projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
New doc section explaining TLS SNI
[exim.git] / src / src / acl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
0a49a7a4 5/* Copyright (c) University of Cambridge 1995 - 2009 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for handling Access Control Lists (ACLs) */
9
10#include "exim.h"
11
12
13/* Default callout timeout */
14
15#define CALLOUT_TIMEOUT_DEFAULT 30
16
17/* ACL verb codes - keep in step with the table of verbs that follows */
18
19enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22/* ACL verbs */
23
24static uschar *verbs[] =
25 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
26 US"warn" };
27
4e88a19f
PH		 28/* For each verb, the conditions for which "message" or "log_message" are used
29are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
30"accept", the FAIL case is used only after "endpass", but that is selected in
31the code. */
32
33static int msgcond[] = {
34 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
35 (1<<OK), /* defer */
36 (1<<OK), /* deny */
37 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
38 (1<<OK), /* drop */
39 (1<<FAIL) | (1<<FAIL_DROP), /* require */
40 (1<<OK) /* warn */
41 };
059ec3d9
PH		 42
43/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 44follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
45down. */
059ec3d9 46
71fafd95
PH		 47enum { ACLC_ACL,
48 ACLC_ADD_HEADER,
49 ACLC_AUTHENTICATED,
8523533c
TK		 50#ifdef EXPERIMENTAL_BRIGHTMAIL
51 ACLC_BMI_OPTIN,
52#endif
71fafd95 53 ACLC_CONDITION,
c3611384 54 ACLC_CONTINUE,
71fafd95 55 ACLC_CONTROL,
6a8f9482
TK		 56#ifdef EXPERIMENTAL_DCC
57 ACLC_DCC,
58#endif
8523533c
TK		 59#ifdef WITH_CONTENT_SCAN
60 ACLC_DECODE,
61#endif
62 ACLC_DELAY,
63#ifdef WITH_OLD_DEMIME
64 ACLC_DEMIME,
fb2274d4 65#endif
80a47a2c
TK		 66#ifndef DISABLE_DKIM
67 ACLC_DKIM_SIGNER,
68 ACLC_DKIM_STATUS,
8e669ac1 69#endif
71fafd95
PH		 70 ACLC_DNSLISTS,
71 ACLC_DOMAINS,
72 ACLC_ENCRYPTED,
73 ACLC_ENDPASS,
74 ACLC_HOSTS,
75 ACLC_LOCAL_PARTS,
76 ACLC_LOG_MESSAGE,
6ea85e9a 77 ACLC_LOG_REJECT_TARGET,
71fafd95 78 ACLC_LOGWRITE,
8523533c
TK		 79#ifdef WITH_CONTENT_SCAN
80 ACLC_MALWARE,
81#endif
82 ACLC_MESSAGE,
83#ifdef WITH_CONTENT_SCAN
84 ACLC_MIME_REGEX,
85#endif
870f6ba8 86 ACLC_RATELIMIT,
8523533c
TK		 87 ACLC_RECIPIENTS,
88#ifdef WITH_CONTENT_SCAN
89 ACLC_REGEX,
90#endif
71fafd95
PH		 91 ACLC_SENDER_DOMAINS,
92 ACLC_SENDERS,
93 ACLC_SET,
8523533c 94#ifdef WITH_CONTENT_SCAN
8e669ac1 95 ACLC_SPAM,
8523533c
TK		 96#endif
97#ifdef EXPERIMENTAL_SPF
98 ACLC_SPF,
65a7d8c3 99 ACLC_SPF_GUESS,
8523533c
TK		 100#endif
101 ACLC_VERIFY };
059ec3d9 102
c3611384
PH		 103/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
104"message", "log_message", "log_reject_target", "logwrite", and "set" are
105modifiers that look like conditions but always return TRUE. They are used for
106their side effects. */
059ec3d9 107
9a26b6b2
PH		 108static uschar *conditions[] = {
109 US"acl",
71fafd95 110 US"add_header",
9a26b6b2 111 US"authenticated",
8523533c
TK		 112#ifdef EXPERIMENTAL_BRIGHTMAIL
113 US"bmi_optin",
114#endif
115 US"condition",
c3611384 116 US"continue",
8e669ac1 117 US"control",
6a8f9482
TK		 118#ifdef EXPERIMENTAL_DCC
119 US"dcc",
120#endif
8523533c
TK		 121#ifdef WITH_CONTENT_SCAN
122 US"decode",
123#endif
124 US"delay",
125#ifdef WITH_OLD_DEMIME
126 US"demime",
fb2274d4 127#endif
80a47a2c
TK		 128#ifndef DISABLE_DKIM
129 US"dkim_signers",
130 US"dkim_status",
8523533c 131#endif
6ea85e9a
PH		 132 US"dnslists",
133 US"domains",
134 US"encrypted",
135 US"endpass",
136 US"hosts",
137 US"local_parts",
138 US"log_message",
139 US"log_reject_target",
140 US"logwrite",
8523533c
TK		 141#ifdef WITH_CONTENT_SCAN
142 US"malware",
143#endif
144 US"message",
145#ifdef WITH_CONTENT_SCAN
146 US"mime_regex",
147#endif
870f6ba8 148 US"ratelimit",
8523533c
TK		 149 US"recipients",
150#ifdef WITH_CONTENT_SCAN
151 US"regex",
152#endif
153 US"sender_domains", US"senders", US"set",
154#ifdef WITH_CONTENT_SCAN
155 US"spam",
156#endif
157#ifdef EXPERIMENTAL_SPF
158 US"spf",
65a7d8c3 159 US"spf_guess",
8523533c 160#endif
059ec3d9 161 US"verify" };
8e669ac1 162
c5fcb476 163
9a26b6b2
PH		 164/* Return values from decode_control(); keep in step with the table of names
165that follows! */
166
167enum {
c46782ef
PH		 168 CONTROL_AUTH_UNADVERTISED,
169 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 170 CONTROL_BMI_RUN,
c46782ef 171 #endif
ed7f7860 172 CONTROL_DEBUG,
80a47a2c 173 #ifndef DISABLE_DKIM
f7572e5a
TK		 174 CONTROL_DKIM_VERIFY,
175 #endif
c46782ef
PH		 176 CONTROL_ERROR,
177 CONTROL_CASEFUL_LOCAL_PART,
178 CONTROL_CASELOWER_LOCAL_PART,
179 CONTROL_ENFORCE_SYNC,
180 CONTROL_NO_ENFORCE_SYNC,
181 CONTROL_FREEZE,
182 CONTROL_QUEUE_ONLY,
183 CONTROL_SUBMISSION,
184 CONTROL_SUPPRESS_LOCAL_FIXUPS,
185 #ifdef WITH_CONTENT_SCAN
9a26b6b2 186 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 187 #endif
188 CONTROL_FAKEDEFER,
189 CONTROL_FAKEREJECT,
cf8b11a5 190 CONTROL_NO_MULTILINE,
047bdd8c 191 CONTROL_NO_PIPELINING,
4c590bd1
PH		 192 CONTROL_NO_DELAY_FLUSH,
193 CONTROL_NO_CALLOUT_FLUSH
c46782ef 194};
9a26b6b2 195
8800895a
PH		 196/* ACL control names; keep in step with the table above! This list is used for
197turning ids into names. The actual list of recognized names is in the variable
198control_def controls_list[] below. The fact that there are two lists is a mess
199and should be tidied up. */
9a26b6b2
PH		 200
201static uschar *controls[] = {
c46782ef 202 US"allow_auth_unadvertised",
9a26b6b2
PH		 203 #ifdef EXPERIMENTAL_BRIGHTMAIL
204 US"bmi_run",
205 #endif
ed7f7860 206 US"debug",
80a47a2c
TK		 207 #ifndef DISABLE_DKIM
208 US"dkim_disable_verify",
f7572e5a 209 #endif
c46782ef
PH		 210 US"error",
211 US"caseful_local_part",
212 US"caselower_local_part",
213 US"enforce_sync",
214 US"no_enforce_sync",
215 US"freeze",
216 US"queue_only",
217 US"submission",
218 US"suppress_local_fixups",
9a26b6b2
PH		 219 #ifdef WITH_CONTENT_SCAN
220 US"no_mbox_unspool",
221 #endif
cf8b11a5
PH		 222 US"fakedefer",
223 US"fakereject",
aa6dc513 224 US"no_multiline_responses",
cf8b11a5 225 US"no_pipelining",
4c590bd1
PH		 226 US"no_delay_flush",
227 US"no_callout_flush"
c46782ef 228};
059ec3d9 229
047bdd8c 230/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH		 231at the outer level. In the other cases, expansion already occurs in the
232checking functions. */
233
234static uschar cond_expand_at_top[] = {
235 TRUE, /* acl */
3e536984 236 TRUE, /* add_header */
059ec3d9 237 FALSE, /* authenticated */
8523533c
TK		 238#ifdef EXPERIMENTAL_BRIGHTMAIL
239 TRUE, /* bmi_optin */
8e669ac1 240#endif
059ec3d9 241 TRUE, /* condition */
c3611384 242 TRUE, /* continue */
059ec3d9 243 TRUE, /* control */
6a8f9482
TK		 244#ifdef EXPERIMENTAL_DCC
245 TRUE, /* dcc */
246#endif
8523533c
TK		 247#ifdef WITH_CONTENT_SCAN
248 TRUE, /* decode */
249#endif
059ec3d9 250 TRUE, /* delay */
8523533c
TK		 251#ifdef WITH_OLD_DEMIME
252 TRUE, /* demime */
fb2274d4 253#endif
80a47a2c
TK		 254#ifndef DISABLE_DKIM
255 TRUE, /* dkim_signers */
256 TRUE, /* dkim_status */
8523533c 257#endif
059ec3d9
PH		 258 TRUE, /* dnslists */
259 FALSE, /* domains */
260 FALSE, /* encrypted */
261 TRUE, /* endpass */
262 FALSE, /* hosts */
263 FALSE, /* local_parts */
264 TRUE, /* log_message */
6ea85e9a 265 TRUE, /* log_reject_target */
059ec3d9 266 TRUE, /* logwrite */
8523533c
TK		 267#ifdef WITH_CONTENT_SCAN
268 TRUE, /* malware */
269#endif
059ec3d9 270 TRUE, /* message */
8523533c
TK		 271#ifdef WITH_CONTENT_SCAN
272 TRUE, /* mime_regex */
273#endif
870f6ba8 274 TRUE, /* ratelimit */
059ec3d9 275 FALSE, /* recipients */
8523533c
TK		 276#ifdef WITH_CONTENT_SCAN
277 TRUE, /* regex */
278#endif
059ec3d9
PH		 279 FALSE, /* sender_domains */
280 FALSE, /* senders */
281 TRUE, /* set */
8523533c
TK		 282#ifdef WITH_CONTENT_SCAN
283 TRUE, /* spam */
284#endif
285#ifdef EXPERIMENTAL_SPF
286 TRUE, /* spf */
65a7d8c3 287 TRUE, /* spf_guess */
8523533c 288#endif
059ec3d9
PH		 289 TRUE /* verify */
290};
291
292/* Flags to identify the modifiers */
293
294static uschar cond_modifiers[] = {
295 FALSE, /* acl */
3e536984 296 TRUE, /* add_header */
059ec3d9 297 FALSE, /* authenticated */
8523533c
TK		 298#ifdef EXPERIMENTAL_BRIGHTMAIL
299 TRUE, /* bmi_optin */
8e669ac1 300#endif
059ec3d9 301 FALSE, /* condition */
c3611384 302 TRUE, /* continue */
059ec3d9 303 TRUE, /* control */
6a8f9482
TK		 304#ifdef EXPERIMENTAL_DCC
305 FALSE, /* dcc */
306#endif
8523533c
TK		 307#ifdef WITH_CONTENT_SCAN
308 FALSE, /* decode */
309#endif
059ec3d9 310 TRUE, /* delay */
8523533c
TK		 311#ifdef WITH_OLD_DEMIME
312 FALSE, /* demime */
fb2274d4 313#endif
80a47a2c
TK		 314#ifndef DISABLE_DKIM
315 FALSE, /* dkim_signers */
316 FALSE, /* dkim_status */
8523533c 317#endif
059ec3d9
PH		 318 FALSE, /* dnslists */
319 FALSE, /* domains */
320 FALSE, /* encrypted */
321 TRUE, /* endpass */
322 FALSE, /* hosts */
323 FALSE, /* local_parts */
324 TRUE, /* log_message */
6ea85e9a 325 TRUE, /* log_reject_target */
8523533c
TK		 326 TRUE, /* logwrite */
327#ifdef WITH_CONTENT_SCAN
328 FALSE, /* malware */
329#endif
059ec3d9 330 TRUE, /* message */
8523533c
TK		 331#ifdef WITH_CONTENT_SCAN
332 FALSE, /* mime_regex */
333#endif
870f6ba8 334 FALSE, /* ratelimit */
059ec3d9 335 FALSE, /* recipients */
8523533c
TK		 336#ifdef WITH_CONTENT_SCAN
337 FALSE, /* regex */
338#endif
059ec3d9
PH		 339 FALSE, /* sender_domains */
340 FALSE, /* senders */
341 TRUE, /* set */
8523533c
TK		 342#ifdef WITH_CONTENT_SCAN
343 FALSE, /* spam */
344#endif
345#ifdef EXPERIMENTAL_SPF
346 FALSE, /* spf */
65a7d8c3 347 FALSE, /* spf_guess */
8523533c 348#endif
059ec3d9
PH		 349 FALSE /* verify */
350};
351
c3611384 352/* Bit map vector of which conditions and modifiers are not allowed at certain
8f128379
PH		 353times. For each condition and modifier, there's a bitmap of dis-allowed times.
