Add compile-time checks for various tables being in alphabetical order.
[exim.git] / src / src / acl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for handling Access Control Lists (ACLs) */
9
10#include "exim.h"
11
12
13/* Default callout timeout */
14
15#define CALLOUT_TIMEOUT_DEFAULT 30
16
17/* ACL verb codes - keep in step with the table of verbs that follows */
18
19enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22/* ACL verbs */
23
f9d04f08
JH
24static uschar *verbs[] = {
25 US"accept",
26 US"defer",
27 US"deny",
28 US"discard",
29 US"drop",
30 US"require",
059ec3d9
PH
31 US"warn" };
32
4e88a19f
PH
33/* For each verb, the conditions for which "message" or "log_message" are used
34are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
35"accept", the FAIL case is used only after "endpass", but that is selected in
36the code. */
37
38static int msgcond[] = {
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
40 (1<<OK), /* defer */
41 (1<<OK), /* deny */
42 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
43 (1<<OK), /* drop */
44 (1<<FAIL) | (1<<FAIL_DROP), /* require */
45 (1<<OK) /* warn */
46 };
059ec3d9
PH
47
48/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH
49follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
50down. */
059ec3d9 51
71fafd95
PH
52enum { ACLC_ACL,
53 ACLC_ADD_HEADER,
54 ACLC_AUTHENTICATED,
8523533c
TK
55#ifdef EXPERIMENTAL_BRIGHTMAIL
56 ACLC_BMI_OPTIN,
57#endif
71fafd95 58 ACLC_CONDITION,
c3611384 59 ACLC_CONTINUE,
71fafd95 60 ACLC_CONTROL,
6a8f9482
TK
61#ifdef EXPERIMENTAL_DCC
62 ACLC_DCC,
63#endif
8523533c
TK
64#ifdef WITH_CONTENT_SCAN
65 ACLC_DECODE,
66#endif
67 ACLC_DELAY,
68#ifdef WITH_OLD_DEMIME
69 ACLC_DEMIME,
8e669ac1 70#endif
80a47a2c
TK
71#ifndef DISABLE_DKIM
72 ACLC_DKIM_SIGNER,
73 ACLC_DKIM_STATUS,
fb2274d4 74#endif
4840604e
TL
75#ifdef EXPERIMENTAL_DMARC
76 ACLC_DMARC_STATUS,
77#endif
71fafd95
PH
78 ACLC_DNSLISTS,
79 ACLC_DOMAINS,
80 ACLC_ENCRYPTED,
81 ACLC_ENDPASS,
82 ACLC_HOSTS,
83 ACLC_LOCAL_PARTS,
84 ACLC_LOG_MESSAGE,
6ea85e9a 85 ACLC_LOG_REJECT_TARGET,
71fafd95 86 ACLC_LOGWRITE,
8523533c
TK
87#ifdef WITH_CONTENT_SCAN
88 ACLC_MALWARE,
89#endif
90 ACLC_MESSAGE,
91#ifdef WITH_CONTENT_SCAN
92 ACLC_MIME_REGEX,
93#endif
870f6ba8 94 ACLC_RATELIMIT,
8523533c
TK
95 ACLC_RECIPIENTS,
96#ifdef WITH_CONTENT_SCAN
97 ACLC_REGEX,
98#endif
e7568d51 99 ACLC_REMOVE_HEADER,
71fafd95
PH
100 ACLC_SENDER_DOMAINS,
101 ACLC_SENDERS,
102 ACLC_SET,
8523533c 103#ifdef WITH_CONTENT_SCAN
8e669ac1 104 ACLC_SPAM,
8523533c
TK
105#endif
106#ifdef EXPERIMENTAL_SPF
107 ACLC_SPF,
65a7d8c3 108 ACLC_SPF_GUESS,
8523533c
TK
109#endif
110 ACLC_VERIFY };
059ec3d9 111
c3611384
PH
112/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
113"message", "log_message", "log_reject_target", "logwrite", and "set" are
114modifiers that look like conditions but always return TRUE. They are used for
115their side effects. */
059ec3d9 116
9a26b6b2
PH
117static uschar *conditions[] = {
118 US"acl",
71fafd95 119 US"add_header",
9a26b6b2 120 US"authenticated",
8523533c
TK
121#ifdef EXPERIMENTAL_BRIGHTMAIL
122 US"bmi_optin",
123#endif
124 US"condition",
c3611384 125 US"continue",
8e669ac1 126 US"control",
6a8f9482
TK
127#ifdef EXPERIMENTAL_DCC
128 US"dcc",
129#endif
8523533c
TK
130#ifdef WITH_CONTENT_SCAN
131 US"decode",
132#endif
133 US"delay",
134#ifdef WITH_OLD_DEMIME
135 US"demime",
136#endif
80a47a2c
TK
137#ifndef DISABLE_DKIM
138 US"dkim_signers",
139 US"dkim_status",
fb2274d4 140#endif
4840604e
TL
141#ifdef EXPERIMENTAL_DMARC
142 US"dmarc_status",
143#endif
6ea85e9a
PH
144 US"dnslists",
145 US"domains",
146 US"encrypted",
147 US"endpass",
148 US"hosts",
149 US"local_parts",
150 US"log_message",
151 US"log_reject_target",
152 US"logwrite",
8523533c
TK
153#ifdef WITH_CONTENT_SCAN
154 US"malware",
155#endif
156 US"message",
157#ifdef WITH_CONTENT_SCAN
158 US"mime_regex",
159#endif
870f6ba8 160 US"ratelimit",
8523533c
TK
161 US"recipients",
162#ifdef WITH_CONTENT_SCAN
163 US"regex",
164#endif
e7568d51 165 US"remove_header",
8523533c
TK
166 US"sender_domains", US"senders", US"set",
167#ifdef WITH_CONTENT_SCAN
168 US"spam",
169#endif
170#ifdef EXPERIMENTAL_SPF
171 US"spf",
65a7d8c3 172 US"spf_guess",
8523533c 173#endif
059ec3d9 174 US"verify" };
8e669ac1 175
c5fcb476 176
9a26b6b2
PH
177/* Return values from decode_control(); keep in step with the table of names
178that follows! */
179
180enum {
c46782ef
PH
181 CONTROL_AUTH_UNADVERTISED,
182 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 183 CONTROL_BMI_RUN,
c46782ef 184 #endif
ed7f7860 185 CONTROL_DEBUG,
80a47a2c 186 #ifndef DISABLE_DKIM
f7572e5a
TK
187 CONTROL_DKIM_VERIFY,
188 #endif
4840604e
TL
189 #ifdef EXPERIMENTAL_DMARC
190 CONTROL_DMARC_VERIFY,
191 CONTROL_DMARC_FORENSIC,
192 #endif
13363eba 193 CONTROL_DSCP,
c46782ef
PH
194 CONTROL_ERROR,
195 CONTROL_CASEFUL_LOCAL_PART,
196 CONTROL_CASELOWER_LOCAL_PART,
e4bdf652 197 CONTROL_CUTTHROUGH_DELIVERY,
c46782ef
PH
198 CONTROL_ENFORCE_SYNC,
199 CONTROL_NO_ENFORCE_SYNC,
200 CONTROL_FREEZE,
201 CONTROL_QUEUE_ONLY,
202 CONTROL_SUBMISSION,
203 CONTROL_SUPPRESS_LOCAL_FIXUPS,
204 #ifdef WITH_CONTENT_SCAN
9a26b6b2 205 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH
206 #endif
207 CONTROL_FAKEDEFER,
208 CONTROL_FAKEREJECT,
cf8b11a5 209 CONTROL_NO_MULTILINE,
047bdd8c 210 CONTROL_NO_PIPELINING,
4c590bd1
PH
211 CONTROL_NO_DELAY_FLUSH,
212 CONTROL_NO_CALLOUT_FLUSH
c46782ef 213};
9a26b6b2 214
8800895a
PH
215/* ACL control names; keep in step with the table above! This list is used for
216turning ids into names. The actual list of recognized names is in the variable
217control_def controls_list[] below. The fact that there are two lists is a mess
218and should be tidied up. */
9a26b6b2
PH
219
220static uschar *controls[] = {
c46782ef 221 US"allow_auth_unadvertised",
9a26b6b2
PH
222 #ifdef EXPERIMENTAL_BRIGHTMAIL
223 US"bmi_run",
224 #endif
ed7f7860 225 US"debug",
80a47a2c
TK
226 #ifndef DISABLE_DKIM
227 US"dkim_disable_verify",
f7572e5a 228 #endif
4840604e
TL
229 #ifdef EXPERIMENTAL_DMARC
230 US"dmarc_disable_verify",
231 US"dmarc_enable_forensic",
232 #endif
13363eba 233 US"dscp",
c46782ef
PH
234 US"error",
235 US"caseful_local_part",
236 US"caselower_local_part",
e4bdf652 237 US"cutthrough_delivery",
c46782ef
PH
238 US"enforce_sync",
239 US"no_enforce_sync",
240 US"freeze",
241 US"queue_only",
242 US"submission",
243 US"suppress_local_fixups",
9a26b6b2
PH
244 #ifdef WITH_CONTENT_SCAN
245 US"no_mbox_unspool",
246 #endif
cf8b11a5
PH
247 US"fakedefer",
248 US"fakereject",
aa6dc513 249 US"no_multiline_responses",
cf8b11a5 250 US"no_pipelining",
4c590bd1
PH
251 US"no_delay_flush",
252 US"no_callout_flush"
c46782ef 253};
059ec3d9 254
047bdd8c 255/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH
256at the outer level. In the other cases, expansion already occurs in the
257checking functions. */
258
259static uschar cond_expand_at_top[] = {
7421ecab 260 FALSE, /* acl */
3e536984 261 TRUE, /* add_header */
059ec3d9 262 FALSE, /* authenticated */
8523533c
TK
263#ifdef EXPERIMENTAL_BRIGHTMAIL
264 TRUE, /* bmi_optin */
8e669ac1 265#endif
059ec3d9 266 TRUE, /* condition */
c3611384 267 TRUE, /* continue */
059ec3d9 268 TRUE, /* control */
6a8f9482
TK
269#ifdef EXPERIMENTAL_DCC
270 TRUE, /* dcc */
271#endif
8523533c
TK
272#ifdef WITH_CONTENT_SCAN
273 TRUE, /* decode */
274#endif
059ec3d9 275 TRUE, /* delay */
8523533c
TK
276#ifdef WITH_OLD_DEMIME
277 TRUE, /* demime */
278#endif
80a47a2c
TK
279#ifndef DISABLE_DKIM
280 TRUE, /* dkim_signers */
281 TRUE, /* dkim_status */
fb2274d4 282#endif
4840604e
TL
283#ifdef EXPERIMENTAL_DMARC
284 TRUE, /* dmarc_status */
285#endif
059ec3d9
PH
286 TRUE, /* dnslists */
287 FALSE, /* domains */
288 FALSE, /* encrypted */
289 TRUE, /* endpass */
290 FALSE, /* hosts */
291 FALSE, /* local_parts */
292 TRUE, /* log_message */
6ea85e9a 293 TRUE, /* log_reject_target */
059ec3d9 294 TRUE, /* logwrite */
8523533c
TK
295#ifdef WITH_CONTENT_SCAN
296 TRUE, /* malware */
297#endif
059ec3d9 298 TRUE, /* message */
8523533c
TK
299#ifdef WITH_CONTENT_SCAN
300 TRUE, /* mime_regex */
301#endif
870f6ba8 302 TRUE, /* ratelimit */
059ec3d9 303 FALSE, /* recipients */
8523533c
TK
304#ifdef WITH_CONTENT_SCAN
305 TRUE, /* regex */
306#endif
e7568d51 307 TRUE, /* remove_header */
059ec3d9
PH
308 FALSE, /* sender_domains */
309 FALSE, /* senders */
310 TRUE, /* set */
8523533c
TK
311#ifdef WITH_CONTENT_SCAN
312 TRUE, /* spam */
313#endif
314#ifdef EXPERIMENTAL_SPF
315 TRUE, /* spf */
65a7d8c3 316 TRUE, /* spf_guess */
8523533c 317#endif
059ec3d9
PH
318 TRUE /* verify */
319};
320
321/* Flags to identify the modifiers */
322
323static uschar cond_modifiers[] = {
324 FALSE, /* acl */
3e536984 325 TRUE, /* add_header */
059ec3d9 326 FALSE, /* authenticated */
8523533c
TK
327#ifdef EXPERIMENTAL_BRIGHTMAIL
328 TRUE, /* bmi_optin */
8e669ac1 329#endif
059ec3d9 330 FALSE, /* condition */
c3611384 331 TRUE, /* continue */
059ec3d9 332 TRUE, /* control */
6a8f9482
TK
333#ifdef EXPERIMENTAL_DCC
334 FALSE, /* dcc */
335#endif
8523533c
TK
336#ifdef WITH_CONTENT_SCAN
337 FALSE, /* decode */
338#endif
059ec3d9 339 TRUE, /* delay */
8523533c
TK
340#ifdef WITH_OLD_DEMIME
341 FALSE, /* demime */
342#endif
80a47a2c
TK
343#ifndef DISABLE_DKIM
344 FALSE, /* dkim_signers */
345 FALSE, /* dkim_status */
fb2274d4 346#endif
4840604e
TL
347#ifdef EXPERIMENTAL_DMARC
348 FALSE, /* dmarc_status */
349#endif
059ec3d9
PH
350 FALSE, /* dnslists */
351 FALSE, /* domains */
352 FALSE, /* encrypted */
353 TRUE, /* endpass */
354 FALSE, /* hosts */
355 FALSE, /* local_parts */
356 TRUE, /* log_message */
6ea85e9a 357 TRUE, /* log_reject_target */
8523533c
TK
358 TRUE, /* logwrite */
359#ifdef WITH_CONTENT_SCAN
360 FALSE, /* malware */
361#endif
059ec3d9 362 TRUE, /* message */
8523533c
TK
363#ifdef WITH_CONTENT_SCAN
364 FALSE, /* mime_regex */
365#endif
870f6ba8 366 FALSE, /* ratelimit */
059ec3d9 367 FALSE, /* recipients */
8523533c
TK
368#ifdef WITH_CONTENT_SCAN
369 FALSE, /* regex */
370#endif
e7568d51 371 TRUE, /* remove_header */
059ec3d9
PH
372 FALSE, /* sender_domains */
373 FALSE, /* senders */
374 TRUE, /* set */
8523533c
TK
375#ifdef WITH_CONTENT_SCAN
376 FALSE, /* spam */
377#endif
378#ifdef EXPERIMENTAL_SPF
379 FALSE, /* spf */
65a7d8c3 380 FALSE, /* spf_guess */
8523533c 381#endif
059ec3d9
PH
382 FALSE /* verify */
383};
384
c3611384 385/* Bit map vector of which conditions and modifiers are not allowed at certain
8f128379
PH
386times. For each condition and modifier, there's a bitmap of dis-allowed times.
