If setrlimit() barfs at 1000 file descriptors, try for 256 to
[exim.git] / src / src / acl.c
CommitLineData
059ec3d9
PH
1/* $Cambridge: exim/src/src/acl.c,v 1.1 2004/10/07 10:39:01 ph10 Exp $ */
2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
7/* Copyright (c) University of Cambridge 1995 - 2004 */
8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
35follows. */
36
37enum { ACLC_ACL, ACLC_AUTHENTICATED, ACLC_CONDITION, ACLC_CONTROL, ACLC_DELAY,
38 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS, ACLC_HOSTS,
39 ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE, ACLC_MESSAGE,
40 ACLC_RECIPIENTS, ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET, ACLC_VERIFY };
41
42/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
43"log_message", "logwrite", and "set" are modifiers that look like conditions
44but always return TRUE. They are used for their side effects. */
45
46static uschar *conditions[] = { US"acl", US"authenticated", US"condition",
47 US"control", US"delay", US"dnslists", US"domains", US"encrypted",
48 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
49 US"message", US"recipients", US"sender_domains", US"senders", US"set",
50 US"verify" };
51
52/* Flags to indicate for which conditions /modifiers a string expansion is done
53at the outer level. In the other cases, expansion already occurs in the
54checking functions. */
55
56static uschar cond_expand_at_top[] = {
57 TRUE, /* acl */
58 FALSE, /* authenticated */
59 TRUE, /* condition */
60 TRUE, /* control */
61 TRUE, /* delay */
62 TRUE, /* dnslists */
63 FALSE, /* domains */
64 FALSE, /* encrypted */
65 TRUE, /* endpass */
66 FALSE, /* hosts */
67 FALSE, /* local_parts */
68 TRUE, /* log_message */
69 TRUE, /* logwrite */
70 TRUE, /* message */
71 FALSE, /* recipients */
72 FALSE, /* sender_domains */
73 FALSE, /* senders */
74 TRUE, /* set */
75 TRUE /* verify */
76};
77
78/* Flags to identify the modifiers */
79
80static uschar cond_modifiers[] = {
81 FALSE, /* acl */
82 FALSE, /* authenticated */
83 FALSE, /* condition */
84 TRUE, /* control */
85 TRUE, /* delay */
86 FALSE, /* dnslists */
87 FALSE, /* domains */
88 FALSE, /* encrypted */
89 TRUE, /* endpass */
90 FALSE, /* hosts */
91 FALSE, /* local_parts */
92 TRUE, /* log_message */
93 TRUE, /* log_write */
94 TRUE, /* message */
95 FALSE, /* recipients */
96 FALSE, /* sender_domains */
97 FALSE, /* senders */
98 TRUE, /* set */
99 FALSE /* verify */
100};
101
102/* Bit map of which conditions are not allowed at certain times. For each
103condition, there's a bitmap of dis-allowed times. */
104
105static unsigned int cond_forbids[] = {
106 0, /* acl */
107 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
108 (1<<ACL_WHERE_HELO),
109 0, /* condition */
110
111 /* Certain types of control are always allowed, so we let it through
112 always and check in the control processing itself */
113
114 0, /* control */
115 0, /* delay */
116 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
117
118 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
119 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
120 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
121 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
122 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
123 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
124 (1<<ACL_WHERE_VRFY),
125
126 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
127 (1<<ACL_WHERE_HELO),
128 0, /* endpass */
129 (1<<ACL_WHERE_NOTSMTP), /* hosts */
130
131 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
132 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
133 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
134 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
135 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
136 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
137 (1<<ACL_WHERE_VRFY),
138
139 0, /* log_message */
140 0, /* logwrite */
141 0, /* message */
142
143 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
144 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
145 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
146 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
147 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
148 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
149 (1<<ACL_WHERE_VRFY),
150
151 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
152 (1<<ACL_WHERE_HELO)|
153 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
154 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
155 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
156
157 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
158 (1<<ACL_WHERE_HELO)|
159 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
160 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
161 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
162
163 0, /* set */
164
165 /* Certain types of verify are always allowed, so we let it through
166 always and check in the verify function itself */
167
168 0 /* verify */
169
170};
171
172
173/* Return values from decode_control() */
174
175enum { CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
176 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
177 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION, CONTROL_NO_MULTILINE };
178
179/* Structure listing various control arguments, with their characteristics.
180The maximum "where" value controls the ACLs in which the various controls are
181permitted to occur. Specifying ACL_WHERE_RCPT limits it to just the RCPT ACL;
182specifying ACL_WHERE_NOTSMTP limits it to "message" ACLs. */
183
184typedef struct control_def {
185 uschar *name;
186 int value; /* CONTROL_xxx value */
187 int where_max; /* Maximum "where" value */
188 BOOL has_option; /* Has /option(s) following */
189} control_def;
190
191static control_def controls_list[] = {
192 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART,
193 ACL_WHERE_RCPT, FALSE },
194 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART,
195 ACL_WHERE_RCPT, FALSE },
196 { US"enforce_sync", CONTROL_ENFORCE_SYNC,
197 INT_MAX, FALSE },
198 { US"freeze", CONTROL_FREEZE,
199 ACL_WHERE_NOTSMTP, FALSE },
200 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC,
201 INT_MAX, FALSE },
202 { US"no_multiline_responses", CONTROL_NO_MULTILINE,
203 INT_MAX, FALSE },
204 { US"queue_only", CONTROL_QUEUE_ONLY,
205 ACL_WHERE_NOTSMTP, FALSE },
206 { US"submission", CONTROL_SUBMISSION,
207 ACL_WHERE_NOTSMTP, TRUE }
208 };
209
210/* Enable recursion between acl_check_internal() and acl_check_condition() */
211
212static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
213 uschar **);
214
215
216/*************************************************
217* Pick out name from list *
218*************************************************/
219
220/* Use a binary chop method
221
222Arguments:
223 name name to find
224 list list of names
225 end size of list
226
227Returns: offset in list, or -1 if not found
228*/
229
230static int
231acl_checkname(uschar *name, uschar **list, int end)
232{
233int start = 0;
234
235while (start < end)
236 {
237 int mid = (start + end)/2;
238 int c = Ustrcmp(name, list[mid]);
239 if (c == 0) return mid;
240 if (c < 0) end = mid; else start = mid + 1;
241 }
242
243return -1;
244}
245
246
247/*************************************************
248* Read and parse one ACL *
249*************************************************/
250
251/* This function is called both from readconf in order to parse the ACLs in the
252configuration file, and also when an ACL is encountered dynamically (e.g. as
253the result of an expansion). It is given a function to call in order to
254retrieve the lines of the ACL. This function handles skipping comments and
255blank lines (where relevant).
256
257Arguments:
258 func function to get next line of ACL
259 error where to put an error message
260
261Returns: pointer to ACL, or NULL
262 NULL can be legal (empty ACL); in this case error will be NULL
263*/
264
265acl_block *
266acl_read(uschar *(*func)(void), uschar **error)
267{
268acl_block *yield = NULL;
269acl_block **lastp = &yield;
270acl_block *this = NULL;
271acl_condition_block *cond;
272acl_condition_block **condp = NULL;
273uschar *s;
274
275*error = NULL;
276
277while ((s = (*func)()) != NULL)
278 {
279 int v, c;
280 BOOL negated = FALSE;
281 uschar *saveline = s;
282 uschar name[64];
283
284 /* Conditions (but not verbs) are allowed to be negated by an initial
285 exclamation mark. */
286
287 while (isspace(*s)) s++;
288 if (*s == '!')
