projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix "regex" condition not being available in MIME ACL
[exim.git] / src / src / acl.c
CommitLineData
82c6549e 1/* $Cambridge: exim/src/src/acl.c,v 1.22 2005/03/09 13:16:29 tom Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
c988f1f4 7/* Copyright (c) University of Cambridge 1995 - 2005 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
35follows. */
36
8523533c
TK		 37enum { ACLC_ACL, ACLC_AUTHENTICATED,
38#ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40#endif
41ACLC_CONDITION, ACLC_CONTROL,
42#ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44#endif
45 ACLC_DELAY,
46#ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
fb2274d4
TK		 48#endif
49#ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
51 ACLC_DK_POLICY,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
54 ACLC_DK_SENDERS,
55 ACLC_DK_STATUS,
8e669ac1 56#endif
8523533c
TK		 57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59#ifdef WITH_CONTENT_SCAN
60 ACLC_MALWARE,
61#endif
62 ACLC_MESSAGE,
63#ifdef WITH_CONTENT_SCAN
64 ACLC_MIME_REGEX,
65#endif
66 ACLC_RECIPIENTS,
67#ifdef WITH_CONTENT_SCAN
68 ACLC_REGEX,
69#endif
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71#ifdef WITH_CONTENT_SCAN
8e669ac1 72 ACLC_SPAM,
8523533c
TK		 73#endif
74#ifdef EXPERIMENTAL_SPF
75 ACLC_SPF,
76#endif
77 ACLC_VERIFY };
059ec3d9
PH		 78
79/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80"log_message", "logwrite", and "set" are modifiers that look like conditions
81but always return TRUE. They are used for their side effects. */
82
8523533c
TK		 83static uschar *conditions[] = { US"acl", US"authenticated",
84#ifdef EXPERIMENTAL_BRIGHTMAIL
85 US"bmi_optin",
86#endif
87 US"condition",
8e669ac1 88 US"control",
8523533c
TK		 89#ifdef WITH_CONTENT_SCAN
90 US"decode",
91#endif
92 US"delay",
93#ifdef WITH_OLD_DEMIME
94 US"demime",
fb2274d4
TK		 95#endif
96#ifdef EXPERIMENTAL_DOMAINKEYS
97 US"dk_domain_source",
98 US"dk_policy",
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
101 US"dk_senders",
102 US"dk_status",
8523533c
TK		 103#endif
104 US"dnslists", US"domains", US"encrypted",
059ec3d9 105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
8523533c
TK		 106#ifdef WITH_CONTENT_SCAN
107 US"malware",
108#endif
109 US"message",
110#ifdef WITH_CONTENT_SCAN
111 US"mime_regex",
112#endif
113 US"recipients",
114#ifdef WITH_CONTENT_SCAN
115 US"regex",
116#endif
117 US"sender_domains", US"senders", US"set",
118#ifdef WITH_CONTENT_SCAN
119 US"spam",
120#endif
121#ifdef EXPERIMENTAL_SPF
122 US"spf",
123#endif
059ec3d9 124 US"verify" };
8e669ac1 125
c5fcb476
PH		 126/* ACL control names */
127
128static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
8e669ac1 130 US"queue_only", US"submission", US"no_multiline"};
059ec3d9
PH		 131
132/* Flags to indicate for which conditions /modifiers a string expansion is done
133at the outer level. In the other cases, expansion already occurs in the
134checking functions. */
135
136static uschar cond_expand_at_top[] = {
137 TRUE, /* acl */
138 FALSE, /* authenticated */
8523533c
TK		 139#ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
8e669ac1 141#endif
059ec3d9
PH		 142 TRUE, /* condition */
143 TRUE, /* control */
8523533c
TK		 144#ifdef WITH_CONTENT_SCAN
145 TRUE, /* decode */
146#endif
059ec3d9 147 TRUE, /* delay */
8523533c
TK		 148#ifdef WITH_OLD_DEMIME
149 TRUE, /* demime */
fb2274d4
TK		 150#endif
151#ifdef EXPERIMENTAL_DOMAINKEYS
152 TRUE,
153 TRUE,
154 TRUE,
155 TRUE,
156 TRUE,
157 TRUE,
8523533c 158#endif
059ec3d9
PH		 159 TRUE, /* dnslists */
160 FALSE, /* domains */
161 FALSE, /* encrypted */
162 TRUE, /* endpass */
163 FALSE, /* hosts */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
166 TRUE, /* logwrite */
8523533c
TK		 167#ifdef WITH_CONTENT_SCAN
168 TRUE, /* malware */
169#endif
059ec3d9 170 TRUE, /* message */
8523533c
TK		 171#ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
173#endif
059ec3d9 174 FALSE, /* recipients */
8523533c
TK		 175#ifdef WITH_CONTENT_SCAN
176 TRUE, /* regex */
177#endif
059ec3d9
PH		 178 FALSE, /* sender_domains */
179 FALSE, /* senders */
180 TRUE, /* set */
8523533c
TK		 181#ifdef WITH_CONTENT_SCAN
182 TRUE, /* spam */
183#endif
184#ifdef EXPERIMENTAL_SPF
185 TRUE, /* spf */
186#endif
059ec3d9
PH		 187 TRUE /* verify */
188};
189
190/* Flags to identify the modifiers */
191
192static uschar cond_modifiers[] = {
193 FALSE, /* acl */
194 FALSE, /* authenticated */
8523533c
TK		 195#ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
8e669ac1 197#endif
059ec3d9
PH		 198 FALSE, /* condition */
199 TRUE, /* control */
8523533c
TK		 200#ifdef WITH_CONTENT_SCAN
201 FALSE, /* decode */
202#endif
059ec3d9 203 TRUE, /* delay */
8523533c
TK		 204#ifdef WITH_OLD_DEMIME
205 FALSE, /* demime */
fb2274d4
TK		 206#endif
207#ifdef EXPERIMENTAL_DOMAINKEYS
208 FALSE,
209 FALSE,
210 FALSE,
211 FALSE,
212 FALSE,
213 FALSE,
8523533c 214#endif
059ec3d9
PH		 215 FALSE, /* dnslists */
216 FALSE, /* domains */
217 FALSE, /* encrypted */
218 TRUE, /* endpass */
219 FALSE, /* hosts */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
8523533c
TK		 222 TRUE, /* logwrite */
223#ifdef WITH_CONTENT_SCAN
224 FALSE, /* malware */
225#endif
059ec3d9 226 TRUE, /* message */
8523533c
TK		 227#ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
229#endif
059ec3d9 230 FALSE, /* recipients */
8523533c
TK		 231#ifdef WITH_CONTENT_SCAN
232 FALSE, /* regex */
233#endif
059ec3d9
PH		 234 FALSE, /* sender_domains */
235 FALSE, /* senders */
236 TRUE, /* set */
8523533c
TK		 237#ifdef WITH_CONTENT_SCAN
238 FALSE, /* spam */
239#endif
240#ifdef EXPERIMENTAL_SPF
241 FALSE, /* spf */
242#endif
059ec3d9
PH		 243 FALSE /* verify */
244};
245
c5fcb476
PH		 246/* Bit map vector of which conditions are not allowed at certain times. For
247each condition, there's a bitmap of dis-allowed times. */
059ec3d9
PH		 248
249static unsigned int cond_forbids[] = {
250 0, /* acl */
8e669ac1 251
059ec3d9
PH		 252 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
253 (1<<ACL_WHERE_HELO),
8e669ac1 254
8523533c 255#ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 256 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 257 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
258 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 259 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 260 (1<<ACL_WHERE_MAILAUTH)|
261 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
262 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
263#endif
8e669ac1 264
059ec3d9 265 0, /* condition */
8e669ac1 266
059ec3d9
PH		 267 /* Certain types of control are always allowed, so we let it through
268 always and check in the control processing itself */
8e669ac1 269
059ec3d9 270 0, /* control */
8e669ac1 271
8523533c 272#ifdef WITH_CONTENT_SCAN
3864bb8e 273 (1<<ACL_WHERE_AUTH)| /* decode */
8523533c
TK		 274 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
275 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
276 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
277 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
278 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
279 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
280#endif
281
059ec3d9 282 0, /* delay */
8e669ac1 283
f7b63901 284#ifdef WITH_OLD_DEMIME
3864bb8e 285 (1<<ACL_WHERE_AUTH)| /* demime */
8523533c
TK		 286 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
287 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
288 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
289 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
290 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
291 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
292#endif
8e669ac1 293
fb2274d4
TK		 294#ifdef EXPERIMENTAL_DOMAINKEYS
295 (1<<ACL_WHERE_AUTH)|
296 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
297 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
298 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
299 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
300 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
301 (1<<ACL_WHERE_VRFY),
84330b7b 302
fb2274d4
TK		 303 (1<<ACL_WHERE_AUTH)|
304 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
305 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
306 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
307 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
308 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
309 (1<<ACL_WHERE_VRFY),
84330b7b 310
fb2274d4
TK		 311 (1<<ACL_WHERE_AUTH)|
312 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
313 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
314 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
315 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
316 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
317 (1<<ACL_WHERE_VRFY),
84330b7b 318
fb2274d4
TK		 319 (1<<ACL_WHERE_AUTH)|
320 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
321 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
322 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
323 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
324 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
325 (1<<ACL_WHERE_VRFY),
84330b7b 326
fb2274d4
TK		 327 (1<<ACL_WHERE_AUTH)|
328 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
329 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
330 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
331 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
332 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
333 (1<<ACL_WHERE_VRFY),
84330b7b 334
fb2274d4
TK		 335 (1<<ACL_WHERE_AUTH)|
336 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
337 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
338 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
339 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
340 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
341 (1<<ACL_WHERE_VRFY),
342#endif
343
059ec3d9
PH		 344 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
345
346 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
347 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
348 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
349 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
350 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
351 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
352 (1<<ACL_WHERE_VRFY),
353
354 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
355 (1<<ACL_WHERE_HELO),
8e669ac1 356
059ec3d9 357 0, /* endpass */
8e669ac1 358
059ec3d9
PH		 359 (1<<ACL_WHERE_NOTSMTP), /* hosts */
360
361 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
362 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
363 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
364 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
365 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
366 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
367 (1<<ACL_WHERE_VRFY),
368
369 0, /* log_message */
8e669ac1 370
059ec3d9 371 0, /* logwrite */
8e669ac1 372
8523533c 373#ifdef WITH_CONTENT_SCAN
3864bb8e 374 (1<<ACL_WHERE_AUTH)| /* malware */
8523533c
TK		 375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
378 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
381#endif
382
059ec3d9
PH		 383 0, /* message */
384
8523533c 385#ifdef WITH_CONTENT_SCAN
3864bb8e 386 (1<<ACL_WHERE_AUTH)| /* mime_regex */
8523533c
TK		 387 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
388 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
389 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
