projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Check for overflow in numeric expansion conditions; forbid negative
[exim.git] / src / src / acl.c
CommitLineData
91ecef39 1/* $Cambridge: exim/src/src/acl.c,v 1.63 2006/09/05 14:05:43 ph10 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
d7d7b7b9 7/* Copyright (c) University of Cambridge 1995 - 2006 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 35follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
36down. */
059ec3d9 37
71fafd95
PH		 38enum { ACLC_ACL,
39 ACLC_ADD_HEADER,
40 ACLC_AUTHENTICATED,
8523533c
TK		 41#ifdef EXPERIMENTAL_BRIGHTMAIL
42 ACLC_BMI_OPTIN,
43#endif
71fafd95
PH		 44 ACLC_CONDITION,
45 ACLC_CONTROL,
8523533c
TK		 46#ifdef WITH_CONTENT_SCAN
47 ACLC_DECODE,
48#endif
49 ACLC_DELAY,
50#ifdef WITH_OLD_DEMIME
51 ACLC_DEMIME,
fb2274d4
TK		 52#endif
53#ifdef EXPERIMENTAL_DOMAINKEYS
54 ACLC_DK_DOMAIN_SOURCE,
55 ACLC_DK_POLICY,
56 ACLC_DK_SENDER_DOMAINS,
57 ACLC_DK_SENDER_LOCAL_PARTS,
58 ACLC_DK_SENDERS,
59 ACLC_DK_STATUS,
8e669ac1 60#endif
71fafd95
PH		 61 ACLC_DNSLISTS,
62 ACLC_DOMAINS,
63 ACLC_ENCRYPTED,
64 ACLC_ENDPASS,
65 ACLC_HOSTS,
66 ACLC_LOCAL_PARTS,
67 ACLC_LOG_MESSAGE,
68 ACLC_LOGWRITE,
8523533c
TK		 69#ifdef WITH_CONTENT_SCAN
70 ACLC_MALWARE,
71#endif
72 ACLC_MESSAGE,
73#ifdef WITH_CONTENT_SCAN
74 ACLC_MIME_REGEX,
75#endif
870f6ba8 76 ACLC_RATELIMIT,
8523533c
TK		 77 ACLC_RECIPIENTS,
78#ifdef WITH_CONTENT_SCAN
79 ACLC_REGEX,
80#endif
71fafd95
PH		 81 ACLC_SENDER_DOMAINS,
82 ACLC_SENDERS,
83 ACLC_SET,
8523533c 84#ifdef WITH_CONTENT_SCAN
8e669ac1 85 ACLC_SPAM,
8523533c
TK		 86#endif
87#ifdef EXPERIMENTAL_SPF
88 ACLC_SPF,
89#endif
90 ACLC_VERIFY };
059ec3d9
PH		 91
92/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
93"log_message", "logwrite", and "set" are modifiers that look like conditions
94but always return TRUE. They are used for their side effects. */
95
9a26b6b2
PH		 96static uschar *conditions[] = {
97 US"acl",
71fafd95 98 US"add_header",
9a26b6b2 99 US"authenticated",
8523533c
TK		 100#ifdef EXPERIMENTAL_BRIGHTMAIL
101 US"bmi_optin",
102#endif
103 US"condition",
8e669ac1 104 US"control",
8523533c
TK		 105#ifdef WITH_CONTENT_SCAN
106 US"decode",
107#endif
108 US"delay",
109#ifdef WITH_OLD_DEMIME
110 US"demime",
fb2274d4
TK		 111#endif
112#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 113 US"dk_domain_source",
114 US"dk_policy",
115 US"dk_sender_domains",
116 US"dk_sender_local_parts",
117 US"dk_senders",
118 US"dk_status",
8523533c
TK		 119#endif
120 US"dnslists", US"domains", US"encrypted",
059ec3d9 121 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
8523533c
TK		 122#ifdef WITH_CONTENT_SCAN
123 US"malware",
124#endif
125 US"message",
126#ifdef WITH_CONTENT_SCAN
127 US"mime_regex",
128#endif
870f6ba8 129 US"ratelimit",
8523533c
TK		 130 US"recipients",
131#ifdef WITH_CONTENT_SCAN
132 US"regex",
133#endif
134 US"sender_domains", US"senders", US"set",
135#ifdef WITH_CONTENT_SCAN
136 US"spam",
137#endif
138#ifdef EXPERIMENTAL_SPF
139 US"spf",
140#endif
059ec3d9 141 US"verify" };
8e669ac1 142
c5fcb476 143
9a26b6b2
PH		 144/* Return values from decode_control(); keep in step with the table of names
145that follows! */
146
147enum {
c46782ef
PH		 148 CONTROL_AUTH_UNADVERTISED,
149 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 150 CONTROL_BMI_RUN,
c46782ef
PH		 151 #endif
152 #ifdef EXPERIMENTAL_DOMAINKEYS
9a26b6b2 153 CONTROL_DK_VERIFY,
c46782ef
PH		 154 #endif
155 CONTROL_ERROR,
156 CONTROL_CASEFUL_LOCAL_PART,
157 CONTROL_CASELOWER_LOCAL_PART,
158 CONTROL_ENFORCE_SYNC,
159 CONTROL_NO_ENFORCE_SYNC,
160 CONTROL_FREEZE,
161 CONTROL_QUEUE_ONLY,
162 CONTROL_SUBMISSION,
163 CONTROL_SUPPRESS_LOCAL_FIXUPS,
164 #ifdef WITH_CONTENT_SCAN
9a26b6b2 165 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 166 #endif
167 CONTROL_FAKEDEFER,
168 CONTROL_FAKEREJECT,
169 CONTROL_NO_MULTILINE
170};
9a26b6b2 171
8800895a
PH		 172/* ACL control names; keep in step with the table above! This list is used for
173turning ids into names. The actual list of recognized names is in the variable
174control_def controls_list[] below. The fact that there are two lists is a mess
175and should be tidied up. */
9a26b6b2
PH		 176
177static uschar *controls[] = {
c46782ef 178 US"allow_auth_unadvertised",
9a26b6b2
PH		 179 #ifdef EXPERIMENTAL_BRIGHTMAIL
180 US"bmi_run",
181 #endif
182 #ifdef EXPERIMENTAL_DOMAINKEYS
183 US"dk_verify",
184 #endif
c46782ef
PH		 185 US"error",
186 US"caseful_local_part",
187 US"caselower_local_part",
188 US"enforce_sync",
189 US"no_enforce_sync",
190 US"freeze",
191 US"queue_only",
192 US"submission",
193 US"suppress_local_fixups",
9a26b6b2
PH		 194 #ifdef WITH_CONTENT_SCAN
195 US"no_mbox_unspool",
196 #endif
c46782ef
PH		 197 US"no_multiline"
198};
059ec3d9
PH		 199
200/* Flags to indicate for which conditions /modifiers a string expansion is done
201at the outer level. In the other cases, expansion already occurs in the
202checking functions. */
203
204static uschar cond_expand_at_top[] = {
205 TRUE, /* acl */
3e536984 206 TRUE, /* add_header */
059ec3d9 207 FALSE, /* authenticated */
8523533c
TK		 208#ifdef EXPERIMENTAL_BRIGHTMAIL
209 TRUE, /* bmi_optin */
8e669ac1 210#endif
059ec3d9
PH		 211 TRUE, /* condition */
212 TRUE, /* control */
8523533c
TK		 213#ifdef WITH_CONTENT_SCAN
214 TRUE, /* decode */
215#endif
059ec3d9 216 TRUE, /* delay */
8523533c
TK		 217#ifdef WITH_OLD_DEMIME
218 TRUE, /* demime */
fb2274d4
TK		 219#endif
220#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 221 TRUE, /* dk_domain_source */
222 TRUE, /* dk_policy */
223 TRUE, /* dk_sender_domains */
e715ad22 224 TRUE, /* dk_sender_local_parts */
7f45268c
PH		 225 TRUE, /* dk_senders */
226 TRUE, /* dk_status */
8523533c 227#endif
059ec3d9
PH		 228 TRUE, /* dnslists */
229 FALSE, /* domains */
230 FALSE, /* encrypted */
231 TRUE, /* endpass */
232 FALSE, /* hosts */
233 FALSE, /* local_parts */
234 TRUE, /* log_message */
235 TRUE, /* logwrite */
8523533c
TK		 236#ifdef WITH_CONTENT_SCAN
237 TRUE, /* malware */
238#endif
059ec3d9 239 TRUE, /* message */
8523533c
TK		 240#ifdef WITH_CONTENT_SCAN
241 TRUE, /* mime_regex */
242#endif
870f6ba8 243 TRUE, /* ratelimit */
059ec3d9 244 FALSE, /* recipients */
8523533c
TK		 245#ifdef WITH_CONTENT_SCAN
246 TRUE, /* regex */
247#endif
059ec3d9
PH		 248 FALSE, /* sender_domains */
249 FALSE, /* senders */
250 TRUE, /* set */
8523533c
TK		 251#ifdef WITH_CONTENT_SCAN
252 TRUE, /* spam */
253#endif
254#ifdef EXPERIMENTAL_SPF
255 TRUE, /* spf */
256#endif
059ec3d9
PH		 257 TRUE /* verify */
258};
259
260/* Flags to identify the modifiers */
261
262static uschar cond_modifiers[] = {
263 FALSE, /* acl */
3e536984 264 TRUE, /* add_header */
059ec3d9 265 FALSE, /* authenticated */
8523533c
TK		 266#ifdef EXPERIMENTAL_BRIGHTMAIL
267 TRUE, /* bmi_optin */
8e669ac1 268#endif
059ec3d9
PH		 269 FALSE, /* condition */
270 TRUE, /* control */
8523533c
TK		 271#ifdef WITH_CONTENT_SCAN
272 FALSE, /* decode */
273#endif
059ec3d9 274 TRUE, /* delay */
8523533c
TK		 275#ifdef WITH_OLD_DEMIME
276 FALSE, /* demime */
fb2274d4
TK		 277#endif
278#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 279 FALSE, /* dk_domain_source */
280 FALSE, /* dk_policy */
281 FALSE, /* dk_sender_domains */
e715ad22 282 FALSE, /* dk_sender_local_parts */
7f45268c
PH		 283 FALSE, /* dk_senders */
284 FALSE, /* dk_status */
8523533c 285#endif
059ec3d9
PH		 286 FALSE, /* dnslists */
287 FALSE, /* domains */
288 FALSE, /* encrypted */
289 TRUE, /* endpass */
290 FALSE, /* hosts */
291 FALSE, /* local_parts */
292 TRUE, /* log_message */
8523533c
TK		 293 TRUE, /* logwrite */
294#ifdef WITH_CONTENT_SCAN
295 FALSE, /* malware */
296#endif
059ec3d9 297 TRUE, /* message */
8523533c
TK		 298#ifdef WITH_CONTENT_SCAN
299 FALSE, /* mime_regex */
300#endif
870f6ba8 301 FALSE, /* ratelimit */
059ec3d9 302 FALSE, /* recipients */
8523533c
TK		 303#ifdef WITH_CONTENT_SCAN
304 FALSE, /* regex */
305#endif
059ec3d9
PH		 306 FALSE, /* sender_domains */
307 FALSE, /* senders */
308 TRUE, /* set */
8523533c
TK		 309#ifdef WITH_CONTENT_SCAN
310 FALSE, /* spam */
311#endif
312#ifdef EXPERIMENTAL_SPF
313 FALSE, /* spf */
314#endif
059ec3d9
PH		 315 FALSE /* verify */
316};
317
c5fcb476 318/* Bit map vector of which conditions are not allowed at certain times. For
2f079f46
PH		 319each condition, there's a bitmap of dis-allowed times. For some, it is easier
320to specify the negation of a small number of allowed times. */
059ec3d9
PH		 321
322static unsigned int cond_forbids[] = {
323 0, /* acl */
8e669ac1 324
71fafd95 325 (unsigned int)
45b91596 326 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 327 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596
PH		 328 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
329 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 330
45b91596
PH		 331 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
332 (1<<ACL_WHERE_NOTSMTP_START)|
333 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 334
71fafd95 335 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 336 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 337 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
338 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 339 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 340 (1<<ACL_WHERE_MAILAUTH)|
341 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 342 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
343 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 344 #endif
8e669ac1 345
059ec3d9 346 0, /* condition */
8e669ac1 347
059ec3d9 348 /* Certain types of control are always allowed, so we let it through
2f079f46 349 always and check in the control processing itself. */
8e669ac1 350
059ec3d9 351 0, /* control */
8e669ac1 352
71fafd95 353 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 354 (unsigned int)
355 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 356 #endif
8523533c 357
059ec3d9 358 0, /* delay */
8e669ac1 359
71fafd95 360 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 361 (unsigned int)
362 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 363 #endif
8e669ac1 364
71fafd95 365 #ifdef EXPERIMENTAL_DOMAINKEYS
2f079f46 366 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK		 367 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
368 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
369 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
370 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
371 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 372 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 373
2f079f46 374 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK		 375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
378 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 381
2f079f46 382 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK		 383 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
384 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
385 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
386 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
387 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 388 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 389
2f079f46 390 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK		 391 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
392 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
393 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
394 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
395 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 396 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 397
2f079f46 398 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK		 399 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
400 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
401 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
402 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
403 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 404 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 405
2f079f46 406 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK		 407 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
408 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
409 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
410 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
411 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 412 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
71fafd95 413 #endif
fb2274d4 414
45b91596
PH		 415 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
416 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 417
2f079f46
PH		 418 (unsigned int)
419 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 420
45b91596
PH		 421 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
422 (1<<ACL_WHERE_CONNECT)|
423 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 424 (1<<ACL_WHERE_HELO),
8e669ac1 425
059ec3d9 426 0, /* endpass */
8e669ac1 427
45b91596
PH		 428 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
429 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 430
2f079f46
PH		 431 (unsigned int)
432 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 433
434 0, /* log_message */
8e669ac1 435
059ec3d9 436 0, /* logwrite */
8e669ac1 437
71fafd95 438 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 439 (unsigned int)
440 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 441 #endif
8523533c 442
059ec3d9
PH		 443 0, /* message */
444
71fafd95 445 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 446 (unsigned int)
447 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 448 #endif
8523533c 449
870f6ba8
TF		 450 0, /* ratelimit */
451
2f079f46
PH		 452 (unsigned int)
453 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 454
71fafd95 455 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 456 (unsigned int)
457 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
458 (1<<ACL_WHERE_MIME)),
71fafd95 459 #endif
8523533c 460
059ec3d9
PH		 461 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
462 (1<<ACL_WHERE_HELO)|
463 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
464 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
465 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
466
467 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
468 (1<<ACL_WHERE_HELO)|
469 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
470 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
471 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
472
473 0, /* set */
474
71fafd95 475 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 476 (unsigned int)
477 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 478 #endif
8523533c 479
