(1) The flags in acl.c for fakereject allowed it in too many places. It
[exim.git] / src / src / acl.c
CommitLineData
a6c4ab60 1/* $Cambridge: exim/src/src/acl.c,v 1.13 2005/01/12 12:24:13 ph10 Exp $ */
059ec3d9
PH
2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
c988f1f4 7/* Copyright (c) University of Cambridge 1995 - 2005 */
059ec3d9
PH
8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
35follows. */
36
8523533c
TK
37enum { ACLC_ACL, ACLC_AUTHENTICATED,
38#ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40#endif
41ACLC_CONDITION, ACLC_CONTROL,
42#ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44#endif
45 ACLC_DELAY,
46#ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
48#endif
49 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
50 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
51#ifdef WITH_CONTENT_SCAN
52 ACLC_MALWARE,
53#endif
54 ACLC_MESSAGE,
55#ifdef WITH_CONTENT_SCAN
56 ACLC_MIME_REGEX,
57#endif
58 ACLC_RECIPIENTS,
59#ifdef WITH_CONTENT_SCAN
60 ACLC_REGEX,
61#endif
62 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
63#ifdef WITH_CONTENT_SCAN
64 ACLC_SPAM,
65#endif
66#ifdef EXPERIMENTAL_SPF
67 ACLC_SPF,
68#endif
69 ACLC_VERIFY };
059ec3d9
PH
70
71/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
72"log_message", "logwrite", and "set" are modifiers that look like conditions
73but always return TRUE. They are used for their side effects. */
74
8523533c
TK
75static uschar *conditions[] = { US"acl", US"authenticated",
76#ifdef EXPERIMENTAL_BRIGHTMAIL
77 US"bmi_optin",
78#endif
79 US"condition",
80 US"control",
81#ifdef WITH_CONTENT_SCAN
82 US"decode",
83#endif
84 US"delay",
85#ifdef WITH_OLD_DEMIME
86 US"demime",
87#endif
88 US"dnslists", US"domains", US"encrypted",
059ec3d9 89 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
8523533c
TK
90#ifdef WITH_CONTENT_SCAN
91 US"malware",
92#endif
93 US"message",
94#ifdef WITH_CONTENT_SCAN
95 US"mime_regex",
96#endif
97 US"recipients",
98#ifdef WITH_CONTENT_SCAN
99 US"regex",
100#endif
101 US"sender_domains", US"senders", US"set",
102#ifdef WITH_CONTENT_SCAN
103 US"spam",
104#endif
105#ifdef EXPERIMENTAL_SPF
106 US"spf",
107#endif
059ec3d9 108 US"verify" };
c5fcb476
PH
109
110/* ACL control names */
111
112static uschar *controls[] = { US"error", US"caseful_local_part",
113 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
114 US"queue_only", US"submission", US"no_multiline"};
059ec3d9
PH
115
116/* Flags to indicate for which conditions /modifiers a string expansion is done
117at the outer level. In the other cases, expansion already occurs in the
118checking functions. */
119
120static uschar cond_expand_at_top[] = {
121 TRUE, /* acl */
122 FALSE, /* authenticated */
8523533c
TK
123#ifdef EXPERIMENTAL_BRIGHTMAIL
124 TRUE, /* bmi_optin */
125#endif
059ec3d9
PH
126 TRUE, /* condition */
127 TRUE, /* control */
8523533c
TK
128#ifdef WITH_CONTENT_SCAN
129 TRUE, /* decode */
130#endif
059ec3d9 131 TRUE, /* delay */
8523533c
TK
132#ifdef WITH_OLD_DEMIME
133 TRUE, /* demime */
134#endif
059ec3d9
PH
135 TRUE, /* dnslists */
136 FALSE, /* domains */
137 FALSE, /* encrypted */
138 TRUE, /* endpass */
139 FALSE, /* hosts */
140 FALSE, /* local_parts */
141 TRUE, /* log_message */
142 TRUE, /* logwrite */
8523533c
TK
143#ifdef WITH_CONTENT_SCAN
144 TRUE, /* malware */
145#endif
059ec3d9 146 TRUE, /* message */
8523533c
TK
147#ifdef WITH_CONTENT_SCAN
148 TRUE, /* mime_regex */
149#endif
059ec3d9 150 FALSE, /* recipients */
8523533c
TK
151#ifdef WITH_CONTENT_SCAN
152 TRUE, /* regex */
153#endif
059ec3d9
PH
154 FALSE, /* sender_domains */
155 FALSE, /* senders */
156 TRUE, /* set */
8523533c
TK
157#ifdef WITH_CONTENT_SCAN
158 TRUE, /* spam */
159#endif
160#ifdef EXPERIMENTAL_SPF
161 TRUE, /* spf */
162#endif
059ec3d9
PH
163 TRUE /* verify */
164};
165
166/* Flags to identify the modifiers */
167
168static uschar cond_modifiers[] = {
169 FALSE, /* acl */
170 FALSE, /* authenticated */
8523533c
TK
171#ifdef EXPERIMENTAL_BRIGHTMAIL
172 TRUE, /* bmi_optin */
173#endif
059ec3d9
PH
174 FALSE, /* condition */
175 TRUE, /* control */
8523533c
TK
176#ifdef WITH_CONTENT_SCAN
177 FALSE, /* decode */
178#endif
059ec3d9 179 TRUE, /* delay */
8523533c
TK
180#ifdef WITH_OLD_DEMIME
181 FALSE, /* demime */
182#endif
059ec3d9
PH
183 FALSE, /* dnslists */
184 FALSE, /* domains */
185 FALSE, /* encrypted */
186 TRUE, /* endpass */
187 FALSE, /* hosts */
188 FALSE, /* local_parts */
189 TRUE, /* log_message */
8523533c
TK
190 TRUE, /* logwrite */
191#ifdef WITH_CONTENT_SCAN
192 FALSE, /* malware */
193#endif
059ec3d9 194 TRUE, /* message */
8523533c
TK
195#ifdef WITH_CONTENT_SCAN
196 FALSE, /* mime_regex */
197#endif
059ec3d9 198 FALSE, /* recipients */
8523533c
TK
199#ifdef WITH_CONTENT_SCAN
200 FALSE, /* regex */
201#endif
059ec3d9
PH
202 FALSE, /* sender_domains */
203 FALSE, /* senders */
204 TRUE, /* set */
8523533c
TK
205#ifdef WITH_CONTENT_SCAN
206 FALSE, /* spam */
207#endif
208#ifdef EXPERIMENTAL_SPF
209 FALSE, /* spf */
210#endif
059ec3d9
PH
211 FALSE /* verify */
212};
213
c5fcb476
PH
214/* Bit map vector of which conditions are not allowed at certain times. For
215each condition, there's a bitmap of dis-allowed times. */
059ec3d9
PH
216
217static unsigned int cond_forbids[] = {
218 0, /* acl */
219 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
220 (1<<ACL_WHERE_HELO),
8523533c
TK
221
222#ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 223 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK
224 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
225 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
226 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
227 (1<<ACL_WHERE_MAILAUTH)|
228 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
229 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
230#endif
231
059ec3d9 232 0, /* condition */
8523533c 233
059ec3d9
PH
234 /* Certain types of control are always allowed, so we let it through
235 always and check in the control processing itself */
8523533c 236
059ec3d9 237 0, /* control */
8523533c
TK
238
239#ifdef WITH_CONTENT_SCAN
3864bb8e 240 (1<<ACL_WHERE_AUTH)| /* decode */
8523533c
TK
241 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
242 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
243 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
244 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
245 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
246 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
247#endif
248
059ec3d9 249 0, /* delay */
8523533c 250
f7b63901 251#ifdef WITH_OLD_DEMIME
3864bb8e 252 (1<<ACL_WHERE_AUTH)| /* demime */
8523533c
TK
253 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
254 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
255 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
256 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
257 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
258 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
259#endif
260
059ec3d9
PH
261 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
262
263 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
264 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
265 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
266 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
267 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
268 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
269 (1<<ACL_WHERE_VRFY),
270
271 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
272 (1<<ACL_WHERE_HELO),
273 0, /* endpass */
274 (1<<ACL_WHERE_NOTSMTP), /* hosts */
275
276 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
277 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
278 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
279 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
280 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
281 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
282 (1<<ACL_WHERE_VRFY),
283
284 0, /* log_message */
285 0, /* logwrite */
8523533c
TK
286
287#ifdef WITH_CONTENT_SCAN
3864bb8e 288 (1<<ACL_WHERE_AUTH)| /* malware */
8523533c
TK
289 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
290 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
291 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
292 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
293 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
294 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
295#endif
296
059ec3d9
PH
297 0, /* message */
298
8523533c 299#ifdef WITH_CONTENT_SCAN
3864bb8e 300 (1<<ACL_WHERE_AUTH)| /* mime_regex */
8523533c
TK
301 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
302 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
303 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
304 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
305 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
306 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
307#endif
308
059ec3d9
PH
309 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
310 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
311 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
312 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
313 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
314 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
315 (1<<ACL_WHERE_VRFY),
316
8523533c 317#ifdef WITH_CONTENT_SCAN
3864bb8e 318 (1<<ACL_WHERE_AUTH)| /* regex */
8523533c
TK
319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
324 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
325#endif
326
059ec3d9
PH
327 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
328 (1<<ACL_WHERE_HELO)|
329 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
