projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add control=no_pipelining.
[exim.git] / src / src / acl.c
CommitLineData
cf8b11a5 1/* $Cambridge: exim/src/src/acl.c,v 1.69 2007/01/30 11:45:20 ph10 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
184e8823 7/* Copyright (c) University of Cambridge 1995 - 2007 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
4e88a19f
PH		 30/* For each verb, the conditions for which "message" or "log_message" are used
31are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
32"accept", the FAIL case is used only after "endpass", but that is selected in
33the code. */
34
35static int msgcond[] = {
36 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
37 (1<<OK), /* defer */
38 (1<<OK), /* deny */
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
40 (1<<OK), /* drop */
41 (1<<FAIL) | (1<<FAIL_DROP), /* require */
42 (1<<OK) /* warn */
43 };
059ec3d9
PH		 44
45/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 46follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
47down. */
059ec3d9 48
71fafd95
PH		 49enum { ACLC_ACL,
50 ACLC_ADD_HEADER,
51 ACLC_AUTHENTICATED,
8523533c
TK		 52#ifdef EXPERIMENTAL_BRIGHTMAIL
53 ACLC_BMI_OPTIN,
54#endif
71fafd95
PH		 55 ACLC_CONDITION,
56 ACLC_CONTROL,
8523533c
TK		 57#ifdef WITH_CONTENT_SCAN
58 ACLC_DECODE,
59#endif
60 ACLC_DELAY,
61#ifdef WITH_OLD_DEMIME
62 ACLC_DEMIME,
fb2274d4
TK		 63#endif
64#ifdef EXPERIMENTAL_DOMAINKEYS
65 ACLC_DK_DOMAIN_SOURCE,
66 ACLC_DK_POLICY,
67 ACLC_DK_SENDER_DOMAINS,
68 ACLC_DK_SENDER_LOCAL_PARTS,
69 ACLC_DK_SENDERS,
70 ACLC_DK_STATUS,
8e669ac1 71#endif
71fafd95
PH		 72 ACLC_DNSLISTS,
73 ACLC_DOMAINS,
74 ACLC_ENCRYPTED,
75 ACLC_ENDPASS,
76 ACLC_HOSTS,
77 ACLC_LOCAL_PARTS,
78 ACLC_LOG_MESSAGE,
6ea85e9a 79 ACLC_LOG_REJECT_TARGET,
71fafd95 80 ACLC_LOGWRITE,
8523533c
TK		 81#ifdef WITH_CONTENT_SCAN
82 ACLC_MALWARE,
83#endif
84 ACLC_MESSAGE,
85#ifdef WITH_CONTENT_SCAN
86 ACLC_MIME_REGEX,
87#endif
870f6ba8 88 ACLC_RATELIMIT,
8523533c
TK		 89 ACLC_RECIPIENTS,
90#ifdef WITH_CONTENT_SCAN
91 ACLC_REGEX,
92#endif
71fafd95
PH		 93 ACLC_SENDER_DOMAINS,
94 ACLC_SENDERS,
95 ACLC_SET,
8523533c 96#ifdef WITH_CONTENT_SCAN
8e669ac1 97 ACLC_SPAM,
8523533c
TK		 98#endif
99#ifdef EXPERIMENTAL_SPF
100 ACLC_SPF,
101#endif
102 ACLC_VERIFY };
059ec3d9
PH		 103
104/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
6ea85e9a
PH		 105"log_message", "log_reject_target", "logwrite", and "set" are modifiers that
106look like conditions but always return TRUE. They are used for their side
107effects. */
059ec3d9 108
9a26b6b2
PH		 109static uschar *conditions[] = {
110 US"acl",
71fafd95 111 US"add_header",
9a26b6b2 112 US"authenticated",
8523533c
TK		 113#ifdef EXPERIMENTAL_BRIGHTMAIL
114 US"bmi_optin",
115#endif
116 US"condition",
8e669ac1 117 US"control",
8523533c
TK		 118#ifdef WITH_CONTENT_SCAN
119 US"decode",
120#endif
121 US"delay",
122#ifdef WITH_OLD_DEMIME
123 US"demime",
fb2274d4
TK		 124#endif
125#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 126 US"dk_domain_source",
127 US"dk_policy",
128 US"dk_sender_domains",
129 US"dk_sender_local_parts",
130 US"dk_senders",
131 US"dk_status",
8523533c 132#endif
6ea85e9a
PH		 133 US"dnslists",
134 US"domains",
135 US"encrypted",
136 US"endpass",
137 US"hosts",
138 US"local_parts",
139 US"log_message",
140 US"log_reject_target",
141 US"logwrite",
8523533c
TK		 142#ifdef WITH_CONTENT_SCAN
143 US"malware",
144#endif
145 US"message",
146#ifdef WITH_CONTENT_SCAN
147 US"mime_regex",
148#endif
870f6ba8 149 US"ratelimit",
8523533c
TK		 150 US"recipients",
151#ifdef WITH_CONTENT_SCAN
152 US"regex",
153#endif
154 US"sender_domains", US"senders", US"set",
155#ifdef WITH_CONTENT_SCAN
156 US"spam",
157#endif
158#ifdef EXPERIMENTAL_SPF
159 US"spf",
160#endif
059ec3d9 161 US"verify" };
8e669ac1 162
c5fcb476 163
9a26b6b2
PH		 164/* Return values from decode_control(); keep in step with the table of names
165that follows! */
166
167enum {
c46782ef
PH		 168 CONTROL_AUTH_UNADVERTISED,
169 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 170 CONTROL_BMI_RUN,
c46782ef
PH		 171 #endif
172 #ifdef EXPERIMENTAL_DOMAINKEYS
9a26b6b2 173 CONTROL_DK_VERIFY,
c46782ef
PH		 174 #endif
175 CONTROL_ERROR,
176 CONTROL_CASEFUL_LOCAL_PART,
177 CONTROL_CASELOWER_LOCAL_PART,
178 CONTROL_ENFORCE_SYNC,
179 CONTROL_NO_ENFORCE_SYNC,
180 CONTROL_FREEZE,
181 CONTROL_QUEUE_ONLY,
182 CONTROL_SUBMISSION,
183 CONTROL_SUPPRESS_LOCAL_FIXUPS,
184 #ifdef WITH_CONTENT_SCAN
9a26b6b2 185 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 186 #endif
187 CONTROL_FAKEDEFER,
188 CONTROL_FAKEREJECT,
cf8b11a5
PH		 189 CONTROL_NO_MULTILINE,
190 CONTROL_NO_PIPELINING
c46782ef 191};
9a26b6b2 192
8800895a
PH		 193/* ACL control names; keep in step with the table above! This list is used for
194turning ids into names. The actual list of recognized names is in the variable
195control_def controls_list[] below. The fact that there are two lists is a mess
196and should be tidied up. */
9a26b6b2
PH		 197
198static uschar *controls[] = {
c46782ef 199 US"allow_auth_unadvertised",
9a26b6b2
PH		 200 #ifdef EXPERIMENTAL_BRIGHTMAIL
201 US"bmi_run",
202 #endif
203 #ifdef EXPERIMENTAL_DOMAINKEYS
204 US"dk_verify",
205 #endif
c46782ef
PH		 206 US"error",
207 US"caseful_local_part",
208 US"caselower_local_part",
209 US"enforce_sync",
210 US"no_enforce_sync",
211 US"freeze",
212 US"queue_only",
213 US"submission",
214 US"suppress_local_fixups",
9a26b6b2
PH		 215 #ifdef WITH_CONTENT_SCAN
216 US"no_mbox_unspool",
217 #endif
cf8b11a5
PH		 218 US"fakedefer",
219 US"fakereject",
220 US"no_multiline",
221 US"no_pipelining",
c46782ef 222};
059ec3d9
PH		 223
224/* Flags to indicate for which conditions /modifiers a string expansion is done
225at the outer level. In the other cases, expansion already occurs in the
226checking functions. */
227
228static uschar cond_expand_at_top[] = {
229 TRUE, /* acl */
3e536984 230 TRUE, /* add_header */
059ec3d9 231 FALSE, /* authenticated */
8523533c
TK		 232#ifdef EXPERIMENTAL_BRIGHTMAIL
233 TRUE, /* bmi_optin */
8e669ac1 234#endif
059ec3d9
PH		 235 TRUE, /* condition */
236 TRUE, /* control */
8523533c
TK		 237#ifdef WITH_CONTENT_SCAN
238 TRUE, /* decode */
239#endif
059ec3d9 240 TRUE, /* delay */
8523533c
TK		 241#ifdef WITH_OLD_DEMIME
242 TRUE, /* demime */
fb2274d4
TK		 243#endif
244#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 245 TRUE, /* dk_domain_source */
246 TRUE, /* dk_policy */
247 TRUE, /* dk_sender_domains */
e715ad22 248 TRUE, /* dk_sender_local_parts */
7f45268c
PH		 249 TRUE, /* dk_senders */
250 TRUE, /* dk_status */
8523533c 251#endif
059ec3d9
PH		 252 TRUE, /* dnslists */
253 FALSE, /* domains */
254 FALSE, /* encrypted */
255 TRUE, /* endpass */
256 FALSE, /* hosts */
257 FALSE, /* local_parts */
258 TRUE, /* log_message */
6ea85e9a 259 TRUE, /* log_reject_target */
059ec3d9 260 TRUE, /* logwrite */
8523533c
TK		 261#ifdef WITH_CONTENT_SCAN
262 TRUE, /* malware */
263#endif
059ec3d9 264 TRUE, /* message */
8523533c
TK		 265#ifdef WITH_CONTENT_SCAN
266 TRUE, /* mime_regex */
267#endif
870f6ba8 268 TRUE, /* ratelimit */
059ec3d9 269 FALSE, /* recipients */
8523533c
TK		 270#ifdef WITH_CONTENT_SCAN
271 TRUE, /* regex */
272#endif
059ec3d9
PH		 273 FALSE, /* sender_domains */
274 FALSE, /* senders */
275 TRUE, /* set */
8523533c
TK		 276#ifdef WITH_CONTENT_SCAN
277 TRUE, /* spam */
278#endif
279#ifdef EXPERIMENTAL_SPF
280 TRUE, /* spf */
281#endif
059ec3d9
PH		 282 TRUE /* verify */
283};
284
285/* Flags to identify the modifiers */
286
287static uschar cond_modifiers[] = {
288 FALSE, /* acl */
3e536984 289 TRUE, /* add_header */
059ec3d9 290 FALSE, /* authenticated */
8523533c
TK		 291#ifdef EXPERIMENTAL_BRIGHTMAIL
292 TRUE, /* bmi_optin */
8e669ac1 293#endif
059ec3d9
PH		 294 FALSE, /* condition */
295 TRUE, /* control */
8523533c
TK		 296#ifdef WITH_CONTENT_SCAN
297 FALSE, /* decode */
298#endif
059ec3d9 299 TRUE, /* delay */
8523533c
TK		 300#ifdef WITH_OLD_DEMIME
301 FALSE, /* demime */
fb2274d4
TK		 302#endif
303#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 304 FALSE, /* dk_domain_source */
305 FALSE, /* dk_policy */
306 FALSE, /* dk_sender_domains */
e715ad22 307 FALSE, /* dk_sender_local_parts */
7f45268c
PH		 308 FALSE, /* dk_senders */
309 FALSE, /* dk_status */
8523533c 310#endif
059ec3d9
PH		 311 FALSE, /* dnslists */
312 FALSE, /* domains */
313 FALSE, /* encrypted */
314 TRUE, /* endpass */
315 FALSE, /* hosts */
316 FALSE, /* local_parts */
317 TRUE, /* log_message */
6ea85e9a 318 TRUE, /* log_reject_target */
8523533c
TK		 319 TRUE, /* logwrite */
320#ifdef WITH_CONTENT_SCAN
321 FALSE, /* malware */
322#endif
059ec3d9 323 TRUE, /* message */
8523533c
TK		 324#ifdef WITH_CONTENT_SCAN
325 FALSE, /* mime_regex */
326#endif
870f6ba8 327 FALSE, /* ratelimit */
059ec3d9 328 FALSE, /* recipients */
8523533c
TK		 329#ifdef WITH_CONTENT_SCAN
330 FALSE, /* regex */
331#endif
059ec3d9
PH		 332 FALSE, /* sender_domains */
333 FALSE, /* senders */
334 TRUE, /* set */
8523533c
TK		 335#ifdef WITH_CONTENT_SCAN
336 FALSE, /* spam */
337#endif
338#ifdef EXPERIMENTAL_SPF
339 FALSE, /* spf */
340#endif
059ec3d9
PH		 341 FALSE /* verify */
342};
343
c5fcb476 344/* Bit map vector of which conditions are not allowed at certain times. For
2f079f46
PH		 345each condition, there's a bitmap of dis-allowed times. For some, it is easier
346to specify the negation of a small number of allowed times. */
059ec3d9
PH		 347
348static unsigned int cond_forbids[] = {
349 0, /* acl */
8e669ac1 350
71fafd95 351 (unsigned int)
45b91596 352 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 353 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596
PH		 354 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
355 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 356
45b91596
PH		 357 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
358 (1<<ACL_WHERE_NOTSMTP_START)|
359 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 360
71fafd95 361 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 362 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 363 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
364 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 365 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 366 (1<<ACL_WHERE_MAILAUTH)|
367 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 368 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
369 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 370 #endif
8e669ac1 371
059ec3d9 372 0, /* condition */
8e669ac1 373
059ec3d9 374 /* Certain types of control are always allowed, so we let it through
2f079f46 375 always and check in the control processing itself. */
8e669ac1 376
059ec3d9 377 0, /* control */
8e669ac1 378
71fafd95 379 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 380 (unsigned int)
381 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 382 #endif
8523533c 383
059ec3d9 384 0, /* delay */
8e669ac1 385
71fafd95 386 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 387 (unsigned int)
388 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 389 #endif
8e669ac1 390
71fafd95 391 #ifdef EXPERIMENTAL_DOMAINKEYS
2f079f46 392 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK		 393 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
394 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
395 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
396 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
397 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 398 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 399
2f079f46 400 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK		 401 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
402 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
403 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
404 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
405 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 406 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 407
2f079f46 408 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK		 409 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
410 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
411 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
412 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
413 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 414 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 415
2f079f46 416 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK		 417 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
418 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
419 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
420 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
421 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 422 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 423
2f079f46 424 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK		 425 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
426 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
427 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
428 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
429 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 430 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 431
2f079f46 432 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK		 433 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
434 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
435 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
436 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
437 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 438 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
71fafd95 439 #endif
fb2274d4 440
45b91596
PH		 441 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
442 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 443
2f079f46
PH		 444 (unsigned int)
445 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 446
45b91596
PH		 447 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
448 (1<<ACL_WHERE_CONNECT)|
449 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 450 (1<<ACL_WHERE_HELO),
8e669ac1 451
059ec3d9 452 0, /* endpass */
8e669ac1 453
45b91596
PH		 454 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
455 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 456
2f079f46
PH		 457 (unsigned int)
458 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 459
460 0, /* log_message */
8e669ac1 461
6ea85e9a
PH		 462 0, /* log_reject_target */
463
059ec3d9 464 0, /* logwrite */
8e669ac1 465
71fafd95 466 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 467 (unsigned int)
468 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 469 #endif
8523533c 470
059ec3d9
PH		 471 0, /* message */
472
71fafd95 473 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 474 (unsigned int)
475 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 476 #endif
8523533c 477
870f6ba8
TF		 478 0, /* ratelimit */
479
2f079f46
PH		 480 (unsigned int)
481 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 482
71fafd95 483 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 484 (unsigned int)
485 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
486 (1<<ACL_WHERE_MIME)),
71fafd95 487 #endif
8523533c 488
059ec3d9
PH		 489 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
490 (1<<ACL_WHERE_HELO)|
491 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
492 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
493 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
494
495 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
496 (1<<ACL_WHERE_HELO)|
497 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
498 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
499 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
500
501 0, /* set */
502