354For some, it is easier to specify the negation of a small number of allowed
355times. */
059ec3d9
PH		 356
357static unsigned int cond_forbids[] = {
358 0, /* acl */
8e669ac1 359
71fafd95 360 (unsigned int)
45b91596 361 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 362 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596 363 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
67caae1f 364 (1<<ACL_WHERE_DKIM)|
45b91596 365 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 366
45b91596
PH		 367 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
368 (1<<ACL_WHERE_NOTSMTP_START)|
369 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 370
71fafd95 371 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 372 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 373 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
374 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 375 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 376 (1<<ACL_WHERE_MAILAUTH)|
377 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 378 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
379 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 380 #endif
8e669ac1 381
059ec3d9 382 0, /* condition */
8e669ac1 383
c3611384
PH		 384 0, /* continue */
385
059ec3d9 386 /* Certain types of control are always allowed, so we let it through
2f079f46 387 always and check in the control processing itself. */
8e669ac1 388
059ec3d9 389 0, /* control */
8e669ac1 390
6a8f9482
TK		 391 #ifdef EXPERIMENTAL_DCC
392 (unsigned int)
393 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* dcc */
394 #endif
395
71fafd95 396 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 397 (unsigned int)
398 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 399 #endif
8523533c 400
8f128379 401 (1<<ACL_WHERE_NOTQUIT), /* delay */
8e669ac1 402
71fafd95 403 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 404 (unsigned int)
405 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 406 #endif
8e669ac1 407
80a47a2c
TK		 408 #ifndef DISABLE_DKIM
409 (unsigned int)
410 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
84330b7b 411
80a47a2c
TK		 412 (unsigned int)
413 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
71fafd95 414 #endif
fb2274d4 415
45b91596
PH		 416 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
417 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 418
2f079f46
PH		 419 (unsigned int)
420 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 421
45b91596
PH		 422 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
423 (1<<ACL_WHERE_CONNECT)|
424 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 425 (1<<ACL_WHERE_HELO),
8e669ac1 426
059ec3d9 427 0, /* endpass */
8e669ac1 428
45b91596
PH		 429 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
430 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 431
2f079f46
PH		 432 (unsigned int)
433 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 434
435 0, /* log_message */
8e669ac1 436
6ea85e9a
PH		 437 0, /* log_reject_target */
438
059ec3d9 439 0, /* logwrite */
8e669ac1 440
71fafd95 441 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 442 (unsigned int)
443 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 444 #endif
8523533c 445
059ec3d9
PH		 446 0, /* message */
447
71fafd95 448 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 449 (unsigned int)
450 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 451 #endif
8523533c 452
870f6ba8
TF		 453 0, /* ratelimit */
454
2f079f46
PH		 455 (unsigned int)
456 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 457
71fafd95 458 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 459 (unsigned int)
460 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
461 (1<<ACL_WHERE_MIME)),
71fafd95 462 #endif
8523533c 463
059ec3d9
PH		 464 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
465 (1<<ACL_WHERE_HELO)|
466 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
467 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
468 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
469
470 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
471 (1<<ACL_WHERE_HELO)|
472 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
473 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
474 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
475
476 0, /* set */
477
71fafd95 478 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 479 (unsigned int)
480 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 481 #endif
8523533c 482
71fafd95 483 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 484 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
485 (1<<ACL_WHERE_HELO)|
486 (1<<ACL_WHERE_MAILAUTH)|
487 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 488 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
489 (1<<ACL_WHERE_NOTSMTP)|
490 (1<<ACL_WHERE_NOTSMTP_START),
65a7d8c3
NM		 491
492 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
493 (1<<ACL_WHERE_HELO)|
494 (1<<ACL_WHERE_MAILAUTH)|
495 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
496 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
497 (1<<ACL_WHERE_NOTSMTP)|
498 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 499 #endif
8523533c 500
059ec3d9
PH		 501 /* Certain types of verify are always allowed, so we let it through
502 always and check in the verify function itself */
503
504 0 /* verify */
059ec3d9
PH		 505};
506
507
c5fcb476
PH		 508/* Bit map vector of which controls are not allowed at certain times. For
509each control, there's a bitmap of dis-allowed times. For some, it is easier to
510specify the negation of a small number of allowed times. */
511
512static unsigned int control_forbids[] = {
c46782ef
PH		 513 (unsigned int)
514 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
515
516 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 517 0, /* bmi_run */
c46782ef
PH		 518 #endif
519
ed7f7860
PP		 520 0, /* debug */
521
80a47a2c
TK		 522 #ifndef DISABLE_DKIM
523 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
f7572e5a
TK		 524 (1<<ACL_WHERE_NOTSMTP_START),
525 #endif
526
c5fcb476 527 0, /* error */
8e669ac1
PH		 528
529 (unsigned int)
c5fcb476 530 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 531
532 (unsigned int)
c5fcb476 533 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 534
45b91596
PH		 535 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
536 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 537
45b91596
PH		 538 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
539 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 540
541 (unsigned int)
c5fcb476
PH		 542 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
543 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 544 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 545
546 (unsigned int)
c5fcb476
PH		 547 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
548 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 549 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 550
551 (unsigned int)
c5fcb476 552 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 553 (1<<ACL_WHERE_PREDATA)),
8523533c 554
8800895a
PH		 555 (unsigned int)
556 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 557 (1<<ACL_WHERE_PREDATA)|
558 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 559
c46782ef 560 #ifdef WITH_CONTENT_SCAN
8e669ac1 561 (unsigned int)
14d57970 562 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 563 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
564 (1<<ACL_WHERE_MIME)),
c46782ef 565 #endif
a6c4ab60 566
29aba418
TF		 567 (unsigned int)
568 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
569 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
570 (1<<ACL_WHERE_MIME)),
571
8e669ac1 572 (unsigned int)
a6c4ab60 573 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 574 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
575 (1<<ACL_WHERE_MIME)),
8523533c 576
45b91596 577 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH		 578 (1<<ACL_WHERE_NOTSMTP_START),
579
580 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH		 581 (1<<ACL_WHERE_NOTSMTP_START),
582
583 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH		 584 (1<<ACL_WHERE_NOTSMTP_START),
585
586 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 587 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 588};
589
590/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 591
592typedef struct control_def {
593 uschar *name;
594 int value; /* CONTROL_xxx value */
059ec3d9
PH		 595 BOOL has_option; /* Has /option(s) following */
596} control_def;
597
598static control_def controls_list[] = {
c46782ef 599 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 600#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 601 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4 602#endif
ed7f7860 603 { US"debug", CONTROL_DEBUG, TRUE },
80a47a2c
TK		 604#ifndef DISABLE_DKIM
605 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
8523533c 606#endif
c46782ef
PH		 607 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
608 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
609 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
610 { US"freeze", CONTROL_FREEZE, TRUE },
4c590bd1 611 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
047bdd8c 612 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
c46782ef
PH		 613 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
614 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 615 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 616 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 617#ifdef WITH_CONTENT_SCAN
c46782ef 618 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 619#endif
c46782ef
PH		 620 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
621 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
622 { US"submission", CONTROL_SUBMISSION, TRUE },
623 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH		 624 };
625
e5a9dba6
PH		 626/* Support data structures for Client SMTP Authorization. acl_verify_csa()
627caches its result in a tree to avoid repeated DNS queries. The result is an
628integer code which is used as an index into the following tables of
629explanatory strings and verification return codes. */
630
631static tree_node *csa_cache = NULL;
632
633enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
634 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
635
636/* The acl_verify_csa() return code is translated into an acl_verify() return
637code using the following table. It is OK unless the client is definitely not
638authorized. This is because CSA is supposed to be optional for sending sites,
639so recipients should not be too strict about checking it - especially because
640DNS problems are quite likely to occur. It's possible to use $csa_status in
641further ACL conditions to distinguish ok, unknown, and defer if required, but
642the aim is to make the usual configuration simple. */
643
644static int csa_return_code[] = {
645 OK, OK, OK, OK,
646 FAIL, FAIL, FAIL, FAIL
647};
648
649static uschar *csa_status_string[] = {
650 US"unknown", US"ok", US"defer", US"defer",
651 US"fail", US"fail", US"fail", US"fail"
652};
653
654static uschar *csa_reason_string[] = {
655 US"unknown",
656 US"ok",
657 US"deferred (SRV lookup failed)",
658 US"deferred (target address lookup failed)",
659 US"failed (explicit authorization required)",
660 US"failed (host name not authorized)",
661 US"failed (no authorized addresses)",
662 US"failed (client address mismatch)"
663};
664
c99ce5c9
TF		 665/* Options for the ratelimit condition. Note that there are two variants of
666the per_rcpt option, depending on the ACL that is used to measure the rate.
667However any ACL must be able to look up per_rcpt rates in /noupdate mode,
668so the two variants must have the same internal representation as well as
669the same configuration string. */
670
671enum {
672 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
673 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
674};
675
676#define RATE_SET(var,new) \
677 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
678
679static uschar *ratelimit_option_string[] = {
680 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
681 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
682};
683
059ec3d9
PH		 684/* Enable recursion between acl_check_internal() and acl_check_condition() */
685
686static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
687 uschar **);
688
689
690/*************************************************
691* Pick out name from list *
692*************************************************/
693
694/* Use a binary chop method
695
696Arguments:
697 name name to find
698 list list of names
699 end size of list
700
701Returns: offset in list, or -1 if not found
702*/
703
704static int
705acl_checkname(uschar *name, uschar **list, int end)
706{
707int start = 0;
708
709while (start < end)
710 {
711 int mid = (start + end)/2;
712 int c = Ustrcmp(name, list[mid]);
713 if (c == 0) return mid;
714 if (c < 0) end = mid; else start = mid + 1;
715 }
716
717return -1;
718}
719
720
721/*************************************************
722* Read and parse one ACL *
723*************************************************/
724
725/* This function is called both from readconf in order to parse the ACLs in the
726configuration file, and also when an ACL is encountered dynamically (e.g. as
727the result of an expansion). It is given a function to call in order to
728retrieve the lines of the ACL. This function handles skipping comments and
729blank lines (where relevant).
730
731Arguments:
732 func function to get next line of ACL
733 error where to put an error message
734
735Returns: pointer to ACL, or NULL
736 NULL can be legal (empty ACL); in this case error will be NULL
737*/
738
739acl_block *
740acl_read(uschar *(*func)(void), uschar **error)
741{
742acl_block *yield = NULL;
743acl_block **lastp = &yield;
744acl_block *this = NULL;
745acl_condition_block *cond;
746acl_condition_block **condp = NULL;
747uschar *s;
748
749*error = NULL;
750
751while ((s = (*func)()) != NULL)
752 {
753 int v, c;
754 BOOL negated = FALSE;
755 uschar *saveline = s;
756 uschar name[64];
757
758 /* Conditions (but not verbs) are allowed to be negated by an initial
759 exclamation mark. */
760
761 while (isspace(*s)) s++;
762 if (*s == '!')
763 {
764 negated = TRUE;
765 s++;
766 }
767
cf00dad6
PH		 768 /* Read the name of a verb or a condition, or the start of a new ACL, which
769 can be started by a name, or by a macro definition. */
059ec3d9
PH		 770
771 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 772 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 773
774 /* If a verb is unrecognized, it may be another condition or modifier that
775 continues the previous verb. */
776
777 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
778 if (v < 0)
779 {
780 if (this == NULL)
781 {
4e167a8c
PH		 782 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
783 saveline);
059ec3d9
PH		 784 return NULL;
785 }
786 }
787
788 /* New verb */
789
790 else
791 {
792 if (negated)
793 {
794 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
795 return NULL;
796 }
797 this = store_get(sizeof(acl_block));
798 *lastp = this;
799 lastp = &(this->next);
800 this->next = NULL;
801 this->verb = v;
802 this->condition = NULL;
803 condp = &(this->condition);
804 if (*s == 0) continue; /* No condition on this line */
805 if (*s == '!')
806 {
807 negated = TRUE;
808 s++;
809 }
810 s = readconf_readname(name, sizeof(name), s); /* Condition name */
811 }
812
813 /* Handle a condition or modifier. */
814
815 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
816 if (c < 0)
817 {
818 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
819 saveline);
820 return NULL;
821 }
822
823 /* The modifiers may not be negated */
824
825 if (negated && cond_modifiers[c])
826 {
827 *error = string_sprintf("ACL error: negation is not allowed with "
828 "\"%s\"", conditions[c]);
829 return NULL;
830 }
831
832 /* ENDPASS may occur only with ACCEPT or DISCARD. */
833
834 if (c == ACLC_ENDPASS &&
835 this->verb != ACL_ACCEPT &&
836 this->verb != ACL_DISCARD)
837 {
838 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
839 conditions[c], verbs[this->verb]);
840 return NULL;
841 }
842
843 cond = store_get(sizeof(acl_condition_block));
844 cond->next = NULL;
845 cond->type = c;
846 cond->u.negated = negated;
847
848 *condp = cond;
849 condp = &(cond->next);
850
851 /* The "set" modifier is different in that its argument is "name=value"
852 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 853 gives us a variable name to insert into the data block. The original ACL
854 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
855 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 856 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
857 After that, we allow alphanumerics and underscores, but the first character
858 after c or m must be a digit or an underscore. This retains backwards
859 compatibility. */
059ec3d9
PH		 860
861 if (c == ACLC_SET)
862 {
47ca6d6c
PH		 863 uschar *endptr;
864
38a0a95f
PH		 865 if (Ustrncmp(s, "acl_c", 5) != 0 &&
866 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 867 {
38a0a95f
PH		 868 *error = string_sprintf("invalid variable name after \"set\" in ACL "
869 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
870 return NULL;
47ca6d6c 871 }
38a0a95f
PH		 872
873 endptr = s + 5;
641cb756
PH		 874 if (!isdigit(*endptr) && *endptr != '_')
875 {
876 *error = string_sprintf("invalid variable name after \"set\" in ACL "
877 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
878 s);
879 return NULL;
880 }
881
38a0a95f 882 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 883 {
38a0a95f
PH		 884 if (!isalnum(*endptr) && *endptr != '_')
885 {
886 *error = string_sprintf("invalid character \"%c\" in variable name "
887 "in ACL modifier \"set %s\"", *endptr, s);
888 return NULL;
889 }
890 endptr++;
47ca6d6c 891 }
47ca6d6c 892
38a0a95f 893 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 894 s = endptr;
059ec3d9
PH		 895 while (isspace(*s)) s++;
896 }
897
898 /* For "set", we are now positioned for the data. For the others, only
899 "endpass" has no data */
900
901 if (c != ACLC_ENDPASS)
902 {
903 if (*s++ != '=')
904 {
905 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
906 cond_modifiers[c]? US"modifier" : US"condition");
907 return NULL;
908 }
909 while (isspace(*s)) s++;
910 cond->arg = string_copy(s);
911 }
912 }
913
914return yield;
915}
916
917
918
71fafd95
PH		 919/*************************************************
920* Set up added header line(s) *
921*************************************************/
922
923/* This function is called by the add_header modifier, and also from acl_warn()
924to implement the now-deprecated way of adding header lines using "message" on a
925"warn" verb. The argument is treated as a sequence of header lines which are
926added to a chain, provided there isn't an identical one already there.
927
928Argument: string of header lines
929Returns: nothing
930*/
931
932static void
933setup_header(uschar *hstring)
934{
935uschar *p, *q;
936int hlen = Ustrlen(hstring);
937
938/* An empty string does nothing; otherwise add a final newline if necessary. */
939
940if (hlen <= 0) return;
941if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
942
943/* Loop for multiple header lines, taking care about continuations */
944
945for (p = q = hstring; *p != 0; )
946 {
947 uschar *s;
948 int newtype = htype_add_bot;
949 header_line **hptr = &acl_added_headers;
950
951 /* Find next header line within the string */
952
953 for (;;)
954 {
955 q = Ustrchr(q, '\n');
956 if (*(++q) != ' ' && *q != '\t') break;
957 }
958
959 /* If the line starts with a colon, interpret the instruction for where to
960 add it. This temporarily sets up a new type. */
961
962 if (*p == ':')
963 {
964 if (strncmpic(p, US":after_received:", 16) == 0)
965 {
966 newtype = htype_add_rec;
967 p += 16;
968 }
969 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
970 {
971 newtype = htype_add_rfc;
972 p += 14;
973 }
974 else if (strncmpic(p, US":at_start:", 10) == 0)
975 {
976 newtype = htype_add_top;
977 p += 10;
978 }
979 else if (strncmpic(p, US":at_end:", 8) == 0)
980 {
981 newtype = htype_add_bot;
982 p += 8;
983 }
984 while (*p == ' ' || *p == '\t') p++;
985 }
986
987 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
988 to the front of it. */
989
990 for (s = p; s < q - 1; s++)
991 {
992 if (*s == ':' || !isgraph(*s)) break;
993 }
994
438257ba 995 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
71fafd95
PH		 996 hlen = Ustrlen(s);
997
998 /* See if this line has already been added */
999
1000 while (*hptr != NULL)
1001 {
1002 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1003 hptr = &((*hptr)->next);
1004 }
1005
1006 /* Add if not previously present */
1007
1008 if (*hptr == NULL)
1009 {
1010 header_line *h = store_get(sizeof(header_line));
1011 h->text = s;
1012 h->next = NULL;
1013 h->type = newtype;
1014 h->slen = hlen;
1015 *hptr = h;
1016 hptr = &(h->next);
1017 }
1018
1019 /* Advance for next header line within the string */
1020
1021 p = q;
1022 }
1023}
1024
1025
1026
1027
059ec3d9
PH		 1028/*************************************************
1029* Handle warnings *
1030*************************************************/
1031
1032/* This function is called when a WARN verb's conditions are true. It adds to
1033the message's headers, and/or writes information to the log. In each case, this
1034only happens once (per message for headers, per connection for log).
