Added some musings to the WishList.
[exim.git] / src / src / acl.c
CommitLineData
c46782ef 1/* $Cambridge: exim/src/src/acl.c,v 1.56 2006/03/02 12:25:48 ph10 Exp $ */
059ec3d9
PH
2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
d7d7b7b9 7/* Copyright (c) University of Cambridge 1995 - 2006 */
059ec3d9
PH
8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
35follows. */
36
8523533c
TK
37enum { ACLC_ACL, ACLC_AUTHENTICATED,
38#ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40#endif
41ACLC_CONDITION, ACLC_CONTROL,
42#ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44#endif
45 ACLC_DELAY,
46#ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
8e669ac1 48#endif
fb2274d4
TK
49#ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
51 ACLC_DK_POLICY,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
54 ACLC_DK_SENDERS,
55 ACLC_DK_STATUS,
56#endif
8523533c
TK
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59#ifdef WITH_CONTENT_SCAN
60 ACLC_MALWARE,
61#endif
62 ACLC_MESSAGE,
63#ifdef WITH_CONTENT_SCAN
64 ACLC_MIME_REGEX,
65#endif
870f6ba8 66 ACLC_RATELIMIT,
8523533c
TK
67 ACLC_RECIPIENTS,
68#ifdef WITH_CONTENT_SCAN
69 ACLC_REGEX,
70#endif
71 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
72#ifdef WITH_CONTENT_SCAN
8e669ac1 73 ACLC_SPAM,
8523533c
TK
74#endif
75#ifdef EXPERIMENTAL_SPF
76 ACLC_SPF,
77#endif
78 ACLC_VERIFY };
059ec3d9
PH
79
80/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
81"log_message", "logwrite", and "set" are modifiers that look like conditions
82but always return TRUE. They are used for their side effects. */
83
9a26b6b2
PH
84static uschar *conditions[] = {
85 US"acl",
86 US"authenticated",
8523533c
TK
87#ifdef EXPERIMENTAL_BRIGHTMAIL
88 US"bmi_optin",
89#endif
90 US"condition",
8e669ac1 91 US"control",
8523533c
TK
92#ifdef WITH_CONTENT_SCAN
93 US"decode",
94#endif
95 US"delay",
96#ifdef WITH_OLD_DEMIME
97 US"demime",
98#endif
fb2274d4 99#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH
100 US"dk_domain_source",
101 US"dk_policy",
102 US"dk_sender_domains",
103 US"dk_sender_local_parts",
104 US"dk_senders",
105 US"dk_status",
fb2274d4 106#endif
8523533c 107 US"dnslists", US"domains", US"encrypted",
059ec3d9 108 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
8523533c
TK
109#ifdef WITH_CONTENT_SCAN
110 US"malware",
111#endif
112 US"message",
113#ifdef WITH_CONTENT_SCAN
114 US"mime_regex",
115#endif
870f6ba8 116 US"ratelimit",
8523533c
TK
117 US"recipients",
118#ifdef WITH_CONTENT_SCAN
119 US"regex",
120#endif
121 US"sender_domains", US"senders", US"set",
122#ifdef WITH_CONTENT_SCAN
123 US"spam",
124#endif
125#ifdef EXPERIMENTAL_SPF
126 US"spf",
127#endif
059ec3d9 128 US"verify" };
8e669ac1 129
c5fcb476 130
9a26b6b2
PH
131/* Return values from decode_control(); keep in step with the table of names
132that follows! */
133
134enum {
c46782ef
PH
135 CONTROL_AUTH_UNADVERTISED,
136 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 137 CONTROL_BMI_RUN,
c46782ef
PH
138 #endif
139 #ifdef EXPERIMENTAL_DOMAINKEYS
9a26b6b2 140 CONTROL_DK_VERIFY,
c46782ef
PH
141 #endif
142 CONTROL_ERROR,
143 CONTROL_CASEFUL_LOCAL_PART,
144 CONTROL_CASELOWER_LOCAL_PART,
145 CONTROL_ENFORCE_SYNC,
146 CONTROL_NO_ENFORCE_SYNC,
147 CONTROL_FREEZE,
148 CONTROL_QUEUE_ONLY,
149 CONTROL_SUBMISSION,
150 CONTROL_SUPPRESS_LOCAL_FIXUPS,
151 #ifdef WITH_CONTENT_SCAN
9a26b6b2 152 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH
153 #endif
154 CONTROL_FAKEDEFER,
155 CONTROL_FAKEREJECT,
156 CONTROL_NO_MULTILINE
157};
9a26b6b2 158
8800895a
PH
159/* ACL control names; keep in step with the table above! This list is used for
160turning ids into names. The actual list of recognized names is in the variable
161control_def controls_list[] below. The fact that there are two lists is a mess
162and should be tidied up. */
9a26b6b2
PH
163
164static uschar *controls[] = {
c46782ef 165 US"allow_auth_unadvertised",
9a26b6b2
PH
166 #ifdef EXPERIMENTAL_BRIGHTMAIL
167 US"bmi_run",
168 #endif
169 #ifdef EXPERIMENTAL_DOMAINKEYS
170 US"dk_verify",
171 #endif
c46782ef
PH
172 US"error",
173 US"caseful_local_part",
174 US"caselower_local_part",
175 US"enforce_sync",
176 US"no_enforce_sync",
177 US"freeze",
178 US"queue_only",
179 US"submission",
180 US"suppress_local_fixups",
9a26b6b2
PH
181 #ifdef WITH_CONTENT_SCAN
182 US"no_mbox_unspool",
183 #endif
c46782ef
PH
184 US"no_multiline"
185};
059ec3d9
PH
186
187/* Flags to indicate for which conditions /modifiers a string expansion is done
188at the outer level. In the other cases, expansion already occurs in the
189checking functions. */
190
191static uschar cond_expand_at_top[] = {
192 TRUE, /* acl */
193 FALSE, /* authenticated */
8523533c
TK
194#ifdef EXPERIMENTAL_BRIGHTMAIL
195 TRUE, /* bmi_optin */
8e669ac1 196#endif
059ec3d9
PH
197 TRUE, /* condition */
198 TRUE, /* control */
8523533c
TK
199#ifdef WITH_CONTENT_SCAN
200 TRUE, /* decode */
201#endif
059ec3d9 202 TRUE, /* delay */
8523533c
TK
203#ifdef WITH_OLD_DEMIME
204 TRUE, /* demime */
205#endif
fb2274d4 206#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH
207 TRUE, /* dk_domain_source */
208 TRUE, /* dk_policy */
209 TRUE, /* dk_sender_domains */
e715ad22 210 TRUE, /* dk_sender_local_parts */
7f45268c
PH
211 TRUE, /* dk_senders */
212 TRUE, /* dk_status */
fb2274d4 213#endif
059ec3d9
PH
214 TRUE, /* dnslists */
215 FALSE, /* domains */
216 FALSE, /* encrypted */
217 TRUE, /* endpass */
218 FALSE, /* hosts */
219 FALSE, /* local_parts */
220 TRUE, /* log_message */
221 TRUE, /* logwrite */
8523533c
TK
222#ifdef WITH_CONTENT_SCAN
223 TRUE, /* malware */
224#endif
059ec3d9 225 TRUE, /* message */
8523533c
TK
226#ifdef WITH_CONTENT_SCAN
227 TRUE, /* mime_regex */
228#endif
870f6ba8 229 TRUE, /* ratelimit */
059ec3d9 230 FALSE, /* recipients */
8523533c
TK
231#ifdef WITH_CONTENT_SCAN
232 TRUE, /* regex */
233#endif
059ec3d9
PH
234 FALSE, /* sender_domains */
235 FALSE, /* senders */
236 TRUE, /* set */
8523533c
TK
237#ifdef WITH_CONTENT_SCAN
238 TRUE, /* spam */
239#endif
240#ifdef EXPERIMENTAL_SPF
241 TRUE, /* spf */
242#endif
059ec3d9
PH
243 TRUE /* verify */
244};
245
246/* Flags to identify the modifiers */
247
248static uschar cond_modifiers[] = {
249 FALSE, /* acl */
250 FALSE, /* authenticated */
8523533c
TK
251#ifdef EXPERIMENTAL_BRIGHTMAIL
252 TRUE, /* bmi_optin */
8e669ac1 253#endif
059ec3d9
PH
254 FALSE, /* condition */
255 TRUE, /* control */
8523533c
TK
256#ifdef WITH_CONTENT_SCAN
257 FALSE, /* decode */
258#endif
059ec3d9 259 TRUE, /* delay */
8523533c
TK
260#ifdef WITH_OLD_DEMIME
261 FALSE, /* demime */
262#endif
fb2274d4 263#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH
264 FALSE, /* dk_domain_source */
265 FALSE, /* dk_policy */
266 FALSE, /* dk_sender_domains */
e715ad22 267 FALSE, /* dk_sender_local_parts */
7f45268c
PH
268 FALSE, /* dk_senders */
269 FALSE, /* dk_status */
fb2274d4 270#endif
059ec3d9
PH
271 FALSE, /* dnslists */
272 FALSE, /* domains */
273 FALSE, /* encrypted */
274 TRUE, /* endpass */
275 FALSE, /* hosts */
276 FALSE, /* local_parts */
277 TRUE, /* log_message */
8523533c
TK
278 TRUE, /* logwrite */
279#ifdef WITH_CONTENT_SCAN
280 FALSE, /* malware */
281#endif
059ec3d9 282 TRUE, /* message */
8523533c
TK
283#ifdef WITH_CONTENT_SCAN
284 FALSE, /* mime_regex */
285#endif
870f6ba8 286 FALSE, /* ratelimit */
059ec3d9 287 FALSE, /* recipients */
8523533c
TK
288#ifdef WITH_CONTENT_SCAN
289 FALSE, /* regex */
290#endif
059ec3d9
PH
291 FALSE, /* sender_domains */
292 FALSE, /* senders */
293 TRUE, /* set */
8523533c
TK
294#ifdef WITH_CONTENT_SCAN
295 FALSE, /* spam */
296#endif
297#ifdef EXPERIMENTAL_SPF
298 FALSE, /* spf */
299#endif
059ec3d9
PH
300 FALSE /* verify */
301};
302
c5fcb476 303/* Bit map vector of which conditions are not allowed at certain times. For
2f079f46
PH
304each condition, there's a bitmap of dis-allowed times. For some, it is easier
305to specify the negation of a small number of allowed times. */
059ec3d9
PH
306
307static unsigned int cond_forbids[] = {
308 0, /* acl */
8e669ac1 309
059ec3d9
PH
310 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
311 (1<<ACL_WHERE_HELO),
8e669ac1 312
8523533c 313#ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 314 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK
315 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
316 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 317 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK
318 (1<<ACL_WHERE_MAILAUTH)|
319 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
320 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
321#endif
8e669ac1 322
059ec3d9 323 0, /* condition */
8e669ac1 324
059ec3d9 325 /* Certain types of control are always allowed, so we let it through
2f079f46 326 always and check in the control processing itself. */
8e669ac1 327
059ec3d9 328 0, /* control */
8e669ac1 329
8523533c 330#ifdef WITH_CONTENT_SCAN
2f079f46
PH
331 (unsigned int)
332 ~(1<<ACL_WHERE_MIME), /* decode */
8523533c
TK
333#endif
334
059ec3d9 335 0, /* delay */
8e669ac1 336
f7b63901 337#ifdef WITH_OLD_DEMIME
2f079f46
PH
338 (unsigned int)
339 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
8523533c 340#endif
8e669ac1 341
fb2274d4 342#ifdef EXPERIMENTAL_DOMAINKEYS
2f079f46 343 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK
344 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
345 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
346 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
347 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
348 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
349 (1<<ACL_WHERE_VRFY),
84330b7b 350
2f079f46 351 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK
352 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
353 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
354 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
355 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
356 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
357 (1<<ACL_WHERE_VRFY),
84330b7b 358
2f079f46 359 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK
360 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
361 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
362 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
363 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
364 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
365 (1<<ACL_WHERE_VRFY),
84330b7b 366
2f079f46 367 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK
368 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
369 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
370 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
371 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
372 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
373 (1<<ACL_WHERE_VRFY),
84330b7b 374
2f079f46 375 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK
376 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
377 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
378 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
379 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
380 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
381 (1<<ACL_WHERE_VRFY),
84330b7b 382
2f079f46 383 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK
384 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
385 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
386 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
387 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
388 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
389 (1<<ACL_WHERE_VRFY),
390#endif
391
059ec3d9
PH
392 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
393
2f079f46
PH
394 (unsigned int)
395 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9
PH
396
397 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
398 (1<<ACL_WHERE_HELO),
8e669ac1 399
059ec3d9 400 0, /* endpass */
8e669ac1 401
059ec3d9
PH
402 (1<<ACL_WHERE_NOTSMTP), /* hosts */
403
2f079f46
PH
404 (unsigned int)
405 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH
406
407 0, /* log_message */
8e669ac1 408
059ec3d9 409 0, /* logwrite */
8e669ac1 410
8523533c 411#ifdef WITH_CONTENT_SCAN
2f079f46
PH
412 (unsigned int)
413 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
8523533c
TK
414#endif
415
059ec3d9
PH
416 0, /* message */
417
8523533c 418#ifdef WITH_CONTENT_SCAN
2f079f46
PH
419 (unsigned int)
420 ~(1<<ACL_WHERE_MIME), /* mime_regex */
8523533c
TK
421#endif
422
870f6ba8
TF
423 0, /* ratelimit */
424
2f079f46
PH
425 (unsigned int)
426 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 427
8523533c 428#ifdef WITH_CONTENT_SCAN
2f079f46
PH
429 (unsigned int)
430 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
431 (1<<ACL_WHERE_MIME)),
8523533c
TK
432#endif
433
059ec3d9
PH
434 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
435 (1<<ACL_WHERE_HELO)|
436 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
437 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
438 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
439
440 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
441 (1<<ACL_WHERE_HELO)|
442 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
443 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
444 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
445
446 0, /* set */
447
8523533c 448#ifdef WITH_CONTENT_SCAN
2f079f46
PH
449 (unsigned int)
450 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