289 {
290 negated = TRUE;
291 s++;
292 }
293
294 /* Read the name of a verb or a condition, or the start of a new ACL */
295
296 s = readconf_readname(name, sizeof(name), s);
297 if (*s == ':')
298 {
299 if (negated || name[0] == 0)
300 {
301 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
302 return NULL;
303 }
304 break;
305 }
306
307 /* If a verb is unrecognized, it may be another condition or modifier that
308 continues the previous verb. */
309
310 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
311 if (v < 0)
312 {
313 if (this == NULL)
314 {
315 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
316 return NULL;
317 }
318 }
319
320 /* New verb */
321
322 else
323 {
324 if (negated)
325 {
326 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
327 return NULL;
328 }
329 this = store_get(sizeof(acl_block));
330 *lastp = this;
331 lastp = &(this->next);
332 this->next = NULL;
333 this->verb = v;
334 this->condition = NULL;
335 condp = &(this->condition);
336 if (*s == 0) continue; /* No condition on this line */
337 if (*s == '!')
338 {
339 negated = TRUE;
340 s++;
341 }
342 s = readconf_readname(name, sizeof(name), s); /* Condition name */
343 }
344
345 /* Handle a condition or modifier. */
346
347 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
348 if (c < 0)
349 {
350 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
351 saveline);
352 return NULL;
353 }
354
355 /* The modifiers may not be negated */
356
357 if (negated && cond_modifiers[c])
358 {
359 *error = string_sprintf("ACL error: negation is not allowed with "
360 "\"%s\"", conditions[c]);
361 return NULL;
362 }
363
364 /* ENDPASS may occur only with ACCEPT or DISCARD. */
365
366 if (c == ACLC_ENDPASS &&
367 this->verb != ACL_ACCEPT &&
368 this->verb != ACL_DISCARD)
369 {
370 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
371 conditions[c], verbs[this->verb]);
372 return NULL;
373 }
374
375 cond = store_get(sizeof(acl_condition_block));
376 cond->next = NULL;
377 cond->type = c;
378 cond->u.negated = negated;
379
380 *condp = cond;
381 condp = &(cond->next);
382
383 /* The "set" modifier is different in that its argument is "name=value"
384 rather than just a value, and we can check the validity of the name, which
385 gives us a variable number to insert into the data block. */
386
387 if (c == ACLC_SET)
388 {
389 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
390 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
391 {
392 *error = string_sprintf("unrecognized name after \"set\" in ACL "
393 "modifier \"set %s\"", s);
394 return NULL;
395 }
396
397 cond->u.varnumber = s[5] - '0';
398 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
399 s += 6;
400 while (isspace(*s)) s++;
401 }
402
403 /* For "set", we are now positioned for the data. For the others, only
404 "endpass" has no data */
405
406 if (c != ACLC_ENDPASS)
407 {
408 if (*s++ != '=')
409 {
410 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
411 cond_modifiers[c]? US"modifier" : US"condition");
412 return NULL;
413 }
414 while (isspace(*s)) s++;
415 cond->arg = string_copy(s);
416 }
417 }
418
419return yield;
420}
421
422
423
424/*************************************************
425* Handle warnings *
426*************************************************/
427
428/* This function is called when a WARN verb's conditions are true. It adds to
429the message's headers, and/or writes information to the log. In each case, this
430only happens once (per message for headers, per connection for log).
431
432Arguments:
433 where ACL_WHERE_xxxx indicating which ACL this is
434 user_message message for adding to headers
435 log_message message for logging, if different
436
437Returns: nothing
438*/
439
440static void
441acl_warn(int where, uschar *user_message, uschar *log_message)
442{
443int hlen;
444
445if (log_message != NULL && log_message != user_message)
446 {
447 uschar *text;
448 string_item *logged;
449
450 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
451 string_printing(log_message));
452
453 /* If a sender verification has failed, and the log message is "sender verify
454 failed", add the failure message. */
455
456 if (sender_verified_failed != NULL &&
457 sender_verified_failed->message != NULL &&
458 strcmpic(log_message, US"sender verify failed") == 0)
459 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
460
461 /* Search previously logged warnings. They are kept in malloc store so they
462 can be freed at the start of a new message. */
463
464 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
465 if (Ustrcmp(logged->text, text) == 0) break;
466
467 if (logged == NULL)
468 {
469 int length = Ustrlen(text) + 1;
470 log_write(0, LOG_MAIN, "%s", text);
471 logged = store_malloc(sizeof(string_item) + length);
472 logged->text = (uschar *)logged + sizeof(string_item);
473 memcpy(logged->text, text, length);
474 logged->next = acl_warn_logged;
475 acl_warn_logged = logged;
476 }
477 }
478
479/* If there's no user message, we are done. */
480
481if (user_message == NULL) return;
482
483/* If this isn't a message ACL, we can't do anything with a user message.
484Log an error. */
485
486if (where > ACL_WHERE_NOTSMTP)
487 {
488 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
489 "found in a non-message (%s) ACL: cannot specify header lines here: "
490 "message ignored", acl_wherenames[where]);
491 return;
492 }
493
494/* Treat the user message as a sequence of one or more header lines. */
495
496hlen = Ustrlen(user_message);
497if (hlen > 0)
498 {
499 uschar *text, *p, *q;
500
501 /* Add a final newline if not present */
502
503 text = ((user_message)[hlen-1] == '\n')? user_message :
504 string_sprintf("%s\n", user_message);
505
506 /* Loop for multiple header lines, taking care about continuations */
507
508 for (p = q = text; *p != 0; )
509 {
510 uschar *s;
511 int newtype = htype_add_bot;
512 header_line **hptr = &acl_warn_headers;
513
514 /* Find next header line within the string */
515
516 for (;;)
517 {
518 q = Ustrchr(q, '\n');
519 if (*(++q) != ' ' && *q != '\t') break;
520 }
521
522 /* If the line starts with a colon, interpret the instruction for where to
523 add it. This temporarily sets up a new type. */
524
525 if (*p == ':')
526 {
527 if (strncmpic(p, US":after_received:", 16) == 0)
528 {
529 newtype = htype_add_rec;
530 p += 16;
531 }
532 else if (strncmpic(p, US":at_start:", 10) == 0)
533 {
534 newtype = htype_add_top;
535 p += 10;
536 }
537 else if (strncmpic(p, US":at_end:", 8) == 0)
538 {
539 newtype = htype_add_bot;
540 p += 8;
541 }
542 while (*p == ' ' || *p == '\t') p++;
543 }
544
545 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
546 to the front of it. */
547
548 for (s = p; s < q - 1; s++)
549 {
550 if (*s == ':' || !isgraph(*s)) break;
551 }
552
553 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
554 hlen = Ustrlen(s);
555
556 /* See if this line has already been added */
557
558 while (*hptr != NULL)
559 {
560 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
561 hptr = &((*hptr)->next);
562 }
563
564 /* Add if not previously present */
565
566 if (*hptr == NULL)
567 {
568 header_line *h = store_get(sizeof(header_line));
569 h->text = s;
570 h->next = NULL;
571 h->type = newtype;
572 h->slen = hlen;
573 *hptr = h;
574 hptr = &(h->next);
575 }
576
577 /* Advance for next header line within the string */
578
579 p = q;
580 }
581 }
582}
583
584
585
586/*************************************************
587* Verify and check reverse DNS *
588*************************************************/
589
590/* Called from acl_verify() below. We look up the host name(s) of the client IP
591address if this has not yet been done. The host_name_lookup() function checks
592that one of these names resolves to an address list that contains the client IP
593address, so we don't actually have to do the check here.