330 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
331 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
332
333 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
334 (1<<ACL_WHERE_HELO)|
335 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
336 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
337 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
338
339 0, /* set */
340
8523533c 341#ifdef WITH_CONTENT_SCAN
3864bb8e 342 (1<<ACL_WHERE_AUTH)| /* spam */
8523533c
TK
343 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
344 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
345 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
346 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
347 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
348 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
349#endif
350
351#ifdef EXPERIMENTAL_SPF
352 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
353 (1<<ACL_WHERE_HELO)|
354 (1<<ACL_WHERE_MAILAUTH)|
355 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
356 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
357#endif
358
059ec3d9
PH
359 /* Certain types of verify are always allowed, so we let it through
360 always and check in the verify function itself */
361
362 0 /* verify */
059ec3d9
PH
363};
364
365
366/* Return values from decode_control() */
367
8523533c
TK
368enum {
369#ifdef EXPERIMENTAL_BRIGHTMAIL
370 CONTROL_BMI_RUN,
371#endif
372 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
059ec3d9 373 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
8523533c
TK
374 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
375#ifdef WITH_CONTENT_SCAN
0f9b0483 376 CONTROL_NO_MBOX_UNSPOOL,
8523533c 377#endif
0f9b0483 378 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
059ec3d9 379
c5fcb476
PH
380/* Bit map vector of which controls are not allowed at certain times. For
381each control, there's a bitmap of dis-allowed times. For some, it is easier to
382specify the negation of a small number of allowed times. */
383
384static unsigned int control_forbids[] = {
8523533c
TK
385#ifdef EXPERIMENTAL_BRIGHTMAIL
386 0, /* bmi_run */
387#endif
c5fcb476
PH
388 0, /* error */
389 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
390 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
391 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
392 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
393
394 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
395 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
396 (1<<ACL_WHERE_NOTSMTP)),
397
398 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
399 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
400 (1<<ACL_WHERE_NOTSMTP)),
401
402 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
403 (1<<ACL_WHERE_PREDATA)),
8523533c
TK
404
405#ifdef WITH_CONTENT_SCAN
406 (1<<ACL_WHERE_NOTSMTP), /* no_mbox_unspool */
8523533c 407#endif
a6c4ab60
PH
408
409 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
410 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)),
8523533c 411
c5fcb476
PH
412 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
413};
414
415/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH
416
417typedef struct control_def {
418 uschar *name;
419 int value; /* CONTROL_xxx value */
059ec3d9
PH
420 BOOL has_option; /* Has /option(s) following */
421} control_def;
422
423static control_def controls_list[] = {
8523533c
TK
424#ifdef EXPERIMENTAL_BRIGHTMAIL
425 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
426#endif
c5fcb476
PH
427 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
428 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
429 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
430 { US"freeze", CONTROL_FREEZE, FALSE},
431 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
432 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
433 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
8523533c
TK
434#ifdef WITH_CONTENT_SCAN
435 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
8523533c 436#endif
0f9b0483 437 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
c5fcb476 438 { US"submission", CONTROL_SUBMISSION, TRUE}
059ec3d9
PH
439 };
440
441/* Enable recursion between acl_check_internal() and acl_check_condition() */
442
443static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
444 uschar **);
445
446
447/*************************************************
448* Pick out name from list *
449*************************************************/
450
451/* Use a binary chop method
452
453Arguments:
454 name name to find
455 list list of names
456 end size of list
457
458Returns: offset in list, or -1 if not found
459*/
460
461static int
462acl_checkname(uschar *name, uschar **list, int end)
463{
464int start = 0;
465
466while (start < end)
467 {
468 int mid = (start + end)/2;
469 int c = Ustrcmp(name, list[mid]);
470 if (c == 0) return mid;
471 if (c < 0) end = mid; else start = mid + 1;
472 }
473
474return -1;
475}
476
477
478/*************************************************
479* Read and parse one ACL *
480*************************************************/
481
482/* This function is called both from readconf in order to parse the ACLs in the
483configuration file, and also when an ACL is encountered dynamically (e.g. as
484the result of an expansion). It is given a function to call in order to
485retrieve the lines of the ACL. This function handles skipping comments and
486blank lines (where relevant).
487
488Arguments:
489 func function to get next line of ACL
490 error where to put an error message
491
492Returns: pointer to ACL, or NULL
493 NULL can be legal (empty ACL); in this case error will be NULL
494*/
495
496acl_block *
497acl_read(uschar *(*func)(void), uschar **error)
498{
499acl_block *yield = NULL;
500acl_block **lastp = &yield;
501acl_block *this = NULL;
502acl_condition_block *cond;
503acl_condition_block **condp = NULL;
504uschar *s;
505
506*error = NULL;
507
508while ((s = (*func)()) != NULL)
509 {
510 int v, c;
511 BOOL negated = FALSE;
512 uschar *saveline = s;
513 uschar name[64];
514
515 /* Conditions (but not verbs) are allowed to be negated by an initial
516 exclamation mark. */
517
518 while (isspace(*s)) s++;
519 if (*s == '!')
520 {
521 negated = TRUE;
522 s++;
523 }
524
525 /* Read the name of a verb or a condition, or the start of a new ACL */
526
527 s = readconf_readname(name, sizeof(name), s);
528 if (*s == ':')
529 {
530 if (negated || name[0] == 0)
531 {
532 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
533 return NULL;
534 }
535 break;
536 }
537
538 /* If a verb is unrecognized, it may be another condition or modifier that
539 continues the previous verb. */
540
541 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
542 if (v < 0)
543 {
544 if (this == NULL)
545 {
546 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
547 return NULL;
548 }
549 }
550
551 /* New verb */
552
553 else
554 {
555 if (negated)
556 {
557 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
558 return NULL;
559 }
560 this = store_get(sizeof(acl_block));
561 *lastp = this;
562 lastp = &(this->next);
563 this->next = NULL;
564 this->verb = v;
565 this->condition = NULL;
566 condp = &(this->condition);
567 if (*s == 0) continue; /* No condition on this line */
568 if (*s == '!')
569 {
570 negated = TRUE;
571 s++;
572 }
573 s = readconf_readname(name, sizeof(name), s); /* Condition name */
574 }
575
576 /* Handle a condition or modifier. */
577
578 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
579 if (c < 0)
580 {
581 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
582 saveline);
583 return NULL;
584 }
585
586 /* The modifiers may not be negated */
587
588 if (negated && cond_modifiers[c])
589 {
590 *error = string_sprintf("ACL error: negation is not allowed with "
591 "\"%s\"", conditions[c]);
592 return NULL;
593 }
594
595 /* ENDPASS may occur only with ACCEPT or DISCARD. */
596
597 if (c == ACLC_ENDPASS &&
598 this->verb != ACL_ACCEPT &&
599 this->verb != ACL_DISCARD)
600 {
601 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
602 conditions[c], verbs[this->verb]);
603 return NULL;
604 }
605
606 cond = store_get(sizeof(acl_condition_block));
607 cond->next = NULL;
608 cond->type = c;
609 cond->u.negated = negated;
610
611 *condp = cond;
612 condp = &(cond->next);
613
614 /* The "set" modifier is different in that its argument is "name=value"
615 rather than just a value, and we can check the validity of the name, which
616 gives us a variable number to insert into the data block. */
617
618 if (c == ACLC_SET)
619 {
620 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
621 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
622 {
623 *error = string_sprintf("unrecognized name after \"set\" in ACL "
624 "modifier \"set %s\"", s);
625 return NULL;
626 }
627
628 cond->u.varnumber = s[5] - '0';
629 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
630 s += 6;
631 while (isspace(*s)) s++;
632 }
633
634 /* For "set", we are now positioned for the data. For the others, only
635 "endpass" has no data */
636
637 if (c != ACLC_ENDPASS)
638 {
639 if (*s++ != '=')
640 {
641 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
642 cond_modifiers[c]? US"modifier" : US"condition");
643 return NULL;
644 }
645 while (isspace(*s)) s++;
646 cond->arg = string_copy(s);
647 }
648 }
649
650return yield;
651}
652
653
654
655/*************************************************
656* Handle warnings *
657*************************************************/
658
659/* This function is called when a WARN verb's conditions are true. It adds to
660the message's headers, and/or writes information to the log. In each case, this
661only happens once (per message for headers, per connection for log).
