Installed a modified version of Nikos Mavrogiannopoulos' patch that
[exim.git] / src / src / acl.c
CommitLineData
8e669ac1 1/* $Cambridge: exim/src/src/acl.c,v 1.19 2005/02/17 11:58:25 ph10 Exp $ */
059ec3d9
PH
2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
c988f1f4 7/* Copyright (c) University of Cambridge 1995 - 2005 */
059ec3d9
PH
8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
35follows. */
36
8523533c
TK
37enum { ACLC_ACL, ACLC_AUTHENTICATED,
38#ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40#endif
41ACLC_CONDITION, ACLC_CONTROL,
42#ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44#endif
45 ACLC_DELAY,
46#ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
8e669ac1 48#endif
8523533c
TK
49 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
50 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
51#ifdef WITH_CONTENT_SCAN
52 ACLC_MALWARE,
53#endif
54 ACLC_MESSAGE,
55#ifdef WITH_CONTENT_SCAN
56 ACLC_MIME_REGEX,
57#endif
58 ACLC_RECIPIENTS,
59#ifdef WITH_CONTENT_SCAN
60 ACLC_REGEX,
61#endif
62 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
63#ifdef WITH_CONTENT_SCAN
8e669ac1 64 ACLC_SPAM,
8523533c
TK
65#endif
66#ifdef EXPERIMENTAL_SPF
67 ACLC_SPF,
68#endif
69 ACLC_VERIFY };
059ec3d9
PH
70
71/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
72"log_message", "logwrite", and "set" are modifiers that look like conditions
73but always return TRUE. They are used for their side effects. */
74
8523533c
TK
75static uschar *conditions[] = { US"acl", US"authenticated",
76#ifdef EXPERIMENTAL_BRIGHTMAIL
77 US"bmi_optin",
78#endif
79 US"condition",
8e669ac1 80 US"control",
8523533c
TK
81#ifdef WITH_CONTENT_SCAN
82 US"decode",
83#endif
84 US"delay",
85#ifdef WITH_OLD_DEMIME
86 US"demime",
87#endif
88 US"dnslists", US"domains", US"encrypted",
059ec3d9 89 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
8523533c
TK
90#ifdef WITH_CONTENT_SCAN
91 US"malware",
92#endif
93 US"message",
94#ifdef WITH_CONTENT_SCAN
95 US"mime_regex",
96#endif
97 US"recipients",
98#ifdef WITH_CONTENT_SCAN
99 US"regex",
100#endif
101 US"sender_domains", US"senders", US"set",
102#ifdef WITH_CONTENT_SCAN
103 US"spam",
104#endif
105#ifdef EXPERIMENTAL_SPF
106 US"spf",
107#endif
059ec3d9 108 US"verify" };
8e669ac1 109
c5fcb476
PH
110/* ACL control names */
111
112static uschar *controls[] = { US"error", US"caseful_local_part",
113 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
8e669ac1 114 US"queue_only", US"submission", US"no_multiline"};
059ec3d9
PH
115
116/* Flags to indicate for which conditions /modifiers a string expansion is done
117at the outer level. In the other cases, expansion already occurs in the
118checking functions. */
119
120static uschar cond_expand_at_top[] = {
121 TRUE, /* acl */
122 FALSE, /* authenticated */
8523533c
TK
123#ifdef EXPERIMENTAL_BRIGHTMAIL
124 TRUE, /* bmi_optin */
8e669ac1 125#endif
059ec3d9
PH
126 TRUE, /* condition */
127 TRUE, /* control */
8523533c
TK
128#ifdef WITH_CONTENT_SCAN
129 TRUE, /* decode */
130#endif
059ec3d9 131 TRUE, /* delay */
8523533c
TK
132#ifdef WITH_OLD_DEMIME
133 TRUE, /* demime */
134#endif
059ec3d9
PH
135 TRUE, /* dnslists */
136 FALSE, /* domains */
137 FALSE, /* encrypted */
138 TRUE, /* endpass */
139 FALSE, /* hosts */
140 FALSE, /* local_parts */
141 TRUE, /* log_message */
142 TRUE, /* logwrite */
8523533c
TK
143#ifdef WITH_CONTENT_SCAN
144 TRUE, /* malware */
145#endif
059ec3d9 146 TRUE, /* message */
8523533c
TK
147#ifdef WITH_CONTENT_SCAN
148 TRUE, /* mime_regex */
149#endif
059ec3d9 150 FALSE, /* recipients */
8523533c
TK
151#ifdef WITH_CONTENT_SCAN
152 TRUE, /* regex */
153#endif
059ec3d9
PH
154 FALSE, /* sender_domains */
155 FALSE, /* senders */
156 TRUE, /* set */
8523533c
TK
157#ifdef WITH_CONTENT_SCAN
158 TRUE, /* spam */
159#endif
160#ifdef EXPERIMENTAL_SPF
161 TRUE, /* spf */
162#endif
059ec3d9
PH
163 TRUE /* verify */
164};
165
166/* Flags to identify the modifiers */
167
168static uschar cond_modifiers[] = {
169 FALSE, /* acl */
170 FALSE, /* authenticated */
8523533c
TK
171#ifdef EXPERIMENTAL_BRIGHTMAIL
172 TRUE, /* bmi_optin */
8e669ac1 173#endif
059ec3d9
PH
174 FALSE, /* condition */
175 TRUE, /* control */
8523533c
TK
176#ifdef WITH_CONTENT_SCAN
177 FALSE, /* decode */
178#endif
059ec3d9 179 TRUE, /* delay */
8523533c
TK
180#ifdef WITH_OLD_DEMIME
181 FALSE, /* demime */
182#endif
059ec3d9
PH
183 FALSE, /* dnslists */
184 FALSE, /* domains */
185 FALSE, /* encrypted */
186 TRUE, /* endpass */
187 FALSE, /* hosts */
188 FALSE, /* local_parts */
189 TRUE, /* log_message */
8523533c
TK
190 TRUE, /* logwrite */
191#ifdef WITH_CONTENT_SCAN
192 FALSE, /* malware */
193#endif
059ec3d9 194 TRUE, /* message */
8523533c
TK
195#ifdef WITH_CONTENT_SCAN
196 FALSE, /* mime_regex */
197#endif
059ec3d9 198 FALSE, /* recipients */
8523533c
TK
199#ifdef WITH_CONTENT_SCAN
200 FALSE, /* regex */
201#endif
059ec3d9
PH
202 FALSE, /* sender_domains */
203 FALSE, /* senders */
204 TRUE, /* set */
8523533c
TK
205#ifdef WITH_CONTENT_SCAN
206 FALSE, /* spam */
207#endif
208#ifdef EXPERIMENTAL_SPF
209 FALSE, /* spf */
210#endif
059ec3d9
PH
211 FALSE /* verify */
212};
213
c5fcb476
PH
214/* Bit map vector of which conditions are not allowed at certain times. For
215each condition, there's a bitmap of dis-allowed times. */
059ec3d9
PH
216
217static unsigned int cond_forbids[] = {
218 0, /* acl */
8e669ac1 219
059ec3d9
PH
220 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
221 (1<<ACL_WHERE_HELO),
8e669ac1 222
8523533c 223#ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 224 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK
225 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
226 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 227 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK
228 (1<<ACL_WHERE_MAILAUTH)|
229 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
230 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
231#endif
8e669ac1 232
059ec3d9 233 0, /* condition */
8e669ac1 234
059ec3d9
PH
235 /* Certain types of control are always allowed, so we let it through
236 always and check in the control processing itself */
8e669ac1 237
059ec3d9 238 0, /* control */
8e669ac1 239
8523533c 240#ifdef WITH_CONTENT_SCAN
3864bb8e 241 (1<<ACL_WHERE_AUTH)| /* decode */
8523533c
TK
242 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
243 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
244 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
245 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
246 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
247 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
248#endif
249
059ec3d9 250 0, /* delay */
8e669ac1 251
f7b63901 252#ifdef WITH_OLD_DEMIME
3864bb8e 253 (1<<ACL_WHERE_AUTH)| /* demime */
8523533c
TK
254 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
255 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
256 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
257 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
258 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
259 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
260#endif
8e669ac1 261
059ec3d9
PH
262 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
263
264 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
265 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
266 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
267 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
268 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
269 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
270 (1<<ACL_WHERE_VRFY),
271
272 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
273 (1<<ACL_WHERE_HELO),
8e669ac1 274
059ec3d9 275 0, /* endpass */
8e669ac1 276
059ec3d9
PH
277 (1<<ACL_WHERE_NOTSMTP), /* hosts */
278
279 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
280 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
281 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
282 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
283 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
284 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
285 (1<<ACL_WHERE_VRFY),
286
287 0, /* log_message */
8e669ac1 288
059ec3d9 289 0, /* logwrite */
8e669ac1 290
8523533c 291#ifdef WITH_CONTENT_SCAN
3864bb8e 292 (1<<ACL_WHERE_AUTH)| /* malware */
8523533c
TK
293 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
294 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
295 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
296 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
297 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
298 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
299#endif
300
059ec3d9
PH
301 0, /* message */
302
8523533c 303#ifdef WITH_CONTENT_SCAN
3864bb8e 304 (1<<ACL_WHERE_AUTH)| /* mime_regex */
8523533c
TK
305 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
306 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
307 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
308 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
309 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
310 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
311#endif
312
059ec3d9
PH
313 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
314 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
315 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
316 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
317 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
318 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
319 (1<<ACL_WHERE_VRFY),
320
8523533c 321#ifdef WITH_CONTENT_SCAN
3864bb8e 322 (1<<ACL_WHERE_AUTH)| /* regex */
8523533c
TK
323 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
324 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
325 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
326 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
327 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
328 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
329#endif
330
059ec3d9
PH
331 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
332 (1<<ACL_WHERE_HELO)|
333 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
