projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Improved ratelimit ACL condition.
[exim.git] / src / src / acl.c
CommitLineData
ed7f7860 1/* $Cambridge: exim/src/src/acl.c,v 1.88 2010/06/06 00:27:52 pdp Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
0a49a7a4 7/* Copyright (c) University of Cambridge 1995 - 2009 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
4e88a19f
PH		 30/* For each verb, the conditions for which "message" or "log_message" are used
31are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
32"accept", the FAIL case is used only after "endpass", but that is selected in
33the code. */
34
35static int msgcond[] = {
36 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
37 (1<<OK), /* defer */
38 (1<<OK), /* deny */
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
40 (1<<OK), /* drop */
41 (1<<FAIL) | (1<<FAIL_DROP), /* require */
42 (1<<OK) /* warn */
43 };
059ec3d9
PH		 44
45/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 46follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
47down. */
059ec3d9 48
71fafd95
PH		 49enum { ACLC_ACL,
50 ACLC_ADD_HEADER,
51 ACLC_AUTHENTICATED,
8523533c
TK		 52#ifdef EXPERIMENTAL_BRIGHTMAIL
53 ACLC_BMI_OPTIN,
54#endif
71fafd95 55 ACLC_CONDITION,
c3611384 56 ACLC_CONTINUE,
71fafd95 57 ACLC_CONTROL,
6a8f9482
TK		 58#ifdef EXPERIMENTAL_DCC
59 ACLC_DCC,
60#endif
8523533c
TK		 61#ifdef WITH_CONTENT_SCAN
62 ACLC_DECODE,
63#endif
64 ACLC_DELAY,
65#ifdef WITH_OLD_DEMIME
66 ACLC_DEMIME,
fb2274d4 67#endif
80a47a2c
TK		 68#ifndef DISABLE_DKIM
69 ACLC_DKIM_SIGNER,
70 ACLC_DKIM_STATUS,
8e669ac1 71#endif
71fafd95
PH		 72 ACLC_DNSLISTS,
73 ACLC_DOMAINS,
74 ACLC_ENCRYPTED,
75 ACLC_ENDPASS,
76 ACLC_HOSTS,
77 ACLC_LOCAL_PARTS,
78 ACLC_LOG_MESSAGE,
6ea85e9a 79 ACLC_LOG_REJECT_TARGET,
71fafd95 80 ACLC_LOGWRITE,
8523533c
TK		 81#ifdef WITH_CONTENT_SCAN
82 ACLC_MALWARE,
83#endif
84 ACLC_MESSAGE,
85#ifdef WITH_CONTENT_SCAN
86 ACLC_MIME_REGEX,
87#endif
870f6ba8 88 ACLC_RATELIMIT,
8523533c
TK		 89 ACLC_RECIPIENTS,
90#ifdef WITH_CONTENT_SCAN
91 ACLC_REGEX,
92#endif
71fafd95
PH		 93 ACLC_SENDER_DOMAINS,
94 ACLC_SENDERS,
95 ACLC_SET,
8523533c 96#ifdef WITH_CONTENT_SCAN
8e669ac1 97 ACLC_SPAM,
8523533c
TK		 98#endif
99#ifdef EXPERIMENTAL_SPF
100 ACLC_SPF,
65a7d8c3 101 ACLC_SPF_GUESS,
8523533c
TK		 102#endif
103 ACLC_VERIFY };
059ec3d9 104
c3611384
PH		 105/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
106"message", "log_message", "log_reject_target", "logwrite", and "set" are
107modifiers that look like conditions but always return TRUE. They are used for
108their side effects. */
059ec3d9 109
9a26b6b2
PH		 110static uschar *conditions[] = {
111 US"acl",
71fafd95 112 US"add_header",
9a26b6b2 113 US"authenticated",
8523533c
TK		 114#ifdef EXPERIMENTAL_BRIGHTMAIL
115 US"bmi_optin",
116#endif
117 US"condition",
c3611384 118 US"continue",
8e669ac1 119 US"control",
6a8f9482
TK		 120#ifdef EXPERIMENTAL_DCC
121 US"dcc",
122#endif
8523533c
TK		 123#ifdef WITH_CONTENT_SCAN
124 US"decode",
125#endif
126 US"delay",
127#ifdef WITH_OLD_DEMIME
128 US"demime",
fb2274d4 129#endif
80a47a2c
TK		 130#ifndef DISABLE_DKIM
131 US"dkim_signers",
132 US"dkim_status",
8523533c 133#endif
6ea85e9a
PH		 134 US"dnslists",
135 US"domains",
136 US"encrypted",
137 US"endpass",
138 US"hosts",
139 US"local_parts",
140 US"log_message",
141 US"log_reject_target",
142 US"logwrite",
8523533c
TK		 143#ifdef WITH_CONTENT_SCAN
144 US"malware",
145#endif
146 US"message",
147#ifdef WITH_CONTENT_SCAN
148 US"mime_regex",
149#endif
870f6ba8 150 US"ratelimit",
8523533c
TK		 151 US"recipients",
152#ifdef WITH_CONTENT_SCAN
153 US"regex",
154#endif
155 US"sender_domains", US"senders", US"set",
156#ifdef WITH_CONTENT_SCAN
157 US"spam",
158#endif
159#ifdef EXPERIMENTAL_SPF
160 US"spf",
65a7d8c3 161 US"spf_guess",
8523533c 162#endif
059ec3d9 163 US"verify" };
8e669ac1 164
c5fcb476 165
9a26b6b2
PH		 166/* Return values from decode_control(); keep in step with the table of names
167that follows! */
168
169enum {
c46782ef
PH		 170 CONTROL_AUTH_UNADVERTISED,
171 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 172 CONTROL_BMI_RUN,
c46782ef 173 #endif
ed7f7860 174 CONTROL_DEBUG,
80a47a2c 175 #ifndef DISABLE_DKIM
f7572e5a
TK		 176 CONTROL_DKIM_VERIFY,
177 #endif
c46782ef
PH		 178 CONTROL_ERROR,
179 CONTROL_CASEFUL_LOCAL_PART,
180 CONTROL_CASELOWER_LOCAL_PART,
181 CONTROL_ENFORCE_SYNC,
182 CONTROL_NO_ENFORCE_SYNC,
183 CONTROL_FREEZE,
184 CONTROL_QUEUE_ONLY,
185 CONTROL_SUBMISSION,
186 CONTROL_SUPPRESS_LOCAL_FIXUPS,
187 #ifdef WITH_CONTENT_SCAN
9a26b6b2 188 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 189 #endif
190 CONTROL_FAKEDEFER,
191 CONTROL_FAKEREJECT,
cf8b11a5 192 CONTROL_NO_MULTILINE,
047bdd8c 193 CONTROL_NO_PIPELINING,
4c590bd1
PH		 194 CONTROL_NO_DELAY_FLUSH,
195 CONTROL_NO_CALLOUT_FLUSH
c46782ef 196};
9a26b6b2 197
8800895a
PH		 198/* ACL control names; keep in step with the table above! This list is used for
199turning ids into names. The actual list of recognized names is in the variable
200control_def controls_list[] below. The fact that there are two lists is a mess
201and should be tidied up. */
9a26b6b2
PH		 202
203static uschar *controls[] = {
c46782ef 204 US"allow_auth_unadvertised",
9a26b6b2
PH		 205 #ifdef EXPERIMENTAL_BRIGHTMAIL
206 US"bmi_run",
207 #endif
ed7f7860 208 US"debug",
80a47a2c
TK		 209 #ifndef DISABLE_DKIM
210 US"dkim_disable_verify",
f7572e5a 211 #endif
c46782ef
PH		 212 US"error",
213 US"caseful_local_part",
214 US"caselower_local_part",
215 US"enforce_sync",
216 US"no_enforce_sync",
217 US"freeze",
218 US"queue_only",
219 US"submission",
220 US"suppress_local_fixups",
9a26b6b2
PH		 221 #ifdef WITH_CONTENT_SCAN
222 US"no_mbox_unspool",
223 #endif
cf8b11a5
PH		 224 US"fakedefer",
225 US"fakereject",
aa6dc513 226 US"no_multiline_responses",
cf8b11a5 227 US"no_pipelining",
4c590bd1
PH		 228 US"no_delay_flush",
229 US"no_callout_flush"
c46782ef 230};
059ec3d9 231
047bdd8c 232/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH		 233at the outer level. In the other cases, expansion already occurs in the
234checking functions. */
235
236static uschar cond_expand_at_top[] = {
237 TRUE, /* acl */
3e536984 238 TRUE, /* add_header */
059ec3d9 239 FALSE, /* authenticated */
8523533c
TK		 240#ifdef EXPERIMENTAL_BRIGHTMAIL
241 TRUE, /* bmi_optin */
8e669ac1 242#endif
059ec3d9 243 TRUE, /* condition */
c3611384 244 TRUE, /* continue */
059ec3d9 245 TRUE, /* control */
6a8f9482
TK		 246#ifdef EXPERIMENTAL_DCC
247 TRUE, /* dcc */
248#endif
8523533c
TK		 249#ifdef WITH_CONTENT_SCAN
250 TRUE, /* decode */
251#endif
059ec3d9 252 TRUE, /* delay */
8523533c
TK		 253#ifdef WITH_OLD_DEMIME
254 TRUE, /* demime */
fb2274d4 255#endif
80a47a2c
TK		 256#ifndef DISABLE_DKIM
257 TRUE, /* dkim_signers */
258 TRUE, /* dkim_status */
8523533c 259#endif
059ec3d9
PH		 260 TRUE, /* dnslists */
261 FALSE, /* domains */
262 FALSE, /* encrypted */
263 TRUE, /* endpass */
264 FALSE, /* hosts */
265 FALSE, /* local_parts */
266 TRUE, /* log_message */
6ea85e9a 267 TRUE, /* log_reject_target */
059ec3d9 268 TRUE, /* logwrite */
8523533c
TK		 269#ifdef WITH_CONTENT_SCAN
270 TRUE, /* malware */
271#endif
059ec3d9 272 TRUE, /* message */
8523533c
TK		 273#ifdef WITH_CONTENT_SCAN
274 TRUE, /* mime_regex */
275#endif
870f6ba8 276 TRUE, /* ratelimit */
059ec3d9 277 FALSE, /* recipients */
8523533c
TK		 278#ifdef WITH_CONTENT_SCAN
279 TRUE, /* regex */
280#endif
059ec3d9
PH		 281 FALSE, /* sender_domains */
282 FALSE, /* senders */
283 TRUE, /* set */
8523533c
TK		 284#ifdef WITH_CONTENT_SCAN
285 TRUE, /* spam */
286#endif
287#ifdef EXPERIMENTAL_SPF
288 TRUE, /* spf */
65a7d8c3 289 TRUE, /* spf_guess */
8523533c 290#endif
059ec3d9
PH		 291 TRUE /* verify */
292};
293
294/* Flags to identify the modifiers */
295
296static uschar cond_modifiers[] = {
297 FALSE, /* acl */
3e536984 298 TRUE, /* add_header */
059ec3d9 299 FALSE, /* authenticated */
8523533c
TK		 300#ifdef EXPERIMENTAL_BRIGHTMAIL
301 TRUE, /* bmi_optin */
8e669ac1 302#endif
059ec3d9 303 FALSE, /* condition */
c3611384 304 TRUE, /* continue */
059ec3d9 305 TRUE, /* control */
6a8f9482
TK		 306#ifdef EXPERIMENTAL_DCC
307 FALSE, /* dcc */
308#endif
8523533c
TK		 309#ifdef WITH_CONTENT_SCAN
310 FALSE, /* decode */
311#endif
059ec3d9 312 TRUE, /* delay */
8523533c
TK		 313#ifdef WITH_OLD_DEMIME
314 FALSE, /* demime */
fb2274d4 315#endif
80a47a2c
TK		 316#ifndef DISABLE_DKIM
317 FALSE, /* dkim_signers */
318 FALSE, /* dkim_status */
8523533c 319#endif
059ec3d9
PH		 320 FALSE, /* dnslists */
321 FALSE, /* domains */
322 FALSE, /* encrypted */
323 TRUE, /* endpass */
324 FALSE, /* hosts */
325 FALSE, /* local_parts */
326 TRUE, /* log_message */
6ea85e9a 327 TRUE, /* log_reject_target */
8523533c
TK		 328 TRUE, /* logwrite */
329#ifdef WITH_CONTENT_SCAN
330 FALSE, /* malware */
331#endif
059ec3d9 332 TRUE, /* message */
8523533c
TK		 333#ifdef WITH_CONTENT_SCAN
334 FALSE, /* mime_regex */
335#endif
870f6ba8 336 FALSE, /* ratelimit */
059ec3d9 337 FALSE, /* recipients */
8523533c
TK		 338#ifdef WITH_CONTENT_SCAN
339 FALSE, /* regex */
340#endif
059ec3d9
PH		 341 FALSE, /* sender_domains */
342 FALSE, /* senders */
343 TRUE, /* set */
8523533c
TK		 344#ifdef WITH_CONTENT_SCAN
345 FALSE, /* spam */
346#endif
347#ifdef EXPERIMENTAL_SPF
348 FALSE, /* spf */
65a7d8c3 349 FALSE, /* spf_guess */
8523533c 350#endif
059ec3d9
PH		 351 FALSE /* verify */
352};
353
c3611384 354/* Bit map vector of which conditions and modifiers are not allowed at certain
8f128379
PH		 355times. For each condition and modifier, there's a bitmap of dis-allowed times.
