projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
More wishes.
[exim.git] / src / src / acl.c
CommitLineData
4deaf07d 1/* $Cambridge: exim/src/src/acl.c,v 1.5 2004/11/04 12:19:48 ph10 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
7/* Copyright (c) University of Cambridge 1995 - 2004 */
8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
35follows. */
36
37enum { ACLC_ACL, ACLC_AUTHENTICATED, ACLC_CONDITION, ACLC_CONTROL, ACLC_DELAY,
38 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS, ACLC_HOSTS,
39 ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE, ACLC_MESSAGE,
40 ACLC_RECIPIENTS, ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET, ACLC_VERIFY };
41
42/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
43"log_message", "logwrite", and "set" are modifiers that look like conditions
44but always return TRUE. They are used for their side effects. */
45
46static uschar *conditions[] = { US"acl", US"authenticated", US"condition",
47 US"control", US"delay", US"dnslists", US"domains", US"encrypted",
48 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
49 US"message", US"recipients", US"sender_domains", US"senders", US"set",
50 US"verify" };
c5fcb476
PH		 51
52/* ACL control names */
53
54static uschar *controls[] = { US"error", US"caseful_local_part",
55 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
56 US"queue_only", US"submission", US"no_multiline"};
059ec3d9
PH		 57
58/* Flags to indicate for which conditions /modifiers a string expansion is done
59at the outer level. In the other cases, expansion already occurs in the
60checking functions. */
61
62static uschar cond_expand_at_top[] = {
63 TRUE, /* acl */
64 FALSE, /* authenticated */
65 TRUE, /* condition */
66 TRUE, /* control */
67 TRUE, /* delay */
68 TRUE, /* dnslists */
69 FALSE, /* domains */
70 FALSE, /* encrypted */
71 TRUE, /* endpass */
72 FALSE, /* hosts */
73 FALSE, /* local_parts */
74 TRUE, /* log_message */
75 TRUE, /* logwrite */
76 TRUE, /* message */
77 FALSE, /* recipients */
78 FALSE, /* sender_domains */
79 FALSE, /* senders */
80 TRUE, /* set */
81 TRUE /* verify */
82};
83
84/* Flags to identify the modifiers */
85
86static uschar cond_modifiers[] = {
87 FALSE, /* acl */
88 FALSE, /* authenticated */
89 FALSE, /* condition */
90 TRUE, /* control */
91 TRUE, /* delay */
92 FALSE, /* dnslists */
93 FALSE, /* domains */
94 FALSE, /* encrypted */
95 TRUE, /* endpass */
96 FALSE, /* hosts */
97 FALSE, /* local_parts */
98 TRUE, /* log_message */
99 TRUE, /* log_write */
100 TRUE, /* message */
101 FALSE, /* recipients */
102 FALSE, /* sender_domains */
103 FALSE, /* senders */
104 TRUE, /* set */
105 FALSE /* verify */
106};
107
c5fcb476
PH		 108/* Bit map vector of which conditions are not allowed at certain times. For
109each condition, there's a bitmap of dis-allowed times. */
059ec3d9
PH		 110
111static unsigned int cond_forbids[] = {
112 0, /* acl */
113 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
114 (1<<ACL_WHERE_HELO),
115 0, /* condition */
116
117 /* Certain types of control are always allowed, so we let it through
118 always and check in the control processing itself */
119
120 0, /* control */
121 0, /* delay */
122 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
123
124 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
125 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
126 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
127 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
128 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
129 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
130 (1<<ACL_WHERE_VRFY),
131
132 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
133 (1<<ACL_WHERE_HELO),
134 0, /* endpass */
135 (1<<ACL_WHERE_NOTSMTP), /* hosts */
136
137 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
138 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
139 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
140 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
141 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
142 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
143 (1<<ACL_WHERE_VRFY),
144
145 0, /* log_message */
146 0, /* logwrite */
147 0, /* message */
148
149 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
150 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
151 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
152 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
153 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
154 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
155 (1<<ACL_WHERE_VRFY),
156
157 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
158 (1<<ACL_WHERE_HELO)|
159 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
160 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
161 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
162
163 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
164 (1<<ACL_WHERE_HELO)|
165 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
166 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
167 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
168
169 0, /* set */
170
171 /* Certain types of verify are always allowed, so we let it through
172 always and check in the verify function itself */
173
174 0 /* verify */
059ec3d9
PH		 175};
176
177
178/* Return values from decode_control() */
179
180enum { CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
181 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
182 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION, CONTROL_NO_MULTILINE };
183
c5fcb476
PH		 184/* Bit map vector of which controls are not allowed at certain times. For
185each control, there's a bitmap of dis-allowed times. For some, it is easier to
186specify the negation of a small number of allowed times. */
187
188static unsigned int control_forbids[] = {
189 0, /* error */
190 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
191 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
192 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
193 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
194
195 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
196 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
197 (1<<ACL_WHERE_NOTSMTP)),
198
199 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
200 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
201 (1<<ACL_WHERE_NOTSMTP)),
202
203 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
204 (1<<ACL_WHERE_PREDATA)),
205
206 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
207};
208
209/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 210
211typedef struct control_def {
212 uschar *name;
213 int value; /* CONTROL_xxx value */
059ec3d9
PH		 214 BOOL has_option; /* Has /option(s) following */
215} control_def;
216
217static control_def controls_list[] = {
c5fcb476
PH		 218 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
219 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
220 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
221 { US"freeze", CONTROL_FREEZE, FALSE},
222 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
223 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
224 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
225 { US"submission", CONTROL_SUBMISSION, TRUE}
059ec3d9
PH		 226 };
227
228/* Enable recursion between acl_check_internal() and acl_check_condition() */
229
230static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
231 uschar **);
232
233
234/*************************************************
235* Pick out name from list *
236*************************************************/
237
238/* Use a binary chop method
239
240Arguments:
241 name name to find
242 list list of names
243 end size of list
244
245Returns: offset in list, or -1 if not found
246*/
247
248static int
249acl_checkname(uschar *name, uschar **list, int end)
250{
251int start = 0;
252
253while (start < end)
254 {
255 int mid = (start + end)/2;
256 int c = Ustrcmp(name, list[mid]);
257 if (c == 0) return mid;
258 if (c < 0) end = mid; else start = mid + 1;
259 }
260
261return -1;
262}
263
264
265/*************************************************
266* Read and parse one ACL *
267*************************************************/
268
269/* This function is called both from readconf in order to parse the ACLs in the
270configuration file, and also when an ACL is encountered dynamically (e.g. as
271the result of an expansion). It is given a function to call in order to
272retrieve the lines of the ACL. This function handles skipping comments and
273blank lines (where relevant).
274
275Arguments:
276 func function to get next line of ACL
277 error where to put an error message
278
279Returns: pointer to ACL, or NULL
280 NULL can be legal (empty ACL); in this case error will be NULL
281*/
282
283acl_block *
284acl_read(uschar *(*func)(void), uschar **error)
285{
286acl_block *yield = NULL;
287acl_block **lastp = &yield;
288acl_block *this = NULL;
289acl_condition_block *cond;
290acl_condition_block **condp = NULL;
291uschar *s;
292
293*error = NULL;
294
295while ((s = (*func)()) != NULL)
296 {
297 int v, c;
298 BOOL negated = FALSE;
299 uschar *saveline = s;
300 uschar name[64];
301
302 /* Conditions (but not verbs) are allowed to be negated by an initial
303 exclamation mark. */
304
305 while (isspace(*s)) s++;
306 if (*s == '!')
