A test for the encoded-character extention.
[exim.git] / src / src / acl.c
CommitLineData
6a8f9482 1/* $Cambridge: exim/src/src/acl.c,v 1.81 2008/01/17 13:03:35 tom Exp $ */
059ec3d9
PH
2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
184e8823 7/* Copyright (c) University of Cambridge 1995 - 2007 */
059ec3d9
PH
8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
4e88a19f
PH
30/* For each verb, the conditions for which "message" or "log_message" are used
31are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
32"accept", the FAIL case is used only after "endpass", but that is selected in
33the code. */
34
35static int msgcond[] = {
36 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
37 (1<<OK), /* defer */
38 (1<<OK), /* deny */
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
40 (1<<OK), /* drop */
41 (1<<FAIL) | (1<<FAIL_DROP), /* require */
42 (1<<OK) /* warn */
43 };
059ec3d9
PH
44
45/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH
46follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
47down. */
059ec3d9 48
71fafd95
PH
49enum { ACLC_ACL,
50 ACLC_ADD_HEADER,
51 ACLC_AUTHENTICATED,
8523533c
TK
52#ifdef EXPERIMENTAL_BRIGHTMAIL
53 ACLC_BMI_OPTIN,
54#endif
71fafd95 55 ACLC_CONDITION,
c3611384 56 ACLC_CONTINUE,
71fafd95 57 ACLC_CONTROL,
6a8f9482
TK
58#ifdef EXPERIMENTAL_DCC
59 ACLC_DCC,
60#endif
8523533c
TK
61#ifdef WITH_CONTENT_SCAN
62 ACLC_DECODE,
63#endif
64 ACLC_DELAY,
65#ifdef WITH_OLD_DEMIME
66 ACLC_DEMIME,
8e669ac1 67#endif
fb2274d4
TK
68#ifdef EXPERIMENTAL_DOMAINKEYS
69 ACLC_DK_DOMAIN_SOURCE,
70 ACLC_DK_POLICY,
71 ACLC_DK_SENDER_DOMAINS,
72 ACLC_DK_SENDER_LOCAL_PARTS,
73 ACLC_DK_SENDERS,
74 ACLC_DK_STATUS,
75#endif
71fafd95
PH
76 ACLC_DNSLISTS,
77 ACLC_DOMAINS,
78 ACLC_ENCRYPTED,
79 ACLC_ENDPASS,
80 ACLC_HOSTS,
81 ACLC_LOCAL_PARTS,
82 ACLC_LOG_MESSAGE,
6ea85e9a 83 ACLC_LOG_REJECT_TARGET,
71fafd95 84 ACLC_LOGWRITE,
8523533c
TK
85#ifdef WITH_CONTENT_SCAN
86 ACLC_MALWARE,
87#endif
88 ACLC_MESSAGE,
89#ifdef WITH_CONTENT_SCAN
90 ACLC_MIME_REGEX,
91#endif
870f6ba8 92 ACLC_RATELIMIT,
8523533c
TK
93 ACLC_RECIPIENTS,
94#ifdef WITH_CONTENT_SCAN
95 ACLC_REGEX,
96#endif
71fafd95
PH
97 ACLC_SENDER_DOMAINS,
98 ACLC_SENDERS,
99 ACLC_SET,
8523533c 100#ifdef WITH_CONTENT_SCAN
8e669ac1 101 ACLC_SPAM,
8523533c
TK
102#endif
103#ifdef EXPERIMENTAL_SPF
104 ACLC_SPF,
105#endif
106 ACLC_VERIFY };
059ec3d9 107
c3611384
PH
108/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
109"message", "log_message", "log_reject_target", "logwrite", and "set" are
110modifiers that look like conditions but always return TRUE. They are used for
111their side effects. */
059ec3d9 112
9a26b6b2
PH
113static uschar *conditions[] = {
114 US"acl",
71fafd95 115 US"add_header",
9a26b6b2 116 US"authenticated",
8523533c
TK
117#ifdef EXPERIMENTAL_BRIGHTMAIL
118 US"bmi_optin",
119#endif
120 US"condition",
c3611384 121 US"continue",
8e669ac1 122 US"control",
6a8f9482
TK
123#ifdef EXPERIMENTAL_DCC
124 US"dcc",
125#endif
8523533c
TK
126#ifdef WITH_CONTENT_SCAN
127 US"decode",
128#endif
129 US"delay",
130#ifdef WITH_OLD_DEMIME
131 US"demime",
132#endif
fb2274d4 133#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH
134 US"dk_domain_source",
135 US"dk_policy",
136 US"dk_sender_domains",
137 US"dk_sender_local_parts",
138 US"dk_senders",
139 US"dk_status",
fb2274d4 140#endif
6ea85e9a
PH
141 US"dnslists",
142 US"domains",
143 US"encrypted",
144 US"endpass",
145 US"hosts",
146 US"local_parts",
147 US"log_message",
148 US"log_reject_target",
149 US"logwrite",
8523533c
TK
150#ifdef WITH_CONTENT_SCAN
151 US"malware",
152#endif
153 US"message",
154#ifdef WITH_CONTENT_SCAN
155 US"mime_regex",
156#endif
870f6ba8 157 US"ratelimit",
8523533c
TK
158 US"recipients",
159#ifdef WITH_CONTENT_SCAN
160 US"regex",
161#endif
162 US"sender_domains", US"senders", US"set",
163#ifdef WITH_CONTENT_SCAN
164 US"spam",
165#endif
166#ifdef EXPERIMENTAL_SPF
167 US"spf",
168#endif
059ec3d9 169 US"verify" };
8e669ac1 170
c5fcb476 171
9a26b6b2
PH
172/* Return values from decode_control(); keep in step with the table of names
173that follows! */
174
175enum {
c46782ef
PH
176 CONTROL_AUTH_UNADVERTISED,
177 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 178 CONTROL_BMI_RUN,
c46782ef
PH
179 #endif
180 #ifdef EXPERIMENTAL_DOMAINKEYS
9a26b6b2 181 CONTROL_DK_VERIFY,
c46782ef 182 #endif
f7572e5a
TK
183 #ifdef EXPERIMENTAL_DKIM
184 CONTROL_DKIM_VERIFY,
185 #endif
c46782ef
PH
186 CONTROL_ERROR,
187 CONTROL_CASEFUL_LOCAL_PART,
188 CONTROL_CASELOWER_LOCAL_PART,
189 CONTROL_ENFORCE_SYNC,
190 CONTROL_NO_ENFORCE_SYNC,
191 CONTROL_FREEZE,
192 CONTROL_QUEUE_ONLY,
193 CONTROL_SUBMISSION,
194 CONTROL_SUPPRESS_LOCAL_FIXUPS,
195 #ifdef WITH_CONTENT_SCAN
9a26b6b2 196 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH
197 #endif
198 CONTROL_FAKEDEFER,
199 CONTROL_FAKEREJECT,
cf8b11a5 200 CONTROL_NO_MULTILINE,
047bdd8c 201 CONTROL_NO_PIPELINING,
4c590bd1
PH
202 CONTROL_NO_DELAY_FLUSH,
203 CONTROL_NO_CALLOUT_FLUSH
c46782ef 204};
9a26b6b2 205
8800895a
PH
206/* ACL control names; keep in step with the table above! This list is used for
207turning ids into names. The actual list of recognized names is in the variable
208control_def controls_list[] below. The fact that there are two lists is a mess
209and should be tidied up. */
9a26b6b2
PH
210
211static uschar *controls[] = {
c46782ef 212 US"allow_auth_unadvertised",
9a26b6b2
PH
213 #ifdef EXPERIMENTAL_BRIGHTMAIL
214 US"bmi_run",
215 #endif
216 #ifdef EXPERIMENTAL_DOMAINKEYS
217 US"dk_verify",
218 #endif
f7572e5a
TK
219 #ifdef EXPERIMENTAL_DKIM
220 US"dkim_verify",
221 #endif
c46782ef
PH
222 US"error",
223 US"caseful_local_part",
224 US"caselower_local_part",
225 US"enforce_sync",
226 US"no_enforce_sync",
227 US"freeze",
228 US"queue_only",
229 US"submission",
230 US"suppress_local_fixups",
9a26b6b2
PH
231 #ifdef WITH_CONTENT_SCAN
232 US"no_mbox_unspool",
233 #endif
cf8b11a5
PH
234 US"fakedefer",
235 US"fakereject",
aa6dc513 236 US"no_multiline_responses",
cf8b11a5 237 US"no_pipelining",
4c590bd1
PH
238 US"no_delay_flush",
239 US"no_callout_flush"
c46782ef 240};
059ec3d9 241
047bdd8c 242/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH
243at the outer level. In the other cases, expansion already occurs in the
244checking functions. */
245
246static uschar cond_expand_at_top[] = {
247 TRUE, /* acl */
3e536984 248 TRUE, /* add_header */
059ec3d9 249 FALSE, /* authenticated */
8523533c
TK
250#ifdef EXPERIMENTAL_BRIGHTMAIL
251 TRUE, /* bmi_optin */
8e669ac1 252#endif
059ec3d9 253 TRUE, /* condition */
c3611384 254 TRUE, /* continue */
059ec3d9 255 TRUE, /* control */
6a8f9482
TK
256#ifdef EXPERIMENTAL_DCC
257 TRUE, /* dcc */
258#endif
8523533c
TK
259#ifdef WITH_CONTENT_SCAN
260 TRUE, /* decode */
261#endif
059ec3d9 262 TRUE, /* delay */
8523533c
TK
263#ifdef WITH_OLD_DEMIME
264 TRUE, /* demime */
265#endif
fb2274d4 266#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH
267 TRUE, /* dk_domain_source */
268 TRUE, /* dk_policy */
269 TRUE, /* dk_sender_domains */
e715ad22 270 TRUE, /* dk_sender_local_parts */
7f45268c
PH
271 TRUE, /* dk_senders */
272 TRUE, /* dk_status */
fb2274d4 273#endif
059ec3d9
PH
274 TRUE, /* dnslists */
275 FALSE, /* domains */
276 FALSE, /* encrypted */
277 TRUE, /* endpass */
278 FALSE, /* hosts */
279 FALSE, /* local_parts */
280 TRUE, /* log_message */
6ea85e9a 281 TRUE, /* log_reject_target */
059ec3d9 282 TRUE, /* logwrite */
8523533c
TK
283#ifdef WITH_CONTENT_SCAN
284 TRUE, /* malware */
285#endif
059ec3d9 286 TRUE, /* message */
8523533c
TK
287#ifdef WITH_CONTENT_SCAN
288 TRUE, /* mime_regex */
289#endif
870f6ba8 290 TRUE, /* ratelimit */
059ec3d9 291 FALSE, /* recipients */
8523533c
TK
292#ifdef WITH_CONTENT_SCAN
293 TRUE, /* regex */
294#endif
059ec3d9
PH
295 FALSE, /* sender_domains */
296 FALSE, /* senders */
297 TRUE, /* set */
8523533c
TK
298#ifdef WITH_CONTENT_SCAN
299 TRUE, /* spam */
300#endif
301#ifdef EXPERIMENTAL_SPF
302 TRUE, /* spf */
303#endif
059ec3d9
PH
304 TRUE /* verify */
305};
306
307/* Flags to identify the modifiers */
308
309static uschar cond_modifiers[] = {
310 FALSE, /* acl */
3e536984 311 TRUE, /* add_header */
059ec3d9 312 FALSE, /* authenticated */
8523533c
TK
313#ifdef EXPERIMENTAL_BRIGHTMAIL
314 TRUE, /* bmi_optin */
8e669ac1 315#endif
059ec3d9 316 FALSE, /* condition */
c3611384 317 TRUE, /* continue */
059ec3d9 318 TRUE, /* control */
6a8f9482
TK
319#ifdef EXPERIMENTAL_DCC
320 FALSE, /* dcc */
321#endif
8523533c
TK
322#ifdef WITH_CONTENT_SCAN
323 FALSE, /* decode */
324#endif
059ec3d9 325 TRUE, /* delay */
8523533c
TK
326#ifdef WITH_OLD_DEMIME
327 FALSE, /* demime */
328#endif
fb2274d4 329#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH
330 FALSE, /* dk_domain_source */
331 FALSE, /* dk_policy */
332 FALSE, /* dk_sender_domains */
e715ad22 333 FALSE, /* dk_sender_local_parts */
7f45268c
PH
334 FALSE, /* dk_senders */
335 FALSE, /* dk_status */
fb2274d4 336#endif
059ec3d9
PH
337 FALSE, /* dnslists */
338 FALSE, /* domains */
339 FALSE, /* encrypted */
340 TRUE, /* endpass */
341 FALSE, /* hosts */
342 FALSE, /* local_parts */
343 TRUE, /* log_message */
6ea85e9a 344 TRUE, /* log_reject_target */
8523533c
TK
345 TRUE, /* logwrite */
346#ifdef WITH_CONTENT_SCAN
347 FALSE, /* malware */
348#endif
059ec3d9 349 TRUE, /* message */
8523533c
TK
350#ifdef WITH_CONTENT_SCAN
351 FALSE, /* mime_regex */
352#endif
870f6ba8 353 FALSE, /* ratelimit */
059ec3d9 354 FALSE, /* recipients */
8523533c
TK
355#ifdef WITH_CONTENT_SCAN
356 FALSE, /* regex */
357#endif
059ec3d9
PH
358 FALSE, /* sender_domains */
359 FALSE, /* senders */
360 TRUE, /* set */
8523533c
TK
361#ifdef WITH_CONTENT_SCAN
362 FALSE, /* spam */
363#endif
364#ifdef EXPERIMENTAL_SPF
365 FALSE, /* spf */
366#endif
059ec3d9
PH
367 FALSE /* verify */
368};
369
c3611384 370/* Bit map vector of which conditions and modifiers are not allowed at certain
8f128379
PH
371times. For each condition and modifier, there's a bitmap of dis-allowed times.