71fafd95 480 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 481 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
482 (1<<ACL_WHERE_HELO)|
483 (1<<ACL_WHERE_MAILAUTH)|
484 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 485 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
486 (1<<ACL_WHERE_NOTSMTP)|
487 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 488 #endif
8523533c 489
059ec3d9
PH		 490 /* Certain types of verify are always allowed, so we let it through
491 always and check in the verify function itself */
492
493 0 /* verify */
059ec3d9
PH		 494};
495
496
c5fcb476
PH		 497/* Bit map vector of which controls are not allowed at certain times. For
498each control, there's a bitmap of dis-allowed times. For some, it is easier to
499specify the negation of a small number of allowed times. */
500
501static unsigned int control_forbids[] = {
c46782ef
PH		 502 (unsigned int)
503 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
504
505 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 506 0, /* bmi_run */
c46782ef
PH		 507 #endif
508
509 #ifdef EXPERIMENTAL_DOMAINKEYS
45b91596
PH		 510 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dk_verify */
511 (1<<ACL_WHERE_NOTSMTP_START),
c46782ef 512 #endif
3e11c26b 513
c5fcb476 514 0, /* error */
8e669ac1
PH		 515
516 (unsigned int)
c5fcb476 517 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 518
519 (unsigned int)
c5fcb476 520 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 521
45b91596
PH		 522 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
523 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 524
45b91596
PH		 525 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
526 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 527
528 (unsigned int)
c5fcb476
PH		 529 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
530 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 531 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 532
533 (unsigned int)
c5fcb476
PH		 534 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
535 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 536 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 537
538 (unsigned int)
c5fcb476 539 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 540 (1<<ACL_WHERE_PREDATA)),
8523533c 541
8800895a
PH		 542 (unsigned int)
543 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 544 (1<<ACL_WHERE_PREDATA)|
545 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 546
c46782ef 547 #ifdef WITH_CONTENT_SCAN
8e669ac1 548 (unsigned int)
14d57970 549 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 550 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
551 (1<<ACL_WHERE_MIME)),
c46782ef 552 #endif
a6c4ab60 553
29aba418
TF		 554 (unsigned int)
555 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
556 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
557 (1<<ACL_WHERE_MIME)),
558
8e669ac1 559 (unsigned int)
a6c4ab60 560 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 561 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
562 (1<<ACL_WHERE_MIME)),
8523533c 563
45b91596
PH		 564 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
565 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 566};
567
568/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 569
570typedef struct control_def {
571 uschar *name;
572 int value; /* CONTROL_xxx value */
059ec3d9
PH		 573 BOOL has_option; /* Has /option(s) following */
574} control_def;
575
576static control_def controls_list[] = {
c46782ef 577 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 578#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 579 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4
TK		 580#endif
581#ifdef EXPERIMENTAL_DOMAINKEYS
c46782ef 582 { US"dk_verify", CONTROL_DK_VERIFY, FALSE },
8523533c 583#endif
c46782ef
PH		 584 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
585 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
586 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
587 { US"freeze", CONTROL_FREEZE, TRUE },
588 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
589 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
590 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 591#ifdef WITH_CONTENT_SCAN
c46782ef 592 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 593#endif
c46782ef
PH		 594 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
595 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
596 { US"submission", CONTROL_SUBMISSION, TRUE },
597 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH		 598 };
599
e5a9dba6
PH		 600/* Support data structures for Client SMTP Authorization. acl_verify_csa()
601caches its result in a tree to avoid repeated DNS queries. The result is an
602integer code which is used as an index into the following tables of
603explanatory strings and verification return codes. */
604
605static tree_node *csa_cache = NULL;
606
607enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
608 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
609
610/* The acl_verify_csa() return code is translated into an acl_verify() return
611code using the following table. It is OK unless the client is definitely not
612authorized. This is because CSA is supposed to be optional for sending sites,
613so recipients should not be too strict about checking it - especially because
614DNS problems are quite likely to occur. It's possible to use $csa_status in
615further ACL conditions to distinguish ok, unknown, and defer if required, but
616the aim is to make the usual configuration simple. */
617
618static int csa_return_code[] = {
619 OK, OK, OK, OK,
620 FAIL, FAIL, FAIL, FAIL
621};
622
623static uschar *csa_status_string[] = {
624 US"unknown", US"ok", US"defer", US"defer",
625 US"fail", US"fail", US"fail", US"fail"
626};
627
628static uschar *csa_reason_string[] = {
629 US"unknown",
630 US"ok",
631 US"deferred (SRV lookup failed)",
632 US"deferred (target address lookup failed)",
633 US"failed (explicit authorization required)",
634 US"failed (host name not authorized)",
635 US"failed (no authorized addresses)",
636 US"failed (client address mismatch)"
637};
638
059ec3d9
PH		 639/* Enable recursion between acl_check_internal() and acl_check_condition() */
640
641static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
642 uschar **);
643
644
645/*************************************************
646* Pick out name from list *
647*************************************************/
648
649/* Use a binary chop method
650
651Arguments:
652 name name to find
653 list list of names
654 end size of list
655
656Returns: offset in list, or -1 if not found
657*/
658
659static int
660acl_checkname(uschar *name, uschar **list, int end)
661{
662int start = 0;
663
664while (start < end)
665 {
666 int mid = (start + end)/2;
667 int c = Ustrcmp(name, list[mid]);
668 if (c == 0) return mid;
669 if (c < 0) end = mid; else start = mid + 1;
670 }
671
672return -1;
673}
674
675
676/*************************************************
677* Read and parse one ACL *
678*************************************************/
679
680/* This function is called both from readconf in order to parse the ACLs in the
681configuration file, and also when an ACL is encountered dynamically (e.g. as
682the result of an expansion). It is given a function to call in order to
683retrieve the lines of the ACL. This function handles skipping comments and
684blank lines (where relevant).
685
686Arguments:
687 func function to get next line of ACL
688 error where to put an error message
689
690Returns: pointer to ACL, or NULL
691 NULL can be legal (empty ACL); in this case error will be NULL
692*/
693
694acl_block *
695acl_read(uschar *(*func)(void), uschar **error)
696{
697acl_block *yield = NULL;
698acl_block **lastp = &yield;
699acl_block *this = NULL;
700acl_condition_block *cond;
701acl_condition_block **condp = NULL;
702uschar *s;
703
704*error = NULL;
705
706while ((s = (*func)()) != NULL)
707 {
708 int v, c;
709 BOOL negated = FALSE;
710 uschar *saveline = s;
711 uschar name[64];
712
713 /* Conditions (but not verbs) are allowed to be negated by an initial
714 exclamation mark. */
715
716 while (isspace(*s)) s++;
717 if (*s == '!')
718 {
719 negated = TRUE;
720 s++;
721 }
722
cf00dad6
PH		 723 /* Read the name of a verb or a condition, or the start of a new ACL, which
724 can be started by a name, or by a macro definition. */
059ec3d9
PH		 725
726 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 727 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 728
729 /* If a verb is unrecognized, it may be another condition or modifier that
730 continues the previous verb. */
731
732 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
733 if (v < 0)
734 {
735 if (this == NULL)
736 {
4e167a8c
PH		 737 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
738 saveline);
059ec3d9
PH		 739 return NULL;
740 }
741 }
742
743 /* New verb */
744
745 else
746 {
747 if (negated)
748 {
749 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
750 return NULL;
751 }
752 this = store_get(sizeof(acl_block));
753 *lastp = this;
754 lastp = &(this->next);
755 this->next = NULL;
756 this->verb = v;
757 this->condition = NULL;
758 condp = &(this->condition);
759 if (*s == 0) continue; /* No condition on this line */
760 if (*s == '!')
761 {
762 negated = TRUE;
763 s++;
764 }
765 s = readconf_readname(name, sizeof(name), s); /* Condition name */
766 }
767
768 /* Handle a condition or modifier. */
769
770 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
771 if (c < 0)
772 {
773 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
774 saveline);
775 return NULL;
776 }
777
778 /* The modifiers may not be negated */
779
780 if (negated && cond_modifiers[c])
781 {
782 *error = string_sprintf("ACL error: negation is not allowed with "
783 "\"%s\"", conditions[c]);
784 return NULL;
785 }
786
787 /* ENDPASS may occur only with ACCEPT or DISCARD. */
788
789 if (c == ACLC_ENDPASS &&
790 this->verb != ACL_ACCEPT &&
791 this->verb != ACL_DISCARD)
792 {
793 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
794 conditions[c], verbs[this->verb]);
795 return NULL;
796 }
797
798 cond = store_get(sizeof(acl_condition_block));
799 cond->next = NULL;
800 cond->type = c;
801 cond->u.negated = negated;
802
803 *condp = cond;
804 condp = &(cond->next);
805
806 /* The "set" modifier is different in that its argument is "name=value"
807 rather than just a value, and we can check the validity of the name, which
808 gives us a variable number to insert into the data block. */
809
810 if (c == ACLC_SET)
811 {
47ca6d6c
PH		 812 int offset, max, n;
813 uschar *endptr;
814
815 if (Ustrncmp(s, "acl_", 4) != 0) goto BAD_ACL_VAR;
816 if (s[4] == 'c')
817 {
818 offset = 0;
819 max = ACL_CVARS;
820 }
821 else if (s[4] == 'm')
822 {
823 offset = ACL_CVARS;
824 max = ACL_MVARS;
825 }
826 else goto BAD_ACL_VAR;
827
828 n = Ustrtoul(s + 5, &endptr, 10);
829 if ((*endptr != 0 && *endptr != '=' && !isspace(*endptr)) || n >= max)
059ec3d9 830 {
47ca6d6c
PH		 831 BAD_ACL_VAR:
832 *error = string_sprintf("syntax error or unrecognized name after "
833 "\"set\" in ACL modifier \"set %s\"", s);
059ec3d9
PH		 834 return NULL;
835 }
836
47ca6d6c
PH		 837 cond->u.varnumber = n + offset;
838 s = endptr;
059ec3d9
PH		 839 while (isspace(*s)) s++;
840 }
841
842 /* For "set", we are now positioned for the data. For the others, only
843 "endpass" has no data */
844
845 if (c != ACLC_ENDPASS)
846 {
847 if (*s++ != '=')
848 {
849 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
850 cond_modifiers[c]? US"modifier" : US"condition");
851 return NULL;
852 }
853 while (isspace(*s)) s++;
854 cond->arg = string_copy(s);
855 }
856 }
857
858return yield;
859}
860
861
862
71fafd95
PH		 863/*************************************************
864* Set up added header line(s) *
865*************************************************/
866
867/* This function is called by the add_header modifier, and also from acl_warn()
868to implement the now-deprecated way of adding header lines using "message" on a
869"warn" verb. The argument is treated as a sequence of header lines which are
870added to a chain, provided there isn't an identical one already there.
871
872Argument: string of header lines
873Returns: nothing
874*/
875
876static void
877setup_header(uschar *hstring)
878{
879uschar *p, *q;
880int hlen = Ustrlen(hstring);
881
882/* An empty string does nothing; otherwise add a final newline if necessary. */
883
884if (hlen <= 0) return;
885if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
886
887/* Loop for multiple header lines, taking care about continuations */
888
889for (p = q = hstring; *p != 0; )
890 {
891 uschar *s;
892 int newtype = htype_add_bot;
893 header_line **hptr = &acl_added_headers;
894
895 /* Find next header line within the string */
896
897 for (;;)
898 {
899 q = Ustrchr(q, '\n');
900 if (*(++q) != ' ' && *q != '\t') break;
901 }
902
903 /* If the line starts with a colon, interpret the instruction for where to
904 add it. This temporarily sets up a new type. */
905
906 if (*p == ':')
907 {
908 if (strncmpic(p, US":after_received:", 16) == 0)
909 {
910 newtype = htype_add_rec;
911 p += 16;
912 }
913 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
914 {
915 newtype = htype_add_rfc;
916 p += 14;
917 }
918 else if (strncmpic(p, US":at_start:", 10) == 0)
919 {
920 newtype = htype_add_top;
921 p += 10;
922 }
923 else if (strncmpic(p, US":at_end:", 8) == 0)
924 {
925 newtype = htype_add_bot;
926 p += 8;
927 }
928 while (*p == ' ' || *p == '\t') p++;
929 }
930
931 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
932 to the front of it. */
933
934 for (s = p; s < q - 1; s++)
935 {
936 if (*s == ':' || !isgraph(*s)) break;
937 }
938
939 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
940 hlen = Ustrlen(s);
941
942 /* See if this line has already been added */
943
944 while (*hptr != NULL)
945 {
946 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
947 hptr = &((*hptr)->next);
948 }
949
950 /* Add if not previously present */
951
952 if (*hptr == NULL)
953 {
954 header_line *h = store_get(sizeof(header_line));
955 h->text = s;
956 h->next = NULL;
957 h->type = newtype;
958 h->slen = hlen;
959 *hptr = h;
960 hptr = &(h->next);
961 }
962
963 /* Advance for next header line within the string */
964
965 p = q;
966 }
967}
968
969
970
971
059ec3d9
PH		 972/*************************************************
973* Handle warnings *
974*************************************************/
975
976/* This function is called when a WARN verb's conditions are true. It adds to
977the message's headers, and/or writes information to the log. In each case, this
978only happens once (per message for headers, per connection for log).
