projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Tidying
[exim.git] / src / src / acl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
3386088d 5/* Copyright (c) University of Cambridge 1995 - 2015 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for handling Access Control Lists (ACLs) */
9
10#include "exim.h"
11
12
13/* Default callout timeout */
14
15#define CALLOUT_TIMEOUT_DEFAULT 30
16
17/* ACL verb codes - keep in step with the table of verbs that follows */
18
19enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22/* ACL verbs */
23
f9d04f08
JH		 24static uschar *verbs[] = {
25 US"accept",
26 US"defer",
27 US"deny",
28 US"discard",
29 US"drop",
30 US"require",
059ec3d9
PH		 31 US"warn" };
32
4e88a19f
PH		 33/* For each verb, the conditions for which "message" or "log_message" are used
34are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
35"accept", the FAIL case is used only after "endpass", but that is selected in
36the code. */
37
38static int msgcond[] = {
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
40 (1<<OK), /* defer */
41 (1<<OK), /* deny */
42 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
43 (1<<OK), /* drop */
44 (1<<FAIL) | (1<<FAIL_DROP), /* require */
45 (1<<OK) /* warn */
46 };
059ec3d9
PH		 47
48/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 49follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
50down. */
059ec3d9 51
71fafd95
PH		 52enum { ACLC_ACL,
53 ACLC_ADD_HEADER,
54 ACLC_AUTHENTICATED,
8523533c
TK		 55#ifdef EXPERIMENTAL_BRIGHTMAIL
56 ACLC_BMI_OPTIN,
57#endif
71fafd95 58 ACLC_CONDITION,
c3611384 59 ACLC_CONTINUE,
71fafd95 60 ACLC_CONTROL,
6a8f9482
TK		 61#ifdef EXPERIMENTAL_DCC
62 ACLC_DCC,
63#endif
8523533c
TK		 64#ifdef WITH_CONTENT_SCAN
65 ACLC_DECODE,
66#endif
67 ACLC_DELAY,
68#ifdef WITH_OLD_DEMIME
69 ACLC_DEMIME,
fb2274d4 70#endif
80a47a2c
TK		 71#ifndef DISABLE_DKIM
72 ACLC_DKIM_SIGNER,
73 ACLC_DKIM_STATUS,
4840604e
TL		 74#endif
75#ifdef EXPERIMENTAL_DMARC
76 ACLC_DMARC_STATUS,
8e669ac1 77#endif
71fafd95
PH		 78 ACLC_DNSLISTS,
79 ACLC_DOMAINS,
80 ACLC_ENCRYPTED,
81 ACLC_ENDPASS,
82 ACLC_HOSTS,
83 ACLC_LOCAL_PARTS,
84 ACLC_LOG_MESSAGE,
6ea85e9a 85 ACLC_LOG_REJECT_TARGET,
71fafd95 86 ACLC_LOGWRITE,
8523533c
TK		 87#ifdef WITH_CONTENT_SCAN
88 ACLC_MALWARE,
89#endif
90 ACLC_MESSAGE,
91#ifdef WITH_CONTENT_SCAN
92 ACLC_MIME_REGEX,
93#endif
870f6ba8 94 ACLC_RATELIMIT,
8523533c
TK		 95 ACLC_RECIPIENTS,
96#ifdef WITH_CONTENT_SCAN
97 ACLC_REGEX,
98#endif
e7568d51 99 ACLC_REMOVE_HEADER,
71fafd95
PH		 100 ACLC_SENDER_DOMAINS,
101 ACLC_SENDERS,
102 ACLC_SET,
8523533c 103#ifdef WITH_CONTENT_SCAN
8e669ac1 104 ACLC_SPAM,
8523533c
TK		 105#endif
106#ifdef EXPERIMENTAL_SPF
107 ACLC_SPF,
65a7d8c3 108 ACLC_SPF_GUESS,
8523533c 109#endif
b0019c78 110 ACLC_UDPSEND,
8523533c 111 ACLC_VERIFY };
059ec3d9 112
c3611384
PH		 113/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
114"message", "log_message", "log_reject_target", "logwrite", and "set" are
115modifiers that look like conditions but always return TRUE. They are used for
116their side effects. */
059ec3d9 117
9a26b6b2
PH		 118static uschar *conditions[] = {
119 US"acl",
71fafd95 120 US"add_header",
9a26b6b2 121 US"authenticated",
8523533c
TK		 122#ifdef EXPERIMENTAL_BRIGHTMAIL
123 US"bmi_optin",
124#endif
125 US"condition",
c3611384 126 US"continue",
8e669ac1 127 US"control",
6a8f9482
TK		 128#ifdef EXPERIMENTAL_DCC
129 US"dcc",
130#endif
8523533c
TK		 131#ifdef WITH_CONTENT_SCAN
132 US"decode",
133#endif
134 US"delay",
135#ifdef WITH_OLD_DEMIME
136 US"demime",
fb2274d4 137#endif
80a47a2c
TK		 138#ifndef DISABLE_DKIM
139 US"dkim_signers",
140 US"dkim_status",
4840604e
TL		 141#endif
142#ifdef EXPERIMENTAL_DMARC
143 US"dmarc_status",
8523533c 144#endif
6ea85e9a
PH		 145 US"dnslists",
146 US"domains",
147 US"encrypted",
148 US"endpass",
149 US"hosts",
150 US"local_parts",
151 US"log_message",
152 US"log_reject_target",
153 US"logwrite",
8523533c
TK		 154#ifdef WITH_CONTENT_SCAN
155 US"malware",
156#endif
157 US"message",
158#ifdef WITH_CONTENT_SCAN
159 US"mime_regex",
160#endif
870f6ba8 161 US"ratelimit",
8523533c
TK		 162 US"recipients",
163#ifdef WITH_CONTENT_SCAN
164 US"regex",
165#endif
e7568d51 166 US"remove_header",
8523533c
TK		 167 US"sender_domains", US"senders", US"set",
168#ifdef WITH_CONTENT_SCAN
169 US"spam",
170#endif
171#ifdef EXPERIMENTAL_SPF
172 US"spf",
65a7d8c3 173 US"spf_guess",
8523533c 174#endif
b0019c78 175 US"udpsend",
059ec3d9 176 US"verify" };
8e669ac1 177
c5fcb476 178
9a26b6b2
PH		 179/* Return values from decode_control(); keep in step with the table of names
180that follows! */
181
182enum {
c46782ef 183 CONTROL_AUTH_UNADVERTISED,
3c8b3577 184#ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 185 CONTROL_BMI_RUN,
3c8b3577 186#endif
ed7f7860 187 CONTROL_DEBUG,
3c8b3577 188#ifndef DISABLE_DKIM
f7572e5a 189 CONTROL_DKIM_VERIFY,
3c8b3577
JH		 190#endif
191#ifdef EXPERIMENTAL_DMARC
4840604e
TL		 192 CONTROL_DMARC_VERIFY,
193 CONTROL_DMARC_FORENSIC,
3c8b3577 194#endif
13363eba 195 CONTROL_DSCP,
c46782ef
PH		 196 CONTROL_ERROR,
197 CONTROL_CASEFUL_LOCAL_PART,
198 CONTROL_CASELOWER_LOCAL_PART,
e4bdf652 199 CONTROL_CUTTHROUGH_DELIVERY,
c46782ef
PH		 200 CONTROL_ENFORCE_SYNC,
201 CONTROL_NO_ENFORCE_SYNC,
202 CONTROL_FREEZE,
203 CONTROL_QUEUE_ONLY,
204 CONTROL_SUBMISSION,
205 CONTROL_SUPPRESS_LOCAL_FIXUPS,
3c8b3577 206#ifdef WITH_CONTENT_SCAN
9a26b6b2 207 CONTROL_NO_MBOX_UNSPOOL,
3c8b3577 208#endif
c46782ef
PH		 209 CONTROL_FAKEDEFER,
210 CONTROL_FAKEREJECT,
8c5d388a 211#ifdef SUPPORT_I18N
3c8b3577
JH		 212 CONTROL_UTF8_DOWNCONVERT,