307 {
308 negated = TRUE;
309 s++;
310 }
311
312 /* Read the name of a verb or a condition, or the start of a new ACL */
313
314 s = readconf_readname(name, sizeof(name), s);
315 if (*s == ':')
316 {
317 if (negated || name[0] == 0)
318 {
319 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
320 return NULL;
321 }
322 break;
323 }
324
325 /* If a verb is unrecognized, it may be another condition or modifier that
326 continues the previous verb. */
327
328 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
329 if (v < 0)
330 {
331 if (this == NULL)
332 {
333 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
334 return NULL;
335 }
336 }
337
338 /* New verb */
339
340 else
341 {
342 if (negated)
343 {
344 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
345 return NULL;
346 }
347 this = store_get(sizeof(acl_block));
348 *lastp = this;
349 lastp = &(this->next);
350 this->next = NULL;
351 this->verb = v;
352 this->condition = NULL;
353 condp = &(this->condition);
354 if (*s == 0) continue; /* No condition on this line */
355 if (*s == '!')
356 {
357 negated = TRUE;
358 s++;
359 }
360 s = readconf_readname(name, sizeof(name), s); /* Condition name */
361 }
362
363 /* Handle a condition or modifier. */
364
365 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
366 if (c < 0)
367 {
368 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
369 saveline);
370 return NULL;
371 }
372
373 /* The modifiers may not be negated */
374
375 if (negated && cond_modifiers[c])
376 {
377 *error = string_sprintf("ACL error: negation is not allowed with "
378 "\"%s\"", conditions[c]);
379 return NULL;
380 }
381
382 /* ENDPASS may occur only with ACCEPT or DISCARD. */
383
384 if (c == ACLC_ENDPASS &&
385 this->verb != ACL_ACCEPT &&
386 this->verb != ACL_DISCARD)
387 {
388 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
389 conditions[c], verbs[this->verb]);
390 return NULL;
391 }
392
393 cond = store_get(sizeof(acl_condition_block));
394 cond->next = NULL;
395 cond->type = c;
396 cond->u.negated = negated;
397
398 *condp = cond;
399 condp = &(cond->next);
400
401 /* The "set" modifier is different in that its argument is "name=value"
402 rather than just a value, and we can check the validity of the name, which
403 gives us a variable number to insert into the data block. */
404
405 if (c == ACLC_SET)
406 {
407 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
408 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
409 {
410 *error = string_sprintf("unrecognized name after \"set\" in ACL "
411 "modifier \"set %s\"", s);
412 return NULL;
413 }
414
415 cond->u.varnumber = s[5] - '0';
416 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
417 s += 6;
418 while (isspace(*s)) s++;
419 }
420
421 /* For "set", we are now positioned for the data. For the others, only
422 "endpass" has no data */
423
424 if (c != ACLC_ENDPASS)
425 {
426 if (*s++ != '=')
427 {
428 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
429 cond_modifiers[c]? US"modifier" : US"condition");
430 return NULL;
431 }
432 while (isspace(*s)) s++;
433 cond->arg = string_copy(s);
434 }
435 }
436
437return yield;
438}
439
440
441
442/*************************************************
443* Handle warnings *
444*************************************************/
445
446/* This function is called when a WARN verb's conditions are true. It adds to
447the message's headers, and/or writes information to the log. In each case, this
448only happens once (per message for headers, per connection for log).
449
450Arguments:
451 where ACL_WHERE_xxxx indicating which ACL this is
452 user_message message for adding to headers
453 log_message message for logging, if different
454
455Returns: nothing
456*/
457
458static void
459acl_warn(int where, uschar *user_message, uschar *log_message)
460{
461int hlen;
462
463if (log_message != NULL && log_message != user_message)
464 {
465 uschar *text;
466 string_item *logged;
467
468 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
469 string_printing(log_message));
470
471 /* If a sender verification has failed, and the log message is "sender verify
472 failed", add the failure message. */
473
474 if (sender_verified_failed != NULL &&
475 sender_verified_failed->message != NULL &&
476 strcmpic(log_message, US"sender verify failed") == 0)
477 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
478
479 /* Search previously logged warnings. They are kept in malloc store so they
480 can be freed at the start of a new message. */
481
482 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
483 if (Ustrcmp(logged->text, text) == 0) break;
484
485 if (logged == NULL)
486 {
487 int length = Ustrlen(text) + 1;
488 log_write(0, LOG_MAIN, "%s", text);
489 logged = store_malloc(sizeof(string_item) + length);
490 logged->text = (uschar *)logged + sizeof(string_item);
491 memcpy(logged->text, text, length);
492 logged->next = acl_warn_logged;
493 acl_warn_logged = logged;
494 }
495 }
496
497/* If there's no user message, we are done. */
498
499if (user_message == NULL) return;
500
501/* If this isn't a message ACL, we can't do anything with a user message.
502Log an error. */
503
504if (where > ACL_WHERE_NOTSMTP)
505 {
506 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
507 "found in a non-message (%s) ACL: cannot specify header lines here: "
508 "message ignored", acl_wherenames[where]);
509 return;
510 }
511
512/* Treat the user message as a sequence of one or more header lines. */
513
514hlen = Ustrlen(user_message);
515if (hlen > 0)
516 {
517 uschar *text, *p, *q;
518
519 /* Add a final newline if not present */
520
521 text = ((user_message)[hlen-1] == '\n')? user_message :
522 string_sprintf("%s\n", user_message);
523
524 /* Loop for multiple header lines, taking care about continuations */
525
526 for (p = q = text; *p != 0; )
527 {
528 uschar *s;
529 int newtype = htype_add_bot;
530 header_line **hptr = &acl_warn_headers;
531
532 /* Find next header line within the string */
533
534 for (;;)
535 {
536 q = Ustrchr(q, '\n');
537 if (*(++q) != ' ' && *q != '\t') break;
538 }
539
540 /* If the line starts with a colon, interpret the instruction for where to
541 add it. This temporarily sets up a new type. */
542
543 if (*p == ':')
544 {
545 if (strncmpic(p, US":after_received:", 16) == 0)
546 {
547 newtype = htype_add_rec;
548 p += 16;
549 }
550 else if (strncmpic(p, US":at_start:", 10) == 0)
551 {
552 newtype = htype_add_top;
553 p += 10;
554 }
555 else if (strncmpic(p, US":at_end:", 8) == 0)
556 {
557 newtype = htype_add_bot;
558 p += 8;
559 }
560 while (*p == ' ' || *p == '\t') p++;
561 }
562
563 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
564 to the front of it. */
565
566 for (s = p; s < q - 1; s++)
567 {
568 if (*s == ':' || !isgraph(*s)) break;
569 }
570
571 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
572 hlen = Ustrlen(s);
573
574 /* See if this line has already been added */
575
576 while (*hptr != NULL)
577 {
578 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
579 hptr = &((*hptr)->next);
580 }
581
582 /* Add if not previously present */
583
584 if (*hptr == NULL)
585 {
586 header_line *h = store_get(sizeof(header_line));
587 h->text = s;
588 h->next = NULL;
589 h->type = newtype;
590 h->slen = hlen;
591 *hptr = h;
592 hptr = &(h->next);
593 }
594
595 /* Advance for next header line within the string */
596
597 p = q;
598 }
599 }
600}
601
602
603
604/*************************************************
605* Verify and check reverse DNS *
606*************************************************/
607
608/* Called from acl_verify() below. We look up the host name(s) of the client IP
609address if this has not yet been done. The host_name_lookup() function checks
610that one of these names resolves to an address list that contains the client IP
611address, so we don't actually have to do the check here.