387For some, it is easier to specify the negation of a small number of allowed
388times. */
059ec3d9
PH
389
390static unsigned int cond_forbids[] = {
391 0, /* acl */
8e669ac1 392
71fafd95 393 (unsigned int)
45b91596 394 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 395 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6
JH
396 #ifdef EXPERIMENTAL_PRDR
397 (1<<ACL_WHERE_PRDR)|
398 #endif
45b91596 399 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
67caae1f 400 (1<<ACL_WHERE_DKIM)|
45b91596 401 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 402
45b91596
PH
403 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
404 (1<<ACL_WHERE_NOTSMTP_START)|
405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 406
71fafd95 407 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 408 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK
409 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
410 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
fd98a5c6
JH
411 #ifdef EXPERIMENTAL_PRDR
412 (1<<ACL_WHERE_PRDR)|
413 #endif
8e669ac1 414 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK
415 (1<<ACL_WHERE_MAILAUTH)|
416 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH
417 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
418 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 419 #endif
8e669ac1 420
059ec3d9 421 0, /* condition */
8e669ac1 422
c3611384
PH
423 0, /* continue */
424
059ec3d9 425 /* Certain types of control are always allowed, so we let it through
2f079f46 426 always and check in the control processing itself. */
8e669ac1 427
059ec3d9 428 0, /* control */
8e669ac1 429
6a8f9482
TK
430 #ifdef EXPERIMENTAL_DCC
431 (unsigned int)
fd98a5c6
JH
432 ~((1<<ACL_WHERE_DATA)| /* dcc */
433 #ifdef EXPERIMENTAL_PRDR
434 (1<<ACL_WHERE_PRDR)|
435 #endif /* EXPERIMENTAL_PRDR */
436 (1<<ACL_WHERE_NOTSMTP)),
6a8f9482
TK
437 #endif
438
71fafd95 439 #ifdef WITH_CONTENT_SCAN
2f079f46
PH
440 (unsigned int)
441 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 442 #endif
8523533c 443
8f128379 444 (1<<ACL_WHERE_NOTQUIT), /* delay */
8e669ac1 445
71fafd95 446 #ifdef WITH_OLD_DEMIME
2f079f46 447 (unsigned int)
fd98a5c6
JH
448 ~((1<<ACL_WHERE_DATA)| /* demime */
449 #ifdef EXPERIMENTAL_PRDR
450 (1<<ACL_WHERE_PRDR)|
451 #endif /* EXPERIMENTAL_PRDR */
452 (1<<ACL_WHERE_NOTSMTP)),
71fafd95 453 #endif
8e669ac1 454
80a47a2c
TK
455 #ifndef DISABLE_DKIM
456 (unsigned int)
457 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
84330b7b 458
80a47a2c
TK
459 (unsigned int)
460 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
71fafd95 461 #endif
fb2274d4 462
4840604e
TL
463 #ifdef EXPERIMENTAL_DMARC
464 (unsigned int)
465 ~(1<<ACL_WHERE_DATA), /* dmarc_status */
466 #endif
467
45b91596
PH
468 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
469 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 470
2f079f46 471 (unsigned int)
fd98a5c6
JH
472 ~((1<<ACL_WHERE_RCPT) /* domains */
473 #ifdef EXPERIMENTAL_PRDR
474 |(1<<ACL_WHERE_PRDR)
475 #endif
476 ),
059ec3d9 477
45b91596
PH
478 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
479 (1<<ACL_WHERE_CONNECT)|
480 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 481 (1<<ACL_WHERE_HELO),
8e669ac1 482
059ec3d9 483 0, /* endpass */
8e669ac1 484
45b91596
PH
485 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
486 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 487
2f079f46 488 (unsigned int)
fd98a5c6
JH
489 ~((1<<ACL_WHERE_RCPT) /* local_parts */
490 #ifdef EXPERIMENTAL_PRDR
491 |(1<<ACL_WHERE_PRDR)
492 #endif
493 ),
059ec3d9
PH
494
495 0, /* log_message */
8e669ac1 496
6ea85e9a
PH
497 0, /* log_reject_target */
498
059ec3d9 499 0, /* logwrite */
8e669ac1 500
71fafd95 501 #ifdef WITH_CONTENT_SCAN
2f079f46 502 (unsigned int)
fd98a5c6
JH
503 ~((1<<ACL_WHERE_DATA)| /* malware */
504 #ifdef EXPERIMENTAL_PRDR
505 (1<<ACL_WHERE_PRDR)|
506 #endif /* EXPERIMENTAL_PRDR */
507 (1<<ACL_WHERE_NOTSMTP)),
71fafd95 508 #endif
8523533c 509
059ec3d9
PH
510 0, /* message */
511
71fafd95 512 #ifdef WITH_CONTENT_SCAN
2f079f46
PH
513 (unsigned int)
514 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 515 #endif
8523533c 516
870f6ba8
TF
517 0, /* ratelimit */
518
2f079f46
PH
519 (unsigned int)
520 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 521
71fafd95 522 #ifdef WITH_CONTENT_SCAN
2f079f46 523 (unsigned int)
fd98a5c6
JH
524 ~((1<<ACL_WHERE_DATA)| /* regex */
525 #ifdef EXPERIMENTAL_PRDR
526 (1<<ACL_WHERE_PRDR)|
527 #endif /* EXPERIMENTAL_PRDR */
528 (1<<ACL_WHERE_NOTSMTP)|
2f079f46 529 (1<<ACL_WHERE_MIME)),
71fafd95 530 #endif
8523533c 531
e7568d51
TL
532 (unsigned int)
533 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* remove_header */
534 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6
JH
535 #ifdef EXPERIMENTAL_PRDR
536 (1<<ACL_WHERE_PRDR)|
537 #endif
e7568d51
TL
538 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
539 (1<<ACL_WHERE_NOTSMTP_START)),
540
059ec3d9
PH
541 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
542 (1<<ACL_WHERE_HELO)|
543 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
544 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
545 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
546
547 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
548 (1<<ACL_WHERE_HELO)|
549 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
550 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
551 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
552
553 0, /* set */
554
71fafd95 555 #ifdef WITH_CONTENT_SCAN
2f079f46 556 (unsigned int)
fd98a5c6
JH
557 ~((1<<ACL_WHERE_DATA)| /* spam */
558 #ifdef EXPERIMENTAL_PRDR
559 (1<<ACL_WHERE_PRDR)|
560 #endif /* EXPERIMENTAL_PRDR */
561 (1<<ACL_WHERE_NOTSMTP)),
71fafd95 562 #endif
8523533c 563
71fafd95 564 #ifdef EXPERIMENTAL_SPF
8523533c
TK
565 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
566 (1<<ACL_WHERE_HELO)|
567 (1<<ACL_WHERE_MAILAUTH)|
568 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH
569 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
570 (1<<ACL_WHERE_NOTSMTP)|
571 (1<<ACL_WHERE_NOTSMTP_START),
65a7d8c3
NM
572
573 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
574 (1<<ACL_WHERE_HELO)|
575 (1<<ACL_WHERE_MAILAUTH)|
576 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
577 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
578 (1<<ACL_WHERE_NOTSMTP)|
579 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 580 #endif
8523533c 581
059ec3d9
PH
582 /* Certain types of verify are always allowed, so we let it through
583 always and check in the verify function itself */
584
585 0 /* verify */
059ec3d9
PH
586};
587
588
c5fcb476
PH
589/* Bit map vector of which controls are not allowed at certain times. For
590each control, there's a bitmap of dis-allowed times. For some, it is easier to
591specify the negation of a small number of allowed times. */
592
593static unsigned int control_forbids[] = {
c46782ef
PH
594 (unsigned int)
595 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
596
597 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 598 0, /* bmi_run */
c46782ef
PH
599 #endif
600
ed7f7860
PP
601 0, /* debug */
602
80a47a2c
TK
603 #ifndef DISABLE_DKIM
604 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
fd98a5c6
JH
605 #ifdef EXPERIMENTAL_PRDR
606 (1<<ACL_WHERE_PRDR)|
607 #endif /* EXPERIMENTAL_PRDR */
f7572e5a
TK
608 (1<<ACL_WHERE_NOTSMTP_START),
609 #endif
610
4840604e
TL
611 #ifdef EXPERIMENTAL_DMARC
612 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dmarc_disable_verify */
613 (1<<ACL_WHERE_NOTSMTP_START),
614 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dmarc_enable_forensic */
615 (1<<ACL_WHERE_NOTSMTP_START),
616 #endif
617
13363eba
PP
618 (1<<ACL_WHERE_NOTSMTP)|
619 (1<<ACL_WHERE_NOTSMTP_START)|
620 (1<<ACL_WHERE_NOTQUIT), /* dscp */
621
c5fcb476 622 0, /* error */
8e669ac1
PH
623
624 (unsigned int)
c5fcb476 625 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH
626
627 (unsigned int)
c5fcb476 628 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 629
e4bdf652
JH
630 (unsigned int)
631 0, /* cutthrough_delivery */
632
45b91596
PH
633 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
634 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 635
45b91596
PH
636 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
637 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH
638
639 (unsigned int)
c5fcb476
PH
640 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
641 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6 642 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
e715ad22 643 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH
644
645 (unsigned int)
c5fcb476
PH
646 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
647 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6 648 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
e715ad22 649 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH
650
651 (unsigned int)
c5fcb476 652 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 653 (1<<ACL_WHERE_PREDATA)),
8523533c 654
8800895a
PH
655 (unsigned int)
656 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH
657 (1<<ACL_WHERE_PREDATA)|
658 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 659
c46782ef 660 #ifdef WITH_CONTENT_SCAN
8e669ac1 661 (unsigned int)
14d57970 662 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22 663 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6 664 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
e715ad22 665 (1<<ACL_WHERE_MIME)),
c46782ef 666 #endif
a6c4ab60 667
8e669ac1 668 (unsigned int)
29aba418
TF
669 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
670 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6
JH
671 #ifdef EXPERIMENTAL_PRDR
672 (1<<ACL_WHERE_PRDR)|
673 #endif /* EXPERIMENTAL_PRDR */
29aba418
TF
674 (1<<ACL_WHERE_MIME)),
675
676 (unsigned int)
a6c4ab60 677 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22 678 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6
JH
679 #ifdef EXPERIMENTAL_PRDR
680 (1<<ACL_WHERE_PRDR)|
681 #endif /* EXPERIMENTAL_PRDR */
e715ad22 682 (1<<ACL_WHERE_MIME)),
8523533c 683
45b91596 684 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH
685 (1<<ACL_WHERE_NOTSMTP_START),
686
687 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH
688 (1<<ACL_WHERE_NOTSMTP_START),
689
690 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH
691 (1<<ACL_WHERE_NOTSMTP_START),
692
693 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 694 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH
695};
696
697/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH
698
699typedef struct control_def {
700 uschar *name;
701 int value; /* CONTROL_xxx value */
059ec3d9
PH
702 BOOL has_option; /* Has /option(s) following */
703} control_def;
704
705static control_def controls_list[] = {
c46782ef 706 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 707#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 708 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
8523533c 709#endif
ed7f7860 710 { US"debug", CONTROL_DEBUG, TRUE },
80a47a2c
TK
711#ifndef DISABLE_DKIM
712 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
f7572e5a 713#endif
4840604e
TL
714#ifdef EXPERIMENTAL_DMARC
715 { US"dmarc_disable_verify", CONTROL_DMARC_VERIFY, FALSE },
716 { US"dmarc_enable_forensic", CONTROL_DMARC_FORENSIC, FALSE },
717#endif
13363eba 718 { US"dscp", CONTROL_DSCP, TRUE },
c46782ef
PH
719 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
720 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
721 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
722 { US"freeze", CONTROL_FREEZE, TRUE },
4c590bd1 723 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
047bdd8c 724 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
c46782ef
PH
725 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
726 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 727 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 728 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 729#ifdef WITH_CONTENT_SCAN
c46782ef 730 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 731#endif
c46782ef
PH
732 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
733 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
734 { US"submission", CONTROL_SUBMISSION, TRUE },
e4bdf652
JH
735 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE },
736 { US"cutthrough_delivery", CONTROL_CUTTHROUGH_DELIVERY, FALSE }
059ec3d9
PH
737 };
738
e5a9dba6
PH
739/* Support data structures for Client SMTP Authorization. acl_verify_csa()
740caches its result in a tree to avoid repeated DNS queries. The result is an
741integer code which is used as an index into the following tables of
742explanatory strings and verification return codes. */
743
744static tree_node *csa_cache = NULL;
745
746enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
747 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
748
749/* The acl_verify_csa() return code is translated into an acl_verify() return
750code using the following table. It is OK unless the client is definitely not
751authorized. This is because CSA is supposed to be optional for sending sites,
752so recipients should not be too strict about checking it - especially because
753DNS problems are quite likely to occur. It's possible to use $csa_status in
754further ACL conditions to distinguish ok, unknown, and defer if required, but
755the aim is to make the usual configuration simple. */
756
757static int csa_return_code[] = {
758 OK, OK, OK, OK,
759 FAIL, FAIL, FAIL, FAIL
760};
761
762static uschar *csa_status_string[] = {
763 US"unknown", US"ok", US"defer", US"defer",
764 US"fail", US"fail", US"fail", US"fail"
765};
766
767static uschar *csa_reason_string[] = {
768 US"unknown",
769 US"ok",
770 US"deferred (SRV lookup failed)",
771 US"deferred (target address lookup failed)",
772 US"failed (explicit authorization required)",
773 US"failed (host name not authorized)",
774 US"failed (no authorized addresses)",
775 US"failed (client address mismatch)"
776};
777
c99ce5c9
TF
778/* Options for the ratelimit condition. Note that there are two variants of
779the per_rcpt option, depending on the ACL that is used to measure the rate.
780However any ACL must be able to look up per_rcpt rates in /noupdate mode,
781so the two variants must have the same internal representation as well as
782the same configuration string. */
783
784enum {
785 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
786 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
787};
788
789#define RATE_SET(var,new) \
790 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
791
792static uschar *ratelimit_option_string[] = {
793 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
794 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
795};
796
059ec3d9
PH
797/* Enable recursion between acl_check_internal() and acl_check_condition() */
798
f60d98e8
JH
799static int acl_check_wargs(int, address_item *, uschar *, int, uschar **,
800 uschar **);
059ec3d9
PH
801
802
803/*************************************************
804* Pick out name from list *
805*************************************************/
806
807/* Use a binary chop method
808
809Arguments:
810 name name to find
811 list list of names
812 end size of list
813
814Returns: offset in list, or -1 if not found
815*/
816
817static int
818acl_checkname(uschar *name, uschar **list, int end)
819{
820int start = 0;
821
822while (start < end)
823 {
824 int mid = (start + end)/2;
825 int c = Ustrcmp(name, list[mid]);
826 if (c == 0) return mid;
827 if (c < 0) end = mid; else start = mid + 1;
828 }
829
830return -1;
831}
832
833
834/*************************************************
835* Read and parse one ACL *
836*************************************************/
837
838/* This function is called both from readconf in order to parse the ACLs in the
839configuration file, and also when an ACL is encountered dynamically (e.g. as
840the result of an expansion). It is given a function to call in order to
841retrieve the lines of the ACL. This function handles skipping comments and
842blank lines (where relevant).
843
844Arguments:
845 func function to get next line of ACL
846 error where to put an error message
847
848Returns: pointer to ACL, or NULL
849 NULL can be legal (empty ACL); in this case error will be NULL
850*/
851
852acl_block *
853acl_read(uschar *(*func)(void), uschar **error)
854{
855acl_block *yield = NULL;
856acl_block **lastp = &yield;
857acl_block *this = NULL;
858acl_condition_block *cond;
859acl_condition_block **condp = NULL;
860uschar *s;
861
862*error = NULL;
863
864while ((s = (*func)()) != NULL)
865 {
866 int v, c;
867 BOOL negated = FALSE;
868 uschar *saveline = s;
869 uschar name[64];
870
871 /* Conditions (but not verbs) are allowed to be negated by an initial
872 exclamation mark. */
873
874 while (isspace(*s)) s++;
875 if (*s == '!')
