Fix condition and control permission tables for the MIME ACL
[exim.git] / src / src / acl.c
CommitLineData
e715ad22 1/* $Cambridge: exim/src/src/acl.c,v 1.23 2005/03/09 14:36:54 tom Exp $ */
059ec3d9
PH
2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
c988f1f4 7/* Copyright (c) University of Cambridge 1995 - 2005 */
059ec3d9
PH
8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
35follows. */
36
8523533c
TK
37enum { ACLC_ACL, ACLC_AUTHENTICATED,
38#ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40#endif
41ACLC_CONDITION, ACLC_CONTROL,
42#ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44#endif
45 ACLC_DELAY,
46#ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
8e669ac1 48#endif
fb2274d4
TK
49#ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
51 ACLC_DK_POLICY,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
54 ACLC_DK_SENDERS,
55 ACLC_DK_STATUS,
56#endif
8523533c
TK
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59#ifdef WITH_CONTENT_SCAN
60 ACLC_MALWARE,
61#endif
62 ACLC_MESSAGE,
63#ifdef WITH_CONTENT_SCAN
64 ACLC_MIME_REGEX,
65#endif
66 ACLC_RECIPIENTS,
67#ifdef WITH_CONTENT_SCAN
68 ACLC_REGEX,
69#endif
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71#ifdef WITH_CONTENT_SCAN
8e669ac1 72 ACLC_SPAM,
8523533c
TK
73#endif
74#ifdef EXPERIMENTAL_SPF
75 ACLC_SPF,
76#endif
77 ACLC_VERIFY };
059ec3d9
PH
78
79/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80"log_message", "logwrite", and "set" are modifiers that look like conditions
81but always return TRUE. They are used for their side effects. */
82
8523533c
TK
83static uschar *conditions[] = { US"acl", US"authenticated",
84#ifdef EXPERIMENTAL_BRIGHTMAIL
85 US"bmi_optin",
86#endif
87 US"condition",
8e669ac1 88 US"control",
8523533c
TK
89#ifdef WITH_CONTENT_SCAN
90 US"decode",
91#endif
92 US"delay",
93#ifdef WITH_OLD_DEMIME
94 US"demime",
95#endif
fb2274d4 96#ifdef EXPERIMENTAL_DOMAINKEYS
e715ad22
TK
97 US"dk_domain_source",
98 US"dk_policy",
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
101 US"dk_senders",
102 US"dk_status",
fb2274d4 103#endif
8523533c 104 US"dnslists", US"domains", US"encrypted",
059ec3d9 105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
8523533c
TK
106#ifdef WITH_CONTENT_SCAN
107 US"malware",
108#endif
109 US"message",
110#ifdef WITH_CONTENT_SCAN
111 US"mime_regex",
112#endif
113 US"recipients",
114#ifdef WITH_CONTENT_SCAN
115 US"regex",
116#endif
117 US"sender_domains", US"senders", US"set",
118#ifdef WITH_CONTENT_SCAN
119 US"spam",
120#endif
121#ifdef EXPERIMENTAL_SPF
122 US"spf",
123#endif
059ec3d9 124 US"verify" };
8e669ac1 125
c5fcb476
PH
126/* ACL control names */
127
128static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
8e669ac1 130 US"queue_only", US"submission", US"no_multiline"};
059ec3d9
PH
131
132/* Flags to indicate for which conditions /modifiers a string expansion is done
133at the outer level. In the other cases, expansion already occurs in the
134checking functions. */
135
136static uschar cond_expand_at_top[] = {
137 TRUE, /* acl */
138 FALSE, /* authenticated */
8523533c
TK
139#ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
8e669ac1 141#endif
059ec3d9
PH
142 TRUE, /* condition */
143 TRUE, /* control */
8523533c
TK
144#ifdef WITH_CONTENT_SCAN
145 TRUE, /* decode */
146#endif
059ec3d9 147 TRUE, /* delay */
8523533c
TK
148#ifdef WITH_OLD_DEMIME
149 TRUE, /* demime */
150#endif
fb2274d4 151#ifdef EXPERIMENTAL_DOMAINKEYS
e715ad22
TK
152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
155 TRUE, /* dk_sender_local_parts */
156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
fb2274d4 158#endif
059ec3d9
PH
159 TRUE, /* dnslists */
160 FALSE, /* domains */
161 FALSE, /* encrypted */
162 TRUE, /* endpass */
163 FALSE, /* hosts */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
166 TRUE, /* logwrite */
8523533c
TK
167#ifdef WITH_CONTENT_SCAN
168 TRUE, /* malware */
169#endif
059ec3d9 170 TRUE, /* message */
8523533c
TK
171#ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
173#endif
059ec3d9 174 FALSE, /* recipients */
8523533c
TK
175#ifdef WITH_CONTENT_SCAN
176 TRUE, /* regex */
177#endif
059ec3d9
PH
178 FALSE, /* sender_domains */
179 FALSE, /* senders */
180 TRUE, /* set */
8523533c
TK
181#ifdef WITH_CONTENT_SCAN
182 TRUE, /* spam */
183#endif
184#ifdef EXPERIMENTAL_SPF
185 TRUE, /* spf */
186#endif
059ec3d9
PH
187 TRUE /* verify */
188};
189
190/* Flags to identify the modifiers */
191
192static uschar cond_modifiers[] = {
193 FALSE, /* acl */
194 FALSE, /* authenticated */
8523533c
TK
195#ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
8e669ac1 197#endif
059ec3d9
PH
198 FALSE, /* condition */
199 TRUE, /* control */
8523533c
TK
200#ifdef WITH_CONTENT_SCAN
201 FALSE, /* decode */
202#endif
059ec3d9 203 TRUE, /* delay */
8523533c
TK
204#ifdef WITH_OLD_DEMIME
205 FALSE, /* demime */
206#endif
fb2274d4 207#ifdef EXPERIMENTAL_DOMAINKEYS
e715ad22
TK
208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
211 FALSE, /* dk_sender_local_parts */
212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
fb2274d4 214#endif
059ec3d9
PH
215 FALSE, /* dnslists */
216 FALSE, /* domains */
217 FALSE, /* encrypted */
218 TRUE, /* endpass */
219 FALSE, /* hosts */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
8523533c
TK
222 TRUE, /* logwrite */
223#ifdef WITH_CONTENT_SCAN
224 FALSE, /* malware */
225#endif
059ec3d9 226 TRUE, /* message */
8523533c
TK
227#ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
229#endif
059ec3d9 230 FALSE, /* recipients */
8523533c
TK
231#ifdef WITH_CONTENT_SCAN
232 FALSE, /* regex */
233#endif
059ec3d9
PH
234 FALSE, /* sender_domains */
235 FALSE, /* senders */
236 TRUE, /* set */
8523533c
TK
237#ifdef WITH_CONTENT_SCAN
238 FALSE, /* spam */
239#endif
240#ifdef EXPERIMENTAL_SPF
241 FALSE, /* spf */
242#endif
059ec3d9
PH
243 FALSE /* verify */
244};
245
c5fcb476
PH
246/* Bit map vector of which conditions are not allowed at certain times. For
247each condition, there's a bitmap of dis-allowed times. */
059ec3d9
PH
248
249static unsigned int cond_forbids[] = {
250 0, /* acl */
8e669ac1 251
059ec3d9
PH
252 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
253 (1<<ACL_WHERE_HELO),
8e669ac1 254
8523533c 255#ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 256 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK
257 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
258 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 259 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK
260 (1<<ACL_WHERE_MAILAUTH)|
261 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
262 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
263#endif
8e669ac1 264
059ec3d9 265 0, /* condition */
8e669ac1 266
059ec3d9
PH
267 /* Certain types of control are always allowed, so we let it through
268 always and check in the control processing itself */
8e669ac1 269
059ec3d9 270 0, /* control */
8e669ac1 271
8523533c 272#ifdef WITH_CONTENT_SCAN
3864bb8e 273 (1<<ACL_WHERE_AUTH)| /* decode */
8523533c
TK
274 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
275 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
276 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
277 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
278 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
279 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
280#endif
281
059ec3d9 282 0, /* delay */
8e669ac1 283
f7b63901 284#ifdef WITH_OLD_DEMIME
3864bb8e 285 (1<<ACL_WHERE_AUTH)| /* demime */
8523533c
TK
286 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
287 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
288 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
289 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
290 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
291 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
292#endif
8e669ac1 293
fb2274d4 294#ifdef EXPERIMENTAL_DOMAINKEYS
e715ad22 295 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK
296 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
297 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
298 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
299 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
300 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
301 (1<<ACL_WHERE_VRFY),
84330b7b 302
e715ad22 303 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK
304 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
305 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
306 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
307 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
308 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
309 (1<<ACL_WHERE_VRFY),
84330b7b 310
e715ad22 311 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK
312 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
313 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
314 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
315 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
316 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
317 (1<<ACL_WHERE_VRFY),
84330b7b 318
e715ad22 319 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK
320 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
321 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
322 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
323 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
324 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
325 (1<<ACL_WHERE_VRFY),
84330b7b 326
e715ad22 327 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK
328 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
329 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
330 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
331 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
332 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
333 (1<<ACL_WHERE_VRFY),
84330b7b 334
e715ad22 335 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK
336 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
337 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
338 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
339 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
340 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
341 (1<<ACL_WHERE_VRFY),
342#endif
343
059ec3d9
PH
344 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
345
346 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
347 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
348 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
349 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
350 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
351 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
352 (1<<ACL_WHERE_VRFY),
353
354 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
355 (1<<ACL_WHERE_HELO),
8e669ac1 356
059ec3d9 357 0, /* endpass */
8e669ac1 358
059ec3d9
PH
359 (1<<ACL_WHERE_NOTSMTP), /* hosts */
360
361 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
362 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
363 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
364 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
365 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
366 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
367 (1<<ACL_WHERE_VRFY),
368
369 0, /* log_message */
8e669ac1 370
059ec3d9 371 0, /* logwrite */
8e669ac1 372
8523533c 373#ifdef WITH_CONTENT_SCAN
3864bb8e 374 (1<<ACL_WHERE_AUTH)| /* malware */
8523533c
TK
375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
378 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
381#endif
382
059ec3d9
PH
383 0, /* message */
384
8523533c 385#ifdef WITH_CONTENT_SCAN
3864bb8e 386 (1<<ACL_WHERE_AUTH)| /* mime_regex */
8523533c
TK
