(1) New Wish. (2) Typo and tabs in FAQ source.
[exim.git] / src / src / acl.c
CommitLineData
475fe28a 1/* $Cambridge: exim/src/src/acl.c,v 1.28 2005/04/06 14:03:53 ph10 Exp $ */
059ec3d9
PH
2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
c988f1f4 7/* Copyright (c) University of Cambridge 1995 - 2005 */
059ec3d9
PH
8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
35follows. */
36
8523533c
TK
37enum { ACLC_ACL, ACLC_AUTHENTICATED,
38#ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40#endif
41ACLC_CONDITION, ACLC_CONTROL,
42#ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44#endif
45 ACLC_DELAY,
46#ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
8e669ac1 48#endif
fb2274d4
TK
49#ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
51 ACLC_DK_POLICY,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
54 ACLC_DK_SENDERS,
55 ACLC_DK_STATUS,
56#endif
8523533c
TK
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59#ifdef WITH_CONTENT_SCAN
60 ACLC_MALWARE,
61#endif
62 ACLC_MESSAGE,
63#ifdef WITH_CONTENT_SCAN
64 ACLC_MIME_REGEX,
65#endif
66 ACLC_RECIPIENTS,
67#ifdef WITH_CONTENT_SCAN
68 ACLC_REGEX,
69#endif
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71#ifdef WITH_CONTENT_SCAN
8e669ac1 72 ACLC_SPAM,
8523533c
TK
73#endif
74#ifdef EXPERIMENTAL_SPF
75 ACLC_SPF,
76#endif
77 ACLC_VERIFY };
059ec3d9
PH
78
79/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80"log_message", "logwrite", and "set" are modifiers that look like conditions
81but always return TRUE. They are used for their side effects. */
82
8523533c
TK
83static uschar *conditions[] = { US"acl", US"authenticated",
84#ifdef EXPERIMENTAL_BRIGHTMAIL
85 US"bmi_optin",
86#endif
87 US"condition",
8e669ac1 88 US"control",
8523533c
TK
89#ifdef WITH_CONTENT_SCAN
90 US"decode",
91#endif
92 US"delay",
93#ifdef WITH_OLD_DEMIME
94 US"demime",
95#endif
fb2274d4 96#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH
97 US"dk_domain_source",
98 US"dk_policy",
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
101 US"dk_senders",
102 US"dk_status",
fb2274d4 103#endif
8523533c 104 US"dnslists", US"domains", US"encrypted",
059ec3d9 105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
8523533c
TK
106#ifdef WITH_CONTENT_SCAN
107 US"malware",
108#endif
109 US"message",
110#ifdef WITH_CONTENT_SCAN
111 US"mime_regex",
112#endif
113 US"recipients",
114#ifdef WITH_CONTENT_SCAN
115 US"regex",
116#endif
117 US"sender_domains", US"senders", US"set",
118#ifdef WITH_CONTENT_SCAN
119 US"spam",
120#endif
121#ifdef EXPERIMENTAL_SPF
122 US"spf",
123#endif
059ec3d9 124 US"verify" };
8e669ac1 125
c5fcb476
PH
126/* ACL control names */
127
128static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
8e669ac1 130 US"queue_only", US"submission", US"no_multiline"};
059ec3d9
PH
131
132/* Flags to indicate for which conditions /modifiers a string expansion is done
133at the outer level. In the other cases, expansion already occurs in the
134checking functions. */
135
136static uschar cond_expand_at_top[] = {
137 TRUE, /* acl */
138 FALSE, /* authenticated */
8523533c
TK
139#ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
8e669ac1 141#endif
059ec3d9
PH
142 TRUE, /* condition */
143 TRUE, /* control */
8523533c
TK
144#ifdef WITH_CONTENT_SCAN
145 TRUE, /* decode */
146#endif
059ec3d9 147 TRUE, /* delay */
8523533c
TK
148#ifdef WITH_OLD_DEMIME
149 TRUE, /* demime */
150#endif
fb2274d4 151#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH
152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
e715ad22 155 TRUE, /* dk_sender_local_parts */
7f45268c
PH
156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
fb2274d4 158#endif
059ec3d9
PH
159 TRUE, /* dnslists */
160 FALSE, /* domains */
161 FALSE, /* encrypted */
162 TRUE, /* endpass */
163 FALSE, /* hosts */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
166 TRUE, /* logwrite */
8523533c
TK
167#ifdef WITH_CONTENT_SCAN
168 TRUE, /* malware */
169#endif
059ec3d9 170 TRUE, /* message */
8523533c
TK
171#ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
173#endif
059ec3d9 174 FALSE, /* recipients */
8523533c
TK
175#ifdef WITH_CONTENT_SCAN
176 TRUE, /* regex */
177#endif
059ec3d9
PH
178 FALSE, /* sender_domains */
179 FALSE, /* senders */
180 TRUE, /* set */
8523533c
TK
181#ifdef WITH_CONTENT_SCAN
182 TRUE, /* spam */
183#endif
184#ifdef EXPERIMENTAL_SPF
185 TRUE, /* spf */
186#endif
059ec3d9
PH
187 TRUE /* verify */
188};
189
190/* Flags to identify the modifiers */
191
192static uschar cond_modifiers[] = {
193 FALSE, /* acl */
194 FALSE, /* authenticated */
8523533c
TK
195#ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
8e669ac1 197#endif
059ec3d9
PH
198 FALSE, /* condition */
199 TRUE, /* control */
8523533c
TK
200#ifdef WITH_CONTENT_SCAN
201 FALSE, /* decode */
202#endif
059ec3d9 203 TRUE, /* delay */
8523533c
TK
204#ifdef WITH_OLD_DEMIME
205 FALSE, /* demime */
206#endif
fb2274d4 207#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH
208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
e715ad22 211 FALSE, /* dk_sender_local_parts */
7f45268c
PH
212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
fb2274d4 214#endif
059ec3d9
PH
215 FALSE, /* dnslists */
216 FALSE, /* domains */
217 FALSE, /* encrypted */
218 TRUE, /* endpass */
219 FALSE, /* hosts */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
8523533c
TK
222 TRUE, /* logwrite */
223#ifdef WITH_CONTENT_SCAN
224 FALSE, /* malware */
225#endif
059ec3d9 226 TRUE, /* message */
8523533c
TK
227#ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
229#endif
059ec3d9 230 FALSE, /* recipients */
8523533c
TK
231#ifdef WITH_CONTENT_SCAN
232 FALSE, /* regex */
233#endif
059ec3d9
PH
234 FALSE, /* sender_domains */
235 FALSE, /* senders */
236 TRUE, /* set */
8523533c
TK
237#ifdef WITH_CONTENT_SCAN
238 FALSE, /* spam */
239#endif
240#ifdef EXPERIMENTAL_SPF
241 FALSE, /* spf */
242#endif
059ec3d9
PH
243 FALSE /* verify */
244};
245
c5fcb476 246/* Bit map vector of which conditions are not allowed at certain times. For
2f079f46
PH
247each condition, there's a bitmap of dis-allowed times. For some, it is easier
248to specify the negation of a small number of allowed times. */
059ec3d9
PH
249
250static unsigned int cond_forbids[] = {
251 0, /* acl */
8e669ac1 252
059ec3d9
PH
253 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
254 (1<<ACL_WHERE_HELO),
8e669ac1 255
8523533c 256#ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 257 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK
258 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
259 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 260 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK
261 (1<<ACL_WHERE_MAILAUTH)|
262 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
263 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
264#endif
8e669ac1 265
059ec3d9 266 0, /* condition */
8e669ac1 267
059ec3d9 268 /* Certain types of control are always allowed, so we let it through
2f079f46 269 always and check in the control processing itself. */
8e669ac1 270
059ec3d9 271 0, /* control */
8e669ac1 272
8523533c 273#ifdef WITH_CONTENT_SCAN
2f079f46
PH
274 (unsigned int)
275 ~(1<<ACL_WHERE_MIME), /* decode */
8523533c
TK
276#endif
277
059ec3d9 278 0, /* delay */
8e669ac1 279
f7b63901 280#ifdef WITH_OLD_DEMIME
2f079f46
PH
281 (unsigned int)
282 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
8523533c 283#endif
8e669ac1 284
fb2274d4 285#ifdef EXPERIMENTAL_DOMAINKEYS
2f079f46 286 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK
287 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
288 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
289 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
290 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
291 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
292 (1<<ACL_WHERE_VRFY),
84330b7b 293
2f079f46 294 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK
295 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
296 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
297 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
298 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
299 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
300 (1<<ACL_WHERE_VRFY),
84330b7b 301
2f079f46 302 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK
303 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
304 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
305 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
306 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
307 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
308 (1<<ACL_WHERE_VRFY),
84330b7b 309
2f079f46 310 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK
311 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
312 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
313 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
314 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
315 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
316 (1<<ACL_WHERE_VRFY),
84330b7b 317
2f079f46 318 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK
319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
324 (1<<ACL_WHERE_VRFY),
84330b7b 325
2f079f46 326 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK
327 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
328 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
329 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
330 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
331 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
332 (1<<ACL_WHERE_VRFY),
333#endif
334
059ec3d9
PH
335 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
336
2f079f46
PH
337 (unsigned int)
338 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9
PH
339
340 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
341 (1<<ACL_WHERE_HELO),
8e669ac1 342
059ec3d9 343 0, /* endpass */
8e669ac1 344
059ec3d9
PH
345 (1<<ACL_WHERE_NOTSMTP), /* hosts */
346
2f079f46
PH
347 (unsigned int)
348 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH
349
350 0, /* log_message */
8e669ac1 351
059ec3d9 352 0, /* logwrite */
8e669ac1 353
8523533c 354#ifdef WITH_CONTENT_SCAN
2f079f46
PH
355 (unsigned int)
356 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
8523533c
TK
357#endif
358
059ec3d9
PH
359 0, /* message */
360
8523533c 361#ifdef WITH_CONTENT_SCAN
2f079f46
PH
362 (unsigned int)
363 ~(1<<ACL_WHERE_MIME), /* mime_regex */
8523533c
TK
364#endif
365
2f079f46
PH
366 (unsigned int)
367 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 368
8523533c 369#ifdef WITH_CONTENT_SCAN