876 {
877 negated = TRUE;
878 s++;
879 }
880
cf00dad6
PH
881 /* Read the name of a verb or a condition, or the start of a new ACL, which
882 can be started by a name, or by a macro definition. */
059ec3d9
PH
883
884 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 885 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH
886
887 /* If a verb is unrecognized, it may be another condition or modifier that
888 continues the previous verb. */
889
890 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
891 if (v < 0)
892 {
893 if (this == NULL)
894 {
4e167a8c
PH
895 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
896 saveline);
059ec3d9
PH
897 return NULL;
898 }
899 }
900
901 /* New verb */
902
903 else
904 {
905 if (negated)
906 {
907 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
908 return NULL;
909 }
910 this = store_get(sizeof(acl_block));
911 *lastp = this;
912 lastp = &(this->next);
913 this->next = NULL;
914 this->verb = v;
915 this->condition = NULL;
916 condp = &(this->condition);
917 if (*s == 0) continue; /* No condition on this line */
918 if (*s == '!')
919 {
920 negated = TRUE;
921 s++;
922 }
923 s = readconf_readname(name, sizeof(name), s); /* Condition name */
924 }
925
926 /* Handle a condition or modifier. */
927
928 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
929 if (c < 0)
930 {
931 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
932 saveline);
933 return NULL;
934 }
935
936 /* The modifiers may not be negated */
937
938 if (negated && cond_modifiers[c])
939 {
940 *error = string_sprintf("ACL error: negation is not allowed with "
941 "\"%s\"", conditions[c]);
942 return NULL;
943 }
944
945 /* ENDPASS may occur only with ACCEPT or DISCARD. */
946
947 if (c == ACLC_ENDPASS &&
948 this->verb != ACL_ACCEPT &&
949 this->verb != ACL_DISCARD)
950 {
951 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
952 conditions[c], verbs[this->verb]);
953 return NULL;
954 }
955
956 cond = store_get(sizeof(acl_condition_block));
957 cond->next = NULL;
958 cond->type = c;
959 cond->u.negated = negated;
960
961 *condp = cond;
962 condp = &(cond->next);
963
964 /* The "set" modifier is different in that its argument is "name=value"
965 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH
966 gives us a variable name to insert into the data block. The original ACL
967 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
968 extended to 20 of each type, but after that people successfully argued for
641cb756
PH
969 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
970 After that, we allow alphanumerics and underscores, but the first character
971 after c or m must be a digit or an underscore. This retains backwards
972 compatibility. */
059ec3d9
PH
973
974 if (c == ACLC_SET)
975 {
47ca6d6c
PH
976 uschar *endptr;
977
38a0a95f
PH
978 if (Ustrncmp(s, "acl_c", 5) != 0 &&
979 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 980 {
38a0a95f
PH
981 *error = string_sprintf("invalid variable name after \"set\" in ACL "
982 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
983 return NULL;
47ca6d6c 984 }
38a0a95f
PH
985
986 endptr = s + 5;
641cb756
PH
987 if (!isdigit(*endptr) && *endptr != '_')
988 {
989 *error = string_sprintf("invalid variable name after \"set\" in ACL "
990 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
991 s);
992 return NULL;
993 }
994
38a0a95f 995 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 996 {
38a0a95f
PH
997 if (!isalnum(*endptr) && *endptr != '_')
998 {
999 *error = string_sprintf("invalid character \"%c\" in variable name "
1000 "in ACL modifier \"set %s\"", *endptr, s);
1001 return NULL;
1002 }
1003 endptr++;
47ca6d6c 1004 }
47ca6d6c 1005
38a0a95f 1006 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 1007 s = endptr;
059ec3d9
PH
1008 while (isspace(*s)) s++;
1009 }
1010
1011 /* For "set", we are now positioned for the data. For the others, only
1012 "endpass" has no data */
1013
1014 if (c != ACLC_ENDPASS)
1015 {
1016 if (*s++ != '=')
1017 {
1018 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
1019 cond_modifiers[c]? US"modifier" : US"condition");
1020 return NULL;
1021 }
1022 while (isspace(*s)) s++;
1023 cond->arg = string_copy(s);
1024 }
1025 }
1026
1027return yield;
1028}
1029
1030
1031
1032/*************************************************
71fafd95
PH
1033* Set up added header line(s) *
1034*************************************************/
1035
1036/* This function is called by the add_header modifier, and also from acl_warn()
1037to implement the now-deprecated way of adding header lines using "message" on a
1038"warn" verb. The argument is treated as a sequence of header lines which are
1039added to a chain, provided there isn't an identical one already there.
1040
1041Argument: string of header lines
1042Returns: nothing
1043*/
1044
1045static void
1046setup_header(uschar *hstring)
1047{
1048uschar *p, *q;
1049int hlen = Ustrlen(hstring);
1050
b1b05573
JH
1051/* Ignore any leading newlines */
1052while (*hstring == '\n') hstring++, hlen--;
71fafd95 1053
b1b05573 1054/* An empty string does nothing; ensure exactly one final newline. */
71fafd95 1055if (hlen <= 0) return;
b1b05573
JH
1056if (hstring[--hlen] != '\n') hstring = string_sprintf("%s\n", hstring);
1057else while(hstring[--hlen] == '\n') hstring[hlen+1] = '\0';
71fafd95
PH
1058
1059/* Loop for multiple header lines, taking care about continuations */
1060
1061for (p = q = hstring; *p != 0; )
1062 {
1063 uschar *s;
1064 int newtype = htype_add_bot;
1065 header_line **hptr = &acl_added_headers;
1066
1067 /* Find next header line within the string */
1068
1069 for (;;)
1070 {
1071 q = Ustrchr(q, '\n');
1072 if (*(++q) != ' ' && *q != '\t') break;
1073 }
1074
1075 /* If the line starts with a colon, interpret the instruction for where to
1076 add it. This temporarily sets up a new type. */
1077
1078 if (*p == ':')
1079 {
1080 if (strncmpic(p, US":after_received:", 16) == 0)
1081 {
1082 newtype = htype_add_rec;
1083 p += 16;
1084 }
1085 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1086 {
1087 newtype = htype_add_rfc;
1088 p += 14;
1089 }
1090 else if (strncmpic(p, US":at_start:", 10) == 0)
1091 {
1092 newtype = htype_add_top;
1093 p += 10;
1094 }
1095 else if (strncmpic(p, US":at_end:", 8) == 0)
1096 {
1097 newtype = htype_add_bot;
1098 p += 8;
1099 }
1100 while (*p == ' ' || *p == '\t') p++;
1101 }
1102
1103 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1104 to the front of it. */
1105
1106 for (s = p; s < q - 1; s++)
1107 {
1108 if (*s == ':' || !isgraph(*s)) break;
1109 }
1110
438257ba 1111 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
71fafd95
PH
1112 hlen = Ustrlen(s);
1113
1114 /* See if this line has already been added */
1115
1116 while (*hptr != NULL)
1117 {
1118 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1119 hptr = &((*hptr)->next);
1120 }
1121
1122 /* Add if not previously present */
1123
1124 if (*hptr == NULL)
1125 {
1126 header_line *h = store_get(sizeof(header_line));
1127 h->text = s;
1128 h->next = NULL;
1129 h->type = newtype;
1130 h->slen = hlen;
1131 *hptr = h;
1132 hptr = &(h->next);
1133 }
1134
1135 /* Advance for next header line within the string */
1136
1137 p = q;
1138 }
1139}
1140
1141
1142
e7568d51 1143/*************************************************
362145b5
JH
1144* List the added header lines *
1145*************************************************/
1146uschar *
1147fn_hdrs_added(void)
1148{
1149uschar * ret = NULL;
1150header_line * h = acl_added_headers;
1151uschar * s;
1152uschar * cp;
1153int size = 0;
1154int ptr = 0;
1155
1156if (!h) return NULL;
1157
1158do
1159 {
1160 s = h->text;
1161 while ((cp = Ustrchr(s, '\n')) != NULL)
1162 {
1163 if (cp[1] == '\0') break;
1164
1165 /* contains embedded newline; needs doubling */
1166 ret = string_cat(ret, &size, &ptr, s, cp-s+1);
6d9cfc47 1167 ret = string_cat(ret, &size, &ptr, US"\n", 1);
362145b5
JH
1168 s = cp+1;
1169 }
1170 /* last bit of header */
1171
1172 ret = string_cat(ret, &size, &ptr, s, cp-s+1); /* newline-sep list */
1173 }
6d9cfc47 1174while((h = h->next));
362145b5
JH
1175
1176ret[ptr-1] = '\0'; /* overwrite last newline */
1177return ret;
1178}
1179
1180
1181/*************************************************
e7568d51
TL
1182* Set up removed header line(s) *
1183*************************************************/
1184
1185/* This function is called by the remove_header modifier. The argument is
1186treated as a sequence of header names which are added to a colon separated
1187list, provided there isn't an identical one already there.
1188
1189Argument: string of header names
1190Returns: nothing
1191*/
1192
1193static void
1194setup_remove_header(uschar *hnames)
1195{
1196if (*hnames != 0)
1197 {
1198 if (acl_removed_headers == NULL)
1199 acl_removed_headers = hnames;
1200 else
1201 acl_removed_headers = string_sprintf("%s : %s", acl_removed_headers, hnames);
1202 }
1203}
1204
1205
71fafd95
PH
1206
1207/*************************************************
059ec3d9
PH
1208* Handle warnings *
1209*************************************************/
1210
1211/* This function is called when a WARN verb's conditions are true. It adds to
1212the message's headers, and/or writes information to the log. In each case, this
1213only happens once (per message for headers, per connection for log).
1214
71fafd95
PH
1215** NOTE: The header adding action using the "message" setting is historic, and
1216its use is now deprecated. The new add_header modifier should be used instead.
1217
059ec3d9
PH
1218Arguments:
1219 where ACL_WHERE_xxxx indicating which ACL this is
1220 user_message message for adding to headers
1221 log_message message for logging, if different
1222
1223Returns: nothing
1224*/
1225
1226static void
1227acl_warn(int where, uschar *user_message, uschar *log_message)
1228{
059ec3d9
PH
1229if (log_message != NULL && log_message != user_message)
1230 {
1231 uschar *text;
1232 string_item *logged;
1233
1234 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1235 string_printing(log_message));
1236
1237 /* If a sender verification has failed, and the log message is "sender verify
1238 failed", add the failure message. */
1239
1240 if (sender_verified_failed != NULL &&
1241 sender_verified_failed->message != NULL &&
1242 strcmpic(log_message, US"sender verify failed") == 0)
1243 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1244
9c7a242c
PH
1245 /* Search previously logged warnings. They are kept in malloc
1246 store so they can be freed at the start of a new message. */
059ec3d9
PH
1247
1248 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1249 if (Ustrcmp(logged->text, text) == 0) break;
1250
1251 if (logged == NULL)
1252 {
1253 int length = Ustrlen(text) + 1;
1254 log_write(0, LOG_MAIN, "%s", text);
1255 logged = store_malloc(sizeof(string_item) + length);
1256 logged->text = (uschar *)logged + sizeof(string_item);
1257 memcpy(logged->text, text, length);
1258 logged->next = acl_warn_logged;
1259 acl_warn_logged = logged;
1260 }
1261 }
1262
1263/* If there's no user message, we are done. */
1264
1265if (user_message == NULL) return;
1266
1267/* If this isn't a message ACL, we can't do anything with a user message.
1268Log an error. */
1269
1270if (where > ACL_WHERE_NOTSMTP)
1271 {
1272 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1273 "found in a non-message (%s) ACL: cannot specify header lines here: "
1274 "message ignored", acl_wherenames[where]);
1275 return;
1276 }
1277
71fafd95
PH
1278/* The code for setting up header lines is now abstracted into a separate
1279function so that it can be used for the add_header modifier as well. */
059ec3d9 1280
71fafd95 1281setup_header(user_message);
059ec3d9
PH
1282}
1283
1284
1285
1286/*************************************************
1287* Verify and check reverse DNS *
1288*************************************************/
1289
1290/* Called from acl_verify() below. We look up the host name(s) of the client IP
1291address if this has not yet been done. The host_name_lookup() function checks
1292that one of these names resolves to an address list that contains the client IP
1293address, so we don't actually have to do the check here.
1294
1295Arguments:
1296 user_msgptr pointer for user message
1297 log_msgptr pointer for log message
1298
1299Returns: OK verification condition succeeded
1300 FAIL verification failed
1301 DEFER there was a problem verifying
1302*/
1303
1304static int
1305acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1306{
1307int rc;
1308
1309user_msgptr = user_msgptr; /* stop compiler warning */
1310
1311/* Previous success */
1312
1313if (sender_host_name != NULL) return OK;
1314
1315/* Previous failure */
1316
1317if (host_lookup_failed)
1318 {
1319 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1320 return FAIL;
1321 }
1322
1323/* Need to do a lookup */
1324
1325HDEBUG(D_acl)
1326 debug_printf("looking up host name to force name/address consistency check\n");
1327
1328if ((rc = host_name_lookup()) != OK)
1329 {
1330 *log_msgptr = (rc == DEFER)?
1331 US"host lookup deferred for reverse lookup check"
1332 :
1333 string_sprintf("host lookup failed for reverse lookup check%s",
1334 host_lookup_msg);
1335 return rc; /* DEFER or FAIL */
1336 }
1337
1338host_build_sender_fullhost();
1339return OK;
1340}
1341
1342
1343
1344/*************************************************
e5a9dba6
PH
1345* Check client IP address matches CSA target *
1346*************************************************/
1347
1348/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1349response for address records belonging to the CSA target hostname. The section
1350is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1351If one of the addresses matches the client's IP address, then the client is
1352authorized by CSA. If there are target IP addresses but none of them match
1353then the client is using an unauthorized IP address. If there are no target IP
1354addresses then the client cannot be using an authorized IP address. (This is
1355an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1356
1357Arguments:
1358 dnsa the DNS answer block
1359 dnss a DNS scan block for us to use
1360 reset option specifing what portion to scan, as described above
1361 target the target hostname to use for matching RR names
1362
1363Returns: CSA_OK successfully authorized
1364 CSA_FAIL_MISMATCH addresses found but none matched
1365 CSA_FAIL_NOADDR no target addresses found
1366*/
1367
1368static int
1369acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1370 uschar *target)
1371{
1372dns_record *rr;
1373dns_address *da;
1374
1375BOOL target_found = FALSE;
1376
1377for (rr = dns_next_rr(dnsa, dnss, reset);
1378 rr != NULL;
1379 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1380 {
1381 /* Check this is an address RR for the target hostname. */
1382
1383 if (rr->type != T_A
1384 #if HAVE_IPV6
1385 && rr->type != T_AAAA
1386 #ifdef SUPPORT_A6
1387 && rr->type != T_A6
1388 #endif
1389 #endif
1390 ) continue;
1391
1392 if (strcmpic(target, rr->name) != 0) continue;
1393
1394 target_found = TRUE;
1395
1396 /* Turn the target address RR into a list of textual IP addresses and scan
1397 the list. There may be more than one if it is an A6 RR. */
1398
1399 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1400 {
1401 /* If the client IP address matches the target IP address, it's good! */
1402
1403 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1404
1405 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1406 }
1407 }
1408
1409/* If we found some target addresses but none of them matched, the client is
1410using an unauthorized IP address, otherwise the target has no authorized IP
1411addresses. */
1412
1413if (target_found) return CSA_FAIL_MISMATCH;
1414else return CSA_FAIL_NOADDR;
1415}
1416
1417
1418
1419/*************************************************
1420* Verify Client SMTP Authorization *
1421*************************************************/
1422
1423/* Called from acl_verify() below. This routine calls dns_lookup_special()
1424to find the CSA SRV record corresponding to the domain argument, or
1425$sender_helo_name if no argument is provided. It then checks that the
1426client is authorized, and that its IP address corresponds to the SRV
1427target's address by calling acl_verify_csa_address() above. The address
1428should have been returned in the DNS response's ADDITIONAL section, but if
1429not we perform another DNS lookup to get it.