594
595Arguments:
596 user_msgptr pointer for user message
597 log_msgptr pointer for log message
598
599Returns: OK verification condition succeeded
600 FAIL verification failed
601 DEFER there was a problem verifying
602*/
603
604static int
605acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
606{
607int rc;
608
609user_msgptr = user_msgptr; /* stop compiler warning */
610
611/* Previous success */
612
613if (sender_host_name != NULL) return OK;
614
615/* Previous failure */
616
617if (host_lookup_failed)
618 {
619 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
620 return FAIL;
621 }
622
623/* Need to do a lookup */
624
625HDEBUG(D_acl)
626 debug_printf("looking up host name to force name/address consistency check\n");
627
628if ((rc = host_name_lookup()) != OK)
629 {
630 *log_msgptr = (rc == DEFER)?
631 US"host lookup deferred for reverse lookup check"
632 :
633 string_sprintf("host lookup failed for reverse lookup check%s",
634 host_lookup_msg);
635 return rc; /* DEFER or FAIL */
636 }
637
638host_build_sender_fullhost();
639return OK;
640}
641
642
643
644/*************************************************
645* Handle verification (address & other) *
646*************************************************/
647
648/* This function implements the "verify" condition. It is called when
649encountered in any ACL, because some tests are almost always permitted. Some
650just don't make sense, and always fail (for example, an attempt to test a host
651lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
652
653Arguments:
654 where where called from
655 addr the recipient address that the ACL is handling, or NULL
656 arg the argument of "verify"
657 user_msgptr pointer for user message
658 log_msgptr pointer for log message
659 basic_errno where to put verify errno
660
661Returns: OK verification condition succeeded
662 FAIL verification failed
663 DEFER there was a problem verifying
664 ERROR syntax error
665*/
666
667static int
668acl_verify(int where, address_item *addr, uschar *arg,
669 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
670{
671int sep = '/';
672int callout = -1;
673int callout_overall = -1;
674int verify_options = 0;
675int rc;
676BOOL verify_header_sender = FALSE;
677BOOL defer_ok = FALSE;
678BOOL callout_defer_ok = FALSE;
679BOOL no_details = FALSE;
680address_item *sender_vaddr = NULL;
681uschar *verify_sender_address = NULL;
682uschar *pm_mailfrom = NULL;
683uschar *se_mailfrom = NULL;
684uschar *list = arg;
685uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
686
687if (ss == NULL) goto BAD_VERIFY;
688
689/* Handle name/address consistency verification in a separate function. */
690
691if (strcmpic(ss, US"reverse_host_lookup") == 0)
692 {
693 if (sender_host_address == NULL) return OK;
694 return acl_verify_reverse(user_msgptr, log_msgptr);
695 }
696
697/* TLS certificate verification is done at STARTTLS time; here we just
698test whether it was successful or not. (This is for optional verification; for
699mandatory verification, the connection doesn't last this long.) */
700
701if (strcmpic(ss, US"certificate") == 0)
702 {
703 if (tls_certificate_verified) return OK;
704 *user_msgptr = US"no verified certificate";
705 return FAIL;
706 }
707
708/* We can test the result of optional HELO verification */
709
710if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
711
712/* Handle header verification options - permitted only after DATA or a non-SMTP
713message. */
714
715if (strncmpic(ss, US"header_", 7) == 0)
716 {
717 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
718 {
719 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
720 "(only possible in ACL for DATA)", acl_wherenames[where]);
721 return ERROR;
722 }
723
724 /* Check that all relevant header lines have the correct syntax. If there is
725 a syntax error, we return details of the error to the sender if configured to
726 send out full details. (But a "message" setting on the ACL can override, as
727 always). */
728
729 if (strcmpic(ss+7, US"syntax") == 0)
730 {
731 int rc = verify_check_headers(log_msgptr);
732 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
733 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
734 return rc;
735 }
736
737 /* Check that there is at least one verifiable sender address in the relevant
738 header lines. This can be followed by callout and defer options, just like
739 sender and recipient. */
740
741 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
742
743 /* Unknown verify argument starting with "header_" */
744
745 else goto BAD_VERIFY;
746 }
747
748/* Otherwise, first item in verify argument must be "sender" or "recipient".
749In the case of a sender, this can optionally be followed by an address to use
750in place of the actual sender (rare special-case requirement). */
751
752else if (strncmpic(ss, US"sender", 6) == 0)
753 {
754 uschar *s = ss + 6;
755 if (where > ACL_WHERE_NOTSMTP)
756 {
757 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
758 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
759 acl_wherenames[where]);
760 return ERROR;
761 }
762 if (*s == 0)
763 verify_sender_address = sender_address;
764 else
765 {
766 while (isspace(*s)) s++;
767 if (*s++ != '=') goto BAD_VERIFY;
768 while (isspace(*s)) s++;
769 verify_sender_address = string_copy(s);
770 }
771 }
772else
773 {
774 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
775 if (addr == NULL)
776 {
777 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
778 "(only possible for RCPT)", acl_wherenames[where]);
779 return ERROR;
780 }
781 }
782
783/* Remaining items are optional */
784
785while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
786 != NULL)
787 {
788 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
789 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
790
791 /* These two old options are left for backwards compatibility */
792
793 else if (strcmpic(ss, US"callout_defer_ok") == 0)
794 {
795 callout_defer_ok = TRUE;
796 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
797 }
798
799 else if (strcmpic(ss, US"check_postmaster") == 0)
800 {
801 pm_mailfrom = US"";
802 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
803 }
804
805 /* The callout option has a number of sub-options, comma separated */
806
807 else if (strncmpic(ss, US"callout", 7) == 0)
808 {
809 callout = CALLOUT_TIMEOUT_DEFAULT;
810 ss += 7;
811 if (*ss != 0)
812 {
813 while (isspace(*ss)) ss++;
814 if (*ss++ == '=')
815 {
816 int optsep = ',';
817 uschar *opt;
818 uschar buffer[256];
819 while (isspace(*ss)) ss++;
820 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
821 != NULL)
822 {
823 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
824 else if (strcmpic(opt, US"no_cache") == 0)
825 verify_options |= vopt_callout_no_cache;
826 else if (strcmpic(opt, US"random") == 0)
827 verify_options |= vopt_callout_random;
828 else if (strcmpic(opt, US"use_sender") == 0)
829 verify_options |= vopt_callout_recipsender;
830 else if (strcmpic(opt, US"use_postmaster") == 0)
831 verify_options |= vopt_callout_recippmaster;
832 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
833
834 else if (strncmpic(opt, US"mailfrom", 8) == 0)
835 {
836 if (!verify_header_sender)
837 {
838 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
839 "callout option only for verify=header_sender (detected in ACL "
840 "condition \"%s\")", arg);
841 return ERROR;
842 }
843 opt += 8;
844 while (isspace(*opt)) opt++;
845 if (*opt++ != '=')
846 {
847 *log_msgptr = string_sprintf("'=' expected after "
848 "\"mailfrom\" in ACL condition \"%s\"", arg);
849 return ERROR;
850 }
851 while (isspace(*opt)) opt++;
852 se_mailfrom = string_copy(opt);
853 }
854
855 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
856 {
857 opt += 19;
858 while (isspace(*opt)) opt++;
859 if (*opt++ != '=')
860 {
861 *log_msgptr = string_sprintf("'=' expected after "
862 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
863 return ERROR;
864 }
865 while (isspace(*opt)) opt++;
866 pm_mailfrom = string_copy(opt);
867 }
868
869 else if (strncmpic(opt, US"maxwait", 7) == 0)
870 {
871 opt += 7;
872 while (isspace(*opt)) opt++;
873 if (*opt++ != '=')
874 {
875 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
876 "ACL condition \"%s\"", arg);
877 return ERROR;
878 }
879 while (isspace(*opt)) opt++;
880 callout_overall = readconf_readtime(opt, 0, FALSE);
881 if (callout_overall < 0)
882 {
883 *log_msgptr = string_sprintf("bad time value in ACL condition "
884 "\"verify %s\"", arg);
885 return ERROR;
886 }
887 }
888 else /* Plain time is callout connect/command timeout */
889 {
890 callout = readconf_readtime(opt, 0, FALSE);
891 if (callout < 0)
892 {
893 *log_msgptr = string_sprintf("bad time value in ACL condition "
894 "\"verify %s\"", arg);