979
71fafd95
PH		 980** NOTE: The header adding action using the "message" setting is historic, and
981its use is now deprecated. The new add_header modifier should be used instead.
982
059ec3d9
PH		 983Arguments:
984 where ACL_WHERE_xxxx indicating which ACL this is
985 user_message message for adding to headers
986 log_message message for logging, if different
987
988Returns: nothing
989*/
990
991static void
992acl_warn(int where, uschar *user_message, uschar *log_message)
993{
059ec3d9
PH		 994if (log_message != NULL && log_message != user_message)
995 {
996 uschar *text;
997 string_item *logged;
998
999 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1000 string_printing(log_message));
1001
1002 /* If a sender verification has failed, and the log message is "sender verify
1003 failed", add the failure message. */
1004
1005 if (sender_verified_failed != NULL &&
1006 sender_verified_failed->message != NULL &&
1007 strcmpic(log_message, US"sender verify failed") == 0)
1008 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1009
9c7a242c
PH		 1010 /* Search previously logged warnings. They are kept in malloc
1011 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1012
1013 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1014 if (Ustrcmp(logged->text, text) == 0) break;
1015
1016 if (logged == NULL)
1017 {
1018 int length = Ustrlen(text) + 1;
1019 log_write(0, LOG_MAIN, "%s", text);
1020 logged = store_malloc(sizeof(string_item) + length);
1021 logged->text = (uschar *)logged + sizeof(string_item);
1022 memcpy(logged->text, text, length);
1023 logged->next = acl_warn_logged;
1024 acl_warn_logged = logged;
1025 }
1026 }
1027
1028/* If there's no user message, we are done. */
1029
1030if (user_message == NULL) return;
1031
1032/* If this isn't a message ACL, we can't do anything with a user message.
1033Log an error. */
1034
1035if (where > ACL_WHERE_NOTSMTP)
1036 {
1037 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1038 "found in a non-message (%s) ACL: cannot specify header lines here: "
1039 "message ignored", acl_wherenames[where]);
1040 return;
1041 }
1042
71fafd95
PH		 1043/* The code for setting up header lines is now abstracted into a separate
1044function so that it can be used for the add_header modifier as well. */
059ec3d9 1045
71fafd95 1046setup_header(user_message);
059ec3d9
PH		 1047}
1048
1049
1050
1051/*************************************************
1052* Verify and check reverse DNS *
1053*************************************************/
1054
1055/* Called from acl_verify() below. We look up the host name(s) of the client IP
1056address if this has not yet been done. The host_name_lookup() function checks
1057that one of these names resolves to an address list that contains the client IP
1058address, so we don't actually have to do the check here.
1059
1060Arguments:
1061 user_msgptr pointer for user message
1062 log_msgptr pointer for log message
1063
1064Returns: OK verification condition succeeded
1065 FAIL verification failed
1066 DEFER there was a problem verifying
1067*/
1068
1069static int
1070acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1071{
1072int rc;
1073
1074user_msgptr = user_msgptr; /* stop compiler warning */
1075
1076/* Previous success */
1077
1078if (sender_host_name != NULL) return OK;
1079
1080/* Previous failure */
1081
1082if (host_lookup_failed)
1083 {
1084 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1085 return FAIL;
1086 }
1087
1088/* Need to do a lookup */
1089
1090HDEBUG(D_acl)
1091 debug_printf("looking up host name to force name/address consistency check\n");
1092
1093if ((rc = host_name_lookup()) != OK)
1094 {
1095 *log_msgptr = (rc == DEFER)?
1096 US"host lookup deferred for reverse lookup check"
1097 :
1098 string_sprintf("host lookup failed for reverse lookup check%s",
1099 host_lookup_msg);
1100 return rc; /* DEFER or FAIL */
1101 }
1102
1103host_build_sender_fullhost();
1104return OK;
1105}
1106
1107
1108
e5a9dba6
PH		 1109/*************************************************
1110* Check client IP address matches CSA target *
1111*************************************************/
1112
1113/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1114response for address records belonging to the CSA target hostname. The section
1115is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1116If one of the addresses matches the client's IP address, then the client is
1117authorized by CSA. If there are target IP addresses but none of them match
1118then the client is using an unauthorized IP address. If there are no target IP
1119addresses then the client cannot be using an authorized IP address. (This is
1120an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1121
1122Arguments:
1123 dnsa the DNS answer block
1124 dnss a DNS scan block for us to use
1125 reset option specifing what portion to scan, as described above
1126 target the target hostname to use for matching RR names
1127
1128Returns: CSA_OK successfully authorized
1129 CSA_FAIL_MISMATCH addresses found but none matched
1130 CSA_FAIL_NOADDR no target addresses found
1131*/
1132
1133static int
1134acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1135 uschar *target)
1136{
1137dns_record *rr;
1138dns_address *da;
1139
1140BOOL target_found = FALSE;
1141
1142for (rr = dns_next_rr(dnsa, dnss, reset);
1143 rr != NULL;
1144 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1145 {
1146 /* Check this is an address RR for the target hostname. */
1147
1148 if (rr->type != T_A
1149 #if HAVE_IPV6
1150 && rr->type != T_AAAA
1151 #ifdef SUPPORT_A6
1152 && rr->type != T_A6
1153 #endif
1154 #endif
1155 ) continue;
1156
1157 if (strcmpic(target, rr->name) != 0) continue;
1158
1159 target_found = TRUE;
1160
1161 /* Turn the target address RR into a list of textual IP addresses and scan
1162 the list. There may be more than one if it is an A6 RR. */
1163
1164 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1165 {
1166 /* If the client IP address matches the target IP address, it's good! */
1167
1168 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1169
1170 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1171 }
1172 }
1173
1174/* If we found some target addresses but none of them matched, the client is
1175using an unauthorized IP address, otherwise the target has no authorized IP
1176addresses. */
1177
1178if (target_found) return CSA_FAIL_MISMATCH;
1179else return CSA_FAIL_NOADDR;
1180}
1181
1182
1183
1184/*************************************************
1185* Verify Client SMTP Authorization *
1186*************************************************/
1187
1188/* Called from acl_verify() below. This routine calls dns_lookup_special()
1189to find the CSA SRV record corresponding to the domain argument, or
1190$sender_helo_name if no argument is provided. It then checks that the
1191client is authorized, and that its IP address corresponds to the SRV
1192target's address by calling acl_verify_csa_address() above. The address
1193should have been returned in the DNS response's ADDITIONAL section, but if
1194not we perform another DNS lookup to get it.
1195
1196Arguments:
1197 domain pointer to optional parameter following verify = csa
1198
1199Returns: CSA_UNKNOWN no valid CSA record found
1200 CSA_OK successfully authorized
1201 CSA_FAIL_* client is definitely not authorized
1202 CSA_DEFER_* there was a DNS problem
1203*/
1204
1205static int
1206acl_verify_csa(uschar *domain)
1207{
1208tree_node *t;
1209uschar *found, *p;
1210int priority, weight, port;
1211dns_answer dnsa;
1212dns_scan dnss;
1213dns_record *rr;
1214int rc, type;
1215uschar target[256];
1216
1217/* Work out the domain we are using for the CSA lookup. The default is the
1218client's HELO domain. If the client has not said HELO, use its IP address
1219instead. If it's a local client (exim -bs), CSA isn't applicable. */
1220
1221while (isspace(*domain) && *domain != '\0') ++domain;
1222if (*domain == '\0') domain = sender_helo_name;
1223if (domain == NULL) domain = sender_host_address;
1224if (sender_host_address == NULL) return CSA_UNKNOWN;
1225
1226/* If we have an address literal, strip off the framing ready for turning it
1227into a domain. The framing consists of matched square brackets possibly
1228containing a keyword and a colon before the actual IP address. */
1229
1230if (domain[0] == '[')
1231 {
1232 uschar *start = Ustrchr(domain, ':');
1233 if (start == NULL) start = domain;
1234 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1235 }
1236
1237/* Turn domains that look like bare IP addresses into domains in the reverse
1238DNS. This code also deals with address literals and $sender_host_address. It's
1239not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1240address literals, but it's probably the most friendly thing to do. This is an
1241extension to CSA, so we allow it to be turned off for proper conformance. */
1242
7e66e54d 1243if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1244 {
1245 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1246 dns_build_reverse(domain, target);
1247 domain = target;
1248 }
1249
1250/* Find out if we've already done the CSA check for this domain. If we have,
1251return the same result again. Otherwise build a new cached result structure
1252for this domain. The name is filled in now, and the value is filled in when
1253we return from this function. */
1254
1255t = tree_search(csa_cache, domain);
1256if (t != NULL) return t->data.val;
1257
1258t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1259Ustrcpy(t->name, domain);
1260(void)tree_insertnode(&csa_cache, t);
1261
1262/* Now we are ready to do the actual DNS lookup(s). */
1263
28e6ef29 1264found = domain;
e5a9dba6
PH		 1265switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1266 {
1267 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1268
1269 default:
1270 return t->data.val = CSA_DEFER_SRV;
1271
1272 /* If we found nothing, the client's authorization is unknown. */
1273
1274 case DNS_NOMATCH:
1275 case DNS_NODATA:
1276 return t->data.val = CSA_UNKNOWN;
1277
1278 /* We got something! Go on to look at the reply in more detail. */
1279
1280 case DNS_SUCCEED:
1281 break;
1282 }
1283
1284/* Scan the reply for well-formed CSA SRV records. */
1285
1286for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1287 rr != NULL;
1288 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1289 {
1290 if (rr->type != T_SRV) continue;
1291
1292 /* Extract the numerical SRV fields (p is incremented) */
1293
1294 p = rr->data;
1295 GETSHORT(priority, p);
1296 GETSHORT(weight, p);
1297 GETSHORT(port, p);
1298
1299 DEBUG(D_acl)
1300 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1301
1302 /* Check the CSA version number */
1303
1304 if (priority != 1) continue;
1305
1306 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1307 found by dns_special_lookup() is a parent of the one we asked for), we check
1308 the subdomain assertions in the port field. At the moment there's only one
1309 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1310 SRV records of their own. */
1311
1312 if (found != domain)
1313 {
1314 if (port & 1)
1315 return t->data.val = CSA_FAIL_EXPLICIT;
1316 else
1317 return t->data.val = CSA_UNKNOWN;
1318 }
1319
1320 /* This CSA SRV record refers directly to our domain, so we check the value
1321 in the weight field to work out the domain's authorization. 0 and 1 are
1322 unauthorized; 3 means the client is authorized but we can't check the IP
1323 address in order to authenticate it, so we treat it as unknown; values
1324 greater than 3 are undefined. */
1325
1326 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1327
1328 if (weight > 2) continue;
1329
1330 /* Weight == 2, which means the domain is authorized. We must check that the
1331 client's IP address is listed as one of the SRV target addresses. Save the
1332 target hostname then break to scan the additional data for its addresses. */
1333
1334 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1335 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1336
1337 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1338
1339 break;
1340 }
1341
1342/* If we didn't break the loop then no appropriate records were found. */
1343
1344if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1345
1346/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1347A target of "." indicates there are no valid addresses, so the client cannot
1348be authorized. (This is an odd configuration because weight=2 target=. is
1349equivalent to weight=1, but we check for it in order to keep load off the
1350root name servers.) Note that dn_expand() turns "." into "". */
1351
1352if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1353
1354/* Scan the additional section of the CSA SRV reply for addresses belonging
1355to the target. If the name server didn't return any additional data (e.g.
1356because it does not fully support SRV records), we need to do another lookup
1357to obtain the target addresses; otherwise we have a definitive result. */
1358
1359rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1360if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1361
1362/* The DNS lookup type corresponds to the IP version used by the client. */
1363
1364#if HAVE_IPV6
1365if (Ustrchr(sender_host_address, ':') != NULL)
1366 type = T_AAAA;
1367else
1368#endif /* HAVE_IPV6 */
1369 type = T_A;
1370
1371
1372#if HAVE_IPV6 && defined(SUPPORT_A6)
1373DNS_LOOKUP_AGAIN:
1374#endif
1375
1376switch (dns_lookup(&dnsa, target, type, NULL))
1377 {
1378 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1379
1380 default:
1381 return t->data.val = CSA_DEFER_ADDR;
1382
1383 /* If the query succeeded, scan the addresses and return the result. */
1384
1385 case DNS_SUCCEED:
1386 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1387 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1388 /* else fall through */
1389
1390 /* If the target has no IP addresses, the client cannot have an authorized
1391 IP address. However, if the target site uses A6 records (not AAAA records)
1392 we have to do yet another lookup in order to check them. */
1393
1394 case DNS_NOMATCH:
1395 case DNS_NODATA:
1396
1397 #if HAVE_IPV6 && defined(SUPPORT_A6)
1398 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1399 #endif
1400
1401 return t->data.val = CSA_FAIL_NOADDR;
1402 }
1403}
1404
1405
1406
059ec3d9
PH		 1407/*************************************************
1408* Handle verification (address & other) *
1409*************************************************/
1410
1411/* This function implements the "verify" condition. It is called when
1412encountered in any ACL, because some tests are almost always permitted. Some
1413just don't make sense, and always fail (for example, an attempt to test a host
1414lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1415
1416Arguments:
1417 where where called from
1418 addr the recipient address that the ACL is handling, or NULL
1419 arg the argument of "verify"
1420 user_msgptr pointer for user message
1421 log_msgptr pointer for log message
1422 basic_errno where to put verify errno
1423
1424Returns: OK verification condition succeeded
1425 FAIL verification failed
1426 DEFER there was a problem verifying
1427 ERROR syntax error
1428*/
1429
1430static int
1431acl_verify(int where, address_item *addr, uschar *arg,
1432 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1433{
1434int sep = '/';
1435int callout = -1;
1436int callout_overall = -1;
4deaf07d 1437int callout_connect = -1;
059ec3d9
PH		 1438int verify_options = 0;
1439int rc;
1440BOOL verify_header_sender = FALSE;
1441BOOL defer_ok = FALSE;
1442BOOL callout_defer_ok = FALSE;
1443BOOL no_details = FALSE;
eafd343b 1444BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1445address_item *sender_vaddr = NULL;
1446uschar *verify_sender_address = NULL;
1447uschar *pm_mailfrom = NULL;
1448uschar *se_mailfrom = NULL;
596875b3
PH		 1449
1450/* Some of the verify items have slash-separated options; some do not. Diagnose
1451an error if options are given for items that don't expect them. This code has
1452now got very message. Refactoring to use a table would be a good idea one day.