1430
1431Arguments:
1432 domain pointer to optional parameter following verify = csa
1433
1434Returns: CSA_UNKNOWN no valid CSA record found
1435 CSA_OK successfully authorized
1436 CSA_FAIL_* client is definitely not authorized
1437 CSA_DEFER_* there was a DNS problem
1438*/
1439
1440static int
1441acl_verify_csa(uschar *domain)
1442{
1443tree_node *t;
1444uschar *found, *p;
1445int priority, weight, port;
1446dns_answer dnsa;
1447dns_scan dnss;
1448dns_record *rr;
1449int rc, type;
1450uschar target[256];
1451
1452/* Work out the domain we are using for the CSA lookup. The default is the
1453client's HELO domain. If the client has not said HELO, use its IP address
1454instead. If it's a local client (exim -bs), CSA isn't applicable. */
1455
1456while (isspace(*domain) && *domain != '\0') ++domain;
1457if (*domain == '\0') domain = sender_helo_name;
1458if (domain == NULL) domain = sender_host_address;
1459if (sender_host_address == NULL) return CSA_UNKNOWN;
1460
1461/* If we have an address literal, strip off the framing ready for turning it
1462into a domain. The framing consists of matched square brackets possibly
1463containing a keyword and a colon before the actual IP address. */
1464
1465if (domain[0] == '[')
1466 {
1467 uschar *start = Ustrchr(domain, ':');
1468 if (start == NULL) start = domain;
1469 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1470 }
1471
1472/* Turn domains that look like bare IP addresses into domains in the reverse
1473DNS. This code also deals with address literals and $sender_host_address. It's
1474not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1475address literals, but it's probably the most friendly thing to do. This is an
1476extension to CSA, so we allow it to be turned off for proper conformance. */
1477
7e66e54d 1478if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH
1479 {
1480 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1481 dns_build_reverse(domain, target);
1482 domain = target;
1483 }
1484
1485/* Find out if we've already done the CSA check for this domain. If we have,
1486return the same result again. Otherwise build a new cached result structure
1487for this domain. The name is filled in now, and the value is filled in when
1488we return from this function. */
1489
1490t = tree_search(csa_cache, domain);
1491if (t != NULL) return t->data.val;
1492
1493t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1494Ustrcpy(t->name, domain);
1495(void)tree_insertnode(&csa_cache, t);
1496
1497/* Now we are ready to do the actual DNS lookup(s). */
1498
28e6ef29 1499found = domain;
e5a9dba6
PH
1500switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1501 {
1502 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1503
1504 default:
1505 return t->data.val = CSA_DEFER_SRV;
1506
1507 /* If we found nothing, the client's authorization is unknown. */
1508
1509 case DNS_NOMATCH:
1510 case DNS_NODATA:
1511 return t->data.val = CSA_UNKNOWN;
1512
1513 /* We got something! Go on to look at the reply in more detail. */
1514
1515 case DNS_SUCCEED:
1516 break;
1517 }
1518
1519/* Scan the reply for well-formed CSA SRV records. */
1520
1521for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1522 rr != NULL;
1523 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1524 {
1525 if (rr->type != T_SRV) continue;
1526
1527 /* Extract the numerical SRV fields (p is incremented) */
1528
1529 p = rr->data;
1530 GETSHORT(priority, p);
1531 GETSHORT(weight, p);
1532 GETSHORT(port, p);
1533
1534 DEBUG(D_acl)
1535 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1536
1537 /* Check the CSA version number */
1538
1539 if (priority != 1) continue;
1540
1541 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1542 found by dns_special_lookup() is a parent of the one we asked for), we check
1543 the subdomain assertions in the port field. At the moment there's only one
1544 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1545 SRV records of their own. */
1546
1547 if (found != domain)
1548 {
1549 if (port & 1)
1550 return t->data.val = CSA_FAIL_EXPLICIT;
1551 else
1552 return t->data.val = CSA_UNKNOWN;
1553 }
1554
1555 /* This CSA SRV record refers directly to our domain, so we check the value
1556 in the weight field to work out the domain's authorization. 0 and 1 are
1557 unauthorized; 3 means the client is authorized but we can't check the IP
1558 address in order to authenticate it, so we treat it as unknown; values
1559 greater than 3 are undefined. */
1560
1561 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1562
1563 if (weight > 2) continue;
1564
1565 /* Weight == 2, which means the domain is authorized. We must check that the
1566 client's IP address is listed as one of the SRV target addresses. Save the
1567 target hostname then break to scan the additional data for its addresses. */
1568
1569 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1570 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1571
1572 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1573
1574 break;
1575 }
1576
1577/* If we didn't break the loop then no appropriate records were found. */
1578
1579if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1580
1581/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1582A target of "." indicates there are no valid addresses, so the client cannot
1583be authorized. (This is an odd configuration because weight=2 target=. is
1584equivalent to weight=1, but we check for it in order to keep load off the
1585root name servers.) Note that dn_expand() turns "." into "". */
1586
1587if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1588
1589/* Scan the additional section of the CSA SRV reply for addresses belonging
1590to the target. If the name server didn't return any additional data (e.g.
1591because it does not fully support SRV records), we need to do another lookup
1592to obtain the target addresses; otherwise we have a definitive result. */
1593
1594rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1595if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1596
1597/* The DNS lookup type corresponds to the IP version used by the client. */
1598
1599#if HAVE_IPV6
1600if (Ustrchr(sender_host_address, ':') != NULL)
1601 type = T_AAAA;
1602else
1603#endif /* HAVE_IPV6 */
1604 type = T_A;
1605
1606
1607#if HAVE_IPV6 && defined(SUPPORT_A6)
1608DNS_LOOKUP_AGAIN:
1609#endif
1610
1611switch (dns_lookup(&dnsa, target, type, NULL))
1612 {
1613 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1614
1615 default:
1616 return t->data.val = CSA_DEFER_ADDR;
1617
1618 /* If the query succeeded, scan the addresses and return the result. */
1619
1620 case DNS_SUCCEED:
1621 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1622 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1623 /* else fall through */
1624
1625 /* If the target has no IP addresses, the client cannot have an authorized
1626 IP address. However, if the target site uses A6 records (not AAAA records)
1627 we have to do yet another lookup in order to check them. */
1628
1629 case DNS_NOMATCH:
1630 case DNS_NODATA:
1631
1632 #if HAVE_IPV6 && defined(SUPPORT_A6)
1633 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1634 #endif
1635
1636 return t->data.val = CSA_FAIL_NOADDR;
1637 }
1638}
1639
1640
1641
1642/*************************************************
059ec3d9
PH
1643* Handle verification (address & other) *
1644*************************************************/
1645
89583014
JH
1646enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1647 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
1648 };
1649typedef struct {
1650 uschar * name;
1651 int value;
1652 unsigned where_allowed; /* bitmap */
1653 BOOL no_options; /* Never has /option(s) following */
1654 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1655 } verify_type_t;
1656static verify_type_t verify_type_list[] = {
1657 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, TRUE, 0 },
1658 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1659 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1660 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1661 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1662 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1663 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1664 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1665 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1666 FALSE, 6 },
1667 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
1668 };
1669
1670
1671enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1672 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1673 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1674 CALLOUT_TIME
1675 };
1676typedef struct {
1677 uschar * name;
1678 int value;
1679 int flag;
1680 BOOL has_option; /* Has =option(s) following */
1681 BOOL timeval; /* Has a time value */
1682 } callout_opt_t;
1683static callout_opt_t callout_opt_list[] = {
1684 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1685 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1686 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1687 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1688 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1689 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1690 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1691 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1692 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1693 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1694 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1695 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1696 };
1697
1698
1699
059ec3d9
PH
1700/* This function implements the "verify" condition. It is called when
1701encountered in any ACL, because some tests are almost always permitted. Some
1702just don't make sense, and always fail (for example, an attempt to test a host
1703lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1704
1705Arguments:
1706 where where called from
1707 addr the recipient address that the ACL is handling, or NULL
1708 arg the argument of "verify"
1709 user_msgptr pointer for user message
1710 log_msgptr pointer for log message
1711 basic_errno where to put verify errno
1712
1713Returns: OK verification condition succeeded
1714 FAIL verification failed
1715 DEFER there was a problem verifying
1716 ERROR syntax error
1717*/
1718
1719static int
1720acl_verify(int where, address_item *addr, uschar *arg,
1721 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1722{
1723int sep = '/';
1724int callout = -1;
1725int callout_overall = -1;
4deaf07d 1726int callout_connect = -1;
059ec3d9
PH
1727int verify_options = 0;
1728int rc;
1729BOOL verify_header_sender = FALSE;
1730BOOL defer_ok = FALSE;
1731BOOL callout_defer_ok = FALSE;
1732BOOL no_details = FALSE;
eafd343b 1733BOOL success_on_redirect = FALSE;
059ec3d9
PH
1734address_item *sender_vaddr = NULL;
1735uschar *verify_sender_address = NULL;
1736uschar *pm_mailfrom = NULL;
1737uschar *se_mailfrom = NULL;
596875b3
PH
1738
1739/* Some of the verify items have slash-separated options; some do not. Diagnose
89583014 1740an error if options are given for items that don't expect them.
596875b3
PH
1741*/
1742
1743uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH
1744uschar *list = arg;
1745uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
89583014 1746verify_type_t * vp;
059ec3d9
PH
1747
1748if (ss == NULL) goto BAD_VERIFY;
1749
1750/* Handle name/address consistency verification in a separate function. */
1751
89583014
JH
1752for (vp= verify_type_list;
1753 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1754 vp++
1755 )
1756 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1757 : strcmpic (ss, vp->name) == 0)
1758 break;
1759if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1760 goto BAD_VERIFY;
1761
1762if (vp->no_options && slash != NULL)
059ec3d9 1763 {
89583014
JH
1764 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1765 "(this verify item has no options)", arg);
1766 return ERROR;
059ec3d9 1767 }
89583014 1768if (!(vp->where_allowed & (1<<where)))
059ec3d9 1769 {
89583014
JH
1770 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1771 return ERROR;
059ec3d9 1772 }
89583014 1773switch(vp->value)
596875b3 1774 {
89583014
JH
1775 case VERIFY_REV_HOST_LKUP:
1776 if (sender_host_address == NULL) return OK;
1777 return acl_verify_reverse(user_msgptr, log_msgptr);
059ec3d9 1778
89583014
JH
1779 case VERIFY_CERT:
1780 /* TLS certificate verification is done at STARTTLS time; here we just
1781 test whether it was successful or not. (This is for optional verification; for
1782 mandatory verification, the connection doesn't last this long.) */
e5a9dba6 1783
817d9f57 1784 if (tls_in.certificate_verified) return OK;
89583014
JH
1785 *user_msgptr = US"no verified certificate";
1786 return FAIL;
e5a9dba6 1787
89583014
JH
1788 case VERIFY_HELO:
1789 /* We can test the result of optional HELO verification that might have
1790 occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1791
89583014
JH
1792 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1793 return helo_verified? OK : FAIL;
059ec3d9 1794
89583014
JH
1795 case VERIFY_CSA:
1796 /* Do Client SMTP Authorization checks in a separate function, and turn the
1797 result code into user-friendly strings. */
1c41c9cc 1798
89583014
JH
1799 rc = acl_verify_csa(list);
1800 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1801 csa_reason_string[rc]);
1802 csa_status = csa_status_string[rc];
1803 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1804 return csa_return_code[rc];
1805
1806 case VERIFY_HDR_SYNTAX:
1807 /* Check that all relevant header lines have the correct syntax. If there is
1808 a syntax error, we return details of the error to the sender if configured to
1809 send out full details. (But a "message" setting on the ACL can override, as
1810 always). */
1811
1812 rc = verify_check_headers(log_msgptr);
1813 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1c41c9cc 1814 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
89583014 1815 return rc;
059ec3d9 1816
89583014
JH
1817 case VERIFY_NOT_BLIND:
1818 /* Check that no recipient of this message is "blind", that is, every envelope
1819 recipient must be mentioned in either To: or Cc:. */
059ec3d9 1820
89583014
JH
1821 rc = verify_check_notblind();
1822 if (rc != OK)
1823 {
1824 *log_msgptr = string_sprintf("bcc recipient detected");
1825 if (smtp_return_error_details)
1826 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1827 }
1828 return rc;
059ec3d9 1829
89583014
JH
1830 /* The remaining verification tests check recipient and sender addresses,
1831 either from the envelope or from the header. There are a number of
1832 slash-separated options that are common to all of them. */
059ec3d9 1833
89583014
JH
1834 case VERIFY_HDR_SNDR:
1835 verify_header_sender = TRUE;
1836 break;
059ec3d9 1837
89583014
JH
1838 case VERIFY_SNDR:
1839 /* In the case of a sender, this can optionally be followed by an address to use
1840 in place of the actual sender (rare special-case requirement). */
059ec3d9 1841 {
89583014
JH
1842 uschar *s = ss + 6;
1843 if (*s == 0)
1844 verify_sender_address = sender_address;
1845 else
1846 {
1847 while (isspace(*s)) s++;
1848 if (*s++ != '=') goto BAD_VERIFY;
1849 while (isspace(*s)) s++;
1850 verify_sender_address = string_copy(s);
1851 }
059ec3d9 1852 }
89583014
JH
1853 break;
1854
1855 case VERIFY_RCPT:
1856 break;
059ec3d9
PH
1857 }
1858
89583014
JH
1859
1860
596875b3
PH
1861/* Remaining items are optional; they apply to sender and recipient
1862verification, including "header sender" verification. */
059ec3d9
PH
1863
1864while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1865 != NULL)
1866 {
1867 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1868 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1869 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH
1870
1871 /* These two old options are left for backwards compatibility */
1872
1873 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1874 {
1875 callout_defer_ok = TRUE;
1876 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1877 }
1878
1879 else if (strcmpic(ss, US"check_postmaster") == 0)
1880 {
1881 pm_mailfrom = US"";
1882 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1883 }
1884
1885 /* The callout option has a number of sub-options, comma separated */
1886
1887 else if (strncmpic(ss, US"callout", 7) == 0)
1888 {
1889 callout = CALLOUT_TIMEOUT_DEFAULT;
1890 ss += 7;
1891 if (*ss != 0)
1892 {
1893 while (isspace(*ss)) ss++;
1894 if (*ss++ == '=')
1895 {
1896 int optsep = ',';
1897 uschar *opt;
1898 uschar buffer[256];
1899 while (isspace(*ss)) ss++;
8e669ac1 1900
059ec3d9
PH
1901 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1902 != NULL)
1903 {
89583014 1904 callout_opt_t * op;
438257ba 1905 double period = 1.0F;
059ec3d9 1906
89583014 1907 for (op= callout_opt_list; op->name; op++)
438257ba 1908 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
89583014 1909 break;
059ec3d9 1910
89583014
JH
1911 verify_options |= op->flag;
1912 if (op->has_option)
1913 {
438257ba 1914 opt += Ustrlen(op->name);
4deaf07d
PH
1915 while (isspace(*opt)) opt++;
1916 if (*opt++ != '=')
1917 {
1918 *log_msgptr = string_sprintf("'=' expected after "
89583014 1919 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
4deaf07d
PH
1920 return ERROR;
1921 }
1922 while (isspace(*opt)) opt++;
89583014
JH
1923 }
1924 if (op->timeval)
1925 {
1926 period = readconf_readtime(opt, 0, FALSE);
1927 if (period < 0)
4deaf07d
PH
1928 {
1929 *log_msgptr = string_sprintf("bad time value in ACL condition "
1930 "\"verify %s\"", arg);
1931 return ERROR;
1932 }
89583014
JH
1933 }
1934
1935 switch(op->value)
1936 {
1937 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1938 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1939 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1940 case CALLOUT_MAILFROM:
1941 if (!verify_header_sender)
1942 {
1943 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1944 "callout option only for verify=header_sender (detected in ACL "
1945 "condition \"%s\")", arg);
1946 return ERROR;
1947 }
1948 se_mailfrom = string_copy(opt);
1949 break;
1950 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1951 case CALLOUT_MAXWAIT: callout_overall = period; break;
1952 case CALLOUT_CONNECT: callout_connect = period; break;
1953 case CALLOUT_TIME: callout = period; break;
1954 }
059ec3d9
PH
1955 }
1956 }
1957 else
1958 {
1959 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1960 "ACL condition \"%s\"", arg);
1961 return ERROR;
1962 }
1963 }
1964 }
1965
1966 /* Option not recognized */
1967
1968 else
1969 {
1970 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1971 "condition \"verify %s\"", ss, arg);
1972 return ERROR;
1973 }
1974 }
1975
1976if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1977 (vopt_callout_recipsender|vopt_callout_recippmaster))
1978 {
1979 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1980 "for a recipient callout";
1981 return ERROR;
1982 }
1983
1984/* Handle sender-in-header verification. Default the user message to the log
1985message if giving out verification details. */
1986
1987if (verify_header_sender)
1988 {
8e669ac1 1989 int verrno;
059ec3d9 1990 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH
1991 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1992 &verrno);
1993 if (rc != OK)
8e669ac1 1994 {
fe5b5d0b
PH
1995 *basic_errno = verrno;
1996 if (smtp_return_error_details)
1997 {
1998 if (*user_msgptr == NULL && *log_msgptr != NULL)
1999 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
2000 if (rc == DEFER) acl_temp_details = TRUE;
2001 }
8e669ac1 2002 }
059ec3d9
PH
2003 }
2004
2005/* Handle a sender address. The default is to verify *the* sender address, but
2006optionally a different address can be given, for special requirements. If the
2007address is empty, we are dealing with a bounce message that has no sender, so
2008we cannot do any checking. If the real sender address gets rewritten during
2009verification (e.g. DNS widening), set the flag to stop it being rewritten again
2010during message reception.