71fafd95 503 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 504 (unsigned int)
505 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 506 #endif
8523533c 507
71fafd95 508 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 509 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
510 (1<<ACL_WHERE_HELO)|
511 (1<<ACL_WHERE_MAILAUTH)|
512 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 513 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
514 (1<<ACL_WHERE_NOTSMTP)|
515 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 516 #endif
8523533c 517
059ec3d9
PH		 518 /* Certain types of verify are always allowed, so we let it through
519 always and check in the verify function itself */
520
521 0 /* verify */
059ec3d9
PH		 522};
523
524
c5fcb476
PH		 525/* Bit map vector of which controls are not allowed at certain times. For
526each control, there's a bitmap of dis-allowed times. For some, it is easier to
527specify the negation of a small number of allowed times. */
528
529static unsigned int control_forbids[] = {
c46782ef
PH		 530 (unsigned int)
531 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
532
533 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 534 0, /* bmi_run */
c46782ef
PH		 535 #endif
536
537 #ifdef EXPERIMENTAL_DOMAINKEYS
45b91596
PH		 538 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dk_verify */
539 (1<<ACL_WHERE_NOTSMTP_START),
c46782ef 540 #endif
3e11c26b 541
c5fcb476 542 0, /* error */
8e669ac1
PH		 543
544 (unsigned int)
c5fcb476 545 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 546
547 (unsigned int)
c5fcb476 548 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 549
45b91596
PH		 550 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
551 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 552
45b91596
PH		 553 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
554 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 555
556 (unsigned int)
c5fcb476
PH		 557 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
558 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 559 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 560
561 (unsigned int)
c5fcb476
PH		 562 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
563 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 564 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 565
566 (unsigned int)
c5fcb476 567 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 568 (1<<ACL_WHERE_PREDATA)),
8523533c 569
8800895a
PH		 570 (unsigned int)
571 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 572 (1<<ACL_WHERE_PREDATA)|
573 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 574
c46782ef 575 #ifdef WITH_CONTENT_SCAN
8e669ac1 576 (unsigned int)
14d57970 577 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 578 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
579 (1<<ACL_WHERE_MIME)),
c46782ef 580 #endif
a6c4ab60 581
29aba418
TF		 582 (unsigned int)
583 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
584 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
585 (1<<ACL_WHERE_MIME)),
586
8e669ac1 587 (unsigned int)
a6c4ab60 588 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 589 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
590 (1<<ACL_WHERE_MIME)),
8523533c 591
45b91596 592 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH		 593 (1<<ACL_WHERE_NOTSMTP_START),
594
595 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
45b91596 596 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 597};
598
599/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 600
601typedef struct control_def {
602 uschar *name;
603 int value; /* CONTROL_xxx value */
059ec3d9
PH		 604 BOOL has_option; /* Has /option(s) following */
605} control_def;
606
607static control_def controls_list[] = {
c46782ef 608 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 609#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 610 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4
TK		 611#endif
612#ifdef EXPERIMENTAL_DOMAINKEYS
c46782ef 613 { US"dk_verify", CONTROL_DK_VERIFY, FALSE },
8523533c 614#endif
c46782ef
PH		 615 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
616 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
617 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
618 { US"freeze", CONTROL_FREEZE, TRUE },
619 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
620 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 621 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 622 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 623#ifdef WITH_CONTENT_SCAN
c46782ef 624 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 625#endif
c46782ef
PH		 626 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
627 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
628 { US"submission", CONTROL_SUBMISSION, TRUE },
629 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH		 630 };
631
e5a9dba6
PH		 632/* Support data structures for Client SMTP Authorization. acl_verify_csa()
633caches its result in a tree to avoid repeated DNS queries. The result is an
634integer code which is used as an index into the following tables of
635explanatory strings and verification return codes. */
636
637static tree_node *csa_cache = NULL;
638
639enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
640 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
641
642/* The acl_verify_csa() return code is translated into an acl_verify() return
643code using the following table. It is OK unless the client is definitely not
644authorized. This is because CSA is supposed to be optional for sending sites,
645so recipients should not be too strict about checking it - especially because
646DNS problems are quite likely to occur. It's possible to use $csa_status in
647further ACL conditions to distinguish ok, unknown, and defer if required, but
648the aim is to make the usual configuration simple. */
649
650static int csa_return_code[] = {
651 OK, OK, OK, OK,
652 FAIL, FAIL, FAIL, FAIL
653};
654
655static uschar *csa_status_string[] = {
656 US"unknown", US"ok", US"defer", US"defer",
657 US"fail", US"fail", US"fail", US"fail"
658};
659
660static uschar *csa_reason_string[] = {
661 US"unknown",
662 US"ok",
663 US"deferred (SRV lookup failed)",
664 US"deferred (target address lookup failed)",
665 US"failed (explicit authorization required)",
666 US"failed (host name not authorized)",
667 US"failed (no authorized addresses)",
668 US"failed (client address mismatch)"
669};
670
059ec3d9
PH		 671/* Enable recursion between acl_check_internal() and acl_check_condition() */
672
673static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
674 uschar **);
675
676
677/*************************************************
678* Pick out name from list *
679*************************************************/
680
681/* Use a binary chop method
682
683Arguments:
684 name name to find
685 list list of names
686 end size of list
687
688Returns: offset in list, or -1 if not found
689*/
690
691static int
692acl_checkname(uschar *name, uschar **list, int end)
693{
694int start = 0;
695
696while (start < end)
697 {
698 int mid = (start + end)/2;
699 int c = Ustrcmp(name, list[mid]);
700 if (c == 0) return mid;
701 if (c < 0) end = mid; else start = mid + 1;
702 }
703
704return -1;
705}
706
707
708/*************************************************
709* Read and parse one ACL *
710*************************************************/
711
712/* This function is called both from readconf in order to parse the ACLs in the
713configuration file, and also when an ACL is encountered dynamically (e.g. as
714the result of an expansion). It is given a function to call in order to
715retrieve the lines of the ACL. This function handles skipping comments and
716blank lines (where relevant).
717
718Arguments:
719 func function to get next line of ACL
720 error where to put an error message
721
722Returns: pointer to ACL, or NULL
723 NULL can be legal (empty ACL); in this case error will be NULL
724*/
725
726acl_block *
727acl_read(uschar *(*func)(void), uschar **error)
728{
729acl_block *yield = NULL;
730acl_block **lastp = &yield;
731acl_block *this = NULL;
732acl_condition_block *cond;
733acl_condition_block **condp = NULL;
734uschar *s;
735
736*error = NULL;
737
738while ((s = (*func)()) != NULL)
739 {
740 int v, c;
741 BOOL negated = FALSE;
742 uschar *saveline = s;
743 uschar name[64];
744
745 /* Conditions (but not verbs) are allowed to be negated by an initial
746 exclamation mark. */
747
748 while (isspace(*s)) s++;
749 if (*s == '!')
750 {
751 negated = TRUE;
752 s++;
753 }
754
cf00dad6
PH		 755 /* Read the name of a verb or a condition, or the start of a new ACL, which
756 can be started by a name, or by a macro definition. */
059ec3d9
PH		 757
758 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 759 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 760
761 /* If a verb is unrecognized, it may be another condition or modifier that
762 continues the previous verb. */
763
764 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
765 if (v < 0)
766 {
767 if (this == NULL)
768 {
4e167a8c
PH		 769 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
770 saveline);
059ec3d9
PH		 771 return NULL;
772 }
773 }
774
775 /* New verb */
776
777 else
778 {
779 if (negated)
780 {
781 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
782 return NULL;
783 }
784 this = store_get(sizeof(acl_block));
785 *lastp = this;
786 lastp = &(this->next);
787 this->next = NULL;
788 this->verb = v;
789 this->condition = NULL;
790 condp = &(this->condition);
791 if (*s == 0) continue; /* No condition on this line */
792 if (*s == '!')
793 {
794 negated = TRUE;
795 s++;
796 }
797 s = readconf_readname(name, sizeof(name), s); /* Condition name */
798 }
799
800 /* Handle a condition or modifier. */
801
802 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
803 if (c < 0)
804 {
805 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
806 saveline);
807 return NULL;
808 }
809
810 /* The modifiers may not be negated */
811
812 if (negated && cond_modifiers[c])
813 {
814 *error = string_sprintf("ACL error: negation is not allowed with "
815 "\"%s\"", conditions[c]);
816 return NULL;
817 }
818
819 /* ENDPASS may occur only with ACCEPT or DISCARD. */
820
821 if (c == ACLC_ENDPASS &&
822 this->verb != ACL_ACCEPT &&
823 this->verb != ACL_DISCARD)
824 {
825 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
826 conditions[c], verbs[this->verb]);
827 return NULL;
828 }
829
830 cond = store_get(sizeof(acl_condition_block));
831 cond->next = NULL;
832 cond->type = c;
833 cond->u.negated = negated;
834
835 *condp = cond;
836 condp = &(cond->next);
837
838 /* The "set" modifier is different in that its argument is "name=value"
839 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 840 gives us a variable name to insert into the data block. The original ACL
841 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
842 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 843 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
844 After that, we allow alphanumerics and underscores, but the first character
845 after c or m must be a digit or an underscore. This retains backwards
846 compatibility. */
059ec3d9
PH		 847
848 if (c == ACLC_SET)
849 {
47ca6d6c
PH		 850 uschar *endptr;
851
38a0a95f
PH		 852 if (Ustrncmp(s, "acl_c", 5) != 0 &&
853 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 854 {
38a0a95f
PH		 855 *error = string_sprintf("invalid variable name after \"set\" in ACL "
856 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
857 return NULL;
47ca6d6c 858 }
38a0a95f
PH		 859
860 endptr = s + 5;
641cb756
PH		 861 if (!isdigit(*endptr) && *endptr != '_')
862 {
863 *error = string_sprintf("invalid variable name after \"set\" in ACL "
864 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
865 s);
866 return NULL;
867 }
868
38a0a95f 869 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 870 {
38a0a95f
PH		 871 if (!isalnum(*endptr) && *endptr != '_')
872 {
873 *error = string_sprintf("invalid character \"%c\" in variable name "
874 "in ACL modifier \"set %s\"", *endptr, s);
875 return NULL;
876 }
877 endptr++;
47ca6d6c 878 }
47ca6d6c 879
38a0a95f 880 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 881 s = endptr;
059ec3d9
PH		 882 while (isspace(*s)) s++;
883 }
884
885 /* For "set", we are now positioned for the data. For the others, only
886 "endpass" has no data */
887
888 if (c != ACLC_ENDPASS)
889 {
890 if (*s++ != '=')
891 {
892 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
893 cond_modifiers[c]? US"modifier" : US"condition");
894 return NULL;
895 }
896 while (isspace(*s)) s++;
897 cond->arg = string_copy(s);
898 }
899 }
900
901return yield;
902}
903
904
905
71fafd95
PH		 906/*************************************************
907* Set up added header line(s) *
908*************************************************/
909
910/* This function is called by the add_header modifier, and also from acl_warn()
911to implement the now-deprecated way of adding header lines using "message" on a
912"warn" verb. The argument is treated as a sequence of header lines which are
913added to a chain, provided there isn't an identical one already there.
914
915Argument: string of header lines
916Returns: nothing
917*/
918
919static void
920setup_header(uschar *hstring)
921{
922uschar *p, *q;
923int hlen = Ustrlen(hstring);
924
925/* An empty string does nothing; otherwise add a final newline if necessary. */
926
927if (hlen <= 0) return;
928if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
929
930/* Loop for multiple header lines, taking care about continuations */
931
932for (p = q = hstring; *p != 0; )
933 {
934 uschar *s;
935 int newtype = htype_add_bot;
936 header_line **hptr = &acl_added_headers;
937
938 /* Find next header line within the string */
939
940 for (;;)
941 {
942 q = Ustrchr(q, '\n');
943 if (*(++q) != ' ' && *q != '\t') break;
944 }
945
946 /* If the line starts with a colon, interpret the instruction for where to
947 add it. This temporarily sets up a new type. */
948
949 if (*p == ':')
950 {
951 if (strncmpic(p, US":after_received:", 16) == 0)
952 {
953 newtype = htype_add_rec;
954 p += 16;
955 }
956 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
957 {
958 newtype = htype_add_rfc;
959 p += 14;
960 }
961 else if (strncmpic(p, US":at_start:", 10) == 0)
962 {
963 newtype = htype_add_top;
964 p += 10;
965 }
966 else if (strncmpic(p, US":at_end:", 8) == 0)
967 {
968 newtype = htype_add_bot;
969 p += 8;
970 }
971 while (*p == ' ' || *p == '\t') p++;
972 }
973
974 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
975 to the front of it. */
976
977 for (s = p; s < q - 1; s++)
978 {
979 if (*s == ':' || !isgraph(*s)) break;
980 }
981
982 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
983 hlen = Ustrlen(s);
984
985 /* See if this line has already been added */
986
987 while (*hptr != NULL)
988 {
989 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
990 hptr = &((*hptr)->next);
991 }
992
993 /* Add if not previously present */
994
995 if (*hptr == NULL)
996 {
997 header_line *h = store_get(sizeof(header_line));
998 h->text = s;
999 h->next = NULL;
1000 h->type = newtype;
1001 h->slen = hlen;
1002 *hptr = h;
1003 hptr = &(h->next);
1004 }
1005
1006 /* Advance for next header line within the string */
1007
1008 p = q;
1009 }
1010}
1011
1012
1013
1014
059ec3d9
PH		 1015/*************************************************
1016* Handle warnings *
1017*************************************************/
1018
1019/* This function is called when a WARN verb's conditions are true. It adds to
1020the message's headers, and/or writes information to the log. In each case, this
1021only happens once (per message for headers, per connection for log).
