Change notes for bug 660.
[exim.git] / src / src / acl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
0a49a7a4 5/* Copyright (c) University of Cambridge 1995 - 2009 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for handling Access Control Lists (ACLs) */
9
10#include "exim.h"
11
12
13/* Default callout timeout */
14
15#define CALLOUT_TIMEOUT_DEFAULT 30
16
17/* ACL verb codes - keep in step with the table of verbs that follows */
18
19enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22/* ACL verbs */
23
24static uschar *verbs[] =
25 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
26 US"warn" };
27
4e88a19f
PH
28/* For each verb, the conditions for which "message" or "log_message" are used
29are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
30"accept", the FAIL case is used only after "endpass", but that is selected in
31the code. */
32
33static int msgcond[] = {
34 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
35 (1<<OK), /* defer */
36 (1<<OK), /* deny */
37 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
38 (1<<OK), /* drop */
39 (1<<FAIL) | (1<<FAIL_DROP), /* require */
40 (1<<OK) /* warn */
41 };
059ec3d9
PH
42
43/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH
44follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
45down. */
059ec3d9 46
71fafd95
PH
47enum { ACLC_ACL,
48 ACLC_ADD_HEADER,
49 ACLC_AUTHENTICATED,
8523533c
TK
50#ifdef EXPERIMENTAL_BRIGHTMAIL
51 ACLC_BMI_OPTIN,
52#endif
71fafd95 53 ACLC_CONDITION,
c3611384 54 ACLC_CONTINUE,
71fafd95 55 ACLC_CONTROL,
6a8f9482
TK
56#ifdef EXPERIMENTAL_DCC
57 ACLC_DCC,
58#endif
8523533c
TK
59#ifdef WITH_CONTENT_SCAN
60 ACLC_DECODE,
61#endif
62 ACLC_DELAY,
63#ifdef WITH_OLD_DEMIME
64 ACLC_DEMIME,
8e669ac1 65#endif
80a47a2c
TK
66#ifndef DISABLE_DKIM
67 ACLC_DKIM_SIGNER,
68 ACLC_DKIM_STATUS,
fb2274d4 69#endif
71fafd95
PH
70 ACLC_DNSLISTS,
71 ACLC_DOMAINS,
72 ACLC_ENCRYPTED,
73 ACLC_ENDPASS,
74 ACLC_HOSTS,
75 ACLC_LOCAL_PARTS,
76 ACLC_LOG_MESSAGE,
6ea85e9a 77 ACLC_LOG_REJECT_TARGET,
71fafd95 78 ACLC_LOGWRITE,
8523533c
TK
79#ifdef WITH_CONTENT_SCAN
80 ACLC_MALWARE,
81#endif
82 ACLC_MESSAGE,
83#ifdef WITH_CONTENT_SCAN
84 ACLC_MIME_REGEX,
85#endif
870f6ba8 86 ACLC_RATELIMIT,
8523533c
TK
87 ACLC_RECIPIENTS,
88#ifdef WITH_CONTENT_SCAN
89 ACLC_REGEX,
90#endif
71fafd95
PH
91 ACLC_SENDER_DOMAINS,
92 ACLC_SENDERS,
93 ACLC_SET,
8523533c 94#ifdef WITH_CONTENT_SCAN
8e669ac1 95 ACLC_SPAM,
8523533c
TK
96#endif
97#ifdef EXPERIMENTAL_SPF
98 ACLC_SPF,
65a7d8c3 99 ACLC_SPF_GUESS,
8523533c
TK
100#endif
101 ACLC_VERIFY };
059ec3d9 102
c3611384
PH
103/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
104"message", "log_message", "log_reject_target", "logwrite", and "set" are
105modifiers that look like conditions but always return TRUE. They are used for
106their side effects. */
059ec3d9 107
9a26b6b2
PH
108static uschar *conditions[] = {
109 US"acl",
71fafd95 110 US"add_header",
9a26b6b2 111 US"authenticated",
8523533c
TK
112#ifdef EXPERIMENTAL_BRIGHTMAIL
113 US"bmi_optin",
114#endif
115 US"condition",
c3611384 116 US"continue",
8e669ac1 117 US"control",
6a8f9482
TK
118#ifdef EXPERIMENTAL_DCC
119 US"dcc",
120#endif
8523533c
TK
121#ifdef WITH_CONTENT_SCAN
122 US"decode",
123#endif
124 US"delay",
125#ifdef WITH_OLD_DEMIME
126 US"demime",
127#endif
80a47a2c
TK
128#ifndef DISABLE_DKIM
129 US"dkim_signers",
130 US"dkim_status",
fb2274d4 131#endif
6ea85e9a
PH
132 US"dnslists",
133 US"domains",
134 US"encrypted",
135 US"endpass",
136 US"hosts",
137 US"local_parts",
138 US"log_message",
139 US"log_reject_target",
140 US"logwrite",
8523533c
TK
141#ifdef WITH_CONTENT_SCAN
142 US"malware",
143#endif
144 US"message",
145#ifdef WITH_CONTENT_SCAN
146 US"mime_regex",
147#endif
870f6ba8 148 US"ratelimit",
8523533c
TK
149 US"recipients",
150#ifdef WITH_CONTENT_SCAN
151 US"regex",
152#endif
153 US"sender_domains", US"senders", US"set",
154#ifdef WITH_CONTENT_SCAN
155 US"spam",
156#endif
157#ifdef EXPERIMENTAL_SPF
158 US"spf",
65a7d8c3 159 US"spf_guess",
8523533c 160#endif
059ec3d9 161 US"verify" };
8e669ac1 162
c5fcb476 163
9a26b6b2
PH
164/* Return values from decode_control(); keep in step with the table of names
165that follows! */
166
167enum {
c46782ef
PH
168 CONTROL_AUTH_UNADVERTISED,
169 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 170 CONTROL_BMI_RUN,
c46782ef 171 #endif
ed7f7860 172 CONTROL_DEBUG,
80a47a2c 173 #ifndef DISABLE_DKIM
f7572e5a
TK
174 CONTROL_DKIM_VERIFY,
175 #endif
c46782ef
PH
176 CONTROL_ERROR,
177 CONTROL_CASEFUL_LOCAL_PART,
178 CONTROL_CASELOWER_LOCAL_PART,
179 CONTROL_ENFORCE_SYNC,
180 CONTROL_NO_ENFORCE_SYNC,
181 CONTROL_FREEZE,
182 CONTROL_QUEUE_ONLY,
183 CONTROL_SUBMISSION,
184 CONTROL_SUPPRESS_LOCAL_FIXUPS,
185 #ifdef WITH_CONTENT_SCAN
9a26b6b2 186 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH
187 #endif
188 CONTROL_FAKEDEFER,
189 CONTROL_FAKEREJECT,
cf8b11a5 190 CONTROL_NO_MULTILINE,
047bdd8c 191 CONTROL_NO_PIPELINING,
4c590bd1
PH
192 CONTROL_NO_DELAY_FLUSH,
193 CONTROL_NO_CALLOUT_FLUSH
c46782ef 194};
9a26b6b2 195
8800895a
PH
196/* ACL control names; keep in step with the table above! This list is used for
197turning ids into names. The actual list of recognized names is in the variable
198control_def controls_list[] below. The fact that there are two lists is a mess
199and should be tidied up. */
9a26b6b2
PH
200
201static uschar *controls[] = {
c46782ef 202 US"allow_auth_unadvertised",
9a26b6b2
PH
203 #ifdef EXPERIMENTAL_BRIGHTMAIL
204 US"bmi_run",
205 #endif
ed7f7860 206 US"debug",
80a47a2c
TK
207 #ifndef DISABLE_DKIM
208 US"dkim_disable_verify",
f7572e5a 209 #endif
c46782ef
PH
210 US"error",
211 US"caseful_local_part",
212 US"caselower_local_part",
213 US"enforce_sync",
214 US"no_enforce_sync",
215 US"freeze",
216 US"queue_only",
217 US"submission",
218 US"suppress_local_fixups",
9a26b6b2
PH
219 #ifdef WITH_CONTENT_SCAN
220 US"no_mbox_unspool",
221 #endif
cf8b11a5
PH
222 US"fakedefer",
223 US"fakereject",
aa6dc513 224 US"no_multiline_responses",
cf8b11a5 225 US"no_pipelining",
4c590bd1
PH
226 US"no_delay_flush",
227 US"no_callout_flush"
c46782ef 228};
059ec3d9 229
047bdd8c 230/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH
231at the outer level. In the other cases, expansion already occurs in the
232checking functions. */
233
234static uschar cond_expand_at_top[] = {
235 TRUE, /* acl */
3e536984 236 TRUE, /* add_header */
059ec3d9 237 FALSE, /* authenticated */
8523533c
TK
238#ifdef EXPERIMENTAL_BRIGHTMAIL
239 TRUE, /* bmi_optin */
8e669ac1 240#endif
059ec3d9 241 TRUE, /* condition */
c3611384 242 TRUE, /* continue */
059ec3d9 243 TRUE, /* control */
6a8f9482
TK
244#ifdef EXPERIMENTAL_DCC
245 TRUE, /* dcc */
246#endif
8523533c
TK
247#ifdef WITH_CONTENT_SCAN
248 TRUE, /* decode */
249#endif
059ec3d9 250 TRUE, /* delay */
8523533c
TK
251#ifdef WITH_OLD_DEMIME
252 TRUE, /* demime */
253#endif
80a47a2c
TK
254#ifndef DISABLE_DKIM
255 TRUE, /* dkim_signers */
256 TRUE, /* dkim_status */
fb2274d4 257#endif
059ec3d9
PH
258 TRUE, /* dnslists */
259 FALSE, /* domains */
260 FALSE, /* encrypted */
261 TRUE, /* endpass */
262 FALSE, /* hosts */
263 FALSE, /* local_parts */
264 TRUE, /* log_message */
6ea85e9a 265 TRUE, /* log_reject_target */
059ec3d9 266 TRUE, /* logwrite */
8523533c
TK
267#ifdef WITH_CONTENT_SCAN
268 TRUE, /* malware */
269#endif
059ec3d9 270 TRUE, /* message */
8523533c
TK
271#ifdef WITH_CONTENT_SCAN
272 TRUE, /* mime_regex */
273#endif
870f6ba8 274 TRUE, /* ratelimit */
059ec3d9 275 FALSE, /* recipients */
8523533c
TK
276#ifdef WITH_CONTENT_SCAN
277 TRUE, /* regex */
278#endif
059ec3d9
PH
279 FALSE, /* sender_domains */
280 FALSE, /* senders */
281 TRUE, /* set */
8523533c
TK
282#ifdef WITH_CONTENT_SCAN
283 TRUE, /* spam */
284#endif
285#ifdef EXPERIMENTAL_SPF
286 TRUE, /* spf */
65a7d8c3 287 TRUE, /* spf_guess */
8523533c 288#endif
059ec3d9
PH
289 TRUE /* verify */
290};
291
292/* Flags to identify the modifiers */
293
294static uschar cond_modifiers[] = {
295 FALSE, /* acl */
3e536984 296 TRUE, /* add_header */
059ec3d9 297 FALSE, /* authenticated */
8523533c
TK
298#ifdef EXPERIMENTAL_BRIGHTMAIL
299 TRUE, /* bmi_optin */
8e669ac1 300#endif
059ec3d9 301 FALSE, /* condition */
c3611384 302 TRUE, /* continue */
059ec3d9 303 TRUE, /* control */
6a8f9482
TK
304#ifdef EXPERIMENTAL_DCC
305 FALSE, /* dcc */
306#endif
8523533c
TK
307#ifdef WITH_CONTENT_SCAN
308 FALSE, /* decode */
309#endif
059ec3d9 310 TRUE, /* delay */
8523533c
TK
311#ifdef WITH_OLD_DEMIME
312 FALSE, /* demime */
313#endif
80a47a2c
TK
314#ifndef DISABLE_DKIM
315 FALSE, /* dkim_signers */
316 FALSE, /* dkim_status */
fb2274d4 317#endif
059ec3d9
PH
318 FALSE, /* dnslists */
319 FALSE, /* domains */
320 FALSE, /* encrypted */
321 TRUE, /* endpass */
322 FALSE, /* hosts */
323 FALSE, /* local_parts */
324 TRUE, /* log_message */
6ea85e9a 325 TRUE, /* log_reject_target */
8523533c
TK
326 TRUE, /* logwrite */
327#ifdef WITH_CONTENT_SCAN
328 FALSE, /* malware */
329#endif
059ec3d9 330 TRUE, /* message */
8523533c
TK
331#ifdef WITH_CONTENT_SCAN
332 FALSE, /* mime_regex */
333#endif
870f6ba8 334 FALSE, /* ratelimit */
059ec3d9 335 FALSE, /* recipients */
8523533c
TK
336#ifdef WITH_CONTENT_SCAN
337 FALSE, /* regex */
338#endif
059ec3d9
PH
339 FALSE, /* sender_domains */
340 FALSE, /* senders */
341 TRUE, /* set */
8523533c
TK
342#ifdef WITH_CONTENT_SCAN
343 FALSE, /* spam */
344#endif
345#ifdef EXPERIMENTAL_SPF
346 FALSE, /* spf */
65a7d8c3 347 FALSE, /* spf_guess */
8523533c 348#endif
059ec3d9
PH
349 FALSE /* verify */
350};
351
c3611384 352/* Bit map vector of which conditions and modifiers are not allowed at certain
8f128379
PH
353times. For each condition and modifier, there's a bitmap of dis-allowed times.