2011
2012A list of verified "sender" addresses is kept to try to avoid doing to much
2013work repetitively when there are multiple recipients in a message and they all
2014require sender verification. However, when callouts are involved, it gets too
2015complicated because different recipients may require different callout options.
2016Therefore, we always do a full sender verify when any kind of callout is
2017specified. Caching elsewhere, for instance in the DNS resolver and in the
2018callout handling, should ensure that this is not terribly inefficient. */
2019
2020else if (verify_sender_address != NULL)
2021 {
2022 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
2023 != 0)
2024 {
2025 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
2026 "sender verify callout";
2027 return ERROR;
2028 }
2029
2030 sender_vaddr = verify_checked_sender(verify_sender_address);
2031 if (sender_vaddr != NULL && /* Previously checked */
2032 callout <= 0) /* No callout needed this time */
2033 {
2034 /* If the "routed" flag is set, it means that routing worked before, so
2035 this check can give OK (the saved return code value, if set, belongs to a
2036 callout that was done previously). If the "routed" flag is not set, routing
2037 must have failed, so we use the saved return code. */
2038
2039 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
2040 {
2041 rc = sender_vaddr->special_action;
2042 *basic_errno = sender_vaddr->basic_errno;
2043 }
2044 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
2045 }
2046
2047 /* Do a new verification, and cache the result. The cache is used to avoid
2048 verifying the sender multiple times for multiple RCPTs when callouts are not
2049 specified (see comments above).
2050
2051 The cache is also used on failure to give details in response to the first
2052 RCPT that gets bounced for this reason. However, this can be suppressed by
2053 the no_details option, which sets the flag that says "this detail has already
2054 been sent". The cache normally contains just one address, but there may be
2055 more in esoteric circumstances. */
2056
2057 else
2058 {
2059 BOOL routed = TRUE;
2a3eea10 2060 uschar *save_address_data = deliver_address_data;
8e669ac1 2061
059ec3d9
PH
2062 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
2063 if (no_details) setflag(sender_vaddr, af_sverify_told);
2064 if (verify_sender_address[0] != 0)
2065 {
2066 /* If this is the real sender address, save the unrewritten version
2067 for use later in receive. Otherwise, set a flag so that rewriting the
2068 sender in verify_address() does not update sender_address. */
2069
2070 if (verify_sender_address == sender_address)
2071 sender_address_unrewritten = sender_address;
2072 else
2073 verify_options |= vopt_fake_sender;
2074
eafd343b
TK
2075 if (success_on_redirect)
2076 verify_options |= vopt_success_on_redirect;
2077
059ec3d9
PH
2078 /* The recipient, qualify, and expn options are never set in
2079 verify_options. */
2080
2081 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 2082 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH
2083
2084 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
2085
2086 if (rc == OK)
2087 {
2088 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2089 {
2090 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
2091 verify_sender_address, sender_vaddr->address);
2092 }
2093 else
2094 {
2095 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
2096 verify_sender_address);
2097 }
2098 }
2099 else *basic_errno = sender_vaddr->basic_errno;
2100 }
2101 else rc = OK; /* Null sender */
2102
2103 /* Cache the result code */
2104
2105 if (routed) setflag(sender_vaddr, af_verify_routed);
2106 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2107 sender_vaddr->special_action = rc;
2108 sender_vaddr->next = sender_verified_list;
2109 sender_verified_list = sender_vaddr;
8e669ac1
PH
2110
2111 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 2112 the sender verification. */
8e669ac1 2113
2a3eea10 2114 deliver_address_data = save_address_data;
059ec3d9 2115 }
8e669ac1 2116
2a3eea10
PH
2117 /* Put the sender address_data value into $sender_address_data */
2118
8e669ac1 2119 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH
2120 }
2121
2122/* A recipient address just gets a straightforward verify; again we must handle
2123the DEFER overrides. */
2124
2125else
2126 {
2127 address_item addr2;
2128
eafd343b
TK
2129 if (success_on_redirect)
2130 verify_options |= vopt_success_on_redirect;
2131
059ec3d9
PH
2132 /* We must use a copy of the address for verification, because it might
2133 get rewritten. */
2134
2135 addr2 = *addr;
2136 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 2137 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 2138 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 2139
42855d71 2140 *basic_errno = addr2.basic_errno;
059ec3d9 2141 *log_msgptr = addr2.message;
8e669ac1 2142 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 2143 addr2.user_message : addr2.message;
42855d71
PH
2144
2145 /* Allow details for temporary error if the address is so flagged. */
2146 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH
2147
2148 /* Make $address_data visible */
2149 deliver_address_data = addr2.p.address_data;
2150 }
2151
2152/* We have a result from the relevant test. Handle defer overrides first. */
2153
2154if (rc == DEFER && (defer_ok ||
2155 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
2156 {
2157 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
2158 defer_ok? "defer_ok" : "callout_defer_ok");
2159 rc = OK;
2160 }
2161
2162/* If we've failed a sender, set up a recipient message, and point
2163sender_verified_failed to the address item that actually failed. */
2164
2165if (rc != OK && verify_sender_address != NULL)
2166 {
2167 if (rc != DEFER)
2168 {
2169 *log_msgptr = *user_msgptr = US"Sender verify failed";
2170 }
2171 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2172 {
2173 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2174 }
2175 else
2176 {
2177 *log_msgptr = US"Could not complete sender verify callout";
2178 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2179 *log_msgptr;
2180 }
2181
2182 sender_verified_failed = sender_vaddr;
2183 }
2184
2185/* Verifying an address messes up the values of $domain and $local_part,
2186so reset them before returning if this is a RCPT ACL. */
2187
2188if (addr != NULL)
2189 {
2190 deliver_domain = addr->domain;
2191 deliver_localpart = addr->local_part;
2192 }
2193return rc;
2194
2195/* Syntax errors in the verify argument come here. */
2196
2197BAD_VERIFY:
2198*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH
2199 "\"helo\", \"header_syntax\", \"header_sender\" or "
2200 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH
2201 "\"verify %s\"", arg);
2202return ERROR;
2203}
2204
2205
2206
2207
2208/*************************************************
2209* Check argument for control= modifier *
2210*************************************************/
2211
2212/* Called from acl_check_condition() below
2213
2214Arguments:
2215 arg the argument string for control=
2216 pptr set to point to the terminating character
2217 where which ACL we are in
2218 log_msgptr for error messages
2219
2220Returns: CONTROL_xxx value
2221*/
2222
2223static int
2224decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2225{
2226int len;
2227control_def *d;
2228
2229for (d = controls_list;
2230 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2231 d++)
2232 {
2233 len = Ustrlen(d->name);
2234 if (Ustrncmp(d->name, arg, len) == 0) break;
2235 }
2236
2237if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2238 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2239 {
2240 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2241 return CONTROL_ERROR;
2242 }
2243
059ec3d9
PH
2244*pptr = arg + len;
2245return d->value;
2246}
2247
2248
2249
c99ce5c9
TF
2250
2251/*************************************************
2252* Return a ratelimit error *
2253*************************************************/
2254
2255/* Called from acl_ratelimit() below
2256
2257Arguments:
2258 log_msgptr for error messages
2259 format format string
2260 ... supplementary arguments
2261 ss ratelimit option name
2262 where ACL_WHERE_xxxx indicating which ACL this is
2263
2264Returns: ERROR
2265*/
2266
2267static int
2268ratelimit_error(uschar **log_msgptr, const char *format, ...)
2269{
2270va_list ap;
2271uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2272va_start(ap, format);
2273if (!string_vformat(buffer, sizeof(buffer), format, ap))
2274 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
ef840681 2275 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
c99ce5c9
TF
2276va_end(ap);
2277*log_msgptr = string_sprintf(
2278 "error in arguments to \"ratelimit\" condition: %s", buffer);
2279return ERROR;
2280}
2281
2282
2283
2284
059ec3d9 2285/*************************************************
870f6ba8
TF
2286* Handle rate limiting *
2287*************************************************/
2288
2289/* Called by acl_check_condition() below to calculate the result
2290of the ACL ratelimit condition.
2291
2292Note that the return value might be slightly unexpected: if the
2293sender's rate is above the limit then the result is OK. This is
2294similar to the dnslists condition, and is so that you can write
2295ACL clauses like: defer ratelimit = 15 / 1h
2296
2297Arguments:
2298 arg the option string for ratelimit=
90fc3069 2299 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF
2300 log_msgptr for error messages
2301
2302Returns: OK - Sender's rate is above limit
2303 FAIL - Sender's rate is below limit
2304 DEFER - Problem opening ratelimit database
2305 ERROR - Syntax error in options.
2306*/
2307
2308static int
90fc3069 2309acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8 2310{
c99ce5c9 2311double limit, period, count;
8f240103
PH
2312uschar *ss;
2313uschar *key = NULL;
c99ce5c9 2314uschar *unique = NULL;
870f6ba8 2315int sep = '/';
c99ce5c9
TF
2316BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2317BOOL noupdate = FALSE, badacl = FALSE;
2318int mode = RATE_PER_WHAT;
870f6ba8
TF
2319int old_pool, rc;
2320tree_node **anchor, *t;
2321open_db dbblock, *dbm;
c99ce5c9 2322int dbdb_size;
870f6ba8 2323dbdata_ratelimit *dbd;
c99ce5c9 2324dbdata_ratelimit_unique *dbdb;
870f6ba8
TF
2325struct timeval tv;
2326
2327/* Parse the first two options and record their values in expansion
2328variables. These variables allow the configuration to have informative
2329error messages based on rate limits obtained from a table lookup. */
2330
c99ce5c9 2331/* First is the maximum number of messages per period / maximum burst
870f6ba8
TF
2332size, which must be greater than or equal to zero. Zero is useful for
2333rate measurement as opposed to rate limiting. */
2334
2335sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2336if (sender_rate_limit == NULL)
2337 limit = -1.0;
2338else
2339 {
2340 limit = Ustrtod(sender_rate_limit, &ss);
2341 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2342 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2343 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2344 }
c99ce5c9
TF
2345if (limit < 0.0 || *ss != '\0')
2346 return ratelimit_error(log_msgptr,
2347 "\"%s\" is not a positive number", sender_rate_limit);
870f6ba8 2348
c99ce5c9 2349/* Second is the rate measurement period / exponential smoothing time
870f6ba8
TF
2350constant. This must be strictly greater than zero, because zero leads to
2351run-time division errors. */
2352
2353sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2354if (sender_rate_period == NULL) period = -1.0;
2355else period = readconf_readtime(sender_rate_period, 0, FALSE);
2356if (period <= 0.0)
c99ce5c9
TF
2357 return ratelimit_error(log_msgptr,
2358 "\"%s\" is not a time value", sender_rate_period);
2359
2360/* By default we are counting one of something, but the per_rcpt,
2361per_byte, and count options can change this. */
2362
2363count = 1.0;
870f6ba8 2364
c99ce5c9 2365/* Parse the other options. */
870f6ba8
TF
2366
2367while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2368 != NULL)
2369 {
2370 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2371 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2372 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
c99ce5c9
TF
2373 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2374 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2375 else if (strcmpic(ss, US"per_conn") == 0)
2376 {
2377 RATE_SET(mode, PER_CONN);
2378 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2379 badacl = TRUE;
2380 }
2381 else if (strcmpic(ss, US"per_mail") == 0)
2382 {
2383 RATE_SET(mode, PER_MAIL);
2384 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2385 }
2386 else if (strcmpic(ss, US"per_rcpt") == 0)
2387 {
2388 /* If we are running in the RCPT ACL, then we'll count the recipients
2389 one by one, but if we are running when we have accumulated the whole
2390 list then we'll add them all in one batch. */
2391 if (where == ACL_WHERE_RCPT)
2392 RATE_SET(mode, PER_RCPT);
2393 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2394 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2395 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2396 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2397 }
2398 else if (strcmpic(ss, US"per_byte") == 0)
2399 {
2400 /* If we have not yet received the message data and there was no SIZE
2401 declaration on the MAIL comand, then it's safe to just use a value of
2402 zero and let the recorded rate decay as if nothing happened. */
2403 RATE_SET(mode, PER_MAIL);
2404 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2405 else count = message_size < 0 ? 0.0 : (double)message_size;
2406 }
2407 else if (strcmpic(ss, US"per_addr") == 0)
2408 {
2409 RATE_SET(mode, PER_RCPT);
438257ba 2410 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
c99ce5c9
TF
2411 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2412 }
2413 else if (strncmpic(ss, US"count=", 6) == 0)
2414 {
2415 uschar *e;
2416 count = Ustrtod(ss+6, &e);
2417 if (count < 0.0 || *e != '\0')
2418 return ratelimit_error(log_msgptr,
2419 "\"%s\" is not a positive number", ss);
2420 }
2421 else if (strncmpic(ss, US"unique=", 7) == 0)
2422 unique = string_copy(ss + 7);
2423 else if (key == NULL)
2424 key = string_copy(ss);
2425 else
2426 key = string_sprintf("%s/%s", key, ss);
870f6ba8
TF
2427 }
2428
c99ce5c9
TF
2429/* Sanity check. When the badacl flag is set the update mode must either
2430be readonly (which is the default if it is omitted) or, for backwards
2431compatibility, a combination of noupdate and strict or leaky. */
2432
2433if (mode == RATE_PER_CLASH)
2434 return ratelimit_error(log_msgptr, "conflicting per_* options");
2435if (leaky + strict + readonly > 1)
2436 return ratelimit_error(log_msgptr, "conflicting update modes");
2437if (badacl && (leaky || strict) && !noupdate)
2438 return ratelimit_error(log_msgptr,
2439 "\"%s\" must not have /leaky or /strict option in %s ACL",
2440 ratelimit_option_string[mode], acl_wherenames[where]);
2441
2442/* Set the default values of any unset options. In readonly mode we
2443perform the rate computation without any increment so that its value
2444decays to eventually allow over-limit senders through. */
2445
2446if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2447if (badacl) readonly = TRUE;
2448if (readonly) count = 0.0;
2449if (!strict && !readonly) leaky = TRUE;
2450if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
870f6ba8 2451
8f240103
PH
2452/* Create the lookup key. If there is no explicit key, use sender_host_address.