1022
71fafd95
PH		 1023** NOTE: The header adding action using the "message" setting is historic, and
1024its use is now deprecated. The new add_header modifier should be used instead.
1025
059ec3d9
PH		 1026Arguments:
1027 where ACL_WHERE_xxxx indicating which ACL this is
1028 user_message message for adding to headers
1029 log_message message for logging, if different
1030
1031Returns: nothing
1032*/
1033
1034static void
1035acl_warn(int where, uschar *user_message, uschar *log_message)
1036{
059ec3d9
PH		 1037if (log_message != NULL && log_message != user_message)
1038 {
1039 uschar *text;
1040 string_item *logged;
1041
1042 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1043 string_printing(log_message));
1044
1045 /* If a sender verification has failed, and the log message is "sender verify
1046 failed", add the failure message. */
1047
1048 if (sender_verified_failed != NULL &&
1049 sender_verified_failed->message != NULL &&
1050 strcmpic(log_message, US"sender verify failed") == 0)
1051 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1052
9c7a242c
PH		 1053 /* Search previously logged warnings. They are kept in malloc
1054 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1055
1056 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1057 if (Ustrcmp(logged->text, text) == 0) break;
1058
1059 if (logged == NULL)
1060 {
1061 int length = Ustrlen(text) + 1;
1062 log_write(0, LOG_MAIN, "%s", text);
1063 logged = store_malloc(sizeof(string_item) + length);
1064 logged->text = (uschar *)logged + sizeof(string_item);
1065 memcpy(logged->text, text, length);
1066 logged->next = acl_warn_logged;
1067 acl_warn_logged = logged;
1068 }
1069 }
1070
1071/* If there's no user message, we are done. */
1072
1073if (user_message == NULL) return;
1074
1075/* If this isn't a message ACL, we can't do anything with a user message.
1076Log an error. */
1077
1078if (where > ACL_WHERE_NOTSMTP)
1079 {
1080 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1081 "found in a non-message (%s) ACL: cannot specify header lines here: "
1082 "message ignored", acl_wherenames[where]);
1083 return;
1084 }
1085
71fafd95
PH		 1086/* The code for setting up header lines is now abstracted into a separate
1087function so that it can be used for the add_header modifier as well. */
059ec3d9 1088
71fafd95 1089setup_header(user_message);
059ec3d9
PH		 1090}
1091
1092
1093
1094/*************************************************
1095* Verify and check reverse DNS *
1096*************************************************/
1097
1098/* Called from acl_verify() below. We look up the host name(s) of the client IP
1099address if this has not yet been done. The host_name_lookup() function checks
1100that one of these names resolves to an address list that contains the client IP
1101address, so we don't actually have to do the check here.
1102
1103Arguments:
1104 user_msgptr pointer for user message
1105 log_msgptr pointer for log message
1106
1107Returns: OK verification condition succeeded
1108 FAIL verification failed
1109 DEFER there was a problem verifying
1110*/
1111
1112static int
1113acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1114{
1115int rc;
1116
1117user_msgptr = user_msgptr; /* stop compiler warning */
1118
1119/* Previous success */
1120
1121if (sender_host_name != NULL) return OK;
1122
1123/* Previous failure */
1124
1125if (host_lookup_failed)
1126 {
1127 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1128 return FAIL;
1129 }
1130
1131/* Need to do a lookup */
1132
1133HDEBUG(D_acl)
1134 debug_printf("looking up host name to force name/address consistency check\n");
1135
1136if ((rc = host_name_lookup()) != OK)
1137 {
1138 *log_msgptr = (rc == DEFER)?
1139 US"host lookup deferred for reverse lookup check"
1140 :
1141 string_sprintf("host lookup failed for reverse lookup check%s",
1142 host_lookup_msg);
1143 return rc; /* DEFER or FAIL */
1144 }
1145
1146host_build_sender_fullhost();
1147return OK;
1148}
1149
1150
1151
e5a9dba6
PH		 1152/*************************************************
1153* Check client IP address matches CSA target *
1154*************************************************/
1155
1156/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1157response for address records belonging to the CSA target hostname. The section
1158is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1159If one of the addresses matches the client's IP address, then the client is
1160authorized by CSA. If there are target IP addresses but none of them match
1161then the client is using an unauthorized IP address. If there are no target IP
1162addresses then the client cannot be using an authorized IP address. (This is
1163an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1164
1165Arguments:
1166 dnsa the DNS answer block
1167 dnss a DNS scan block for us to use
1168 reset option specifing what portion to scan, as described above
1169 target the target hostname to use for matching RR names
1170
1171Returns: CSA_OK successfully authorized
1172 CSA_FAIL_MISMATCH addresses found but none matched
1173 CSA_FAIL_NOADDR no target addresses found
1174*/
1175
1176static int
1177acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1178 uschar *target)
1179{
1180dns_record *rr;
1181dns_address *da;
1182
1183BOOL target_found = FALSE;
1184
1185for (rr = dns_next_rr(dnsa, dnss, reset);
1186 rr != NULL;
1187 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1188 {
1189 /* Check this is an address RR for the target hostname. */
1190
1191 if (rr->type != T_A
1192 #if HAVE_IPV6
1193 && rr->type != T_AAAA
1194 #ifdef SUPPORT_A6
1195 && rr->type != T_A6
1196 #endif
1197 #endif
1198 ) continue;
1199
1200 if (strcmpic(target, rr->name) != 0) continue;
1201
1202 target_found = TRUE;
1203
1204 /* Turn the target address RR into a list of textual IP addresses and scan
1205 the list. There may be more than one if it is an A6 RR. */
1206
1207 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1208 {
1209 /* If the client IP address matches the target IP address, it's good! */
1210
1211 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1212
1213 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1214 }
1215 }
1216
1217/* If we found some target addresses but none of them matched, the client is
1218using an unauthorized IP address, otherwise the target has no authorized IP
1219addresses. */
1220
1221if (target_found) return CSA_FAIL_MISMATCH;
1222else return CSA_FAIL_NOADDR;
1223}
1224
1225
1226
1227/*************************************************
1228* Verify Client SMTP Authorization *
1229*************************************************/
1230
1231/* Called from acl_verify() below. This routine calls dns_lookup_special()
1232to find the CSA SRV record corresponding to the domain argument, or
1233$sender_helo_name if no argument is provided. It then checks that the
1234client is authorized, and that its IP address corresponds to the SRV
1235target's address by calling acl_verify_csa_address() above. The address
1236should have been returned in the DNS response's ADDITIONAL section, but if
1237not we perform another DNS lookup to get it.
1238
1239Arguments:
1240 domain pointer to optional parameter following verify = csa
1241
1242Returns: CSA_UNKNOWN no valid CSA record found
1243 CSA_OK successfully authorized
1244 CSA_FAIL_* client is definitely not authorized
1245 CSA_DEFER_* there was a DNS problem
1246*/
1247
1248static int
1249acl_verify_csa(uschar *domain)
1250{
1251tree_node *t;
1252uschar *found, *p;
1253int priority, weight, port;
1254dns_answer dnsa;
1255dns_scan dnss;
1256dns_record *rr;
1257int rc, type;
1258uschar target[256];
1259
1260/* Work out the domain we are using for the CSA lookup. The default is the
1261client's HELO domain. If the client has not said HELO, use its IP address
1262instead. If it's a local client (exim -bs), CSA isn't applicable. */
1263
1264while (isspace(*domain) && *domain != '\0') ++domain;
1265if (*domain == '\0') domain = sender_helo_name;
1266if (domain == NULL) domain = sender_host_address;
1267if (sender_host_address == NULL) return CSA_UNKNOWN;
1268
1269/* If we have an address literal, strip off the framing ready for turning it
1270into a domain. The framing consists of matched square brackets possibly
1271containing a keyword and a colon before the actual IP address. */
1272
1273if (domain[0] == '[')
1274 {
1275 uschar *start = Ustrchr(domain, ':');
1276 if (start == NULL) start = domain;
1277 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1278 }
1279
1280/* Turn domains that look like bare IP addresses into domains in the reverse
1281DNS. This code also deals with address literals and $sender_host_address. It's
1282not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1283address literals, but it's probably the most friendly thing to do. This is an
1284extension to CSA, so we allow it to be turned off for proper conformance. */
1285
7e66e54d 1286if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1287 {
1288 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1289 dns_build_reverse(domain, target);
1290 domain = target;
1291 }
1292
1293/* Find out if we've already done the CSA check for this domain. If we have,
1294return the same result again. Otherwise build a new cached result structure
1295for this domain. The name is filled in now, and the value is filled in when
1296we return from this function. */
1297
1298t = tree_search(csa_cache, domain);
1299if (t != NULL) return t->data.val;
1300
1301t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1302Ustrcpy(t->name, domain);
1303(void)tree_insertnode(&csa_cache, t);
1304
1305/* Now we are ready to do the actual DNS lookup(s). */
1306
28e6ef29 1307found = domain;
e5a9dba6
PH		 1308switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1309 {
1310 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1311
1312 default:
1313 return t->data.val = CSA_DEFER_SRV;
1314
1315 /* If we found nothing, the client's authorization is unknown. */
1316
1317 case DNS_NOMATCH:
1318 case DNS_NODATA:
1319 return t->data.val = CSA_UNKNOWN;
1320
1321 /* We got something! Go on to look at the reply in more detail. */
1322
1323 case DNS_SUCCEED:
1324 break;
1325 }
1326
1327/* Scan the reply for well-formed CSA SRV records. */
1328
1329for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1330 rr != NULL;
1331 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1332 {
1333 if (rr->type != T_SRV) continue;
1334
1335 /* Extract the numerical SRV fields (p is incremented) */
1336
1337 p = rr->data;
1338 GETSHORT(priority, p);
1339 GETSHORT(weight, p);
1340 GETSHORT(port, p);
1341
1342 DEBUG(D_acl)
1343 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1344
1345 /* Check the CSA version number */
1346
1347 if (priority != 1) continue;
1348
1349 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1350 found by dns_special_lookup() is a parent of the one we asked for), we check
1351 the subdomain assertions in the port field. At the moment there's only one
1352 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1353 SRV records of their own. */
1354
1355 if (found != domain)
1356 {
1357 if (port & 1)
1358 return t->data.val = CSA_FAIL_EXPLICIT;
1359 else
1360 return t->data.val = CSA_UNKNOWN;
1361 }
1362
1363 /* This CSA SRV record refers directly to our domain, so we check the value
1364 in the weight field to work out the domain's authorization. 0 and 1 are
1365 unauthorized; 3 means the client is authorized but we can't check the IP
1366 address in order to authenticate it, so we treat it as unknown; values
1367 greater than 3 are undefined. */
1368
1369 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1370
1371 if (weight > 2) continue;
1372
1373 /* Weight == 2, which means the domain is authorized. We must check that the
1374 client's IP address is listed as one of the SRV target addresses. Save the
1375 target hostname then break to scan the additional data for its addresses. */
1376
1377 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1378 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1379
1380 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1381
1382 break;
1383 }
1384
1385/* If we didn't break the loop then no appropriate records were found. */
1386
1387if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1388
1389/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1390A target of "." indicates there are no valid addresses, so the client cannot
1391be authorized. (This is an odd configuration because weight=2 target=. is
1392equivalent to weight=1, but we check for it in order to keep load off the
1393root name servers.) Note that dn_expand() turns "." into "". */
1394
1395if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1396
1397/* Scan the additional section of the CSA SRV reply for addresses belonging
1398to the target. If the name server didn't return any additional data (e.g.