356For some, it is easier to specify the negation of a small number of allowed
357times. */
059ec3d9
PH		 358
359static unsigned int cond_forbids[] = {
360 0, /* acl */
8e669ac1 361
71fafd95 362 (unsigned int)
45b91596 363 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 364 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596 365 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
67caae1f 366 (1<<ACL_WHERE_DKIM)|
45b91596 367 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 368
45b91596
PH		 369 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
370 (1<<ACL_WHERE_NOTSMTP_START)|
371 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 372
71fafd95 373 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 374 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 378 (1<<ACL_WHERE_MAILAUTH)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
381 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 382 #endif
8e669ac1 383
059ec3d9 384 0, /* condition */
8e669ac1 385
c3611384
PH		 386 0, /* continue */
387
059ec3d9 388 /* Certain types of control are always allowed, so we let it through
2f079f46 389 always and check in the control processing itself. */
8e669ac1 390
059ec3d9 391 0, /* control */
8e669ac1 392
6a8f9482
TK		 393 #ifdef EXPERIMENTAL_DCC
394 (unsigned int)
395 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* dcc */
396 #endif
397
71fafd95 398 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 399 (unsigned int)
400 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 401 #endif
8523533c 402
8f128379 403 (1<<ACL_WHERE_NOTQUIT), /* delay */
8e669ac1 404
71fafd95 405 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 406 (unsigned int)
407 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 408 #endif
8e669ac1 409
80a47a2c
TK		 410 #ifndef DISABLE_DKIM
411 (unsigned int)
412 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
84330b7b 413
80a47a2c
TK		 414 (unsigned int)
415 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
71fafd95 416 #endif
fb2274d4 417
45b91596
PH		 418 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
419 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 420
2f079f46
PH		 421 (unsigned int)
422 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 423
45b91596
PH		 424 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
425 (1<<ACL_WHERE_CONNECT)|
426 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 427 (1<<ACL_WHERE_HELO),
8e669ac1 428
059ec3d9 429 0, /* endpass */
8e669ac1 430
45b91596
PH		 431 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
432 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 433
2f079f46
PH		 434 (unsigned int)
435 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 436
437 0, /* log_message */
8e669ac1 438
6ea85e9a
PH		 439 0, /* log_reject_target */
440
059ec3d9 441 0, /* logwrite */
8e669ac1 442
71fafd95 443 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 444 (unsigned int)
445 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 446 #endif
8523533c 447
059ec3d9
PH		 448 0, /* message */
449
71fafd95 450 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 451 (unsigned int)
452 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 453 #endif
8523533c 454
870f6ba8
TF		 455 0, /* ratelimit */
456
2f079f46
PH		 457 (unsigned int)
458 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 459
71fafd95 460 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 461 (unsigned int)
462 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
463 (1<<ACL_WHERE_MIME)),
71fafd95 464 #endif
8523533c 465
059ec3d9
PH		 466 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
467 (1<<ACL_WHERE_HELO)|
468 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
469 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
470 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
471
472 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
473 (1<<ACL_WHERE_HELO)|
474 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
475 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
476 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
477
478 0, /* set */
479
71fafd95 480 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 481 (unsigned int)
482 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 483 #endif
8523533c 484
71fafd95 485 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 486 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
487 (1<<ACL_WHERE_HELO)|
488 (1<<ACL_WHERE_MAILAUTH)|
489 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 490 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
491 (1<<ACL_WHERE_NOTSMTP)|
492 (1<<ACL_WHERE_NOTSMTP_START),
65a7d8c3
NM		 493
494 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
495 (1<<ACL_WHERE_HELO)|
496 (1<<ACL_WHERE_MAILAUTH)|
497 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
498 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
499 (1<<ACL_WHERE_NOTSMTP)|
500 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 501 #endif
8523533c 502
059ec3d9
PH		 503 /* Certain types of verify are always allowed, so we let it through
504 always and check in the verify function itself */
505
506 0 /* verify */
059ec3d9
PH		 507};
508
509
c5fcb476
PH		 510/* Bit map vector of which controls are not allowed at certain times. For
511each control, there's a bitmap of dis-allowed times. For some, it is easier to
512specify the negation of a small number of allowed times. */
513
514static unsigned int control_forbids[] = {
c46782ef
PH		 515 (unsigned int)
516 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
517
518 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 519 0, /* bmi_run */
c46782ef
PH		 520 #endif
521
ed7f7860
PP		 522 0, /* debug */
523
80a47a2c
TK		 524 #ifndef DISABLE_DKIM
525 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
f7572e5a
TK		 526 (1<<ACL_WHERE_NOTSMTP_START),
527 #endif
528
c5fcb476 529 0, /* error */
8e669ac1
PH		 530
531 (unsigned int)
c5fcb476 532 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 533
534 (unsigned int)
c5fcb476 535 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 536
45b91596
PH		 537 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
538 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 539
45b91596
PH		 540 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
541 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 542
543 (unsigned int)
c5fcb476
PH		 544 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
545 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 546 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 547
548 (unsigned int)
c5fcb476
PH		 549 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
550 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 551 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 552
553 (unsigned int)
c5fcb476 554 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 555 (1<<ACL_WHERE_PREDATA)),
8523533c 556
8800895a
PH		 557 (unsigned int)
558 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 559 (1<<ACL_WHERE_PREDATA)|
560 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 561
c46782ef 562 #ifdef WITH_CONTENT_SCAN
8e669ac1 563 (unsigned int)
14d57970 564 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 565 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
566 (1<<ACL_WHERE_MIME)),
c46782ef 567 #endif
a6c4ab60 568
29aba418
TF		 569 (unsigned int)
570 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
571 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
572 (1<<ACL_WHERE_MIME)),
573
8e669ac1 574 (unsigned int)
a6c4ab60 575 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 576 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
577 (1<<ACL_WHERE_MIME)),
8523533c 578
45b91596 579 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH		 580 (1<<ACL_WHERE_NOTSMTP_START),
581
582 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH		 583 (1<<ACL_WHERE_NOTSMTP_START),
584
585 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH		 586 (1<<ACL_WHERE_NOTSMTP_START),
587
588 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 589 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 590};
591
592/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 593
594typedef struct control_def {
595 uschar *name;
596 int value; /* CONTROL_xxx value */
059ec3d9
PH		 597 BOOL has_option; /* Has /option(s) following */
598} control_def;
599
600static control_def controls_list[] = {
c46782ef 601 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 602#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 603 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4 604#endif
ed7f7860 605 { US"debug", CONTROL_DEBUG, TRUE },
80a47a2c
TK		 606#ifndef DISABLE_DKIM
607 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
8523533c 608#endif
c46782ef
PH		 609 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
610 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
611 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
612 { US"freeze", CONTROL_FREEZE, TRUE },
4c590bd1 613 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
047bdd8c 614 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
c46782ef
PH		 615 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
616 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 617 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 618 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 619#ifdef WITH_CONTENT_SCAN
c46782ef 620 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 621#endif
c46782ef
PH		 622 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
623 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
624 { US"submission", CONTROL_SUBMISSION, TRUE },
625 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH		 626 };
627
e5a9dba6
PH		 628/* Support data structures for Client SMTP Authorization. acl_verify_csa()
629caches its result in a tree to avoid repeated DNS queries. The result is an
630integer code which is used as an index into the following tables of
631explanatory strings and verification return codes. */
632
633static tree_node *csa_cache = NULL;
634
635enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
636 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
637
638/* The acl_verify_csa() return code is translated into an acl_verify() return
639code using the following table. It is OK unless the client is definitely not
640authorized. This is because CSA is supposed to be optional for sending sites,
641so recipients should not be too strict about checking it - especially because
642DNS problems are quite likely to occur. It's possible to use $csa_status in
643further ACL conditions to distinguish ok, unknown, and defer if required, but
644the aim is to make the usual configuration simple. */
645
646static int csa_return_code[] = {
647 OK, OK, OK, OK,
648 FAIL, FAIL, FAIL, FAIL
649};
650
651static uschar *csa_status_string[] = {
652 US"unknown", US"ok", US"defer", US"defer",
653 US"fail", US"fail", US"fail", US"fail"
654};
655
656static uschar *csa_reason_string[] = {
657 US"unknown",
658 US"ok",
659 US"deferred (SRV lookup failed)",
660 US"deferred (target address lookup failed)",
661 US"failed (explicit authorization required)",
662 US"failed (host name not authorized)",
663 US"failed (no authorized addresses)",
664 US"failed (client address mismatch)"
665};
666
c99ce5c9
TF		 667/* Options for the ratelimit condition. Note that there are two variants of
668the per_rcpt option, depending on the ACL that is used to measure the rate.
669However any ACL must be able to look up per_rcpt rates in /noupdate mode,
670so the two variants must have the same internal representation as well as
671the same configuration string. */
672
673enum {
674 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
675 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
676};
677
678#define RATE_SET(var,new) \
679 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
680
681static uschar *ratelimit_option_string[] = {
682 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
683 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
684};
685
059ec3d9
PH		 686/* Enable recursion between acl_check_internal() and acl_check_condition() */
687
688static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
689 uschar **);
690
691
692/*************************************************
693* Pick out name from list *
694*************************************************/
695
696/* Use a binary chop method
697
698Arguments:
699 name name to find
700 list list of names
701 end size of list
702
703Returns: offset in list, or -1 if not found
704*/
705
706static int
707acl_checkname(uschar *name, uschar **list, int end)
708{
709int start = 0;
710
711while (start < end)
712 {
713 int mid = (start + end)/2;
714 int c = Ustrcmp(name, list[mid]);
715 if (c == 0) return mid;
716 if (c < 0) end = mid; else start = mid + 1;
717 }
718
719return -1;
720}
721
722
723/*************************************************
724* Read and parse one ACL *
725*************************************************/
726
727/* This function is called both from readconf in order to parse the ACLs in the
728configuration file, and also when an ACL is encountered dynamically (e.g. as
729the result of an expansion). It is given a function to call in order to
730retrieve the lines of the ACL. This function handles skipping comments and
731blank lines (where relevant).
732
733Arguments:
734 func function to get next line of ACL
735 error where to put an error message
736
737Returns: pointer to ACL, or NULL
738 NULL can be legal (empty ACL); in this case error will be NULL
739*/
740
741acl_block *
742acl_read(uschar *(*func)(void), uschar **error)
743{
744acl_block *yield = NULL;
745acl_block **lastp = &yield;
746acl_block *this = NULL;
747acl_condition_block *cond;
748acl_condition_block **condp = NULL;
749uschar *s;
750
751*error = NULL;
752
753while ((s = (*func)()) != NULL)
754 {
755 int v, c;
756 BOOL negated = FALSE;
757 uschar *saveline = s;
758 uschar name[64];
759
760 /* Conditions (but not verbs) are allowed to be negated by an initial
761 exclamation mark. */
762
763 while (isspace(*s)) s++;
764 if (*s == '!')
765 {
766 negated = TRUE;
767 s++;
768 }
769
cf00dad6
PH		 770 /* Read the name of a verb or a condition, or the start of a new ACL, which
771 can be started by a name, or by a macro definition. */
059ec3d9
PH		 772
773 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 774 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 775
776 /* If a verb is unrecognized, it may be another condition or modifier that
777 continues the previous verb. */
778
779 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
780 if (v < 0)
781 {
782 if (this == NULL)
783 {
4e167a8c
PH		 784 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
785 saveline);
059ec3d9
PH		 786 return NULL;
787 }
788 }
789
790 /* New verb */
791
792 else
793 {
794 if (negated)
795 {
796 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
797 return NULL;
798 }
799 this = store_get(sizeof(acl_block));
800 *lastp = this;
801 lastp = &(this->next);
802 this->next = NULL;
803 this->verb = v;
804 this->condition = NULL;
805 condp = &(this->condition);
806 if (*s == 0) continue; /* No condition on this line */
807 if (*s == '!')
808 {
809 negated = TRUE;
810 s++;
811 }
812 s = readconf_readname(name, sizeof(name), s); /* Condition name */
813 }
814
815 /* Handle a condition or modifier. */
816
817 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
818 if (c < 0)
819 {
820 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
821 saveline);
822 return NULL;
823 }
824
825 /* The modifiers may not be negated */
826
827 if (negated && cond_modifiers[c])
828 {
829 *error = string_sprintf("ACL error: negation is not allowed with "
830 "\"%s\"", conditions[c]);
831 return NULL;
832 }
833
834 /* ENDPASS may occur only with ACCEPT or DISCARD. */
835
836 if (c == ACLC_ENDPASS &&
837 this->verb != ACL_ACCEPT &&
838 this->verb != ACL_DISCARD)
839 {
840 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
841 conditions[c], verbs[this->verb]);
842 return NULL;
843 }
844
845 cond = store_get(sizeof(acl_condition_block));
846 cond->next = NULL;
847 cond->type = c;
848 cond->u.negated = negated;
849
850 *condp = cond;
851 condp = &(cond->next);
852
853 /* The "set" modifier is different in that its argument is "name=value"
854 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 855 gives us a variable name to insert into the data block. The original ACL
856 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
857 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 858 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
859 After that, we allow alphanumerics and underscores, but the first character
860 after c or m must be a digit or an underscore. This retains backwards
861 compatibility. */
059ec3d9
PH		 862
863 if (c == ACLC_SET)
864 {
47ca6d6c
PH		 865 uschar *endptr;
866
38a0a95f
PH		 867 if (Ustrncmp(s, "acl_c", 5) != 0 &&
868 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 869 {
38a0a95f
PH		 870 *error = string_sprintf("invalid variable name after \"set\" in ACL "
871 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
872 return NULL;
47ca6d6c 873 }
38a0a95f
PH		 874
875 endptr = s + 5;
641cb756
PH		 876 if (!isdigit(*endptr) && *endptr != '_')
877 {
878 *error = string_sprintf("invalid variable name after \"set\" in ACL "
879 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
880 s);
881 return NULL;
882 }
883
38a0a95f 884 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 885 {
38a0a95f
PH		 886 if (!isalnum(*endptr) && *endptr != '_')
887 {
888 *error = string_sprintf("invalid character \"%c\" in variable name "
889 "in ACL modifier \"set %s\"", *endptr, s);
890 return NULL;
891 }
892 endptr++;
47ca6d6c 893 }
47ca6d6c 894
38a0a95f 895 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 896 s = endptr;
059ec3d9
PH		 897 while (isspace(*s)) s++;
898 }
899
900 /* For "set", we are now positioned for the data. For the others, only
901 "endpass" has no data */
902
903 if (c != ACLC_ENDPASS)
904 {
905 if (*s++ != '=')
906 {
907 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
908 cond_modifiers[c]? US"modifier" : US"condition");
909 return NULL;
910 }
911 while (isspace(*s)) s++;
912 cond->arg = string_copy(s);
913 }
914 }
915
916return yield;
917}
918
919
920
71fafd95
PH		 921/*************************************************
922* Set up added header line(s) *
923*************************************************/
924
925/* This function is called by the add_header modifier, and also from acl_warn()
926to implement the now-deprecated way of adding header lines using "message" on a
927"warn" verb. The argument is treated as a sequence of header lines which are
928added to a chain, provided there isn't an identical one already there.
929
930Argument: string of header lines
931Returns: nothing
932*/
933
934static void
935setup_header(uschar *hstring)
936{
937uschar *p, *q;
938int hlen = Ustrlen(hstring);
939
940/* An empty string does nothing; otherwise add a final newline if necessary. */
941
942if (hlen <= 0) return;
943if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
944
945/* Loop for multiple header lines, taking care about continuations */
946
947for (p = q = hstring; *p != 0; )
948 {
949 uschar *s;
950 int newtype = htype_add_bot;
951 header_line **hptr = &acl_added_headers;
952
953 /* Find next header line within the string */
954
955 for (;;)
956 {
957 q = Ustrchr(q, '\n');
958 if (*(++q) != ' ' && *q != '\t') break;
959 }
960
961 /* If the line starts with a colon, interpret the instruction for where to
962 add it. This temporarily sets up a new type. */
963
964 if (*p == ':')
965 {
966 if (strncmpic(p, US":after_received:", 16) == 0)
967 {
968 newtype = htype_add_rec;
969 p += 16;
970 }
971 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
972 {
973 newtype = htype_add_rfc;
974 p += 14;
975 }
976 else if (strncmpic(p, US":at_start:", 10) == 0)
977 {
978 newtype = htype_add_top;
979 p += 10;
980 }
981 else if (strncmpic(p, US":at_end:", 8) == 0)
982 {
983 newtype = htype_add_bot;
984 p += 8;
985 }
986 while (*p == ' ' || *p == '\t') p++;
987 }
988
989 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
990 to the front of it. */
991
992 for (s = p; s < q - 1; s++)
993 {
994 if (*s == ':' || !isgraph(*s)) break;
995 }
996
997 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
998 hlen = Ustrlen(s);
999
1000 /* See if this line has already been added */
1001
1002 while (*hptr != NULL)
1003 {
1004 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1005 hptr = &((*hptr)->next);
1006 }
1007
1008 /* Add if not previously present */
1009
1010 if (*hptr == NULL)
1011 {
1012 header_line *h = store_get(sizeof(header_line));
1013 h->text = s;
1014 h->next = NULL;
1015 h->type = newtype;
1016 h->slen = hlen;
1017 *hptr = h;
1018 hptr = &(h->next);
1019 }
1020
1021 /* Advance for next header line within the string */
1022
1023 p = q;
1024 }
1025}
1026
1027
1028
1029
059ec3d9
PH		 1030/*************************************************
1031* Handle warnings *
1032*************************************************/
1033
1034/* This function is called when a WARN verb's conditions are true. It adds to
1035the message's headers, and/or writes information to the log. In each case, this
1036only happens once (per message for headers, per connection for log).