2f079f46
PH
370 (unsigned int)
371 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
372 (1<<ACL_WHERE_MIME)),
8523533c
TK
373#endif
374
059ec3d9
PH
375 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
376 (1<<ACL_WHERE_HELO)|
377 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
378 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
379 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
380
381 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
382 (1<<ACL_WHERE_HELO)|
383 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
384 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
385 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
386
387 0, /* set */
388
8523533c 389#ifdef WITH_CONTENT_SCAN
2f079f46
PH
390 (unsigned int)
391 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
8523533c
TK
392#endif
393
394#ifdef EXPERIMENTAL_SPF
395 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
396 (1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_MAILAUTH)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
400#endif
401
059ec3d9
PH
402 /* Certain types of verify are always allowed, so we let it through
403 always and check in the verify function itself */
404
405 0 /* verify */
059ec3d9
PH
406};
407
408
409/* Return values from decode_control() */
410
8e669ac1 411enum {
8523533c
TK
412#ifdef EXPERIMENTAL_BRIGHTMAIL
413 CONTROL_BMI_RUN,
8e669ac1 414#endif
fb2274d4
TK
415#ifdef EXPERIMENTAL_DOMAINKEYS
416 CONTROL_DK_VERIFY,
417#endif
8523533c 418 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
059ec3d9 419 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
8523533c
TK
420 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
421#ifdef WITH_CONTENT_SCAN
8e669ac1 422 CONTROL_NO_MBOX_UNSPOOL,
8523533c 423#endif
0f9b0483 424 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
059ec3d9 425
c5fcb476
PH
426/* Bit map vector of which controls are not allowed at certain times. For
427each control, there's a bitmap of dis-allowed times. For some, it is easier to
428specify the negation of a small number of allowed times. */
429
430static unsigned int control_forbids[] = {
8523533c
TK
431#ifdef EXPERIMENTAL_BRIGHTMAIL
432 0, /* bmi_run */
433#endif
fb2274d4 434#ifdef EXPERIMENTAL_DOMAINKEYS
e715ad22 435 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
fb2274d4 436#endif
3e11c26b 437
c5fcb476 438 0, /* error */
8e669ac1
PH
439
440 (unsigned int)
c5fcb476 441 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH
442
443 (unsigned int)
c5fcb476 444 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 445
c5fcb476 446 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
8e669ac1 447
c5fcb476 448 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
8e669ac1
PH
449
450 (unsigned int)
c5fcb476
PH
451 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
452 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 453 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH
454
455 (unsigned int)
c5fcb476
PH
456 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
457 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 458 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH
459
460 (unsigned int)
c5fcb476 461 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 462 (1<<ACL_WHERE_PREDATA)),
8523533c
TK
463
464#ifdef WITH_CONTENT_SCAN
8e669ac1 465 (unsigned int)
14d57970 466 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK
467 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
468 (1<<ACL_WHERE_MIME)),
8523533c 469#endif
a6c4ab60 470
8e669ac1 471 (unsigned int)
a6c4ab60 472 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK
473 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
474 (1<<ACL_WHERE_MIME)),
8523533c 475
c5fcb476
PH
476 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
477};
478
479/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH
480
481typedef struct control_def {
482 uschar *name;
483 int value; /* CONTROL_xxx value */
059ec3d9
PH
484 BOOL has_option; /* Has /option(s) following */
485} control_def;
486
487static control_def controls_list[] = {
8523533c
TK
488#ifdef EXPERIMENTAL_BRIGHTMAIL
489 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
490#endif
fb2274d4
TK
491#ifdef EXPERIMENTAL_DOMAINKEYS
492 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
493#endif
c5fcb476
PH
494 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
495 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
496 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
497 { US"freeze", CONTROL_FREEZE, FALSE},
498 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
499 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
500 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
8523533c
TK
501#ifdef WITH_CONTENT_SCAN
502 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
8523533c 503#endif
0f9b0483 504 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
c5fcb476 505 { US"submission", CONTROL_SUBMISSION, TRUE}
059ec3d9
PH
506 };
507
508/* Enable recursion between acl_check_internal() and acl_check_condition() */
509
510static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
511 uschar **);
512
513
514/*************************************************
515* Pick out name from list *
516*************************************************/
517
518/* Use a binary chop method
519
520Arguments:
521 name name to find
522 list list of names
523 end size of list
524
525Returns: offset in list, or -1 if not found
526*/
527
528static int
529acl_checkname(uschar *name, uschar **list, int end)
530{
531int start = 0;
532
533while (start < end)
534 {
535 int mid = (start + end)/2;
536 int c = Ustrcmp(name, list[mid]);
537 if (c == 0) return mid;
538 if (c < 0) end = mid; else start = mid + 1;
539 }
540
541return -1;
542}
543
544
545/*************************************************
546* Read and parse one ACL *
547*************************************************/
548
549/* This function is called both from readconf in order to parse the ACLs in the
550configuration file, and also when an ACL is encountered dynamically (e.g. as
551the result of an expansion). It is given a function to call in order to
552retrieve the lines of the ACL. This function handles skipping comments and
553blank lines (where relevant).
554
555Arguments:
556 func function to get next line of ACL
557 error where to put an error message
558
559Returns: pointer to ACL, or NULL
560 NULL can be legal (empty ACL); in this case error will be NULL
561*/
562
563acl_block *
564acl_read(uschar *(*func)(void), uschar **error)
565{
566acl_block *yield = NULL;
567acl_block **lastp = &yield;
568acl_block *this = NULL;
569acl_condition_block *cond;
570acl_condition_block **condp = NULL;
571uschar *s;
572
573*error = NULL;
574
575while ((s = (*func)()) != NULL)
576 {
577 int v, c;
578 BOOL negated = FALSE;
579 uschar *saveline = s;
580 uschar name[64];
581
582 /* Conditions (but not verbs) are allowed to be negated by an initial
583 exclamation mark. */
584
585 while (isspace(*s)) s++;
586 if (*s == '!')
587 {
588 negated = TRUE;
589 s++;
590 }
591
cf00dad6
PH
592 /* Read the name of a verb or a condition, or the start of a new ACL, which
593 can be started by a name, or by a macro definition. */
059ec3d9
PH
594
595 s = readconf_readname(name, sizeof(name), s);
cf00dad6 596 if (*s == ':' || isupper(name[0] && *s == '=')) return yield;
059ec3d9
PH
597
598 /* If a verb is unrecognized, it may be another condition or modifier that
599 continues the previous verb. */
600
601 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
602 if (v < 0)
603 {
604 if (this == NULL)
605 {
606 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
607 return NULL;
608 }
609 }
610
611 /* New verb */
612
613 else
614 {
615 if (negated)
616 {
617 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
618 return NULL;
619 }
620 this = store_get(sizeof(acl_block));
621 *lastp = this;
622 lastp = &(this->next);
623 this->next = NULL;
624 this->verb = v;
625 this->condition = NULL;
626 condp = &(this->condition);
627 if (*s == 0) continue; /* No condition on this line */
628 if (*s == '!')
629 {
630 negated = TRUE;
631 s++;
632 }
633 s = readconf_readname(name, sizeof(name), s); /* Condition name */
634 }
635
636 /* Handle a condition or modifier. */
637
638 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
639 if (c < 0)
640 {
641 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
642 saveline);
643 return NULL;
644 }
645
646 /* The modifiers may not be negated */
647
648 if (negated && cond_modifiers[c])
649 {
650 *error = string_sprintf("ACL error: negation is not allowed with "
651 "\"%s\"", conditions[c]);
652 return NULL;
653 }
654
655 /* ENDPASS may occur only with ACCEPT or DISCARD. */
656
657 if (c == ACLC_ENDPASS &&
658 this->verb != ACL_ACCEPT &&
659 this->verb != ACL_DISCARD)
660 {
661 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
662 conditions[c], verbs[this->verb]);
663 return NULL;
664 }
665
666 cond = store_get(sizeof(acl_condition_block));
667 cond->next = NULL;
668 cond->type = c;
669 cond->u.negated = negated;
670
671 *condp = cond;
672 condp = &(cond->next);
673
674 /* The "set" modifier is different in that its argument is "name=value"
675 rather than just a value, and we can check the validity of the name, which
676 gives us a variable number to insert into the data block. */
677
678 if (c == ACLC_SET)
679 {
680 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
681 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
682 {
683 *error = string_sprintf("unrecognized name after \"set\" in ACL "
684 "modifier \"set %s\"", s);
685 return NULL;
686 }
687
688 cond->u.varnumber = s[5] - '0';
689 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
690 s += 6;
691 while (isspace(*s)) s++;
692 }
693
694 /* For "set", we are now positioned for the data. For the others, only
695 "endpass" has no data */
696
697 if (c != ACLC_ENDPASS)
698 {
699 if (*s++ != '=')
700 {
701 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
702 cond_modifiers[c]? US"modifier" : US"condition");
703 return NULL;
704 }
705 while (isspace(*s)) s++;
706 cond->arg = string_copy(s);
707 }
708 }
709
710return yield;
711}
712
713
714
715/*************************************************
716* Handle warnings *
717*************************************************/
718
719/* This function is called when a WARN verb's conditions are true. It adds to
720the message's headers, and/or writes information to the log. In each case, this
721only happens once (per message for headers, per connection for log).