387 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
388 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
389 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
390 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
391 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
392 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
393#endif
394
059ec3d9
PH
395 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
396 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
400 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
401 (1<<ACL_WHERE_VRFY),
402
8523533c 403#ifdef WITH_CONTENT_SCAN
3864bb8e 404 (1<<ACL_WHERE_AUTH)| /* regex */
8523533c
TK
405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
406 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
407 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
408 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
409 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
82c6549e 410 (1<<ACL_WHERE_VRFY),
8523533c
TK
411#endif
412
059ec3d9
PH
413 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
414 (1<<ACL_WHERE_HELO)|
415 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
416 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
417 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
418
419 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
420 (1<<ACL_WHERE_HELO)|
421 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
422 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
423 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
424
425 0, /* set */
426
8523533c 427#ifdef WITH_CONTENT_SCAN
3864bb8e 428 (1<<ACL_WHERE_AUTH)| /* spam */
8523533c
TK
429 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
430 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
431 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
432 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
433 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
434 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
435#endif
436
437#ifdef EXPERIMENTAL_SPF
438 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
439 (1<<ACL_WHERE_HELO)|
440 (1<<ACL_WHERE_MAILAUTH)|
441 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
442 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
443#endif
444
059ec3d9
PH
445 /* Certain types of verify are always allowed, so we let it through
446 always and check in the verify function itself */
447
448 0 /* verify */
059ec3d9
PH
449};
450
451
452/* Return values from decode_control() */
453
8e669ac1 454enum {
8523533c
TK
455#ifdef EXPERIMENTAL_BRIGHTMAIL
456 CONTROL_BMI_RUN,
8e669ac1 457#endif
fb2274d4
TK
458#ifdef EXPERIMENTAL_DOMAINKEYS
459 CONTROL_DK_VERIFY,
460#endif
8523533c 461 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
059ec3d9 462 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
8523533c
TK
463 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
464#ifdef WITH_CONTENT_SCAN
8e669ac1 465 CONTROL_NO_MBOX_UNSPOOL,
8523533c 466#endif
0f9b0483 467 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
059ec3d9 468
c5fcb476
PH
469/* Bit map vector of which controls are not allowed at certain times. For
470each control, there's a bitmap of dis-allowed times. For some, it is easier to
471specify the negation of a small number of allowed times. */
472
473static unsigned int control_forbids[] = {
8523533c
TK
474#ifdef EXPERIMENTAL_BRIGHTMAIL
475 0, /* bmi_run */
476#endif
fb2274d4 477#ifdef EXPERIMENTAL_DOMAINKEYS
e715ad22 478 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
fb2274d4 479#endif
3e11c26b 480
c5fcb476 481 0, /* error */
8e669ac1
PH
482
483 (unsigned int)
c5fcb476 484 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH
485
486 (unsigned int)
c5fcb476 487 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 488
c5fcb476 489 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
8e669ac1 490
c5fcb476 491 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
8e669ac1
PH
492
493 (unsigned int)
c5fcb476
PH
494 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
495 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 496 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH
497
498 (unsigned int)
c5fcb476
PH
499 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
500 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 501 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH
502
503 (unsigned int)
c5fcb476 504 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 505 (1<<ACL_WHERE_PREDATA)),
8523533c
TK
506
507#ifdef WITH_CONTENT_SCAN
8e669ac1 508 (unsigned int)
14d57970 509 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK
510 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
511 (1<<ACL_WHERE_MIME)),
8523533c 512#endif
a6c4ab60 513
8e669ac1 514 (unsigned int)
a6c4ab60 515 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK
516 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
517 (1<<ACL_WHERE_MIME)),
8523533c 518
c5fcb476
PH
519 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
520};
521
522/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH
523
524typedef struct control_def {
525 uschar *name;
526 int value; /* CONTROL_xxx value */
059ec3d9
PH
527 BOOL has_option; /* Has /option(s) following */
528} control_def;
529
530static control_def controls_list[] = {
8523533c
TK
531#ifdef EXPERIMENTAL_BRIGHTMAIL
532 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
533#endif
fb2274d4
TK
534#ifdef EXPERIMENTAL_DOMAINKEYS
535 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
536#endif
c5fcb476
PH
537 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
538 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
539 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
540 { US"freeze", CONTROL_FREEZE, FALSE},
541 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
542 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
543 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
8523533c
TK
544#ifdef WITH_CONTENT_SCAN
545 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
8523533c 546#endif
0f9b0483 547 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
c5fcb476 548 { US"submission", CONTROL_SUBMISSION, TRUE}
059ec3d9
PH
549 };
550
551/* Enable recursion between acl_check_internal() and acl_check_condition() */
552
553static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
554 uschar **);
555
556
557/*************************************************
558* Pick out name from list *
559*************************************************/
560
561/* Use a binary chop method
562
563Arguments:
564 name name to find
565 list list of names
566 end size of list
567
568Returns: offset in list, or -1 if not found
569*/
570
571static int
572acl_checkname(uschar *name, uschar **list, int end)
573{
574int start = 0;
575
576while (start < end)
577 {
578 int mid = (start + end)/2;
579 int c = Ustrcmp(name, list[mid]);
580 if (c == 0) return mid;
581 if (c < 0) end = mid; else start = mid + 1;
582 }
583
584return -1;
585}
586
587
588/*************************************************
589* Read and parse one ACL *
590*************************************************/
591
592/* This function is called both from readconf in order to parse the ACLs in the
593configuration file, and also when an ACL is encountered dynamically (e.g. as
594the result of an expansion). It is given a function to call in order to
595retrieve the lines of the ACL. This function handles skipping comments and
596blank lines (where relevant).
597
598Arguments:
599 func function to get next line of ACL
600 error where to put an error message
601
602Returns: pointer to ACL, or NULL
603 NULL can be legal (empty ACL); in this case error will be NULL
604*/
605
606acl_block *
607acl_read(uschar *(*func)(void), uschar **error)
608{
609acl_block *yield = NULL;
610acl_block **lastp = &yield;
611acl_block *this = NULL;
612acl_condition_block *cond;
613acl_condition_block **condp = NULL;
614uschar *s;
615
616*error = NULL;
617
618while ((s = (*func)()) != NULL)
619 {
620 int v, c;
621 BOOL negated = FALSE;
622 uschar *saveline = s;
623 uschar name[64];
624
625 /* Conditions (but not verbs) are allowed to be negated by an initial
626 exclamation mark. */
627
628 while (isspace(*s)) s++;
629 if (*s == '!')
630 {
631 negated = TRUE;
632 s++;
633 }
634
635 /* Read the name of a verb or a condition, or the start of a new ACL */
636
637 s = readconf_readname(name, sizeof(name), s);
638 if (*s == ':')
639 {
640 if (negated || name[0] == 0)
641 {
642 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
643 return NULL;
644 }
645 break;
646 }
647
648 /* If a verb is unrecognized, it may be another condition or modifier that
649 continues the previous verb. */
650
651 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
652 if (v < 0)
653 {
654 if (this == NULL)
655 {
656 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
657 return NULL;
658 }
659 }
660
661 /* New verb */
662
663 else
664 {
665 if (negated)
666 {
667 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
668 return NULL;
669 }
670 this = store_get(sizeof(acl_block));
671 *lastp = this;
672 lastp = &(this->next);
673 this->next = NULL;
674 this->verb = v;
675 this->condition = NULL;
676 condp = &(this->condition);
677 if (*s == 0) continue; /* No condition on this line */
678 if (*s == '!')
679 {
680 negated = TRUE;
681 s++;
682 }
683 s = readconf_readname(name, sizeof(name), s); /* Condition name */
684 }
685
686 /* Handle a condition or modifier. */
687
688 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
689 if (c < 0)
690 {
691 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
692 saveline);
693 return NULL;
694 }
695
696 /* The modifiers may not be negated */
697
698 if (negated && cond_modifiers[c])
699 {
700 *error = string_sprintf("ACL error: negation is not allowed with "
701 "\"%s\"", conditions[c]);
702 return NULL;
703 }
704
705 /* ENDPASS may occur only with ACCEPT or DISCARD. */
706
707 if (c == ACLC_ENDPASS &&
708 this->verb != ACL_ACCEPT &&
709 this->verb != ACL_DISCARD)
710 {
711 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
712 conditions[c], verbs[this->verb]);
713 return NULL;
714 }
715
716 cond = store_get(sizeof(acl_condition_block));
717 cond->next = NULL;
718 cond->type = c;
719 cond->u.negated = negated;
720
721 *condp = cond;
722 condp = &(cond->next);
723
724 /* The "set" modifier is different in that its argument is "name=value"
725 rather than just a value, and we can check the validity of the name, which
726 gives us a variable number to insert into the data block. */
727
728 if (c == ACLC_SET)
729 {
730 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
731 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
732 {
733 *error = string_sprintf("unrecognized name after \"set\" in ACL "
734 "modifier \"set %s\"", s);
735 return NULL;
736 }
737
738 cond->u.varnumber = s[5] - '0';
739 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
740 s += 6;
741 while (isspace(*s)) s++;
742 }
743
744 /* For "set", we are now positioned for the data. For the others, only
745 "endpass" has no data */
746
747 if (c != ACLC_ENDPASS)
748 {
749 if (*s++ != '=')
750 {
751 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
752 cond_modifiers[c]? US"modifier" : US"condition");
753 return NULL;
754 }
755 while (isspace(*s)) s++;
756 cond->arg = string_copy(s);
757 }
758 }
759
760return yield;
761}
762
763
764
765/*************************************************
766* Handle warnings *
767*************************************************/
768
769/* This function is called when a WARN verb's conditions are true. It adds to
770the message's headers, and/or writes information to the log. In each case, this
771only happens once (per message for headers, per connection for log).