1037
71fafd95
PH		 1038** NOTE: The header adding action using the "message" setting is historic, and
1039its use is now deprecated. The new add_header modifier should be used instead.
1040
059ec3d9
PH		 1041Arguments:
1042 where ACL_WHERE_xxxx indicating which ACL this is
1043 user_message message for adding to headers
1044 log_message message for logging, if different
1045
1046Returns: nothing
1047*/
1048
1049static void
1050acl_warn(int where, uschar *user_message, uschar *log_message)
1051{
059ec3d9
PH		 1052if (log_message != NULL && log_message != user_message)
1053 {
1054 uschar *text;
1055 string_item *logged;
1056
1057 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1058 string_printing(log_message));
1059
1060 /* If a sender verification has failed, and the log message is "sender verify
1061 failed", add the failure message. */
1062
1063 if (sender_verified_failed != NULL &&
1064 sender_verified_failed->message != NULL &&
1065 strcmpic(log_message, US"sender verify failed") == 0)
1066 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1067
9c7a242c
PH		 1068 /* Search previously logged warnings. They are kept in malloc
1069 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1070
1071 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1072 if (Ustrcmp(logged->text, text) == 0) break;
1073
1074 if (logged == NULL)
1075 {
1076 int length = Ustrlen(text) + 1;
1077 log_write(0, LOG_MAIN, "%s", text);
1078 logged = store_malloc(sizeof(string_item) + length);
1079 logged->text = (uschar *)logged + sizeof(string_item);
1080 memcpy(logged->text, text, length);
1081 logged->next = acl_warn_logged;
1082 acl_warn_logged = logged;
1083 }
1084 }
1085
1086/* If there's no user message, we are done. */
1087
1088if (user_message == NULL) return;
1089
1090/* If this isn't a message ACL, we can't do anything with a user message.
1091Log an error. */
1092
1093if (where > ACL_WHERE_NOTSMTP)
1094 {
1095 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1096 "found in a non-message (%s) ACL: cannot specify header lines here: "
1097 "message ignored", acl_wherenames[where]);
1098 return;
1099 }
1100
71fafd95
PH		 1101/* The code for setting up header lines is now abstracted into a separate
1102function so that it can be used for the add_header modifier as well. */
059ec3d9 1103
71fafd95 1104setup_header(user_message);
059ec3d9
PH		 1105}
1106
1107
1108
1109/*************************************************
1110* Verify and check reverse DNS *
1111*************************************************/
1112
1113/* Called from acl_verify() below. We look up the host name(s) of the client IP
1114address if this has not yet been done. The host_name_lookup() function checks
1115that one of these names resolves to an address list that contains the client IP
1116address, so we don't actually have to do the check here.
1117
1118Arguments:
1119 user_msgptr pointer for user message
1120 log_msgptr pointer for log message
1121
1122Returns: OK verification condition succeeded
1123 FAIL verification failed
1124 DEFER there was a problem verifying
1125*/
1126
1127static int
1128acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1129{
1130int rc;
1131
1132user_msgptr = user_msgptr; /* stop compiler warning */
1133
1134/* Previous success */
1135
1136if (sender_host_name != NULL) return OK;
1137
1138/* Previous failure */
1139
1140if (host_lookup_failed)
1141 {
1142 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1143 return FAIL;
1144 }
1145
1146/* Need to do a lookup */
1147
1148HDEBUG(D_acl)
1149 debug_printf("looking up host name to force name/address consistency check\n");
1150
1151if ((rc = host_name_lookup()) != OK)
1152 {
1153 *log_msgptr = (rc == DEFER)?
1154 US"host lookup deferred for reverse lookup check"
1155 :
1156 string_sprintf("host lookup failed for reverse lookup check%s",
1157 host_lookup_msg);
1158 return rc; /* DEFER or FAIL */
1159 }
1160
1161host_build_sender_fullhost();
1162return OK;
1163}
1164
1165
1166
e5a9dba6
PH		 1167/*************************************************
1168* Check client IP address matches CSA target *
1169*************************************************/
1170
1171/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1172response for address records belonging to the CSA target hostname. The section
1173is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1174If one of the addresses matches the client's IP address, then the client is
1175authorized by CSA. If there are target IP addresses but none of them match
1176then the client is using an unauthorized IP address. If there are no target IP
1177addresses then the client cannot be using an authorized IP address. (This is
1178an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1179
1180Arguments:
1181 dnsa the DNS answer block
1182 dnss a DNS scan block for us to use
1183 reset option specifing what portion to scan, as described above
1184 target the target hostname to use for matching RR names
1185
1186Returns: CSA_OK successfully authorized
1187 CSA_FAIL_MISMATCH addresses found but none matched
1188 CSA_FAIL_NOADDR no target addresses found
1189*/
1190
1191static int
1192acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1193 uschar *target)
1194{
1195dns_record *rr;
1196dns_address *da;
1197
1198BOOL target_found = FALSE;
1199
1200for (rr = dns_next_rr(dnsa, dnss, reset);
1201 rr != NULL;
1202 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1203 {
1204 /* Check this is an address RR for the target hostname. */
1205
1206 if (rr->type != T_A
1207 #if HAVE_IPV6
1208 && rr->type != T_AAAA
1209 #ifdef SUPPORT_A6
1210 && rr->type != T_A6
1211 #endif
1212 #endif
1213 ) continue;
1214
1215 if (strcmpic(target, rr->name) != 0) continue;
1216
1217 target_found = TRUE;
1218
1219 /* Turn the target address RR into a list of textual IP addresses and scan
1220 the list. There may be more than one if it is an A6 RR. */
1221
1222 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1223 {
1224 /* If the client IP address matches the target IP address, it's good! */
1225
1226 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1227
1228 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1229 }
1230 }
1231
1232/* If we found some target addresses but none of them matched, the client is
1233using an unauthorized IP address, otherwise the target has no authorized IP
1234addresses. */
1235
1236if (target_found) return CSA_FAIL_MISMATCH;
1237else return CSA_FAIL_NOADDR;
1238}
1239
1240
1241
1242/*************************************************
1243* Verify Client SMTP Authorization *
1244*************************************************/
1245
1246/* Called from acl_verify() below. This routine calls dns_lookup_special()
1247to find the CSA SRV record corresponding to the domain argument, or
1248$sender_helo_name if no argument is provided. It then checks that the
1249client is authorized, and that its IP address corresponds to the SRV
1250target's address by calling acl_verify_csa_address() above. The address
1251should have been returned in the DNS response's ADDITIONAL section, but if
1252not we perform another DNS lookup to get it.
1253
1254Arguments:
1255 domain pointer to optional parameter following verify = csa
1256
1257Returns: CSA_UNKNOWN no valid CSA record found
1258 CSA_OK successfully authorized
1259 CSA_FAIL_* client is definitely not authorized
1260 CSA_DEFER_* there was a DNS problem
1261*/
1262
1263static int
1264acl_verify_csa(uschar *domain)
1265{
1266tree_node *t;
1267uschar *found, *p;
1268int priority, weight, port;
1269dns_answer dnsa;
1270dns_scan dnss;
1271dns_record *rr;
1272int rc, type;
1273uschar target[256];
1274
1275/* Work out the domain we are using for the CSA lookup. The default is the
1276client's HELO domain. If the client has not said HELO, use its IP address
1277instead. If it's a local client (exim -bs), CSA isn't applicable. */
1278
1279while (isspace(*domain) && *domain != '\0') ++domain;
1280if (*domain == '\0') domain = sender_helo_name;
1281if (domain == NULL) domain = sender_host_address;
1282if (sender_host_address == NULL) return CSA_UNKNOWN;
1283
1284/* If we have an address literal, strip off the framing ready for turning it
1285into a domain. The framing consists of matched square brackets possibly
1286containing a keyword and a colon before the actual IP address. */
1287
1288if (domain[0] == '[')
1289 {
1290 uschar *start = Ustrchr(domain, ':');
1291 if (start == NULL) start = domain;
1292 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1293 }
1294
1295/* Turn domains that look like bare IP addresses into domains in the reverse
1296DNS. This code also deals with address literals and $sender_host_address. It's
1297not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1298address literals, but it's probably the most friendly thing to do. This is an
1299extension to CSA, so we allow it to be turned off for proper conformance. */
1300
7e66e54d 1301if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1302 {
1303 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1304 dns_build_reverse(domain, target);
1305 domain = target;
1306 }
1307
1308/* Find out if we've already done the CSA check for this domain. If we have,
1309return the same result again. Otherwise build a new cached result structure
1310for this domain. The name is filled in now, and the value is filled in when
1311we return from this function. */
1312
1313t = tree_search(csa_cache, domain);
1314if (t != NULL) return t->data.val;
1315
1316t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1317Ustrcpy(t->name, domain);
1318(void)tree_insertnode(&csa_cache, t);
1319
1320/* Now we are ready to do the actual DNS lookup(s). */
1321
28e6ef29 1322found = domain;
e5a9dba6
PH		 1323switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1324 {
1325 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1326
1327 default:
1328 return t->data.val = CSA_DEFER_SRV;
1329
1330 /* If we found nothing, the client's authorization is unknown. */
1331
1332 case DNS_NOMATCH:
1333 case DNS_NODATA:
1334 return t->data.val = CSA_UNKNOWN;
1335
1336 /* We got something! Go on to look at the reply in more detail. */
1337
1338 case DNS_SUCCEED:
1339 break;
1340 }
1341
1342/* Scan the reply for well-formed CSA SRV records. */
1343
1344for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1345 rr != NULL;
1346 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1347 {
1348 if (rr->type != T_SRV) continue;
1349
1350 /* Extract the numerical SRV fields (p is incremented) */
1351
1352 p = rr->data;
1353 GETSHORT(priority, p);
1354 GETSHORT(weight, p);
1355 GETSHORT(port, p);
1356
1357 DEBUG(D_acl)
1358 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1359
1360 /* Check the CSA version number */
1361
1362 if (priority != 1) continue;
1363
1364 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1365 found by dns_special_lookup() is a parent of the one we asked for), we check
1366 the subdomain assertions in the port field. At the moment there's only one
1367 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1368 SRV records of their own. */
1369
1370 if (found != domain)
1371 {
1372 if (port & 1)
1373 return t->data.val = CSA_FAIL_EXPLICIT;
1374 else
1375 return t->data.val = CSA_UNKNOWN;
1376 }
1377
1378 /* This CSA SRV record refers directly to our domain, so we check the value
1379 in the weight field to work out the domain's authorization. 0 and 1 are
1380 unauthorized; 3 means the client is authorized but we can't check the IP
1381 address in order to authenticate it, so we treat it as unknown; values
1382 greater than 3 are undefined. */
1383
1384 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1385
1386 if (weight > 2) continue;
1387
1388 /* Weight == 2, which means the domain is authorized. We must check that the
1389 client's IP address is listed as one of the SRV target addresses. Save the
1390 target hostname then break to scan the additional data for its addresses. */
1391
1392 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1393 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1394
1395 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1396
1397 break;
1398 }
1399
1400/* If we didn't break the loop then no appropriate records were found. */
1401
1402if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1403
1404/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1405A target of "." indicates there are no valid addresses, so the client cannot
1406be authorized. (This is an odd configuration because weight=2 target=. is
1407equivalent to weight=1, but we check for it in order to keep load off the
1408root name servers.) Note that dn_expand() turns "." into "". */
1409
1410if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1411
1412/* Scan the additional section of the CSA SRV reply for addresses belonging
1413to the target. If the name server didn't return any additional data (e.g.
1414because it does not fully support SRV records), we need to do another lookup
1415to obtain the target addresses; otherwise we have a definitive result. */
1416
1417rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1418if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1419
1420/* The DNS lookup type corresponds to the IP version used by the client. */
1421
1422#if HAVE_IPV6
1423if (Ustrchr(sender_host_address, ':') != NULL)
1424 type = T_AAAA;
1425else
1426#endif /* HAVE_IPV6 */
1427 type = T_A;
1428
1429
1430#if HAVE_IPV6 && defined(SUPPORT_A6)
1431DNS_LOOKUP_AGAIN:
1432#endif
1433
1434switch (dns_lookup(&dnsa, target, type, NULL))
1435 {
1436 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1437
1438 default:
1439 return t->data.val = CSA_DEFER_ADDR;
1440
1441 /* If the query succeeded, scan the addresses and return the result. */
1442
1443 case DNS_SUCCEED:
1444 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1445 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1446 /* else fall through */
1447
1448 /* If the target has no IP addresses, the client cannot have an authorized
1449 IP address. However, if the target site uses A6 records (not AAAA records)
1450 we have to do yet another lookup in order to check them. */
1451
1452 case DNS_NOMATCH:
1453 case DNS_NODATA:
1454
1455 #if HAVE_IPV6 && defined(SUPPORT_A6)
1456 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1457 #endif
1458
1459 return t->data.val = CSA_FAIL_NOADDR;
1460 }
1461}
1462
1463
1464
059ec3d9
PH		 1465/*************************************************
1466* Handle verification (address & other) *
1467*************************************************/
1468
1469/* This function implements the "verify" condition. It is called when
1470encountered in any ACL, because some tests are almost always permitted. Some
1471just don't make sense, and always fail (for example, an attempt to test a host
1472lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1473
1474Arguments:
1475 where where called from
1476 addr the recipient address that the ACL is handling, or NULL
1477 arg the argument of "verify"
1478 user_msgptr pointer for user message
1479 log_msgptr pointer for log message
1480 basic_errno where to put verify errno
1481
1482Returns: OK verification condition succeeded
1483 FAIL verification failed
1484 DEFER there was a problem verifying
1485 ERROR syntax error
1486*/
1487
1488static int
1489acl_verify(int where, address_item *addr, uschar *arg,
1490 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1491{
1492int sep = '/';
1493int callout = -1;
1494int callout_overall = -1;
4deaf07d 1495int callout_connect = -1;
059ec3d9
PH		 1496int verify_options = 0;
1497int rc;
1498BOOL verify_header_sender = FALSE;
1499BOOL defer_ok = FALSE;
1500BOOL callout_defer_ok = FALSE;
1501BOOL no_details = FALSE;
eafd343b 1502BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1503address_item *sender_vaddr = NULL;
1504uschar *verify_sender_address = NULL;
1505uschar *pm_mailfrom = NULL;
1506uschar *se_mailfrom = NULL;
596875b3
PH		 1507
1508/* Some of the verify items have slash-separated options; some do not. Diagnose
1509an error if options are given for items that don't expect them. This code has
1510now got very message. Refactoring to use a table would be a good idea one day.