722
723Arguments:
724 where ACL_WHERE_xxxx indicating which ACL this is
725 user_message message for adding to headers
726 log_message message for logging, if different
727
728Returns: nothing
729*/
730
731static void
732acl_warn(int where, uschar *user_message, uschar *log_message)
733{
734int hlen;
735
736if (log_message != NULL && log_message != user_message)
737 {
738 uschar *text;
739 string_item *logged;
740
741 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
742 string_printing(log_message));
743
744 /* If a sender verification has failed, and the log message is "sender verify
745 failed", add the failure message. */
746
747 if (sender_verified_failed != NULL &&
748 sender_verified_failed->message != NULL &&
749 strcmpic(log_message, US"sender verify failed") == 0)
750 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
751
752 /* Search previously logged warnings. They are kept in malloc store so they
753 can be freed at the start of a new message. */
754
755 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
756 if (Ustrcmp(logged->text, text) == 0) break;
757
758 if (logged == NULL)
759 {
760 int length = Ustrlen(text) + 1;
761 log_write(0, LOG_MAIN, "%s", text);
762 logged = store_malloc(sizeof(string_item) + length);
763 logged->text = (uschar *)logged + sizeof(string_item);
764 memcpy(logged->text, text, length);
765 logged->next = acl_warn_logged;
766 acl_warn_logged = logged;
767 }
768 }
769
770/* If there's no user message, we are done. */
771
772if (user_message == NULL) return;
773
774/* If this isn't a message ACL, we can't do anything with a user message.
775Log an error. */
776
777if (where > ACL_WHERE_NOTSMTP)
778 {
779 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
780 "found in a non-message (%s) ACL: cannot specify header lines here: "
781 "message ignored", acl_wherenames[where]);
782 return;
783 }
784
785/* Treat the user message as a sequence of one or more header lines. */
786
787hlen = Ustrlen(user_message);
788if (hlen > 0)
789 {
790 uschar *text, *p, *q;
791
792 /* Add a final newline if not present */
793
794 text = ((user_message)[hlen-1] == '\n')? user_message :
795 string_sprintf("%s\n", user_message);
796
797 /* Loop for multiple header lines, taking care about continuations */
798
799 for (p = q = text; *p != 0; )
800 {
801 uschar *s;
802 int newtype = htype_add_bot;
803 header_line **hptr = &acl_warn_headers;
804
805 /* Find next header line within the string */
806
807 for (;;)
808 {
809 q = Ustrchr(q, '\n');
810 if (*(++q) != ' ' && *q != '\t') break;
811 }
812
813 /* If the line starts with a colon, interpret the instruction for where to
814 add it. This temporarily sets up a new type. */
815
816 if (*p == ':')
817 {
818 if (strncmpic(p, US":after_received:", 16) == 0)
819 {
820 newtype = htype_add_rec;
821 p += 16;
822 }
8523533c
TK
823 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
824 {
825 newtype = htype_add_rfc;
826 p += 14;
8e669ac1 827 }
059ec3d9
PH
828 else if (strncmpic(p, US":at_start:", 10) == 0)
829 {
830 newtype = htype_add_top;
831 p += 10;
832 }
833 else if (strncmpic(p, US":at_end:", 8) == 0)
834 {
835 newtype = htype_add_bot;
836 p += 8;
837 }
838 while (*p == ' ' || *p == '\t') p++;
839 }
840
841 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
842 to the front of it. */
843
844 for (s = p; s < q - 1; s++)
845 {
846 if (*s == ':' || !isgraph(*s)) break;
847 }
848
849 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
850 hlen = Ustrlen(s);
851
852 /* See if this line has already been added */
853
854 while (*hptr != NULL)
855 {
856 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
857 hptr = &((*hptr)->next);
858 }
859
860 /* Add if not previously present */
861
862 if (*hptr == NULL)
863 {
864 header_line *h = store_get(sizeof(header_line));
865 h->text = s;
866 h->next = NULL;
867 h->type = newtype;
868 h->slen = hlen;
869 *hptr = h;
870 hptr = &(h->next);
871 }
872
873 /* Advance for next header line within the string */
874
875 p = q;
876 }
877 }
878}
879
880
881
882/*************************************************
883* Verify and check reverse DNS *
884*************************************************/
885
886/* Called from acl_verify() below. We look up the host name(s) of the client IP
887address if this has not yet been done. The host_name_lookup() function checks
888that one of these names resolves to an address list that contains the client IP
889address, so we don't actually have to do the check here.
890
891Arguments:
892 user_msgptr pointer for user message
893 log_msgptr pointer for log message
894
895Returns: OK verification condition succeeded
896 FAIL verification failed
897 DEFER there was a problem verifying
898*/
899
900static int
901acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
902{
903int rc;
904
905user_msgptr = user_msgptr; /* stop compiler warning */
906
907/* Previous success */
908
909if (sender_host_name != NULL) return OK;
910
911/* Previous failure */
912
913if (host_lookup_failed)
914 {
915 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
916 return FAIL;
917 }
918
919/* Need to do a lookup */
920
921HDEBUG(D_acl)
922 debug_printf("looking up host name to force name/address consistency check\n");
923
924if ((rc = host_name_lookup()) != OK)
925 {
926 *log_msgptr = (rc == DEFER)?
927 US"host lookup deferred for reverse lookup check"
928 :
929 string_sprintf("host lookup failed for reverse lookup check%s",
930 host_lookup_msg);
931 return rc; /* DEFER or FAIL */
932 }
933
934host_build_sender_fullhost();
935return OK;
936}
937
938
939
940/*************************************************
941* Handle verification (address & other) *
942*************************************************/
943
944/* This function implements the "verify" condition. It is called when
945encountered in any ACL, because some tests are almost always permitted. Some
946just don't make sense, and always fail (for example, an attempt to test a host
947lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
948
949Arguments:
950 where where called from
951 addr the recipient address that the ACL is handling, or NULL
952 arg the argument of "verify"
953 user_msgptr pointer for user message
954 log_msgptr pointer for log message
955 basic_errno where to put verify errno
956
957Returns: OK verification condition succeeded
958 FAIL verification failed
959 DEFER there was a problem verifying
960 ERROR syntax error
961*/
962
963static int
964acl_verify(int where, address_item *addr, uschar *arg,
965 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
966{
967int sep = '/';
968int callout = -1;
969int callout_overall = -1;
4deaf07d 970int callout_connect = -1;
059ec3d9
PH
971int verify_options = 0;
972int rc;
973BOOL verify_header_sender = FALSE;
974BOOL defer_ok = FALSE;
975BOOL callout_defer_ok = FALSE;
976BOOL no_details = FALSE;
977address_item *sender_vaddr = NULL;
978uschar *verify_sender_address = NULL;
979uschar *pm_mailfrom = NULL;
980uschar *se_mailfrom = NULL;
596875b3
PH
981
982/* Some of the verify items have slash-separated options; some do not. Diagnose
983an error if options are given for items that don't expect them. This code has
984now got very message. Refactoring to use a table would be a good idea one day.
985*/
986
987uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH
988uschar *list = arg;
989uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
990
991if (ss == NULL) goto BAD_VERIFY;
992
993/* Handle name/address consistency verification in a separate function. */
994
995if (strcmpic(ss, US"reverse_host_lookup") == 0)
996 {
596875b3 997 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH
998 if (sender_host_address == NULL) return OK;
999 return acl_verify_reverse(user_msgptr, log_msgptr);
1000 }
1001
1002/* TLS certificate verification is done at STARTTLS time; here we just
1003test whether it was successful or not. (This is for optional verification; for
1004mandatory verification, the connection doesn't last this long.) */
1005
1006if (strcmpic(ss, US"certificate") == 0)
1007 {
596875b3 1008 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH
1009 if (tls_certificate_verified) return OK;
1010 *user_msgptr = US"no verified certificate";
1011 return FAIL;
1012 }
1013
1014/* We can test the result of optional HELO verification */
1015
596875b3
PH
1016if (strcmpic(ss, US"helo") == 0)
1017 {
1018 if (slash != NULL) goto NO_OPTIONS;
1019 return helo_verified? OK : FAIL;
1020 }
059ec3d9 1021
596875b3
PH
1022/* Check that all relevant header lines have the correct syntax. If there is
1023a syntax error, we return details of the error to the sender if configured to
1024send out full details. (But a "message" setting on the ACL can override, as
1025always). */
059ec3d9 1026
596875b3 1027if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1028 {
596875b3 1029 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH
1030 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1031 {
1032 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1033 "(only possible in ACL for DATA)", acl_wherenames[where]);
1034 return ERROR;
1035 }
596875b3
PH
1036 rc = verify_check_headers(log_msgptr);
1037 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1038 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1039 return rc;
1040 }
059ec3d9 1041
059ec3d9 1042
596875b3
PH
1043/* The remaining verification tests check recipient and sender addresses,
1044either from the envelope or from the header. There are a number of
1045slash-separated options that are common to all of them. */
059ec3d9 1046
059ec3d9 1047
596875b3
PH
1048/* Check that there is at least one verifiable sender address in the relevant
1049header lines. This can be followed by callout and defer options, just like
1050sender and recipient. */
059ec3d9 1051
596875b3
PH
1052if (strcmpic(ss, US"header_sender") == 0)
1053 {
1054 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1055 {
1056 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1057 "(only possible in ACL for DATA)", acl_wherenames[where]);
1058 return ERROR;
1059 }
1060 verify_header_sender = TRUE;
059ec3d9
PH
1061 }
1062
1063/* Otherwise, first item in verify argument must be "sender" or "recipient".