1453*/
1454
1455uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1456uschar *list = arg;
1457uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1458
1459if (ss == NULL) goto BAD_VERIFY;
1460
1461/* Handle name/address consistency verification in a separate function. */
1462
1463if (strcmpic(ss, US"reverse_host_lookup") == 0)
1464 {
596875b3 1465 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1466 if (sender_host_address == NULL) return OK;
1467 return acl_verify_reverse(user_msgptr, log_msgptr);
1468 }
1469
1470/* TLS certificate verification is done at STARTTLS time; here we just
1471test whether it was successful or not. (This is for optional verification; for
1472mandatory verification, the connection doesn't last this long.) */
1473
1474if (strcmpic(ss, US"certificate") == 0)
1475 {
596875b3 1476 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1477 if (tls_certificate_verified) return OK;
1478 *user_msgptr = US"no verified certificate";
1479 return FAIL;
1480 }
1481
d7b47fd0
PH		 1482/* We can test the result of optional HELO verification that might have
1483occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1484
596875b3
PH		 1485if (strcmpic(ss, US"helo") == 0)
1486 {
1487 if (slash != NULL) goto NO_OPTIONS;
0154e85a
TF		 1488 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1489 return helo_verified? OK : FAIL;
596875b3 1490 }
059ec3d9 1491
e5a9dba6
PH		 1492/* Do Client SMTP Authorization checks in a separate function, and turn the
1493result code into user-friendly strings. */
1494
1495if (strcmpic(ss, US"csa") == 0)
1496 {
1497 rc = acl_verify_csa(list);
1498 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1499 csa_reason_string[rc]);
1500 csa_status = csa_status_string[rc];
1501 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1502 return csa_return_code[rc];
1503 }
1504
596875b3
PH		 1505/* Check that all relevant header lines have the correct syntax. If there is
1506a syntax error, we return details of the error to the sender if configured to
1507send out full details. (But a "message" setting on the ACL can override, as
1508always). */
059ec3d9 1509
596875b3 1510if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1511 {
596875b3 1512 if (slash != NULL) goto NO_OPTIONS;
1c41c9cc 1513 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3
PH		 1514 rc = verify_check_headers(log_msgptr);
1515 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1516 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1517 return rc;
1518 }
059ec3d9 1519
1c41c9cc
PH		 1520/* Check that no recipient of this message is "blind", that is, every envelope
1521recipient must be mentioned in either To: or Cc:. */
1522
1523if (strcmpic(ss, US"not_blind") == 0)
1524 {
1525 if (slash != NULL) goto NO_OPTIONS;
1526 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1527 rc = verify_check_notblind();
1528 if (rc != OK)
1529 {
1530 *log_msgptr = string_sprintf("bcc recipient detected");
1531 if (smtp_return_error_details)
1532 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1533 }
1534 return rc;
1535 }
059ec3d9 1536
596875b3
PH		 1537/* The remaining verification tests check recipient and sender addresses,
1538either from the envelope or from the header. There are a number of
1539slash-separated options that are common to all of them. */
059ec3d9 1540
059ec3d9 1541
596875b3
PH		 1542/* Check that there is at least one verifiable sender address in the relevant
1543header lines. This can be followed by callout and defer options, just like
1544sender and recipient. */
059ec3d9 1545
596875b3
PH		 1546if (strcmpic(ss, US"header_sender") == 0)
1547 {
1c41c9cc 1548 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3 1549 verify_header_sender = TRUE;
059ec3d9
PH		 1550 }
1551
1552/* Otherwise, first item in verify argument must be "sender" or "recipient".
1553In the case of a sender, this can optionally be followed by an address to use
1554in place of the actual sender (rare special-case requirement). */
1555
1556else if (strncmpic(ss, US"sender", 6) == 0)
1557 {
1558 uschar *s = ss + 6;
1559 if (where > ACL_WHERE_NOTSMTP)
1560 {
1561 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1562 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1563 acl_wherenames[where]);
1564 return ERROR;
1565 }
1566 if (*s == 0)
1567 verify_sender_address = sender_address;
1568 else
1569 {
1570 while (isspace(*s)) s++;
1571 if (*s++ != '=') goto BAD_VERIFY;
1572 while (isspace(*s)) s++;
1573 verify_sender_address = string_copy(s);
1574 }
1575 }
1576else
1577 {
1578 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1579 if (addr == NULL)
1580 {
1581 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1582 "(only possible for RCPT)", acl_wherenames[where]);
1583 return ERROR;
1584 }
1585 }
1586
596875b3
PH		 1587/* Remaining items are optional; they apply to sender and recipient
1588verification, including "header sender" verification. */
059ec3d9
PH		 1589
1590while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1591 != NULL)
1592 {
1593 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1594 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1595 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1596
1597 /* These two old options are left for backwards compatibility */
1598
1599 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1600 {
1601 callout_defer_ok = TRUE;
1602 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1603 }
1604
1605 else if (strcmpic(ss, US"check_postmaster") == 0)
1606 {
1607 pm_mailfrom = US"";
1608 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1609 }
1610
1611 /* The callout option has a number of sub-options, comma separated */
1612
1613 else if (strncmpic(ss, US"callout", 7) == 0)
1614 {
1615 callout = CALLOUT_TIMEOUT_DEFAULT;
1616 ss += 7;
1617 if (*ss != 0)
1618 {
1619 while (isspace(*ss)) ss++;
1620 if (*ss++ == '=')
1621 {
1622 int optsep = ',';
1623 uschar *opt;
1624 uschar buffer[256];
1625 while (isspace(*ss)) ss++;
8e669ac1
PH		 1626
1627 /* This callout option handling code has become a mess as new options
1628 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1629 kind of table-driven thing. */
8e669ac1 1630
059ec3d9
PH		 1631 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1632 != NULL)
1633 {
1634 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1635 else if (strcmpic(opt, US"no_cache") == 0)
1636 verify_options |= vopt_callout_no_cache;
1637 else if (strcmpic(opt, US"random") == 0)
1638 verify_options |= vopt_callout_random;
1639 else if (strcmpic(opt, US"use_sender") == 0)
1640 verify_options |= vopt_callout_recipsender;
1641 else if (strcmpic(opt, US"use_postmaster") == 0)
1642 verify_options |= vopt_callout_recippmaster;
1643 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
2a4be8f9
PH		 1644 else if (strcmpic(opt, US"fullpostmaster") == 0)
1645 {
1646 pm_mailfrom = US"";
1647 verify_options |= vopt_callout_fullpm;
1648 }
059ec3d9
PH		 1649
1650 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1651 {
1652 if (!verify_header_sender)
1653 {
1654 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1655 "callout option only for verify=header_sender (detected in ACL "
1656 "condition \"%s\")", arg);
1657 return ERROR;
1658 }
1659 opt += 8;
1660 while (isspace(*opt)) opt++;
1661 if (*opt++ != '=')
1662 {
1663 *log_msgptr = string_sprintf("'=' expected after "
1664 "\"mailfrom\" in ACL condition \"%s\"", arg);
1665 return ERROR;
1666 }
1667 while (isspace(*opt)) opt++;
1668 se_mailfrom = string_copy(opt);
1669 }
1670
1671 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1672 {
1673 opt += 19;
1674 while (isspace(*opt)) opt++;
1675 if (*opt++ != '=')
1676 {
1677 *log_msgptr = string_sprintf("'=' expected after "
1678 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1679 return ERROR;
1680 }
1681 while (isspace(*opt)) opt++;
1682 pm_mailfrom = string_copy(opt);
1683 }
1684
1685 else if (strncmpic(opt, US"maxwait", 7) == 0)
1686 {
1687 opt += 7;
1688 while (isspace(*opt)) opt++;
1689 if (*opt++ != '=')
1690 {
1691 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1692 "ACL condition \"%s\"", arg);
1693 return ERROR;
1694 }
1695 while (isspace(*opt)) opt++;
1696 callout_overall = readconf_readtime(opt, 0, FALSE);
1697 if (callout_overall < 0)
1698 {
1699 *log_msgptr = string_sprintf("bad time value in ACL condition "
1700 "\"verify %s\"", arg);
1701 return ERROR;
1702 }
1703 }
4deaf07d
PH		 1704 else if (strncmpic(opt, US"connect", 7) == 0)
1705 {
1706 opt += 7;
1707 while (isspace(*opt)) opt++;
1708 if (*opt++ != '=')
1709 {
1710 *log_msgptr = string_sprintf("'=' expected after "
1711 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1712 return ERROR;
1713 }
1714 while (isspace(*opt)) opt++;
1715 callout_connect = readconf_readtime(opt, 0, FALSE);
1716 if (callout_connect < 0)
1717 {
1718 *log_msgptr = string_sprintf("bad time value in ACL condition "
1719 "\"verify %s\"", arg);
1720 return ERROR;
1721 }
1722 }
059ec3d9
PH		 1723 else /* Plain time is callout connect/command timeout */
1724 {
1725 callout = readconf_readtime(opt, 0, FALSE);
1726 if (callout < 0)
1727 {
1728 *log_msgptr = string_sprintf("bad time value in ACL condition "
1729 "\"verify %s\"", arg);
1730 return ERROR;
1731 }
1732 }
1733 }
1734 }
1735 else
1736 {
1737 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1738 "ACL condition \"%s\"", arg);
1739 return ERROR;
1740 }
1741 }
1742 }
1743
1744 /* Option not recognized */
1745
1746 else
1747 {
1748 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1749 "condition \"verify %s\"", ss, arg);
1750 return ERROR;
1751 }
1752 }
1753
1754if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1755 (vopt_callout_recipsender|vopt_callout_recippmaster))
1756 {
1757 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1758 "for a recipient callout";
1759 return ERROR;
1760 }
1761
1762/* Handle sender-in-header verification. Default the user message to the log
1763message if giving out verification details. */
1764
1765if (verify_header_sender)
1766 {
8e669ac1 1767 int verrno;
059ec3d9 1768 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1769 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1770 &verrno);
1771 if (rc != OK)
8e669ac1 1772 {
fe5b5d0b
PH		 1773 *basic_errno = verrno;
1774 if (smtp_return_error_details)
1775 {
1776 if (*user_msgptr == NULL && *log_msgptr != NULL)
1777 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1778 if (rc == DEFER) acl_temp_details = TRUE;
1779 }
8e669ac1 1780 }
059ec3d9
PH		 1781 }
1782
1783/* Handle a sender address. The default is to verify *the* sender address, but
1784optionally a different address can be given, for special requirements. If the
1785address is empty, we are dealing with a bounce message that has no sender, so
1786we cannot do any checking. If the real sender address gets rewritten during
1787verification (e.g. DNS widening), set the flag to stop it being rewritten again
1788during message reception.
1789
1790A list of verified "sender" addresses is kept to try to avoid doing to much
1791work repetitively when there are multiple recipients in a message and they all
1792require sender verification. However, when callouts are involved, it gets too
1793complicated because different recipients may require different callout options.
1794Therefore, we always do a full sender verify when any kind of callout is
1795specified. Caching elsewhere, for instance in the DNS resolver and in the
1796callout handling, should ensure that this is not terribly inefficient. */
1797
1798else if (verify_sender_address != NULL)
1799 {
1800 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1801 != 0)
1802 {
1803 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1804 "sender verify callout";
1805 return ERROR;
1806 }
1807
1808 sender_vaddr = verify_checked_sender(verify_sender_address);
1809 if (sender_vaddr != NULL && /* Previously checked */
1810 callout <= 0) /* No callout needed this time */
1811 {
1812 /* If the "routed" flag is set, it means that routing worked before, so
1813 this check can give OK (the saved return code value, if set, belongs to a
1814 callout that was done previously). If the "routed" flag is not set, routing
1815 must have failed, so we use the saved return code. */
1816
1817 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1818 {
1819 rc = sender_vaddr->special_action;
1820 *basic_errno = sender_vaddr->basic_errno;
1821 }
1822 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1823 }
1824
1825 /* Do a new verification, and cache the result. The cache is used to avoid
1826 verifying the sender multiple times for multiple RCPTs when callouts are not
1827 specified (see comments above).