8523533c
TK
451#endif
452
453#ifdef EXPERIMENTAL_SPF
454 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
455 (1<<ACL_WHERE_HELO)|
456 (1<<ACL_WHERE_MAILAUTH)|
457 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
458 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
459#endif
460
059ec3d9
PH
461 /* Certain types of verify are always allowed, so we let it through
462 always and check in the verify function itself */
463
464 0 /* verify */
059ec3d9
PH
465};
466
467
c5fcb476
PH
468/* Bit map vector of which controls are not allowed at certain times. For
469each control, there's a bitmap of dis-allowed times. For some, it is easier to
470specify the negation of a small number of allowed times. */
471
472static unsigned int control_forbids[] = {
c46782ef
PH
473 (unsigned int)
474 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
475
476 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 477 0, /* bmi_run */
c46782ef
PH
478 #endif
479
480 #ifdef EXPERIMENTAL_DOMAINKEYS
e715ad22 481 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
c46782ef 482 #endif
3e11c26b 483
c5fcb476 484 0, /* error */
8e669ac1
PH
485
486 (unsigned int)
c5fcb476 487 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH
488
489 (unsigned int)
c5fcb476 490 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 491
c5fcb476 492 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
8e669ac1 493
c5fcb476 494 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
8e669ac1
PH
495
496 (unsigned int)
c5fcb476
PH
497 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
498 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 499 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH
500
501 (unsigned int)
c5fcb476
PH
502 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
503 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 504 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH
505
506 (unsigned int)
c5fcb476 507 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 508 (1<<ACL_WHERE_PREDATA)),
8523533c 509
8800895a
PH
510 (unsigned int)
511 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
512 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_PREDATA)),
513
c46782ef 514 #ifdef WITH_CONTENT_SCAN
8e669ac1 515 (unsigned int)
14d57970 516 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK
517 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
518 (1<<ACL_WHERE_MIME)),
c46782ef 519 #endif
a6c4ab60 520
8e669ac1 521 (unsigned int)
29aba418
TF
522 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
523 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
524 (1<<ACL_WHERE_MIME)),
525
526 (unsigned int)
a6c4ab60 527 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK
528 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
529 (1<<ACL_WHERE_MIME)),
8523533c 530
c5fcb476
PH
531 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
532};
533
534/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH
535
536typedef struct control_def {
537 uschar *name;
538 int value; /* CONTROL_xxx value */
059ec3d9
PH
539 BOOL has_option; /* Has /option(s) following */
540} control_def;
541
542static control_def controls_list[] = {
c46782ef 543 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 544#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 545 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
8523533c 546#endif
fb2274d4 547#ifdef EXPERIMENTAL_DOMAINKEYS
c46782ef 548 { US"dk_verify", CONTROL_DK_VERIFY, FALSE },
fb2274d4 549#endif
c46782ef
PH
550 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
551 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
552 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
553 { US"freeze", CONTROL_FREEZE, TRUE },
554 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
555 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
556 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 557#ifdef WITH_CONTENT_SCAN
c46782ef 558 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 559#endif
c46782ef
PH
560 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
561 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
562 { US"submission", CONTROL_SUBMISSION, TRUE },
563 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH
564 };
565
e5a9dba6
PH
566/* Support data structures for Client SMTP Authorization. acl_verify_csa()
567caches its result in a tree to avoid repeated DNS queries. The result is an
568integer code which is used as an index into the following tables of
569explanatory strings and verification return codes. */
570
571static tree_node *csa_cache = NULL;
572
573enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
574 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
575
576/* The acl_verify_csa() return code is translated into an acl_verify() return
577code using the following table. It is OK unless the client is definitely not
578authorized. This is because CSA is supposed to be optional for sending sites,
579so recipients should not be too strict about checking it - especially because
580DNS problems are quite likely to occur. It's possible to use $csa_status in
581further ACL conditions to distinguish ok, unknown, and defer if required, but
582the aim is to make the usual configuration simple. */
583
584static int csa_return_code[] = {
585 OK, OK, OK, OK,
586 FAIL, FAIL, FAIL, FAIL
587};
588
589static uschar *csa_status_string[] = {
590 US"unknown", US"ok", US"defer", US"defer",
591 US"fail", US"fail", US"fail", US"fail"
592};
593
594static uschar *csa_reason_string[] = {
595 US"unknown",
596 US"ok",
597 US"deferred (SRV lookup failed)",
598 US"deferred (target address lookup failed)",
599 US"failed (explicit authorization required)",
600 US"failed (host name not authorized)",
601 US"failed (no authorized addresses)",
602 US"failed (client address mismatch)"
603};
604
059ec3d9
PH
605/* Enable recursion between acl_check_internal() and acl_check_condition() */
606
607static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
608 uschar **);
609
610
611/*************************************************
612* Pick out name from list *
613*************************************************/
614
615/* Use a binary chop method
616
617Arguments:
618 name name to find
619 list list of names
620 end size of list
621
622Returns: offset in list, or -1 if not found
623*/
624
625static int
626acl_checkname(uschar *name, uschar **list, int end)
627{
628int start = 0;
629
630while (start < end)
631 {
632 int mid = (start + end)/2;
633 int c = Ustrcmp(name, list[mid]);
634 if (c == 0) return mid;
635 if (c < 0) end = mid; else start = mid + 1;
636 }
637
638return -1;
639}
640
641
642/*************************************************
643* Read and parse one ACL *
644*************************************************/
645
646/* This function is called both from readconf in order to parse the ACLs in the
647configuration file, and also when an ACL is encountered dynamically (e.g. as
648the result of an expansion). It is given a function to call in order to
649retrieve the lines of the ACL. This function handles skipping comments and
650blank lines (where relevant).
651
652Arguments:
653 func function to get next line of ACL
654 error where to put an error message
655
656Returns: pointer to ACL, or NULL
657 NULL can be legal (empty ACL); in this case error will be NULL
658*/
659
660acl_block *
661acl_read(uschar *(*func)(void), uschar **error)
662{
663acl_block *yield = NULL;
664acl_block **lastp = &yield;
665acl_block *this = NULL;
666acl_condition_block *cond;
667acl_condition_block **condp = NULL;
668uschar *s;
669
670*error = NULL;
671
672while ((s = (*func)()) != NULL)
673 {
674 int v, c;
675 BOOL negated = FALSE;
676 uschar *saveline = s;
677 uschar name[64];
678
679 /* Conditions (but not verbs) are allowed to be negated by an initial
680 exclamation mark. */
681
682 while (isspace(*s)) s++;
683 if (*s == '!')
684 {
685 negated = TRUE;
686 s++;
687 }
688
cf00dad6
PH
689 /* Read the name of a verb or a condition, or the start of a new ACL, which
690 can be started by a name, or by a macro definition. */
059ec3d9
PH
691
692 s = readconf_readname(name, sizeof(name), s);
cf00dad6 693 if (*s == ':' || isupper(name[0] && *s == '=')) return yield;
059ec3d9
PH
694
695 /* If a verb is unrecognized, it may be another condition or modifier that
696 continues the previous verb. */
697
698 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
699 if (v < 0)
700 {
701 if (this == NULL)
702 {
703 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
704 return NULL;
705 }
706 }
707
708 /* New verb */
709
710 else
711 {
712 if (negated)
713 {
714 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
715 return NULL;
716 }
717 this = store_get(sizeof(acl_block));
718 *lastp = this;
719 lastp = &(this->next);
720 this->next = NULL;
721 this->verb = v;
722 this->condition = NULL;
723 condp = &(this->condition);
724 if (*s == 0) continue; /* No condition on this line */
725 if (*s == '!')
726 {
727 negated = TRUE;
728 s++;
729 }
730 s = readconf_readname(name, sizeof(name), s); /* Condition name */
731 }
732
733 /* Handle a condition or modifier. */
734
735 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
736 if (c < 0)
737 {
738 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
739 saveline);
740 return NULL;
741 }
742
743 /* The modifiers may not be negated */
744
745 if (negated && cond_modifiers[c])
746 {
747 *error = string_sprintf("ACL error: negation is not allowed with "
748 "\"%s\"", conditions[c]);
749 return NULL;
750 }
751
752 /* ENDPASS may occur only with ACCEPT or DISCARD. */
753
754 if (c == ACLC_ENDPASS &&
755 this->verb != ACL_ACCEPT &&
756 this->verb != ACL_DISCARD)
757 {
758 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
759 conditions[c], verbs[this->verb]);
760 return NULL;
761 }
762
763 cond = store_get(sizeof(acl_condition_block));
764 cond->next = NULL;
765 cond->type = c;
766 cond->u.negated = negated;
767
768 *condp = cond;
769 condp = &(cond->next);
770
771 /* The "set" modifier is different in that its argument is "name=value"
772 rather than just a value, and we can check the validity of the name, which
773 gives us a variable number to insert into the data block. */
774
775 if (c == ACLC_SET)
776 {
47ca6d6c
PH
777 int offset, max, n;
778 uschar *endptr;
779
780 if (Ustrncmp(s, "acl_", 4) != 0) goto BAD_ACL_VAR;
781 if (s[4] == 'c')
782 {
783 offset = 0;
784 max = ACL_CVARS;
785 }
786 else if (s[4] == 'm')
787 {
788 offset = ACL_CVARS;
789 max = ACL_MVARS;
790 }
791 else goto BAD_ACL_VAR;
792
793 n = Ustrtoul(s + 5, &endptr, 10);
794 if ((*endptr != 0 && *endptr != '=' && !isspace(*endptr)) || n >= max)
059ec3d9 795 {
47ca6d6c
PH
796 BAD_ACL_VAR:
797 *error = string_sprintf("syntax error or unrecognized name after "
798 "\"set\" in ACL modifier \"set %s\"", s);
059ec3d9
PH
799 return NULL;
800 }
801
47ca6d6c
PH
802 cond->u.varnumber = n + offset;
803 s = endptr;
059ec3d9
PH
804 while (isspace(*s)) s++;
805 }
806
807 /* For "set", we are now positioned for the data. For the others, only
808 "endpass" has no data */
809
810 if (c != ACLC_ENDPASS)
811 {
812 if (*s++ != '=')
813 {
814 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
815 cond_modifiers[c]? US"modifier" : US"condition");
816 return NULL;
817 }
818 while (isspace(*s)) s++;
819 cond->arg = string_copy(s);
820 }
821 }
822
823return yield;
824}
825
826
827
828/*************************************************
829* Handle warnings *
830*************************************************/
831
832/* This function is called when a WARN verb's conditions are true. It adds to
833the message's headers, and/or writes information to the log. In each case, this
834only happens once (per message for headers, per connection for log).
835
836Arguments:
837 where ACL_WHERE_xxxx indicating which ACL this is
838 user_message message for adding to headers
839 log_message message for logging, if different
840
841Returns: nothing
842*/
843
844static void
845acl_warn(int where, uschar *user_message, uschar *log_message)
846{
847int hlen;
848
849if (log_message != NULL && log_message != user_message)
850 {
851 uschar *text;
852 string_item *logged;
853
854 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
855 string_printing(log_message));
856
857 /* If a sender verification has failed, and the log message is "sender verify
858 failed", add the failure message. */
859
860 if (sender_verified_failed != NULL &&
861 sender_verified_failed->message != NULL &&
862 strcmpic(log_message, US"sender verify failed") == 0)
863 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
864
9c7a242c
PH
865 /* Search previously logged warnings. They are kept in malloc
866 store so they can be freed at the start of a new message. */
059ec3d9
PH
867
868 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
869 if (Ustrcmp(logged->text, text) == 0) break;
870
871 if (logged == NULL)
872 {
873 int length = Ustrlen(text) + 1;
874 log_write(0, LOG_MAIN, "%s", text);
875 logged = store_malloc(sizeof(string_item) + length);
876 logged->text = (uschar *)logged + sizeof(string_item);
877 memcpy(logged->text, text, length);
878 logged->next = acl_warn_logged;
879 acl_warn_logged = logged;
880 }
881 }
882
883/* If there's no user message, we are done. */
884
885if (user_message == NULL) return;
886
887/* If this isn't a message ACL, we can't do anything with a user message.