662
663Arguments:
664 where ACL_WHERE_xxxx indicating which ACL this is
665 user_message message for adding to headers
666 log_message message for logging, if different
667
668Returns: nothing
669*/
670
671static void
672acl_warn(int where, uschar *user_message, uschar *log_message)
673{
674int hlen;
675
676if (log_message != NULL && log_message != user_message)
677 {
678 uschar *text;
679 string_item *logged;
680
681 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
682 string_printing(log_message));
683
684 /* If a sender verification has failed, and the log message is "sender verify
685 failed", add the failure message. */
686
687 if (sender_verified_failed != NULL &&
688 sender_verified_failed->message != NULL &&
689 strcmpic(log_message, US"sender verify failed") == 0)
690 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
691
692 /* Search previously logged warnings. They are kept in malloc store so they
693 can be freed at the start of a new message. */
694
695 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
696 if (Ustrcmp(logged->text, text) == 0) break;
697
698 if (logged == NULL)
699 {
700 int length = Ustrlen(text) + 1;
701 log_write(0, LOG_MAIN, "%s", text);
702 logged = store_malloc(sizeof(string_item) + length);
703 logged->text = (uschar *)logged + sizeof(string_item);
704 memcpy(logged->text, text, length);
705 logged->next = acl_warn_logged;
706 acl_warn_logged = logged;
707 }
708 }
709
710/* If there's no user message, we are done. */
711
712if (user_message == NULL) return;
713
714/* If this isn't a message ACL, we can't do anything with a user message.
715Log an error. */
716
717if (where > ACL_WHERE_NOTSMTP)
718 {
719 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
720 "found in a non-message (%s) ACL: cannot specify header lines here: "
721 "message ignored", acl_wherenames[where]);
722 return;
723 }
724
725/* Treat the user message as a sequence of one or more header lines. */
726
727hlen = Ustrlen(user_message);
728if (hlen > 0)
729 {
730 uschar *text, *p, *q;
731
732 /* Add a final newline if not present */
733
734 text = ((user_message)[hlen-1] == '\n')? user_message :
735 string_sprintf("%s\n", user_message);
736
737 /* Loop for multiple header lines, taking care about continuations */
738
739 for (p = q = text; *p != 0; )
740 {
741 uschar *s;
742 int newtype = htype_add_bot;
743 header_line **hptr = &acl_warn_headers;
744
745 /* Find next header line within the string */
746
747 for (;;)
748 {
749 q = Ustrchr(q, '\n');
750 if (*(++q) != ' ' && *q != '\t') break;
751 }
752
753 /* If the line starts with a colon, interpret the instruction for where to
754 add it. This temporarily sets up a new type. */
755
756 if (*p == ':')
757 {
758 if (strncmpic(p, US":after_received:", 16) == 0)
759 {
760 newtype = htype_add_rec;
761 p += 16;
762 }
8523533c
TK
763 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
764 {
765 newtype = htype_add_rfc;
766 p += 14;
767 }
059ec3d9
PH
768 else if (strncmpic(p, US":at_start:", 10) == 0)
769 {
770 newtype = htype_add_top;
771 p += 10;
772 }
773 else if (strncmpic(p, US":at_end:", 8) == 0)
774 {
775 newtype = htype_add_bot;
776 p += 8;
777 }
778 while (*p == ' ' || *p == '\t') p++;
779 }
780
781 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
782 to the front of it. */
783
784 for (s = p; s < q - 1; s++)
785 {
786 if (*s == ':' || !isgraph(*s)) break;
787 }
788
789 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
790 hlen = Ustrlen(s);
791
792 /* See if this line has already been added */
793
794 while (*hptr != NULL)
795 {
796 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
797 hptr = &((*hptr)->next);
798 }
799
800 /* Add if not previously present */
801
802 if (*hptr == NULL)
803 {
804 header_line *h = store_get(sizeof(header_line));
805 h->text = s;
806 h->next = NULL;
807 h->type = newtype;
808 h->slen = hlen;
809 *hptr = h;
810 hptr = &(h->next);
811 }
812
813 /* Advance for next header line within the string */
814
815 p = q;
816 }
817 }
818}
819
820
821
822/*************************************************
823* Verify and check reverse DNS *
824*************************************************/
825
826/* Called from acl_verify() below. We look up the host name(s) of the client IP
827address if this has not yet been done. The host_name_lookup() function checks
828that one of these names resolves to an address list that contains the client IP
829address, so we don't actually have to do the check here.
830
831Arguments:
832 user_msgptr pointer for user message
833 log_msgptr pointer for log message
834
835Returns: OK verification condition succeeded
836 FAIL verification failed
837 DEFER there was a problem verifying
838*/
839
840static int
841acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
842{
843int rc;
844
845user_msgptr = user_msgptr; /* stop compiler warning */
846
847/* Previous success */
848
849if (sender_host_name != NULL) return OK;
850
851/* Previous failure */
852
853if (host_lookup_failed)
854 {
855 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
856 return FAIL;
857 }
858
859/* Need to do a lookup */
860
861HDEBUG(D_acl)
862 debug_printf("looking up host name to force name/address consistency check\n");
863
864if ((rc = host_name_lookup()) != OK)
865 {
866 *log_msgptr = (rc == DEFER)?
867 US"host lookup deferred for reverse lookup check"
868 :
869 string_sprintf("host lookup failed for reverse lookup check%s",
870 host_lookup_msg);
871 return rc; /* DEFER or FAIL */
872 }
873
874host_build_sender_fullhost();
875return OK;
876}
877
878
879
880/*************************************************
881* Handle verification (address & other) *
882*************************************************/
883
884/* This function implements the "verify" condition. It is called when
885encountered in any ACL, because some tests are almost always permitted. Some
886just don't make sense, and always fail (for example, an attempt to test a host
887lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
888
889Arguments:
890 where where called from
891 addr the recipient address that the ACL is handling, or NULL
892 arg the argument of "verify"
893 user_msgptr pointer for user message
894 log_msgptr pointer for log message
895 basic_errno where to put verify errno
896
897Returns: OK verification condition succeeded
898 FAIL verification failed
899 DEFER there was a problem verifying
900 ERROR syntax error
901*/
902
903static int
904acl_verify(int where, address_item *addr, uschar *arg,
905 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
906{
907int sep = '/';
908int callout = -1;
909int callout_overall = -1;
4deaf07d 910int callout_connect = -1;
059ec3d9
PH
911int verify_options = 0;
912int rc;
913BOOL verify_header_sender = FALSE;
914BOOL defer_ok = FALSE;
915BOOL callout_defer_ok = FALSE;
916BOOL no_details = FALSE;
917address_item *sender_vaddr = NULL;
918uschar *verify_sender_address = NULL;
919uschar *pm_mailfrom = NULL;
920uschar *se_mailfrom = NULL;
921uschar *list = arg;
922uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
923
924if (ss == NULL) goto BAD_VERIFY;
925
926/* Handle name/address consistency verification in a separate function. */
927
928if (strcmpic(ss, US"reverse_host_lookup") == 0)
929 {
930 if (sender_host_address == NULL) return OK;
931 return acl_verify_reverse(user_msgptr, log_msgptr);
932 }
933
934/* TLS certificate verification is done at STARTTLS time; here we just
935test whether it was successful or not. (This is for optional verification; for
936mandatory verification, the connection doesn't last this long.) */
937
938if (strcmpic(ss, US"certificate") == 0)
939 {
940 if (tls_certificate_verified) return OK;
941 *user_msgptr = US"no verified certificate";
942 return FAIL;
943 }
944
945/* We can test the result of optional HELO verification */
946
947if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
948
949/* Handle header verification options - permitted only after DATA or a non-SMTP
950message. */
951
952if (strncmpic(ss, US"header_", 7) == 0)
953 {
954 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
955 {
956 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
957 "(only possible in ACL for DATA)", acl_wherenames[where]);
958 return ERROR;
959 }
960
961 /* Check that all relevant header lines have the correct syntax. If there is
962 a syntax error, we return details of the error to the sender if configured to
963 send out full details. (But a "message" setting on the ACL can override, as
964 always). */
965
966 if (strcmpic(ss+7, US"syntax") == 0)
967 {
968 int rc = verify_check_headers(log_msgptr);
969 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
970 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
971 return rc;
972 }
973
974 /* Check that there is at least one verifiable sender address in the relevant
975 header lines. This can be followed by callout and defer options, just like
976 sender and recipient. */
977
978 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
979
980 /* Unknown verify argument starting with "header_" */
981
982 else goto BAD_VERIFY;
983 }
984
985/* Otherwise, first item in verify argument must be "sender" or "recipient".