354For some, it is easier to specify the negation of a small number of allowed
355times. */
059ec3d9
PH
356
357static unsigned int cond_forbids[] = {
358 0, /* acl */
8e669ac1 359
71fafd95 360 (unsigned int)
45b91596 361 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 362 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596 363 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
67caae1f 364 (1<<ACL_WHERE_DKIM)|
45b91596 365 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 366
45b91596
PH
367 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
368 (1<<ACL_WHERE_NOTSMTP_START)|
369 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 370
71fafd95 371 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 372 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK
373 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
374 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 375 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK
376 (1<<ACL_WHERE_MAILAUTH)|
377 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH
378 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
379 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 380 #endif
8e669ac1 381
059ec3d9 382 0, /* condition */
8e669ac1 383
c3611384
PH
384 0, /* continue */
385
059ec3d9 386 /* Certain types of control are always allowed, so we let it through
2f079f46 387 always and check in the control processing itself. */
8e669ac1 388
059ec3d9 389 0, /* control */
8e669ac1 390
6a8f9482
TK
391 #ifdef EXPERIMENTAL_DCC
392 (unsigned int)
393 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* dcc */
394 #endif
395
71fafd95 396 #ifdef WITH_CONTENT_SCAN
2f079f46
PH
397 (unsigned int)
398 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 399 #endif
8523533c 400
8f128379 401 (1<<ACL_WHERE_NOTQUIT), /* delay */
8e669ac1 402
71fafd95 403 #ifdef WITH_OLD_DEMIME
2f079f46
PH
404 (unsigned int)
405 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 406 #endif
8e669ac1 407
80a47a2c
TK
408 #ifndef DISABLE_DKIM
409 (unsigned int)
410 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
84330b7b 411
80a47a2c
TK
412 (unsigned int)
413 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
71fafd95 414 #endif
fb2274d4 415
45b91596
PH
416 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
417 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 418
2f079f46
PH
419 (unsigned int)
420 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 421
45b91596
PH
422 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
423 (1<<ACL_WHERE_CONNECT)|
424 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 425 (1<<ACL_WHERE_HELO),
8e669ac1 426
059ec3d9 427 0, /* endpass */
8e669ac1 428
45b91596
PH
429 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
430 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 431
2f079f46
PH
432 (unsigned int)
433 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH
434
435 0, /* log_message */
8e669ac1 436
6ea85e9a
PH
437 0, /* log_reject_target */
438
059ec3d9 439 0, /* logwrite */
8e669ac1 440
71fafd95 441 #ifdef WITH_CONTENT_SCAN
2f079f46
PH
442 (unsigned int)
443 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 444 #endif
8523533c 445
059ec3d9
PH
446 0, /* message */
447
71fafd95 448 #ifdef WITH_CONTENT_SCAN
2f079f46
PH
449 (unsigned int)
450 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 451 #endif
8523533c 452
870f6ba8
TF
453 0, /* ratelimit */
454
2f079f46
PH
455 (unsigned int)
456 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 457
71fafd95 458 #ifdef WITH_CONTENT_SCAN
2f079f46
PH
459 (unsigned int)
460 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
461 (1<<ACL_WHERE_MIME)),
71fafd95 462 #endif
8523533c 463
059ec3d9
PH
464 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
465 (1<<ACL_WHERE_HELO)|
466 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
467 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
468 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
469
470 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
471 (1<<ACL_WHERE_HELO)|
472 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
473 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
474 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
475
476 0, /* set */
477
71fafd95 478 #ifdef WITH_CONTENT_SCAN
2f079f46
PH
479 (unsigned int)
480 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 481 #endif
8523533c 482
71fafd95 483 #ifdef EXPERIMENTAL_SPF
8523533c
TK
484 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
485 (1<<ACL_WHERE_HELO)|
486 (1<<ACL_WHERE_MAILAUTH)|
487 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH
488 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
489 (1<<ACL_WHERE_NOTSMTP)|
490 (1<<ACL_WHERE_NOTSMTP_START),
65a7d8c3
NM
491
492 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
493 (1<<ACL_WHERE_HELO)|
494 (1<<ACL_WHERE_MAILAUTH)|
495 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
496 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
497 (1<<ACL_WHERE_NOTSMTP)|
498 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 499 #endif
8523533c 500
059ec3d9
PH
501 /* Certain types of verify are always allowed, so we let it through
502 always and check in the verify function itself */
503
504 0 /* verify */
059ec3d9
PH
505};
506
507
c5fcb476
PH
508/* Bit map vector of which controls are not allowed at certain times. For
509each control, there's a bitmap of dis-allowed times. For some, it is easier to
510specify the negation of a small number of allowed times. */
511
512static unsigned int control_forbids[] = {
c46782ef
PH
513 (unsigned int)
514 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
515
516 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 517 0, /* bmi_run */
c46782ef
PH
518 #endif
519
ed7f7860
PP
520 0, /* debug */
521
80a47a2c
TK
522 #ifndef DISABLE_DKIM
523 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
f7572e5a
TK
524 (1<<ACL_WHERE_NOTSMTP_START),
525 #endif
526
c5fcb476 527 0, /* error */
8e669ac1
PH
528
529 (unsigned int)
c5fcb476 530 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH
531
532 (unsigned int)
c5fcb476 533 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 534
45b91596
PH
535 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
536 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 537
45b91596
PH
538 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
539 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH
540
541 (unsigned int)
c5fcb476
PH
542 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
543 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 544 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH
545
546 (unsigned int)
c5fcb476
PH
547 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
548 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 549 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH
550
551 (unsigned int)
c5fcb476 552 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 553 (1<<ACL_WHERE_PREDATA)),
8523533c 554
8800895a
PH
555 (unsigned int)
556 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH
557 (1<<ACL_WHERE_PREDATA)|
558 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 559
c46782ef 560 #ifdef WITH_CONTENT_SCAN
8e669ac1 561 (unsigned int)
14d57970 562 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK
563 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
564 (1<<ACL_WHERE_MIME)),
c46782ef 565 #endif
a6c4ab60 566
8e669ac1 567 (unsigned int)
29aba418
TF
568 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
569 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
570 (1<<ACL_WHERE_MIME)),
571
572 (unsigned int)
a6c4ab60 573 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK
574 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
575 (1<<ACL_WHERE_MIME)),
8523533c 576
45b91596 577 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH
578 (1<<ACL_WHERE_NOTSMTP_START),
579
580 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH
581 (1<<ACL_WHERE_NOTSMTP_START),
582
583 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH
584 (1<<ACL_WHERE_NOTSMTP_START),
585
586 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 587 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH
588};
589
590/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH
591
592typedef struct control_def {
593 uschar *name;
594 int value; /* CONTROL_xxx value */
059ec3d9
PH
595 BOOL has_option; /* Has /option(s) following */
596} control_def;
597
598static control_def controls_list[] = {
c46782ef 599 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 600#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 601 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
8523533c 602#endif
ed7f7860 603 { US"debug", CONTROL_DEBUG, TRUE },
80a47a2c
TK
604#ifndef DISABLE_DKIM
605 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
f7572e5a 606#endif
c46782ef
PH
607 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
608 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
609 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
610 { US"freeze", CONTROL_FREEZE, TRUE },
4c590bd1 611 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
047bdd8c 612 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
c46782ef
PH
613 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
614 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 615 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 616 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 617#ifdef WITH_CONTENT_SCAN
c46782ef 618 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 619#endif
c46782ef
PH
620 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
621 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
622 { US"submission", CONTROL_SUBMISSION, TRUE },
623 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH
624 };
625
e5a9dba6
PH
626/* Support data structures for Client SMTP Authorization. acl_verify_csa()
627caches its result in a tree to avoid repeated DNS queries. The result is an
628integer code which is used as an index into the following tables of
629explanatory strings and verification return codes. */
630
631static tree_node *csa_cache = NULL;
632
633enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
634 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
635
636/* The acl_verify_csa() return code is translated into an acl_verify() return
637code using the following table. It is OK unless the client is definitely not
638authorized. This is because CSA is supposed to be optional for sending sites,
639so recipients should not be too strict about checking it - especially because
640DNS problems are quite likely to occur. It's possible to use $csa_status in
641further ACL conditions to distinguish ok, unknown, and defer if required, but
642the aim is to make the usual configuration simple. */
643
644static int csa_return_code[] = {
645 OK, OK, OK, OK,
646 FAIL, FAIL, FAIL, FAIL
647};
648
649static uschar *csa_status_string[] = {
650 US"unknown", US"ok", US"defer", US"defer",
651 US"fail", US"fail", US"fail", US"fail"
652};
653
654static uschar *csa_reason_string[] = {
655 US"unknown",
656 US"ok",
657 US"deferred (SRV lookup failed)",
658 US"deferred (target address lookup failed)",
659 US"failed (explicit authorization required)",
660 US"failed (host name not authorized)",
661 US"failed (no authorized addresses)",
662 US"failed (client address mismatch)"
663};
664
c99ce5c9
TF
665/* Options for the ratelimit condition. Note that there are two variants of
666the per_rcpt option, depending on the ACL that is used to measure the rate.
667However any ACL must be able to look up per_rcpt rates in /noupdate mode,
668so the two variants must have the same internal representation as well as
669the same configuration string. */
670
671enum {
672 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
673 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
674};
675
676#define RATE_SET(var,new) \
677 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
678
679static uschar *ratelimit_option_string[] = {
680 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
681 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
682};
683
059ec3d9
PH
684/* Enable recursion between acl_check_internal() and acl_check_condition() */
685
686static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
687 uschar **);
688
689
690/*************************************************
691* Pick out name from list *
692*************************************************/
693
694/* Use a binary chop method
695
696Arguments:
697 name name to find
698 list list of names
699 end size of list
700
701Returns: offset in list, or -1 if not found
702*/
703
704static int
705acl_checkname(uschar *name, uschar **list, int end)
706{
707int start = 0;
708
709while (start < end)
710 {
711 int mid = (start + end)/2;
712 int c = Ustrcmp(name, list[mid]);
713 if (c == 0) return mid;
714 if (c < 0) end = mid; else start = mid + 1;
715 }
716
717return -1;
718}
719
720
721/*************************************************
722* Read and parse one ACL *
723*************************************************/
724
725/* This function is called both from readconf in order to parse the ACLs in the
726configuration file, and also when an ACL is encountered dynamically (e.g. as
727the result of an expansion). It is given a function to call in order to
728retrieve the lines of the ACL. This function handles skipping comments and
729blank lines (where relevant).
730
731Arguments:
732 func function to get next line of ACL
733 error where to put an error message
734
735Returns: pointer to ACL, or NULL
736 NULL can be legal (empty ACL); in this case error will be NULL
737*/
738
739acl_block *
740acl_read(uschar *(*func)(void), uschar **error)
741{
742acl_block *yield = NULL;
743acl_block **lastp = &yield;
744acl_block *this = NULL;
745acl_condition_block *cond;
746acl_condition_block **condp = NULL;
747uschar *s;
748
749*error = NULL;
750
751while ((s = (*func)()) != NULL)
752 {
753 int v, c;
754 BOOL negated = FALSE;
755 uschar *saveline = s;
756 uschar name[64];
757
758 /* Conditions (but not verbs) are allowed to be negated by an initial
759 exclamation mark. */
760
761 while (isspace(*s)) s++;
762 if (*s == '!')
763 {
764 negated = TRUE;
765 s++;
766 }
767
cf00dad6
PH
768 /* Read the name of a verb or a condition, or the start of a new ACL, which
769 can be started by a name, or by a macro definition. */
059ec3d9
PH
770
771 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 772 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH
773
774 /* If a verb is unrecognized, it may be another condition or modifier that
775 continues the previous verb. */
776
777 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
778 if (v < 0)
779 {
780 if (this == NULL)
781 {
4e167a8c
PH
782 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
783 saveline);
059ec3d9
PH
784 return NULL;
785 }
786 }
787
788 /* New verb */
789
790 else
791 {
792 if (negated)
793 {
794 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
795 return NULL;
796 }
797 this = store_get(sizeof(acl_block));
798 *lastp = this;
799 lastp = &(this->next);
800 this->next = NULL;
801 this->verb = v;
802 this->condition = NULL;
803 condp = &(this->condition);
804 if (*s == 0) continue; /* No condition on this line */
805 if (*s == '!')
806 {
807 negated = TRUE;
808 s++;
809 }
810 s = readconf_readname(name, sizeof(name), s); /* Condition name */
811 }
812
813 /* Handle a condition or modifier. */
814
815 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
816 if (c < 0)
817 {
818 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
819 saveline);
820 return NULL;
821 }
822
823 /* The modifiers may not be negated */
824
825 if (negated && cond_modifiers[c])
826 {
827 *error = string_sprintf("ACL error: negation is not allowed with "
828 "\"%s\"", conditions[c]);
829 return NULL;
830 }
831
832 /* ENDPASS may occur only with ACCEPT or DISCARD. */
833
834 if (c == ACLC_ENDPASS &&
835 this->verb != ACL_ACCEPT &&
836 this->verb != ACL_DISCARD)
837 {
838 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
839 conditions[c], verbs[this->verb]);
840 return NULL;
841 }
842
843 cond = store_get(sizeof(acl_condition_block));
844 cond->next = NULL;
845 cond->type = c;
846 cond->u.negated = negated;
847
848 *condp = cond;
849 condp = &(cond->next);
850
851 /* The "set" modifier is different in that its argument is "name=value"
852 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH
853 gives us a variable name to insert into the data block. The original ACL
854 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
855 extended to 20 of each type, but after that people successfully argued for
641cb756
PH
856 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
857 After that, we allow alphanumerics and underscores, but the first character
858 after c or m must be a digit or an underscore. This retains backwards
859 compatibility. */
059ec3d9
PH
860
861 if (c == ACLC_SET)
862 {
47ca6d6c
PH
863 uschar *endptr;
864
38a0a95f
PH
865 if (Ustrncmp(s, "acl_c", 5) != 0 &&
866 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 867 {
38a0a95f
PH
868 *error = string_sprintf("invalid variable name after \"set\" in ACL "
869 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
870 return NULL;
47ca6d6c 871 }
38a0a95f
PH
872
873 endptr = s + 5;
641cb756
PH
874 if (!isdigit(*endptr) && *endptr != '_')
875 {
876 *error = string_sprintf("invalid variable name after \"set\" in ACL "
877 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
878 s);
879 return NULL;
880 }
881
38a0a95f 882 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 883 {
38a0a95f
PH
884 if (!isalnum(*endptr) && *endptr != '_')
885 {
886 *error = string_sprintf("invalid character \"%c\" in variable name "
887 "in ACL modifier \"set %s\"", *endptr, s);
888 return NULL;
889 }
890 endptr++;
47ca6d6c 891 }
47ca6d6c 892
38a0a95f 893 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 894 s = endptr;
059ec3d9
PH
895 while (isspace(*s)) s++;
896 }
897
898 /* For "set", we are now positioned for the data. For the others, only
899 "endpass" has no data */
900
901 if (c != ACLC_ENDPASS)
902 {
903 if (*s++ != '=')
904 {
905 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
906 cond_modifiers[c]? US"modifier" : US"condition");
907 return NULL;
908 }
909 while (isspace(*s)) s++;
910 cond->arg = string_copy(s);
911 }
912 }
913
914return yield;
915}
916
917
918
919/*************************************************
71fafd95
PH
920* Set up added header line(s) *
921*************************************************/
922
923/* This function is called by the add_header modifier, and also from acl_warn()
924to implement the now-deprecated way of adding header lines using "message" on a
925"warn" verb. The argument is treated as a sequence of header lines which are
926added to a chain, provided there isn't an identical one already there.
927
928Argument: string of header lines
929Returns: nothing
930*/
931
932static void
933setup_header(uschar *hstring)
934{
935uschar *p, *q;
936int hlen = Ustrlen(hstring);
937
938/* An empty string does nothing; otherwise add a final newline if necessary. */
939
940if (hlen <= 0) return;
941if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
942
943/* Loop for multiple header lines, taking care about continuations */
944
945for (p = q = hstring; *p != 0; )
946 {
947 uschar *s;
948 int newtype = htype_add_bot;
949 header_line **hptr = &acl_added_headers;
950
951 /* Find next header line within the string */
952
953 for (;;)
954 {
955 q = Ustrchr(q, '\n');
956 if (*(++q) != ' ' && *q != '\t') break;
957 }
958
959 /* If the line starts with a colon, interpret the instruction for where to
960 add it. This temporarily sets up a new type. */
961
962 if (*p == ':')
963 {
964 if (strncmpic(p, US":after_received:", 16) == 0)
965 {
966 newtype = htype_add_rec;
967 p += 16;
968 }
969 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
970 {
971 newtype = htype_add_rfc;
972 p += 14;
973 }
974 else if (strncmpic(p, US":at_start:", 10) == 0)
975 {
976 newtype = htype_add_top;
977 p += 10;
978 }
979 else if (strncmpic(p, US":at_end:", 8) == 0)
980 {
981 newtype = htype_add_bot;
982 p += 8;
983 }
984 while (*p == ' ' || *p == '\t') p++;
985 }
986
987 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
988 to the front of it. */
989
990 for (s = p; s < q - 1; s++)
991 {
992 if (*s == ':' || !isgraph(*s)) break;
993 }
994
995 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
996 hlen = Ustrlen(s);
997
998 /* See if this line has already been added */
999
1000 while (*hptr != NULL)
1001 {
1002 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1003 hptr = &((*hptr)->next);
1004 }
1005
1006 /* Add if not previously present */
1007
1008 if (*hptr == NULL)
1009 {
1010 header_line *h = store_get(sizeof(header_line));
1011 h->text = s;
1012 h->next = NULL;
1013 h->type = newtype;
1014 h->slen = hlen;
1015 *hptr = h;
1016 hptr = &(h->next);
1017 }
1018
1019 /* Advance for next header line within the string */
1020
1021 p = q;
1022 }
1023}
1024
1025
1026
1027
1028/*************************************************
059ec3d9
PH
1029* Handle warnings *
1030*************************************************/
1031
1032/* This function is called when a WARN verb's conditions are true. It adds to
1033the message's headers, and/or writes information to the log. In each case, this
1034only happens once (per message for headers, per connection for log).