2453If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2454omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2455are added to the key because they alter the meaning of the stored data. */
2456
2457if (key == NULL)
2458 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2459
c99ce5c9 2460key = string_sprintf("%s/%s/%s%s",
8f240103 2461 sender_rate_period,
c99ce5c9
TF
2462 ratelimit_option_string[mode],
2463 unique == NULL ? "" : "unique/",
8f240103 2464 key);
870f6ba8 2465
c99ce5c9
TF
2466HDEBUG(D_acl)
2467 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
870f6ba8 2468
8f240103
PH
2469/* See if we have already computed the rate by looking in the relevant tree.
2470For per-connection rate limiting, store tree nodes and dbdata in the permanent
c99ce5c9
TF
2471pool so that they survive across resets. In readonly mode we only remember the
2472result for the rest of this command in case a later command changes it. After
2473this bit of logic the code is independent of the per_* mode. */
870f6ba8 2474
870f6ba8
TF
2475old_pool = store_pool;
2476
c99ce5c9
TF
2477if (readonly)
2478 anchor = &ratelimiters_cmd;
2479else switch(mode) {
2480case RATE_PER_CONN:
870f6ba8
TF
2481 anchor = &ratelimiters_conn;
2482 store_pool = POOL_PERM;
c99ce5c9
TF
2483 break;
2484case RATE_PER_BYTE:
2485case RATE_PER_MAIL:
2486case RATE_PER_ALLRCPTS:
870f6ba8 2487 anchor = &ratelimiters_mail;
c99ce5c9
TF
2488 break;
2489case RATE_PER_ADDR:
2490case RATE_PER_CMD:
2491case RATE_PER_RCPT:
fe0dab11 2492 anchor = &ratelimiters_cmd;
c99ce5c9
TF
2493 break;
2494default:
3399bb60 2495 anchor = NULL; /* silence an "unused" complaint */
c99ce5c9
TF
2496 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2497 "internal ACL error: unknown ratelimit mode %d", mode);
2498 break;
2499}
870f6ba8 2500
c99ce5c9
TF
2501t = tree_search(*anchor, key);
2502if (t != NULL)
870f6ba8
TF
2503 {
2504 dbd = t->data.ptr;
2505 /* The following few lines duplicate some of the code below. */
8f240103 2506 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF
2507 store_pool = old_pool;
2508 sender_rate = string_sprintf("%.1f", dbd->rate);
2509 HDEBUG(D_acl)
2510 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2511 return rc;
2512 }
2513
c99ce5c9
TF
2514/* We aren't using a pre-computed rate, so get a previously recorded rate
2515from the database, which will be updated and written back if required. */
870f6ba8
TF
2516
2517dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2518if (dbm == NULL)
2519 {
2520 store_pool = old_pool;
2521 sender_rate = NULL;
2522 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2523 *log_msgptr = US"ratelimit database not available";
2524 return DEFER;
2525 }
c99ce5c9
TF
2526dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2527dbd = NULL;
870f6ba8
TF
2528
2529gettimeofday(&tv, NULL);
2530
c99ce5c9
TF
2531if (dbdb != NULL)
2532 {
2533 /* Locate the basic ratelimit block inside the DB data. */
2534 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2535 dbd = &dbdb->dbd;
2536
2537 /* Forget the old Bloom filter if it is too old, so that we count each
2538 repeating event once per period. We don't simply clear and re-use the old
2539 filter because we want its size to change if the limit changes. Note that
2540 we keep the dbd pointer for copying the rate into the new data block. */
2541
2542 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2543 {
2544 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2545 dbdb = NULL;
2546 }
2547
2548 /* Sanity check. */
2549
2550 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2551 {
2552 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2553 dbdb = NULL;
2554 }
2555 }
2556
2557/* Allocate a new data block if the database lookup failed
2558or the Bloom filter passed its age limit. */
2559
2560if (dbdb == NULL)
2561 {
2562 if (unique == NULL)
2563 {
2564 /* No Bloom filter. This basic ratelimit block is initialized below. */
2565 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2566 dbdb_size = sizeof(*dbd);
2567 dbdb = store_get(dbdb_size);
2568 }
2569 else
2570 {
2571 int extra;
2572 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2573
2574 /* See the long comment below for an explanation of the magic number 2.
2575 The filter has a minimum size in case the rate limit is very small;
2576 this is determined by the definition of dbdata_ratelimit_unique. */
2577
2578 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2579 if (extra < 0) extra = 0;
2580 dbdb_size = sizeof(*dbdb) + extra;
2581 dbdb = store_get(dbdb_size);
2582 dbdb->bloom_epoch = tv.tv_sec;
2583 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2584 memset(dbdb->bloom, 0, dbdb->bloom_size);
2585
2586 /* Preserve any basic ratelimit data (which is our longer-term memory)
2587 by copying it from the discarded block. */
2588
2589 if (dbd != NULL)
2590 {
2591 dbdb->dbd = *dbd;
2592 dbd = &dbdb->dbd;
2593 }
2594 }
2595 }
2596
2597/* If we are counting unique events, find out if this event is new or not.
2598If the client repeats the event during the current period then it should be
2599counted. We skip this code in readonly mode for efficiency, because any
2600changes to the filter will be discarded and because count is already set to
2601zero. */
2602
2603if (unique != NULL && !readonly)
2604 {
2605 /* We identify unique events using a Bloom filter. (You can find my
2606 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2607 With the per_addr option, an "event" is a recipient address, though the
2608 user can use the unique option to define their own events. We only count
2609 an event if we have not seen it before.
2610
2611 We size the filter according to the rate limit, which (in leaky mode)
2612 is the limit on the population of the filter. We allow 16 bits of space
2613 per entry (see the construction code above) and we set (up to) 8 of them
2614 when inserting an element (see the loop below). The probability of a false
2615 positive (an event we have not seen before but which we fail to count) is
2616
2617 size = limit * 16
2618 numhash = 8
2619 allzero = exp(-numhash * pop / size)
2620 = exp(-0.5 * pop / limit)
2621 fpr = pow(1 - allzero, numhash)
2622
2623 For senders at the limit the fpr is 0.06% or 1 in 1700
2624 and for senders at half the limit it is 0.0006% or 1 in 170000
2625
2626 In strict mode the Bloom filter can fill up beyond the normal limit, in
2627 which case the false positive rate will rise. This means that the
2628 measured rate for very fast senders can bogusly drop off after a while.
2629
2630 At twice the limit, the fpr is 2.5% or 1 in 40
2631 At four times the limit, it is 31% or 1 in 3.2
2632
2633 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2634 decay below the limit, and if this is more than one then the Bloom filter
2635 will be discarded before the decay gets that far. The false positive rate
2636 at this threshold is 9.3% or 1 in 10.7. */
2637
2638 BOOL seen;
2639 unsigned n, hash, hinc;
2640 uschar md5sum[16];
2641 md5 md5info;
2642
2643 /* Instead of using eight independent hash values, we combine two values
2644 using the formula h1 + n * h2. This does not harm the Bloom filter's
2645 performance, and means the amount of hash we need is independent of the
2646 number of bits we set in the filter. */
2647
2648 md5_start(&md5info);
2649 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2650 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2651 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2652
2653 /* Scan the bits corresponding to this event. A zero bit means we have
2654 not seen it before. Ensure all bits are set to record this event. */
2655
2656 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2657
2658 seen = TRUE;
2659 for (n = 0; n < 8; n++, hash += hinc)
2660 {
2661 int bit = 1 << (hash % 8);
2662 int byte = (hash / 8) % dbdb->bloom_size;
2663 if ((dbdb->bloom[byte] & bit) == 0)
2664 {
2665 dbdb->bloom[byte] |= bit;
2666 seen = FALSE;
2667 }
2668 }
2669
2670 /* If this event has occurred before, do not count it. */
2671
2672 if (seen)
2673 {
2674 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2675 count = 0.0;
2676 }
2677 else
2678 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2679 }
2680
2681/* If there was no previous ratelimit data block for this key, initialize
2682the new one, otherwise update the block from the database. The initial rate
2683is what would be computed by the code below for an infinite interval. */
2684
870f6ba8
TF
2685if (dbd == NULL)
2686 {
c99ce5c9
TF
2687 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2688 dbd = &dbdb->dbd;
870f6ba8
TF
2689 dbd->time_stamp = tv.tv_sec;
2690 dbd->time_usec = tv.tv_usec;
c99ce5c9 2691 dbd->rate = count;
870f6ba8
TF
2692 }
2693else
2694 {
2695 /* The smoothed rate is computed using an exponentially weighted moving
2696 average adjusted for variable sampling intervals. The standard EWMA for
2697 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2698 where f() is the measured value and f'() is the smoothed value.
2699
2700 Old data decays out of the smoothed value exponentially, such that data n
2701 samples old is multiplied by a^n. The exponential decay time constant p
2702 is defined such that data p samples old is multiplied by 1/e, which means
2703 that a = exp(-1/p). We can maintain the same time constant for a variable
2704 sampling interval i by using a = exp(-i/p).
2705
2706 The rate we are measuring is messages per period, suitable for directly
2707 comparing with the limit. The average rate between now and the previous
2708 message is period / interval, which we feed into the EWMA as the sample.
2709
2710 It turns out that the number of messages required for the smoothed rate
2711 to reach the limit when they are sent in a burst is equal to the limit.
2712 This can be seen by analysing the value of the smoothed rate after N
2713 messages sent at even intervals. Let k = (1 - a) * p/i
2714
2715 rate_1 = (1 - a) * p/i + a * rate_0
2716 = k + a * rate_0
2717 rate_2 = k + a * rate_1
2718 = k + a * k + a^2 * rate_0
2719 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2720 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2721 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2722 = rate_0 * a^N + p/i * (1 - a^N)
2723
2724 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2725
2726 rate_N = p/i + (rate_0 - p/i) * a^N
2727 a^N = (rate_N - p/i) / (rate_0 - p/i)
2728 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2729 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2730
2731 Numerical analysis of the above equation, setting the computed rate to
2732 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2733 rates, p/i, the number of messages N = limit. So limit serves as both the
2734 maximum rate measured in messages per period, and the maximum number of
2735 messages that can be sent in a fast burst. */
2736
2737 double this_time = (double)tv.tv_sec
2738 + (double)tv.tv_usec / 1000000.0;
2739 double prev_time = (double)dbd->time_stamp
2740 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF
2741
2742 /* We must avoid division by zero, and deal gracefully with the clock going
2743 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2744 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2745
e5d5a95f
TF
2746 double interval = this_time - prev_time <= 0.0 ? 1e-9
2747 : this_time - prev_time;
2748
2749 double i_over_p = interval / period;
2750 double a = exp(-i_over_p);
870f6ba8 2751
c99ce5c9
TF
2752 /* Combine the instantaneous rate (period / interval) with the previous rate
2753 using the smoothing factor a. In order to measure sized events, multiply the
2754 instantaneous rate by the count of bytes or recipients etc. */
2755
870f6ba8
TF
2756 dbd->time_stamp = tv.tv_sec;
2757 dbd->time_usec = tv.tv_usec;
c99ce5c9
TF
2758 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2759
2760 /* When events are very widely spaced the computed rate tends towards zero.
2761 Although this is accurate it turns out not to be useful for our purposes,
2762 especially when the first event after a long silence is the start of a spam
2763 run. A more useful model is that the rate for an isolated event should be the
2764 size of the event per the period size, ignoring the lack of events outside
2765 the current period and regardless of where the event falls in the period. So,
2766 if the interval was so long that the calculated rate is unhelpfully small, we
2767 re-intialize the rate. In the absence of higher-rate bursts, the condition
2768 below is true if the interval is greater than the period. */
2769
2770 if (dbd->rate < count) dbd->rate = count;
870f6ba8
TF
2771 }
2772
c99ce5c9
TF
2773/* Clients sending at the limit are considered to be over the limit.
2774This matters for edge cases such as a limit of zero, when the client
2775should be completely blocked. */
3348576f 2776
8f240103 2777rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF
2778
2779/* Update the state if the rate is low or if we are being strict. If we
2780are in leaky mode and the sender's rate is too high, we do not update
2781the recorded rate in order to avoid an over-aggressive sender's retry
c99ce5c9
TF
2782rate preventing them from getting any email through. If readonly is set,
2783neither leaky nor strict are set, so we do not do any updates. */
870f6ba8 2784
c99ce5c9 2785if ((rc == FAIL && leaky) || strict)
8f240103 2786 {
c99ce5c9 2787 dbfn_write(dbm, key, dbdb, dbdb_size);
8f240103
PH
2788 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2789 }
2790else
2791 {
2792 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
c99ce5c9 2793 readonly? "readonly mode" : "over the limit, but leaky");
8f240103
PH
2794 }
2795
870f6ba8
TF
2796dbfn_close(dbm);
2797
c99ce5c9 2798/* Store the result in the tree for future reference. */
870f6ba8 2799
c99ce5c9
TF
2800t = store_get(sizeof(tree_node) + Ustrlen(key));
2801t->data.ptr = dbd;
2802Ustrcpy(t->name, key);
2803(void)tree_insertnode(anchor, t);
870f6ba8
TF
2804
2805/* We create the formatted version of the sender's rate very late in
2806order to ensure that it is done using the correct storage pool. */
2807
2808store_pool = old_pool;
2809sender_rate = string_sprintf("%.1f", dbd->rate);
2810
2811HDEBUG(D_acl)
2812 debug_printf("ratelimit computed rate %s\n", sender_rate);
2813
2814return rc;
2815}
2816
2817
2818
2819/*************************************************
059ec3d9
PH
2820* Handle conditions/modifiers on an ACL item *
2821*************************************************/
2822
2823/* Called from acl_check() below.