772
773Arguments:
774 where ACL_WHERE_xxxx indicating which ACL this is
775 user_message message for adding to headers
776 log_message message for logging, if different
777
778Returns: nothing
779*/
780
781static void
782acl_warn(int where, uschar *user_message, uschar *log_message)
783{
784int hlen;
785
786if (log_message != NULL && log_message != user_message)
787 {
788 uschar *text;
789 string_item *logged;
790
791 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
792 string_printing(log_message));
793
794 /* If a sender verification has failed, and the log message is "sender verify
795 failed", add the failure message. */
796
797 if (sender_verified_failed != NULL &&
798 sender_verified_failed->message != NULL &&
799 strcmpic(log_message, US"sender verify failed") == 0)
800 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
801
802 /* Search previously logged warnings. They are kept in malloc store so they
803 can be freed at the start of a new message. */
804
805 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
806 if (Ustrcmp(logged->text, text) == 0) break;
807
808 if (logged == NULL)
809 {
810 int length = Ustrlen(text) + 1;
811 log_write(0, LOG_MAIN, "%s", text);
812 logged = store_malloc(sizeof(string_item) + length);
813 logged->text = (uschar *)logged + sizeof(string_item);
814 memcpy(logged->text, text, length);
815 logged->next = acl_warn_logged;
816 acl_warn_logged = logged;
817 }
818 }
819
820/* If there's no user message, we are done. */
821
822if (user_message == NULL) return;
823
824/* If this isn't a message ACL, we can't do anything with a user message.
825Log an error. */
826
827if (where > ACL_WHERE_NOTSMTP)
828 {
829 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
830 "found in a non-message (%s) ACL: cannot specify header lines here: "
831 "message ignored", acl_wherenames[where]);
832 return;
833 }
834
835/* Treat the user message as a sequence of one or more header lines. */
836
837hlen = Ustrlen(user_message);
838if (hlen > 0)
839 {
840 uschar *text, *p, *q;
841
842 /* Add a final newline if not present */
843
844 text = ((user_message)[hlen-1] == '\n')? user_message :
845 string_sprintf("%s\n", user_message);
846
847 /* Loop for multiple header lines, taking care about continuations */
848
849 for (p = q = text; *p != 0; )
850 {
851 uschar *s;
852 int newtype = htype_add_bot;
853 header_line **hptr = &acl_warn_headers;
854
855 /* Find next header line within the string */
856
857 for (;;)
858 {
859 q = Ustrchr(q, '\n');
860 if (*(++q) != ' ' && *q != '\t') break;
861 }
862
863 /* If the line starts with a colon, interpret the instruction for where to
864 add it. This temporarily sets up a new type. */
865
866 if (*p == ':')
867 {
868 if (strncmpic(p, US":after_received:", 16) == 0)
869 {
870 newtype = htype_add_rec;
871 p += 16;
872 }
8523533c
TK
873 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
874 {
875 newtype = htype_add_rfc;
876 p += 14;
8e669ac1 877 }
059ec3d9
PH
878 else if (strncmpic(p, US":at_start:", 10) == 0)
879 {
880 newtype = htype_add_top;
881 p += 10;
882 }
883 else if (strncmpic(p, US":at_end:", 8) == 0)
884 {
885 newtype = htype_add_bot;
886 p += 8;
887 }
888 while (*p == ' ' || *p == '\t') p++;
889 }
890
891 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
892 to the front of it. */
893
894 for (s = p; s < q - 1; s++)
895 {
896 if (*s == ':' || !isgraph(*s)) break;
897 }
898
899 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
900 hlen = Ustrlen(s);
901
902 /* See if this line has already been added */
903
904 while (*hptr != NULL)
905 {
906 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
907 hptr = &((*hptr)->next);
908 }
909
910 /* Add if not previously present */
911
912 if (*hptr == NULL)
913 {
914 header_line *h = store_get(sizeof(header_line));
915 h->text = s;
916 h->next = NULL;
917 h->type = newtype;
918 h->slen = hlen;
919 *hptr = h;
920 hptr = &(h->next);
921 }
922
923 /* Advance for next header line within the string */
924
925 p = q;
926 }
927 }
928}
929
930
931
932/*************************************************
933* Verify and check reverse DNS *
934*************************************************/
935
936/* Called from acl_verify() below. We look up the host name(s) of the client IP
937address if this has not yet been done. The host_name_lookup() function checks
938that one of these names resolves to an address list that contains the client IP
939address, so we don't actually have to do the check here.
940
941Arguments:
942 user_msgptr pointer for user message
943 log_msgptr pointer for log message
944
945Returns: OK verification condition succeeded
946 FAIL verification failed
947 DEFER there was a problem verifying
948*/
949
950static int
951acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
952{
953int rc;
954
955user_msgptr = user_msgptr; /* stop compiler warning */
956
957/* Previous success */
958
959if (sender_host_name != NULL) return OK;
960
961/* Previous failure */
962
963if (host_lookup_failed)
964 {
965 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
966 return FAIL;
967 }
968
969/* Need to do a lookup */
970
971HDEBUG(D_acl)
972 debug_printf("looking up host name to force name/address consistency check\n");
973
974if ((rc = host_name_lookup()) != OK)
975 {
976 *log_msgptr = (rc == DEFER)?
977 US"host lookup deferred for reverse lookup check"
978 :
979 string_sprintf("host lookup failed for reverse lookup check%s",
980 host_lookup_msg);
981 return rc; /* DEFER or FAIL */
982 }
983
984host_build_sender_fullhost();
985return OK;
986}
987
988
989
990/*************************************************
991* Handle verification (address & other) *
992*************************************************/
993
994/* This function implements the "verify" condition. It is called when
995encountered in any ACL, because some tests are almost always permitted. Some
996just don't make sense, and always fail (for example, an attempt to test a host
997lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
998
999Arguments:
1000 where where called from
1001 addr the recipient address that the ACL is handling, or NULL
1002 arg the argument of "verify"
1003 user_msgptr pointer for user message
1004 log_msgptr pointer for log message
1005 basic_errno where to put verify errno
1006
1007Returns: OK verification condition succeeded
1008 FAIL verification failed
1009 DEFER there was a problem verifying
1010 ERROR syntax error
1011*/
1012
1013static int
1014acl_verify(int where, address_item *addr, uschar *arg,
1015 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1016{
1017int sep = '/';
1018int callout = -1;
1019int callout_overall = -1;
4deaf07d 1020int callout_connect = -1;
059ec3d9
PH
1021int verify_options = 0;
1022int rc;
1023BOOL verify_header_sender = FALSE;
1024BOOL defer_ok = FALSE;
1025BOOL callout_defer_ok = FALSE;
1026BOOL no_details = FALSE;
1027address_item *sender_vaddr = NULL;
1028uschar *verify_sender_address = NULL;
1029uschar *pm_mailfrom = NULL;
1030uschar *se_mailfrom = NULL;
1031uschar *list = arg;
1032uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1033
1034if (ss == NULL) goto BAD_VERIFY;
1035
1036/* Handle name/address consistency verification in a separate function. */
1037
1038if (strcmpic(ss, US"reverse_host_lookup") == 0)
1039 {
1040 if (sender_host_address == NULL) return OK;
1041 return acl_verify_reverse(user_msgptr, log_msgptr);
1042 }
1043
1044/* TLS certificate verification is done at STARTTLS time; here we just
1045test whether it was successful or not. (This is for optional verification; for
1046mandatory verification, the connection doesn't last this long.) */
1047
1048if (strcmpic(ss, US"certificate") == 0)
1049 {
1050 if (tls_certificate_verified) return OK;
1051 *user_msgptr = US"no verified certificate";
1052 return FAIL;
1053 }
1054
1055/* We can test the result of optional HELO verification */
1056
1057if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
1058
1059/* Handle header verification options - permitted only after DATA or a non-SMTP
1060message. */
1061
1062if (strncmpic(ss, US"header_", 7) == 0)
1063 {
1064 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1065 {
1066 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1067 "(only possible in ACL for DATA)", acl_wherenames[where]);
1068 return ERROR;
1069 }
1070
1071 /* Check that all relevant header lines have the correct syntax. If there is
1072 a syntax error, we return details of the error to the sender if configured to
1073 send out full details. (But a "message" setting on the ACL can override, as
1074 always). */
1075
1076 if (strcmpic(ss+7, US"syntax") == 0)
1077 {
1078 int rc = verify_check_headers(log_msgptr);
1079 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1080 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1081 return rc;
1082 }
1083
1084 /* Check that there is at least one verifiable sender address in the relevant
1085 header lines. This can be followed by callout and defer options, just like
1086 sender and recipient. */
1087
1088 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
1089
1090 /* Unknown verify argument starting with "header_" */
1091
1092 else goto BAD_VERIFY;
1093 }
1094
1095/* Otherwise, first item in verify argument must be "sender" or "recipient".