1064In the case of a sender, this can optionally be followed by an address to use
1065in place of the actual sender (rare special-case requirement). */
1066
1067else if (strncmpic(ss, US"sender", 6) == 0)
1068 {
1069 uschar *s = ss + 6;
1070 if (where > ACL_WHERE_NOTSMTP)
1071 {
1072 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1073 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1074 acl_wherenames[where]);
1075 return ERROR;
1076 }
1077 if (*s == 0)
1078 verify_sender_address = sender_address;
1079 else
1080 {
1081 while (isspace(*s)) s++;
1082 if (*s++ != '=') goto BAD_VERIFY;
1083 while (isspace(*s)) s++;
1084 verify_sender_address = string_copy(s);
1085 }
1086 }
1087else
1088 {
1089 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1090 if (addr == NULL)
1091 {
1092 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1093 "(only possible for RCPT)", acl_wherenames[where]);
1094 return ERROR;
1095 }
1096 }
1097
596875b3
PH
1098/* Remaining items are optional; they apply to sender and recipient
1099verification, including "header sender" verification. */
059ec3d9
PH
1100
1101while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1102 != NULL)
1103 {
1104 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1105 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1106
1107 /* These two old options are left for backwards compatibility */
1108
1109 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1110 {
1111 callout_defer_ok = TRUE;
1112 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1113 }
1114
1115 else if (strcmpic(ss, US"check_postmaster") == 0)
1116 {
1117 pm_mailfrom = US"";
1118 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1119 }
1120
1121 /* The callout option has a number of sub-options, comma separated */
1122
1123 else if (strncmpic(ss, US"callout", 7) == 0)
1124 {
1125 callout = CALLOUT_TIMEOUT_DEFAULT;
1126 ss += 7;
1127 if (*ss != 0)
1128 {
1129 while (isspace(*ss)) ss++;
1130 if (*ss++ == '=')
1131 {
1132 int optsep = ',';
1133 uschar *opt;
1134 uschar buffer[256];
1135 while (isspace(*ss)) ss++;
8e669ac1
PH
1136
1137 /* This callout option handling code has become a mess as new options
1138 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1139 kind of table-driven thing. */
8e669ac1 1140
059ec3d9
PH
1141 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1142 != NULL)
1143 {
1144 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1145 else if (strcmpic(opt, US"no_cache") == 0)
1146 verify_options |= vopt_callout_no_cache;
1147 else if (strcmpic(opt, US"random") == 0)
1148 verify_options |= vopt_callout_random;
1149 else if (strcmpic(opt, US"use_sender") == 0)
1150 verify_options |= vopt_callout_recipsender;
1151 else if (strcmpic(opt, US"use_postmaster") == 0)
1152 verify_options |= vopt_callout_recippmaster;
1153 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1154
1155 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1156 {
1157 if (!verify_header_sender)
1158 {
1159 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1160 "callout option only for verify=header_sender (detected in ACL "
1161 "condition \"%s\")", arg);
1162 return ERROR;
1163 }
1164 opt += 8;
1165 while (isspace(*opt)) opt++;
1166 if (*opt++ != '=')
1167 {
1168 *log_msgptr = string_sprintf("'=' expected after "
1169 "\"mailfrom\" in ACL condition \"%s\"", arg);
1170 return ERROR;
1171 }
1172 while (isspace(*opt)) opt++;
1173 se_mailfrom = string_copy(opt);
1174 }
1175
1176 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1177 {
1178 opt += 19;
1179 while (isspace(*opt)) opt++;
1180 if (*opt++ != '=')
1181 {
1182 *log_msgptr = string_sprintf("'=' expected after "
1183 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1184 return ERROR;
1185 }
1186 while (isspace(*opt)) opt++;
1187 pm_mailfrom = string_copy(opt);
1188 }
1189
1190 else if (strncmpic(opt, US"maxwait", 7) == 0)
1191 {
1192 opt += 7;
1193 while (isspace(*opt)) opt++;
1194 if (*opt++ != '=')
1195 {
1196 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1197 "ACL condition \"%s\"", arg);
1198 return ERROR;
1199 }
1200 while (isspace(*opt)) opt++;
1201 callout_overall = readconf_readtime(opt, 0, FALSE);
1202 if (callout_overall < 0)
1203 {
1204 *log_msgptr = string_sprintf("bad time value in ACL condition "
1205 "\"verify %s\"", arg);
1206 return ERROR;
1207 }
1208 }
4deaf07d
PH
1209 else if (strncmpic(opt, US"connect", 7) == 0)
1210 {
1211 opt += 7;
1212 while (isspace(*opt)) opt++;
1213 if (*opt++ != '=')
1214 {
1215 *log_msgptr = string_sprintf("'=' expected after "
1216 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1217 return ERROR;
1218 }
1219 while (isspace(*opt)) opt++;
1220 callout_connect = readconf_readtime(opt, 0, FALSE);
1221 if (callout_connect < 0)
1222 {
1223 *log_msgptr = string_sprintf("bad time value in ACL condition "
1224 "\"verify %s\"", arg);
1225 return ERROR;
1226 }
1227 }
059ec3d9
PH
1228 else /* Plain time is callout connect/command timeout */
1229 {
1230 callout = readconf_readtime(opt, 0, FALSE);
1231 if (callout < 0)
1232 {
1233 *log_msgptr = string_sprintf("bad time value in ACL condition "
1234 "\"verify %s\"", arg);
1235 return ERROR;
1236 }
1237 }
1238 }
1239 }
1240 else
1241 {
1242 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1243 "ACL condition \"%s\"", arg);
1244 return ERROR;
1245 }
1246 }
1247 }
1248
1249 /* Option not recognized */
1250
1251 else
1252 {
1253 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1254 "condition \"verify %s\"", ss, arg);
1255 return ERROR;
1256 }
1257 }
1258
1259if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1260 (vopt_callout_recipsender|vopt_callout_recippmaster))
1261 {
1262 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1263 "for a recipient callout";
1264 return ERROR;
1265 }
1266
1267/* Handle sender-in-header verification. Default the user message to the log
1268message if giving out verification details. */
1269
1270if (verify_header_sender)
1271 {
8e669ac1 1272 int verrno;
059ec3d9 1273 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH
1274 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1275 &verrno);
1276 if (rc != OK)
8e669ac1 1277 {
fe5b5d0b
PH
1278 *basic_errno = verrno;
1279 if (smtp_return_error_details)
1280 {
1281 if (*user_msgptr == NULL && *log_msgptr != NULL)
1282 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1283 if (rc == DEFER) acl_temp_details = TRUE;
1284 }
8e669ac1 1285 }
059ec3d9
PH
1286 }
1287
1288/* Handle a sender address. The default is to verify *the* sender address, but
1289optionally a different address can be given, for special requirements. If the
1290address is empty, we are dealing with a bounce message that has no sender, so
1291we cannot do any checking. If the real sender address gets rewritten during
1292verification (e.g. DNS widening), set the flag to stop it being rewritten again
1293during message reception.
1294
1295A list of verified "sender" addresses is kept to try to avoid doing to much
1296work repetitively when there are multiple recipients in a message and they all
1297require sender verification. However, when callouts are involved, it gets too
1298complicated because different recipients may require different callout options.
1299Therefore, we always do a full sender verify when any kind of callout is
1300specified. Caching elsewhere, for instance in the DNS resolver and in the
1301callout handling, should ensure that this is not terribly inefficient. */
1302
1303else if (verify_sender_address != NULL)
1304 {
1305 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1306 != 0)
1307 {
1308 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1309 "sender verify callout";
1310 return ERROR;
1311 }
1312
1313 sender_vaddr = verify_checked_sender(verify_sender_address);
1314 if (sender_vaddr != NULL && /* Previously checked */
1315 callout <= 0) /* No callout needed this time */
1316 {
1317 /* If the "routed" flag is set, it means that routing worked before, so
1318 this check can give OK (the saved return code value, if set, belongs to a
1319 callout that was done previously). If the "routed" flag is not set, routing
1320 must have failed, so we use the saved return code. */
1321
1322 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1323 {
1324 rc = sender_vaddr->special_action;
1325 *basic_errno = sender_vaddr->basic_errno;
1326 }
1327 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1328 }
1329
1330 /* Do a new verification, and cache the result. The cache is used to avoid
1331 verifying the sender multiple times for multiple RCPTs when callouts are not
1332 specified (see comments above).