390 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
391 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
392 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
393#endif
394
059ec3d9
PH		 395 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
396 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
400 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
401 (1<<ACL_WHERE_VRFY),
402
8523533c 403#ifdef WITH_CONTENT_SCAN
3864bb8e 404 (1<<ACL_WHERE_AUTH)| /* regex */
8523533c
TK		 405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
406 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
407 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
408 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
409 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
82c6549e 410 (1<<ACL_WHERE_VRFY),
8523533c
TK		 411#endif
412
059ec3d9
PH		 413 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
414 (1<<ACL_WHERE_HELO)|
415 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
416 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
417 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
418
419 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
420 (1<<ACL_WHERE_HELO)|
421 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
422 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
423 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
424
425 0, /* set */
426
8523533c 427#ifdef WITH_CONTENT_SCAN
3864bb8e 428 (1<<ACL_WHERE_AUTH)| /* spam */
8523533c
TK		 429 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
430 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
431 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
432 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
433 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
434 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
435#endif
436
437#ifdef EXPERIMENTAL_SPF
438 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
439 (1<<ACL_WHERE_HELO)|
440 (1<<ACL_WHERE_MAILAUTH)|
441 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
442 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
443#endif
444
059ec3d9
PH		 445 /* Certain types of verify are always allowed, so we let it through
446 always and check in the verify function itself */
447
448 0 /* verify */
059ec3d9
PH		 449};
450
451
452/* Return values from decode_control() */
453
8e669ac1 454enum {
8523533c
TK		 455#ifdef EXPERIMENTAL_BRIGHTMAIL
456 CONTROL_BMI_RUN,
fb2274d4
TK		 457#endif
458#ifdef EXPERIMENTAL_DOMAINKEYS
459 CONTROL_DK_VERIFY,
8e669ac1 460#endif
8523533c 461 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
059ec3d9 462 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
8523533c
TK		 463 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
464#ifdef WITH_CONTENT_SCAN
8e669ac1 465 CONTROL_NO_MBOX_UNSPOOL,
8523533c 466#endif
0f9b0483 467 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
059ec3d9 468
c5fcb476
PH		 469/* Bit map vector of which controls are not allowed at certain times. For
470each control, there's a bitmap of dis-allowed times. For some, it is easier to
471specify the negation of a small number of allowed times. */
472
473static unsigned int control_forbids[] = {
8523533c
TK		 474#ifdef EXPERIMENTAL_BRIGHTMAIL
475 0, /* bmi_run */
476#endif
fb2274d4
TK		 477#ifdef EXPERIMENTAL_DOMAINKEYS
478 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA), /* dk_verify */
479#endif
3e11c26b 480
c5fcb476 481 0, /* error */
8e669ac1
PH		 482
483 (unsigned int)
c5fcb476 484 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 485
486 (unsigned int)
c5fcb476 487 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 488
c5fcb476 489 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
8e669ac1 490
c5fcb476 491 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
8e669ac1
PH		 492
493 (unsigned int)
c5fcb476
PH		 494 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
495 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
496 (1<<ACL_WHERE_NOTSMTP)),
8e669ac1
PH		 497
498 (unsigned int)
c5fcb476
PH		 499 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
500 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
501 (1<<ACL_WHERE_NOTSMTP)),
8e669ac1
PH		 502
503 (unsigned int)
c5fcb476 504 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 505 (1<<ACL_WHERE_PREDATA)),
8523533c
TK		 506
507#ifdef WITH_CONTENT_SCAN
8e669ac1 508 (unsigned int)
14d57970
PH		 509 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
510 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)),
8523533c 511#endif
a6c4ab60 512
8e669ac1 513 (unsigned int)
a6c4ab60
PH		 514 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
515 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)),
8523533c 516
c5fcb476
PH		 517 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
518};
519
520/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 521
522typedef struct control_def {
523 uschar *name;
524 int value; /* CONTROL_xxx value */
059ec3d9
PH		 525 BOOL has_option; /* Has /option(s) following */
526} control_def;
527
528static control_def controls_list[] = {
8523533c
TK		 529#ifdef EXPERIMENTAL_BRIGHTMAIL
530 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
fb2274d4
TK		 531#endif
532#ifdef EXPERIMENTAL_DOMAINKEYS
533 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
8523533c 534#endif
c5fcb476
PH		 535 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
536 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
537 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
538 { US"freeze", CONTROL_FREEZE, FALSE},
539 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
540 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
541 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
8523533c
TK		 542#ifdef WITH_CONTENT_SCAN
543 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
8523533c 544#endif
0f9b0483 545 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
c5fcb476 546 { US"submission", CONTROL_SUBMISSION, TRUE}
059ec3d9
PH		 547 };
548
549/* Enable recursion between acl_check_internal() and acl_check_condition() */
550
551static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
552 uschar **);
553
554
555/*************************************************
556* Pick out name from list *
557*************************************************/
558
559/* Use a binary chop method
560
561Arguments:
562 name name to find
563 list list of names
564 end size of list
565
566Returns: offset in list, or -1 if not found
567*/
568
569static int
570acl_checkname(uschar *name, uschar **list, int end)
571{
572int start = 0;
573
574while (start < end)
575 {
576 int mid = (start + end)/2;
577 int c = Ustrcmp(name, list[mid]);
578 if (c == 0) return mid;
579 if (c < 0) end = mid; else start = mid + 1;
580 }
581
582return -1;
583}
584
585
586/*************************************************
587* Read and parse one ACL *
588*************************************************/
589
590/* This function is called both from readconf in order to parse the ACLs in the
591configuration file, and also when an ACL is encountered dynamically (e.g. as
592the result of an expansion). It is given a function to call in order to
593retrieve the lines of the ACL. This function handles skipping comments and
594blank lines (where relevant).
595
596Arguments:
597 func function to get next line of ACL
598 error where to put an error message
599
600Returns: pointer to ACL, or NULL
601 NULL can be legal (empty ACL); in this case error will be NULL
602*/
603
604acl_block *
605acl_read(uschar *(*func)(void), uschar **error)
606{
607acl_block *yield = NULL;
608acl_block **lastp = &yield;
609acl_block *this = NULL;
610acl_condition_block *cond;
611acl_condition_block **condp = NULL;
612uschar *s;
613
614*error = NULL;
615
616while ((s = (*func)()) != NULL)
617 {
618 int v, c;
619 BOOL negated = FALSE;
620 uschar *saveline = s;
621 uschar name[64];
622
623 /* Conditions (but not verbs) are allowed to be negated by an initial
624 exclamation mark. */
625
626 while (isspace(*s)) s++;
627 if (*s == '!')
628 {
629 negated = TRUE;
630 s++;
631 }
632
633 /* Read the name of a verb or a condition, or the start of a new ACL */
634
635 s = readconf_readname(name, sizeof(name), s);
636 if (*s == ':')
637 {
638 if (negated || name[0] == 0)
639 {
640 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
641 return NULL;
642 }
643 break;
644 }
645
646 /* If a verb is unrecognized, it may be another condition or modifier that
647 continues the previous verb. */
648
649 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
650 if (v < 0)
651 {
652 if (this == NULL)
653 {
654 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
655 return NULL;
656 }
657 }
658
659 /* New verb */
660
661 else
662 {
663 if (negated)
664 {
665 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
666 return NULL;
667 }
668 this = store_get(sizeof(acl_block));
669 *lastp = this;
670 lastp = &(this->next);
671 this->next = NULL;
672 this->verb = v;
673 this->condition = NULL;
674 condp = &(this->condition);
675 if (*s == 0) continue; /* No condition on this line */
676 if (*s == '!')
677 {
678 negated = TRUE;
679 s++;
680 }
681 s = readconf_readname(name, sizeof(name), s); /* Condition name */
682 }
683
684 /* Handle a condition or modifier. */
685
686 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
687 if (c < 0)
688 {
689 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
690 saveline);
691 return NULL;
692 }
693
694 /* The modifiers may not be negated */
695
696 if (negated && cond_modifiers[c])
697 {
698 *error = string_sprintf("ACL error: negation is not allowed with "
699 "\"%s\"", conditions[c]);
700 return NULL;
701 }
702
703 /* ENDPASS may occur only with ACCEPT or DISCARD. */
704
705 if (c == ACLC_ENDPASS &&
706 this->verb != ACL_ACCEPT &&
707 this->verb != ACL_DISCARD)
708 {
709 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
710 conditions[c], verbs[this->verb]);
711 return NULL;
712 }
713
714 cond = store_get(sizeof(acl_condition_block));
715 cond->next = NULL;
716 cond->type = c;
717 cond->u.negated = negated;
718
719 *condp = cond;
720 condp = &(cond->next);
721
722 /* The "set" modifier is different in that its argument is "name=value"
723 rather than just a value, and we can check the validity of the name, which
724 gives us a variable number to insert into the data block. */
725
726 if (c == ACLC_SET)
727 {
728 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
729 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
730 {
731 *error = string_sprintf("unrecognized name after \"set\" in ACL "
732 "modifier \"set %s\"", s);
733 return NULL;
734 }
735
736 cond->u.varnumber = s[5] - '0';
737 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
738 s += 6;
739 while (isspace(*s)) s++;
740 }
741
742 /* For "set", we are now positioned for the data. For the others, only
743 "endpass" has no data */
744
745 if (c != ACLC_ENDPASS)
746 {
747 if (*s++ != '=')
748 {
749 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
750 cond_modifiers[c]? US"modifier" : US"condition");
751 return NULL;
752 }
753 while (isspace(*s)) s++;
754 cond->arg = string_copy(s);
755 }
756 }
757
758return yield;
759}
760
761
762
763/*************************************************
764* Handle warnings *
765*************************************************/
766
767/* This function is called when a WARN verb's conditions are true. It adds to
768the message's headers, and/or writes information to the log. In each case, this
769only happens once (per message for headers, per connection for log).