895 return ERROR;
896 }
897 }
898 }
899 }
900 else
901 {
902 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
903 "ACL condition \"%s\"", arg);
904 return ERROR;
905 }
906 }
907 }
908
909 /* Option not recognized */
910
911 else
912 {
913 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
914 "condition \"verify %s\"", ss, arg);
915 return ERROR;
916 }
917 }
918
919if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
920 (vopt_callout_recipsender|vopt_callout_recippmaster))
921 {
922 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
923 "for a recipient callout";
924 return ERROR;
925 }
926
927/* Handle sender-in-header verification. Default the user message to the log
928message if giving out verification details. */
929
930if (verify_header_sender)
931 {
932 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
933 callout_overall, se_mailfrom, pm_mailfrom, verify_options);
934 if (smtp_return_error_details)
935 {
936 if (*user_msgptr == NULL && *log_msgptr != NULL)
937 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
938 if (rc == DEFER) acl_temp_details = TRUE;
939 }
940 }
941
942/* Handle a sender address. The default is to verify *the* sender address, but
943optionally a different address can be given, for special requirements. If the
944address is empty, we are dealing with a bounce message that has no sender, so
945we cannot do any checking. If the real sender address gets rewritten during
946verification (e.g. DNS widening), set the flag to stop it being rewritten again
947during message reception.
948
949A list of verified "sender" addresses is kept to try to avoid doing to much
950work repetitively when there are multiple recipients in a message and they all
951require sender verification. However, when callouts are involved, it gets too
952complicated because different recipients may require different callout options.
953Therefore, we always do a full sender verify when any kind of callout is
954specified. Caching elsewhere, for instance in the DNS resolver and in the
955callout handling, should ensure that this is not terribly inefficient. */
956
957else if (verify_sender_address != NULL)
958 {
959 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
960 != 0)
961 {
962 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
963 "sender verify callout";
964 return ERROR;
965 }
966
967 sender_vaddr = verify_checked_sender(verify_sender_address);
968 if (sender_vaddr != NULL && /* Previously checked */
969 callout <= 0) /* No callout needed this time */
970 {
971 /* If the "routed" flag is set, it means that routing worked before, so
972 this check can give OK (the saved return code value, if set, belongs to a
973 callout that was done previously). If the "routed" flag is not set, routing
974 must have failed, so we use the saved return code. */
975
976 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
977 {
978 rc = sender_vaddr->special_action;
979 *basic_errno = sender_vaddr->basic_errno;
980 }
981 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
982 }
983
984 /* Do a new verification, and cache the result. The cache is used to avoid
985 verifying the sender multiple times for multiple RCPTs when callouts are not
986 specified (see comments above).
987
988 The cache is also used on failure to give details in response to the first
989 RCPT that gets bounced for this reason. However, this can be suppressed by
990 the no_details option, which sets the flag that says "this detail has already
991 been sent". The cache normally contains just one address, but there may be
992 more in esoteric circumstances. */
993
994 else
995 {
996 BOOL routed = TRUE;
997 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
998 if (no_details) setflag(sender_vaddr, af_sverify_told);
999 if (verify_sender_address[0] != 0)
1000 {
1001 /* If this is the real sender address, save the unrewritten version
1002 for use later in receive. Otherwise, set a flag so that rewriting the
1003 sender in verify_address() does not update sender_address. */
1004
1005 if (verify_sender_address == sender_address)
1006 sender_address_unrewritten = sender_address;
1007 else
1008 verify_options |= vopt_fake_sender;
1009
1010 /* The recipient, qualify, and expn options are never set in
1011 verify_options. */
1012
1013 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1014 callout_overall, se_mailfrom, pm_mailfrom, &routed);
1015
1016 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1017
1018 if (rc == OK)
1019 {
1020 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1021 {
1022 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1023 verify_sender_address, sender_vaddr->address);
1024 }
1025 else
1026 {
1027 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1028 verify_sender_address);
1029 }
1030 }
1031 else *basic_errno = sender_vaddr->basic_errno;
1032 }
1033 else rc = OK; /* Null sender */
1034
1035 /* Cache the result code */
1036
1037 if (routed) setflag(sender_vaddr, af_verify_routed);
1038 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1039 sender_vaddr->special_action = rc;
1040 sender_vaddr->next = sender_verified_list;
1041 sender_verified_list = sender_vaddr;
1042 }
1043 }
1044
1045/* A recipient address just gets a straightforward verify; again we must handle
1046the DEFER overrides. */
1047
1048else
1049 {
1050 address_item addr2;
1051
1052 /* We must use a copy of the address for verification, because it might
1053 get rewritten. */
1054
1055 addr2 = *addr;
1056 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1057 callout_overall, se_mailfrom, pm_mailfrom, NULL);
1058 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1059 *log_msgptr = addr2.message;
1060 *user_msgptr = addr2.user_message;
1061 *basic_errno = addr2.basic_errno;
1062
1063 /* Make $address_data visible */
1064 deliver_address_data = addr2.p.address_data;
1065 }
1066
1067/* We have a result from the relevant test. Handle defer overrides first. */
1068
1069if (rc == DEFER && (defer_ok ||
1070 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1071 {
1072 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1073 defer_ok? "defer_ok" : "callout_defer_ok");
1074 rc = OK;
1075 }
1076
1077/* If we've failed a sender, set up a recipient message, and point
1078sender_verified_failed to the address item that actually failed. */
1079
1080if (rc != OK && verify_sender_address != NULL)
1081 {
1082 if (rc != DEFER)
1083 {
1084 *log_msgptr = *user_msgptr = US"Sender verify failed";
1085 }
1086 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1087 {
1088 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1089 }
1090 else
1091 {
1092 *log_msgptr = US"Could not complete sender verify callout";
1093 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1094 *log_msgptr;
1095 }
1096
1097 sender_verified_failed = sender_vaddr;
1098 }
1099
1100/* Verifying an address messes up the values of $domain and $local_part,
1101so reset them before returning if this is a RCPT ACL. */
1102
1103if (addr != NULL)
1104 {
1105 deliver_domain = addr->domain;
1106 deliver_localpart = addr->local_part;
1107 }
1108return rc;
1109
1110/* Syntax errors in the verify argument come here. */
1111
1112BAD_VERIFY:
1113*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1114 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1115 "\"verify %s\"", arg);
1116return ERROR;
1117}
1118
1119
1120
1121
1122/*************************************************
1123* Check argument for control= modifier *
1124*************************************************/
1125
1126/* Called from acl_check_condition() below
1127
1128Arguments:
1129 arg the argument string for control=
1130 pptr set to point to the terminating character
1131 where which ACL we are in
1132 log_msgptr for error messages
1133
1134Returns: CONTROL_xxx value
1135*/
1136
1137static int
1138decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1139{
1140int len;
1141control_def *d;
1142
1143for (d = controls_list;
1144 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1145 d++)
1146 {
1147 len = Ustrlen(d->name);
1148 if (Ustrncmp(d->name, arg, len) == 0) break;
1149 }
1150
1151if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1152 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1153 {
1154 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1155 return CONTROL_ERROR;
1156 }
1157
1158if (where > d->where_max)
1159 {
1160 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1161 arg, acl_wherenames[where]);
1162 return CONTROL_ERROR;
1163 }
1164
1165*pptr = arg + len;
1166return d->value;
1167}
1168
1169
1170
1171/*************************************************
1172* Handle conditions/modifiers on an ACL item *
1173*************************************************/
1174
1175/* Called from acl_check() below.