1035
71fafd95
PH
1036** NOTE: The header adding action using the "message" setting is historic, and
1037its use is now deprecated. The new add_header modifier should be used instead.
1038
059ec3d9
PH
1039Arguments:
1040 where ACL_WHERE_xxxx indicating which ACL this is
1041 user_message message for adding to headers
1042 log_message message for logging, if different
1043
1044Returns: nothing
1045*/
1046
1047static void
1048acl_warn(int where, uschar *user_message, uschar *log_message)
1049{
059ec3d9
PH
1050if (log_message != NULL && log_message != user_message)
1051 {
1052 uschar *text;
1053 string_item *logged;
1054
1055 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1056 string_printing(log_message));
1057
1058 /* If a sender verification has failed, and the log message is "sender verify
1059 failed", add the failure message. */
1060
1061 if (sender_verified_failed != NULL &&
1062 sender_verified_failed->message != NULL &&
1063 strcmpic(log_message, US"sender verify failed") == 0)
1064 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1065
9c7a242c
PH
1066 /* Search previously logged warnings. They are kept in malloc
1067 store so they can be freed at the start of a new message. */
059ec3d9
PH
1068
1069 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1070 if (Ustrcmp(logged->text, text) == 0) break;
1071
1072 if (logged == NULL)
1073 {
1074 int length = Ustrlen(text) + 1;
1075 log_write(0, LOG_MAIN, "%s", text);
1076 logged = store_malloc(sizeof(string_item) + length);
1077 logged->text = (uschar *)logged + sizeof(string_item);
1078 memcpy(logged->text, text, length);
1079 logged->next = acl_warn_logged;
1080 acl_warn_logged = logged;
1081 }
1082 }
1083
1084/* If there's no user message, we are done. */
1085
1086if (user_message == NULL) return;
1087
1088/* If this isn't a message ACL, we can't do anything with a user message.
1089Log an error. */
1090
1091if (where > ACL_WHERE_NOTSMTP)
1092 {
1093 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1094 "found in a non-message (%s) ACL: cannot specify header lines here: "
1095 "message ignored", acl_wherenames[where]);
1096 return;
1097 }
1098
71fafd95
PH
1099/* The code for setting up header lines is now abstracted into a separate
1100function so that it can be used for the add_header modifier as well. */
059ec3d9 1101
71fafd95 1102setup_header(user_message);
059ec3d9
PH
1103}
1104
1105
1106
1107/*************************************************
1108* Verify and check reverse DNS *
1109*************************************************/
1110
1111/* Called from acl_verify() below. We look up the host name(s) of the client IP
1112address if this has not yet been done. The host_name_lookup() function checks
1113that one of these names resolves to an address list that contains the client IP
1114address, so we don't actually have to do the check here.
1115
1116Arguments:
1117 user_msgptr pointer for user message
1118 log_msgptr pointer for log message
1119
1120Returns: OK verification condition succeeded
1121 FAIL verification failed
1122 DEFER there was a problem verifying
1123*/
1124
1125static int
1126acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1127{
1128int rc;
1129
1130user_msgptr = user_msgptr; /* stop compiler warning */
1131
1132/* Previous success */
1133
1134if (sender_host_name != NULL) return OK;
1135
1136/* Previous failure */
1137
1138if (host_lookup_failed)
1139 {
1140 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1141 return FAIL;
1142 }
1143
1144/* Need to do a lookup */
1145
1146HDEBUG(D_acl)
1147 debug_printf("looking up host name to force name/address consistency check\n");
1148
1149if ((rc = host_name_lookup()) != OK)
1150 {
1151 *log_msgptr = (rc == DEFER)?
1152 US"host lookup deferred for reverse lookup check"
1153 :
1154 string_sprintf("host lookup failed for reverse lookup check%s",
1155 host_lookup_msg);
1156 return rc; /* DEFER or FAIL */
1157 }
1158
1159host_build_sender_fullhost();
1160return OK;
1161}
1162
1163
1164
1165/*************************************************
e5a9dba6
PH
1166* Check client IP address matches CSA target *
1167*************************************************/
1168
1169/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1170response for address records belonging to the CSA target hostname. The section
1171is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1172If one of the addresses matches the client's IP address, then the client is
1173authorized by CSA. If there are target IP addresses but none of them match
1174then the client is using an unauthorized IP address. If there are no target IP
1175addresses then the client cannot be using an authorized IP address. (This is
1176an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1177
1178Arguments:
1179 dnsa the DNS answer block
1180 dnss a DNS scan block for us to use
1181 reset option specifing what portion to scan, as described above
1182 target the target hostname to use for matching RR names
1183
1184Returns: CSA_OK successfully authorized
1185 CSA_FAIL_MISMATCH addresses found but none matched
1186 CSA_FAIL_NOADDR no target addresses found
1187*/
1188
1189static int
1190acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1191 uschar *target)
1192{
1193dns_record *rr;
1194dns_address *da;
1195
1196BOOL target_found = FALSE;
1197
1198for (rr = dns_next_rr(dnsa, dnss, reset);
1199 rr != NULL;
1200 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1201 {
1202 /* Check this is an address RR for the target hostname. */
1203
1204 if (rr->type != T_A
1205 #if HAVE_IPV6
1206 && rr->type != T_AAAA
1207 #ifdef SUPPORT_A6
1208 && rr->type != T_A6
1209 #endif
1210 #endif
1211 ) continue;
1212
1213 if (strcmpic(target, rr->name) != 0) continue;
1214
1215 target_found = TRUE;
1216
1217 /* Turn the target address RR into a list of textual IP addresses and scan
1218 the list. There may be more than one if it is an A6 RR. */
1219
1220 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1221 {
1222 /* If the client IP address matches the target IP address, it's good! */
1223
1224 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1225
1226 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1227 }
1228 }
1229
1230/* If we found some target addresses but none of them matched, the client is
1231using an unauthorized IP address, otherwise the target has no authorized IP
1232addresses. */
1233
1234if (target_found) return CSA_FAIL_MISMATCH;
1235else return CSA_FAIL_NOADDR;
1236}
1237
1238
1239
1240/*************************************************
1241* Verify Client SMTP Authorization *
1242*************************************************/
1243
1244/* Called from acl_verify() below. This routine calls dns_lookup_special()
1245to find the CSA SRV record corresponding to the domain argument, or
1246$sender_helo_name if no argument is provided. It then checks that the
1247client is authorized, and that its IP address corresponds to the SRV
1248target's address by calling acl_verify_csa_address() above. The address
1249should have been returned in the DNS response's ADDITIONAL section, but if
1250not we perform another DNS lookup to get it.
1251
1252Arguments:
1253 domain pointer to optional parameter following verify = csa
1254
1255Returns: CSA_UNKNOWN no valid CSA record found
1256 CSA_OK successfully authorized
1257 CSA_FAIL_* client is definitely not authorized
1258 CSA_DEFER_* there was a DNS problem
1259*/
1260
1261static int
1262acl_verify_csa(uschar *domain)
1263{
1264tree_node *t;
1265uschar *found, *p;
1266int priority, weight, port;
1267dns_answer dnsa;
1268dns_scan dnss;
1269dns_record *rr;
1270int rc, type;
1271uschar target[256];
1272
1273/* Work out the domain we are using for the CSA lookup. The default is the
1274client's HELO domain. If the client has not said HELO, use its IP address
1275instead. If it's a local client (exim -bs), CSA isn't applicable. */
1276
1277while (isspace(*domain) && *domain != '\0') ++domain;
1278if (*domain == '\0') domain = sender_helo_name;
1279if (domain == NULL) domain = sender_host_address;
1280if (sender_host_address == NULL) return CSA_UNKNOWN;
1281
1282/* If we have an address literal, strip off the framing ready for turning it
1283into a domain. The framing consists of matched square brackets possibly
1284containing a keyword and a colon before the actual IP address. */
1285
1286if (domain[0] == '[')
1287 {
1288 uschar *start = Ustrchr(domain, ':');
1289 if (start == NULL) start = domain;
1290 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1291 }
1292
1293/* Turn domains that look like bare IP addresses into domains in the reverse
1294DNS. This code also deals with address literals and $sender_host_address. It's
1295not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1296address literals, but it's probably the most friendly thing to do. This is an
1297extension to CSA, so we allow it to be turned off for proper conformance. */
1298
7e66e54d 1299if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH
1300 {
1301 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1302 dns_build_reverse(domain, target);
1303 domain = target;
1304 }
1305
1306/* Find out if we've already done the CSA check for this domain. If we have,
1307return the same result again. Otherwise build a new cached result structure
1308for this domain. The name is filled in now, and the value is filled in when
1309we return from this function. */
1310
1311t = tree_search(csa_cache, domain);
1312if (t != NULL) return t->data.val;
1313
1314t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1315Ustrcpy(t->name, domain);
1316(void)tree_insertnode(&csa_cache, t);
1317
1318/* Now we are ready to do the actual DNS lookup(s). */
1319
28e6ef29 1320found = domain;
e5a9dba6
PH
1321switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1322 {
1323 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1324
1325 default:
1326 return t->data.val = CSA_DEFER_SRV;
1327
1328 /* If we found nothing, the client's authorization is unknown. */
1329
1330 case DNS_NOMATCH:
1331 case DNS_NODATA:
1332 return t->data.val = CSA_UNKNOWN;
1333
1334 /* We got something! Go on to look at the reply in more detail. */
1335
1336 case DNS_SUCCEED:
1337 break;
1338 }
1339
1340/* Scan the reply for well-formed CSA SRV records. */
1341
1342for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1343 rr != NULL;
1344 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1345 {
1346 if (rr->type != T_SRV) continue;
1347
1348 /* Extract the numerical SRV fields (p is incremented) */
1349
1350 p = rr->data;
1351 GETSHORT(priority, p);
1352 GETSHORT(weight, p);
1353 GETSHORT(port, p);
1354
1355 DEBUG(D_acl)
1356 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1357
1358 /* Check the CSA version number */
1359
1360 if (priority != 1) continue;
1361
1362 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1363 found by dns_special_lookup() is a parent of the one we asked for), we check
1364 the subdomain assertions in the port field. At the moment there's only one
1365 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1366 SRV records of their own. */
1367
1368 if (found != domain)
1369 {
1370 if (port & 1)
1371 return t->data.val = CSA_FAIL_EXPLICIT;
1372 else
1373 return t->data.val = CSA_UNKNOWN;
1374 }
1375
1376 /* This CSA SRV record refers directly to our domain, so we check the value
1377 in the weight field to work out the domain's authorization. 0 and 1 are
1378 unauthorized; 3 means the client is authorized but we can't check the IP
1379 address in order to authenticate it, so we treat it as unknown; values
1380 greater than 3 are undefined. */
1381
1382 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1383
1384 if (weight > 2) continue;
1385
1386 /* Weight == 2, which means the domain is authorized. We must check that the
1387 client's IP address is listed as one of the SRV target addresses. Save the
1388 target hostname then break to scan the additional data for its addresses. */
1389
1390 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1391 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1392
1393 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1394
1395 break;
1396 }
1397
1398/* If we didn't break the loop then no appropriate records were found. */
1399
1400if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1401
1402/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1403A target of "." indicates there are no valid addresses, so the client cannot
1404be authorized. (This is an odd configuration because weight=2 target=. is
1405equivalent to weight=1, but we check for it in order to keep load off the
1406root name servers.) Note that dn_expand() turns "." into "". */
1407
1408if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1409
1410/* Scan the additional section of the CSA SRV reply for addresses belonging
1411to the target. If the name server didn't return any additional data (e.g.
1412because it does not fully support SRV records), we need to do another lookup
1413to obtain the target addresses; otherwise we have a definitive result. */
1414
1415rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1416if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1417
1418/* The DNS lookup type corresponds to the IP version used by the client. */
1419
1420#if HAVE_IPV6
1421if (Ustrchr(sender_host_address, ':') != NULL)
1422 type = T_AAAA;
1423else
1424#endif /* HAVE_IPV6 */
1425 type = T_A;
1426
1427
1428#if HAVE_IPV6 && defined(SUPPORT_A6)
1429DNS_LOOKUP_AGAIN:
1430#endif
1431
1432switch (dns_lookup(&dnsa, target, type, NULL))
1433 {
1434 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1435
1436 default:
1437 return t->data.val = CSA_DEFER_ADDR;
1438
1439 /* If the query succeeded, scan the addresses and return the result. */
1440
1441 case DNS_SUCCEED:
1442 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1443 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1444 /* else fall through */
1445
1446 /* If the target has no IP addresses, the client cannot have an authorized
1447 IP address. However, if the target site uses A6 records (not AAAA records)
1448 we have to do yet another lookup in order to check them. */
1449
1450 case DNS_NOMATCH:
1451 case DNS_NODATA:
1452
1453 #if HAVE_IPV6 && defined(SUPPORT_A6)
1454 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1455 #endif
1456
1457 return t->data.val = CSA_FAIL_NOADDR;
1458 }
1459}
1460
1461
1462
1463/*************************************************
059ec3d9
PH
1464* Handle verification (address & other) *
1465*************************************************/
1466
1467/* This function implements the "verify" condition. It is called when
1468encountered in any ACL, because some tests are almost always permitted. Some
1469just don't make sense, and always fail (for example, an attempt to test a host
1470lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1471
1472Arguments:
1473 where where called from
1474 addr the recipient address that the ACL is handling, or NULL
1475 arg the argument of "verify"
1476 user_msgptr pointer for user message
1477 log_msgptr pointer for log message
1478 basic_errno where to put verify errno
1479
1480Returns: OK verification condition succeeded
1481 FAIL verification failed
1482 DEFER there was a problem verifying
1483 ERROR syntax error
1484*/
1485
1486static int
1487acl_verify(int where, address_item *addr, uschar *arg,
1488 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1489{
1490int sep = '/';
1491int callout = -1;
1492int callout_overall = -1;
4deaf07d 1493int callout_connect = -1;
059ec3d9
PH
1494int verify_options = 0;
1495int rc;
1496BOOL verify_header_sender = FALSE;
1497BOOL defer_ok = FALSE;
1498BOOL callout_defer_ok = FALSE;
1499BOOL no_details = FALSE;
eafd343b 1500BOOL success_on_redirect = FALSE;
059ec3d9
PH
1501address_item *sender_vaddr = NULL;
1502uschar *verify_sender_address = NULL;
1503uschar *pm_mailfrom = NULL;
1504uschar *se_mailfrom = NULL;
596875b3
PH
1505
1506/* Some of the verify items have slash-separated options; some do not. Diagnose
1507an error if options are given for items that don't expect them. This code has
1508now got very message. Refactoring to use a table would be a good idea one day.