213#endif
cf8b11a5 214 CONTROL_NO_MULTILINE,
047bdd8c 215 CONTROL_NO_PIPELINING,
4c590bd1
PH		 216 CONTROL_NO_DELAY_FLUSH,
217 CONTROL_NO_CALLOUT_FLUSH
c46782ef 218};
9a26b6b2 219
8800895a
PH		 220/* ACL control names; keep in step with the table above! This list is used for
221turning ids into names. The actual list of recognized names is in the variable
222control_def controls_list[] below. The fact that there are two lists is a mess
223and should be tidied up. */
9a26b6b2
PH		 224
225static uschar *controls[] = {
c46782ef 226 US"allow_auth_unadvertised",
3c8b3577 227#ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 228 US"bmi_run",
3c8b3577 229#endif
ed7f7860 230 US"debug",
3c8b3577 231#ifndef DISABLE_DKIM
80a47a2c 232 US"dkim_disable_verify",
3c8b3577
JH		 233#endif
234#ifdef EXPERIMENTAL_DMARC
4840604e
TL		 235 US"dmarc_disable_verify",
236 US"dmarc_enable_forensic",
3c8b3577 237#endif
13363eba 238 US"dscp",
c46782ef
PH		 239 US"error",
240 US"caseful_local_part",
241 US"caselower_local_part",
e4bdf652 242 US"cutthrough_delivery",
c46782ef
PH		 243 US"enforce_sync",
244 US"no_enforce_sync",
245 US"freeze",
246 US"queue_only",
247 US"submission",
248 US"suppress_local_fixups",
3c8b3577 249#ifdef WITH_CONTENT_SCAN
9a26b6b2 250 US"no_mbox_unspool",
3c8b3577 251#endif
cf8b11a5
PH		 252 US"fakedefer",
253 US"fakereject",
8c5d388a 254#ifdef SUPPORT_I18N
3c8b3577
JH		 255 US"utf8_downconvert",
256#endif
aa6dc513 257 US"no_multiline_responses",
cf8b11a5 258 US"no_pipelining",
4c590bd1
PH		 259 US"no_delay_flush",
260 US"no_callout_flush"
c46782ef 261};
059ec3d9 262
047bdd8c 263/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH		 264at the outer level. In the other cases, expansion already occurs in the
265checking functions. */
266
267static uschar cond_expand_at_top[] = {
7421ecab 268 FALSE, /* acl */
3e536984 269 TRUE, /* add_header */
059ec3d9 270 FALSE, /* authenticated */
8523533c
TK		 271#ifdef EXPERIMENTAL_BRIGHTMAIL
272 TRUE, /* bmi_optin */
8e669ac1 273#endif
059ec3d9 274 TRUE, /* condition */
c3611384 275 TRUE, /* continue */
059ec3d9 276 TRUE, /* control */
6a8f9482
TK		 277#ifdef EXPERIMENTAL_DCC
278 TRUE, /* dcc */
279#endif
8523533c
TK		 280#ifdef WITH_CONTENT_SCAN
281 TRUE, /* decode */
282#endif
059ec3d9 283 TRUE, /* delay */
8523533c
TK		 284#ifdef WITH_OLD_DEMIME
285 TRUE, /* demime */
fb2274d4 286#endif
80a47a2c
TK		 287#ifndef DISABLE_DKIM
288 TRUE, /* dkim_signers */
289 TRUE, /* dkim_status */
4840604e
TL		 290#endif
291#ifdef EXPERIMENTAL_DMARC
292 TRUE, /* dmarc_status */
8523533c 293#endif
059ec3d9
PH		 294 TRUE, /* dnslists */
295 FALSE, /* domains */
296 FALSE, /* encrypted */
297 TRUE, /* endpass */
298 FALSE, /* hosts */
299 FALSE, /* local_parts */
300 TRUE, /* log_message */
6ea85e9a 301 TRUE, /* log_reject_target */
059ec3d9 302 TRUE, /* logwrite */
8523533c
TK		 303#ifdef WITH_CONTENT_SCAN
304 TRUE, /* malware */
305#endif
059ec3d9 306 TRUE, /* message */
8523533c
TK		 307#ifdef WITH_CONTENT_SCAN
308 TRUE, /* mime_regex */
309#endif
870f6ba8 310 TRUE, /* ratelimit */
059ec3d9 311 FALSE, /* recipients */
8523533c
TK		 312#ifdef WITH_CONTENT_SCAN
313 TRUE, /* regex */
314#endif
e7568d51 315 TRUE, /* remove_header */
059ec3d9
PH		 316 FALSE, /* sender_domains */
317 FALSE, /* senders */
318 TRUE, /* set */
8523533c
TK		 319#ifdef WITH_CONTENT_SCAN
320 TRUE, /* spam */
321#endif
322#ifdef EXPERIMENTAL_SPF
323 TRUE, /* spf */
65a7d8c3 324 TRUE, /* spf_guess */
8523533c 325#endif
b0019c78 326 TRUE, /* udpsend */
059ec3d9
PH		 327 TRUE /* verify */
328};
329
330/* Flags to identify the modifiers */
331
332static uschar cond_modifiers[] = {
333 FALSE, /* acl */
3e536984 334 TRUE, /* add_header */
059ec3d9 335 FALSE, /* authenticated */
8523533c
TK		 336#ifdef EXPERIMENTAL_BRIGHTMAIL
337 TRUE, /* bmi_optin */
8e669ac1 338#endif
059ec3d9 339 FALSE, /* condition */
c3611384 340 TRUE, /* continue */
059ec3d9 341 TRUE, /* control */
6a8f9482
TK		 342#ifdef EXPERIMENTAL_DCC
343 FALSE, /* dcc */
344#endif
8523533c
TK		 345#ifdef WITH_CONTENT_SCAN
346 FALSE, /* decode */
347#endif
059ec3d9 348 TRUE, /* delay */
8523533c
TK		 349#ifdef WITH_OLD_DEMIME
350 FALSE, /* demime */
fb2274d4 351#endif
80a47a2c
TK		 352#ifndef DISABLE_DKIM
353 FALSE, /* dkim_signers */
354 FALSE, /* dkim_status */
4840604e
TL		 355#endif
356#ifdef EXPERIMENTAL_DMARC
357 FALSE, /* dmarc_status */
8523533c 358#endif
059ec3d9
PH		 359 FALSE, /* dnslists */
360 FALSE, /* domains */
361 FALSE, /* encrypted */
362 TRUE, /* endpass */
363 FALSE, /* hosts */
364 FALSE, /* local_parts */
365 TRUE, /* log_message */
6ea85e9a 366 TRUE, /* log_reject_target */
8523533c
TK		 367 TRUE, /* logwrite */
368#ifdef WITH_CONTENT_SCAN
369 FALSE, /* malware */
370#endif
059ec3d9 371 TRUE, /* message */
8523533c
TK		 372#ifdef WITH_CONTENT_SCAN
373 FALSE, /* mime_regex */
374#endif
870f6ba8 375 FALSE, /* ratelimit */
059ec3d9 376 FALSE, /* recipients */
8523533c
TK		 377#ifdef WITH_CONTENT_SCAN
378 FALSE, /* regex */
379#endif
e7568d51 380 TRUE, /* remove_header */
059ec3d9
PH		 381 FALSE, /* sender_domains */
382 FALSE, /* senders */
383 TRUE, /* set */
8523533c
TK		 384#ifdef WITH_CONTENT_SCAN
385 FALSE, /* spam */
386#endif
387#ifdef EXPERIMENTAL_SPF
388 FALSE, /* spf */
65a7d8c3 389 FALSE, /* spf_guess */
8523533c 390#endif
b0019c78 391 TRUE, /* udpsend */
059ec3d9
PH		 392 FALSE /* verify */
393};
394
c3611384 395/* Bit map vector of which conditions and modifiers are not allowed at certain
8f128379
PH		 396times. For each condition and modifier, there's a bitmap of dis-allowed times.