986In the case of a sender, this can optionally be followed by an address to use
987in place of the actual sender (rare special-case requirement). */
988
989else if (strncmpic(ss, US"sender", 6) == 0)
990 {
991 uschar *s = ss + 6;
992 if (where > ACL_WHERE_NOTSMTP)
993 {
994 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
995 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
996 acl_wherenames[where]);
997 return ERROR;
998 }
999 if (*s == 0)
1000 verify_sender_address = sender_address;
1001 else
1002 {
1003 while (isspace(*s)) s++;
1004 if (*s++ != '=') goto BAD_VERIFY;
1005 while (isspace(*s)) s++;
1006 verify_sender_address = string_copy(s);
1007 }
1008 }
1009else
1010 {
1011 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1012 if (addr == NULL)
1013 {
1014 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1015 "(only possible for RCPT)", acl_wherenames[where]);
1016 return ERROR;
1017 }
1018 }
1019
1020/* Remaining items are optional */
1021
1022while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1023 != NULL)
1024 {
1025 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1026 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1027
1028 /* These two old options are left for backwards compatibility */
1029
1030 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1031 {
1032 callout_defer_ok = TRUE;
1033 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1034 }
1035
1036 else if (strcmpic(ss, US"check_postmaster") == 0)
1037 {
1038 pm_mailfrom = US"";
1039 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1040 }
1041
1042 /* The callout option has a number of sub-options, comma separated */
1043
1044 else if (strncmpic(ss, US"callout", 7) == 0)
1045 {
1046 callout = CALLOUT_TIMEOUT_DEFAULT;
1047 ss += 7;
1048 if (*ss != 0)
1049 {
1050 while (isspace(*ss)) ss++;
1051 if (*ss++ == '=')
1052 {
1053 int optsep = ',';
1054 uschar *opt;
1055 uschar buffer[256];
1056 while (isspace(*ss)) ss++;
4deaf07d
PH
1057
1058 /* This callout option handling code has become a mess as new options
1059 have been added in an ad hoc manner. It should be tidied up into some
1060 kind of table-driven thing. */
1061
059ec3d9
PH
1062 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1063 != NULL)
1064 {
1065 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1066 else if (strcmpic(opt, US"no_cache") == 0)
1067 verify_options |= vopt_callout_no_cache;
1068 else if (strcmpic(opt, US"random") == 0)
1069 verify_options |= vopt_callout_random;
1070 else if (strcmpic(opt, US"use_sender") == 0)
1071 verify_options |= vopt_callout_recipsender;
1072 else if (strcmpic(opt, US"use_postmaster") == 0)
1073 verify_options |= vopt_callout_recippmaster;
1074 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1075
1076 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1077 {
1078 if (!verify_header_sender)
1079 {
1080 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1081 "callout option only for verify=header_sender (detected in ACL "
1082 "condition \"%s\")", arg);
1083 return ERROR;
1084 }
1085 opt += 8;
1086 while (isspace(*opt)) opt++;
1087 if (*opt++ != '=')
1088 {
1089 *log_msgptr = string_sprintf("'=' expected after "
1090 "\"mailfrom\" in ACL condition \"%s\"", arg);
1091 return ERROR;
1092 }
1093 while (isspace(*opt)) opt++;
1094 se_mailfrom = string_copy(opt);
1095 }
1096
1097 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1098 {
1099 opt += 19;
1100 while (isspace(*opt)) opt++;
1101 if (*opt++ != '=')
1102 {
1103 *log_msgptr = string_sprintf("'=' expected after "
1104 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1105 return ERROR;
1106 }
1107 while (isspace(*opt)) opt++;
1108 pm_mailfrom = string_copy(opt);
1109 }
1110
1111 else if (strncmpic(opt, US"maxwait", 7) == 0)
1112 {
1113 opt += 7;
1114 while (isspace(*opt)) opt++;
1115 if (*opt++ != '=')
1116 {
1117 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1118 "ACL condition \"%s\"", arg);
1119 return ERROR;
1120 }
1121 while (isspace(*opt)) opt++;
1122 callout_overall = readconf_readtime(opt, 0, FALSE);
1123 if (callout_overall < 0)
1124 {
1125 *log_msgptr = string_sprintf("bad time value in ACL condition "
1126 "\"verify %s\"", arg);
1127 return ERROR;
1128 }
1129 }
4deaf07d
PH
1130 else if (strncmpic(opt, US"connect", 7) == 0)
1131 {
1132 opt += 7;
1133 while (isspace(*opt)) opt++;
1134 if (*opt++ != '=')
1135 {
1136 *log_msgptr = string_sprintf("'=' expected after "
1137 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1138 return ERROR;
1139 }
1140 while (isspace(*opt)) opt++;
1141 callout_connect = readconf_readtime(opt, 0, FALSE);
1142 if (callout_connect < 0)
1143 {
1144 *log_msgptr = string_sprintf("bad time value in ACL condition "
1145 "\"verify %s\"", arg);
1146 return ERROR;
1147 }
1148 }
059ec3d9
PH
1149 else /* Plain time is callout connect/command timeout */
1150 {
1151 callout = readconf_readtime(opt, 0, FALSE);
1152 if (callout < 0)
1153 {
1154 *log_msgptr = string_sprintf("bad time value in ACL condition "
1155 "\"verify %s\"", arg);
1156 return ERROR;
1157 }
1158 }
1159 }
1160 }
1161 else
1162 {
1163 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1164 "ACL condition \"%s\"", arg);
1165 return ERROR;
1166 }
1167 }
1168 }
1169
1170 /* Option not recognized */
1171
1172 else
1173 {
1174 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1175 "condition \"verify %s\"", ss, arg);
1176 return ERROR;
1177 }
1178 }
1179
1180if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1181 (vopt_callout_recipsender|vopt_callout_recippmaster))
1182 {
1183 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1184 "for a recipient callout";
1185 return ERROR;
1186 }
1187
1188/* Handle sender-in-header verification. Default the user message to the log
1189message if giving out verification details. */
1190
1191if (verify_header_sender)
1192 {
1193 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
4deaf07d 1194 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options);
059ec3d9
PH
1195 if (smtp_return_error_details)
1196 {
1197 if (*user_msgptr == NULL && *log_msgptr != NULL)
1198 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1199 if (rc == DEFER) acl_temp_details = TRUE;
1200 }
1201 }
1202
1203/* Handle a sender address. The default is to verify *the* sender address, but
1204optionally a different address can be given, for special requirements. If the
1205address is empty, we are dealing with a bounce message that has no sender, so
1206we cannot do any checking. If the real sender address gets rewritten during
1207verification (e.g. DNS widening), set the flag to stop it being rewritten again
1208during message reception.
1209
1210A list of verified "sender" addresses is kept to try to avoid doing to much
1211work repetitively when there are multiple recipients in a message and they all
1212require sender verification. However, when callouts are involved, it gets too
1213complicated because different recipients may require different callout options.
1214Therefore, we always do a full sender verify when any kind of callout is
1215specified. Caching elsewhere, for instance in the DNS resolver and in the
1216callout handling, should ensure that this is not terribly inefficient. */
1217
1218else if (verify_sender_address != NULL)
1219 {
1220 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1221 != 0)
1222 {
1223 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1224 "sender verify callout";
1225 return ERROR;
1226 }
1227
1228 sender_vaddr = verify_checked_sender(verify_sender_address);
1229 if (sender_vaddr != NULL && /* Previously checked */
1230 callout <= 0) /* No callout needed this time */
1231 {
1232 /* If the "routed" flag is set, it means that routing worked before, so
1233 this check can give OK (the saved return code value, if set, belongs to a
1234 callout that was done previously). If the "routed" flag is not set, routing
1235 must have failed, so we use the saved return code. */
1236
1237 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1238 {
1239 rc = sender_vaddr->special_action;
1240 *basic_errno = sender_vaddr->basic_errno;
1241 }
1242 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1243 }
1244
1245 /* Do a new verification, and cache the result. The cache is used to avoid
1246 verifying the sender multiple times for multiple RCPTs when callouts are not
1247 specified (see comments above).