334 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
335 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
336
337 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
338 (1<<ACL_WHERE_HELO)|
339 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
340 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
341 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
342
343 0, /* set */
344
8523533c 345#ifdef WITH_CONTENT_SCAN
3864bb8e 346 (1<<ACL_WHERE_AUTH)| /* spam */
8523533c
TK
347 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
348 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
349 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
350 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
351 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
352 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
353#endif
354
355#ifdef EXPERIMENTAL_SPF
356 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
357 (1<<ACL_WHERE_HELO)|
358 (1<<ACL_WHERE_MAILAUTH)|
359 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
360 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
361#endif
362
059ec3d9
PH
363 /* Certain types of verify are always allowed, so we let it through
364 always and check in the verify function itself */
365
366 0 /* verify */
059ec3d9
PH
367};
368
369
370/* Return values from decode_control() */
371
8e669ac1 372enum {
8523533c
TK
373#ifdef EXPERIMENTAL_BRIGHTMAIL
374 CONTROL_BMI_RUN,
8e669ac1 375#endif
8523533c 376 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
059ec3d9 377 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
8523533c
TK
378 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
379#ifdef WITH_CONTENT_SCAN
8e669ac1 380 CONTROL_NO_MBOX_UNSPOOL,
8523533c 381#endif
0f9b0483 382 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
059ec3d9 383
c5fcb476
PH
384/* Bit map vector of which controls are not allowed at certain times. For
385each control, there's a bitmap of dis-allowed times. For some, it is easier to
386specify the negation of a small number of allowed times. */
387
388static unsigned int control_forbids[] = {
8523533c
TK
389#ifdef EXPERIMENTAL_BRIGHTMAIL
390 0, /* bmi_run */
391#endif
3e11c26b 392
c5fcb476 393 0, /* error */
8e669ac1
PH
394
395 (unsigned int)
c5fcb476 396 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH
397
398 (unsigned int)
c5fcb476 399 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 400
c5fcb476 401 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
8e669ac1 402
c5fcb476 403 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
8e669ac1
PH
404
405 (unsigned int)
c5fcb476
PH
406 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
407 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
408 (1<<ACL_WHERE_NOTSMTP)),
8e669ac1
PH
409
410 (unsigned int)
c5fcb476
PH
411 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
412 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
413 (1<<ACL_WHERE_NOTSMTP)),
8e669ac1
PH
414
415 (unsigned int)
c5fcb476 416 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 417 (1<<ACL_WHERE_PREDATA)),
8523533c
TK
418
419#ifdef WITH_CONTENT_SCAN
8e669ac1 420 (unsigned int)
14d57970
PH
421 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
422 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)),
8523533c 423#endif
a6c4ab60 424
8e669ac1 425 (unsigned int)
a6c4ab60
PH
426 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
427 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)),
8523533c 428
c5fcb476
PH
429 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
430};
431
432/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH
433
434typedef struct control_def {
435 uschar *name;
436 int value; /* CONTROL_xxx value */
059ec3d9
PH
437 BOOL has_option; /* Has /option(s) following */
438} control_def;
439
440static control_def controls_list[] = {
8523533c
TK
441#ifdef EXPERIMENTAL_BRIGHTMAIL
442 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
443#endif
c5fcb476
PH
444 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
445 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
446 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
447 { US"freeze", CONTROL_FREEZE, FALSE},
448 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
449 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
450 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
8523533c
TK
451#ifdef WITH_CONTENT_SCAN
452 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
8523533c 453#endif
0f9b0483 454 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
c5fcb476 455 { US"submission", CONTROL_SUBMISSION, TRUE}
059ec3d9
PH
456 };
457
458/* Enable recursion between acl_check_internal() and acl_check_condition() */
459
460static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
461 uschar **);
462
463
464/*************************************************
465* Pick out name from list *
466*************************************************/
467
468/* Use a binary chop method
469
470Arguments:
471 name name to find
472 list list of names
473 end size of list
474
475Returns: offset in list, or -1 if not found
476*/
477
478static int
479acl_checkname(uschar *name, uschar **list, int end)
480{
481int start = 0;
482
483while (start < end)
484 {
485 int mid = (start + end)/2;
486 int c = Ustrcmp(name, list[mid]);
487 if (c == 0) return mid;
488 if (c < 0) end = mid; else start = mid + 1;
489 }
490
491return -1;
492}
493
494
495/*************************************************
496* Read and parse one ACL *
497*************************************************/
498
499/* This function is called both from readconf in order to parse the ACLs in the
500configuration file, and also when an ACL is encountered dynamically (e.g. as
501the result of an expansion). It is given a function to call in order to
502retrieve the lines of the ACL. This function handles skipping comments and
503blank lines (where relevant).
504
505Arguments:
506 func function to get next line of ACL
507 error where to put an error message
508
509Returns: pointer to ACL, or NULL
510 NULL can be legal (empty ACL); in this case error will be NULL
511*/
512
513acl_block *
514acl_read(uschar *(*func)(void), uschar **error)
515{
516acl_block *yield = NULL;
517acl_block **lastp = &yield;
518acl_block *this = NULL;
519acl_condition_block *cond;
520acl_condition_block **condp = NULL;
521uschar *s;
522
523*error = NULL;
524
525while ((s = (*func)()) != NULL)
526 {
527 int v, c;
528 BOOL negated = FALSE;
529 uschar *saveline = s;
530 uschar name[64];
531
532 /* Conditions (but not verbs) are allowed to be negated by an initial
533 exclamation mark. */
534
535 while (isspace(*s)) s++;
536 if (*s == '!')
537 {
538 negated = TRUE;
539 s++;
540 }
541
542 /* Read the name of a verb or a condition, or the start of a new ACL */
543
544 s = readconf_readname(name, sizeof(name), s);
545 if (*s == ':')
546 {
547 if (negated || name[0] == 0)
548 {
549 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
550 return NULL;
551 }
552 break;
553 }
554
555 /* If a verb is unrecognized, it may be another condition or modifier that
556 continues the previous verb. */
557
558 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
559 if (v < 0)
560 {
561 if (this == NULL)
562 {
563 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
564 return NULL;
565 }
566 }
567
568 /* New verb */
569
570 else
571 {
572 if (negated)
573 {
574 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
575 return NULL;
576 }
577 this = store_get(sizeof(acl_block));
578 *lastp = this;
579 lastp = &(this->next);
580 this->next = NULL;
581 this->verb = v;
582 this->condition = NULL;
583 condp = &(this->condition);
584 if (*s == 0) continue; /* No condition on this line */
585 if (*s == '!')
586 {
587 negated = TRUE;
588 s++;
589 }
590 s = readconf_readname(name, sizeof(name), s); /* Condition name */
591 }
592
593 /* Handle a condition or modifier. */
594
595 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
596 if (c < 0)
597 {
598 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
599 saveline);
600 return NULL;
601 }
602
603 /* The modifiers may not be negated */
604
605 if (negated && cond_modifiers[c])
606 {
607 *error = string_sprintf("ACL error: negation is not allowed with "
608 "\"%s\"", conditions[c]);
609 return NULL;
610 }
611
612 /* ENDPASS may occur only with ACCEPT or DISCARD. */
613
614 if (c == ACLC_ENDPASS &&
615 this->verb != ACL_ACCEPT &&
616 this->verb != ACL_DISCARD)
617 {
618 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
619 conditions[c], verbs[this->verb]);
620 return NULL;
621 }
622
623 cond = store_get(sizeof(acl_condition_block));
624 cond->next = NULL;
625 cond->type = c;
626 cond->u.negated = negated;
627
628 *condp = cond;
629 condp = &(cond->next);
630
631 /* The "set" modifier is different in that its argument is "name=value"
632 rather than just a value, and we can check the validity of the name, which
633 gives us a variable number to insert into the data block. */
634
635 if (c == ACLC_SET)
636 {
637 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
638 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
639 {
640 *error = string_sprintf("unrecognized name after \"set\" in ACL "
641 "modifier \"set %s\"", s);
642 return NULL;
643 }
644
645 cond->u.varnumber = s[5] - '0';
646 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
647 s += 6;
648 while (isspace(*s)) s++;
649 }
650
651 /* For "set", we are now positioned for the data. For the others, only
652 "endpass" has no data */
653
654 if (c != ACLC_ENDPASS)
655 {
656 if (*s++ != '=')
657 {
658 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
659 cond_modifiers[c]? US"modifier" : US"condition");
660 return NULL;
661 }
662 while (isspace(*s)) s++;
663 cond->arg = string_copy(s);
664 }
665 }
666
667return yield;
668}
669
670
671
672/*************************************************
673* Handle warnings *
674*************************************************/
675
676/* This function is called when a WARN verb's conditions are true. It adds to
677the message's headers, and/or writes information to the log. In each case, this
678only happens once (per message for headers, per connection for log).