888Log an error. */
889
890if (where > ACL_WHERE_NOTSMTP)
891 {
892 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
893 "found in a non-message (%s) ACL: cannot specify header lines here: "
894 "message ignored", acl_wherenames[where]);
895 return;
896 }
897
898/* Treat the user message as a sequence of one or more header lines. */
899
900hlen = Ustrlen(user_message);
901if (hlen > 0)
902 {
903 uschar *text, *p, *q;
904
905 /* Add a final newline if not present */
906
907 text = ((user_message)[hlen-1] == '\n')? user_message :
908 string_sprintf("%s\n", user_message);
909
910 /* Loop for multiple header lines, taking care about continuations */
911
912 for (p = q = text; *p != 0; )
913 {
914 uschar *s;
915 int newtype = htype_add_bot;
916 header_line **hptr = &acl_warn_headers;
917
918 /* Find next header line within the string */
919
920 for (;;)
921 {
922 q = Ustrchr(q, '\n');
923 if (*(++q) != ' ' && *q != '\t') break;
924 }
925
926 /* If the line starts with a colon, interpret the instruction for where to
927 add it. This temporarily sets up a new type. */
928
929 if (*p == ':')
930 {
931 if (strncmpic(p, US":after_received:", 16) == 0)
932 {
933 newtype = htype_add_rec;
934 p += 16;
935 }
8523533c
TK
936 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
937 {
938 newtype = htype_add_rfc;
939 p += 14;
8e669ac1 940 }
059ec3d9
PH
941 else if (strncmpic(p, US":at_start:", 10) == 0)
942 {
943 newtype = htype_add_top;
944 p += 10;
945 }
946 else if (strncmpic(p, US":at_end:", 8) == 0)
947 {
948 newtype = htype_add_bot;
949 p += 8;
950 }
951 while (*p == ' ' || *p == '\t') p++;
952 }
953
954 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
955 to the front of it. */
956
957 for (s = p; s < q - 1; s++)
958 {
959 if (*s == ':' || !isgraph(*s)) break;
960 }
961
962 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
963 hlen = Ustrlen(s);
964
965 /* See if this line has already been added */
966
967 while (*hptr != NULL)
968 {
969 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
970 hptr = &((*hptr)->next);
971 }
972
973 /* Add if not previously present */
974
975 if (*hptr == NULL)
976 {
977 header_line *h = store_get(sizeof(header_line));
978 h->text = s;
979 h->next = NULL;
980 h->type = newtype;
981 h->slen = hlen;
982 *hptr = h;
983 hptr = &(h->next);
984 }
985
986 /* Advance for next header line within the string */
987
988 p = q;
989 }
990 }
991}
992
993
994
995/*************************************************
996* Verify and check reverse DNS *
997*************************************************/
998
999/* Called from acl_verify() below. We look up the host name(s) of the client IP
1000address if this has not yet been done. The host_name_lookup() function checks
1001that one of these names resolves to an address list that contains the client IP
1002address, so we don't actually have to do the check here.
1003
1004Arguments:
1005 user_msgptr pointer for user message
1006 log_msgptr pointer for log message
1007
1008Returns: OK verification condition succeeded
1009 FAIL verification failed
1010 DEFER there was a problem verifying
1011*/
1012
1013static int
1014acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1015{
1016int rc;
1017
1018user_msgptr = user_msgptr; /* stop compiler warning */
1019
1020/* Previous success */
1021
1022if (sender_host_name != NULL) return OK;
1023
1024/* Previous failure */
1025
1026if (host_lookup_failed)
1027 {
1028 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1029 return FAIL;
1030 }
1031
1032/* Need to do a lookup */
1033
1034HDEBUG(D_acl)
1035 debug_printf("looking up host name to force name/address consistency check\n");
1036
1037if ((rc = host_name_lookup()) != OK)
1038 {
1039 *log_msgptr = (rc == DEFER)?
1040 US"host lookup deferred for reverse lookup check"
1041 :
1042 string_sprintf("host lookup failed for reverse lookup check%s",
1043 host_lookup_msg);
1044 return rc; /* DEFER or FAIL */
1045 }
1046
1047host_build_sender_fullhost();
1048return OK;
1049}
1050
1051
1052
1053/*************************************************
e5a9dba6
PH
1054* Check client IP address matches CSA target *
1055*************************************************/
1056
1057/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1058response for address records belonging to the CSA target hostname. The section
1059is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1060If one of the addresses matches the client's IP address, then the client is
1061authorized by CSA. If there are target IP addresses but none of them match
1062then the client is using an unauthorized IP address. If there are no target IP
1063addresses then the client cannot be using an authorized IP address. (This is
1064an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1065
1066Arguments:
1067 dnsa the DNS answer block
1068 dnss a DNS scan block for us to use
1069 reset option specifing what portion to scan, as described above
1070 target the target hostname to use for matching RR names
1071
1072Returns: CSA_OK successfully authorized
1073 CSA_FAIL_MISMATCH addresses found but none matched
1074 CSA_FAIL_NOADDR no target addresses found
1075*/
1076
1077static int
1078acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1079 uschar *target)
1080{
1081dns_record *rr;
1082dns_address *da;
1083
1084BOOL target_found = FALSE;
1085
1086for (rr = dns_next_rr(dnsa, dnss, reset);
1087 rr != NULL;
1088 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1089 {
1090 /* Check this is an address RR for the target hostname. */
1091
1092 if (rr->type != T_A
1093 #if HAVE_IPV6
1094 && rr->type != T_AAAA
1095 #ifdef SUPPORT_A6
1096 && rr->type != T_A6
1097 #endif
1098 #endif
1099 ) continue;
1100
1101 if (strcmpic(target, rr->name) != 0) continue;
1102
1103 target_found = TRUE;
1104
1105 /* Turn the target address RR into a list of textual IP addresses and scan
1106 the list. There may be more than one if it is an A6 RR. */
1107
1108 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1109 {
1110 /* If the client IP address matches the target IP address, it's good! */
1111
1112 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1113
1114 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1115 }
1116 }
1117
1118/* If we found some target addresses but none of them matched, the client is
1119using an unauthorized IP address, otherwise the target has no authorized IP
1120addresses. */
1121
1122if (target_found) return CSA_FAIL_MISMATCH;
1123else return CSA_FAIL_NOADDR;
1124}
1125
1126
1127
1128/*************************************************
1129* Verify Client SMTP Authorization *
1130*************************************************/
1131
1132/* Called from acl_verify() below. This routine calls dns_lookup_special()
1133to find the CSA SRV record corresponding to the domain argument, or
1134$sender_helo_name if no argument is provided. It then checks that the
1135client is authorized, and that its IP address corresponds to the SRV
1136target's address by calling acl_verify_csa_address() above. The address
1137should have been returned in the DNS response's ADDITIONAL section, but if
1138not we perform another DNS lookup to get it.
1139
1140Arguments:
1141 domain pointer to optional parameter following verify = csa
1142
1143Returns: CSA_UNKNOWN no valid CSA record found
1144 CSA_OK successfully authorized
1145 CSA_FAIL_* client is definitely not authorized
1146 CSA_DEFER_* there was a DNS problem
1147*/
1148
1149static int
1150acl_verify_csa(uschar *domain)
1151{
1152tree_node *t;
1153uschar *found, *p;
1154int priority, weight, port;
1155dns_answer dnsa;
1156dns_scan dnss;
1157dns_record *rr;
1158int rc, type;
1159uschar target[256];
1160
1161/* Work out the domain we are using for the CSA lookup. The default is the
1162client's HELO domain. If the client has not said HELO, use its IP address
1163instead. If it's a local client (exim -bs), CSA isn't applicable. */
1164
1165while (isspace(*domain) && *domain != '\0') ++domain;
1166if (*domain == '\0') domain = sender_helo_name;
1167if (domain == NULL) domain = sender_host_address;
1168if (sender_host_address == NULL) return CSA_UNKNOWN;
1169
1170/* If we have an address literal, strip off the framing ready for turning it
1171into a domain. The framing consists of matched square brackets possibly
1172containing a keyword and a colon before the actual IP address. */
1173
1174if (domain[0] == '[')
1175 {
1176 uschar *start = Ustrchr(domain, ':');
1177 if (start == NULL) start = domain;
1178 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1179 }
1180
1181/* Turn domains that look like bare IP addresses into domains in the reverse
1182DNS. This code also deals with address literals and $sender_host_address. It's
1183not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1184address literals, but it's probably the most friendly thing to do. This is an
1185extension to CSA, so we allow it to be turned off for proper conformance. */
1186
7e66e54d 1187if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH
1188 {
1189 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1190 dns_build_reverse(domain, target);
1191 domain = target;
1192 }
1193
1194/* Find out if we've already done the CSA check for this domain. If we have,
1195return the same result again. Otherwise build a new cached result structure
1196for this domain. The name is filled in now, and the value is filled in when
1197we return from this function. */
1198
1199t = tree_search(csa_cache, domain);
1200if (t != NULL) return t->data.val;
1201
1202t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1203Ustrcpy(t->name, domain);
1204(void)tree_insertnode(&csa_cache, t);
1205
1206/* Now we are ready to do the actual DNS lookup(s). */
1207
28e6ef29 1208found = domain;
e5a9dba6
PH
1209switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1210 {
1211 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1212
1213 default:
1214 return t->data.val = CSA_DEFER_SRV;
1215
1216 /* If we found nothing, the client's authorization is unknown. */
1217
1218 case DNS_NOMATCH:
1219 case DNS_NODATA:
1220 return t->data.val = CSA_UNKNOWN;
1221
1222 /* We got something! Go on to look at the reply in more detail. */
1223
1224 case DNS_SUCCEED:
1225 break;
1226 }
1227
1228/* Scan the reply for well-formed CSA SRV records. */
1229
1230for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1231 rr != NULL;
1232 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1233 {
1234 if (rr->type != T_SRV) continue;
1235
1236 /* Extract the numerical SRV fields (p is incremented) */
1237
1238 p = rr->data;
1239 GETSHORT(priority, p);
1240 GETSHORT(weight, p);
1241 GETSHORT(port, p);
1242
1243 DEBUG(D_acl)
1244 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1245
1246 /* Check the CSA version number */
1247
1248 if (priority != 1) continue;
1249
1250 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1251 found by dns_special_lookup() is a parent of the one we asked for), we check
1252 the subdomain assertions in the port field. At the moment there's only one
1253 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1254 SRV records of their own. */
1255
1256 if (found != domain)
1257 {
1258 if (port & 1)
1259 return t->data.val = CSA_FAIL_EXPLICIT;
1260 else
1261 return t->data.val = CSA_UNKNOWN;
1262 }
1263
1264 /* This CSA SRV record refers directly to our domain, so we check the value
1265 in the weight field to work out the domain's authorization. 0 and 1 are
1266 unauthorized; 3 means the client is authorized but we can't check the IP
1267 address in order to authenticate it, so we treat it as unknown; values
1268 greater than 3 are undefined. */
1269
1270 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1271
1272 if (weight > 2) continue;
1273
1274 /* Weight == 2, which means the domain is authorized. We must check that the
1275 client's IP address is listed as one of the SRV target addresses. Save the
1276 target hostname then break to scan the additional data for its addresses. */
1277
1278 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1279 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1280
1281 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1282
1283 break;
1284 }
1285
1286/* If we didn't break the loop then no appropriate records were found. */
1287
1288if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1289
1290/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1291A target of "." indicates there are no valid addresses, so the client cannot
1292be authorized. (This is an odd configuration because weight=2 target=. is
1293equivalent to weight=1, but we check for it in order to keep load off the
1294root name servers.) Note that dn_expand() turns "." into "". */
1295
1296if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1297
1298/* Scan the additional section of the CSA SRV reply for addresses belonging
1299to the target. If the name server didn't return any additional data (e.g.
1300because it does not fully support SRV records), we need to do another lookup
1301to obtain the target addresses; otherwise we have a definitive result. */
1302
1303rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1304if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1305
1306/* The DNS lookup type corresponds to the IP version used by the client. */
1307
1308#if HAVE_IPV6
1309if (Ustrchr(sender_host_address, ':') != NULL)
1310 type = T_AAAA;
1311else
1312#endif /* HAVE_IPV6 */
1313 type = T_A;
1314
1315
1316#if HAVE_IPV6 && defined(SUPPORT_A6)
1317DNS_LOOKUP_AGAIN:
1318#endif
1319
1320switch (dns_lookup(&dnsa, target, type, NULL))
1321 {
1322 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1323
1324 default:
1325 return t->data.val = CSA_DEFER_ADDR;
1326
1327 /* If the query succeeded, scan the addresses and return the result. */
1328
1329 case DNS_SUCCEED:
1330 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1331 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1332 /* else fall through */
1333
1334 /* If the target has no IP addresses, the client cannot have an authorized
1335 IP address. However, if the target site uses A6 records (not AAAA records)
1336 we have to do yet another lookup in order to check them. */
1337
1338 case DNS_NOMATCH:
1339 case DNS_NODATA:
1340
1341 #if HAVE_IPV6 && defined(SUPPORT_A6)
1342 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1343 #endif
1344
1345 return t->data.val = CSA_FAIL_NOADDR;
1346 }
1347}
1348
1349
1350
1351/*************************************************
059ec3d9
PH
1352* Handle verification (address & other) *
1353*************************************************/
1354
1355/* This function implements the "verify" condition. It is called when
1356encountered in any ACL, because some tests are almost always permitted. Some
1357just don't make sense, and always fail (for example, an attempt to test a host
1358lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1359
1360Arguments:
1361 where where called from
1362 addr the recipient address that the ACL is handling, or NULL
1363 arg the argument of "verify"
1364 user_msgptr pointer for user message
1365 log_msgptr pointer for log message
1366 basic_errno where to put verify errno
1367
1368Returns: OK verification condition succeeded
1369 FAIL verification failed
1370 DEFER there was a problem verifying
1371 ERROR syntax error
1372*/
1373
1374static int
1375acl_verify(int where, address_item *addr, uschar *arg,
1376 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1377{
1378int sep = '/';
1379int callout = -1;
1380int callout_overall = -1;
4deaf07d 1381int callout_connect = -1;
059ec3d9
PH
1382int verify_options = 0;
1383int rc;
1384BOOL verify_header_sender = FALSE;
1385BOOL defer_ok = FALSE;
1386BOOL callout_defer_ok = FALSE;
1387BOOL no_details = FALSE;
eafd343b 1388BOOL success_on_redirect = FALSE;
059ec3d9
PH
1389address_item *sender_vaddr = NULL;
1390uschar *verify_sender_address = NULL;
1391uschar *pm_mailfrom = NULL;
1392uschar *se_mailfrom = NULL;
596875b3
PH
1393
1394/* Some of the verify items have slash-separated options; some do not. Diagnose
1395an error if options are given for items that don't expect them. This code has
1396now got very message. Refactoring to use a table would be a good idea one day.