397For some, it is easier to specify the negation of a small number of allowed
398times. */
059ec3d9
PH		 399
400static unsigned int cond_forbids[] = {
401 0, /* acl */
8e669ac1 402
71fafd95 403 (unsigned int)
45b91596 404 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 405 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
8ccd00b1 406 #ifndef DISABLE_PRDR
fd98a5c6
JH		 407 (1<<ACL_WHERE_PRDR)|
408 #endif
45b91596 409 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
67caae1f 410 (1<<ACL_WHERE_DKIM)|
45b91596 411 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 412
45b91596
PH		 413 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
414 (1<<ACL_WHERE_NOTSMTP_START)|
415 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 416
71fafd95 417 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 418 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 419 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
420 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8ccd00b1 421 #ifndef DISABLE_PRDR
fd98a5c6
JH		 422 (1<<ACL_WHERE_PRDR)|
423 #endif
8e669ac1 424 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 425 (1<<ACL_WHERE_MAILAUTH)|
426 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 427 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
428 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 429 #endif
8e669ac1 430
059ec3d9 431 0, /* condition */
8e669ac1 432
c3611384
PH		 433 0, /* continue */
434
059ec3d9 435 /* Certain types of control are always allowed, so we let it through
2f079f46 436 always and check in the control processing itself. */
8e669ac1 437
059ec3d9 438 0, /* control */
8e669ac1 439
6a8f9482
TK		 440 #ifdef EXPERIMENTAL_DCC
441 (unsigned int)
fd98a5c6 442 ~((1<<ACL_WHERE_DATA)| /* dcc */
8ccd00b1 443 #ifndef DISABLE_PRDR
fd98a5c6 444 (1<<ACL_WHERE_PRDR)|
8ccd00b1 445 #endif
fd98a5c6 446 (1<<ACL_WHERE_NOTSMTP)),
6a8f9482
TK		 447 #endif
448
71fafd95 449 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 450 (unsigned int)
451 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 452 #endif
8523533c 453
8f128379 454 (1<<ACL_WHERE_NOTQUIT), /* delay */
8e669ac1 455
71fafd95 456 #ifdef WITH_OLD_DEMIME
2f079f46 457 (unsigned int)
fd98a5c6 458 ~((1<<ACL_WHERE_DATA)| /* demime */
8ccd00b1 459 #ifndef DISABLE_PRDR
fd98a5c6 460 (1<<ACL_WHERE_PRDR)|
8ccd00b1 461 #endif
fd98a5c6 462 (1<<ACL_WHERE_NOTSMTP)),
71fafd95 463 #endif
8e669ac1 464
80a47a2c
TK		 465 #ifndef DISABLE_DKIM
466 (unsigned int)
467 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
84330b7b 468
80a47a2c
TK		 469 (unsigned int)
470 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
71fafd95 471 #endif
fb2274d4 472
4840604e
TL		 473 #ifdef EXPERIMENTAL_DMARC
474 (unsigned int)
475 ~(1<<ACL_WHERE_DATA), /* dmarc_status */
476 #endif
477
379ba7d0
JH		 478 /* Explicit key lookups can be made in non-smtp ACLs so pass
479 always and check in the verify processing itself. */
480
481 0, /* dnslists */
059ec3d9 482
2f079f46 483 (unsigned int)
fd98a5c6 484 ~((1<<ACL_WHERE_RCPT) /* domains */
8ccd00b1 485 #ifndef DISABLE_PRDR
fd98a5c6
JH		 486 |(1<<ACL_WHERE_PRDR)
487 #endif
488 ),
059ec3d9 489
45b91596
PH		 490 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
491 (1<<ACL_WHERE_CONNECT)|
492 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 493 (1<<ACL_WHERE_HELO),
8e669ac1 494
059ec3d9 495 0, /* endpass */
8e669ac1 496
45b91596
PH		 497 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
498 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 499
2f079f46 500 (unsigned int)
fd98a5c6 501 ~((1<<ACL_WHERE_RCPT) /* local_parts */
2e6afa4f 502 #ifndef DISABLE_PRDR
fd98a5c6
JH		 503 |(1<<ACL_WHERE_PRDR)
504 #endif
505 ),
059ec3d9
PH		 506
507 0, /* log_message */
8e669ac1 508
6ea85e9a
PH		 509 0, /* log_reject_target */
510
059ec3d9 511 0, /* logwrite */
8e669ac1 512
71fafd95 513 #ifdef WITH_CONTENT_SCAN
2f079f46 514 (unsigned int)
fd98a5c6 515 ~((1<<ACL_WHERE_DATA)| /* malware */
8ccd00b1 516 #ifndef DISABLE_PRDR
fd98a5c6 517 (1<<ACL_WHERE_PRDR)|
8ccd00b1 518 #endif
fd98a5c6 519 (1<<ACL_WHERE_NOTSMTP)),
71fafd95 520 #endif
8523533c 521
059ec3d9
PH		 522 0, /* message */
523
71fafd95 524 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 525 (unsigned int)
526 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 527 #endif
8523533c 528
870f6ba8
TF		 529 0, /* ratelimit */
530
2f079f46
PH		 531 (unsigned int)
532 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 533
71fafd95 534 #ifdef WITH_CONTENT_SCAN
2f079f46 535 (unsigned int)
fd98a5c6 536 ~((1<<ACL_WHERE_DATA)| /* regex */
8ccd00b1 537 #ifndef DISABLE_PRDR
fd98a5c6 538 (1<<ACL_WHERE_PRDR)|
8ccd00b1 539 #endif
fd98a5c6 540 (1<<ACL_WHERE_NOTSMTP)|
2f079f46 541 (1<<ACL_WHERE_MIME)),
71fafd95 542 #endif
8523533c 543
e7568d51
TL		 544 (unsigned int)
545 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* remove_header */
546 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
8ccd00b1 547 #ifndef DISABLE_PRDR
fd98a5c6
JH		 548 (1<<ACL_WHERE_PRDR)|
549 #endif
e7568d51
TL		 550 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
551 (1<<ACL_WHERE_NOTSMTP_START)),
552
059ec3d9
PH		 553 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
554 (1<<ACL_WHERE_HELO)|
555 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
556 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
557 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
558
559 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
560 (1<<ACL_WHERE_HELO)|
561 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
562 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
563 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
564
565 0, /* set */
566
71fafd95 567 #ifdef WITH_CONTENT_SCAN
2f079f46 568 (unsigned int)
fd98a5c6 569 ~((1<<ACL_WHERE_DATA)| /* spam */
8ccd00b1 570 #ifndef DISABLE_PRDR
fd98a5c6 571 (1<<ACL_WHERE_PRDR)|
8ccd00b1 572 #endif
fd98a5c6 573 (1<<ACL_WHERE_NOTSMTP)),
71fafd95 574 #endif
8523533c 575
71fafd95 576 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 577 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
578 (1<<ACL_WHERE_HELO)|
579 (1<<ACL_WHERE_MAILAUTH)|
580 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 581 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
582 (1<<ACL_WHERE_NOTSMTP)|
583 (1<<ACL_WHERE_NOTSMTP_START),
65a7d8c3
NM		 584
585 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
586 (1<<ACL_WHERE_HELO)|
587 (1<<ACL_WHERE_MAILAUTH)|
588 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
589 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
590 (1<<ACL_WHERE_NOTSMTP)|
591 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 592 #endif
8523533c 593
b0019c78
TF		 594 0, /* udpsend */
595
059ec3d9
PH		 596 /* Certain types of verify are always allowed, so we let it through
597 always and check in the verify function itself */
598
599 0 /* verify */
059ec3d9
PH		 600};
601
602
c5fcb476
PH		 603/* Bit map vector of which controls are not allowed at certain times. For
604each control, there's a bitmap of dis-allowed times. For some, it is easier to
605specify the negation of a small number of allowed times. */
606
607static unsigned int control_forbids[] = {
c46782ef
PH		 608 (unsigned int)
609 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
610
3c8b3577 611#ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 612 0, /* bmi_run */
3c8b3577 613#endif
c46782ef 614
ed7f7860
PP		 615 0, /* debug */
616
3c8b3577 617#ifndef DISABLE_DKIM
80a47a2c 618 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
3c8b3577 619# ifndef DISABLE_PRDR
fd98a5c6 620 (1<<ACL_WHERE_PRDR)|
3c8b3577 621# endif
f7572e5a 622 (1<<ACL_WHERE_NOTSMTP_START),
3c8b3577 623#endif
f7572e5a 624
3c8b3577 625#ifdef EXPERIMENTAL_DMARC
4840604e
TL		 626 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dmarc_disable_verify */
627 (1<<ACL_WHERE_NOTSMTP_START),
628 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dmarc_enable_forensic */
629 (1<<ACL_WHERE_NOTSMTP_START),
3c8b3577 630#endif
4840604e 631
13363eba
PP		 632 (1<<ACL_WHERE_NOTSMTP)|
633 (1<<ACL_WHERE_NOTSMTP_START)|
634 (1<<ACL_WHERE_NOTQUIT), /* dscp */
635
c5fcb476 636 0, /* error */
8e669ac1
PH		 637
638 (unsigned int)
c5fcb476 639 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 640
641 (unsigned int)
c5fcb476 642 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 643
e4bdf652
JH		 644 (unsigned int)
645 0, /* cutthrough_delivery */
646
45b91596
PH		 647 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
648 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 649
45b91596
PH		 650 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
651 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 652
653 (unsigned int)
c5fcb476
PH		 654 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
655 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6 656 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
e715ad22 657 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 658
659 (unsigned int)
c5fcb476
PH		 660 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
661 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6 662 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
e715ad22 663 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 664
665 (unsigned int)
c5fcb476 666 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 667 (1<<ACL_WHERE_PREDATA)),
8523533c 668
8800895a
PH		 669 (unsigned int)
670 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 671 (1<<ACL_WHERE_PREDATA)|
672 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 673
3c8b3577 674#ifdef WITH_CONTENT_SCAN
8e669ac1 675 (unsigned int)
14d57970 676 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22 677 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6 678 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
e715ad22 679 (1<<ACL_WHERE_MIME)),
3c8b3577 680#endif
a6c4ab60 681
29aba418
TF		 682 (unsigned int)
683 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
684 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
3c8b3577 685#ifndef DISABLE_PRDR
fd98a5c6 686 (1<<ACL_WHERE_PRDR)|
3c8b3577 687#endif
29aba418
TF		 688 (1<<ACL_WHERE_MIME)),
689
8e669ac1 690 (unsigned int)
a6c4ab60 691 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22 692 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
3c8b3577 693#ifndef DISABLE_PRDR
fd98a5c6 694 (1<<ACL_WHERE_PRDR)|
3c8b3577 695#endif
e715ad22 696 (1<<ACL_WHERE_MIME)),
8523533c 697
8c5d388a 698#ifdef SUPPORT_I18N
3c8b3577
JH		 699 0, /* utf8_downconvert */
700#endif
701
45b91596 702 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH		 703 (1<<ACL_WHERE_NOTSMTP_START),
704
705 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH		 706 (1<<ACL_WHERE_NOTSMTP_START),
707
708 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH		 709 (1<<ACL_WHERE_NOTSMTP_START),
710
711 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 712 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 713};
714
715/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 716
717typedef struct control_def {
718 uschar *name;
719 int value; /* CONTROL_xxx value */