679
680Arguments:
681 where ACL_WHERE_xxxx indicating which ACL this is
682 user_message message for adding to headers
683 log_message message for logging, if different
684
685Returns: nothing
686*/
687
688static void
689acl_warn(int where, uschar *user_message, uschar *log_message)
690{
691int hlen;
692
693if (log_message != NULL && log_message != user_message)
694 {
695 uschar *text;
696 string_item *logged;
697
698 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
699 string_printing(log_message));
700
701 /* If a sender verification has failed, and the log message is "sender verify
702 failed", add the failure message. */
703
704 if (sender_verified_failed != NULL &&
705 sender_verified_failed->message != NULL &&
706 strcmpic(log_message, US"sender verify failed") == 0)
707 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
708
709 /* Search previously logged warnings. They are kept in malloc store so they
710 can be freed at the start of a new message. */
711
712 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
713 if (Ustrcmp(logged->text, text) == 0) break;
714
715 if (logged == NULL)
716 {
717 int length = Ustrlen(text) + 1;
718 log_write(0, LOG_MAIN, "%s", text);
719 logged = store_malloc(sizeof(string_item) + length);
720 logged->text = (uschar *)logged + sizeof(string_item);
721 memcpy(logged->text, text, length);
722 logged->next = acl_warn_logged;
723 acl_warn_logged = logged;
724 }
725 }
726
727/* If there's no user message, we are done. */
728
729if (user_message == NULL) return;
730
731/* If this isn't a message ACL, we can't do anything with a user message.
732Log an error. */
733
734if (where > ACL_WHERE_NOTSMTP)
735 {
736 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
737 "found in a non-message (%s) ACL: cannot specify header lines here: "
738 "message ignored", acl_wherenames[where]);
739 return;
740 }
741
742/* Treat the user message as a sequence of one or more header lines. */
743
744hlen = Ustrlen(user_message);
745if (hlen > 0)
746 {
747 uschar *text, *p, *q;
748
749 /* Add a final newline if not present */
750
751 text = ((user_message)[hlen-1] == '\n')? user_message :
752 string_sprintf("%s\n", user_message);
753
754 /* Loop for multiple header lines, taking care about continuations */
755
756 for (p = q = text; *p != 0; )
757 {
758 uschar *s;
759 int newtype = htype_add_bot;
760 header_line **hptr = &acl_warn_headers;
761
762 /* Find next header line within the string */
763
764 for (;;)
765 {
766 q = Ustrchr(q, '\n');
767 if (*(++q) != ' ' && *q != '\t') break;
768 }
769
770 /* If the line starts with a colon, interpret the instruction for where to
771 add it. This temporarily sets up a new type. */
772
773 if (*p == ':')
774 {
775 if (strncmpic(p, US":after_received:", 16) == 0)
776 {
777 newtype = htype_add_rec;
778 p += 16;
779 }
8523533c
TK
780 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
781 {
782 newtype = htype_add_rfc;
783 p += 14;
8e669ac1 784 }
059ec3d9
PH
785 else if (strncmpic(p, US":at_start:", 10) == 0)
786 {
787 newtype = htype_add_top;
788 p += 10;
789 }
790 else if (strncmpic(p, US":at_end:", 8) == 0)
791 {
792 newtype = htype_add_bot;
793 p += 8;
794 }
795 while (*p == ' ' || *p == '\t') p++;
796 }
797
798 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
799 to the front of it. */
800
801 for (s = p; s < q - 1; s++)
802 {
803 if (*s == ':' || !isgraph(*s)) break;
804 }
805
806 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
807 hlen = Ustrlen(s);
808
809 /* See if this line has already been added */
810
811 while (*hptr != NULL)
812 {
813 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
814 hptr = &((*hptr)->next);
815 }
816
817 /* Add if not previously present */
818
819 if (*hptr == NULL)
820 {
821 header_line *h = store_get(sizeof(header_line));
822 h->text = s;
823 h->next = NULL;
824 h->type = newtype;
825 h->slen = hlen;
826 *hptr = h;
827 hptr = &(h->next);
828 }
829
830 /* Advance for next header line within the string */
831
832 p = q;
833 }
834 }
835}
836
837
838
839/*************************************************
840* Verify and check reverse DNS *
841*************************************************/
842
843/* Called from acl_verify() below. We look up the host name(s) of the client IP
844address if this has not yet been done. The host_name_lookup() function checks
845that one of these names resolves to an address list that contains the client IP
846address, so we don't actually have to do the check here.
847
848Arguments:
849 user_msgptr pointer for user message
850 log_msgptr pointer for log message
851
852Returns: OK verification condition succeeded
853 FAIL verification failed
854 DEFER there was a problem verifying
855*/
856
857static int
858acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
859{
860int rc;
861
862user_msgptr = user_msgptr; /* stop compiler warning */
863
864/* Previous success */
865
866if (sender_host_name != NULL) return OK;
867
868/* Previous failure */
869
870if (host_lookup_failed)
871 {
872 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
873 return FAIL;
874 }
875
876/* Need to do a lookup */
877
878HDEBUG(D_acl)
879 debug_printf("looking up host name to force name/address consistency check\n");
880
881if ((rc = host_name_lookup()) != OK)
882 {
883 *log_msgptr = (rc == DEFER)?
884 US"host lookup deferred for reverse lookup check"
885 :
886 string_sprintf("host lookup failed for reverse lookup check%s",
887 host_lookup_msg);
888 return rc; /* DEFER or FAIL */
889 }
890
891host_build_sender_fullhost();
892return OK;
893}
894
895
896
897/*************************************************
898* Handle verification (address & other) *
899*************************************************/
900
901/* This function implements the "verify" condition. It is called when
902encountered in any ACL, because some tests are almost always permitted. Some
903just don't make sense, and always fail (for example, an attempt to test a host
904lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
905
906Arguments:
907 where where called from
908 addr the recipient address that the ACL is handling, or NULL
909 arg the argument of "verify"
910 user_msgptr pointer for user message
911 log_msgptr pointer for log message
912 basic_errno where to put verify errno
913
914Returns: OK verification condition succeeded
915 FAIL verification failed
916 DEFER there was a problem verifying
917 ERROR syntax error
918*/
919
920static int
921acl_verify(int where, address_item *addr, uschar *arg,
922 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
923{
924int sep = '/';
925int callout = -1;
926int callout_overall = -1;
4deaf07d 927int callout_connect = -1;
059ec3d9
PH
928int verify_options = 0;
929int rc;
930BOOL verify_header_sender = FALSE;
931BOOL defer_ok = FALSE;
932BOOL callout_defer_ok = FALSE;
933BOOL no_details = FALSE;
934address_item *sender_vaddr = NULL;
935uschar *verify_sender_address = NULL;
936uschar *pm_mailfrom = NULL;
937uschar *se_mailfrom = NULL;
938uschar *list = arg;
939uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
940
941if (ss == NULL) goto BAD_VERIFY;
942
943/* Handle name/address consistency verification in a separate function. */
944
945if (strcmpic(ss, US"reverse_host_lookup") == 0)
946 {
947 if (sender_host_address == NULL) return OK;
948 return acl_verify_reverse(user_msgptr, log_msgptr);
949 }
950
951/* TLS certificate verification is done at STARTTLS time; here we just
952test whether it was successful or not. (This is for optional verification; for
953mandatory verification, the connection doesn't last this long.) */
954
955if (strcmpic(ss, US"certificate") == 0)
956 {
957 if (tls_certificate_verified) return OK;
958 *user_msgptr = US"no verified certificate";
959 return FAIL;
960 }
961
962/* We can test the result of optional HELO verification */
963
964if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
965
966/* Handle header verification options - permitted only after DATA or a non-SMTP
967message. */
968
969if (strncmpic(ss, US"header_", 7) == 0)
970 {
971 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
972 {
973 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
974 "(only possible in ACL for DATA)", acl_wherenames[where]);
975 return ERROR;
976 }
977
978 /* Check that all relevant header lines have the correct syntax. If there is
979 a syntax error, we return details of the error to the sender if configured to
980 send out full details. (But a "message" setting on the ACL can override, as
981 always). */
982
983 if (strcmpic(ss+7, US"syntax") == 0)
984 {
985 int rc = verify_check_headers(log_msgptr);
986 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
987 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
988 return rc;
989 }
990
991 /* Check that there is at least one verifiable sender address in the relevant
992 header lines. This can be followed by callout and defer options, just like
993 sender and recipient. */
994
995 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
996
997 /* Unknown verify argument starting with "header_" */
998
999 else goto BAD_VERIFY;
1000 }
1001
1002/* Otherwise, first item in verify argument must be "sender" or "recipient".