1397*/
1398
1399uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH
1400uschar *list = arg;
1401uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1402
1403if (ss == NULL) goto BAD_VERIFY;
1404
1405/* Handle name/address consistency verification in a separate function. */
1406
1407if (strcmpic(ss, US"reverse_host_lookup") == 0)
1408 {
596875b3 1409 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH
1410 if (sender_host_address == NULL) return OK;
1411 return acl_verify_reverse(user_msgptr, log_msgptr);
1412 }
1413
1414/* TLS certificate verification is done at STARTTLS time; here we just
1415test whether it was successful or not. (This is for optional verification; for
1416mandatory verification, the connection doesn't last this long.) */
1417
1418if (strcmpic(ss, US"certificate") == 0)
1419 {
596875b3 1420 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH
1421 if (tls_certificate_verified) return OK;
1422 *user_msgptr = US"no verified certificate";
1423 return FAIL;
1424 }
1425
d7b47fd0
PH
1426/* We can test the result of optional HELO verification that might have
1427occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1428
596875b3
PH
1429if (strcmpic(ss, US"helo") == 0)
1430 {
1431 if (slash != NULL) goto NO_OPTIONS;
0154e85a
TF
1432 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1433 return helo_verified? OK : FAIL;
596875b3 1434 }
059ec3d9 1435
e5a9dba6
PH
1436/* Do Client SMTP Authorization checks in a separate function, and turn the
1437result code into user-friendly strings. */
1438
1439if (strcmpic(ss, US"csa") == 0)
1440 {
1441 rc = acl_verify_csa(list);
1442 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1443 csa_reason_string[rc]);
1444 csa_status = csa_status_string[rc];
1445 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1446 return csa_return_code[rc];
1447 }
1448
596875b3
PH
1449/* Check that all relevant header lines have the correct syntax. If there is
1450a syntax error, we return details of the error to the sender if configured to
1451send out full details. (But a "message" setting on the ACL can override, as
1452always). */
059ec3d9 1453
596875b3 1454if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1455 {
596875b3 1456 if (slash != NULL) goto NO_OPTIONS;
1c41c9cc 1457 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3
PH
1458 rc = verify_check_headers(log_msgptr);
1459 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1460 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1461 return rc;
1462 }
059ec3d9 1463
1c41c9cc
PH
1464/* Check that no recipient of this message is "blind", that is, every envelope
1465recipient must be mentioned in either To: or Cc:. */
1466
1467if (strcmpic(ss, US"not_blind") == 0)
1468 {
1469 if (slash != NULL) goto NO_OPTIONS;
1470 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1471 rc = verify_check_notblind();
1472 if (rc != OK)
1473 {
1474 *log_msgptr = string_sprintf("bcc recipient detected");
1475 if (smtp_return_error_details)
1476 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1477 }
1478 return rc;
1479 }
059ec3d9 1480
596875b3
PH
1481/* The remaining verification tests check recipient and sender addresses,
1482either from the envelope or from the header. There are a number of
1483slash-separated options that are common to all of them. */
059ec3d9 1484
059ec3d9 1485
596875b3
PH
1486/* Check that there is at least one verifiable sender address in the relevant
1487header lines. This can be followed by callout and defer options, just like
1488sender and recipient. */
059ec3d9 1489
596875b3
PH
1490if (strcmpic(ss, US"header_sender") == 0)
1491 {
1c41c9cc 1492 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3 1493 verify_header_sender = TRUE;
059ec3d9
PH
1494 }
1495
1496/* Otherwise, first item in verify argument must be "sender" or "recipient".
1497In the case of a sender, this can optionally be followed by an address to use
1498in place of the actual sender (rare special-case requirement). */
1499
1500else if (strncmpic(ss, US"sender", 6) == 0)
1501 {
1502 uschar *s = ss + 6;
1503 if (where > ACL_WHERE_NOTSMTP)
1504 {
1505 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1506 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1507 acl_wherenames[where]);
1508 return ERROR;
1509 }
1510 if (*s == 0)
1511 verify_sender_address = sender_address;
1512 else
1513 {
1514 while (isspace(*s)) s++;
1515 if (*s++ != '=') goto BAD_VERIFY;
1516 while (isspace(*s)) s++;
1517 verify_sender_address = string_copy(s);
1518 }
1519 }
1520else
1521 {
1522 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1523 if (addr == NULL)
1524 {
1525 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1526 "(only possible for RCPT)", acl_wherenames[where]);
1527 return ERROR;
1528 }
1529 }
1530
596875b3
PH
1531/* Remaining items are optional; they apply to sender and recipient
1532verification, including "header sender" verification. */
059ec3d9
PH
1533
1534while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1535 != NULL)
1536 {
1537 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1538 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1539 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH
1540
1541 /* These two old options are left for backwards compatibility */
1542
1543 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1544 {
1545 callout_defer_ok = TRUE;
1546 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1547 }
1548
1549 else if (strcmpic(ss, US"check_postmaster") == 0)
1550 {
1551 pm_mailfrom = US"";
1552 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1553 }
1554
1555 /* The callout option has a number of sub-options, comma separated */
1556
1557 else if (strncmpic(ss, US"callout", 7) == 0)
1558 {
1559 callout = CALLOUT_TIMEOUT_DEFAULT;
1560 ss += 7;
1561 if (*ss != 0)
1562 {
1563 while (isspace(*ss)) ss++;
1564 if (*ss++ == '=')
1565 {
1566 int optsep = ',';
1567 uschar *opt;
1568 uschar buffer[256];
1569 while (isspace(*ss)) ss++;
8e669ac1
PH
1570
1571 /* This callout option handling code has become a mess as new options
1572 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1573 kind of table-driven thing. */
8e669ac1 1574
059ec3d9
PH
1575 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1576 != NULL)
1577 {
1578 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1579 else if (strcmpic(opt, US"no_cache") == 0)
1580 verify_options |= vopt_callout_no_cache;
1581 else if (strcmpic(opt, US"random") == 0)
1582 verify_options |= vopt_callout_random;
1583 else if (strcmpic(opt, US"use_sender") == 0)
1584 verify_options |= vopt_callout_recipsender;
1585 else if (strcmpic(opt, US"use_postmaster") == 0)
1586 verify_options |= vopt_callout_recippmaster;
1587 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
2a4be8f9
PH
1588 else if (strcmpic(opt, US"fullpostmaster") == 0)
1589 {
1590 pm_mailfrom = US"";
1591 verify_options |= vopt_callout_fullpm;
1592 }
059ec3d9
PH
1593
1594 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1595 {
1596 if (!verify_header_sender)
1597 {
1598 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1599 "callout option only for verify=header_sender (detected in ACL "
1600 "condition \"%s\")", arg);
1601 return ERROR;
1602 }
1603 opt += 8;
1604 while (isspace(*opt)) opt++;
1605 if (*opt++ != '=')
1606 {
1607 *log_msgptr = string_sprintf("'=' expected after "
1608 "\"mailfrom\" in ACL condition \"%s\"", arg);
1609 return ERROR;
1610 }
1611 while (isspace(*opt)) opt++;
1612 se_mailfrom = string_copy(opt);
1613 }
1614
1615 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1616 {
1617 opt += 19;
1618 while (isspace(*opt)) opt++;
1619 if (*opt++ != '=')
1620 {
1621 *log_msgptr = string_sprintf("'=' expected after "
1622 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1623 return ERROR;
1624 }
1625 while (isspace(*opt)) opt++;
1626 pm_mailfrom = string_copy(opt);
1627 }
1628
1629 else if (strncmpic(opt, US"maxwait", 7) == 0)
1630 {
1631 opt += 7;
1632 while (isspace(*opt)) opt++;
1633 if (*opt++ != '=')
1634 {
1635 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1636 "ACL condition \"%s\"", arg);
1637 return ERROR;
1638 }
1639 while (isspace(*opt)) opt++;
1640 callout_overall = readconf_readtime(opt, 0, FALSE);
1641 if (callout_overall < 0)
1642 {
1643 *log_msgptr = string_sprintf("bad time value in ACL condition "
1644 "\"verify %s\"", arg);
1645 return ERROR;
1646 }
1647 }
4deaf07d
PH
1648 else if (strncmpic(opt, US"connect", 7) == 0)
1649 {
1650 opt += 7;
1651 while (isspace(*opt)) opt++;
1652 if (*opt++ != '=')
1653 {
1654 *log_msgptr = string_sprintf("'=' expected after "
1655 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1656 return ERROR;
1657 }
1658 while (isspace(*opt)) opt++;
1659 callout_connect = readconf_readtime(opt, 0, FALSE);
1660 if (callout_connect < 0)
1661 {
1662 *log_msgptr = string_sprintf("bad time value in ACL condition "
1663 "\"verify %s\"", arg);
1664 return ERROR;
1665 }
1666 }
059ec3d9
PH
1667 else /* Plain time is callout connect/command timeout */
1668 {
1669 callout = readconf_readtime(opt, 0, FALSE);
1670 if (callout < 0)
1671 {
1672 *log_msgptr = string_sprintf("bad time value in ACL condition "
1673 "\"verify %s\"", arg);
1674 return ERROR;
1675 }
1676 }
1677 }
1678 }
1679 else
1680 {
1681 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1682 "ACL condition \"%s\"", arg);
1683 return ERROR;
1684 }
1685 }
1686 }
1687
1688 /* Option not recognized */
1689
1690 else
1691 {
1692 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1693 "condition \"verify %s\"", ss, arg);
1694 return ERROR;
1695 }
1696 }
1697
1698if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1699 (vopt_callout_recipsender|vopt_callout_recippmaster))
1700 {
1701 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1702 "for a recipient callout";
1703 return ERROR;
1704 }
1705
1706/* Handle sender-in-header verification. Default the user message to the log
1707message if giving out verification details. */
1708
1709if (verify_header_sender)
1710 {
8e669ac1 1711 int verrno;
059ec3d9 1712 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH
1713 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1714 &verrno);
1715 if (rc != OK)
8e669ac1 1716 {
fe5b5d0b
PH
1717 *basic_errno = verrno;
1718 if (smtp_return_error_details)
1719 {
1720 if (*user_msgptr == NULL && *log_msgptr != NULL)
1721 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1722 if (rc == DEFER) acl_temp_details = TRUE;
1723 }
8e669ac1 1724 }
059ec3d9
PH
1725 }
1726
1727/* Handle a sender address. The default is to verify *the* sender address, but
1728optionally a different address can be given, for special requirements. If the
1729address is empty, we are dealing with a bounce message that has no sender, so
1730we cannot do any checking. If the real sender address gets rewritten during
1731verification (e.g. DNS widening), set the flag to stop it being rewritten again
1732during message reception.
1733
1734A list of verified "sender" addresses is kept to try to avoid doing to much
1735work repetitively when there are multiple recipients in a message and they all
1736require sender verification. However, when callouts are involved, it gets too
1737complicated because different recipients may require different callout options.
1738Therefore, we always do a full sender verify when any kind of callout is
1739specified. Caching elsewhere, for instance in the DNS resolver and in the
1740callout handling, should ensure that this is not terribly inefficient. */
1741
1742else if (verify_sender_address != NULL)
1743 {
1744 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1745 != 0)
1746 {
1747 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1748 "sender verify callout";
1749 return ERROR;
1750 }
1751
1752 sender_vaddr = verify_checked_sender(verify_sender_address);
1753 if (sender_vaddr != NULL && /* Previously checked */
1754 callout <= 0) /* No callout needed this time */
1755 {
1756 /* If the "routed" flag is set, it means that routing worked before, so
1757 this check can give OK (the saved return code value, if set, belongs to a
1758 callout that was done previously). If the "routed" flag is not set, routing
1759 must have failed, so we use the saved return code. */
1760
1761 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1762 {
1763 rc = sender_vaddr->special_action;
1764 *basic_errno = sender_vaddr->basic_errno;
1765 }
1766 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1767 }
1768
1769 /* Do a new verification, and cache the result. The cache is used to avoid
1770 verifying the sender multiple times for multiple RCPTs when callouts are not
1771 specified (see comments above).