1176
1177Arguments:
1178 verb ACL verb
1179 cb ACL condition block - if NULL, result is OK
1180 where where called from
1181 addr the address being checked for RCPT, or NULL
1182 level the nesting level
1183 epp pointer to pass back TRUE if "endpass" encountered
1184 (applies only to "accept" and "discard")
1185 user_msgptr user message pointer
1186 log_msgptr log message pointer
1187 basic_errno pointer to where to put verify error
1188
1189Returns: OK - all conditions are met
1190 DISCARD - an "acl" condition returned DISCARD - only allowed
1191 for "accept" or "discard" verbs
1192 FAIL - at least one condition fails
1193 FAIL_DROP - an "acl" condition returned FAIL_DROP
1194 DEFER - can't tell at the moment (typically, lookup defer,
1195 but can be temporary callout problem)
1196 ERROR - ERROR from nested ACL or expansion failure or other
1197 error
1198*/
1199
1200static int
1201acl_check_condition(int verb, acl_condition_block *cb, int where,
1202 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1203 uschar **log_msgptr, int *basic_errno)
1204{
1205uschar *user_message = NULL;
1206uschar *log_message = NULL;
1207uschar *p;
1208int rc = OK;
1209
1210for (; cb != NULL; cb = cb->next)
1211 {
1212 uschar *arg;
1213
1214 /* The message and log_message items set up messages to be used in
1215 case of rejection. They are expanded later. */
1216
1217 if (cb->type == ACLC_MESSAGE)
1218 {
1219 user_message = cb->arg;
1220 continue;
1221 }
1222
1223 if (cb->type == ACLC_LOG_MESSAGE)
1224 {
1225 log_message = cb->arg;
1226 continue;
1227 }
1228
1229 /* The endpass "condition" just sets a flag to show it occurred. This is
1230 checked at compile time to be on an "accept" or "discard" item. */
1231
1232 if (cb->type == ACLC_ENDPASS)
1233 {
1234 *epp = TRUE;
1235 continue;
1236 }
1237
1238 /* For other conditions and modifiers, the argument is expanded now for some
1239 of them, but not for all, because expansion happens down in some lower level
1240 checking functions in some cases. */
1241
1242 if (cond_expand_at_top[cb->type])
1243 {
1244 arg = expand_string(cb->arg);
1245 if (arg == NULL)
1246 {
1247 if (expand_string_forcedfail) continue;
1248 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1249 cb->arg, expand_string_message);
1250 return search_find_defer? DEFER : ERROR;
1251 }
1252 }
1253 else arg = cb->arg;
1254
1255 /* Show condition, and expanded condition if it's different */
1256
1257 HDEBUG(D_acl)
1258 {
1259 int lhswidth = 0;
1260 debug_printf("check %s%s %n",
1261 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1262 conditions[cb->type], &lhswidth);
1263
1264 if (cb->type == ACLC_SET)
1265 {
1266 int n = cb->u.varnumber;
1267 int t = (n < ACL_C_MAX)? 'c' : 'm';
1268 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1269 debug_printf("acl_%c%d ", t, n);
1270 lhswidth += 7;
1271 }
1272
1273 debug_printf("= %s\n", cb->arg);
1274
1275 if (arg != cb->arg)
1276 debug_printf("%.*s= %s\n", lhswidth,
1277 US" ", CS arg);
1278 }
1279
1280 /* Check that this condition makes sense at this time */
1281
1282 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1283 {
1284 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1285 cond_modifiers[cb->type]? "use" : "test",
1286 conditions[cb->type], acl_wherenames[where]);
1287 return ERROR;
1288 }
1289
1290 /* Run the appropriate test for each condition, or take the appropriate
1291 action for the remaining modifiers. */
1292
1293 switch(cb->type)
1294 {
1295 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1296 "discard" verb. */
1297
1298 case ACLC_ACL:
1299 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1300 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1301 {
1302 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1303 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1304 verbs[verb]);
1305 return ERROR;
1306 }
1307 break;
1308
1309 case ACLC_AUTHENTICATED:
1310 rc = (sender_host_authenticated == NULL)? FAIL :
1311 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1312 TRUE, NULL);
1313 break;
1314
1315 case ACLC_CONDITION:
1316 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1317 rc = (Uatoi(arg) == 0)? FAIL : OK;
1318 else
1319 rc = (strcmpic(arg, US"no") == 0 ||
1320 strcmpic(arg, US"false") == 0)? FAIL :
1321 (strcmpic(arg, US"yes") == 0 ||
1322 strcmpic(arg, US"true") == 0)? OK : DEFER;
1323 if (rc == DEFER)
1324 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1325 break;
1326
1327 case ACLC_CONTROL:
1328 switch (decode_control(arg, &p, where, log_msgptr))
1329 {
1330 case CONTROL_ERROR:
1331 return ERROR;
1332
1333 case CONTROL_CASEFUL_LOCAL_PART:
1334 deliver_localpart = addr->cc_local_part;
1335 break;
1336
1337 case CONTROL_CASELOWER_LOCAL_PART:
1338 deliver_localpart = addr->lc_local_part;
1339 break;
1340
1341 case CONTROL_ENFORCE_SYNC:
1342 smtp_enforce_sync = TRUE;
1343 break;
1344
1345 case CONTROL_NO_ENFORCE_SYNC:
1346 smtp_enforce_sync = FALSE;
1347 break;
1348
1349 case CONTROL_NO_MULTILINE:
1350 no_multiline_responses = TRUE;
1351 break;
1352
1353 case CONTROL_FREEZE:
1354 deliver_freeze = TRUE;
1355 deliver_frozen_at = time(NULL);
1356 break;
1357
1358 case CONTROL_QUEUE_ONLY:
1359 queue_only_policy = TRUE;
1360 break;
1361
1362 case CONTROL_SUBMISSION:
1363 submission_mode = TRUE;
1364 if (Ustrncmp(p, "/domain=", 8) == 0)
1365 {
1366 submission_domain = string_copy(p+8);
1367 }
1368 else if (*p != 0)
1369 {
1370 *log_msgptr = string_sprintf("syntax error in argument for "
1371 "\"control\" modifier \"%s\"", arg);
1372 return ERROR;
1373 }
1374 break;
1375 }
1376 break;
1377
1378 case ACLC_DELAY:
1379 {
1380 int delay = readconf_readtime(arg, 0, FALSE);
1381 if (delay < 0)
1382 {
1383 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1384 "modifier: \"%s\" is not a time value", arg);
1385 return ERROR;
1386 }
1387 else
1388 {
1389 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1390 delay);
1391 if (host_checking)
1392 {
1393 HDEBUG(D_acl)
1394 debug_printf("delay skipped in -bh checking mode\n");
1395 }
1396 else sleep(delay);
1397 }
1398 }
1399 break;
1400
1401 case ACLC_DNSLISTS:
1402 rc = verify_check_dnsbl(&arg);
1403 break;
1404
1405 case ACLC_DOMAINS:
1406 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1407 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1408 break;
1409
1410 /* The value in tls_cipher is the full cipher name, for example,
1411 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1412 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1413 what may in practice come out of the SSL library - which at the time of
1414 writing is poorly documented. */
1415
1416 case ACLC_ENCRYPTED:
1417 if (tls_cipher == NULL) rc = FAIL; else
1418 {