1003In the case of a sender, this can optionally be followed by an address to use
1004in place of the actual sender (rare special-case requirement). */
1005
1006else if (strncmpic(ss, US"sender", 6) == 0)
1007 {
1008 uschar *s = ss + 6;
1009 if (where > ACL_WHERE_NOTSMTP)
1010 {
1011 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1012 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1013 acl_wherenames[where]);
1014 return ERROR;
1015 }
1016 if (*s == 0)
1017 verify_sender_address = sender_address;
1018 else
1019 {
1020 while (isspace(*s)) s++;
1021 if (*s++ != '=') goto BAD_VERIFY;
1022 while (isspace(*s)) s++;
1023 verify_sender_address = string_copy(s);
1024 }
1025 }
1026else
1027 {
1028 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1029 if (addr == NULL)
1030 {
1031 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1032 "(only possible for RCPT)", acl_wherenames[where]);
1033 return ERROR;
1034 }
1035 }
1036
1037/* Remaining items are optional */
1038
1039while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1040 != NULL)
1041 {
1042 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1043 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1044
1045 /* These two old options are left for backwards compatibility */
1046
1047 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1048 {
1049 callout_defer_ok = TRUE;
1050 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1051 }
1052
1053 else if (strcmpic(ss, US"check_postmaster") == 0)
1054 {
1055 pm_mailfrom = US"";
1056 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1057 }
1058
1059 /* The callout option has a number of sub-options, comma separated */
1060
1061 else if (strncmpic(ss, US"callout", 7) == 0)
1062 {
1063 callout = CALLOUT_TIMEOUT_DEFAULT;
1064 ss += 7;
1065 if (*ss != 0)
1066 {
1067 while (isspace(*ss)) ss++;
1068 if (*ss++ == '=')
1069 {
1070 int optsep = ',';
1071 uschar *opt;
1072 uschar buffer[256];
1073 while (isspace(*ss)) ss++;
8e669ac1
PH
1074
1075 /* This callout option handling code has become a mess as new options
1076 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1077 kind of table-driven thing. */
8e669ac1 1078
059ec3d9
PH
1079 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1080 != NULL)
1081 {
1082 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1083 else if (strcmpic(opt, US"no_cache") == 0)
1084 verify_options |= vopt_callout_no_cache;
1085 else if (strcmpic(opt, US"random") == 0)
1086 verify_options |= vopt_callout_random;
1087 else if (strcmpic(opt, US"use_sender") == 0)
1088 verify_options |= vopt_callout_recipsender;
1089 else if (strcmpic(opt, US"use_postmaster") == 0)
1090 verify_options |= vopt_callout_recippmaster;
1091 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1092
1093 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1094 {
1095 if (!verify_header_sender)
1096 {
1097 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1098 "callout option only for verify=header_sender (detected in ACL "
1099 "condition \"%s\")", arg);
1100 return ERROR;
1101 }
1102 opt += 8;
1103 while (isspace(*opt)) opt++;
1104 if (*opt++ != '=')
1105 {
1106 *log_msgptr = string_sprintf("'=' expected after "
1107 "\"mailfrom\" in ACL condition \"%s\"", arg);
1108 return ERROR;
1109 }
1110 while (isspace(*opt)) opt++;
1111 se_mailfrom = string_copy(opt);
1112 }
1113
1114 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1115 {
1116 opt += 19;
1117 while (isspace(*opt)) opt++;
1118 if (*opt++ != '=')
1119 {
1120 *log_msgptr = string_sprintf("'=' expected after "
1121 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1122 return ERROR;
1123 }
1124 while (isspace(*opt)) opt++;
1125 pm_mailfrom = string_copy(opt);
1126 }
1127
1128 else if (strncmpic(opt, US"maxwait", 7) == 0)
1129 {
1130 opt += 7;
1131 while (isspace(*opt)) opt++;
1132 if (*opt++ != '=')
1133 {
1134 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1135 "ACL condition \"%s\"", arg);
1136 return ERROR;
1137 }
1138 while (isspace(*opt)) opt++;
1139 callout_overall = readconf_readtime(opt, 0, FALSE);
1140 if (callout_overall < 0)
1141 {
1142 *log_msgptr = string_sprintf("bad time value in ACL condition "
1143 "\"verify %s\"", arg);
1144 return ERROR;
1145 }
1146 }
4deaf07d
PH
1147 else if (strncmpic(opt, US"connect", 7) == 0)
1148 {
1149 opt += 7;
1150 while (isspace(*opt)) opt++;
1151 if (*opt++ != '=')
1152 {
1153 *log_msgptr = string_sprintf("'=' expected after "
1154 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1155 return ERROR;
1156 }
1157 while (isspace(*opt)) opt++;
1158 callout_connect = readconf_readtime(opt, 0, FALSE);
1159 if (callout_connect < 0)
1160 {
1161 *log_msgptr = string_sprintf("bad time value in ACL condition "
1162 "\"verify %s\"", arg);
1163 return ERROR;
1164 }
1165 }
059ec3d9
PH
1166 else /* Plain time is callout connect/command timeout */
1167 {
1168 callout = readconf_readtime(opt, 0, FALSE);
1169 if (callout < 0)
1170 {
1171 *log_msgptr = string_sprintf("bad time value in ACL condition "
1172 "\"verify %s\"", arg);
1173 return ERROR;
1174 }
1175 }
1176 }
1177 }
1178 else
1179 {
1180 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1181 "ACL condition \"%s\"", arg);
1182 return ERROR;
1183 }
1184 }
1185 }
1186
1187 /* Option not recognized */
1188
1189 else
1190 {
1191 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1192 "condition \"verify %s\"", ss, arg);
1193 return ERROR;
1194 }
1195 }
1196
1197if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1198 (vopt_callout_recipsender|vopt_callout_recippmaster))
1199 {
1200 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1201 "for a recipient callout";
1202 return ERROR;
1203 }
1204
1205/* Handle sender-in-header verification. Default the user message to the log
1206message if giving out verification details. */
1207
1208if (verify_header_sender)
1209 {
8e669ac1 1210 int verrno;
059ec3d9 1211 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH
1212 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1213 &verrno);
1214 if (rc != OK)
8e669ac1 1215 {
fe5b5d0b
PH
1216 *basic_errno = verrno;
1217 if (smtp_return_error_details)
1218 {
1219 if (*user_msgptr == NULL && *log_msgptr != NULL)
1220 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1221 if (rc == DEFER) acl_temp_details = TRUE;
1222 }
8e669ac1 1223 }
059ec3d9
PH
1224 }
1225
1226/* Handle a sender address. The default is to verify *the* sender address, but
1227optionally a different address can be given, for special requirements. If the
1228address is empty, we are dealing with a bounce message that has no sender, so
1229we cannot do any checking. If the real sender address gets rewritten during
1230verification (e.g. DNS widening), set the flag to stop it being rewritten again
1231during message reception.
1232
1233A list of verified "sender" addresses is kept to try to avoid doing to much
1234work repetitively when there are multiple recipients in a message and they all
1235require sender verification. However, when callouts are involved, it gets too
1236complicated because different recipients may require different callout options.
1237Therefore, we always do a full sender verify when any kind of callout is
1238specified. Caching elsewhere, for instance in the DNS resolver and in the
1239callout handling, should ensure that this is not terribly inefficient. */
1240
1241else if (verify_sender_address != NULL)
1242 {
1243 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1244 != 0)
1245 {
1246 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1247 "sender verify callout";
1248 return ERROR;
1249 }
1250
1251 sender_vaddr = verify_checked_sender(verify_sender_address);
1252 if (sender_vaddr != NULL && /* Previously checked */
1253 callout <= 0) /* No callout needed this time */
1254 {
1255 /* If the "routed" flag is set, it means that routing worked before, so
1256 this check can give OK (the saved return code value, if set, belongs to a
1257 callout that was done previously). If the "routed" flag is not set, routing
1258 must have failed, so we use the saved return code. */
1259
1260 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1261 {
1262 rc = sender_vaddr->special_action;
1263 *basic_errno = sender_vaddr->basic_errno;
1264 }
1265 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1266 }
1267
1268 /* Do a new verification, and cache the result. The cache is used to avoid
1269 verifying the sender multiple times for multiple RCPTs when callouts are not
1270 specified (see comments above).