1399because it does not fully support SRV records), we need to do another lookup
1400to obtain the target addresses; otherwise we have a definitive result. */
1401
1402rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1403if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1404
1405/* The DNS lookup type corresponds to the IP version used by the client. */
1406
1407#if HAVE_IPV6
1408if (Ustrchr(sender_host_address, ':') != NULL)
1409 type = T_AAAA;
1410else
1411#endif /* HAVE_IPV6 */
1412 type = T_A;
1413
1414
1415#if HAVE_IPV6 && defined(SUPPORT_A6)
1416DNS_LOOKUP_AGAIN:
1417#endif
1418
1419switch (dns_lookup(&dnsa, target, type, NULL))
1420 {
1421 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1422
1423 default:
1424 return t->data.val = CSA_DEFER_ADDR;
1425
1426 /* If the query succeeded, scan the addresses and return the result. */
1427
1428 case DNS_SUCCEED:
1429 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1430 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1431 /* else fall through */
1432
1433 /* If the target has no IP addresses, the client cannot have an authorized
1434 IP address. However, if the target site uses A6 records (not AAAA records)
1435 we have to do yet another lookup in order to check them. */
1436
1437 case DNS_NOMATCH:
1438 case DNS_NODATA:
1439
1440 #if HAVE_IPV6 && defined(SUPPORT_A6)
1441 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1442 #endif
1443
1444 return t->data.val = CSA_FAIL_NOADDR;
1445 }
1446}
1447
1448
1449
059ec3d9
PH		 1450/*************************************************
1451* Handle verification (address & other) *
1452*************************************************/
1453
1454/* This function implements the "verify" condition. It is called when
1455encountered in any ACL, because some tests are almost always permitted. Some
1456just don't make sense, and always fail (for example, an attempt to test a host
1457lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1458
1459Arguments:
1460 where where called from
1461 addr the recipient address that the ACL is handling, or NULL
1462 arg the argument of "verify"
1463 user_msgptr pointer for user message
1464 log_msgptr pointer for log message
1465 basic_errno where to put verify errno
1466
1467Returns: OK verification condition succeeded
1468 FAIL verification failed
1469 DEFER there was a problem verifying
1470 ERROR syntax error
1471*/
1472
1473static int
1474acl_verify(int where, address_item *addr, uschar *arg,
1475 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1476{
1477int sep = '/';
1478int callout = -1;
1479int callout_overall = -1;
4deaf07d 1480int callout_connect = -1;
059ec3d9
PH		 1481int verify_options = 0;
1482int rc;
1483BOOL verify_header_sender = FALSE;
1484BOOL defer_ok = FALSE;
1485BOOL callout_defer_ok = FALSE;
1486BOOL no_details = FALSE;
eafd343b 1487BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1488address_item *sender_vaddr = NULL;
1489uschar *verify_sender_address = NULL;
1490uschar *pm_mailfrom = NULL;
1491uschar *se_mailfrom = NULL;
596875b3
PH		 1492
1493/* Some of the verify items have slash-separated options; some do not. Diagnose
1494an error if options are given for items that don't expect them. This code has
1495now got very message. Refactoring to use a table would be a good idea one day.
1496*/
1497
1498uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1499uschar *list = arg;
1500uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1501
1502if (ss == NULL) goto BAD_VERIFY;
1503
1504/* Handle name/address consistency verification in a separate function. */
1505
1506if (strcmpic(ss, US"reverse_host_lookup") == 0)
1507 {
596875b3 1508 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1509 if (sender_host_address == NULL) return OK;
1510 return acl_verify_reverse(user_msgptr, log_msgptr);
1511 }
1512
1513/* TLS certificate verification is done at STARTTLS time; here we just
1514test whether it was successful or not. (This is for optional verification; for
1515mandatory verification, the connection doesn't last this long.) */
1516
1517if (strcmpic(ss, US"certificate") == 0)
1518 {
596875b3 1519 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1520 if (tls_certificate_verified) return OK;
1521 *user_msgptr = US"no verified certificate";
1522 return FAIL;
1523 }
1524
d7b47fd0
PH		 1525/* We can test the result of optional HELO verification that might have
1526occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1527
596875b3
PH		 1528if (strcmpic(ss, US"helo") == 0)
1529 {
1530 if (slash != NULL) goto NO_OPTIONS;
0154e85a
TF		 1531 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1532 return helo_verified? OK : FAIL;
596875b3 1533 }
059ec3d9 1534
e5a9dba6
PH		 1535/* Do Client SMTP Authorization checks in a separate function, and turn the
1536result code into user-friendly strings. */
1537
1538if (strcmpic(ss, US"csa") == 0)
1539 {
1540 rc = acl_verify_csa(list);
1541 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1542 csa_reason_string[rc]);
1543 csa_status = csa_status_string[rc];
1544 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1545 return csa_return_code[rc];
1546 }
1547
596875b3
PH		 1548/* Check that all relevant header lines have the correct syntax. If there is
1549a syntax error, we return details of the error to the sender if configured to
1550send out full details. (But a "message" setting on the ACL can override, as
1551always). */
059ec3d9 1552
596875b3 1553if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1554 {
596875b3 1555 if (slash != NULL) goto NO_OPTIONS;
1c41c9cc 1556 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3
PH		 1557 rc = verify_check_headers(log_msgptr);
1558 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1559 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1560 return rc;
1561 }
059ec3d9 1562
1c41c9cc
PH		 1563/* Check that no recipient of this message is "blind", that is, every envelope
1564recipient must be mentioned in either To: or Cc:. */
1565
1566if (strcmpic(ss, US"not_blind") == 0)
1567 {
1568 if (slash != NULL) goto NO_OPTIONS;
1569 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1570 rc = verify_check_notblind();
1571 if (rc != OK)
1572 {
1573 *log_msgptr = string_sprintf("bcc recipient detected");
1574 if (smtp_return_error_details)
1575 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1576 }
1577 return rc;
1578 }
059ec3d9 1579
596875b3
PH		 1580/* The remaining verification tests check recipient and sender addresses,
1581either from the envelope or from the header. There are a number of
1582slash-separated options that are common to all of them. */
059ec3d9 1583
059ec3d9 1584
596875b3
PH		 1585/* Check that there is at least one verifiable sender address in the relevant
1586header lines. This can be followed by callout and defer options, just like
1587sender and recipient. */
059ec3d9 1588
596875b3
PH		 1589if (strcmpic(ss, US"header_sender") == 0)
1590 {
1c41c9cc 1591 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3 1592 verify_header_sender = TRUE;
059ec3d9
PH		 1593 }
1594
1595/* Otherwise, first item in verify argument must be "sender" or "recipient".
1596In the case of a sender, this can optionally be followed by an address to use
1597in place of the actual sender (rare special-case requirement). */
1598
1599else if (strncmpic(ss, US"sender", 6) == 0)
1600 {
1601 uschar *s = ss + 6;
1602 if (where > ACL_WHERE_NOTSMTP)
1603 {
1604 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1605 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1606 acl_wherenames[where]);
1607 return ERROR;
1608 }
1609 if (*s == 0)
1610 verify_sender_address = sender_address;
1611 else
1612 {
1613 while (isspace(*s)) s++;
1614 if (*s++ != '=') goto BAD_VERIFY;
1615 while (isspace(*s)) s++;
1616 verify_sender_address = string_copy(s);
1617 }
1618 }
1619else
1620 {
1621 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1622 if (addr == NULL)
1623 {
1624 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1625 "(only possible for RCPT)", acl_wherenames[where]);
1626 return ERROR;
1627 }
1628 }
1629
596875b3
PH		 1630/* Remaining items are optional; they apply to sender and recipient
1631verification, including "header sender" verification. */
059ec3d9
PH		 1632
1633while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1634 != NULL)
1635 {
1636 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1637 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1638 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1639
1640 /* These two old options are left for backwards compatibility */
1641
1642 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1643 {
1644 callout_defer_ok = TRUE;
1645 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1646 }
1647
1648 else if (strcmpic(ss, US"check_postmaster") == 0)
1649 {
1650 pm_mailfrom = US"";
1651 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1652 }
1653
1654 /* The callout option has a number of sub-options, comma separated */
1655
1656 else if (strncmpic(ss, US"callout", 7) == 0)
1657 {
1658 callout = CALLOUT_TIMEOUT_DEFAULT;
1659 ss += 7;
1660 if (*ss != 0)
1661 {
1662 while (isspace(*ss)) ss++;
1663 if (*ss++ == '=')
1664 {
1665 int optsep = ',';
1666 uschar *opt;
1667 uschar buffer[256];
1668 while (isspace(*ss)) ss++;
8e669ac1
PH		 1669
1670 /* This callout option handling code has become a mess as new options
1671 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1672 kind of table-driven thing. */
8e669ac1 1673
059ec3d9
PH		 1674 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1675 != NULL)
1676 {
1677 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1678 else if (strcmpic(opt, US"no_cache") == 0)
1679 verify_options |= vopt_callout_no_cache;
1680 else if (strcmpic(opt, US"random") == 0)
1681 verify_options |= vopt_callout_random;
1682 else if (strcmpic(opt, US"use_sender") == 0)
1683 verify_options |= vopt_callout_recipsender;
1684 else if (strcmpic(opt, US"use_postmaster") == 0)
1685 verify_options |= vopt_callout_recippmaster;
1686 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
2a4be8f9
PH		 1687 else if (strcmpic(opt, US"fullpostmaster") == 0)
1688 {
1689 pm_mailfrom = US"";
1690 verify_options |= vopt_callout_fullpm;
1691 }
059ec3d9
PH		 1692
1693 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1694 {
1695 if (!verify_header_sender)
1696 {
1697 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1698 "callout option only for verify=header_sender (detected in ACL "
1699 "condition \"%s\")", arg);
1700 return ERROR;
1701 }
1702 opt += 8;
1703 while (isspace(*opt)) opt++;
1704 if (*opt++ != '=')
1705 {
1706 *log_msgptr = string_sprintf("'=' expected after "
1707 "\"mailfrom\" in ACL condition \"%s\"", arg);
1708 return ERROR;
1709 }
1710 while (isspace(*opt)) opt++;
1711 se_mailfrom = string_copy(opt);
1712 }
1713
1714 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1715 {
1716 opt += 19;
1717 while (isspace(*opt)) opt++;
1718 if (*opt++ != '=')
1719 {
1720 *log_msgptr = string_sprintf("'=' expected after "
1721 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1722 return ERROR;
1723 }
1724 while (isspace(*opt)) opt++;
1725 pm_mailfrom = string_copy(opt);
1726 }
1727
1728 else if (strncmpic(opt, US"maxwait", 7) == 0)
1729 {
1730 opt += 7;
1731 while (isspace(*opt)) opt++;
1732 if (*opt++ != '=')
1733 {
1734 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1735 "ACL condition \"%s\"", arg);
1736 return ERROR;
1737 }
1738 while (isspace(*opt)) opt++;
1739 callout_overall = readconf_readtime(opt, 0, FALSE);
1740 if (callout_overall < 0)
1741 {
1742 *log_msgptr = string_sprintf("bad time value in ACL condition "
1743 "\"verify %s\"", arg);
1744 return ERROR;
1745 }
1746 }
4deaf07d
PH		 1747 else if (strncmpic(opt, US"connect", 7) == 0)
1748 {
1749 opt += 7;
1750 while (isspace(*opt)) opt++;
1751 if (*opt++ != '=')
1752 {
1753 *log_msgptr = string_sprintf("'=' expected after "
1754 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1755 return ERROR;
1756 }
1757 while (isspace(*opt)) opt++;
1758 callout_connect = readconf_readtime(opt, 0, FALSE);
1759 if (callout_connect < 0)
1760 {
1761 *log_msgptr = string_sprintf("bad time value in ACL condition "
1762 "\"verify %s\"", arg);
1763 return ERROR;
1764 }
1765 }
059ec3d9
PH		 1766 else /* Plain time is callout connect/command timeout */
1767 {
1768 callout = readconf_readtime(opt, 0, FALSE);
1769 if (callout < 0)
1770 {
1771 *log_msgptr = string_sprintf("bad time value in ACL condition "
1772 "\"verify %s\"", arg);
1773 return ERROR;
1774 }
1775 }
1776 }
1777 }
1778 else
1779 {
1780 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1781 "ACL condition \"%s\"", arg);
1782 return ERROR;
1783 }
1784 }
1785 }
1786
1787 /* Option not recognized */
1788
1789 else
1790 {
1791 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1792 "condition \"verify %s\"", ss, arg);
1793 return ERROR;
1794 }
1795 }
1796
1797if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1798 (vopt_callout_recipsender|vopt_callout_recippmaster))
1799 {
1800 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1801 "for a recipient callout";
1802 return ERROR;
1803 }
1804
1805/* Handle sender-in-header verification. Default the user message to the log
1806message if giving out verification details. */
1807
1808if (verify_header_sender)
1809 {
8e669ac1 1810 int verrno;
059ec3d9 1811 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1812 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1813 &verrno);
1814 if (rc != OK)
8e669ac1 1815 {
fe5b5d0b
PH		 1816 *basic_errno = verrno;
1817 if (smtp_return_error_details)
1818 {
1819 if (*user_msgptr == NULL && *log_msgptr != NULL)
1820 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1821 if (rc == DEFER) acl_temp_details = TRUE;
1822 }
8e669ac1 1823 }
059ec3d9
PH		 1824 }
1825
1826/* Handle a sender address. The default is to verify *the* sender address, but
1827optionally a different address can be given, for special requirements. If the
1828address is empty, we are dealing with a bounce message that has no sender, so
1829we cannot do any checking. If the real sender address gets rewritten during
1830verification (e.g. DNS widening), set the flag to stop it being rewritten again
1831during message reception.
1832
1833A list of verified "sender" addresses is kept to try to avoid doing to much
1834work repetitively when there are multiple recipients in a message and they all
1835require sender verification. However, when callouts are involved, it gets too
1836complicated because different recipients may require different callout options.
1837Therefore, we always do a full sender verify when any kind of callout is
1838specified. Caching elsewhere, for instance in the DNS resolver and in the
1839callout handling, should ensure that this is not terribly inefficient. */
1840
1841else if (verify_sender_address != NULL)
1842 {
1843 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1844 != 0)
1845 {
1846 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1847 "sender verify callout";
1848 return ERROR;
1849 }
1850
1851 sender_vaddr = verify_checked_sender(verify_sender_address);
1852 if (sender_vaddr != NULL && /* Previously checked */
1853 callout <= 0) /* No callout needed this time */
1854 {
1855 /* If the "routed" flag is set, it means that routing worked before, so
1856 this check can give OK (the saved return code value, if set, belongs to a
1857 callout that was done previously). If the "routed" flag is not set, routing
1858 must have failed, so we use the saved return code. */
1859
1860 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1861 {
1862 rc = sender_vaddr->special_action;
1863 *basic_errno = sender_vaddr->basic_errno;
1864 }
1865 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1866 }
1867
1868 /* Do a new verification, and cache the result. The cache is used to avoid
1869 verifying the sender multiple times for multiple RCPTs when callouts are not
1870 specified (see comments above).