1509*/
1510
1511uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH
1512uschar *list = arg;
1513uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1514
1515if (ss == NULL) goto BAD_VERIFY;
1516
1517/* Handle name/address consistency verification in a separate function. */
1518
1519if (strcmpic(ss, US"reverse_host_lookup") == 0)
1520 {
596875b3 1521 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH
1522 if (sender_host_address == NULL) return OK;
1523 return acl_verify_reverse(user_msgptr, log_msgptr);
1524 }
1525
1526/* TLS certificate verification is done at STARTTLS time; here we just
1527test whether it was successful or not. (This is for optional verification; for
1528mandatory verification, the connection doesn't last this long.) */
1529
1530if (strcmpic(ss, US"certificate") == 0)
1531 {
596875b3 1532 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH
1533 if (tls_certificate_verified) return OK;
1534 *user_msgptr = US"no verified certificate";
1535 return FAIL;
1536 }
1537
d7b47fd0
PH
1538/* We can test the result of optional HELO verification that might have
1539occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1540
596875b3
PH
1541if (strcmpic(ss, US"helo") == 0)
1542 {
1543 if (slash != NULL) goto NO_OPTIONS;
0154e85a
TF
1544 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1545 return helo_verified? OK : FAIL;
596875b3 1546 }
059ec3d9 1547
e5a9dba6
PH
1548/* Do Client SMTP Authorization checks in a separate function, and turn the
1549result code into user-friendly strings. */
1550
1551if (strcmpic(ss, US"csa") == 0)
1552 {
1553 rc = acl_verify_csa(list);
1554 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1555 csa_reason_string[rc]);
1556 csa_status = csa_status_string[rc];
1557 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1558 return csa_return_code[rc];
1559 }
1560
596875b3
PH
1561/* Check that all relevant header lines have the correct syntax. If there is
1562a syntax error, we return details of the error to the sender if configured to
1563send out full details. (But a "message" setting on the ACL can override, as
1564always). */
059ec3d9 1565
596875b3 1566if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1567 {
596875b3 1568 if (slash != NULL) goto NO_OPTIONS;
1c41c9cc 1569 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3
PH
1570 rc = verify_check_headers(log_msgptr);
1571 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1572 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1573 return rc;
1574 }
059ec3d9 1575
1c41c9cc
PH
1576/* Check that no recipient of this message is "blind", that is, every envelope
1577recipient must be mentioned in either To: or Cc:. */
1578
1579if (strcmpic(ss, US"not_blind") == 0)
1580 {
1581 if (slash != NULL) goto NO_OPTIONS;
1582 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1583 rc = verify_check_notblind();
1584 if (rc != OK)
1585 {
1586 *log_msgptr = string_sprintf("bcc recipient detected");
1587 if (smtp_return_error_details)
1588 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1589 }
1590 return rc;
1591 }
059ec3d9 1592
596875b3
PH
1593/* The remaining verification tests check recipient and sender addresses,
1594either from the envelope or from the header. There are a number of
1595slash-separated options that are common to all of them. */
059ec3d9 1596
059ec3d9 1597
596875b3
PH
1598/* Check that there is at least one verifiable sender address in the relevant
1599header lines. This can be followed by callout and defer options, just like
1600sender and recipient. */
059ec3d9 1601
596875b3
PH
1602if (strcmpic(ss, US"header_sender") == 0)
1603 {
1c41c9cc 1604 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3 1605 verify_header_sender = TRUE;
059ec3d9
PH
1606 }
1607
1608/* Otherwise, first item in verify argument must be "sender" or "recipient".
1609In the case of a sender, this can optionally be followed by an address to use
1610in place of the actual sender (rare special-case requirement). */
1611
1612else if (strncmpic(ss, US"sender", 6) == 0)
1613 {
1614 uschar *s = ss + 6;
1615 if (where > ACL_WHERE_NOTSMTP)
1616 {
1617 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1618 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1619 acl_wherenames[where]);
1620 return ERROR;
1621 }
1622 if (*s == 0)
1623 verify_sender_address = sender_address;
1624 else
1625 {
1626 while (isspace(*s)) s++;
1627 if (*s++ != '=') goto BAD_VERIFY;
1628 while (isspace(*s)) s++;
1629 verify_sender_address = string_copy(s);
1630 }
1631 }
1632else
1633 {
1634 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1635 if (addr == NULL)
1636 {
1637 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1638 "(only possible for RCPT)", acl_wherenames[where]);
1639 return ERROR;
1640 }
1641 }
1642
596875b3
PH
1643/* Remaining items are optional; they apply to sender and recipient
1644verification, including "header sender" verification. */
059ec3d9
PH
1645
1646while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1647 != NULL)
1648 {
1649 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1650 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1651 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH
1652
1653 /* These two old options are left for backwards compatibility */
1654
1655 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1656 {
1657 callout_defer_ok = TRUE;
1658 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1659 }
1660
1661 else if (strcmpic(ss, US"check_postmaster") == 0)
1662 {
1663 pm_mailfrom = US"";
1664 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1665 }
1666
1667 /* The callout option has a number of sub-options, comma separated */
1668
1669 else if (strncmpic(ss, US"callout", 7) == 0)
1670 {
1671 callout = CALLOUT_TIMEOUT_DEFAULT;
1672 ss += 7;
1673 if (*ss != 0)
1674 {
1675 while (isspace(*ss)) ss++;
1676 if (*ss++ == '=')
1677 {
1678 int optsep = ',';
1679 uschar *opt;
1680 uschar buffer[256];
1681 while (isspace(*ss)) ss++;
8e669ac1
PH
1682
1683 /* This callout option handling code has become a mess as new options
1684 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1685 kind of table-driven thing. */
8e669ac1 1686
059ec3d9
PH
1687 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1688 != NULL)
1689 {
1690 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1691 else if (strcmpic(opt, US"no_cache") == 0)
1692 verify_options |= vopt_callout_no_cache;
1693 else if (strcmpic(opt, US"random") == 0)
1694 verify_options |= vopt_callout_random;
1695 else if (strcmpic(opt, US"use_sender") == 0)
1696 verify_options |= vopt_callout_recipsender;
1697 else if (strcmpic(opt, US"use_postmaster") == 0)
1698 verify_options |= vopt_callout_recippmaster;
1699 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
2a4be8f9
PH
1700 else if (strcmpic(opt, US"fullpostmaster") == 0)
1701 {
1702 pm_mailfrom = US"";
1703 verify_options |= vopt_callout_fullpm;
1704 }
059ec3d9
PH
1705
1706 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1707 {
1708 if (!verify_header_sender)
1709 {
1710 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1711 "callout option only for verify=header_sender (detected in ACL "
1712 "condition \"%s\")", arg);
1713 return ERROR;
1714 }
1715 opt += 8;
1716 while (isspace(*opt)) opt++;
1717 if (*opt++ != '=')
1718 {
1719 *log_msgptr = string_sprintf("'=' expected after "
1720 "\"mailfrom\" in ACL condition \"%s\"", arg);
1721 return ERROR;
1722 }
1723 while (isspace(*opt)) opt++;
1724 se_mailfrom = string_copy(opt);
1725 }
1726
1727 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1728 {
1729 opt += 19;
1730 while (isspace(*opt)) opt++;
1731 if (*opt++ != '=')
1732 {
1733 *log_msgptr = string_sprintf("'=' expected after "
1734 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1735 return ERROR;
1736 }
1737 while (isspace(*opt)) opt++;
1738 pm_mailfrom = string_copy(opt);
1739 }
1740
1741 else if (strncmpic(opt, US"maxwait", 7) == 0)
1742 {
1743 opt += 7;
1744 while (isspace(*opt)) opt++;
1745 if (*opt++ != '=')
1746 {
1747 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1748 "ACL condition \"%s\"", arg);
1749 return ERROR;
1750 }
1751 while (isspace(*opt)) opt++;
1752 callout_overall = readconf_readtime(opt, 0, FALSE);
1753 if (callout_overall < 0)
1754 {
1755 *log_msgptr = string_sprintf("bad time value in ACL condition "
1756 "\"verify %s\"", arg);
1757 return ERROR;
1758 }
1759 }
4deaf07d
PH
1760 else if (strncmpic(opt, US"connect", 7) == 0)
1761 {
1762 opt += 7;
1763 while (isspace(*opt)) opt++;
1764 if (*opt++ != '=')
1765 {
1766 *log_msgptr = string_sprintf("'=' expected after "
1767 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1768 return ERROR;
1769 }
1770 while (isspace(*opt)) opt++;
1771 callout_connect = readconf_readtime(opt, 0, FALSE);
1772 if (callout_connect < 0)
1773 {
1774 *log_msgptr = string_sprintf("bad time value in ACL condition "
1775 "\"verify %s\"", arg);
1776 return ERROR;
1777 }
1778 }
059ec3d9
PH
1779 else /* Plain time is callout connect/command timeout */
1780 {
1781 callout = readconf_readtime(opt, 0, FALSE);
1782 if (callout < 0)
1783 {
1784 *log_msgptr = string_sprintf("bad time value in ACL condition "
1785 "\"verify %s\"", arg);
1786 return ERROR;
1787 }
1788 }
1789 }
1790 }
1791 else
1792 {
1793 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1794 "ACL condition \"%s\"", arg);
1795 return ERROR;
1796 }
1797 }
1798 }
1799
1800 /* Option not recognized */
1801
1802 else
1803 {
1804 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1805 "condition \"verify %s\"", ss, arg);
1806 return ERROR;
1807 }
1808 }
1809
1810if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1811 (vopt_callout_recipsender|vopt_callout_recippmaster))
1812 {
1813 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1814 "for a recipient callout";
1815 return ERROR;
1816 }
1817
1818/* Handle sender-in-header verification. Default the user message to the log
1819message if giving out verification details. */
1820
1821if (verify_header_sender)
1822 {
8e669ac1 1823 int verrno;
059ec3d9 1824 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH
1825 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1826 &verrno);
1827 if (rc != OK)
8e669ac1 1828 {
fe5b5d0b
PH
1829 *basic_errno = verrno;
1830 if (smtp_return_error_details)
1831 {
1832 if (*user_msgptr == NULL && *log_msgptr != NULL)
1833 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1834 if (rc == DEFER) acl_temp_details = TRUE;
1835 }
8e669ac1 1836 }
059ec3d9
PH
1837 }
1838
1839/* Handle a sender address. The default is to verify *the* sender address, but
1840optionally a different address can be given, for special requirements. If the
1841address is empty, we are dealing with a bounce message that has no sender, so
1842we cannot do any checking. If the real sender address gets rewritten during
1843verification (e.g. DNS widening), set the flag to stop it being rewritten again
1844during message reception.
1845
1846A list of verified "sender" addresses is kept to try to avoid doing to much
1847work repetitively when there are multiple recipients in a message and they all
1848require sender verification. However, when callouts are involved, it gets too
1849complicated because different recipients may require different callout options.
1850Therefore, we always do a full sender verify when any kind of callout is
1851specified. Caching elsewhere, for instance in the DNS resolver and in the
1852callout handling, should ensure that this is not terribly inefficient. */
1853
1854else if (verify_sender_address != NULL)
1855 {
1856 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1857 != 0)
1858 {
1859 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1860 "sender verify callout";
1861 return ERROR;
1862 }
1863
1864 sender_vaddr = verify_checked_sender(verify_sender_address);
1865 if (sender_vaddr != NULL && /* Previously checked */
1866 callout <= 0) /* No callout needed this time */
1867 {
1868 /* If the "routed" flag is set, it means that routing worked before, so
1869 this check can give OK (the saved return code value, if set, belongs to a
1870 callout that was done previously). If the "routed" flag is not set, routing
1871 must have failed, so we use the saved return code. */
1872
1873 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1874 {
1875 rc = sender_vaddr->special_action;
1876 *basic_errno = sender_vaddr->basic_errno;
1877 }
1878 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1879 }
1880
1881 /* Do a new verification, and cache the result. The cache is used to avoid
1882 verifying the sender multiple times for multiple RCPTs when callouts are not
1883 specified (see comments above).