1828
1829 The cache is also used on failure to give details in response to the first
1830 RCPT that gets bounced for this reason. However, this can be suppressed by
1831 the no_details option, which sets the flag that says "this detail has already
1832 been sent". The cache normally contains just one address, but there may be
1833 more in esoteric circumstances. */
1834
1835 else
1836 {
1837 BOOL routed = TRUE;
2a3eea10 1838 uschar *save_address_data = deliver_address_data;
8e669ac1 1839
059ec3d9
PH		 1840 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1841 if (no_details) setflag(sender_vaddr, af_sverify_told);
1842 if (verify_sender_address[0] != 0)
1843 {
1844 /* If this is the real sender address, save the unrewritten version
1845 for use later in receive. Otherwise, set a flag so that rewriting the
1846 sender in verify_address() does not update sender_address. */
1847
1848 if (verify_sender_address == sender_address)
1849 sender_address_unrewritten = sender_address;
1850 else
1851 verify_options |= vopt_fake_sender;
1852
eafd343b
TK		 1853 if (success_on_redirect)
1854 verify_options |= vopt_success_on_redirect;
1855
059ec3d9
PH		 1856 /* The recipient, qualify, and expn options are never set in
1857 verify_options. */
1858
1859 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1860 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1861
1862 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1863
1864 if (rc == OK)
1865 {
1866 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1867 {
1868 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1869 verify_sender_address, sender_vaddr->address);
1870 }
1871 else
1872 {
1873 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1874 verify_sender_address);
1875 }
1876 }
1877 else *basic_errno = sender_vaddr->basic_errno;
1878 }
1879 else rc = OK; /* Null sender */
1880
1881 /* Cache the result code */
1882
1883 if (routed) setflag(sender_vaddr, af_verify_routed);
1884 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1885 sender_vaddr->special_action = rc;
1886 sender_vaddr->next = sender_verified_list;
1887 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1888
1889 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1890 the sender verification. */
8e669ac1 1891
2a3eea10 1892 deliver_address_data = save_address_data;
059ec3d9 1893 }
8e669ac1 1894
2a3eea10
PH		 1895 /* Put the sender address_data value into $sender_address_data */
1896
8e669ac1 1897 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1898 }
1899
1900/* A recipient address just gets a straightforward verify; again we must handle
1901the DEFER overrides. */
1902
1903else
1904 {
1905 address_item addr2;
1906
eafd343b
TK		 1907 if (success_on_redirect)
1908 verify_options |= vopt_success_on_redirect;
1909
059ec3d9
PH		 1910 /* We must use a copy of the address for verification, because it might
1911 get rewritten. */
1912
1913 addr2 = *addr;
1914 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1915 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1916 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1917
059ec3d9 1918 *log_msgptr = addr2.message;
8e669ac1 1919 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1920 addr2.user_message : addr2.message;
059ec3d9
PH		 1921 *basic_errno = addr2.basic_errno;
1922
1923 /* Make $address_data visible */
1924 deliver_address_data = addr2.p.address_data;
1925 }
1926
1927/* We have a result from the relevant test. Handle defer overrides first. */
1928
1929if (rc == DEFER && (defer_ok ||
1930 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1931 {
1932 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1933 defer_ok? "defer_ok" : "callout_defer_ok");
1934 rc = OK;
1935 }
1936
1937/* If we've failed a sender, set up a recipient message, and point
1938sender_verified_failed to the address item that actually failed. */
1939
1940if (rc != OK && verify_sender_address != NULL)
1941 {
1942 if (rc != DEFER)
1943 {
1944 *log_msgptr = *user_msgptr = US"Sender verify failed";
1945 }
1946 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1947 {
1948 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1949 }
1950 else
1951 {
1952 *log_msgptr = US"Could not complete sender verify callout";
1953 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1954 *log_msgptr;
1955 }
1956
1957 sender_verified_failed = sender_vaddr;
1958 }
1959
1960/* Verifying an address messes up the values of $domain and $local_part,
1961so reset them before returning if this is a RCPT ACL. */
1962
1963if (addr != NULL)
1964 {
1965 deliver_domain = addr->domain;
1966 deliver_localpart = addr->local_part;
1967 }
1968return rc;
1969
1970/* Syntax errors in the verify argument come here. */
1971
1972BAD_VERIFY:
1973*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 1974 "\"helo\", \"header_syntax\", \"header_sender\" or "
1975 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 1976 "\"verify %s\"", arg);
1977return ERROR;
596875b3
PH		 1978
1979/* Options supplied when not allowed come here */
1980
1981NO_OPTIONS:
1982*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1983 "(this verify item has no options)", arg);
1984return ERROR;
1c41c9cc
PH		 1985
1986/* Calls in the wrong ACL come here */
1987
1988WRONG_ACL:
1989*log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1990 "(only possible in ACL for DATA)", acl_wherenames[where]);
1991return ERROR;
059ec3d9
PH		 1992}
1993
1994
1995
1996
1997/*************************************************
1998* Check argument for control= modifier *
1999*************************************************/
2000
2001/* Called from acl_check_condition() below
2002
2003Arguments:
2004 arg the argument string for control=
2005 pptr set to point to the terminating character
2006 where which ACL we are in
2007 log_msgptr for error messages
2008
2009Returns: CONTROL_xxx value
2010*/
2011
2012static int
2013decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2014{
2015int len;
2016control_def *d;
2017
2018for (d = controls_list;
2019 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2020 d++)
2021 {
2022 len = Ustrlen(d->name);
2023 if (Ustrncmp(d->name, arg, len) == 0) break;
2024 }
2025
2026if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2027 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2028 {
2029 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2030 return CONTROL_ERROR;
2031 }
2032
059ec3d9
PH		 2033*pptr = arg + len;
2034return d->value;
2035}
2036
2037
2038
870f6ba8
TF		 2039/*************************************************
2040* Handle rate limiting *
2041*************************************************/
2042
2043/* Called by acl_check_condition() below to calculate the result
2044of the ACL ratelimit condition.
2045
2046Note that the return value might be slightly unexpected: if the
2047sender's rate is above the limit then the result is OK. This is
2048similar to the dnslists condition, and is so that you can write
2049ACL clauses like: defer ratelimit = 15 / 1h
2050
2051Arguments:
2052 arg the option string for ratelimit=
90fc3069 2053 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2054 log_msgptr for error messages
2055
2056Returns: OK - Sender's rate is above limit
2057 FAIL - Sender's rate is below limit
2058 DEFER - Problem opening ratelimit database
2059 ERROR - Syntax error in options.
2060*/
2061
2062static int
90fc3069 2063acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8
TF		 2064{
2065double limit, period;
f3dcf4a2 2066uschar *ss, *key;
870f6ba8
TF		 2067int sep = '/';
2068BOOL have_key = FALSE, leaky = FALSE, strict = FALSE;
2069BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2070int old_pool, rc;
2071tree_node **anchor, *t;
2072open_db dbblock, *dbm;
2073dbdata_ratelimit *dbd;
2074struct timeval tv;
2075
2076/* Parse the first two options and record their values in expansion
2077variables. These variables allow the configuration to have informative
2078error messages based on rate limits obtained from a table lookup. */
2079
2080/* First is the maximum number of messages per period and maximum burst
2081size, which must be greater than or equal to zero. Zero is useful for
2082rate measurement as opposed to rate limiting. */
2083
2084sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2085if (sender_rate_limit == NULL)
2086 limit = -1.0;
2087else
2088 {
2089 limit = Ustrtod(sender_rate_limit, &ss);
2090 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2091 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2092 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2093 }
2094if (limit < 0.0 || *ss != 0)
2095 {
2096 *log_msgptr = string_sprintf("syntax error in argument for "
2097 "\"ratelimit\" condition: \"%s\" is not a positive number",
2098 sender_rate_limit);
2099 return ERROR;
2100 }
2101
f3dcf4a2
TF		 2102/* We use the rest of the argument list following the limit as the
2103lookup key, because it doesn't make sense to use the same stored data
2104if the period or options are different. */
2105
2106key = arg;
2107
870f6ba8
TF		 2108/* Second is the rate measurement period and exponential smoothing time
2109constant. This must be strictly greater than zero, because zero leads to
2110run-time division errors. */
2111
2112sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2113if (sender_rate_period == NULL) period = -1.0;
2114else period = readconf_readtime(sender_rate_period, 0, FALSE);
2115if (period <= 0.0)
2116 {
2117 *log_msgptr = string_sprintf("syntax error in argument for "
2118 "\"ratelimit\" condition: \"%s\" is not a time value",
2119 sender_rate_period);
2120 return ERROR;
2121 }
2122
2123/* Parse the other options. Should we check if the per_* options are being
2124used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2125
2126while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2127 != NULL)
2128 {
2129 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2130 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2131 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
2132 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2133 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2134 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
2135 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
2136 else have_key = TRUE;
2137 }
2138if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2139 {
2140 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2141 return ERROR;
2142 }
2143
2144/* Default option values */
2145if (!strict) leaky = TRUE;
2146if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2147
f3dcf4a2 2148/* If there is no explicit key, use the sender_host_address. If there is no
870f6ba8
TF		 2149sender_host_address (e.g. -bs or acl_not_smtp) then we simply omit it. */
2150
2151if (!have_key && sender_host_address != NULL)
2152 key = string_sprintf("%s / %s", key, sender_host_address);
2153
2154HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2155 limit, period, key);
2156
fe0dab11 2157/* See if we have already computed the rate by looking in the relevant tree. For
870f6ba8
TF		 2158per-connection rate limiting, store tree nodes and dbdata in the permanent pool
2159so that they survive across resets. */
2160
2161anchor = NULL;
2162old_pool = store_pool;
2163
2164if (per_conn)
2165 {
2166 anchor = &ratelimiters_conn;
2167 store_pool = POOL_PERM;
2168 }
fe0dab11 2169else if (per_mail || per_byte)
870f6ba8 2170 anchor = &ratelimiters_mail;
fe0dab11
TF		 2171else if (per_cmd)
2172 anchor = &ratelimiters_cmd;
870f6ba8
TF		 2173
2174if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2175 {
2176 dbd = t->data.ptr;
2177 /* The following few lines duplicate some of the code below. */
3348576f
TF		 2178 if (dbd->rate < limit) rc = FAIL;
2179 else rc = OK;
870f6ba8
TF		 2180 store_pool = old_pool;
2181 sender_rate = string_sprintf("%.1f", dbd->rate);
2182 HDEBUG(D_acl)
2183 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2184 return rc;
2185 }
2186
2187/* We aren't using a pre-computed rate, so get a previously recorded
2188rate from the database, update it, and write it back. If there's no
2189previous rate for this key, create one. */
2190
2191dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2192if (dbm == NULL)
2193 {
2194 store_pool = old_pool;
2195 sender_rate = NULL;
2196 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2197 *log_msgptr = US"ratelimit database not available";
2198 return DEFER;
2199 }
2200dbd = dbfn_read(dbm, key);
2201
2202gettimeofday(&tv, NULL);
2203
2204if (dbd == NULL)
2205 {
2206 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2207 dbd = store_get(sizeof(dbdata_ratelimit));
2208 dbd->time_stamp = tv.tv_sec;
2209 dbd->time_usec = tv.tv_usec;
2210 dbd->rate = 0.0;
2211 }
2212else
2213 {
2214 /* The smoothed rate is computed using an exponentially weighted moving
2215 average adjusted for variable sampling intervals. The standard EWMA for
2216 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2217 where f() is the measured value and f'() is the smoothed value.
2218
2219 Old data decays out of the smoothed value exponentially, such that data n
2220 samples old is multiplied by a^n. The exponential decay time constant p
2221 is defined such that data p samples old is multiplied by 1/e, which means
2222 that a = exp(-1/p). We can maintain the same time constant for a variable
2223 sampling interval i by using a = exp(-i/p).
2224
2225 The rate we are measuring is messages per period, suitable for directly
2226 comparing with the limit. The average rate between now and the previous
2227 message is period / interval, which we feed into the EWMA as the sample.
2228
2229 It turns out that the number of messages required for the smoothed rate
2230 to reach the limit when they are sent in a burst is equal to the limit.
2231 This can be seen by analysing the value of the smoothed rate after N
2232 messages sent at even intervals. Let k = (1 - a) * p/i
2233
2234 rate_1 = (1 - a) * p/i + a * rate_0
2235 = k + a * rate_0
2236 rate_2 = k + a * rate_1
2237 = k + a * k + a^2 * rate_0
2238 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2239 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2240 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2241 = rate_0 * a^N + p/i * (1 - a^N)
2242
2243 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2244
2245 rate_N = p/i + (rate_0 - p/i) * a^N
2246 a^N = (rate_N - p/i) / (rate_0 - p/i)
2247 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2248 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2249
2250 Numerical analysis of the above equation, setting the computed rate to
2251 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2252 rates, p/i, the number of messages N = limit. So limit serves as both the
2253 maximum rate measured in messages per period, and the maximum number of
2254 messages that can be sent in a fast burst. */
2255
2256 double this_time = (double)tv.tv_sec
2257 + (double)tv.tv_usec / 1000000.0;
2258 double prev_time = (double)dbd->time_stamp
2259 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2260
2261 /* We must avoid division by zero, and deal gracefully with the clock going
2262 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2263 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2264
e5d5a95f
TF		 2265 double interval = this_time - prev_time <= 0.0 ? 1e-9
2266 : this_time - prev_time;
2267
2268 double i_over_p = interval / period;
2269 double a = exp(-i_over_p);
870f6ba8
TF		 2270
2271 dbd->time_stamp = tv.tv_sec;
2272 dbd->time_usec = tv.tv_usec;
2273
2274 /* If we are measuring the rate in bytes per period, multiply the
2275 measured rate by the message size. If we don't know the message size
2276 then it's safe to just use a value of zero and let the recorded rate
2277 decay as if nothing happened. */
2278
2279 if (per_byte)
2280 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2281 * (1 - a) / i_over_p + a * dbd->rate;
90fc3069
TF		 2282 else if (per_cmd && where == ACL_WHERE_NOTSMTP)
2283 dbd->rate = (double)recipients_count
2284 * (1 - a) / i_over_p + a * dbd->rate;
870f6ba8
TF		 2285 else
2286 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2287 }
2288
3348576f
TF		 2289/* Clients sending at the limit are considered to be over the limit. This
2290matters for edge cases such the first message sent by a client (which gets
2291the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2292be completely blocked). */
2293
2294if (dbd->rate < limit) rc = FAIL;
2295 else rc = OK;
870f6ba8
TF		 2296
2297/* Update the state if the rate is low or if we are being strict. If we
2298are in leaky mode and the sender's rate is too high, we do not update
2299the recorded rate in order to avoid an over-aggressive sender's retry
2300rate preventing them from getting any email through. */
2301
2302if (rc == FAIL || !leaky)
2303 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
2304dbfn_close(dbm);
2305
2306/* Store the result in the tree for future reference, if necessary. */
2307
2308if (anchor != NULL)
2309 {
2310 t = store_get(sizeof(tree_node) + Ustrlen(key));
2311 t->data.ptr = dbd;
2312 Ustrcpy(t->name, key);
2313 (void)tree_insertnode(anchor, t);
2314 }
2315
2316/* We create the formatted version of the sender's rate very late in
2317order to ensure that it is done using the correct storage pool. */
2318
2319store_pool = old_pool;
2320sender_rate = string_sprintf("%.1f", dbd->rate);
2321
2322HDEBUG(D_acl)
2323 debug_printf("ratelimit computed rate %s\n", sender_rate);
2324
2325return rc;
2326}
2327
2328
2329
059ec3d9
PH		 2330/*************************************************
2331* Handle conditions/modifiers on an ACL item *
2332*************************************************/
2333
2334/* Called from acl_check() below.