1035
71fafd95
PH		 1036** NOTE: The header adding action using the "message" setting is historic, and
1037its use is now deprecated. The new add_header modifier should be used instead.
1038
059ec3d9
PH		 1039Arguments:
1040 where ACL_WHERE_xxxx indicating which ACL this is
1041 user_message message for adding to headers
1042 log_message message for logging, if different
1043
1044Returns: nothing
1045*/
1046
1047static void
1048acl_warn(int where, uschar *user_message, uschar *log_message)
1049{
059ec3d9
PH		 1050if (log_message != NULL && log_message != user_message)
1051 {
1052 uschar *text;
1053 string_item *logged;
1054
1055 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1056 string_printing(log_message));
1057
1058 /* If a sender verification has failed, and the log message is "sender verify
1059 failed", add the failure message. */
1060
1061 if (sender_verified_failed != NULL &&
1062 sender_verified_failed->message != NULL &&
1063 strcmpic(log_message, US"sender verify failed") == 0)
1064 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1065
9c7a242c
PH		 1066 /* Search previously logged warnings. They are kept in malloc
1067 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1068
1069 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1070 if (Ustrcmp(logged->text, text) == 0) break;
1071
1072 if (logged == NULL)
1073 {
1074 int length = Ustrlen(text) + 1;
1075 log_write(0, LOG_MAIN, "%s", text);
1076 logged = store_malloc(sizeof(string_item) + length);
1077 logged->text = (uschar *)logged + sizeof(string_item);
1078 memcpy(logged->text, text, length);
1079 logged->next = acl_warn_logged;
1080 acl_warn_logged = logged;
1081 }
1082 }
1083
1084/* If there's no user message, we are done. */
1085
1086if (user_message == NULL) return;
1087
1088/* If this isn't a message ACL, we can't do anything with a user message.
1089Log an error. */
1090
1091if (where > ACL_WHERE_NOTSMTP)
1092 {
1093 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1094 "found in a non-message (%s) ACL: cannot specify header lines here: "
1095 "message ignored", acl_wherenames[where]);
1096 return;
1097 }
1098
71fafd95
PH		 1099/* The code for setting up header lines is now abstracted into a separate
1100function so that it can be used for the add_header modifier as well. */
059ec3d9 1101
71fafd95 1102setup_header(user_message);
059ec3d9
PH		 1103}
1104
1105
1106
1107/*************************************************
1108* Verify and check reverse DNS *
1109*************************************************/
1110
1111/* Called from acl_verify() below. We look up the host name(s) of the client IP
1112address if this has not yet been done. The host_name_lookup() function checks
1113that one of these names resolves to an address list that contains the client IP
1114address, so we don't actually have to do the check here.
1115
1116Arguments:
1117 user_msgptr pointer for user message
1118 log_msgptr pointer for log message
1119
1120Returns: OK verification condition succeeded
1121 FAIL verification failed
1122 DEFER there was a problem verifying
1123*/
1124
1125static int
1126acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1127{
1128int rc;
1129
1130user_msgptr = user_msgptr; /* stop compiler warning */
1131
1132/* Previous success */
1133
1134if (sender_host_name != NULL) return OK;
1135
1136/* Previous failure */
1137
1138if (host_lookup_failed)
1139 {
1140 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1141 return FAIL;
1142 }
1143
1144/* Need to do a lookup */
1145
1146HDEBUG(D_acl)
1147 debug_printf("looking up host name to force name/address consistency check\n");
1148
1149if ((rc = host_name_lookup()) != OK)
1150 {
1151 *log_msgptr = (rc == DEFER)?
1152 US"host lookup deferred for reverse lookup check"
1153 :
1154 string_sprintf("host lookup failed for reverse lookup check%s",
1155 host_lookup_msg);
1156 return rc; /* DEFER or FAIL */
1157 }
1158
1159host_build_sender_fullhost();
1160return OK;
1161}
1162
1163
1164
e5a9dba6
PH		 1165/*************************************************
1166* Check client IP address matches CSA target *
1167*************************************************/
1168
1169/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1170response for address records belonging to the CSA target hostname. The section
1171is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1172If one of the addresses matches the client's IP address, then the client is
1173authorized by CSA. If there are target IP addresses but none of them match
1174then the client is using an unauthorized IP address. If there are no target IP
1175addresses then the client cannot be using an authorized IP address. (This is
1176an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1177
1178Arguments:
1179 dnsa the DNS answer block
1180 dnss a DNS scan block for us to use
1181 reset option specifing what portion to scan, as described above
1182 target the target hostname to use for matching RR names
1183
1184Returns: CSA_OK successfully authorized
1185 CSA_FAIL_MISMATCH addresses found but none matched
1186 CSA_FAIL_NOADDR no target addresses found
1187*/
1188
1189static int
1190acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1191 uschar *target)
1192{
1193dns_record *rr;
1194dns_address *da;
1195
1196BOOL target_found = FALSE;
1197
1198for (rr = dns_next_rr(dnsa, dnss, reset);
1199 rr != NULL;
1200 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1201 {
1202 /* Check this is an address RR for the target hostname. */
1203
1204 if (rr->type != T_A
1205 #if HAVE_IPV6
1206 && rr->type != T_AAAA
1207 #ifdef SUPPORT_A6
1208 && rr->type != T_A6
1209 #endif
1210 #endif
1211 ) continue;
1212
1213 if (strcmpic(target, rr->name) != 0) continue;
1214
1215 target_found = TRUE;
1216
1217 /* Turn the target address RR into a list of textual IP addresses and scan
1218 the list. There may be more than one if it is an A6 RR. */
1219
1220 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1221 {
1222 /* If the client IP address matches the target IP address, it's good! */
1223
1224 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1225
1226 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1227 }
1228 }
1229
1230/* If we found some target addresses but none of them matched, the client is
1231using an unauthorized IP address, otherwise the target has no authorized IP
1232addresses. */
1233
1234if (target_found) return CSA_FAIL_MISMATCH;
1235else return CSA_FAIL_NOADDR;
1236}
1237
1238
1239
1240/*************************************************
1241* Verify Client SMTP Authorization *
1242*************************************************/
1243
1244/* Called from acl_verify() below. This routine calls dns_lookup_special()
1245to find the CSA SRV record corresponding to the domain argument, or
1246$sender_helo_name if no argument is provided. It then checks that the
1247client is authorized, and that its IP address corresponds to the SRV
1248target's address by calling acl_verify_csa_address() above. The address
1249should have been returned in the DNS response's ADDITIONAL section, but if
1250not we perform another DNS lookup to get it.
1251
1252Arguments:
1253 domain pointer to optional parameter following verify = csa
1254
1255Returns: CSA_UNKNOWN no valid CSA record found
1256 CSA_OK successfully authorized
1257 CSA_FAIL_* client is definitely not authorized
1258 CSA_DEFER_* there was a DNS problem
1259*/
1260
1261static int
1262acl_verify_csa(uschar *domain)
1263{
1264tree_node *t;
1265uschar *found, *p;
1266int priority, weight, port;
1267dns_answer dnsa;
1268dns_scan dnss;
1269dns_record *rr;
1270int rc, type;
1271uschar target[256];
1272
1273/* Work out the domain we are using for the CSA lookup. The default is the
1274client's HELO domain. If the client has not said HELO, use its IP address
1275instead. If it's a local client (exim -bs), CSA isn't applicable. */
1276
1277while (isspace(*domain) && *domain != '\0') ++domain;
1278if (*domain == '\0') domain = sender_helo_name;
1279if (domain == NULL) domain = sender_host_address;
1280if (sender_host_address == NULL) return CSA_UNKNOWN;
1281
1282/* If we have an address literal, strip off the framing ready for turning it
1283into a domain. The framing consists of matched square brackets possibly
1284containing a keyword and a colon before the actual IP address. */
1285
1286if (domain[0] == '[')
1287 {
1288 uschar *start = Ustrchr(domain, ':');
1289 if (start == NULL) start = domain;
1290 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1291 }
1292
1293/* Turn domains that look like bare IP addresses into domains in the reverse
1294DNS. This code also deals with address literals and $sender_host_address. It's
1295not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1296address literals, but it's probably the most friendly thing to do. This is an
1297extension to CSA, so we allow it to be turned off for proper conformance. */
1298
7e66e54d 1299if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1300 {
1301 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1302 dns_build_reverse(domain, target);
1303 domain = target;
1304 }
1305
1306/* Find out if we've already done the CSA check for this domain. If we have,
1307return the same result again. Otherwise build a new cached result structure
1308for this domain. The name is filled in now, and the value is filled in when
1309we return from this function. */
1310
1311t = tree_search(csa_cache, domain);
1312if (t != NULL) return t->data.val;
1313
1314t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1315Ustrcpy(t->name, domain);
1316(void)tree_insertnode(&csa_cache, t);
1317
1318/* Now we are ready to do the actual DNS lookup(s). */
1319
28e6ef29 1320found = domain;
e5a9dba6
PH		 1321switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1322 {
1323 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1324
1325 default:
1326 return t->data.val = CSA_DEFER_SRV;
1327
1328 /* If we found nothing, the client's authorization is unknown. */
1329
1330 case DNS_NOMATCH:
1331 case DNS_NODATA:
1332 return t->data.val = CSA_UNKNOWN;
1333
1334 /* We got something! Go on to look at the reply in more detail. */
1335
1336 case DNS_SUCCEED:
1337 break;
1338 }
1339
1340/* Scan the reply for well-formed CSA SRV records. */
1341
1342for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1343 rr != NULL;
1344 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1345 {
1346 if (rr->type != T_SRV) continue;
1347
1348 /* Extract the numerical SRV fields (p is incremented) */
1349
1350 p = rr->data;
1351 GETSHORT(priority, p);
1352 GETSHORT(weight, p);
1353 GETSHORT(port, p);
1354
1355 DEBUG(D_acl)
1356 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1357
1358 /* Check the CSA version number */
1359
1360 if (priority != 1) continue;
1361
1362 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1363 found by dns_special_lookup() is a parent of the one we asked for), we check
1364 the subdomain assertions in the port field. At the moment there's only one
1365 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1366 SRV records of their own. */
1367
1368 if (found != domain)
1369 {
1370 if (port & 1)
1371 return t->data.val = CSA_FAIL_EXPLICIT;
1372 else
1373 return t->data.val = CSA_UNKNOWN;
1374 }
1375
1376 /* This CSA SRV record refers directly to our domain, so we check the value
1377 in the weight field to work out the domain's authorization. 0 and 1 are
1378 unauthorized; 3 means the client is authorized but we can't check the IP
1379 address in order to authenticate it, so we treat it as unknown; values
1380 greater than 3 are undefined. */
1381
1382 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1383
1384 if (weight > 2) continue;
1385
1386 /* Weight == 2, which means the domain is authorized. We must check that the
1387 client's IP address is listed as one of the SRV target addresses. Save the
1388 target hostname then break to scan the additional data for its addresses. */
1389
1390 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1391 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1392
1393 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1394
1395 break;
1396 }
1397
1398/* If we didn't break the loop then no appropriate records were found. */
1399
1400if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1401
1402/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1403A target of "." indicates there are no valid addresses, so the client cannot
1404be authorized. (This is an odd configuration because weight=2 target=. is
1405equivalent to weight=1, but we check for it in order to keep load off the
1406root name servers.) Note that dn_expand() turns "." into "". */
1407
1408if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1409
1410/* Scan the additional section of the CSA SRV reply for addresses belonging
1411to the target. If the name server didn't return any additional data (e.g.
1412because it does not fully support SRV records), we need to do another lookup
1413to obtain the target addresses; otherwise we have a definitive result. */
1414
1415rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1416if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1417
1418/* The DNS lookup type corresponds to the IP version used by the client. */
1419
1420#if HAVE_IPV6
1421if (Ustrchr(sender_host_address, ':') != NULL)
1422 type = T_AAAA;
1423else
1424#endif /* HAVE_IPV6 */
1425 type = T_A;
1426
1427
1428#if HAVE_IPV6 && defined(SUPPORT_A6)
1429DNS_LOOKUP_AGAIN:
1430#endif
1431
1432switch (dns_lookup(&dnsa, target, type, NULL))
1433 {
1434 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1435
1436 default:
1437 return t->data.val = CSA_DEFER_ADDR;
1438
1439 /* If the query succeeded, scan the addresses and return the result. */
1440
1441 case DNS_SUCCEED:
1442 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1443 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1444 /* else fall through */
1445
1446 /* If the target has no IP addresses, the client cannot have an authorized
1447 IP address. However, if the target site uses A6 records (not AAAA records)
1448 we have to do yet another lookup in order to check them. */
1449
1450 case DNS_NOMATCH:
1451 case DNS_NODATA:
1452
1453 #if HAVE_IPV6 && defined(SUPPORT_A6)
1454 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1455 #endif
1456
1457 return t->data.val = CSA_FAIL_NOADDR;
1458 }
1459}
1460
1461
1462
059ec3d9
PH		 1463/*************************************************
1464* Handle verification (address & other) *
1465*************************************************/
1466
89583014
JH		 1467enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1468 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
1469 };
1470typedef struct {
1471 uschar * name;
1472 int value;
1473 unsigned where_allowed; /* bitmap */
1474 BOOL no_options; /* Never has /option(s) following */
1475 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1476 } verify_type_t;
1477static verify_type_t verify_type_list[] = {
1478 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, TRUE, 0 },
1479 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1480 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1481 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1482 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1483 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1484 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1485 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1486 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1487 FALSE, 6 },
1488 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
1489 };
1490
1491
1492enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1493 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1494 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1495 CALLOUT_TIME
1496 };
1497typedef struct {
1498 uschar * name;
1499 int value;
1500 int flag;
1501 BOOL has_option; /* Has =option(s) following */
1502 BOOL timeval; /* Has a time value */
1503 } callout_opt_t;
1504static callout_opt_t callout_opt_list[] = {
1505 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1506 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1507 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1508 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1509 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1510 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1511 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1512 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1513 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1514 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1515 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1516 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1517 };
1518
1519
1520
059ec3d9
PH		 1521/* This function implements the "verify" condition. It is called when
1522encountered in any ACL, because some tests are almost always permitted. Some
1523just don't make sense, and always fail (for example, an attempt to test a host
1524lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1525
1526Arguments:
1527 where where called from
1528 addr the recipient address that the ACL is handling, or NULL
1529 arg the argument of "verify"
1530 user_msgptr pointer for user message
1531 log_msgptr pointer for log message
1532 basic_errno where to put verify errno
1533
1534Returns: OK verification condition succeeded
1535 FAIL verification failed
1536 DEFER there was a problem verifying
1537 ERROR syntax error
1538*/
1539
1540static int
1541acl_verify(int where, address_item *addr, uschar *arg,
1542 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1543{
1544int sep = '/';
1545int callout = -1;
1546int callout_overall = -1;
4deaf07d 1547int callout_connect = -1;
059ec3d9
PH		 1548int verify_options = 0;
1549int rc;
1550BOOL verify_header_sender = FALSE;
1551BOOL defer_ok = FALSE;
1552BOOL callout_defer_ok = FALSE;
1553BOOL no_details = FALSE;
eafd343b 1554BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1555address_item *sender_vaddr = NULL;
1556uschar *verify_sender_address = NULL;
1557uschar *pm_mailfrom = NULL;
1558uschar *se_mailfrom = NULL;
596875b3
PH		 1559
1560/* Some of the verify items have slash-separated options; some do not. Diagnose
89583014 1561an error if options are given for items that don't expect them.