1248
1249 The cache is also used on failure to give details in response to the first
1250 RCPT that gets bounced for this reason. However, this can be suppressed by
1251 the no_details option, which sets the flag that says "this detail has already
1252 been sent". The cache normally contains just one address, but there may be
1253 more in esoteric circumstances. */
1254
1255 else
1256 {
1257 BOOL routed = TRUE;
2a3eea10
PH
1258 uschar *save_address_data = deliver_address_data;
1259
059ec3d9
PH
1260 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1261 if (no_details) setflag(sender_vaddr, af_sverify_told);
1262 if (verify_sender_address[0] != 0)
1263 {
1264 /* If this is the real sender address, save the unrewritten version
1265 for use later in receive. Otherwise, set a flag so that rewriting the
1266 sender in verify_address() does not update sender_address. */
1267
1268 if (verify_sender_address == sender_address)
1269 sender_address_unrewritten = sender_address;
1270 else
1271 verify_options |= vopt_fake_sender;
1272
1273 /* The recipient, qualify, and expn options are never set in
1274 verify_options. */
1275
1276 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1277 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH
1278
1279 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1280
1281 if (rc == OK)
1282 {
1283 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1284 {
1285 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1286 verify_sender_address, sender_vaddr->address);
1287 }
1288 else
1289 {
1290 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1291 verify_sender_address);
1292 }
1293 }
1294 else *basic_errno = sender_vaddr->basic_errno;
1295 }
1296 else rc = OK; /* Null sender */
1297
1298 /* Cache the result code */
1299
1300 if (routed) setflag(sender_vaddr, af_verify_routed);
1301 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1302 sender_vaddr->special_action = rc;
1303 sender_vaddr->next = sender_verified_list;
1304 sender_verified_list = sender_vaddr;
2a3eea10
PH
1305
1306 /* Restore the recipient address data, which might have been clobbered by
1307 the sender verification. */
1308
1309 deliver_address_data = save_address_data;
059ec3d9 1310 }
2a3eea10
PH
1311
1312 /* Put the sender address_data value into $sender_address_data */
1313
1314 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH
1315 }
1316
1317/* A recipient address just gets a straightforward verify; again we must handle
1318the DEFER overrides. */
1319
1320else
1321 {
1322 address_item addr2;
1323
1324 /* We must use a copy of the address for verification, because it might
1325 get rewritten. */
1326
1327 addr2 = *addr;
1328 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1329 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9
PH
1330 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1331 *log_msgptr = addr2.message;
1332 *user_msgptr = addr2.user_message;
1333 *basic_errno = addr2.basic_errno;
1334
1335 /* Make $address_data visible */
1336 deliver_address_data = addr2.p.address_data;
1337 }
1338
1339/* We have a result from the relevant test. Handle defer overrides first. */
1340
1341if (rc == DEFER && (defer_ok ||
1342 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1343 {
1344 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1345 defer_ok? "defer_ok" : "callout_defer_ok");
1346 rc = OK;
1347 }
1348
1349/* If we've failed a sender, set up a recipient message, and point
1350sender_verified_failed to the address item that actually failed. */
1351
1352if (rc != OK && verify_sender_address != NULL)
1353 {
1354 if (rc != DEFER)
1355 {
1356 *log_msgptr = *user_msgptr = US"Sender verify failed";
1357 }
1358 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1359 {
1360 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1361 }
1362 else
1363 {
1364 *log_msgptr = US"Could not complete sender verify callout";
1365 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1366 *log_msgptr;
1367 }
1368
1369 sender_verified_failed = sender_vaddr;
1370 }
1371
1372/* Verifying an address messes up the values of $domain and $local_part,
1373so reset them before returning if this is a RCPT ACL. */
1374
1375if (addr != NULL)
1376 {
1377 deliver_domain = addr->domain;
1378 deliver_localpart = addr->local_part;
1379 }
1380return rc;
1381
1382/* Syntax errors in the verify argument come here. */
1383
1384BAD_VERIFY:
1385*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1386 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1387 "\"verify %s\"", arg);
1388return ERROR;
1389}
1390
1391
1392
1393
1394/*************************************************
1395* Check argument for control= modifier *
1396*************************************************/
1397
1398/* Called from acl_check_condition() below
1399
1400Arguments:
1401 arg the argument string for control=
1402 pptr set to point to the terminating character
1403 where which ACL we are in
1404 log_msgptr for error messages
1405
1406Returns: CONTROL_xxx value
1407*/
1408
1409static int
1410decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1411{
1412int len;
1413control_def *d;
1414
1415for (d = controls_list;
1416 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1417 d++)
1418 {
1419 len = Ustrlen(d->name);
1420 if (Ustrncmp(d->name, arg, len) == 0) break;
1421 }
1422
1423if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1424 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1425 {
1426 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1427 return CONTROL_ERROR;
1428 }
1429
059ec3d9
PH
1430*pptr = arg + len;
1431return d->value;
1432}
1433
1434
1435
1436/*************************************************
1437* Handle conditions/modifiers on an ACL item *
1438*************************************************/
1439
1440/* Called from acl_check() below.
1441
1442Arguments:
1443 verb ACL verb
1444 cb ACL condition block - if NULL, result is OK
1445 where where called from
1446 addr the address being checked for RCPT, or NULL
1447 level the nesting level
1448 epp pointer to pass back TRUE if "endpass" encountered
1449 (applies only to "accept" and "discard")
1450 user_msgptr user message pointer
1451 log_msgptr log message pointer
1452 basic_errno pointer to where to put verify error
1453
1454Returns: OK - all conditions are met
1455 DISCARD - an "acl" condition returned DISCARD - only allowed
1456 for "accept" or "discard" verbs
1457 FAIL - at least one condition fails
1458 FAIL_DROP - an "acl" condition returned FAIL_DROP
1459 DEFER - can't tell at the moment (typically, lookup defer,
1460 but can be temporary callout problem)
1461 ERROR - ERROR from nested ACL or expansion failure or other
1462 error
1463*/
1464
1465static int
1466acl_check_condition(int verb, acl_condition_block *cb, int where,
1467 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1468 uschar **log_msgptr, int *basic_errno)
1469{
1470uschar *user_message = NULL;
1471uschar *log_message = NULL;
1472uschar *p;
1473int rc = OK;
8523533c
TK
1474#ifdef WITH_CONTENT_SCAN
1475int sep = '/';
1476#endif
059ec3d9
PH
1477
1478for (; cb != NULL; cb = cb->next)
1479 {
1480 uschar *arg;
c5fcb476 1481 int control_type;
059ec3d9
PH
1482
1483 /* The message and log_message items set up messages to be used in
1484 case of rejection. They are expanded later. */
1485
1486 if (cb->type == ACLC_MESSAGE)
1487 {
1488 user_message = cb->arg;
1489 continue;
1490 }
1491
1492 if (cb->type == ACLC_LOG_MESSAGE)
1493 {
1494 log_message = cb->arg;
1495 continue;
1496 }
1497
1498 /* The endpass "condition" just sets a flag to show it occurred. This is
1499 checked at compile time to be on an "accept" or "discard" item. */
1500
1501 if (cb->type == ACLC_ENDPASS)
1502 {
1503 *epp = TRUE;
1504 continue;
1505 }
1506
1507 /* For other conditions and modifiers, the argument is expanded now for some
1508 of them, but not for all, because expansion happens down in some lower level
1509 checking functions in some cases. */
1510
1511 if (cond_expand_at_top[cb->type])
1512 {
1513 arg = expand_string(cb->arg);
1514 if (arg == NULL)
1515 {
1516 if (expand_string_forcedfail) continue;
1517 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1518 cb->arg, expand_string_message);
1519 return search_find_defer? DEFER : ERROR;
1520 }
1521 }
1522 else arg = cb->arg;
1523
1524 /* Show condition, and expanded condition if it's different */
1525
1526 HDEBUG(D_acl)
1527 {
1528 int lhswidth = 0;
1529 debug_printf("check %s%s %n",
1530 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1531 conditions[cb->type], &lhswidth);
1532
1533 if (cb->type == ACLC_SET)
1534 {
1535 int n = cb->u.varnumber;
1536 int t = (n < ACL_C_MAX)? 'c' : 'm';
1537 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1538 debug_printf("acl_%c%d ", t, n);
1539 lhswidth += 7;
1540 }
1541
1542 debug_printf("= %s\n", cb->arg);
1543
1544 if (arg != cb->arg)
1545 debug_printf("%.*s= %s\n", lhswidth,
1546 US" ", CS arg);
1547 }
1548
1549 /* Check that this condition makes sense at this time */
1550
1551 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1552 {
1553 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1554 cond_modifiers[cb->type]? "use" : "test",
1555 conditions[cb->type], acl_wherenames[where]);
1556 return ERROR;
1557 }
1558
1559 /* Run the appropriate test for each condition, or take the appropriate
1560 action for the remaining modifiers. */
1561
1562 switch(cb->type)
1563 {
1564 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1565 "discard" verb. */
1566
1567 case ACLC_ACL:
1568 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1569 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1570 {
1571 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1572 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1573 verbs[verb]);
1574 return ERROR;
1575 }
1576 break;
1577
1578 case ACLC_AUTHENTICATED:
1579 rc = (sender_host_authenticated == NULL)? FAIL :
1580 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1581 TRUE, NULL);
1582 break;
1583
8523533c
TK
1584#ifdef EXPERIMENTAL_BRIGHTMAIL
1585 case ACLC_BMI_OPTIN:
1586 {