372For some, it is easier to specify the negation of a small number of allowed
373times. */
059ec3d9
PH
374
375static unsigned int cond_forbids[] = {
376 0, /* acl */
8e669ac1 377
71fafd95 378 (unsigned int)
45b91596 379 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 380 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596
PH
381 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
382 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 383
45b91596
PH
384 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
385 (1<<ACL_WHERE_NOTSMTP_START)|
386 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 387
71fafd95 388 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 389 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK
390 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
391 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 392 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK
393 (1<<ACL_WHERE_MAILAUTH)|
394 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH
395 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
396 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 397 #endif
8e669ac1 398
059ec3d9 399 0, /* condition */
8e669ac1 400
c3611384
PH
401 0, /* continue */
402
059ec3d9 403 /* Certain types of control are always allowed, so we let it through
2f079f46 404 always and check in the control processing itself. */
8e669ac1 405
059ec3d9 406 0, /* control */
8e669ac1 407
6a8f9482
TK
408 #ifdef EXPERIMENTAL_DCC
409 (unsigned int)
410 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* dcc */
411 #endif
412
71fafd95 413 #ifdef WITH_CONTENT_SCAN
2f079f46
PH
414 (unsigned int)
415 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 416 #endif
8523533c 417
8f128379 418 (1<<ACL_WHERE_NOTQUIT), /* delay */
8e669ac1 419
71fafd95 420 #ifdef WITH_OLD_DEMIME
2f079f46
PH
421 (unsigned int)
422 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 423 #endif
8e669ac1 424
71fafd95 425 #ifdef EXPERIMENTAL_DOMAINKEYS
2f079f46 426 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK
427 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
428 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
429 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
430 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
431 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 432 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 433
2f079f46 434 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK
435 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
436 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
437 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
438 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
439 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 440 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 441
2f079f46 442 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK
443 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
444 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
445 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
446 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
447 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 448 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 449
2f079f46 450 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK
451 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
452 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
453 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
454 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
455 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 456 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 457
2f079f46 458 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK
459 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
460 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
461 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
462 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
463 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 464 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 465
2f079f46 466 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK
467 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
468 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
469 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
470 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
471 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 472 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
71fafd95 473 #endif
fb2274d4 474
45b91596
PH
475 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
476 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 477
2f079f46
PH
478 (unsigned int)
479 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 480
45b91596
PH
481 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
482 (1<<ACL_WHERE_CONNECT)|
483 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 484 (1<<ACL_WHERE_HELO),
8e669ac1 485
059ec3d9 486 0, /* endpass */
8e669ac1 487
45b91596
PH
488 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
489 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 490
2f079f46
PH
491 (unsigned int)
492 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH
493
494 0, /* log_message */
8e669ac1 495
6ea85e9a
PH
496 0, /* log_reject_target */
497
059ec3d9 498 0, /* logwrite */
8e669ac1 499
71fafd95 500 #ifdef WITH_CONTENT_SCAN
2f079f46
PH
501 (unsigned int)
502 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 503 #endif
8523533c 504
059ec3d9
PH
505 0, /* message */
506
71fafd95 507 #ifdef WITH_CONTENT_SCAN
2f079f46
PH
508 (unsigned int)
509 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 510 #endif
8523533c 511
870f6ba8
TF
512 0, /* ratelimit */
513
2f079f46
PH
514 (unsigned int)
515 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 516
71fafd95 517 #ifdef WITH_CONTENT_SCAN
2f079f46
PH
518 (unsigned int)
519 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
520 (1<<ACL_WHERE_MIME)),
71fafd95 521 #endif
8523533c 522
059ec3d9
PH
523 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
524 (1<<ACL_WHERE_HELO)|
525 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
526 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
527 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
528
529 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
530 (1<<ACL_WHERE_HELO)|
531 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
532 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
533 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
534
535 0, /* set */
536
71fafd95 537 #ifdef WITH_CONTENT_SCAN
2f079f46
PH
538 (unsigned int)
539 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 540 #endif
8523533c 541
71fafd95 542 #ifdef EXPERIMENTAL_SPF
8523533c
TK
543 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
544 (1<<ACL_WHERE_HELO)|
545 (1<<ACL_WHERE_MAILAUTH)|
546 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH
547 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
548 (1<<ACL_WHERE_NOTSMTP)|
549 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 550 #endif
8523533c 551
059ec3d9
PH
552 /* Certain types of verify are always allowed, so we let it through
553 always and check in the verify function itself */
554
555 0 /* verify */
059ec3d9
PH
556};
557
558
c5fcb476
PH
559/* Bit map vector of which controls are not allowed at certain times. For
560each control, there's a bitmap of dis-allowed times. For some, it is easier to
561specify the negation of a small number of allowed times. */
562
563static unsigned int control_forbids[] = {
c46782ef
PH
564 (unsigned int)
565 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
566
567 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 568 0, /* bmi_run */
c46782ef
PH
569 #endif
570
571 #ifdef EXPERIMENTAL_DOMAINKEYS
45b91596
PH
572 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dk_verify */
573 (1<<ACL_WHERE_NOTSMTP_START),
c46782ef 574 #endif
3e11c26b 575
f7572e5a
TK
576 #ifdef EXPERIMENTAL_DKIM
577 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_verify */
578 (1<<ACL_WHERE_NOTSMTP_START),
579 #endif
580
c5fcb476 581 0, /* error */
8e669ac1
PH
582
583 (unsigned int)
c5fcb476 584 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH
585
586 (unsigned int)
c5fcb476 587 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 588
45b91596
PH
589 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
590 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 591
45b91596
PH
592 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
593 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH
594
595 (unsigned int)
c5fcb476
PH
596 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
597 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 598 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH
599
600 (unsigned int)
c5fcb476
PH
601 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
602 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 603 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH
604
605 (unsigned int)
c5fcb476 606 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 607 (1<<ACL_WHERE_PREDATA)),
8523533c 608
8800895a
PH
609 (unsigned int)
610 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH
611 (1<<ACL_WHERE_PREDATA)|
612 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 613
c46782ef 614 #ifdef WITH_CONTENT_SCAN
8e669ac1 615 (unsigned int)
14d57970 616 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK
617 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
618 (1<<ACL_WHERE_MIME)),
c46782ef 619 #endif
a6c4ab60 620
8e669ac1 621 (unsigned int)
29aba418
TF
622 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
623 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
624 (1<<ACL_WHERE_MIME)),
625
626 (unsigned int)
a6c4ab60 627 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK
628 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
629 (1<<ACL_WHERE_MIME)),
8523533c 630
45b91596 631 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH
632 (1<<ACL_WHERE_NOTSMTP_START),
633
634 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH
635 (1<<ACL_WHERE_NOTSMTP_START),
636
637 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH
638 (1<<ACL_WHERE_NOTSMTP_START),
639
640 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 641 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH
642};
643
644/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH
645
646typedef struct control_def {
647 uschar *name;
648 int value; /* CONTROL_xxx value */
059ec3d9
PH
649 BOOL has_option; /* Has /option(s) following */
650} control_def;
651
652static control_def controls_list[] = {
c46782ef 653 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 654#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 655 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
8523533c 656#endif
fb2274d4 657#ifdef EXPERIMENTAL_DOMAINKEYS
c46782ef 658 { US"dk_verify", CONTROL_DK_VERIFY, FALSE },
fb2274d4 659#endif
f7572e5a
TK
660#ifdef EXPERIMENTAL_DKIM
661 { US"dkim_verify", CONTROL_DKIM_VERIFY, FALSE },
662#endif
c46782ef
PH
663 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
664 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
665 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
666 { US"freeze", CONTROL_FREEZE, TRUE },
4c590bd1 667 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
047bdd8c 668 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
c46782ef
PH
669 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
670 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 671 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 672 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 673#ifdef WITH_CONTENT_SCAN
c46782ef 674 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 675#endif
c46782ef
PH
676 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
677 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
678 { US"submission", CONTROL_SUBMISSION, TRUE },
679 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH
680 };
681
e5a9dba6
PH
682/* Support data structures for Client SMTP Authorization. acl_verify_csa()
683caches its result in a tree to avoid repeated DNS queries. The result is an
684integer code which is used as an index into the following tables of
685explanatory strings and verification return codes. */
686
687static tree_node *csa_cache = NULL;
688
689enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
690 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
691
692/* The acl_verify_csa() return code is translated into an acl_verify() return
693code using the following table. It is OK unless the client is definitely not
694authorized. This is because CSA is supposed to be optional for sending sites,
695so recipients should not be too strict about checking it - especially because
696DNS problems are quite likely to occur. It's possible to use $csa_status in
697further ACL conditions to distinguish ok, unknown, and defer if required, but
698the aim is to make the usual configuration simple. */
699
700static int csa_return_code[] = {
701 OK, OK, OK, OK,
702 FAIL, FAIL, FAIL, FAIL
703};
704
705static uschar *csa_status_string[] = {
706 US"unknown", US"ok", US"defer", US"defer",
707 US"fail", US"fail", US"fail", US"fail"
708};
709
710static uschar *csa_reason_string[] = {
711 US"unknown",
712 US"ok",
713 US"deferred (SRV lookup failed)",
714 US"deferred (target address lookup failed)",
715 US"failed (explicit authorization required)",
716 US"failed (host name not authorized)",
717 US"failed (no authorized addresses)",
718 US"failed (client address mismatch)"
719};
720
059ec3d9
PH
721/* Enable recursion between acl_check_internal() and acl_check_condition() */
722
723static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
724 uschar **);
725
726
727/*************************************************
728* Pick out name from list *
729*************************************************/
730
731/* Use a binary chop method
732
733Arguments:
734 name name to find
735 list list of names
736 end size of list
737
738Returns: offset in list, or -1 if not found
739*/
740
741static int
742acl_checkname(uschar *name, uschar **list, int end)
743{
744int start = 0;
745
746while (start < end)
747 {
748 int mid = (start + end)/2;
749 int c = Ustrcmp(name, list[mid]);
750 if (c == 0) return mid;
751 if (c < 0) end = mid; else start = mid + 1;
752 }
753
754return -1;
755}
756
757
758/*************************************************
759* Read and parse one ACL *
760*************************************************/
761
762/* This function is called both from readconf in order to parse the ACLs in the
763configuration file, and also when an ACL is encountered dynamically (e.g. as
764the result of an expansion). It is given a function to call in order to
765retrieve the lines of the ACL. This function handles skipping comments and
766blank lines (where relevant).
767
768Arguments:
769 func function to get next line of ACL
770 error where to put an error message
771
772Returns: pointer to ACL, or NULL
773 NULL can be legal (empty ACL); in this case error will be NULL
774*/
775
776acl_block *
777acl_read(uschar *(*func)(void), uschar **error)
778{
779acl_block *yield = NULL;
780acl_block **lastp = &yield;
781acl_block *this = NULL;
782acl_condition_block *cond;
783acl_condition_block **condp = NULL;
784uschar *s;
785
786*error = NULL;
787
788while ((s = (*func)()) != NULL)
789 {
790 int v, c;
791 BOOL negated = FALSE;
792 uschar *saveline = s;
793 uschar name[64];
794
795 /* Conditions (but not verbs) are allowed to be negated by an initial
796 exclamation mark. */
797
798 while (isspace(*s)) s++;
799 if (*s == '!')
800 {
801 negated = TRUE;
802 s++;
803 }
804
cf00dad6
PH
805 /* Read the name of a verb or a condition, or the start of a new ACL, which
806 can be started by a name, or by a macro definition. */
059ec3d9
PH
807
808 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 809 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH
810
811 /* If a verb is unrecognized, it may be another condition or modifier that
812 continues the previous verb. */
813
814 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
815 if (v < 0)
816 {
817 if (this == NULL)
818 {
4e167a8c
PH
819 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
820 saveline);
059ec3d9
PH
821 return NULL;
822 }
823 }
824
825 /* New verb */
826
827 else
828 {
829 if (negated)
830 {
831 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
832 return NULL;
833 }
834 this = store_get(sizeof(acl_block));
835 *lastp = this;
836 lastp = &(this->next);
837 this->next = NULL;
838 this->verb = v;
839 this->condition = NULL;
840 condp = &(this->condition);
841 if (*s == 0) continue; /* No condition on this line */
842 if (*s == '!')
843 {
844 negated = TRUE;
845 s++;
846 }
847 s = readconf_readname(name, sizeof(name), s); /* Condition name */
848 }
849
850 /* Handle a condition or modifier. */
851
852 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
853 if (c < 0)
854 {
855 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
856 saveline);
857 return NULL;
858 }
859
860 /* The modifiers may not be negated */
861
862 if (negated && cond_modifiers[c])
863 {
864 *error = string_sprintf("ACL error: negation is not allowed with "
865 "\"%s\"", conditions[c]);
866 return NULL;
867 }
868
869 /* ENDPASS may occur only with ACCEPT or DISCARD. */
870
871 if (c == ACLC_ENDPASS &&
872 this->verb != ACL_ACCEPT &&
873 this->verb != ACL_DISCARD)
874 {
875 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
876 conditions[c], verbs[this->verb]);
877 return NULL;
878 }
879
880 cond = store_get(sizeof(acl_condition_block));
881 cond->next = NULL;
882 cond->type = c;
883 cond->u.negated = negated;
884
885 *condp = cond;
886 condp = &(cond->next);
887
888 /* The "set" modifier is different in that its argument is "name=value"
889 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH
890 gives us a variable name to insert into the data block. The original ACL
891 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
892 extended to 20 of each type, but after that people successfully argued for
641cb756
PH
893 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
894 After that, we allow alphanumerics and underscores, but the first character
895 after c or m must be a digit or an underscore. This retains backwards
896 compatibility. */
059ec3d9
PH
897
898 if (c == ACLC_SET)
899 {
47ca6d6c
PH
900 uschar *endptr;
901
38a0a95f
PH
902 if (Ustrncmp(s, "acl_c", 5) != 0 &&
903 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 904 {
38a0a95f
PH
905 *error = string_sprintf("invalid variable name after \"set\" in ACL "
906 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
907 return NULL;
47ca6d6c 908 }
38a0a95f
PH
909
910 endptr = s + 5;
641cb756
PH
911 if (!isdigit(*endptr) && *endptr != '_')
912 {
913 *error = string_sprintf("invalid variable name after \"set\" in ACL "
914 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
915 s);
916 return NULL;
917 }
918
38a0a95f 919 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 920 {
38a0a95f
PH
921 if (!isalnum(*endptr) && *endptr != '_')
922 {
923 *error = string_sprintf("invalid character \"%c\" in variable name "
924 "in ACL modifier \"set %s\"", *endptr, s);
925 return NULL;
926 }
927 endptr++;
47ca6d6c 928 }
47ca6d6c 929
38a0a95f 930 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 931 s = endptr;
059ec3d9
PH
932 while (isspace(*s)) s++;
933 }
934
935 /* For "set", we are now positioned for the data. For the others, only
936 "endpass" has no data */
937
938 if (c != ACLC_ENDPASS)
939 {
940 if (*s++ != '=')
941 {
942 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
943 cond_modifiers[c]? US"modifier" : US"condition");
944 return NULL;
945 }
946 while (isspace(*s)) s++;
947 cond->arg = string_copy(s);
948 }
949 }
950
951return yield;
952}
953
954
955
956/*************************************************
71fafd95
PH
957* Set up added header line(s) *
958*************************************************/
959
960/* This function is called by the add_header modifier, and also from acl_warn()
961to implement the now-deprecated way of adding header lines using "message" on a
962"warn" verb. The argument is treated as a sequence of header lines which are
963added to a chain, provided there isn't an identical one already there.