1511*/
1512
1513uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1514uschar *list = arg;
1515uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1516
1517if (ss == NULL) goto BAD_VERIFY;
1518
1519/* Handle name/address consistency verification in a separate function. */
1520
1521if (strcmpic(ss, US"reverse_host_lookup") == 0)
1522 {
596875b3 1523 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1524 if (sender_host_address == NULL) return OK;
1525 return acl_verify_reverse(user_msgptr, log_msgptr);
1526 }
1527
1528/* TLS certificate verification is done at STARTTLS time; here we just
1529test whether it was successful or not. (This is for optional verification; for
1530mandatory verification, the connection doesn't last this long.) */
1531
1532if (strcmpic(ss, US"certificate") == 0)
1533 {
596875b3 1534 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1535 if (tls_certificate_verified) return OK;
1536 *user_msgptr = US"no verified certificate";
1537 return FAIL;
1538 }
1539
d7b47fd0
PH		 1540/* We can test the result of optional HELO verification that might have
1541occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1542
596875b3
PH		 1543if (strcmpic(ss, US"helo") == 0)
1544 {
1545 if (slash != NULL) goto NO_OPTIONS;
0154e85a
TF		 1546 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1547 return helo_verified? OK : FAIL;
596875b3 1548 }
059ec3d9 1549
e5a9dba6
PH		 1550/* Do Client SMTP Authorization checks in a separate function, and turn the
1551result code into user-friendly strings. */
1552
1553if (strcmpic(ss, US"csa") == 0)
1554 {
1555 rc = acl_verify_csa(list);
1556 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1557 csa_reason_string[rc]);
1558 csa_status = csa_status_string[rc];
1559 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1560 return csa_return_code[rc];
1561 }
1562
596875b3
PH		 1563/* Check that all relevant header lines have the correct syntax. If there is
1564a syntax error, we return details of the error to the sender if configured to
1565send out full details. (But a "message" setting on the ACL can override, as
1566always). */
059ec3d9 1567
596875b3 1568if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1569 {
596875b3 1570 if (slash != NULL) goto NO_OPTIONS;
1c41c9cc 1571 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3
PH		 1572 rc = verify_check_headers(log_msgptr);
1573 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1574 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1575 return rc;
1576 }
059ec3d9 1577
1c41c9cc
PH		 1578/* Check that no recipient of this message is "blind", that is, every envelope
1579recipient must be mentioned in either To: or Cc:. */
1580
1581if (strcmpic(ss, US"not_blind") == 0)
1582 {
1583 if (slash != NULL) goto NO_OPTIONS;
1584 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1585 rc = verify_check_notblind();
1586 if (rc != OK)
1587 {
1588 *log_msgptr = string_sprintf("bcc recipient detected");
1589 if (smtp_return_error_details)
1590 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1591 }
1592 return rc;
1593 }
059ec3d9 1594
596875b3
PH		 1595/* The remaining verification tests check recipient and sender addresses,
1596either from the envelope or from the header. There are a number of
1597slash-separated options that are common to all of them. */
059ec3d9 1598
059ec3d9 1599
596875b3
PH		 1600/* Check that there is at least one verifiable sender address in the relevant
1601header lines. This can be followed by callout and defer options, just like
1602sender and recipient. */
059ec3d9 1603
596875b3
PH		 1604if (strcmpic(ss, US"header_sender") == 0)
1605 {
1c41c9cc 1606 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3 1607 verify_header_sender = TRUE;
059ec3d9
PH		 1608 }
1609
1610/* Otherwise, first item in verify argument must be "sender" or "recipient".
1611In the case of a sender, this can optionally be followed by an address to use
1612in place of the actual sender (rare special-case requirement). */
1613
1614else if (strncmpic(ss, US"sender", 6) == 0)
1615 {
1616 uschar *s = ss + 6;
1617 if (where > ACL_WHERE_NOTSMTP)
1618 {
1619 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1620 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1621 acl_wherenames[where]);
1622 return ERROR;
1623 }
1624 if (*s == 0)
1625 verify_sender_address = sender_address;
1626 else
1627 {
1628 while (isspace(*s)) s++;
1629 if (*s++ != '=') goto BAD_VERIFY;
1630 while (isspace(*s)) s++;
1631 verify_sender_address = string_copy(s);
1632 }
1633 }
1634else
1635 {
1636 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1637 if (addr == NULL)
1638 {
1639 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1640 "(only possible for RCPT)", acl_wherenames[where]);
1641 return ERROR;
1642 }
1643 }
1644
596875b3
PH		 1645/* Remaining items are optional; they apply to sender and recipient
1646verification, including "header sender" verification. */
059ec3d9
PH		 1647
1648while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1649 != NULL)
1650 {
1651 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1652 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1653 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1654
1655 /* These two old options are left for backwards compatibility */
1656
1657 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1658 {
1659 callout_defer_ok = TRUE;
1660 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1661 }
1662
1663 else if (strcmpic(ss, US"check_postmaster") == 0)
1664 {
1665 pm_mailfrom = US"";
1666 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1667 }
1668
1669 /* The callout option has a number of sub-options, comma separated */
1670
1671 else if (strncmpic(ss, US"callout", 7) == 0)
1672 {
1673 callout = CALLOUT_TIMEOUT_DEFAULT;
1674 ss += 7;
1675 if (*ss != 0)
1676 {
1677 while (isspace(*ss)) ss++;
1678 if (*ss++ == '=')
1679 {
1680 int optsep = ',';
1681 uschar *opt;
1682 uschar buffer[256];
1683 while (isspace(*ss)) ss++;
8e669ac1
PH		 1684
1685 /* This callout option handling code has become a mess as new options
1686 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1687 kind of table-driven thing. */
8e669ac1 1688
059ec3d9
PH		 1689 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1690 != NULL)
1691 {
1692 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1693 else if (strcmpic(opt, US"no_cache") == 0)
1694 verify_options |= vopt_callout_no_cache;
1695 else if (strcmpic(opt, US"random") == 0)
1696 verify_options |= vopt_callout_random;
1697 else if (strcmpic(opt, US"use_sender") == 0)
1698 verify_options |= vopt_callout_recipsender;
1699 else if (strcmpic(opt, US"use_postmaster") == 0)
1700 verify_options |= vopt_callout_recippmaster;
1701 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
2a4be8f9
PH		 1702 else if (strcmpic(opt, US"fullpostmaster") == 0)
1703 {
1704 pm_mailfrom = US"";
1705 verify_options |= vopt_callout_fullpm;
1706 }
059ec3d9
PH		 1707
1708 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1709 {
1710 if (!verify_header_sender)
1711 {
1712 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1713 "callout option only for verify=header_sender (detected in ACL "
1714 "condition \"%s\")", arg);
1715 return ERROR;
1716 }
1717 opt += 8;
1718 while (isspace(*opt)) opt++;
1719 if (*opt++ != '=')
1720 {
1721 *log_msgptr = string_sprintf("'=' expected after "
1722 "\"mailfrom\" in ACL condition \"%s\"", arg);
1723 return ERROR;
1724 }
1725 while (isspace(*opt)) opt++;
1726 se_mailfrom = string_copy(opt);
1727 }
1728
1729 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1730 {
1731 opt += 19;
1732 while (isspace(*opt)) opt++;
1733 if (*opt++ != '=')
1734 {
1735 *log_msgptr = string_sprintf("'=' expected after "
1736 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1737 return ERROR;
1738 }
1739 while (isspace(*opt)) opt++;
1740 pm_mailfrom = string_copy(opt);
1741 }
1742
1743 else if (strncmpic(opt, US"maxwait", 7) == 0)
1744 {
1745 opt += 7;
1746 while (isspace(*opt)) opt++;
1747 if (*opt++ != '=')
1748 {
1749 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1750 "ACL condition \"%s\"", arg);
1751 return ERROR;
1752 }
1753 while (isspace(*opt)) opt++;
1754 callout_overall = readconf_readtime(opt, 0, FALSE);
1755 if (callout_overall < 0)
1756 {
1757 *log_msgptr = string_sprintf("bad time value in ACL condition "
1758 "\"verify %s\"", arg);
1759 return ERROR;
1760 }
1761 }
4deaf07d
PH		 1762 else if (strncmpic(opt, US"connect", 7) == 0)
1763 {
1764 opt += 7;
1765 while (isspace(*opt)) opt++;
1766 if (*opt++ != '=')
1767 {
1768 *log_msgptr = string_sprintf("'=' expected after "
1769 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1770 return ERROR;
1771 }
1772 while (isspace(*opt)) opt++;
1773 callout_connect = readconf_readtime(opt, 0, FALSE);
1774 if (callout_connect < 0)
1775 {
1776 *log_msgptr = string_sprintf("bad time value in ACL condition "
1777 "\"verify %s\"", arg);
1778 return ERROR;
1779 }
1780 }
059ec3d9
PH		 1781 else /* Plain time is callout connect/command timeout */
1782 {
1783 callout = readconf_readtime(opt, 0, FALSE);
1784 if (callout < 0)
1785 {
1786 *log_msgptr = string_sprintf("bad time value in ACL condition "
1787 "\"verify %s\"", arg);
1788 return ERROR;
1789 }
1790 }
1791 }
1792 }
1793 else
1794 {
1795 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1796 "ACL condition \"%s\"", arg);
1797 return ERROR;
1798 }
1799 }
1800 }
1801
1802 /* Option not recognized */
1803
1804 else
1805 {
1806 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1807 "condition \"verify %s\"", ss, arg);
1808 return ERROR;
1809 }
1810 }
1811
1812if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1813 (vopt_callout_recipsender|vopt_callout_recippmaster))
1814 {
1815 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1816 "for a recipient callout";
1817 return ERROR;
1818 }
1819
1820/* Handle sender-in-header verification. Default the user message to the log
1821message if giving out verification details. */
1822
1823if (verify_header_sender)
1824 {
8e669ac1 1825 int verrno;
059ec3d9 1826 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1827 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1828 &verrno);
1829 if (rc != OK)
8e669ac1 1830 {
fe5b5d0b
PH		 1831 *basic_errno = verrno;
1832 if (smtp_return_error_details)
1833 {
1834 if (*user_msgptr == NULL && *log_msgptr != NULL)
1835 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1836 if (rc == DEFER) acl_temp_details = TRUE;
1837 }
8e669ac1 1838 }
059ec3d9
PH		 1839 }
1840
1841/* Handle a sender address. The default is to verify *the* sender address, but
1842optionally a different address can be given, for special requirements. If the
1843address is empty, we are dealing with a bounce message that has no sender, so
1844we cannot do any checking. If the real sender address gets rewritten during
1845verification (e.g. DNS widening), set the flag to stop it being rewritten again
1846during message reception.
1847
1848A list of verified "sender" addresses is kept to try to avoid doing to much
1849work repetitively when there are multiple recipients in a message and they all
1850require sender verification. However, when callouts are involved, it gets too
1851complicated because different recipients may require different callout options.
1852Therefore, we always do a full sender verify when any kind of callout is
1853specified. Caching elsewhere, for instance in the DNS resolver and in the
1854callout handling, should ensure that this is not terribly inefficient. */
1855
1856else if (verify_sender_address != NULL)
1857 {
1858 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1859 != 0)
1860 {
1861 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1862 "sender verify callout";
1863 return ERROR;
1864 }
1865
1866 sender_vaddr = verify_checked_sender(verify_sender_address);
1867 if (sender_vaddr != NULL && /* Previously checked */
1868 callout <= 0) /* No callout needed this time */
1869 {
1870 /* If the "routed" flag is set, it means that routing worked before, so
1871 this check can give OK (the saved return code value, if set, belongs to a
1872 callout that was done previously). If the "routed" flag is not set, routing
1873 must have failed, so we use the saved return code. */
1874
1875 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1876 {
1877 rc = sender_vaddr->special_action;
1878 *basic_errno = sender_vaddr->basic_errno;
1879 }
1880 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1881 }
1882
1883 /* Do a new verification, and cache the result. The cache is used to avoid
1884 verifying the sender multiple times for multiple RCPTs when callouts are not
1885 specified (see comments above).
1886
1887 The cache is also used on failure to give details in response to the first
1888 RCPT that gets bounced for this reason. However, this can be suppressed by
1889 the no_details option, which sets the flag that says "this detail has already
1890 been sent". The cache normally contains just one address, but there may be
1891 more in esoteric circumstances. */
1892
1893 else
1894 {
1895 BOOL routed = TRUE;
2a3eea10 1896 uschar *save_address_data = deliver_address_data;
8e669ac1 1897
059ec3d9
PH		 1898 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1899 if (no_details) setflag(sender_vaddr, af_sverify_told);
1900 if (verify_sender_address[0] != 0)
1901 {
1902 /* If this is the real sender address, save the unrewritten version
1903 for use later in receive. Otherwise, set a flag so that rewriting the
1904 sender in verify_address() does not update sender_address. */
1905
1906 if (verify_sender_address == sender_address)
1907 sender_address_unrewritten = sender_address;
1908 else
1909 verify_options |= vopt_fake_sender;
1910
eafd343b
TK		 1911 if (success_on_redirect)
1912 verify_options |= vopt_success_on_redirect;
1913
059ec3d9
PH		 1914 /* The recipient, qualify, and expn options are never set in
1915 verify_options. */
1916
1917 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1918 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1919
1920 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1921
1922 if (rc == OK)
1923 {
1924 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1925 {
1926 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1927 verify_sender_address, sender_vaddr->address);
1928 }
1929 else
1930 {
1931 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1932 verify_sender_address);
1933 }
1934 }
1935 else *basic_errno = sender_vaddr->basic_errno;
1936 }
1937 else rc = OK; /* Null sender */
1938
1939 /* Cache the result code */
1940
1941 if (routed) setflag(sender_vaddr, af_verify_routed);
1942 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1943 sender_vaddr->special_action = rc;
1944 sender_vaddr->next = sender_verified_list;
1945 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1946
1947 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1948 the sender verification. */
8e669ac1 1949
2a3eea10 1950 deliver_address_data = save_address_data;
059ec3d9 1951 }
8e669ac1 1952
2a3eea10
PH		 1953 /* Put the sender address_data value into $sender_address_data */
1954
8e669ac1 1955 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1956 }
1957
1958/* A recipient address just gets a straightforward verify; again we must handle
1959the DEFER overrides. */
1960
1961else
1962 {
1963 address_item addr2;
1964
eafd343b
TK		 1965 if (success_on_redirect)
1966 verify_options |= vopt_success_on_redirect;
1967
059ec3d9
PH		 1968 /* We must use a copy of the address for verification, because it might
1969 get rewritten. */
1970
1971 addr2 = *addr;
1972 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1973 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1974 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1975
42855d71 1976 *basic_errno = addr2.basic_errno;
059ec3d9 1977 *log_msgptr = addr2.message;
8e669ac1 1978 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1979 addr2.user_message : addr2.message;
42855d71
PH		 1980
1981 /* Allow details for temporary error if the address is so flagged. */
1982 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH		 1983
1984 /* Make $address_data visible */
1985 deliver_address_data = addr2.p.address_data;
1986 }
1987
1988/* We have a result from the relevant test. Handle defer overrides first. */
1989
1990if (rc == DEFER && (defer_ok ||
1991 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1992 {
1993 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1994 defer_ok? "defer_ok" : "callout_defer_ok");
1995 rc = OK;
1996 }
1997
1998/* If we've failed a sender, set up a recipient message, and point
1999sender_verified_failed to the address item that actually failed. */
2000
2001if (rc != OK && verify_sender_address != NULL)
2002 {
2003 if (rc != DEFER)
2004 {
2005 *log_msgptr = *user_msgptr = US"Sender verify failed";
2006 }
2007 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2008 {
2009 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2010 }
2011 else
2012 {
2013 *log_msgptr = US"Could not complete sender verify callout";
2014 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2015 *log_msgptr;
2016 }
2017
2018 sender_verified_failed = sender_vaddr;
2019 }
2020
2021/* Verifying an address messes up the values of $domain and $local_part,
2022so reset them before returning if this is a RCPT ACL. */
2023
2024if (addr != NULL)
2025 {
2026 deliver_domain = addr->domain;
2027 deliver_localpart = addr->local_part;
2028 }
2029return rc;
2030
2031/* Syntax errors in the verify argument come here. */
2032
2033BAD_VERIFY:
2034*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 2035 "\"helo\", \"header_syntax\", \"header_sender\" or "
2036 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2037 "\"verify %s\"", arg);
2038return ERROR;
596875b3
PH		 2039
2040/* Options supplied when not allowed come here */
2041
2042NO_OPTIONS:
2043*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
2044 "(this verify item has no options)", arg);
2045return ERROR;
1c41c9cc
PH		 2046
2047/* Calls in the wrong ACL come here */
2048
2049WRONG_ACL:
2050*log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
2051 "(only possible in ACL for DATA)", acl_wherenames[where]);
2052return ERROR;
059ec3d9
PH		 2053}
2054
2055
2056
2057
2058/*************************************************
2059* Check argument for control= modifier *
2060*************************************************/
2061
2062/* Called from acl_check_condition() below
2063
2064Arguments:
2065 arg the argument string for control=
2066 pptr set to point to the terminating character
2067 where which ACL we are in
2068 log_msgptr for error messages
2069
2070Returns: CONTROL_xxx value
2071*/
2072
2073static int
2074decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2075{
2076int len;
2077control_def *d;
2078
2079for (d = controls_list;
2080 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2081 d++)
2082 {
2083 len = Ustrlen(d->name);
2084 if (Ustrncmp(d->name, arg, len) == 0) break;
2085 }
2086
2087if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2088 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2089 {
2090 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2091 return CONTROL_ERROR;
2092 }
2093
059ec3d9
PH		 2094*pptr = arg + len;
2095return d->value;
2096}
2097
2098
2099
c99ce5c9
TF		 2100
2101/*************************************************
2102* Return a ratelimit error *
2103*************************************************/
2104
2105/* Called from acl_ratelimit() below
2106
2107Arguments:
2108 log_msgptr for error messages
2109 format format string
2110 ... supplementary arguments
2111 ss ratelimit option name
2112 where ACL_WHERE_xxxx indicating which ACL this is
2113
2114Returns: ERROR
2115*/
2116
2117static int
2118ratelimit_error(uschar **log_msgptr, const char *format, ...)