1772
1773 The cache is also used on failure to give details in response to the first
1774 RCPT that gets bounced for this reason. However, this can be suppressed by
1775 the no_details option, which sets the flag that says "this detail has already
1776 been sent". The cache normally contains just one address, but there may be
1777 more in esoteric circumstances. */
1778
1779 else
1780 {
1781 BOOL routed = TRUE;
2a3eea10 1782 uschar *save_address_data = deliver_address_data;
8e669ac1 1783
059ec3d9
PH
1784 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1785 if (no_details) setflag(sender_vaddr, af_sverify_told);
1786 if (verify_sender_address[0] != 0)
1787 {
1788 /* If this is the real sender address, save the unrewritten version
1789 for use later in receive. Otherwise, set a flag so that rewriting the
1790 sender in verify_address() does not update sender_address. */
1791
1792 if (verify_sender_address == sender_address)
1793 sender_address_unrewritten = sender_address;
1794 else
1795 verify_options |= vopt_fake_sender;
1796
eafd343b
TK
1797 if (success_on_redirect)
1798 verify_options |= vopt_success_on_redirect;
1799
059ec3d9
PH
1800 /* The recipient, qualify, and expn options are never set in
1801 verify_options. */
1802
1803 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1804 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH
1805
1806 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1807
1808 if (rc == OK)
1809 {
1810 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1811 {
1812 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1813 verify_sender_address, sender_vaddr->address);
1814 }
1815 else
1816 {
1817 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1818 verify_sender_address);
1819 }
1820 }
1821 else *basic_errno = sender_vaddr->basic_errno;
1822 }
1823 else rc = OK; /* Null sender */
1824
1825 /* Cache the result code */
1826
1827 if (routed) setflag(sender_vaddr, af_verify_routed);
1828 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1829 sender_vaddr->special_action = rc;
1830 sender_vaddr->next = sender_verified_list;
1831 sender_verified_list = sender_vaddr;
8e669ac1
PH
1832
1833 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1834 the sender verification. */
8e669ac1 1835
2a3eea10 1836 deliver_address_data = save_address_data;
059ec3d9 1837 }
8e669ac1 1838
2a3eea10
PH
1839 /* Put the sender address_data value into $sender_address_data */
1840
8e669ac1 1841 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH
1842 }
1843
1844/* A recipient address just gets a straightforward verify; again we must handle
1845the DEFER overrides. */
1846
1847else
1848 {
1849 address_item addr2;
1850
eafd343b
TK
1851 if (success_on_redirect)
1852 verify_options |= vopt_success_on_redirect;
1853
059ec3d9
PH
1854 /* We must use a copy of the address for verification, because it might
1855 get rewritten. */
1856
1857 addr2 = *addr;
1858 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1859 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1860 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1861
059ec3d9 1862 *log_msgptr = addr2.message;
8e669ac1 1863 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1864 addr2.user_message : addr2.message;
059ec3d9
PH
1865 *basic_errno = addr2.basic_errno;
1866
1867 /* Make $address_data visible */
1868 deliver_address_data = addr2.p.address_data;
1869 }
1870
1871/* We have a result from the relevant test. Handle defer overrides first. */
1872
1873if (rc == DEFER && (defer_ok ||
1874 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1875 {
1876 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1877 defer_ok? "defer_ok" : "callout_defer_ok");
1878 rc = OK;
1879 }
1880
1881/* If we've failed a sender, set up a recipient message, and point
1882sender_verified_failed to the address item that actually failed. */
1883
1884if (rc != OK && verify_sender_address != NULL)
1885 {
1886 if (rc != DEFER)
1887 {
1888 *log_msgptr = *user_msgptr = US"Sender verify failed";
1889 }
1890 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1891 {
1892 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1893 }
1894 else
1895 {
1896 *log_msgptr = US"Could not complete sender verify callout";
1897 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1898 *log_msgptr;
1899 }
1900
1901 sender_verified_failed = sender_vaddr;
1902 }
1903
1904/* Verifying an address messes up the values of $domain and $local_part,
1905so reset them before returning if this is a RCPT ACL. */
1906
1907if (addr != NULL)
1908 {
1909 deliver_domain = addr->domain;
1910 deliver_localpart = addr->local_part;
1911 }
1912return rc;
1913
1914/* Syntax errors in the verify argument come here. */
1915
1916BAD_VERIFY:
1917*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH
1918 "\"helo\", \"header_syntax\", \"header_sender\" or "
1919 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH
1920 "\"verify %s\"", arg);
1921return ERROR;
596875b3
PH
1922
1923/* Options supplied when not allowed come here */
1924
1925NO_OPTIONS:
1926*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1927 "(this verify item has no options)", arg);
1928return ERROR;
1c41c9cc
PH
1929
1930/* Calls in the wrong ACL come here */
1931
1932WRONG_ACL:
1933*log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1934 "(only possible in ACL for DATA)", acl_wherenames[where]);
1935return ERROR;
059ec3d9
PH
1936}
1937
1938
1939
1940
1941/*************************************************
1942* Check argument for control= modifier *
1943*************************************************/
1944
1945/* Called from acl_check_condition() below
1946
1947Arguments:
1948 arg the argument string for control=
1949 pptr set to point to the terminating character
1950 where which ACL we are in
1951 log_msgptr for error messages
1952
1953Returns: CONTROL_xxx value
1954*/
1955
1956static int
1957decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1958{
1959int len;
1960control_def *d;
1961
1962for (d = controls_list;
1963 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1964 d++)
1965 {
1966 len = Ustrlen(d->name);
1967 if (Ustrncmp(d->name, arg, len) == 0) break;
1968 }
1969
1970if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1971 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1972 {
1973 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1974 return CONTROL_ERROR;
1975 }
1976
059ec3d9
PH
1977*pptr = arg + len;
1978return d->value;
1979}
1980
1981
1982
1983/*************************************************
870f6ba8
TF
1984* Handle rate limiting *
1985*************************************************/
1986
1987/* Called by acl_check_condition() below to calculate the result
1988of the ACL ratelimit condition.
1989
1990Note that the return value might be slightly unexpected: if the
1991sender's rate is above the limit then the result is OK. This is
1992similar to the dnslists condition, and is so that you can write
1993ACL clauses like: defer ratelimit = 15 / 1h
1994
1995Arguments:
1996 arg the option string for ratelimit=
1997 log_msgptr for error messages
1998
1999Returns: OK - Sender's rate is above limit
2000 FAIL - Sender's rate is below limit
2001 DEFER - Problem opening ratelimit database
2002 ERROR - Syntax error in options.
2003*/
2004
2005static int
2006acl_ratelimit(uschar *arg, uschar **log_msgptr)
2007{
2008double limit, period;
f3dcf4a2 2009uschar *ss, *key;
870f6ba8
TF
2010int sep = '/';
2011BOOL have_key = FALSE, leaky = FALSE, strict = FALSE;
2012BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2013int old_pool, rc;
2014tree_node **anchor, *t;
2015open_db dbblock, *dbm;
2016dbdata_ratelimit *dbd;
2017struct timeval tv;
2018
2019/* Parse the first two options and record their values in expansion
2020variables. These variables allow the configuration to have informative
2021error messages based on rate limits obtained from a table lookup. */
2022
2023/* First is the maximum number of messages per period and maximum burst
2024size, which must be greater than or equal to zero. Zero is useful for
2025rate measurement as opposed to rate limiting. */
2026
2027sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2028if (sender_rate_limit == NULL)
2029 limit = -1.0;
2030else
2031 {
2032 limit = Ustrtod(sender_rate_limit, &ss);
2033 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2034 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2035 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2036 }
2037if (limit < 0.0 || *ss != 0)
2038 {
2039 *log_msgptr = string_sprintf("syntax error in argument for "
2040 "\"ratelimit\" condition: \"%s\" is not a positive number",
2041 sender_rate_limit);
2042 return ERROR;
2043 }
2044
f3dcf4a2
TF
2045/* We use the rest of the argument list following the limit as the
2046lookup key, because it doesn't make sense to use the same stored data
2047if the period or options are different. */
2048
2049key = arg;
2050
870f6ba8
TF
2051/* Second is the rate measurement period and exponential smoothing time
2052constant. This must be strictly greater than zero, because zero leads to
2053run-time division errors. */
2054
2055sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2056if (sender_rate_period == NULL) period = -1.0;
2057else period = readconf_readtime(sender_rate_period, 0, FALSE);
2058if (period <= 0.0)
2059 {
2060 *log_msgptr = string_sprintf("syntax error in argument for "
2061 "\"ratelimit\" condition: \"%s\" is not a time value",
2062 sender_rate_period);
2063 return ERROR;
2064 }
2065
2066/* Parse the other options. Should we check if the per_* options are being
2067used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2068
2069while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2070 != NULL)
2071 {
2072 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2073 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2074 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
2075 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2076 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2077 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
2078 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
2079 else have_key = TRUE;
2080 }
2081if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2082 {
2083 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2084 return ERROR;
2085 }
2086
2087/* Default option values */
2088if (!strict) leaky = TRUE;
2089if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2090
f3dcf4a2 2091/* If there is no explicit key, use the sender_host_address. If there is no
870f6ba8
TF
2092sender_host_address (e.g. -bs or acl_not_smtp) then we simply omit it. */
2093
2094if (!have_key && sender_host_address != NULL)
2095 key = string_sprintf("%s / %s", key, sender_host_address);
2096
2097HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2098 limit, period, key);
2099
fe0dab11 2100/* See if we have already computed the rate by looking in the relevant tree. For
870f6ba8
TF
2101per-connection rate limiting, store tree nodes and dbdata in the permanent pool
2102so that they survive across resets. */
2103
2104anchor = NULL;
2105old_pool = store_pool;
2106
2107if (per_conn)
2108 {
2109 anchor = &ratelimiters_conn;
2110 store_pool = POOL_PERM;
2111 }
fe0dab11 2112else if (per_mail || per_byte)
870f6ba8 2113 anchor = &ratelimiters_mail;
fe0dab11
TF
2114else if (per_cmd)
2115 anchor = &ratelimiters_cmd;
870f6ba8
TF
2116
2117if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2118 {
2119 dbd = t->data.ptr;
2120 /* The following few lines duplicate some of the code below. */
3348576f
TF
2121 if (dbd->rate < limit) rc = FAIL;
2122 else rc = OK;
870f6ba8
TF
2123 store_pool = old_pool;
2124 sender_rate = string_sprintf("%.1f", dbd->rate);
2125 HDEBUG(D_acl)
2126 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2127 return rc;
2128 }
2129
2130/* We aren't using a pre-computed rate, so get a previously recorded
2131rate from the database, update it, and write it back. If there's no
2132previous rate for this key, create one. */
2133
2134dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2135if (dbm == NULL)
2136 {
2137 store_pool = old_pool;
2138 sender_rate = NULL;
2139 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2140 *log_msgptr = US"ratelimit database not available";
2141 return DEFER;
2142 }
2143dbd = dbfn_read(dbm, key);
2144
2145gettimeofday(&tv, NULL);
2146
2147if (dbd == NULL)
2148 {
2149 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2150 dbd = store_get(sizeof(dbdata_ratelimit));
2151 dbd->time_stamp = tv.tv_sec;
2152 dbd->time_usec = tv.tv_usec;
2153 dbd->rate = 0.0;
2154 }
2155else
2156 {
2157 /* The smoothed rate is computed using an exponentially weighted moving
2158 average adjusted for variable sampling intervals. The standard EWMA for
2159 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2160 where f() is the measured value and f'() is the smoothed value.
2161
2162 Old data decays out of the smoothed value exponentially, such that data n
2163 samples old is multiplied by a^n. The exponential decay time constant p
2164 is defined such that data p samples old is multiplied by 1/e, which means
2165 that a = exp(-1/p). We can maintain the same time constant for a variable
2166 sampling interval i by using a = exp(-i/p).
2167
2168 The rate we are measuring is messages per period, suitable for directly
2169 comparing with the limit. The average rate between now and the previous
2170 message is period / interval, which we feed into the EWMA as the sample.
2171
2172 It turns out that the number of messages required for the smoothed rate
2173 to reach the limit when they are sent in a burst is equal to the limit.
2174 This can be seen by analysing the value of the smoothed rate after N
2175 messages sent at even intervals. Let k = (1 - a) * p/i
2176
2177 rate_1 = (1 - a) * p/i + a * rate_0
2178 = k + a * rate_0
2179 rate_2 = k + a * rate_1
2180 = k + a * k + a^2 * rate_0
2181 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2182 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2183 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2184 = rate_0 * a^N + p/i * (1 - a^N)
2185
2186 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2187
2188 rate_N = p/i + (rate_0 - p/i) * a^N
2189 a^N = (rate_N - p/i) / (rate_0 - p/i)
2190 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2191 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2192
2193 Numerical analysis of the above equation, setting the computed rate to
2194 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2195 rates, p/i, the number of messages N = limit. So limit serves as both the
2196 maximum rate measured in messages per period, and the maximum number of
2197 messages that can be sent in a fast burst. */
2198
2199 double this_time = (double)tv.tv_sec
2200 + (double)tv.tv_usec / 1000000.0;
2201 double prev_time = (double)dbd->time_stamp
2202 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF
2203
2204 /* We must avoid division by zero, and deal gracefully with the clock going
2205 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2206 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2207
e5d5a95f
TF
2208 double interval = this_time - prev_time <= 0.0 ? 1e-9
2209 : this_time - prev_time;
2210
2211 double i_over_p = interval / period;
2212 double a = exp(-i_over_p);
870f6ba8
TF
2213
2214 dbd->time_stamp = tv.tv_sec;
2215 dbd->time_usec = tv.tv_usec;
2216
2217 /* If we are measuring the rate in bytes per period, multiply the
2218 measured rate by the message size. If we don't know the message size
2219 then it's safe to just use a value of zero and let the recorded rate
2220 decay as if nothing happened. */
2221
2222 if (per_byte)
2223 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2224 * (1 - a) / i_over_p + a * dbd->rate;
2225 else
2226 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2227 }
2228
3348576f
TF
2229/* Clients sending at the limit are considered to be over the limit. This
2230matters for edge cases such the first message sent by a client (which gets
2231the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2232be completely blocked). */
2233
2234if (dbd->rate < limit) rc = FAIL;
2235 else rc = OK;
870f6ba8
TF
2236
2237/* Update the state if the rate is low or if we are being strict. If we
2238are in leaky mode and the sender's rate is too high, we do not update
2239the recorded rate in order to avoid an over-aggressive sender's retry
2240rate preventing them from getting any email through. */
2241
2242if (rc == FAIL || !leaky)
2243 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
2244dbfn_close(dbm);
2245
2246/* Store the result in the tree for future reference, if necessary. */
2247
2248if (anchor != NULL)
2249 {
2250 t = store_get(sizeof(tree_node) + Ustrlen(key));
2251 t->data.ptr = dbd;
2252 Ustrcpy(t->name, key);
2253 (void)tree_insertnode(anchor, t);
2254 }
2255
2256/* We create the formatted version of the sender's rate very late in
2257order to ensure that it is done using the correct storage pool. */
2258
2259store_pool = old_pool;
2260sender_rate = string_sprintf("%.1f", dbd->rate);
2261
2262HDEBUG(D_acl)
2263 debug_printf("ratelimit computed rate %s\n", sender_rate);
2264
2265return rc;
2266}
2267
2268
2269
2270/*************************************************
059ec3d9
PH
2271* Handle conditions/modifiers on an ACL item *
2272*************************************************/
2273
2274/* Called from acl_check() below.