059ec3d9
PH		 720 BOOL has_option; /* Has /option(s) following */
721} control_def;
722
723static control_def controls_list[] = {
3c8b3577 724 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 725#ifdef EXPERIMENTAL_BRIGHTMAIL
3c8b3577 726 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4 727#endif
3c8b3577 728 { US"debug", CONTROL_DEBUG, TRUE },
80a47a2c 729#ifndef DISABLE_DKIM
3c8b3577 730 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
4840604e
TL		 731#endif
732#ifdef EXPERIMENTAL_DMARC
3c8b3577
JH		 733 { US"dmarc_disable_verify", CONTROL_DMARC_VERIFY, FALSE },
734 { US"dmarc_enable_forensic", CONTROL_DMARC_FORENSIC, FALSE },
8523533c 735#endif
3c8b3577
JH		 736 { US"dscp", CONTROL_DSCP, TRUE },
737 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
738 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
739 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
740 { US"freeze", CONTROL_FREEZE, TRUE },
741 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
742 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
743 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
744 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
745 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
746 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 747#ifdef WITH_CONTENT_SCAN
3c8b3577 748 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 749#endif
3c8b3577
JH		 750 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
751 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
752 { US"submission", CONTROL_SUBMISSION, TRUE },
e4bdf652 753 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE },
3c8b3577 754 { US"cutthrough_delivery", CONTROL_CUTTHROUGH_DELIVERY, FALSE },
8c5d388a 755#ifdef SUPPORT_I18N
3c8b3577
JH		 756 { US"utf8_downconvert", CONTROL_UTF8_DOWNCONVERT, TRUE }
757#endif
059ec3d9
PH		 758 };
759
e5a9dba6
PH		 760/* Support data structures for Client SMTP Authorization. acl_verify_csa()
761caches its result in a tree to avoid repeated DNS queries. The result is an
762integer code which is used as an index into the following tables of
763explanatory strings and verification return codes. */
764
765static tree_node *csa_cache = NULL;
766
767enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
768 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
769
770/* The acl_verify_csa() return code is translated into an acl_verify() return
771code using the following table. It is OK unless the client is definitely not
772authorized. This is because CSA is supposed to be optional for sending sites,
773so recipients should not be too strict about checking it - especially because
774DNS problems are quite likely to occur. It's possible to use $csa_status in
775further ACL conditions to distinguish ok, unknown, and defer if required, but
776the aim is to make the usual configuration simple. */
777
778static int csa_return_code[] = {
779 OK, OK, OK, OK,
780 FAIL, FAIL, FAIL, FAIL
781};
782
783static uschar *csa_status_string[] = {
784 US"unknown", US"ok", US"defer", US"defer",
785 US"fail", US"fail", US"fail", US"fail"
786};
787
788static uschar *csa_reason_string[] = {
789 US"unknown",
790 US"ok",
791 US"deferred (SRV lookup failed)",
792 US"deferred (target address lookup failed)",
793 US"failed (explicit authorization required)",
794 US"failed (host name not authorized)",
795 US"failed (no authorized addresses)",
796 US"failed (client address mismatch)"
797};
798
c99ce5c9
TF		 799/* Options for the ratelimit condition. Note that there are two variants of
800the per_rcpt option, depending on the ACL that is used to measure the rate.
801However any ACL must be able to look up per_rcpt rates in /noupdate mode,
802so the two variants must have the same internal representation as well as
803the same configuration string. */
804
805enum {
806 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
807 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
808};
809
810#define RATE_SET(var,new) \
811 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
812
813static uschar *ratelimit_option_string[] = {
814 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
815 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
816};
817
059ec3d9
PH		 818/* Enable recursion between acl_check_internal() and acl_check_condition() */
819
55414b25 820static int acl_check_wargs(int, address_item *, const uschar *, int, uschar **,
f60d98e8 821 uschar **);
059ec3d9
PH		 822
823
824/*************************************************
825* Pick out name from list *
826*************************************************/
827
828/* Use a binary chop method
829
830Arguments:
831 name name to find
832 list list of names
833 end size of list
834
835Returns: offset in list, or -1 if not found
836*/
837
838static int
839acl_checkname(uschar *name, uschar **list, int end)
840{
841int start = 0;
842
843while (start < end)
844 {
845 int mid = (start + end)/2;
846 int c = Ustrcmp(name, list[mid]);
847 if (c == 0) return mid;
848 if (c < 0) end = mid; else start = mid + 1;
849 }
850
851return -1;
852}
853
854
855/*************************************************
856* Read and parse one ACL *
857*************************************************/
858
859/* This function is called both from readconf in order to parse the ACLs in the
860configuration file, and also when an ACL is encountered dynamically (e.g. as
861the result of an expansion). It is given a function to call in order to
862retrieve the lines of the ACL. This function handles skipping comments and
863blank lines (where relevant).
864
865Arguments:
866 func function to get next line of ACL
867 error where to put an error message
868
869Returns: pointer to ACL, or NULL
870 NULL can be legal (empty ACL); in this case error will be NULL
871*/
872
873acl_block *
874acl_read(uschar *(*func)(void), uschar **error)
875{
876acl_block *yield = NULL;
877acl_block **lastp = &yield;
878acl_block *this = NULL;
879acl_condition_block *cond;
880acl_condition_block **condp = NULL;
881uschar *s;
882
883*error = NULL;
884
885while ((s = (*func)()) != NULL)
886 {
887 int v, c;
888 BOOL negated = FALSE;
889 uschar *saveline = s;
890 uschar name[64];
891
892 /* Conditions (but not verbs) are allowed to be negated by an initial
893 exclamation mark. */
894
895 while (isspace(*s)) s++;
896 if (*s == '!')
897 {
898 negated = TRUE;
899 s++;
900 }
901
cf00dad6
PH		 902 /* Read the name of a verb or a condition, or the start of a new ACL, which
903 can be started by a name, or by a macro definition. */
059ec3d9
PH		 904
905 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 906 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 907
908 /* If a verb is unrecognized, it may be another condition or modifier that
909 continues the previous verb. */
910
911 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
912 if (v < 0)
913 {
914 if (this == NULL)
915 {
4e167a8c
PH		 916 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
917 saveline);
059ec3d9
PH		 918 return NULL;
919 }
920 }
921
922 /* New verb */
923
924 else
925 {
926 if (negated)
927 {
928 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
929 return NULL;
930 }
931 this = store_get(sizeof(acl_block));
932 *lastp = this;
933 lastp = &(this->next);
934 this->next = NULL;
935 this->verb = v;
936 this->condition = NULL;
937 condp = &(this->condition);
938 if (*s == 0) continue; /* No condition on this line */
939 if (*s == '!')
940 {
941 negated = TRUE;
942 s++;
943 }
944 s = readconf_readname(name, sizeof(name), s); /* Condition name */
945 }
946
947 /* Handle a condition or modifier. */
948
949 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
950 if (c < 0)
951 {
952 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
953 saveline);
954 return NULL;
955 }
956
957 /* The modifiers may not be negated */
958
959 if (negated && cond_modifiers[c])
960 {
961 *error = string_sprintf("ACL error: negation is not allowed with "
962 "\"%s\"", conditions[c]);
963 return NULL;
964 }
965
966 /* ENDPASS may occur only with ACCEPT or DISCARD. */
967
968 if (c == ACLC_ENDPASS &&
969 this->verb != ACL_ACCEPT &&
970 this->verb != ACL_DISCARD)
971 {
972 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
973 conditions[c], verbs[this->verb]);
974 return NULL;
975 }
976
977 cond = store_get(sizeof(acl_condition_block));
978 cond->next = NULL;
979 cond->type = c;
980 cond->u.negated = negated;
981
982 *condp = cond;
983 condp = &(cond->next);
984
985 /* The "set" modifier is different in that its argument is "name=value"
986 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 987 gives us a variable name to insert into the data block. The original ACL
988 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
989 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 990 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
991 After that, we allow alphanumerics and underscores, but the first character
992 after c or m must be a digit or an underscore. This retains backwards
993 compatibility. */
059ec3d9
PH		 994
995 if (c == ACLC_SET)
996 {
47ca6d6c
PH		 997 uschar *endptr;
998
38a0a95f
PH		 999 if (Ustrncmp(s, "acl_c", 5) != 0 &&
1000 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 1001 {
38a0a95f
PH		 1002 *error = string_sprintf("invalid variable name after \"set\" in ACL "
1003 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
1004 return NULL;
47ca6d6c 1005 }
38a0a95f
PH		 1006
1007 endptr = s + 5;
641cb756
PH		 1008 if (!isdigit(*endptr) && *endptr != '_')
1009 {
1010 *error = string_sprintf("invalid variable name after \"set\" in ACL "
1011 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
1012 s);
1013 return NULL;
1014 }
1015
38a0a95f 1016 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 1017 {
38a0a95f
PH		 1018 if (!isalnum(*endptr) && *endptr != '_')
1019 {
1020 *error = string_sprintf("invalid character \"%c\" in variable name "
1021 "in ACL modifier \"set %s\"", *endptr, s);
1022 return NULL;
1023 }
1024 endptr++;
47ca6d6c 1025 }
47ca6d6c 1026
38a0a95f 1027 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 1028 s = endptr;
059ec3d9
PH		 1029 while (isspace(*s)) s++;
1030 }
1031
1032 /* For "set", we are now positioned for the data. For the others, only
1033 "endpass" has no data */
1034
1035 if (c != ACLC_ENDPASS)
1036 {
1037 if (*s++ != '=')
1038 {
1039 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
1040 cond_modifiers[c]? US"modifier" : US"condition");
1041 return NULL;
1042 }
1043 while (isspace(*s)) s++;
1044 cond->arg = string_copy(s);
1045 }
1046 }
1047
1048return yield;
1049}
1050
1051
1052
71fafd95
PH		 1053/*************************************************
1054* Set up added header line(s) *
1055*************************************************/
1056
1057/* This function is called by the add_header modifier, and also from acl_warn()
1058to implement the now-deprecated way of adding header lines using "message" on a
1059"warn" verb. The argument is treated as a sequence of header lines which are
1060added to a chain, provided there isn't an identical one already there.