1271
1272 The cache is also used on failure to give details in response to the first
1273 RCPT that gets bounced for this reason. However, this can be suppressed by
1274 the no_details option, which sets the flag that says "this detail has already
1275 been sent". The cache normally contains just one address, but there may be
1276 more in esoteric circumstances. */
1277
1278 else
1279 {
1280 BOOL routed = TRUE;
2a3eea10 1281 uschar *save_address_data = deliver_address_data;
8e669ac1 1282
059ec3d9
PH
1283 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1284 if (no_details) setflag(sender_vaddr, af_sverify_told);
1285 if (verify_sender_address[0] != 0)
1286 {
1287 /* If this is the real sender address, save the unrewritten version
1288 for use later in receive. Otherwise, set a flag so that rewriting the
1289 sender in verify_address() does not update sender_address. */
1290
1291 if (verify_sender_address == sender_address)
1292 sender_address_unrewritten = sender_address;
1293 else
1294 verify_options |= vopt_fake_sender;
1295
1296 /* The recipient, qualify, and expn options are never set in
1297 verify_options. */
1298
1299 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1300 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH
1301
1302 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1303
1304 if (rc == OK)
1305 {
1306 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1307 {
1308 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1309 verify_sender_address, sender_vaddr->address);
1310 }
1311 else
1312 {
1313 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1314 verify_sender_address);
1315 }
1316 }
1317 else *basic_errno = sender_vaddr->basic_errno;
1318 }
1319 else rc = OK; /* Null sender */
1320
1321 /* Cache the result code */
1322
1323 if (routed) setflag(sender_vaddr, af_verify_routed);
1324 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1325 sender_vaddr->special_action = rc;
1326 sender_vaddr->next = sender_verified_list;
1327 sender_verified_list = sender_vaddr;
8e669ac1
PH
1328
1329 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1330 the sender verification. */
8e669ac1 1331
2a3eea10 1332 deliver_address_data = save_address_data;
059ec3d9 1333 }
8e669ac1 1334
2a3eea10
PH
1335 /* Put the sender address_data value into $sender_address_data */
1336
8e669ac1 1337 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH
1338 }
1339
1340/* A recipient address just gets a straightforward verify; again we must handle
1341the DEFER overrides. */
1342
1343else
1344 {
1345 address_item addr2;
1346
1347 /* We must use a copy of the address for verification, because it might
1348 get rewritten. */
1349
1350 addr2 = *addr;
1351 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1352 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1353 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1354
059ec3d9 1355 *log_msgptr = addr2.message;
8e669ac1 1356 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1357 addr2.user_message : addr2.message;
059ec3d9
PH
1358 *basic_errno = addr2.basic_errno;
1359
1360 /* Make $address_data visible */
1361 deliver_address_data = addr2.p.address_data;
1362 }
1363
1364/* We have a result from the relevant test. Handle defer overrides first. */
1365
1366if (rc == DEFER && (defer_ok ||
1367 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1368 {
1369 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1370 defer_ok? "defer_ok" : "callout_defer_ok");
1371 rc = OK;
1372 }
1373
1374/* If we've failed a sender, set up a recipient message, and point
1375sender_verified_failed to the address item that actually failed. */
1376
1377if (rc != OK && verify_sender_address != NULL)
1378 {
1379 if (rc != DEFER)
1380 {
1381 *log_msgptr = *user_msgptr = US"Sender verify failed";
1382 }
1383 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1384 {
1385 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1386 }
1387 else
1388 {
1389 *log_msgptr = US"Could not complete sender verify callout";
1390 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1391 *log_msgptr;
1392 }
1393
1394 sender_verified_failed = sender_vaddr;
1395 }
1396
1397/* Verifying an address messes up the values of $domain and $local_part,
1398so reset them before returning if this is a RCPT ACL. */
1399
1400if (addr != NULL)
1401 {
1402 deliver_domain = addr->domain;
1403 deliver_localpart = addr->local_part;
1404 }
1405return rc;
1406
1407/* Syntax errors in the verify argument come here. */
1408
1409BAD_VERIFY:
1410*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1411 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1412 "\"verify %s\"", arg);
1413return ERROR;
1414}
1415
1416
1417
1418
1419/*************************************************
1420* Check argument for control= modifier *
1421*************************************************/
1422
1423/* Called from acl_check_condition() below
1424
1425Arguments:
1426 arg the argument string for control=
1427 pptr set to point to the terminating character
1428 where which ACL we are in
1429 log_msgptr for error messages
1430
1431Returns: CONTROL_xxx value
1432*/
1433
1434static int
1435decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1436{
1437int len;
1438control_def *d;
1439
1440for (d = controls_list;
1441 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1442 d++)
1443 {
1444 len = Ustrlen(d->name);
1445 if (Ustrncmp(d->name, arg, len) == 0) break;
1446 }
1447
1448if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1449 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1450 {
1451 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1452 return CONTROL_ERROR;
1453 }
1454
059ec3d9
PH
1455*pptr = arg + len;
1456return d->value;
1457}
1458
1459
1460
1461/*************************************************
1462* Handle conditions/modifiers on an ACL item *
1463*************************************************/
1464
1465/* Called from acl_check() below.
1466
1467Arguments:
1468 verb ACL verb
1469 cb ACL condition block - if NULL, result is OK
1470 where where called from
1471 addr the address being checked for RCPT, or NULL
1472 level the nesting level
1473 epp pointer to pass back TRUE if "endpass" encountered
1474 (applies only to "accept" and "discard")
1475 user_msgptr user message pointer
1476 log_msgptr log message pointer
1477 basic_errno pointer to where to put verify error
1478
1479Returns: OK - all conditions are met
1480 DISCARD - an "acl" condition returned DISCARD - only allowed
1481 for "accept" or "discard" verbs
1482 FAIL - at least one condition fails
1483 FAIL_DROP - an "acl" condition returned FAIL_DROP
1484 DEFER - can't tell at the moment (typically, lookup defer,
1485 but can be temporary callout problem)
1486 ERROR - ERROR from nested ACL or expansion failure or other
1487 error
1488*/
1489
1490static int
1491acl_check_condition(int verb, acl_condition_block *cb, int where,
1492 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1493 uschar **log_msgptr, int *basic_errno)
1494{
1495uschar *user_message = NULL;
1496uschar *log_message = NULL;
1497uschar *p;
1498int rc = OK;
8523533c
TK
1499#ifdef WITH_CONTENT_SCAN
1500int sep = '/';
1501#endif
059ec3d9
PH
1502
1503for (; cb != NULL; cb = cb->next)
1504 {
1505 uschar *arg;
8e669ac1 1506 int control_type;
059ec3d9
PH
1507
1508 /* The message and log_message items set up messages to be used in
1509 case of rejection. They are expanded later. */
1510
1511 if (cb->type == ACLC_MESSAGE)
1512 {
1513 user_message = cb->arg;
1514 continue;
1515 }
1516
1517 if (cb->type == ACLC_LOG_MESSAGE)
1518 {
1519 log_message = cb->arg;
1520 continue;
1521 }
1522
1523 /* The endpass "condition" just sets a flag to show it occurred. This is
1524 checked at compile time to be on an "accept" or "discard" item. */
1525
1526 if (cb->type == ACLC_ENDPASS)
1527 {
1528 *epp = TRUE;
1529 continue;
1530 }
1531
1532 /* For other conditions and modifiers, the argument is expanded now for some
1533 of them, but not for all, because expansion happens down in some lower level
1534 checking functions in some cases. */
1535
1536 if (cond_expand_at_top[cb->type])
1537 {
1538 arg = expand_string(cb->arg);
1539 if (arg == NULL)
1540 {
1541 if (expand_string_forcedfail) continue;
1542 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1543 cb->arg, expand_string_message);
1544 return search_find_defer? DEFER : ERROR;
1545 }
1546 }
1547 else arg = cb->arg;
1548
1549 /* Show condition, and expanded condition if it's different */
1550
1551 HDEBUG(D_acl)
1552 {
1553 int lhswidth = 0;
1554 debug_printf("check %s%s %n",
1555 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1556 conditions[cb->type], &lhswidth);
1557
1558 if (cb->type == ACLC_SET)
1559 {
1560 int n = cb->u.varnumber;
1561 int t = (n < ACL_C_MAX)? 'c' : 'm';
1562 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1563 debug_printf("acl_%c%d ", t, n);
1564 lhswidth += 7;
1565 }
1566
1567 debug_printf("= %s\n", cb->arg);
1568
1569 if (arg != cb->arg)
1570 debug_printf("%.*s= %s\n", lhswidth,
1571 US" ", CS arg);
1572 }
1573
1574 /* Check that this condition makes sense at this time */
1575
1576 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1577 {
1578 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1579 cond_modifiers[cb->type]? "use" : "test",
1580 conditions[cb->type], acl_wherenames[where]);
1581 return ERROR;
1582 }
1583
1584 /* Run the appropriate test for each condition, or take the appropriate
1585 action for the remaining modifiers. */
1586
1587 switch(cb->type)
1588 {
1589 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1590 "discard" verb. */
1591
1592 case ACLC_ACL:
1593 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1594 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1595 {
1596 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1597 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1598 verbs[verb]);
1599 return ERROR;
1600 }
1601 break;
1602
1603 case ACLC_AUTHENTICATED:
1604 rc = (sender_host_authenticated == NULL)? FAIL :
1605 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1606 TRUE, NULL);
1607 break;
1608
8523533c
TK
1609#ifdef EXPERIMENTAL_BRIGHTMAIL
1610 case ACLC_BMI_OPTIN:
1611 {
1612 int old_pool = store_pool;