964
965Argument: string of header lines
966Returns: nothing
967*/
968
969static void
970setup_header(uschar *hstring)
971{
972uschar *p, *q;
973int hlen = Ustrlen(hstring);
974
975/* An empty string does nothing; otherwise add a final newline if necessary. */
976
977if (hlen <= 0) return;
978if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
979
980/* Loop for multiple header lines, taking care about continuations */
981
982for (p = q = hstring; *p != 0; )
983 {
984 uschar *s;
985 int newtype = htype_add_bot;
986 header_line **hptr = &acl_added_headers;
987
988 /* Find next header line within the string */
989
990 for (;;)
991 {
992 q = Ustrchr(q, '\n');
993 if (*(++q) != ' ' && *q != '\t') break;
994 }
995
996 /* If the line starts with a colon, interpret the instruction for where to
997 add it. This temporarily sets up a new type. */
998
999 if (*p == ':')
1000 {
1001 if (strncmpic(p, US":after_received:", 16) == 0)
1002 {
1003 newtype = htype_add_rec;
1004 p += 16;
1005 }
1006 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1007 {
1008 newtype = htype_add_rfc;
1009 p += 14;
1010 }
1011 else if (strncmpic(p, US":at_start:", 10) == 0)
1012 {
1013 newtype = htype_add_top;
1014 p += 10;
1015 }
1016 else if (strncmpic(p, US":at_end:", 8) == 0)
1017 {
1018 newtype = htype_add_bot;
1019 p += 8;
1020 }
1021 while (*p == ' ' || *p == '\t') p++;
1022 }
1023
1024 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1025 to the front of it. */
1026
1027 for (s = p; s < q - 1; s++)
1028 {
1029 if (*s == ':' || !isgraph(*s)) break;
1030 }
1031
1032 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
1033 hlen = Ustrlen(s);
1034
1035 /* See if this line has already been added */
1036
1037 while (*hptr != NULL)
1038 {
1039 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1040 hptr = &((*hptr)->next);
1041 }
1042
1043 /* Add if not previously present */
1044
1045 if (*hptr == NULL)
1046 {
1047 header_line *h = store_get(sizeof(header_line));
1048 h->text = s;
1049 h->next = NULL;
1050 h->type = newtype;
1051 h->slen = hlen;
1052 *hptr = h;
1053 hptr = &(h->next);
1054 }
1055
1056 /* Advance for next header line within the string */
1057
1058 p = q;
1059 }
1060}
1061
1062
1063
1064
1065/*************************************************
059ec3d9
PH
1066* Handle warnings *
1067*************************************************/
1068
1069/* This function is called when a WARN verb's conditions are true. It adds to
1070the message's headers, and/or writes information to the log. In each case, this
1071only happens once (per message for headers, per connection for log).
1072
71fafd95
PH
1073** NOTE: The header adding action using the "message" setting is historic, and
1074its use is now deprecated. The new add_header modifier should be used instead.
1075
059ec3d9
PH
1076Arguments:
1077 where ACL_WHERE_xxxx indicating which ACL this is
1078 user_message message for adding to headers
1079 log_message message for logging, if different
1080
1081Returns: nothing
1082*/
1083
1084static void
1085acl_warn(int where, uschar *user_message, uschar *log_message)
1086{
059ec3d9
PH
1087if (log_message != NULL && log_message != user_message)
1088 {
1089 uschar *text;
1090 string_item *logged;
1091
1092 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1093 string_printing(log_message));
1094
1095 /* If a sender verification has failed, and the log message is "sender verify
1096 failed", add the failure message. */
1097
1098 if (sender_verified_failed != NULL &&
1099 sender_verified_failed->message != NULL &&
1100 strcmpic(log_message, US"sender verify failed") == 0)
1101 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1102
9c7a242c
PH
1103 /* Search previously logged warnings. They are kept in malloc
1104 store so they can be freed at the start of a new message. */
059ec3d9
PH
1105
1106 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1107 if (Ustrcmp(logged->text, text) == 0) break;
1108
1109 if (logged == NULL)
1110 {
1111 int length = Ustrlen(text) + 1;
1112 log_write(0, LOG_MAIN, "%s", text);
1113 logged = store_malloc(sizeof(string_item) + length);
1114 logged->text = (uschar *)logged + sizeof(string_item);
1115 memcpy(logged->text, text, length);
1116 logged->next = acl_warn_logged;
1117 acl_warn_logged = logged;
1118 }
1119 }
1120
1121/* If there's no user message, we are done. */
1122
1123if (user_message == NULL) return;
1124
1125/* If this isn't a message ACL, we can't do anything with a user message.
1126Log an error. */
1127
1128if (where > ACL_WHERE_NOTSMTP)
1129 {
1130 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1131 "found in a non-message (%s) ACL: cannot specify header lines here: "
1132 "message ignored", acl_wherenames[where]);
1133 return;
1134 }
1135
71fafd95
PH
1136/* The code for setting up header lines is now abstracted into a separate
1137function so that it can be used for the add_header modifier as well. */
059ec3d9 1138
71fafd95 1139setup_header(user_message);
059ec3d9
PH
1140}
1141
1142
1143
1144/*************************************************
1145* Verify and check reverse DNS *
1146*************************************************/
1147
1148/* Called from acl_verify() below. We look up the host name(s) of the client IP
1149address if this has not yet been done. The host_name_lookup() function checks
1150that one of these names resolves to an address list that contains the client IP
1151address, so we don't actually have to do the check here.
1152
1153Arguments:
1154 user_msgptr pointer for user message
1155 log_msgptr pointer for log message
1156
1157Returns: OK verification condition succeeded
1158 FAIL verification failed
1159 DEFER there was a problem verifying
1160*/
1161
1162static int
1163acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1164{
1165int rc;
1166
1167user_msgptr = user_msgptr; /* stop compiler warning */
1168
1169/* Previous success */
1170
1171if (sender_host_name != NULL) return OK;
1172
1173/* Previous failure */
1174
1175if (host_lookup_failed)
1176 {
1177 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1178 return FAIL;
1179 }
1180
1181/* Need to do a lookup */
1182
1183HDEBUG(D_acl)
1184 debug_printf("looking up host name to force name/address consistency check\n");
1185
1186if ((rc = host_name_lookup()) != OK)
1187 {
1188 *log_msgptr = (rc == DEFER)?
1189 US"host lookup deferred for reverse lookup check"
1190 :
1191 string_sprintf("host lookup failed for reverse lookup check%s",
1192 host_lookup_msg);
1193 return rc; /* DEFER or FAIL */
1194 }
1195
1196host_build_sender_fullhost();
1197return OK;
1198}
1199
1200
1201
1202/*************************************************
e5a9dba6
PH
1203* Check client IP address matches CSA target *
1204*************************************************/
1205
1206/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1207response for address records belonging to the CSA target hostname. The section
1208is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1209If one of the addresses matches the client's IP address, then the client is
1210authorized by CSA. If there are target IP addresses but none of them match
1211then the client is using an unauthorized IP address. If there are no target IP
1212addresses then the client cannot be using an authorized IP address. (This is
1213an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1214
1215Arguments:
1216 dnsa the DNS answer block
1217 dnss a DNS scan block for us to use
1218 reset option specifing what portion to scan, as described above
1219 target the target hostname to use for matching RR names
1220
1221Returns: CSA_OK successfully authorized
1222 CSA_FAIL_MISMATCH addresses found but none matched
1223 CSA_FAIL_NOADDR no target addresses found
1224*/
1225
1226static int
1227acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1228 uschar *target)
1229{
1230dns_record *rr;
1231dns_address *da;
1232
1233BOOL target_found = FALSE;
1234
1235for (rr = dns_next_rr(dnsa, dnss, reset);
1236 rr != NULL;
1237 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1238 {
1239 /* Check this is an address RR for the target hostname. */
1240
1241 if (rr->type != T_A
1242 #if HAVE_IPV6
1243 && rr->type != T_AAAA
1244 #ifdef SUPPORT_A6
1245 && rr->type != T_A6
1246 #endif
1247 #endif
1248 ) continue;
1249
1250 if (strcmpic(target, rr->name) != 0) continue;
1251
1252 target_found = TRUE;
1253
1254 /* Turn the target address RR into a list of textual IP addresses and scan
1255 the list. There may be more than one if it is an A6 RR. */
1256
1257 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1258 {
1259 /* If the client IP address matches the target IP address, it's good! */
1260
1261 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1262
1263 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1264 }
1265 }
1266
1267/* If we found some target addresses but none of them matched, the client is
1268using an unauthorized IP address, otherwise the target has no authorized IP
1269addresses. */
1270
1271if (target_found) return CSA_FAIL_MISMATCH;
1272else return CSA_FAIL_NOADDR;
1273}
1274
1275
1276
1277/*************************************************
1278* Verify Client SMTP Authorization *
1279*************************************************/
1280
1281/* Called from acl_verify() below. This routine calls dns_lookup_special()
1282to find the CSA SRV record corresponding to the domain argument, or
1283$sender_helo_name if no argument is provided. It then checks that the
1284client is authorized, and that its IP address corresponds to the SRV
1285target's address by calling acl_verify_csa_address() above. The address
1286should have been returned in the DNS response's ADDITIONAL section, but if
1287not we perform another DNS lookup to get it.
1288
1289Arguments:
1290 domain pointer to optional parameter following verify = csa
1291
1292Returns: CSA_UNKNOWN no valid CSA record found
1293 CSA_OK successfully authorized
1294 CSA_FAIL_* client is definitely not authorized
1295 CSA_DEFER_* there was a DNS problem
1296*/
1297
1298static int
1299acl_verify_csa(uschar *domain)
1300{
1301tree_node *t;
1302uschar *found, *p;
1303int priority, weight, port;
1304dns_answer dnsa;
1305dns_scan dnss;
1306dns_record *rr;
1307int rc, type;
1308uschar target[256];
1309
1310/* Work out the domain we are using for the CSA lookup. The default is the
1311client's HELO domain. If the client has not said HELO, use its IP address
1312instead. If it's a local client (exim -bs), CSA isn't applicable. */
1313
1314while (isspace(*domain) && *domain != '\0') ++domain;
1315if (*domain == '\0') domain = sender_helo_name;
1316if (domain == NULL) domain = sender_host_address;
1317if (sender_host_address == NULL) return CSA_UNKNOWN;
1318
1319/* If we have an address literal, strip off the framing ready for turning it
1320into a domain. The framing consists of matched square brackets possibly
1321containing a keyword and a colon before the actual IP address. */
1322
1323if (domain[0] == '[')
1324 {
1325 uschar *start = Ustrchr(domain, ':');
1326 if (start == NULL) start = domain;
1327 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1328 }
1329
1330/* Turn domains that look like bare IP addresses into domains in the reverse
1331DNS. This code also deals with address literals and $sender_host_address. It's
1332not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1333address literals, but it's probably the most friendly thing to do. This is an
1334extension to CSA, so we allow it to be turned off for proper conformance. */
1335
7e66e54d 1336if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH
1337 {
1338 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1339 dns_build_reverse(domain, target);
1340 domain = target;
1341 }
1342
1343/* Find out if we've already done the CSA check for this domain. If we have,
1344return the same result again. Otherwise build a new cached result structure
1345for this domain. The name is filled in now, and the value is filled in when
1346we return from this function. */
1347
1348t = tree_search(csa_cache, domain);
1349if (t != NULL) return t->data.val;
1350
1351t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1352Ustrcpy(t->name, domain);
1353(void)tree_insertnode(&csa_cache, t);
1354
1355/* Now we are ready to do the actual DNS lookup(s). */
1356
28e6ef29 1357found = domain;
e5a9dba6
PH
1358switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1359 {
1360 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1361
1362 default:
1363 return t->data.val = CSA_DEFER_SRV;
1364
1365 /* If we found nothing, the client's authorization is unknown. */
1366
1367 case DNS_NOMATCH:
1368 case DNS_NODATA:
1369 return t->data.val = CSA_UNKNOWN;
1370
1371 /* We got something! Go on to look at the reply in more detail. */
1372
1373 case DNS_SUCCEED:
1374 break;
1375 }
1376
1377/* Scan the reply for well-formed CSA SRV records. */
1378
1379for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1380 rr != NULL;
1381 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1382 {
1383 if (rr->type != T_SRV) continue;
1384
1385 /* Extract the numerical SRV fields (p is incremented) */
1386
1387 p = rr->data;
1388 GETSHORT(priority, p);
1389 GETSHORT(weight, p);
1390 GETSHORT(port, p);
1391
1392 DEBUG(D_acl)
1393 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1394
1395 /* Check the CSA version number */
1396
1397 if (priority != 1) continue;
1398
1399 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1400 found by dns_special_lookup() is a parent of the one we asked for), we check
1401 the subdomain assertions in the port field. At the moment there's only one
1402 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1403 SRV records of their own. */
1404
1405 if (found != domain)
1406 {
1407 if (port & 1)
1408 return t->data.val = CSA_FAIL_EXPLICIT;
1409 else
1410 return t->data.val = CSA_UNKNOWN;
1411 }
1412
1413 /* This CSA SRV record refers directly to our domain, so we check the value
1414 in the weight field to work out the domain's authorization. 0 and 1 are
1415 unauthorized; 3 means the client is authorized but we can't check the IP
1416 address in order to authenticate it, so we treat it as unknown; values
1417 greater than 3 are undefined. */
1418
1419 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1420
1421 if (weight > 2) continue;
1422
1423 /* Weight == 2, which means the domain is authorized. We must check that the
1424 client's IP address is listed as one of the SRV target addresses. Save the
1425 target hostname then break to scan the additional data for its addresses. */
1426
1427 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1428 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1429
1430 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1431
1432 break;
1433 }
1434
1435/* If we didn't break the loop then no appropriate records were found. */
1436
1437if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1438
1439/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1440A target of "." indicates there are no valid addresses, so the client cannot
1441be authorized. (This is an odd configuration because weight=2 target=. is
1442equivalent to weight=1, but we check for it in order to keep load off the
1443root name servers.) Note that dn_expand() turns "." into "". */
1444
1445if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1446
1447/* Scan the additional section of the CSA SRV reply for addresses belonging
1448to the target. If the name server didn't return any additional data (e.g.