1061
1062Argument: string of header lines
1063Returns: nothing
1064*/
1065
1066static void
55414b25 1067setup_header(const uschar *hstring)
71fafd95 1068{
55414b25 1069const uschar *p, *q;
71fafd95
PH		 1070int hlen = Ustrlen(hstring);
1071
b1b05573
JH		 1072/* Ignore any leading newlines */
1073while (*hstring == '\n') hstring++, hlen--;
71fafd95 1074
b1b05573 1075/* An empty string does nothing; ensure exactly one final newline. */
71fafd95 1076if (hlen <= 0) return;
55414b25
JH		 1077if (hstring[--hlen] != '\n')
1078 q = string_sprintf("%s\n", hstring);
1079else if (hstring[hlen-1] == '\n')
1080 {
1081 uschar * s = string_copy(hstring);
1082 while(s[--hlen] == '\n')
1083 s[hlen+1] = '\0';
1084 q = s;
1085 }
1086else
1087 q = hstring;
71fafd95
PH		 1088
1089/* Loop for multiple header lines, taking care about continuations */
1090
55414b25 1091for (p = q; *p != 0; )
71fafd95 1092 {
55414b25
JH		 1093 const uschar *s;
1094 uschar * hdr;
71fafd95
PH		 1095 int newtype = htype_add_bot;
1096 header_line **hptr = &acl_added_headers;
1097
1098 /* Find next header line within the string */
1099
1100 for (;;)
1101 {
1102 q = Ustrchr(q, '\n');
1103 if (*(++q) != ' ' && *q != '\t') break;
1104 }
1105
1106 /* If the line starts with a colon, interpret the instruction for where to
1107 add it. This temporarily sets up a new type. */
1108
1109 if (*p == ':')
1110 {
1111 if (strncmpic(p, US":after_received:", 16) == 0)
1112 {
1113 newtype = htype_add_rec;
1114 p += 16;
1115 }
1116 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1117 {
1118 newtype = htype_add_rfc;
1119 p += 14;
1120 }
1121 else if (strncmpic(p, US":at_start:", 10) == 0)
1122 {
1123 newtype = htype_add_top;
1124 p += 10;
1125 }
1126 else if (strncmpic(p, US":at_end:", 8) == 0)
1127 {
1128 newtype = htype_add_bot;
1129 p += 8;
1130 }
1131 while (*p == ' ' || *p == '\t') p++;
1132 }
1133
1134 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1135 to the front of it. */
1136
1137 for (s = p; s < q - 1; s++)
1138 {
1139 if (*s == ':' || !isgraph(*s)) break;
1140 }
1141
55414b25
JH		 1142 hdr = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
1143 hlen = Ustrlen(hdr);
71fafd95
PH		 1144
1145 /* See if this line has already been added */
1146
1147 while (*hptr != NULL)
1148 {
55414b25 1149 if (Ustrncmp((*hptr)->text, hdr, hlen) == 0) break;
71fafd95
PH		 1150 hptr = &((*hptr)->next);
1151 }
1152
1153 /* Add if not previously present */
1154
1155 if (*hptr == NULL)
1156 {
1157 header_line *h = store_get(sizeof(header_line));
55414b25 1158 h->text = hdr;
71fafd95
PH		 1159 h->next = NULL;
1160 h->type = newtype;
1161 h->slen = hlen;
1162 *hptr = h;
1163 hptr = &(h->next);
1164 }
1165
1166 /* Advance for next header line within the string */
1167
1168 p = q;
1169 }
1170}
1171
1172
1173
362145b5
JH		 1174/*************************************************
1175* List the added header lines *
1176*************************************************/
1177uschar *
1178fn_hdrs_added(void)
1179{
1180uschar * ret = NULL;
1181header_line * h = acl_added_headers;
1182uschar * s;
1183uschar * cp;
1184int size = 0;
1185int ptr = 0;
1186
1187if (!h) return NULL;
1188
1189do
1190 {
1191 s = h->text;
1192 while ((cp = Ustrchr(s, '\n')) != NULL)
1193 {
1194 if (cp[1] == '\0') break;
1195
1196 /* contains embedded newline; needs doubling */
1197 ret = string_cat(ret, &size, &ptr, s, cp-s+1);
6d9cfc47 1198 ret = string_cat(ret, &size, &ptr, US"\n", 1);
362145b5
JH		 1199 s = cp+1;
1200 }
1201 /* last bit of header */
1202
1203 ret = string_cat(ret, &size, &ptr, s, cp-s+1); /* newline-sep list */
1204 }
6d9cfc47 1205while((h = h->next));
362145b5
JH		 1206
1207ret[ptr-1] = '\0'; /* overwrite last newline */
1208return ret;
1209}
1210
1211
e7568d51
TL		 1212/*************************************************
1213* Set up removed header line(s) *
1214*************************************************/
1215
1216/* This function is called by the remove_header modifier. The argument is
1217treated as a sequence of header names which are added to a colon separated
1218list, provided there isn't an identical one already there.
1219
1220Argument: string of header names
1221Returns: nothing
1222*/
1223
1224static void
55414b25 1225setup_remove_header(const uschar *hnames)
e7568d51
TL		 1226{
1227if (*hnames != 0)
55414b25
JH		 1228 acl_removed_headers = acl_removed_headers
1229 ? string_sprintf("%s : %s", acl_removed_headers, hnames)
1230 : string_copy(hnames);
e7568d51
TL		 1231}
1232
1233
71fafd95 1234
059ec3d9
PH		 1235/*************************************************
1236* Handle warnings *
1237*************************************************/
1238
1239/* This function is called when a WARN verb's conditions are true. It adds to
1240the message's headers, and/or writes information to the log. In each case, this
1241only happens once (per message for headers, per connection for log).
1242
71fafd95
PH		 1243** NOTE: The header adding action using the "message" setting is historic, and
1244its use is now deprecated. The new add_header modifier should be used instead.
1245
059ec3d9
PH		 1246Arguments:
1247 where ACL_WHERE_xxxx indicating which ACL this is
1248 user_message message for adding to headers
1249 log_message message for logging, if different
1250
1251Returns: nothing
1252*/
1253
1254static void
1255acl_warn(int where, uschar *user_message, uschar *log_message)
1256{
059ec3d9
PH		 1257if (log_message != NULL && log_message != user_message)
1258 {
1259 uschar *text;
1260 string_item *logged;
1261
1262 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1263 string_printing(log_message));
1264
1265 /* If a sender verification has failed, and the log message is "sender verify
1266 failed", add the failure message. */
1267
1268 if (sender_verified_failed != NULL &&
1269 sender_verified_failed->message != NULL &&
1270 strcmpic(log_message, US"sender verify failed") == 0)
1271 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1272
9c7a242c
PH		 1273 /* Search previously logged warnings. They are kept in malloc
1274 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1275
1276 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1277 if (Ustrcmp(logged->text, text) == 0) break;
1278
1279 if (logged == NULL)
1280 {
1281 int length = Ustrlen(text) + 1;
1282 log_write(0, LOG_MAIN, "%s", text);
1283 logged = store_malloc(sizeof(string_item) + length);
1284 logged->text = (uschar *)logged + sizeof(string_item);
1285 memcpy(logged->text, text, length);
1286 logged->next = acl_warn_logged;
1287 acl_warn_logged = logged;
1288 }
1289 }
1290
1291/* If there's no user message, we are done. */
1292
1293if (user_message == NULL) return;
1294
1295/* If this isn't a message ACL, we can't do anything with a user message.
1296Log an error. */
1297
1298if (where > ACL_WHERE_NOTSMTP)
1299 {
1300 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1301 "found in a non-message (%s) ACL: cannot specify header lines here: "
1302 "message ignored", acl_wherenames[where]);
1303 return;
1304 }
1305
71fafd95
PH		 1306/* The code for setting up header lines is now abstracted into a separate
1307function so that it can be used for the add_header modifier as well. */
059ec3d9 1308
71fafd95 1309setup_header(user_message);
059ec3d9
PH		 1310}
1311
1312
1313
1314/*************************************************
1315* Verify and check reverse DNS *
1316*************************************************/
1317
1318/* Called from acl_verify() below. We look up the host name(s) of the client IP
1319address if this has not yet been done. The host_name_lookup() function checks
1320that one of these names resolves to an address list that contains the client IP
1321address, so we don't actually have to do the check here.
1322
1323Arguments:
1324 user_msgptr pointer for user message
1325 log_msgptr pointer for log message
1326
1327Returns: OK verification condition succeeded
1328 FAIL verification failed
1329 DEFER there was a problem verifying
1330*/
1331
1332static int
1333acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1334{
1335int rc;
1336
1337user_msgptr = user_msgptr; /* stop compiler warning */
1338
1339/* Previous success */
1340
1341if (sender_host_name != NULL) return OK;
1342
1343/* Previous failure */
1344
1345if (host_lookup_failed)
1346 {
1347 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1348 return FAIL;
1349 }
1350
1351/* Need to do a lookup */
1352
1353HDEBUG(D_acl)
1354 debug_printf("looking up host name to force name/address consistency check\n");
1355
1356if ((rc = host_name_lookup()) != OK)
1357 {
1358 *log_msgptr = (rc == DEFER)?