1419 uschar *endcipher = NULL;
1420 uschar *cipher = Ustrchr(tls_cipher, ':');
1421 if (cipher == NULL) cipher = tls_cipher; else
1422 {
1423 endcipher = Ustrchr(++cipher, ':');
1424 if (endcipher != NULL) *endcipher = 0;
1425 }
1426 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1427 if (endcipher != NULL) *endcipher = ':';
1428 }
1429 break;
1430
1431 /* Use verify_check_this_host() instead of verify_check_host() so that
1432 we can pass over &host_data to catch any looked up data. Once it has been
1433 set, it retains its value so that it's still there if another ACL verb
1434 comes through here and uses the cache. However, we must put it into
1435 permanent store in case it is also expected to be used in a subsequent
1436 message in the same SMTP connection. */
1437
1438 case ACLC_HOSTS:
1439 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1440 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1441 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1442 break;
1443
1444 case ACLC_LOCAL_PARTS:
1445 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1446 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1447 &deliver_localpart_data);
1448 break;
1449
1450 case ACLC_LOGWRITE:
1451 {
1452 int logbits = 0;
1453 uschar *s = arg;
1454 if (*s == ':')
1455 {
1456 s++;
1457 while (*s != ':')
1458 {
1459 if (Ustrncmp(s, "main", 4) == 0)
1460 { logbits |= LOG_MAIN; s += 4; }
1461 else if (Ustrncmp(s, "panic", 5) == 0)
1462 { logbits |= LOG_PANIC; s += 5; }
1463 else if (Ustrncmp(s, "reject", 6) == 0)
1464 { logbits |= LOG_REJECT; s += 6; }
1465 else
1466 {
1467 logbits = LOG_MAIN|LOG_PANIC;
1468 s = string_sprintf(":unknown log name in \"%s\" in "
1469 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
1470 }
1471 if (*s == ',') s++;
1472 }
1473 s++;
1474 }
1475 while (isspace(*s)) s++;
1476 if (logbits == 0) logbits = LOG_MAIN;
1477 log_write(0, logbits, "%s", string_printing(s));
1478 }
1479 break;
1480
1481 case ACLC_RECIPIENTS:
1482 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
1483 &recipient_data);
1484 break;
1485
1486 case ACLC_SENDER_DOMAINS:
1487 {
1488 uschar *sdomain;
1489 sdomain = Ustrrchr(sender_address, '@');
1490 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
1491 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
1492 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
1493 }
1494 break;
1495
1496 case ACLC_SENDERS:
1497 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
1498 sender_address_cache, -1, 0, &sender_data);
1499 break;
1500
1501 /* Connection variables must persist forever */
1502
1503 case ACLC_SET:
1504 {
1505 int old_pool = store_pool;
1506 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
1507 acl_var[cb->u.varnumber] = string_copy(arg);
1508 store_pool = old_pool;
1509 }
1510 break;
1511
1512 /* If the verb is WARN, discard any user message from verification, because
1513 such messages are SMTP responses, not header additions. The latter come
1514 only from explicit "message" modifiers. */
1515
1516 case ACLC_VERIFY:
1517 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
1518 if (verb == ACL_WARN) *user_msgptr = NULL;
1519 break;
1520
1521 default:
1522 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
1523 "condition %d", cb->type);
1524 break;
1525 }
1526
1527 /* If a condition was negated, invert OK/FAIL. */
1528
1529 if (!cond_modifiers[cb->type] && cb->u.negated)
1530 {
1531 if (rc == OK) rc = FAIL;
1532 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
1533 }
1534
1535 if (rc != OK) break; /* Conditions loop */
1536 }
1537
1538
1539/* If the result is the one for which "message" and/or "log_message" are used,
1540handle the values of these options. Most verbs have but a single return for
1541which the messages are relevant, but for "discard", it's useful to have the log
1542message both when it succeeds and when it fails. Also, for an "accept" that
1543appears in a QUIT ACL, we want to handle the user message. Since only "accept"
1544and "warn" are permitted in that ACL, we don't need to test the verb.
1545
1546These modifiers act in different ways:
1547
1548"message" is a user message that will be included in an SMTP response. Unless
1549it is empty, it overrides any previously set user message.
1550
1551"log_message" is a non-user message, and it adds to any existing non-user
1552message that is already set.
1553
1554If there isn't a log message set, we make it the same as the user message. */
1555
1556if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
1557 (verb == ACL_DISCARD && rc == OK) ||
1558 (where == ACL_WHERE_QUIT))
1559 {
1560 uschar *expmessage;
1561
1562 /* If the verb is "warn", messages generated by conditions (verification or
1563 nested ACLs) are discarded. Only messages specified at this level are used.
1564 However, the value of an existing message is available in $acl_verify_message
1565 during expansions. */
1566
1567 uschar *old_user_msgptr = *user_msgptr;
1568 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
1569
1570 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
1571
1572 if (user_message != NULL)
1573 {
1574 acl_verify_message = old_user_msgptr;
1575 expmessage = expand_string(user_message);
1576 if (expmessage == NULL)
1577 {
1578 if (!expand_string_forcedfail)
1579 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1580 user_message, expand_string_message);
1581 }
1582 else if (expmessage[0] != 0) *user_msgptr = expmessage;
1583 }
1584
1585 if (log_message != NULL)
1586 {
1587 acl_verify_message = old_log_msgptr;
1588 expmessage = expand_string(log_message);
1589 if (expmessage == NULL)
1590 {
1591 if (!expand_string_forcedfail)
1592 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1593 log_message, expand_string_message);
1594 }
1595 else if (expmessage[0] != 0)
1596 {
1597 *log_msgptr = (*log_msgptr == NULL)? expmessage :
1598 string_sprintf("%s: %s", expmessage, *log_msgptr);
1599 }
1600 }
1601
1602 /* If no log message, default it to the user message */
1603
1604 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
1605 }
1606
1607acl_verify_message = NULL;
1608return rc;
1609}
1610
1611
1612
1613
1614
1615/*************************************************
1616* Get line from a literal ACL *
1617*************************************************/
1618
1619/* This function is passed to acl_read() in order to extract individual lines
1620of a literal ACL, which we access via static pointers. We can destroy the
1621contents because this is called only once (the compiled ACL is remembered).
1622
1623This code is intended to treat the data in the same way as lines in the main
1624Exim configuration file. That is:
1625
1626 . Leading spaces are ignored.