1333
1334 The cache is also used on failure to give details in response to the first
1335 RCPT that gets bounced for this reason. However, this can be suppressed by
1336 the no_details option, which sets the flag that says "this detail has already
1337 been sent". The cache normally contains just one address, but there may be
1338 more in esoteric circumstances. */
1339
1340 else
1341 {
1342 BOOL routed = TRUE;
2a3eea10 1343 uschar *save_address_data = deliver_address_data;
8e669ac1 1344
059ec3d9
PH
1345 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1346 if (no_details) setflag(sender_vaddr, af_sverify_told);
1347 if (verify_sender_address[0] != 0)
1348 {
1349 /* If this is the real sender address, save the unrewritten version
1350 for use later in receive. Otherwise, set a flag so that rewriting the
1351 sender in verify_address() does not update sender_address. */
1352
1353 if (verify_sender_address == sender_address)
1354 sender_address_unrewritten = sender_address;
1355 else
1356 verify_options |= vopt_fake_sender;
1357
1358 /* The recipient, qualify, and expn options are never set in
1359 verify_options. */
1360
1361 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1362 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH
1363
1364 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1365
1366 if (rc == OK)
1367 {
1368 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1369 {
1370 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1371 verify_sender_address, sender_vaddr->address);
1372 }
1373 else
1374 {
1375 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1376 verify_sender_address);
1377 }
1378 }
1379 else *basic_errno = sender_vaddr->basic_errno;
1380 }
1381 else rc = OK; /* Null sender */
1382
1383 /* Cache the result code */
1384
1385 if (routed) setflag(sender_vaddr, af_verify_routed);
1386 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1387 sender_vaddr->special_action = rc;
1388 sender_vaddr->next = sender_verified_list;
1389 sender_verified_list = sender_vaddr;
8e669ac1
PH
1390
1391 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1392 the sender verification. */
8e669ac1 1393
2a3eea10 1394 deliver_address_data = save_address_data;
059ec3d9 1395 }
8e669ac1 1396
2a3eea10
PH
1397 /* Put the sender address_data value into $sender_address_data */
1398
8e669ac1 1399 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH
1400 }
1401
1402/* A recipient address just gets a straightforward verify; again we must handle
1403the DEFER overrides. */
1404
1405else
1406 {
1407 address_item addr2;
1408
1409 /* We must use a copy of the address for verification, because it might
1410 get rewritten. */
1411
1412 addr2 = *addr;
1413 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1414 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1415 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1416
059ec3d9 1417 *log_msgptr = addr2.message;
8e669ac1 1418 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1419 addr2.user_message : addr2.message;
059ec3d9
PH
1420 *basic_errno = addr2.basic_errno;
1421
1422 /* Make $address_data visible */
1423 deliver_address_data = addr2.p.address_data;
1424 }
1425
1426/* We have a result from the relevant test. Handle defer overrides first. */
1427
1428if (rc == DEFER && (defer_ok ||
1429 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1430 {
1431 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1432 defer_ok? "defer_ok" : "callout_defer_ok");
1433 rc = OK;
1434 }
1435
1436/* If we've failed a sender, set up a recipient message, and point
1437sender_verified_failed to the address item that actually failed. */
1438
1439if (rc != OK && verify_sender_address != NULL)
1440 {
1441 if (rc != DEFER)
1442 {
1443 *log_msgptr = *user_msgptr = US"Sender verify failed";
1444 }
1445 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1446 {
1447 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1448 }
1449 else
1450 {
1451 *log_msgptr = US"Could not complete sender verify callout";
1452 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1453 *log_msgptr;
1454 }
1455
1456 sender_verified_failed = sender_vaddr;
1457 }
1458
1459/* Verifying an address messes up the values of $domain and $local_part,
1460so reset them before returning if this is a RCPT ACL. */
1461
1462if (addr != NULL)
1463 {
1464 deliver_domain = addr->domain;
1465 deliver_localpart = addr->local_part;
1466 }
1467return rc;
1468
1469/* Syntax errors in the verify argument come here. */
1470
1471BAD_VERIFY:
1472*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH
1473 "\"helo\", \"header_syntax\", \"header_sender\" or "
1474 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH
1475 "\"verify %s\"", arg);
1476return ERROR;
596875b3
PH
1477
1478/* Options supplied when not allowed come here */
1479
1480NO_OPTIONS:
1481*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1482 "(this verify item has no options)", arg);
1483return ERROR;
059ec3d9
PH
1484}
1485
1486
1487
1488
1489/*************************************************
1490* Check argument for control= modifier *
1491*************************************************/
1492
1493/* Called from acl_check_condition() below
1494
1495Arguments:
1496 arg the argument string for control=
1497 pptr set to point to the terminating character
1498 where which ACL we are in
1499 log_msgptr for error messages
1500
1501Returns: CONTROL_xxx value
1502*/
1503
1504static int
1505decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1506{
1507int len;
1508control_def *d;
1509
1510for (d = controls_list;
1511 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1512 d++)
1513 {
1514 len = Ustrlen(d->name);
1515 if (Ustrncmp(d->name, arg, len) == 0) break;
1516 }
1517
1518if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1519 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1520 {
1521 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1522 return CONTROL_ERROR;
1523 }
1524
059ec3d9
PH
1525*pptr = arg + len;
1526return d->value;
1527}
1528
1529
1530
1531/*************************************************
1532* Handle conditions/modifiers on an ACL item *
1533*************************************************/
1534
1535/* Called from acl_check() below.
1536
1537Arguments:
1538 verb ACL verb
1539 cb ACL condition block - if NULL, result is OK
1540 where where called from
1541 addr the address being checked for RCPT, or NULL
1542 level the nesting level
1543 epp pointer to pass back TRUE if "endpass" encountered
1544 (applies only to "accept" and "discard")
1545 user_msgptr user message pointer
1546 log_msgptr log message pointer
1547 basic_errno pointer to where to put verify error
1548
1549Returns: OK - all conditions are met
1550 DISCARD - an "acl" condition returned DISCARD - only allowed
1551 for "accept" or "discard" verbs
1552 FAIL - at least one condition fails
1553 FAIL_DROP - an "acl" condition returned FAIL_DROP
1554 DEFER - can't tell at the moment (typically, lookup defer,
1555 but can be temporary callout problem)
1556 ERROR - ERROR from nested ACL or expansion failure or other
1557 error
1558*/
1559
1560static int
1561acl_check_condition(int verb, acl_condition_block *cb, int where,
1562 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1563 uschar **log_msgptr, int *basic_errno)
1564{
1565uschar *user_message = NULL;
1566uschar *log_message = NULL;
1567uschar *p;
1568int rc = OK;
8523533c
TK
1569#ifdef WITH_CONTENT_SCAN
1570int sep = '/';
1571#endif
059ec3d9
PH
1572
1573for (; cb != NULL; cb = cb->next)
1574 {
1575 uschar *arg;
8e669ac1 1576 int control_type;
059ec3d9
PH
1577
1578 /* The message and log_message items set up messages to be used in
1579 case of rejection. They are expanded later. */
1580
1581 if (cb->type == ACLC_MESSAGE)
1582 {
1583 user_message = cb->arg;
1584 continue;
1585 }
1586
1587 if (cb->type == ACLC_LOG_MESSAGE)
1588 {
1589 log_message = cb->arg;
1590 continue;
1591 }
1592
1593 /* The endpass "condition" just sets a flag to show it occurred. This is
1594 checked at compile time to be on an "accept" or "discard" item. */
1595
1596 if (cb->type == ACLC_ENDPASS)
1597 {
1598 *epp = TRUE;
1599 continue;
1600 }
1601
1602 /* For other conditions and modifiers, the argument is expanded now for some
1603 of them, but not for all, because expansion happens down in some lower level
1604 checking functions in some cases. */
1605
1606 if (cond_expand_at_top[cb->type])
1607 {
1608 arg = expand_string(cb->arg);
1609 if (arg == NULL)
1610 {
1611 if (expand_string_forcedfail) continue;
1612 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1613 cb->arg, expand_string_message);
1614 return search_find_defer? DEFER : ERROR;
1615 }
1616 }
1617 else arg = cb->arg;
1618
1619 /* Show condition, and expanded condition if it's different */
1620
1621 HDEBUG(D_acl)
1622 {
1623 int lhswidth = 0;
1624 debug_printf("check %s%s %n",
1625 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1626 conditions[cb->type], &lhswidth);
1627
1628 if (cb->type == ACLC_SET)
1629 {
1630 int n = cb->u.varnumber;
1631 int t = (n < ACL_C_MAX)? 'c' : 'm';
1632 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1633 debug_printf("acl_%c%d ", t, n);
1634 lhswidth += 7;
1635 }
1636
1637 debug_printf("= %s\n", cb->arg);
1638
1639 if (arg != cb->arg)
1640 debug_printf("%.*s= %s\n", lhswidth,
1641 US" ", CS arg);
1642 }
1643
1644 /* Check that this condition makes sense at this time */
1645
1646 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1647 {
1648 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1649 cond_modifiers[cb->type]? "use" : "test",
1650 conditions[cb->type], acl_wherenames[where]);
1651 return ERROR;
1652 }
1653
1654 /* Run the appropriate test for each condition, or take the appropriate
1655 action for the remaining modifiers. */
1656
1657 switch(cb->type)
1658 {
1659 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1660 "discard" verb. */
1661
1662 case ACLC_ACL:
1663 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1664 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1665 {
1666 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1667 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1668 verbs[verb]);
1669 return ERROR;
1670 }
1671 break;
1672
1673 case ACLC_AUTHENTICATED:
1674 rc = (sender_host_authenticated == NULL)? FAIL :
1675 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1676 TRUE, NULL);
1677 break;
1678
8523533c
TK
1679#ifdef EXPERIMENTAL_BRIGHTMAIL
1680 case ACLC_BMI_OPTIN:
1681 {
1682 int old_pool = store_pool;
1683 store_pool = POOL_PERM;
1684 bmi_current_optin = string_copy(arg);
1685 store_pool = old_pool;
1686 }
1687 break;
1688#endif
1689
059ec3d9
PH
1690 case ACLC_CONDITION:
1691 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1692 rc = (Uatoi(arg) == 0)? FAIL : OK;
1693 else
1694 rc = (strcmpic(arg, US"no") == 0 ||
1695 strcmpic(arg, US"false") == 0)? FAIL :
1696 (strcmpic(arg, US"yes") == 0 ||
1697 strcmpic(arg, US"true") == 0)? OK : DEFER;
1698 if (rc == DEFER)
1699 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1700 break;
1701
1702 case ACLC_CONTROL:
c5fcb476
PH
1703 control_type = decode_control(arg, &p, where, log_msgptr);
1704
8523533c 1705 /* Check if this control makes sense at this time */
c5fcb476
PH
1706
1707 if ((control_forbids[control_type] & (1 << where)) != 0)
1708 {
1709 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1710 controls[control_type], acl_wherenames[where]);
1711 return ERROR;
8e669ac1 1712 }
c5fcb476
PH
1713
1714 switch(control_type)
059ec3d9 1715 {
8523533c
TK
1716#ifdef EXPERIMENTAL_BRIGHTMAIL
1717 case CONTROL_BMI_RUN:
1718 bmi_run = 1;
1719 break;
1720#endif
fb2274d4
TK
1721#ifdef EXPERIMENTAL_DOMAINKEYS
1722 case CONTROL_DK_VERIFY:
1723 dk_do_verify = 1;
1724 break;
1725#endif
059ec3d9
PH
1726 case CONTROL_ERROR:
1727 return ERROR;
1728
1729 case CONTROL_CASEFUL_LOCAL_PART:
1730 deliver_localpart = addr->cc_local_part;
1731 break;
1732
1733 case CONTROL_CASELOWER_LOCAL_PART:
1734 deliver_localpart = addr->lc_local_part;
1735 break;
1736
1737 case CONTROL_ENFORCE_SYNC:
1738 smtp_enforce_sync = TRUE;
1739 break;
1740
1741 case CONTROL_NO_ENFORCE_SYNC:
1742 smtp_enforce_sync = FALSE;
1743 break;
1744
8523533c
TK
1745#ifdef WITH_CONTENT_SCAN
1746 case CONTROL_NO_MBOX_UNSPOOL:
1747 no_mbox_unspool = TRUE;
1748 break;
1749#endif
1750
059ec3d9
PH
1751 case CONTROL_NO_MULTILINE:
1752 no_multiline_responses = TRUE;
1753 break;
1754
8523533c
TK
1755 case CONTROL_FAKEREJECT:
1756 fake_reject = TRUE;
1757 if (*p == '/')
8e669ac1 1758 {
8523533c 1759 uschar *pp = p + 1;
8e669ac1 1760 while (*pp != 0) pp++;
8523533c
TK
1761 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1762 p = pp;
1763 }
1764 else
1765 {
1766 /* Explicitly reset to default string */
dc082449 1767 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK
1768 }
1769 break;
8523533c 1770
059ec3d9
PH
1771 case CONTROL_FREEZE:
1772 deliver_freeze = TRUE;
1773 deliver_frozen_at = time(NULL);
1774 break;
1775
1776 case CONTROL_QUEUE_ONLY:
1777 queue_only_policy = TRUE;
1778 break;
1779
1780 case CONTROL_SUBMISSION:
1781 submission_mode = TRUE;
69358f02 1782 while (*p == '/')
8e669ac1 1783 {
69358f02
PH
1784 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1785 {
1786 p += 14;
1787 active_local_sender_retain = TRUE;
8e669ac1
PH
1788 active_local_from_check = FALSE;
1789 }
69358f02
PH
1790 else if (Ustrncmp(p, "/domain=", 8) == 0)
1791 {
1792 uschar *pp = p + 8;
8e669ac1 1793 while (*pp != 0 && *pp != '/') pp++;
69358f02 1794 submission_domain = string_copyn(p+8, pp-p);
8e669ac1 1795 p = pp;
69358f02 1796 }
8e669ac1
PH
1797 else break;
1798 }
69358f02 1799 if (*p != 0)
059ec3d9 1800 {
69358f02 1801 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH
1802 return ERROR;
1803 }
1804 break;
1805 }
1806 break;
1807
8523533c
TK
1808#ifdef WITH_CONTENT_SCAN
1809 case ACLC_DECODE:
1810 rc = mime_decode(&arg);
1811 break;
1812#endif
1813
059ec3d9
PH
1814 case ACLC_DELAY:
1815 {
1816 int delay = readconf_readtime(arg, 0, FALSE);
1817 if (delay < 0)
1818 {
1819 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1820 "modifier: \"%s\" is not a time value", arg);
1821 return ERROR;
1822 }
1823 else
1824 {
1825 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1826 delay);
1827 if (host_checking)
1828 {
1829 HDEBUG(D_acl)
1830 debug_printf("delay skipped in -bh checking mode\n");
1831 }
8e669ac1 1832 else
86b8287f
PH
1833 {
1834 while (delay > 0) delay = sleep(delay);
8e669ac1 1835 }
059ec3d9
PH
1836 }
1837 }
1838 break;
1839
8523533c
TK
1840#ifdef WITH_OLD_DEMIME
1841 case ACLC_DEMIME:
1842 rc = demime(&arg);
1843 break;
1844#endif
1845
fb2274d4
TK
1846#ifdef EXPERIMENTAL_DOMAINKEYS
1847 case ACLC_DK_DOMAIN_SOURCE:
1848 if (dk_verify_block == NULL) { rc = FAIL; break; };
1849 /* check header source of domain against given string */
1850 switch (dk_verify_block->address_source) {
1851 case DK_EXIM_ADDRESS_FROM_FROM:
1852 rc = match_isinlist(US"from", &arg, 0, NULL,
1853 NULL, MCL_STRING, TRUE, NULL);
1854 break;
1855 case DK_EXIM_ADDRESS_FROM_SENDER:
1856 rc = match_isinlist(US"sender", &arg, 0, NULL,
1857 NULL, MCL_STRING, TRUE, NULL);
1858 break;
1859 case DK_EXIM_ADDRESS_NONE:
1860 rc = match_isinlist(US"none", &arg, 0, NULL,
1861 NULL, MCL_STRING, TRUE, NULL);
1862 break;
1863 }
1864 break;
1865 case ACLC_DK_POLICY:
1866 if (dk_verify_block == NULL) { rc = FAIL; break; };
1867 /* check policy against given string, default FAIL */
1868 rc = FAIL;
1869 if (dk_verify_block->signsall)
1870 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1871 NULL, MCL_STRING, TRUE, NULL);
1872 if (dk_verify_block->testing)
1873 rc = match_isinlist(US"testing", &arg, 0, NULL,
1874 NULL, MCL_STRING, TRUE, NULL);
1875 break;
1876 case ACLC_DK_SENDER_DOMAINS:
1877 if (dk_verify_block == NULL) { rc = FAIL; break; };
1878 if (dk_verify_block->domain != NULL)
1879 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1880 NULL, MCL_DOMAIN, TRUE, NULL);
1881 else rc = FAIL;
1882 break;
1883 case ACLC_DK_SENDER_LOCAL_PARTS:
1884 if (dk_verify_block == NULL) { rc = FAIL; break; };
1885 if (dk_verify_block->local_part != NULL)
1886 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1887 NULL, MCL_LOCALPART, TRUE, NULL);
1888 else rc = FAIL;
1889 break;
1890 case ACLC_DK_SENDERS:
1891 if (dk_verify_block == NULL) { rc = FAIL; break; };
1892 if (dk_verify_block->address != NULL)
1893 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1894 else rc = FAIL;
1895 break;
1896 case ACLC_DK_STATUS:
1897 if (dk_verify_block == NULL) { rc = FAIL; break; };
1898 if (dk_verify_block->result > 0) {
1899 switch(dk_verify_block->result) {
1900 case DK_EXIM_RESULT_BAD_FORMAT:
1901 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1902 NULL, MCL_STRING, TRUE, NULL);
1903 break;
1904 case DK_EXIM_RESULT_NO_KEY:
1905 rc = match_isinlist(US"no key", &arg, 0, NULL,
1906 NULL, MCL_STRING, TRUE, NULL);
1907 break;
1908 case DK_EXIM_RESULT_NO_SIGNATURE:
1909 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1910 NULL, MCL_STRING, TRUE, NULL);
1911 break;
1912 case DK_EXIM_RESULT_REVOKED:
1913 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1914 NULL, MCL_STRING, TRUE, NULL);
1915 break;
1916 case DK_EXIM_RESULT_NON_PARTICIPANT:
1917 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1918 NULL, MCL_STRING, TRUE, NULL);
1919 break;
1920 case DK_EXIM_RESULT_GOOD:
1921 rc = match_isinlist(US"good", &arg, 0, NULL,
1922 NULL, MCL_STRING, TRUE, NULL);
1923 break;
1924 case DK_EXIM_RESULT_BAD:
1925 rc = match_isinlist(US"bad", &arg, 0, NULL,
1926 NULL, MCL_STRING, TRUE, NULL);
1927 break;
1928 }
1929 }
1930 break;
1931#endif
1932
059ec3d9
PH
1933 case ACLC_DNSLISTS:
1934 rc = verify_check_dnsbl(&arg);
1935 break;
1936
1937 case ACLC_DOMAINS:
1938 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1939 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1940 break;
1941
1942 /* The value in tls_cipher is the full cipher name, for example,
1943 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1944 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1945 what may in practice come out of the SSL library - which at the time of
1946 writing is poorly documented. */
1947
1948 case ACLC_ENCRYPTED:
1949 if (tls_cipher == NULL) rc = FAIL; else
1950 {
1951 uschar *endcipher = NULL;
1952 uschar *cipher = Ustrchr(tls_cipher, ':');
1953 if (cipher == NULL) cipher = tls_cipher; else
1954 {
1955 endcipher = Ustrchr(++cipher, ':');
1956 if (endcipher != NULL) *endcipher = 0;
1957 }
1958 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1959 if (endcipher != NULL) *endcipher = ':';
1960 }
1961 break;
1962
1963 /* Use verify_check_this_host() instead of verify_check_host() so that
1964 we can pass over &host_data to catch any looked up data. Once it has been
1965 set, it retains its value so that it's still there if another ACL verb
1966 comes through here and uses the cache. However, we must put it into
1967 permanent store in case it is also expected to be used in a subsequent
1968 message in the same SMTP connection. */
1969
1970 case ACLC_HOSTS:
1971 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1972 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1973 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1974 break;
1975
1976 case ACLC_LOCAL_PARTS:
1977 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1978 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1979 &deliver_localpart_data);
1980 break;
1981
1982 case ACLC_LOGWRITE:
1983 {
1984 int logbits = 0;
1985 uschar *s = arg;
1986 if (*s == ':')
1987 {
1988 s++;
1989 while (*s != ':')
1990 {
1991 if (Ustrncmp(s, "main", 4) == 0)
1992 { logbits |= LOG_MAIN; s += 4; }
1993 else if (Ustrncmp(s, "panic", 5) == 0)
1994 { logbits |= LOG_PANIC; s += 5; }
1995 else if (Ustrncmp(s, "reject", 6) == 0)
1996 { logbits |= LOG_REJECT; s += 6; }
1997 else
1998 {
1999 logbits = LOG_MAIN|LOG_PANIC;
2000 s = string_sprintf(":unknown log name in \"%s\" in "
2001 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2002 }
2003 if (*s == ',') s++;
2004 }
2005 s++;
2006 }
2007 while (isspace(*s)) s++;
2008 if (logbits == 0) logbits = LOG_MAIN;
2009 log_write(0, logbits, "%s", string_printing(s));
2010 }
2011 break;
8e669ac1 2012
8523533c
TK
2013#ifdef WITH_CONTENT_SCAN
2014 case ACLC_MALWARE:
2015 {
2016 /* Seperate the regular expression and any optional parameters. */
2017 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2018 /* Run the malware backend. */
2019 rc = malware(&ss);
2020 /* Modify return code based upon the existance of options. */
2021 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2022 != NULL) {
2023 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2024 {
2025 /* FAIL so that the message is passed to the next ACL */
2026 rc = FAIL;
2027 }
2028 }
2029 }
2030 break;
2031
2032 case ACLC_MIME_REGEX:
2033 rc = mime_regex(&arg);
2034 break;
2035#endif
059ec3d9
PH
2036
2037 case ACLC_RECIPIENTS:
2038 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2039 &recipient_data);
2040 break;
2041
8523533c
TK
2042#ifdef WITH_CONTENT_SCAN
2043 case ACLC_REGEX:
2044 rc = regex(&arg);
2045 break;
2046#endif
2047
059ec3d9
PH
2048 case ACLC_SENDER_DOMAINS:
2049 {
2050 uschar *sdomain;
2051 sdomain = Ustrrchr(sender_address, '@');
2052 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2053 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2054 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2055 }