1359 US"host lookup deferred for reverse lookup check"
1360 :
1361 string_sprintf("host lookup failed for reverse lookup check%s",
1362 host_lookup_msg);
1363 return rc; /* DEFER or FAIL */
1364 }
1365
1366host_build_sender_fullhost();
1367return OK;
1368}
1369
1370
1371
e5a9dba6
PH		 1372/*************************************************
1373* Check client IP address matches CSA target *
1374*************************************************/
1375
1376/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1377response for address records belonging to the CSA target hostname. The section
1378is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1379If one of the addresses matches the client's IP address, then the client is
1380authorized by CSA. If there are target IP addresses but none of them match
1381then the client is using an unauthorized IP address. If there are no target IP
1382addresses then the client cannot be using an authorized IP address. (This is
1383an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1384
1385Arguments:
1386 dnsa the DNS answer block
1387 dnss a DNS scan block for us to use
1388 reset option specifing what portion to scan, as described above
1389 target the target hostname to use for matching RR names
1390
1391Returns: CSA_OK successfully authorized
1392 CSA_FAIL_MISMATCH addresses found but none matched
1393 CSA_FAIL_NOADDR no target addresses found
1394*/
1395
1396static int
1397acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1398 uschar *target)
1399{
1400dns_record *rr;
1401dns_address *da;
1402
1403BOOL target_found = FALSE;
1404
1405for (rr = dns_next_rr(dnsa, dnss, reset);
1406 rr != NULL;
1407 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1408 {
1409 /* Check this is an address RR for the target hostname. */
1410
1411 if (rr->type != T_A
1412 #if HAVE_IPV6
1413 && rr->type != T_AAAA
e5a9dba6
PH		 1414 #endif
1415 ) continue;
1416
1417 if (strcmpic(target, rr->name) != 0) continue;
1418
1419 target_found = TRUE;
1420
1421 /* Turn the target address RR into a list of textual IP addresses and scan
1422 the list. There may be more than one if it is an A6 RR. */
1423
1424 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1425 {
1426 /* If the client IP address matches the target IP address, it's good! */
1427
1428 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1429
1430 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1431 }
1432 }
1433
1434/* If we found some target addresses but none of them matched, the client is
1435using an unauthorized IP address, otherwise the target has no authorized IP
1436addresses. */
1437
1438if (target_found) return CSA_FAIL_MISMATCH;
1439else return CSA_FAIL_NOADDR;
1440}
1441
1442
1443
1444/*************************************************
1445* Verify Client SMTP Authorization *
1446*************************************************/
1447
1448/* Called from acl_verify() below. This routine calls dns_lookup_special()
1449to find the CSA SRV record corresponding to the domain argument, or
1450$sender_helo_name if no argument is provided. It then checks that the
1451client is authorized, and that its IP address corresponds to the SRV
1452target's address by calling acl_verify_csa_address() above. The address
1453should have been returned in the DNS response's ADDITIONAL section, but if
1454not we perform another DNS lookup to get it.
1455
1456Arguments:
1457 domain pointer to optional parameter following verify = csa
1458
1459Returns: CSA_UNKNOWN no valid CSA record found
1460 CSA_OK successfully authorized
1461 CSA_FAIL_* client is definitely not authorized
1462 CSA_DEFER_* there was a DNS problem
1463*/
1464
1465static int
55414b25 1466acl_verify_csa(const uschar *domain)
e5a9dba6
PH		 1467{
1468tree_node *t;
55414b25
JH		 1469const uschar *found;
1470uschar *p;
e5a9dba6
PH		 1471int priority, weight, port;
1472dns_answer dnsa;
1473dns_scan dnss;
1474dns_record *rr;
1475int rc, type;
1476uschar target[256];
1477
1478/* Work out the domain we are using for the CSA lookup. The default is the
1479client's HELO domain. If the client has not said HELO, use its IP address
1480instead. If it's a local client (exim -bs), CSA isn't applicable. */
1481
1482while (isspace(*domain) && *domain != '\0') ++domain;
1483if (*domain == '\0') domain = sender_helo_name;
1484if (domain == NULL) domain = sender_host_address;
1485if (sender_host_address == NULL) return CSA_UNKNOWN;
1486
1487/* If we have an address literal, strip off the framing ready for turning it
1488into a domain. The framing consists of matched square brackets possibly
1489containing a keyword and a colon before the actual IP address. */
1490
1491if (domain[0] == '[')
1492 {
55414b25 1493 const uschar *start = Ustrchr(domain, ':');
e5a9dba6
PH		 1494 if (start == NULL) start = domain;
1495 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1496 }
1497
1498/* Turn domains that look like bare IP addresses into domains in the reverse
1499DNS. This code also deals with address literals and $sender_host_address. It's
1500not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1501address literals, but it's probably the most friendly thing to do. This is an
1502extension to CSA, so we allow it to be turned off for proper conformance. */
1503
7e66e54d 1504if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1505 {
1506 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1507 dns_build_reverse(domain, target);
1508 domain = target;
1509 }
1510
1511/* Find out if we've already done the CSA check for this domain. If we have,
1512return the same result again. Otherwise build a new cached result structure
1513for this domain. The name is filled in now, and the value is filled in when
1514we return from this function. */
1515
1516t = tree_search(csa_cache, domain);
1517if (t != NULL) return t->data.val;
1518
1519t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1520Ustrcpy(t->name, domain);
1521(void)tree_insertnode(&csa_cache, t);
1522
1523/* Now we are ready to do the actual DNS lookup(s). */
1524
28e6ef29 1525found = domain;
e5a9dba6
PH		 1526switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1527 {
1528 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1529
1530 default:
1531 return t->data.val = CSA_DEFER_SRV;
1532
1533 /* If we found nothing, the client's authorization is unknown. */
1534
1535 case DNS_NOMATCH:
1536 case DNS_NODATA:
1537 return t->data.val = CSA_UNKNOWN;
1538
1539 /* We got something! Go on to look at the reply in more detail. */
1540
1541 case DNS_SUCCEED:
1542 break;
1543 }
1544
1545/* Scan the reply for well-formed CSA SRV records. */
1546
1547for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1548 rr != NULL;
1549 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1550 {
1551 if (rr->type != T_SRV) continue;
1552
1553 /* Extract the numerical SRV fields (p is incremented) */
1554
1555 p = rr->data;
1556 GETSHORT(priority, p);
1557 GETSHORT(weight, p);
1558 GETSHORT(port, p);
1559
1560 DEBUG(D_acl)
1561 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1562
1563 /* Check the CSA version number */
1564
1565 if (priority != 1) continue;
1566
1567 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1568 found by dns_special_lookup() is a parent of the one we asked for), we check
1569 the subdomain assertions in the port field. At the moment there's only one
1570 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1571 SRV records of their own. */
1572
1dc92d5a 1573 if (Ustrcmp(found, domain) != 0)
e5a9dba6
PH		 1574 {
1575 if (port & 1)
1576 return t->data.val = CSA_FAIL_EXPLICIT;
1577 else
1578 return t->data.val = CSA_UNKNOWN;
1579 }
1580
1581 /* This CSA SRV record refers directly to our domain, so we check the value
1582 in the weight field to work out the domain's authorization. 0 and 1 are
1583 unauthorized; 3 means the client is authorized but we can't check the IP
1584 address in order to authenticate it, so we treat it as unknown; values
1585 greater than 3 are undefined. */
1586
1587 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1588
1589 if (weight > 2) continue;
1590
1591 /* Weight == 2, which means the domain is authorized. We must check that the
1592 client's IP address is listed as one of the SRV target addresses. Save the
1593 target hostname then break to scan the additional data for its addresses. */
1594
1595 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1596 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1597
1598 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1599
1600 break;
1601 }
1602
1603/* If we didn't break the loop then no appropriate records were found. */
1604
1605if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1606
1607/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1608A target of "." indicates there are no valid addresses, so the client cannot
1609be authorized. (This is an odd configuration because weight=2 target=. is
1610equivalent to weight=1, but we check for it in order to keep load off the
1611root name servers.) Note that dn_expand() turns "." into "". */
1612
1613if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1614
1615/* Scan the additional section of the CSA SRV reply for addresses belonging
1616to the target. If the name server didn't return any additional data (e.g.