1627
1628 . A \ at the end of a line is a continuation - trailing spaces after the \
1629 are permitted (this is because I don't believe in making invisible things
1630 significant). Leading spaces on the continued part of a line are ignored.
1631
1632 . Physical lines starting (significantly) with # are totally ignored, and
1633 may appear within a sequence of backslash-continued lines.
1634
1635 . Blank lines are ignored, but will end a sequence of continuations.
1636
1637Arguments: none
1638Returns: a pointer to the next line
1639*/
1640
1641
1642static uschar *acl_text; /* Current pointer in the text */
1643static uschar *acl_text_end; /* Points one past the terminating '0' */
1644
1645
1646static uschar *
1647acl_getline(void)
1648{
1649uschar *yield;
1650
1651/* This loop handles leading blank lines and comments. */
1652
1653for(;;)
1654 {
1655 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
1656 if (*acl_text == 0) return NULL; /* No more data */
1657 yield = acl_text; /* Potential data line */
1658
1659 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
1660
1661 /* If we hit the end before a newline, we have the whole logical line. If
1662 it's a comment, there's no more data to be given. Otherwise, yield it. */
1663
1664 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
1665
1666 /* After reaching a newline, end this loop if the physical line does not
1667 start with '#'. If it does, it's a comment, and the loop continues. */
1668
1669 if (*yield != '#') break;
1670 }
1671
1672/* This loop handles continuations. We know we have some real data, ending in
1673newline. See if there is a continuation marker at the end (ignoring trailing
1674white space). We know that *yield is not white space, so no need to test for
1675cont > yield in the backwards scanning loop. */
1676
1677for(;;)
1678 {
1679 uschar *cont;
1680 for (cont = acl_text - 1; isspace(*cont); cont--);
1681
1682 /* If no continuation follows, we are done. Mark the end of the line and
1683 return it. */
1684
1685 if (*cont != '\\')
1686 {
1687 *acl_text++ = 0;
1688 return yield;
1689 }
1690
1691 /* We have encountered a continuation. Skip over whitespace at the start of
1692 the next line, and indeed the whole of the next line or lines if they are
1693 comment lines. */
1694
1695 for (;;)
1696 {
1697 while (*(++acl_text) == ' ' || *acl_text == '\t');
1698 if (*acl_text != '#') break;
1699 while (*(++acl_text) != 0 && *acl_text != '\n');
1700 }
1701
1702 /* We have the start of a continuation line. Move all the rest of the data
1703 to join onto the previous line, and then find its end. If the end is not a
1704 newline, we are done. Otherwise loop to look for another continuation. */
1705
1706 memmove(cont, acl_text, acl_text_end - acl_text);
1707 acl_text_end -= acl_text - cont;
1708 acl_text = cont;
1709 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
1710 if (*acl_text == 0) return yield;
1711 }
1712
1713/* Control does not reach here */
1714}
1715
1716
1717
1718
1719
1720/*************************************************
1721* Check access using an ACL *
1722*************************************************/
1723
1724/* This function is called from address_check. It may recurse via
1725acl_check_condition() - hence the use of a level to stop looping. The ACL is
1726passed as a string which is expanded. A forced failure implies no access check
1727is required. If the result is a single word, it is taken as the name of an ACL
1728which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
1729text, complete with newlines, and parsed as such. In both cases, the ACL check
1730is then run. This function uses an auxiliary function for acl_read() to call
1731for reading individual lines of a literal ACL. This is acl_getline(), which
1732appears immediately above.
1733
1734Arguments:
1735 where where called from
1736 addr address item when called from RCPT; otherwise NULL
1737 s the input string; NULL is the same as an empty ACL => DENY
1738 level the nesting level
1739 user_msgptr where to put a user error (for SMTP response)
1740 log_msgptr where to put a logging message (not for SMTP response)
1741
1742Returns: OK access is granted
1743 DISCARD access is apparently granted...
1744 FAIL access is denied
1745 FAIL_DROP access is denied; drop the connection
1746 DEFER can't tell at the moment
1747 ERROR disaster
1748*/
1749
1750static int
1751acl_check_internal(int where, address_item *addr, uschar *s, int level,
1752 uschar **user_msgptr, uschar **log_msgptr)
1753{
1754int fd = -1;
1755acl_block *acl = NULL;
1756uschar *acl_name = US"inline ACL";
1757uschar *ss;
1758
1759/* Catch configuration loops */
1760
1761if (level > 20)
1762 {
1763 *log_msgptr = US"ACL nested too deep: possible loop";
1764 return ERROR;
1765 }
1766
1767if (s == NULL)
1768 {
1769 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
1770 return FAIL;
1771 }
1772
1773/* At top level, we expand the incoming string. At lower levels, it has already
1774been expanded as part of condition processing. */
1775
1776if (level == 0)
1777 {
1778 ss = expand_string(s);
1779 if (ss == NULL)
1780 {
1781 if (expand_string_forcedfail) return OK;
1782 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
1783 expand_string_message);
1784 return ERROR;
1785 }
1786 }
1787else ss = s;
1788
1789while (isspace(*ss))ss++;
1790
1791/* If we can't find a named ACL, the default is to parse it as an inline one.
1792(Unless it begins with a slash; non-existent files give rise to an error.) */
1793
1794acl_text = ss;
1795
1796/* Handle the case of a string that does not contain any spaces. Look for a
1797named ACL among those read from the configuration, or a previously read file.