1449because it does not fully support SRV records), we need to do another lookup
1450to obtain the target addresses; otherwise we have a definitive result. */
1451
1452rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1453if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1454
1455/* The DNS lookup type corresponds to the IP version used by the client. */
1456
1457#if HAVE_IPV6
1458if (Ustrchr(sender_host_address, ':') != NULL)
1459 type = T_AAAA;
1460else
1461#endif /* HAVE_IPV6 */
1462 type = T_A;
1463
1464
1465#if HAVE_IPV6 && defined(SUPPORT_A6)
1466DNS_LOOKUP_AGAIN:
1467#endif
1468
1469switch (dns_lookup(&dnsa, target, type, NULL))
1470 {
1471 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1472
1473 default:
1474 return t->data.val = CSA_DEFER_ADDR;
1475
1476 /* If the query succeeded, scan the addresses and return the result. */
1477
1478 case DNS_SUCCEED:
1479 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1480 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1481 /* else fall through */
1482
1483 /* If the target has no IP addresses, the client cannot have an authorized
1484 IP address. However, if the target site uses A6 records (not AAAA records)
1485 we have to do yet another lookup in order to check them. */
1486
1487 case DNS_NOMATCH:
1488 case DNS_NODATA:
1489
1490 #if HAVE_IPV6 && defined(SUPPORT_A6)
1491 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1492 #endif
1493
1494 return t->data.val = CSA_FAIL_NOADDR;
1495 }
1496}
1497
1498
1499
1500/*************************************************
059ec3d9
PH
1501* Handle verification (address & other) *
1502*************************************************/
1503
1504/* This function implements the "verify" condition. It is called when
1505encountered in any ACL, because some tests are almost always permitted. Some
1506just don't make sense, and always fail (for example, an attempt to test a host
1507lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1508
1509Arguments:
1510 where where called from
1511 addr the recipient address that the ACL is handling, or NULL
1512 arg the argument of "verify"
1513 user_msgptr pointer for user message
1514 log_msgptr pointer for log message
1515 basic_errno where to put verify errno
1516
1517Returns: OK verification condition succeeded
1518 FAIL verification failed
1519 DEFER there was a problem verifying
1520 ERROR syntax error
1521*/
1522
1523static int
1524acl_verify(int where, address_item *addr, uschar *arg,
1525 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1526{
1527int sep = '/';
1528int callout = -1;
1529int callout_overall = -1;
4deaf07d 1530int callout_connect = -1;
059ec3d9
PH
1531int verify_options = 0;
1532int rc;
1533BOOL verify_header_sender = FALSE;
1534BOOL defer_ok = FALSE;
1535BOOL callout_defer_ok = FALSE;
1536BOOL no_details = FALSE;
eafd343b 1537BOOL success_on_redirect = FALSE;
059ec3d9
PH
1538address_item *sender_vaddr = NULL;
1539uschar *verify_sender_address = NULL;
1540uschar *pm_mailfrom = NULL;
1541uschar *se_mailfrom = NULL;
596875b3
PH
1542
1543/* Some of the verify items have slash-separated options; some do not. Diagnose
1544an error if options are given for items that don't expect them. This code has
1545now got very message. Refactoring to use a table would be a good idea one day.
1546*/
1547
1548uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH
1549uschar *list = arg;
1550uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1551
1552if (ss == NULL) goto BAD_VERIFY;
1553
1554/* Handle name/address consistency verification in a separate function. */
1555
1556if (strcmpic(ss, US"reverse_host_lookup") == 0)
1557 {
596875b3 1558 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH
1559 if (sender_host_address == NULL) return OK;
1560 return acl_verify_reverse(user_msgptr, log_msgptr);
1561 }
1562
1563/* TLS certificate verification is done at STARTTLS time; here we just
1564test whether it was successful or not. (This is for optional verification; for
1565mandatory verification, the connection doesn't last this long.) */
1566
1567if (strcmpic(ss, US"certificate") == 0)
1568 {
596875b3 1569 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH
1570 if (tls_certificate_verified) return OK;
1571 *user_msgptr = US"no verified certificate";
1572 return FAIL;
1573 }
1574
d7b47fd0
PH
1575/* We can test the result of optional HELO verification that might have
1576occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1577
596875b3
PH
1578if (strcmpic(ss, US"helo") == 0)
1579 {
1580 if (slash != NULL) goto NO_OPTIONS;
0154e85a
TF
1581 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1582 return helo_verified? OK : FAIL;
596875b3 1583 }
059ec3d9 1584
e5a9dba6
PH
1585/* Do Client SMTP Authorization checks in a separate function, and turn the
1586result code into user-friendly strings. */
1587
1588if (strcmpic(ss, US"csa") == 0)
1589 {
1590 rc = acl_verify_csa(list);
1591 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1592 csa_reason_string[rc]);
1593 csa_status = csa_status_string[rc];
1594 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1595 return csa_return_code[rc];
1596 }
1597
596875b3
PH
1598/* Check that all relevant header lines have the correct syntax. If there is
1599a syntax error, we return details of the error to the sender if configured to
1600send out full details. (But a "message" setting on the ACL can override, as
1601always). */
059ec3d9 1602
596875b3 1603if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1604 {
596875b3 1605 if (slash != NULL) goto NO_OPTIONS;
1c41c9cc 1606 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3
PH
1607 rc = verify_check_headers(log_msgptr);
1608 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1609 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1610 return rc;
1611 }
059ec3d9 1612
1c41c9cc
PH
1613/* Check that no recipient of this message is "blind", that is, every envelope
1614recipient must be mentioned in either To: or Cc:. */
1615
1616if (strcmpic(ss, US"not_blind") == 0)
1617 {
1618 if (slash != NULL) goto NO_OPTIONS;
1619 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1620 rc = verify_check_notblind();
1621 if (rc != OK)
1622 {
1623 *log_msgptr = string_sprintf("bcc recipient detected");
1624 if (smtp_return_error_details)
1625 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1626 }
1627 return rc;
1628 }
059ec3d9 1629
596875b3
PH
1630/* The remaining verification tests check recipient and sender addresses,
1631either from the envelope or from the header. There are a number of
1632slash-separated options that are common to all of them. */
059ec3d9 1633
059ec3d9 1634
596875b3
PH
1635/* Check that there is at least one verifiable sender address in the relevant
1636header lines. This can be followed by callout and defer options, just like
1637sender and recipient. */
059ec3d9 1638
596875b3
PH
1639if (strcmpic(ss, US"header_sender") == 0)
1640 {
1c41c9cc 1641 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3 1642 verify_header_sender = TRUE;
059ec3d9
PH
1643 }
1644
1645/* Otherwise, first item in verify argument must be "sender" or "recipient".
1646In the case of a sender, this can optionally be followed by an address to use
1647in place of the actual sender (rare special-case requirement). */
1648
1649else if (strncmpic(ss, US"sender", 6) == 0)
1650 {
1651 uschar *s = ss + 6;
1652 if (where > ACL_WHERE_NOTSMTP)
1653 {
1654 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1655 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1656 acl_wherenames[where]);
1657 return ERROR;
1658 }
1659 if (*s == 0)
1660 verify_sender_address = sender_address;
1661 else
1662 {
1663 while (isspace(*s)) s++;
1664 if (*s++ != '=') goto BAD_VERIFY;
1665 while (isspace(*s)) s++;
1666 verify_sender_address = string_copy(s);
1667 }
1668 }
1669else
1670 {
1671 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1672 if (addr == NULL)
1673 {
1674 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1675 "(only possible for RCPT)", acl_wherenames[where]);
1676 return ERROR;
1677 }
1678 }
1679
596875b3
PH
1680/* Remaining items are optional; they apply to sender and recipient
1681verification, including "header sender" verification. */
059ec3d9
PH
1682
1683while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1684 != NULL)
1685 {
1686 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1687 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1688 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH
1689
1690 /* These two old options are left for backwards compatibility */
1691
1692 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1693 {
1694 callout_defer_ok = TRUE;
1695 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1696 }
1697
1698 else if (strcmpic(ss, US"check_postmaster") == 0)
1699 {
1700 pm_mailfrom = US"";
1701 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1702 }
1703
1704 /* The callout option has a number of sub-options, comma separated */
1705
1706 else if (strncmpic(ss, US"callout", 7) == 0)
1707 {
1708 callout = CALLOUT_TIMEOUT_DEFAULT;
1709 ss += 7;
1710 if (*ss != 0)
1711 {
1712 while (isspace(*ss)) ss++;
1713 if (*ss++ == '=')
1714 {
1715 int optsep = ',';
1716 uschar *opt;
1717 uschar buffer[256];
1718 while (isspace(*ss)) ss++;
8e669ac1
PH
1719
1720 /* This callout option handling code has become a mess as new options
1721 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1722 kind of table-driven thing. */
8e669ac1 1723
059ec3d9
PH
1724 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1725 != NULL)
1726 {
1727 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1728 else if (strcmpic(opt, US"no_cache") == 0)
1729 verify_options |= vopt_callout_no_cache;
1730 else if (strcmpic(opt, US"random") == 0)
1731 verify_options |= vopt_callout_random;
1732 else if (strcmpic(opt, US"use_sender") == 0)
1733 verify_options |= vopt_callout_recipsender;
1734 else if (strcmpic(opt, US"use_postmaster") == 0)
1735 verify_options |= vopt_callout_recippmaster;
1736 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
2a4be8f9
PH
1737 else if (strcmpic(opt, US"fullpostmaster") == 0)
1738 {
1739 pm_mailfrom = US"";
1740 verify_options |= vopt_callout_fullpm;
1741 }
059ec3d9
PH
1742
1743 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1744 {
1745 if (!verify_header_sender)
1746 {
1747 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1748 "callout option only for verify=header_sender (detected in ACL "
1749 "condition \"%s\")", arg);
1750 return ERROR;
1751 }
1752 opt += 8;
1753 while (isspace(*opt)) opt++;
1754 if (*opt++ != '=')
1755 {
1756 *log_msgptr = string_sprintf("'=' expected after "
1757 "\"mailfrom\" in ACL condition \"%s\"", arg);
1758 return ERROR;
1759 }
1760 while (isspace(*opt)) opt++;
1761 se_mailfrom = string_copy(opt);
1762 }
1763
1764 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1765 {
1766 opt += 19;
1767 while (isspace(*opt)) opt++;
1768 if (*opt++ != '=')
1769 {
1770 *log_msgptr = string_sprintf("'=' expected after "
1771 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1772 return ERROR;
1773 }
1774 while (isspace(*opt)) opt++;
1775 pm_mailfrom = string_copy(opt);
1776 }
1777
1778 else if (strncmpic(opt, US"maxwait", 7) == 0)
1779 {
1780 opt += 7;
1781 while (isspace(*opt)) opt++;
1782 if (*opt++ != '=')
1783 {
1784 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1785 "ACL condition \"%s\"", arg);
1786 return ERROR;
1787 }
1788 while (isspace(*opt)) opt++;
1789 callout_overall = readconf_readtime(opt, 0, FALSE);
1790 if (callout_overall < 0)
1791 {
1792 *log_msgptr = string_sprintf("bad time value in ACL condition "
1793 "\"verify %s\"", arg);
1794 return ERROR;
1795 }
1796 }
4deaf07d
PH
1797 else if (strncmpic(opt, US"connect", 7) == 0)
1798 {
1799 opt += 7;
1800 while (isspace(*opt)) opt++;
1801 if (*opt++ != '=')
1802 {
1803 *log_msgptr = string_sprintf("'=' expected after "
1804 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1805 return ERROR;
1806 }
1807 while (isspace(*opt)) opt++;
1808 callout_connect = readconf_readtime(opt, 0, FALSE);
1809 if (callout_connect < 0)
1810 {
1811 *log_msgptr = string_sprintf("bad time value in ACL condition "
1812 "\"verify %s\"", arg);
1813 return ERROR;
1814 }
1815 }
059ec3d9
PH
1816 else /* Plain time is callout connect/command timeout */
1817 {
1818 callout = readconf_readtime(opt, 0, FALSE);
1819 if (callout < 0)
1820 {
1821 *log_msgptr = string_sprintf("bad time value in ACL condition "
1822 "\"verify %s\"", arg);
1823 return ERROR;
1824 }
1825 }
1826 }
1827 }
1828 else
1829 {
1830 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1831 "ACL condition \"%s\"", arg);
1832 return ERROR;
1833 }
1834 }
1835 }
1836
1837 /* Option not recognized */
1838
1839 else
1840 {
1841 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1842 "condition \"verify %s\"", ss, arg);
1843 return ERROR;
1844 }
1845 }
1846
1847if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1848 (vopt_callout_recipsender|vopt_callout_recippmaster))
1849 {
1850 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1851 "for a recipient callout";
1852 return ERROR;
1853 }
1854
1855/* Handle sender-in-header verification. Default the user message to the log
1856message if giving out verification details. */
1857
1858if (verify_header_sender)
1859 {
8e669ac1 1860 int verrno;
059ec3d9 1861 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH
1862 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1863 &verrno);
1864 if (rc != OK)
8e669ac1 1865 {
fe5b5d0b
PH
1866 *basic_errno = verrno;
1867 if (smtp_return_error_details)
1868 {
1869 if (*user_msgptr == NULL && *log_msgptr != NULL)
1870 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1871 if (rc == DEFER) acl_temp_details = TRUE;
1872 }
8e669ac1 1873 }
059ec3d9
PH
1874 }
1875
1876/* Handle a sender address. The default is to verify *the* sender address, but
1877optionally a different address can be given, for special requirements. If the
1878address is empty, we are dealing with a bounce message that has no sender, so
1879we cannot do any checking. If the real sender address gets rewritten during
1880verification (e.g. DNS widening), set the flag to stop it being rewritten again
1881during message reception.
1882
1883A list of verified "sender" addresses is kept to try to avoid doing to much
1884work repetitively when there are multiple recipients in a message and they all
1885require sender verification. However, when callouts are involved, it gets too
1886complicated because different recipients may require different callout options.
1887Therefore, we always do a full sender verify when any kind of callout is
1888specified. Caching elsewhere, for instance in the DNS resolver and in the
1889callout handling, should ensure that this is not terribly inefficient. */
1890
1891else if (verify_sender_address != NULL)
1892 {
1893 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1894 != 0)
1895 {
1896 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1897 "sender verify callout";
1898 return ERROR;
1899 }
1900
1901 sender_vaddr = verify_checked_sender(verify_sender_address);
1902 if (sender_vaddr != NULL && /* Previously checked */
1903 callout <= 0) /* No callout needed this time */
1904 {
1905 /* If the "routed" flag is set, it means that routing worked before, so
1906 this check can give OK (the saved return code value, if set, belongs to a
1907 callout that was done previously). If the "routed" flag is not set, routing
1908 must have failed, so we use the saved return code. */
1909
1910 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1911 {
1912 rc = sender_vaddr->special_action;
1913 *basic_errno = sender_vaddr->basic_errno;
1914 }
1915 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1916 }
1917
1918 /* Do a new verification, and cache the result. The cache is used to avoid
1919 verifying the sender multiple times for multiple RCPTs when callouts are not
1920 specified (see comments above).