1871
1872 The cache is also used on failure to give details in response to the first
1873 RCPT that gets bounced for this reason. However, this can be suppressed by
1874 the no_details option, which sets the flag that says "this detail has already
1875 been sent". The cache normally contains just one address, but there may be
1876 more in esoteric circumstances. */
1877
1878 else
1879 {
1880 BOOL routed = TRUE;
2a3eea10 1881 uschar *save_address_data = deliver_address_data;
8e669ac1 1882
059ec3d9
PH		 1883 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1884 if (no_details) setflag(sender_vaddr, af_sverify_told);
1885 if (verify_sender_address[0] != 0)
1886 {
1887 /* If this is the real sender address, save the unrewritten version
1888 for use later in receive. Otherwise, set a flag so that rewriting the
1889 sender in verify_address() does not update sender_address. */
1890
1891 if (verify_sender_address == sender_address)
1892 sender_address_unrewritten = sender_address;
1893 else
1894 verify_options |= vopt_fake_sender;
1895
eafd343b
TK		 1896 if (success_on_redirect)
1897 verify_options |= vopt_success_on_redirect;
1898
059ec3d9
PH		 1899 /* The recipient, qualify, and expn options are never set in
1900 verify_options. */
1901
1902 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1903 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1904
1905 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1906
1907 if (rc == OK)
1908 {
1909 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1910 {
1911 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1912 verify_sender_address, sender_vaddr->address);
1913 }
1914 else
1915 {
1916 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1917 verify_sender_address);
1918 }
1919 }
1920 else *basic_errno = sender_vaddr->basic_errno;
1921 }
1922 else rc = OK; /* Null sender */
1923
1924 /* Cache the result code */
1925
1926 if (routed) setflag(sender_vaddr, af_verify_routed);
1927 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1928 sender_vaddr->special_action = rc;
1929 sender_vaddr->next = sender_verified_list;
1930 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1931
1932 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1933 the sender verification. */
8e669ac1 1934
2a3eea10 1935 deliver_address_data = save_address_data;
059ec3d9 1936 }
8e669ac1 1937
2a3eea10
PH		 1938 /* Put the sender address_data value into $sender_address_data */
1939
8e669ac1 1940 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1941 }
1942
1943/* A recipient address just gets a straightforward verify; again we must handle
1944the DEFER overrides. */
1945
1946else
1947 {
1948 address_item addr2;
1949
eafd343b
TK		 1950 if (success_on_redirect)
1951 verify_options |= vopt_success_on_redirect;
1952
059ec3d9
PH		 1953 /* We must use a copy of the address for verification, because it might
1954 get rewritten. */
1955
1956 addr2 = *addr;
1957 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1958 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1959 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1960
059ec3d9 1961 *log_msgptr = addr2.message;
8e669ac1 1962 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1963 addr2.user_message : addr2.message;
059ec3d9
PH		 1964 *basic_errno = addr2.basic_errno;
1965
1966 /* Make $address_data visible */
1967 deliver_address_data = addr2.p.address_data;
1968 }
1969
1970/* We have a result from the relevant test. Handle defer overrides first. */
1971
1972if (rc == DEFER && (defer_ok ||
1973 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1974 {
1975 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1976 defer_ok? "defer_ok" : "callout_defer_ok");
1977 rc = OK;
1978 }
1979
1980/* If we've failed a sender, set up a recipient message, and point
1981sender_verified_failed to the address item that actually failed. */
1982
1983if (rc != OK && verify_sender_address != NULL)
1984 {
1985 if (rc != DEFER)
1986 {
1987 *log_msgptr = *user_msgptr = US"Sender verify failed";
1988 }
1989 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1990 {
1991 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1992 }
1993 else
1994 {
1995 *log_msgptr = US"Could not complete sender verify callout";
1996 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1997 *log_msgptr;
1998 }
1999
2000 sender_verified_failed = sender_vaddr;
2001 }
2002
2003/* Verifying an address messes up the values of $domain and $local_part,
2004so reset them before returning if this is a RCPT ACL. */
2005
2006if (addr != NULL)
2007 {
2008 deliver_domain = addr->domain;
2009 deliver_localpart = addr->local_part;
2010 }
2011return rc;
2012
2013/* Syntax errors in the verify argument come here. */
2014
2015BAD_VERIFY:
2016*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 2017 "\"helo\", \"header_syntax\", \"header_sender\" or "
2018 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2019 "\"verify %s\"", arg);
2020return ERROR;
596875b3
PH		 2021
2022/* Options supplied when not allowed come here */
2023
2024NO_OPTIONS:
2025*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
2026 "(this verify item has no options)", arg);
2027return ERROR;
1c41c9cc
PH		 2028
2029/* Calls in the wrong ACL come here */
2030
2031WRONG_ACL:
2032*log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
2033 "(only possible in ACL for DATA)", acl_wherenames[where]);
2034return ERROR;
059ec3d9
PH		 2035}
2036
2037
2038
2039
2040/*************************************************
2041* Check argument for control= modifier *
2042*************************************************/
2043
2044/* Called from acl_check_condition() below
2045
2046Arguments:
2047 arg the argument string for control=
2048 pptr set to point to the terminating character
2049 where which ACL we are in
2050 log_msgptr for error messages
2051
2052Returns: CONTROL_xxx value
2053*/
2054
2055static int
2056decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2057{
2058int len;
2059control_def *d;
2060
2061for (d = controls_list;
2062 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2063 d++)
2064 {
2065 len = Ustrlen(d->name);
2066 if (Ustrncmp(d->name, arg, len) == 0) break;
2067 }
2068
2069if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2070 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2071 {
2072 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2073 return CONTROL_ERROR;
2074 }
2075
059ec3d9
PH		 2076*pptr = arg + len;
2077return d->value;
2078}
2079
2080
2081
870f6ba8
TF		 2082/*************************************************
2083* Handle rate limiting *
2084*************************************************/
2085
2086/* Called by acl_check_condition() below to calculate the result
2087of the ACL ratelimit condition.
2088
2089Note that the return value might be slightly unexpected: if the
2090sender's rate is above the limit then the result is OK. This is
2091similar to the dnslists condition, and is so that you can write
2092ACL clauses like: defer ratelimit = 15 / 1h
2093
2094Arguments:
2095 arg the option string for ratelimit=
90fc3069 2096 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2097 log_msgptr for error messages
2098
2099Returns: OK - Sender's rate is above limit
2100 FAIL - Sender's rate is below limit
2101 DEFER - Problem opening ratelimit database
2102 ERROR - Syntax error in options.
2103*/
2104
2105static int
90fc3069 2106acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8
TF		 2107{
2108double limit, period;
f3dcf4a2 2109uschar *ss, *key;
870f6ba8
TF		 2110int sep = '/';
2111BOOL have_key = FALSE, leaky = FALSE, strict = FALSE;
2112BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2113int old_pool, rc;
2114tree_node **anchor, *t;
2115open_db dbblock, *dbm;
2116dbdata_ratelimit *dbd;
2117struct timeval tv;
2118
2119/* Parse the first two options and record their values in expansion
2120variables. These variables allow the configuration to have informative
2121error messages based on rate limits obtained from a table lookup. */
2122
2123/* First is the maximum number of messages per period and maximum burst
2124size, which must be greater than or equal to zero. Zero is useful for
2125rate measurement as opposed to rate limiting. */
2126
2127sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2128if (sender_rate_limit == NULL)
2129 limit = -1.0;
2130else
2131 {
2132 limit = Ustrtod(sender_rate_limit, &ss);
2133 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2134 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2135 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2136 }
2137if (limit < 0.0 || *ss != 0)
2138 {
2139 *log_msgptr = string_sprintf("syntax error in argument for "
2140 "\"ratelimit\" condition: \"%s\" is not a positive number",
2141 sender_rate_limit);
2142 return ERROR;
2143 }
2144
f3dcf4a2
TF		 2145/* We use the rest of the argument list following the limit as the
2146lookup key, because it doesn't make sense to use the same stored data
2147if the period or options are different. */
2148
2149key = arg;
2150
870f6ba8
TF		 2151/* Second is the rate measurement period and exponential smoothing time
2152constant. This must be strictly greater than zero, because zero leads to
2153run-time division errors. */
2154
2155sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2156if (sender_rate_period == NULL) period = -1.0;
2157else period = readconf_readtime(sender_rate_period, 0, FALSE);
2158if (period <= 0.0)
2159 {
2160 *log_msgptr = string_sprintf("syntax error in argument for "
2161 "\"ratelimit\" condition: \"%s\" is not a time value",
2162 sender_rate_period);
2163 return ERROR;
2164 }
2165
2166/* Parse the other options. Should we check if the per_* options are being
2167used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2168
2169while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2170 != NULL)
2171 {
2172 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2173 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2174 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
2175 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2176 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2177 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
2178 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
2179 else have_key = TRUE;
2180 }
2181if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2182 {
2183 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2184 return ERROR;
2185 }
2186
2187/* Default option values */
2188if (!strict) leaky = TRUE;
2189if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2190
f3dcf4a2 2191/* If there is no explicit key, use the sender_host_address. If there is no
870f6ba8
TF		 2192sender_host_address (e.g. -bs or acl_not_smtp) then we simply omit it. */
2193
2194if (!have_key && sender_host_address != NULL)
2195 key = string_sprintf("%s / %s", key, sender_host_address);
2196
2197HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2198 limit, period, key);
2199
fe0dab11 2200/* See if we have already computed the rate by looking in the relevant tree. For
870f6ba8
TF		 2201per-connection rate limiting, store tree nodes and dbdata in the permanent pool
2202so that they survive across resets. */
2203
2204anchor = NULL;
2205old_pool = store_pool;
2206
2207if (per_conn)
2208 {
2209 anchor = &ratelimiters_conn;
2210 store_pool = POOL_PERM;
2211 }
fe0dab11 2212else if (per_mail || per_byte)
870f6ba8 2213 anchor = &ratelimiters_mail;
fe0dab11
TF		 2214else if (per_cmd)
2215 anchor = &ratelimiters_cmd;
870f6ba8
TF		 2216
2217if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2218 {
2219 dbd = t->data.ptr;
2220 /* The following few lines duplicate some of the code below. */
3348576f
TF		 2221 if (dbd->rate < limit) rc = FAIL;
2222 else rc = OK;
870f6ba8
TF		 2223 store_pool = old_pool;
2224 sender_rate = string_sprintf("%.1f", dbd->rate);
2225 HDEBUG(D_acl)
2226 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2227 return rc;
2228 }
2229
2230/* We aren't using a pre-computed rate, so get a previously recorded
2231rate from the database, update it, and write it back. If there's no
2232previous rate for this key, create one. */
2233
2234dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2235if (dbm == NULL)
2236 {
2237 store_pool = old_pool;
2238 sender_rate = NULL;
2239 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2240 *log_msgptr = US"ratelimit database not available";
2241 return DEFER;
2242 }
2243dbd = dbfn_read(dbm, key);
2244
2245gettimeofday(&tv, NULL);
2246
2247if (dbd == NULL)
2248 {
2249 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2250 dbd = store_get(sizeof(dbdata_ratelimit));
2251 dbd->time_stamp = tv.tv_sec;
2252 dbd->time_usec = tv.tv_usec;
2253 dbd->rate = 0.0;
2254 }
2255else
2256 {
2257 /* The smoothed rate is computed using an exponentially weighted moving
2258 average adjusted for variable sampling intervals. The standard EWMA for
2259 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2260 where f() is the measured value and f'() is the smoothed value.
2261
2262 Old data decays out of the smoothed value exponentially, such that data n
2263 samples old is multiplied by a^n. The exponential decay time constant p
2264 is defined such that data p samples old is multiplied by 1/e, which means
2265 that a = exp(-1/p). We can maintain the same time constant for a variable
2266 sampling interval i by using a = exp(-i/p).
2267
2268 The rate we are measuring is messages per period, suitable for directly
2269 comparing with the limit. The average rate between now and the previous
2270 message is period / interval, which we feed into the EWMA as the sample.
2271
2272 It turns out that the number of messages required for the smoothed rate
2273 to reach the limit when they are sent in a burst is equal to the limit.
2274 This can be seen by analysing the value of the smoothed rate after N
2275 messages sent at even intervals. Let k = (1 - a) * p/i
2276
2277 rate_1 = (1 - a) * p/i + a * rate_0
2278 = k + a * rate_0
2279 rate_2 = k + a * rate_1
2280 = k + a * k + a^2 * rate_0
2281 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2282 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2283 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2284 = rate_0 * a^N + p/i * (1 - a^N)
2285
2286 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2287
2288 rate_N = p/i + (rate_0 - p/i) * a^N
2289 a^N = (rate_N - p/i) / (rate_0 - p/i)
2290 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2291 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2292
2293 Numerical analysis of the above equation, setting the computed rate to
2294 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2295 rates, p/i, the number of messages N = limit. So limit serves as both the
2296 maximum rate measured in messages per period, and the maximum number of
2297 messages that can be sent in a fast burst. */
2298
2299 double this_time = (double)tv.tv_sec
2300 + (double)tv.tv_usec / 1000000.0;
2301 double prev_time = (double)dbd->time_stamp
2302 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2303
2304 /* We must avoid division by zero, and deal gracefully with the clock going
2305 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2306 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2307
e5d5a95f
TF		 2308 double interval = this_time - prev_time <= 0.0 ? 1e-9
2309 : this_time - prev_time;
2310
2311 double i_over_p = interval / period;
2312 double a = exp(-i_over_p);
870f6ba8
TF		 2313
2314 dbd->time_stamp = tv.tv_sec;
2315 dbd->time_usec = tv.tv_usec;
2316
2317 /* If we are measuring the rate in bytes per period, multiply the
2318 measured rate by the message size. If we don't know the message size
2319 then it's safe to just use a value of zero and let the recorded rate
2320 decay as if nothing happened. */
2321
2322 if (per_byte)
2323 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2324 * (1 - a) / i_over_p + a * dbd->rate;
90fc3069
TF		 2325 else if (per_cmd && where == ACL_WHERE_NOTSMTP)
2326 dbd->rate = (double)recipients_count
2327 * (1 - a) / i_over_p + a * dbd->rate;
870f6ba8
TF		 2328 else
2329 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2330 }
2331
3348576f
TF		 2332/* Clients sending at the limit are considered to be over the limit. This
2333matters for edge cases such the first message sent by a client (which gets
2334the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2335be completely blocked). */
2336
2337if (dbd->rate < limit) rc = FAIL;
2338 else rc = OK;
870f6ba8
TF		 2339
2340/* Update the state if the rate is low or if we are being strict. If we
2341are in leaky mode and the sender's rate is too high, we do not update
2342the recorded rate in order to avoid an over-aggressive sender's retry
2343rate preventing them from getting any email through. */
2344
2345if (rc == FAIL || !leaky)
2346 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
2347dbfn_close(dbm);
2348
2349/* Store the result in the tree for future reference, if necessary. */
2350
2351if (anchor != NULL)
2352 {
2353 t = store_get(sizeof(tree_node) + Ustrlen(key));
2354 t->data.ptr = dbd;
2355 Ustrcpy(t->name, key);
2356 (void)tree_insertnode(anchor, t);
2357 }
2358
2359/* We create the formatted version of the sender's rate very late in
2360order to ensure that it is done using the correct storage pool. */
2361
2362store_pool = old_pool;
2363sender_rate = string_sprintf("%.1f", dbd->rate);
2364
2365HDEBUG(D_acl)
2366 debug_printf("ratelimit computed rate %s\n", sender_rate);
2367
2368return rc;
2369}
2370
2371
2372
059ec3d9
PH		 2373/*************************************************
2374* Handle conditions/modifiers on an ACL item *
2375*************************************************/
2376
2377/* Called from acl_check() below.