1096In the case of a sender, this can optionally be followed by an address to use
1097in place of the actual sender (rare special-case requirement). */
1098
1099else if (strncmpic(ss, US"sender", 6) == 0)
1100 {
1101 uschar *s = ss + 6;
1102 if (where > ACL_WHERE_NOTSMTP)
1103 {
1104 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1105 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1106 acl_wherenames[where]);
1107 return ERROR;
1108 }
1109 if (*s == 0)
1110 verify_sender_address = sender_address;
1111 else
1112 {
1113 while (isspace(*s)) s++;
1114 if (*s++ != '=') goto BAD_VERIFY;
1115 while (isspace(*s)) s++;
1116 verify_sender_address = string_copy(s);
1117 }
1118 }
1119else
1120 {
1121 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1122 if (addr == NULL)
1123 {
1124 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1125 "(only possible for RCPT)", acl_wherenames[where]);
1126 return ERROR;
1127 }
1128 }
1129
1130/* Remaining items are optional */
1131
1132while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1133 != NULL)
1134 {
1135 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1136 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1137
1138 /* These two old options are left for backwards compatibility */
1139
1140 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1141 {
1142 callout_defer_ok = TRUE;
1143 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1144 }
1145
1146 else if (strcmpic(ss, US"check_postmaster") == 0)
1147 {
1148 pm_mailfrom = US"";
1149 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1150 }
1151
1152 /* The callout option has a number of sub-options, comma separated */
1153
1154 else if (strncmpic(ss, US"callout", 7) == 0)
1155 {
1156 callout = CALLOUT_TIMEOUT_DEFAULT;
1157 ss += 7;
1158 if (*ss != 0)
1159 {
1160 while (isspace(*ss)) ss++;
1161 if (*ss++ == '=')
1162 {
1163 int optsep = ',';
1164 uschar *opt;
1165 uschar buffer[256];
1166 while (isspace(*ss)) ss++;
8e669ac1
PH
1167
1168 /* This callout option handling code has become a mess as new options
1169 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1170 kind of table-driven thing. */
8e669ac1 1171
059ec3d9
PH
1172 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1173 != NULL)
1174 {
1175 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1176 else if (strcmpic(opt, US"no_cache") == 0)
1177 verify_options |= vopt_callout_no_cache;
1178 else if (strcmpic(opt, US"random") == 0)
1179 verify_options |= vopt_callout_random;
1180 else if (strcmpic(opt, US"use_sender") == 0)
1181 verify_options |= vopt_callout_recipsender;
1182 else if (strcmpic(opt, US"use_postmaster") == 0)
1183 verify_options |= vopt_callout_recippmaster;
1184 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1185
1186 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1187 {
1188 if (!verify_header_sender)
1189 {
1190 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1191 "callout option only for verify=header_sender (detected in ACL "
1192 "condition \"%s\")", arg);
1193 return ERROR;
1194 }
1195 opt += 8;
1196 while (isspace(*opt)) opt++;
1197 if (*opt++ != '=')
1198 {
1199 *log_msgptr = string_sprintf("'=' expected after "
1200 "\"mailfrom\" in ACL condition \"%s\"", arg);
1201 return ERROR;
1202 }
1203 while (isspace(*opt)) opt++;
1204 se_mailfrom = string_copy(opt);
1205 }
1206
1207 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1208 {
1209 opt += 19;
1210 while (isspace(*opt)) opt++;
1211 if (*opt++ != '=')
1212 {
1213 *log_msgptr = string_sprintf("'=' expected after "
1214 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1215 return ERROR;
1216 }
1217 while (isspace(*opt)) opt++;
1218 pm_mailfrom = string_copy(opt);
1219 }
1220
1221 else if (strncmpic(opt, US"maxwait", 7) == 0)
1222 {
1223 opt += 7;
1224 while (isspace(*opt)) opt++;
1225 if (*opt++ != '=')
1226 {
1227 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1228 "ACL condition \"%s\"", arg);
1229 return ERROR;
1230 }
1231 while (isspace(*opt)) opt++;
1232 callout_overall = readconf_readtime(opt, 0, FALSE);
1233 if (callout_overall < 0)
1234 {
1235 *log_msgptr = string_sprintf("bad time value in ACL condition "
1236 "\"verify %s\"", arg);
1237 return ERROR;
1238 }
1239 }
4deaf07d
PH
1240 else if (strncmpic(opt, US"connect", 7) == 0)
1241 {
1242 opt += 7;
1243 while (isspace(*opt)) opt++;
1244 if (*opt++ != '=')
1245 {
1246 *log_msgptr = string_sprintf("'=' expected after "
1247 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1248 return ERROR;
1249 }
1250 while (isspace(*opt)) opt++;
1251 callout_connect = readconf_readtime(opt, 0, FALSE);
1252 if (callout_connect < 0)
1253 {
1254 *log_msgptr = string_sprintf("bad time value in ACL condition "
1255 "\"verify %s\"", arg);
1256 return ERROR;
1257 }
1258 }
059ec3d9
PH
1259 else /* Plain time is callout connect/command timeout */
1260 {
1261 callout = readconf_readtime(opt, 0, FALSE);
1262 if (callout < 0)
1263 {
1264 *log_msgptr = string_sprintf("bad time value in ACL condition "
1265 "\"verify %s\"", arg);
1266 return ERROR;
1267 }
1268 }
1269 }
1270 }
1271 else
1272 {
1273 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1274 "ACL condition \"%s\"", arg);
1275 return ERROR;
1276 }
1277 }
1278 }
1279
1280 /* Option not recognized */
1281
1282 else
1283 {
1284 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1285 "condition \"verify %s\"", ss, arg);
1286 return ERROR;
1287 }
1288 }
1289
1290if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1291 (vopt_callout_recipsender|vopt_callout_recippmaster))
1292 {
1293 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1294 "for a recipient callout";
1295 return ERROR;
1296 }
1297
1298/* Handle sender-in-header verification. Default the user message to the log
1299message if giving out verification details. */
1300
1301if (verify_header_sender)
1302 {
8e669ac1 1303 int verrno;
059ec3d9 1304 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH
1305 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1306 &verrno);
1307 if (rc != OK)
8e669ac1 1308 {
fe5b5d0b
PH
1309 *basic_errno = verrno;
1310 if (smtp_return_error_details)
1311 {
1312 if (*user_msgptr == NULL && *log_msgptr != NULL)
1313 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1314 if (rc == DEFER) acl_temp_details = TRUE;
1315 }
8e669ac1 1316 }
059ec3d9
PH
1317 }
1318
1319/* Handle a sender address. The default is to verify *the* sender address, but
1320optionally a different address can be given, for special requirements. If the
1321address is empty, we are dealing with a bounce message that has no sender, so
1322we cannot do any checking. If the real sender address gets rewritten during
1323verification (e.g. DNS widening), set the flag to stop it being rewritten again
1324during message reception.
1325
1326A list of verified "sender" addresses is kept to try to avoid doing to much
1327work repetitively when there are multiple recipients in a message and they all
1328require sender verification. However, when callouts are involved, it gets too
1329complicated because different recipients may require different callout options.
1330Therefore, we always do a full sender verify when any kind of callout is
1331specified. Caching elsewhere, for instance in the DNS resolver and in the
1332callout handling, should ensure that this is not terribly inefficient. */
1333
1334else if (verify_sender_address != NULL)
1335 {
1336 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1337 != 0)
1338 {
1339 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1340 "sender verify callout";
1341 return ERROR;
1342 }
1343
1344 sender_vaddr = verify_checked_sender(verify_sender_address);
1345 if (sender_vaddr != NULL && /* Previously checked */
1346 callout <= 0) /* No callout needed this time */
1347 {
1348 /* If the "routed" flag is set, it means that routing worked before, so
1349 this check can give OK (the saved return code value, if set, belongs to a
1350 callout that was done previously). If the "routed" flag is not set, routing
1351 must have failed, so we use the saved return code. */
1352
1353 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1354 {
1355 rc = sender_vaddr->special_action;
1356 *basic_errno = sender_vaddr->basic_errno;
1357 }
1358 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1359 }
1360
1361 /* Do a new verification, and cache the result. The cache is used to avoid
1362 verifying the sender multiple times for multiple RCPTs when callouts are not
1363 specified (see comments above).