1587 int old_pool = store_pool;
1588 store_pool = POOL_PERM;
1589 bmi_current_optin = string_copy(arg);
1590 store_pool = old_pool;
1591 }
1592 break;
1593#endif
1594
059ec3d9
PH
1595 case ACLC_CONDITION:
1596 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1597 rc = (Uatoi(arg) == 0)? FAIL : OK;
1598 else
1599 rc = (strcmpic(arg, US"no") == 0 ||
1600 strcmpic(arg, US"false") == 0)? FAIL :
1601 (strcmpic(arg, US"yes") == 0 ||
1602 strcmpic(arg, US"true") == 0)? OK : DEFER;
1603 if (rc == DEFER)
1604 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1605 break;
1606
1607 case ACLC_CONTROL:
c5fcb476
PH
1608 control_type = decode_control(arg, &p, where, log_msgptr);
1609
8523533c 1610 /* Check if this control makes sense at this time */
c5fcb476
PH
1611
1612 if ((control_forbids[control_type] & (1 << where)) != 0)
1613 {
1614 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1615 controls[control_type], acl_wherenames[where]);
1616 return ERROR;
1617 }
1618
1619 switch(control_type)
059ec3d9 1620 {
8523533c
TK
1621#ifdef EXPERIMENTAL_BRIGHTMAIL
1622 case CONTROL_BMI_RUN:
1623 bmi_run = 1;
1624 break;
1625#endif
1626
059ec3d9
PH
1627 case CONTROL_ERROR:
1628 return ERROR;
1629
1630 case CONTROL_CASEFUL_LOCAL_PART:
1631 deliver_localpart = addr->cc_local_part;
1632 break;
1633
1634 case CONTROL_CASELOWER_LOCAL_PART:
1635 deliver_localpart = addr->lc_local_part;
1636 break;
1637
1638 case CONTROL_ENFORCE_SYNC:
1639 smtp_enforce_sync = TRUE;
1640 break;
1641
1642 case CONTROL_NO_ENFORCE_SYNC:
1643 smtp_enforce_sync = FALSE;
1644 break;
1645
8523533c
TK
1646#ifdef WITH_CONTENT_SCAN
1647 case CONTROL_NO_MBOX_UNSPOOL:
1648 no_mbox_unspool = TRUE;
1649 break;
1650#endif
1651
059ec3d9
PH
1652 case CONTROL_NO_MULTILINE:
1653 no_multiline_responses = TRUE;
1654 break;
1655
8523533c
TK
1656 case CONTROL_FAKEREJECT:
1657 fake_reject = TRUE;
1658 if (*p == '/')
1659 {
1660 uschar *pp = p + 1;
1661 while (*pp != 0) pp++;
1662 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1663 p = pp;
1664 }
1665 else
1666 {
1667 /* Explicitly reset to default string */
1668 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legit message, it may still be delivered to the target recipient(s).";
1669 }
1670 break;
8523533c 1671
059ec3d9
PH
1672 case CONTROL_FREEZE:
1673 deliver_freeze = TRUE;
1674 deliver_frozen_at = time(NULL);
1675 break;
1676
1677 case CONTROL_QUEUE_ONLY:
1678 queue_only_policy = TRUE;
1679 break;
1680
1681 case CONTROL_SUBMISSION:
1682 submission_mode = TRUE;
69358f02
PH
1683 while (*p == '/')
1684 {
1685 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1686 {
1687 p += 14;
1688 active_local_sender_retain = TRUE;
1689 active_local_from_check = FALSE;
1690 }
1691 else if (Ustrncmp(p, "/domain=", 8) == 0)
1692 {
1693 uschar *pp = p + 8;
1694 while (*pp != 0 && *pp != '/') pp++;
1695 submission_domain = string_copyn(p+8, pp-p);
1696 p = pp;
1697 }
1698 else break;
1699 }
1700 if (*p != 0)
059ec3d9 1701 {
69358f02 1702 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH
1703 return ERROR;
1704 }
1705 break;
1706 }
1707 break;
1708
8523533c
TK
1709#ifdef WITH_CONTENT_SCAN
1710 case ACLC_DECODE:
1711 rc = mime_decode(&arg);
1712 break;
1713#endif
1714
059ec3d9
PH
1715 case ACLC_DELAY:
1716 {
1717 int delay = readconf_readtime(arg, 0, FALSE);
1718 if (delay < 0)
1719 {
1720 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1721 "modifier: \"%s\" is not a time value", arg);
1722 return ERROR;
1723 }
1724 else
1725 {
1726 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1727 delay);
1728 if (host_checking)
1729 {
1730 HDEBUG(D_acl)
1731 debug_printf("delay skipped in -bh checking mode\n");
1732 }
86b8287f
PH
1733 else
1734 {
1735 while (delay > 0) delay = sleep(delay);
1736 }
059ec3d9
PH
1737 }
1738 }
1739 break;
1740
8523533c
TK
1741#ifdef WITH_OLD_DEMIME
1742 case ACLC_DEMIME:
1743 rc = demime(&arg);
1744 break;
1745#endif
1746
059ec3d9
PH
1747 case ACLC_DNSLISTS:
1748 rc = verify_check_dnsbl(&arg);
1749 break;
1750
1751 case ACLC_DOMAINS:
1752 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1753 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1754 break;
1755
1756 /* The value in tls_cipher is the full cipher name, for example,
1757 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1758 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1759 what may in practice come out of the SSL library - which at the time of
1760 writing is poorly documented. */
1761
1762 case ACLC_ENCRYPTED:
1763 if (tls_cipher == NULL) rc = FAIL; else
1764 {
1765 uschar *endcipher = NULL;
1766 uschar *cipher = Ustrchr(tls_cipher, ':');
1767 if (cipher == NULL) cipher = tls_cipher; else
1768 {
1769 endcipher = Ustrchr(++cipher, ':');
1770 if (endcipher != NULL) *endcipher = 0;
1771 }
1772 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1773 if (endcipher != NULL) *endcipher = ':';
1774 }
1775 break;
1776
1777 /* Use verify_check_this_host() instead of verify_check_host() so that
1778 we can pass over &host_data to catch any looked up data. Once it has been
1779 set, it retains its value so that it's still there if another ACL verb
1780 comes through here and uses the cache. However, we must put it into
1781 permanent store in case it is also expected to be used in a subsequent
1782 message in the same SMTP connection. */
1783
1784 case ACLC_HOSTS:
1785 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1786 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1787 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1788 break;
1789
1790 case ACLC_LOCAL_PARTS:
1791 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1792 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1793 &deliver_localpart_data);
1794 break;
1795
1796 case ACLC_LOGWRITE:
1797 {
1798 int logbits = 0;
1799 uschar *s = arg;
1800 if (*s == ':')
1801 {
1802 s++;
1803 while (*s != ':')
1804 {
1805 if (Ustrncmp(s, "main", 4) == 0)
1806 { logbits |= LOG_MAIN; s += 4; }
1807 else if (Ustrncmp(s, "panic", 5) == 0)
1808 { logbits |= LOG_PANIC; s += 5; }
1809 else if (Ustrncmp(s, "reject", 6) == 0)
1810 { logbits |= LOG_REJECT; s += 6; }
1811 else
1812 {
1813 logbits = LOG_MAIN|LOG_PANIC;
1814 s = string_sprintf(":unknown log name in \"%s\" in "
1815 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
1816 }
1817 if (*s == ',') s++;
1818 }
1819 s++;
1820 }
1821 while (isspace(*s)) s++;
1822 if (logbits == 0) logbits = LOG_MAIN;
1823 log_write(0, logbits, "%s", string_printing(s));
1824 }
1825 break;
8523533c
TK
1826
1827#ifdef WITH_CONTENT_SCAN
1828 case ACLC_MALWARE:
1829 {
1830 /* Seperate the regular expression and any optional parameters. */
1831 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1832 /* Run the malware backend. */
1833 rc = malware(&ss);
1834 /* Modify return code based upon the existance of options. */
1835 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1836 != NULL) {
1837 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1838 {
1839 /* FAIL so that the message is passed to the next ACL */
1840 rc = FAIL;
1841 }
1842 }
1843 }
1844 break;
1845
1846 case ACLC_MIME_REGEX:
1847 rc = mime_regex(&arg);
1848 break;
1849#endif
059ec3d9
PH
1850
1851 case ACLC_RECIPIENTS:
1852 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
1853 &recipient_data);
1854 break;
1855
8523533c
TK
1856#ifdef WITH_CONTENT_SCAN
1857 case ACLC_REGEX:
1858 rc = regex(&arg);
1859 break;
1860#endif
1861
059ec3d9
PH
1862 case ACLC_SENDER_DOMAINS:
1863 {
1864 uschar *sdomain;
1865 sdomain = Ustrrchr(sender_address, '@');
1866 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
1867 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
1868 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
1869 }
1870 break;
1871
1872 case ACLC_SENDERS:
1873 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
1874 sender_address_cache, -1, 0, &sender_data);
1875 break;
1876
1877 /* Connection variables must persist forever */
1878
1879 case ACLC_SET:
1880 {
1881 int old_pool = store_pool;
1882 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
1883 acl_var[cb->u.varnumber] = string_copy(arg);
1884 store_pool = old_pool;
1885 }
1886 break;
1887
8523533c
TK
1888#ifdef WITH_CONTENT_SCAN
1889 case ACLC_SPAM:
1890 {
1891 /* Seperate the regular expression and any optional parameters. */
1892 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1893 /* Run the spam backend. */
1894 rc = spam(&ss);
1895 /* Modify return code based upon the existance of options. */
1896 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1897 != NULL) {
1898 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1899 {
1900 /* FAIL so that the message is passed to the next ACL */
1901 rc = FAIL;
1902 }
1903 }
1904 }
1905 break;
1906#endif
1907
1908#ifdef EXPERIMENTAL_SPF
1909 case ACLC_SPF:
1910 rc = spf_process(&arg, sender_address);
1911 break;
1912#endif
1913
059ec3d9
PH
1914 /* If the verb is WARN, discard any user message from verification, because
1915 such messages are SMTP responses, not header additions. The latter come
1916 only from explicit "message" modifiers. */
1917
1918 case ACLC_VERIFY:
1919 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
1920 if (verb == ACL_WARN) *user_msgptr = NULL;
1921 break;
1922
1923 default:
1924 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
1925 "condition %d", cb->type);
1926 break;
1927 }
1928
1929 /* If a condition was negated, invert OK/FAIL. */
1930
1931 if (!cond_modifiers[cb->type] && cb->u.negated)
1932 {
1933 if (rc == OK) rc = FAIL;
1934 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
1935 }
1936
1937 if (rc != OK) break; /* Conditions loop */
1938 }
1939
1940
1941/* If the result is the one for which "message" and/or "log_message" are used,
1942handle the values of these options. Most verbs have but a single return for
1943which the messages are relevant, but for "discard", it's useful to have the log
1944message both when it succeeds and when it fails. Also, for an "accept" that
1945appears in a QUIT ACL, we want to handle the user message. Since only "accept"
1946and "warn" are permitted in that ACL, we don't need to test the verb.