2056 break;
2057
2058 case ACLC_SENDERS:
2059 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2060 sender_address_cache, -1, 0, &sender_data);
2061 break;
2062
2063 /* Connection variables must persist forever */
2064
2065 case ACLC_SET:
2066 {
2067 int old_pool = store_pool;
2068 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2069 acl_var[cb->u.varnumber] = string_copy(arg);
2070 store_pool = old_pool;
2071 }
2072 break;
2073
8523533c
TK
2074#ifdef WITH_CONTENT_SCAN
2075 case ACLC_SPAM:
2076 {
2077 /* Seperate the regular expression and any optional parameters. */
2078 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2079 /* Run the spam backend. */
2080 rc = spam(&ss);
2081 /* Modify return code based upon the existance of options. */
2082 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2083 != NULL) {
2084 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2085 {
2086 /* FAIL so that the message is passed to the next ACL */
2087 rc = FAIL;
2088 }
2089 }
2090 }
2091 break;
2092#endif
2093
2094#ifdef EXPERIMENTAL_SPF
2095 case ACLC_SPF:
2096 rc = spf_process(&arg, sender_address);
2097 break;
2098#endif
2099
059ec3d9
PH
2100 /* If the verb is WARN, discard any user message from verification, because
2101 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH
2102 only from explicit "message" modifiers. However, put the user message into
2103 $acl_verify_message so it can be used in subsequent conditions or modifiers
2104 (until something changes it). */
059ec3d9
PH
2105
2106 case ACLC_VERIFY:
2107 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 2108 acl_verify_message = *user_msgptr;
059ec3d9
PH
2109 if (verb == ACL_WARN) *user_msgptr = NULL;
2110 break;
2111
2112 default:
2113 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2114 "condition %d", cb->type);
2115 break;
2116 }
2117
2118 /* If a condition was negated, invert OK/FAIL. */
2119
2120 if (!cond_modifiers[cb->type] && cb->u.negated)
2121 {
2122 if (rc == OK) rc = FAIL;
2123 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2124 }
2125
2126 if (rc != OK) break; /* Conditions loop */
2127 }
2128
2129
2130/* If the result is the one for which "message" and/or "log_message" are used,
2131handle the values of these options. Most verbs have but a single return for
2132which the messages are relevant, but for "discard", it's useful to have the log
2133message both when it succeeds and when it fails. Also, for an "accept" that
2134appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2135and "warn" are permitted in that ACL, we don't need to test the verb.
2136
2137These modifiers act in different ways:
2138
2139"message" is a user message that will be included in an SMTP response. Unless
2140it is empty, it overrides any previously set user message.
2141
2142"log_message" is a non-user message, and it adds to any existing non-user
2143message that is already set.
2144
2145If there isn't a log message set, we make it the same as the user message. */
2146
2147if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2148 (verb == ACL_DISCARD && rc == OK) ||
2149 (where == ACL_WHERE_QUIT))
2150 {
2151 uschar *expmessage;
2152
2153 /* If the verb is "warn", messages generated by conditions (verification or
2154 nested ACLs) are discarded. Only messages specified at this level are used.
2155 However, the value of an existing message is available in $acl_verify_message
2156 during expansions. */
2157
2158 uschar *old_user_msgptr = *user_msgptr;
2159 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2160
2161 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2162
2163 if (user_message != NULL)
2164 {
2165 acl_verify_message = old_user_msgptr;
2166 expmessage = expand_string(user_message);
2167 if (expmessage == NULL)
2168 {
2169 if (!expand_string_forcedfail)
2170 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2171 user_message, expand_string_message);
2172 }
2173 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2174 }
2175
2176 if (log_message != NULL)
2177 {
2178 acl_verify_message = old_log_msgptr;
2179 expmessage = expand_string(log_message);
2180 if (expmessage == NULL)
2181 {
2182 if (!expand_string_forcedfail)
2183 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2184 log_message, expand_string_message);
2185 }
2186 else if (expmessage[0] != 0)
2187 {
2188 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2189 string_sprintf("%s: %s", expmessage, *log_msgptr);
2190 }
2191 }
2192
2193 /* If no log message, default it to the user message */
2194
2195 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2196 }
2197
2198acl_verify_message = NULL;
2199return rc;
2200}
2201
2202
2203
2204
2205
2206/*************************************************
2207* Get line from a literal ACL *
2208*************************************************/
2209
2210/* This function is passed to acl_read() in order to extract individual lines
2211of a literal ACL, which we access via static pointers. We can destroy the
2212contents because this is called only once (the compiled ACL is remembered).
2213
2214This code is intended to treat the data in the same way as lines in the main
2215Exim configuration file. That is:
2216
2217 . Leading spaces are ignored.
2218
2219 . A \ at the end of a line is a continuation - trailing spaces after the \
2220 are permitted (this is because I don't believe in making invisible things
2221 significant). Leading spaces on the continued part of a line are ignored.
2222
2223 . Physical lines starting (significantly) with # are totally ignored, and
2224 may appear within a sequence of backslash-continued lines.
2225
2226 . Blank lines are ignored, but will end a sequence of continuations.
2227
2228Arguments: none
2229Returns: a pointer to the next line
2230*/
2231
2232
2233static uschar *acl_text; /* Current pointer in the text */
2234static uschar *acl_text_end; /* Points one past the terminating '0' */
2235
2236
2237static uschar *
2238acl_getline(void)
2239{
2240uschar *yield;
2241
2242/* This loop handles leading blank lines and comments. */
2243
2244for(;;)
2245 {
2246 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2247 if (*acl_text == 0) return NULL; /* No more data */
2248 yield = acl_text; /* Potential data line */
2249
2250 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2251
2252 /* If we hit the end before a newline, we have the whole logical line. If
2253 it's a comment, there's no more data to be given. Otherwise, yield it. */
2254
2255 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2256
2257 /* After reaching a newline, end this loop if the physical line does not
2258 start with '#'. If it does, it's a comment, and the loop continues. */
2259
2260 if (*yield != '#') break;
2261 }
2262
2263/* This loop handles continuations. We know we have some real data, ending in
2264newline. See if there is a continuation marker at the end (ignoring trailing
2265white space). We know that *yield is not white space, so no need to test for
2266cont > yield in the backwards scanning loop. */
2267
2268for(;;)
2269 {
2270 uschar *cont;
2271 for (cont = acl_text - 1; isspace(*cont); cont--);
2272
2273 /* If no continuation follows, we are done. Mark the end of the line and
2274 return it. */
2275
2276 if (*cont != '\\')
2277 {
2278 *acl_text++ = 0;
2279 return yield;
2280 }
2281
2282 /* We have encountered a continuation. Skip over whitespace at the start of
2283 the next line, and indeed the whole of the next line or lines if they are
2284 comment lines. */
2285
2286 for (;;)
2287 {
2288 while (*(++acl_text) == ' ' || *acl_text == '\t');
2289 if (*acl_text != '#') break;
2290 while (*(++acl_text) != 0 && *acl_text != '\n');
2291 }
2292
2293 /* We have the start of a continuation line. Move all the rest of the data
2294 to join onto the previous line, and then find its end. If the end is not a
2295 newline, we are done. Otherwise loop to look for another continuation. */
2296
2297 memmove(cont, acl_text, acl_text_end - acl_text);
2298 acl_text_end -= acl_text - cont;
2299 acl_text = cont;
2300 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2301 if (*acl_text == 0) return yield;
2302 }
2303
2304/* Control does not reach here */
2305}
2306
2307
2308
2309
2310
2311/*************************************************
2312* Check access using an ACL *
2313*************************************************/
2314
2315/* This function is called from address_check. It may recurse via
2316acl_check_condition() - hence the use of a level to stop looping. The ACL is
2317passed as a string which is expanded. A forced failure implies no access check
2318is required. If the result is a single word, it is taken as the name of an ACL
2319which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2320text, complete with newlines, and parsed as such. In both cases, the ACL check
2321is then run. This function uses an auxiliary function for acl_read() to call
2322for reading individual lines of a literal ACL. This is acl_getline(), which
2323appears immediately above.
2324
2325Arguments:
2326 where where called from
2327 addr address item when called from RCPT; otherwise NULL
2328 s the input string; NULL is the same as an empty ACL => DENY
2329 level the nesting level
2330 user_msgptr where to put a user error (for SMTP response)
2331 log_msgptr where to put a logging message (not for SMTP response)
2332
2333Returns: OK access is granted
2334 DISCARD access is apparently granted...
2335 FAIL access is denied
2336 FAIL_DROP access is denied; drop the connection
2337 DEFER can't tell at the moment
2338 ERROR disaster
2339*/
2340
2341static int
2342acl_check_internal(int where, address_item *addr, uschar *s, int level,
2343 uschar **user_msgptr, uschar **log_msgptr)
2344{
2345int fd = -1;
2346acl_block *acl = NULL;
2347uschar *acl_name = US"inline ACL";
2348uschar *ss;
2349
2350/* Catch configuration loops */
2351
2352if (level > 20)
2353 {
2354 *log_msgptr = US"ACL nested too deep: possible loop";
2355 return ERROR;
2356 }
2357
2358if (s == NULL)
2359 {
2360 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2361 return FAIL;
2362 }
2363
2364/* At top level, we expand the incoming string. At lower levels, it has already
2365been expanded as part of condition processing. */
2366
2367if (level == 0)
2368 {
2369 ss = expand_string(s);
2370 if (ss == NULL)
2371 {
2372 if (expand_string_forcedfail) return OK;
2373 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2374 expand_string_message);
2375 return ERROR;
2376 }
2377 }
2378else ss = s;
2379
2380while (isspace(*ss))ss++;
2381
2382/* If we can't find a named ACL, the default is to parse it as an inline one.