2378
2379Arguments:
2380 verb ACL verb
2381 cb ACL condition block - if NULL, result is OK
2382 where where called from
2383 addr the address being checked for RCPT, or NULL
2384 level the nesting level
2385 epp pointer to pass back TRUE if "endpass" encountered
2386 (applies only to "accept" and "discard")
2387 user_msgptr user message pointer
2388 log_msgptr log message pointer
2389 basic_errno pointer to where to put verify error
2390
2391Returns: OK - all conditions are met
2392 DISCARD - an "acl" condition returned DISCARD - only allowed
2393 for "accept" or "discard" verbs
2394 FAIL - at least one condition fails
2395 FAIL_DROP - an "acl" condition returned FAIL_DROP
2396 DEFER - can't tell at the moment (typically, lookup defer,
2397 but can be temporary callout problem)
2398 ERROR - ERROR from nested ACL or expansion failure or other
2399 error
2400*/
2401
2402static int
2403acl_check_condition(int verb, acl_condition_block *cb, int where,
2404 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2405 uschar **log_msgptr, int *basic_errno)
2406{
2407uschar *user_message = NULL;
2408uschar *log_message = NULL;
91ecef39 2409uschar *p = NULL;
059ec3d9 2410int rc = OK;
8523533c
TK		 2411#ifdef WITH_CONTENT_SCAN
2412int sep = '/';
2413#endif
059ec3d9
PH		 2414
2415for (; cb != NULL; cb = cb->next)
2416 {
2417 uschar *arg;
8e669ac1 2418 int control_type;
059ec3d9
PH		 2419
2420 /* The message and log_message items set up messages to be used in
2421 case of rejection. They are expanded later. */
2422
2423 if (cb->type == ACLC_MESSAGE)
2424 {
2425 user_message = cb->arg;
2426 continue;
2427 }
2428
2429 if (cb->type == ACLC_LOG_MESSAGE)
2430 {
2431 log_message = cb->arg;
2432 continue;
2433 }
2434
2435 /* The endpass "condition" just sets a flag to show it occurred. This is
2436 checked at compile time to be on an "accept" or "discard" item. */
2437
2438 if (cb->type == ACLC_ENDPASS)
2439 {
2440 *epp = TRUE;
2441 continue;
2442 }
2443
2444 /* For other conditions and modifiers, the argument is expanded now for some
2445 of them, but not for all, because expansion happens down in some lower level
2446 checking functions in some cases. */
2447
2448 if (cond_expand_at_top[cb->type])
2449 {
2450 arg = expand_string(cb->arg);
2451 if (arg == NULL)
2452 {
2453 if (expand_string_forcedfail) continue;
2454 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2455 cb->arg, expand_string_message);
2456 return search_find_defer? DEFER : ERROR;
2457 }
2458 }
2459 else arg = cb->arg;
2460
2461 /* Show condition, and expanded condition if it's different */
2462
2463 HDEBUG(D_acl)
2464 {
2465 int lhswidth = 0;
2466 debug_printf("check %s%s %n",
2467 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2468 conditions[cb->type], &lhswidth);
2469
2470 if (cb->type == ACLC_SET)
2471 {
38a0a95f
PH		 2472 debug_printf("acl_%s ", cb->u.varname);
2473 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2474 }
2475
2476 debug_printf("= %s\n", cb->arg);
2477
2478 if (arg != cb->arg)
2479 debug_printf("%.*s= %s\n", lhswidth,
2480 US" ", CS arg);
2481 }
2482
2483 /* Check that this condition makes sense at this time */
2484
2485 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2486 {
2487 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2488 cond_modifiers[cb->type]? "use" : "test",
2489 conditions[cb->type], acl_wherenames[where]);
2490 return ERROR;
2491 }
2492
2493 /* Run the appropriate test for each condition, or take the appropriate
2494 action for the remaining modifiers. */
2495
2496 switch(cb->type)
2497 {
71fafd95
PH		 2498 case ACLC_ADD_HEADER:
2499 setup_header(arg);
2500 break;
2501
059ec3d9
PH		 2502 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2503 "discard" verb. */
71fafd95 2504
059ec3d9
PH		 2505 case ACLC_ACL:
2506 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2507 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2508 {
2509 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2510 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2511 verbs[verb]);
2512 return ERROR;
2513 }
2514 break;
2515
2516 case ACLC_AUTHENTICATED:
2517 rc = (sender_host_authenticated == NULL)? FAIL :
2518 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2519 TRUE, NULL);
2520 break;
2521
71fafd95 2522 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2523 case ACLC_BMI_OPTIN:
2524 {
2525 int old_pool = store_pool;
2526 store_pool = POOL_PERM;
2527 bmi_current_optin = string_copy(arg);
2528 store_pool = old_pool;
2529 }
2530 break;
71fafd95 2531 #endif
8523533c 2532
059ec3d9
PH		 2533 case ACLC_CONDITION:
2534 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2535 rc = (Uatoi(arg) == 0)? FAIL : OK;
2536 else
2537 rc = (strcmpic(arg, US"no") == 0 ||
2538 strcmpic(arg, US"false") == 0)? FAIL :
2539 (strcmpic(arg, US"yes") == 0 ||
2540 strcmpic(arg, US"true") == 0)? OK : DEFER;
2541 if (rc == DEFER)
2542 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2543 break;
2544
2545 case ACLC_CONTROL:
c5fcb476
PH		 2546 control_type = decode_control(arg, &p, where, log_msgptr);
2547
8523533c 2548 /* Check if this control makes sense at this time */
c5fcb476
PH		 2549
2550 if ((control_forbids[control_type] & (1 << where)) != 0)
2551 {
2552 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2553 controls[control_type], acl_wherenames[where]);
2554 return ERROR;
8e669ac1 2555 }
c5fcb476
PH		 2556
2557 switch(control_type)
059ec3d9 2558 {
c46782ef
PH		 2559 case CONTROL_AUTH_UNADVERTISED:
2560 allow_auth_unadvertised = TRUE;
2561 break;
2562
2563 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2564 case CONTROL_BMI_RUN:
2565 bmi_run = 1;
2566 break;
c46782ef
PH		 2567 #endif
2568
2569 #ifdef EXPERIMENTAL_DOMAINKEYS
fb2274d4
TK		 2570 case CONTROL_DK_VERIFY:
2571 dk_do_verify = 1;
2572 break;
c46782ef
PH		 2573 #endif
2574
059ec3d9
PH		 2575 case CONTROL_ERROR:
2576 return ERROR;
2577
2578 case CONTROL_CASEFUL_LOCAL_PART:
2579 deliver_localpart = addr->cc_local_part;
2580 break;
2581
2582 case CONTROL_CASELOWER_LOCAL_PART:
2583 deliver_localpart = addr->lc_local_part;
2584 break;
2585
2586 case CONTROL_ENFORCE_SYNC:
2587 smtp_enforce_sync = TRUE;
2588 break;
2589
2590 case CONTROL_NO_ENFORCE_SYNC:
2591 smtp_enforce_sync = FALSE;
2592 break;
2593
c46782ef 2594 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2595 case CONTROL_NO_MBOX_UNSPOOL:
2596 no_mbox_unspool = TRUE;
2597 break;
c46782ef 2598 #endif
8523533c 2599
059ec3d9
PH		 2600 case CONTROL_NO_MULTILINE:
2601 no_multiline_responses = TRUE;
2602 break;
2603
cf8b11a5
PH		 2604 case CONTROL_NO_PIPELINING:
2605 pipelining_enable = FALSE;
2606 break;
2607
29aba418 2608 case CONTROL_FAKEDEFER:
8523533c 2609 case CONTROL_FAKEREJECT:
29aba418 2610 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2611 if (*p == '/')
8e669ac1 2612 {
8523533c 2613 uschar *pp = p + 1;
8e669ac1 2614 while (*pp != 0) pp++;
29aba418 2615 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2616 p = pp;
2617 }
2618 else
2619 {
2620 /* Explicitly reset to default string */
29aba418 2621 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2622 }
2623 break;
8523533c 2624
059ec3d9
PH		 2625 case CONTROL_FREEZE:
2626 deliver_freeze = TRUE;
2627 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2628 freeze_tell = freeze_tell_config; /* Reset to configured value */
2629 if (Ustrncmp(p, "/no_tell", 8) == 0)
2630 {
2631 p += 8;
2632 freeze_tell = NULL;
2633 }
2634 if (*p != 0)
2635 {
2636 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2637 return ERROR;
2638 }
059ec3d9
PH		 2639 break;
2640
2641 case CONTROL_QUEUE_ONLY:
2642 queue_only_policy = TRUE;
2643 break;
2644
2645 case CONTROL_SUBMISSION:
87ba3f5f 2646 originator_name = US"";
059ec3d9 2647 submission_mode = TRUE;
69358f02 2648 while (*p == '/')
8e669ac1 2649 {
69358f02
PH		 2650 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2651 {
2652 p += 14;
2653 active_local_sender_retain = TRUE;
8e669ac1
PH		 2654 active_local_from_check = FALSE;
2655 }
69358f02
PH		 2656 else if (Ustrncmp(p, "/domain=", 8) == 0)
2657 {
2658 uschar *pp = p + 8;
8e669ac1 2659 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 2660 submission_domain = string_copyn(p+8, pp-p-8);
2661 p = pp;
2662 }
8857ccfd
PH		 2663 /* The name= option must be last, because it swallows the rest of
2664 the string. */
87ba3f5f
PH		 2665 else if (Ustrncmp(p, "/name=", 6) == 0)
2666 {
2667 uschar *pp = p + 6;
8857ccfd 2668 while (*pp != 0) pp++;
2fe1a124 2669 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 2670 big_buffer, big_buffer_size));
8e669ac1 2671 p = pp;
69358f02 2672 }
8e669ac1
PH		 2673 else break;
2674 }
69358f02 2675 if (*p != 0)
059ec3d9 2676 {
69358f02 2677 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 2678 return ERROR;
2679 }
2680 break;
8800895a
PH		 2681
2682 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2683 suppress_local_fixups = TRUE;
2684 break;
059ec3d9
PH		 2685 }
2686 break;
2687
71fafd95 2688 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2689 case ACLC_DECODE:
2690 rc = mime_decode(&arg);
2691 break;
71fafd95 2692 #endif
8523533c 2693
059ec3d9
PH		 2694 case ACLC_DELAY:
2695 {
2696 int delay = readconf_readtime(arg, 0, FALSE);
2697 if (delay < 0)
2698 {
2699 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2700 "modifier: \"%s\" is not a time value", arg);
2701 return ERROR;
2702 }
2703 else
2704 {
2705 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2706 delay);
2707 if (host_checking)
2708 {
2709 HDEBUG(D_acl)
2710 debug_printf("delay skipped in -bh checking mode\n");
2711 }
010c2d14
PH		 2712
2713 /* It appears to be impossible to detect that a TCP/IP connection has
2714 gone away without reading from it. This means that we cannot shorten
2715 the delay below if the client goes away, because we cannot discover
2716 that the client has closed its end of the connection. (The connection
2717 is actually in a half-closed state, waiting for the server to close its
2718 end.) It would be nice to be able to detect this state, so that the
2719 Exim process is not held up unnecessarily. However, it seems that we
2720 can't. The poll() function does not do the right thing, and in any case
2721 it is not always available.
2722
2723 NOTE: If ever this state of affairs changes, remember that we may be
2724 dealing with stdin/stdout here, in addition to TCP/IP connections.