2119{
2120va_list ap;
2121uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2122va_start(ap, format);
2123if (!string_vformat(buffer, sizeof(buffer), format, ap))
2124 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2125 "string_sprintf expansion was longer than %d", sizeof(buffer));
2126va_end(ap);
2127*log_msgptr = string_sprintf(
2128 "error in arguments to \"ratelimit\" condition: %s", buffer);
2129return ERROR;
2130}
2131
2132
2133
2134
870f6ba8
TF		 2135/*************************************************
2136* Handle rate limiting *
2137*************************************************/
2138
2139/* Called by acl_check_condition() below to calculate the result
2140of the ACL ratelimit condition.
2141
2142Note that the return value might be slightly unexpected: if the
2143sender's rate is above the limit then the result is OK. This is
2144similar to the dnslists condition, and is so that you can write
2145ACL clauses like: defer ratelimit = 15 / 1h
2146
2147Arguments:
2148 arg the option string for ratelimit=
90fc3069 2149 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2150 log_msgptr for error messages
2151
2152Returns: OK - Sender's rate is above limit
2153 FAIL - Sender's rate is below limit
2154 DEFER - Problem opening ratelimit database
2155 ERROR - Syntax error in options.
2156*/
2157
2158static int
90fc3069 2159acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8 2160{
c99ce5c9 2161double limit, period, count;
8f240103
PH		 2162uschar *ss;
2163uschar *key = NULL;
c99ce5c9 2164uschar *unique = NULL;
870f6ba8 2165int sep = '/';
c99ce5c9
TF		 2166BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2167BOOL noupdate = FALSE, badacl = FALSE;
2168int mode = RATE_PER_WHAT;
870f6ba8
TF		 2169int old_pool, rc;
2170tree_node **anchor, *t;
2171open_db dbblock, *dbm;
c99ce5c9 2172int dbdb_size;
870f6ba8 2173dbdata_ratelimit *dbd;
c99ce5c9 2174dbdata_ratelimit_unique *dbdb;
870f6ba8
TF		 2175struct timeval tv;
2176
2177/* Parse the first two options and record their values in expansion
2178variables. These variables allow the configuration to have informative
2179error messages based on rate limits obtained from a table lookup. */
2180
c99ce5c9 2181/* First is the maximum number of messages per period / maximum burst
870f6ba8
TF		 2182size, which must be greater than or equal to zero. Zero is useful for
2183rate measurement as opposed to rate limiting. */
2184
2185sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2186if (sender_rate_limit == NULL)
2187 limit = -1.0;
2188else
2189 {
2190 limit = Ustrtod(sender_rate_limit, &ss);
2191 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2192 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2193 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2194 }
c99ce5c9
TF		 2195if (limit < 0.0 || *ss != '\0')
2196 return ratelimit_error(log_msgptr,
2197 "\"%s\" is not a positive number", sender_rate_limit);
870f6ba8 2198
c99ce5c9 2199/* Second is the rate measurement period / exponential smoothing time
870f6ba8
TF		 2200constant. This must be strictly greater than zero, because zero leads to
2201run-time division errors. */
2202
2203sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2204if (sender_rate_period == NULL) period = -1.0;
2205else period = readconf_readtime(sender_rate_period, 0, FALSE);
2206if (period <= 0.0)
c99ce5c9
TF		 2207 return ratelimit_error(log_msgptr,
2208 "\"%s\" is not a time value", sender_rate_period);
2209
2210/* By default we are counting one of something, but the per_rcpt,
2211per_byte, and count options can change this. */
2212
2213count = 1.0;
870f6ba8 2214
c99ce5c9 2215/* Parse the other options. */
870f6ba8
TF		 2216
2217while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2218 != NULL)
2219 {
2220 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2221 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2222 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
c99ce5c9
TF		 2223 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2224 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2225 else if (strcmpic(ss, US"per_conn") == 0)
2226 {
2227 RATE_SET(mode, PER_CONN);
2228 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2229 badacl = TRUE;
2230 }
2231 else if (strcmpic(ss, US"per_mail") == 0)
2232 {
2233 RATE_SET(mode, PER_MAIL);
2234 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2235 }
2236 else if (strcmpic(ss, US"per_rcpt") == 0)
2237 {
2238 /* If we are running in the RCPT ACL, then we'll count the recipients
2239 one by one, but if we are running when we have accumulated the whole
2240 list then we'll add them all in one batch. */
2241 if (where == ACL_WHERE_RCPT)
2242 RATE_SET(mode, PER_RCPT);
2243 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2244 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2245 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2246 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2247 }
2248 else if (strcmpic(ss, US"per_byte") == 0)
2249 {
2250 /* If we have not yet received the message data and there was no SIZE
2251 declaration on the MAIL comand, then it's safe to just use a value of
2252 zero and let the recorded rate decay as if nothing happened. */
2253 RATE_SET(mode, PER_MAIL);
2254 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2255 else count = message_size < 0 ? 0.0 : (double)message_size;
2256 }
2257 else if (strcmpic(ss, US"per_addr") == 0)
2258 {
2259 RATE_SET(mode, PER_RCPT);
2260 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = "*";
2261 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2262 }
2263 else if (strncmpic(ss, US"count=", 6) == 0)
2264 {
2265 uschar *e;
2266 count = Ustrtod(ss+6, &e);
2267 if (count < 0.0 || *e != '\0')
2268 return ratelimit_error(log_msgptr,
2269 "\"%s\" is not a positive number", ss);
2270 }
2271 else if (strncmpic(ss, US"unique=", 7) == 0)
2272 unique = string_copy(ss + 7);
2273 else if (key == NULL)
2274 key = string_copy(ss);
2275 else
2276 key = string_sprintf("%s/%s", key, ss);
870f6ba8
TF		 2277 }
2278
c99ce5c9
TF		 2279/* Sanity check. When the badacl flag is set the update mode must either
2280be readonly (which is the default if it is omitted) or, for backwards
2281compatibility, a combination of noupdate and strict or leaky. */
2282
2283if (mode == RATE_PER_CLASH)
2284 return ratelimit_error(log_msgptr, "conflicting per_* options");
2285if (leaky + strict + readonly > 1)
2286 return ratelimit_error(log_msgptr, "conflicting update modes");
2287if (badacl && (leaky || strict) && !noupdate)
2288 return ratelimit_error(log_msgptr,
2289 "\"%s\" must not have /leaky or /strict option in %s ACL",
2290 ratelimit_option_string[mode], acl_wherenames[where]);
2291
2292/* Set the default values of any unset options. In readonly mode we
2293perform the rate computation without any increment so that its value
2294decays to eventually allow over-limit senders through. */
2295
2296if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2297if (badacl) readonly = TRUE;
2298if (readonly) count = 0.0;
2299if (!strict && !readonly) leaky = TRUE;
2300if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
870f6ba8 2301
8f240103
PH		 2302/* Create the lookup key. If there is no explicit key, use sender_host_address.
2303If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2304omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2305are added to the key because they alter the meaning of the stored data. */
2306
2307if (key == NULL)
2308 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2309
c99ce5c9 2310key = string_sprintf("%s/%s/%s%s",
8f240103 2311 sender_rate_period,
c99ce5c9
TF		 2312 ratelimit_option_string[mode],
2313 unique == NULL ? "" : "unique/",
8f240103 2314 key);
870f6ba8 2315
c99ce5c9
TF		 2316HDEBUG(D_acl)
2317 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
870f6ba8 2318
8f240103
PH		 2319/* See if we have already computed the rate by looking in the relevant tree.
2320For per-connection rate limiting, store tree nodes and dbdata in the permanent
c99ce5c9
TF		 2321pool so that they survive across resets. In readonly mode we only remember the
2322result for the rest of this command in case a later command changes it. After
2323this bit of logic the code is independent of the per_* mode. */
870f6ba8 2324
870f6ba8
TF		 2325old_pool = store_pool;
2326
c99ce5c9
TF		 2327if (readonly)
2328 anchor = &ratelimiters_cmd;
2329else switch(mode) {
2330case RATE_PER_CONN:
870f6ba8
TF		 2331 anchor = &ratelimiters_conn;
2332 store_pool = POOL_PERM;
c99ce5c9
TF		 2333 break;
2334case RATE_PER_BYTE:
2335case RATE_PER_MAIL:
2336case RATE_PER_ALLRCPTS:
870f6ba8 2337 anchor = &ratelimiters_mail;
c99ce5c9
TF		 2338 break;
2339case RATE_PER_ADDR:
2340case RATE_PER_CMD:
2341case RATE_PER_RCPT:
fe0dab11 2342 anchor = &ratelimiters_cmd;
c99ce5c9
TF		 2343 break;
2344default:
2345 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2346 "internal ACL error: unknown ratelimit mode %d", mode);
2347 break;
2348}
870f6ba8 2349
c99ce5c9
TF		 2350t = tree_search(*anchor, key);
2351if (t != NULL)
870f6ba8
TF		 2352 {
2353 dbd = t->data.ptr;
2354 /* The following few lines duplicate some of the code below. */
8f240103 2355 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2356 store_pool = old_pool;
2357 sender_rate = string_sprintf("%.1f", dbd->rate);
2358 HDEBUG(D_acl)
2359 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2360 return rc;
2361 }
2362
c99ce5c9
TF		 2363/* We aren't using a pre-computed rate, so get a previously recorded rate
2364from the database, which will be updated and written back if required. */
870f6ba8
TF		 2365
2366dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2367if (dbm == NULL)
2368 {
2369 store_pool = old_pool;
2370 sender_rate = NULL;
2371 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2372 *log_msgptr = US"ratelimit database not available";
2373 return DEFER;
2374 }
c99ce5c9
TF		 2375dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2376dbd = NULL;
870f6ba8
TF		 2377
2378gettimeofday(&tv, NULL);
2379
c99ce5c9
TF		 2380if (dbdb != NULL)
2381 {
2382 /* Locate the basic ratelimit block inside the DB data. */
2383 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2384 dbd = &dbdb->dbd;
2385
2386 /* Forget the old Bloom filter if it is too old, so that we count each
2387 repeating event once per period. We don't simply clear and re-use the old
2388 filter because we want its size to change if the limit changes. Note that
2389 we keep the dbd pointer for copying the rate into the new data block. */
2390
2391 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2392 {
2393 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2394 dbdb = NULL;
2395 }
2396
2397 /* Sanity check. */
2398
2399 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2400 {
2401 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2402 dbdb = NULL;
2403 }
2404 }
2405
2406/* Allocate a new data block if the database lookup failed
2407or the Bloom filter passed its age limit. */
2408
2409if (dbdb == NULL)
2410 {
2411 if (unique == NULL)
2412 {
2413 /* No Bloom filter. This basic ratelimit block is initialized below. */
2414 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2415 dbdb_size = sizeof(*dbd);
2416 dbdb = store_get(dbdb_size);
2417 }
2418 else
2419 {
2420 int extra;
2421 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2422
2423 /* See the long comment below for an explanation of the magic number 2.
2424 The filter has a minimum size in case the rate limit is very small;
2425 this is determined by the definition of dbdata_ratelimit_unique. */
2426
2427 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2428 if (extra < 0) extra = 0;
2429 dbdb_size = sizeof(*dbdb) + extra;
2430 dbdb = store_get(dbdb_size);
2431 dbdb->bloom_epoch = tv.tv_sec;
2432 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2433 memset(dbdb->bloom, 0, dbdb->bloom_size);
2434
2435 /* Preserve any basic ratelimit data (which is our longer-term memory)
2436 by copying it from the discarded block. */
2437
2438 if (dbd != NULL)
2439 {
2440 dbdb->dbd = *dbd;
2441 dbd = &dbdb->dbd;
2442 }
2443 }
2444 }
2445
2446/* If we are counting unique events, find out if this event is new or not.
2447If the client repeats the event during the current period then it should be
2448counted. We skip this code in readonly mode for efficiency, because any
2449changes to the filter will be discarded and because count is already set to
2450zero. */
2451
2452if (unique != NULL && !readonly)
2453 {
2454 /* We identify unique events using a Bloom filter. (You can find my
2455 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2456 With the per_addr option, an "event" is a recipient address, though the
2457 user can use the unique option to define their own events. We only count
2458 an event if we have not seen it before.
2459
2460 We size the filter according to the rate limit, which (in leaky mode)
2461 is the limit on the population of the filter. We allow 16 bits of space
2462 per entry (see the construction code above) and we set (up to) 8 of them
2463 when inserting an element (see the loop below). The probability of a false
2464 positive (an event we have not seen before but which we fail to count) is
2465
2466 size = limit * 16
2467 numhash = 8
2468 allzero = exp(-numhash * pop / size)
2469 = exp(-0.5 * pop / limit)
2470 fpr = pow(1 - allzero, numhash)
2471
2472 For senders at the limit the fpr is 0.06% or 1 in 1700
2473 and for senders at half the limit it is 0.0006% or 1 in 170000
2474
2475 In strict mode the Bloom filter can fill up beyond the normal limit, in
2476 which case the false positive rate will rise. This means that the
2477 measured rate for very fast senders can bogusly drop off after a while.