1921
1922 The cache is also used on failure to give details in response to the first
1923 RCPT that gets bounced for this reason. However, this can be suppressed by
1924 the no_details option, which sets the flag that says "this detail has already
1925 been sent". The cache normally contains just one address, but there may be
1926 more in esoteric circumstances. */
1927
1928 else
1929 {
1930 BOOL routed = TRUE;
2a3eea10 1931 uschar *save_address_data = deliver_address_data;
8e669ac1 1932
059ec3d9
PH
1933 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1934 if (no_details) setflag(sender_vaddr, af_sverify_told);
1935 if (verify_sender_address[0] != 0)
1936 {
1937 /* If this is the real sender address, save the unrewritten version
1938 for use later in receive. Otherwise, set a flag so that rewriting the
1939 sender in verify_address() does not update sender_address. */
1940
1941 if (verify_sender_address == sender_address)
1942 sender_address_unrewritten = sender_address;
1943 else
1944 verify_options |= vopt_fake_sender;
1945
eafd343b
TK
1946 if (success_on_redirect)
1947 verify_options |= vopt_success_on_redirect;
1948
059ec3d9
PH
1949 /* The recipient, qualify, and expn options are never set in
1950 verify_options. */
1951
1952 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1953 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH
1954
1955 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1956
1957 if (rc == OK)
1958 {
1959 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1960 {
1961 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1962 verify_sender_address, sender_vaddr->address);
1963 }
1964 else
1965 {
1966 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1967 verify_sender_address);
1968 }
1969 }
1970 else *basic_errno = sender_vaddr->basic_errno;
1971 }
1972 else rc = OK; /* Null sender */
1973
1974 /* Cache the result code */
1975
1976 if (routed) setflag(sender_vaddr, af_verify_routed);
1977 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1978 sender_vaddr->special_action = rc;
1979 sender_vaddr->next = sender_verified_list;
1980 sender_verified_list = sender_vaddr;
8e669ac1
PH
1981
1982 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1983 the sender verification. */
8e669ac1 1984
2a3eea10 1985 deliver_address_data = save_address_data;
059ec3d9 1986 }
8e669ac1 1987
2a3eea10
PH
1988 /* Put the sender address_data value into $sender_address_data */
1989
8e669ac1 1990 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH
1991 }
1992
1993/* A recipient address just gets a straightforward verify; again we must handle
1994the DEFER overrides. */
1995
1996else
1997 {
1998 address_item addr2;
1999
eafd343b
TK
2000 if (success_on_redirect)
2001 verify_options |= vopt_success_on_redirect;
2002
059ec3d9
PH
2003 /* We must use a copy of the address for verification, because it might
2004 get rewritten. */
2005
2006 addr2 = *addr;
2007 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 2008 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 2009 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 2010
42855d71 2011 *basic_errno = addr2.basic_errno;
059ec3d9 2012 *log_msgptr = addr2.message;
8e669ac1 2013 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 2014 addr2.user_message : addr2.message;
42855d71
PH
2015
2016 /* Allow details for temporary error if the address is so flagged. */
2017 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH
2018
2019 /* Make $address_data visible */
2020 deliver_address_data = addr2.p.address_data;
2021 }
2022
2023/* We have a result from the relevant test. Handle defer overrides first. */
2024
2025if (rc == DEFER && (defer_ok ||
2026 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
2027 {
2028 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
2029 defer_ok? "defer_ok" : "callout_defer_ok");
2030 rc = OK;
2031 }
2032
2033/* If we've failed a sender, set up a recipient message, and point
2034sender_verified_failed to the address item that actually failed. */
2035
2036if (rc != OK && verify_sender_address != NULL)
2037 {
2038 if (rc != DEFER)
2039 {
2040 *log_msgptr = *user_msgptr = US"Sender verify failed";
2041 }
2042 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2043 {
2044 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2045 }
2046 else
2047 {
2048 *log_msgptr = US"Could not complete sender verify callout";
2049 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2050 *log_msgptr;
2051 }
2052
2053 sender_verified_failed = sender_vaddr;
2054 }
2055
2056/* Verifying an address messes up the values of $domain and $local_part,
2057so reset them before returning if this is a RCPT ACL. */
2058
2059if (addr != NULL)
2060 {
2061 deliver_domain = addr->domain;
2062 deliver_localpart = addr->local_part;
2063 }
2064return rc;
2065
2066/* Syntax errors in the verify argument come here. */
2067
2068BAD_VERIFY:
2069*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH
2070 "\"helo\", \"header_syntax\", \"header_sender\" or "
2071 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH
2072 "\"verify %s\"", arg);
2073return ERROR;
596875b3
PH
2074
2075/* Options supplied when not allowed come here */
2076
2077NO_OPTIONS:
2078*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
2079 "(this verify item has no options)", arg);
2080return ERROR;
1c41c9cc
PH
2081
2082/* Calls in the wrong ACL come here */
2083
2084WRONG_ACL:
2085*log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
2086 "(only possible in ACL for DATA)", acl_wherenames[where]);
2087return ERROR;
059ec3d9
PH
2088}
2089
2090
2091
2092
2093/*************************************************
2094* Check argument for control= modifier *
2095*************************************************/
2096
2097/* Called from acl_check_condition() below
2098
2099Arguments:
2100 arg the argument string for control=
2101 pptr set to point to the terminating character
2102 where which ACL we are in
2103 log_msgptr for error messages
2104
2105Returns: CONTROL_xxx value
2106*/
2107
2108static int
2109decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2110{
2111int len;
2112control_def *d;
2113
2114for (d = controls_list;
2115 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2116 d++)
2117 {
2118 len = Ustrlen(d->name);
2119 if (Ustrncmp(d->name, arg, len) == 0) break;
2120 }
2121
2122if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2123 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2124 {
2125 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2126 return CONTROL_ERROR;
2127 }
2128
059ec3d9
PH
2129*pptr = arg + len;
2130return d->value;
2131}
2132
2133
2134
2135/*************************************************
870f6ba8
TF
2136* Handle rate limiting *
2137*************************************************/
2138
2139/* Called by acl_check_condition() below to calculate the result
2140of the ACL ratelimit condition.
2141
2142Note that the return value might be slightly unexpected: if the
2143sender's rate is above the limit then the result is OK. This is
2144similar to the dnslists condition, and is so that you can write
2145ACL clauses like: defer ratelimit = 15 / 1h
2146
2147Arguments:
2148 arg the option string for ratelimit=
90fc3069 2149 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF
2150 log_msgptr for error messages
2151
2152Returns: OK - Sender's rate is above limit
2153 FAIL - Sender's rate is below limit
2154 DEFER - Problem opening ratelimit database
2155 ERROR - Syntax error in options.
2156*/
2157
2158static int
90fc3069 2159acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8
TF
2160{
2161double limit, period;
8f240103
PH
2162uschar *ss;
2163uschar *key = NULL;
870f6ba8 2164int sep = '/';
8f240103 2165BOOL leaky = FALSE, strict = FALSE, noupdate = FALSE;
870f6ba8
TF
2166BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2167int old_pool, rc;
2168tree_node **anchor, *t;
2169open_db dbblock, *dbm;
2170dbdata_ratelimit *dbd;
2171struct timeval tv;
2172
2173/* Parse the first two options and record their values in expansion
2174variables. These variables allow the configuration to have informative
2175error messages based on rate limits obtained from a table lookup. */
2176
2177/* First is the maximum number of messages per period and maximum burst
2178size, which must be greater than or equal to zero. Zero is useful for
2179rate measurement as opposed to rate limiting. */
2180
2181sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2182if (sender_rate_limit == NULL)
2183 limit = -1.0;
2184else
2185 {
2186 limit = Ustrtod(sender_rate_limit, &ss);
2187 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2188 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2189 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2190 }
2191if (limit < 0.0 || *ss != 0)
2192 {
2193 *log_msgptr = string_sprintf("syntax error in argument for "
2194 "\"ratelimit\" condition: \"%s\" is not a positive number",
2195 sender_rate_limit);
2196 return ERROR;
2197 }
2198
2199/* Second is the rate measurement period and exponential smoothing time
2200constant. This must be strictly greater than zero, because zero leads to
2201run-time division errors. */
2202
2203sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2204if (sender_rate_period == NULL) period = -1.0;
2205else period = readconf_readtime(sender_rate_period, 0, FALSE);
2206if (period <= 0.0)
2207 {
2208 *log_msgptr = string_sprintf("syntax error in argument for "
2209 "\"ratelimit\" condition: \"%s\" is not a time value",
2210 sender_rate_period);
2211 return ERROR;
2212 }
2213
2214/* Parse the other options. Should we check if the per_* options are being
2215used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2216
2217while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2218 != NULL)
2219 {
2220 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2221 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2222 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
870f6ba8 2223 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
8f240103
PH
2224 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2225 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
870f6ba8
TF
2226 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2227 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
8f240103 2228 else key = string_sprintf("%s", ss);
870f6ba8 2229 }
8f240103 2230
870f6ba8
TF
2231if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2232 {
2233 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2234 return ERROR;
2235 }
2236
2237/* Default option values */
8f240103 2238
870f6ba8
TF
2239if (!strict) leaky = TRUE;
2240if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2241
8f240103
PH
2242/* Create the lookup key. If there is no explicit key, use sender_host_address.
2243If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2244omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2245are added to the key because they alter the meaning of the stored data. */
2246
2247if (key == NULL)
2248 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2249
8f240103
PH
2250key = string_sprintf("%s/%s/%s/%s",
2251 sender_rate_period,
2252 per_byte? US"per_byte" :
2253 per_cmd? US"per_cmd" :
2254 per_mail? US"per_mail" : US"per_conn",
2255 strict? US"strict" : US"leaky",
2256 key);
870f6ba8
TF
2257
2258HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2259 limit, period, key);
2260
8f240103
PH
2261/* See if we have already computed the rate by looking in the relevant tree.
2262For per-connection rate limiting, store tree nodes and dbdata in the permanent
2263pool so that they survive across resets. */
870f6ba8
TF
2264
2265anchor = NULL;
2266old_pool = store_pool;
2267
2268if (per_conn)
2269 {
2270 anchor = &ratelimiters_conn;
2271 store_pool = POOL_PERM;
2272 }
fe0dab11 2273else if (per_mail || per_byte)
870f6ba8 2274 anchor = &ratelimiters_mail;
fe0dab11
TF
2275else if (per_cmd)
2276 anchor = &ratelimiters_cmd;
870f6ba8
TF
2277
2278if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2279 {
2280 dbd = t->data.ptr;
2281 /* The following few lines duplicate some of the code below. */
8f240103 2282 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF
2283 store_pool = old_pool;
2284 sender_rate = string_sprintf("%.1f", dbd->rate);
2285 HDEBUG(D_acl)
2286 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2287 return rc;
2288 }
2289
2290/* We aren't using a pre-computed rate, so get a previously recorded
8f240103
PH
2291rate from the database, update it, and write it back when required. If there's
2292no previous rate for this key, create one. */
870f6ba8
TF
2293
2294dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2295if (dbm == NULL)
2296 {
2297 store_pool = old_pool;
2298 sender_rate = NULL;
2299 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2300 *log_msgptr = US"ratelimit database not available";
2301 return DEFER;
2302 }
2303dbd = dbfn_read(dbm, key);
2304
2305gettimeofday(&tv, NULL);
2306
2307if (dbd == NULL)
2308 {
2309 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2310 dbd = store_get(sizeof(dbdata_ratelimit));
2311 dbd->time_stamp = tv.tv_sec;
2312 dbd->time_usec = tv.tv_usec;
2313 dbd->rate = 0.0;
2314 }
2315else
2316 {
2317 /* The smoothed rate is computed using an exponentially weighted moving
2318 average adjusted for variable sampling intervals. The standard EWMA for
2319 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2320 where f() is the measured value and f'() is the smoothed value.
2321
2322 Old data decays out of the smoothed value exponentially, such that data n
2323 samples old is multiplied by a^n. The exponential decay time constant p
2324 is defined such that data p samples old is multiplied by 1/e, which means
2325 that a = exp(-1/p). We can maintain the same time constant for a variable
2326 sampling interval i by using a = exp(-i/p).
2327
2328 The rate we are measuring is messages per period, suitable for directly
2329 comparing with the limit. The average rate between now and the previous
2330 message is period / interval, which we feed into the EWMA as the sample.
2331
2332 It turns out that the number of messages required for the smoothed rate
2333 to reach the limit when they are sent in a burst is equal to the limit.
2334 This can be seen by analysing the value of the smoothed rate after N
2335 messages sent at even intervals. Let k = (1 - a) * p/i
2336
2337 rate_1 = (1 - a) * p/i + a * rate_0
2338 = k + a * rate_0
2339 rate_2 = k + a * rate_1
2340 = k + a * k + a^2 * rate_0
2341 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2342 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2343 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2344 = rate_0 * a^N + p/i * (1 - a^N)
2345
2346 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2347
2348 rate_N = p/i + (rate_0 - p/i) * a^N
2349 a^N = (rate_N - p/i) / (rate_0 - p/i)
2350 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2351 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2352
2353 Numerical analysis of the above equation, setting the computed rate to
2354 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2355 rates, p/i, the number of messages N = limit. So limit serves as both the
2356 maximum rate measured in messages per period, and the maximum number of
2357 messages that can be sent in a fast burst. */
2358
2359 double this_time = (double)tv.tv_sec
2360 + (double)tv.tv_usec / 1000000.0;
2361 double prev_time = (double)dbd->time_stamp
2362 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF
2363
2364 /* We must avoid division by zero, and deal gracefully with the clock going
2365 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2366 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2367
e5d5a95f
TF
2368 double interval = this_time - prev_time <= 0.0 ? 1e-9
2369 : this_time - prev_time;
2370
2371 double i_over_p = interval / period;
2372 double a = exp(-i_over_p);
870f6ba8
TF
2373
2374 dbd->time_stamp = tv.tv_sec;
2375 dbd->time_usec = tv.tv_usec;
2376
2377 /* If we are measuring the rate in bytes per period, multiply the
2378 measured rate by the message size. If we don't know the message size
2379 then it's safe to just use a value of zero and let the recorded rate
2380 decay as if nothing happened. */
2381
2382 if (per_byte)
2383 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2384 * (1 - a) / i_over_p + a * dbd->rate;
90fc3069
TF
2385 else if (per_cmd && where == ACL_WHERE_NOTSMTP)
2386 dbd->rate = (double)recipients_count
2387 * (1 - a) / i_over_p + a * dbd->rate;
870f6ba8
TF
2388 else
2389 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2390 }
2391
3348576f
TF
2392/* Clients sending at the limit are considered to be over the limit. This
2393matters for edge cases such the first message sent by a client (which gets
2394the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2395be completely blocked). */
2396
8f240103 2397rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF
2398
2399/* Update the state if the rate is low or if we are being strict. If we
2400are in leaky mode and the sender's rate is too high, we do not update
2401the recorded rate in order to avoid an over-aggressive sender's retry
8f240103
PH
2402rate preventing them from getting any email through. If noupdate is set,
2403do not do any updates. */
870f6ba8 2404
8f240103
PH
2405if ((rc == FAIL || !leaky) && !noupdate)
2406 {
870f6ba8 2407 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
8f240103
PH
2408 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2409 }
2410else
2411 {
2412 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
2413 noupdate? "noupdate set" : "over the limit, but leaky");
2414 }
2415
870f6ba8
TF
2416dbfn_close(dbm);
2417
2418/* Store the result in the tree for future reference, if necessary. */
2419
8f240103 2420if (anchor != NULL && !noupdate)
870f6ba8
TF
2421 {
2422 t = store_get(sizeof(tree_node) + Ustrlen(key));
2423 t->data.ptr = dbd;
2424 Ustrcpy(t->name, key);
2425 (void)tree_insertnode(anchor, t);
2426 }
2427
2428/* We create the formatted version of the sender's rate very late in
2429order to ensure that it is done using the correct storage pool. */
2430
2431store_pool = old_pool;
2432sender_rate = string_sprintf("%.1f", dbd->rate);
2433
2434HDEBUG(D_acl)
2435 debug_printf("ratelimit computed rate %s\n", sender_rate);
2436
2437return rc;
2438}
2439
2440
2441
2442/*************************************************
059ec3d9
PH
2443* Handle conditions/modifiers on an ACL item *
2444*************************************************/
2445
2446/* Called from acl_check() below.