1947
1948These modifiers act in different ways:
1949
1950"message" is a user message that will be included in an SMTP response. Unless
1951it is empty, it overrides any previously set user message.
1952
1953"log_message" is a non-user message, and it adds to any existing non-user
1954message that is already set.
1955
1956If there isn't a log message set, we make it the same as the user message. */
1957
1958if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
1959 (verb == ACL_DISCARD && rc == OK) ||
1960 (where == ACL_WHERE_QUIT))
1961 {
1962 uschar *expmessage;
1963
1964 /* If the verb is "warn", messages generated by conditions (verification or
1965 nested ACLs) are discarded. Only messages specified at this level are used.
1966 However, the value of an existing message is available in $acl_verify_message
1967 during expansions. */
1968
1969 uschar *old_user_msgptr = *user_msgptr;
1970 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
1971
1972 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
1973
1974 if (user_message != NULL)
1975 {
1976 acl_verify_message = old_user_msgptr;
1977 expmessage = expand_string(user_message);
1978 if (expmessage == NULL)
1979 {
1980 if (!expand_string_forcedfail)
1981 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1982 user_message, expand_string_message);
1983 }
1984 else if (expmessage[0] != 0) *user_msgptr = expmessage;
1985 }
1986
1987 if (log_message != NULL)
1988 {
1989 acl_verify_message = old_log_msgptr;
1990 expmessage = expand_string(log_message);
1991 if (expmessage == NULL)
1992 {
1993 if (!expand_string_forcedfail)
1994 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1995 log_message, expand_string_message);
1996 }
1997 else if (expmessage[0] != 0)
1998 {
1999 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2000 string_sprintf("%s: %s", expmessage, *log_msgptr);
2001 }
2002 }
2003
2004 /* If no log message, default it to the user message */
2005
2006 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2007 }
2008
2009acl_verify_message = NULL;
2010return rc;
2011}
2012
2013
2014
2015
2016
2017/*************************************************
2018* Get line from a literal ACL *
2019*************************************************/
2020
2021/* This function is passed to acl_read() in order to extract individual lines
2022of a literal ACL, which we access via static pointers. We can destroy the
2023contents because this is called only once (the compiled ACL is remembered).
2024
2025This code is intended to treat the data in the same way as lines in the main
2026Exim configuration file. That is:
2027
2028 . Leading spaces are ignored.
2029
2030 . A \ at the end of a line is a continuation - trailing spaces after the \
2031 are permitted (this is because I don't believe in making invisible things
2032 significant). Leading spaces on the continued part of a line are ignored.
2033
2034 . Physical lines starting (significantly) with # are totally ignored, and
2035 may appear within a sequence of backslash-continued lines.
2036
2037 . Blank lines are ignored, but will end a sequence of continuations.
2038
2039Arguments: none
2040Returns: a pointer to the next line
2041*/
2042
2043
2044static uschar *acl_text; /* Current pointer in the text */
2045static uschar *acl_text_end; /* Points one past the terminating '0' */
2046
2047
2048static uschar *
2049acl_getline(void)
2050{
2051uschar *yield;
2052
2053/* This loop handles leading blank lines and comments. */
2054
2055for(;;)
2056 {
2057 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2058 if (*acl_text == 0) return NULL; /* No more data */
2059 yield = acl_text; /* Potential data line */
2060
2061 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2062
2063 /* If we hit the end before a newline, we have the whole logical line. If
2064 it's a comment, there's no more data to be given. Otherwise, yield it. */
2065
2066 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2067
2068 /* After reaching a newline, end this loop if the physical line does not
2069 start with '#'. If it does, it's a comment, and the loop continues. */
2070
2071 if (*yield != '#') break;
2072 }
2073
2074/* This loop handles continuations. We know we have some real data, ending in
2075newline. See if there is a continuation marker at the end (ignoring trailing
2076white space). We know that *yield is not white space, so no need to test for
2077cont > yield in the backwards scanning loop. */
2078
2079for(;;)
2080 {
2081 uschar *cont;
2082 for (cont = acl_text - 1; isspace(*cont); cont--);
2083
2084 /* If no continuation follows, we are done. Mark the end of the line and
2085 return it. */
2086
2087 if (*cont != '\\')
2088 {
2089 *acl_text++ = 0;
2090 return yield;
2091 }
2092
2093 /* We have encountered a continuation. Skip over whitespace at the start of
2094 the next line, and indeed the whole of the next line or lines if they are
2095 comment lines. */
2096
2097 for (;;)
2098 {
2099 while (*(++acl_text) == ' ' || *acl_text == '\t');
2100 if (*acl_text != '#') break;
2101 while (*(++acl_text) != 0 && *acl_text != '\n');
2102 }
2103
2104 /* We have the start of a continuation line. Move all the rest of the data
2105 to join onto the previous line, and then find its end. If the end is not a
2106 newline, we are done. Otherwise loop to look for another continuation. */
2107
2108 memmove(cont, acl_text, acl_text_end - acl_text);
2109 acl_text_end -= acl_text - cont;
2110 acl_text = cont;
2111 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2112 if (*acl_text == 0) return yield;
2113 }
2114
2115/* Control does not reach here */
2116}
2117
2118
2119
2120
2121
2122/*************************************************
2123* Check access using an ACL *
2124*************************************************/
2125
2126/* This function is called from address_check. It may recurse via
2127acl_check_condition() - hence the use of a level to stop looping. The ACL is
2128passed as a string which is expanded. A forced failure implies no access check
2129is required. If the result is a single word, it is taken as the name of an ACL
2130which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2131text, complete with newlines, and parsed as such. In both cases, the ACL check
2132is then run. This function uses an auxiliary function for acl_read() to call
2133for reading individual lines of a literal ACL. This is acl_getline(), which
2134appears immediately above.
2135
2136Arguments:
2137 where where called from
2138 addr address item when called from RCPT; otherwise NULL
2139 s the input string; NULL is the same as an empty ACL => DENY
2140 level the nesting level
2141 user_msgptr where to put a user error (for SMTP response)
2142 log_msgptr where to put a logging message (not for SMTP response)
2143
2144Returns: OK access is granted
2145 DISCARD access is apparently granted...
2146 FAIL access is denied
2147 FAIL_DROP access is denied; drop the connection
2148 DEFER can't tell at the moment
2149 ERROR disaster
2150*/
2151
2152static int
2153acl_check_internal(int where, address_item *addr, uschar *s, int level,
2154 uschar **user_msgptr, uschar **log_msgptr)
2155{
2156int fd = -1;
2157acl_block *acl = NULL;
2158uschar *acl_name = US"inline ACL";
2159uschar *ss;
2160
2161/* Catch configuration loops */
2162
2163if (level > 20)
2164 {
2165 *log_msgptr = US"ACL nested too deep: possible loop";
2166 return ERROR;
2167 }
2168
2169if (s == NULL)
2170 {
2171 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2172 return FAIL;
2173 }
2174
2175/* At top level, we expand the incoming string. At lower levels, it has already
2176been expanded as part of condition processing. */
2177
2178if (level == 0)
2179 {
2180 ss = expand_string(s);
2181 if (ss == NULL)
2182 {
2183 if (expand_string_forcedfail) return OK;
2184 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2185 expand_string_message);
2186 return ERROR;
2187 }
2188 }
2189else ss = s;
2190
2191while (isspace(*ss))ss++;
2192
2193/* If we can't find a named ACL, the default is to parse it as an inline one.
2194(Unless it begins with a slash; non-existent files give rise to an error.) */
2195
2196acl_text = ss;
2197
2198/* Handle the case of a string that does not contain any spaces. Look for a
2199named ACL among those read from the configuration, or a previously read file.