2478
2479 At twice the limit, the fpr is 2.5% or 1 in 40
2480 At four times the limit, it is 31% or 1 in 3.2
2481
2482 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2483 decay below the limit, and if this is more than one then the Bloom filter
2484 will be discarded before the decay gets that far. The false positive rate
2485 at this threshold is 9.3% or 1 in 10.7. */
2486
2487 BOOL seen;
2488 unsigned n, hash, hinc;
2489 uschar md5sum[16];
2490 md5 md5info;
2491
2492 /* Instead of using eight independent hash values, we combine two values
2493 using the formula h1 + n * h2. This does not harm the Bloom filter's
2494 performance, and means the amount of hash we need is independent of the
2495 number of bits we set in the filter. */
2496
2497 md5_start(&md5info);
2498 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2499 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2500 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2501
2502 /* Scan the bits corresponding to this event. A zero bit means we have
2503 not seen it before. Ensure all bits are set to record this event. */
2504
2505 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2506
2507 seen = TRUE;
2508 for (n = 0; n < 8; n++, hash += hinc)
2509 {
2510 int bit = 1 << (hash % 8);
2511 int byte = (hash / 8) % dbdb->bloom_size;
2512 if ((dbdb->bloom[byte] & bit) == 0)
2513 {
2514 dbdb->bloom[byte] |= bit;
2515 seen = FALSE;
2516 }
2517 }
2518
2519 /* If this event has occurred before, do not count it. */
2520
2521 if (seen)
2522 {
2523 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2524 count = 0.0;
2525 }
2526 else
2527 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2528 }
2529
2530/* If there was no previous ratelimit data block for this key, initialize
2531the new one, otherwise update the block from the database. The initial rate
2532is what would be computed by the code below for an infinite interval. */
2533
870f6ba8
TF		 2534if (dbd == NULL)
2535 {
c99ce5c9
TF		 2536 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2537 dbd = &dbdb->dbd;
870f6ba8
TF		 2538 dbd->time_stamp = tv.tv_sec;
2539 dbd->time_usec = tv.tv_usec;
c99ce5c9 2540 dbd->rate = count;
870f6ba8
TF		 2541 }
2542else
2543 {
2544 /* The smoothed rate is computed using an exponentially weighted moving
2545 average adjusted for variable sampling intervals. The standard EWMA for
2546 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2547 where f() is the measured value and f'() is the smoothed value.
2548
2549 Old data decays out of the smoothed value exponentially, such that data n
2550 samples old is multiplied by a^n. The exponential decay time constant p
2551 is defined such that data p samples old is multiplied by 1/e, which means
2552 that a = exp(-1/p). We can maintain the same time constant for a variable
2553 sampling interval i by using a = exp(-i/p).
2554
2555 The rate we are measuring is messages per period, suitable for directly
2556 comparing with the limit. The average rate between now and the previous
2557 message is period / interval, which we feed into the EWMA as the sample.
2558
2559 It turns out that the number of messages required for the smoothed rate
2560 to reach the limit when they are sent in a burst is equal to the limit.
2561 This can be seen by analysing the value of the smoothed rate after N
2562 messages sent at even intervals. Let k = (1 - a) * p/i
2563
2564 rate_1 = (1 - a) * p/i + a * rate_0
2565 = k + a * rate_0
2566 rate_2 = k + a * rate_1
2567 = k + a * k + a^2 * rate_0
2568 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2569 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2570 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2571 = rate_0 * a^N + p/i * (1 - a^N)
2572
2573 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2574
2575 rate_N = p/i + (rate_0 - p/i) * a^N
2576 a^N = (rate_N - p/i) / (rate_0 - p/i)
2577 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2578 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2579
2580 Numerical analysis of the above equation, setting the computed rate to
2581 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2582 rates, p/i, the number of messages N = limit. So limit serves as both the
2583 maximum rate measured in messages per period, and the maximum number of
2584 messages that can be sent in a fast burst. */
2585
2586 double this_time = (double)tv.tv_sec
2587 + (double)tv.tv_usec / 1000000.0;
2588 double prev_time = (double)dbd->time_stamp
2589 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2590
2591 /* We must avoid division by zero, and deal gracefully with the clock going
2592 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2593 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2594
e5d5a95f
TF		 2595 double interval = this_time - prev_time <= 0.0 ? 1e-9
2596 : this_time - prev_time;
2597
2598 double i_over_p = interval / period;
2599 double a = exp(-i_over_p);
870f6ba8 2600
c99ce5c9
TF		 2601 /* Combine the instantaneous rate (period / interval) with the previous rate
2602 using the smoothing factor a. In order to measure sized events, multiply the
2603 instantaneous rate by the count of bytes or recipients etc. */
2604
870f6ba8
TF		 2605 dbd->time_stamp = tv.tv_sec;
2606 dbd->time_usec = tv.tv_usec;
c99ce5c9
TF		 2607 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2608
2609 /* When events are very widely spaced the computed rate tends towards zero.
2610 Although this is accurate it turns out not to be useful for our purposes,
2611 especially when the first event after a long silence is the start of a spam
2612 run. A more useful model is that the rate for an isolated event should be the
2613 size of the event per the period size, ignoring the lack of events outside
2614 the current period and regardless of where the event falls in the period. So,
2615 if the interval was so long that the calculated rate is unhelpfully small, we
2616 re-intialize the rate. In the absence of higher-rate bursts, the condition
2617 below is true if the interval is greater than the period. */
2618
2619 if (dbd->rate < count) dbd->rate = count;
870f6ba8
TF		 2620 }
2621
c99ce5c9
TF		 2622/* Clients sending at the limit are considered to be over the limit.
2623This matters for edge cases such as a limit of zero, when the client
2624should be completely blocked. */
3348576f 2625
8f240103 2626rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2627
2628/* Update the state if the rate is low or if we are being strict. If we
2629are in leaky mode and the sender's rate is too high, we do not update
2630the recorded rate in order to avoid an over-aggressive sender's retry
c99ce5c9
TF		 2631rate preventing them from getting any email through. If readonly is set,
2632neither leaky nor strict are set, so we do not do any updates. */
870f6ba8 2633
c99ce5c9 2634if ((rc == FAIL && leaky) || strict)
8f240103 2635 {
c99ce5c9 2636 dbfn_write(dbm, key, dbdb, dbdb_size);
8f240103
PH		 2637 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2638 }
2639else
2640 {
2641 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
c99ce5c9 2642 readonly? "readonly mode" : "over the limit, but leaky");
8f240103
PH		 2643 }
2644
870f6ba8
TF		 2645dbfn_close(dbm);
2646
c99ce5c9 2647/* Store the result in the tree for future reference. */
870f6ba8 2648
c99ce5c9
TF		 2649t = store_get(sizeof(tree_node) + Ustrlen(key));
2650t->data.ptr = dbd;
2651Ustrcpy(t->name, key);
2652(void)tree_insertnode(anchor, t);
870f6ba8
TF		 2653
2654/* We create the formatted version of the sender's rate very late in
2655order to ensure that it is done using the correct storage pool. */
2656
2657store_pool = old_pool;
2658sender_rate = string_sprintf("%.1f", dbd->rate);
2659
2660HDEBUG(D_acl)
2661 debug_printf("ratelimit computed rate %s\n", sender_rate);
2662
2663return rc;
2664}
2665
2666
2667
059ec3d9
PH		 2668/*************************************************
2669* Handle conditions/modifiers on an ACL item *
2670*************************************************/
2671
2672/* Called from acl_check() below.
2673
2674Arguments:
2675 verb ACL verb
2676 cb ACL condition block - if NULL, result is OK
2677 where where called from
2678 addr the address being checked for RCPT, or NULL
2679 level the nesting level
2680 epp pointer to pass back TRUE if "endpass" encountered
2681 (applies only to "accept" and "discard")
2682 user_msgptr user message pointer
2683 log_msgptr log message pointer
2684 basic_errno pointer to where to put verify error
2685
2686Returns: OK - all conditions are met
2687 DISCARD - an "acl" condition returned DISCARD - only allowed
2688 for "accept" or "discard" verbs
2689 FAIL - at least one condition fails
2690 FAIL_DROP - an "acl" condition returned FAIL_DROP
2691 DEFER - can't tell at the moment (typically, lookup defer,
2692 but can be temporary callout problem)
2693 ERROR - ERROR from nested ACL or expansion failure or other
2694 error
2695*/
2696
2697static int
2698acl_check_condition(int verb, acl_condition_block *cb, int where,
2699 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2700 uschar **log_msgptr, int *basic_errno)
2701{
2702uschar *user_message = NULL;
2703uschar *log_message = NULL;
ed7f7860
PP		 2704uschar *debug_tag = NULL;
2705uschar *debug_opts = NULL;
91ecef39 2706uschar *p = NULL;
059ec3d9 2707int rc = OK;
8523533c
TK		 2708#ifdef WITH_CONTENT_SCAN
2709int sep = '/';
2710#endif
059ec3d9
PH		 2711
2712for (; cb != NULL; cb = cb->next)
2713 {
2714 uschar *arg;
8e669ac1 2715 int control_type;
059ec3d9
PH		 2716
2717 /* The message and log_message items set up messages to be used in
2718 case of rejection. They are expanded later. */
2719
2720 if (cb->type == ACLC_MESSAGE)
2721 {
2722 user_message = cb->arg;
2723 continue;
2724 }
2725
2726 if (cb->type == ACLC_LOG_MESSAGE)
2727 {
2728 log_message = cb->arg;
2729 continue;
2730 }
2731
2732 /* The endpass "condition" just sets a flag to show it occurred. This is
2733 checked at compile time to be on an "accept" or "discard" item. */
2734
2735 if (cb->type == ACLC_ENDPASS)
2736 {
2737 *epp = TRUE;
2738 continue;
2739 }
2740
2741 /* For other conditions and modifiers, the argument is expanded now for some
2742 of them, but not for all, because expansion happens down in some lower level
2743 checking functions in some cases. */
2744
2745 if (cond_expand_at_top[cb->type])
2746 {
2747 arg = expand_string(cb->arg);
2748 if (arg == NULL)
2749 {
2750 if (expand_string_forcedfail) continue;
2751 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2752 cb->arg, expand_string_message);
2753 return search_find_defer? DEFER : ERROR;
2754 }
2755 }
2756 else arg = cb->arg;
2757
2758 /* Show condition, and expanded condition if it's different */
2759
2760 HDEBUG(D_acl)
2761 {
2762 int lhswidth = 0;
2763 debug_printf("check %s%s %n",
2764 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2765 conditions[cb->type], &lhswidth);
2766
2767 if (cb->type == ACLC_SET)
2768 {
38a0a95f
PH		 2769 debug_printf("acl_%s ", cb->u.varname);
2770 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2771 }
2772
2773 debug_printf("= %s\n", cb->arg);
2774
2775 if (arg != cb->arg)
2776 debug_printf("%.*s= %s\n", lhswidth,
2777 US" ", CS arg);
2778 }
2779
2780 /* Check that this condition makes sense at this time */
2781
2782 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2783 {
2784 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2785 cond_modifiers[cb->type]? "use" : "test",
2786 conditions[cb->type], acl_wherenames[where]);
2787 return ERROR;
2788 }
2789
2790 /* Run the appropriate test for each condition, or take the appropriate
2791 action for the remaining modifiers. */
2792
2793 switch(cb->type)
2794 {
71fafd95
PH		 2795 case ACLC_ADD_HEADER:
2796 setup_header(arg);
2797 break;
2798
059ec3d9
PH		 2799 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2800 "discard" verb. */
71fafd95 2801
059ec3d9
PH		 2802 case ACLC_ACL:
2803 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2804 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2805 {
2806 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2807 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2808 verbs[verb]);
2809 return ERROR;
2810 }
2811 break;
2812
2813 case ACLC_AUTHENTICATED:
2814 rc = (sender_host_authenticated == NULL)? FAIL :
2815 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2816 TRUE, NULL);
2817 break;
2818
71fafd95 2819 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2820 case ACLC_BMI_OPTIN:
2821 {
2822 int old_pool = store_pool;
2823 store_pool = POOL_PERM;
2824 bmi_current_optin = string_copy(arg);
2825 store_pool = old_pool;
2826 }
2827 break;
71fafd95 2828 #endif
8523533c 2829
059ec3d9 2830 case ACLC_CONDITION:
f3766eb5
NM		 2831 /* The true/false parsing here should be kept in sync with that used in
2832 expand.c when dealing with ECOND_BOOL so that we don't have too many
2833 different definitions of what can be a boolean. */
059ec3d9
PH		 2834 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2835 rc = (Uatoi(arg) == 0)? FAIL : OK;
2836 else
2837 rc = (strcmpic(arg, US"no") == 0 ||
2838 strcmpic(arg, US"false") == 0)? FAIL :
2839 (strcmpic(arg, US"yes") == 0 ||
2840 strcmpic(arg, US"true") == 0)? OK : DEFER;
2841 if (rc == DEFER)
2842 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2843 break;
2844
c3611384
PH		 2845 case ACLC_CONTINUE: /* Always succeeds */
2846 break;
2847
059ec3d9 2848 case ACLC_CONTROL:
c5fcb476
PH		 2849 control_type = decode_control(arg, &p, where, log_msgptr);
2850
8523533c 2851 /* Check if this control makes sense at this time */
c5fcb476
PH		 2852
2853 if ((control_forbids[control_type] & (1 << where)) != 0)
2854 {
2855 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2856 controls[control_type], acl_wherenames[where]);
2857 return ERROR;
8e669ac1 2858 }
c5fcb476
PH		 2859
2860 switch(control_type)
059ec3d9 2861 {
c46782ef
PH		 2862 case CONTROL_AUTH_UNADVERTISED:
2863 allow_auth_unadvertised = TRUE;
2864 break;
2865
2866 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2867 case CONTROL_BMI_RUN:
2868 bmi_run = 1;
2869 break;
c46782ef
PH		 2870 #endif
2871
80a47a2c 2872 #ifndef DISABLE_DKIM
f7572e5a 2873 case CONTROL_DKIM_VERIFY:
80a47a2c 2874 dkim_disable_verify = TRUE;
f7572e5a
TK		 2875 break;
2876 #endif
2877
059ec3d9
PH		 2878 case CONTROL_ERROR:
2879 return ERROR;
2880
2881 case CONTROL_CASEFUL_LOCAL_PART:
2882 deliver_localpart = addr->cc_local_part;
2883 break;
2884
2885 case CONTROL_CASELOWER_LOCAL_PART:
2886 deliver_localpart = addr->lc_local_part;
2887 break;
2888
2889 case CONTROL_ENFORCE_SYNC:
2890 smtp_enforce_sync = TRUE;
2891 break;
2892
2893 case CONTROL_NO_ENFORCE_SYNC:
2894 smtp_enforce_sync = FALSE;
2895 break;
2896
c46782ef 2897 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2898 case CONTROL_NO_MBOX_UNSPOOL:
2899 no_mbox_unspool = TRUE;
2900 break;
c46782ef 2901 #endif
8523533c 2902
059ec3d9
PH		 2903 case CONTROL_NO_MULTILINE:
2904 no_multiline_responses = TRUE;
2905 break;
2906
cf8b11a5
PH		 2907 case CONTROL_NO_PIPELINING:
2908 pipelining_enable = FALSE;
2909 break;
2910
047bdd8c
PH		 2911 case CONTROL_NO_DELAY_FLUSH:
2912 disable_delay_flush = TRUE;
2913 break;
2914
4c590bd1
PH		 2915 case CONTROL_NO_CALLOUT_FLUSH:
2916 disable_callout_flush = TRUE;
2917 break;
2918
29aba418 2919 case CONTROL_FAKEDEFER:
8523533c 2920 case CONTROL_FAKEREJECT:
29aba418 2921 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2922 if (*p == '/')
8e669ac1 2923 {
8523533c 2924 uschar *pp = p + 1;
8e669ac1 2925 while (*pp != 0) pp++;
29aba418 2926 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2927 p = pp;
2928 }
2929 else
2930 {
2931 /* Explicitly reset to default string */