1617because it does not fully support SRV records), we need to do another lookup
1618to obtain the target addresses; otherwise we have a definitive result. */
1619
1620rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1621if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1622
1623/* The DNS lookup type corresponds to the IP version used by the client. */
1624
1625#if HAVE_IPV6
1626if (Ustrchr(sender_host_address, ':') != NULL)
1627 type = T_AAAA;
1628else
1629#endif /* HAVE_IPV6 */
1630 type = T_A;
1631
1632
4e0983dc 1633lookup_dnssec_authenticated = NULL;
e5a9dba6
PH		 1634switch (dns_lookup(&dnsa, target, type, NULL))
1635 {
1636 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1637
1638 default:
cc00f4af 1639 return t->data.val = CSA_DEFER_ADDR;
e5a9dba6
PH		 1640
1641 /* If the query succeeded, scan the addresses and return the result. */
1642
1643 case DNS_SUCCEED:
cc00f4af
JH		 1644 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1645 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1646 /* else fall through */
e5a9dba6
PH		 1647
1648 /* If the target has no IP addresses, the client cannot have an authorized
1649 IP address. However, if the target site uses A6 records (not AAAA records)
1650 we have to do yet another lookup in order to check them. */
1651
1652 case DNS_NOMATCH:
1653 case DNS_NODATA:
cc00f4af 1654 return t->data.val = CSA_FAIL_NOADDR;
e5a9dba6
PH		 1655 }
1656}
1657
1658
1659
059ec3d9
PH		 1660/*************************************************
1661* Handle verification (address & other) *
1662*************************************************/
1663
89583014 1664enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
770747fd
MFM		 1665 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT,
1666 VERIFY_HDR_NAMES_ASCII
89583014
JH		 1667 };
1668typedef struct {
1669 uschar * name;
1670 int value;
1671 unsigned where_allowed; /* bitmap */
1672 BOOL no_options; /* Never has /option(s) following */
1673 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1674 } verify_type_t;
1675static verify_type_t verify_type_list[] = {
7e8360e6 1676 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, FALSE, 0 },
89583014
JH		 1677 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1678 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1679 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1680 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1681 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1682 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1683 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1684 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1685 FALSE, 6 },
770747fd
MFM		 1686 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 },
1687 { US"header_names_ascii", VERIFY_HDR_NAMES_ASCII, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 }
89583014
JH		 1688 };
1689
1690
1691enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1692 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1693 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1694 CALLOUT_TIME
1695 };
1696typedef struct {
1697 uschar * name;
1698 int value;
1699 int flag;
1700 BOOL has_option; /* Has =option(s) following */
1701 BOOL timeval; /* Has a time value */
1702 } callout_opt_t;
1703static callout_opt_t callout_opt_list[] = {
1704 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1705 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1706 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1707 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1708 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1709 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1710 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1711 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1712 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1713 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1714 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1715 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1716 };
1717
1718
1719
059ec3d9
PH		 1720/* This function implements the "verify" condition. It is called when
1721encountered in any ACL, because some tests are almost always permitted. Some
1722just don't make sense, and always fail (for example, an attempt to test a host
1723lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1724
1725Arguments:
1726 where where called from
1727 addr the recipient address that the ACL is handling, or NULL
1728 arg the argument of "verify"
1729 user_msgptr pointer for user message
1730 log_msgptr pointer for log message
1731 basic_errno where to put verify errno
1732
1733Returns: OK verification condition succeeded
1734 FAIL verification failed
1735 DEFER there was a problem verifying
1736 ERROR syntax error
1737*/
1738
1739static int
55414b25 1740acl_verify(int where, address_item *addr, const uschar *arg,
059ec3d9
PH		 1741 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1742{
1743int sep = '/';
1744int callout = -1;
1745int callout_overall = -1;
4deaf07d 1746int callout_connect = -1;
059ec3d9
PH		 1747int verify_options = 0;
1748int rc;
1749BOOL verify_header_sender = FALSE;
1750BOOL defer_ok = FALSE;
1751BOOL callout_defer_ok = FALSE;
1752BOOL no_details = FALSE;
eafd343b 1753BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1754address_item *sender_vaddr = NULL;
1755uschar *verify_sender_address = NULL;
1756uschar *pm_mailfrom = NULL;
1757uschar *se_mailfrom = NULL;
596875b3
PH		 1758
1759/* Some of the verify items have slash-separated options; some do not. Diagnose
89583014 1760an error if options are given for items that don't expect them.
596875b3
PH		 1761*/
1762
1763uschar *slash = Ustrchr(arg, '/');
55414b25 1764const uschar *list = arg;
059ec3d9 1765uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
89583014 1766verify_type_t * vp;
059ec3d9
PH		 1767
1768if (ss == NULL) goto BAD_VERIFY;
1769
1770/* Handle name/address consistency verification in a separate function. */
1771
89583014
JH		 1772for (vp= verify_type_list;
1773 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1774 vp++
1775 )
1776 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1777 : strcmpic (ss, vp->name) == 0)
1778 break;
1779if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1780 goto BAD_VERIFY;
1781
1782if (vp->no_options && slash != NULL)
059ec3d9 1783 {
89583014
JH		 1784 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1785 "(this verify item has no options)", arg);
1786 return ERROR;
059ec3d9 1787 }
89583014 1788if (!(vp->where_allowed & (1<<where)))
059ec3d9 1789 {
89583014
JH		 1790 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1791 return ERROR;
059ec3d9 1792 }
89583014 1793switch(vp->value)
596875b3 1794 {
89583014
JH		 1795 case VERIFY_REV_HOST_LKUP:
1796 if (sender_host_address == NULL) return OK;
7e8360e6
JH		 1797 if ((rc = acl_verify_reverse(user_msgptr, log_msgptr)) == DEFER)
1798 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1799 if (strcmpic(ss, US"defer_ok") == 0)
1800 return OK;
1801 return rc;
059ec3d9 1802
89583014
JH		 1803 case VERIFY_CERT:
1804 /* TLS certificate verification is done at STARTTLS time; here we just
1805 test whether it was successful or not. (This is for optional verification; for
1806 mandatory verification, the connection doesn't last this long.) */
e5a9dba6 1807
3703d818
JH		 1808 if (tls_in.certificate_verified) return OK;
1809 *user_msgptr = US"no verified certificate";
1810 return FAIL;
e5a9dba6 1811
89583014
JH		 1812 case VERIFY_HELO:
1813 /* We can test the result of optional HELO verification that might have
1814 occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1815
3703d818
JH		 1816 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1817 return helo_verified? OK : FAIL;
059ec3d9 1818
89583014
JH		 1819 case VERIFY_CSA:
1820 /* Do Client SMTP Authorization checks in a separate function, and turn the
1821 result code into user-friendly strings. */
1c41c9cc 1822
3703d818
JH		 1823 rc = acl_verify_csa(list);
1824 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
89583014 1825 csa_reason_string[rc]);
3703d818
JH		 1826 csa_status = csa_status_string[rc];
1827 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1828 return csa_return_code[rc];
89583014
JH		 1829
1830 case VERIFY_HDR_SYNTAX:
1831 /* Check that all relevant header lines have the correct syntax. If there is
1832 a syntax error, we return details of the error to the sender if configured to
1833 send out full details. (But a "message" setting on the ACL can override, as
1834 always). */
1835
1836 rc = verify_check_headers(log_msgptr);
3703d818
JH		 1837 if (rc != OK && *log_msgptr)
1838 if (smtp_return_error_details)
1839 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1840 else
1841 acl_verify_message = *log_msgptr;
89583014 1842 return rc;
059ec3d9 1843
770747fd
MFM		 1844 case VERIFY_HDR_NAMES_ASCII:
1845 /* Check that all header names are true 7 bit strings
1846 See RFC 5322, 2.2. and RFC 6532, 3. */
1847
1848 rc = verify_check_header_names_ascii(log_msgptr);
1849 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1850 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1851 return rc;
1852
89583014
JH		 1853 case VERIFY_NOT_BLIND:
1854 /* Check that no recipient of this message is "blind", that is, every envelope
1855 recipient must be mentioned in either To: or Cc:. */
059ec3d9 1856
89583014
JH		 1857 rc = verify_check_notblind();
1858 if (rc != OK)
1859 {
1860 *log_msgptr = string_sprintf("bcc recipient detected");
1861 if (smtp_return_error_details)
1862 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1863 }
1864 return rc;
059ec3d9 1865
89583014
JH		 1866 /* The remaining verification tests check recipient and sender addresses,
1867 either from the envelope or from the header. There are a number of
1868 slash-separated options that are common to all of them. */
059ec3d9 1869
89583014
JH		 1870 case VERIFY_HDR_SNDR:
1871 verify_header_sender = TRUE;
1872 break;
059ec3d9 1873
89583014
JH		 1874 case VERIFY_SNDR:
1875 /* In the case of a sender, this can optionally be followed by an address to use
1876 in place of the actual sender (rare special-case requirement). */
059ec3d9 1877 {
89583014
JH		 1878 uschar *s = ss + 6;
1879 if (*s == 0)
1880 verify_sender_address = sender_address;
1881 else
1882 {
1883 while (isspace(*s)) s++;
1884 if (*s++ != '=') goto BAD_VERIFY;
1885 while (isspace(*s)) s++;