2824
2825Arguments:
2826 verb ACL verb
2827 cb ACL condition block - if NULL, result is OK
2828 where where called from
2829 addr the address being checked for RCPT, or NULL
2830 level the nesting level
2831 epp pointer to pass back TRUE if "endpass" encountered
2832 (applies only to "accept" and "discard")
2833 user_msgptr user message pointer
2834 log_msgptr log message pointer
2835 basic_errno pointer to where to put verify error
2836
2837Returns: OK - all conditions are met
2838 DISCARD - an "acl" condition returned DISCARD - only allowed
2839 for "accept" or "discard" verbs
2840 FAIL - at least one condition fails
2841 FAIL_DROP - an "acl" condition returned FAIL_DROP
2842 DEFER - can't tell at the moment (typically, lookup defer,
2843 but can be temporary callout problem)
2844 ERROR - ERROR from nested ACL or expansion failure or other
2845 error
2846*/
2847
2848static int
2849acl_check_condition(int verb, acl_condition_block *cb, int where,
2850 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2851 uschar **log_msgptr, int *basic_errno)
2852{
2853uschar *user_message = NULL;
2854uschar *log_message = NULL;
ed7f7860
PP
2855uschar *debug_tag = NULL;
2856uschar *debug_opts = NULL;
91ecef39 2857uschar *p = NULL;
059ec3d9 2858int rc = OK;
8523533c
TK
2859#ifdef WITH_CONTENT_SCAN
2860int sep = '/';
2861#endif
059ec3d9
PH
2862
2863for (; cb != NULL; cb = cb->next)
2864 {
2865 uschar *arg;
8e669ac1 2866 int control_type;
059ec3d9
PH
2867
2868 /* The message and log_message items set up messages to be used in
2869 case of rejection. They are expanded later. */
2870
2871 if (cb->type == ACLC_MESSAGE)
2872 {
2873 user_message = cb->arg;
2874 continue;
2875 }
2876
2877 if (cb->type == ACLC_LOG_MESSAGE)
2878 {
2879 log_message = cb->arg;
2880 continue;
2881 }
2882
2883 /* The endpass "condition" just sets a flag to show it occurred. This is
2884 checked at compile time to be on an "accept" or "discard" item. */
2885
2886 if (cb->type == ACLC_ENDPASS)
2887 {
2888 *epp = TRUE;
2889 continue;
2890 }
2891
2892 /* For other conditions and modifiers, the argument is expanded now for some
2893 of them, but not for all, because expansion happens down in some lower level
2894 checking functions in some cases. */
2895
2896 if (cond_expand_at_top[cb->type])
2897 {
2898 arg = expand_string(cb->arg);
2899 if (arg == NULL)
2900 {
2901 if (expand_string_forcedfail) continue;
2902 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2903 cb->arg, expand_string_message);
2904 return search_find_defer? DEFER : ERROR;
2905 }
2906 }
2907 else arg = cb->arg;
2908
2909 /* Show condition, and expanded condition if it's different */
2910
2911 HDEBUG(D_acl)
2912 {
2913 int lhswidth = 0;
2914 debug_printf("check %s%s %n",
2915 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2916 conditions[cb->type], &lhswidth);
2917
2918 if (cb->type == ACLC_SET)
2919 {
38a0a95f
PH
2920 debug_printf("acl_%s ", cb->u.varname);
2921 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH
2922 }
2923
2924 debug_printf("= %s\n", cb->arg);
2925
2926 if (arg != cb->arg)
2927 debug_printf("%.*s= %s\n", lhswidth,
2928 US" ", CS arg);
2929 }
2930
2931 /* Check that this condition makes sense at this time */
2932
2933 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2934 {
2935 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2936 cond_modifiers[cb->type]? "use" : "test",
2937 conditions[cb->type], acl_wherenames[where]);
2938 return ERROR;
2939 }
2940
2941 /* Run the appropriate test for each condition, or take the appropriate
2942 action for the remaining modifiers. */
2943
2944 switch(cb->type)
2945 {
71fafd95
PH
2946 case ACLC_ADD_HEADER:
2947 setup_header(arg);
2948 break;
2949
059ec3d9
PH
2950 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2951 "discard" verb. */
71fafd95 2952
059ec3d9 2953 case ACLC_ACL:
f60d98e8 2954 rc = acl_check_wargs(where, addr, arg, level+1, user_msgptr, log_msgptr);
7421ecab
JH
2955 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2956 {
2957 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2958 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2959 verbs[verb]);
2960 return ERROR;
2961 }
059ec3d9
PH
2962 break;
2963
2964 case ACLC_AUTHENTICATED:
2965 rc = (sender_host_authenticated == NULL)? FAIL :
2966 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2967 TRUE, NULL);
2968 break;
2969
71fafd95 2970 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK
2971 case ACLC_BMI_OPTIN:
2972 {
2973 int old_pool = store_pool;
2974 store_pool = POOL_PERM;
2975 bmi_current_optin = string_copy(arg);
2976 store_pool = old_pool;
2977 }
2978 break;
71fafd95 2979 #endif
8523533c 2980
059ec3d9 2981 case ACLC_CONDITION:
f3766eb5
NM
2982 /* The true/false parsing here should be kept in sync with that used in
2983 expand.c when dealing with ECOND_BOOL so that we don't have too many
2984 different definitions of what can be a boolean. */
059ec3d9
PH
2985 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2986 rc = (Uatoi(arg) == 0)? FAIL : OK;
2987 else
2988 rc = (strcmpic(arg, US"no") == 0 ||
2989 strcmpic(arg, US"false") == 0)? FAIL :
2990 (strcmpic(arg, US"yes") == 0 ||
2991 strcmpic(arg, US"true") == 0)? OK : DEFER;
2992 if (rc == DEFER)
2993 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2994 break;
2995
c3611384
PH
2996 case ACLC_CONTINUE: /* Always succeeds */
2997 break;
2998
059ec3d9 2999 case ACLC_CONTROL:
c5fcb476
PH
3000 control_type = decode_control(arg, &p, where, log_msgptr);
3001
8523533c 3002 /* Check if this control makes sense at this time */
c5fcb476
PH
3003
3004 if ((control_forbids[control_type] & (1 << where)) != 0)
3005 {
3006 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
3007 controls[control_type], acl_wherenames[where]);
3008 return ERROR;
8e669ac1 3009 }
c5fcb476
PH
3010
3011 switch(control_type)
059ec3d9 3012 {
c46782ef
PH
3013 case CONTROL_AUTH_UNADVERTISED:
3014 allow_auth_unadvertised = TRUE;
3015 break;
3016
3017 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK
3018 case CONTROL_BMI_RUN:
3019 bmi_run = 1;
3020 break;
c46782ef
PH
3021 #endif
3022
80a47a2c 3023 #ifndef DISABLE_DKIM
f7572e5a 3024 case CONTROL_DKIM_VERIFY:
80a47a2c 3025 dkim_disable_verify = TRUE;
4840604e
TL
3026 #ifdef EXPERIMENTAL_DMARC
3027 /* Since DKIM was blocked, skip DMARC too */
3028 dmarc_disable_verify = TRUE;
3029 dmarc_enable_forensic = FALSE;
3030 #endif
3031 break;
3032 #endif
3033
3034 #ifdef EXPERIMENTAL_DMARC
3035 case CONTROL_DMARC_VERIFY:
3036 dmarc_disable_verify = TRUE;
3037 break;
3038
3039 case CONTROL_DMARC_FORENSIC:
3040 dmarc_enable_forensic = TRUE;
f7572e5a
TK
3041 break;
3042 #endif
3043
13363eba
PP
3044 case CONTROL_DSCP:
3045 if (*p == '/')
3046 {
3047 int fd, af, level, optname, value;
3048 /* If we are acting on stdin, the setsockopt may fail if stdin is not
3049 a socket; we can accept that, we'll just debug-log failures anyway. */
3050 fd = fileno(smtp_in);
3051 af = ip_get_address_family(fd);
3052 if (af < 0)
3053 {
3054 HDEBUG(D_acl)
3055 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
3056 strerror(errno));
3057 break;
3058 }
3059 if (dscp_lookup(p+1, af, &level, &optname, &value))
3060 {
3061 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3062 {
3063 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
3064 p+1, strerror(errno));
3065 }
3066 else
3067 {
3068 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
3069 }
3070 }
3071 else
3072 {
3073 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3074 return ERROR;
3075 }
3076 }
3077 else
3078 {
3079 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3080 return ERROR;
3081 }
3082 break;
3083
059ec3d9
PH
3084 case CONTROL_ERROR:
3085 return ERROR;
3086
3087 case CONTROL_CASEFUL_LOCAL_PART:
3088 deliver_localpart = addr->cc_local_part;
3089 break;
3090
3091 case CONTROL_CASELOWER_LOCAL_PART:
3092 deliver_localpart = addr->lc_local_part;
3093 break;
3094
3095 case CONTROL_ENFORCE_SYNC:
3096 smtp_enforce_sync = TRUE;
3097 break;
3098
3099 case CONTROL_NO_ENFORCE_SYNC:
3100 smtp_enforce_sync = FALSE;
3101 break;
3102
c46782ef 3103 #ifdef WITH_CONTENT_SCAN
8523533c
TK
3104 case CONTROL_NO_MBOX_UNSPOOL:
3105 no_mbox_unspool = TRUE;
3106 break;
c46782ef 3107 #endif
8523533c 3108
059ec3d9
PH
3109 case CONTROL_NO_MULTILINE:
3110 no_multiline_responses = TRUE;
3111 break;
3112
cf8b11a5
PH
3113 case CONTROL_NO_PIPELINING:
3114 pipelining_enable = FALSE;
3115 break;
3116
047bdd8c
PH
3117 case CONTROL_NO_DELAY_FLUSH:
3118 disable_delay_flush = TRUE;
3119 break;
3120
4c590bd1
PH
3121 case CONTROL_NO_CALLOUT_FLUSH:
3122 disable_callout_flush = TRUE;
3123 break;
3124
29aba418 3125 case CONTROL_FAKEDEFER:
8523533c 3126 case CONTROL_FAKEREJECT:
29aba418 3127 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 3128 if (*p == '/')
8e669ac1 3129 {
8523533c 3130 uschar *pp = p + 1;
8e669ac1 3131 while (*pp != 0) pp++;
29aba418 3132 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK
3133 p = pp;
3134 }
3135 else
3136 {
3137 /* Explicitly reset to default string */
29aba418 3138 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK
3139 }
3140 break;
8523533c 3141
059ec3d9
PH
3142 case CONTROL_FREEZE:
3143 deliver_freeze = TRUE;
3144 deliver_frozen_at = time(NULL);
6a3f1455
PH
3145 freeze_tell = freeze_tell_config; /* Reset to configured value */
3146 if (Ustrncmp(p, "/no_tell", 8) == 0)
3147 {
3148 p += 8;
3149 freeze_tell = NULL;
3150 }
3151 if (*p != 0)
3152 {
3153 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3154 return ERROR;
3155 }
059ec3d9
PH
3156 break;
3157
3158 case CONTROL_QUEUE_ONLY:
3159 queue_only_policy = TRUE;
3160 break;
3161
3162 case CONTROL_SUBMISSION:
87ba3f5f 3163 originator_name = US"";
059ec3d9 3164 submission_mode = TRUE;
69358f02 3165 while (*p == '/')
8e669ac1 3166 {
69358f02
PH
3167 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3168 {
3169 p += 14;
3170 active_local_sender_retain = TRUE;
8e669ac1
PH
3171 active_local_from_check = FALSE;
3172 }
69358f02
PH
3173 else if (Ustrncmp(p, "/domain=", 8) == 0)
3174 {
3175 uschar *pp = p + 8;
8e669ac1 3176 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH
3177 submission_domain = string_copyn(p+8, pp-p-8);
3178 p = pp;
3179 }
8857ccfd
PH
3180 /* The name= option must be last, because it swallows the rest of
3181 the string. */
87ba3f5f
PH
3182 else if (Ustrncmp(p, "/name=", 6) == 0)
3183 {
3184 uschar *pp = p + 6;
8857ccfd 3185 while (*pp != 0) pp++;
2fe1a124 3186 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 3187 big_buffer, big_buffer_size));
8e669ac1 3188 p = pp;
69358f02 3189 }
8e669ac1
PH
3190 else break;
3191 }
69358f02 3192 if (*p != 0)
059ec3d9 3193 {
69358f02 3194 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH
3195 return ERROR;
3196 }
3197 break;
8800895a 3198
ed7f7860
PP
3199 case CONTROL_DEBUG:
3200 while (*p == '/')
3201 {
3202 if (Ustrncmp(p, "/tag=", 5) == 0)
3203 {
3204 uschar *pp = p + 5;
3205 while (*pp != '\0' && *pp != '/') pp++;
3206 debug_tag = string_copyn(p+5, pp-p-5);
3207 p = pp;
3208 }
3209 else if (Ustrncmp(p, "/opts=", 6) == 0)
3210 {
3211 uschar *pp = p + 6;
3212 while (*pp != '\0' && *pp != '/') pp++;
3213 debug_opts = string_copyn(p+6, pp-p-6);
3214 p = pp;
3215 }
3216 }
3217 debug_logging_activate(debug_tag, debug_opts);
3218 break;
3219
8800895a
PH
3220 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3221 suppress_local_fixups = TRUE;
3222 break;
e4bdf652
JH
3223
3224 case CONTROL_CUTTHROUGH_DELIVERY:
3225 if (deliver_freeze)
3226 {
3227 *log_msgptr = string_sprintf("\"control=%s\" on frozen item", arg);
3228 return ERROR;
3229 }
3230 if (queue_only_policy)
3231 {
3232 *log_msgptr = string_sprintf("\"control=%s\" on queue-only item", arg);
3233 return ERROR;
3234 }
3235 cutthrough_delivery = TRUE;
3236 break;
059ec3d9
PH
3237 }
3238 break;
3239
6a8f9482
TK
3240 #ifdef EXPERIMENTAL_DCC
3241 case ACLC_DCC:
3242 {
3243 /* Seperate the regular expression and any optional parameters. */
3244 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3245 /* Run the dcc backend. */
3246 rc = dcc_process(&ss);
3247 /* Modify return code based upon the existance of options. */
3248 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3249 != NULL) {
3250 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3251 {
3252 /* FAIL so that the message is passed to the next ACL */
3253 rc = FAIL;
3254 }
3255 }
3256 }
3257 break;
3258 #endif
3259
71fafd95 3260 #ifdef WITH_CONTENT_SCAN
8523533c
TK
3261 case ACLC_DECODE:
3262 rc = mime_decode(&arg);
3263 break;
71fafd95 3264 #endif
8523533c 3265
059ec3d9
PH
3266 case ACLC_DELAY:
3267 {
3268 int delay = readconf_readtime(arg, 0, FALSE);
3269 if (delay < 0)
3270 {
3271 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3272 "modifier: \"%s\" is not a time value", arg);
3273 return ERROR;
3274 }
3275 else
3276 {
3277 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3278 delay);
3279 if (host_checking)
3280 {
3281 HDEBUG(D_acl)
3282 debug_printf("delay skipped in -bh checking mode\n");
3283 }
010c2d14
PH
3284
3285 /* It appears to be impossible to detect that a TCP/IP connection has
3286 gone away without reading from it. This means that we cannot shorten
3287 the delay below if the client goes away, because we cannot discover
3288 that the client has closed its end of the connection. (The connection
3289 is actually in a half-closed state, waiting for the server to close its
3290 end.) It would be nice to be able to detect this state, so that the
3291 Exim process is not held up unnecessarily. However, it seems that we
3292 can't. The poll() function does not do the right thing, and in any case
3293 it is not always available.
3294
047bdd8c 3295 NOTE 1: If ever this state of affairs changes, remember that we may be
010c2d14 3296 dealing with stdin/stdout here, in addition to TCP/IP connections.