612
613Arguments:
614 user_msgptr pointer for user message
615 log_msgptr pointer for log message
616
617Returns: OK verification condition succeeded
618 FAIL verification failed
619 DEFER there was a problem verifying
620*/
621
622static int
623acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
624{
625int rc;
626
627user_msgptr = user_msgptr; /* stop compiler warning */
628
629/* Previous success */
630
631if (sender_host_name != NULL) return OK;
632
633/* Previous failure */
634
635if (host_lookup_failed)
636 {
637 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
638 return FAIL;
639 }
640
641/* Need to do a lookup */
642
643HDEBUG(D_acl)
644 debug_printf("looking up host name to force name/address consistency check\n");
645
646if ((rc = host_name_lookup()) != OK)
647 {
648 *log_msgptr = (rc == DEFER)?
649 US"host lookup deferred for reverse lookup check"
650 :
651 string_sprintf("host lookup failed for reverse lookup check%s",
652 host_lookup_msg);
653 return rc; /* DEFER or FAIL */
654 }
655
656host_build_sender_fullhost();
657return OK;
658}
659
660
661
662/*************************************************
663* Handle verification (address & other) *
664*************************************************/
665
666/* This function implements the "verify" condition. It is called when
667encountered in any ACL, because some tests are almost always permitted. Some
668just don't make sense, and always fail (for example, an attempt to test a host
669lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
670
671Arguments:
672 where where called from
673 addr the recipient address that the ACL is handling, or NULL
674 arg the argument of "verify"
675 user_msgptr pointer for user message
676 log_msgptr pointer for log message
677 basic_errno where to put verify errno
678
679Returns: OK verification condition succeeded
680 FAIL verification failed
681 DEFER there was a problem verifying
682 ERROR syntax error
683*/
684
685static int
686acl_verify(int where, address_item *addr, uschar *arg,
687 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
688{
689int sep = '/';
690int callout = -1;
691int callout_overall = -1;
4deaf07d 692int callout_connect = -1;
059ec3d9
PH		 693int verify_options = 0;
694int rc;
695BOOL verify_header_sender = FALSE;
696BOOL defer_ok = FALSE;
697BOOL callout_defer_ok = FALSE;
698BOOL no_details = FALSE;
699address_item *sender_vaddr = NULL;
700uschar *verify_sender_address = NULL;
701uschar *pm_mailfrom = NULL;
702uschar *se_mailfrom = NULL;
703uschar *list = arg;
704uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
705
706if (ss == NULL) goto BAD_VERIFY;
707
708/* Handle name/address consistency verification in a separate function. */
709
710if (strcmpic(ss, US"reverse_host_lookup") == 0)
711 {
712 if (sender_host_address == NULL) return OK;
713 return acl_verify_reverse(user_msgptr, log_msgptr);
714 }
715
716/* TLS certificate verification is done at STARTTLS time; here we just
717test whether it was successful or not. (This is for optional verification; for
718mandatory verification, the connection doesn't last this long.) */
719
720if (strcmpic(ss, US"certificate") == 0)
721 {
722 if (tls_certificate_verified) return OK;
723 *user_msgptr = US"no verified certificate";
724 return FAIL;
725 }
726
727/* We can test the result of optional HELO verification */
728
729if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
730
731/* Handle header verification options - permitted only after DATA or a non-SMTP
732message. */
733
734if (strncmpic(ss, US"header_", 7) == 0)
735 {
736 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
737 {
738 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
739 "(only possible in ACL for DATA)", acl_wherenames[where]);
740 return ERROR;
741 }
742
743 /* Check that all relevant header lines have the correct syntax. If there is
744 a syntax error, we return details of the error to the sender if configured to
745 send out full details. (But a "message" setting on the ACL can override, as
746 always). */
747
748 if (strcmpic(ss+7, US"syntax") == 0)
749 {
750 int rc = verify_check_headers(log_msgptr);
751 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
752 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
753 return rc;
754 }
755
756 /* Check that there is at least one verifiable sender address in the relevant
757 header lines. This can be followed by callout and defer options, just like
758 sender and recipient. */
759
760 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
761
762 /* Unknown verify argument starting with "header_" */
763
764 else goto BAD_VERIFY;
765 }
766
767/* Otherwise, first item in verify argument must be "sender" or "recipient".
768In the case of a sender, this can optionally be followed by an address to use
769in place of the actual sender (rare special-case requirement). */
770
771else if (strncmpic(ss, US"sender", 6) == 0)
772 {
773 uschar *s = ss + 6;
774 if (where > ACL_WHERE_NOTSMTP)
775 {
776 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
777 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
778 acl_wherenames[where]);
779 return ERROR;
780 }
781 if (*s == 0)
782 verify_sender_address = sender_address;
783 else
784 {
785 while (isspace(*s)) s++;
786 if (*s++ != '=') goto BAD_VERIFY;
787 while (isspace(*s)) s++;
788 verify_sender_address = string_copy(s);
789 }
790 }
791else
792 {
793 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
794 if (addr == NULL)
795 {
796 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
797 "(only possible for RCPT)", acl_wherenames[where]);
798 return ERROR;
799 }
800 }
801
802/* Remaining items are optional */
803
804while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
805 != NULL)
806 {
807 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
808 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
809
810 /* These two old options are left for backwards compatibility */
811
812 else if (strcmpic(ss, US"callout_defer_ok") == 0)
813 {
814 callout_defer_ok = TRUE;
815 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
816 }
817
818 else if (strcmpic(ss, US"check_postmaster") == 0)
819 {
820 pm_mailfrom = US"";
821 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
822 }
823
824 /* The callout option has a number of sub-options, comma separated */
825
826 else if (strncmpic(ss, US"callout", 7) == 0)
827 {
828 callout = CALLOUT_TIMEOUT_DEFAULT;
829 ss += 7;
830 if (*ss != 0)
831 {
832 while (isspace(*ss)) ss++;
833 if (*ss++ == '=')
834 {
835 int optsep = ',';
836 uschar *opt;
837 uschar buffer[256];
838 while (isspace(*ss)) ss++;
4deaf07d
PH		 839
840 /* This callout option handling code has become a mess as new options
841 have been added in an ad hoc manner. It should be tidied up into some
842 kind of table-driven thing. */
843
059ec3d9
PH		 844 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
845 != NULL)
846 {
847 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
848 else if (strcmpic(opt, US"no_cache") == 0)
849 verify_options |= vopt_callout_no_cache;
850 else if (strcmpic(opt, US"random") == 0)
851 verify_options |= vopt_callout_random;
852 else if (strcmpic(opt, US"use_sender") == 0)
853 verify_options |= vopt_callout_recipsender;
854 else if (strcmpic(opt, US"use_postmaster") == 0)
855 verify_options |= vopt_callout_recippmaster;
856 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
857
858 else if (strncmpic(opt, US"mailfrom", 8) == 0)
859 {
860 if (!verify_header_sender)
861 {
862 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
863 "callout option only for verify=header_sender (detected in ACL "
864 "condition \"%s\")", arg);
865 return ERROR;
866 }
867 opt += 8;
868 while (isspace(*opt)) opt++;
869 if (*opt++ != '=')
870 {
871 *log_msgptr = string_sprintf("'=' expected after "
872 "\"mailfrom\" in ACL condition \"%s\"", arg);
873 return ERROR;
874 }
875 while (isspace(*opt)) opt++;
876 se_mailfrom = string_copy(opt);
877 }
878
879 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
880 {
881 opt += 19;
882 while (isspace(*opt)) opt++;
883 if (*opt++ != '=')
884 {
885 *log_msgptr = string_sprintf("'=' expected after "
886 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
887 return ERROR;
888 }
889 while (isspace(*opt)) opt++;
890 pm_mailfrom = string_copy(opt);
891 }
892
893 else if (strncmpic(opt, US"maxwait", 7) == 0)
894 {
895 opt += 7;
896 while (isspace(*opt)) opt++;
897 if (*opt++ != '=')
898 {
899 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
900 "ACL condition \"%s\"", arg);
901 return ERROR;
902 }
903 while (isspace(*opt)) opt++;
904 callout_overall = readconf_readtime(opt, 0, FALSE);
905 if (callout_overall < 0)
906 {
907 *log_msgptr = string_sprintf("bad time value in ACL condition "
908 "\"verify %s\"", arg);
909 return ERROR;
910 }
911 }
4deaf07d
PH		 912 else if (strncmpic(opt, US"connect", 7) == 0)
913 {
914 opt += 7;
915 while (isspace(*opt)) opt++;
916 if (*opt++ != '=')
917 {
918 *log_msgptr = string_sprintf("'=' expected after "
919 "\"callout_overaall\" in ACL condition \"%s\"", arg);
920 return ERROR;
921 }
922 while (isspace(*opt)) opt++;
923 callout_connect = readconf_readtime(opt, 0, FALSE);
924 if (callout_connect < 0)
925 {
926 *log_msgptr = string_sprintf("bad time value in ACL condition "
927 "\"verify %s\"", arg);
928 return ERROR;
929 }
930 }
059ec3d9