2275
2276Arguments:
2277 verb ACL verb
2278 cb ACL condition block - if NULL, result is OK
2279 where where called from
2280 addr the address being checked for RCPT, or NULL
2281 level the nesting level
2282 epp pointer to pass back TRUE if "endpass" encountered
2283 (applies only to "accept" and "discard")
2284 user_msgptr user message pointer
2285 log_msgptr log message pointer
2286 basic_errno pointer to where to put verify error
2287
2288Returns: OK - all conditions are met
2289 DISCARD - an "acl" condition returned DISCARD - only allowed
2290 for "accept" or "discard" verbs
2291 FAIL - at least one condition fails
2292 FAIL_DROP - an "acl" condition returned FAIL_DROP
2293 DEFER - can't tell at the moment (typically, lookup defer,
2294 but can be temporary callout problem)
2295 ERROR - ERROR from nested ACL or expansion failure or other
2296 error
2297*/
2298
2299static int
2300acl_check_condition(int verb, acl_condition_block *cb, int where,
2301 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2302 uschar **log_msgptr, int *basic_errno)
2303{
2304uschar *user_message = NULL;
2305uschar *log_message = NULL;
2306uschar *p;
2307int rc = OK;
8523533c
TK
2308#ifdef WITH_CONTENT_SCAN
2309int sep = '/';
2310#endif
059ec3d9
PH
2311
2312for (; cb != NULL; cb = cb->next)
2313 {
2314 uschar *arg;
8e669ac1 2315 int control_type;
059ec3d9
PH
2316
2317 /* The message and log_message items set up messages to be used in
2318 case of rejection. They are expanded later. */
2319
2320 if (cb->type == ACLC_MESSAGE)
2321 {
2322 user_message = cb->arg;
2323 continue;
2324 }
2325
2326 if (cb->type == ACLC_LOG_MESSAGE)
2327 {
2328 log_message = cb->arg;
2329 continue;
2330 }
2331
2332 /* The endpass "condition" just sets a flag to show it occurred. This is
2333 checked at compile time to be on an "accept" or "discard" item. */
2334
2335 if (cb->type == ACLC_ENDPASS)
2336 {
2337 *epp = TRUE;
2338 continue;
2339 }
2340
2341 /* For other conditions and modifiers, the argument is expanded now for some
2342 of them, but not for all, because expansion happens down in some lower level
2343 checking functions in some cases. */
2344
2345 if (cond_expand_at_top[cb->type])
2346 {
2347 arg = expand_string(cb->arg);
2348 if (arg == NULL)
2349 {
2350 if (expand_string_forcedfail) continue;
2351 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2352 cb->arg, expand_string_message);
2353 return search_find_defer? DEFER : ERROR;
2354 }
2355 }
2356 else arg = cb->arg;
2357
2358 /* Show condition, and expanded condition if it's different */
2359
2360 HDEBUG(D_acl)
2361 {
2362 int lhswidth = 0;
2363 debug_printf("check %s%s %n",
2364 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2365 conditions[cb->type], &lhswidth);
2366
2367 if (cb->type == ACLC_SET)
2368 {
2369 int n = cb->u.varnumber;
47ca6d6c
PH
2370 int t = (n < ACL_CVARS)? 'c' : 'm';
2371 if (n >= ACL_CVARS) n -= ACL_CVARS;
059ec3d9
PH
2372 debug_printf("acl_%c%d ", t, n);
2373 lhswidth += 7;
2374 }
2375
2376 debug_printf("= %s\n", cb->arg);
2377
2378 if (arg != cb->arg)
2379 debug_printf("%.*s= %s\n", lhswidth,
2380 US" ", CS arg);
2381 }
2382
2383 /* Check that this condition makes sense at this time */
2384
2385 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2386 {
2387 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2388 cond_modifiers[cb->type]? "use" : "test",
2389 conditions[cb->type], acl_wherenames[where]);
2390 return ERROR;
2391 }
2392
2393 /* Run the appropriate test for each condition, or take the appropriate
2394 action for the remaining modifiers. */
2395
2396 switch(cb->type)
2397 {
2398 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2399 "discard" verb. */
6a3f1455 2400\
059ec3d9
PH
2401 case ACLC_ACL:
2402 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2403 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2404 {
2405 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2406 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2407 verbs[verb]);
2408 return ERROR;
2409 }
2410 break;
2411
2412 case ACLC_AUTHENTICATED:
2413 rc = (sender_host_authenticated == NULL)? FAIL :
2414 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2415 TRUE, NULL);
2416 break;
2417
8523533c
TK
2418#ifdef EXPERIMENTAL_BRIGHTMAIL
2419 case ACLC_BMI_OPTIN:
2420 {
2421 int old_pool = store_pool;
2422 store_pool = POOL_PERM;
2423 bmi_current_optin = string_copy(arg);
2424 store_pool = old_pool;
2425 }
2426 break;
2427#endif
2428
059ec3d9
PH
2429 case ACLC_CONDITION:
2430 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2431 rc = (Uatoi(arg) == 0)? FAIL : OK;
2432 else
2433 rc = (strcmpic(arg, US"no") == 0 ||
2434 strcmpic(arg, US"false") == 0)? FAIL :
2435 (strcmpic(arg, US"yes") == 0 ||
2436 strcmpic(arg, US"true") == 0)? OK : DEFER;
2437 if (rc == DEFER)
2438 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2439 break;
2440
2441 case ACLC_CONTROL:
c5fcb476
PH
2442 control_type = decode_control(arg, &p, where, log_msgptr);
2443
8523533c 2444 /* Check if this control makes sense at this time */
c5fcb476
PH
2445
2446 if ((control_forbids[control_type] & (1 << where)) != 0)
2447 {
2448 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2449 controls[control_type], acl_wherenames[where]);
2450 return ERROR;
8e669ac1 2451 }
c5fcb476
PH
2452
2453 switch(control_type)
059ec3d9 2454 {
c46782ef
PH
2455 case CONTROL_AUTH_UNADVERTISED:
2456 allow_auth_unadvertised = TRUE;
2457 break;
2458
2459 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK
2460 case CONTROL_BMI_RUN:
2461 bmi_run = 1;
2462 break;
c46782ef
PH
2463 #endif
2464
2465 #ifdef EXPERIMENTAL_DOMAINKEYS
fb2274d4
TK
2466 case CONTROL_DK_VERIFY:
2467 dk_do_verify = 1;
2468 break;
c46782ef
PH
2469 #endif
2470
059ec3d9
PH
2471 case CONTROL_ERROR:
2472 return ERROR;
2473
2474 case CONTROL_CASEFUL_LOCAL_PART:
2475 deliver_localpart = addr->cc_local_part;
2476 break;
2477
2478 case CONTROL_CASELOWER_LOCAL_PART:
2479 deliver_localpart = addr->lc_local_part;
2480 break;
2481
2482 case CONTROL_ENFORCE_SYNC:
2483 smtp_enforce_sync = TRUE;
2484 break;
2485
2486 case CONTROL_NO_ENFORCE_SYNC:
2487 smtp_enforce_sync = FALSE;
2488 break;
2489
c46782ef 2490 #ifdef WITH_CONTENT_SCAN
8523533c
TK
2491 case CONTROL_NO_MBOX_UNSPOOL:
2492 no_mbox_unspool = TRUE;
2493 break;
c46782ef 2494 #endif
8523533c 2495
059ec3d9
PH
2496 case CONTROL_NO_MULTILINE:
2497 no_multiline_responses = TRUE;
2498 break;
2499
29aba418 2500 case CONTROL_FAKEDEFER:
8523533c 2501 case CONTROL_FAKEREJECT:
29aba418 2502 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2503 if (*p == '/')
8e669ac1 2504 {
8523533c 2505 uschar *pp = p + 1;
8e669ac1 2506 while (*pp != 0) pp++;
29aba418 2507 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK
2508 p = pp;
2509 }
2510 else
2511 {
2512 /* Explicitly reset to default string */
29aba418 2513 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK
2514 }
2515 break;
8523533c 2516
059ec3d9
PH
2517 case CONTROL_FREEZE:
2518 deliver_freeze = TRUE;
2519 deliver_frozen_at = time(NULL);
6a3f1455
PH
2520 freeze_tell = freeze_tell_config; /* Reset to configured value */
2521 if (Ustrncmp(p, "/no_tell", 8) == 0)
2522 {
2523 p += 8;
2524 freeze_tell = NULL;
2525 }
2526 if (*p != 0)
2527 {
2528 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2529 return ERROR;
2530 }
059ec3d9
PH
2531 break;
2532
2533 case CONTROL_QUEUE_ONLY:
2534 queue_only_policy = TRUE;
2535 break;
2536
2537 case CONTROL_SUBMISSION:
87ba3f5f 2538 originator_name = US"";
059ec3d9 2539 submission_mode = TRUE;
69358f02 2540 while (*p == '/')
8e669ac1 2541 {
69358f02
PH
2542 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2543 {
2544 p += 14;
2545 active_local_sender_retain = TRUE;
8e669ac1
PH
2546 active_local_from_check = FALSE;
2547 }
69358f02
PH
2548 else if (Ustrncmp(p, "/domain=", 8) == 0)
2549 {
2550 uschar *pp = p + 8;
8e669ac1 2551 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH
2552 submission_domain = string_copyn(p+8, pp-p-8);
2553 p = pp;
2554 }
8857ccfd
PH
2555 /* The name= option must be last, because it swallows the rest of
2556 the string. */
87ba3f5f
PH
2557 else if (Ustrncmp(p, "/name=", 6) == 0)
2558 {
2559 uschar *pp = p + 6;
8857ccfd 2560 while (*pp != 0) pp++;
2fe1a124 2561 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 2562 big_buffer, big_buffer_size));
8e669ac1 2563 p = pp;
69358f02 2564 }
8e669ac1
PH
2565 else break;
2566 }
69358f02 2567 if (*p != 0)
059ec3d9 2568 {
69358f02 2569 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH
2570 return ERROR;
2571 }
2572 break;
8800895a
PH
2573
2574 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2575 suppress_local_fixups = TRUE;
2576 break;
059ec3d9
PH
2577 }
2578 break;
2579
8523533c
TK
2580#ifdef WITH_CONTENT_SCAN
2581 case ACLC_DECODE:
2582 rc = mime_decode(&arg);
2583 break;
2584#endif
2585
059ec3d9
PH
2586 case ACLC_DELAY:
2587 {
2588 int delay = readconf_readtime(arg, 0, FALSE);
2589 if (delay < 0)
2590 {
2591 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2592 "modifier: \"%s\" is not a time value", arg);
2593 return ERROR;
2594 }
2595 else
2596 {
2597 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2598 delay);
2599 if (host_checking)
2600 {
2601 HDEBUG(D_acl)
2602 debug_printf("delay skipped in -bh checking mode\n");
2603 }
010c2d14
PH
2604
2605 /* It appears to be impossible to detect that a TCP/IP connection has
2606 gone away without reading from it. This means that we cannot shorten
2607 the delay below if the client goes away, because we cannot discover
2608 that the client has closed its end of the connection. (The connection
2609 is actually in a half-closed state, waiting for the server to close its
2610 end.) It would be nice to be able to detect this state, so that the
2611 Exim process is not held up unnecessarily. However, it seems that we
2612 can't. The poll() function does not do the right thing, and in any case
2613 it is not always available.
2614
2615 NOTE: If ever this state of affairs changes, remember that we may be
2616 dealing with stdin/stdout here, in addition to TCP/IP connections.