29aba418 2932 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2933 }
2934 break;
8523533c 2935
059ec3d9
PH		 2936 case CONTROL_FREEZE:
2937 deliver_freeze = TRUE;
2938 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2939 freeze_tell = freeze_tell_config; /* Reset to configured value */
2940 if (Ustrncmp(p, "/no_tell", 8) == 0)
2941 {
2942 p += 8;
2943 freeze_tell = NULL;
2944 }
2945 if (*p != 0)
2946 {
2947 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2948 return ERROR;
2949 }
059ec3d9
PH		 2950 break;
2951
2952 case CONTROL_QUEUE_ONLY:
2953 queue_only_policy = TRUE;
2954 break;
2955
2956 case CONTROL_SUBMISSION:
87ba3f5f 2957 originator_name = US"";
059ec3d9 2958 submission_mode = TRUE;
69358f02 2959 while (*p == '/')
8e669ac1 2960 {
69358f02
PH		 2961 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2962 {
2963 p += 14;
2964 active_local_sender_retain = TRUE;
8e669ac1
PH		 2965 active_local_from_check = FALSE;
2966 }
69358f02
PH		 2967 else if (Ustrncmp(p, "/domain=", 8) == 0)
2968 {
2969 uschar *pp = p + 8;
8e669ac1 2970 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 2971 submission_domain = string_copyn(p+8, pp-p-8);
2972 p = pp;
2973 }
8857ccfd
PH		 2974 /* The name= option must be last, because it swallows the rest of
2975 the string. */
87ba3f5f
PH		 2976 else if (Ustrncmp(p, "/name=", 6) == 0)
2977 {
2978 uschar *pp = p + 6;
8857ccfd 2979 while (*pp != 0) pp++;
2fe1a124 2980 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 2981 big_buffer, big_buffer_size));
8e669ac1 2982 p = pp;
69358f02 2983 }
8e669ac1
PH		 2984 else break;
2985 }
69358f02 2986 if (*p != 0)
059ec3d9 2987 {
69358f02 2988 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 2989 return ERROR;
2990 }
2991 break;
8800895a 2992
ed7f7860
PP		 2993 case CONTROL_DEBUG:
2994 while (*p == '/')
2995 {
2996 if (Ustrncmp(p, "/tag=", 5) == 0)
2997 {
2998 uschar *pp = p + 5;
2999 while (*pp != '\0' && *pp != '/') pp++;
3000 debug_tag = string_copyn(p+5, pp-p-5);
3001 p = pp;
3002 }
3003 else if (Ustrncmp(p, "/opts=", 6) == 0)
3004 {
3005 uschar *pp = p + 6;
3006 while (*pp != '\0' && *pp != '/') pp++;
3007 debug_opts = string_copyn(p+6, pp-p-6);
3008 p = pp;
3009 }
3010 }
3011 debug_logging_activate(debug_tag, debug_opts);
3012 break;
3013
8800895a
PH		 3014 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3015 suppress_local_fixups = TRUE;
3016 break;
059ec3d9
PH		 3017 }
3018 break;
3019
6a8f9482
TK		 3020 #ifdef EXPERIMENTAL_DCC
3021 case ACLC_DCC:
3022 {
3023 /* Seperate the regular expression and any optional parameters. */
3024 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3025 /* Run the dcc backend. */
3026 rc = dcc_process(&ss);
3027 /* Modify return code based upon the existance of options. */
3028 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3029 != NULL) {
3030 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3031 {
3032 /* FAIL so that the message is passed to the next ACL */
3033 rc = FAIL;
3034 }
3035 }
3036 }
3037 break;
3038 #endif
3039
71fafd95 3040 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3041 case ACLC_DECODE:
3042 rc = mime_decode(&arg);
3043 break;
71fafd95 3044 #endif
8523533c 3045
059ec3d9
PH		 3046 case ACLC_DELAY:
3047 {
3048 int delay = readconf_readtime(arg, 0, FALSE);
3049 if (delay < 0)
3050 {
3051 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3052 "modifier: \"%s\" is not a time value", arg);
3053 return ERROR;
3054 }
3055 else
3056 {
3057 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3058 delay);
3059 if (host_checking)
3060 {
3061 HDEBUG(D_acl)
3062 debug_printf("delay skipped in -bh checking mode\n");
3063 }
010c2d14
PH		 3064
3065 /* It appears to be impossible to detect that a TCP/IP connection has
3066 gone away without reading from it. This means that we cannot shorten
3067 the delay below if the client goes away, because we cannot discover
3068 that the client has closed its end of the connection. (The connection
3069 is actually in a half-closed state, waiting for the server to close its
3070 end.) It would be nice to be able to detect this state, so that the
3071 Exim process is not held up unnecessarily. However, it seems that we
3072 can't. The poll() function does not do the right thing, and in any case
3073 it is not always available.
3074
047bdd8c 3075 NOTE 1: If ever this state of affairs changes, remember that we may be
010c2d14 3076 dealing with stdin/stdout here, in addition to TCP/IP connections.
047bdd8c
PH		 3077 Also, delays may be specified for non-SMTP input, where smtp_out and
3078 smtp_in will be NULL. Whatever is done must work in all cases.
3079
3080 NOTE 2: The added feature of flushing the output before a delay must
3081 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3082 */
010c2d14 3083
8e669ac1 3084 else
86b8287f 3085 {
14f4a80d 3086 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
86b8287f 3087 while (delay > 0) delay = sleep(delay);
8e669ac1 3088 }
059ec3d9
PH		 3089 }
3090 }
3091 break;
3092
71fafd95 3093 #ifdef WITH_OLD_DEMIME
8523533c
TK		 3094 case ACLC_DEMIME:
3095 rc = demime(&arg);
3096 break;
71fafd95 3097 #endif
8523533c 3098
80a47a2c
TK		 3099 #ifndef DISABLE_DKIM
3100 case ACLC_DKIM_SIGNER:
9e5d6b55
TK		 3101 if (dkim_cur_signer != NULL)
3102 rc = match_isinlist(dkim_cur_signer,
80a47a2c 3103 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
80a47a2c 3104 else
80a47a2c 3105 rc = FAIL;
71fafd95
PH		 3106 break;
3107
80a47a2c
TK		 3108 case ACLC_DKIM_STATUS:
3109 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3110 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
71fafd95
PH		 3111 break;
3112 #endif
fb2274d4 3113
059ec3d9
PH		 3114 case ACLC_DNSLISTS:
3115 rc = verify_check_dnsbl(&arg);
3116 break;
3117
3118 case ACLC_DOMAINS:
3119 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3120 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3121 break;
3122
3123 /* The value in tls_cipher is the full cipher name, for example,
3124 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3125 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3126 what may in practice come out of the SSL library - which at the time of
3127 writing is poorly documented. */
3128
3129 case ACLC_ENCRYPTED:
3130 if (tls_cipher == NULL) rc = FAIL; else
3131 {
3132 uschar *endcipher = NULL;
3133 uschar *cipher = Ustrchr(tls_cipher, ':');
3134 if (cipher == NULL) cipher = tls_cipher; else
3135 {
3136 endcipher = Ustrchr(++cipher, ':');
3137 if (endcipher != NULL) *endcipher = 0;
3138 }
3139 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3140 if (endcipher != NULL) *endcipher = ':';
3141 }
3142 break;
3143
3144 /* Use verify_check_this_host() instead of verify_check_host() so that
3145 we can pass over &host_data to catch any looked up data. Once it has been
3146 set, it retains its value so that it's still there if another ACL verb
3147 comes through here and uses the cache. However, we must put it into
3148 permanent store in case it is also expected to be used in a subsequent
3149 message in the same SMTP connection. */
3150
3151 case ACLC_HOSTS:
3152 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3153 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3154 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3155 break;
3156
3157 case ACLC_LOCAL_PARTS:
3158 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3159 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3160 &deliver_localpart_data);
3161 break;
3162
6ea85e9a
PH		 3163 case ACLC_LOG_REJECT_TARGET:
3164 {
3165 int logbits = 0;
3166 int sep = 0;
3167 uschar *s = arg;
3168 uschar *ss;
3169 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3170 != NULL)
3171 {
3172 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3173 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3174 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3175 else
3176 {
3177 logbits |= LOG_MAIN|LOG_REJECT;
3178 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3179 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3180 }
3181 }
3182 log_reject_target = logbits;
3183 }
3184 break;
3185
059ec3d9
PH		 3186 case ACLC_LOGWRITE:
3187 {
3188 int logbits = 0;
3189 uschar *s = arg;
3190 if (*s == ':')
3191 {
3192 s++;
3193 while (*s != ':')
3194 {
3195 if (Ustrncmp(s, "main", 4) == 0)
3196 { logbits |= LOG_MAIN; s += 4; }
3197 else if (Ustrncmp(s, "panic", 5) == 0)
3198 { logbits |= LOG_PANIC; s += 5; }
3199 else if (Ustrncmp(s, "reject", 6) == 0)
3200 { logbits |= LOG_REJECT; s += 6; }
3201 else
3202 {
3203 logbits = LOG_MAIN|LOG_PANIC;
3204 s = string_sprintf(":unknown log name in \"%s\" in "
3205 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3206 }
3207 if (*s == ',') s++;
3208 }
3209 s++;
3210 }
3211 while (isspace(*s)) s++;
6ea85e9a
PH		 3212
3213
059ec3d9
PH		 3214 if (logbits == 0) logbits = LOG_MAIN;
3215 log_write(0, logbits, "%s", string_printing(s));
3216 }
3217 break;
8e669ac1 3218
71fafd95 3219 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3220 case ACLC_MALWARE:
3221 {
6ea85e9a 3222 /* Separate the regular expression and any optional parameters. */
8523533c
TK		 3223 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3224 /* Run the malware backend. */
3225 rc = malware(&ss);
3226 /* Modify return code based upon the existance of options. */
3227 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3228 != NULL) {
3229 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3230 {
3231 /* FAIL so that the message is passed to the next ACL */
3232 rc = FAIL;
3233 }
3234 }
3235 }
3236 break;
3237
3238 case ACLC_MIME_REGEX:
71fafd95 3239 rc = mime_regex(&arg);
8523533c 3240 break;
71fafd95 3241 #endif
059ec3d9 3242
870f6ba8 3243 case ACLC_RATELIMIT:
90fc3069 3244 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 3245 break;
3246
059ec3d9
PH		 3247 case ACLC_RECIPIENTS:
3248 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3249 &recipient_data);
3250 break;
3251
71fafd95
PH		 3252 #ifdef WITH_CONTENT_SCAN
3253 case ACLC_REGEX:
3254 rc = regex(&arg);
8523533c 3255 break;
71fafd95 3256 #endif
8523533c 3257
059ec3d9
PH		 3258 case ACLC_SENDER_DOMAINS:
3259 {
3260 uschar *sdomain;
3261 sdomain = Ustrrchr(sender_address, '@');
3262 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3263 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3264 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3265 }
3266 break;
3267
3268 case ACLC_SENDERS:
3269 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3270 sender_address_cache, -1, 0, &sender_data);
3271 break;
3272
3273 /* Connection variables must persist forever */
3274
3275 case ACLC_SET:
3276 {
3277 int old_pool = store_pool;
38a0a95f
PH		 3278 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3279 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 3280 store_pool = old_pool;
3281 }
3282 break;
3283
71fafd95 3284 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3285 case ACLC_SPAM:
3286 {
3287 /* Seperate the regular expression and any optional parameters. */
3288 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3289 /* Run the spam backend. */
3290 rc = spam(&ss);
3291 /* Modify return code based upon the existance of options. */
3292 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3293 != NULL) {
3294 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3295 {
3296 /* FAIL so that the message is passed to the next ACL */
3297 rc = FAIL;
3298 }
3299 }
3300 }
3301 break;
71fafd95 3302 #endif
8523533c 3303
71fafd95 3304 #ifdef EXPERIMENTAL_SPF
8523533c 3305 case ACLC_SPF:
65a7d8c3
NM		 3306 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3307 break;
3308 case ACLC_SPF_GUESS:
3309 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
8523533c 3310 break;
71fafd95 3311 #endif
8523533c 3312
059ec3d9
PH		 3313 /* If the verb is WARN, discard any user message from verification, because
3314 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3315 only from explicit "message" modifiers. However, put the user message into
3316 $acl_verify_message so it can be used in subsequent conditions or modifiers
3317 (until something changes it). */
059ec3d9
PH		 3318
3319 case ACLC_VERIFY:
3320 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3321 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3322 if (verb == ACL_WARN) *user_msgptr = NULL;
3323 break;
3324
3325 default:
3326 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3327 "condition %d", cb->type);
3328 break;
3329 }
3330
3331 /* If a condition was negated, invert OK/FAIL. */
3332
3333 if (!cond_modifiers[cb->type] && cb->u.negated)
3334 {
3335 if (rc == OK) rc = FAIL;
3336 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3337 }
3338
3339 if (rc != OK) break; /* Conditions loop */
3340 }
3341
3342
3343/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3344handle the values of these modifiers. If there isn't a log message set, we make
3345it the same as the user message.
059ec3d9
PH		 3346
3347"message" is a user message that will be included in an SMTP response. Unless
3348it is empty, it overrides any previously set user message.
3349
3350"log_message" is a non-user message, and it adds to any existing non-user
3351message that is already set.
3352
4e88a19f
PH		 3353Most verbs have but a single return for which the messages are relevant, but
3354for "discard", it's useful to have the log message both when it succeeds and
3355when it fails. For "accept", the message is used in the OK case if there is no
3356"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3357present. */
059ec3d9 3358
4e88a19f
PH		 3359if (*epp && rc == OK) user_message = NULL;
3360
3361if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3362 {
3363 uschar *expmessage;
4e88a19f
PH		 3364 uschar *old_user_msgptr = *user_msgptr;
3365 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3366
3367 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3368 nested ACLs) are always discarded. This also happens for acceptance verbs
3369 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3370 However, the value of an existing message is available in $acl_verify_message
3371 during expansions. */
3372
4e88a19f
PH		 3373 if (verb == ACL_WARN ||
3374 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3375 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3376
3377 if (user_message != NULL)
3378 {
3379 acl_verify_message = old_user_msgptr;
3380 expmessage = expand_string(user_message);
3381 if (expmessage == NULL)
3382 {
3383 if (!expand_string_forcedfail)
3384 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3385 user_message, expand_string_message);
3386 }
3387 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3388 }
3389
3390 if (log_message != NULL)
3391 {
3392 acl_verify_message = old_log_msgptr;
3393 expmessage = expand_string(log_message);
3394 if (expmessage == NULL)
3395 {
3396 if (!expand_string_forcedfail)
3397 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3398 log_message, expand_string_message);
3399 }
3400 else if (expmessage[0] != 0)
3401 {
3402 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3403 string_sprintf("%s: %s", expmessage, *log_msgptr);
3404 }
3405 }
3406
3407 /* If no log message, default it to the user message */
3408
3409 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3410 }
3411
3412acl_verify_message = NULL;
3413return rc;
3414}
3415
3416
3417
3418
3419
3420/*************************************************
3421* Get line from a literal ACL *
3422*************************************************/
3423
3424/* This function is passed to acl_read() in order to extract individual lines
3425of a literal ACL, which we access via static pointers. We can destroy the
3426contents because this is called only once (the compiled ACL is remembered).