PH		 931 else /* Plain time is callout connect/command timeout */
932 {
933 callout = readconf_readtime(opt, 0, FALSE);
934 if (callout < 0)
935 {
936 *log_msgptr = string_sprintf("bad time value in ACL condition "
937 "\"verify %s\"", arg);
938 return ERROR;
939 }
940 }
941 }
942 }
943 else
944 {
945 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
946 "ACL condition \"%s\"", arg);
947 return ERROR;
948 }
949 }
950 }
951
952 /* Option not recognized */
953
954 else
955 {
956 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
957 "condition \"verify %s\"", ss, arg);
958 return ERROR;
959 }
960 }
961
962if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
963 (vopt_callout_recipsender|vopt_callout_recippmaster))
964 {
965 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
966 "for a recipient callout";
967 return ERROR;
968 }
969
970/* Handle sender-in-header verification. Default the user message to the log
971message if giving out verification details. */
972
973if (verify_header_sender)
974 {
975 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
4deaf07d 976 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options);
059ec3d9
PH		 977 if (smtp_return_error_details)
978 {
979 if (*user_msgptr == NULL && *log_msgptr != NULL)
980 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
981 if (rc == DEFER) acl_temp_details = TRUE;
982 }
983 }
984
985/* Handle a sender address. The default is to verify *the* sender address, but
986optionally a different address can be given, for special requirements. If the
987address is empty, we are dealing with a bounce message that has no sender, so
988we cannot do any checking. If the real sender address gets rewritten during
989verification (e.g. DNS widening), set the flag to stop it being rewritten again
990during message reception.
991
992A list of verified "sender" addresses is kept to try to avoid doing to much
993work repetitively when there are multiple recipients in a message and they all
994require sender verification. However, when callouts are involved, it gets too
995complicated because different recipients may require different callout options.
996Therefore, we always do a full sender verify when any kind of callout is
997specified. Caching elsewhere, for instance in the DNS resolver and in the
998callout handling, should ensure that this is not terribly inefficient. */
999
1000else if (verify_sender_address != NULL)
1001 {
1002 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1003 != 0)
1004 {
1005 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1006 "sender verify callout";
1007 return ERROR;
1008 }
1009
1010 sender_vaddr = verify_checked_sender(verify_sender_address);
1011 if (sender_vaddr != NULL && /* Previously checked */
1012 callout <= 0) /* No callout needed this time */
1013 {
1014 /* If the "routed" flag is set, it means that routing worked before, so
1015 this check can give OK (the saved return code value, if set, belongs to a
1016 callout that was done previously). If the "routed" flag is not set, routing
1017 must have failed, so we use the saved return code. */
1018
1019 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1020 {
1021 rc = sender_vaddr->special_action;
1022 *basic_errno = sender_vaddr->basic_errno;
1023 }
1024 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1025 }
1026
1027 /* Do a new verification, and cache the result. The cache is used to avoid
1028 verifying the sender multiple times for multiple RCPTs when callouts are not
1029 specified (see comments above).
1030
1031 The cache is also used on failure to give details in response to the first
1032 RCPT that gets bounced for this reason. However, this can be suppressed by
1033 the no_details option, which sets the flag that says "this detail has already
1034 been sent". The cache normally contains just one address, but there may be
1035 more in esoteric circumstances. */
1036
1037 else
1038 {
1039 BOOL routed = TRUE;
2a3eea10
PH		 1040 uschar *save_address_data = deliver_address_data;
1041
059ec3d9
PH		 1042 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1043 if (no_details) setflag(sender_vaddr, af_sverify_told);
1044 if (verify_sender_address[0] != 0)
1045 {
1046 /* If this is the real sender address, save the unrewritten version
1047 for use later in receive. Otherwise, set a flag so that rewriting the
1048 sender in verify_address() does not update sender_address. */
1049
1050 if (verify_sender_address == sender_address)
1051 sender_address_unrewritten = sender_address;
1052 else
1053 verify_options |= vopt_fake_sender;
1054
1055 /* The recipient, qualify, and expn options are never set in
1056 verify_options. */
1057
1058 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1059 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1060
1061 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1062
1063 if (rc == OK)
1064 {
1065 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1066 {
1067 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1068 verify_sender_address, sender_vaddr->address);
1069 }
1070 else
1071 {
1072 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1073 verify_sender_address);
1074 }
1075 }
1076 else *basic_errno = sender_vaddr->basic_errno;
1077 }
1078 else rc = OK; /* Null sender */
1079
1080 /* Cache the result code */
1081
1082 if (routed) setflag(sender_vaddr, af_verify_routed);
1083 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1084 sender_vaddr->special_action = rc;
1085 sender_vaddr->next = sender_verified_list;
1086 sender_verified_list = sender_vaddr;
2a3eea10
PH		 1087
1088 /* Restore the recipient address data, which might have been clobbered by
1089 the sender verification. */
1090
1091 deliver_address_data = save_address_data;
059ec3d9 1092 }
2a3eea10
PH		 1093
1094 /* Put the sender address_data value into $sender_address_data */
1095
1096 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1097 }
1098
1099/* A recipient address just gets a straightforward verify; again we must handle
1100the DEFER overrides. */
1101
1102else
1103 {
1104 address_item addr2;
1105
1106 /* We must use a copy of the address for verification, because it might
1107 get rewritten. */
1108
1109 addr2 = *addr;
1110 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1111 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9
PH		 1112 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1113 *log_msgptr = addr2.message;
1114 *user_msgptr = addr2.user_message;
1115 *basic_errno = addr2.basic_errno;
1116
1117 /* Make $address_data visible */
1118 deliver_address_data = addr2.p.address_data;
1119 }
1120
1121/* We have a result from the relevant test. Handle defer overrides first. */
1122
1123if (rc == DEFER && (defer_ok ||
1124 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1125 {
1126 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1127 defer_ok? "defer_ok" : "callout_defer_ok");
1128 rc = OK;
1129 }
1130
1131/* If we've failed a sender, set up a recipient message, and point
1132sender_verified_failed to the address item that actually failed. */
1133
1134if (rc != OK && verify_sender_address != NULL)
1135 {
1136 if (rc != DEFER)
1137 {
1138 *log_msgptr = *user_msgptr = US"Sender verify failed";
1139 }
1140 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1141 {
1142 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1143 }
1144 else
1145 {
1146 *log_msgptr = US"Could not complete sender verify callout";
1147 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1148 *log_msgptr;
1149 }
1150
1151 sender_verified_failed = sender_vaddr;
1152 }
1153
1154/* Verifying an address messes up the values of $domain and $local_part,
1155so reset them before returning if this is a RCPT ACL. */
1156
1157if (addr != NULL)
1158 {
1159 deliver_domain = addr->domain;
1160 deliver_localpart = addr->local_part;
1161 }
1162return rc;
1163
1164/* Syntax errors in the verify argument come here. */
1165
1166BAD_VERIFY:
1167*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1168 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1169 "\"verify %s\"", arg);
1170return ERROR;
1171}
1172
1173
1174
1175
1176/*************************************************
1177* Check argument for control= modifier *
1178*************************************************/
1179
1180/* Called from acl_check_condition() below
1181
1182Arguments:
1183 arg the argument string for control=
1184 pptr set to point to the terminating character
1185 where which ACL we are in
1186 log_msgptr for error messages
1187
1188Returns: CONTROL_xxx value
1189*/
1190
1191static int
1192decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1193{
1194int len;
1195control_def *d;
1196
1197for (d = controls_list;
1198 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1199 d++)
1200 {
1201 len = Ustrlen(d->name);
1202 if (Ustrncmp(d->name, arg, len) == 0) break;
1203 }
1204
1205if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1206 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1207 {
1208 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1209 return CONTROL_ERROR;
1210 }
1211
059ec3d9
PH		 1212*pptr = arg + len;
1213return d->value;
1214}
1215
1216
1217
1218/*************************************************
1219* Handle conditions/modifiers on an ACL item *
1220*************************************************/
1221
1222/* Called from acl_check() below.