770
771Arguments:
772 where ACL_WHERE_xxxx indicating which ACL this is
773 user_message message for adding to headers
774 log_message message for logging, if different
775
776Returns: nothing
777*/
778
779static void
780acl_warn(int where, uschar *user_message, uschar *log_message)
781{
782int hlen;
783
784if (log_message != NULL && log_message != user_message)
785 {
786 uschar *text;
787 string_item *logged;
788
789 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
790 string_printing(log_message));
791
792 /* If a sender verification has failed, and the log message is "sender verify
793 failed", add the failure message. */
794
795 if (sender_verified_failed != NULL &&
796 sender_verified_failed->message != NULL &&
797 strcmpic(log_message, US"sender verify failed") == 0)
798 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
799
800 /* Search previously logged warnings. They are kept in malloc store so they
801 can be freed at the start of a new message. */
802
803 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
804 if (Ustrcmp(logged->text, text) == 0) break;
805
806 if (logged == NULL)
807 {
808 int length = Ustrlen(text) + 1;
809 log_write(0, LOG_MAIN, "%s", text);
810 logged = store_malloc(sizeof(string_item) + length);
811 logged->text = (uschar *)logged + sizeof(string_item);
812 memcpy(logged->text, text, length);
813 logged->next = acl_warn_logged;
814 acl_warn_logged = logged;
815 }
816 }
817
818/* If there's no user message, we are done. */
819
820if (user_message == NULL) return;
821
822/* If this isn't a message ACL, we can't do anything with a user message.
823Log an error. */
824
825if (where > ACL_WHERE_NOTSMTP)
826 {
827 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
828 "found in a non-message (%s) ACL: cannot specify header lines here: "
829 "message ignored", acl_wherenames[where]);
830 return;
831 }
832
833/* Treat the user message as a sequence of one or more header lines. */
834
835hlen = Ustrlen(user_message);
836if (hlen > 0)
837 {
838 uschar *text, *p, *q;
839
840 /* Add a final newline if not present */
841
842 text = ((user_message)[hlen-1] == '\n')? user_message :
843 string_sprintf("%s\n", user_message);
844
845 /* Loop for multiple header lines, taking care about continuations */
846
847 for (p = q = text; *p != 0; )
848 {
849 uschar *s;
850 int newtype = htype_add_bot;
851 header_line **hptr = &acl_warn_headers;
852
853 /* Find next header line within the string */
854
855 for (;;)
856 {
857 q = Ustrchr(q, '\n');
858 if (*(++q) != ' ' && *q != '\t') break;
859 }
860
861 /* If the line starts with a colon, interpret the instruction for where to
862 add it. This temporarily sets up a new type. */
863
864 if (*p == ':')
865 {
866 if (strncmpic(p, US":after_received:", 16) == 0)
867 {
868 newtype = htype_add_rec;
869 p += 16;
870 }
8523533c
TK		 871 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
872 {
873 newtype = htype_add_rfc;
874 p += 14;
8e669ac1 875 }
059ec3d9
PH		 876 else if (strncmpic(p, US":at_start:", 10) == 0)
877 {
878 newtype = htype_add_top;
879 p += 10;
880 }
881 else if (strncmpic(p, US":at_end:", 8) == 0)
882 {
883 newtype = htype_add_bot;
884 p += 8;
885 }
886 while (*p == ' ' || *p == '\t') p++;
887 }
888
889 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
890 to the front of it. */
891
892 for (s = p; s < q - 1; s++)
893 {
894 if (*s == ':' || !isgraph(*s)) break;
895 }
896
897 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
898 hlen = Ustrlen(s);
899
900 /* See if this line has already been added */
901
902 while (*hptr != NULL)
903 {
904 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
905 hptr = &((*hptr)->next);
906 }
907
908 /* Add if not previously present */
909
910 if (*hptr == NULL)
911 {
912 header_line *h = store_get(sizeof(header_line));
913 h->text = s;
914 h->next = NULL;
915 h->type = newtype;
916 h->slen = hlen;
917 *hptr = h;
918 hptr = &(h->next);
919 }
920
921 /* Advance for next header line within the string */
922
923 p = q;
924 }
925 }
926}
927
928
929
930/*************************************************
931* Verify and check reverse DNS *
932*************************************************/
933
934/* Called from acl_verify() below. We look up the host name(s) of the client IP
935address if this has not yet been done. The host_name_lookup() function checks
936that one of these names resolves to an address list that contains the client IP
937address, so we don't actually have to do the check here.
938
939Arguments:
940 user_msgptr pointer for user message
941 log_msgptr pointer for log message
942
943Returns: OK verification condition succeeded
944 FAIL verification failed
945 DEFER there was a problem verifying
946*/
947
948static int
949acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
950{
951int rc;
952
953user_msgptr = user_msgptr; /* stop compiler warning */
954
955/* Previous success */
956
957if (sender_host_name != NULL) return OK;
958
959/* Previous failure */
960
961if (host_lookup_failed)
962 {
963 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
964 return FAIL;
965 }
966
967/* Need to do a lookup */
968
969HDEBUG(D_acl)
970 debug_printf("looking up host name to force name/address consistency check\n");
971
972if ((rc = host_name_lookup()) != OK)
973 {
974 *log_msgptr = (rc == DEFER)?
975 US"host lookup deferred for reverse lookup check"
976 :
977 string_sprintf("host lookup failed for reverse lookup check%s",
978 host_lookup_msg);
979 return rc; /* DEFER or FAIL */
980 }
981
982host_build_sender_fullhost();
983return OK;
984}
985
986
987
988/*************************************************
989* Handle verification (address & other) *
990*************************************************/
991
992/* This function implements the "verify" condition. It is called when
993encountered in any ACL, because some tests are almost always permitted. Some
994just don't make sense, and always fail (for example, an attempt to test a host
995lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
996
997Arguments:
998 where where called from
999 addr the recipient address that the ACL is handling, or NULL
1000 arg the argument of "verify"
1001 user_msgptr pointer for user message
1002 log_msgptr pointer for log message
1003 basic_errno where to put verify errno
1004
1005Returns: OK verification condition succeeded
1006 FAIL verification failed
1007 DEFER there was a problem verifying
1008 ERROR syntax error
1009*/
1010
1011static int
1012acl_verify(int where, address_item *addr, uschar *arg,
1013 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1014{
1015int sep = '/';
1016int callout = -1;
1017int callout_overall = -1;
4deaf07d 1018int callout_connect = -1;
059ec3d9
PH		 1019int verify_options = 0;
1020int rc;
1021BOOL verify_header_sender = FALSE;
1022BOOL defer_ok = FALSE;
1023BOOL callout_defer_ok = FALSE;
1024BOOL no_details = FALSE;
1025address_item *sender_vaddr = NULL;
1026uschar *verify_sender_address = NULL;
1027uschar *pm_mailfrom = NULL;
1028uschar *se_mailfrom = NULL;
1029uschar *list = arg;
1030uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1031
1032if (ss == NULL) goto BAD_VERIFY;
1033
1034/* Handle name/address consistency verification in a separate function. */
1035
1036if (strcmpic(ss, US"reverse_host_lookup") == 0)
1037 {
1038 if (sender_host_address == NULL) return OK;
1039 return acl_verify_reverse(user_msgptr, log_msgptr);
1040 }
1041
1042/* TLS certificate verification is done at STARTTLS time; here we just
1043test whether it was successful or not. (This is for optional verification; for
1044mandatory verification, the connection doesn't last this long.) */
1045
1046if (strcmpic(ss, US"certificate") == 0)
1047 {
1048 if (tls_certificate_verified) return OK;
1049 *user_msgptr = US"no verified certificate";
1050 return FAIL;
1051 }
1052
1053/* We can test the result of optional HELO verification */
1054
1055if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
1056
1057/* Handle header verification options - permitted only after DATA or a non-SMTP
1058message. */
1059
1060if (strncmpic(ss, US"header_", 7) == 0)
1061 {
1062 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1063 {
1064 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1065 "(only possible in ACL for DATA)", acl_wherenames[where]);
1066 return ERROR;
1067 }
1068
1069 /* Check that all relevant header lines have the correct syntax. If there is
1070 a syntax error, we return details of the error to the sender if configured to
1071 send out full details. (But a "message" setting on the ACL can override, as
1072 always). */
1073
1074 if (strcmpic(ss+7, US"syntax") == 0)
1075 {
1076 int rc = verify_check_headers(log_msgptr);
1077 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1078 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1079 return rc;
1080 }
1081
1082 /* Check that there is at least one verifiable sender address in the relevant
1083 header lines. This can be followed by callout and defer options, just like
1084 sender and recipient. */
1085
1086 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
1087
1088 /* Unknown verify argument starting with "header_" */
1089
1090 else goto BAD_VERIFY;
1091 }
1092
1093/* Otherwise, first item in verify argument must be "sender" or "recipient".