1884
1885 The cache is also used on failure to give details in response to the first
1886 RCPT that gets bounced for this reason. However, this can be suppressed by
1887 the no_details option, which sets the flag that says "this detail has already
1888 been sent". The cache normally contains just one address, but there may be
1889 more in esoteric circumstances. */
1890
1891 else
1892 {
1893 BOOL routed = TRUE;
2a3eea10 1894 uschar *save_address_data = deliver_address_data;
8e669ac1 1895
059ec3d9
PH
1896 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1897 if (no_details) setflag(sender_vaddr, af_sverify_told);
1898 if (verify_sender_address[0] != 0)
1899 {
1900 /* If this is the real sender address, save the unrewritten version
1901 for use later in receive. Otherwise, set a flag so that rewriting the
1902 sender in verify_address() does not update sender_address. */
1903
1904 if (verify_sender_address == sender_address)
1905 sender_address_unrewritten = sender_address;
1906 else
1907 verify_options |= vopt_fake_sender;
1908
eafd343b
TK
1909 if (success_on_redirect)
1910 verify_options |= vopt_success_on_redirect;
1911
059ec3d9
PH
1912 /* The recipient, qualify, and expn options are never set in
1913 verify_options. */
1914
1915 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1916 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH
1917
1918 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1919
1920 if (rc == OK)
1921 {
1922 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1923 {
1924 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1925 verify_sender_address, sender_vaddr->address);
1926 }
1927 else
1928 {
1929 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1930 verify_sender_address);
1931 }
1932 }
1933 else *basic_errno = sender_vaddr->basic_errno;
1934 }
1935 else rc = OK; /* Null sender */
1936
1937 /* Cache the result code */
1938
1939 if (routed) setflag(sender_vaddr, af_verify_routed);
1940 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1941 sender_vaddr->special_action = rc;
1942 sender_vaddr->next = sender_verified_list;
1943 sender_verified_list = sender_vaddr;
8e669ac1
PH
1944
1945 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1946 the sender verification. */
8e669ac1 1947
2a3eea10 1948 deliver_address_data = save_address_data;
059ec3d9 1949 }
8e669ac1 1950
2a3eea10
PH
1951 /* Put the sender address_data value into $sender_address_data */
1952
8e669ac1 1953 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH
1954 }
1955
1956/* A recipient address just gets a straightforward verify; again we must handle
1957the DEFER overrides. */
1958
1959else
1960 {
1961 address_item addr2;
1962
eafd343b
TK
1963 if (success_on_redirect)
1964 verify_options |= vopt_success_on_redirect;
1965
059ec3d9
PH
1966 /* We must use a copy of the address for verification, because it might
1967 get rewritten. */
1968
1969 addr2 = *addr;
1970 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1971 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1972 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1973
42855d71 1974 *basic_errno = addr2.basic_errno;
059ec3d9 1975 *log_msgptr = addr2.message;
8e669ac1 1976 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1977 addr2.user_message : addr2.message;
42855d71
PH
1978
1979 /* Allow details for temporary error if the address is so flagged. */
1980 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH
1981
1982 /* Make $address_data visible */
1983 deliver_address_data = addr2.p.address_data;
1984 }
1985
1986/* We have a result from the relevant test. Handle defer overrides first. */
1987
1988if (rc == DEFER && (defer_ok ||
1989 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1990 {
1991 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1992 defer_ok? "defer_ok" : "callout_defer_ok");
1993 rc = OK;
1994 }
1995
1996/* If we've failed a sender, set up a recipient message, and point
1997sender_verified_failed to the address item that actually failed. */
1998
1999if (rc != OK && verify_sender_address != NULL)
2000 {
2001 if (rc != DEFER)
2002 {
2003 *log_msgptr = *user_msgptr = US"Sender verify failed";
2004 }
2005 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2006 {
2007 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2008 }
2009 else
2010 {
2011 *log_msgptr = US"Could not complete sender verify callout";
2012 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2013 *log_msgptr;
2014 }
2015
2016 sender_verified_failed = sender_vaddr;
2017 }
2018
2019/* Verifying an address messes up the values of $domain and $local_part,
2020so reset them before returning if this is a RCPT ACL. */
2021
2022if (addr != NULL)
2023 {
2024 deliver_domain = addr->domain;
2025 deliver_localpart = addr->local_part;
2026 }
2027return rc;
2028
2029/* Syntax errors in the verify argument come here. */
2030
2031BAD_VERIFY:
2032*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH
2033 "\"helo\", \"header_syntax\", \"header_sender\" or "
2034 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH
2035 "\"verify %s\"", arg);
2036return ERROR;
596875b3
PH
2037
2038/* Options supplied when not allowed come here */
2039
2040NO_OPTIONS:
2041*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
2042 "(this verify item has no options)", arg);
2043return ERROR;
1c41c9cc
PH
2044
2045/* Calls in the wrong ACL come here */
2046
2047WRONG_ACL:
2048*log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
2049 "(only possible in ACL for DATA)", acl_wherenames[where]);
2050return ERROR;
059ec3d9
PH
2051}
2052
2053
2054
2055
2056/*************************************************
2057* Check argument for control= modifier *
2058*************************************************/
2059
2060/* Called from acl_check_condition() below
2061
2062Arguments:
2063 arg the argument string for control=
2064 pptr set to point to the terminating character
2065 where which ACL we are in
2066 log_msgptr for error messages
2067
2068Returns: CONTROL_xxx value
2069*/
2070
2071static int
2072decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2073{
2074int len;
2075control_def *d;
2076
2077for (d = controls_list;
2078 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2079 d++)
2080 {
2081 len = Ustrlen(d->name);
2082 if (Ustrncmp(d->name, arg, len) == 0) break;
2083 }
2084
2085if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2086 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2087 {
2088 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2089 return CONTROL_ERROR;
2090 }
2091
059ec3d9
PH
2092*pptr = arg + len;
2093return d->value;
2094}
2095
2096
2097
c99ce5c9
TF
2098
2099/*************************************************
2100* Return a ratelimit error *
2101*************************************************/
2102
2103/* Called from acl_ratelimit() below
2104
2105Arguments:
2106 log_msgptr for error messages
2107 format format string
2108 ... supplementary arguments
2109 ss ratelimit option name
2110 where ACL_WHERE_xxxx indicating which ACL this is
2111
2112Returns: ERROR
2113*/
2114
2115static int
2116ratelimit_error(uschar **log_msgptr, const char *format, ...)
2117{
2118va_list ap;
2119uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2120va_start(ap, format);
2121if (!string_vformat(buffer, sizeof(buffer), format, ap))
2122 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2123 "string_sprintf expansion was longer than %d", sizeof(buffer));
2124va_end(ap);
2125*log_msgptr = string_sprintf(
2126 "error in arguments to \"ratelimit\" condition: %s", buffer);
2127return ERROR;
2128}
2129
2130
2131
2132
059ec3d9 2133/*************************************************
870f6ba8
TF
2134* Handle rate limiting *
2135*************************************************/
2136
2137/* Called by acl_check_condition() below to calculate the result
2138of the ACL ratelimit condition.
2139
2140Note that the return value might be slightly unexpected: if the
2141sender's rate is above the limit then the result is OK. This is
2142similar to the dnslists condition, and is so that you can write
2143ACL clauses like: defer ratelimit = 15 / 1h
2144
2145Arguments:
2146 arg the option string for ratelimit=
90fc3069 2147 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF
2148 log_msgptr for error messages
2149
2150Returns: OK - Sender's rate is above limit
2151 FAIL - Sender's rate is below limit
2152 DEFER - Problem opening ratelimit database
2153 ERROR - Syntax error in options.
2154*/
2155
2156static int
90fc3069 2157acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8 2158{
c99ce5c9 2159double limit, period, count;
8f240103
PH
2160uschar *ss;
2161uschar *key = NULL;
c99ce5c9 2162uschar *unique = NULL;
870f6ba8 2163int sep = '/';
c99ce5c9
TF
2164BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2165BOOL noupdate = FALSE, badacl = FALSE;
2166int mode = RATE_PER_WHAT;
870f6ba8
TF
2167int old_pool, rc;
2168tree_node **anchor, *t;
2169open_db dbblock, *dbm;
c99ce5c9 2170int dbdb_size;
870f6ba8 2171dbdata_ratelimit *dbd;
c99ce5c9 2172dbdata_ratelimit_unique *dbdb;
870f6ba8
TF
2173struct timeval tv;
2174
2175/* Parse the first two options and record their values in expansion
2176variables. These variables allow the configuration to have informative
2177error messages based on rate limits obtained from a table lookup. */
2178
c99ce5c9 2179/* First is the maximum number of messages per period / maximum burst
870f6ba8
TF
2180size, which must be greater than or equal to zero. Zero is useful for
2181rate measurement as opposed to rate limiting. */
2182
2183sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2184if (sender_rate_limit == NULL)
2185 limit = -1.0;
2186else
2187 {
2188 limit = Ustrtod(sender_rate_limit, &ss);
2189 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2190 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2191 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2192 }
c99ce5c9
TF
2193if (limit < 0.0 || *ss != '\0')
2194 return ratelimit_error(log_msgptr,
2195 "\"%s\" is not a positive number", sender_rate_limit);
870f6ba8 2196
c99ce5c9 2197/* Second is the rate measurement period / exponential smoothing time
870f6ba8
TF
2198constant. This must be strictly greater than zero, because zero leads to
2199run-time division errors. */
2200
2201sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2202if (sender_rate_period == NULL) period = -1.0;
2203else period = readconf_readtime(sender_rate_period, 0, FALSE);
2204if (period <= 0.0)
c99ce5c9
TF
2205 return ratelimit_error(log_msgptr,
2206 "\"%s\" is not a time value", sender_rate_period);
2207
2208/* By default we are counting one of something, but the per_rcpt,
2209per_byte, and count options can change this. */
2210
2211count = 1.0;
870f6ba8 2212
c99ce5c9 2213/* Parse the other options. */
870f6ba8
TF
2214
2215while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2216 != NULL)
2217 {
2218 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2219 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2220 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
c99ce5c9
TF
2221 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2222 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2223 else if (strcmpic(ss, US"per_conn") == 0)
2224 {
2225 RATE_SET(mode, PER_CONN);
2226 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2227 badacl = TRUE;
2228 }
2229 else if (strcmpic(ss, US"per_mail") == 0)
2230 {
2231 RATE_SET(mode, PER_MAIL);
2232 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2233 }
2234 else if (strcmpic(ss, US"per_rcpt") == 0)
2235 {
2236 /* If we are running in the RCPT ACL, then we'll count the recipients
2237 one by one, but if we are running when we have accumulated the whole
2238 list then we'll add them all in one batch. */
2239 if (where == ACL_WHERE_RCPT)
2240 RATE_SET(mode, PER_RCPT);
2241 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2242 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2243 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2244 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2245 }
2246 else if (strcmpic(ss, US"per_byte") == 0)
2247 {
2248 /* If we have not yet received the message data and there was no SIZE
2249 declaration on the MAIL comand, then it's safe to just use a value of
2250 zero and let the recorded rate decay as if nothing happened. */
2251 RATE_SET(mode, PER_MAIL);
2252 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2253 else count = message_size < 0 ? 0.0 : (double)message_size;
2254 }
2255 else if (strcmpic(ss, US"per_addr") == 0)
2256 {
2257 RATE_SET(mode, PER_RCPT);
2258 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = "*";
2259 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2260 }
2261 else if (strncmpic(ss, US"count=", 6) == 0)
2262 {
2263 uschar *e;
2264 count = Ustrtod(ss+6, &e);
2265 if (count < 0.0 || *e != '\0')
2266 return ratelimit_error(log_msgptr,
2267 "\"%s\" is not a positive number", ss);
2268 }
2269 else if (strncmpic(ss, US"unique=", 7) == 0)
2270 unique = string_copy(ss + 7);
2271 else if (key == NULL)
2272 key = string_copy(ss);
2273 else
2274 key = string_sprintf("%s/%s", key, ss);
870f6ba8
TF
2275 }
2276
c99ce5c9
TF
2277/* Sanity check. When the badacl flag is set the update mode must either
2278be readonly (which is the default if it is omitted) or, for backwards
2279compatibility, a combination of noupdate and strict or leaky. */
2280
2281if (mode == RATE_PER_CLASH)
2282 return ratelimit_error(log_msgptr, "conflicting per_* options");
2283if (leaky + strict + readonly > 1)
2284 return ratelimit_error(log_msgptr, "conflicting update modes");
2285if (badacl && (leaky || strict) && !noupdate)
2286 return ratelimit_error(log_msgptr,
2287 "\"%s\" must not have /leaky or /strict option in %s ACL",
2288 ratelimit_option_string[mode], acl_wherenames[where]);
2289
2290/* Set the default values of any unset options. In readonly mode we
2291perform the rate computation without any increment so that its value
2292decays to eventually allow over-limit senders through. */
2293
2294if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2295if (badacl) readonly = TRUE;
2296if (readonly) count = 0.0;
2297if (!strict && !readonly) leaky = TRUE;
2298if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
870f6ba8 2299
8f240103
PH
2300/* Create the lookup key. If there is no explicit key, use sender_host_address.
2301If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2302omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2303are added to the key because they alter the meaning of the stored data. */
2304
2305if (key == NULL)
2306 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2307
c99ce5c9 2308key = string_sprintf("%s/%s/%s%s",
8f240103 2309 sender_rate_period,
c99ce5c9
TF
2310 ratelimit_option_string[mode],
2311 unique == NULL ? "" : "unique/",
8f240103 2312 key);
870f6ba8 2313
c99ce5c9
TF
2314HDEBUG(D_acl)
2315 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
870f6ba8 2316
8f240103
PH
2317/* See if we have already computed the rate by looking in the relevant tree.
2318For per-connection rate limiting, store tree nodes and dbdata in the permanent
c99ce5c9
TF
2319pool so that they survive across resets. In readonly mode we only remember the
2320result for the rest of this command in case a later command changes it. After
2321this bit of logic the code is independent of the per_* mode. */
870f6ba8 2322
870f6ba8
TF
2323old_pool = store_pool;
2324
c99ce5c9
TF
2325if (readonly)
2326 anchor = &ratelimiters_cmd;
2327else switch(mode) {
2328case RATE_PER_CONN:
870f6ba8
TF
2329 anchor = &ratelimiters_conn;
2330 store_pool = POOL_PERM;
c99ce5c9
TF
2331 break;
2332case RATE_PER_BYTE:
2333case RATE_PER_MAIL:
2334case RATE_PER_ALLRCPTS:
870f6ba8 2335 anchor = &ratelimiters_mail;
c99ce5c9
TF
2336 break;
2337case RATE_PER_ADDR:
2338case RATE_PER_CMD:
2339case RATE_PER_RCPT:
fe0dab11 2340 anchor = &ratelimiters_cmd;
c99ce5c9
TF
2341 break;
2342default:
3399bb60 2343 anchor = NULL; /* silence an "unused" complaint */
c99ce5c9
TF
2344 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2345 "internal ACL error: unknown ratelimit mode %d", mode);
2346 break;
2347}
870f6ba8 2348
c99ce5c9
TF
2349t = tree_search(*anchor, key);
2350if (t != NULL)
870f6ba8
TF
2351 {
2352 dbd = t->data.ptr;
2353 /* The following few lines duplicate some of the code below. */
8f240103 2354 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF
2355 store_pool = old_pool;
2356 sender_rate = string_sprintf("%.1f", dbd->rate);
2357 HDEBUG(D_acl)
2358 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2359 return rc;
2360 }
2361
c99ce5c9
TF
2362/* We aren't using a pre-computed rate, so get a previously recorded rate
2363from the database, which will be updated and written back if required. */
870f6ba8
TF
2364
2365dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2366if (dbm == NULL)
2367 {
2368 store_pool = old_pool;
2369 sender_rate = NULL;
2370 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2371 *log_msgptr = US"ratelimit database not available";
2372 return DEFER;
2373 }
c99ce5c9
TF
2374dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2375dbd = NULL;
870f6ba8
TF
2376
2377gettimeofday(&tv, NULL);
2378
c99ce5c9
TF
2379if (dbdb != NULL)
2380 {
2381 /* Locate the basic ratelimit block inside the DB data. */
2382 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2383 dbd = &dbdb->dbd;
2384
2385 /* Forget the old Bloom filter if it is too old, so that we count each
2386 repeating event once per period. We don't simply clear and re-use the old
2387 filter because we want its size to change if the limit changes. Note that
2388 we keep the dbd pointer for copying the rate into the new data block. */
2389
2390 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2391 {
2392 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2393 dbdb = NULL;
2394 }
2395
2396 /* Sanity check. */
2397
2398 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2399 {
2400 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2401 dbdb = NULL;
2402 }
2403 }
2404
2405/* Allocate a new data block if the database lookup failed
2406or the Bloom filter passed its age limit. */
2407
2408if (dbdb == NULL)
2409 {
2410 if (unique == NULL)
2411 {
2412 /* No Bloom filter. This basic ratelimit block is initialized below. */
2413 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2414 dbdb_size = sizeof(*dbd);
2415 dbdb = store_get(dbdb_size);
2416 }
2417 else
2418 {
2419 int extra;
2420 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2421
2422 /* See the long comment below for an explanation of the magic number 2.
2423 The filter has a minimum size in case the rate limit is very small;
2424 this is determined by the definition of dbdata_ratelimit_unique. */
2425
2426 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2427 if (extra < 0) extra = 0;
2428 dbdb_size = sizeof(*dbdb) + extra;
2429 dbdb = store_get(dbdb_size);
2430 dbdb->bloom_epoch = tv.tv_sec;
2431 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2432 memset(dbdb->bloom, 0, dbdb->bloom_size);
2433
2434 /* Preserve any basic ratelimit data (which is our longer-term memory)
2435 by copying it from the discarded block. */
2436
2437 if (dbd != NULL)
2438 {
2439 dbdb->dbd = *dbd;
2440 dbd = &dbdb->dbd;
2441 }
2442 }
2443 }
2444
2445/* If we are counting unique events, find out if this event is new or not.