1223
1224Arguments:
1225 verb ACL verb
1226 cb ACL condition block - if NULL, result is OK
1227 where where called from
1228 addr the address being checked for RCPT, or NULL
1229 level the nesting level
1230 epp pointer to pass back TRUE if "endpass" encountered
1231 (applies only to "accept" and "discard")
1232 user_msgptr user message pointer
1233 log_msgptr log message pointer
1234 basic_errno pointer to where to put verify error
1235
1236Returns: OK - all conditions are met
1237 DISCARD - an "acl" condition returned DISCARD - only allowed
1238 for "accept" or "discard" verbs
1239 FAIL - at least one condition fails
1240 FAIL_DROP - an "acl" condition returned FAIL_DROP
1241 DEFER - can't tell at the moment (typically, lookup defer,
1242 but can be temporary callout problem)
1243 ERROR - ERROR from nested ACL or expansion failure or other
1244 error
1245*/
1246
1247static int
1248acl_check_condition(int verb, acl_condition_block *cb, int where,
1249 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1250 uschar **log_msgptr, int *basic_errno)
1251{
1252uschar *user_message = NULL;
1253uschar *log_message = NULL;
1254uschar *p;
1255int rc = OK;
1256
1257for (; cb != NULL; cb = cb->next)
1258 {
1259 uschar *arg;
c5fcb476 1260 int control_type;
059ec3d9
PH		 1261
1262 /* The message and log_message items set up messages to be used in
1263 case of rejection. They are expanded later. */
1264
1265 if (cb->type == ACLC_MESSAGE)
1266 {
1267 user_message = cb->arg;
1268 continue;
1269 }
1270
1271 if (cb->type == ACLC_LOG_MESSAGE)
1272 {
1273 log_message = cb->arg;
1274 continue;
1275 }
1276
1277 /* The endpass "condition" just sets a flag to show it occurred. This is
1278 checked at compile time to be on an "accept" or "discard" item. */
1279
1280 if (cb->type == ACLC_ENDPASS)
1281 {
1282 *epp = TRUE;
1283 continue;
1284 }
1285
1286 /* For other conditions and modifiers, the argument is expanded now for some
1287 of them, but not for all, because expansion happens down in some lower level
1288 checking functions in some cases. */
1289
1290 if (cond_expand_at_top[cb->type])
1291 {
1292 arg = expand_string(cb->arg);
1293 if (arg == NULL)
1294 {
1295 if (expand_string_forcedfail) continue;
1296 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1297 cb->arg, expand_string_message);
1298 return search_find_defer? DEFER : ERROR;
1299 }
1300 }
1301 else arg = cb->arg;
1302
1303 /* Show condition, and expanded condition if it's different */
1304
1305 HDEBUG(D_acl)
1306 {
1307 int lhswidth = 0;
1308 debug_printf("check %s%s %n",
1309 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1310 conditions[cb->type], &lhswidth);
1311
1312 if (cb->type == ACLC_SET)
1313 {
1314 int n = cb->u.varnumber;
1315 int t = (n < ACL_C_MAX)? 'c' : 'm';
1316 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1317 debug_printf("acl_%c%d ", t, n);
1318 lhswidth += 7;
1319 }
1320
1321 debug_printf("= %s\n", cb->arg);
1322
1323 if (arg != cb->arg)
1324 debug_printf("%.*s= %s\n", lhswidth,
1325 US" ", CS arg);
1326 }
1327
1328 /* Check that this condition makes sense at this time */
1329
1330 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1331 {
1332 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1333 cond_modifiers[cb->type]? "use" : "test",
1334 conditions[cb->type], acl_wherenames[where]);
1335 return ERROR;
1336 }
1337
1338 /* Run the appropriate test for each condition, or take the appropriate
1339 action for the remaining modifiers. */
1340
1341 switch(cb->type)
1342 {
1343 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1344 "discard" verb. */
1345
1346 case ACLC_ACL:
1347 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1348 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1349 {
1350 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1351 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1352 verbs[verb]);
1353 return ERROR;
1354 }
1355 break;
1356
1357 case ACLC_AUTHENTICATED:
1358 rc = (sender_host_authenticated == NULL)? FAIL :
1359 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1360 TRUE, NULL);
1361 break;
1362
1363 case ACLC_CONDITION:
1364 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1365 rc = (Uatoi(arg) == 0)? FAIL : OK;
1366 else
1367 rc = (strcmpic(arg, US"no") == 0 ||
1368 strcmpic(arg, US"false") == 0)? FAIL :
1369 (strcmpic(arg, US"yes") == 0 ||
1370 strcmpic(arg, US"true") == 0)? OK : DEFER;
1371 if (rc == DEFER)
1372 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1373 break;
1374
1375 case ACLC_CONTROL:
c5fcb476
PH		 1376 control_type = decode_control(arg, &p, where, log_msgptr);
1377
1378 /* Check this control makes sense at this time */
1379
1380 if ((control_forbids[control_type] & (1 << where)) != 0)
1381 {
1382 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1383 controls[control_type], acl_wherenames[where]);
1384 return ERROR;
1385 }
1386
1387 switch(control_type)
059ec3d9
PH		 1388 {
1389 case CONTROL_ERROR:
1390 return ERROR;
1391
1392 case CONTROL_CASEFUL_LOCAL_PART:
1393 deliver_localpart = addr->cc_local_part;
1394 break;
1395
1396 case CONTROL_CASELOWER_LOCAL_PART:
1397 deliver_localpart = addr->lc_local_part;
1398 break;
1399
1400 case CONTROL_ENFORCE_SYNC:
1401 smtp_enforce_sync = TRUE;
1402 break;
1403
1404 case CONTROL_NO_ENFORCE_SYNC:
1405 smtp_enforce_sync = FALSE;
1406 break;
1407
1408 case CONTROL_NO_MULTILINE:
1409 no_multiline_responses = TRUE;
1410 break;
1411
1412 case CONTROL_FREEZE:
1413 deliver_freeze = TRUE;
1414 deliver_frozen_at = time(NULL);
1415 break;
1416
1417 case CONTROL_QUEUE_ONLY:
1418 queue_only_policy = TRUE;
1419 break;
1420
1421 case CONTROL_SUBMISSION:
1422 submission_mode = TRUE;
69358f02
PH		 1423 while (*p == '/')
1424 {
1425 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1426 {
1427 p += 14;
1428 active_local_sender_retain = TRUE;
1429 active_local_from_check = FALSE;
1430 }
1431 else if (Ustrncmp(p, "/domain=", 8) == 0)
1432 {
1433 uschar *pp = p + 8;
1434 while (*pp != 0 && *pp != '/') pp++;
1435 submission_domain = string_copyn(p+8, pp-p);
1436 p = pp;
1437 }
1438 else break;
1439 }
1440 if (*p != 0)
059ec3d9 1441 {
69358f02 1442 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 1443 return ERROR;
1444 }
1445 break;
1446 }
1447 break;
1448
1449 case ACLC_DELAY:
1450 {
1451 int delay = readconf_readtime(arg, 0, FALSE);
1452 if (delay < 0)
1453 {
1454 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1455 "modifier: \"%s\" is not a time value", arg);
1456 return ERROR;
1457 }
1458 else
1459 {
1460 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1461 delay);
1462 if (host_checking)
1463 {
1464 HDEBUG(D_acl)
1465 debug_printf("delay skipped in -bh checking mode\n");
1466 }
1467 else sleep(delay);
1468 }
1469 }
1470 break;
1471
1472 case ACLC_DNSLISTS:
1473 rc = verify_check_dnsbl(&arg);
1474 break;
1475
1476 case ACLC_DOMAINS:
1477 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1478 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1479 break;