1364
1365 The cache is also used on failure to give details in response to the first
1366 RCPT that gets bounced for this reason. However, this can be suppressed by
1367 the no_details option, which sets the flag that says "this detail has already
1368 been sent". The cache normally contains just one address, but there may be
1369 more in esoteric circumstances. */
1370
1371 else
1372 {
1373 BOOL routed = TRUE;
2a3eea10 1374 uschar *save_address_data = deliver_address_data;
8e669ac1 1375
059ec3d9
PH
1376 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1377 if (no_details) setflag(sender_vaddr, af_sverify_told);
1378 if (verify_sender_address[0] != 0)
1379 {
1380 /* If this is the real sender address, save the unrewritten version
1381 for use later in receive. Otherwise, set a flag so that rewriting the
1382 sender in verify_address() does not update sender_address. */
1383
1384 if (verify_sender_address == sender_address)
1385 sender_address_unrewritten = sender_address;
1386 else
1387 verify_options |= vopt_fake_sender;
1388
1389 /* The recipient, qualify, and expn options are never set in
1390 verify_options. */
1391
1392 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1393 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH
1394
1395 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1396
1397 if (rc == OK)
1398 {
1399 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1400 {
1401 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1402 verify_sender_address, sender_vaddr->address);
1403 }
1404 else
1405 {
1406 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1407 verify_sender_address);
1408 }
1409 }
1410 else *basic_errno = sender_vaddr->basic_errno;
1411 }
1412 else rc = OK; /* Null sender */
1413
1414 /* Cache the result code */
1415
1416 if (routed) setflag(sender_vaddr, af_verify_routed);
1417 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1418 sender_vaddr->special_action = rc;
1419 sender_vaddr->next = sender_verified_list;
1420 sender_verified_list = sender_vaddr;
8e669ac1
PH
1421
1422 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1423 the sender verification. */
8e669ac1 1424
2a3eea10 1425 deliver_address_data = save_address_data;
059ec3d9 1426 }
8e669ac1 1427
2a3eea10
PH
1428 /* Put the sender address_data value into $sender_address_data */
1429
8e669ac1 1430 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH
1431 }
1432
1433/* A recipient address just gets a straightforward verify; again we must handle
1434the DEFER overrides. */
1435
1436else
1437 {
1438 address_item addr2;
1439
1440 /* We must use a copy of the address for verification, because it might
1441 get rewritten. */
1442
1443 addr2 = *addr;
1444 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1445 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1446 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1447
059ec3d9 1448 *log_msgptr = addr2.message;
8e669ac1 1449 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1450 addr2.user_message : addr2.message;
059ec3d9
PH
1451 *basic_errno = addr2.basic_errno;
1452
1453 /* Make $address_data visible */
1454 deliver_address_data = addr2.p.address_data;
1455 }
1456
1457/* We have a result from the relevant test. Handle defer overrides first. */
1458
1459if (rc == DEFER && (defer_ok ||
1460 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1461 {
1462 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1463 defer_ok? "defer_ok" : "callout_defer_ok");
1464 rc = OK;
1465 }
1466
1467/* If we've failed a sender, set up a recipient message, and point
1468sender_verified_failed to the address item that actually failed. */
1469
1470if (rc != OK && verify_sender_address != NULL)
1471 {
1472 if (rc != DEFER)
1473 {
1474 *log_msgptr = *user_msgptr = US"Sender verify failed";
1475 }
1476 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1477 {
1478 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1479 }
1480 else
1481 {
1482 *log_msgptr = US"Could not complete sender verify callout";
1483 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1484 *log_msgptr;
1485 }
1486
1487 sender_verified_failed = sender_vaddr;
1488 }
1489
1490/* Verifying an address messes up the values of $domain and $local_part,
1491so reset them before returning if this is a RCPT ACL. */
1492
1493if (addr != NULL)
1494 {
1495 deliver_domain = addr->domain;
1496 deliver_localpart = addr->local_part;
1497 }
1498return rc;
1499
1500/* Syntax errors in the verify argument come here. */
1501
1502BAD_VERIFY:
1503*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1504 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1505 "\"verify %s\"", arg);
1506return ERROR;
1507}
1508
1509
1510
1511
1512/*************************************************
1513* Check argument for control= modifier *
1514*************************************************/
1515
1516/* Called from acl_check_condition() below
1517
1518Arguments:
1519 arg the argument string for control=
1520 pptr set to point to the terminating character
1521 where which ACL we are in
1522 log_msgptr for error messages
1523
1524Returns: CONTROL_xxx value
1525*/
1526
1527static int
1528decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1529{
1530int len;
1531control_def *d;
1532
1533for (d = controls_list;
1534 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1535 d++)
1536 {
1537 len = Ustrlen(d->name);
1538 if (Ustrncmp(d->name, arg, len) == 0) break;
1539 }
1540
1541if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1542 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1543 {
1544 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1545 return CONTROL_ERROR;
1546 }
1547
059ec3d9
PH
1548*pptr = arg + len;
1549return d->value;
1550}
1551
1552
1553
1554/*************************************************
1555* Handle conditions/modifiers on an ACL item *
1556*************************************************/
1557
1558/* Called from acl_check() below.
1559
1560Arguments:
1561 verb ACL verb
1562 cb ACL condition block - if NULL, result is OK
1563 where where called from
1564 addr the address being checked for RCPT, or NULL
1565 level the nesting level
1566 epp pointer to pass back TRUE if "endpass" encountered
1567 (applies only to "accept" and "discard")
1568 user_msgptr user message pointer
1569 log_msgptr log message pointer
1570 basic_errno pointer to where to put verify error
1571
1572Returns: OK - all conditions are met
1573 DISCARD - an "acl" condition returned DISCARD - only allowed
1574 for "accept" or "discard" verbs
1575 FAIL - at least one condition fails
1576 FAIL_DROP - an "acl" condition returned FAIL_DROP
1577 DEFER - can't tell at the moment (typically, lookup defer,
1578 but can be temporary callout problem)
1579 ERROR - ERROR from nested ACL or expansion failure or other
1580 error
1581*/
1582
1583static int
1584acl_check_condition(int verb, acl_condition_block *cb, int where,
1585 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1586 uschar **log_msgptr, int *basic_errno)
1587{
1588uschar *user_message = NULL;
1589uschar *log_message = NULL;
1590uschar *p;
1591int rc = OK;
8523533c
TK
1592#ifdef WITH_CONTENT_SCAN
1593int sep = '/';
1594#endif
059ec3d9
PH
1595
1596for (; cb != NULL; cb = cb->next)
1597 {
1598 uschar *arg;
8e669ac1 1599 int control_type;
059ec3d9
PH
1600
1601 /* The message and log_message items set up messages to be used in
1602 case of rejection. They are expanded later. */
1603
1604 if (cb->type == ACLC_MESSAGE)
1605 {
1606 user_message = cb->arg;
1607 continue;
1608 }
1609
1610 if (cb->type == ACLC_LOG_MESSAGE)
1611 {
1612 log_message = cb->arg;
1613 continue;
1614 }
1615
1616 /* The endpass "condition" just sets a flag to show it occurred. This is
1617 checked at compile time to be on an "accept" or "discard" item. */
1618
1619 if (cb->type == ACLC_ENDPASS)
1620 {
1621 *epp = TRUE;
1622 continue;
1623 }
1624
1625 /* For other conditions and modifiers, the argument is expanded now for some
1626 of them, but not for all, because expansion happens down in some lower level
1627 checking functions in some cases. */
1628
1629 if (cond_expand_at_top[cb->type])
1630 {
1631 arg = expand_string(cb->arg);
1632 if (arg == NULL)
1633 {
1634 if (expand_string_forcedfail) continue;
1635 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1636 cb->arg, expand_string_message);
1637 return search_find_defer? DEFER : ERROR;
1638 }
1639 }
1640 else arg = cb->arg;
1641
1642 /* Show condition, and expanded condition if it's different */
1643
1644 HDEBUG(D_acl)
1645 {
1646 int lhswidth = 0;
1647 debug_printf("check %s%s %n",
1648 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1649 conditions[cb->type], &lhswidth);
1650
1651 if (cb->type == ACLC_SET)
1652 {
1653 int n = cb->u.varnumber;
1654 int t = (n < ACL_C_MAX)? 'c' : 'm';
1655 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1656 debug_printf("acl_%c%d ", t, n);
1657 lhswidth += 7;
1658 }
1659
1660 debug_printf("= %s\n", cb->arg);
1661
1662 if (arg != cb->arg)
1663 debug_printf("%.*s= %s\n", lhswidth,
1664 US" ", CS arg);
1665 }
1666
1667 /* Check that this condition makes sense at this time */
1668
1669 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1670 {
1671 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1672 cond_modifiers[cb->type]? "use" : "test",
1673 conditions[cb->type], acl_wherenames[where]);
1674 return ERROR;
1675 }
1676
1677 /* Run the appropriate test for each condition, or take the appropriate
1678 action for the remaining modifiers. */
1679
1680 switch(cb->type)
1681 {
1682 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1683 "discard" verb. */
1684
1685 case ACLC_ACL:
1686 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1687 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1688 {
1689 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1690 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1691 verbs[verb]);
1692 return ERROR;
1693 }
1694 break;
1695
1696 case ACLC_AUTHENTICATED:
1697 rc = (sender_host_authenticated == NULL)? FAIL :
1698 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1699 TRUE, NULL);
1700 break;
1701
8523533c
TK
1702#ifdef EXPERIMENTAL_BRIGHTMAIL
1703 case ACLC_BMI_OPTIN:
1704 {
1705 int old_pool = store_pool;
1706 store_pool = POOL_PERM;
1707 bmi_current_optin = string_copy(arg);
1708 store_pool = old_pool;
1709 }
1710 break;
1711#endif
1712
059ec3d9
PH
1713 case ACLC_CONDITION:
1714 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1715 rc = (Uatoi(arg) == 0)? FAIL : OK;
1716 else
1717 rc = (strcmpic(arg, US"no") == 0 ||
1718 strcmpic(arg, US"false") == 0)? FAIL :
1719 (strcmpic(arg, US"yes") == 0 ||
1720 strcmpic(arg, US"true") == 0)? OK : DEFER;
1721 if (rc == DEFER)
1722 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1723 break;
1724
1725 case ACLC_CONTROL:
c5fcb476
PH
1726 control_type = decode_control(arg, &p, where, log_msgptr);
1727
8523533c 1728 /* Check if this control makes sense at this time */
c5fcb476
PH
1729
1730 if ((control_forbids[control_type] & (1 << where)) != 0)
1731 {
1732 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1733 controls[control_type], acl_wherenames[where]);
1734 return ERROR;
8e669ac1 1735 }
c5fcb476
PH
1736
1737 switch(control_type)
059ec3d9 1738 {
8523533c
TK
1739#ifdef EXPERIMENTAL_BRIGHTMAIL
1740 case CONTROL_BMI_RUN:
1741 bmi_run = 1;
1742 break;
1743#endif
fb2274d4
TK
1744#ifdef EXPERIMENTAL_DOMAINKEYS
1745 case CONTROL_DK_VERIFY:
1746 dk_do_verify = 1;
1747 break;
1748#endif
059ec3d9
PH
1749 case CONTROL_ERROR:
1750 return ERROR;
1751
1752 case CONTROL_CASEFUL_LOCAL_PART:
1753 deliver_localpart = addr->cc_local_part;
1754 break;
1755
1756 case CONTROL_CASELOWER_LOCAL_PART:
1757 deliver_localpart = addr->lc_local_part;
1758 break;
1759
1760 case CONTROL_ENFORCE_SYNC:
1761 smtp_enforce_sync = TRUE;
1762 break;
1763
1764 case CONTROL_NO_ENFORCE_SYNC:
1765 smtp_enforce_sync = FALSE;
1766 break;
1767
8523533c
TK
1768#ifdef WITH_CONTENT_SCAN
1769 case CONTROL_NO_MBOX_UNSPOOL:
1770 no_mbox_unspool = TRUE;
1771 break;
1772#endif
1773
059ec3d9
PH
1774 case CONTROL_NO_MULTILINE:
1775 no_multiline_responses = TRUE;
1776 break;
1777
8523533c
TK
1778 case CONTROL_FAKEREJECT:
1779 fake_reject = TRUE;
1780 if (*p == '/')
8e669ac1 1781 {
8523533c 1782 uschar *pp = p + 1;
8e669ac1 1783 while (*pp != 0) pp++;
8523533c
TK
1784 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1785 p = pp;
1786 }
1787 else
1788 {
1789 /* Explicitly reset to default string */
dc082449 1790 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK
1791 }
1792 break;
8523533c 1793
059ec3d9
PH
1794 case CONTROL_FREEZE:
1795 deliver_freeze = TRUE;
1796 deliver_frozen_at = time(NULL);
1797 break;
1798
1799 case CONTROL_QUEUE_ONLY:
1800 queue_only_policy = TRUE;
1801 break;
1802
1803 case CONTROL_SUBMISSION:
1804 submission_mode = TRUE;
69358f02 1805 while (*p == '/')
8e669ac1 1806 {
69358f02
PH
1807 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1808 {
1809 p += 14;
1810 active_local_sender_retain = TRUE;
8e669ac1
PH
1811 active_local_from_check = FALSE;
1812 }
69358f02
PH
1813 else if (Ustrncmp(p, "/domain=", 8) == 0)
1814 {
1815 uschar *pp = p + 8;
8e669ac1 1816 while (*pp != 0 && *pp != '/') pp++;
69358f02 1817 submission_domain = string_copyn(p+8, pp-p);
8e669ac1 1818 p = pp;
69358f02 1819 }
8e669ac1
PH
1820 else break;
1821 }
69358f02 1822 if (*p != 0)
059ec3d9 1823 {
69358f02 1824 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH
1825 return ERROR;
1826 }
1827 break;
1828 }
1829 break;
1830
8523533c
TK
1831#ifdef WITH_CONTENT_SCAN
1832 case ACLC_DECODE:
1833 rc = mime_decode(&arg);
1834 break;
1835#endif
1836
059ec3d9
PH
1837 case ACLC_DELAY:
1838 {
1839 int delay = readconf_readtime(arg, 0, FALSE);
1840 if (delay < 0)
1841 {
1842 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1843 "modifier: \"%s\" is not a time value", arg);
1844 return ERROR;
1845 }
1846 else
1847 {
1848 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1849 delay);
1850 if (host_checking)
1851 {
1852 HDEBUG(D_acl)
1853 debug_printf("delay skipped in -bh checking mode\n");
1854 }
8e669ac1 1855 else
86b8287f
PH
1856 {
1857 while (delay > 0) delay = sleep(delay);
8e669ac1 1858 }
059ec3d9
PH
1859 }
1860 }
1861 break;
1862
8523533c
TK
1863#ifdef WITH_OLD_DEMIME
1864 case ACLC_DEMIME:
1865 rc = demime(&arg);
1866 break;
1867#endif
1868
fb2274d4
TK
1869#ifdef EXPERIMENTAL_DOMAINKEYS
1870 case ACLC_DK_DOMAIN_SOURCE:
1871 if (dk_verify_block == NULL) { rc = FAIL; break; };
1872 /* check header source of domain against given string */
1873 switch (dk_verify_block->address_source) {
1874 case DK_EXIM_ADDRESS_FROM_FROM:
1875 rc = match_isinlist(US"from", &arg, 0, NULL,
1876 NULL, MCL_STRING, TRUE, NULL);
1877 break;
1878 case DK_EXIM_ADDRESS_FROM_SENDER:
1879 rc = match_isinlist(US"sender", &arg, 0, NULL,
1880 NULL, MCL_STRING, TRUE, NULL);
1881 break;
1882 case DK_EXIM_ADDRESS_NONE:
1883 rc = match_isinlist(US"none", &arg, 0, NULL,
1884 NULL, MCL_STRING, TRUE, NULL);
1885 break;
1886 }
1887 break;
1888 case ACLC_DK_POLICY:
1889 if (dk_verify_block == NULL) { rc = FAIL; break; };
1890 /* check policy against given string, default FAIL */
1891 rc = FAIL;
1892 if (dk_verify_block->signsall)
1893 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1894 NULL, MCL_STRING, TRUE, NULL);
1895 if (dk_verify_block->testing)
1896 rc = match_isinlist(US"testing", &arg, 0, NULL,
1897 NULL, MCL_STRING, TRUE, NULL);
1898 break;
1899 case ACLC_DK_SENDER_DOMAINS:
1900 if (dk_verify_block == NULL) { rc = FAIL; break; };
1901 if (dk_verify_block->domain != NULL)
1902 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1903 NULL, MCL_DOMAIN, TRUE, NULL);
1904 else rc = FAIL;
1905 break;
1906 case ACLC_DK_SENDER_LOCAL_PARTS:
1907 if (dk_verify_block == NULL) { rc = FAIL; break; };
1908 if (dk_verify_block->local_part != NULL)
1909 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1910 NULL, MCL_LOCALPART, TRUE, NULL);
1911 else rc = FAIL;
1912 break;
1913 case ACLC_DK_SENDERS:
1914 if (dk_verify_block == NULL) { rc = FAIL; break; };
1915 if (dk_verify_block->address != NULL)
1916 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1917 else rc = FAIL;
1918 break;
1919 case ACLC_DK_STATUS:
1920 if (dk_verify_block == NULL) { rc = FAIL; break; };
1921 if (dk_verify_block->result > 0) {
1922 switch(dk_verify_block->result) {
1923 case DK_EXIM_RESULT_BAD_FORMAT:
1924 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1925 NULL, MCL_STRING, TRUE, NULL);
1926 break;
1927 case DK_EXIM_RESULT_NO_KEY:
1928 rc = match_isinlist(US"no key", &arg, 0, NULL,
1929 NULL, MCL_STRING, TRUE, NULL);
1930 break;
1931 case DK_EXIM_RESULT_NO_SIGNATURE:
1932 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1933 NULL, MCL_STRING, TRUE, NULL);
1934 break;
1935 case DK_EXIM_RESULT_REVOKED:
1936 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1937 NULL, MCL_STRING, TRUE, NULL);
1938 break;
1939 case DK_EXIM_RESULT_NON_PARTICIPANT:
1940 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1941 NULL, MCL_STRING, TRUE, NULL);
1942 break;
1943 case DK_EXIM_RESULT_GOOD:
1944 rc = match_isinlist(US"good", &arg, 0, NULL,
1945 NULL, MCL_STRING, TRUE, NULL);
1946 break;
1947 case DK_EXIM_RESULT_BAD:
1948 rc = match_isinlist(US"bad", &arg, 0, NULL,
1949 NULL, MCL_STRING, TRUE, NULL);
1950 break;
1951 }
1952 }
1953 break;
1954#endif
1955
059ec3d9
PH
1956 case ACLC_DNSLISTS:
1957 rc = verify_check_dnsbl(&arg);
1958 break;
1959
1960 case ACLC_DOMAINS:
1961 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1962 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1963 break;
1964
1965 /* The value in tls_cipher is the full cipher name, for example,
1966 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1967 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1968 what may in practice come out of the SSL library - which at the time of
1969 writing is poorly documented. */
1970
1971 case ACLC_ENCRYPTED:
1972 if (tls_cipher == NULL) rc = FAIL; else
1973 {
1974 uschar *endcipher = NULL;
1975 uschar *cipher = Ustrchr(tls_cipher, ':');
1976 if (cipher == NULL) cipher = tls_cipher; else
1977 {
1978 endcipher = Ustrchr(++cipher, ':');
1979 if (endcipher != NULL) *endcipher = 0;
1980 }
1981 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1982 if (endcipher != NULL) *endcipher = ':';
1983 }
1984 break;
1985
1986 /* Use verify_check_this_host() instead of verify_check_host() so that
1987 we can pass over &host_data to catch any looked up data. Once it has been
1988 set, it retains its value so that it's still there if another ACL verb
1989 comes through here and uses the cache. However, we must put it into
1990 permanent store in case it is also expected to be used in a subsequent
1991 message in the same SMTP connection. */
1992
1993 case ACLC_HOSTS:
1994 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1995 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1996 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1997 break;
1998
1999 case ACLC_LOCAL_PARTS:
2000 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2001 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2002 &deliver_localpart_data);
2003 break;
2004
2005 case ACLC_LOGWRITE:
2006 {
2007 int logbits = 0;
2008 uschar *s = arg;
2009 if (*s == ':')
2010 {
2011 s++;
2012 while (*s != ':')
2013 {
2014 if (Ustrncmp(s, "main", 4) == 0)
2015 { logbits |= LOG_MAIN; s += 4; }
2016 else if (Ustrncmp(s, "panic", 5) == 0)
2017 { logbits |= LOG_PANIC; s += 5; }
2018 else if (Ustrncmp(s, "reject", 6) == 0)
2019 { logbits |= LOG_REJECT; s += 6; }
2020 else
2021 {
2022 logbits = LOG_MAIN|LOG_PANIC;
2023 s = string_sprintf(":unknown log name in \"%s\" in "
2024 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2025 }
2026 if (*s == ',') s++;
2027 }
2028 s++;
2029 }
2030 while (isspace(*s)) s++;
2031 if (logbits == 0) logbits = LOG_MAIN;
2032 log_write(0, logbits, "%s", string_printing(s));
2033 }
2034 break;
8e669ac1 2035
8523533c
TK
2036#ifdef WITH_CONTENT_SCAN
2037 case ACLC_MALWARE:
2038 {
2039 /* Seperate the regular expression and any optional parameters. */
2040 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2041 /* Run the malware backend. */
2042 rc = malware(&ss);
2043 /* Modify return code based upon the existance of options. */
2044 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2045 != NULL) {
2046 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2047 {
2048 /* FAIL so that the message is passed to the next ACL */
2049 rc = FAIL;
2050 }
2051 }
2052 }
2053 break;
2054
2055 case ACLC_MIME_REGEX:
2056 rc = mime_regex(&arg);
2057 break;
2058#endif
059ec3d9
PH
2059
2060 case ACLC_RECIPIENTS:
2061 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2062 &recipient_data);
2063 break;
2064
8523533c
TK
2065#ifdef WITH_CONTENT_SCAN
2066 case ACLC_REGEX:
2067 rc = regex(&arg);
2068 break;
2069#endif
2070
059ec3d9
PH
2071 case ACLC_SENDER_DOMAINS:
2072 {
2073 uschar *sdomain;
2074 sdomain = Ustrrchr(sender_address, '@');
2075 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2076 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2077 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2078 }
2079 break;
2080
2081 case ACLC_SENDERS:
2082 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2083 sender_address_cache, -1, 0, &sender_data);
2084 break;
2085
2086 /* Connection variables must persist forever */
2087
2088 case ACLC_SET:
2089 {
2090 int old_pool = store_pool;
2091 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2092 acl_var[cb->u.varnumber] = string_copy(arg);
2093 store_pool = old_pool;
2094 }
2095 break;
2096
8523533c
TK
2097#ifdef WITH_CONTENT_SCAN
2098 case ACLC_SPAM:
2099 {
2100 /* Seperate the regular expression and any optional parameters. */
2101 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2102 /* Run the spam backend. */
2103 rc = spam(&ss);
2104 /* Modify return code based upon the existance of options. */
2105 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2106 != NULL) {
2107 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2108 {
2109 /* FAIL so that the message is passed to the next ACL */
2110 rc = FAIL;
2111 }
2112 }
2113 }
2114 break;
2115#endif
2116
2117#ifdef EXPERIMENTAL_SPF
2118 case ACLC_SPF:
2119 rc = spf_process(&arg, sender_address);
2120 break;
2121#endif
2122
059ec3d9
PH
2123 /* If the verb is WARN, discard any user message from verification, because
2124 such messages are SMTP responses, not header additions. The latter come
2125 only from explicit "message" modifiers. */
2126
2127 case ACLC_VERIFY:
2128 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2129 if (verb == ACL_WARN) *user_msgptr = NULL;
2130 break;
2131
2132 default:
2133 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2134 "condition %d", cb->type);
2135 break;
2136 }
2137
2138 /* If a condition was negated, invert OK/FAIL. */
2139
2140 if (!cond_modifiers[cb->type] && cb->u.negated)
2141 {
2142 if (rc == OK) rc = FAIL;
2143 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2144 }
2145
2146 if (rc != OK) break; /* Conditions loop */
2147 }
2148
2149
2150/* If the result is the one for which "message" and/or "log_message" are used,
2151handle the values of these options. Most verbs have but a single return for
2152which the messages are relevant, but for "discard", it's useful to have the log
2153message both when it succeeds and when it fails. Also, for an "accept" that
2154appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2155and "warn" are permitted in that ACL, we don't need to test the verb.