1094In the case of a sender, this can optionally be followed by an address to use
1095in place of the actual sender (rare special-case requirement). */
1096
1097else if (strncmpic(ss, US"sender", 6) == 0)
1098 {
1099 uschar *s = ss + 6;
1100 if (where > ACL_WHERE_NOTSMTP)
1101 {
1102 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1103 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1104 acl_wherenames[where]);
1105 return ERROR;
1106 }
1107 if (*s == 0)
1108 verify_sender_address = sender_address;
1109 else
1110 {
1111 while (isspace(*s)) s++;
1112 if (*s++ != '=') goto BAD_VERIFY;
1113 while (isspace(*s)) s++;
1114 verify_sender_address = string_copy(s);
1115 }
1116 }
1117else
1118 {
1119 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1120 if (addr == NULL)
1121 {
1122 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1123 "(only possible for RCPT)", acl_wherenames[where]);
1124 return ERROR;
1125 }
1126 }
1127
1128/* Remaining items are optional */
1129
1130while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1131 != NULL)
1132 {
1133 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1134 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1135
1136 /* These two old options are left for backwards compatibility */
1137
1138 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1139 {
1140 callout_defer_ok = TRUE;
1141 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1142 }
1143
1144 else if (strcmpic(ss, US"check_postmaster") == 0)
1145 {
1146 pm_mailfrom = US"";
1147 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1148 }
1149
1150 /* The callout option has a number of sub-options, comma separated */
1151
1152 else if (strncmpic(ss, US"callout", 7) == 0)
1153 {
1154 callout = CALLOUT_TIMEOUT_DEFAULT;
1155 ss += 7;
1156 if (*ss != 0)
1157 {
1158 while (isspace(*ss)) ss++;
1159 if (*ss++ == '=')
1160 {
1161 int optsep = ',';
1162 uschar *opt;
1163 uschar buffer[256];
1164 while (isspace(*ss)) ss++;
8e669ac1
PH		 1165
1166 /* This callout option handling code has become a mess as new options
1167 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1168 kind of table-driven thing. */
8e669ac1 1169
059ec3d9
PH		 1170 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1171 != NULL)
1172 {
1173 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1174 else if (strcmpic(opt, US"no_cache") == 0)
1175 verify_options |= vopt_callout_no_cache;
1176 else if (strcmpic(opt, US"random") == 0)
1177 verify_options |= vopt_callout_random;
1178 else if (strcmpic(opt, US"use_sender") == 0)
1179 verify_options |= vopt_callout_recipsender;
1180 else if (strcmpic(opt, US"use_postmaster") == 0)
1181 verify_options |= vopt_callout_recippmaster;
1182 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1183
1184 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1185 {
1186 if (!verify_header_sender)
1187 {
1188 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1189 "callout option only for verify=header_sender (detected in ACL "
1190 "condition \"%s\")", arg);
1191 return ERROR;
1192 }
1193 opt += 8;
1194 while (isspace(*opt)) opt++;
1195 if (*opt++ != '=')
1196 {
1197 *log_msgptr = string_sprintf("'=' expected after "
1198 "\"mailfrom\" in ACL condition \"%s\"", arg);
1199 return ERROR;
1200 }
1201 while (isspace(*opt)) opt++;
1202 se_mailfrom = string_copy(opt);
1203 }
1204
1205 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1206 {
1207 opt += 19;
1208 while (isspace(*opt)) opt++;
1209 if (*opt++ != '=')
1210 {
1211 *log_msgptr = string_sprintf("'=' expected after "
1212 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1213 return ERROR;
1214 }
1215 while (isspace(*opt)) opt++;
1216 pm_mailfrom = string_copy(opt);
1217 }
1218
1219 else if (strncmpic(opt, US"maxwait", 7) == 0)
1220 {
1221 opt += 7;
1222 while (isspace(*opt)) opt++;
1223 if (*opt++ != '=')
1224 {
1225 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1226 "ACL condition \"%s\"", arg);
1227 return ERROR;
1228 }
1229 while (isspace(*opt)) opt++;
1230 callout_overall = readconf_readtime(opt, 0, FALSE);
1231 if (callout_overall < 0)
1232 {
1233 *log_msgptr = string_sprintf("bad time value in ACL condition "
1234 "\"verify %s\"", arg);
1235 return ERROR;
1236 }
1237 }
4deaf07d
PH		 1238 else if (strncmpic(opt, US"connect", 7) == 0)
1239 {
1240 opt += 7;
1241 while (isspace(*opt)) opt++;
1242 if (*opt++ != '=')
1243 {
1244 *log_msgptr = string_sprintf("'=' expected after "
1245 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1246 return ERROR;
1247 }
1248 while (isspace(*opt)) opt++;
1249 callout_connect = readconf_readtime(opt, 0, FALSE);
1250 if (callout_connect < 0)
1251 {
1252 *log_msgptr = string_sprintf("bad time value in ACL condition "
1253 "\"verify %s\"", arg);
1254 return ERROR;
1255 }
1256 }
059ec3d9
PH		 1257 else /* Plain time is callout connect/command timeout */
1258 {
1259 callout = readconf_readtime(opt, 0, FALSE);
1260 if (callout < 0)
1261 {
1262 *log_msgptr = string_sprintf("bad time value in ACL condition "
1263 "\"verify %s\"", arg);
1264 return ERROR;
1265 }
1266 }
1267 }
1268 }
1269 else
1270 {
1271 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1272 "ACL condition \"%s\"", arg);
1273 return ERROR;
1274 }
1275 }
1276 }
1277
1278 /* Option not recognized */
1279
1280 else
1281 {
1282 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1283 "condition \"verify %s\"", ss, arg);
1284 return ERROR;
1285 }
1286 }
1287
1288if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1289 (vopt_callout_recipsender|vopt_callout_recippmaster))
1290 {
1291 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1292 "for a recipient callout";
1293 return ERROR;
1294 }
1295
1296/* Handle sender-in-header verification. Default the user message to the log
1297message if giving out verification details. */
1298
1299if (verify_header_sender)
1300 {
8e669ac1 1301 int verrno;
059ec3d9 1302 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1303 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1304 &verrno);
1305 if (rc != OK)
8e669ac1 1306 {
fe5b5d0b
PH		 1307 *basic_errno = verrno;
1308 if (smtp_return_error_details)
1309 {
1310 if (*user_msgptr == NULL && *log_msgptr != NULL)
1311 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1312 if (rc == DEFER) acl_temp_details = TRUE;
1313 }
8e669ac1 1314 }
059ec3d9
PH		 1315 }
1316
1317/* Handle a sender address. The default is to verify *the* sender address, but
1318optionally a different address can be given, for special requirements. If the
1319address is empty, we are dealing with a bounce message that has no sender, so
1320we cannot do any checking. If the real sender address gets rewritten during
1321verification (e.g. DNS widening), set the flag to stop it being rewritten again
1322during message reception.
1323
1324A list of verified "sender" addresses is kept to try to avoid doing to much
1325work repetitively when there are multiple recipients in a message and they all
1326require sender verification. However, when callouts are involved, it gets too
1327complicated because different recipients may require different callout options.
1328Therefore, we always do a full sender verify when any kind of callout is
1329specified. Caching elsewhere, for instance in the DNS resolver and in the
1330callout handling, should ensure that this is not terribly inefficient. */
1331
1332else if (verify_sender_address != NULL)
1333 {
1334 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1335 != 0)
1336 {
1337 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1338 "sender verify callout";
1339 return ERROR;
1340 }
1341
1342 sender_vaddr = verify_checked_sender(verify_sender_address);
1343 if (sender_vaddr != NULL && /* Previously checked */
1344 callout <= 0) /* No callout needed this time */
1345 {
1346 /* If the "routed" flag is set, it means that routing worked before, so
1347 this check can give OK (the saved return code value, if set, belongs to a
1348 callout that was done previously). If the "routed" flag is not set, routing
1349 must have failed, so we use the saved return code. */
1350
1351 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1352 {
1353 rc = sender_vaddr->special_action;
1354 *basic_errno = sender_vaddr->basic_errno;
1355 }
1356 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1357 }
1358
1359 /* Do a new verification, and cache the result. The cache is used to avoid
1360 verifying the sender multiple times for multiple RCPTs when callouts are not
1361 specified (see comments above).