3427
3428This code is intended to treat the data in the same way as lines in the main
3429Exim configuration file. That is:
3430
3431 . Leading spaces are ignored.
3432
3433 . A \ at the end of a line is a continuation - trailing spaces after the \
3434 are permitted (this is because I don't believe in making invisible things
3435 significant). Leading spaces on the continued part of a line are ignored.
3436
3437 . Physical lines starting (significantly) with # are totally ignored, and
3438 may appear within a sequence of backslash-continued lines.
3439
3440 . Blank lines are ignored, but will end a sequence of continuations.
3441
3442Arguments: none
3443Returns: a pointer to the next line
3444*/
3445
3446
3447static uschar *acl_text; /* Current pointer in the text */
3448static uschar *acl_text_end; /* Points one past the terminating '0' */
3449
3450
3451static uschar *
3452acl_getline(void)
3453{
3454uschar *yield;
3455
3456/* This loop handles leading blank lines and comments. */
3457
3458for(;;)
3459 {
3460 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3461 if (*acl_text == 0) return NULL; /* No more data */
3462 yield = acl_text; /* Potential data line */
3463
3464 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3465
3466 /* If we hit the end before a newline, we have the whole logical line. If
3467 it's a comment, there's no more data to be given. Otherwise, yield it. */
3468
3469 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3470
3471 /* After reaching a newline, end this loop if the physical line does not
3472 start with '#'. If it does, it's a comment, and the loop continues. */
3473
3474 if (*yield != '#') break;
3475 }
3476
3477/* This loop handles continuations. We know we have some real data, ending in
3478newline. See if there is a continuation marker at the end (ignoring trailing
3479white space). We know that *yield is not white space, so no need to test for
3480cont > yield in the backwards scanning loop. */
3481
3482for(;;)
3483 {
3484 uschar *cont;
3485 for (cont = acl_text - 1; isspace(*cont); cont--);
3486
3487 /* If no continuation follows, we are done. Mark the end of the line and
3488 return it. */
3489
3490 if (*cont != '\\')
3491 {
3492 *acl_text++ = 0;
3493 return yield;
3494 }
3495
3496 /* We have encountered a continuation. Skip over whitespace at the start of
3497 the next line, and indeed the whole of the next line or lines if they are
3498 comment lines. */
3499
3500 for (;;)
3501 {
3502 while (*(++acl_text) == ' ' || *acl_text == '\t');
3503 if (*acl_text != '#') break;
3504 while (*(++acl_text) != 0 && *acl_text != '\n');
3505 }
3506
3507 /* We have the start of a continuation line. Move all the rest of the data
3508 to join onto the previous line, and then find its end. If the end is not a
3509 newline, we are done. Otherwise loop to look for another continuation. */
3510
3511 memmove(cont, acl_text, acl_text_end - acl_text);
3512 acl_text_end -= acl_text - cont;
3513 acl_text = cont;
3514 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3515 if (*acl_text == 0) return yield;
3516 }
3517
3518/* Control does not reach here */
3519}
3520
3521
3522
3523
3524
3525/*************************************************
3526* Check access using an ACL *
3527*************************************************/
3528
3529/* This function is called from address_check. It may recurse via
3530acl_check_condition() - hence the use of a level to stop looping. The ACL is
3531passed as a string which is expanded. A forced failure implies no access check
3532is required. If the result is a single word, it is taken as the name of an ACL
3533which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3534text, complete with newlines, and parsed as such. In both cases, the ACL check
3535is then run. This function uses an auxiliary function for acl_read() to call
3536for reading individual lines of a literal ACL. This is acl_getline(), which
3537appears immediately above.
3538
3539Arguments:
3540 where where called from
3541 addr address item when called from RCPT; otherwise NULL
3542 s the input string; NULL is the same as an empty ACL => DENY
3543 level the nesting level
3544 user_msgptr where to put a user error (for SMTP response)
3545 log_msgptr where to put a logging message (not for SMTP response)
3546
3547Returns: OK access is granted
3548 DISCARD access is apparently granted...
3549 FAIL access is denied
3550 FAIL_DROP access is denied; drop the connection
3551 DEFER can't tell at the moment
3552 ERROR disaster
3553*/
3554
3555static int
3556acl_check_internal(int where, address_item *addr, uschar *s, int level,
3557 uschar **user_msgptr, uschar **log_msgptr)
3558{
3559int fd = -1;
3560acl_block *acl = NULL;
3561uschar *acl_name = US"inline ACL";
3562uschar *ss;
3563
3564/* Catch configuration loops */
3565
3566if (level > 20)
3567 {
3568 *log_msgptr = US"ACL nested too deep: possible loop";
3569 return ERROR;
3570 }
3571
3572if (s == NULL)
3573 {
3574 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3575 return FAIL;
3576 }
3577
3578/* At top level, we expand the incoming string. At lower levels, it has already
3579been expanded as part of condition processing. */
3580
3581if (level == 0)
3582 {
3583 ss = expand_string(s);
3584 if (ss == NULL)
3585 {
3586 if (expand_string_forcedfail) return OK;
3587 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3588 expand_string_message);
3589 return ERROR;
3590 }
3591 }
3592else ss = s;
3593
3594while (isspace(*ss))ss++;
3595
3596/* If we can't find a named ACL, the default is to parse it as an inline one.
3597(Unless it begins with a slash; non-existent files give rise to an error.) */
3598
3599acl_text = ss;
3600
3601/* Handle the case of a string that does not contain any spaces. Look for a
3602named ACL among those read from the configuration, or a previously read file.
3603It is possible that the pointer to the ACL is NULL if the configuration
3604contains a name with no data. If not found, and the text begins with '/',
3605read an ACL from a file, and save it so it can be re-used. */
3606
3607if (Ustrchr(ss, ' ') == NULL)
3608 {
3609 tree_node *t = tree_search(acl_anchor, ss);
3610 if (t != NULL)
3611 {
3612 acl = (acl_block *)(t->data.ptr);
3613 if (acl == NULL)
3614 {
3615 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3616 return FAIL;
3617 }
3618 acl_name = string_sprintf("ACL \"%s\"", ss);
3619 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3620 }
3621
3622 else if (*ss == '/')
3623 {
3624 struct stat statbuf;
3625 fd = Uopen(ss, O_RDONLY, 0);
3626 if (fd < 0)
3627 {
3628 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3629 strerror(errno));
3630 return ERROR;
3631 }
3632
3633 if (fstat(fd, &statbuf) != 0)
3634 {
3635 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3636 strerror(errno));
3637 return ERROR;
3638 }
3639
3640 acl_text = store_get(statbuf.st_size + 1);
3641 acl_text_end = acl_text + statbuf.st_size + 1;
3642
3643 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3644 {
3645 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3646 ss, strerror(errno));
3647 return ERROR;
3648 }
3649 acl_text[statbuf.st_size] = 0;
f1e894f3 3650 (void)close(fd);
059ec3d9
PH		 3651
3652 acl_name = string_sprintf("ACL \"%s\"", ss);
3653 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3654 }
3655 }
3656
3657/* Parse an ACL that is still in text form. If it came from a file, remember it
3658in the ACL tree, having read it into the POOL_PERM store pool so that it
3659persists between multiple messages. */
3660
3661if (acl == NULL)
3662 {
3663 int old_pool = store_pool;
3664 if (fd >= 0) store_pool = POOL_PERM;
3665 acl = acl_read(acl_getline, log_msgptr);
3666 store_pool = old_pool;
3667 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3668 if (fd >= 0)
3669 {
3670 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3671 Ustrcpy(t->name, ss);
3672 t->data.ptr = acl;
3673 (void)tree_insertnode(&acl_anchor, t);
3674 }
3675 }
3676
3677/* Now we have an ACL to use. It's possible it may be NULL. */
3678
3679while (acl != NULL)
3680 {
3681 int cond;
3682 int basic_errno = 0;
3683 BOOL endpass_seen = FALSE;
3684
3685 *log_msgptr = *user_msgptr = NULL;
3686 acl_temp_details = FALSE;
3687
7353285c 3688 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
059ec3d9
PH		 3689 acl->verb != ACL_ACCEPT &&
3690 acl->verb != ACL_WARN)
3691 {
7353285c 3692 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
059ec3d9
PH		 3693 verbs[acl->verb]);
3694 return ERROR;
3695 }
3696
3697 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3698
3699 /* Clear out any search error message from a previous check before testing
3700 this condition. */
3701
3702 search_error_message = NULL;
3703 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3704 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3705
3706 /* Handle special returns: DEFER causes a return except on a WARN verb;
3707 ERROR always causes a return. */
3708
3709 switch (cond)
3710 {
3711 case DEFER:
3712 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3713 if (basic_errno != ERRNO_CALLOUTDEFER)
3714 {
3715 if (search_error_message != NULL && *search_error_message != 0)
3716 *log_msgptr = search_error_message;
3717 if (smtp_return_error_details) acl_temp_details = TRUE;
3718 }
3719 else
3720 {
3721 acl_temp_details = TRUE;
3722 }
3723 if (acl->verb != ACL_WARN) return DEFER;
3724 break;
3725
3726 default: /* Paranoia */
3727 case ERROR:
3728 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3729 return ERROR;
3730
3731 case OK:
3732 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3733 verbs[acl->verb]);
3734 break;
3735
3736 case FAIL:
3737 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3738 break;
3739
3740 /* DISCARD and DROP can happen only from a nested ACL condition, and
3741 DISCARD can happen only for an "accept" or "discard" verb. */
3742
3743 case DISCARD:
3744 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3745 verbs[acl->verb]);
3746 break;
3747
3748 case FAIL_DROP:
3749 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3750 verbs[acl->verb]);
3751 break;
3752 }
3753
3754 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3755 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3756 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3757
3758 switch(acl->verb)
3759 {
3760 case ACL_ACCEPT:
3761 if (cond == OK || cond == DISCARD) return cond;
3762 if (endpass_seen)
3763 {
3764 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3765 return cond;
3766 }
3767 break;
3768
3769 case ACL_DEFER:
3770 if (cond == OK)
3771 {
3772 acl_temp_details = TRUE;
3773 return DEFER;
3774 }
3775 break;
3776
3777 case ACL_DENY:
3778 if (cond == OK) return FAIL;
3779 break;
3780
3781 case ACL_DISCARD:
3782 if (cond == OK || cond == DISCARD) return DISCARD;
3783 if (endpass_seen)
3784 {
3785 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3786 return cond;
3787 }
3788 break;
3789
3790 case ACL_DROP:
3791 if (cond == OK) return FAIL_DROP;
3792 break;
3793
3794 case ACL_REQUIRE:
3795 if (cond != OK) return cond;
3796 break;
3797
3798 case ACL_WARN:
3799 if (cond == OK)
3800 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3801 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3802 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3803 "condition test deferred%s%s", host_and_ident(TRUE),
3804 (*log_msgptr == NULL)? US"" : US": ",
3805 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3806 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3807 break;
3808
3809 default:
3810 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3811 acl->verb);
3812 break;
3813 }
3814
3815 /* Pass to the next ACL item */
3816
3817 acl = acl->next;
3818 }
3819
3820/* We have reached the end of the ACL. This is an implicit DENY. */
3821
3822HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3823return FAIL;
3824}
3825
3826
3827/*************************************************
3828* Check access using an ACL *
3829*************************************************/
3830
3831/* This is the external interface for ACL checks. It sets up an address and the
3832expansions for $domain and $local_part when called after RCPT, then calls
3833acl_check_internal() to do the actual work.
3834
3835Arguments:
3836 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3837 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3838 s the input string; NULL is the same as an empty ACL => DENY
3839 user_msgptr where to put a user error (for SMTP response)
3840 log_msgptr where to put a logging message (not for SMTP response)
3841
3842Returns: OK access is granted by an ACCEPT verb
3843 DISCARD access is granted by a DISCARD verb
3844 FAIL access is denied
3845 FAIL_DROP access is denied; drop the connection
3846 DEFER can't tell at the moment
3847 ERROR disaster
3848*/
3849
3850int
64ffc24f 3851acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3852 uschar **log_msgptr)
3853{
3854int rc;
3855address_item adb;
64ffc24f 3856address_item *addr = NULL;
059ec3d9
PH		 3857
3858*user_msgptr = *log_msgptr = NULL;
3859sender_verified_failed = NULL;
fe0dab11 3860ratelimiters_cmd = NULL;
6ea85e9a 3861log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9
PH		 3862
3863if (where == ACL_WHERE_RCPT)
3864 {
3865 adb = address_defaults;
3866 addr = &adb;
64ffc24f 3867 addr->address = recipient;
059ec3d9
PH		 3868 if (deliver_split_address(addr) == DEFER)
3869 {
3870 *log_msgptr = US"defer in percent_hack_domains check";
3871 return DEFER;
3872 }
3873 deliver_domain = addr->domain;
3874 deliver_localpart = addr->local_part;
3875 }
059ec3d9
PH		 3876
3877rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3878
64ffc24f
PH		 3879deliver_domain = deliver_localpart = deliver_address_data =
3880 sender_address_data = NULL;
059ec3d9
PH		 3881
3882/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3883ACL, which is really in the middle of an SMTP command. */
3884
3885if (rc == DISCARD)
3886 {
3887 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3888 {
3889 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3890 "ACL", acl_wherenames[where]);
3891 return ERROR;
3892 }
3893 return DISCARD;
3894 }
3895
3896/* A DROP response is not permitted from MAILAUTH */
3897
3898if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3899 {
3900 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3901 "ACL", acl_wherenames[where]);
3902 return ERROR;
3903 }
3904
4e88a19f
PH		 3905/* Before giving a response, take a look at the length of any user message, and
3906split it up into multiple lines if possible. */
059ec3d9 3907
e28326d8
PH		 3908*user_msgptr = string_split_message(*user_msgptr);
3909if (fake_response != OK)
3910 fake_response_text = string_split_message(fake_response_text);
059ec3d9
PH		 3911
3912return rc;
3913}
3914
38a0a95f
PH		 3915
3916
3917/*************************************************
3918* Create ACL variable *
3919*************************************************/
3920
3921/* Create an ACL variable or reuse an existing one. ACL variables are in a
3922binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3923
3924Argument:
3925 name pointer to the variable's name, starting with c or m
3926
3927Returns the pointer to variable's tree node
3928*/
3929
3930tree_node *
3931acl_var_create(uschar *name)
3932{
3933tree_node *node, **root;
3934root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3935node = tree_search(*root, name);
3936if (node == NULL)
3937 {
3938 node = store_get(sizeof(tree_node) + Ustrlen(name));
3939 Ustrcpy(node->name, name);
3940 (void)tree_insertnode(root, node);
3941 }
3942node->data.ptr = NULL;
3943return node;
3944}
3945
3946
3947
3948/*************************************************
3949* Write an ACL variable in spool format *
3950*************************************************/
3951
3952/* This function is used as a callback for tree_walk when writing variables to
3953the spool file. To retain spool file compatibility, what is written is -aclc or
3954-aclm followed by the rest of the name and the data length, space separated,
3955then the value itself, starting on a new line, and terminated by an additional
3956newline. When we had only numbered ACL variables, the first line might look
3957like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3958acl_cfoo.
3959
3960Arguments:
3961 name of the variable
3962 value of the variable
3963 ctx FILE pointer (as a void pointer)
3964
3965Returns: nothing
3966*/
3967
3968void
3969acl_var_write(uschar *name, uschar *value, void *ctx)
3970{
3971FILE *f = (FILE *)ctx;
3972fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
3973}
3974
059ec3d9 3975/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.