2725 Whatever is done must work in both cases. To detected the stdin/stdout
2726 case, check for smtp_in or smtp_out being NULL. */
2727
8e669ac1 2728 else
86b8287f
PH		 2729 {
2730 while (delay > 0) delay = sleep(delay);
8e669ac1 2731 }
059ec3d9
PH		 2732 }
2733 }
2734 break;
2735
71fafd95 2736 #ifdef WITH_OLD_DEMIME
8523533c
TK		 2737 case ACLC_DEMIME:
2738 rc = demime(&arg);
2739 break;
71fafd95 2740 #endif
8523533c 2741
71fafd95
PH		 2742 #ifdef EXPERIMENTAL_DOMAINKEYS
2743 case ACLC_DK_DOMAIN_SOURCE:
fb2274d4
TK		 2744 if (dk_verify_block == NULL) { rc = FAIL; break; };
2745 /* check header source of domain against given string */
2746 switch (dk_verify_block->address_source) {
2747 case DK_EXIM_ADDRESS_FROM_FROM:
2748 rc = match_isinlist(US"from", &arg, 0, NULL,
2749 NULL, MCL_STRING, TRUE, NULL);
2750 break;
2751 case DK_EXIM_ADDRESS_FROM_SENDER:
2752 rc = match_isinlist(US"sender", &arg, 0, NULL,
2753 NULL, MCL_STRING, TRUE, NULL);
2754 break;
2755 case DK_EXIM_ADDRESS_NONE:
2756 rc = match_isinlist(US"none", &arg, 0, NULL,
2757 NULL, MCL_STRING, TRUE, NULL);
2758 break;
71fafd95
PH		 2759 }
2760 break;
2761
2762 case ACLC_DK_POLICY:
fb2274d4
TK		 2763 if (dk_verify_block == NULL) { rc = FAIL; break; };
2764 /* check policy against given string, default FAIL */
2765 rc = FAIL;
2766 if (dk_verify_block->signsall)
2767 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2768 NULL, MCL_STRING, TRUE, NULL);
2769 if (dk_verify_block->testing)
2770 rc = match_isinlist(US"testing", &arg, 0, NULL,
2771 NULL, MCL_STRING, TRUE, NULL);
71fafd95
PH		 2772 break;
2773
2774 case ACLC_DK_SENDER_DOMAINS:
fb2274d4
TK		 2775 if (dk_verify_block == NULL) { rc = FAIL; break; };
2776 if (dk_verify_block->domain != NULL)
2777 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2778 NULL, MCL_DOMAIN, TRUE, NULL);
2779 else rc = FAIL;
71fafd95
PH		 2780 break;
2781
2782 case ACLC_DK_SENDER_LOCAL_PARTS:
fb2274d4
TK		 2783 if (dk_verify_block == NULL) { rc = FAIL; break; };
2784 if (dk_verify_block->local_part != NULL)
2785 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2786 NULL, MCL_LOCALPART, TRUE, NULL);
2787 else rc = FAIL;
71fafd95
PH		 2788 break;
2789
2790 case ACLC_DK_SENDERS:
fb2274d4
TK		 2791 if (dk_verify_block == NULL) { rc = FAIL; break; };
2792 if (dk_verify_block->address != NULL)
2793 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2794 else rc = FAIL;
71fafd95
PH		 2795 break;
2796
2797 case ACLC_DK_STATUS:
fb2274d4
TK		 2798 if (dk_verify_block == NULL) { rc = FAIL; break; };
2799 if (dk_verify_block->result > 0) {
2800 switch(dk_verify_block->result) {
2801 case DK_EXIM_RESULT_BAD_FORMAT:
2802 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2803 NULL, MCL_STRING, TRUE, NULL);
2804 break;
2805 case DK_EXIM_RESULT_NO_KEY:
2806 rc = match_isinlist(US"no key", &arg, 0, NULL,
2807 NULL, MCL_STRING, TRUE, NULL);
2808 break;
2809 case DK_EXIM_RESULT_NO_SIGNATURE:
2810 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2811 NULL, MCL_STRING, TRUE, NULL);
2812 break;
2813 case DK_EXIM_RESULT_REVOKED:
2814 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2815 NULL, MCL_STRING, TRUE, NULL);
2816 break;
2817 case DK_EXIM_RESULT_NON_PARTICIPANT:
2818 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2819 NULL, MCL_STRING, TRUE, NULL);
2820 break;
2821 case DK_EXIM_RESULT_GOOD:
2822 rc = match_isinlist(US"good", &arg, 0, NULL,
2823 NULL, MCL_STRING, TRUE, NULL);
2824 break;
2825 case DK_EXIM_RESULT_BAD:
2826 rc = match_isinlist(US"bad", &arg, 0, NULL,
2827 NULL, MCL_STRING, TRUE, NULL);
2828 break;
71fafd95 2829 }
fb2274d4 2830 }
71fafd95
PH		 2831 break;
2832 #endif
fb2274d4 2833
059ec3d9
PH		 2834 case ACLC_DNSLISTS:
2835 rc = verify_check_dnsbl(&arg);
2836 break;
2837
2838 case ACLC_DOMAINS:
2839 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2840 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2841 break;
2842
2843 /* The value in tls_cipher is the full cipher name, for example,
2844 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2845 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2846 what may in practice come out of the SSL library - which at the time of
2847 writing is poorly documented. */
2848
2849 case ACLC_ENCRYPTED:
2850 if (tls_cipher == NULL) rc = FAIL; else
2851 {
2852 uschar *endcipher = NULL;
2853 uschar *cipher = Ustrchr(tls_cipher, ':');
2854 if (cipher == NULL) cipher = tls_cipher; else
2855 {
2856 endcipher = Ustrchr(++cipher, ':');
2857 if (endcipher != NULL) *endcipher = 0;
2858 }
2859 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2860 if (endcipher != NULL) *endcipher = ':';
2861 }
2862 break;
2863
2864 /* Use verify_check_this_host() instead of verify_check_host() so that
2865 we can pass over &host_data to catch any looked up data. Once it has been
2866 set, it retains its value so that it's still there if another ACL verb
2867 comes through here and uses the cache. However, we must put it into
2868 permanent store in case it is also expected to be used in a subsequent
2869 message in the same SMTP connection. */
2870
2871 case ACLC_HOSTS:
2872 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2873 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2874 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2875 break;
2876
2877 case ACLC_LOCAL_PARTS:
2878 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2879 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2880 &deliver_localpart_data);
2881 break;
2882
6ea85e9a
PH		 2883 case ACLC_LOG_REJECT_TARGET:
2884 {
2885 int logbits = 0;
2886 int sep = 0;
2887 uschar *s = arg;
2888 uschar *ss;
2889 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
2890 != NULL)
2891 {
2892 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
2893 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
2894 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
2895 else
2896 {
2897 logbits |= LOG_MAIN|LOG_REJECT;
2898 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
2899 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
2900 }
2901 }
2902 log_reject_target = logbits;
2903 }
2904 break;
2905
059ec3d9
PH		 2906 case ACLC_LOGWRITE:
2907 {
2908 int logbits = 0;
2909 uschar *s = arg;
2910 if (*s == ':')
2911 {
2912 s++;
2913 while (*s != ':')
2914 {
2915 if (Ustrncmp(s, "main", 4) == 0)
2916 { logbits |= LOG_MAIN; s += 4; }
2917 else if (Ustrncmp(s, "panic", 5) == 0)
2918 { logbits |= LOG_PANIC; s += 5; }
2919 else if (Ustrncmp(s, "reject", 6) == 0)
2920 { logbits |= LOG_REJECT; s += 6; }
2921 else
2922 {
2923 logbits = LOG_MAIN|LOG_PANIC;
2924 s = string_sprintf(":unknown log name in \"%s\" in "
2925 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2926 }
2927 if (*s == ',') s++;
2928 }
2929 s++;
2930 }
2931 while (isspace(*s)) s++;
6ea85e9a
PH		 2932
2933
059ec3d9
PH		 2934 if (logbits == 0) logbits = LOG_MAIN;
2935 log_write(0, logbits, "%s", string_printing(s));
2936 }
2937 break;
8e669ac1 2938
71fafd95 2939 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2940 case ACLC_MALWARE:
2941 {
6ea85e9a 2942 /* Separate the regular expression and any optional parameters. */
8523533c
TK		 2943 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2944 /* Run the malware backend. */
2945 rc = malware(&ss);
2946 /* Modify return code based upon the existance of options. */
2947 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2948 != NULL) {
2949 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2950 {
2951 /* FAIL so that the message is passed to the next ACL */
2952 rc = FAIL;
2953 }
2954 }
2955 }
2956 break;
2957
2958 case ACLC_MIME_REGEX:
71fafd95 2959 rc = mime_regex(&arg);
8523533c 2960 break;
71fafd95 2961 #endif
059ec3d9 2962
870f6ba8 2963 case ACLC_RATELIMIT:
90fc3069 2964 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 2965 break;
2966
059ec3d9
PH		 2967 case ACLC_RECIPIENTS:
2968 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2969 &recipient_data);
2970 break;
2971
71fafd95
PH		 2972 #ifdef WITH_CONTENT_SCAN
2973 case ACLC_REGEX:
2974 rc = regex(&arg);
8523533c 2975 break;
71fafd95 2976 #endif
8523533c 2977
059ec3d9
PH		 2978 case ACLC_SENDER_DOMAINS:
2979 {
2980 uschar *sdomain;
2981 sdomain = Ustrrchr(sender_address, '@');
2982 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2983 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2984 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2985 }
2986 break;
2987
2988 case ACLC_SENDERS:
2989 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2990 sender_address_cache, -1, 0, &sender_data);
2991 break;
2992
2993 /* Connection variables must persist forever */
2994
2995 case ACLC_SET:
2996 {
2997 int old_pool = store_pool;
38a0a95f
PH		 2998 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
2999 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 3000 store_pool = old_pool;
3001 }
3002 break;
3003
71fafd95 3004 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3005 case ACLC_SPAM:
3006 {
3007 /* Seperate the regular expression and any optional parameters. */
3008 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3009 /* Run the spam backend. */
3010 rc = spam(&ss);
3011 /* Modify return code based upon the existance of options. */
3012 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3013 != NULL) {
3014 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3015 {
3016 /* FAIL so that the message is passed to the next ACL */
3017 rc = FAIL;
3018 }
3019 }
3020 }
3021 break;
71fafd95 3022 #endif
8523533c 3023
71fafd95 3024 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 3025 case ACLC_SPF:
3026 rc = spf_process(&arg, sender_address);
3027 break;
71fafd95 3028 #endif
8523533c 3029
059ec3d9
PH		 3030 /* If the verb is WARN, discard any user message from verification, because
3031 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3032 only from explicit "message" modifiers. However, put the user message into
3033 $acl_verify_message so it can be used in subsequent conditions or modifiers
3034 (until something changes it). */
059ec3d9
PH		 3035
3036 case ACLC_VERIFY:
3037 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3038 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3039 if (verb == ACL_WARN) *user_msgptr = NULL;
3040 break;
3041
3042 default:
3043 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3044 "condition %d", cb->type);
3045 break;
3046 }
3047
3048 /* If a condition was negated, invert OK/FAIL. */
3049
3050 if (!cond_modifiers[cb->type] && cb->u.negated)
3051 {
3052 if (rc == OK) rc = FAIL;
3053 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3054 }
3055
3056 if (rc != OK) break; /* Conditions loop */
3057 }
3058
3059
3060/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3061handle the values of these modifiers. If there isn't a log message set, we make
3062it the same as the user message.
059ec3d9
PH		 3063
3064"message" is a user message that will be included in an SMTP response. Unless
3065it is empty, it overrides any previously set user message.
3066
3067"log_message" is a non-user message, and it adds to any existing non-user
3068message that is already set.
3069
4e88a19f
PH		 3070Most verbs have but a single return for which the messages are relevant, but
3071for "discard", it's useful to have the log message both when it succeeds and
3072when it fails. For "accept", the message is used in the OK case if there is no
3073"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3074present. */
059ec3d9 3075
4e88a19f
PH		 3076if (*epp && rc == OK) user_message = NULL;
3077
3078if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3079 {
3080 uschar *expmessage;
4e88a19f
PH		 3081 uschar *old_user_msgptr = *user_msgptr;
3082 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3083
3084 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3085 nested ACLs) are always discarded. This also happens for acceptance verbs
3086 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3087 However, the value of an existing message is available in $acl_verify_message
3088 during expansions. */
3089
4e88a19f
PH		 3090 if (verb == ACL_WARN ||
3091 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3092 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3093
3094 if (user_message != NULL)
3095 {
3096 acl_verify_message = old_user_msgptr;
3097 expmessage = expand_string(user_message);
3098 if (expmessage == NULL)
3099 {
3100 if (!expand_string_forcedfail)
3101 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3102 user_message, expand_string_message);
3103 }
3104 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3105 }
3106
3107 if (log_message != NULL)
3108 {
3109 acl_verify_message = old_log_msgptr;
3110 expmessage = expand_string(log_message);
3111 if (expmessage == NULL)
3112 {
3113 if (!expand_string_forcedfail)
3114 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3115 log_message, expand_string_message);
3116 }
3117 else if (expmessage[0] != 0)
3118 {
3119 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3120 string_sprintf("%s: %s", expmessage, *log_msgptr);
3121 }
3122 }
3123
3124 /* If no log message, default it to the user message */
3125
3126 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3127 }
3128
3129acl_verify_message = NULL;
3130return rc;
3131}
3132
3133
3134
3135
3136
3137/*************************************************
3138* Get line from a literal ACL *
3139*************************************************/
3140
3141/* This function is passed to acl_read() in order to extract individual lines
3142of a literal ACL, which we access via static pointers. We can destroy the
3143contents because this is called only once (the compiled ACL is remembered).
3144
3145This code is intended to treat the data in the same way as lines in the main
3146Exim configuration file. That is:
3147
3148 . Leading spaces are ignored.
3149
3150 . A \ at the end of a line is a continuation - trailing spaces after the \
3151 are permitted (this is because I don't believe in making invisible things
3152 significant). Leading spaces on the continued part of a line are ignored.
3153
3154 . Physical lines starting (significantly) with # are totally ignored, and
3155 may appear within a sequence of backslash-continued lines.
3156
3157 . Blank lines are ignored, but will end a sequence of continuations.
3158
3159Arguments: none
3160Returns: a pointer to the next line
3161*/
3162
3163
3164static uschar *acl_text; /* Current pointer in the text */
3165static uschar *acl_text_end; /* Points one past the terminating '0' */
3166
3167
3168static uschar *
3169acl_getline(void)
3170{
3171uschar *yield;
3172
3173/* This loop handles leading blank lines and comments. */
3174
3175for(;;)
3176 {
3177 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3178 if (*acl_text == 0) return NULL; /* No more data */
3179 yield = acl_text; /* Potential data line */
3180
3181 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3182
3183 /* If we hit the end before a newline, we have the whole logical line. If
3184 it's a comment, there's no more data to be given. Otherwise, yield it. */
3185
3186 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3187
3188 /* After reaching a newline, end this loop if the physical line does not
3189 start with '#'. If it does, it's a comment, and the loop continues. */
3190
3191 if (*yield != '#') break;
3192 }
3193
3194/* This loop handles continuations. We know we have some real data, ending in
3195newline. See if there is a continuation marker at the end (ignoring trailing
3196white space). We know that *yield is not white space, so no need to test for
3197cont > yield in the backwards scanning loop. */
3198
3199for(;;)
3200 {
3201 uschar *cont;
3202 for (cont = acl_text - 1; isspace(*cont); cont--);
3203
3204 /* If no continuation follows, we are done. Mark the end of the line and
3205 return it. */
3206
3207 if (*cont != '\\')
3208 {
3209 *acl_text++ = 0;
3210 return yield;
3211 }
3212
3213 /* We have encountered a continuation. Skip over whitespace at the start of
3214 the next line, and indeed the whole of the next line or lines if they are
3215 comment lines. */
3216
3217 for (;;)
3218 {
3219 while (*(++acl_text) == ' ' || *acl_text == '\t');
3220 if (*acl_text != '#') break;
3221 while (*(++acl_text) != 0 && *acl_text != '\n');
3222 }
3223
3224 /* We have the start of a continuation line. Move all the rest of the data
3225 to join onto the previous line, and then find its end. If the end is not a
3226 newline, we are done. Otherwise loop to look for another continuation. */
3227
3228 memmove(cont, acl_text, acl_text_end - acl_text);
3229 acl_text_end -= acl_text - cont;
3230 acl_text = cont;
3231 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3232 if (*acl_text == 0) return yield;
3233 }
3234
3235/* Control does not reach here */
3236}
3237
3238
3239
3240
3241
3242/*************************************************
3243* Check access using an ACL *
3244*************************************************/
3245
3246/* This function is called from address_check. It may recurse via
3247acl_check_condition() - hence the use of a level to stop looping. The ACL is
3248passed as a string which is expanded. A forced failure implies no access check
3249is required. If the result is a single word, it is taken as the name of an ACL
3250which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3251text, complete with newlines, and parsed as such. In both cases, the ACL check
3252is then run. This function uses an auxiliary function for acl_read() to call
3253for reading individual lines of a literal ACL. This is acl_getline(), which
3254appears immediately above.