1362
1363 The cache is also used on failure to give details in response to the first
1364 RCPT that gets bounced for this reason. However, this can be suppressed by
1365 the no_details option, which sets the flag that says "this detail has already
1366 been sent". The cache normally contains just one address, but there may be
1367 more in esoteric circumstances. */
1368
1369 else
1370 {
1371 BOOL routed = TRUE;
2a3eea10 1372 uschar *save_address_data = deliver_address_data;
8e669ac1 1373
059ec3d9
PH		 1374 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1375 if (no_details) setflag(sender_vaddr, af_sverify_told);
1376 if (verify_sender_address[0] != 0)
1377 {
1378 /* If this is the real sender address, save the unrewritten version
1379 for use later in receive. Otherwise, set a flag so that rewriting the
1380 sender in verify_address() does not update sender_address. */
1381
1382 if (verify_sender_address == sender_address)
1383 sender_address_unrewritten = sender_address;
1384 else
1385 verify_options |= vopt_fake_sender;
1386
1387 /* The recipient, qualify, and expn options are never set in
1388 verify_options. */
1389
1390 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1391 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1392
1393 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1394
1395 if (rc == OK)
1396 {
1397 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1398 {
1399 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1400 verify_sender_address, sender_vaddr->address);
1401 }
1402 else
1403 {
1404 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1405 verify_sender_address);
1406 }
1407 }
1408 else *basic_errno = sender_vaddr->basic_errno;
1409 }
1410 else rc = OK; /* Null sender */
1411
1412 /* Cache the result code */
1413
1414 if (routed) setflag(sender_vaddr, af_verify_routed);
1415 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1416 sender_vaddr->special_action = rc;
1417 sender_vaddr->next = sender_verified_list;
1418 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1419
1420 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1421 the sender verification. */
8e669ac1 1422
2a3eea10 1423 deliver_address_data = save_address_data;
059ec3d9 1424 }
8e669ac1 1425
2a3eea10
PH		 1426 /* Put the sender address_data value into $sender_address_data */
1427
8e669ac1 1428 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1429 }
1430
1431/* A recipient address just gets a straightforward verify; again we must handle
1432the DEFER overrides. */
1433
1434else
1435 {
1436 address_item addr2;
1437
1438 /* We must use a copy of the address for verification, because it might
1439 get rewritten. */
1440
1441 addr2 = *addr;
1442 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1443 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1444 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1445
059ec3d9 1446 *log_msgptr = addr2.message;
8e669ac1 1447 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1448 addr2.user_message : addr2.message;
059ec3d9
PH		 1449 *basic_errno = addr2.basic_errno;
1450
1451 /* Make $address_data visible */
1452 deliver_address_data = addr2.p.address_data;
1453 }
1454
1455/* We have a result from the relevant test. Handle defer overrides first. */
1456
1457if (rc == DEFER && (defer_ok ||
1458 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1459 {
1460 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1461 defer_ok? "defer_ok" : "callout_defer_ok");
1462 rc = OK;
1463 }
1464
1465/* If we've failed a sender, set up a recipient message, and point
1466sender_verified_failed to the address item that actually failed. */
1467
1468if (rc != OK && verify_sender_address != NULL)
1469 {
1470 if (rc != DEFER)
1471 {
1472 *log_msgptr = *user_msgptr = US"Sender verify failed";
1473 }
1474 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1475 {
1476 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1477 }
1478 else
1479 {
1480 *log_msgptr = US"Could not complete sender verify callout";
1481 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1482 *log_msgptr;
1483 }
1484
1485 sender_verified_failed = sender_vaddr;
1486 }
1487
1488/* Verifying an address messes up the values of $domain and $local_part,
1489so reset them before returning if this is a RCPT ACL. */
1490
1491if (addr != NULL)
1492 {
1493 deliver_domain = addr->domain;
1494 deliver_localpart = addr->local_part;
1495 }
1496return rc;
1497
1498/* Syntax errors in the verify argument come here. */
1499
1500BAD_VERIFY:
1501*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1502 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1503 "\"verify %s\"", arg);
1504return ERROR;
1505}
1506
1507
1508
1509
1510/*************************************************
1511* Check argument for control= modifier *
1512*************************************************/
1513
1514/* Called from acl_check_condition() below
1515
1516Arguments:
1517 arg the argument string for control=
1518 pptr set to point to the terminating character
1519 where which ACL we are in
1520 log_msgptr for error messages
1521
1522Returns: CONTROL_xxx value
1523*/
1524
1525static int
1526decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1527{
1528int len;
1529control_def *d;
1530
1531for (d = controls_list;
1532 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1533 d++)
1534 {
1535 len = Ustrlen(d->name);
1536 if (Ustrncmp(d->name, arg, len) == 0) break;
1537 }
1538
1539if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1540 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1541 {
1542 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1543 return CONTROL_ERROR;
1544 }
1545
059ec3d9
PH		 1546*pptr = arg + len;
1547return d->value;
1548}
1549
1550
1551
1552/*************************************************
1553* Handle conditions/modifiers on an ACL item *
1554*************************************************/
1555
1556/* Called from acl_check() below.
1557
1558Arguments:
1559 verb ACL verb
1560 cb ACL condition block - if NULL, result is OK
1561 where where called from
1562 addr the address being checked for RCPT, or NULL
1563 level the nesting level
1564 epp pointer to pass back TRUE if "endpass" encountered
1565 (applies only to "accept" and "discard")
1566 user_msgptr user message pointer
1567 log_msgptr log message pointer
1568 basic_errno pointer to where to put verify error
1569
1570Returns: OK - all conditions are met
1571 DISCARD - an "acl" condition returned DISCARD - only allowed
1572 for "accept" or "discard" verbs
1573 FAIL - at least one condition fails
1574 FAIL_DROP - an "acl" condition returned FAIL_DROP
1575 DEFER - can't tell at the moment (typically, lookup defer,
1576 but can be temporary callout problem)
1577 ERROR - ERROR from nested ACL or expansion failure or other
1578 error
1579*/
1580
1581static int
1582acl_check_condition(int verb, acl_condition_block *cb, int where,
1583 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1584 uschar **log_msgptr, int *basic_errno)
1585{
1586uschar *user_message = NULL;
1587uschar *log_message = NULL;
1588uschar *p;
1589int rc = OK;
8523533c
TK		 1590#ifdef WITH_CONTENT_SCAN
1591int sep = '/';
1592#endif
059ec3d9
PH		 1593
1594for (; cb != NULL; cb = cb->next)
1595 {
1596 uschar *arg;
8e669ac1 1597 int control_type;
059ec3d9
PH		 1598
1599 /* The message and log_message items set up messages to be used in
1600 case of rejection. They are expanded later. */
1601
1602 if (cb->type == ACLC_MESSAGE)
1603 {
1604 user_message = cb->arg;
1605 continue;
1606 }
1607
1608 if (cb->type == ACLC_LOG_MESSAGE)
1609 {
1610 log_message = cb->arg;
1611 continue;
1612 }
1613
1614 /* The endpass "condition" just sets a flag to show it occurred. This is
1615 checked at compile time to be on an "accept" or "discard" item. */
1616
1617 if (cb->type == ACLC_ENDPASS)
1618 {
1619 *epp = TRUE;
1620 continue;
1621 }
1622
1623 /* For other conditions and modifiers, the argument is expanded now for some
1624 of them, but not for all, because expansion happens down in some lower level
1625 checking functions in some cases. */
1626
1627 if (cond_expand_at_top[cb->type])
1628 {
1629 arg = expand_string(cb->arg);
1630 if (arg == NULL)
1631 {
1632 if (expand_string_forcedfail) continue;
1633 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1634 cb->arg, expand_string_message);
1635 return search_find_defer? DEFER : ERROR;
1636 }
1637 }
1638 else arg = cb->arg;
1639
1640 /* Show condition, and expanded condition if it's different */
1641
1642 HDEBUG(D_acl)
1643 {
1644 int lhswidth = 0;
1645 debug_printf("check %s%s %n",
1646 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1647 conditions[cb->type], &lhswidth);
1648
1649 if (cb->type == ACLC_SET)
1650 {
1651 int n = cb->u.varnumber;
1652 int t = (n < ACL_C_MAX)? 'c' : 'm';
1653 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1654 debug_printf("acl_%c%d ", t, n);
1655 lhswidth += 7;
1656 }
1657
1658 debug_printf("= %s\n", cb->arg);
1659
1660 if (arg != cb->arg)
1661 debug_printf("%.*s= %s\n", lhswidth,
1662 US" ", CS arg);
1663 }
1664
1665 /* Check that this condition makes sense at this time */
1666
1667 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1668 {
1669 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1670 cond_modifiers[cb->type]? "use" : "test",
1671 conditions[cb->type], acl_wherenames[where]);
1672 return ERROR;
1673 }
1674
1675 /* Run the appropriate test for each condition, or take the appropriate
1676 action for the remaining modifiers. */
1677
1678 switch(cb->type)
1679 {
1680 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1681 "discard" verb. */
1682
1683 case ACLC_ACL:
1684 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1685 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1686 {
1687 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1688 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1689 verbs[verb]);
1690 return ERROR;
1691 }
1692 break;
1693
1694 case ACLC_AUTHENTICATED:
1695 rc = (sender_host_authenticated == NULL)? FAIL :
1696 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1697 TRUE, NULL);
1698 break;
1699
8523533c
TK		 1700#ifdef EXPERIMENTAL_BRIGHTMAIL
1701 case ACLC_BMI_OPTIN:
1702 {
1703 int old_pool = store_pool;
1704 store_pool = POOL_PERM;
1705 bmi_current_optin = string_copy(arg);
1706 store_pool = old_pool;
1707 }
1708 break;
1709#endif
1710
059ec3d9
PH		 1711 case ACLC_CONDITION:
1712 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1713 rc = (Uatoi(arg) == 0)? FAIL : OK;
1714 else