596875b3
PH		 1562*/
1563
1564uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1565uschar *list = arg;
1566uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
89583014 1567verify_type_t * vp;
059ec3d9
PH		 1568
1569if (ss == NULL) goto BAD_VERIFY;
1570
1571/* Handle name/address consistency verification in a separate function. */
1572
89583014
JH		 1573for (vp= verify_type_list;
1574 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1575 vp++
1576 )
1577 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1578 : strcmpic (ss, vp->name) == 0)
1579 break;
1580if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1581 goto BAD_VERIFY;
1582
1583if (vp->no_options && slash != NULL)
059ec3d9 1584 {
89583014
JH		 1585 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1586 "(this verify item has no options)", arg);
1587 return ERROR;
059ec3d9 1588 }
89583014 1589if (!(vp->where_allowed & (1<<where)))
059ec3d9 1590 {
89583014
JH		 1591 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1592 return ERROR;
059ec3d9 1593 }
89583014 1594switch(vp->value)
596875b3 1595 {
89583014
JH		 1596 case VERIFY_REV_HOST_LKUP:
1597 if (sender_host_address == NULL) return OK;
1598 return acl_verify_reverse(user_msgptr, log_msgptr);
059ec3d9 1599
89583014
JH		 1600 case VERIFY_CERT:
1601 /* TLS certificate verification is done at STARTTLS time; here we just
1602 test whether it was successful or not. (This is for optional verification; for
1603 mandatory verification, the connection doesn't last this long.) */
e5a9dba6 1604
89583014
JH		 1605 if (tls_certificate_verified) return OK;
1606 *user_msgptr = US"no verified certificate";
1607 return FAIL;
e5a9dba6 1608
89583014
JH		 1609 case VERIFY_HELO:
1610 /* We can test the result of optional HELO verification that might have
1611 occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1612
89583014
JH		 1613 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1614 return helo_verified? OK : FAIL;
059ec3d9 1615
89583014
JH		 1616 case VERIFY_CSA:
1617 /* Do Client SMTP Authorization checks in a separate function, and turn the
1618 result code into user-friendly strings. */
1c41c9cc 1619
89583014
JH		 1620 rc = acl_verify_csa(list);
1621 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1622 csa_reason_string[rc]);
1623 csa_status = csa_status_string[rc];
1624 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1625 return csa_return_code[rc];
1626
1627 case VERIFY_HDR_SYNTAX:
1628 /* Check that all relevant header lines have the correct syntax. If there is
1629 a syntax error, we return details of the error to the sender if configured to
1630 send out full details. (But a "message" setting on the ACL can override, as
1631 always). */
1632
1633 rc = verify_check_headers(log_msgptr);
1634 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1c41c9cc 1635 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
89583014 1636 return rc;
059ec3d9 1637
89583014
JH		 1638 case VERIFY_NOT_BLIND:
1639 /* Check that no recipient of this message is "blind", that is, every envelope
1640 recipient must be mentioned in either To: or Cc:. */
059ec3d9 1641
89583014
JH		 1642 rc = verify_check_notblind();
1643 if (rc != OK)
1644 {
1645 *log_msgptr = string_sprintf("bcc recipient detected");
1646 if (smtp_return_error_details)
1647 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1648 }
1649 return rc;
059ec3d9 1650
89583014
JH		 1651 /* The remaining verification tests check recipient and sender addresses,
1652 either from the envelope or from the header. There are a number of
1653 slash-separated options that are common to all of them. */
059ec3d9 1654
89583014
JH		 1655 case VERIFY_HDR_SNDR:
1656 verify_header_sender = TRUE;
1657 break;
059ec3d9 1658
89583014
JH		 1659 case VERIFY_SNDR:
1660 /* In the case of a sender, this can optionally be followed by an address to use
1661 in place of the actual sender (rare special-case requirement). */
059ec3d9 1662 {
89583014
JH		 1663 uschar *s = ss + 6;
1664 if (*s == 0)
1665 verify_sender_address = sender_address;
1666 else
1667 {
1668 while (isspace(*s)) s++;
1669 if (*s++ != '=') goto BAD_VERIFY;
1670 while (isspace(*s)) s++;
1671 verify_sender_address = string_copy(s);
1672 }
059ec3d9 1673 }
89583014
JH		 1674 break;
1675
1676 case VERIFY_RCPT:
1677 break;
059ec3d9
PH		 1678 }
1679
89583014
JH		 1680
1681
596875b3
PH		 1682/* Remaining items are optional; they apply to sender and recipient
1683verification, including "header sender" verification. */
059ec3d9
PH		 1684
1685while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1686 != NULL)
1687 {
1688 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1689 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1690 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1691
1692 /* These two old options are left for backwards compatibility */
1693
1694 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1695 {
1696 callout_defer_ok = TRUE;
1697 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1698 }
1699
1700 else if (strcmpic(ss, US"check_postmaster") == 0)
1701 {
1702 pm_mailfrom = US"";
1703 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1704 }
1705
1706 /* The callout option has a number of sub-options, comma separated */
1707
1708 else if (strncmpic(ss, US"callout", 7) == 0)
1709 {
1710 callout = CALLOUT_TIMEOUT_DEFAULT;
1711 ss += 7;
1712 if (*ss != 0)
1713 {
1714 while (isspace(*ss)) ss++;
1715 if (*ss++ == '=')
1716 {
1717 int optsep = ',';
1718 uschar *opt;
1719 uschar buffer[256];
1720 while (isspace(*ss)) ss++;
8e669ac1 1721
059ec3d9
PH		 1722 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1723 != NULL)
1724 {
89583014 1725 callout_opt_t * op;
438257ba 1726 double period = 1.0F;
059ec3d9 1727
89583014 1728 for (op= callout_opt_list; op->name; op++)
438257ba 1729 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
89583014 1730 break;
059ec3d9 1731
89583014
JH		 1732 verify_options |= op->flag;
1733 if (op->has_option)
1734 {
438257ba 1735 opt += Ustrlen(op->name);
4deaf07d
PH		 1736 while (isspace(*opt)) opt++;
1737 if (*opt++ != '=')
1738 {
1739 *log_msgptr = string_sprintf("'=' expected after "
89583014 1740 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
4deaf07d
PH		 1741 return ERROR;
1742 }
1743 while (isspace(*opt)) opt++;
89583014
JH		 1744 }
1745 if (op->timeval)
1746 {
1747 period = readconf_readtime(opt, 0, FALSE);
1748 if (period < 0)
4deaf07d
PH		 1749 {
1750 *log_msgptr = string_sprintf("bad time value in ACL condition "
1751 "\"verify %s\"", arg);
1752 return ERROR;
1753 }
89583014
JH		 1754 }
1755
1756 switch(op->value)
1757 {
1758 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1759 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1760 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1761 case CALLOUT_MAILFROM:
1762 if (!verify_header_sender)
1763 {
1764 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1765 "callout option only for verify=header_sender (detected in ACL "
1766 "condition \"%s\")", arg);
1767 return ERROR;
1768 }
1769 se_mailfrom = string_copy(opt);
1770 break;
1771 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1772 case CALLOUT_MAXWAIT: callout_overall = period; break;
1773 case CALLOUT_CONNECT: callout_connect = period; break;
1774 case CALLOUT_TIME: callout = period; break;
1775 }
059ec3d9
PH		 1776 }
1777 }
1778 else
1779 {
1780 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1781 "ACL condition \"%s\"", arg);
1782 return ERROR;
1783 }
1784 }
1785 }
1786
1787 /* Option not recognized */
1788
1789 else
1790 {
1791 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1792 "condition \"verify %s\"", ss, arg);
1793 return ERROR;
1794 }
1795 }
1796
1797if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1798 (vopt_callout_recipsender|vopt_callout_recippmaster))
1799 {
1800 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1801 "for a recipient callout";
1802 return ERROR;
1803 }
1804
1805/* Handle sender-in-header verification. Default the user message to the log
1806message if giving out verification details. */
1807
1808if (verify_header_sender)
1809 {
8e669ac1 1810 int verrno;
059ec3d9 1811 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1812 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1813 &verrno);
1814 if (rc != OK)
8e669ac1 1815 {
fe5b5d0b
PH		 1816 *basic_errno = verrno;
1817 if (smtp_return_error_details)
1818 {
1819 if (*user_msgptr == NULL && *log_msgptr != NULL)
1820 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1821 if (rc == DEFER) acl_temp_details = TRUE;
1822 }
8e669ac1 1823 }
059ec3d9
PH		 1824 }
1825
1826/* Handle a sender address. The default is to verify *the* sender address, but
1827optionally a different address can be given, for special requirements. If the
1828address is empty, we are dealing with a bounce message that has no sender, so
1829we cannot do any checking. If the real sender address gets rewritten during
1830verification (e.g. DNS widening), set the flag to stop it being rewritten again
1831during message reception.
1832
1833A list of verified "sender" addresses is kept to try to avoid doing to much
1834work repetitively when there are multiple recipients in a message and they all
1835require sender verification. However, when callouts are involved, it gets too
1836complicated because different recipients may require different callout options.
1837Therefore, we always do a full sender verify when any kind of callout is
1838specified. Caching elsewhere, for instance in the DNS resolver and in the
1839callout handling, should ensure that this is not terribly inefficient. */
1840
1841else if (verify_sender_address != NULL)
1842 {
1843 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1844 != 0)
1845 {
1846 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1847 "sender verify callout";
1848 return ERROR;
1849 }
1850
1851 sender_vaddr = verify_checked_sender(verify_sender_address);
1852 if (sender_vaddr != NULL && /* Previously checked */
1853 callout <= 0) /* No callout needed this time */
1854 {
1855 /* If the "routed" flag is set, it means that routing worked before, so
1856 this check can give OK (the saved return code value, if set, belongs to a
1857 callout that was done previously). If the "routed" flag is not set, routing
1858 must have failed, so we use the saved return code. */
1859
1860 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1861 {
1862 rc = sender_vaddr->special_action;
1863 *basic_errno = sender_vaddr->basic_errno;
1864 }
1865 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1866 }
1867
1868 /* Do a new verification, and cache the result. The cache is used to avoid
1869 verifying the sender multiple times for multiple RCPTs when callouts are not
1870 specified (see comments above).
1871
1872 The cache is also used on failure to give details in response to the first
1873 RCPT that gets bounced for this reason. However, this can be suppressed by
1874 the no_details option, which sets the flag that says "this detail has already
1875 been sent". The cache normally contains just one address, but there may be
1876 more in esoteric circumstances. */
1877
1878 else
1879 {
1880 BOOL routed = TRUE;
2a3eea10 1881 uschar *save_address_data = deliver_address_data;
8e669ac1 1882
059ec3d9
PH		 1883 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1884 if (no_details) setflag(sender_vaddr, af_sverify_told);
1885 if (verify_sender_address[0] != 0)
1886 {
1887 /* If this is the real sender address, save the unrewritten version
1888 for use later in receive. Otherwise, set a flag so that rewriting the
1889 sender in verify_address() does not update sender_address. */
1890
1891 if (verify_sender_address == sender_address)
1892 sender_address_unrewritten = sender_address;
1893 else
1894 verify_options |= vopt_fake_sender;
1895
eafd343b
TK		 1896 if (success_on_redirect)
1897 verify_options |= vopt_success_on_redirect;
1898
059ec3d9
PH		 1899 /* The recipient, qualify, and expn options are never set in
1900 verify_options. */
1901
1902 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1903 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1904
1905 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1906
1907 if (rc == OK)
1908 {
1909 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1910 {
1911 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1912 verify_sender_address, sender_vaddr->address);
1913 }
1914 else
1915 {
1916 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1917 verify_sender_address);
1918 }
1919 }
1920 else *basic_errno = sender_vaddr->basic_errno;
1921 }
1922 else rc = OK; /* Null sender */
1923
1924 /* Cache the result code */
1925
1926 if (routed) setflag(sender_vaddr, af_verify_routed);
1927 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1928 sender_vaddr->special_action = rc;
1929 sender_vaddr->next = sender_verified_list;
1930 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1931
1932 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1933 the sender verification. */
8e669ac1 1934
2a3eea10 1935 deliver_address_data = save_address_data;
059ec3d9 1936 }
8e669ac1 1937
2a3eea10
PH		 1938 /* Put the sender address_data value into $sender_address_data */
1939
8e669ac1 1940 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1941 }
1942
1943/* A recipient address just gets a straightforward verify; again we must handle
1944the DEFER overrides. */
1945
1946else
1947 {
1948 address_item addr2;
1949
eafd343b
TK		 1950 if (success_on_redirect)
1951 verify_options |= vopt_success_on_redirect;
1952
059ec3d9
PH		 1953 /* We must use a copy of the address for verification, because it might
1954 get rewritten. */
1955
1956 addr2 = *addr;
1957 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1958 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1959 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1960
42855d71 1961 *basic_errno = addr2.basic_errno;
059ec3d9 1962 *log_msgptr = addr2.message;
8e669ac1 1963 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1964 addr2.user_message : addr2.message;
42855d71
PH		 1965
1966 /* Allow details for temporary error if the address is so flagged. */
1967 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH		 1968
1969 /* Make $address_data visible */
1970 deliver_address_data = addr2.p.address_data;
1971 }
1972
1973/* We have a result from the relevant test. Handle defer overrides first. */
1974
1975if (rc == DEFER && (defer_ok ||
1976 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1977 {
1978 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1979 defer_ok? "defer_ok" : "callout_defer_ok");
1980 rc = OK;
1981 }
1982
1983/* If we've failed a sender, set up a recipient message, and point
1984sender_verified_failed to the address item that actually failed. */
1985
1986if (rc != OK && verify_sender_address != NULL)
1987 {
1988 if (rc != DEFER)
1989 {
1990 *log_msgptr = *user_msgptr = US"Sender verify failed";
1991 }
1992 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1993 {
1994 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1995 }
1996 else
1997 {
1998 *log_msgptr = US"Could not complete sender verify callout";
1999 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2000 *log_msgptr;
2001 }
2002
2003 sender_verified_failed = sender_vaddr;
2004 }
2005
2006/* Verifying an address messes up the values of $domain and $local_part,
2007so reset them before returning if this is a RCPT ACL. */
2008
2009if (addr != NULL)
2010 {
2011 deliver_domain = addr->domain;
2012 deliver_localpart = addr->local_part;
2013 }
2014return rc;
2015
2016/* Syntax errors in the verify argument come here. */
2017
2018BAD_VERIFY:
2019*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 2020 "\"helo\", \"header_syntax\", \"header_sender\" or "
2021 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2022 "\"verify %s\"", arg);
2023return ERROR;
2024}
2025
2026
2027
2028
2029/*************************************************
2030* Check argument for control= modifier *
2031*************************************************/
2032
2033/* Called from acl_check_condition() below
2034
2035Arguments:
2036 arg the argument string for control=
2037 pptr set to point to the terminating character
2038 where which ACL we are in
2039 log_msgptr for error messages
2040
2041Returns: CONTROL_xxx value
2042*/
2043
2044static int
2045decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2046{
2047int len;
2048control_def *d;
2049
2050for (d = controls_list;
2051 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2052 d++)
2053 {
2054 len = Ustrlen(d->name);
2055 if (Ustrncmp(d->name, arg, len) == 0) break;
2056 }
2057
2058if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2059 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2060 {
2061 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2062 return CONTROL_ERROR;
2063 }
2064
059ec3d9
PH		 2065*pptr = arg + len;
2066return d->value;
2067}
2068
2069
2070
c99ce5c9
TF		 2071
2072/*************************************************
2073* Return a ratelimit error *
2074*************************************************/
2075
2076/* Called from acl_ratelimit() below
2077
2078Arguments:
2079 log_msgptr for error messages
2080 format format string
2081 ... supplementary arguments
2082 ss ratelimit option name
2083 where ACL_WHERE_xxxx indicating which ACL this is
2084
2085Returns: ERROR
2086*/
2087
2088static int
2089ratelimit_error(uschar **log_msgptr, const char *format, ...)