2156
2157These modifiers act in different ways:
2158
2159"message" is a user message that will be included in an SMTP response. Unless
2160it is empty, it overrides any previously set user message.
2161
2162"log_message" is a non-user message, and it adds to any existing non-user
2163message that is already set.
2164
2165If there isn't a log message set, we make it the same as the user message. */
2166
2167if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2168 (verb == ACL_DISCARD && rc == OK) ||
2169 (where == ACL_WHERE_QUIT))
2170 {
2171 uschar *expmessage;
2172
2173 /* If the verb is "warn", messages generated by conditions (verification or
2174 nested ACLs) are discarded. Only messages specified at this level are used.
2175 However, the value of an existing message is available in $acl_verify_message
2176 during expansions. */
2177
2178 uschar *old_user_msgptr = *user_msgptr;
2179 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2180
2181 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2182
2183 if (user_message != NULL)
2184 {
2185 acl_verify_message = old_user_msgptr;
2186 expmessage = expand_string(user_message);
2187 if (expmessage == NULL)
2188 {
2189 if (!expand_string_forcedfail)
2190 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2191 user_message, expand_string_message);
2192 }
2193 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2194 }
2195
2196 if (log_message != NULL)
2197 {
2198 acl_verify_message = old_log_msgptr;
2199 expmessage = expand_string(log_message);
2200 if (expmessage == NULL)
2201 {
2202 if (!expand_string_forcedfail)
2203 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2204 log_message, expand_string_message);
2205 }
2206 else if (expmessage[0] != 0)
2207 {
2208 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2209 string_sprintf("%s: %s", expmessage, *log_msgptr);
2210 }
2211 }
2212
2213 /* If no log message, default it to the user message */
2214
2215 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2216 }
2217
2218acl_verify_message = NULL;
2219return rc;
2220}
2221
2222
2223
2224
2225
2226/*************************************************
2227* Get line from a literal ACL *
2228*************************************************/
2229
2230/* This function is passed to acl_read() in order to extract individual lines
2231of a literal ACL, which we access via static pointers. We can destroy the
2232contents because this is called only once (the compiled ACL is remembered).
2233
2234This code is intended to treat the data in the same way as lines in the main
2235Exim configuration file. That is:
2236
2237 . Leading spaces are ignored.
2238
2239 . A \ at the end of a line is a continuation - trailing spaces after the \
2240 are permitted (this is because I don't believe in making invisible things
2241 significant). Leading spaces on the continued part of a line are ignored.
2242
2243 . Physical lines starting (significantly) with # are totally ignored, and
2244 may appear within a sequence of backslash-continued lines.
2245
2246 . Blank lines are ignored, but will end a sequence of continuations.
2247
2248Arguments: none
2249Returns: a pointer to the next line
2250*/
2251
2252
2253static uschar *acl_text; /* Current pointer in the text */
2254static uschar *acl_text_end; /* Points one past the terminating '0' */
2255
2256
2257static uschar *
2258acl_getline(void)
2259{
2260uschar *yield;
2261
2262/* This loop handles leading blank lines and comments. */
2263
2264for(;;)
2265 {
2266 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2267 if (*acl_text == 0) return NULL; /* No more data */
2268 yield = acl_text; /* Potential data line */
2269
2270 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2271
2272 /* If we hit the end before a newline, we have the whole logical line. If
2273 it's a comment, there's no more data to be given. Otherwise, yield it. */
2274
2275 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2276
2277 /* After reaching a newline, end this loop if the physical line does not
2278 start with '#'. If it does, it's a comment, and the loop continues. */
2279
2280 if (*yield != '#') break;
2281 }
2282
2283/* This loop handles continuations. We know we have some real data, ending in
2284newline. See if there is a continuation marker at the end (ignoring trailing
2285white space). We know that *yield is not white space, so no need to test for
2286cont > yield in the backwards scanning loop. */
2287
2288for(;;)
2289 {
2290 uschar *cont;
2291 for (cont = acl_text - 1; isspace(*cont); cont--);
2292
2293 /* If no continuation follows, we are done. Mark the end of the line and
2294 return it. */
2295
2296 if (*cont != '\\')
2297 {
2298 *acl_text++ = 0;
2299 return yield;
2300 }
2301
2302 /* We have encountered a continuation. Skip over whitespace at the start of
2303 the next line, and indeed the whole of the next line or lines if they are
2304 comment lines. */
2305
2306 for (;;)
2307 {
2308 while (*(++acl_text) == ' ' || *acl_text == '\t');
2309 if (*acl_text != '#') break;
2310 while (*(++acl_text) != 0 && *acl_text != '\n');
2311 }
2312
2313 /* We have the start of a continuation line. Move all the rest of the data
2314 to join onto the previous line, and then find its end. If the end is not a
2315 newline, we are done. Otherwise loop to look for another continuation. */
2316
2317 memmove(cont, acl_text, acl_text_end - acl_text);
2318 acl_text_end -= acl_text - cont;
2319 acl_text = cont;
2320 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2321 if (*acl_text == 0) return yield;
2322 }
2323
2324/* Control does not reach here */
2325}
2326
2327
2328
2329
2330
2331/*************************************************
2332* Check access using an ACL *
2333*************************************************/
2334
2335/* This function is called from address_check. It may recurse via
2336acl_check_condition() - hence the use of a level to stop looping. The ACL is
2337passed as a string which is expanded. A forced failure implies no access check
2338is required. If the result is a single word, it is taken as the name of an ACL
2339which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2340text, complete with newlines, and parsed as such. In both cases, the ACL check
2341is then run. This function uses an auxiliary function for acl_read() to call
2342for reading individual lines of a literal ACL. This is acl_getline(), which
2343appears immediately above.
2344
2345Arguments:
2346 where where called from
2347 addr address item when called from RCPT; otherwise NULL
2348 s the input string; NULL is the same as an empty ACL => DENY
2349 level the nesting level
2350 user_msgptr where to put a user error (for SMTP response)
2351 log_msgptr where to put a logging message (not for SMTP response)
2352
2353Returns: OK access is granted
2354 DISCARD access is apparently granted...
2355 FAIL access is denied
2356 FAIL_DROP access is denied; drop the connection
2357 DEFER can't tell at the moment
2358 ERROR disaster
2359*/
2360
2361static int
2362acl_check_internal(int where, address_item *addr, uschar *s, int level,
2363 uschar **user_msgptr, uschar **log_msgptr)
2364{
2365int fd = -1;
2366acl_block *acl = NULL;
2367uschar *acl_name = US"inline ACL";
2368uschar *ss;
2369
2370/* Catch configuration loops */
2371
2372if (level > 20)
2373 {
2374 *log_msgptr = US"ACL nested too deep: possible loop";
2375 return ERROR;
2376 }
2377
2378if (s == NULL)
2379 {
2380 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2381 return FAIL;
2382 }
2383
2384/* At top level, we expand the incoming string. At lower levels, it has already
2385been expanded as part of condition processing. */
2386
2387if (level == 0)
2388 {
2389 ss = expand_string(s);
2390 if (ss == NULL)
2391 {
2392 if (expand_string_forcedfail) return OK;
2393 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2394 expand_string_message);
2395 return ERROR;
2396 }
2397 }
2398else ss = s;
2399
2400while (isspace(*ss))ss++;
2401
2402/* If we can't find a named ACL, the default is to parse it as an inline one.