1715 rc = (strcmpic(arg, US"no") == 0 ||
1716 strcmpic(arg, US"false") == 0)? FAIL :
1717 (strcmpic(arg, US"yes") == 0 ||
1718 strcmpic(arg, US"true") == 0)? OK : DEFER;
1719 if (rc == DEFER)
1720 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1721 break;
1722
1723 case ACLC_CONTROL:
c5fcb476
PH		 1724 control_type = decode_control(arg, &p, where, log_msgptr);
1725
8523533c 1726 /* Check if this control makes sense at this time */
c5fcb476
PH		 1727
1728 if ((control_forbids[control_type] & (1 << where)) != 0)
1729 {
1730 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1731 controls[control_type], acl_wherenames[where]);
1732 return ERROR;
8e669ac1 1733 }
c5fcb476
PH		 1734
1735 switch(control_type)
059ec3d9 1736 {
8523533c
TK		 1737#ifdef EXPERIMENTAL_BRIGHTMAIL
1738 case CONTROL_BMI_RUN:
1739 bmi_run = 1;
1740 break;
1741#endif
fb2274d4
TK		 1742#ifdef EXPERIMENTAL_DOMAINKEYS
1743 case CONTROL_DK_VERIFY:
1744 dk_do_verify = 1;
1745 break;
1746#endif
059ec3d9
PH		 1747 case CONTROL_ERROR:
1748 return ERROR;
1749
1750 case CONTROL_CASEFUL_LOCAL_PART:
1751 deliver_localpart = addr->cc_local_part;
1752 break;
1753
1754 case CONTROL_CASELOWER_LOCAL_PART:
1755 deliver_localpart = addr->lc_local_part;
1756 break;
1757
1758 case CONTROL_ENFORCE_SYNC:
1759 smtp_enforce_sync = TRUE;
1760 break;
1761
1762 case CONTROL_NO_ENFORCE_SYNC:
1763 smtp_enforce_sync = FALSE;
1764 break;
1765
8523533c
TK		 1766#ifdef WITH_CONTENT_SCAN
1767 case CONTROL_NO_MBOX_UNSPOOL:
1768 no_mbox_unspool = TRUE;
1769 break;
1770#endif
1771
059ec3d9
PH		 1772 case CONTROL_NO_MULTILINE:
1773 no_multiline_responses = TRUE;
1774 break;
1775
8523533c
TK		 1776 case CONTROL_FAKEREJECT:
1777 fake_reject = TRUE;
1778 if (*p == '/')
8e669ac1 1779 {
8523533c 1780 uschar *pp = p + 1;
8e669ac1 1781 while (*pp != 0) pp++;
8523533c
TK		 1782 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1783 p = pp;
1784 }
1785 else
1786 {
1787 /* Explicitly reset to default string */
dc082449 1788 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 1789 }
1790 break;
8523533c 1791
059ec3d9
PH		 1792 case CONTROL_FREEZE:
1793 deliver_freeze = TRUE;
1794 deliver_frozen_at = time(NULL);
1795 break;
1796
1797 case CONTROL_QUEUE_ONLY:
1798 queue_only_policy = TRUE;
1799 break;
1800
1801 case CONTROL_SUBMISSION:
1802 submission_mode = TRUE;
69358f02 1803 while (*p == '/')
8e669ac1 1804 {
69358f02
PH		 1805 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1806 {
1807 p += 14;
1808 active_local_sender_retain = TRUE;
8e669ac1
PH		 1809 active_local_from_check = FALSE;
1810 }
69358f02
PH		 1811 else if (Ustrncmp(p, "/domain=", 8) == 0)
1812 {
1813 uschar *pp = p + 8;
8e669ac1 1814 while (*pp != 0 && *pp != '/') pp++;
69358f02 1815 submission_domain = string_copyn(p+8, pp-p);
8e669ac1 1816 p = pp;
69358f02 1817 }
8e669ac1
PH		 1818 else break;
1819 }
69358f02 1820 if (*p != 0)
059ec3d9 1821 {
69358f02 1822 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 1823 return ERROR;
1824 }
1825 break;
1826 }
1827 break;
1828
8523533c
TK		 1829#ifdef WITH_CONTENT_SCAN
1830 case ACLC_DECODE:
1831 rc = mime_decode(&arg);
1832 break;
1833#endif
1834
059ec3d9
PH		 1835 case ACLC_DELAY:
1836 {
1837 int delay = readconf_readtime(arg, 0, FALSE);
1838 if (delay < 0)
1839 {
1840 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1841 "modifier: \"%s\" is not a time value", arg);
1842 return ERROR;
1843 }
1844 else
1845 {
1846 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1847 delay);
1848 if (host_checking)
1849 {
1850 HDEBUG(D_acl)
1851 debug_printf("delay skipped in -bh checking mode\n");
1852 }
8e669ac1 1853 else
86b8287f
PH		 1854 {
1855 while (delay > 0) delay = sleep(delay);
8e669ac1 1856 }
059ec3d9
PH		 1857 }
1858 }
1859 break;
1860
8523533c
TK		 1861#ifdef WITH_OLD_DEMIME
1862 case ACLC_DEMIME:
1863 rc = demime(&arg);
1864 break;
1865#endif
1866
fb2274d4
TK		 1867#ifdef EXPERIMENTAL_DOMAINKEYS
1868 case ACLC_DK_DOMAIN_SOURCE:
1869 if (dk_verify_block == NULL) { rc = FAIL; break; };
1870 /* check header source of domain against given string */
1871 switch (dk_verify_block->address_source) {
1872 case DK_EXIM_ADDRESS_FROM_FROM:
1873 rc = match_isinlist(US"from", &arg, 0, NULL,
1874 NULL, MCL_STRING, TRUE, NULL);
1875 break;
1876 case DK_EXIM_ADDRESS_FROM_SENDER:
1877 rc = match_isinlist(US"sender", &arg, 0, NULL,
1878 NULL, MCL_STRING, TRUE, NULL);
1879 break;
1880 case DK_EXIM_ADDRESS_NONE:
1881 rc = match_isinlist(US"none", &arg, 0, NULL,
1882 NULL, MCL_STRING, TRUE, NULL);
1883 break;
1884 }
1885 break;
1886 case ACLC_DK_POLICY:
1887 if (dk_verify_block == NULL) { rc = FAIL; break; };
1888 /* check policy against given string, default FAIL */
1889 rc = FAIL;
1890 if (dk_verify_block->signsall)
1891 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1892 NULL, MCL_STRING, TRUE, NULL);
1893 if (dk_verify_block->testing)
1894 rc = match_isinlist(US"testing", &arg, 0, NULL,
1895 NULL, MCL_STRING, TRUE, NULL);
1896 break;
1897 case ACLC_DK_SENDER_DOMAINS:
1898 if (dk_verify_block == NULL) { rc = FAIL; break; };
1899 if (dk_verify_block->domain != NULL)
1900 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1901 NULL, MCL_DOMAIN, TRUE, NULL);
1902 else rc = FAIL;
1903 break;
1904 case ACLC_DK_SENDER_LOCAL_PARTS:
1905 if (dk_verify_block == NULL) { rc = FAIL; break; };
1906 if (dk_verify_block->local_part != NULL)
1907 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1908 NULL, MCL_LOCALPART, TRUE, NULL);
1909 else rc = FAIL;
1910 break;
1911 case ACLC_DK_SENDERS:
1912 if (dk_verify_block == NULL) { rc = FAIL; break; };
1913 if (dk_verify_block->address != NULL)
1914 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1915 else rc = FAIL;
1916 break;
1917 case ACLC_DK_STATUS:
1918 if (dk_verify_block == NULL) { rc = FAIL; break; };
1919 if (dk_verify_block->result > 0) {
1920 switch(dk_verify_block->result) {
1921 case DK_EXIM_RESULT_BAD_FORMAT:
1922 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1923 NULL, MCL_STRING, TRUE, NULL);
1924 break;
1925 case DK_EXIM_RESULT_NO_KEY:
1926 rc = match_isinlist(US"no key", &arg, 0, NULL,
1927 NULL, MCL_STRING, TRUE, NULL);
1928 break;
1929 case DK_EXIM_RESULT_NO_SIGNATURE:
1930 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1931 NULL, MCL_STRING, TRUE, NULL);
1932 break;
1933 case DK_EXIM_RESULT_REVOKED:
1934 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1935 NULL, MCL_STRING, TRUE, NULL);
1936 break;
1937 case DK_EXIM_RESULT_NON_PARTICIPANT:
1938 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1939 NULL, MCL_STRING, TRUE, NULL);
1940 break;
1941 case DK_EXIM_RESULT_GOOD:
1942 rc = match_isinlist(US"good", &arg, 0, NULL,
1943 NULL, MCL_STRING, TRUE, NULL);
1944 break;
1945 case DK_EXIM_RESULT_BAD:
1946 rc = match_isinlist(US"bad", &arg, 0, NULL,
1947 NULL, MCL_STRING, TRUE, NULL);
1948 break;
1949 }
1950 }
1951 break;
1952#endif
1953
059ec3d9
PH		 1954 case ACLC_DNSLISTS:
1955 rc = verify_check_dnsbl(&arg);
1956 break;
1957
1958 case ACLC_DOMAINS:
1959 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1960 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1961 break;
1962
1963 /* The value in tls_cipher is the full cipher name, for example,
1964 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1965 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1966 what may in practice come out of the SSL library - which at the time of
1967 writing is poorly documented. */
1968
1969 case ACLC_ENCRYPTED:
1970 if (tls_cipher == NULL) rc = FAIL; else
1971 {
1972 uschar *endcipher = NULL;
1973 uschar *cipher = Ustrchr(tls_cipher, ':');
1974 if (cipher == NULL) cipher = tls_cipher; else
1975 {
1976 endcipher = Ustrchr(++cipher, ':');
1977 if (endcipher != NULL) *endcipher = 0;
1978 }
1979 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1980 if (endcipher != NULL) *endcipher = ':';
1981 }
1982 break;
1983
1984 /* Use verify_check_this_host() instead of verify_check_host() so that
1985 we can pass over &host_data to catch any looked up data. Once it has been
1986 set, it retains its value so that it's still there if another ACL verb
1987 comes through here and uses the cache. However, we must put it into
1988 permanent store in case it is also expected to be used in a subsequent
1989 message in the same SMTP connection. */
1990
1991 case ACLC_HOSTS:
1992 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1993 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1994 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1995 break;
1996
1997 case ACLC_LOCAL_PARTS:
1998 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1999 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2000 &deliver_localpart_data);
2001 break;
2002
2003 case ACLC_LOGWRITE:
2004 {
2005 int logbits = 0;
2006 uschar *s = arg;
2007 if (*s == ':')
2008 {
2009 s++;
2010 while (*s != ':')
2011 {
2012 if (Ustrncmp(s, "main", 4) == 0)
2013 { logbits |= LOG_MAIN; s += 4; }
2014 else if (Ustrncmp(s, "panic", 5) == 0)
2015 { logbits |= LOG_PANIC; s += 5; }
2016 else if (Ustrncmp(s, "reject", 6) == 0)
2017 { logbits |= LOG_REJECT; s += 6; }
2018 else
2019 {
2020 logbits = LOG_MAIN|LOG_PANIC;
2021 s = string_sprintf(":unknown log name in \"%s\" in "
2022 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2023 }
2024 if (*s == ',') s++;
2025 }
2026 s++;
2027 }
2028 while (isspace(*s)) s++;
2029 if (logbits == 0) logbits = LOG_MAIN;
2030 log_write(0, logbits, "%s", string_printing(s));
2031 }
2032 break;
8e669ac1 2033
8523533c
TK		 2034#ifdef WITH_CONTENT_SCAN
2035 case ACLC_MALWARE:
2036 {
2037 /* Seperate the regular expression and any optional parameters. */
2038 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2039 /* Run the malware backend. */
2040 rc = malware(&ss);
2041 /* Modify return code based upon the existance of options. */
2042 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2043 != NULL) {
2044 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2045 {
2046 /* FAIL so that the message is passed to the next ACL */
2047 rc = FAIL;
2048 }
2049 }
2050 }
2051 break;
2052
2053 case ACLC_MIME_REGEX:
2054 rc = mime_regex(&arg);
2055 break;
2056#endif
059ec3d9
PH		 2057
2058 case ACLC_RECIPIENTS:
2059 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2060 &recipient_data);
2061 break;
2062
8523533c
TK		 2063#ifdef WITH_CONTENT_SCAN
2064 case ACLC_REGEX:
2065 rc = regex(&arg);
2066 break;
2067#endif
2068
059ec3d9
PH		 2069 case ACLC_SENDER_DOMAINS:
2070 {
2071 uschar *sdomain;
2072 sdomain = Ustrrchr(sender_address, '@');