1613 store_pool = POOL_PERM;
1614 bmi_current_optin = string_copy(arg);
1615 store_pool = old_pool;
1616 }
1617 break;
1618#endif
1619
059ec3d9
PH
1620 case ACLC_CONDITION:
1621 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1622 rc = (Uatoi(arg) == 0)? FAIL : OK;
1623 else
1624 rc = (strcmpic(arg, US"no") == 0 ||
1625 strcmpic(arg, US"false") == 0)? FAIL :
1626 (strcmpic(arg, US"yes") == 0 ||
1627 strcmpic(arg, US"true") == 0)? OK : DEFER;
1628 if (rc == DEFER)
1629 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1630 break;
1631
1632 case ACLC_CONTROL:
c5fcb476
PH
1633 control_type = decode_control(arg, &p, where, log_msgptr);
1634
8523533c 1635 /* Check if this control makes sense at this time */
c5fcb476
PH
1636
1637 if ((control_forbids[control_type] & (1 << where)) != 0)
1638 {
1639 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1640 controls[control_type], acl_wherenames[where]);
1641 return ERROR;
8e669ac1 1642 }
c5fcb476
PH
1643
1644 switch(control_type)
059ec3d9 1645 {
8523533c
TK
1646#ifdef EXPERIMENTAL_BRIGHTMAIL
1647 case CONTROL_BMI_RUN:
1648 bmi_run = 1;
1649 break;
1650#endif
8e669ac1 1651
059ec3d9
PH
1652 case CONTROL_ERROR:
1653 return ERROR;
1654
1655 case CONTROL_CASEFUL_LOCAL_PART:
1656 deliver_localpart = addr->cc_local_part;
1657 break;
1658
1659 case CONTROL_CASELOWER_LOCAL_PART:
1660 deliver_localpart = addr->lc_local_part;
1661 break;
1662
1663 case CONTROL_ENFORCE_SYNC:
1664 smtp_enforce_sync = TRUE;
1665 break;
1666
1667 case CONTROL_NO_ENFORCE_SYNC:
1668 smtp_enforce_sync = FALSE;
1669 break;
1670
8523533c
TK
1671#ifdef WITH_CONTENT_SCAN
1672 case CONTROL_NO_MBOX_UNSPOOL:
1673 no_mbox_unspool = TRUE;
1674 break;
1675#endif
1676
059ec3d9
PH
1677 case CONTROL_NO_MULTILINE:
1678 no_multiline_responses = TRUE;
1679 break;
1680
8523533c
TK
1681 case CONTROL_FAKEREJECT:
1682 fake_reject = TRUE;
1683 if (*p == '/')
8e669ac1 1684 {
8523533c 1685 uschar *pp = p + 1;
8e669ac1 1686 while (*pp != 0) pp++;
8523533c
TK
1687 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1688 p = pp;
1689 }
1690 else
1691 {
1692 /* Explicitly reset to default string */
dc082449 1693 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK
1694 }
1695 break;
8523533c 1696
059ec3d9
PH
1697 case CONTROL_FREEZE:
1698 deliver_freeze = TRUE;
1699 deliver_frozen_at = time(NULL);
1700 break;
1701
1702 case CONTROL_QUEUE_ONLY:
1703 queue_only_policy = TRUE;
1704 break;
1705
1706 case CONTROL_SUBMISSION:
1707 submission_mode = TRUE;
69358f02 1708 while (*p == '/')
8e669ac1 1709 {
69358f02
PH
1710 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1711 {
1712 p += 14;
1713 active_local_sender_retain = TRUE;
8e669ac1
PH
1714 active_local_from_check = FALSE;
1715 }
69358f02
PH
1716 else if (Ustrncmp(p, "/domain=", 8) == 0)
1717 {
1718 uschar *pp = p + 8;
8e669ac1 1719 while (*pp != 0 && *pp != '/') pp++;
69358f02 1720 submission_domain = string_copyn(p+8, pp-p);
8e669ac1 1721 p = pp;
69358f02 1722 }
8e669ac1
PH
1723 else break;
1724 }
69358f02 1725 if (*p != 0)
059ec3d9 1726 {
69358f02 1727 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH
1728 return ERROR;
1729 }
1730 break;
1731 }
1732 break;
1733
8523533c
TK
1734#ifdef WITH_CONTENT_SCAN
1735 case ACLC_DECODE:
1736 rc = mime_decode(&arg);
1737 break;
1738#endif
1739
059ec3d9
PH
1740 case ACLC_DELAY:
1741 {
1742 int delay = readconf_readtime(arg, 0, FALSE);
1743 if (delay < 0)
1744 {
1745 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1746 "modifier: \"%s\" is not a time value", arg);
1747 return ERROR;
1748 }
1749 else
1750 {
1751 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1752 delay);
1753 if (host_checking)
1754 {
1755 HDEBUG(D_acl)
1756 debug_printf("delay skipped in -bh checking mode\n");
1757 }
8e669ac1 1758 else
86b8287f
PH
1759 {
1760 while (delay > 0) delay = sleep(delay);
8e669ac1 1761 }
059ec3d9
PH
1762 }
1763 }
1764 break;
1765
8523533c
TK
1766#ifdef WITH_OLD_DEMIME
1767 case ACLC_DEMIME:
1768 rc = demime(&arg);
1769 break;
1770#endif
1771
059ec3d9
PH
1772 case ACLC_DNSLISTS:
1773 rc = verify_check_dnsbl(&arg);
1774 break;
1775
1776 case ACLC_DOMAINS:
1777 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1778 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1779 break;
1780
1781 /* The value in tls_cipher is the full cipher name, for example,
1782 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1783 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1784 what may in practice come out of the SSL library - which at the time of
1785 writing is poorly documented. */
1786
1787 case ACLC_ENCRYPTED:
1788 if (tls_cipher == NULL) rc = FAIL; else
1789 {
1790 uschar *endcipher = NULL;
1791 uschar *cipher = Ustrchr(tls_cipher, ':');
1792 if (cipher == NULL) cipher = tls_cipher; else
1793 {
1794 endcipher = Ustrchr(++cipher, ':');
1795 if (endcipher != NULL) *endcipher = 0;
1796 }
1797 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1798 if (endcipher != NULL) *endcipher = ':';
1799 }
1800 break;
1801
1802 /* Use verify_check_this_host() instead of verify_check_host() so that
1803 we can pass over &host_data to catch any looked up data. Once it has been
1804 set, it retains its value so that it's still there if another ACL verb
1805 comes through here and uses the cache. However, we must put it into
1806 permanent store in case it is also expected to be used in a subsequent
1807 message in the same SMTP connection. */
1808
1809 case ACLC_HOSTS:
1810 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1811 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1812 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1813 break;
1814
1815 case ACLC_LOCAL_PARTS:
1816 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1817 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1818 &deliver_localpart_data);
1819 break;
1820
1821 case ACLC_LOGWRITE:
1822 {
1823 int logbits = 0;
1824 uschar *s = arg;
1825 if (*s == ':')
1826 {
1827 s++;
1828 while (*s != ':')
1829 {
1830 if (Ustrncmp(s, "main", 4) == 0)
1831 { logbits |= LOG_MAIN; s += 4; }
1832 else if (Ustrncmp(s, "panic", 5) == 0)
1833 { logbits |= LOG_PANIC; s += 5; }
1834 else if (Ustrncmp(s, "reject", 6) == 0)
1835 { logbits |= LOG_REJECT; s += 6; }
1836 else
1837 {
1838 logbits = LOG_MAIN|LOG_PANIC;
1839 s = string_sprintf(":unknown log name in \"%s\" in "
1840 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
1841 }
1842 if (*s == ',') s++;
1843 }
1844 s++;
1845 }
1846 while (isspace(*s)) s++;
1847 if (logbits == 0) logbits = LOG_MAIN;
1848 log_write(0, logbits, "%s", string_printing(s));
1849 }
1850 break;
8e669ac1 1851
8523533c
TK
1852#ifdef WITH_CONTENT_SCAN
1853 case ACLC_MALWARE:
1854 {
1855 /* Seperate the regular expression and any optional parameters. */
1856 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1857 /* Run the malware backend. */
1858 rc = malware(&ss);
1859 /* Modify return code based upon the existance of options. */
1860 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1861 != NULL) {
1862 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1863 {
1864 /* FAIL so that the message is passed to the next ACL */
1865 rc = FAIL;
1866 }
1867 }
1868 }
1869 break;
1870
1871 case ACLC_MIME_REGEX:
1872 rc = mime_regex(&arg);
1873 break;
1874#endif
059ec3d9
PH
1875
1876 case ACLC_RECIPIENTS:
1877 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
1878 &recipient_data);
1879 break;
1880
8523533c
TK
1881#ifdef WITH_CONTENT_SCAN
1882 case ACLC_REGEX:
1883 rc = regex(&arg);
1884 break;
1885#endif
1886
059ec3d9
PH
1887 case ACLC_SENDER_DOMAINS:
1888 {
1889 uschar *sdomain;
1890 sdomain = Ustrrchr(sender_address, '@');
1891 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
1892 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
1893 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
1894 }
1895 break;
1896
1897 case ACLC_SENDERS:
1898 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
1899 sender_address_cache, -1, 0, &sender_data);
1900 break;
1901
1902 /* Connection variables must persist forever */
1903
1904 case ACLC_SET:
1905 {
1906 int old_pool = store_pool;
1907 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
1908 acl_var[cb->u.varnumber] = string_copy(arg);
1909 store_pool = old_pool;
1910 }
1911 break;
1912
8523533c
TK
1913#ifdef WITH_CONTENT_SCAN
1914 case ACLC_SPAM:
1915 {
1916 /* Seperate the regular expression and any optional parameters. */
1917 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1918 /* Run the spam backend. */
1919 rc = spam(&ss);
1920 /* Modify return code based upon the existance of options. */
1921 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1922 != NULL) {
1923 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1924 {
1925 /* FAIL so that the message is passed to the next ACL */
1926 rc = FAIL;
1927 }
1928 }
1929 }
1930 break;
1931#endif
1932
1933#ifdef EXPERIMENTAL_SPF
1934 case ACLC_SPF:
1935 rc = spf_process(&arg, sender_address);
1936 break;
1937#endif
1938
059ec3d9
PH
1939 /* If the verb is WARN, discard any user message from verification, because
1940 such messages are SMTP responses, not header additions. The latter come
1941 only from explicit "message" modifiers. */
1942
1943 case ACLC_VERIFY:
1944 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
1945 if (verb == ACL_WARN) *user_msgptr = NULL;
1946 break;
1947
1948 default:
1949 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
1950 "condition %d", cb->type);
1951 break;
1952 }
1953
1954 /* If a condition was negated, invert OK/FAIL. */
1955
1956 if (!cond_modifiers[cb->type] && cb->u.negated)
1957 {
1958 if (rc == OK) rc = FAIL;
1959 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
1960 }
1961
1962 if (rc != OK) break; /* Conditions loop */
1963 }
1964
1965
1966/* If the result is the one for which "message" and/or "log_message" are used,
1967handle the values of these options. Most verbs have but a single return for
1968which the messages are relevant, but for "discard", it's useful to have the log
1969message both when it succeeds and when it fails. Also, for an "accept" that
1970appears in a QUIT ACL, we want to handle the user message. Since only "accept"
1971and "warn" are permitted in that ACL, we don't need to test the verb.