2335
2336Arguments:
2337 verb ACL verb
2338 cb ACL condition block - if NULL, result is OK
2339 where where called from
2340 addr the address being checked for RCPT, or NULL
2341 level the nesting level
2342 epp pointer to pass back TRUE if "endpass" encountered
2343 (applies only to "accept" and "discard")
2344 user_msgptr user message pointer
2345 log_msgptr log message pointer
2346 basic_errno pointer to where to put verify error
2347
2348Returns: OK - all conditions are met
2349 DISCARD - an "acl" condition returned DISCARD - only allowed
2350 for "accept" or "discard" verbs
2351 FAIL - at least one condition fails
2352 FAIL_DROP - an "acl" condition returned FAIL_DROP
2353 DEFER - can't tell at the moment (typically, lookup defer,
2354 but can be temporary callout problem)
2355 ERROR - ERROR from nested ACL or expansion failure or other
2356 error
2357*/
2358
2359static int
2360acl_check_condition(int verb, acl_condition_block *cb, int where,
2361 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2362 uschar **log_msgptr, int *basic_errno)
2363{
2364uschar *user_message = NULL;
2365uschar *log_message = NULL;
91ecef39 2366uschar *p = NULL;
059ec3d9 2367int rc = OK;
8523533c
TK		 2368#ifdef WITH_CONTENT_SCAN
2369int sep = '/';
2370#endif
059ec3d9
PH		 2371
2372for (; cb != NULL; cb = cb->next)
2373 {
2374 uschar *arg;
8e669ac1 2375 int control_type;
059ec3d9
PH		 2376
2377 /* The message and log_message items set up messages to be used in
2378 case of rejection. They are expanded later. */
2379
2380 if (cb->type == ACLC_MESSAGE)
2381 {
2382 user_message = cb->arg;
2383 continue;
2384 }
2385
2386 if (cb->type == ACLC_LOG_MESSAGE)
2387 {
2388 log_message = cb->arg;
2389 continue;
2390 }
2391
2392 /* The endpass "condition" just sets a flag to show it occurred. This is
2393 checked at compile time to be on an "accept" or "discard" item. */
2394
2395 if (cb->type == ACLC_ENDPASS)
2396 {
2397 *epp = TRUE;
2398 continue;
2399 }
2400
2401 /* For other conditions and modifiers, the argument is expanded now for some
2402 of them, but not for all, because expansion happens down in some lower level
2403 checking functions in some cases. */
2404
2405 if (cond_expand_at_top[cb->type])
2406 {
2407 arg = expand_string(cb->arg);
2408 if (arg == NULL)
2409 {
2410 if (expand_string_forcedfail) continue;
2411 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2412 cb->arg, expand_string_message);
2413 return search_find_defer? DEFER : ERROR;
2414 }
2415 }
2416 else arg = cb->arg;
2417
2418 /* Show condition, and expanded condition if it's different */
2419
2420 HDEBUG(D_acl)
2421 {
2422 int lhswidth = 0;
2423 debug_printf("check %s%s %n",
2424 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2425 conditions[cb->type], &lhswidth);
2426
2427 if (cb->type == ACLC_SET)
2428 {
2429 int n = cb->u.varnumber;
47ca6d6c
PH		 2430 int t = (n < ACL_CVARS)? 'c' : 'm';
2431 if (n >= ACL_CVARS) n -= ACL_CVARS;
059ec3d9
PH		 2432 debug_printf("acl_%c%d ", t, n);
2433 lhswidth += 7;
2434 }
2435
2436 debug_printf("= %s\n", cb->arg);
2437
2438 if (arg != cb->arg)
2439 debug_printf("%.*s= %s\n", lhswidth,
2440 US" ", CS arg);
2441 }
2442
2443 /* Check that this condition makes sense at this time */
2444
2445 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2446 {
2447 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2448 cond_modifiers[cb->type]? "use" : "test",
2449 conditions[cb->type], acl_wherenames[where]);
2450 return ERROR;
2451 }
2452
2453 /* Run the appropriate test for each condition, or take the appropriate
2454 action for the remaining modifiers. */
2455
2456 switch(cb->type)
2457 {
71fafd95
PH		 2458 case ACLC_ADD_HEADER:
2459 setup_header(arg);
2460 break;
2461
059ec3d9
PH		 2462 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2463 "discard" verb. */
71fafd95 2464
059ec3d9
PH		 2465 case ACLC_ACL:
2466 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2467 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2468 {
2469 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2470 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2471 verbs[verb]);
2472 return ERROR;
2473 }
2474 break;
2475
2476 case ACLC_AUTHENTICATED:
2477 rc = (sender_host_authenticated == NULL)? FAIL :
2478 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2479 TRUE, NULL);
2480 break;
2481
71fafd95 2482 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2483 case ACLC_BMI_OPTIN:
2484 {
2485 int old_pool = store_pool;
2486 store_pool = POOL_PERM;
2487 bmi_current_optin = string_copy(arg);
2488 store_pool = old_pool;
2489 }
2490 break;
71fafd95 2491 #endif
8523533c 2492
059ec3d9
PH		 2493 case ACLC_CONDITION:
2494 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2495 rc = (Uatoi(arg) == 0)? FAIL : OK;
2496 else
2497 rc = (strcmpic(arg, US"no") == 0 ||
2498 strcmpic(arg, US"false") == 0)? FAIL :
2499 (strcmpic(arg, US"yes") == 0 ||
2500 strcmpic(arg, US"true") == 0)? OK : DEFER;
2501 if (rc == DEFER)
2502 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2503 break;
2504
2505 case ACLC_CONTROL:
c5fcb476
PH		 2506 control_type = decode_control(arg, &p, where, log_msgptr);
2507
8523533c 2508 /* Check if this control makes sense at this time */
c5fcb476
PH		 2509
2510 if ((control_forbids[control_type] & (1 << where)) != 0)
2511 {
2512 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2513 controls[control_type], acl_wherenames[where]);
2514 return ERROR;
8e669ac1 2515 }
c5fcb476
PH		 2516
2517 switch(control_type)
059ec3d9 2518 {
c46782ef
PH		 2519 case CONTROL_AUTH_UNADVERTISED:
2520 allow_auth_unadvertised = TRUE;
2521 break;
2522
2523 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2524 case CONTROL_BMI_RUN:
2525 bmi_run = 1;
2526 break;
c46782ef
PH		 2527 #endif
2528
2529 #ifdef EXPERIMENTAL_DOMAINKEYS
fb2274d4
TK		 2530 case CONTROL_DK_VERIFY:
2531 dk_do_verify = 1;
2532 break;
c46782ef
PH		 2533 #endif
2534
059ec3d9
PH		 2535 case CONTROL_ERROR:
2536 return ERROR;
2537
2538 case CONTROL_CASEFUL_LOCAL_PART:
2539 deliver_localpart = addr->cc_local_part;
2540 break;
2541
2542 case CONTROL_CASELOWER_LOCAL_PART:
2543 deliver_localpart = addr->lc_local_part;
2544 break;
2545
2546 case CONTROL_ENFORCE_SYNC:
2547 smtp_enforce_sync = TRUE;
2548 break;
2549
2550 case CONTROL_NO_ENFORCE_SYNC:
2551 smtp_enforce_sync = FALSE;
2552 break;
2553
c46782ef 2554 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2555 case CONTROL_NO_MBOX_UNSPOOL:
2556 no_mbox_unspool = TRUE;
2557 break;
c46782ef 2558 #endif
8523533c 2559
059ec3d9
PH		 2560 case CONTROL_NO_MULTILINE:
2561 no_multiline_responses = TRUE;
2562 break;
2563
29aba418 2564 case CONTROL_FAKEDEFER:
8523533c 2565 case CONTROL_FAKEREJECT:
29aba418 2566 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2567 if (*p == '/')
8e669ac1 2568 {
8523533c 2569 uschar *pp = p + 1;
8e669ac1 2570 while (*pp != 0) pp++;
29aba418 2571 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2572 p = pp;
2573 }
2574 else
2575 {
2576 /* Explicitly reset to default string */
29aba418 2577 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2578 }
2579 break;
8523533c 2580
059ec3d9
PH		 2581 case CONTROL_FREEZE:
2582 deliver_freeze = TRUE;
2583 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2584 freeze_tell = freeze_tell_config; /* Reset to configured value */
2585 if (Ustrncmp(p, "/no_tell", 8) == 0)
2586 {
2587 p += 8;
2588 freeze_tell = NULL;
2589 }
2590 if (*p != 0)
2591 {
2592 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2593 return ERROR;
2594 }
059ec3d9
PH		 2595 break;
2596
2597 case CONTROL_QUEUE_ONLY:
2598 queue_only_policy = TRUE;
2599 break;
2600
2601 case CONTROL_SUBMISSION:
87ba3f5f 2602 originator_name = US"";
059ec3d9 2603 submission_mode = TRUE;
69358f02 2604 while (*p == '/')
8e669ac1 2605 {
69358f02
PH		 2606 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2607 {
2608 p += 14;
2609 active_local_sender_retain = TRUE;
8e669ac1
PH		 2610 active_local_from_check = FALSE;
2611 }
69358f02
PH		 2612 else if (Ustrncmp(p, "/domain=", 8) == 0)
2613 {
2614 uschar *pp = p + 8;
8e669ac1 2615 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 2616 submission_domain = string_copyn(p+8, pp-p-8);
2617 p = pp;
2618 }
8857ccfd
PH		 2619 /* The name= option must be last, because it swallows the rest of
2620 the string. */
87ba3f5f
PH		 2621 else if (Ustrncmp(p, "/name=", 6) == 0)
2622 {
2623 uschar *pp = p + 6;
8857ccfd 2624 while (*pp != 0) pp++;
2fe1a124 2625 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 2626 big_buffer, big_buffer_size));
8e669ac1 2627 p = pp;
69358f02 2628 }
8e669ac1
PH		 2629 else break;
2630 }
69358f02 2631 if (*p != 0)
059ec3d9 2632 {
69358f02 2633 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 2634 return ERROR;
2635 }
2636 break;
8800895a
PH		 2637
2638 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2639 suppress_local_fixups = TRUE;
2640 break;
059ec3d9
PH		 2641 }
2642 break;
2643
71fafd95 2644 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2645 case ACLC_DECODE:
2646 rc = mime_decode(&arg);
2647 break;
71fafd95 2648 #endif
8523533c 2649
059ec3d9
PH		 2650 case ACLC_DELAY:
2651 {
2652 int delay = readconf_readtime(arg, 0, FALSE);
2653 if (delay < 0)
2654 {
2655 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2656 "modifier: \"%s\" is not a time value", arg);
2657 return ERROR;
2658 }
2659 else
2660 {
2661 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2662 delay);
2663 if (host_checking)
2664 {
2665 HDEBUG(D_acl)
2666 debug_printf("delay skipped in -bh checking mode\n");
2667 }
010c2d14
PH		 2668
2669 /* It appears to be impossible to detect that a TCP/IP connection has
2670 gone away without reading from it. This means that we cannot shorten
2671 the delay below if the client goes away, because we cannot discover
2672 that the client has closed its end of the connection. (The connection
2673 is actually in a half-closed state, waiting for the server to close its
2674 end.) It would be nice to be able to detect this state, so that the
2675 Exim process is not held up unnecessarily. However, it seems that we
2676 can't. The poll() function does not do the right thing, and in any case
2677 it is not always available.
2678
2679 NOTE: If ever this state of affairs changes, remember that we may be
2680 dealing with stdin/stdout here, in addition to TCP/IP connections.