1480
1481 /* The value in tls_cipher is the full cipher name, for example,
1482 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1483 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1484 what may in practice come out of the SSL library - which at the time of
1485 writing is poorly documented. */
1486
1487 case ACLC_ENCRYPTED:
1488 if (tls_cipher == NULL) rc = FAIL; else
1489 {
1490 uschar *endcipher = NULL;
1491 uschar *cipher = Ustrchr(tls_cipher, ':');
1492 if (cipher == NULL) cipher = tls_cipher; else
1493 {
1494 endcipher = Ustrchr(++cipher, ':');
1495 if (endcipher != NULL) *endcipher = 0;
1496 }
1497 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1498 if (endcipher != NULL) *endcipher = ':';
1499 }
1500 break;
1501
1502 /* Use verify_check_this_host() instead of verify_check_host() so that
1503 we can pass over &host_data to catch any looked up data. Once it has been
1504 set, it retains its value so that it's still there if another ACL verb
1505 comes through here and uses the cache. However, we must put it into
1506 permanent store in case it is also expected to be used in a subsequent
1507 message in the same SMTP connection. */
1508
1509 case ACLC_HOSTS:
1510 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1511 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1512 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1513 break;
1514
1515 case ACLC_LOCAL_PARTS:
1516 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1517 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1518 &deliver_localpart_data);
1519 break;
1520
1521 case ACLC_LOGWRITE:
1522 {
1523 int logbits = 0;
1524 uschar *s = arg;
1525 if (*s == ':')
1526 {
1527 s++;
1528 while (*s != ':')
1529 {
1530 if (Ustrncmp(s, "main", 4) == 0)
1531 { logbits |= LOG_MAIN; s += 4; }
1532 else if (Ustrncmp(s, "panic", 5) == 0)
1533 { logbits |= LOG_PANIC; s += 5; }
1534 else if (Ustrncmp(s, "reject", 6) == 0)
1535 { logbits |= LOG_REJECT; s += 6; }
1536 else
1537 {
1538 logbits = LOG_MAIN|LOG_PANIC;
1539 s = string_sprintf(":unknown log name in \"%s\" in "
1540 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
1541 }
1542 if (*s == ',') s++;
1543 }
1544 s++;
1545 }
1546 while (isspace(*s)) s++;
1547 if (logbits == 0) logbits = LOG_MAIN;
1548 log_write(0, logbits, "%s", string_printing(s));
1549 }
1550 break;
1551
1552 case ACLC_RECIPIENTS:
1553 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
1554 &recipient_data);
1555 break;
1556
1557 case ACLC_SENDER_DOMAINS:
1558 {
1559 uschar *sdomain;
1560 sdomain = Ustrrchr(sender_address, '@');
1561 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
1562 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
1563 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
1564 }
1565 break;
1566
1567 case ACLC_SENDERS:
1568 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
1569 sender_address_cache, -1, 0, &sender_data);
1570 break;
1571
1572 /* Connection variables must persist forever */
1573
1574 case ACLC_SET:
1575 {
1576 int old_pool = store_pool;
1577 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
1578 acl_var[cb->u.varnumber] = string_copy(arg);
1579 store_pool = old_pool;
1580 }
1581 break;
1582
1583 /* If the verb is WARN, discard any user message from verification, because
1584 such messages are SMTP responses, not header additions. The latter come
1585 only from explicit "message" modifiers. */
1586
1587 case ACLC_VERIFY:
1588 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
1589 if (verb == ACL_WARN) *user_msgptr = NULL;
1590 break;
1591
1592 default:
1593 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
1594 "condition %d", cb->type);
1595 break;
1596 }
1597
1598 /* If a condition was negated, invert OK/FAIL. */
1599
1600 if (!cond_modifiers[cb->type] && cb->u.negated)
1601 {
1602 if (rc == OK) rc = FAIL;
1603 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
1604 }
1605
1606 if (rc != OK) break; /* Conditions loop */
1607 }
1608
1609
1610/* If the result is the one for which "message" and/or "log_message" are used,
1611handle the values of these options. Most verbs have but a single return for
1612which the messages are relevant, but for "discard", it's useful to have the log
1613message both when it succeeds and when it fails. Also, for an "accept" that
1614appears in a QUIT ACL, we want to handle the user message. Since only "accept"
1615and "warn" are permitted in that ACL, we don't need to test the verb.
1616
1617These modifiers act in different ways:
1618
1619"message" is a user message that will be included in an SMTP response. Unless
1620it is empty, it overrides any previously set user message.
1621
1622"log_message" is a non-user message, and it adds to any existing non-user
1623message that is already set.
1624
1625If there isn't a log message set, we make it the same as the user message. */
1626
1627if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
1628 (verb == ACL_DISCARD && rc == OK) ||
1629 (where == ACL_WHERE_QUIT))
1630 {
1631 uschar *expmessage;
1632
1633 /* If the verb is "warn", messages generated by conditions (verification or
1634 nested ACLs) are discarded. Only messages specified at this level are used.
1635 However, the value of an existing message is available in $acl_verify_message
1636 during expansions. */
1637
1638 uschar *old_user_msgptr = *user_msgptr;
1639 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
1640
1641 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
1642
1643 if (user_message != NULL)
1644 {
1645 acl_verify_message = old_user_msgptr;
1646 expmessage = expand_string(user_message);
1647 if (expmessage == NULL)
1648 {
1649 if (!expand_string_forcedfail)
1650 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1651 user_message, expand_string_message);
1652 }
1653 else if (expmessage[0] != 0) *user_msgptr = expmessage;
1654 }
1655
1656 if (log_message != NULL)
1657 {
1658 acl_verify_message = old_log_msgptr;
1659 expmessage = expand_string(log_message);
1660 if (expmessage == NULL)
1661 {
1662 if (!expand_string_forcedfail)
1663 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1664 log_message, expand_string_message);
1665 }
1666 else if (expmessage[0] != 0)
1667 {
1668 *log_msgptr = (*log_msgptr == NULL)? expmessage :
1669 string_sprintf("%s: %s", expmessage, *log_msgptr);
1670 }
1671 }
1672
1673 /* If no log message, default it to the user message */
1674
1675 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
1676 }
1677
1678acl_verify_message = NULL;
1679return rc;
1680}
1681
1682
1683
1684
1685
1686/*************************************************
1687* Get line from a literal ACL *
1688*************************************************/
1689
1690/* This function is passed to acl_read() in order to extract individual lines
1691of a literal ACL, which we access via static pointers. We can destroy the
1692contents because this is called only once (the compiled ACL is remembered).