1972
1973These modifiers act in different ways:
1974
1975"message" is a user message that will be included in an SMTP response. Unless
1976it is empty, it overrides any previously set user message.
1977
1978"log_message" is a non-user message, and it adds to any existing non-user
1979message that is already set.
1980
1981If there isn't a log message set, we make it the same as the user message. */
1982
1983if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
1984 (verb == ACL_DISCARD && rc == OK) ||
1985 (where == ACL_WHERE_QUIT))
1986 {
1987 uschar *expmessage;
1988
1989 /* If the verb is "warn", messages generated by conditions (verification or
1990 nested ACLs) are discarded. Only messages specified at this level are used.
1991 However, the value of an existing message is available in $acl_verify_message
1992 during expansions. */
1993
1994 uschar *old_user_msgptr = *user_msgptr;
1995 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
1996
1997 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
1998
1999 if (user_message != NULL)
2000 {
2001 acl_verify_message = old_user_msgptr;
2002 expmessage = expand_string(user_message);
2003 if (expmessage == NULL)
2004 {
2005 if (!expand_string_forcedfail)
2006 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2007 user_message, expand_string_message);
2008 }
2009 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2010 }
2011
2012 if (log_message != NULL)
2013 {
2014 acl_verify_message = old_log_msgptr;
2015 expmessage = expand_string(log_message);
2016 if (expmessage == NULL)
2017 {
2018 if (!expand_string_forcedfail)
2019 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2020 log_message, expand_string_message);
2021 }
2022 else if (expmessage[0] != 0)
2023 {
2024 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2025 string_sprintf("%s: %s", expmessage, *log_msgptr);
2026 }
2027 }
2028
2029 /* If no log message, default it to the user message */
2030
2031 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2032 }
2033
2034acl_verify_message = NULL;
2035return rc;
2036}
2037
2038
2039
2040
2041
2042/*************************************************
2043* Get line from a literal ACL *
2044*************************************************/
2045
2046/* This function is passed to acl_read() in order to extract individual lines
2047of a literal ACL, which we access via static pointers. We can destroy the
2048contents because this is called only once (the compiled ACL is remembered).
2049
2050This code is intended to treat the data in the same way as lines in the main
2051Exim configuration file. That is:
2052
2053 . Leading spaces are ignored.
2054
2055 . A \ at the end of a line is a continuation - trailing spaces after the \
2056 are permitted (this is because I don't believe in making invisible things
2057 significant). Leading spaces on the continued part of a line are ignored.
2058
2059 . Physical lines starting (significantly) with # are totally ignored, and
2060 may appear within a sequence of backslash-continued lines.
2061
2062 . Blank lines are ignored, but will end a sequence of continuations.
2063
2064Arguments: none
2065Returns: a pointer to the next line
2066*/
2067
2068
2069static uschar *acl_text; /* Current pointer in the text */
2070static uschar *acl_text_end; /* Points one past the terminating '0' */
2071
2072
2073static uschar *
2074acl_getline(void)
2075{
2076uschar *yield;
2077
2078/* This loop handles leading blank lines and comments. */
2079
2080for(;;)
2081 {
2082 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2083 if (*acl_text == 0) return NULL; /* No more data */
2084 yield = acl_text; /* Potential data line */
2085
2086 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2087
2088 /* If we hit the end before a newline, we have the whole logical line. If
2089 it's a comment, there's no more data to be given. Otherwise, yield it. */
2090
2091 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2092
2093 /* After reaching a newline, end this loop if the physical line does not
2094 start with '#'. If it does, it's a comment, and the loop continues. */
2095
2096 if (*yield != '#') break;
2097 }
2098
2099/* This loop handles continuations. We know we have some real data, ending in
2100newline. See if there is a continuation marker at the end (ignoring trailing
2101white space). We know that *yield is not white space, so no need to test for
2102cont > yield in the backwards scanning loop. */
2103
2104for(;;)
2105 {
2106 uschar *cont;
2107 for (cont = acl_text - 1; isspace(*cont); cont--);
2108
2109 /* If no continuation follows, we are done. Mark the end of the line and
2110 return it. */
2111
2112 if (*cont != '\\')
2113 {
2114 *acl_text++ = 0;
2115 return yield;
2116 }
2117
2118 /* We have encountered a continuation. Skip over whitespace at the start of
2119 the next line, and indeed the whole of the next line or lines if they are
2120 comment lines. */
2121
2122 for (;;)
2123 {
2124 while (*(++acl_text) == ' ' || *acl_text == '\t');
2125 if (*acl_text != '#') break;
2126 while (*(++acl_text) != 0 && *acl_text != '\n');
2127 }
2128
2129 /* We have the start of a continuation line. Move all the rest of the data
2130 to join onto the previous line, and then find its end. If the end is not a
2131 newline, we are done. Otherwise loop to look for another continuation. */
2132
2133 memmove(cont, acl_text, acl_text_end - acl_text);
2134 acl_text_end -= acl_text - cont;
2135 acl_text = cont;
2136 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2137 if (*acl_text == 0) return yield;
2138 }
2139
2140/* Control does not reach here */
2141}
2142
2143
2144
2145
2146
2147/*************************************************
2148* Check access using an ACL *
2149*************************************************/
2150
2151/* This function is called from address_check. It may recurse via
2152acl_check_condition() - hence the use of a level to stop looping. The ACL is
2153passed as a string which is expanded. A forced failure implies no access check
2154is required. If the result is a single word, it is taken as the name of an ACL
2155which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2156text, complete with newlines, and parsed as such. In both cases, the ACL check
2157is then run. This function uses an auxiliary function for acl_read() to call
2158for reading individual lines of a literal ACL. This is acl_getline(), which
2159appears immediately above.
2160
2161Arguments:
2162 where where called from
2163 addr address item when called from RCPT; otherwise NULL
2164 s the input string; NULL is the same as an empty ACL => DENY
2165 level the nesting level
2166 user_msgptr where to put a user error (for SMTP response)
2167 log_msgptr where to put a logging message (not for SMTP response)
2168
2169Returns: OK access is granted
2170 DISCARD access is apparently granted...
2171 FAIL access is denied
2172 FAIL_DROP access is denied; drop the connection
2173 DEFER can't tell at the moment
2174 ERROR disaster
2175*/
2176
2177static int
2178acl_check_internal(int where, address_item *addr, uschar *s, int level,
2179 uschar **user_msgptr, uschar **log_msgptr)
2180{
2181int fd = -1;
2182acl_block *acl = NULL;
2183uschar *acl_name = US"inline ACL";
2184uschar *ss;
2185
2186/* Catch configuration loops */
2187
2188if (level > 20)
2189 {
2190 *log_msgptr = US"ACL nested too deep: possible loop";
2191 return ERROR;
2192 }
2193
2194if (s == NULL)
2195 {
2196 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2197 return FAIL;
2198 }
2199
2200/* At top level, we expand the incoming string. At lower levels, it has already
2201been expanded as part of condition processing. */
2202
2203if (level == 0)
2204 {
2205 ss = expand_string(s);
2206 if (ss == NULL)
2207 {
2208 if (expand_string_forcedfail) return OK;
2209 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2210 expand_string_message);
2211 return ERROR;
2212 }
2213 }
2214else ss = s;
2215
2216while (isspace(*ss))ss++;
2217
2218/* If we can't find a named ACL, the default is to parse it as an inline one.
2219(Unless it begins with a slash; non-existent files give rise to an error.) */
2220
2221acl_text = ss;
2222
2223/* Handle the case of a string that does not contain any spaces. Look for a
2224named ACL among those read from the configuration, or a previously read file.