2073 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2074 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2075 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2076 }
2077 break;
2078
2079 case ACLC_SENDERS:
2080 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2081 sender_address_cache, -1, 0, &sender_data);
2082 break;
2083
2084 /* Connection variables must persist forever */
2085
2086 case ACLC_SET:
2087 {
2088 int old_pool = store_pool;
2089 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2090 acl_var[cb->u.varnumber] = string_copy(arg);
2091 store_pool = old_pool;
2092 }
2093 break;
2094
8523533c
TK		 2095#ifdef WITH_CONTENT_SCAN
2096 case ACLC_SPAM:
2097 {
2098 /* Seperate the regular expression and any optional parameters. */
2099 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2100 /* Run the spam backend. */
2101 rc = spam(&ss);
2102 /* Modify return code based upon the existance of options. */
2103 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2104 != NULL) {
2105 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2106 {
2107 /* FAIL so that the message is passed to the next ACL */
2108 rc = FAIL;
2109 }
2110 }
2111 }
2112 break;
2113#endif
2114
2115#ifdef EXPERIMENTAL_SPF
2116 case ACLC_SPF:
2117 rc = spf_process(&arg, sender_address);
2118 break;
2119#endif
2120
059ec3d9
PH		 2121 /* If the verb is WARN, discard any user message from verification, because
2122 such messages are SMTP responses, not header additions. The latter come
2123 only from explicit "message" modifiers. */
2124
2125 case ACLC_VERIFY:
2126 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2127 if (verb == ACL_WARN) *user_msgptr = NULL;
2128 break;
2129
2130 default:
2131 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2132 "condition %d", cb->type);
2133 break;
2134 }
2135
2136 /* If a condition was negated, invert OK/FAIL. */
2137
2138 if (!cond_modifiers[cb->type] && cb->u.negated)
2139 {
2140 if (rc == OK) rc = FAIL;
2141 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2142 }
2143
2144 if (rc != OK) break; /* Conditions loop */
2145 }
2146
2147
2148/* If the result is the one for which "message" and/or "log_message" are used,
2149handle the values of these options. Most verbs have but a single return for
2150which the messages are relevant, but for "discard", it's useful to have the log
2151message both when it succeeds and when it fails. Also, for an "accept" that
2152appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2153and "warn" are permitted in that ACL, we don't need to test the verb.
2154
2155These modifiers act in different ways:
2156
2157"message" is a user message that will be included in an SMTP response. Unless
2158it is empty, it overrides any previously set user message.
2159
2160"log_message" is a non-user message, and it adds to any existing non-user
2161message that is already set.
2162
2163If there isn't a log message set, we make it the same as the user message. */
2164
2165if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2166 (verb == ACL_DISCARD && rc == OK) ||
2167 (where == ACL_WHERE_QUIT))
2168 {
2169 uschar *expmessage;
2170
2171 /* If the verb is "warn", messages generated by conditions (verification or
2172 nested ACLs) are discarded. Only messages specified at this level are used.
2173 However, the value of an existing message is available in $acl_verify_message
2174 during expansions. */
2175
2176 uschar *old_user_msgptr = *user_msgptr;
2177 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2178
2179 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2180
2181 if (user_message != NULL)
2182 {
2183 acl_verify_message = old_user_msgptr;
2184 expmessage = expand_string(user_message);
2185 if (expmessage == NULL)
2186 {
2187 if (!expand_string_forcedfail)
2188 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2189 user_message, expand_string_message);
2190 }
2191 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2192 }
2193
2194 if (log_message != NULL)
2195 {
2196 acl_verify_message = old_log_msgptr;
2197 expmessage = expand_string(log_message);
2198 if (expmessage == NULL)
2199 {
2200 if (!expand_string_forcedfail)
2201 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2202 log_message, expand_string_message);
2203 }
2204 else if (expmessage[0] != 0)
2205 {
2206 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2207 string_sprintf("%s: %s", expmessage, *log_msgptr);
2208 }
2209 }
2210
2211 /* If no log message, default it to the user message */
2212
2213 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2214 }
2215
2216acl_verify_message = NULL;
2217return rc;
2218}
2219
2220
2221
2222
2223
2224/*************************************************
2225* Get line from a literal ACL *
2226*************************************************/
2227
2228/* This function is passed to acl_read() in order to extract individual lines
2229of a literal ACL, which we access via static pointers. We can destroy the
2230contents because this is called only once (the compiled ACL is remembered).
2231
2232This code is intended to treat the data in the same way as lines in the main
2233Exim configuration file. That is:
2234
2235 . Leading spaces are ignored.
2236
2237 . A \ at the end of a line is a continuation - trailing spaces after the \
2238 are permitted (this is because I don't believe in making invisible things
2239 significant). Leading spaces on the continued part of a line are ignored.
2240
2241 . Physical lines starting (significantly) with # are totally ignored, and
2242 may appear within a sequence of backslash-continued lines.
2243
2244 . Blank lines are ignored, but will end a sequence of continuations.
2245
2246Arguments: none
2247Returns: a pointer to the next line
2248*/
2249
2250
2251static uschar *acl_text; /* Current pointer in the text */
2252static uschar *acl_text_end; /* Points one past the terminating '0' */
2253
2254
2255static uschar *
2256acl_getline(void)
2257{
2258uschar *yield;
2259
2260/* This loop handles leading blank lines and comments. */
2261
2262for(;;)
2263 {
2264 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2265 if (*acl_text == 0) return NULL; /* No more data */
2266 yield = acl_text; /* Potential data line */
2267
2268 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2269
2270 /* If we hit the end before a newline, we have the whole logical line. If
2271 it's a comment, there's no more data to be given. Otherwise, yield it. */
2272
2273 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2274
2275 /* After reaching a newline, end this loop if the physical line does not
2276 start with '#'. If it does, it's a comment, and the loop continues. */
2277
2278 if (*yield != '#') break;
2279 }
2280
2281/* This loop handles continuations. We know we have some real data, ending in
2282newline. See if there is a continuation marker at the end (ignoring trailing
2283white space). We know that *yield is not white space, so no need to test for
2284cont > yield in the backwards scanning loop. */
2285
2286for(;;)
2287 {
2288 uschar *cont;
2289 for (cont = acl_text - 1; isspace(*cont); cont--);
2290
2291 /* If no continuation follows, we are done. Mark the end of the line and
2292 return it. */
2293
2294 if (*cont != '\\')
2295 {
2296 *acl_text++ = 0;
2297 return yield;
2298 }
2299
2300 /* We have encountered a continuation. Skip over whitespace at the start of
2301 the next line, and indeed the whole of the next line or lines if they are
2302 comment lines. */
2303
2304 for (;;)
2305 {
2306 while (*(++acl_text) == ' ' || *acl_text == '\t');
2307 if (*acl_text != '#') break;
2308 while (*(++acl_text) != 0 && *acl_text != '\n');
2309 }
2310
2311 /* We have the start of a continuation line. Move all the rest of the data
2312 to join onto the previous line, and then find its end. If the end is not a
2313 newline, we are done. Otherwise loop to look for another continuation. */
2314
2315 memmove(cont, acl_text, acl_text_end - acl_text);
2316 acl_text_end -= acl_text - cont;
2317 acl_text = cont;
2318 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2319 if (*acl_text == 0) return yield;
2320 }
2321
2322/* Control does not reach here */
2323}
2324
2325
2326
2327
2328
2329/*************************************************
2330* Check access using an ACL *
2331*************************************************/
2332
2333/* This function is called from address_check. It may recurse via
2334acl_check_condition() - hence the use of a level to stop looping. The ACL is
2335passed as a string which is expanded. A forced failure implies no access check
2336is required. If the result is a single word, it is taken as the name of an ACL
2337which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2338text, complete with newlines, and parsed as such. In both cases, the ACL check
2339is then run. This function uses an auxiliary function for acl_read() to call
2340for reading individual lines of a literal ACL. This is acl_getline(), which
2341appears immediately above.
2342
2343Arguments:
2344 where where called from
2345 addr address item when called from RCPT; otherwise NULL
2346 s the input string; NULL is the same as an empty ACL => DENY
2347 level the nesting level
2348 user_msgptr where to put a user error (for SMTP response)
2349 log_msgptr where to put a logging message (not for SMTP response)
2350
2351Returns: OK access is granted
2352 DISCARD access is apparently granted...
2353 FAIL access is denied
2354 FAIL_DROP access is denied; drop the connection
2355 DEFER can't tell at the moment
2356 ERROR disaster
2357*/
2358
2359static int
2360acl_check_internal(int where, address_item *addr, uschar *s, int level,
2361 uschar **user_msgptr, uschar **log_msgptr)
2362{
2363int fd = -1;
2364acl_block *acl = NULL;
2365uschar *acl_name = US"inline ACL";
2366uschar *ss;
2367
2368/* Catch configuration loops */
2369
2370if (level > 20)
2371 {
2372 *log_msgptr = US"ACL nested too deep: possible loop";
2373 return ERROR;
2374 }
2375
2376if (s == NULL)
2377 {
2378 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2379 return FAIL;
2380 }
2381
2382/* At top level, we expand the incoming string. At lower levels, it has already
2383been expanded as part of condition processing. */
2384
2385if (level == 0)
2386 {
2387 ss = expand_string(s);
2388 if (ss == NULL)
2389 {
2390 if (expand_string_forcedfail) return OK;
2391 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2392 expand_string_message);
2393 return ERROR;
2394 }
2395 }
2396else ss = s;
2397
2398while (isspace(*ss))ss++;
2399
2400/* If we can't find a named ACL, the default is to parse it as an inline one.