2447
2448Arguments:
2449 verb ACL verb
2450 cb ACL condition block - if NULL, result is OK
2451 where where called from
2452 addr the address being checked for RCPT, or NULL
2453 level the nesting level
2454 epp pointer to pass back TRUE if "endpass" encountered
2455 (applies only to "accept" and "discard")
2456 user_msgptr user message pointer
2457 log_msgptr log message pointer
2458 basic_errno pointer to where to put verify error
2459
2460Returns: OK - all conditions are met
2461 DISCARD - an "acl" condition returned DISCARD - only allowed
2462 for "accept" or "discard" verbs
2463 FAIL - at least one condition fails
2464 FAIL_DROP - an "acl" condition returned FAIL_DROP
2465 DEFER - can't tell at the moment (typically, lookup defer,
2466 but can be temporary callout problem)
2467 ERROR - ERROR from nested ACL or expansion failure or other
2468 error
2469*/
2470
2471static int
2472acl_check_condition(int verb, acl_condition_block *cb, int where,
2473 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2474 uschar **log_msgptr, int *basic_errno)
2475{
2476uschar *user_message = NULL;
2477uschar *log_message = NULL;
91ecef39 2478uschar *p = NULL;
059ec3d9 2479int rc = OK;
8523533c
TK
2480#ifdef WITH_CONTENT_SCAN
2481int sep = '/';
2482#endif
059ec3d9
PH
2483
2484for (; cb != NULL; cb = cb->next)
2485 {
2486 uschar *arg;
8e669ac1 2487 int control_type;
059ec3d9
PH
2488
2489 /* The message and log_message items set up messages to be used in
2490 case of rejection. They are expanded later. */
2491
2492 if (cb->type == ACLC_MESSAGE)
2493 {
2494 user_message = cb->arg;
2495 continue;
2496 }
2497
2498 if (cb->type == ACLC_LOG_MESSAGE)
2499 {
2500 log_message = cb->arg;
2501 continue;
2502 }
2503
2504 /* The endpass "condition" just sets a flag to show it occurred. This is
2505 checked at compile time to be on an "accept" or "discard" item. */
2506
2507 if (cb->type == ACLC_ENDPASS)
2508 {
2509 *epp = TRUE;
2510 continue;
2511 }
2512
2513 /* For other conditions and modifiers, the argument is expanded now for some
2514 of them, but not for all, because expansion happens down in some lower level
2515 checking functions in some cases. */
2516
2517 if (cond_expand_at_top[cb->type])
2518 {
2519 arg = expand_string(cb->arg);
2520 if (arg == NULL)
2521 {
2522 if (expand_string_forcedfail) continue;
2523 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2524 cb->arg, expand_string_message);
2525 return search_find_defer? DEFER : ERROR;
2526 }
2527 }
2528 else arg = cb->arg;
2529
2530 /* Show condition, and expanded condition if it's different */
2531
2532 HDEBUG(D_acl)
2533 {
2534 int lhswidth = 0;
2535 debug_printf("check %s%s %n",
2536 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2537 conditions[cb->type], &lhswidth);
2538
2539 if (cb->type == ACLC_SET)
2540 {
38a0a95f
PH
2541 debug_printf("acl_%s ", cb->u.varname);
2542 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH
2543 }
2544
2545 debug_printf("= %s\n", cb->arg);
2546
2547 if (arg != cb->arg)
2548 debug_printf("%.*s= %s\n", lhswidth,
2549 US" ", CS arg);
2550 }
2551
2552 /* Check that this condition makes sense at this time */
2553
2554 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2555 {
2556 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2557 cond_modifiers[cb->type]? "use" : "test",
2558 conditions[cb->type], acl_wherenames[where]);
2559 return ERROR;
2560 }
2561
2562 /* Run the appropriate test for each condition, or take the appropriate
2563 action for the remaining modifiers. */
2564
2565 switch(cb->type)
2566 {
71fafd95
PH
2567 case ACLC_ADD_HEADER:
2568 setup_header(arg);
2569 break;
2570
059ec3d9
PH
2571 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2572 "discard" verb. */
71fafd95 2573
059ec3d9
PH
2574 case ACLC_ACL:
2575 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2576 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2577 {
2578 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2579 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2580 verbs[verb]);
2581 return ERROR;
2582 }
2583 break;
2584
2585 case ACLC_AUTHENTICATED:
2586 rc = (sender_host_authenticated == NULL)? FAIL :
2587 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2588 TRUE, NULL);
2589 break;
2590
71fafd95 2591 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK
2592 case ACLC_BMI_OPTIN:
2593 {
2594 int old_pool = store_pool;
2595 store_pool = POOL_PERM;
2596 bmi_current_optin = string_copy(arg);
2597 store_pool = old_pool;
2598 }
2599 break;
71fafd95 2600 #endif
8523533c 2601
059ec3d9
PH
2602 case ACLC_CONDITION:
2603 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2604 rc = (Uatoi(arg) == 0)? FAIL : OK;
2605 else
2606 rc = (strcmpic(arg, US"no") == 0 ||
2607 strcmpic(arg, US"false") == 0)? FAIL :
2608 (strcmpic(arg, US"yes") == 0 ||
2609 strcmpic(arg, US"true") == 0)? OK : DEFER;
2610 if (rc == DEFER)
2611 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2612 break;
2613
c3611384
PH
2614 case ACLC_CONTINUE: /* Always succeeds */
2615 break;
2616
059ec3d9 2617 case ACLC_CONTROL:
c5fcb476
PH
2618 control_type = decode_control(arg, &p, where, log_msgptr);
2619
8523533c 2620 /* Check if this control makes sense at this time */
c5fcb476
PH
2621
2622 if ((control_forbids[control_type] & (1 << where)) != 0)
2623 {
2624 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2625 controls[control_type], acl_wherenames[where]);
2626 return ERROR;
8e669ac1 2627 }
c5fcb476
PH
2628
2629 switch(control_type)
059ec3d9 2630 {
c46782ef
PH
2631 case CONTROL_AUTH_UNADVERTISED:
2632 allow_auth_unadvertised = TRUE;
2633 break;
2634
2635 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK
2636 case CONTROL_BMI_RUN:
2637 bmi_run = 1;
2638 break;
c46782ef
PH
2639 #endif
2640
2641 #ifdef EXPERIMENTAL_DOMAINKEYS
fb2274d4
TK
2642 case CONTROL_DK_VERIFY:
2643 dk_do_verify = 1;
2644 break;
c46782ef
PH
2645 #endif
2646
f7572e5a
TK
2647 #ifdef EXPERIMENTAL_DKIM
2648 case CONTROL_DKIM_VERIFY:
2649 dkim_do_verify = 1;
2650 break;
2651 #endif
2652
059ec3d9
PH
2653 case CONTROL_ERROR:
2654 return ERROR;
2655
2656 case CONTROL_CASEFUL_LOCAL_PART:
2657 deliver_localpart = addr->cc_local_part;
2658 break;
2659
2660 case CONTROL_CASELOWER_LOCAL_PART:
2661 deliver_localpart = addr->lc_local_part;
2662 break;
2663
2664 case CONTROL_ENFORCE_SYNC:
2665 smtp_enforce_sync = TRUE;
2666 break;
2667
2668 case CONTROL_NO_ENFORCE_SYNC:
2669 smtp_enforce_sync = FALSE;
2670 break;
2671
c46782ef 2672 #ifdef WITH_CONTENT_SCAN
8523533c
TK
2673 case CONTROL_NO_MBOX_UNSPOOL:
2674 no_mbox_unspool = TRUE;
2675 break;
c46782ef 2676 #endif
8523533c 2677
059ec3d9
PH
2678 case CONTROL_NO_MULTILINE:
2679 no_multiline_responses = TRUE;
2680 break;
2681
cf8b11a5
PH
2682 case CONTROL_NO_PIPELINING:
2683 pipelining_enable = FALSE;
2684 break;
2685
047bdd8c
PH
2686 case CONTROL_NO_DELAY_FLUSH:
2687 disable_delay_flush = TRUE;
2688 break;
2689
4c590bd1
PH
2690 case CONTROL_NO_CALLOUT_FLUSH:
2691 disable_callout_flush = TRUE;
2692 break;
2693
29aba418 2694 case CONTROL_FAKEDEFER:
8523533c 2695 case CONTROL_FAKEREJECT:
29aba418 2696 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2697 if (*p == '/')
8e669ac1 2698 {
8523533c 2699 uschar *pp = p + 1;
8e669ac1 2700 while (*pp != 0) pp++;
29aba418 2701 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK
2702 p = pp;
2703 }
2704 else
2705 {
2706 /* Explicitly reset to default string */
29aba418 2707 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK
2708 }
2709 break;
8523533c 2710
059ec3d9
PH
2711 case CONTROL_FREEZE:
2712 deliver_freeze = TRUE;
2713 deliver_frozen_at = time(NULL);
6a3f1455
PH
2714 freeze_tell = freeze_tell_config; /* Reset to configured value */
2715 if (Ustrncmp(p, "/no_tell", 8) == 0)
2716 {
2717 p += 8;
2718 freeze_tell = NULL;
2719 }
2720 if (*p != 0)
2721 {
2722 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2723 return ERROR;
2724 }
059ec3d9
PH
2725 break;
2726
2727 case CONTROL_QUEUE_ONLY:
2728 queue_only_policy = TRUE;
2729 break;
2730
2731 case CONTROL_SUBMISSION:
87ba3f5f 2732 originator_name = US"";
059ec3d9 2733 submission_mode = TRUE;
69358f02 2734 while (*p == '/')
8e669ac1 2735 {
69358f02
PH
2736 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2737 {
2738 p += 14;
2739 active_local_sender_retain = TRUE;
8e669ac1
PH
2740 active_local_from_check = FALSE;
2741 }
69358f02
PH
2742 else if (Ustrncmp(p, "/domain=", 8) == 0)
2743 {
2744 uschar *pp = p + 8;
8e669ac1 2745 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH
2746 submission_domain = string_copyn(p+8, pp-p-8);
2747 p = pp;
2748 }
8857ccfd
PH
2749 /* The name= option must be last, because it swallows the rest of
2750 the string. */
87ba3f5f
PH
2751 else if (Ustrncmp(p, "/name=", 6) == 0)
2752 {
2753 uschar *pp = p + 6;
8857ccfd 2754 while (*pp != 0) pp++;
2fe1a124 2755 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 2756 big_buffer, big_buffer_size));
8e669ac1 2757 p = pp;
69358f02 2758 }
8e669ac1
PH
2759 else break;
2760 }
69358f02 2761 if (*p != 0)
059ec3d9 2762 {
69358f02 2763 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH
2764 return ERROR;
2765 }
2766 break;
8800895a
PH
2767
2768 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2769 suppress_local_fixups = TRUE;
2770 break;
059ec3d9
PH
2771 }
2772 break;
2773
6a8f9482
TK
2774 #ifdef EXPERIMENTAL_DCC
2775 case ACLC_DCC:
2776 {
2777 /* Seperate the regular expression and any optional parameters. */
2778 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2779 /* Run the dcc backend. */
2780 rc = dcc_process(&ss);
2781 /* Modify return code based upon the existance of options. */
2782 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2783 != NULL) {
2784 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2785 {
2786 /* FAIL so that the message is passed to the next ACL */
2787 rc = FAIL;
2788 }
2789 }
2790 }
2791 break;
2792 #endif
2793
71fafd95 2794 #ifdef WITH_CONTENT_SCAN
8523533c
TK
2795 case ACLC_DECODE:
2796 rc = mime_decode(&arg);
2797 break;
71fafd95 2798 #endif
8523533c 2799
059ec3d9
PH
2800 case ACLC_DELAY:
2801 {
2802 int delay = readconf_readtime(arg, 0, FALSE);
2803 if (delay < 0)
2804 {
2805 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2806 "modifier: \"%s\" is not a time value", arg);
2807 return ERROR;
2808 }
2809 else
2810 {
2811 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2812 delay);
2813 if (host_checking)
2814 {
2815 HDEBUG(D_acl)
2816 debug_printf("delay skipped in -bh checking mode\n");
2817 }
010c2d14
PH
2818
2819 /* It appears to be impossible to detect that a TCP/IP connection has
2820 gone away without reading from it. This means that we cannot shorten
2821 the delay below if the client goes away, because we cannot discover
2822 that the client has closed its end of the connection. (The connection
2823 is actually in a half-closed state, waiting for the server to close its
2824 end.) It would be nice to be able to detect this state, so that the
2825 Exim process is not held up unnecessarily. However, it seems that we
2826 can't. The poll() function does not do the right thing, and in any case
2827 it is not always available.
2828
047bdd8c 2829 NOTE 1: If ever this state of affairs changes, remember that we may be
010c2d14 2830 dealing with stdin/stdout here, in addition to TCP/IP connections.
047bdd8c
PH
2831 Also, delays may be specified for non-SMTP input, where smtp_out and
2832 smtp_in will be NULL. Whatever is done must work in all cases.