2225It is possible that the pointer to the ACL is NULL if the configuration
2226contains a name with no data. If not found, and the text begins with '/',
2227read an ACL from a file, and save it so it can be re-used. */
2228
2229if (Ustrchr(ss, ' ') == NULL)
2230 {
2231 tree_node *t = tree_search(acl_anchor, ss);
2232 if (t != NULL)
2233 {
2234 acl = (acl_block *)(t->data.ptr);
2235 if (acl == NULL)
2236 {
2237 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2238 return FAIL;
2239 }
2240 acl_name = string_sprintf("ACL \"%s\"", ss);
2241 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2242 }
2243
2244 else if (*ss == '/')
2245 {
2246 struct stat statbuf;
2247 fd = Uopen(ss, O_RDONLY, 0);
2248 if (fd < 0)
2249 {
2250 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2251 strerror(errno));
2252 return ERROR;
2253 }
2254
2255 if (fstat(fd, &statbuf) != 0)
2256 {
2257 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2258 strerror(errno));
2259 return ERROR;
2260 }
2261
2262 acl_text = store_get(statbuf.st_size + 1);
2263 acl_text_end = acl_text + statbuf.st_size + 1;
2264
2265 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2266 {
2267 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2268 ss, strerror(errno));
2269 return ERROR;
2270 }
2271 acl_text[statbuf.st_size] = 0;
2272 close(fd);
2273
2274 acl_name = string_sprintf("ACL \"%s\"", ss);
2275 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2276 }
2277 }
2278
2279/* Parse an ACL that is still in text form. If it came from a file, remember it
2280in the ACL tree, having read it into the POOL_PERM store pool so that it
2281persists between multiple messages. */
2282
2283if (acl == NULL)
2284 {
2285 int old_pool = store_pool;
2286 if (fd >= 0) store_pool = POOL_PERM;
2287 acl = acl_read(acl_getline, log_msgptr);
2288 store_pool = old_pool;
2289 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2290 if (fd >= 0)
2291 {
2292 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2293 Ustrcpy(t->name, ss);
2294 t->data.ptr = acl;
2295 (void)tree_insertnode(&acl_anchor, t);
2296 }
2297 }
2298
2299/* Now we have an ACL to use. It's possible it may be NULL. */
2300
2301while (acl != NULL)
2302 {
2303 int cond;
2304 int basic_errno = 0;
2305 BOOL endpass_seen = FALSE;
2306
2307 *log_msgptr = *user_msgptr = NULL;
2308 acl_temp_details = FALSE;
2309
2310 if (where == ACL_WHERE_QUIT &&
2311 acl->verb != ACL_ACCEPT &&
2312 acl->verb != ACL_WARN)
2313 {
2314 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2315 verbs[acl->verb]);
2316 return ERROR;
2317 }
2318
2319 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2320
2321 /* Clear out any search error message from a previous check before testing
2322 this condition. */
2323
2324 search_error_message = NULL;
2325 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2326 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2327
2328 /* Handle special returns: DEFER causes a return except on a WARN verb;
2329 ERROR always causes a return. */
2330
2331 switch (cond)
2332 {
2333 case DEFER:
2334 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2335 if (basic_errno != ERRNO_CALLOUTDEFER)
2336 {
2337 if (search_error_message != NULL && *search_error_message != 0)
2338 *log_msgptr = search_error_message;
2339 if (smtp_return_error_details) acl_temp_details = TRUE;
2340 }
2341 else
2342 {
2343 acl_temp_details = TRUE;
2344 }
2345 if (acl->verb != ACL_WARN) return DEFER;
2346 break;
2347
2348 default: /* Paranoia */
2349 case ERROR:
2350 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2351 return ERROR;
2352
2353 case OK:
2354 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2355 verbs[acl->verb]);
2356 break;
2357
2358 case FAIL:
2359 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2360 break;
2361
2362 /* DISCARD and DROP can happen only from a nested ACL condition, and
2363 DISCARD can happen only for an "accept" or "discard" verb. */
2364
2365 case DISCARD:
2366 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2367 verbs[acl->verb]);
2368 break;
2369
2370 case FAIL_DROP:
2371 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2372 verbs[acl->verb]);
2373 break;
2374 }
2375
2376 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2377 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2378 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2379
2380 switch(acl->verb)
2381 {
2382 case ACL_ACCEPT:
2383 if (cond == OK || cond == DISCARD) return cond;
2384 if (endpass_seen)
2385 {
2386 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2387 return cond;
2388 }
2389 break;
2390
2391 case ACL_DEFER:
2392 if (cond == OK)
2393 {
2394 acl_temp_details = TRUE;
2395 return DEFER;
2396 }
2397 break;
2398
2399 case ACL_DENY:
2400 if (cond == OK) return FAIL;
2401 break;
2402
2403 case ACL_DISCARD:
2404 if (cond == OK || cond == DISCARD) return DISCARD;
2405 if (endpass_seen)
2406 {
2407 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2408 return cond;
2409 }
2410 break;
2411
2412 case ACL_DROP:
2413 if (cond == OK) return FAIL_DROP;
2414 break;
2415
2416 case ACL_REQUIRE:
2417 if (cond != OK) return cond;
2418 break;
2419
2420 case ACL_WARN:
2421 if (cond == OK)
2422 acl_warn(where, *user_msgptr, *log_msgptr);
2423 else if (cond == DEFER)
2424 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2425 "condition test deferred: %s",
2426 (*log_msgptr == NULL)? US"" : *log_msgptr));
2427 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2428 break;
2429
2430 default:
2431 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2432 acl->verb);
2433 break;
2434 }
2435
2436 /* Pass to the next ACL item */
2437
2438 acl = acl->next;
2439 }
2440
2441/* We have reached the end of the ACL. This is an implicit DENY. */
2442
2443HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2444return FAIL;
2445}
2446
2447
2448/*************************************************
2449* Check access using an ACL *
2450*************************************************/
2451
2452/* This is the external interface for ACL checks. It sets up an address and the
2453expansions for $domain and $local_part when called after RCPT, then calls
2454acl_check_internal() to do the actual work.
2455
2456Arguments:
2457 where ACL_WHERE_xxxx indicating where called from
2458 data_string RCPT address, or SMTP command argument, or NULL
2459 s the input string; NULL is the same as an empty ACL => DENY
2460 user_msgptr where to put a user error (for SMTP response)
2461 log_msgptr where to put a logging message (not for SMTP response)
2462
2463Returns: OK access is granted by an ACCEPT verb
2464 DISCARD access is granted by a DISCARD verb
2465 FAIL access is denied
2466 FAIL_DROP access is denied; drop the connection
2467 DEFER can't tell at the moment
2468 ERROR disaster
2469*/
2470
2471int
2472acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2473 uschar **log_msgptr)
2474{
2475int rc;
2476address_item adb;
2477address_item *addr;
2478
2479*user_msgptr = *log_msgptr = NULL;
2480sender_verified_failed = NULL;
2481
2482if (where == ACL_WHERE_RCPT)
2483 {
2484 adb = address_defaults;
2485 addr = &adb;
2486 addr->address = data_string;
2487 if (deliver_split_address(addr) == DEFER)
2488 {
2489 *log_msgptr = US"defer in percent_hack_domains check";
2490 return DEFER;
2491 }
2492 deliver_domain = addr->domain;
2493 deliver_localpart = addr->local_part;
2494 }
2495else
2496 {
2497 addr = NULL;
2498 smtp_command_argument = data_string;
2499 }
2500
2501rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2502
2503smtp_command_argument = deliver_domain =
2a3eea10 2504 deliver_localpart = deliver_address_data = sender_address_data = NULL;
059ec3d9
PH
2505
2506/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2507ACL, which is really in the middle of an SMTP command. */
2508
2509if (rc == DISCARD)
2510 {
2511 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2512 {
2513 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2514 "ACL", acl_wherenames[where]);
2515 return ERROR;
2516 }
2517 return DISCARD;
2518 }
2519
2520/* A DROP response is not permitted from MAILAUTH */
2521
2522if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2523 {
2524 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2525 "ACL", acl_wherenames[where]);
2526 return ERROR;
2527 }
2528
2529/* Before giving an error response, take a look at the length of any user
2530message, and split it up into multiple lines if possible. */
2531
2532if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2533 {
2534 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2535 uschar *ss = s;
2536
2537 for (;;)
2538 {
2539 int i = 0;
2540 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2541 if (*ss == 0) break;
2542 if (*ss == '\n')
2543 s = ++ss;
2544 else
2545 {
2546 uschar *t = ss + 1;
2547 uschar *tt = NULL;
2548 while (--t > s + 35)
2549 {
2550 if (*t == ' ')
2551 {
2552 if (t[-1] == ':') { tt = t; break; }
2553 if (tt == NULL) tt = t;
2554 }
2555 }
2556
2557 if (tt == NULL) /* Can't split behind - try ahead */
2558 {
2559 t = ss + 1;
2560 while (*t != 0)
2561 {
2562 if (*t == ' ' || *t == '\n')
2563 { tt = t; break; }
2564 t++;
2565 }
2566 }
2567
2568 if (tt == NULL) break; /* Can't find anywhere to split */
2569 *tt = '\n';
2570 s = ss = tt+1;
2571 }
2572 }
2573 }
2574
2575return rc;
2576}
2577
2578/* End of acl.c */