2617 Whatever is done must work in both cases. To detected the stdin/stdout
2618 case, check for smtp_in or smtp_out being NULL. */
2619
8e669ac1 2620 else
86b8287f
PH
2621 {
2622 while (delay > 0) delay = sleep(delay);
8e669ac1 2623 }
059ec3d9
PH
2624 }
2625 }
2626 break;
2627
8523533c
TK
2628#ifdef WITH_OLD_DEMIME
2629 case ACLC_DEMIME:
2630 rc = demime(&arg);
2631 break;
2632#endif
2633
fb2274d4
TK
2634#ifdef EXPERIMENTAL_DOMAINKEYS
2635 case ACLC_DK_DOMAIN_SOURCE:
2636 if (dk_verify_block == NULL) { rc = FAIL; break; };
2637 /* check header source of domain against given string */
2638 switch (dk_verify_block->address_source) {
2639 case DK_EXIM_ADDRESS_FROM_FROM:
2640 rc = match_isinlist(US"from", &arg, 0, NULL,
2641 NULL, MCL_STRING, TRUE, NULL);
2642 break;
2643 case DK_EXIM_ADDRESS_FROM_SENDER:
2644 rc = match_isinlist(US"sender", &arg, 0, NULL,
2645 NULL, MCL_STRING, TRUE, NULL);
2646 break;
2647 case DK_EXIM_ADDRESS_NONE:
2648 rc = match_isinlist(US"none", &arg, 0, NULL,
2649 NULL, MCL_STRING, TRUE, NULL);
2650 break;
2651 }
2652 break;
2653 case ACLC_DK_POLICY:
2654 if (dk_verify_block == NULL) { rc = FAIL; break; };
2655 /* check policy against given string, default FAIL */
2656 rc = FAIL;
2657 if (dk_verify_block->signsall)
2658 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2659 NULL, MCL_STRING, TRUE, NULL);
2660 if (dk_verify_block->testing)
2661 rc = match_isinlist(US"testing", &arg, 0, NULL,
2662 NULL, MCL_STRING, TRUE, NULL);
2663 break;
2664 case ACLC_DK_SENDER_DOMAINS:
2665 if (dk_verify_block == NULL) { rc = FAIL; break; };
2666 if (dk_verify_block->domain != NULL)
2667 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2668 NULL, MCL_DOMAIN, TRUE, NULL);
2669 else rc = FAIL;
2670 break;
2671 case ACLC_DK_SENDER_LOCAL_PARTS:
2672 if (dk_verify_block == NULL) { rc = FAIL; break; };
2673 if (dk_verify_block->local_part != NULL)
2674 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2675 NULL, MCL_LOCALPART, TRUE, NULL);
2676 else rc = FAIL;
2677 break;
2678 case ACLC_DK_SENDERS:
2679 if (dk_verify_block == NULL) { rc = FAIL; break; };
2680 if (dk_verify_block->address != NULL)
2681 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2682 else rc = FAIL;
2683 break;
2684 case ACLC_DK_STATUS:
2685 if (dk_verify_block == NULL) { rc = FAIL; break; };
2686 if (dk_verify_block->result > 0) {
2687 switch(dk_verify_block->result) {
2688 case DK_EXIM_RESULT_BAD_FORMAT:
2689 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2690 NULL, MCL_STRING, TRUE, NULL);
2691 break;
2692 case DK_EXIM_RESULT_NO_KEY:
2693 rc = match_isinlist(US"no key", &arg, 0, NULL,
2694 NULL, MCL_STRING, TRUE, NULL);
2695 break;
2696 case DK_EXIM_RESULT_NO_SIGNATURE:
2697 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2698 NULL, MCL_STRING, TRUE, NULL);
2699 break;
2700 case DK_EXIM_RESULT_REVOKED:
2701 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2702 NULL, MCL_STRING, TRUE, NULL);
2703 break;
2704 case DK_EXIM_RESULT_NON_PARTICIPANT:
2705 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2706 NULL, MCL_STRING, TRUE, NULL);
2707 break;
2708 case DK_EXIM_RESULT_GOOD:
2709 rc = match_isinlist(US"good", &arg, 0, NULL,
2710 NULL, MCL_STRING, TRUE, NULL);
2711 break;
2712 case DK_EXIM_RESULT_BAD:
2713 rc = match_isinlist(US"bad", &arg, 0, NULL,
2714 NULL, MCL_STRING, TRUE, NULL);
2715 break;
2716 }
2717 }
2718 break;
2719#endif
2720
059ec3d9
PH
2721 case ACLC_DNSLISTS:
2722 rc = verify_check_dnsbl(&arg);
2723 break;
2724
2725 case ACLC_DOMAINS:
2726 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2727 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2728 break;
2729
2730 /* The value in tls_cipher is the full cipher name, for example,
2731 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2732 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2733 what may in practice come out of the SSL library - which at the time of
2734 writing is poorly documented. */
2735
2736 case ACLC_ENCRYPTED:
2737 if (tls_cipher == NULL) rc = FAIL; else
2738 {
2739 uschar *endcipher = NULL;
2740 uschar *cipher = Ustrchr(tls_cipher, ':');
2741 if (cipher == NULL) cipher = tls_cipher; else
2742 {
2743 endcipher = Ustrchr(++cipher, ':');
2744 if (endcipher != NULL) *endcipher = 0;
2745 }
2746 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2747 if (endcipher != NULL) *endcipher = ':';
2748 }
2749 break;
2750
2751 /* Use verify_check_this_host() instead of verify_check_host() so that
2752 we can pass over &host_data to catch any looked up data. Once it has been
2753 set, it retains its value so that it's still there if another ACL verb
2754 comes through here and uses the cache. However, we must put it into
2755 permanent store in case it is also expected to be used in a subsequent
2756 message in the same SMTP connection. */
2757
2758 case ACLC_HOSTS:
2759 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2760 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2761 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2762 break;
2763
2764 case ACLC_LOCAL_PARTS:
2765 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2766 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2767 &deliver_localpart_data);
2768 break;
2769
2770 case ACLC_LOGWRITE:
2771 {
2772 int logbits = 0;
2773 uschar *s = arg;
2774 if (*s == ':')
2775 {
2776 s++;
2777 while (*s != ':')
2778 {
2779 if (Ustrncmp(s, "main", 4) == 0)
2780 { logbits |= LOG_MAIN; s += 4; }
2781 else if (Ustrncmp(s, "panic", 5) == 0)
2782 { logbits |= LOG_PANIC; s += 5; }
2783 else if (Ustrncmp(s, "reject", 6) == 0)
2784 { logbits |= LOG_REJECT; s += 6; }
2785 else
2786 {
2787 logbits = LOG_MAIN|LOG_PANIC;
2788 s = string_sprintf(":unknown log name in \"%s\" in "
2789 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2790 }
2791 if (*s == ',') s++;
2792 }
2793 s++;
2794 }
2795 while (isspace(*s)) s++;
2796 if (logbits == 0) logbits = LOG_MAIN;
2797 log_write(0, logbits, "%s", string_printing(s));
2798 }
2799 break;
8e669ac1 2800
8523533c
TK
2801#ifdef WITH_CONTENT_SCAN
2802 case ACLC_MALWARE:
2803 {
2804 /* Seperate the regular expression and any optional parameters. */
2805 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2806 /* Run the malware backend. */
2807 rc = malware(&ss);
2808 /* Modify return code based upon the existance of options. */
2809 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2810 != NULL) {
2811 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2812 {
2813 /* FAIL so that the message is passed to the next ACL */
2814 rc = FAIL;
2815 }
2816 }
2817 }
2818 break;
2819
2820 case ACLC_MIME_REGEX:
2821 rc = mime_regex(&arg);
2822 break;
2823#endif
059ec3d9 2824
870f6ba8
TF
2825 case ACLC_RATELIMIT:
2826 rc = acl_ratelimit(arg, log_msgptr);
2827 break;
2828
059ec3d9
PH
2829 case ACLC_RECIPIENTS:
2830 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2831 &recipient_data);
2832 break;
2833
8523533c
TK
2834#ifdef WITH_CONTENT_SCAN
2835 case ACLC_REGEX:
2836 rc = regex(&arg);
2837 break;
2838#endif
2839
059ec3d9
PH
2840 case ACLC_SENDER_DOMAINS:
2841 {
2842 uschar *sdomain;
2843 sdomain = Ustrrchr(sender_address, '@');
2844 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2845 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2846 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2847 }
2848 break;
2849
2850 case ACLC_SENDERS:
2851 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2852 sender_address_cache, -1, 0, &sender_data);
2853 break;
2854
2855 /* Connection variables must persist forever */
2856
2857 case ACLC_SET:
2858 {
2859 int old_pool = store_pool;
47ca6d6c 2860 if (cb->u.varnumber < ACL_CVARS) store_pool = POOL_PERM;
059ec3d9
PH
2861 acl_var[cb->u.varnumber] = string_copy(arg);
2862 store_pool = old_pool;
2863 }
2864 break;
2865
8523533c
TK
2866#ifdef WITH_CONTENT_SCAN
2867 case ACLC_SPAM:
2868 {
2869 /* Seperate the regular expression and any optional parameters. */
2870 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2871 /* Run the spam backend. */
2872 rc = spam(&ss);
2873 /* Modify return code based upon the existance of options. */
2874 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2875 != NULL) {
2876 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2877 {
2878 /* FAIL so that the message is passed to the next ACL */
2879 rc = FAIL;
2880 }
2881 }
2882 }
2883 break;
2884#endif
2885
2886#ifdef EXPERIMENTAL_SPF
2887 case ACLC_SPF:
2888 rc = spf_process(&arg, sender_address);
2889 break;
2890#endif
2891
059ec3d9
PH
2892 /* If the verb is WARN, discard any user message from verification, because
2893 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH
2894 only from explicit "message" modifiers. However, put the user message into
2895 $acl_verify_message so it can be used in subsequent conditions or modifiers
2896 (until something changes it). */
059ec3d9
PH
2897
2898 case ACLC_VERIFY:
2899 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 2900 acl_verify_message = *user_msgptr;
059ec3d9
PH
2901 if (verb == ACL_WARN) *user_msgptr = NULL;
2902 break;
2903
2904 default:
2905 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2906 "condition %d", cb->type);
2907 break;
2908 }
2909
2910 /* If a condition was negated, invert OK/FAIL. */
2911
2912 if (!cond_modifiers[cb->type] && cb->u.negated)
2913 {
2914 if (rc == OK) rc = FAIL;
2915 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2916 }
2917
2918 if (rc != OK) break; /* Conditions loop */
2919 }
2920
2921
2922/* If the result is the one for which "message" and/or "log_message" are used,
2923handle the values of these options. Most verbs have but a single return for
2924which the messages are relevant, but for "discard", it's useful to have the log
2925message both when it succeeds and when it fails. Also, for an "accept" that
2926appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2927and "warn" are permitted in that ACL, we don't need to test the verb.
2928
2929These modifiers act in different ways:
2930
2931"message" is a user message that will be included in an SMTP response. Unless
2932it is empty, it overrides any previously set user message.
2933
2934"log_message" is a non-user message, and it adds to any existing non-user
2935message that is already set.
2936
2937If there isn't a log message set, we make it the same as the user message. */
2938
2939if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2940 (verb == ACL_DISCARD && rc == OK) ||
2941 (where == ACL_WHERE_QUIT))
2942 {
2943 uschar *expmessage;
2944
2945 /* If the verb is "warn", messages generated by conditions (verification or
2946 nested ACLs) are discarded. Only messages specified at this level are used.
2947 However, the value of an existing message is available in $acl_verify_message
2948 during expansions. */
2949
2950 uschar *old_user_msgptr = *user_msgptr;
2951 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2952
2953 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2954
2955 if (user_message != NULL)
2956 {
2957 acl_verify_message = old_user_msgptr;
2958 expmessage = expand_string(user_message);
2959 if (expmessage == NULL)
2960 {
2961 if (!expand_string_forcedfail)
2962 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2963 user_message, expand_string_message);
2964 }
2965 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2966 }
2967
2968 if (log_message != NULL)
2969 {
2970 acl_verify_message = old_log_msgptr;
2971 expmessage = expand_string(log_message);
2972 if (expmessage == NULL)
2973 {
2974 if (!expand_string_forcedfail)
2975 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2976 log_message, expand_string_message);
2977 }
2978 else if (expmessage[0] != 0)
2979 {
2980 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2981 string_sprintf("%s: %s", expmessage, *log_msgptr);
2982 }
2983 }
2984
2985 /* If no log message, default it to the user message */
2986
2987 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2988 }
2989
2990acl_verify_message = NULL;
2991return rc;
2992}
2993
2994
2995
2996
2997
2998/*************************************************
2999* Get line from a literal ACL *
3000*************************************************/
3001
3002/* This function is passed to acl_read() in order to extract individual lines
3003of a literal ACL, which we access via static pointers. We can destroy the
3004contents because this is called only once (the compiled ACL is remembered).
3005
3006This code is intended to treat the data in the same way as lines in the main
3007Exim configuration file. That is:
3008
3009 . Leading spaces are ignored.
3010
3011 . A \ at the end of a line is a continuation - trailing spaces after the \
3012 are permitted (this is because I don't believe in making invisible things
3013 significant). Leading spaces on the continued part of a line are ignored.
3014
3015 . Physical lines starting (significantly) with # are totally ignored, and
3016 may appear within a sequence of backslash-continued lines.
3017
3018 . Blank lines are ignored, but will end a sequence of continuations.