2090{
2091va_list ap;
2092uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2093va_start(ap, format);
2094if (!string_vformat(buffer, sizeof(buffer), format, ap))
2095 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
438257ba 2096 "string_sprintf expansion was longer than %ld", sizeof(buffer));
c99ce5c9
TF		 2097va_end(ap);
2098*log_msgptr = string_sprintf(
2099 "error in arguments to \"ratelimit\" condition: %s", buffer);
2100return ERROR;
2101}
2102
2103
2104
2105
870f6ba8
TF		 2106/*************************************************
2107* Handle rate limiting *
2108*************************************************/
2109
2110/* Called by acl_check_condition() below to calculate the result
2111of the ACL ratelimit condition.
2112
2113Note that the return value might be slightly unexpected: if the
2114sender's rate is above the limit then the result is OK. This is
2115similar to the dnslists condition, and is so that you can write
2116ACL clauses like: defer ratelimit = 15 / 1h
2117
2118Arguments:
2119 arg the option string for ratelimit=
90fc3069 2120 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2121 log_msgptr for error messages
2122
2123Returns: OK - Sender's rate is above limit
2124 FAIL - Sender's rate is below limit
2125 DEFER - Problem opening ratelimit database
2126 ERROR - Syntax error in options.
2127*/
2128
2129static int
90fc3069 2130acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8 2131{
c99ce5c9 2132double limit, period, count;
8f240103
PH		 2133uschar *ss;
2134uschar *key = NULL;
c99ce5c9 2135uschar *unique = NULL;
870f6ba8 2136int sep = '/';
c99ce5c9
TF		 2137BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2138BOOL noupdate = FALSE, badacl = FALSE;
2139int mode = RATE_PER_WHAT;
870f6ba8
TF		 2140int old_pool, rc;
2141tree_node **anchor, *t;
2142open_db dbblock, *dbm;
c99ce5c9 2143int dbdb_size;
870f6ba8 2144dbdata_ratelimit *dbd;
c99ce5c9 2145dbdata_ratelimit_unique *dbdb;
870f6ba8
TF		 2146struct timeval tv;
2147
2148/* Parse the first two options and record their values in expansion
2149variables. These variables allow the configuration to have informative
2150error messages based on rate limits obtained from a table lookup. */
2151
c99ce5c9 2152/* First is the maximum number of messages per period / maximum burst
870f6ba8
TF		 2153size, which must be greater than or equal to zero. Zero is useful for
2154rate measurement as opposed to rate limiting. */
2155
2156sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2157if (sender_rate_limit == NULL)
2158 limit = -1.0;
2159else
2160 {
2161 limit = Ustrtod(sender_rate_limit, &ss);
2162 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2163 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2164 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2165 }
c99ce5c9
TF		 2166if (limit < 0.0 || *ss != '\0')
2167 return ratelimit_error(log_msgptr,
2168 "\"%s\" is not a positive number", sender_rate_limit);
870f6ba8 2169
c99ce5c9 2170/* Second is the rate measurement period / exponential smoothing time
870f6ba8
TF		 2171constant. This must be strictly greater than zero, because zero leads to
2172run-time division errors. */
2173
2174sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2175if (sender_rate_period == NULL) period = -1.0;
2176else period = readconf_readtime(sender_rate_period, 0, FALSE);
2177if (period <= 0.0)
c99ce5c9
TF		 2178 return ratelimit_error(log_msgptr,
2179 "\"%s\" is not a time value", sender_rate_period);
2180
2181/* By default we are counting one of something, but the per_rcpt,
2182per_byte, and count options can change this. */
2183
2184count = 1.0;
870f6ba8 2185
c99ce5c9 2186/* Parse the other options. */
870f6ba8
TF		 2187
2188while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2189 != NULL)
2190 {
2191 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2192 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2193 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
c99ce5c9
TF		 2194 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2195 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2196 else if (strcmpic(ss, US"per_conn") == 0)
2197 {
2198 RATE_SET(mode, PER_CONN);
2199 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2200 badacl = TRUE;
2201 }
2202 else if (strcmpic(ss, US"per_mail") == 0)
2203 {
2204 RATE_SET(mode, PER_MAIL);
2205 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2206 }
2207 else if (strcmpic(ss, US"per_rcpt") == 0)
2208 {
2209 /* If we are running in the RCPT ACL, then we'll count the recipients
2210 one by one, but if we are running when we have accumulated the whole
2211 list then we'll add them all in one batch. */
2212 if (where == ACL_WHERE_RCPT)
2213 RATE_SET(mode, PER_RCPT);
2214 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2215 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2216 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2217 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2218 }
2219 else if (strcmpic(ss, US"per_byte") == 0)
2220 {
2221 /* If we have not yet received the message data and there was no SIZE
2222 declaration on the MAIL comand, then it's safe to just use a value of
2223 zero and let the recorded rate decay as if nothing happened. */
2224 RATE_SET(mode, PER_MAIL);
2225 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2226 else count = message_size < 0 ? 0.0 : (double)message_size;
2227 }
2228 else if (strcmpic(ss, US"per_addr") == 0)
2229 {
2230 RATE_SET(mode, PER_RCPT);
438257ba 2231 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
c99ce5c9
TF		 2232 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2233 }
2234 else if (strncmpic(ss, US"count=", 6) == 0)
2235 {
2236 uschar *e;
2237 count = Ustrtod(ss+6, &e);
2238 if (count < 0.0 || *e != '\0')
2239 return ratelimit_error(log_msgptr,
2240 "\"%s\" is not a positive number", ss);
2241 }
2242 else if (strncmpic(ss, US"unique=", 7) == 0)
2243 unique = string_copy(ss + 7);
2244 else if (key == NULL)
2245 key = string_copy(ss);
2246 else
2247 key = string_sprintf("%s/%s", key, ss);
870f6ba8
TF		 2248 }
2249
c99ce5c9
TF		 2250/* Sanity check. When the badacl flag is set the update mode must either
2251be readonly (which is the default if it is omitted) or, for backwards
2252compatibility, a combination of noupdate and strict or leaky. */
2253
2254if (mode == RATE_PER_CLASH)
2255 return ratelimit_error(log_msgptr, "conflicting per_* options");
2256if (leaky + strict + readonly > 1)
2257 return ratelimit_error(log_msgptr, "conflicting update modes");
2258if (badacl && (leaky || strict) && !noupdate)
2259 return ratelimit_error(log_msgptr,
2260 "\"%s\" must not have /leaky or /strict option in %s ACL",
2261 ratelimit_option_string[mode], acl_wherenames[where]);
2262
2263/* Set the default values of any unset options. In readonly mode we
2264perform the rate computation without any increment so that its value
2265decays to eventually allow over-limit senders through. */
2266
2267if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2268if (badacl) readonly = TRUE;
2269if (readonly) count = 0.0;
2270if (!strict && !readonly) leaky = TRUE;
2271if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
870f6ba8 2272
8f240103
PH		 2273/* Create the lookup key. If there is no explicit key, use sender_host_address.
2274If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2275omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2276are added to the key because they alter the meaning of the stored data. */
2277
2278if (key == NULL)
2279 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2280
c99ce5c9 2281key = string_sprintf("%s/%s/%s%s",
8f240103 2282 sender_rate_period,
c99ce5c9
TF		 2283 ratelimit_option_string[mode],
2284 unique == NULL ? "" : "unique/",
8f240103 2285 key);
870f6ba8 2286
c99ce5c9
TF		 2287HDEBUG(D_acl)
2288 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
870f6ba8 2289
8f240103
PH		 2290/* See if we have already computed the rate by looking in the relevant tree.
2291For per-connection rate limiting, store tree nodes and dbdata in the permanent
c99ce5c9
TF		 2292pool so that they survive across resets. In readonly mode we only remember the
2293result for the rest of this command in case a later command changes it. After
2294this bit of logic the code is independent of the per_* mode. */
870f6ba8 2295
870f6ba8
TF		 2296old_pool = store_pool;
2297
c99ce5c9
TF		 2298if (readonly)
2299 anchor = &ratelimiters_cmd;
2300else switch(mode) {
2301case RATE_PER_CONN:
870f6ba8
TF		 2302 anchor = &ratelimiters_conn;
2303 store_pool = POOL_PERM;
c99ce5c9
TF		 2304 break;
2305case RATE_PER_BYTE:
2306case RATE_PER_MAIL:
2307case RATE_PER_ALLRCPTS:
870f6ba8 2308 anchor = &ratelimiters_mail;
c99ce5c9
TF		 2309 break;
2310case RATE_PER_ADDR:
2311case RATE_PER_CMD:
2312case RATE_PER_RCPT:
fe0dab11 2313 anchor = &ratelimiters_cmd;
c99ce5c9
TF		 2314 break;
2315default:
3399bb60 2316 anchor = NULL; /* silence an "unused" complaint */
c99ce5c9
TF		 2317 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2318 "internal ACL error: unknown ratelimit mode %d", mode);
2319 break;
2320}
870f6ba8 2321
c99ce5c9
TF		 2322t = tree_search(*anchor, key);
2323if (t != NULL)
870f6ba8
TF		 2324 {
2325 dbd = t->data.ptr;
2326 /* The following few lines duplicate some of the code below. */
8f240103 2327 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2328 store_pool = old_pool;
2329 sender_rate = string_sprintf("%.1f", dbd->rate);
2330 HDEBUG(D_acl)
2331 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2332 return rc;
2333 }
2334
c99ce5c9
TF		 2335/* We aren't using a pre-computed rate, so get a previously recorded rate
2336from the database, which will be updated and written back if required. */
870f6ba8
TF		 2337
2338dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2339if (dbm == NULL)
2340 {
2341 store_pool = old_pool;
2342 sender_rate = NULL;
2343 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2344 *log_msgptr = US"ratelimit database not available";
2345 return DEFER;
2346 }
c99ce5c9
TF		 2347dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2348dbd = NULL;
870f6ba8
TF		 2349
2350gettimeofday(&tv, NULL);
2351
c99ce5c9
TF		 2352if (dbdb != NULL)
2353 {
2354 /* Locate the basic ratelimit block inside the DB data. */
2355 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2356 dbd = &dbdb->dbd;
2357
2358 /* Forget the old Bloom filter if it is too old, so that we count each
2359 repeating event once per period. We don't simply clear and re-use the old
2360 filter because we want its size to change if the limit changes. Note that
2361 we keep the dbd pointer for copying the rate into the new data block. */
2362
2363 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2364 {
2365 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2366 dbdb = NULL;
2367 }
2368
2369 /* Sanity check. */
2370
2371 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2372 {
2373 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2374 dbdb = NULL;
2375 }
2376 }
2377
2378/* Allocate a new data block if the database lookup failed
2379or the Bloom filter passed its age limit. */
2380
2381if (dbdb == NULL)
2382 {
2383 if (unique == NULL)
2384 {
2385 /* No Bloom filter. This basic ratelimit block is initialized below. */
2386 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2387 dbdb_size = sizeof(*dbd);
2388 dbdb = store_get(dbdb_size);
2389 }
2390 else
2391 {
2392 int extra;
2393 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2394
2395 /* See the long comment below for an explanation of the magic number 2.
2396 The filter has a minimum size in case the rate limit is very small;
2397 this is determined by the definition of dbdata_ratelimit_unique. */
2398
2399 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2400 if (extra < 0) extra = 0;
2401 dbdb_size = sizeof(*dbdb) + extra;
2402 dbdb = store_get(dbdb_size);
2403 dbdb->bloom_epoch = tv.tv_sec;
2404 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2405 memset(dbdb->bloom, 0, dbdb->bloom_size);
2406
2407 /* Preserve any basic ratelimit data (which is our longer-term memory)
2408 by copying it from the discarded block. */
2409
2410 if (dbd != NULL)
2411 {
2412 dbdb->dbd = *dbd;
2413 dbd = &dbdb->dbd;
2414 }
2415 }
2416 }
2417
2418/* If we are counting unique events, find out if this event is new or not.
2419If the client repeats the event during the current period then it should be
2420counted. We skip this code in readonly mode for efficiency, because any
2421changes to the filter will be discarded and because count is already set to
2422zero. */
2423
2424if (unique != NULL && !readonly)
2425 {
2426 /* We identify unique events using a Bloom filter. (You can find my
2427 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2428 With the per_addr option, an "event" is a recipient address, though the
2429 user can use the unique option to define their own events. We only count
2430 an event if we have not seen it before.
2431
2432 We size the filter according to the rate limit, which (in leaky mode)
2433 is the limit on the population of the filter. We allow 16 bits of space
2434 per entry (see the construction code above) and we set (up to) 8 of them
2435 when inserting an element (see the loop below). The probability of a false
2436 positive (an event we have not seen before but which we fail to count) is
2437
2438 size = limit * 16
2439 numhash = 8
2440 allzero = exp(-numhash * pop / size)
2441 = exp(-0.5 * pop / limit)
2442 fpr = pow(1 - allzero, numhash)
2443
2444 For senders at the limit the fpr is 0.06% or 1 in 1700
2445 and for senders at half the limit it is 0.0006% or 1 in 170000
2446
2447 In strict mode the Bloom filter can fill up beyond the normal limit, in
2448 which case the false positive rate will rise. This means that the
2449 measured rate for very fast senders can bogusly drop off after a while.