1798It is possible that the pointer to the ACL is NULL if the configuration
1799contains a name with no data. If not found, and the text begins with '/',
1800read an ACL from a file, and save it so it can be re-used. */
1801
1802if (Ustrchr(ss, ' ') == NULL)
1803 {
1804 tree_node *t = tree_search(acl_anchor, ss);
1805 if (t != NULL)
1806 {
1807 acl = (acl_block *)(t->data.ptr);
1808 if (acl == NULL)
1809 {
1810 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
1811 return FAIL;
1812 }
1813 acl_name = string_sprintf("ACL \"%s\"", ss);
1814 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
1815 }
1816
1817 else if (*ss == '/')
1818 {
1819 struct stat statbuf;
1820 fd = Uopen(ss, O_RDONLY, 0);
1821 if (fd < 0)
1822 {
1823 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
1824 strerror(errno));
1825 return ERROR;
1826 }
1827
1828 if (fstat(fd, &statbuf) != 0)
1829 {
1830 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
1831 strerror(errno));
1832 return ERROR;
1833 }
1834
1835 acl_text = store_get(statbuf.st_size + 1);
1836 acl_text_end = acl_text + statbuf.st_size + 1;
1837
1838 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
1839 {
1840 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
1841 ss, strerror(errno));
1842 return ERROR;
1843 }
1844 acl_text[statbuf.st_size] = 0;
1845 close(fd);
1846
1847 acl_name = string_sprintf("ACL \"%s\"", ss);
1848 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
1849 }
1850 }
1851
1852/* Parse an ACL that is still in text form. If it came from a file, remember it
1853in the ACL tree, having read it into the POOL_PERM store pool so that it
1854persists between multiple messages. */
1855
1856if (acl == NULL)
1857 {
1858 int old_pool = store_pool;
1859 if (fd >= 0) store_pool = POOL_PERM;
1860 acl = acl_read(acl_getline, log_msgptr);
1861 store_pool = old_pool;
1862 if (acl == NULL && *log_msgptr != NULL) return ERROR;
1863 if (fd >= 0)
1864 {
1865 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
1866 Ustrcpy(t->name, ss);
1867 t->data.ptr = acl;
1868 (void)tree_insertnode(&acl_anchor, t);
1869 }
1870 }
1871
1872/* Now we have an ACL to use. It's possible it may be NULL. */
1873
1874while (acl != NULL)
1875 {
1876 int cond;
1877 int basic_errno = 0;
1878 BOOL endpass_seen = FALSE;
1879
1880 *log_msgptr = *user_msgptr = NULL;
1881 acl_temp_details = FALSE;
1882
1883 if (where == ACL_WHERE_QUIT &&
1884 acl->verb != ACL_ACCEPT &&
1885 acl->verb != ACL_WARN)
1886 {
1887 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
1888 verbs[acl->verb]);
1889 return ERROR;
1890 }
1891
1892 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
1893
1894 /* Clear out any search error message from a previous check before testing
1895 this condition. */
1896
1897 search_error_message = NULL;
1898 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
1899 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
1900
1901 /* Handle special returns: DEFER causes a return except on a WARN verb;
1902 ERROR always causes a return. */
1903
1904 switch (cond)
1905 {
1906 case DEFER:
1907 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
1908 if (basic_errno != ERRNO_CALLOUTDEFER)
1909 {
1910 if (search_error_message != NULL && *search_error_message != 0)
1911 *log_msgptr = search_error_message;
1912 if (smtp_return_error_details) acl_temp_details = TRUE;
1913 }
1914 else
1915 {
1916 acl_temp_details = TRUE;
1917 }
1918 if (acl->verb != ACL_WARN) return DEFER;
1919 break;
1920
1921 default: /* Paranoia */
1922 case ERROR:
1923 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
1924 return ERROR;
1925
1926 case OK:
1927 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
1928 verbs[acl->verb]);
1929 break;
1930
1931 case FAIL:
1932 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
1933 break;
1934
1935 /* DISCARD and DROP can happen only from a nested ACL condition, and
1936 DISCARD can happen only for an "accept" or "discard" verb. */
1937
1938 case DISCARD:
1939 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
1940 verbs[acl->verb]);
1941 break;
1942
1943 case FAIL_DROP:
1944 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
1945 verbs[acl->verb]);
1946 break;
1947 }
1948
1949 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
1950 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
1951 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
1952
1953 switch(acl->verb)
1954 {
1955 case ACL_ACCEPT:
1956 if (cond == OK || cond == DISCARD) return cond;
1957 if (endpass_seen)
1958 {
1959 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
1960 return cond;
1961 }
1962 break;
1963
1964 case ACL_DEFER:
1965 if (cond == OK)
1966 {
1967 acl_temp_details = TRUE;
1968 return DEFER;
1969 }
1970 break;
1971
1972 case ACL_DENY:
1973 if (cond == OK) return FAIL;
1974 break;
1975
1976 case ACL_DISCARD:
1977 if (cond == OK || cond == DISCARD) return DISCARD;
1978 if (endpass_seen)
1979 {
1980 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
1981 return cond;
1982 }
1983 break;
1984
1985 case ACL_DROP:
1986 if (cond == OK) return FAIL_DROP;
1987 break;
1988
1989 case ACL_REQUIRE:
1990 if (cond != OK) return cond;
1991 break;
1992
1993 case ACL_WARN:
1994 if (cond == OK)
1995 acl_warn(where, *user_msgptr, *log_msgptr);
1996 else if (cond == DEFER)
1997 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
1998 "condition test deferred: %s",
1999 (*log_msgptr == NULL)? US"" : *log_msgptr));
2000 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2001 break;
2002
2003 default:
2004 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2005 acl->verb);
2006 break;
2007 }
2008
2009 /* Pass to the next ACL item */
2010
2011 acl = acl->next;
2012 }
2013
2014/* We have reached the end of the ACL. This is an implicit DENY. */
2015
2016HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2017return FAIL;
2018}
2019
2020
2021/*************************************************
2022* Check access using an ACL *
2023*************************************************/
2024
2025/* This is the external interface for ACL checks. It sets up an address and the
2026expansions for $domain and $local_part when called after RCPT, then calls
2027acl_check_internal() to do the actual work.
2028
2029Arguments:
2030 where ACL_WHERE_xxxx indicating where called from
2031 data_string RCPT address, or SMTP command argument, or NULL
2032 s the input string; NULL is the same as an empty ACL => DENY
2033 user_msgptr where to put a user error (for SMTP response)
2034 log_msgptr where to put a logging message (not for SMTP response)
2035
2036Returns: OK access is granted by an ACCEPT verb
2037 DISCARD access is granted by a DISCARD verb
2038 FAIL access is denied
2039 FAIL_DROP access is denied; drop the connection
2040 DEFER can't tell at the moment
2041 ERROR disaster
2042*/
2043
2044int
2045acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2046 uschar **log_msgptr)
2047{
2048int rc;
2049address_item adb;
2050address_item *addr;
2051
2052*user_msgptr = *log_msgptr = NULL;
2053sender_verified_failed = NULL;
2054
2055if (where == ACL_WHERE_RCPT)
2056 {
2057 adb = address_defaults;
2058 addr = &adb;
2059 addr->address = data_string;
2060 if (deliver_split_address(addr) == DEFER)
2061 {
2062 *log_msgptr = US"defer in percent_hack_domains check";
2063 return DEFER;
2064 }
2065 deliver_domain = addr->domain;
2066 deliver_localpart = addr->local_part;
2067 }
2068else
2069 {
2070 addr = NULL;
2071 smtp_command_argument = data_string;
2072 }
2073
2074rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2075
2076smtp_command_argument = deliver_domain =
2077 deliver_localpart = deliver_address_data = NULL;
2078
2079/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2080ACL, which is really in the middle of an SMTP command. */
2081
2082if (rc == DISCARD)
2083 {
2084 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2085 {
2086 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2087 "ACL", acl_wherenames[where]);
2088 return ERROR;
2089 }
2090 return DISCARD;
2091 }
2092
2093/* A DROP response is not permitted from MAILAUTH */
2094
2095if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2096 {
2097 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2098 "ACL", acl_wherenames[where]);
2099 return ERROR;
2100 }
2101
2102/* Before giving an error response, take a look at the length of any user
2103message, and split it up into multiple lines if possible. */
2104
2105if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2106 {
2107 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2108 uschar *ss = s;
2109
2110 for (;;)
2111 {
2112 int i = 0;
2113 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2114 if (*ss == 0) break;
2115 if (*ss == '\n')
2116 s = ++ss;
2117 else
2118 {
2119 uschar *t = ss + 1;
2120 uschar *tt = NULL;
2121 while (--t > s + 35)
2122 {
2123 if (*t == ' ')
2124 {
2125 if (t[-1] == ':') { tt = t; break; }
2126 if (tt == NULL) tt = t;
2127 }
2128 }
2129
2130 if (tt == NULL) /* Can't split behind - try ahead */
2131 {
2132 t = ss + 1;
2133 while (*t != 0)
2134 {
2135 if (*t == ' ' || *t == '\n')
2136 { tt = t; break; }
2137 t++;
2138 }
2139 }
2140
2141 if (tt == NULL) break; /* Can't find anywhere to split */
2142 *tt = '\n';
2143 s = ss = tt+1;
2144 }
2145 }
2146 }
2147
2148return rc;
2149}
2150
2151/* End of acl.c */