3255
3256Arguments:
3257 where where called from
3258 addr address item when called from RCPT; otherwise NULL
3259 s the input string; NULL is the same as an empty ACL => DENY
3260 level the nesting level
3261 user_msgptr where to put a user error (for SMTP response)
3262 log_msgptr where to put a logging message (not for SMTP response)
3263
3264Returns: OK access is granted
3265 DISCARD access is apparently granted...
3266 FAIL access is denied
3267 FAIL_DROP access is denied; drop the connection
3268 DEFER can't tell at the moment
3269 ERROR disaster
3270*/
3271
3272static int
3273acl_check_internal(int where, address_item *addr, uschar *s, int level,
3274 uschar **user_msgptr, uschar **log_msgptr)
3275{
3276int fd = -1;
3277acl_block *acl = NULL;
3278uschar *acl_name = US"inline ACL";
3279uschar *ss;
3280
3281/* Catch configuration loops */
3282
3283if (level > 20)
3284 {
3285 *log_msgptr = US"ACL nested too deep: possible loop";
3286 return ERROR;
3287 }
3288
3289if (s == NULL)
3290 {
3291 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3292 return FAIL;
3293 }
3294
3295/* At top level, we expand the incoming string. At lower levels, it has already
3296been expanded as part of condition processing. */
3297
3298if (level == 0)
3299 {
3300 ss = expand_string(s);
3301 if (ss == NULL)
3302 {
3303 if (expand_string_forcedfail) return OK;
3304 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3305 expand_string_message);
3306 return ERROR;
3307 }
3308 }
3309else ss = s;
3310
3311while (isspace(*ss))ss++;
3312
3313/* If we can't find a named ACL, the default is to parse it as an inline one.
3314(Unless it begins with a slash; non-existent files give rise to an error.) */
3315
3316acl_text = ss;
3317
3318/* Handle the case of a string that does not contain any spaces. Look for a
3319named ACL among those read from the configuration, or a previously read file.
3320It is possible that the pointer to the ACL is NULL if the configuration
3321contains a name with no data. If not found, and the text begins with '/',
3322read an ACL from a file, and save it so it can be re-used. */
3323
3324if (Ustrchr(ss, ' ') == NULL)
3325 {
3326 tree_node *t = tree_search(acl_anchor, ss);
3327 if (t != NULL)
3328 {
3329 acl = (acl_block *)(t->data.ptr);
3330 if (acl == NULL)
3331 {
3332 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3333 return FAIL;
3334 }
3335 acl_name = string_sprintf("ACL \"%s\"", ss);
3336 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3337 }
3338
3339 else if (*ss == '/')
3340 {
3341 struct stat statbuf;
3342 fd = Uopen(ss, O_RDONLY, 0);
3343 if (fd < 0)
3344 {
3345 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3346 strerror(errno));
3347 return ERROR;
3348 }
3349
3350 if (fstat(fd, &statbuf) != 0)
3351 {
3352 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3353 strerror(errno));
3354 return ERROR;
3355 }
3356
3357 acl_text = store_get(statbuf.st_size + 1);
3358 acl_text_end = acl_text + statbuf.st_size + 1;
3359
3360 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3361 {
3362 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3363 ss, strerror(errno));
3364 return ERROR;
3365 }
3366 acl_text[statbuf.st_size] = 0;
f1e894f3 3367 (void)close(fd);
059ec3d9
PH		 3368
3369 acl_name = string_sprintf("ACL \"%s\"", ss);
3370 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3371 }
3372 }
3373
3374/* Parse an ACL that is still in text form. If it came from a file, remember it
3375in the ACL tree, having read it into the POOL_PERM store pool so that it
3376persists between multiple messages. */
3377
3378if (acl == NULL)
3379 {
3380 int old_pool = store_pool;
3381 if (fd >= 0) store_pool = POOL_PERM;
3382 acl = acl_read(acl_getline, log_msgptr);
3383 store_pool = old_pool;
3384 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3385 if (fd >= 0)
3386 {
3387 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3388 Ustrcpy(t->name, ss);
3389 t->data.ptr = acl;
3390 (void)tree_insertnode(&acl_anchor, t);
3391 }
3392 }
3393
3394/* Now we have an ACL to use. It's possible it may be NULL. */
3395
3396while (acl != NULL)
3397 {
3398 int cond;
3399 int basic_errno = 0;
3400 BOOL endpass_seen = FALSE;
3401
3402 *log_msgptr = *user_msgptr = NULL;
3403 acl_temp_details = FALSE;
3404
3405 if (where == ACL_WHERE_QUIT &&
3406 acl->verb != ACL_ACCEPT &&
3407 acl->verb != ACL_WARN)
3408 {
3409 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
3410 verbs[acl->verb]);
3411 return ERROR;
3412 }
3413
3414 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3415
3416 /* Clear out any search error message from a previous check before testing
3417 this condition. */
3418
3419 search_error_message = NULL;
3420 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3421 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3422
3423 /* Handle special returns: DEFER causes a return except on a WARN verb;
3424 ERROR always causes a return. */
3425
3426 switch (cond)
3427 {
3428 case DEFER:
3429 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3430 if (basic_errno != ERRNO_CALLOUTDEFER)
3431 {
3432 if (search_error_message != NULL && *search_error_message != 0)
3433 *log_msgptr = search_error_message;
3434 if (smtp_return_error_details) acl_temp_details = TRUE;
3435 }
3436 else
3437 {
3438 acl_temp_details = TRUE;
3439 }
3440 if (acl->verb != ACL_WARN) return DEFER;
3441 break;
3442
3443 default: /* Paranoia */
3444 case ERROR:
3445 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3446 return ERROR;
3447
3448 case OK:
3449 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3450 verbs[acl->verb]);
3451 break;
3452
3453 case FAIL:
3454 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3455 break;
3456
3457 /* DISCARD and DROP can happen only from a nested ACL condition, and
3458 DISCARD can happen only for an "accept" or "discard" verb. */
3459
3460 case DISCARD:
3461 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3462 verbs[acl->verb]);
3463 break;
3464
3465 case FAIL_DROP:
3466 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3467 verbs[acl->verb]);
3468 break;
3469 }
3470
3471 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3472 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3473 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3474
3475 switch(acl->verb)
3476 {
3477 case ACL_ACCEPT:
3478 if (cond == OK || cond == DISCARD) return cond;
3479 if (endpass_seen)
3480 {
3481 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3482 return cond;
3483 }
3484 break;
3485
3486 case ACL_DEFER:
3487 if (cond == OK)
3488 {
3489 acl_temp_details = TRUE;
3490 return DEFER;
3491 }
3492 break;
3493
3494 case ACL_DENY:
3495 if (cond == OK) return FAIL;
3496 break;
3497
3498 case ACL_DISCARD:
3499 if (cond == OK || cond == DISCARD) return DISCARD;
3500 if (endpass_seen)
3501 {
3502 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3503 return cond;
3504 }
3505 break;
3506
3507 case ACL_DROP:
3508 if (cond == OK) return FAIL_DROP;
3509 break;
3510
3511 case ACL_REQUIRE:
3512 if (cond != OK) return cond;
3513 break;
3514
3515 case ACL_WARN:
3516 if (cond == OK)
3517 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3518 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3519 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3520 "condition test deferred%s%s", host_and_ident(TRUE),
3521 (*log_msgptr == NULL)? US"" : US": ",
3522 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3523 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3524 break;
3525
3526 default:
3527 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3528 acl->verb);
3529 break;
3530 }
3531
3532 /* Pass to the next ACL item */
3533
3534 acl = acl->next;
3535 }
3536
3537/* We have reached the end of the ACL. This is an implicit DENY. */
3538
3539HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3540return FAIL;
3541}
3542
3543
3544/*************************************************
3545* Check access using an ACL *
3546*************************************************/
3547
3548/* This is the external interface for ACL checks. It sets up an address and the
3549expansions for $domain and $local_part when called after RCPT, then calls
3550acl_check_internal() to do the actual work.
3551
3552Arguments:
3553 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3554 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3555 s the input string; NULL is the same as an empty ACL => DENY
3556 user_msgptr where to put a user error (for SMTP response)
3557 log_msgptr where to put a logging message (not for SMTP response)
3558
3559Returns: OK access is granted by an ACCEPT verb
3560 DISCARD access is granted by a DISCARD verb
3561 FAIL access is denied
3562 FAIL_DROP access is denied; drop the connection
3563 DEFER can't tell at the moment
3564 ERROR disaster
3565*/
3566
3567int
64ffc24f 3568acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3569 uschar **log_msgptr)
3570{
3571int rc;
3572address_item adb;
64ffc24f 3573address_item *addr = NULL;
059ec3d9
PH		 3574
3575*user_msgptr = *log_msgptr = NULL;
3576sender_verified_failed = NULL;
fe0dab11 3577ratelimiters_cmd = NULL;
6ea85e9a 3578log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9
PH		 3579
3580if (where == ACL_WHERE_RCPT)
3581 {
3582 adb = address_defaults;
3583 addr = &adb;
64ffc24f 3584 addr->address = recipient;
059ec3d9
PH		 3585 if (deliver_split_address(addr) == DEFER)
3586 {
3587 *log_msgptr = US"defer in percent_hack_domains check";
3588 return DEFER;
3589 }
3590 deliver_domain = addr->domain;
3591 deliver_localpart = addr->local_part;
3592 }
059ec3d9
PH		 3593
3594rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3595
64ffc24f
PH		 3596deliver_domain = deliver_localpart = deliver_address_data =
3597 sender_address_data = NULL;
059ec3d9
PH		 3598
3599/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3600ACL, which is really in the middle of an SMTP command. */
3601
3602if (rc == DISCARD)
3603 {
3604 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3605 {
3606 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3607 "ACL", acl_wherenames[where]);
3608 return ERROR;
3609 }
3610 return DISCARD;
3611 }
3612
3613/* A DROP response is not permitted from MAILAUTH */
3614
3615if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3616 {
3617 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3618 "ACL", acl_wherenames[where]);
3619 return ERROR;
3620 }
3621
4e88a19f
PH		 3622/* Before giving a response, take a look at the length of any user message, and
3623split it up into multiple lines if possible. */
059ec3d9 3624
4e88a19f 3625if (*user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
059ec3d9
PH		 3626 {
3627 uschar *s = *user_msgptr = string_copy(*user_msgptr);
3628 uschar *ss = s;
3629
3630 for (;;)
3631 {
3632 int i = 0;
3633 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
3634 if (*ss == 0) break;
3635 if (*ss == '\n')
3636 s = ++ss;
3637 else
3638 {
3639 uschar *t = ss + 1;
3640 uschar *tt = NULL;
3641 while (--t > s + 35)
3642 {
3643 if (*t == ' ')
3644 {
3645 if (t[-1] == ':') { tt = t; break; }
3646 if (tt == NULL) tt = t;
3647 }
3648 }
3649
3650 if (tt == NULL) /* Can't split behind - try ahead */
3651 {
3652 t = ss + 1;
3653 while (*t != 0)
3654 {
3655 if (*t == ' ' || *t == '\n')
3656 { tt = t; break; }
3657 t++;
3658 }
3659 }
3660
3661 if (tt == NULL) break; /* Can't find anywhere to split */
3662 *tt = '\n';
3663 s = ss = tt+1;
3664 }
3665 }
3666 }
3667
3668return rc;
3669}
3670
38a0a95f
PH		 3671
3672
3673/*************************************************
3674* Create ACL variable *
3675*************************************************/
3676
3677/* Create an ACL variable or reuse an existing one. ACL variables are in a
3678binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3679
3680Argument:
3681 name pointer to the variable's name, starting with c or m
3682
3683Returns the pointer to variable's tree node
3684*/
3685
3686tree_node *
3687acl_var_create(uschar *name)
3688{
3689tree_node *node, **root;
3690root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3691node = tree_search(*root, name);
3692if (node == NULL)
3693 {
3694 node = store_get(sizeof(tree_node) + Ustrlen(name));
3695 Ustrcpy(node->name, name);
3696 (void)tree_insertnode(root, node);
3697 }
3698node->data.ptr = NULL;
3699return node;
3700}
3701
3702
3703
3704/*************************************************
3705* Write an ACL variable in spool format *
3706*************************************************/
3707
3708/* This function is used as a callback for tree_walk when writing variables to
3709the spool file. To retain spool file compatibility, what is written is -aclc or
3710-aclm followed by the rest of the name and the data length, space separated,
3711then the value itself, starting on a new line, and terminated by an additional
3712newline. When we had only numbered ACL variables, the first line might look
3713like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3714acl_cfoo.
3715
3716Arguments:
3717 name of the variable
3718 value of the variable
3719 ctx FILE pointer (as a void pointer)
3720
3721Returns: nothing
3722*/
3723
3724void
3725acl_var_write(uschar *name, uschar *value, void *ctx)
3726{
3727FILE *f = (FILE *)ctx;
3728fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
3729}
3730
059ec3d9 3731/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.