2450
2451 At twice the limit, the fpr is 2.5% or 1 in 40
2452 At four times the limit, it is 31% or 1 in 3.2
2453
2454 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2455 decay below the limit, and if this is more than one then the Bloom filter
2456 will be discarded before the decay gets that far. The false positive rate
2457 at this threshold is 9.3% or 1 in 10.7. */
2458
2459 BOOL seen;
2460 unsigned n, hash, hinc;
2461 uschar md5sum[16];
2462 md5 md5info;
2463
2464 /* Instead of using eight independent hash values, we combine two values
2465 using the formula h1 + n * h2. This does not harm the Bloom filter's
2466 performance, and means the amount of hash we need is independent of the
2467 number of bits we set in the filter. */
2468
2469 md5_start(&md5info);
2470 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2471 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2472 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2473
2474 /* Scan the bits corresponding to this event. A zero bit means we have
2475 not seen it before. Ensure all bits are set to record this event. */
2476
2477 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2478
2479 seen = TRUE;
2480 for (n = 0; n < 8; n++, hash += hinc)
2481 {
2482 int bit = 1 << (hash % 8);
2483 int byte = (hash / 8) % dbdb->bloom_size;
2484 if ((dbdb->bloom[byte] & bit) == 0)
2485 {
2486 dbdb->bloom[byte] |= bit;
2487 seen = FALSE;
2488 }
2489 }
2490
2491 /* If this event has occurred before, do not count it. */
2492
2493 if (seen)
2494 {
2495 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2496 count = 0.0;
2497 }
2498 else
2499 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2500 }
2501
2502/* If there was no previous ratelimit data block for this key, initialize
2503the new one, otherwise update the block from the database. The initial rate
2504is what would be computed by the code below for an infinite interval. */
2505
870f6ba8
TF		 2506if (dbd == NULL)
2507 {
c99ce5c9
TF		 2508 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2509 dbd = &dbdb->dbd;
870f6ba8
TF		 2510 dbd->time_stamp = tv.tv_sec;
2511 dbd->time_usec = tv.tv_usec;
c99ce5c9 2512 dbd->rate = count;
870f6ba8
TF		 2513 }
2514else
2515 {
2516 /* The smoothed rate is computed using an exponentially weighted moving
2517 average adjusted for variable sampling intervals. The standard EWMA for
2518 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2519 where f() is the measured value and f'() is the smoothed value.
2520
2521 Old data decays out of the smoothed value exponentially, such that data n
2522 samples old is multiplied by a^n. The exponential decay time constant p
2523 is defined such that data p samples old is multiplied by 1/e, which means
2524 that a = exp(-1/p). We can maintain the same time constant for a variable
2525 sampling interval i by using a = exp(-i/p).
2526
2527 The rate we are measuring is messages per period, suitable for directly
2528 comparing with the limit. The average rate between now and the previous
2529 message is period / interval, which we feed into the EWMA as the sample.
2530
2531 It turns out that the number of messages required for the smoothed rate
2532 to reach the limit when they are sent in a burst is equal to the limit.
2533 This can be seen by analysing the value of the smoothed rate after N
2534 messages sent at even intervals. Let k = (1 - a) * p/i
2535
2536 rate_1 = (1 - a) * p/i + a * rate_0
2537 = k + a * rate_0
2538 rate_2 = k + a * rate_1
2539 = k + a * k + a^2 * rate_0
2540 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2541 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2542 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2543 = rate_0 * a^N + p/i * (1 - a^N)
2544
2545 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2546
2547 rate_N = p/i + (rate_0 - p/i) * a^N
2548 a^N = (rate_N - p/i) / (rate_0 - p/i)
2549 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2550 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2551
2552 Numerical analysis of the above equation, setting the computed rate to
2553 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2554 rates, p/i, the number of messages N = limit. So limit serves as both the
2555 maximum rate measured in messages per period, and the maximum number of
2556 messages that can be sent in a fast burst. */
2557
2558 double this_time = (double)tv.tv_sec
2559 + (double)tv.tv_usec / 1000000.0;
2560 double prev_time = (double)dbd->time_stamp
2561 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2562
2563 /* We must avoid division by zero, and deal gracefully with the clock going
2564 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2565 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2566
e5d5a95f
TF		 2567 double interval = this_time - prev_time <= 0.0 ? 1e-9
2568 : this_time - prev_time;
2569
2570 double i_over_p = interval / period;
2571 double a = exp(-i_over_p);
870f6ba8 2572
c99ce5c9
TF		 2573 /* Combine the instantaneous rate (period / interval) with the previous rate
2574 using the smoothing factor a. In order to measure sized events, multiply the
2575 instantaneous rate by the count of bytes or recipients etc. */
2576
870f6ba8
TF		 2577 dbd->time_stamp = tv.tv_sec;
2578 dbd->time_usec = tv.tv_usec;
c99ce5c9
TF		 2579 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2580
2581 /* When events are very widely spaced the computed rate tends towards zero.
2582 Although this is accurate it turns out not to be useful for our purposes,
2583 especially when the first event after a long silence is the start of a spam
2584 run. A more useful model is that the rate for an isolated event should be the
2585 size of the event per the period size, ignoring the lack of events outside
2586 the current period and regardless of where the event falls in the period. So,
2587 if the interval was so long that the calculated rate is unhelpfully small, we
2588 re-intialize the rate. In the absence of higher-rate bursts, the condition
2589 below is true if the interval is greater than the period. */
2590
2591 if (dbd->rate < count) dbd->rate = count;
870f6ba8
TF		 2592 }
2593
c99ce5c9
TF		 2594/* Clients sending at the limit are considered to be over the limit.
2595This matters for edge cases such as a limit of zero, when the client
2596should be completely blocked. */
3348576f 2597
8f240103 2598rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2599
2600/* Update the state if the rate is low or if we are being strict. If we
2601are in leaky mode and the sender's rate is too high, we do not update
2602the recorded rate in order to avoid an over-aggressive sender's retry
c99ce5c9
TF		 2603rate preventing them from getting any email through. If readonly is set,
2604neither leaky nor strict are set, so we do not do any updates. */
870f6ba8 2605
c99ce5c9 2606if ((rc == FAIL && leaky) || strict)
8f240103 2607 {
c99ce5c9 2608 dbfn_write(dbm, key, dbdb, dbdb_size);
8f240103
PH		 2609 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2610 }
2611else
2612 {
2613 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
c99ce5c9 2614 readonly? "readonly mode" : "over the limit, but leaky");
8f240103
PH		 2615 }
2616
870f6ba8
TF		 2617dbfn_close(dbm);
2618
c99ce5c9 2619/* Store the result in the tree for future reference. */
870f6ba8 2620
c99ce5c9
TF		 2621t = store_get(sizeof(tree_node) + Ustrlen(key));
2622t->data.ptr = dbd;
2623Ustrcpy(t->name, key);
2624(void)tree_insertnode(anchor, t);
870f6ba8
TF		 2625
2626/* We create the formatted version of the sender's rate very late in
2627order to ensure that it is done using the correct storage pool. */
2628
2629store_pool = old_pool;
2630sender_rate = string_sprintf("%.1f", dbd->rate);
2631
2632HDEBUG(D_acl)
2633 debug_printf("ratelimit computed rate %s\n", sender_rate);
2634
2635return rc;
2636}
2637
2638
2639
059ec3d9
PH		 2640/*************************************************
2641* Handle conditions/modifiers on an ACL item *
2642*************************************************/
2643
2644/* Called from acl_check() below.
2645
2646Arguments:
2647 verb ACL verb
2648 cb ACL condition block - if NULL, result is OK
2649 where where called from
2650 addr the address being checked for RCPT, or NULL
2651 level the nesting level
2652 epp pointer to pass back TRUE if "endpass" encountered
2653 (applies only to "accept" and "discard")
2654 user_msgptr user message pointer
2655 log_msgptr log message pointer
2656 basic_errno pointer to where to put verify error
2657
2658Returns: OK - all conditions are met
2659 DISCARD - an "acl" condition returned DISCARD - only allowed
2660 for "accept" or "discard" verbs
2661 FAIL - at least one condition fails
2662 FAIL_DROP - an "acl" condition returned FAIL_DROP
2663 DEFER - can't tell at the moment (typically, lookup defer,
2664 but can be temporary callout problem)
2665 ERROR - ERROR from nested ACL or expansion failure or other
2666 error
2667*/
2668
2669static int
2670acl_check_condition(int verb, acl_condition_block *cb, int where,
2671 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2672 uschar **log_msgptr, int *basic_errno)
2673{
2674uschar *user_message = NULL;
2675uschar *log_message = NULL;
ed7f7860
PP		 2676uschar *debug_tag = NULL;
2677uschar *debug_opts = NULL;
91ecef39 2678uschar *p = NULL;
059ec3d9 2679int rc = OK;
8523533c
TK		 2680#ifdef WITH_CONTENT_SCAN
2681int sep = '/';
2682#endif
059ec3d9
PH		 2683
2684for (; cb != NULL; cb = cb->next)
2685 {
2686 uschar *arg;
8e669ac1 2687 int control_type;
059ec3d9
PH		 2688
2689 /* The message and log_message items set up messages to be used in
2690 case of rejection. They are expanded later. */
2691
2692 if (cb->type == ACLC_MESSAGE)
2693 {
2694 user_message = cb->arg;
2695 continue;
2696 }
2697
2698 if (cb->type == ACLC_LOG_MESSAGE)
2699 {
2700 log_message = cb->arg;
2701 continue;
2702 }
2703
2704 /* The endpass "condition" just sets a flag to show it occurred. This is
2705 checked at compile time to be on an "accept" or "discard" item. */
2706
2707 if (cb->type == ACLC_ENDPASS)
2708 {
2709 *epp = TRUE;
2710 continue;
2711 }
2712
2713 /* For other conditions and modifiers, the argument is expanded now for some
2714 of them, but not for all, because expansion happens down in some lower level
2715 checking functions in some cases. */
2716
2717 if (cond_expand_at_top[cb->type])
2718 {
2719 arg = expand_string(cb->arg);
2720 if (arg == NULL)
2721 {
2722 if (expand_string_forcedfail) continue;
2723 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2724 cb->arg, expand_string_message);
2725 return search_find_defer? DEFER : ERROR;
2726 }
2727 }
2728 else arg = cb->arg;
2729
2730 /* Show condition, and expanded condition if it's different */
2731
2732 HDEBUG(D_acl)
2733 {
2734 int lhswidth = 0;
2735 debug_printf("check %s%s %n",
2736 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2737 conditions[cb->type], &lhswidth);
2738
2739 if (cb->type == ACLC_SET)
2740 {
38a0a95f
PH		 2741 debug_printf("acl_%s ", cb->u.varname);
2742 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2743 }
2744
2745 debug_printf("= %s\n", cb->arg);
2746
2747 if (arg != cb->arg)
2748 debug_printf("%.*s= %s\n", lhswidth,
2749 US" ", CS arg);
2750 }
2751
2752 /* Check that this condition makes sense at this time */
2753
2754 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2755 {
2756 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2757 cond_modifiers[cb->type]? "use" : "test",
2758 conditions[cb->type], acl_wherenames[where]);
2759 return ERROR;
2760 }
2761
2762 /* Run the appropriate test for each condition, or take the appropriate
2763 action for the remaining modifiers. */
2764
2765 switch(cb->type)
2766 {
71fafd95
PH		 2767 case ACLC_ADD_HEADER:
2768 setup_header(arg);
2769 break;
2770
059ec3d9
PH		 2771 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2772 "discard" verb. */
71fafd95 2773
059ec3d9
PH		 2774 case ACLC_ACL:
2775 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2776 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2777 {
2778 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2779 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2780 verbs[verb]);
2781 return ERROR;
2782 }
2783 break;
2784
2785 case ACLC_AUTHENTICATED:
2786 rc = (sender_host_authenticated == NULL)? FAIL :
2787 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2788 TRUE, NULL);
2789 break;
2790
71fafd95 2791 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2792 case ACLC_BMI_OPTIN:
2793 {
2794 int old_pool = store_pool;
2795 store_pool = POOL_PERM;
2796 bmi_current_optin = string_copy(arg);
2797 store_pool = old_pool;
2798 }
2799 break;
71fafd95 2800 #endif
8523533c 2801
059ec3d9 2802 case ACLC_CONDITION:
f3766eb5
NM		 2803 /* The true/false parsing here should be kept in sync with that used in
2804 expand.c when dealing with ECOND_BOOL so that we don't have too many
2805 different definitions of what can be a boolean. */
059ec3d9
PH		 2806 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2807 rc = (Uatoi(arg) == 0)? FAIL : OK;
2808 else
2809 rc = (strcmpic(arg, US"no") == 0 ||
2810 strcmpic(arg, US"false") == 0)? FAIL :
2811 (strcmpic(arg, US"yes") == 0 ||
2812 strcmpic(arg, US"true") == 0)? OK : DEFER;
2813 if (rc == DEFER)
2814 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2815 break;
2816
c3611384
PH		 2817 case ACLC_CONTINUE: /* Always succeeds */
2818 break;
2819
059ec3d9 2820 case ACLC_CONTROL:
c5fcb476
PH		 2821 control_type = decode_control(arg, &p, where, log_msgptr);
2822
8523533c 2823 /* Check if this control makes sense at this time */
c5fcb476
PH		 2824
2825 if ((control_forbids[control_type] & (1 << where)) != 0)
2826 {
2827 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2828 controls[control_type], acl_wherenames[where]);
2829 return ERROR;
8e669ac1 2830 }
c5fcb476
PH		 2831
2832 switch(control_type)
059ec3d9 2833 {
c46782ef
PH		 2834 case CONTROL_AUTH_UNADVERTISED:
2835 allow_auth_unadvertised = TRUE;
2836 break;
2837
2838 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2839 case CONTROL_BMI_RUN:
2840 bmi_run = 1;
2841 break;
c46782ef
PH		 2842 #endif
2843
80a47a2c 2844 #ifndef DISABLE_DKIM
f7572e5a 2845 case CONTROL_DKIM_VERIFY:
80a47a2c 2846 dkim_disable_verify = TRUE;
f7572e5a
TK		 2847 break;
2848 #endif
2849
059ec3d9
PH		 2850 case CONTROL_ERROR:
2851 return ERROR;
2852
2853 case CONTROL_CASEFUL_LOCAL_PART:
2854 deliver_localpart = addr->cc_local_part;
2855 break;
2856
2857 case CONTROL_CASELOWER_LOCAL_PART:
2858 deliver_localpart = addr->lc_local_part;
2859 break;
2860
2861 case CONTROL_ENFORCE_SYNC:
2862 smtp_enforce_sync = TRUE;
2863 break;
2864
2865 case CONTROL_NO_ENFORCE_SYNC:
2866 smtp_enforce_sync = FALSE;
2867 break;
2868
c46782ef 2869 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2870 case CONTROL_NO_MBOX_UNSPOOL:
2871 no_mbox_unspool = TRUE;
2872 break;
c46782ef 2873 #endif
8523533c 2874
059ec3d9
PH		 2875 case CONTROL_NO_MULTILINE:
2876 no_multiline_responses = TRUE;
2877 break;
2878
cf8b11a5
PH		 2879 case CONTROL_NO_PIPELINING:
2880 pipelining_enable = FALSE;
2881 break;
2882
047bdd8c
PH		 2883 case CONTROL_NO_DELAY_FLUSH:
2884 disable_delay_flush = TRUE;
2885 break;
2886
4c590bd1
PH		 2887 case CONTROL_NO_CALLOUT_FLUSH:
2888 disable_callout_flush = TRUE;
2889 break;
2890
29aba418 2891 case CONTROL_FAKEDEFER:
8523533c 2892 case CONTROL_FAKEREJECT:
29aba418 2893 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2894 if (*p == '/')
8e669ac1 2895 {
8523533c 2896 uschar *pp = p + 1;
8e669ac1 2897 while (*pp != 0) pp++;
29aba418 2898 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2899 p = pp;
2900 }
2901 else
2902 {
2903 /* Explicitly reset to default string */
29aba418 2904 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2905 }
2906 break;
8523533c 2907
059ec3d9
PH		 2908 case CONTROL_FREEZE:
2909 deliver_freeze = TRUE;
2910 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2911 freeze_tell = freeze_tell_config; /* Reset to configured value */
2912 if (Ustrncmp(p, "/no_tell", 8) == 0)
2913 {
2914 p += 8;
2915 freeze_tell = NULL;
2916 }
2917 if (*p != 0)
2918 {
2919 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2920 return ERROR;
2921 }
059ec3d9
PH		 2922 break;
2923
2924 case CONTROL_QUEUE_ONLY:
2925 queue_only_policy = TRUE;
2926 break;
2927
2928 case CONTROL_SUBMISSION:
87ba3f5f 2929 originator_name = US"";
059ec3d9 2930 submission_mode = TRUE;
69358f02 2931 while (*p == '/')
8e669ac1 2932 {
69358f02
PH		 2933 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2934 {
2935 p += 14;
2936 active_local_sender_retain = TRUE;
8e669ac1
PH		 2937 active_local_from_check = FALSE;
2938 }
69358f02
PH		 2939 else if (Ustrncmp(p, "/domain=", 8) == 0)
2940 {
2941 uschar *pp = p + 8;
8e669ac1 2942 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 2943 submission_domain = string_copyn(p+8, pp-p-8);
2944 p = pp;
2945 }
8857ccfd
PH		 2946 /* The name= option must be last, because it swallows the rest of
2947 the string. */
87ba3f5f
PH		 2948 else if (Ustrncmp(p, "/name=", 6) == 0)
2949 {
2950 uschar *pp = p + 6;
8857ccfd 2951 while (*pp != 0) pp++;
2fe1a124 2952 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 2953 big_buffer, big_buffer_size));
8e669ac1 2954 p = pp;
69358f02 2955 }
8e669ac1
PH		 2956 else break;
2957 }
69358f02 2958 if (*p != 0)
059ec3d9 2959 {
69358f02 2960 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 2961 return ERROR;
2962 }
2963 break;
8800895a 2964
ed7f7860
PP		 2965 case CONTROL_DEBUG:
2966 while (*p == '/')
2967 {
2968 if (Ustrncmp(p, "/tag=", 5) == 0)
2969 {
2970 uschar *pp = p + 5;
2971 while (*pp != '\0' && *pp != '/') pp++;
2972 debug_tag = string_copyn(p+5, pp-p-5);
2973 p = pp;
2974 }
2975 else if (Ustrncmp(p, "/opts=", 6) == 0)
2976 {
2977 uschar *pp = p + 6;
2978 while (*pp != '\0' && *pp != '/') pp++;
2979 debug_opts = string_copyn(p+6, pp-p-6);
2980 p = pp;
2981 }
2982 }
2983 debug_logging_activate(debug_tag, debug_opts);
2984 break;
2985
8800895a
PH		 2986 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2987 suppress_local_fixups = TRUE;
2988 break;
059ec3d9
PH		 2989 }
2990 break;
2991
6a8f9482
TK		 2992 #ifdef EXPERIMENTAL_DCC
2993 case ACLC_DCC:
2994 {
2995 /* Seperate the regular expression and any optional parameters. */
2996 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2997 /* Run the dcc backend. */
2998 rc = dcc_process(&ss);
2999 /* Modify return code based upon the existance of options. */
3000 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3001 != NULL) {
3002 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3003 {
3004 /* FAIL so that the message is passed to the next ACL */
3005 rc = FAIL;
3006 }
3007 }
3008 }
3009 break;
3010 #endif
3011
71fafd95 3012 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3013 case ACLC_DECODE:
3014 rc = mime_decode(&arg);
3015 break;
71fafd95 3016 #endif
8523533c 3017
059ec3d9
PH		 3018 case ACLC_DELAY:
3019 {
3020 int delay = readconf_readtime(arg, 0, FALSE);
3021 if (delay < 0)
3022 {
3023 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3024 "modifier: \"%s\" is not a time value", arg);
3025 return ERROR;
3026 }
3027 else
3028 {
3029 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3030 delay);
3031 if (host_checking)
3032 {
3033 HDEBUG(D_acl)
3034 debug_printf("delay skipped in -bh checking mode\n");
3035 }
010c2d14
PH		 3036
3037 /* It appears to be impossible to detect that a TCP/IP connection has
3038 gone away without reading from it. This means that we cannot shorten
3039 the delay below if the client goes away, because we cannot discover
3040 that the client has closed its end of the connection. (The connection
3041 is actually in a half-closed state, waiting for the server to close its
3042 end.) It would be nice to be able to detect this state, so that the
3043 Exim process is not held up unnecessarily. However, it seems that we
3044 can't. The poll() function does not do the right thing, and in any case
3045 it is not always available.