2681 Whatever is done must work in both cases. To detected the stdin/stdout
2682 case, check for smtp_in or smtp_out being NULL. */
2683
8e669ac1 2684 else
86b8287f
PH		 2685 {
2686 while (delay > 0) delay = sleep(delay);
8e669ac1 2687 }
059ec3d9
PH		 2688 }
2689 }
2690 break;
2691
71fafd95 2692 #ifdef WITH_OLD_DEMIME
8523533c
TK		 2693 case ACLC_DEMIME:
2694 rc = demime(&arg);
2695 break;
71fafd95 2696 #endif
8523533c 2697
71fafd95
PH		 2698 #ifdef EXPERIMENTAL_DOMAINKEYS
2699 case ACLC_DK_DOMAIN_SOURCE:
fb2274d4
TK		 2700 if (dk_verify_block == NULL) { rc = FAIL; break; };
2701 /* check header source of domain against given string */
2702 switch (dk_verify_block->address_source) {
2703 case DK_EXIM_ADDRESS_FROM_FROM:
2704 rc = match_isinlist(US"from", &arg, 0, NULL,
2705 NULL, MCL_STRING, TRUE, NULL);
2706 break;
2707 case DK_EXIM_ADDRESS_FROM_SENDER:
2708 rc = match_isinlist(US"sender", &arg, 0, NULL,
2709 NULL, MCL_STRING, TRUE, NULL);
2710 break;
2711 case DK_EXIM_ADDRESS_NONE:
2712 rc = match_isinlist(US"none", &arg, 0, NULL,
2713 NULL, MCL_STRING, TRUE, NULL);
2714 break;
71fafd95
PH		 2715 }
2716 break;
2717
2718 case ACLC_DK_POLICY:
fb2274d4
TK		 2719 if (dk_verify_block == NULL) { rc = FAIL; break; };
2720 /* check policy against given string, default FAIL */
2721 rc = FAIL;
2722 if (dk_verify_block->signsall)
2723 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2724 NULL, MCL_STRING, TRUE, NULL);
2725 if (dk_verify_block->testing)
2726 rc = match_isinlist(US"testing", &arg, 0, NULL,
2727 NULL, MCL_STRING, TRUE, NULL);
71fafd95
PH		 2728 break;
2729
2730 case ACLC_DK_SENDER_DOMAINS:
fb2274d4
TK		 2731 if (dk_verify_block == NULL) { rc = FAIL; break; };
2732 if (dk_verify_block->domain != NULL)
2733 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2734 NULL, MCL_DOMAIN, TRUE, NULL);
2735 else rc = FAIL;
71fafd95
PH		 2736 break;
2737
2738 case ACLC_DK_SENDER_LOCAL_PARTS:
fb2274d4
TK		 2739 if (dk_verify_block == NULL) { rc = FAIL; break; };
2740 if (dk_verify_block->local_part != NULL)
2741 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2742 NULL, MCL_LOCALPART, TRUE, NULL);
2743 else rc = FAIL;
71fafd95
PH		 2744 break;
2745
2746 case ACLC_DK_SENDERS:
fb2274d4
TK		 2747 if (dk_verify_block == NULL) { rc = FAIL; break; };
2748 if (dk_verify_block->address != NULL)
2749 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2750 else rc = FAIL;
71fafd95
PH		 2751 break;
2752
2753 case ACLC_DK_STATUS:
fb2274d4
TK		 2754 if (dk_verify_block == NULL) { rc = FAIL; break; };
2755 if (dk_verify_block->result > 0) {
2756 switch(dk_verify_block->result) {
2757 case DK_EXIM_RESULT_BAD_FORMAT:
2758 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2759 NULL, MCL_STRING, TRUE, NULL);
2760 break;
2761 case DK_EXIM_RESULT_NO_KEY:
2762 rc = match_isinlist(US"no key", &arg, 0, NULL,
2763 NULL, MCL_STRING, TRUE, NULL);
2764 break;
2765 case DK_EXIM_RESULT_NO_SIGNATURE:
2766 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2767 NULL, MCL_STRING, TRUE, NULL);
2768 break;
2769 case DK_EXIM_RESULT_REVOKED:
2770 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2771 NULL, MCL_STRING, TRUE, NULL);
2772 break;
2773 case DK_EXIM_RESULT_NON_PARTICIPANT:
2774 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2775 NULL, MCL_STRING, TRUE, NULL);
2776 break;
2777 case DK_EXIM_RESULT_GOOD:
2778 rc = match_isinlist(US"good", &arg, 0, NULL,
2779 NULL, MCL_STRING, TRUE, NULL);
2780 break;
2781 case DK_EXIM_RESULT_BAD:
2782 rc = match_isinlist(US"bad", &arg, 0, NULL,
2783 NULL, MCL_STRING, TRUE, NULL);
2784 break;
71fafd95 2785 }
fb2274d4 2786 }
71fafd95
PH		 2787 break;
2788 #endif
fb2274d4 2789
059ec3d9
PH		 2790 case ACLC_DNSLISTS:
2791 rc = verify_check_dnsbl(&arg);
2792 break;
2793
2794 case ACLC_DOMAINS:
2795 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2796 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2797 break;
2798
2799 /* The value in tls_cipher is the full cipher name, for example,
2800 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2801 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2802 what may in practice come out of the SSL library - which at the time of
2803 writing is poorly documented. */
2804
2805 case ACLC_ENCRYPTED:
2806 if (tls_cipher == NULL) rc = FAIL; else
2807 {
2808 uschar *endcipher = NULL;
2809 uschar *cipher = Ustrchr(tls_cipher, ':');
2810 if (cipher == NULL) cipher = tls_cipher; else
2811 {
2812 endcipher = Ustrchr(++cipher, ':');
2813 if (endcipher != NULL) *endcipher = 0;
2814 }
2815 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2816 if (endcipher != NULL) *endcipher = ':';
2817 }
2818 break;
2819
2820 /* Use verify_check_this_host() instead of verify_check_host() so that
2821 we can pass over &host_data to catch any looked up data. Once it has been
2822 set, it retains its value so that it's still there if another ACL verb
2823 comes through here and uses the cache. However, we must put it into
2824 permanent store in case it is also expected to be used in a subsequent
2825 message in the same SMTP connection. */
2826
2827 case ACLC_HOSTS:
2828 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2829 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2830 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2831 break;
2832
2833 case ACLC_LOCAL_PARTS:
2834 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2835 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2836 &deliver_localpart_data);
2837 break;
2838
2839 case ACLC_LOGWRITE:
2840 {
2841 int logbits = 0;
2842 uschar *s = arg;
2843 if (*s == ':')
2844 {
2845 s++;
2846 while (*s != ':')
2847 {
2848 if (Ustrncmp(s, "main", 4) == 0)
2849 { logbits |= LOG_MAIN; s += 4; }
2850 else if (Ustrncmp(s, "panic", 5) == 0)
2851 { logbits |= LOG_PANIC; s += 5; }
2852 else if (Ustrncmp(s, "reject", 6) == 0)
2853 { logbits |= LOG_REJECT; s += 6; }
2854 else
2855 {
2856 logbits = LOG_MAIN|LOG_PANIC;
2857 s = string_sprintf(":unknown log name in \"%s\" in "
2858 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2859 }
2860 if (*s == ',') s++;
2861 }
2862 s++;
2863 }
2864 while (isspace(*s)) s++;
2865 if (logbits == 0) logbits = LOG_MAIN;
2866 log_write(0, logbits, "%s", string_printing(s));
2867 }
2868 break;
8e669ac1 2869
71fafd95 2870 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2871 case ACLC_MALWARE:
2872 {
2873 /* Seperate the regular expression and any optional parameters. */
2874 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2875 /* Run the malware backend. */
2876 rc = malware(&ss);
2877 /* Modify return code based upon the existance of options. */
2878 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2879 != NULL) {
2880 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2881 {
2882 /* FAIL so that the message is passed to the next ACL */
2883 rc = FAIL;
2884 }
2885 }
2886 }
2887 break;
2888
2889 case ACLC_MIME_REGEX:
71fafd95 2890 rc = mime_regex(&arg);
8523533c 2891 break;
71fafd95 2892 #endif
059ec3d9 2893
870f6ba8 2894 case ACLC_RATELIMIT:
90fc3069 2895 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 2896 break;
2897
059ec3d9
PH		 2898 case ACLC_RECIPIENTS:
2899 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2900 &recipient_data);
2901 break;
2902
71fafd95
PH		 2903 #ifdef WITH_CONTENT_SCAN
2904 case ACLC_REGEX:
2905 rc = regex(&arg);
8523533c 2906 break;
71fafd95 2907 #endif
8523533c 2908
059ec3d9
PH		 2909 case ACLC_SENDER_DOMAINS:
2910 {
2911 uschar *sdomain;
2912 sdomain = Ustrrchr(sender_address, '@');
2913 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2914 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2915 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2916 }
2917 break;
2918
2919 case ACLC_SENDERS:
2920 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2921 sender_address_cache, -1, 0, &sender_data);
2922 break;
2923
2924 /* Connection variables must persist forever */
2925
2926 case ACLC_SET:
2927 {
2928 int old_pool = store_pool;
47ca6d6c 2929 if (cb->u.varnumber < ACL_CVARS) store_pool = POOL_PERM;
059ec3d9
PH		 2930 acl_var[cb->u.varnumber] = string_copy(arg);
2931 store_pool = old_pool;
2932 }
2933 break;
2934
71fafd95 2935 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2936 case ACLC_SPAM:
2937 {
2938 /* Seperate the regular expression and any optional parameters. */
2939 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2940 /* Run the spam backend. */
2941 rc = spam(&ss);
2942 /* Modify return code based upon the existance of options. */
2943 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2944 != NULL) {
2945 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2946 {
2947 /* FAIL so that the message is passed to the next ACL */
2948 rc = FAIL;
2949 }
2950 }
2951 }
2952 break;
71fafd95 2953 #endif
8523533c 2954
71fafd95 2955 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 2956 case ACLC_SPF:
2957 rc = spf_process(&arg, sender_address);
2958 break;
71fafd95 2959 #endif
8523533c 2960
059ec3d9
PH		 2961 /* If the verb is WARN, discard any user message from verification, because
2962 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 2963 only from explicit "message" modifiers. However, put the user message into
2964 $acl_verify_message so it can be used in subsequent conditions or modifiers
2965 (until something changes it). */
059ec3d9
PH		 2966
2967 case ACLC_VERIFY:
2968 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 2969 acl_verify_message = *user_msgptr;
059ec3d9
PH		 2970 if (verb == ACL_WARN) *user_msgptr = NULL;
2971 break;
2972
2973 default:
2974 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2975 "condition %d", cb->type);
2976 break;
2977 }
2978
2979 /* If a condition was negated, invert OK/FAIL. */
2980
2981 if (!cond_modifiers[cb->type] && cb->u.negated)
2982 {
2983 if (rc == OK) rc = FAIL;
2984 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2985 }
2986
2987 if (rc != OK) break; /* Conditions loop */
2988 }
2989
2990
2991/* If the result is the one for which "message" and/or "log_message" are used,
2992handle the values of these options. Most verbs have but a single return for
2993which the messages are relevant, but for "discard", it's useful to have the log
2994message both when it succeeds and when it fails. Also, for an "accept" that
2995appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2996and "warn" are permitted in that ACL, we don't need to test the verb.
2997
2998These modifiers act in different ways:
2999
3000"message" is a user message that will be included in an SMTP response. Unless
3001it is empty, it overrides any previously set user message.
3002
3003"log_message" is a non-user message, and it adds to any existing non-user
3004message that is already set.
3005
3006If there isn't a log message set, we make it the same as the user message. */
3007
3008if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
3009 (verb == ACL_DISCARD && rc == OK) ||
3010 (where == ACL_WHERE_QUIT))
3011 {
3012 uschar *expmessage;
3013
3014 /* If the verb is "warn", messages generated by conditions (verification or
3015 nested ACLs) are discarded. Only messages specified at this level are used.
3016 However, the value of an existing message is available in $acl_verify_message
3017 during expansions. */
3018
3019 uschar *old_user_msgptr = *user_msgptr;
3020 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
3021
3022 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
3023
3024 if (user_message != NULL)
3025 {
3026 acl_verify_message = old_user_msgptr;
3027 expmessage = expand_string(user_message);
3028 if (expmessage == NULL)
3029 {
3030 if (!expand_string_forcedfail)
3031 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3032 user_message, expand_string_message);
3033 }
3034 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3035 }
3036
3037 if (log_message != NULL)
3038 {
3039 acl_verify_message = old_log_msgptr;
3040 expmessage = expand_string(log_message);
3041 if (expmessage == NULL)
3042 {
3043 if (!expand_string_forcedfail)
3044 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3045 log_message, expand_string_message);
3046 }
3047 else if (expmessage[0] != 0)
3048 {
3049 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3050 string_sprintf("%s: %s", expmessage, *log_msgptr);
3051 }
3052 }
3053
3054 /* If no log message, default it to the user message */
3055
3056 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3057 }
3058
3059acl_verify_message = NULL;
3060return rc;
3061}
3062
3063
3064
3065
3066
3067/*************************************************
3068* Get line from a literal ACL *
3069*************************************************/
3070
3071/* This function is passed to acl_read() in order to extract individual lines
3072of a literal ACL, which we access via static pointers. We can destroy the
3073contents because this is called only once (the compiled ACL is remembered).
3074
3075This code is intended to treat the data in the same way as lines in the main
3076Exim configuration file. That is:
3077
3078 . Leading spaces are ignored.
3079
3080 . A \ at the end of a line is a continuation - trailing spaces after the \
3081 are permitted (this is because I don't believe in making invisible things
3082 significant). Leading spaces on the continued part of a line are ignored.
3083
3084 . Physical lines starting (significantly) with # are totally ignored, and
3085 may appear within a sequence of backslash-continued lines.
3086
3087 . Blank lines are ignored, but will end a sequence of continuations.