2833
2834 NOTE 2: The added feature of flushing the output before a delay must
2835 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
2836 */
010c2d14 2837
8e669ac1 2838 else
86b8287f 2839 {
14f4a80d 2840 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
86b8287f 2841 while (delay > 0) delay = sleep(delay);
8e669ac1 2842 }
059ec3d9
PH
2843 }
2844 }
2845 break;
2846
71fafd95 2847 #ifdef WITH_OLD_DEMIME
8523533c
TK
2848 case ACLC_DEMIME:
2849 rc = demime(&arg);
2850 break;
71fafd95 2851 #endif
8523533c 2852
71fafd95
PH
2853 #ifdef EXPERIMENTAL_DOMAINKEYS
2854 case ACLC_DK_DOMAIN_SOURCE:
fb2274d4
TK
2855 if (dk_verify_block == NULL) { rc = FAIL; break; };
2856 /* check header source of domain against given string */
2857 switch (dk_verify_block->address_source) {
2858 case DK_EXIM_ADDRESS_FROM_FROM:
2859 rc = match_isinlist(US"from", &arg, 0, NULL,
2860 NULL, MCL_STRING, TRUE, NULL);
2861 break;
2862 case DK_EXIM_ADDRESS_FROM_SENDER:
2863 rc = match_isinlist(US"sender", &arg, 0, NULL,
2864 NULL, MCL_STRING, TRUE, NULL);
2865 break;
2866 case DK_EXIM_ADDRESS_NONE:
2867 rc = match_isinlist(US"none", &arg, 0, NULL,
2868 NULL, MCL_STRING, TRUE, NULL);
2869 break;
71fafd95
PH
2870 }
2871 break;
2872
2873 case ACLC_DK_POLICY:
fb2274d4
TK
2874 if (dk_verify_block == NULL) { rc = FAIL; break; };
2875 /* check policy against given string, default FAIL */
2876 rc = FAIL;
2877 if (dk_verify_block->signsall)
2878 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2879 NULL, MCL_STRING, TRUE, NULL);
2880 if (dk_verify_block->testing)
2881 rc = match_isinlist(US"testing", &arg, 0, NULL,
2882 NULL, MCL_STRING, TRUE, NULL);
71fafd95
PH
2883 break;
2884
2885 case ACLC_DK_SENDER_DOMAINS:
fb2274d4
TK
2886 if (dk_verify_block == NULL) { rc = FAIL; break; };
2887 if (dk_verify_block->domain != NULL)
2888 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2889 NULL, MCL_DOMAIN, TRUE, NULL);
2890 else rc = FAIL;
71fafd95
PH
2891 break;
2892
2893 case ACLC_DK_SENDER_LOCAL_PARTS:
fb2274d4
TK
2894 if (dk_verify_block == NULL) { rc = FAIL; break; };
2895 if (dk_verify_block->local_part != NULL)
2896 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2897 NULL, MCL_LOCALPART, TRUE, NULL);
2898 else rc = FAIL;
71fafd95
PH
2899 break;
2900
2901 case ACLC_DK_SENDERS:
fb2274d4
TK
2902 if (dk_verify_block == NULL) { rc = FAIL; break; };
2903 if (dk_verify_block->address != NULL)
2904 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2905 else rc = FAIL;
71fafd95
PH
2906 break;
2907
2908 case ACLC_DK_STATUS:
fb2274d4
TK
2909 if (dk_verify_block == NULL) { rc = FAIL; break; };
2910 if (dk_verify_block->result > 0) {
2911 switch(dk_verify_block->result) {
2912 case DK_EXIM_RESULT_BAD_FORMAT:
2913 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2914 NULL, MCL_STRING, TRUE, NULL);
2915 break;
2916 case DK_EXIM_RESULT_NO_KEY:
2917 rc = match_isinlist(US"no key", &arg, 0, NULL,
2918 NULL, MCL_STRING, TRUE, NULL);
2919 break;
2920 case DK_EXIM_RESULT_NO_SIGNATURE:
2921 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2922 NULL, MCL_STRING, TRUE, NULL);
2923 break;
2924 case DK_EXIM_RESULT_REVOKED:
2925 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2926 NULL, MCL_STRING, TRUE, NULL);
2927 break;
2928 case DK_EXIM_RESULT_NON_PARTICIPANT:
2929 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2930 NULL, MCL_STRING, TRUE, NULL);
2931 break;
2932 case DK_EXIM_RESULT_GOOD:
2933 rc = match_isinlist(US"good", &arg, 0, NULL,
2934 NULL, MCL_STRING, TRUE, NULL);
2935 break;
2936 case DK_EXIM_RESULT_BAD:
2937 rc = match_isinlist(US"bad", &arg, 0, NULL,
2938 NULL, MCL_STRING, TRUE, NULL);
2939 break;
71fafd95 2940 }
fb2274d4 2941 }
71fafd95
PH
2942 break;
2943 #endif
fb2274d4 2944
059ec3d9
PH
2945 case ACLC_DNSLISTS:
2946 rc = verify_check_dnsbl(&arg);
2947 break;
2948
2949 case ACLC_DOMAINS:
2950 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2951 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2952 break;
2953
2954 /* The value in tls_cipher is the full cipher name, for example,
2955 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2956 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2957 what may in practice come out of the SSL library - which at the time of
2958 writing is poorly documented. */
2959
2960 case ACLC_ENCRYPTED:
2961 if (tls_cipher == NULL) rc = FAIL; else
2962 {
2963 uschar *endcipher = NULL;
2964 uschar *cipher = Ustrchr(tls_cipher, ':');
2965 if (cipher == NULL) cipher = tls_cipher; else
2966 {
2967 endcipher = Ustrchr(++cipher, ':');
2968 if (endcipher != NULL) *endcipher = 0;
2969 }
2970 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2971 if (endcipher != NULL) *endcipher = ':';
2972 }
2973 break;
2974
2975 /* Use verify_check_this_host() instead of verify_check_host() so that
2976 we can pass over &host_data to catch any looked up data. Once it has been
2977 set, it retains its value so that it's still there if another ACL verb
2978 comes through here and uses the cache. However, we must put it into
2979 permanent store in case it is also expected to be used in a subsequent
2980 message in the same SMTP connection. */
2981
2982 case ACLC_HOSTS:
2983 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2984 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2985 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2986 break;
2987
2988 case ACLC_LOCAL_PARTS:
2989 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2990 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2991 &deliver_localpart_data);
2992 break;
2993
6ea85e9a
PH
2994 case ACLC_LOG_REJECT_TARGET:
2995 {
2996 int logbits = 0;
2997 int sep = 0;
2998 uschar *s = arg;
2999 uschar *ss;
3000 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3001 != NULL)
3002 {
3003 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3004 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3005 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3006 else
3007 {
3008 logbits |= LOG_MAIN|LOG_REJECT;
3009 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3010 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3011 }
3012 }
3013 log_reject_target = logbits;
3014 }
3015 break;
3016
059ec3d9
PH
3017 case ACLC_LOGWRITE:
3018 {
3019 int logbits = 0;
3020 uschar *s = arg;
3021 if (*s == ':')
3022 {
3023 s++;
3024 while (*s != ':')
3025 {
3026 if (Ustrncmp(s, "main", 4) == 0)
3027 { logbits |= LOG_MAIN; s += 4; }
3028 else if (Ustrncmp(s, "panic", 5) == 0)
3029 { logbits |= LOG_PANIC; s += 5; }
3030 else if (Ustrncmp(s, "reject", 6) == 0)
3031 { logbits |= LOG_REJECT; s += 6; }
3032 else
3033 {
3034 logbits = LOG_MAIN|LOG_PANIC;
3035 s = string_sprintf(":unknown log name in \"%s\" in "
3036 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3037 }
3038 if (*s == ',') s++;
3039 }
3040 s++;
3041 }
3042 while (isspace(*s)) s++;
6ea85e9a
PH
3043
3044
059ec3d9
PH
3045 if (logbits == 0) logbits = LOG_MAIN;
3046 log_write(0, logbits, "%s", string_printing(s));
3047 }
3048 break;
8e669ac1 3049
71fafd95 3050 #ifdef WITH_CONTENT_SCAN
8523533c
TK
3051 case ACLC_MALWARE:
3052 {
6ea85e9a 3053 /* Separate the regular expression and any optional parameters. */
8523533c
TK
3054 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3055 /* Run the malware backend. */
3056 rc = malware(&ss);
3057 /* Modify return code based upon the existance of options. */
3058 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3059 != NULL) {
3060 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3061 {
3062 /* FAIL so that the message is passed to the next ACL */
3063 rc = FAIL;
3064 }
3065 }
3066 }
3067 break;
3068
3069 case ACLC_MIME_REGEX:
71fafd95 3070 rc = mime_regex(&arg);
8523533c 3071 break;
71fafd95 3072 #endif
059ec3d9 3073
870f6ba8 3074 case ACLC_RATELIMIT:
90fc3069 3075 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF
3076 break;
3077
059ec3d9
PH
3078 case ACLC_RECIPIENTS:
3079 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3080 &recipient_data);
3081 break;
3082
71fafd95
PH
3083 #ifdef WITH_CONTENT_SCAN
3084 case ACLC_REGEX:
3085 rc = regex(&arg);
8523533c 3086 break;
71fafd95 3087 #endif
8523533c 3088
059ec3d9
PH
3089 case ACLC_SENDER_DOMAINS:
3090 {
3091 uschar *sdomain;
3092 sdomain = Ustrrchr(sender_address, '@');
3093 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3094 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3095 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3096 }
3097 break;
3098
3099 case ACLC_SENDERS:
3100 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3101 sender_address_cache, -1, 0, &sender_data);
3102 break;
3103
3104 /* Connection variables must persist forever */
3105
3106 case ACLC_SET:
3107 {
3108 int old_pool = store_pool;
38a0a95f
PH
3109 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3110 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH
3111 store_pool = old_pool;
3112 }
3113 break;
3114
71fafd95 3115 #ifdef WITH_CONTENT_SCAN
8523533c
TK
3116 case ACLC_SPAM:
3117 {
3118 /* Seperate the regular expression and any optional parameters. */
3119 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3120 /* Run the spam backend. */
3121 rc = spam(&ss);
3122 /* Modify return code based upon the existance of options. */
3123 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3124 != NULL) {
3125 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3126 {
3127 /* FAIL so that the message is passed to the next ACL */
3128 rc = FAIL;
3129 }
3130 }
3131 }
3132 break;
71fafd95 3133 #endif
8523533c 3134
71fafd95 3135 #ifdef EXPERIMENTAL_SPF
8523533c
TK
3136 case ACLC_SPF:
3137 rc = spf_process(&arg, sender_address);
3138 break;
71fafd95 3139 #endif
8523533c 3140
059ec3d9
PH
3141 /* If the verb is WARN, discard any user message from verification, because
3142 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH
3143 only from explicit "message" modifiers. However, put the user message into
3144 $acl_verify_message so it can be used in subsequent conditions or modifiers
3145 (until something changes it). */
059ec3d9
PH
3146
3147 case ACLC_VERIFY:
3148 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3149 acl_verify_message = *user_msgptr;
059ec3d9
PH
3150 if (verb == ACL_WARN) *user_msgptr = NULL;
3151 break;
3152
3153 default:
3154 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3155 "condition %d", cb->type);
3156 break;
3157 }
3158
3159 /* If a condition was negated, invert OK/FAIL. */
3160
3161 if (!cond_modifiers[cb->type] && cb->u.negated)
3162 {
3163 if (rc == OK) rc = FAIL;
3164 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3165 }
3166
3167 if (rc != OK) break; /* Conditions loop */
3168 }
3169
3170
3171/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH
3172handle the values of these modifiers. If there isn't a log message set, we make
3173it the same as the user message.
059ec3d9
PH
3174
3175"message" is a user message that will be included in an SMTP response. Unless
3176it is empty, it overrides any previously set user message.
3177
3178"log_message" is a non-user message, and it adds to any existing non-user
3179message that is already set.
3180
4e88a19f
PH
3181Most verbs have but a single return for which the messages are relevant, but
3182for "discard", it's useful to have the log message both when it succeeds and
3183when it fails. For "accept", the message is used in the OK case if there is no
3184"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3185present. */
059ec3d9 3186
4e88a19f
PH
3187if (*epp && rc == OK) user_message = NULL;
3188
3189if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH
3190 {
3191 uschar *expmessage;
4e88a19f
PH
3192 uschar *old_user_msgptr = *user_msgptr;
3193 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH
3194
3195 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH
3196 nested ACLs) are always discarded. This also happens for acceptance verbs
3197 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH
3198 However, the value of an existing message is available in $acl_verify_message
3199 during expansions. */
3200
4e88a19f
PH
3201 if (verb == ACL_WARN ||
3202 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3203 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH
3204
3205 if (user_message != NULL)
3206 {
3207 acl_verify_message = old_user_msgptr;
3208 expmessage = expand_string(user_message);
3209 if (expmessage == NULL)
3210 {
3211 if (!expand_string_forcedfail)
3212 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3213 user_message, expand_string_message);
3214 }
3215 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3216 }
3217
3218 if (log_message != NULL)
3219 {
3220 acl_verify_message = old_log_msgptr;
3221 expmessage = expand_string(log_message);
3222 if (expmessage == NULL)
3223 {
3224 if (!expand_string_forcedfail)
3225 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3226 log_message, expand_string_message);
3227 }
3228 else if (expmessage[0] != 0)
3229 {
3230 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3231 string_sprintf("%s: %s", expmessage, *log_msgptr);
3232 }
3233 }
3234
3235 /* If no log message, default it to the user message */
3236
3237 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3238 }
3239
3240acl_verify_message = NULL;
3241return rc;
3242}
3243
3244
3245
3246
3247
3248/*************************************************
3249* Get line from a literal ACL *
3250*************************************************/
3251
3252/* This function is passed to acl_read() in order to extract individual lines
3253of a literal ACL, which we access via static pointers. We can destroy the
3254contents because this is called only once (the compiled ACL is remembered).
3255
3256This code is intended to treat the data in the same way as lines in the main
3257Exim configuration file. That is:
3258
3259 . Leading spaces are ignored.
3260
3261 . A \ at the end of a line is a continuation - trailing spaces after the \
3262 are permitted (this is because I don't believe in making invisible things
3263 significant). Leading spaces on the continued part of a line are ignored.
3264
3265 . Physical lines starting (significantly) with # are totally ignored, and
3266 may appear within a sequence of backslash-continued lines.
3267
3268 . Blank lines are ignored, but will end a sequence of continuations.