3046
047bdd8c 3047 NOTE 1: If ever this state of affairs changes, remember that we may be
010c2d14 3048 dealing with stdin/stdout here, in addition to TCP/IP connections.
047bdd8c
PH		 3049 Also, delays may be specified for non-SMTP input, where smtp_out and
3050 smtp_in will be NULL. Whatever is done must work in all cases.
3051
3052 NOTE 2: The added feature of flushing the output before a delay must
3053 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3054 */
010c2d14 3055
8e669ac1 3056 else
86b8287f 3057 {
14f4a80d 3058 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
86b8287f 3059 while (delay > 0) delay = sleep(delay);
8e669ac1 3060 }
059ec3d9
PH		 3061 }
3062 }
3063 break;
3064
71fafd95 3065 #ifdef WITH_OLD_DEMIME
8523533c
TK		 3066 case ACLC_DEMIME:
3067 rc = demime(&arg);
3068 break;
71fafd95 3069 #endif
8523533c 3070
80a47a2c
TK		 3071 #ifndef DISABLE_DKIM
3072 case ACLC_DKIM_SIGNER:
9e5d6b55
TK		 3073 if (dkim_cur_signer != NULL)
3074 rc = match_isinlist(dkim_cur_signer,
80a47a2c 3075 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
80a47a2c 3076 else
80a47a2c 3077 rc = FAIL;
71fafd95
PH		 3078 break;
3079
80a47a2c
TK		 3080 case ACLC_DKIM_STATUS:
3081 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3082 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
71fafd95
PH		 3083 break;
3084 #endif
fb2274d4 3085
059ec3d9
PH		 3086 case ACLC_DNSLISTS:
3087 rc = verify_check_dnsbl(&arg);
3088 break;
3089
3090 case ACLC_DOMAINS:
3091 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3092 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3093 break;
3094
3095 /* The value in tls_cipher is the full cipher name, for example,
3096 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3097 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3098 what may in practice come out of the SSL library - which at the time of
3099 writing is poorly documented. */
3100
3101 case ACLC_ENCRYPTED:
3102 if (tls_cipher == NULL) rc = FAIL; else
3103 {
3104 uschar *endcipher = NULL;
3105 uschar *cipher = Ustrchr(tls_cipher, ':');
3106 if (cipher == NULL) cipher = tls_cipher; else
3107 {
3108 endcipher = Ustrchr(++cipher, ':');
3109 if (endcipher != NULL) *endcipher = 0;
3110 }
3111 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3112 if (endcipher != NULL) *endcipher = ':';
3113 }
3114 break;
3115
3116 /* Use verify_check_this_host() instead of verify_check_host() so that
3117 we can pass over &host_data to catch any looked up data. Once it has been
3118 set, it retains its value so that it's still there if another ACL verb
3119 comes through here and uses the cache. However, we must put it into
3120 permanent store in case it is also expected to be used in a subsequent
3121 message in the same SMTP connection. */
3122
3123 case ACLC_HOSTS:
3124 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3125 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3126 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3127 break;
3128
3129 case ACLC_LOCAL_PARTS:
3130 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3131 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3132 &deliver_localpart_data);
3133 break;
3134
6ea85e9a
PH		 3135 case ACLC_LOG_REJECT_TARGET:
3136 {
3137 int logbits = 0;
3138 int sep = 0;
3139 uschar *s = arg;
3140 uschar *ss;
3141 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3142 != NULL)
3143 {
3144 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3145 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3146 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3147 else
3148 {
3149 logbits |= LOG_MAIN|LOG_REJECT;
3150 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3151 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3152 }
3153 }
3154 log_reject_target = logbits;
3155 }
3156 break;
3157
059ec3d9
PH		 3158 case ACLC_LOGWRITE:
3159 {
3160 int logbits = 0;
3161 uschar *s = arg;
3162 if (*s == ':')
3163 {
3164 s++;
3165 while (*s != ':')
3166 {
3167 if (Ustrncmp(s, "main", 4) == 0)
3168 { logbits |= LOG_MAIN; s += 4; }
3169 else if (Ustrncmp(s, "panic", 5) == 0)
3170 { logbits |= LOG_PANIC; s += 5; }
3171 else if (Ustrncmp(s, "reject", 6) == 0)
3172 { logbits |= LOG_REJECT; s += 6; }
3173 else
3174 {
3175 logbits = LOG_MAIN|LOG_PANIC;
3176 s = string_sprintf(":unknown log name in \"%s\" in "
3177 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3178 }
3179 if (*s == ',') s++;
3180 }
3181 s++;
3182 }
3183 while (isspace(*s)) s++;
6ea85e9a
PH		 3184
3185
059ec3d9
PH		 3186 if (logbits == 0) logbits = LOG_MAIN;
3187 log_write(0, logbits, "%s", string_printing(s));
3188 }
3189 break;
8e669ac1 3190
71fafd95 3191 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3192 case ACLC_MALWARE:
3193 {
6ea85e9a 3194 /* Separate the regular expression and any optional parameters. */
8523533c
TK		 3195 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3196 /* Run the malware backend. */
3197 rc = malware(&ss);
3198 /* Modify return code based upon the existance of options. */
3199 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3200 != NULL) {
3201 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3202 {
3203 /* FAIL so that the message is passed to the next ACL */
3204 rc = FAIL;
3205 }
3206 }
3207 }
3208 break;
3209
3210 case ACLC_MIME_REGEX:
71fafd95 3211 rc = mime_regex(&arg);
8523533c 3212 break;
71fafd95 3213 #endif
059ec3d9 3214
870f6ba8 3215 case ACLC_RATELIMIT:
90fc3069 3216 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 3217 break;
3218
059ec3d9
PH		 3219 case ACLC_RECIPIENTS:
3220 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3221 &recipient_data);
3222 break;
3223
71fafd95
PH		 3224 #ifdef WITH_CONTENT_SCAN
3225 case ACLC_REGEX:
3226 rc = regex(&arg);
8523533c 3227 break;
71fafd95 3228 #endif
8523533c 3229
059ec3d9
PH		 3230 case ACLC_SENDER_DOMAINS:
3231 {
3232 uschar *sdomain;
3233 sdomain = Ustrrchr(sender_address, '@');
3234 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3235 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3236 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3237 }
3238 break;
3239
3240 case ACLC_SENDERS:
3241 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3242 sender_address_cache, -1, 0, &sender_data);
3243 break;
3244
3245 /* Connection variables must persist forever */
3246
3247 case ACLC_SET:
3248 {
3249 int old_pool = store_pool;
38a0a95f
PH		 3250 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3251 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 3252 store_pool = old_pool;
3253 }
3254 break;
3255
71fafd95 3256 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3257 case ACLC_SPAM:
3258 {
3259 /* Seperate the regular expression and any optional parameters. */
3260 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3261 /* Run the spam backend. */
3262 rc = spam(&ss);
3263 /* Modify return code based upon the existance of options. */
3264 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3265 != NULL) {
3266 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3267 {
3268 /* FAIL so that the message is passed to the next ACL */
3269 rc = FAIL;
3270 }
3271 }
3272 }
3273 break;
71fafd95 3274 #endif
8523533c 3275
71fafd95 3276 #ifdef EXPERIMENTAL_SPF
8523533c 3277 case ACLC_SPF:
65a7d8c3
NM		 3278 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3279 break;
3280 case ACLC_SPF_GUESS:
3281 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
8523533c 3282 break;
71fafd95 3283 #endif
8523533c 3284
059ec3d9
PH		 3285 /* If the verb is WARN, discard any user message from verification, because
3286 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3287 only from explicit "message" modifiers. However, put the user message into
3288 $acl_verify_message so it can be used in subsequent conditions or modifiers
3289 (until something changes it). */
059ec3d9
PH		 3290
3291 case ACLC_VERIFY:
3292 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3293 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3294 if (verb == ACL_WARN) *user_msgptr = NULL;
3295 break;
3296
3297 default:
3298 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3299 "condition %d", cb->type);
3300 break;
3301 }
3302
3303 /* If a condition was negated, invert OK/FAIL. */
3304
3305 if (!cond_modifiers[cb->type] && cb->u.negated)
3306 {
3307 if (rc == OK) rc = FAIL;
3308 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3309 }
3310
3311 if (rc != OK) break; /* Conditions loop */
3312 }
3313
3314
3315/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3316handle the values of these modifiers. If there isn't a log message set, we make
3317it the same as the user message.
059ec3d9
PH		 3318
3319"message" is a user message that will be included in an SMTP response. Unless
3320it is empty, it overrides any previously set user message.
3321
3322"log_message" is a non-user message, and it adds to any existing non-user
3323message that is already set.
3324
4e88a19f
PH		 3325Most verbs have but a single return for which the messages are relevant, but
3326for "discard", it's useful to have the log message both when it succeeds and
3327when it fails. For "accept", the message is used in the OK case if there is no
3328"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3329present. */
059ec3d9 3330
4e88a19f
PH		 3331if (*epp && rc == OK) user_message = NULL;
3332
3333if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3334 {
3335 uschar *expmessage;
4e88a19f
PH		 3336 uschar *old_user_msgptr = *user_msgptr;
3337 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3338
3339 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3340 nested ACLs) are always discarded. This also happens for acceptance verbs
3341 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3342 However, the value of an existing message is available in $acl_verify_message
3343 during expansions. */
3344
4e88a19f
PH		 3345 if (verb == ACL_WARN ||
3346 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3347 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3348
3349 if (user_message != NULL)
3350 {
3351 acl_verify_message = old_user_msgptr;
3352 expmessage = expand_string(user_message);
3353 if (expmessage == NULL)
3354 {
3355 if (!expand_string_forcedfail)
3356 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3357 user_message, expand_string_message);
3358 }
3359 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3360 }
3361
3362 if (log_message != NULL)
3363 {
3364 acl_verify_message = old_log_msgptr;
3365 expmessage = expand_string(log_message);
3366 if (expmessage == NULL)
3367 {
3368 if (!expand_string_forcedfail)
3369 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3370 log_message, expand_string_message);
3371 }
3372 else if (expmessage[0] != 0)
3373 {
3374 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3375 string_sprintf("%s: %s", expmessage, *log_msgptr);
3376 }
3377 }
3378
3379 /* If no log message, default it to the user message */
3380
3381 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3382 }
3383
3384acl_verify_message = NULL;
3385return rc;
3386}
3387
3388
3389
3390
3391
3392/*************************************************
3393* Get line from a literal ACL *
3394*************************************************/
3395
3396/* This function is passed to acl_read() in order to extract individual lines
3397of a literal ACL, which we access via static pointers. We can destroy the
3398contents because this is called only once (the compiled ACL is remembered).
3399
3400This code is intended to treat the data in the same way as lines in the main
3401Exim configuration file. That is:
3402
3403 . Leading spaces are ignored.
3404
3405 . A \ at the end of a line is a continuation - trailing spaces after the \
3406 are permitted (this is because I don't believe in making invisible things
3407 significant). Leading spaces on the continued part of a line are ignored.
3408
3409 . Physical lines starting (significantly) with # are totally ignored, and
3410 may appear within a sequence of backslash-continued lines.
3411
3412 . Blank lines are ignored, but will end a sequence of continuations.