1693
1694This code is intended to treat the data in the same way as lines in the main
1695Exim configuration file. That is:
1696
1697 . Leading spaces are ignored.
1698
1699 . A \ at the end of a line is a continuation - trailing spaces after the \
1700 are permitted (this is because I don't believe in making invisible things
1701 significant). Leading spaces on the continued part of a line are ignored.
1702
1703 . Physical lines starting (significantly) with # are totally ignored, and
1704 may appear within a sequence of backslash-continued lines.
1705
1706 . Blank lines are ignored, but will end a sequence of continuations.
1707
1708Arguments: none
1709Returns: a pointer to the next line
1710*/
1711
1712
1713static uschar *acl_text; /* Current pointer in the text */
1714static uschar *acl_text_end; /* Points one past the terminating '0' */
1715
1716
1717static uschar *
1718acl_getline(void)
1719{
1720uschar *yield;
1721
1722/* This loop handles leading blank lines and comments. */
1723
1724for(;;)
1725 {
1726 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
1727 if (*acl_text == 0) return NULL; /* No more data */
1728 yield = acl_text; /* Potential data line */
1729
1730 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
1731
1732 /* If we hit the end before a newline, we have the whole logical line. If
1733 it's a comment, there's no more data to be given. Otherwise, yield it. */
1734
1735 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
1736
1737 /* After reaching a newline, end this loop if the physical line does not
1738 start with '#'. If it does, it's a comment, and the loop continues. */
1739
1740 if (*yield != '#') break;
1741 }
1742
1743/* This loop handles continuations. We know we have some real data, ending in
1744newline. See if there is a continuation marker at the end (ignoring trailing
1745white space). We know that *yield is not white space, so no need to test for
1746cont > yield in the backwards scanning loop. */
1747
1748for(;;)
1749 {
1750 uschar *cont;
1751 for (cont = acl_text - 1; isspace(*cont); cont--);
1752
1753 /* If no continuation follows, we are done. Mark the end of the line and
1754 return it. */
1755
1756 if (*cont != '\\')
1757 {
1758 *acl_text++ = 0;
1759 return yield;
1760 }
1761
1762 /* We have encountered a continuation. Skip over whitespace at the start of
1763 the next line, and indeed the whole of the next line or lines if they are
1764 comment lines. */
1765
1766 for (;;)
1767 {
1768 while (*(++acl_text) == ' ' || *acl_text == '\t');
1769 if (*acl_text != '#') break;
1770 while (*(++acl_text) != 0 && *acl_text != '\n');
1771 }
1772
1773 /* We have the start of a continuation line. Move all the rest of the data
1774 to join onto the previous line, and then find its end. If the end is not a
1775 newline, we are done. Otherwise loop to look for another continuation. */
1776
1777 memmove(cont, acl_text, acl_text_end - acl_text);
1778 acl_text_end -= acl_text - cont;
1779 acl_text = cont;
1780 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
1781 if (*acl_text == 0) return yield;
1782 }
1783
1784/* Control does not reach here */
1785}
1786
1787
1788
1789
1790
1791/*************************************************
1792* Check access using an ACL *
1793*************************************************/
1794
1795/* This function is called from address_check. It may recurse via
1796acl_check_condition() - hence the use of a level to stop looping. The ACL is
1797passed as a string which is expanded. A forced failure implies no access check
1798is required. If the result is a single word, it is taken as the name of an ACL
1799which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
1800text, complete with newlines, and parsed as such. In both cases, the ACL check
1801is then run. This function uses an auxiliary function for acl_read() to call
1802for reading individual lines of a literal ACL. This is acl_getline(), which
1803appears immediately above.
1804
1805Arguments:
1806 where where called from
1807 addr address item when called from RCPT; otherwise NULL
1808 s the input string; NULL is the same as an empty ACL => DENY
1809 level the nesting level
1810 user_msgptr where to put a user error (for SMTP response)
1811 log_msgptr where to put a logging message (not for SMTP response)
1812
1813Returns: OK access is granted
1814 DISCARD access is apparently granted...
1815 FAIL access is denied
1816 FAIL_DROP access is denied; drop the connection
1817 DEFER can't tell at the moment
1818 ERROR disaster
1819*/
1820
1821static int
1822acl_check_internal(int where, address_item *addr, uschar *s, int level,
1823 uschar **user_msgptr, uschar **log_msgptr)
1824{
1825int fd = -1;
1826acl_block *acl = NULL;
1827uschar *acl_name = US"inline ACL";
1828uschar *ss;
1829
1830/* Catch configuration loops */
1831
1832if (level > 20)
1833 {
1834 *log_msgptr = US"ACL nested too deep: possible loop";
1835 return ERROR;
1836 }
1837
1838if (s == NULL)
1839 {
1840 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
1841 return FAIL;
1842 }
1843
1844/* At top level, we expand the incoming string. At lower levels, it has already
1845been expanded as part of condition processing. */
1846
1847if (level == 0)
1848 {
1849 ss = expand_string(s);
1850 if (ss == NULL)
1851 {
1852 if (expand_string_forcedfail) return OK;
1853 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
1854 expand_string_message);
1855 return ERROR;
1856 }
1857 }
1858else ss = s;
1859
1860while (isspace(*ss))ss++;
1861
1862/* If we can't find a named ACL, the default is to parse it as an inline one.
1863(Unless it begins with a slash; non-existent files give rise to an error.) */
1864
1865acl_text = ss;
1866
1867/* Handle the case of a string that does not contain any spaces. Look for a
1868named ACL among those read from the configuration, or a previously read file.