3269
3270Arguments: none
3271Returns: a pointer to the next line
3272*/
3273
3274
3275static uschar *acl_text; /* Current pointer in the text */
3276static uschar *acl_text_end; /* Points one past the terminating '0' */
3277
3278
3279static uschar *
3280acl_getline(void)
3281{
3282uschar *yield;
3283
3284/* This loop handles leading blank lines and comments. */
3285
3286for(;;)
3287 {
3288 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3289 if (*acl_text == 0) return NULL; /* No more data */
3290 yield = acl_text; /* Potential data line */
3291
3292 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3293
3294 /* If we hit the end before a newline, we have the whole logical line. If
3295 it's a comment, there's no more data to be given. Otherwise, yield it. */
3296
3297 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3298
3299 /* After reaching a newline, end this loop if the physical line does not
3300 start with '#'. If it does, it's a comment, and the loop continues. */
3301
3302 if (*yield != '#') break;
3303 }
3304
3305/* This loop handles continuations. We know we have some real data, ending in
3306newline. See if there is a continuation marker at the end (ignoring trailing
3307white space). We know that *yield is not white space, so no need to test for
3308cont > yield in the backwards scanning loop. */
3309
3310for(;;)
3311 {
3312 uschar *cont;
3313 for (cont = acl_text - 1; isspace(*cont); cont--);
3314
3315 /* If no continuation follows, we are done. Mark the end of the line and
3316 return it. */
3317
3318 if (*cont != '\\')
3319 {
3320 *acl_text++ = 0;
3321 return yield;
3322 }
3323
3324 /* We have encountered a continuation. Skip over whitespace at the start of
3325 the next line, and indeed the whole of the next line or lines if they are
3326 comment lines. */
3327
3328 for (;;)
3329 {
3330 while (*(++acl_text) == ' ' || *acl_text == '\t');
3331 if (*acl_text != '#') break;
3332 while (*(++acl_text) != 0 && *acl_text != '\n');
3333 }
3334
3335 /* We have the start of a continuation line. Move all the rest of the data
3336 to join onto the previous line, and then find its end. If the end is not a
3337 newline, we are done. Otherwise loop to look for another continuation. */
3338
3339 memmove(cont, acl_text, acl_text_end - acl_text);
3340 acl_text_end -= acl_text - cont;
3341 acl_text = cont;
3342 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3343 if (*acl_text == 0) return yield;
3344 }
3345
3346/* Control does not reach here */
3347}
3348
3349
3350
3351
3352
3353/*************************************************
3354* Check access using an ACL *
3355*************************************************/
3356
3357/* This function is called from address_check. It may recurse via
3358acl_check_condition() - hence the use of a level to stop looping. The ACL is
3359passed as a string which is expanded. A forced failure implies no access check
3360is required. If the result is a single word, it is taken as the name of an ACL
3361which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3362text, complete with newlines, and parsed as such. In both cases, the ACL check
3363is then run. This function uses an auxiliary function for acl_read() to call
3364for reading individual lines of a literal ACL. This is acl_getline(), which
3365appears immediately above.
3366
3367Arguments:
3368 where where called from
3369 addr address item when called from RCPT; otherwise NULL
3370 s the input string; NULL is the same as an empty ACL => DENY
3371 level the nesting level
3372 user_msgptr where to put a user error (for SMTP response)
3373 log_msgptr where to put a logging message (not for SMTP response)
3374
3375Returns: OK access is granted
3376 DISCARD access is apparently granted...
3377 FAIL access is denied
3378 FAIL_DROP access is denied; drop the connection
3379 DEFER can't tell at the moment
3380 ERROR disaster
3381*/
3382
3383static int
3384acl_check_internal(int where, address_item *addr, uschar *s, int level,
3385 uschar **user_msgptr, uschar **log_msgptr)
3386{
3387int fd = -1;
3388acl_block *acl = NULL;
3389uschar *acl_name = US"inline ACL";
3390uschar *ss;
3391
3392/* Catch configuration loops */
3393
3394if (level > 20)
3395 {
3396 *log_msgptr = US"ACL nested too deep: possible loop";
3397 return ERROR;
3398 }
3399
3400if (s == NULL)
3401 {
3402 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3403 return FAIL;
3404 }
3405
3406/* At top level, we expand the incoming string. At lower levels, it has already
3407been expanded as part of condition processing. */
3408
3409if (level == 0)
3410 {
3411 ss = expand_string(s);
3412 if (ss == NULL)
3413 {
3414 if (expand_string_forcedfail) return OK;
3415 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3416 expand_string_message);
3417 return ERROR;
3418 }
3419 }
3420else ss = s;
3421
3422while (isspace(*ss))ss++;
3423
3424/* If we can't find a named ACL, the default is to parse it as an inline one.
3425(Unless it begins with a slash; non-existent files give rise to an error.) */
3426
3427acl_text = ss;
3428
3429/* Handle the case of a string that does not contain any spaces. Look for a
3430named ACL among those read from the configuration, or a previously read file.
3431It is possible that the pointer to the ACL is NULL if the configuration
3432contains a name with no data. If not found, and the text begins with '/',
3433read an ACL from a file, and save it so it can be re-used. */
3434
3435if (Ustrchr(ss, ' ') == NULL)
3436 {
3437 tree_node *t = tree_search(acl_anchor, ss);
3438 if (t != NULL)
3439 {
3440 acl = (acl_block *)(t->data.ptr);
3441 if (acl == NULL)
3442 {
3443 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3444 return FAIL;
3445 }
3446 acl_name = string_sprintf("ACL \"%s\"", ss);
3447 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3448 }
3449
3450 else if (*ss == '/')
3451 {
3452 struct stat statbuf;
3453 fd = Uopen(ss, O_RDONLY, 0);
3454 if (fd < 0)
3455 {
3456 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3457 strerror(errno));
3458 return ERROR;
3459 }
3460
3461 if (fstat(fd, &statbuf) != 0)
3462 {
3463 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3464 strerror(errno));
3465 return ERROR;
3466 }
3467
3468 acl_text = store_get(statbuf.st_size + 1);
3469 acl_text_end = acl_text + statbuf.st_size + 1;
3470
3471 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3472 {
3473 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3474 ss, strerror(errno));
3475 return ERROR;
3476 }
3477 acl_text[statbuf.st_size] = 0;
f1e894f3 3478 (void)close(fd);
059ec3d9
PH
3479
3480 acl_name = string_sprintf("ACL \"%s\"", ss);
3481 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3482 }
3483 }
3484
3485/* Parse an ACL that is still in text form. If it came from a file, remember it
3486in the ACL tree, having read it into the POOL_PERM store pool so that it
3487persists between multiple messages. */
3488
3489if (acl == NULL)
3490 {
3491 int old_pool = store_pool;
3492 if (fd >= 0) store_pool = POOL_PERM;
3493 acl = acl_read(acl_getline, log_msgptr);
3494 store_pool = old_pool;
3495 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3496 if (fd >= 0)
3497 {
3498 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3499 Ustrcpy(t->name, ss);
3500 t->data.ptr = acl;
3501 (void)tree_insertnode(&acl_anchor, t);
3502 }
3503 }
3504
3505/* Now we have an ACL to use. It's possible it may be NULL. */
3506
3507while (acl != NULL)
3508 {
3509 int cond;
3510 int basic_errno = 0;
3511 BOOL endpass_seen = FALSE;
3512
3513 *log_msgptr = *user_msgptr = NULL;
3514 acl_temp_details = FALSE;
3515
7353285c 3516 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
059ec3d9
PH
3517 acl->verb != ACL_ACCEPT &&
3518 acl->verb != ACL_WARN)
3519 {
7353285c 3520 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
059ec3d9
PH
3521 verbs[acl->verb]);
3522 return ERROR;
3523 }
3524
3525 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3526
3527 /* Clear out any search error message from a previous check before testing
3528 this condition. */
3529
3530 search_error_message = NULL;
3531 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3532 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3533
3534 /* Handle special returns: DEFER causes a return except on a WARN verb;
3535 ERROR always causes a return. */
3536
3537 switch (cond)
3538 {
3539 case DEFER:
3540 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3541 if (basic_errno != ERRNO_CALLOUTDEFER)
3542 {
3543 if (search_error_message != NULL && *search_error_message != 0)
3544 *log_msgptr = search_error_message;
3545 if (smtp_return_error_details) acl_temp_details = TRUE;
3546 }
3547 else
3548 {
3549 acl_temp_details = TRUE;
3550 }
3551 if (acl->verb != ACL_WARN) return DEFER;
3552 break;
3553
3554 default: /* Paranoia */
3555 case ERROR:
3556 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3557 return ERROR;
3558
3559 case OK:
3560 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3561 verbs[acl->verb]);
3562 break;
3563
3564 case FAIL:
3565 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3566 break;
3567
3568 /* DISCARD and DROP can happen only from a nested ACL condition, and
3569 DISCARD can happen only for an "accept" or "discard" verb. */
3570
3571 case DISCARD:
3572 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3573 verbs[acl->verb]);
3574 break;
3575
3576 case FAIL_DROP:
3577 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3578 verbs[acl->verb]);
3579 break;
3580 }
3581
3582 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3583 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3584 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3585
3586 switch(acl->verb)
3587 {
3588 case ACL_ACCEPT:
3589 if (cond == OK || cond == DISCARD) return cond;
3590 if (endpass_seen)
3591 {
3592 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3593 return cond;
3594 }
3595 break;
3596
3597 case ACL_DEFER:
3598 if (cond == OK)
3599 {
3600 acl_temp_details = TRUE;
3601 return DEFER;
3602 }
3603 break;
3604
3605 case ACL_DENY:
3606 if (cond == OK) return FAIL;
3607 break;
3608
3609 case ACL_DISCARD:
3610 if (cond == OK || cond == DISCARD) return DISCARD;
3611 if (endpass_seen)
3612 {
3613 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3614 return cond;
3615 }
3616 break;
3617
3618 case ACL_DROP:
3619 if (cond == OK) return FAIL_DROP;
3620 break;
3621
3622 case ACL_REQUIRE:
3623 if (cond != OK) return cond;
3624 break;
3625
3626 case ACL_WARN:
3627 if (cond == OK)
3628 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3629 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH
3630 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3631 "condition test deferred%s%s", host_and_ident(TRUE),
3632 (*log_msgptr == NULL)? US"" : US": ",
3633 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH
3634 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3635 break;
3636
3637 default:
3638 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3639 acl->verb);
3640 break;
3641 }
3642
3643 /* Pass to the next ACL item */
3644
3645 acl = acl->next;
3646 }
3647
3648/* We have reached the end of the ACL. This is an implicit DENY. */
3649
3650HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3651return FAIL;
3652}
3653
3654
3655/*************************************************
3656* Check access using an ACL *
3657*************************************************/
3658
3659/* This is the external interface for ACL checks. It sets up an address and the
3660expansions for $domain and $local_part when called after RCPT, then calls
3661acl_check_internal() to do the actual work.
3662
3663Arguments:
3664 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3665 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH
3666 s the input string; NULL is the same as an empty ACL => DENY
3667 user_msgptr where to put a user error (for SMTP response)
3668 log_msgptr where to put a logging message (not for SMTP response)
3669
3670Returns: OK access is granted by an ACCEPT verb
3671 DISCARD access is granted by a DISCARD verb
3672 FAIL access is denied
3673 FAIL_DROP access is denied; drop the connection
3674 DEFER can't tell at the moment
3675 ERROR disaster
3676*/
3677
3678int
64ffc24f 3679acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH
3680 uschar **log_msgptr)
3681{
3682int rc;
3683address_item adb;
64ffc24f 3684address_item *addr = NULL;
059ec3d9
PH
3685
3686*user_msgptr = *log_msgptr = NULL;
3687sender_verified_failed = NULL;
fe0dab11 3688ratelimiters_cmd = NULL;
6ea85e9a 3689log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9
PH
3690
3691if (where == ACL_WHERE_RCPT)
3692 {
3693 adb = address_defaults;
3694 addr = &adb;
64ffc24f 3695 addr->address = recipient;
059ec3d9
PH
3696 if (deliver_split_address(addr) == DEFER)
3697 {
3698 *log_msgptr = US"defer in percent_hack_domains check";
3699 return DEFER;
3700 }
3701 deliver_domain = addr->domain;
3702 deliver_localpart = addr->local_part;
3703 }
059ec3d9
PH
3704
3705rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3706
64ffc24f
PH
3707deliver_domain = deliver_localpart = deliver_address_data =
3708 sender_address_data = NULL;
059ec3d9
PH
3709
3710/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3711ACL, which is really in the middle of an SMTP command. */
3712
3713if (rc == DISCARD)
3714 {
3715 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3716 {
3717 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3718 "ACL", acl_wherenames[where]);
3719 return ERROR;
3720 }
3721 return DISCARD;
3722 }
3723
3724/* A DROP response is not permitted from MAILAUTH */
3725
3726if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3727 {
3728 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3729 "ACL", acl_wherenames[where]);
3730 return ERROR;
3731 }
3732
4e88a19f
PH
3733/* Before giving a response, take a look at the length of any user message, and
3734split it up into multiple lines if possible. */
059ec3d9 3735
e28326d8
PH
3736*user_msgptr = string_split_message(*user_msgptr);
3737if (fake_response != OK)
3738 fake_response_text = string_split_message(fake_response_text);
059ec3d9
PH
3739
3740return rc;
3741}
3742
38a0a95f
PH
3743
3744
3745/*************************************************
3746* Create ACL variable *
3747*************************************************/
3748
3749/* Create an ACL variable or reuse an existing one. ACL variables are in a
3750binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3751
3752Argument:
3753 name pointer to the variable's name, starting with c or m
3754
3755Returns the pointer to variable's tree node
3756*/
3757
3758tree_node *
3759acl_var_create(uschar *name)
3760{
3761tree_node *node, **root;
3762root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3763node = tree_search(*root, name);
3764if (node == NULL)
3765 {
3766 node = store_get(sizeof(tree_node) + Ustrlen(name));
3767 Ustrcpy(node->name, name);
3768 (void)tree_insertnode(root, node);
3769 }
3770node->data.ptr = NULL;
3771return node;
3772}
3773
3774
3775
3776/*************************************************
3777* Write an ACL variable in spool format *
3778*************************************************/
3779
3780/* This function is used as a callback for tree_walk when writing variables to
3781the spool file. To retain spool file compatibility, what is written is -aclc or
3782-aclm followed by the rest of the name and the data length, space separated,
3783then the value itself, starting on a new line, and terminated by an additional
3784newline. When we had only numbered ACL variables, the first line might look
3785like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3786acl_cfoo.
3787
3788Arguments:
3789 name of the variable
3790 value of the variable
3791 ctx FILE pointer (as a void pointer)
3792
3793Returns: nothing
3794*/
3795
3796void
3797acl_var_write(uschar *name, uschar *value, void *ctx)
3798{
3799FILE *f = (FILE *)ctx;
3800fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
3801}
3802
059ec3d9 3803/* End of acl.c */