2446If the client repeats the event during the current period then it should be
2447counted. We skip this code in readonly mode for efficiency, because any
2448changes to the filter will be discarded and because count is already set to
2449zero. */
2450
2451if (unique != NULL && !readonly)
2452 {
2453 /* We identify unique events using a Bloom filter. (You can find my
2454 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2455 With the per_addr option, an "event" is a recipient address, though the
2456 user can use the unique option to define their own events. We only count
2457 an event if we have not seen it before.
2458
2459 We size the filter according to the rate limit, which (in leaky mode)
2460 is the limit on the population of the filter. We allow 16 bits of space
2461 per entry (see the construction code above) and we set (up to) 8 of them
2462 when inserting an element (see the loop below). The probability of a false
2463 positive (an event we have not seen before but which we fail to count) is
2464
2465 size = limit * 16
2466 numhash = 8
2467 allzero = exp(-numhash * pop / size)
2468 = exp(-0.5 * pop / limit)
2469 fpr = pow(1 - allzero, numhash)
2470
2471 For senders at the limit the fpr is 0.06% or 1 in 1700
2472 and for senders at half the limit it is 0.0006% or 1 in 170000
2473
2474 In strict mode the Bloom filter can fill up beyond the normal limit, in
2475 which case the false positive rate will rise. This means that the
2476 measured rate for very fast senders can bogusly drop off after a while.
2477
2478 At twice the limit, the fpr is 2.5% or 1 in 40
2479 At four times the limit, it is 31% or 1 in 3.2
2480
2481 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2482 decay below the limit, and if this is more than one then the Bloom filter
2483 will be discarded before the decay gets that far. The false positive rate
2484 at this threshold is 9.3% or 1 in 10.7. */
2485
2486 BOOL seen;
2487 unsigned n, hash, hinc;
2488 uschar md5sum[16];
2489 md5 md5info;
2490
2491 /* Instead of using eight independent hash values, we combine two values
2492 using the formula h1 + n * h2. This does not harm the Bloom filter's
2493 performance, and means the amount of hash we need is independent of the
2494 number of bits we set in the filter. */
2495
2496 md5_start(&md5info);
2497 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2498 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2499 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2500
2501 /* Scan the bits corresponding to this event. A zero bit means we have
2502 not seen it before. Ensure all bits are set to record this event. */
2503
2504 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2505
2506 seen = TRUE;
2507 for (n = 0; n < 8; n++, hash += hinc)
2508 {
2509 int bit = 1 << (hash % 8);
2510 int byte = (hash / 8) % dbdb->bloom_size;
2511 if ((dbdb->bloom[byte] & bit) == 0)
2512 {
2513 dbdb->bloom[byte] |= bit;
2514 seen = FALSE;
2515 }
2516 }
2517
2518 /* If this event has occurred before, do not count it. */
2519
2520 if (seen)
2521 {
2522 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2523 count = 0.0;
2524 }
2525 else
2526 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2527 }
2528
2529/* If there was no previous ratelimit data block for this key, initialize
2530the new one, otherwise update the block from the database. The initial rate
2531is what would be computed by the code below for an infinite interval. */
2532
870f6ba8
TF
2533if (dbd == NULL)
2534 {
c99ce5c9
TF
2535 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2536 dbd = &dbdb->dbd;
870f6ba8
TF
2537 dbd->time_stamp = tv.tv_sec;
2538 dbd->time_usec = tv.tv_usec;
c99ce5c9 2539 dbd->rate = count;
870f6ba8
TF
2540 }
2541else
2542 {
2543 /* The smoothed rate is computed using an exponentially weighted moving
2544 average adjusted for variable sampling intervals. The standard EWMA for
2545 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2546 where f() is the measured value and f'() is the smoothed value.
2547
2548 Old data decays out of the smoothed value exponentially, such that data n
2549 samples old is multiplied by a^n. The exponential decay time constant p
2550 is defined such that data p samples old is multiplied by 1/e, which means
2551 that a = exp(-1/p). We can maintain the same time constant for a variable
2552 sampling interval i by using a = exp(-i/p).
2553
2554 The rate we are measuring is messages per period, suitable for directly
2555 comparing with the limit. The average rate between now and the previous
2556 message is period / interval, which we feed into the EWMA as the sample.
2557
2558 It turns out that the number of messages required for the smoothed rate
2559 to reach the limit when they are sent in a burst is equal to the limit.
2560 This can be seen by analysing the value of the smoothed rate after N
2561 messages sent at even intervals. Let k = (1 - a) * p/i
2562
2563 rate_1 = (1 - a) * p/i + a * rate_0
2564 = k + a * rate_0
2565 rate_2 = k + a * rate_1
2566 = k + a * k + a^2 * rate_0
2567 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2568 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2569 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2570 = rate_0 * a^N + p/i * (1 - a^N)
2571
2572 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2573
2574 rate_N = p/i + (rate_0 - p/i) * a^N
2575 a^N = (rate_N - p/i) / (rate_0 - p/i)
2576 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2577 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2578
2579 Numerical analysis of the above equation, setting the computed rate to
2580 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2581 rates, p/i, the number of messages N = limit. So limit serves as both the
2582 maximum rate measured in messages per period, and the maximum number of
2583 messages that can be sent in a fast burst. */
2584
2585 double this_time = (double)tv.tv_sec
2586 + (double)tv.tv_usec / 1000000.0;
2587 double prev_time = (double)dbd->time_stamp
2588 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF
2589
2590 /* We must avoid division by zero, and deal gracefully with the clock going
2591 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2592 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2593
e5d5a95f
TF
2594 double interval = this_time - prev_time <= 0.0 ? 1e-9
2595 : this_time - prev_time;
2596
2597 double i_over_p = interval / period;
2598 double a = exp(-i_over_p);
870f6ba8 2599
c99ce5c9
TF
2600 /* Combine the instantaneous rate (period / interval) with the previous rate
2601 using the smoothing factor a. In order to measure sized events, multiply the
2602 instantaneous rate by the count of bytes or recipients etc. */
2603
870f6ba8
TF
2604 dbd->time_stamp = tv.tv_sec;
2605 dbd->time_usec = tv.tv_usec;
c99ce5c9
TF
2606 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2607
2608 /* When events are very widely spaced the computed rate tends towards zero.
2609 Although this is accurate it turns out not to be useful for our purposes,
2610 especially when the first event after a long silence is the start of a spam
2611 run. A more useful model is that the rate for an isolated event should be the
2612 size of the event per the period size, ignoring the lack of events outside
2613 the current period and regardless of where the event falls in the period. So,
2614 if the interval was so long that the calculated rate is unhelpfully small, we
2615 re-intialize the rate. In the absence of higher-rate bursts, the condition
2616 below is true if the interval is greater than the period. */
2617
2618 if (dbd->rate < count) dbd->rate = count;
870f6ba8
TF
2619 }
2620
c99ce5c9
TF
2621/* Clients sending at the limit are considered to be over the limit.
2622This matters for edge cases such as a limit of zero, when the client
2623should be completely blocked. */
3348576f 2624
8f240103 2625rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF
2626
2627/* Update the state if the rate is low or if we are being strict. If we
2628are in leaky mode and the sender's rate is too high, we do not update
2629the recorded rate in order to avoid an over-aggressive sender's retry
c99ce5c9
TF
2630rate preventing them from getting any email through. If readonly is set,
2631neither leaky nor strict are set, so we do not do any updates. */
870f6ba8 2632
c99ce5c9 2633if ((rc == FAIL && leaky) || strict)
8f240103 2634 {
c99ce5c9 2635 dbfn_write(dbm, key, dbdb, dbdb_size);
8f240103
PH
2636 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2637 }
2638else
2639 {
2640 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
c99ce5c9 2641 readonly? "readonly mode" : "over the limit, but leaky");
8f240103
PH
2642 }
2643
870f6ba8
TF
2644dbfn_close(dbm);
2645
c99ce5c9 2646/* Store the result in the tree for future reference. */
870f6ba8 2647
c99ce5c9
TF
2648t = store_get(sizeof(tree_node) + Ustrlen(key));
2649t->data.ptr = dbd;
2650Ustrcpy(t->name, key);
2651(void)tree_insertnode(anchor, t);
870f6ba8
TF
2652
2653/* We create the formatted version of the sender's rate very late in
2654order to ensure that it is done using the correct storage pool. */
2655
2656store_pool = old_pool;
2657sender_rate = string_sprintf("%.1f", dbd->rate);
2658
2659HDEBUG(D_acl)
2660 debug_printf("ratelimit computed rate %s\n", sender_rate);
2661
2662return rc;
2663}
2664
2665
2666
2667/*************************************************
059ec3d9
PH
2668* Handle conditions/modifiers on an ACL item *
2669*************************************************/
2670
2671/* Called from acl_check() below.
2672
2673Arguments:
2674 verb ACL verb
2675 cb ACL condition block - if NULL, result is OK
2676 where where called from
2677 addr the address being checked for RCPT, or NULL
2678 level the nesting level
2679 epp pointer to pass back TRUE if "endpass" encountered
2680 (applies only to "accept" and "discard")
2681 user_msgptr user message pointer
2682 log_msgptr log message pointer
2683 basic_errno pointer to where to put verify error
2684
2685Returns: OK - all conditions are met
2686 DISCARD - an "acl" condition returned DISCARD - only allowed
2687 for "accept" or "discard" verbs
2688 FAIL - at least one condition fails
2689 FAIL_DROP - an "acl" condition returned FAIL_DROP
2690 DEFER - can't tell at the moment (typically, lookup defer,
2691 but can be temporary callout problem)
2692 ERROR - ERROR from nested ACL or expansion failure or other
2693 error
2694*/
2695
2696static int
2697acl_check_condition(int verb, acl_condition_block *cb, int where,
2698 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2699 uschar **log_msgptr, int *basic_errno)
2700{
2701uschar *user_message = NULL;
2702uschar *log_message = NULL;
ed7f7860
PP
2703uschar *debug_tag = NULL;
2704uschar *debug_opts = NULL;
91ecef39 2705uschar *p = NULL;
059ec3d9 2706int rc = OK;
8523533c
TK
2707#ifdef WITH_CONTENT_SCAN
2708int sep = '/';
2709#endif
059ec3d9
PH
2710
2711for (; cb != NULL; cb = cb->next)
2712 {
2713 uschar *arg;
8e669ac1 2714 int control_type;
059ec3d9
PH
2715
2716 /* The message and log_message items set up messages to be used in
2717 case of rejection. They are expanded later. */
2718
2719 if (cb->type == ACLC_MESSAGE)
2720 {
2721 user_message = cb->arg;
2722 continue;
2723 }
2724
2725 if (cb->type == ACLC_LOG_MESSAGE)
2726 {
2727 log_message = cb->arg;
2728 continue;
2729 }
2730
2731 /* The endpass "condition" just sets a flag to show it occurred. This is
2732 checked at compile time to be on an "accept" or "discard" item. */
2733
2734 if (cb->type == ACLC_ENDPASS)
2735 {
2736 *epp = TRUE;
2737 continue;
2738 }
2739
2740 /* For other conditions and modifiers, the argument is expanded now for some
2741 of them, but not for all, because expansion happens down in some lower level
2742 checking functions in some cases. */
2743
2744 if (cond_expand_at_top[cb->type])
2745 {
2746 arg = expand_string(cb->arg);
2747 if (arg == NULL)
2748 {
2749 if (expand_string_forcedfail) continue;
2750 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2751 cb->arg, expand_string_message);
2752 return search_find_defer? DEFER : ERROR;
2753 }
2754 }
2755 else arg = cb->arg;
2756
2757 /* Show condition, and expanded condition if it's different */
2758
2759 HDEBUG(D_acl)
2760 {
2761 int lhswidth = 0;
2762 debug_printf("check %s%s %n",
2763 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2764 conditions[cb->type], &lhswidth);
2765
2766 if (cb->type == ACLC_SET)
2767 {
38a0a95f
PH
2768 debug_printf("acl_%s ", cb->u.varname);
2769 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH
2770 }
2771
2772 debug_printf("= %s\n", cb->arg);
2773
2774 if (arg != cb->arg)
2775 debug_printf("%.*s= %s\n", lhswidth,
2776 US" ", CS arg);
2777 }
2778
2779 /* Check that this condition makes sense at this time */
2780
2781 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2782 {
2783 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2784 cond_modifiers[cb->type]? "use" : "test",
2785 conditions[cb->type], acl_wherenames[where]);
2786 return ERROR;
2787 }
2788
2789 /* Run the appropriate test for each condition, or take the appropriate
2790 action for the remaining modifiers. */
2791
2792 switch(cb->type)
2793 {
71fafd95
PH
2794 case ACLC_ADD_HEADER:
2795 setup_header(arg);
2796 break;
2797
059ec3d9
PH
2798 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2799 "discard" verb. */
71fafd95 2800
059ec3d9
PH
2801 case ACLC_ACL:
2802 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2803 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2804 {
2805 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2806 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2807 verbs[verb]);
2808 return ERROR;
2809 }
2810 break;
2811
2812 case ACLC_AUTHENTICATED:
2813 rc = (sender_host_authenticated == NULL)? FAIL :
2814 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2815 TRUE, NULL);
2816 break;
2817
71fafd95 2818 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK
2819 case ACLC_BMI_OPTIN:
2820 {
2821 int old_pool = store_pool;
2822 store_pool = POOL_PERM;
2823 bmi_current_optin = string_copy(arg);
2824 store_pool = old_pool;
2825 }
2826 break;
71fafd95 2827 #endif
8523533c 2828
059ec3d9 2829 case ACLC_CONDITION:
f3766eb5
NM
2830 /* The true/false parsing here should be kept in sync with that used in
2831 expand.c when dealing with ECOND_BOOL so that we don't have too many
2832 different definitions of what can be a boolean. */
059ec3d9
PH
2833 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2834 rc = (Uatoi(arg) == 0)? FAIL : OK;
2835 else
2836 rc = (strcmpic(arg, US"no") == 0 ||
2837 strcmpic(arg, US"false") == 0)? FAIL :
2838 (strcmpic(arg, US"yes") == 0 ||
2839 strcmpic(arg, US"true") == 0)? OK : DEFER;
2840 if (rc == DEFER)
2841 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2842 break;
2843
c3611384
PH
2844 case ACLC_CONTINUE: /* Always succeeds */
2845 break;
2846
059ec3d9 2847 case ACLC_CONTROL:
c5fcb476
PH
2848 control_type = decode_control(arg, &p, where, log_msgptr);