2200It is possible that the pointer to the ACL is NULL if the configuration
2201contains a name with no data. If not found, and the text begins with '/',
2202read an ACL from a file, and save it so it can be re-used. */
2203
2204if (Ustrchr(ss, ' ') == NULL)
2205 {
2206 tree_node *t = tree_search(acl_anchor, ss);
2207 if (t != NULL)
2208 {
2209 acl = (acl_block *)(t->data.ptr);
2210 if (acl == NULL)
2211 {
2212 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2213 return FAIL;
2214 }
2215 acl_name = string_sprintf("ACL \"%s\"", ss);
2216 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2217 }
2218
2219 else if (*ss == '/')
2220 {
2221 struct stat statbuf;
2222 fd = Uopen(ss, O_RDONLY, 0);
2223 if (fd < 0)
2224 {
2225 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2226 strerror(errno));
2227 return ERROR;
2228 }
2229
2230 if (fstat(fd, &statbuf) != 0)
2231 {
2232 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2233 strerror(errno));
2234 return ERROR;
2235 }
2236
2237 acl_text = store_get(statbuf.st_size + 1);
2238 acl_text_end = acl_text + statbuf.st_size + 1;
2239
2240 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2241 {
2242 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2243 ss, strerror(errno));
2244 return ERROR;
2245 }
2246 acl_text[statbuf.st_size] = 0;
2247 close(fd);
2248
2249 acl_name = string_sprintf("ACL \"%s\"", ss);
2250 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2251 }
2252 }
2253
2254/* Parse an ACL that is still in text form. If it came from a file, remember it
2255in the ACL tree, having read it into the POOL_PERM store pool so that it
2256persists between multiple messages. */
2257
2258if (acl == NULL)
2259 {
2260 int old_pool = store_pool;
2261 if (fd >= 0) store_pool = POOL_PERM;
2262 acl = acl_read(acl_getline, log_msgptr);
2263 store_pool = old_pool;
2264 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2265 if (fd >= 0)
2266 {
2267 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2268 Ustrcpy(t->name, ss);
2269 t->data.ptr = acl;
2270 (void)tree_insertnode(&acl_anchor, t);
2271 }
2272 }
2273
2274/* Now we have an ACL to use. It's possible it may be NULL. */
2275
2276while (acl != NULL)
2277 {
2278 int cond;
2279 int basic_errno = 0;
2280 BOOL endpass_seen = FALSE;
2281
2282 *log_msgptr = *user_msgptr = NULL;
2283 acl_temp_details = FALSE;
2284
2285 if (where == ACL_WHERE_QUIT &&
2286 acl->verb != ACL_ACCEPT &&
2287 acl->verb != ACL_WARN)
2288 {
2289 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2290 verbs[acl->verb]);
2291 return ERROR;
2292 }
2293
2294 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2295
2296 /* Clear out any search error message from a previous check before testing
2297 this condition. */
2298
2299 search_error_message = NULL;
2300 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2301 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2302
2303 /* Handle special returns: DEFER causes a return except on a WARN verb;
2304 ERROR always causes a return. */
2305
2306 switch (cond)
2307 {
2308 case DEFER:
2309 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2310 if (basic_errno != ERRNO_CALLOUTDEFER)
2311 {
2312 if (search_error_message != NULL && *search_error_message != 0)
2313 *log_msgptr = search_error_message;
2314 if (smtp_return_error_details) acl_temp_details = TRUE;
2315 }
2316 else
2317 {
2318 acl_temp_details = TRUE;
2319 }
2320 if (acl->verb != ACL_WARN) return DEFER;
2321 break;
2322
2323 default: /* Paranoia */
2324 case ERROR:
2325 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2326 return ERROR;
2327
2328 case OK:
2329 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2330 verbs[acl->verb]);
2331 break;
2332
2333 case FAIL:
2334 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2335 break;
2336
2337 /* DISCARD and DROP can happen only from a nested ACL condition, and
2338 DISCARD can happen only for an "accept" or "discard" verb. */
2339
2340 case DISCARD:
2341 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2342 verbs[acl->verb]);
2343 break;
2344
2345 case FAIL_DROP:
2346 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2347 verbs[acl->verb]);
2348 break;
2349 }
2350
2351 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2352 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2353 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2354
2355 switch(acl->verb)
2356 {
2357 case ACL_ACCEPT:
2358 if (cond == OK || cond == DISCARD) return cond;
2359 if (endpass_seen)
2360 {
2361 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2362 return cond;
2363 }
2364 break;
2365
2366 case ACL_DEFER:
2367 if (cond == OK)
2368 {
2369 acl_temp_details = TRUE;
2370 return DEFER;
2371 }
2372 break;
2373
2374 case ACL_DENY:
2375 if (cond == OK) return FAIL;
2376 break;
2377
2378 case ACL_DISCARD:
2379 if (cond == OK || cond == DISCARD) return DISCARD;
2380 if (endpass_seen)
2381 {
2382 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2383 return cond;
2384 }
2385 break;
2386
2387 case ACL_DROP:
2388 if (cond == OK) return FAIL_DROP;
2389 break;
2390
2391 case ACL_REQUIRE:
2392 if (cond != OK) return cond;
2393 break;
2394
2395 case ACL_WARN:
2396 if (cond == OK)
2397 acl_warn(where, *user_msgptr, *log_msgptr);
2398 else if (cond == DEFER)
2399 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2400 "condition test deferred: %s",
2401 (*log_msgptr == NULL)? US"" : *log_msgptr));
2402 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2403 break;
2404
2405 default:
2406 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2407 acl->verb);
2408 break;
2409 }
2410
2411 /* Pass to the next ACL item */
2412
2413 acl = acl->next;
2414 }
2415
2416/* We have reached the end of the ACL. This is an implicit DENY. */
2417
2418HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2419return FAIL;
2420}
2421
2422
2423/*************************************************
2424* Check access using an ACL *
2425*************************************************/
2426
2427/* This is the external interface for ACL checks. It sets up an address and the
2428expansions for $domain and $local_part when called after RCPT, then calls
2429acl_check_internal() to do the actual work.
2430
2431Arguments:
2432 where ACL_WHERE_xxxx indicating where called from
2433 data_string RCPT address, or SMTP command argument, or NULL
2434 s the input string; NULL is the same as an empty ACL => DENY
2435 user_msgptr where to put a user error (for SMTP response)
2436 log_msgptr where to put a logging message (not for SMTP response)
2437
2438Returns: OK access is granted by an ACCEPT verb
2439 DISCARD access is granted by a DISCARD verb
2440 FAIL access is denied
2441 FAIL_DROP access is denied; drop the connection
2442 DEFER can't tell at the moment
2443 ERROR disaster
2444*/
2445
2446int
2447acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2448 uschar **log_msgptr)
2449{
2450int rc;
2451address_item adb;
2452address_item *addr;
2453
2454*user_msgptr = *log_msgptr = NULL;
2455sender_verified_failed = NULL;
2456
2457if (where == ACL_WHERE_RCPT)
2458 {
2459 adb = address_defaults;
2460 addr = &adb;
2461 addr->address = data_string;
2462 if (deliver_split_address(addr) == DEFER)
2463 {
2464 *log_msgptr = US"defer in percent_hack_domains check";
2465 return DEFER;
2466 }
2467 deliver_domain = addr->domain;
2468 deliver_localpart = addr->local_part;
2469 }
2470else
2471 {
2472 addr = NULL;
2473 smtp_command_argument = data_string;
2474 }
2475
2476rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2477
2478smtp_command_argument = deliver_domain =
2a3eea10 2479 deliver_localpart = deliver_address_data = sender_address_data = NULL;
059ec3d9
PH
2480
2481/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2482ACL, which is really in the middle of an SMTP command. */
2483
2484if (rc == DISCARD)
2485 {
2486 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2487 {
2488 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2489 "ACL", acl_wherenames[where]);
2490 return ERROR;
2491 }
2492 return DISCARD;
2493 }
2494
2495/* A DROP response is not permitted from MAILAUTH */
2496
2497if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2498 {
2499 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2500 "ACL", acl_wherenames[where]);
2501 return ERROR;
2502 }
2503
2504/* Before giving an error response, take a look at the length of any user
2505message, and split it up into multiple lines if possible. */
2506
2507if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2508 {
2509 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2510 uschar *ss = s;
2511
2512 for (;;)
2513 {
2514 int i = 0;
2515 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2516 if (*ss == 0) break;
2517 if (*ss == '\n')
2518 s = ++ss;
2519 else
2520 {
2521 uschar *t = ss + 1;
2522 uschar *tt = NULL;
2523 while (--t > s + 35)
2524 {
2525 if (*t == ' ')
2526 {
2527 if (t[-1] == ':') { tt = t; break; }
2528 if (tt == NULL) tt = t;
2529 }
2530 }
2531
2532 if (tt == NULL) /* Can't split behind - try ahead */
2533 {
2534 t = ss + 1;
2535 while (*t != 0)
2536 {
2537 if (*t == ' ' || *t == '\n')
2538 { tt = t; break; }
2539 t++;
2540 }
2541 }
2542
2543 if (tt == NULL) break; /* Can't find anywhere to split */
2544 *tt = '\n';
2545 s = ss = tt+1;
2546 }
2547 }
2548 }
2549
2550return rc;
2551}
2552
2553/* End of acl.c */