3019
3020Arguments: none
3021Returns: a pointer to the next line
3022*/
3023
3024
3025static uschar *acl_text; /* Current pointer in the text */
3026static uschar *acl_text_end; /* Points one past the terminating '0' */
3027
3028
3029static uschar *
3030acl_getline(void)
3031{
3032uschar *yield;
3033
3034/* This loop handles leading blank lines and comments. */
3035
3036for(;;)
3037 {
3038 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3039 if (*acl_text == 0) return NULL; /* No more data */
3040 yield = acl_text; /* Potential data line */
3041
3042 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3043
3044 /* If we hit the end before a newline, we have the whole logical line. If
3045 it's a comment, there's no more data to be given. Otherwise, yield it. */
3046
3047 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3048
3049 /* After reaching a newline, end this loop if the physical line does not
3050 start with '#'. If it does, it's a comment, and the loop continues. */
3051
3052 if (*yield != '#') break;
3053 }
3054
3055/* This loop handles continuations. We know we have some real data, ending in
3056newline. See if there is a continuation marker at the end (ignoring trailing
3057white space). We know that *yield is not white space, so no need to test for
3058cont > yield in the backwards scanning loop. */
3059
3060for(;;)
3061 {
3062 uschar *cont;
3063 for (cont = acl_text - 1; isspace(*cont); cont--);
3064
3065 /* If no continuation follows, we are done. Mark the end of the line and
3066 return it. */
3067
3068 if (*cont != '\\')
3069 {
3070 *acl_text++ = 0;
3071 return yield;
3072 }
3073
3074 /* We have encountered a continuation. Skip over whitespace at the start of
3075 the next line, and indeed the whole of the next line or lines if they are
3076 comment lines. */
3077
3078 for (;;)
3079 {
3080 while (*(++acl_text) == ' ' || *acl_text == '\t');
3081 if (*acl_text != '#') break;
3082 while (*(++acl_text) != 0 && *acl_text != '\n');
3083 }
3084
3085 /* We have the start of a continuation line. Move all the rest of the data
3086 to join onto the previous line, and then find its end. If the end is not a
3087 newline, we are done. Otherwise loop to look for another continuation. */
3088
3089 memmove(cont, acl_text, acl_text_end - acl_text);
3090 acl_text_end -= acl_text - cont;
3091 acl_text = cont;
3092 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3093 if (*acl_text == 0) return yield;
3094 }
3095
3096/* Control does not reach here */
3097}
3098
3099
3100
3101
3102
3103/*************************************************
3104* Check access using an ACL *
3105*************************************************/
3106
3107/* This function is called from address_check. It may recurse via
3108acl_check_condition() - hence the use of a level to stop looping. The ACL is
3109passed as a string which is expanded. A forced failure implies no access check
3110is required. If the result is a single word, it is taken as the name of an ACL
3111which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3112text, complete with newlines, and parsed as such. In both cases, the ACL check
3113is then run. This function uses an auxiliary function for acl_read() to call
3114for reading individual lines of a literal ACL. This is acl_getline(), which
3115appears immediately above.
3116
3117Arguments:
3118 where where called from
3119 addr address item when called from RCPT; otherwise NULL
3120 s the input string; NULL is the same as an empty ACL => DENY
3121 level the nesting level
3122 user_msgptr where to put a user error (for SMTP response)
3123 log_msgptr where to put a logging message (not for SMTP response)
3124
3125Returns: OK access is granted
3126 DISCARD access is apparently granted...
3127 FAIL access is denied
3128 FAIL_DROP access is denied; drop the connection
3129 DEFER can't tell at the moment
3130 ERROR disaster
3131*/
3132
3133static int
3134acl_check_internal(int where, address_item *addr, uschar *s, int level,
3135 uschar **user_msgptr, uschar **log_msgptr)
3136{
3137int fd = -1;
3138acl_block *acl = NULL;
3139uschar *acl_name = US"inline ACL";
3140uschar *ss;
3141
3142/* Catch configuration loops */
3143
3144if (level > 20)
3145 {
3146 *log_msgptr = US"ACL nested too deep: possible loop";
3147 return ERROR;
3148 }
3149
3150if (s == NULL)
3151 {
3152 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3153 return FAIL;
3154 }
3155
3156/* At top level, we expand the incoming string. At lower levels, it has already
3157been expanded as part of condition processing. */
3158
3159if (level == 0)
3160 {
3161 ss = expand_string(s);
3162 if (ss == NULL)
3163 {
3164 if (expand_string_forcedfail) return OK;
3165 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3166 expand_string_message);
3167 return ERROR;
3168 }
3169 }
3170else ss = s;
3171
3172while (isspace(*ss))ss++;
3173
3174/* If we can't find a named ACL, the default is to parse it as an inline one.
3175(Unless it begins with a slash; non-existent files give rise to an error.) */
3176
3177acl_text = ss;
3178
3179/* Handle the case of a string that does not contain any spaces. Look for a
3180named ACL among those read from the configuration, or a previously read file.
3181It is possible that the pointer to the ACL is NULL if the configuration
3182contains a name with no data. If not found, and the text begins with '/',
3183read an ACL from a file, and save it so it can be re-used. */
3184
3185if (Ustrchr(ss, ' ') == NULL)
3186 {
3187 tree_node *t = tree_search(acl_anchor, ss);
3188 if (t != NULL)
3189 {
3190 acl = (acl_block *)(t->data.ptr);
3191 if (acl == NULL)
3192 {
3193 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3194 return FAIL;
3195 }
3196 acl_name = string_sprintf("ACL \"%s\"", ss);
3197 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3198 }
3199
3200 else if (*ss == '/')
3201 {
3202 struct stat statbuf;
3203 fd = Uopen(ss, O_RDONLY, 0);
3204 if (fd < 0)
3205 {
3206 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3207 strerror(errno));
3208 return ERROR;
3209 }
3210
3211 if (fstat(fd, &statbuf) != 0)
3212 {
3213 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3214 strerror(errno));
3215 return ERROR;
3216 }
3217
3218 acl_text = store_get(statbuf.st_size + 1);
3219 acl_text_end = acl_text + statbuf.st_size + 1;
3220
3221 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3222 {
3223 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3224 ss, strerror(errno));
3225 return ERROR;
3226 }
3227 acl_text[statbuf.st_size] = 0;
f1e894f3 3228 (void)close(fd);
059ec3d9
PH
3229
3230 acl_name = string_sprintf("ACL \"%s\"", ss);
3231 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3232 }
3233 }
3234
3235/* Parse an ACL that is still in text form. If it came from a file, remember it
3236in the ACL tree, having read it into the POOL_PERM store pool so that it
3237persists between multiple messages. */
3238
3239if (acl == NULL)
3240 {
3241 int old_pool = store_pool;
3242 if (fd >= 0) store_pool = POOL_PERM;
3243 acl = acl_read(acl_getline, log_msgptr);
3244 store_pool = old_pool;
3245 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3246 if (fd >= 0)
3247 {
3248 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3249 Ustrcpy(t->name, ss);
3250 t->data.ptr = acl;
3251 (void)tree_insertnode(&acl_anchor, t);
3252 }
3253 }
3254
3255/* Now we have an ACL to use. It's possible it may be NULL. */
3256
3257while (acl != NULL)
3258 {
3259 int cond;
3260 int basic_errno = 0;
3261 BOOL endpass_seen = FALSE;
3262
3263 *log_msgptr = *user_msgptr = NULL;
3264 acl_temp_details = FALSE;
3265
3266 if (where == ACL_WHERE_QUIT &&
3267 acl->verb != ACL_ACCEPT &&
3268 acl->verb != ACL_WARN)
3269 {
3270 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
3271 verbs[acl->verb]);
3272 return ERROR;
3273 }
3274
3275 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3276
3277 /* Clear out any search error message from a previous check before testing
3278 this condition. */
3279
3280 search_error_message = NULL;
3281 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3282 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3283
3284 /* Handle special returns: DEFER causes a return except on a WARN verb;
3285 ERROR always causes a return. */
3286
3287 switch (cond)
3288 {
3289 case DEFER:
3290 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3291 if (basic_errno != ERRNO_CALLOUTDEFER)
3292 {
3293 if (search_error_message != NULL && *search_error_message != 0)
3294 *log_msgptr = search_error_message;
3295 if (smtp_return_error_details) acl_temp_details = TRUE;
3296 }
3297 else
3298 {
3299 acl_temp_details = TRUE;
3300 }
3301 if (acl->verb != ACL_WARN) return DEFER;
3302 break;
3303
3304 default: /* Paranoia */
3305 case ERROR:
3306 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3307 return ERROR;
3308
3309 case OK:
3310 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3311 verbs[acl->verb]);
3312 break;
3313
3314 case FAIL:
3315 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3316 break;
3317
3318 /* DISCARD and DROP can happen only from a nested ACL condition, and
3319 DISCARD can happen only for an "accept" or "discard" verb. */
3320
3321 case DISCARD:
3322 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3323 verbs[acl->verb]);
3324 break;
3325
3326 case FAIL_DROP:
3327 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3328 verbs[acl->verb]);
3329 break;
3330 }
3331
3332 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3333 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3334 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3335
3336 switch(acl->verb)
3337 {
3338 case ACL_ACCEPT:
3339 if (cond == OK || cond == DISCARD) return cond;
3340 if (endpass_seen)
3341 {
3342 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3343 return cond;
3344 }
3345 break;
3346
3347 case ACL_DEFER:
3348 if (cond == OK)
3349 {
3350 acl_temp_details = TRUE;
3351 return DEFER;
3352 }
3353 break;
3354
3355 case ACL_DENY:
3356 if (cond == OK) return FAIL;
3357 break;
3358
3359 case ACL_DISCARD:
3360 if (cond == OK || cond == DISCARD) return DISCARD;
3361 if (endpass_seen)
3362 {
3363 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3364 return cond;
3365 }
3366 break;
3367
3368 case ACL_DROP:
3369 if (cond == OK) return FAIL_DROP;
3370 break;
3371
3372 case ACL_REQUIRE:
3373 if (cond != OK) return cond;
3374 break;
3375
3376 case ACL_WARN:
3377 if (cond == OK)
3378 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3379 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH
3380 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3381 "condition test deferred%s%s", host_and_ident(TRUE),
3382 (*log_msgptr == NULL)? US"" : US": ",
3383 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH
3384 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3385 break;
3386
3387 default:
3388 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3389 acl->verb);
3390 break;
3391 }
3392
3393 /* Pass to the next ACL item */
3394
3395 acl = acl->next;
3396 }
3397
3398/* We have reached the end of the ACL. This is an implicit DENY. */
3399
3400HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3401return FAIL;
3402}
3403
3404
3405/*************************************************
3406* Check access using an ACL *
3407*************************************************/
3408
3409/* This is the external interface for ACL checks. It sets up an address and the
3410expansions for $domain and $local_part when called after RCPT, then calls
3411acl_check_internal() to do the actual work.
3412
3413Arguments:
3414 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3415 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH
3416 s the input string; NULL is the same as an empty ACL => DENY
3417 user_msgptr where to put a user error (for SMTP response)
3418 log_msgptr where to put a logging message (not for SMTP response)
3419
3420Returns: OK access is granted by an ACCEPT verb
3421 DISCARD access is granted by a DISCARD verb
3422 FAIL access is denied
3423 FAIL_DROP access is denied; drop the connection
3424 DEFER can't tell at the moment
3425 ERROR disaster
3426*/
3427
3428int
64ffc24f 3429acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH
3430 uschar **log_msgptr)
3431{
3432int rc;
3433address_item adb;
64ffc24f 3434address_item *addr = NULL;
059ec3d9
PH
3435
3436*user_msgptr = *log_msgptr = NULL;
3437sender_verified_failed = NULL;
fe0dab11 3438ratelimiters_cmd = NULL;
059ec3d9
PH
3439
3440if (where == ACL_WHERE_RCPT)
3441 {
3442 adb = address_defaults;
3443 addr = &adb;
64ffc24f 3444 addr->address = recipient;
059ec3d9
PH
3445 if (deliver_split_address(addr) == DEFER)
3446 {
3447 *log_msgptr = US"defer in percent_hack_domains check";
3448 return DEFER;
3449 }
3450 deliver_domain = addr->domain;
3451 deliver_localpart = addr->local_part;
3452 }
059ec3d9
PH
3453
3454rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3455
64ffc24f
PH
3456deliver_domain = deliver_localpart = deliver_address_data =
3457 sender_address_data = NULL;
059ec3d9
PH
3458
3459/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3460ACL, which is really in the middle of an SMTP command. */
3461
3462if (rc == DISCARD)
3463 {
3464 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3465 {
3466 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3467 "ACL", acl_wherenames[where]);
3468 return ERROR;
3469 }
3470 return DISCARD;
3471 }
3472
3473/* A DROP response is not permitted from MAILAUTH */
3474
3475if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3476 {
3477 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3478 "ACL", acl_wherenames[where]);
3479 return ERROR;
3480 }
3481
3482/* Before giving an error response, take a look at the length of any user
3483message, and split it up into multiple lines if possible. */
3484
3485if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
3486 {
3487 uschar *s = *user_msgptr = string_copy(*user_msgptr);
3488 uschar *ss = s;
3489
3490 for (;;)
3491 {
3492 int i = 0;
3493 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
3494 if (*ss == 0) break;
3495 if (*ss == '\n')
3496 s = ++ss;
3497 else
3498 {
3499 uschar *t = ss + 1;
3500 uschar *tt = NULL;
3501 while (--t > s + 35)
3502 {
3503 if (*t == ' ')
3504 {
3505 if (t[-1] == ':') { tt = t; break; }
3506 if (tt == NULL) tt = t;
3507 }
3508 }
3509
3510 if (tt == NULL) /* Can't split behind - try ahead */
3511 {
3512 t = ss + 1;
3513 while (*t != 0)
3514 {
3515 if (*t == ' ' || *t == '\n')
3516 { tt = t; break; }
3517 t++;
3518 }
3519 }
3520
3521 if (tt == NULL) break; /* Can't find anywhere to split */
3522 *tt = '\n';
3523 s = ss = tt+1;
3524 }
3525 }
3526 }
3527
3528return rc;
3529}
3530
3531/* End of acl.c */