2383(Unless it begins with a slash; non-existent files give rise to an error.) */
2384
2385acl_text = ss;
2386
2387/* Handle the case of a string that does not contain any spaces. Look for a
2388named ACL among those read from the configuration, or a previously read file.
2389It is possible that the pointer to the ACL is NULL if the configuration
2390contains a name with no data. If not found, and the text begins with '/',
2391read an ACL from a file, and save it so it can be re-used. */
2392
2393if (Ustrchr(ss, ' ') == NULL)
2394 {
2395 tree_node *t = tree_search(acl_anchor, ss);
2396 if (t != NULL)
2397 {
2398 acl = (acl_block *)(t->data.ptr);
2399 if (acl == NULL)
2400 {
2401 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2402 return FAIL;
2403 }
2404 acl_name = string_sprintf("ACL \"%s\"", ss);
2405 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2406 }
2407
2408 else if (*ss == '/')
2409 {
2410 struct stat statbuf;
2411 fd = Uopen(ss, O_RDONLY, 0);
2412 if (fd < 0)
2413 {
2414 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2415 strerror(errno));
2416 return ERROR;
2417 }
2418
2419 if (fstat(fd, &statbuf) != 0)
2420 {
2421 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2422 strerror(errno));
2423 return ERROR;
2424 }
2425
2426 acl_text = store_get(statbuf.st_size + 1);
2427 acl_text_end = acl_text + statbuf.st_size + 1;
2428
2429 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2430 {
2431 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2432 ss, strerror(errno));
2433 return ERROR;
2434 }
2435 acl_text[statbuf.st_size] = 0;
2436 close(fd);
2437
2438 acl_name = string_sprintf("ACL \"%s\"", ss);
2439 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2440 }
2441 }
2442
2443/* Parse an ACL that is still in text form. If it came from a file, remember it
2444in the ACL tree, having read it into the POOL_PERM store pool so that it
2445persists between multiple messages. */
2446
2447if (acl == NULL)
2448 {
2449 int old_pool = store_pool;
2450 if (fd >= 0) store_pool = POOL_PERM;
2451 acl = acl_read(acl_getline, log_msgptr);
2452 store_pool = old_pool;
2453 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2454 if (fd >= 0)
2455 {
2456 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2457 Ustrcpy(t->name, ss);
2458 t->data.ptr = acl;
2459 (void)tree_insertnode(&acl_anchor, t);
2460 }
2461 }
2462
2463/* Now we have an ACL to use. It's possible it may be NULL. */
2464
2465while (acl != NULL)
2466 {
2467 int cond;
2468 int basic_errno = 0;
2469 BOOL endpass_seen = FALSE;
2470
2471 *log_msgptr = *user_msgptr = NULL;
2472 acl_temp_details = FALSE;
2473
2474 if (where == ACL_WHERE_QUIT &&
2475 acl->verb != ACL_ACCEPT &&
2476 acl->verb != ACL_WARN)
2477 {
2478 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2479 verbs[acl->verb]);
2480 return ERROR;
2481 }
2482
2483 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2484
2485 /* Clear out any search error message from a previous check before testing
2486 this condition. */
2487
2488 search_error_message = NULL;
2489 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2490 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2491
2492 /* Handle special returns: DEFER causes a return except on a WARN verb;
2493 ERROR always causes a return. */
2494
2495 switch (cond)
2496 {
2497 case DEFER:
2498 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2499 if (basic_errno != ERRNO_CALLOUTDEFER)
2500 {
2501 if (search_error_message != NULL && *search_error_message != 0)
2502 *log_msgptr = search_error_message;
2503 if (smtp_return_error_details) acl_temp_details = TRUE;
2504 }
2505 else
2506 {
2507 acl_temp_details = TRUE;
2508 }
2509 if (acl->verb != ACL_WARN) return DEFER;
2510 break;
2511
2512 default: /* Paranoia */
2513 case ERROR:
2514 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2515 return ERROR;
2516
2517 case OK:
2518 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2519 verbs[acl->verb]);
2520 break;
2521
2522 case FAIL:
2523 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2524 break;
2525
2526 /* DISCARD and DROP can happen only from a nested ACL condition, and
2527 DISCARD can happen only for an "accept" or "discard" verb. */
2528
2529 case DISCARD:
2530 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2531 verbs[acl->verb]);
2532 break;
2533
2534 case FAIL_DROP:
2535 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2536 verbs[acl->verb]);
2537 break;
2538 }
2539
2540 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2541 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2542 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2543
2544 switch(acl->verb)
2545 {
2546 case ACL_ACCEPT:
2547 if (cond == OK || cond == DISCARD) return cond;
2548 if (endpass_seen)
2549 {
2550 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2551 return cond;
2552 }
2553 break;
2554
2555 case ACL_DEFER:
2556 if (cond == OK)
2557 {
2558 acl_temp_details = TRUE;
2559 return DEFER;
2560 }
2561 break;
2562
2563 case ACL_DENY:
2564 if (cond == OK) return FAIL;
2565 break;
2566
2567 case ACL_DISCARD:
2568 if (cond == OK || cond == DISCARD) return DISCARD;
2569 if (endpass_seen)
2570 {
2571 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2572 return cond;
2573 }
2574 break;
2575
2576 case ACL_DROP:
2577 if (cond == OK) return FAIL_DROP;
2578 break;
2579
2580 case ACL_REQUIRE:
2581 if (cond != OK) return cond;
2582 break;
2583
2584 case ACL_WARN:
2585 if (cond == OK)
2586 acl_warn(where, *user_msgptr, *log_msgptr);
2587 else if (cond == DEFER)
2588 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2589 "condition test deferred: %s",
2590 (*log_msgptr == NULL)? US"" : *log_msgptr));
2591 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2592 break;
2593
2594 default:
2595 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2596 acl->verb);
2597 break;
2598 }
2599
2600 /* Pass to the next ACL item */
2601
2602 acl = acl->next;
2603 }
2604
2605/* We have reached the end of the ACL. This is an implicit DENY. */
2606
2607HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2608return FAIL;
2609}
2610
2611
2612/*************************************************
2613* Check access using an ACL *
2614*************************************************/
2615
2616/* This is the external interface for ACL checks. It sets up an address and the
2617expansions for $domain and $local_part when called after RCPT, then calls
2618acl_check_internal() to do the actual work.
2619
2620Arguments:
2621 where ACL_WHERE_xxxx indicating where called from
2622 data_string RCPT address, or SMTP command argument, or NULL
2623 s the input string; NULL is the same as an empty ACL => DENY
2624 user_msgptr where to put a user error (for SMTP response)
2625 log_msgptr where to put a logging message (not for SMTP response)
2626
2627Returns: OK access is granted by an ACCEPT verb
2628 DISCARD access is granted by a DISCARD verb
2629 FAIL access is denied
2630 FAIL_DROP access is denied; drop the connection
2631 DEFER can't tell at the moment
2632 ERROR disaster
2633*/
2634
2635int
2636acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2637 uschar **log_msgptr)
2638{
2639int rc;
2640address_item adb;
2641address_item *addr;
2642
2643*user_msgptr = *log_msgptr = NULL;
2644sender_verified_failed = NULL;
2645
2646if (where == ACL_WHERE_RCPT)
2647 {
2648 adb = address_defaults;
2649 addr = &adb;
2650 addr->address = data_string;
2651 if (deliver_split_address(addr) == DEFER)
2652 {
2653 *log_msgptr = US"defer in percent_hack_domains check";
2654 return DEFER;
2655 }
2656 deliver_domain = addr->domain;
2657 deliver_localpart = addr->local_part;
2658 }
2659else
2660 {
2661 addr = NULL;
2662 smtp_command_argument = data_string;
2663 }
2664
2665rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2666
2667smtp_command_argument = deliver_domain =
2a3eea10 2668 deliver_localpart = deliver_address_data = sender_address_data = NULL;
059ec3d9
PH
2669
2670/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2671ACL, which is really in the middle of an SMTP command. */
2672
2673if (rc == DISCARD)
2674 {
2675 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2676 {
2677 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2678 "ACL", acl_wherenames[where]);
2679 return ERROR;
2680 }
2681 return DISCARD;
2682 }
2683
2684/* A DROP response is not permitted from MAILAUTH */
2685
2686if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2687 {
2688 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2689 "ACL", acl_wherenames[where]);
2690 return ERROR;
2691 }
2692
2693/* Before giving an error response, take a look at the length of any user
2694message, and split it up into multiple lines if possible. */
2695
2696if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2697 {
2698 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2699 uschar *ss = s;
2700
2701 for (;;)
2702 {
2703 int i = 0;
2704 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2705 if (*ss == 0) break;
2706 if (*ss == '\n')
2707 s = ++ss;
2708 else
2709 {
2710 uschar *t = ss + 1;
2711 uschar *tt = NULL;
2712 while (--t > s + 35)
2713 {
2714 if (*t == ' ')
2715 {
2716 if (t[-1] == ':') { tt = t; break; }
2717 if (tt == NULL) tt = t;
2718 }
2719 }
2720
2721 if (tt == NULL) /* Can't split behind - try ahead */
2722 {
2723 t = ss + 1;
2724 while (*t != 0)
2725 {
2726 if (*t == ' ' || *t == '\n')
2727 { tt = t; break; }
2728 t++;
2729 }
2730 }
2731
2732 if (tt == NULL) break; /* Can't find anywhere to split */
2733 *tt = '\n';
2734 s = ss = tt+1;
2735 }
2736 }
2737 }
2738
2739return rc;
2740}
2741
2742/* End of acl.c */