1869It is possible that the pointer to the ACL is NULL if the configuration
1870contains a name with no data. If not found, and the text begins with '/',
1871read an ACL from a file, and save it so it can be re-used. */
1872
1873if (Ustrchr(ss, ' ') == NULL)
1874 {
1875 tree_node *t = tree_search(acl_anchor, ss);
1876 if (t != NULL)
1877 {
1878 acl = (acl_block *)(t->data.ptr);
1879 if (acl == NULL)
1880 {
1881 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
1882 return FAIL;
1883 }
1884 acl_name = string_sprintf("ACL \"%s\"", ss);
1885 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
1886 }
1887
1888 else if (*ss == '/')
1889 {
1890 struct stat statbuf;
1891 fd = Uopen(ss, O_RDONLY, 0);
1892 if (fd < 0)
1893 {
1894 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
1895 strerror(errno));
1896 return ERROR;
1897 }
1898
1899 if (fstat(fd, &statbuf) != 0)
1900 {
1901 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
1902 strerror(errno));
1903 return ERROR;
1904 }
1905
1906 acl_text = store_get(statbuf.st_size + 1);
1907 acl_text_end = acl_text + statbuf.st_size + 1;
1908
1909 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
1910 {
1911 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
1912 ss, strerror(errno));
1913 return ERROR;
1914 }
1915 acl_text[statbuf.st_size] = 0;
1916 close(fd);
1917
1918 acl_name = string_sprintf("ACL \"%s\"", ss);
1919 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
1920 }
1921 }
1922
1923/* Parse an ACL that is still in text form. If it came from a file, remember it
1924in the ACL tree, having read it into the POOL_PERM store pool so that it
1925persists between multiple messages. */
1926
1927if (acl == NULL)
1928 {
1929 int old_pool = store_pool;
1930 if (fd >= 0) store_pool = POOL_PERM;
1931 acl = acl_read(acl_getline, log_msgptr);
1932 store_pool = old_pool;
1933 if (acl == NULL && *log_msgptr != NULL) return ERROR;
1934 if (fd >= 0)
1935 {
1936 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
1937 Ustrcpy(t->name, ss);
1938 t->data.ptr = acl;
1939 (void)tree_insertnode(&acl_anchor, t);
1940 }
1941 }
1942
1943/* Now we have an ACL to use. It's possible it may be NULL. */
1944
1945while (acl != NULL)
1946 {
1947 int cond;
1948 int basic_errno = 0;
1949 BOOL endpass_seen = FALSE;
1950
1951 *log_msgptr = *user_msgptr = NULL;
1952 acl_temp_details = FALSE;
1953
1954 if (where == ACL_WHERE_QUIT &&
1955 acl->verb != ACL_ACCEPT &&
1956 acl->verb != ACL_WARN)
1957 {
1958 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
1959 verbs[acl->verb]);
1960 return ERROR;
1961 }
1962
1963 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
1964
1965 /* Clear out any search error message from a previous check before testing
1966 this condition. */
1967
1968 search_error_message = NULL;
1969 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
1970 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
1971
1972 /* Handle special returns: DEFER causes a return except on a WARN verb;
1973 ERROR always causes a return. */
1974
1975 switch (cond)
1976 {
1977 case DEFER:
1978 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
1979 if (basic_errno != ERRNO_CALLOUTDEFER)
1980 {
1981 if (search_error_message != NULL && *search_error_message != 0)
1982 *log_msgptr = search_error_message;
1983 if (smtp_return_error_details) acl_temp_details = TRUE;
1984 }
1985 else
1986 {
1987 acl_temp_details = TRUE;
1988 }
1989 if (acl->verb != ACL_WARN) return DEFER;
1990 break;
1991
1992 default: /* Paranoia */
1993 case ERROR:
1994 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
1995 return ERROR;
1996
1997 case OK:
1998 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
1999 verbs[acl->verb]);
2000 break;
2001
2002 case FAIL:
2003 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2004 break;
2005
2006 /* DISCARD and DROP can happen only from a nested ACL condition, and
2007 DISCARD can happen only for an "accept" or "discard" verb. */
2008
2009 case DISCARD:
2010 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2011 verbs[acl->verb]);
2012 break;
2013
2014 case FAIL_DROP:
2015 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2016 verbs[acl->verb]);
2017 break;
2018 }
2019
2020 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2021 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2022 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2023
2024 switch(acl->verb)
2025 {
2026 case ACL_ACCEPT:
2027 if (cond == OK || cond == DISCARD) return cond;
2028 if (endpass_seen)
2029 {
2030 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2031 return cond;
2032 }
2033 break;
2034
2035 case ACL_DEFER:
2036 if (cond == OK)
2037 {
2038 acl_temp_details = TRUE;
2039 return DEFER;
2040 }
2041 break;
2042
2043 case ACL_DENY:
2044 if (cond == OK) return FAIL;
2045 break;
2046
2047 case ACL_DISCARD:
2048 if (cond == OK || cond == DISCARD) return DISCARD;
2049 if (endpass_seen)
2050 {
2051 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2052 return cond;
2053 }
2054 break;
2055
2056 case ACL_DROP:
2057 if (cond == OK) return FAIL_DROP;
2058 break;
2059
2060 case ACL_REQUIRE:
2061 if (cond != OK) return cond;
2062 break;
2063
2064 case ACL_WARN:
2065 if (cond == OK)
2066 acl_warn(where, *user_msgptr, *log_msgptr);
2067 else if (cond == DEFER)
2068 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2069 "condition test deferred: %s",
2070 (*log_msgptr == NULL)? US"" : *log_msgptr));
2071 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2072 break;
2073
2074 default:
2075 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2076 acl->verb);
2077 break;
2078 }
2079
2080 /* Pass to the next ACL item */
2081
2082 acl = acl->next;
2083 }
2084
2085/* We have reached the end of the ACL. This is an implicit DENY. */
2086
2087HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2088return FAIL;
2089}
2090
2091
2092/*************************************************
2093* Check access using an ACL *
2094*************************************************/
2095
2096/* This is the external interface for ACL checks. It sets up an address and the
2097expansions for $domain and $local_part when called after RCPT, then calls
2098acl_check_internal() to do the actual work.
2099
2100Arguments:
2101 where ACL_WHERE_xxxx indicating where called from
2102 data_string RCPT address, or SMTP command argument, or NULL
2103 s the input string; NULL is the same as an empty ACL => DENY
2104 user_msgptr where to put a user error (for SMTP response)
2105 log_msgptr where to put a logging message (not for SMTP response)
2106
2107Returns: OK access is granted by an ACCEPT verb
2108 DISCARD access is granted by a DISCARD verb
2109 FAIL access is denied
2110 FAIL_DROP access is denied; drop the connection
2111 DEFER can't tell at the moment
2112 ERROR disaster
2113*/
2114
2115int
2116acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2117 uschar **log_msgptr)
2118{
2119int rc;
2120address_item adb;
2121address_item *addr;
2122
2123*user_msgptr = *log_msgptr = NULL;
2124sender_verified_failed = NULL;
2125
2126if (where == ACL_WHERE_RCPT)
2127 {
2128 adb = address_defaults;
2129 addr = &adb;
2130 addr->address = data_string;
2131 if (deliver_split_address(addr) == DEFER)
2132 {
2133 *log_msgptr = US"defer in percent_hack_domains check";
2134 return DEFER;
2135 }
2136 deliver_domain = addr->domain;
2137 deliver_localpart = addr->local_part;
2138 }
2139else
2140 {
2141 addr = NULL;
2142 smtp_command_argument = data_string;
2143 }
2144
2145rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2146
2147smtp_command_argument = deliver_domain =
2a3eea10 2148 deliver_localpart = deliver_address_data = sender_address_data = NULL;
059ec3d9
PH		 2149
2150/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2151ACL, which is really in the middle of an SMTP command. */
2152
2153if (rc == DISCARD)
2154 {
2155 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2156 {
2157 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2158 "ACL", acl_wherenames[where]);
2159 return ERROR;
2160 }
2161 return DISCARD;
2162 }
2163
2164/* A DROP response is not permitted from MAILAUTH */
2165
2166if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2167 {
2168 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2169 "ACL", acl_wherenames[where]);
2170 return ERROR;
2171 }
2172
2173/* Before giving an error response, take a look at the length of any user
2174message, and split it up into multiple lines if possible. */
2175
2176if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2177 {
2178 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2179 uschar *ss = s;
2180
2181 for (;;)
2182 {
2183 int i = 0;
2184 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2185 if (*ss == 0) break;
2186 if (*ss == '\n')
2187 s = ++ss;
2188 else
2189 {
2190 uschar *t = ss + 1;
2191 uschar *tt = NULL;
2192 while (--t > s + 35)
2193 {
2194 if (*t == ' ')
2195 {
2196 if (t[-1] == ':') { tt = t; break; }
2197 if (tt == NULL) tt = t;
2198 }
2199 }
2200
2201 if (tt == NULL) /* Can't split behind - try ahead */
2202 {
2203 t = ss + 1;
2204 while (*t != 0)
2205 {
2206 if (*t == ' ' || *t == '\n')
2207 { tt = t; break; }
2208 t++;
2209 }
2210 }
2211
2212 if (tt == NULL) break; /* Can't find anywhere to split */
2213 *tt = '\n';
2214 s = ss = tt+1;
2215 }
2216 }
2217 }
2218
2219return rc;
2220}
2221
2222/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.