2401(Unless it begins with a slash; non-existent files give rise to an error.) */
2402
2403acl_text = ss;
2404
2405/* Handle the case of a string that does not contain any spaces. Look for a
2406named ACL among those read from the configuration, or a previously read file.
2407It is possible that the pointer to the ACL is NULL if the configuration
2408contains a name with no data. If not found, and the text begins with '/',
2409read an ACL from a file, and save it so it can be re-used. */
2410
2411if (Ustrchr(ss, ' ') == NULL)
2412 {
2413 tree_node *t = tree_search(acl_anchor, ss);
2414 if (t != NULL)
2415 {
2416 acl = (acl_block *)(t->data.ptr);
2417 if (acl == NULL)
2418 {
2419 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2420 return FAIL;
2421 }
2422 acl_name = string_sprintf("ACL \"%s\"", ss);
2423 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2424 }
2425
2426 else if (*ss == '/')
2427 {
2428 struct stat statbuf;
2429 fd = Uopen(ss, O_RDONLY, 0);
2430 if (fd < 0)
2431 {
2432 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2433 strerror(errno));
2434 return ERROR;
2435 }
2436
2437 if (fstat(fd, &statbuf) != 0)
2438 {
2439 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2440 strerror(errno));
2441 return ERROR;
2442 }
2443
2444 acl_text = store_get(statbuf.st_size + 1);
2445 acl_text_end = acl_text + statbuf.st_size + 1;
2446
2447 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2448 {
2449 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2450 ss, strerror(errno));
2451 return ERROR;
2452 }
2453 acl_text[statbuf.st_size] = 0;
2454 close(fd);
2455
2456 acl_name = string_sprintf("ACL \"%s\"", ss);
2457 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2458 }
2459 }
2460
2461/* Parse an ACL that is still in text form. If it came from a file, remember it
2462in the ACL tree, having read it into the POOL_PERM store pool so that it
2463persists between multiple messages. */
2464
2465if (acl == NULL)
2466 {
2467 int old_pool = store_pool;
2468 if (fd >= 0) store_pool = POOL_PERM;
2469 acl = acl_read(acl_getline, log_msgptr);
2470 store_pool = old_pool;
2471 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2472 if (fd >= 0)
2473 {
2474 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2475 Ustrcpy(t->name, ss);
2476 t->data.ptr = acl;
2477 (void)tree_insertnode(&acl_anchor, t);
2478 }
2479 }
2480
2481/* Now we have an ACL to use. It's possible it may be NULL. */
2482
2483while (acl != NULL)
2484 {
2485 int cond;
2486 int basic_errno = 0;
2487 BOOL endpass_seen = FALSE;
2488
2489 *log_msgptr = *user_msgptr = NULL;
2490 acl_temp_details = FALSE;
2491
2492 if (where == ACL_WHERE_QUIT &&
2493 acl->verb != ACL_ACCEPT &&
2494 acl->verb != ACL_WARN)
2495 {
2496 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2497 verbs[acl->verb]);
2498 return ERROR;
2499 }
2500
2501 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2502
2503 /* Clear out any search error message from a previous check before testing
2504 this condition. */
2505
2506 search_error_message = NULL;
2507 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2508 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2509
2510 /* Handle special returns: DEFER causes a return except on a WARN verb;
2511 ERROR always causes a return. */
2512
2513 switch (cond)
2514 {
2515 case DEFER:
2516 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2517 if (basic_errno != ERRNO_CALLOUTDEFER)
2518 {
2519 if (search_error_message != NULL && *search_error_message != 0)
2520 *log_msgptr = search_error_message;
2521 if (smtp_return_error_details) acl_temp_details = TRUE;
2522 }
2523 else
2524 {
2525 acl_temp_details = TRUE;
2526 }
2527 if (acl->verb != ACL_WARN) return DEFER;
2528 break;
2529
2530 default: /* Paranoia */
2531 case ERROR:
2532 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2533 return ERROR;
2534
2535 case OK:
2536 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2537 verbs[acl->verb]);
2538 break;
2539
2540 case FAIL:
2541 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2542 break;
2543
2544 /* DISCARD and DROP can happen only from a nested ACL condition, and
2545 DISCARD can happen only for an "accept" or "discard" verb. */
2546
2547 case DISCARD:
2548 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2549 verbs[acl->verb]);
2550 break;
2551
2552 case FAIL_DROP:
2553 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2554 verbs[acl->verb]);
2555 break;
2556 }
2557
2558 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2559 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2560 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2561
2562 switch(acl->verb)
2563 {
2564 case ACL_ACCEPT:
2565 if (cond == OK || cond == DISCARD) return cond;
2566 if (endpass_seen)
2567 {
2568 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2569 return cond;
2570 }
2571 break;
2572
2573 case ACL_DEFER:
2574 if (cond == OK)
2575 {
2576 acl_temp_details = TRUE;
2577 return DEFER;
2578 }
2579 break;
2580
2581 case ACL_DENY:
2582 if (cond == OK) return FAIL;
2583 break;
2584
2585 case ACL_DISCARD:
2586 if (cond == OK || cond == DISCARD) return DISCARD;
2587 if (endpass_seen)
2588 {
2589 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2590 return cond;
2591 }
2592 break;
2593
2594 case ACL_DROP:
2595 if (cond == OK) return FAIL_DROP;
2596 break;
2597
2598 case ACL_REQUIRE:
2599 if (cond != OK) return cond;
2600 break;
2601
2602 case ACL_WARN:
2603 if (cond == OK)
2604 acl_warn(where, *user_msgptr, *log_msgptr);
2605 else if (cond == DEFER)
2606 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2607 "condition test deferred: %s",
2608 (*log_msgptr == NULL)? US"" : *log_msgptr));
2609 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2610 break;
2611
2612 default:
2613 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2614 acl->verb);
2615 break;
2616 }
2617
2618 /* Pass to the next ACL item */
2619
2620 acl = acl->next;
2621 }
2622
2623/* We have reached the end of the ACL. This is an implicit DENY. */
2624
2625HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2626return FAIL;
2627}
2628
2629
2630/*************************************************
2631* Check access using an ACL *
2632*************************************************/
2633
2634/* This is the external interface for ACL checks. It sets up an address and the
2635expansions for $domain and $local_part when called after RCPT, then calls
2636acl_check_internal() to do the actual work.
2637
2638Arguments:
2639 where ACL_WHERE_xxxx indicating where called from
2640 data_string RCPT address, or SMTP command argument, or NULL
2641 s the input string; NULL is the same as an empty ACL => DENY
2642 user_msgptr where to put a user error (for SMTP response)
2643 log_msgptr where to put a logging message (not for SMTP response)
2644
2645Returns: OK access is granted by an ACCEPT verb
2646 DISCARD access is granted by a DISCARD verb
2647 FAIL access is denied
2648 FAIL_DROP access is denied; drop the connection
2649 DEFER can't tell at the moment
2650 ERROR disaster
2651*/
2652
2653int
2654acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2655 uschar **log_msgptr)
2656{
2657int rc;
2658address_item adb;
2659address_item *addr;
2660
2661*user_msgptr = *log_msgptr = NULL;
2662sender_verified_failed = NULL;
2663
2664if (where == ACL_WHERE_RCPT)
2665 {
2666 adb = address_defaults;
2667 addr = &adb;
2668 addr->address = data_string;
2669 if (deliver_split_address(addr) == DEFER)
2670 {
2671 *log_msgptr = US"defer in percent_hack_domains check";
2672 return DEFER;
2673 }
2674 deliver_domain = addr->domain;
2675 deliver_localpart = addr->local_part;
2676 }
2677else
2678 {
2679 addr = NULL;
2680 smtp_command_argument = data_string;
2681 }
2682
2683rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2684
2685smtp_command_argument = deliver_domain =
2a3eea10 2686 deliver_localpart = deliver_address_data = sender_address_data = NULL;
059ec3d9
PH		 2687
2688/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2689ACL, which is really in the middle of an SMTP command. */
2690
2691if (rc == DISCARD)
2692 {
2693 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2694 {
2695 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2696 "ACL", acl_wherenames[where]);
2697 return ERROR;
2698 }
2699 return DISCARD;
2700 }
2701
2702/* A DROP response is not permitted from MAILAUTH */
2703
2704if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2705 {
2706 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2707 "ACL", acl_wherenames[where]);
2708 return ERROR;
2709 }
2710
2711/* Before giving an error response, take a look at the length of any user
2712message, and split it up into multiple lines if possible. */
2713
2714if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2715 {
2716 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2717 uschar *ss = s;
2718
2719 for (;;)
2720 {
2721 int i = 0;
2722 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2723 if (*ss == 0) break;
2724 if (*ss == '\n')
2725 s = ++ss;
2726 else
2727 {
2728 uschar *t = ss + 1;
2729 uschar *tt = NULL;
2730 while (--t > s + 35)
2731 {
2732 if (*t == ' ')
2733 {
2734 if (t[-1] == ':') { tt = t; break; }
2735 if (tt == NULL) tt = t;
2736 }
2737 }
2738
2739 if (tt == NULL) /* Can't split behind - try ahead */
2740 {
2741 t = ss + 1;
2742 while (*t != 0)
2743 {
2744 if (*t == ' ' || *t == '\n')
2745 { tt = t; break; }
2746 t++;
2747 }
2748 }
2749
2750 if (tt == NULL) break; /* Can't find anywhere to split */
2751 *tt = '\n';
2752 s = ss = tt+1;
2753 }
2754 }
2755 }
2756
2757return rc;
2758}
2759
2760/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.