3413
3414Arguments: none
3415Returns: a pointer to the next line
3416*/
3417
3418
3419static uschar *acl_text; /* Current pointer in the text */
3420static uschar *acl_text_end; /* Points one past the terminating '0' */
3421
3422
3423static uschar *
3424acl_getline(void)
3425{
3426uschar *yield;
3427
3428/* This loop handles leading blank lines and comments. */
3429
3430for(;;)
3431 {
3432 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3433 if (*acl_text == 0) return NULL; /* No more data */
3434 yield = acl_text; /* Potential data line */
3435
3436 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3437
3438 /* If we hit the end before a newline, we have the whole logical line. If
3439 it's a comment, there's no more data to be given. Otherwise, yield it. */
3440
3441 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3442
3443 /* After reaching a newline, end this loop if the physical line does not
3444 start with '#'. If it does, it's a comment, and the loop continues. */
3445
3446 if (*yield != '#') break;
3447 }
3448
3449/* This loop handles continuations. We know we have some real data, ending in
3450newline. See if there is a continuation marker at the end (ignoring trailing
3451white space). We know that *yield is not white space, so no need to test for
3452cont > yield in the backwards scanning loop. */
3453
3454for(;;)
3455 {
3456 uschar *cont;
3457 for (cont = acl_text - 1; isspace(*cont); cont--);
3458
3459 /* If no continuation follows, we are done. Mark the end of the line and
3460 return it. */
3461
3462 if (*cont != '\\')
3463 {
3464 *acl_text++ = 0;
3465 return yield;
3466 }
3467
3468 /* We have encountered a continuation. Skip over whitespace at the start of
3469 the next line, and indeed the whole of the next line or lines if they are
3470 comment lines. */
3471
3472 for (;;)
3473 {
3474 while (*(++acl_text) == ' ' || *acl_text == '\t');
3475 if (*acl_text != '#') break;
3476 while (*(++acl_text) != 0 && *acl_text != '\n');
3477 }
3478
3479 /* We have the start of a continuation line. Move all the rest of the data
3480 to join onto the previous line, and then find its end. If the end is not a
3481 newline, we are done. Otherwise loop to look for another continuation. */
3482
3483 memmove(cont, acl_text, acl_text_end - acl_text);
3484 acl_text_end -= acl_text - cont;
3485 acl_text = cont;
3486 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3487 if (*acl_text == 0) return yield;
3488 }
3489
3490/* Control does not reach here */
3491}
3492
3493
3494
3495
3496
3497/*************************************************
3498* Check access using an ACL *
3499*************************************************/
3500
3501/* This function is called from address_check. It may recurse via
3502acl_check_condition() - hence the use of a level to stop looping. The ACL is
3503passed as a string which is expanded. A forced failure implies no access check
3504is required. If the result is a single word, it is taken as the name of an ACL
3505which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3506text, complete with newlines, and parsed as such. In both cases, the ACL check
3507is then run. This function uses an auxiliary function for acl_read() to call
3508for reading individual lines of a literal ACL. This is acl_getline(), which
3509appears immediately above.
3510
3511Arguments:
3512 where where called from
3513 addr address item when called from RCPT; otherwise NULL
3514 s the input string; NULL is the same as an empty ACL => DENY
3515 level the nesting level
3516 user_msgptr where to put a user error (for SMTP response)
3517 log_msgptr where to put a logging message (not for SMTP response)
3518
3519Returns: OK access is granted
3520 DISCARD access is apparently granted...
3521 FAIL access is denied
3522 FAIL_DROP access is denied; drop the connection
3523 DEFER can't tell at the moment
3524 ERROR disaster
3525*/
3526
3527static int
3528acl_check_internal(int where, address_item *addr, uschar *s, int level,
3529 uschar **user_msgptr, uschar **log_msgptr)
3530{
3531int fd = -1;
3532acl_block *acl = NULL;
3533uschar *acl_name = US"inline ACL";
3534uschar *ss;
3535
3536/* Catch configuration loops */
3537
3538if (level > 20)
3539 {
3540 *log_msgptr = US"ACL nested too deep: possible loop";
3541 return ERROR;
3542 }
3543
3544if (s == NULL)
3545 {
3546 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3547 return FAIL;
3548 }
3549
3550/* At top level, we expand the incoming string. At lower levels, it has already
3551been expanded as part of condition processing. */
3552
3553if (level == 0)
3554 {
3555 ss = expand_string(s);
3556 if (ss == NULL)
3557 {
3558 if (expand_string_forcedfail) return OK;
3559 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3560 expand_string_message);
3561 return ERROR;
3562 }
3563 }
3564else ss = s;
3565
3566while (isspace(*ss))ss++;
3567
3568/* If we can't find a named ACL, the default is to parse it as an inline one.
3569(Unless it begins with a slash; non-existent files give rise to an error.) */
3570
3571acl_text = ss;
3572
3573/* Handle the case of a string that does not contain any spaces. Look for a
3574named ACL among those read from the configuration, or a previously read file.
3575It is possible that the pointer to the ACL is NULL if the configuration
3576contains a name with no data. If not found, and the text begins with '/',
3577read an ACL from a file, and save it so it can be re-used. */
3578
3579if (Ustrchr(ss, ' ') == NULL)
3580 {
3581 tree_node *t = tree_search(acl_anchor, ss);
3582 if (t != NULL)
3583 {
3584 acl = (acl_block *)(t->data.ptr);
3585 if (acl == NULL)
3586 {
3587 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3588 return FAIL;
3589 }
3590 acl_name = string_sprintf("ACL \"%s\"", ss);
3591 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3592 }
3593
3594 else if (*ss == '/')
3595 {
3596 struct stat statbuf;
3597 fd = Uopen(ss, O_RDONLY, 0);
3598 if (fd < 0)
3599 {
3600 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3601 strerror(errno));
3602 return ERROR;
3603 }
3604
3605 if (fstat(fd, &statbuf) != 0)
3606 {
3607 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3608 strerror(errno));
3609 return ERROR;
3610 }
3611
3612 acl_text = store_get(statbuf.st_size + 1);
3613 acl_text_end = acl_text + statbuf.st_size + 1;
3614
3615 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3616 {
3617 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3618 ss, strerror(errno));
3619 return ERROR;
3620 }
3621 acl_text[statbuf.st_size] = 0;
f1e894f3 3622 (void)close(fd);
059ec3d9
PH		 3623
3624 acl_name = string_sprintf("ACL \"%s\"", ss);
3625 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3626 }
3627 }
3628
3629/* Parse an ACL that is still in text form. If it came from a file, remember it
3630in the ACL tree, having read it into the POOL_PERM store pool so that it
3631persists between multiple messages. */
3632
3633if (acl == NULL)
3634 {
3635 int old_pool = store_pool;
3636 if (fd >= 0) store_pool = POOL_PERM;
3637 acl = acl_read(acl_getline, log_msgptr);
3638 store_pool = old_pool;
3639 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3640 if (fd >= 0)
3641 {
3642 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3643 Ustrcpy(t->name, ss);
3644 t->data.ptr = acl;
3645 (void)tree_insertnode(&acl_anchor, t);
3646 }
3647 }
3648
3649/* Now we have an ACL to use. It's possible it may be NULL. */
3650
3651while (acl != NULL)
3652 {
3653 int cond;
3654 int basic_errno = 0;
3655 BOOL endpass_seen = FALSE;
3656
3657 *log_msgptr = *user_msgptr = NULL;
3658 acl_temp_details = FALSE;
3659
7353285c 3660 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
059ec3d9
PH		 3661 acl->verb != ACL_ACCEPT &&
3662 acl->verb != ACL_WARN)
3663 {
7353285c 3664 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
059ec3d9
PH		 3665 verbs[acl->verb]);
3666 return ERROR;
3667 }
3668
3669 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3670
3671 /* Clear out any search error message from a previous check before testing
3672 this condition. */
3673
3674 search_error_message = NULL;
3675 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3676 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3677
3678 /* Handle special returns: DEFER causes a return except on a WARN verb;
3679 ERROR always causes a return. */
3680
3681 switch (cond)
3682 {
3683 case DEFER:
6968512f 3684 HDEBUG(D_acl) debug_printf("%s: condition test deferred in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3685 if (basic_errno != ERRNO_CALLOUTDEFER)
3686 {
3687 if (search_error_message != NULL && *search_error_message != 0)
3688 *log_msgptr = search_error_message;
3689 if (smtp_return_error_details) acl_temp_details = TRUE;
3690 }
3691 else
3692 {
3693 acl_temp_details = TRUE;
3694 }
3695 if (acl->verb != ACL_WARN) return DEFER;
3696 break;
3697
3698 default: /* Paranoia */
3699 case ERROR:
6968512f 3700 HDEBUG(D_acl) debug_printf("%s: condition test error in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3701 return ERROR;
3702
3703 case OK:
6968512f
JH		 3704 HDEBUG(D_acl) debug_printf("%s: condition test succeeded in %s\n",
3705 verbs[acl->verb], acl_name);
059ec3d9
PH		 3706 break;
3707
3708 case FAIL:
6968512f 3709 HDEBUG(D_acl) debug_printf("%s: condition test failed in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3710 break;
3711
3712 /* DISCARD and DROP can happen only from a nested ACL condition, and
3713 DISCARD can happen only for an "accept" or "discard" verb. */
3714
3715 case DISCARD:
6968512f
JH		 3716 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\" in %s\n",
3717 verbs[acl->verb], acl_name);
059ec3d9
PH		 3718 break;
3719
3720 case FAIL_DROP:
6968512f
JH		 3721 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\" in %s\n",
3722 verbs[acl->verb], acl_name);
059ec3d9
PH		 3723 break;
3724 }
3725
3726 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3727 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3728 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3729
3730 switch(acl->verb)
3731 {
3732 case ACL_ACCEPT:
3733 if (cond == OK || cond == DISCARD) return cond;
3734 if (endpass_seen)
3735 {
3736 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3737 return cond;
3738 }
3739 break;
3740
3741 case ACL_DEFER:
3742 if (cond == OK)
3743 {
3744 acl_temp_details = TRUE;
3745 return DEFER;
3746 }
3747 break;
3748
3749 case ACL_DENY:
3750 if (cond == OK) return FAIL;
3751 break;
3752
3753 case ACL_DISCARD:
3754 if (cond == OK || cond == DISCARD) return DISCARD;
3755 if (endpass_seen)
3756 {
3757 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3758 return cond;
3759 }
3760 break;
3761
3762 case ACL_DROP:
3763 if (cond == OK) return FAIL_DROP;
3764 break;
3765
3766 case ACL_REQUIRE:
3767 if (cond != OK) return cond;
3768 break;
3769
3770 case ACL_WARN:
3771 if (cond == OK)
3772 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3773 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3774 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3775 "condition test deferred%s%s", host_and_ident(TRUE),
3776 (*log_msgptr == NULL)? US"" : US": ",
3777 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3778 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3779 break;
3780
3781 default:
3782 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3783 acl->verb);
3784 break;
3785 }
3786
3787 /* Pass to the next ACL item */
3788
3789 acl = acl->next;
3790 }
3791
3792/* We have reached the end of the ACL. This is an implicit DENY. */
3793
3794HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3795return FAIL;
3796}
3797
3798
3799/*************************************************
3800* Check access using an ACL *
3801*************************************************/
3802
3803/* This is the external interface for ACL checks. It sets up an address and the
3804expansions for $domain and $local_part when called after RCPT, then calls
3805acl_check_internal() to do the actual work.
3806
3807Arguments:
3808 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3809 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3810 s the input string; NULL is the same as an empty ACL => DENY
3811 user_msgptr where to put a user error (for SMTP response)
3812 log_msgptr where to put a logging message (not for SMTP response)
3813
3814Returns: OK access is granted by an ACCEPT verb
3815 DISCARD access is granted by a DISCARD verb
3816 FAIL access is denied
3817 FAIL_DROP access is denied; drop the connection
3818 DEFER can't tell at the moment
3819 ERROR disaster
3820*/
3821
3822int
64ffc24f 3823acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3824 uschar **log_msgptr)
3825{
3826int rc;
3827address_item adb;
64ffc24f 3828address_item *addr = NULL;
059ec3d9
PH		 3829
3830*user_msgptr = *log_msgptr = NULL;
3831sender_verified_failed = NULL;
fe0dab11 3832ratelimiters_cmd = NULL;
6ea85e9a 3833log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9
PH		 3834
3835if (where == ACL_WHERE_RCPT)
3836 {
3837 adb = address_defaults;
3838 addr = &adb;
64ffc24f 3839 addr->address = recipient;
059ec3d9
PH		 3840 if (deliver_split_address(addr) == DEFER)
3841 {
3842 *log_msgptr = US"defer in percent_hack_domains check";
3843 return DEFER;
3844 }
3845 deliver_domain = addr->domain;
3846 deliver_localpart = addr->local_part;
3847 }
059ec3d9
PH		 3848
3849rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3850
64ffc24f
PH		 3851deliver_domain = deliver_localpart = deliver_address_data =
3852 sender_address_data = NULL;
059ec3d9
PH		 3853
3854/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3855ACL, which is really in the middle of an SMTP command. */
3856
3857if (rc == DISCARD)
3858 {
3859 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3860 {
3861 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3862 "ACL", acl_wherenames[where]);
3863 return ERROR;
3864 }
3865 return DISCARD;
3866 }
3867
3868/* A DROP response is not permitted from MAILAUTH */
3869
3870if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3871 {
3872 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3873 "ACL", acl_wherenames[where]);
3874 return ERROR;
3875 }
3876
4e88a19f
PH		 3877/* Before giving a response, take a look at the length of any user message, and
3878split it up into multiple lines if possible. */
059ec3d9 3879
e28326d8
PH		 3880*user_msgptr = string_split_message(*user_msgptr);
3881if (fake_response != OK)
3882 fake_response_text = string_split_message(fake_response_text);
059ec3d9
PH		 3883
3884return rc;
3885}
3886
38a0a95f
PH		 3887
3888
3889/*************************************************
3890* Create ACL variable *
3891*************************************************/
3892
3893/* Create an ACL variable or reuse an existing one. ACL variables are in a
3894binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3895
3896Argument:
3897 name pointer to the variable's name, starting with c or m
3898
3899Returns the pointer to variable's tree node
3900*/
3901
3902tree_node *
3903acl_var_create(uschar *name)
3904{
3905tree_node *node, **root;
3906root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3907node = tree_search(*root, name);
3908if (node == NULL)
3909 {
3910 node = store_get(sizeof(tree_node) + Ustrlen(name));
3911 Ustrcpy(node->name, name);
3912 (void)tree_insertnode(root, node);
3913 }
3914node->data.ptr = NULL;
3915return node;
3916}
3917
3918
3919
3920/*************************************************
3921* Write an ACL variable in spool format *
3922*************************************************/
3923
3924/* This function is used as a callback for tree_walk when writing variables to
3925the spool file. To retain spool file compatibility, what is written is -aclc or
3926-aclm followed by the rest of the name and the data length, space separated,
3927then the value itself, starting on a new line, and terminated by an additional
3928newline. When we had only numbered ACL variables, the first line might look
3929like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3930acl_cfoo.
3931
3932Arguments:
3933 name of the variable
3934 value of the variable
3935 ctx FILE pointer (as a void pointer)
3936
3937Returns: nothing
3938*/
3939
3940void
3941acl_var_write(uschar *name, uschar *value, void *ctx)
3942{
3943FILE *f = (FILE *)ctx;
3944fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
3945}
3946
059ec3d9 3947/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.