2849
8523533c 2850 /* Check if this control makes sense at this time */
c5fcb476
PH
2851
2852 if ((control_forbids[control_type] & (1 << where)) != 0)
2853 {
2854 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2855 controls[control_type], acl_wherenames[where]);
2856 return ERROR;
8e669ac1 2857 }
c5fcb476
PH
2858
2859 switch(control_type)
059ec3d9 2860 {
c46782ef
PH
2861 case CONTROL_AUTH_UNADVERTISED:
2862 allow_auth_unadvertised = TRUE;
2863 break;
2864
2865 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK
2866 case CONTROL_BMI_RUN:
2867 bmi_run = 1;
2868 break;
c46782ef
PH
2869 #endif
2870
80a47a2c 2871 #ifndef DISABLE_DKIM
f7572e5a 2872 case CONTROL_DKIM_VERIFY:
80a47a2c 2873 dkim_disable_verify = TRUE;
f7572e5a
TK
2874 break;
2875 #endif
2876
059ec3d9
PH
2877 case CONTROL_ERROR:
2878 return ERROR;
2879
2880 case CONTROL_CASEFUL_LOCAL_PART:
2881 deliver_localpart = addr->cc_local_part;
2882 break;
2883
2884 case CONTROL_CASELOWER_LOCAL_PART:
2885 deliver_localpart = addr->lc_local_part;
2886 break;
2887
2888 case CONTROL_ENFORCE_SYNC:
2889 smtp_enforce_sync = TRUE;
2890 break;
2891
2892 case CONTROL_NO_ENFORCE_SYNC:
2893 smtp_enforce_sync = FALSE;
2894 break;
2895
c46782ef 2896 #ifdef WITH_CONTENT_SCAN
8523533c
TK
2897 case CONTROL_NO_MBOX_UNSPOOL:
2898 no_mbox_unspool = TRUE;
2899 break;
c46782ef 2900 #endif
8523533c 2901
059ec3d9
PH
2902 case CONTROL_NO_MULTILINE:
2903 no_multiline_responses = TRUE;
2904 break;
2905
cf8b11a5
PH
2906 case CONTROL_NO_PIPELINING:
2907 pipelining_enable = FALSE;
2908 break;
2909
047bdd8c
PH
2910 case CONTROL_NO_DELAY_FLUSH:
2911 disable_delay_flush = TRUE;
2912 break;
2913
4c590bd1
PH
2914 case CONTROL_NO_CALLOUT_FLUSH:
2915 disable_callout_flush = TRUE;
2916 break;
2917
29aba418 2918 case CONTROL_FAKEDEFER:
8523533c 2919 case CONTROL_FAKEREJECT:
29aba418 2920 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2921 if (*p == '/')
8e669ac1 2922 {
8523533c 2923 uschar *pp = p + 1;
8e669ac1 2924 while (*pp != 0) pp++;
29aba418 2925 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK
2926 p = pp;
2927 }
2928 else
2929 {
2930 /* Explicitly reset to default string */
29aba418 2931 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK
2932 }
2933 break;
8523533c 2934
059ec3d9
PH
2935 case CONTROL_FREEZE:
2936 deliver_freeze = TRUE;
2937 deliver_frozen_at = time(NULL);
6a3f1455
PH
2938 freeze_tell = freeze_tell_config; /* Reset to configured value */
2939 if (Ustrncmp(p, "/no_tell", 8) == 0)
2940 {
2941 p += 8;
2942 freeze_tell = NULL;
2943 }
2944 if (*p != 0)
2945 {
2946 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2947 return ERROR;
2948 }
059ec3d9
PH
2949 break;
2950
2951 case CONTROL_QUEUE_ONLY:
2952 queue_only_policy = TRUE;
2953 break;
2954
2955 case CONTROL_SUBMISSION:
87ba3f5f 2956 originator_name = US"";
059ec3d9 2957 submission_mode = TRUE;
69358f02 2958 while (*p == '/')
8e669ac1 2959 {
69358f02
PH
2960 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2961 {
2962 p += 14;
2963 active_local_sender_retain = TRUE;
8e669ac1
PH
2964 active_local_from_check = FALSE;
2965 }
69358f02
PH
2966 else if (Ustrncmp(p, "/domain=", 8) == 0)
2967 {
2968 uschar *pp = p + 8;
8e669ac1 2969 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH
2970 submission_domain = string_copyn(p+8, pp-p-8);
2971 p = pp;
2972 }
8857ccfd
PH
2973 /* The name= option must be last, because it swallows the rest of
2974 the string. */
87ba3f5f
PH
2975 else if (Ustrncmp(p, "/name=", 6) == 0)
2976 {
2977 uschar *pp = p + 6;
8857ccfd 2978 while (*pp != 0) pp++;
2fe1a124 2979 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 2980 big_buffer, big_buffer_size));
8e669ac1 2981 p = pp;
69358f02 2982 }
8e669ac1
PH
2983 else break;
2984 }
69358f02 2985 if (*p != 0)
059ec3d9 2986 {
69358f02 2987 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH
2988 return ERROR;
2989 }
2990 break;
8800895a 2991
ed7f7860
PP
2992 case CONTROL_DEBUG:
2993 while (*p == '/')
2994 {
2995 if (Ustrncmp(p, "/tag=", 5) == 0)
2996 {
2997 uschar *pp = p + 5;
2998 while (*pp != '\0' && *pp != '/') pp++;
2999 debug_tag = string_copyn(p+5, pp-p-5);
3000 p = pp;
3001 }
3002 else if (Ustrncmp(p, "/opts=", 6) == 0)
3003 {
3004 uschar *pp = p + 6;
3005 while (*pp != '\0' && *pp != '/') pp++;
3006 debug_opts = string_copyn(p+6, pp-p-6);
3007 p = pp;
3008 }
3009 }
3010 debug_logging_activate(debug_tag, debug_opts);
3011 break;
3012
8800895a
PH
3013 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3014 suppress_local_fixups = TRUE;
3015 break;
059ec3d9
PH
3016 }
3017 break;
3018
6a8f9482
TK
3019 #ifdef EXPERIMENTAL_DCC
3020 case ACLC_DCC:
3021 {
3022 /* Seperate the regular expression and any optional parameters. */
3023 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3024 /* Run the dcc backend. */
3025 rc = dcc_process(&ss);
3026 /* Modify return code based upon the existance of options. */
3027 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3028 != NULL) {
3029 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3030 {
3031 /* FAIL so that the message is passed to the next ACL */
3032 rc = FAIL;
3033 }
3034 }
3035 }
3036 break;
3037 #endif
3038
71fafd95 3039 #ifdef WITH_CONTENT_SCAN
8523533c
TK
3040 case ACLC_DECODE:
3041 rc = mime_decode(&arg);
3042 break;
71fafd95 3043 #endif
8523533c 3044
059ec3d9
PH
3045 case ACLC_DELAY:
3046 {
3047 int delay = readconf_readtime(arg, 0, FALSE);
3048 if (delay < 0)
3049 {
3050 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3051 "modifier: \"%s\" is not a time value", arg);
3052 return ERROR;
3053 }
3054 else
3055 {
3056 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3057 delay);
3058 if (host_checking)
3059 {
3060 HDEBUG(D_acl)
3061 debug_printf("delay skipped in -bh checking mode\n");
3062 }
010c2d14
PH
3063
3064 /* It appears to be impossible to detect that a TCP/IP connection has
3065 gone away without reading from it. This means that we cannot shorten
3066 the delay below if the client goes away, because we cannot discover
3067 that the client has closed its end of the connection. (The connection
3068 is actually in a half-closed state, waiting for the server to close its
3069 end.) It would be nice to be able to detect this state, so that the
3070 Exim process is not held up unnecessarily. However, it seems that we
3071 can't. The poll() function does not do the right thing, and in any case
3072 it is not always available.
3073
047bdd8c 3074 NOTE 1: If ever this state of affairs changes, remember that we may be
010c2d14 3075 dealing with stdin/stdout here, in addition to TCP/IP connections.
047bdd8c
PH
3076 Also, delays may be specified for non-SMTP input, where smtp_out and
3077 smtp_in will be NULL. Whatever is done must work in all cases.
3078
3079 NOTE 2: The added feature of flushing the output before a delay must
3080 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3081 */
010c2d14 3082
8e669ac1 3083 else
86b8287f 3084 {
14f4a80d 3085 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
86b8287f 3086 while (delay > 0) delay = sleep(delay);
8e669ac1 3087 }
059ec3d9
PH
3088 }
3089 }
3090 break;
3091
71fafd95 3092 #ifdef WITH_OLD_DEMIME
8523533c
TK
3093 case ACLC_DEMIME:
3094 rc = demime(&arg);
3095 break;
71fafd95 3096 #endif
8523533c 3097
80a47a2c
TK
3098 #ifndef DISABLE_DKIM
3099 case ACLC_DKIM_SIGNER:
9e5d6b55
TK
3100 if (dkim_cur_signer != NULL)
3101 rc = match_isinlist(dkim_cur_signer,
80a47a2c 3102 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
80a47a2c 3103 else
80a47a2c 3104 rc = FAIL;
71fafd95
PH
3105 break;
3106
80a47a2c
TK
3107 case ACLC_DKIM_STATUS:
3108 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3109 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
71fafd95
PH
3110 break;
3111 #endif
fb2274d4 3112
059ec3d9
PH
3113 case ACLC_DNSLISTS:
3114 rc = verify_check_dnsbl(&arg);
3115 break;
3116
3117 case ACLC_DOMAINS:
3118 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3119 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3120 break;
3121
3122 /* The value in tls_cipher is the full cipher name, for example,
3123 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3124 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3125 what may in practice come out of the SSL library - which at the time of
3126 writing is poorly documented. */
3127
3128 case ACLC_ENCRYPTED:
3129 if (tls_cipher == NULL) rc = FAIL; else
3130 {
3131 uschar *endcipher = NULL;
3132 uschar *cipher = Ustrchr(tls_cipher, ':');
3133 if (cipher == NULL) cipher = tls_cipher; else
3134 {
3135 endcipher = Ustrchr(++cipher, ':');
3136 if (endcipher != NULL) *endcipher = 0;
3137 }
3138 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3139 if (endcipher != NULL) *endcipher = ':';
3140 }
3141 break;
3142
3143 /* Use verify_check_this_host() instead of verify_check_host() so that
3144 we can pass over &host_data to catch any looked up data. Once it has been
3145 set, it retains its value so that it's still there if another ACL verb
3146 comes through here and uses the cache. However, we must put it into
3147 permanent store in case it is also expected to be used in a subsequent
3148 message in the same SMTP connection. */
3149
3150 case ACLC_HOSTS:
3151 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3152 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3153 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3154 break;
3155
3156 case ACLC_LOCAL_PARTS:
3157 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3158 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3159 &deliver_localpart_data);
3160 break;
3161
6ea85e9a
PH
3162 case ACLC_LOG_REJECT_TARGET:
3163 {
3164 int logbits = 0;
3165 int sep = 0;
3166 uschar *s = arg;
3167 uschar *ss;
3168 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3169 != NULL)
3170 {
3171 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3172 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3173 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3174 else
3175 {
3176 logbits |= LOG_MAIN|LOG_REJECT;
3177 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3178 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3179 }
3180 }
3181 log_reject_target = logbits;
3182 }
3183 break;
3184
059ec3d9
PH
3185 case ACLC_LOGWRITE:
3186 {
3187 int logbits = 0;
3188 uschar *s = arg;
3189 if (*s == ':')
3190 {
3191 s++;
3192 while (*s != ':')
3193 {
3194 if (Ustrncmp(s, "main", 4) == 0)
3195 { logbits |= LOG_MAIN; s += 4; }
3196 else if (Ustrncmp(s, "panic", 5) == 0)
3197 { logbits |= LOG_PANIC; s += 5; }
3198 else if (Ustrncmp(s, "reject", 6) == 0)
3199 { logbits |= LOG_REJECT; s += 6; }
3200 else
3201 {
3202 logbits = LOG_MAIN|LOG_PANIC;
3203 s = string_sprintf(":unknown log name in \"%s\" in "
3204 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3205 }
3206 if (*s == ',') s++;
3207 }
3208 s++;
3209 }
3210 while (isspace(*s)) s++;
6ea85e9a
PH
3211
3212
059ec3d9
PH
3213 if (logbits == 0) logbits = LOG_MAIN;
3214 log_write(0, logbits, "%s", string_printing(s));
3215 }
3216 break;
8e669ac1 3217
71fafd95 3218 #ifdef WITH_CONTENT_SCAN
8523533c
TK
3219 case ACLC_MALWARE:
3220 {
6ea85e9a 3221 /* Separate the regular expression and any optional parameters. */
8523533c
TK
3222 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3223 /* Run the malware backend. */
3224 rc = malware(&ss);
3225 /* Modify return code based upon the existance of options. */
3226 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3227 != NULL) {
3228 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3229 {
3230 /* FAIL so that the message is passed to the next ACL */
3231 rc = FAIL;
3232 }
3233 }
3234 }
3235 break;
3236
3237 case ACLC_MIME_REGEX:
71fafd95 3238 rc = mime_regex(&arg);
8523533c 3239 break;
71fafd95 3240 #endif
059ec3d9 3241
870f6ba8 3242 case ACLC_RATELIMIT:
90fc3069 3243 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF
3244 break;
3245
059ec3d9
PH
3246 case ACLC_RECIPIENTS:
3247 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3248 &recipient_data);
3249 break;
3250
71fafd95
PH
3251 #ifdef WITH_CONTENT_SCAN
3252 case ACLC_REGEX:
3253 rc = regex(&arg);
8523533c 3254 break;
71fafd95 3255 #endif
8523533c 3256
059ec3d9
PH
3257 case ACLC_SENDER_DOMAINS:
3258 {
3259 uschar *sdomain;
3260 sdomain = Ustrrchr(sender_address, '@');
3261 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3262 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3263 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3264 }
3265 break;
3266
3267 case ACLC_SENDERS:
3268 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3269 sender_address_cache, -1, 0, &sender_data);
3270 break;
3271
3272 /* Connection variables must persist forever */
3273
3274 case ACLC_SET:
3275 {
3276 int old_pool = store_pool;
38a0a95f
PH
3277 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3278 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH
3279 store_pool = old_pool;
3280 }
3281 break;
3282
71fafd95 3283 #ifdef WITH_CONTENT_SCAN
8523533c
TK
3284 case ACLC_SPAM:
3285 {
3286 /* Seperate the regular expression and any optional parameters. */
3287 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3288 /* Run the spam backend. */
3289 rc = spam(&ss);
3290 /* Modify return code based upon the existance of options. */
3291 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3292 != NULL) {
3293 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3294 {
3295 /* FAIL so that the message is passed to the next ACL */
3296 rc = FAIL;
3297 }
3298 }
3299 }
3300 break;
71fafd95 3301 #endif
8523533c 3302
71fafd95 3303 #ifdef EXPERIMENTAL_SPF
8523533c 3304 case ACLC_SPF:
65a7d8c3
NM
3305 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3306 break;
3307 case ACLC_SPF_GUESS:
3308 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
8523533c 3309 break;
71fafd95 3310 #endif
8523533c 3311
059ec3d9
PH
3312 /* If the verb is WARN, discard any user message from verification, because
3313 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH
3314 only from explicit "message" modifiers. However, put the user message into
3315 $acl_verify_message so it can be used in subsequent conditions or modifiers
3316 (until something changes it). */
059ec3d9
PH
3317
3318 case ACLC_VERIFY:
3319 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3320 acl_verify_message = *user_msgptr;
059ec3d9
PH
3321 if (verb == ACL_WARN) *user_msgptr = NULL;
3322 break;
3323
3324 default:
3325 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3326 "condition %d", cb->type);
3327 break;
3328 }
3329
3330 /* If a condition was negated, invert OK/FAIL. */
3331
3332 if (!cond_modifiers[cb->type] && cb->u.negated)
3333 {
3334 if (rc == OK) rc = FAIL;
3335 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3336 }
3337
3338 if (rc != OK) break; /* Conditions loop */
3339 }
3340
3341
3342/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH
3343handle the values of these modifiers. If there isn't a log message set, we make
3344it the same as the user message.