3088
3089Arguments: none
3090Returns: a pointer to the next line
3091*/
3092
3093
3094static uschar *acl_text; /* Current pointer in the text */
3095static uschar *acl_text_end; /* Points one past the terminating '0' */
3096
3097
3098static uschar *
3099acl_getline(void)
3100{
3101uschar *yield;
3102
3103/* This loop handles leading blank lines and comments. */
3104
3105for(;;)
3106 {
3107 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3108 if (*acl_text == 0) return NULL; /* No more data */
3109 yield = acl_text; /* Potential data line */
3110
3111 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3112
3113 /* If we hit the end before a newline, we have the whole logical line. If
3114 it's a comment, there's no more data to be given. Otherwise, yield it. */
3115
3116 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3117
3118 /* After reaching a newline, end this loop if the physical line does not
3119 start with '#'. If it does, it's a comment, and the loop continues. */
3120
3121 if (*yield != '#') break;
3122 }
3123
3124/* This loop handles continuations. We know we have some real data, ending in
3125newline. See if there is a continuation marker at the end (ignoring trailing
3126white space). We know that *yield is not white space, so no need to test for
3127cont > yield in the backwards scanning loop. */
3128
3129for(;;)
3130 {
3131 uschar *cont;
3132 for (cont = acl_text - 1; isspace(*cont); cont--);
3133
3134 /* If no continuation follows, we are done. Mark the end of the line and
3135 return it. */
3136
3137 if (*cont != '\\')
3138 {
3139 *acl_text++ = 0;
3140 return yield;
3141 }
3142
3143 /* We have encountered a continuation. Skip over whitespace at the start of
3144 the next line, and indeed the whole of the next line or lines if they are
3145 comment lines. */
3146
3147 for (;;)
3148 {
3149 while (*(++acl_text) == ' ' || *acl_text == '\t');
3150 if (*acl_text != '#') break;
3151 while (*(++acl_text) != 0 && *acl_text != '\n');
3152 }
3153
3154 /* We have the start of a continuation line. Move all the rest of the data
3155 to join onto the previous line, and then find its end. If the end is not a
3156 newline, we are done. Otherwise loop to look for another continuation. */
3157
3158 memmove(cont, acl_text, acl_text_end - acl_text);
3159 acl_text_end -= acl_text - cont;
3160 acl_text = cont;
3161 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3162 if (*acl_text == 0) return yield;
3163 }
3164
3165/* Control does not reach here */
3166}
3167
3168
3169
3170
3171
3172/*************************************************
3173* Check access using an ACL *
3174*************************************************/
3175
3176/* This function is called from address_check. It may recurse via
3177acl_check_condition() - hence the use of a level to stop looping. The ACL is
3178passed as a string which is expanded. A forced failure implies no access check
3179is required. If the result is a single word, it is taken as the name of an ACL
3180which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3181text, complete with newlines, and parsed as such. In both cases, the ACL check
3182is then run. This function uses an auxiliary function for acl_read() to call
3183for reading individual lines of a literal ACL. This is acl_getline(), which
3184appears immediately above.
3185
3186Arguments:
3187 where where called from
3188 addr address item when called from RCPT; otherwise NULL
3189 s the input string; NULL is the same as an empty ACL => DENY
3190 level the nesting level
3191 user_msgptr where to put a user error (for SMTP response)
3192 log_msgptr where to put a logging message (not for SMTP response)
3193
3194Returns: OK access is granted
3195 DISCARD access is apparently granted...
3196 FAIL access is denied
3197 FAIL_DROP access is denied; drop the connection
3198 DEFER can't tell at the moment
3199 ERROR disaster
3200*/
3201
3202static int
3203acl_check_internal(int where, address_item *addr, uschar *s, int level,
3204 uschar **user_msgptr, uschar **log_msgptr)
3205{
3206int fd = -1;
3207acl_block *acl = NULL;
3208uschar *acl_name = US"inline ACL";
3209uschar *ss;
3210
3211/* Catch configuration loops */
3212
3213if (level > 20)
3214 {
3215 *log_msgptr = US"ACL nested too deep: possible loop";
3216 return ERROR;
3217 }
3218
3219if (s == NULL)
3220 {
3221 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3222 return FAIL;
3223 }
3224
3225/* At top level, we expand the incoming string. At lower levels, it has already
3226been expanded as part of condition processing. */
3227
3228if (level == 0)
3229 {
3230 ss = expand_string(s);
3231 if (ss == NULL)
3232 {
3233 if (expand_string_forcedfail) return OK;
3234 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3235 expand_string_message);
3236 return ERROR;
3237 }
3238 }
3239else ss = s;
3240
3241while (isspace(*ss))ss++;
3242
3243/* If we can't find a named ACL, the default is to parse it as an inline one.
3244(Unless it begins with a slash; non-existent files give rise to an error.) */
3245
3246acl_text = ss;
3247
3248/* Handle the case of a string that does not contain any spaces. Look for a
3249named ACL among those read from the configuration, or a previously read file.
3250It is possible that the pointer to the ACL is NULL if the configuration
3251contains a name with no data. If not found, and the text begins with '/',
3252read an ACL from a file, and save it so it can be re-used. */
3253
3254if (Ustrchr(ss, ' ') == NULL)
3255 {
3256 tree_node *t = tree_search(acl_anchor, ss);
3257 if (t != NULL)
3258 {
3259 acl = (acl_block *)(t->data.ptr);
3260 if (acl == NULL)
3261 {
3262 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3263 return FAIL;
3264 }
3265 acl_name = string_sprintf("ACL \"%s\"", ss);
3266 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3267 }
3268
3269 else if (*ss == '/')
3270 {
3271 struct stat statbuf;
3272 fd = Uopen(ss, O_RDONLY, 0);
3273 if (fd < 0)
3274 {
3275 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3276 strerror(errno));
3277 return ERROR;
3278 }
3279
3280 if (fstat(fd, &statbuf) != 0)
3281 {
3282 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3283 strerror(errno));
3284 return ERROR;
3285 }
3286
3287 acl_text = store_get(statbuf.st_size + 1);
3288 acl_text_end = acl_text + statbuf.st_size + 1;
3289
3290 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3291 {
3292 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3293 ss, strerror(errno));
3294 return ERROR;
3295 }
3296 acl_text[statbuf.st_size] = 0;
f1e894f3 3297 (void)close(fd);
059ec3d9
PH		 3298
3299 acl_name = string_sprintf("ACL \"%s\"", ss);
3300 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3301 }
3302 }
3303
3304/* Parse an ACL that is still in text form. If it came from a file, remember it
3305in the ACL tree, having read it into the POOL_PERM store pool so that it
3306persists between multiple messages. */
3307
3308if (acl == NULL)
3309 {
3310 int old_pool = store_pool;
3311 if (fd >= 0) store_pool = POOL_PERM;
3312 acl = acl_read(acl_getline, log_msgptr);
3313 store_pool = old_pool;
3314 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3315 if (fd >= 0)
3316 {
3317 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3318 Ustrcpy(t->name, ss);
3319 t->data.ptr = acl;
3320 (void)tree_insertnode(&acl_anchor, t);
3321 }
3322 }
3323
3324/* Now we have an ACL to use. It's possible it may be NULL. */
3325
3326while (acl != NULL)
3327 {
3328 int cond;
3329 int basic_errno = 0;
3330 BOOL endpass_seen = FALSE;
3331
3332 *log_msgptr = *user_msgptr = NULL;
3333 acl_temp_details = FALSE;
3334
3335 if (where == ACL_WHERE_QUIT &&
3336 acl->verb != ACL_ACCEPT &&
3337 acl->verb != ACL_WARN)
3338 {
3339 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
3340 verbs[acl->verb]);
3341 return ERROR;
3342 }
3343
3344 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3345
3346 /* Clear out any search error message from a previous check before testing
3347 this condition. */
3348
3349 search_error_message = NULL;
3350 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3351 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3352
3353 /* Handle special returns: DEFER causes a return except on a WARN verb;
3354 ERROR always causes a return. */
3355
3356 switch (cond)
3357 {
3358 case DEFER:
3359 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3360 if (basic_errno != ERRNO_CALLOUTDEFER)
3361 {
3362 if (search_error_message != NULL && *search_error_message != 0)
3363 *log_msgptr = search_error_message;
3364 if (smtp_return_error_details) acl_temp_details = TRUE;
3365 }
3366 else
3367 {
3368 acl_temp_details = TRUE;
3369 }
3370 if (acl->verb != ACL_WARN) return DEFER;
3371 break;
3372
3373 default: /* Paranoia */
3374 case ERROR:
3375 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3376 return ERROR;
3377
3378 case OK:
3379 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3380 verbs[acl->verb]);
3381 break;
3382
3383 case FAIL:
3384 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3385 break;
3386
3387 /* DISCARD and DROP can happen only from a nested ACL condition, and
3388 DISCARD can happen only for an "accept" or "discard" verb. */
3389
3390 case DISCARD:
3391 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3392 verbs[acl->verb]);
3393 break;
3394
3395 case FAIL_DROP:
3396 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3397 verbs[acl->verb]);
3398 break;
3399 }
3400
3401 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3402 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3403 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3404
3405 switch(acl->verb)
3406 {
3407 case ACL_ACCEPT:
3408 if (cond == OK || cond == DISCARD) return cond;
3409 if (endpass_seen)
3410 {
3411 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3412 return cond;
3413 }
3414 break;
3415
3416 case ACL_DEFER:
3417 if (cond == OK)
3418 {
3419 acl_temp_details = TRUE;
3420 return DEFER;
3421 }
3422 break;
3423
3424 case ACL_DENY:
3425 if (cond == OK) return FAIL;
3426 break;
3427
3428 case ACL_DISCARD:
3429 if (cond == OK || cond == DISCARD) return DISCARD;
3430 if (endpass_seen)
3431 {
3432 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3433 return cond;
3434 }
3435 break;
3436
3437 case ACL_DROP:
3438 if (cond == OK) return FAIL_DROP;
3439 break;
3440
3441 case ACL_REQUIRE:
3442 if (cond != OK) return cond;
3443 break;
3444
3445 case ACL_WARN:
3446 if (cond == OK)
3447 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3448 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3449 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3450 "condition test deferred%s%s", host_and_ident(TRUE),
3451 (*log_msgptr == NULL)? US"" : US": ",
3452 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3453 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3454 break;
3455
3456 default:
3457 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3458 acl->verb);
3459 break;
3460 }
3461
3462 /* Pass to the next ACL item */
3463
3464 acl = acl->next;
3465 }
3466
3467/* We have reached the end of the ACL. This is an implicit DENY. */
3468
3469HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3470return FAIL;
3471}
3472
3473
3474/*************************************************
3475* Check access using an ACL *
3476*************************************************/
3477
3478/* This is the external interface for ACL checks. It sets up an address and the
3479expansions for $domain and $local_part when called after RCPT, then calls
3480acl_check_internal() to do the actual work.
3481
3482Arguments:
3483 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3484 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3485 s the input string; NULL is the same as an empty ACL => DENY
3486 user_msgptr where to put a user error (for SMTP response)
3487 log_msgptr where to put a logging message (not for SMTP response)
3488
3489Returns: OK access is granted by an ACCEPT verb
3490 DISCARD access is granted by a DISCARD verb
3491 FAIL access is denied
3492 FAIL_DROP access is denied; drop the connection
3493 DEFER can't tell at the moment
3494 ERROR disaster
3495*/
3496
3497int
64ffc24f 3498acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3499 uschar **log_msgptr)
3500{
3501int rc;
3502address_item adb;
64ffc24f 3503address_item *addr = NULL;
059ec3d9
PH		 3504
3505*user_msgptr = *log_msgptr = NULL;
3506sender_verified_failed = NULL;
fe0dab11 3507ratelimiters_cmd = NULL;
059ec3d9
PH		 3508
3509if (where == ACL_WHERE_RCPT)
3510 {
3511 adb = address_defaults;
3512 addr = &adb;
64ffc24f 3513 addr->address = recipient;
059ec3d9
PH		 3514 if (deliver_split_address(addr) == DEFER)
3515 {
3516 *log_msgptr = US"defer in percent_hack_domains check";
3517 return DEFER;
3518 }
3519 deliver_domain = addr->domain;
3520 deliver_localpart = addr->local_part;
3521 }
059ec3d9
PH		 3522
3523rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3524
64ffc24f
PH		 3525deliver_domain = deliver_localpart = deliver_address_data =
3526 sender_address_data = NULL;
059ec3d9
PH		 3527
3528/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3529ACL, which is really in the middle of an SMTP command. */
3530
3531if (rc == DISCARD)
3532 {
3533 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3534 {
3535 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3536 "ACL", acl_wherenames[where]);
3537 return ERROR;
3538 }
3539 return DISCARD;
3540 }
3541
3542/* A DROP response is not permitted from MAILAUTH */
3543
3544if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3545 {
3546 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3547 "ACL", acl_wherenames[where]);
3548 return ERROR;
3549 }
3550
3551/* Before giving an error response, take a look at the length of any user
3552message, and split it up into multiple lines if possible. */
3553
3554if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
3555 {
3556 uschar *s = *user_msgptr = string_copy(*user_msgptr);
3557 uschar *ss = s;
3558
3559 for (;;)
3560 {
3561 int i = 0;
3562 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
3563 if (*ss == 0) break;
3564 if (*ss == '\n')
3565 s = ++ss;
3566 else
3567 {
3568 uschar *t = ss + 1;
3569 uschar *tt = NULL;
3570 while (--t > s + 35)
3571 {
3572 if (*t == ' ')
3573 {
3574 if (t[-1] == ':') { tt = t; break; }
3575 if (tt == NULL) tt = t;
3576 }
3577 }
3578
3579 if (tt == NULL) /* Can't split behind - try ahead */
3580 {
3581 t = ss + 1;
3582 while (*t != 0)
3583 {
3584 if (*t == ' ' || *t == '\n')
3585 { tt = t; break; }
3586 t++;
3587 }
3588 }
3589
3590 if (tt == NULL) break; /* Can't find anywhere to split */
3591 *tt = '\n';
3592 s = ss = tt+1;
3593 }
3594 }
3595 }
3596
3597return rc;
3598}
3599
3600/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.