2403(Unless it begins with a slash; non-existent files give rise to an error.) */
2404
2405acl_text = ss;
2406
2407/* Handle the case of a string that does not contain any spaces. Look for a
2408named ACL among those read from the configuration, or a previously read file.
2409It is possible that the pointer to the ACL is NULL if the configuration
2410contains a name with no data. If not found, and the text begins with '/',
2411read an ACL from a file, and save it so it can be re-used. */
2412
2413if (Ustrchr(ss, ' ') == NULL)
2414 {
2415 tree_node *t = tree_search(acl_anchor, ss);
2416 if (t != NULL)
2417 {
2418 acl = (acl_block *)(t->data.ptr);
2419 if (acl == NULL)
2420 {
2421 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2422 return FAIL;
2423 }
2424 acl_name = string_sprintf("ACL \"%s\"", ss);
2425 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2426 }
2427
2428 else if (*ss == '/')
2429 {
2430 struct stat statbuf;
2431 fd = Uopen(ss, O_RDONLY, 0);
2432 if (fd < 0)
2433 {
2434 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2435 strerror(errno));
2436 return ERROR;
2437 }
2438
2439 if (fstat(fd, &statbuf) != 0)
2440 {
2441 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2442 strerror(errno));
2443 return ERROR;
2444 }
2445
2446 acl_text = store_get(statbuf.st_size + 1);
2447 acl_text_end = acl_text + statbuf.st_size + 1;
2448
2449 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2450 {
2451 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2452 ss, strerror(errno));
2453 return ERROR;
2454 }
2455 acl_text[statbuf.st_size] = 0;
2456 close(fd);
2457
2458 acl_name = string_sprintf("ACL \"%s\"", ss);
2459 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2460 }
2461 }
2462
2463/* Parse an ACL that is still in text form. If it came from a file, remember it
2464in the ACL tree, having read it into the POOL_PERM store pool so that it
2465persists between multiple messages. */
2466
2467if (acl == NULL)
2468 {
2469 int old_pool = store_pool;
2470 if (fd >= 0) store_pool = POOL_PERM;
2471 acl = acl_read(acl_getline, log_msgptr);
2472 store_pool = old_pool;
2473 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2474 if (fd >= 0)
2475 {
2476 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2477 Ustrcpy(t->name, ss);
2478 t->data.ptr = acl;
2479 (void)tree_insertnode(&acl_anchor, t);
2480 }
2481 }
2482
2483/* Now we have an ACL to use. It's possible it may be NULL. */
2484
2485while (acl != NULL)
2486 {
2487 int cond;
2488 int basic_errno = 0;
2489 BOOL endpass_seen = FALSE;
2490
2491 *log_msgptr = *user_msgptr = NULL;
2492 acl_temp_details = FALSE;
2493
2494 if (where == ACL_WHERE_QUIT &&
2495 acl->verb != ACL_ACCEPT &&
2496 acl->verb != ACL_WARN)
2497 {
2498 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2499 verbs[acl->verb]);
2500 return ERROR;
2501 }
2502
2503 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2504
2505 /* Clear out any search error message from a previous check before testing
2506 this condition. */
2507
2508 search_error_message = NULL;
2509 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2510 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2511
2512 /* Handle special returns: DEFER causes a return except on a WARN verb;
2513 ERROR always causes a return. */
2514
2515 switch (cond)
2516 {
2517 case DEFER:
2518 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2519 if (basic_errno != ERRNO_CALLOUTDEFER)
2520 {
2521 if (search_error_message != NULL && *search_error_message != 0)
2522 *log_msgptr = search_error_message;
2523 if (smtp_return_error_details) acl_temp_details = TRUE;
2524 }
2525 else
2526 {
2527 acl_temp_details = TRUE;
2528 }
2529 if (acl->verb != ACL_WARN) return DEFER;
2530 break;
2531
2532 default: /* Paranoia */
2533 case ERROR:
2534 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2535 return ERROR;
2536
2537 case OK:
2538 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2539 verbs[acl->verb]);
2540 break;
2541
2542 case FAIL:
2543 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2544 break;
2545
2546 /* DISCARD and DROP can happen only from a nested ACL condition, and
2547 DISCARD can happen only for an "accept" or "discard" verb. */
2548
2549 case DISCARD:
2550 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2551 verbs[acl->verb]);
2552 break;
2553
2554 case FAIL_DROP:
2555 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2556 verbs[acl->verb]);
2557 break;
2558 }
2559
2560 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2561 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2562 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2563
2564 switch(acl->verb)
2565 {
2566 case ACL_ACCEPT:
2567 if (cond == OK || cond == DISCARD) return cond;
2568 if (endpass_seen)
2569 {
2570 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2571 return cond;
2572 }
2573 break;
2574
2575 case ACL_DEFER:
2576 if (cond == OK)
2577 {
2578 acl_temp_details = TRUE;
2579 return DEFER;
2580 }
2581 break;
2582
2583 case ACL_DENY:
2584 if (cond == OK) return FAIL;
2585 break;
2586
2587 case ACL_DISCARD:
2588 if (cond == OK || cond == DISCARD) return DISCARD;
2589 if (endpass_seen)
2590 {
2591 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2592 return cond;
2593 }
2594 break;
2595
2596 case ACL_DROP:
2597 if (cond == OK) return FAIL_DROP;
2598 break;
2599
2600 case ACL_REQUIRE:
2601 if (cond != OK) return cond;
2602 break;
2603
2604 case ACL_WARN:
2605 if (cond == OK)
2606 acl_warn(where, *user_msgptr, *log_msgptr);
2607 else if (cond == DEFER)
2608 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2609 "condition test deferred: %s",
2610 (*log_msgptr == NULL)? US"" : *log_msgptr));
2611 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2612 break;
2613
2614 default:
2615 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2616 acl->verb);
2617 break;
2618 }
2619
2620 /* Pass to the next ACL item */
2621
2622 acl = acl->next;
2623 }
2624
2625/* We have reached the end of the ACL. This is an implicit DENY. */
2626
2627HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2628return FAIL;
2629}
2630
2631
2632/*************************************************
2633* Check access using an ACL *
2634*************************************************/
2635
2636/* This is the external interface for ACL checks. It sets up an address and the
2637expansions for $domain and $local_part when called after RCPT, then calls
2638acl_check_internal() to do the actual work.
2639
2640Arguments:
2641 where ACL_WHERE_xxxx indicating where called from
2642 data_string RCPT address, or SMTP command argument, or NULL
2643 s the input string; NULL is the same as an empty ACL => DENY
2644 user_msgptr where to put a user error (for SMTP response)
2645 log_msgptr where to put a logging message (not for SMTP response)
2646
2647Returns: OK access is granted by an ACCEPT verb
2648 DISCARD access is granted by a DISCARD verb
2649 FAIL access is denied
2650 FAIL_DROP access is denied; drop the connection
2651 DEFER can't tell at the moment
2652 ERROR disaster
2653*/
2654
2655int
2656acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2657 uschar **log_msgptr)
2658{
2659int rc;
2660address_item adb;
2661address_item *addr;
2662
2663*user_msgptr = *log_msgptr = NULL;
2664sender_verified_failed = NULL;
2665
2666if (where == ACL_WHERE_RCPT)
2667 {
2668 adb = address_defaults;
2669 addr = &adb;
2670 addr->address = data_string;
2671 if (deliver_split_address(addr) == DEFER)
2672 {
2673 *log_msgptr = US"defer in percent_hack_domains check";
2674 return DEFER;
2675 }
2676 deliver_domain = addr->domain;
2677 deliver_localpart = addr->local_part;
2678 }
2679else
2680 {
2681 addr = NULL;
2682 smtp_command_argument = data_string;
2683 }
2684
2685rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2686
2687smtp_command_argument = deliver_domain =
2a3eea10 2688 deliver_localpart = deliver_address_data = sender_address_data = NULL;
059ec3d9
PH
2689
2690/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2691ACL, which is really in the middle of an SMTP command. */
2692
2693if (rc == DISCARD)
2694 {
2695 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2696 {
2697 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2698 "ACL", acl_wherenames[where]);
2699 return ERROR;
2700 }
2701 return DISCARD;
2702 }
2703
2704/* A DROP response is not permitted from MAILAUTH */
2705
2706if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2707 {
2708 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2709 "ACL", acl_wherenames[where]);
2710 return ERROR;
2711 }
2712
2713/* Before giving an error response, take a look at the length of any user
2714message, and split it up into multiple lines if possible. */
2715
2716if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2717 {
2718 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2719 uschar *ss = s;
2720
2721 for (;;)
2722 {
2723 int i = 0;
2724 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2725 if (*ss == 0) break;
2726 if (*ss == '\n')
2727 s = ++ss;
2728 else
2729 {
2730 uschar *t = ss + 1;
2731 uschar *tt = NULL;
2732 while (--t > s + 35)
2733 {
2734 if (*t == ' ')
2735 {
2736 if (t[-1] == ':') { tt = t; break; }
2737 if (tt == NULL) tt = t;
2738 }
2739 }
2740
2741 if (tt == NULL) /* Can't split behind - try ahead */
2742 {
2743 t = ss + 1;
2744 while (*t != 0)
2745 {
2746 if (*t == ' ' || *t == '\n')
2747 { tt = t; break; }
2748 t++;
2749 }
2750 }
2751
2752 if (tt == NULL) break; /* Can't find anywhere to split */
2753 *tt = '\n';
2754 s = ss = tt+1;
2755 }
2756 }
2757 }
2758
2759return rc;
2760}
2761
2762/* End of acl.c */