047bdd8c
PH
3297 Also, delays may be specified for non-SMTP input, where smtp_out and
3298 smtp_in will be NULL. Whatever is done must work in all cases.
3299
3300 NOTE 2: The added feature of flushing the output before a delay must
3301 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3302 */
010c2d14 3303
8e669ac1 3304 else
86b8287f 3305 {
14f4a80d 3306 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
86b8287f 3307 while (delay > 0) delay = sleep(delay);
8e669ac1 3308 }
059ec3d9
PH
3309 }
3310 }
3311 break;
3312
71fafd95 3313 #ifdef WITH_OLD_DEMIME
8523533c
TK
3314 case ACLC_DEMIME:
3315 rc = demime(&arg);
3316 break;
71fafd95 3317 #endif
8523533c 3318
80a47a2c
TK
3319 #ifndef DISABLE_DKIM
3320 case ACLC_DKIM_SIGNER:
9e5d6b55
TK
3321 if (dkim_cur_signer != NULL)
3322 rc = match_isinlist(dkim_cur_signer,
80a47a2c 3323 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
80a47a2c 3324 else
80a47a2c 3325 rc = FAIL;
71fafd95
PH
3326 break;
3327
80a47a2c
TK
3328 case ACLC_DKIM_STATUS:
3329 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3330 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
71fafd95
PH
3331 break;
3332 #endif
fb2274d4 3333
4840604e
TL
3334 #ifdef EXPERIMENTAL_DMARC
3335 case ACLC_DMARC_STATUS:
4a8ce2d8 3336 if (!dmarc_has_been_checked)
4840604e 3337 dmarc_process();
4a8ce2d8 3338 dmarc_has_been_checked = TRUE;
4840604e
TL
3339 /* used long way of dmarc_exim_expand_query() in case we need more
3340 * view into the process in the future. */
3341 rc = match_isinlist(dmarc_exim_expand_query(DMARC_VERIFY_STATUS),
3342 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3343 break;
3344 #endif
3345
059ec3d9
PH
3346 case ACLC_DNSLISTS:
3347 rc = verify_check_dnsbl(&arg);
3348 break;
3349
3350 case ACLC_DOMAINS:
3351 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3352 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3353 break;
3354
3355 /* The value in tls_cipher is the full cipher name, for example,
3356 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3357 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3358 what may in practice come out of the SSL library - which at the time of
3359 writing is poorly documented. */
3360
3361 case ACLC_ENCRYPTED:
817d9f57 3362 if (tls_in.cipher == NULL) rc = FAIL; else
059ec3d9
PH
3363 {
3364 uschar *endcipher = NULL;
817d9f57
JH
3365 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3366 if (cipher == NULL) cipher = tls_in.cipher; else
059ec3d9
PH
3367 {
3368 endcipher = Ustrchr(++cipher, ':');
3369 if (endcipher != NULL) *endcipher = 0;
3370 }
3371 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3372 if (endcipher != NULL) *endcipher = ':';
3373 }
3374 break;
3375
3376 /* Use verify_check_this_host() instead of verify_check_host() so that
3377 we can pass over &host_data to catch any looked up data. Once it has been
3378 set, it retains its value so that it's still there if another ACL verb
3379 comes through here and uses the cache. However, we must put it into
3380 permanent store in case it is also expected to be used in a subsequent
3381 message in the same SMTP connection. */
3382
3383 case ACLC_HOSTS:
3384 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3385 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3386 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3387 break;
3388
3389 case ACLC_LOCAL_PARTS:
3390 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3391 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3392 &deliver_localpart_data);
3393 break;
3394
6ea85e9a
PH
3395 case ACLC_LOG_REJECT_TARGET:
3396 {
3397 int logbits = 0;
3398 int sep = 0;
3399 uschar *s = arg;
3400 uschar *ss;
3401 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3402 != NULL)
3403 {
3404 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3405 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3406 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3407 else
3408 {
3409 logbits |= LOG_MAIN|LOG_REJECT;
3410 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3411 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3412 }
3413 }
3414 log_reject_target = logbits;
3415 }
3416 break;
3417
059ec3d9
PH
3418 case ACLC_LOGWRITE:
3419 {
3420 int logbits = 0;
3421 uschar *s = arg;
3422 if (*s == ':')
3423 {
3424 s++;
3425 while (*s != ':')
3426 {
3427 if (Ustrncmp(s, "main", 4) == 0)
3428 { logbits |= LOG_MAIN; s += 4; }
3429 else if (Ustrncmp(s, "panic", 5) == 0)
3430 { logbits |= LOG_PANIC; s += 5; }
3431 else if (Ustrncmp(s, "reject", 6) == 0)
3432 { logbits |= LOG_REJECT; s += 6; }
3433 else
3434 {
3435 logbits = LOG_MAIN|LOG_PANIC;
3436 s = string_sprintf(":unknown log name in \"%s\" in "
3437 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3438 }
3439 if (*s == ',') s++;
3440 }
3441 s++;
3442 }
3443 while (isspace(*s)) s++;
6ea85e9a
PH
3444
3445
059ec3d9
PH
3446 if (logbits == 0) logbits = LOG_MAIN;
3447 log_write(0, logbits, "%s", string_printing(s));
3448 }
3449 break;
8e669ac1 3450
71fafd95 3451 #ifdef WITH_CONTENT_SCAN
8523533c
TK
3452 case ACLC_MALWARE:
3453 {
6ea85e9a 3454 /* Separate the regular expression and any optional parameters. */
8523533c
TK
3455 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3456 /* Run the malware backend. */
3457 rc = malware(&ss);
3458 /* Modify return code based upon the existance of options. */
3459 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3460 != NULL) {
3461 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3462 {
3463 /* FAIL so that the message is passed to the next ACL */
3464 rc = FAIL;
3465 }
3466 }
3467 }
3468 break;
3469
3470 case ACLC_MIME_REGEX:
71fafd95 3471 rc = mime_regex(&arg);
8523533c 3472 break;
71fafd95 3473 #endif
059ec3d9 3474
870f6ba8 3475 case ACLC_RATELIMIT:
90fc3069 3476 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF
3477 break;
3478
059ec3d9
PH
3479 case ACLC_RECIPIENTS:
3480 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3481 &recipient_data);
3482 break;
3483
71fafd95
PH
3484 #ifdef WITH_CONTENT_SCAN
3485 case ACLC_REGEX:
3486 rc = regex(&arg);
8523533c 3487 break;
71fafd95 3488 #endif
8523533c 3489
e7568d51
TL
3490 case ACLC_REMOVE_HEADER:
3491 setup_remove_header(arg);
3492 break;
3493
059ec3d9
PH
3494 case ACLC_SENDER_DOMAINS:
3495 {
3496 uschar *sdomain;
3497 sdomain = Ustrrchr(sender_address, '@');
3498 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3499 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3500 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3501 }
3502 break;
3503
3504 case ACLC_SENDERS:
3505 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3506 sender_address_cache, -1, 0, &sender_data);
3507 break;
3508
3509 /* Connection variables must persist forever */
3510
3511 case ACLC_SET:
3512 {
3513 int old_pool = store_pool;
38a0a95f
PH
3514 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3515 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH
3516 store_pool = old_pool;
3517 }
3518 break;
3519
71fafd95 3520 #ifdef WITH_CONTENT_SCAN
8523533c
TK
3521 case ACLC_SPAM:
3522 {
3523 /* Seperate the regular expression and any optional parameters. */
3524 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3525 /* Run the spam backend. */
3526 rc = spam(&ss);
3527 /* Modify return code based upon the existance of options. */
3528 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3529 != NULL) {
3530 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3531 {
3532 /* FAIL so that the message is passed to the next ACL */
3533 rc = FAIL;
3534 }
3535 }
3536 }
3537 break;
71fafd95 3538 #endif
8523533c 3539
71fafd95 3540 #ifdef EXPERIMENTAL_SPF
8523533c 3541 case ACLC_SPF:
65a7d8c3
NM
3542 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3543 break;
3544 case ACLC_SPF_GUESS:
3545 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
8523533c 3546 break;
71fafd95 3547 #endif
8523533c 3548
059ec3d9
PH
3549 /* If the verb is WARN, discard any user message from verification, because
3550 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH
3551 only from explicit "message" modifiers. However, put the user message into
3552 $acl_verify_message so it can be used in subsequent conditions or modifiers
3553 (until something changes it). */
059ec3d9
PH
3554
3555 case ACLC_VERIFY:
3556 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3557 acl_verify_message = *user_msgptr;
059ec3d9
PH
3558 if (verb == ACL_WARN) *user_msgptr = NULL;
3559 break;
3560
3561 default:
3562 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3563 "condition %d", cb->type);
3564 break;
3565 }
3566
3567 /* If a condition was negated, invert OK/FAIL. */
3568
3569 if (!cond_modifiers[cb->type] && cb->u.negated)
3570 {
3571 if (rc == OK) rc = FAIL;
3572 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3573 }
3574
3575 if (rc != OK) break; /* Conditions loop */
3576 }
3577
3578
3579/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH
3580handle the values of these modifiers. If there isn't a log message set, we make
3581it the same as the user message.
059ec3d9
PH
3582
3583"message" is a user message that will be included in an SMTP response. Unless
3584it is empty, it overrides any previously set user message.
3585
3586"log_message" is a non-user message, and it adds to any existing non-user
3587message that is already set.
3588
4e88a19f
PH
3589Most verbs have but a single return for which the messages are relevant, but
3590for "discard", it's useful to have the log message both when it succeeds and
3591when it fails. For "accept", the message is used in the OK case if there is no
3592"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3593present. */
059ec3d9 3594
4e88a19f
PH
3595if (*epp && rc == OK) user_message = NULL;
3596
3597if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH
3598 {
3599 uschar *expmessage;
4e88a19f
PH
3600 uschar *old_user_msgptr = *user_msgptr;
3601 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH
3602
3603 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH
3604 nested ACLs) are always discarded. This also happens for acceptance verbs
3605 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH
3606 However, the value of an existing message is available in $acl_verify_message
3607 during expansions. */
3608
4e88a19f
PH
3609 if (verb == ACL_WARN ||
3610 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3611 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH
3612
3613 if (user_message != NULL)
3614 {
3615 acl_verify_message = old_user_msgptr;
3616 expmessage = expand_string(user_message);
3617 if (expmessage == NULL)
3618 {
3619 if (!expand_string_forcedfail)
3620 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3621 user_message, expand_string_message);
3622 }
3623 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3624 }
3625
3626 if (log_message != NULL)
3627 {
3628 acl_verify_message = old_log_msgptr;
3629 expmessage = expand_string(log_message);
3630 if (expmessage == NULL)
3631 {
3632 if (!expand_string_forcedfail)
3633 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3634 log_message, expand_string_message);
3635 }
3636 else if (expmessage[0] != 0)
3637 {
3638 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3639 string_sprintf("%s: %s", expmessage, *log_msgptr);
3640 }
3641 }
3642
3643 /* If no log message, default it to the user message */
3644
3645 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3646 }
3647
3648acl_verify_message = NULL;
3649return rc;
3650}
3651
3652
3653
3654
3655
3656/*************************************************
3657* Get line from a literal ACL *
3658*************************************************/
3659
3660/* This function is passed to acl_read() in order to extract individual lines
3661of a literal ACL, which we access via static pointers. We can destroy the
3662contents because this is called only once (the compiled ACL is remembered).
3663
3664This code is intended to treat the data in the same way as lines in the main
3665Exim configuration file. That is:
3666
3667 . Leading spaces are ignored.
3668
3669 . A \ at the end of a line is a continuation - trailing spaces after the \
3670 are permitted (this is because I don't believe in making invisible things
3671 significant). Leading spaces on the continued part of a line are ignored.
3672
3673 . Physical lines starting (significantly) with # are totally ignored, and
3674 may appear within a sequence of backslash-continued lines.
3675
3676 . Blank lines are ignored, but will end a sequence of continuations.
3677
3678Arguments: none
3679Returns: a pointer to the next line
3680*/
3681
3682
3683static uschar *acl_text; /* Current pointer in the text */
3684static uschar *acl_text_end; /* Points one past the terminating '0' */
3685
3686
3687static uschar *
3688acl_getline(void)
3689{
3690uschar *yield;
3691
3692/* This loop handles leading blank lines and comments. */
3693
3694for(;;)
3695 {
3696 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3697 if (*acl_text == 0) return NULL; /* No more data */
3698 yield = acl_text; /* Potential data line */
3699
3700 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3701
3702 /* If we hit the end before a newline, we have the whole logical line. If
3703 it's a comment, there's no more data to be given. Otherwise, yield it. */
3704
3705 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3706
3707 /* After reaching a newline, end this loop if the physical line does not
3708 start with '#'. If it does, it's a comment, and the loop continues. */
3709
3710 if (*yield != '#') break;
3711 }
3712
3713/* This loop handles continuations. We know we have some real data, ending in
3714newline. See if there is a continuation marker at the end (ignoring trailing
3715white space). We know that *yield is not white space, so no need to test for
3716cont > yield in the backwards scanning loop. */
3717
3718for(;;)
3719 {
3720 uschar *cont;
3721 for (cont = acl_text - 1; isspace(*cont); cont--);
3722
3723 /* If no continuation follows, we are done. Mark the end of the line and
3724 return it. */
3725
3726 if (*cont != '\\')
3727 {
3728 *acl_text++ = 0;
3729 return yield;
3730 }
3731
3732 /* We have encountered a continuation. Skip over whitespace at the start of
3733 the next line, and indeed the whole of the next line or lines if they are
3734 comment lines. */
3735
3736 for (;;)
3737 {
3738 while (*(++acl_text) == ' ' || *acl_text == '\t');
3739 if (*acl_text != '#') break;
3740 while (*(++acl_text) != 0 && *acl_text != '\n');
3741 }
3742
3743 /* We have the start of a continuation line. Move all the rest of the data
3744 to join onto the previous line, and then find its end. If the end is not a
3745 newline, we are done. Otherwise loop to look for another continuation. */
3746
3747 memmove(cont, acl_text, acl_text_end - acl_text);
3748 acl_text_end -= acl_text - cont;
3749 acl_text = cont;
3750 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3751 if (*acl_text == 0) return yield;
3752 }
3753
3754/* Control does not reach here */
3755}
3756
3757
3758
3759
3760
3761/*************************************************
3762* Check access using an ACL *
3763*************************************************/
3764
3765/* This function is called from address_check. It may recurse via
3766acl_check_condition() - hence the use of a level to stop looping. The ACL is
3767passed as a string which is expanded. A forced failure implies no access check
3768is required. If the result is a single word, it is taken as the name of an ACL
3769which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3770text, complete with newlines, and parsed as such. In both cases, the ACL check
3771is then run. This function uses an auxiliary function for acl_read() to call
3772for reading individual lines of a literal ACL. This is acl_getline(), which
3773appears immediately above.
3774
3775Arguments:
3776 where where called from
3777 addr address item when called from RCPT; otherwise NULL
3778 s the input string; NULL is the same as an empty ACL => DENY
3779 level the nesting level
3780 user_msgptr where to put a user error (for SMTP response)
3781 log_msgptr where to put a logging message (not for SMTP response)
3782
3783Returns: OK access is granted
3784 DISCARD access is apparently granted...
3785 FAIL access is denied
3786 FAIL_DROP access is denied; drop the connection
3787 DEFER can't tell at the moment
3788 ERROR disaster
3789*/
3790
3791static int
3792acl_