059ec3d9
PH
3345
3346"message" is a user message that will be included in an SMTP response. Unless
3347it is empty, it overrides any previously set user message.
3348
3349"log_message" is a non-user message, and it adds to any existing non-user
3350message that is already set.
3351
4e88a19f
PH
3352Most verbs have but a single return for which the messages are relevant, but
3353for "discard", it's useful to have the log message both when it succeeds and
3354when it fails. For "accept", the message is used in the OK case if there is no
3355"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3356present. */
059ec3d9 3357
4e88a19f
PH
3358if (*epp && rc == OK) user_message = NULL;
3359
3360if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH
3361 {
3362 uschar *expmessage;
4e88a19f
PH
3363 uschar *old_user_msgptr = *user_msgptr;
3364 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH
3365
3366 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH
3367 nested ACLs) are always discarded. This also happens for acceptance verbs
3368 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH
3369 However, the value of an existing message is available in $acl_verify_message
3370 during expansions. */
3371
4e88a19f
PH
3372 if (verb == ACL_WARN ||
3373 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3374 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH
3375
3376 if (user_message != NULL)
3377 {
3378 acl_verify_message = old_user_msgptr;
3379 expmessage = expand_string(user_message);
3380 if (expmessage == NULL)
3381 {
3382 if (!expand_string_forcedfail)
3383 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3384 user_message, expand_string_message);
3385 }
3386 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3387 }
3388
3389 if (log_message != NULL)
3390 {
3391 acl_verify_message = old_log_msgptr;
3392 expmessage = expand_string(log_message);
3393 if (expmessage == NULL)
3394 {
3395 if (!expand_string_forcedfail)
3396 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3397 log_message, expand_string_message);
3398 }
3399 else if (expmessage[0] != 0)
3400 {
3401 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3402 string_sprintf("%s: %s", expmessage, *log_msgptr);
3403 }
3404 }
3405
3406 /* If no log message, default it to the user message */
3407
3408 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3409 }
3410
3411acl_verify_message = NULL;
3412return rc;
3413}
3414
3415
3416
3417
3418
3419/*************************************************
3420* Get line from a literal ACL *
3421*************************************************/
3422
3423/* This function is passed to acl_read() in order to extract individual lines
3424of a literal ACL, which we access via static pointers. We can destroy the
3425contents because this is called only once (the compiled ACL is remembered).
3426
3427This code is intended to treat the data in the same way as lines in the main
3428Exim configuration file. That is:
3429
3430 . Leading spaces are ignored.
3431
3432 . A \ at the end of a line is a continuation - trailing spaces after the \
3433 are permitted (this is because I don't believe in making invisible things
3434 significant). Leading spaces on the continued part of a line are ignored.
3435
3436 . Physical lines starting (significantly) with # are totally ignored, and
3437 may appear within a sequence of backslash-continued lines.
3438
3439 . Blank lines are ignored, but will end a sequence of continuations.
3440
3441Arguments: none
3442Returns: a pointer to the next line
3443*/
3444
3445
3446static uschar *acl_text; /* Current pointer in the text */
3447static uschar *acl_text_end; /* Points one past the terminating '0' */
3448
3449
3450static uschar *
3451acl_getline(void)
3452{
3453uschar *yield;
3454
3455/* This loop handles leading blank lines and comments. */
3456
3457for(;;)
3458 {
3459 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3460 if (*acl_text == 0) return NULL; /* No more data */
3461 yield = acl_text; /* Potential data line */
3462
3463 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3464
3465 /* If we hit the end before a newline, we have the whole logical line. If
3466 it's a comment, there's no more data to be given. Otherwise, yield it. */
3467
3468 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3469
3470 /* After reaching a newline, end this loop if the physical line does not
3471 start with '#'. If it does, it's a comment, and the loop continues. */
3472
3473 if (*yield != '#') break;
3474 }
3475
3476/* This loop handles continuations. We know we have some real data, ending in
3477newline. See if there is a continuation marker at the end (ignoring trailing
3478white space). We know that *yield is not white space, so no need to test for
3479cont > yield in the backwards scanning loop. */
3480
3481for(;;)
3482 {
3483 uschar *cont;
3484 for (cont = acl_text - 1; isspace(*cont); cont--);
3485
3486 /* If no continuation follows, we are done. Mark the end of the line and
3487 return it. */
3488
3489 if (*cont != '\\')
3490 {
3491 *acl_text++ = 0;
3492 return yield;
3493 }
3494
3495 /* We have encountered a continuation. Skip over whitespace at the start of
3496 the next line, and indeed the whole of the next line or lines if they are
3497 comment lines. */
3498
3499 for (;;)
3500 {
3501 while (*(++acl_text) == ' ' || *acl_text == '\t');
3502 if (*acl_text != '#') break;
3503 while (*(++acl_text) != 0 && *acl_text != '\n');
3504 }
3505
3506 /* We have the start of a continuation line. Move all the rest of the data
3507 to join onto the previous line, and then find its end. If the end is not a
3508 newline, we are done. Otherwise loop to look for another continuation. */
3509
3510 memmove(cont, acl_text, acl_text_end - acl_text);
3511 acl_text_end -= acl_text - cont;
3512 acl_text = cont;
3513 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3514 if (*acl_text == 0) return yield;
3515 }
3516
3517/* Control does not reach here */
3518}
3519
3520
3521
3522
3523
3524/*************************************************
3525* Check access using an ACL *
3526*************************************************/
3527
3528/* This function is called from address_check. It may recurse via
3529acl_check_condition() - hence the use of a level to stop looping. The ACL is
3530passed as a string which is expanded. A forced failure implies no access check
3531is required. If the result is a single word, it is taken as the name of an ACL
3532which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3533text, complete with newlines, and parsed as such. In both cases, the ACL check
3534is then run. This function uses an auxiliary function for acl_read() to call
3535for reading individual lines of a literal ACL. This is acl_getline(), which
3536appears immediately above.
3537
3538Arguments:
3539 where where called from
3540 addr address item when called from RCPT; otherwise NULL
3541 s the input string; NULL is the same as an empty ACL => DENY
3542 level the nesting level
3543 user_msgptr where to put a user error (for SMTP response)
3544 log_msgptr where to put a logging message (not for SMTP response)
3545
3546Returns: OK access is granted
3547 DISCARD access is apparently granted...
3548 FAIL access is denied
3549 FAIL_DROP access is denied; drop the connection
3550 DEFER can't tell at the moment
3551 ERROR disaster
3552*/
3553
3554static int
3555acl_check_internal(int where, address_item *addr, uschar *s, int level,
3556 uschar **user_msgptr, uschar **log_msgptr)
3557{
3558int fd = -1;
3559acl_block *acl = NULL;
3560uschar *acl_name = US"inline ACL";
3561uschar *ss;
3562
3563/* Catch configuration loops */
3564
3565if (level > 20)
3566 {
3567 *log_msgptr = US"ACL nested too deep: possible loop";
3568 return ERROR;
3569 }
3570
3571if (s == NULL)
3572 {
3573 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3574 return FAIL;
3575 }
3576
3577/* At top level, we expand the incoming string. At lower levels, it has already
3578been expanded as part of condition processing. */
3579
3580if (level == 0)
3581 {
3582 ss = expand_string(s);
3583 if (ss == NULL)
3584 {
3585 if (expand_string_forcedfail) return OK;
3586 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3587 expand_string_message);
3588 return ERROR;
3589 }
3590 }
3591else ss = s;
3592
3593while (isspace(*ss))ss++;
3594
3595/* If we can't find a named ACL, the default is to parse it as an inline one.
3596(Unless it begins with a slash; non-existent files give rise to an error.) */
3597
3598acl_text = ss;
3599
3600/* Handle the case of a string that does not contain any spaces. Look for a
3601named ACL among those read from the configuration, or a previously read file.
3602It is possible that the pointer to the ACL is NULL if the configuration
3603contains a name with no data. If not found, and the text begins with '/',
3604read an ACL from a file, and save it so it can be re-used. */
3605
3606if (Ustrchr(ss, ' ') == NULL)
3607 {
3608 tree_node *t = tree_search(acl_anchor, ss);
3609 if (t != NULL)
3610 {
3611 acl = (acl_block *)(t->data.ptr);
3612 if (acl == NULL)
3613 {
3614 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3615 return FAIL;
3616 }
3617 acl_name = string_sprintf("ACL \"%s\"", ss);
3618 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3619 }
3620
3621 else if (*ss == '/')
3622 {
3623 struct stat statbuf;
3624 fd = Uopen(ss, O_RDONLY, 0);
3625 if (fd < 0)
3626 {
3627 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3628 strerror(errno));
3629 return ERROR;
3630 }
3631
3632 if (fstat(fd, &statbuf) != 0)
3633 {
3634 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3635 strerror(errno));
3636 return ERROR;
3637 }
3638
3639 acl_text = store_get(statbuf.st_size + 1);
3640 acl_text_end = acl_text + statbuf.st_size + 1;
3641
3642 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3643 {
3644 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3645 ss, strerror(errno));
3646 return ERROR;
3647 }
3648 acl_text[statbuf.st_size] = 0;
f1e894f3 3649 (void)close(fd);
059ec3d9
PH
3650
3651 acl_name = string_sprintf("ACL \"%s\"", ss);
3652 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3653 }
3654 }
3655
3656/* Parse an ACL that is still in text form. If it came from a file, remember it
3657in the ACL tree, having read it into the POOL_PERM store pool so that it
3658persists between multiple messages. */
3659
3660if (acl == NULL)
3661 {
3662 int old_pool = store_pool;
3663 if (fd >= 0) store_pool = POOL_PERM;
3664 acl = acl_read(acl_getline, log_msgptr);
3665 store_pool = old_pool;
3666 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3667 if (fd >= 0)
3668 {
3669 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3670 Ustrcpy(t->name, ss);
3671 t->data.ptr = acl;
3672 (void)tree_insertnode(&acl_anchor, t);
3673 }
3674 }
3675
3676/* Now we have an ACL to use. It's possible it may be NULL. */
3677
3678while (acl != NULL)
3679 {
3680 int cond;
3681 int basic_errno = 0;
3682 BOOL endpass_seen = FALSE;
3683
3684 *log_msgptr = *user_msgptr = NULL;
3685 acl_temp_details = FALSE;
3686
7353285c 3687 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
059ec3d9
PH
3688 acl->verb != ACL_ACCEPT &&
3689 acl->verb != ACL_WARN)
3690 {
7353285c 3691 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
059ec3d9
PH
3692 verbs[acl->verb]);
3693 return ERROR;
3694 }
3695
3696 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3697
3698 /* Clear out any search error message from a previous check before testing
3699 this condition. */
3700
3701 search_error_message = NULL;
3702 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3703 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3704
3705 /* Handle special returns: DEFER causes a return except on a WARN verb;
3706 ERROR always causes a return. */
3707
3708 switch (cond)
3709 {
3710 case DEFER:
6968512f 3711 HDEBUG(D_acl) debug_printf("%s: condition test deferred in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH
3712 if (basic_errno != ERRNO_CALLOUTDEFER)
3713 {
3714 if (search_error_message != NULL && *search_error_message != 0)
3715 *log_msgptr = search_error_message;
3716 if (smtp_return_error_details) acl_temp_details = TRUE;
3717 }
3718 else
3719 {
3720 acl_temp_details = TRUE;
3721 }
3722 if (acl->verb != ACL_WARN) return DEFER;
3723 break;
3724
3725 default: /* Paranoia */
3726 case ERROR:
6968512f 3727 HDEBUG(D_acl) debug_printf("%s: condition test error in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH
3728 return ERROR;
3729
3730 case OK:
6968512f
JH
3731 HDEBUG(D_acl) debug_printf("%s: condition test succeeded in %s\n",
3732 verbs[acl->verb], acl_name);
059ec3d9
PH
3733 break;
3734
3735 case FAIL:
6968512f 3736 HDEBUG(D_acl) debug_printf("%s: condition test failed in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH
3737 break;
3738
3739 /* DISCARD and DROP can happen only from a nested ACL condition, and
3740 DISCARD can happen only for an "accept" or "discard" verb. */
3741
3742 case DISCARD:
6968512f
JH
3743 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\" in %s\n",
3744 verbs[acl->verb], acl_name);
059ec3d9
PH
3745 break;
3746
3747 case FAIL_DROP:
6968512f
JH
3748 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\" in %s\n",
3749 verbs[acl->verb], acl_name);
059ec3d9
PH
3750 break;
3751 }
3752
3753 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3754 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3755 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3756
3757 switch(acl->verb)
3758 {
3759 case ACL_ACCEPT:
3760 if (cond == OK || cond == DISCARD) return cond;
3761 if (endpass_seen)
3762 {
3763 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3764 return cond;
3765 }
3766 break;
3767
3768 case ACL_DEFER:
3769 if (cond == OK)
3770 {
3771 acl_temp_details = TRUE;
3772 return DEFER;
3773 }
3774 break;
3775
3776 case ACL_DENY:
3777 if (cond == OK) return FAIL;
3778 break;
3779
3780 case ACL_DISCARD:
3781 if (cond == OK || cond == DISCARD) return DISCARD;
3782 if (endpass_seen)
3783 {
3784 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3785 return cond;
3786 }
3787 break;
3788
3789 case ACL_DROP:
3790 if (cond == OK) return FAIL_DROP;
3791 break;
3792
3793 case ACL_REQUIRE:
3794 if (cond != OK) return cond;
3795 break;
3796
3797 case ACL_WARN:
3798 if (cond == OK)
3799 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3800 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH
3801 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3802 "condition test deferred%s%s", host_and_ident(TRUE),
3803 (*log_msgptr == NULL)? US"" : US": ",
3804 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH
3805 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3806 break;
3807
3808 default:
3809 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3810 acl->verb);
3811 break;
3812 }
3813
3814 /* Pass to the next ACL item */
3815
3816 acl = acl->next;
3817 }
3818
3819/* We have reached the end of the ACL. This is an implicit DENY. */
3820
3821HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3822return FAIL;
3823}
3824
3825
3826/*************************************************
3827* Check access using an ACL *
3828*************************************************/
3829
3830/* This is the external interface for ACL checks. It sets up an address and the
3831expansions for $domain and $local_part when called after RCPT, then calls
3832acl_check_internal() to do the actual work.
3833
3834Arguments:
3835 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3836 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH
3837 s the input string; NULL is the same as an empty ACL => DENY
3838 user_msgptr where to put a user error (for SMTP response)
3839 log_msgptr where to put a logging message (not for SMTP response)
3840
3841Returns: OK access is granted by an ACCEPT verb
3842 DISCARD access is granted by a DISCARD verb