1886 verify_sender_address = string_copy(s);
1887 }
059ec3d9 1888 }
89583014
JH		 1889 break;
1890
1891 case VERIFY_RCPT:
1892 break;
059ec3d9
PH		 1893 }
1894
89583014
JH		 1895
1896
596875b3
PH		 1897/* Remaining items are optional; they apply to sender and recipient
1898verification, including "header sender" verification. */
059ec3d9
PH		 1899
1900while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1901 != NULL)
1902 {
1903 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1904 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1905 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1906
1907 /* These two old options are left for backwards compatibility */
1908
1909 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1910 {
1911 callout_defer_ok = TRUE;
1912 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1913 }
1914
1915 else if (strcmpic(ss, US"check_postmaster") == 0)
1916 {
1917 pm_mailfrom = US"";
1918 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1919 }
1920
1921 /* The callout option has a number of sub-options, comma separated */
1922
1923 else if (strncmpic(ss, US"callout", 7) == 0)
1924 {
1925 callout = CALLOUT_TIMEOUT_DEFAULT;
1926 ss += 7;
1927 if (*ss != 0)
1928 {
1929 while (isspace(*ss)) ss++;
1930 if (*ss++ == '=')
1931 {
55414b25 1932 const uschar * sublist = ss;
059ec3d9
PH		 1933 int optsep = ',';
1934 uschar *opt;
1935 uschar buffer[256];
55414b25 1936 while (isspace(*sublist)) sublist++;
8e669ac1 1937
55414b25 1938 while ((opt = string_nextinlist(&sublist, &optsep, buffer, sizeof(buffer)))
059ec3d9
PH		 1939 != NULL)
1940 {
89583014 1941 callout_opt_t * op;
438257ba 1942 double period = 1.0F;
059ec3d9 1943
89583014 1944 for (op= callout_opt_list; op->name; op++)
438257ba 1945 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
89583014 1946 break;
059ec3d9 1947
89583014
JH		 1948 verify_options |= op->flag;
1949 if (op->has_option)
1950 {
438257ba 1951 opt += Ustrlen(op->name);
4deaf07d
PH		 1952 while (isspace(*opt)) opt++;
1953 if (*opt++ != '=')
1954 {
1955 *log_msgptr = string_sprintf("'=' expected after "
89583014 1956 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
4deaf07d
PH		 1957 return ERROR;
1958 }
1959 while (isspace(*opt)) opt++;
89583014
JH		 1960 }
1961 if (op->timeval)
1962 {
1963 period = readconf_readtime(opt, 0, FALSE);
1964 if (period < 0)
4deaf07d
PH		 1965 {
1966 *log_msgptr = string_sprintf("bad time value in ACL condition "
1967 "\"verify %s\"", arg);
1968 return ERROR;
1969 }
89583014
JH		 1970 }
1971
1972 switch(op->value)
1973 {
1974 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1975 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1976 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1977 case CALLOUT_MAILFROM:
1978 if (!verify_header_sender)
1979 {
1980 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1981 "callout option only for verify=header_sender (detected in ACL "
1982 "condition \"%s\")", arg);
1983 return ERROR;
1984 }
1985 se_mailfrom = string_copy(opt);
1986 break;
1987 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1988 case CALLOUT_MAXWAIT: callout_overall = period; break;
1989 case CALLOUT_CONNECT: callout_connect = period; break;
1990 case CALLOUT_TIME: callout = period; break;
1991 }
059ec3d9
PH		 1992 }
1993 }
1994 else
1995 {
1996 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1997 "ACL condition \"%s\"", arg);
1998 return ERROR;
1999 }
2000 }
2001 }
2002
2003 /* Option not recognized */
2004
2005 else
2006 {
2007 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
2008 "condition \"verify %s\"", ss, arg);
2009 return ERROR;
2010 }
2011 }
2012
2013if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
2014 (vopt_callout_recipsender|vopt_callout_recippmaster))
2015 {
2016 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
2017 "for a recipient callout";
2018 return ERROR;
2019 }
2020
2021/* Handle sender-in-header verification. Default the user message to the log
2022message if giving out verification details. */
2023
2024if (verify_header_sender)
2025 {
8e669ac1 2026 int verrno;
059ec3d9 2027 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 2028 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
2029 &verrno);
2030 if (rc != OK)
8e669ac1 2031 {
fe5b5d0b
PH		 2032 *basic_errno = verrno;
2033 if (smtp_return_error_details)
2034 {
2035 if (*user_msgptr == NULL && *log_msgptr != NULL)
2036 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
2037 if (rc == DEFER) acl_temp_details = TRUE;
2038 }
8e669ac1 2039 }
059ec3d9
PH		 2040 }
2041
2042/* Handle a sender address. The default is to verify *the* sender address, but
2043optionally a different address can be given, for special requirements. If the
2044address is empty, we are dealing with a bounce message that has no sender, so
2045we cannot do any checking. If the real sender address gets rewritten during
2046verification (e.g. DNS widening), set the flag to stop it being rewritten again
2047during message reception.
2048
2049A list of verified "sender" addresses is kept to try to avoid doing to much
2050work repetitively when there are multiple recipients in a message and they all
2051require sender verification. However, when callouts are involved, it gets too
2052complicated because different recipients may require different callout options.
2053Therefore, we always do a full sender verify when any kind of callout is
2054specified. Caching elsewhere, for instance in the DNS resolver and in the
2055callout handling, should ensure that this is not terribly inefficient. */
2056
2057else if (verify_sender_address != NULL)
2058 {
2059 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
2060 != 0)
2061 {
2062 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
2063 "sender verify callout";
2064 return ERROR;
2065 }
2066
2067 sender_vaddr = verify_checked_sender(verify_sender_address);
2068 if (sender_vaddr != NULL && /* Previously checked */
2069 callout <= 0) /* No callout needed this time */
2070 {
2071 /* If the "routed" flag is set, it means that routing worked before, so
2072 this check can give OK (the saved return code value, if set, belongs to a
2073 callout that was done previously). If the "routed" flag is not set, routing
2074 must have failed, so we use the saved return code. */
2075
2076 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
2077 {
2078 rc = sender_vaddr->special_action;
2079 *basic_errno = sender_vaddr->basic_errno;
2080 }
2081 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
2082 }
2083
2084 /* Do a new verification, and cache the result. The cache is used to avoid
2085 verifying the sender multiple times for multiple RCPTs when callouts are not
2086 specified (see comments above).
2087
2088 The cache is also used on failure to give details in response to the first
2089 RCPT that gets bounced for this reason. However, this can be suppressed by
2090 the no_details option, which sets the flag that says "this detail has already
2091 been sent". The cache normally contains just one address, but there may be
2092 more in esoteric circumstances. */
2093
2094 else
2095 {
2096 BOOL routed = TRUE;
2a3eea10 2097 uschar *save_address_data = deliver_address_data;
8e669ac1 2098
059ec3d9 2099 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
8c5d388a 2100#ifdef SUPPORT_I18N
3c8b3577
JH		 2101 if ((sender_vaddr->prop.utf8_msg = message_smtputf8))
2102 {
2103 sender_vaddr->prop.utf8_downcvt = message_utf8_downconvert == 1;
2104 sender_vaddr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
2105 }
f358d5e0 2106#endif
059ec3d9
PH		 2107 if (no_details) setflag(sender_vaddr, af_sverify_told);
2108 if (verify_sender_address[0] != 0)
2109 {
2110 /* If this is the real sender address, save the unrewritten version
2111 for use later in receive. Otherwise, set a flag so that rewriting the
2112 sender in verify_address() does not update sender_address. */
2113
2114 if (verify_sender_address == sender_address)
2115 sender_address_unrewritten = sender_address;
2116 else
2117 verify_options |= vopt_fake_sender;
2118
eafd343b
TK		 2119 if (success_on_redirect)
2120 verify_options |= vopt_success_on_redirect;
2121
059ec3d9
PH		 2122 /* The recipient, qualify, and expn options are never set in
2123 verify_options. */
2124
2125 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 2126 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 2127
2128 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
2129
2130 if (rc == OK)
2131 {
2132 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2133 {
2134 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
2135 verify_sender_address, sender_vaddr->address);
2136 }
2137 else
2138 {
2139 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
2140 verify_sender_address);
2141 }
2142 }
2143 else *basic_errno = sender_vaddr->basic_errno;
2144 }
2145 else rc = OK; /* Null sender */
2146
2147 /* Cache the result code */
2148
2149 if (routed) setflag(sender_vaddr, af_verify_routed);
2150 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2151 sender_vaddr->special_action = rc;
2152 sender_vaddr->next = sender_verified_list;
2153 sender_verified_list = sender_vaddr;
8e669ac1
PH		 2154
2155 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 2156 the sender verification. */
8e669ac1 2157
2a3eea10 2158 deliver_address_data = save_address_data;
059ec3d9 2159 }
8e669ac1 2160
2a3eea10
PH		 2161 /* Put the sender address_data value into $sender_address_data */
2162
d43cbe25 2163 sender_address_data = sender_vaddr->prop.address_data;
059ec3d9
PH		 2164 }
2165
2166/* A recipient address just gets a straightforward verify; again we must handle
2167the DEFER overrides. */
2168
2169else
2170 {
2171 address_item addr2;
2172
eafd343b
TK		 2173 if (success_on_redirect)
2174 verify_options |= vopt_success_on_redirect;
2175
059ec3d9
PH		 2176 /* We must use a copy of the address for verification, because it might
2177 get rewritten. */
2178
2179 addr2 = *addr;
2180 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 2181 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 2182 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 2183
42855d71 2184 *basic_errno = addr2.basic_errno;
059ec3d9 2185 *log_msgptr = addr2.message;
8e669ac1 2186 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 2187 addr2.user_message : addr2.message;
42855d71
PH		 2188
2189 /* Allow details for temporary error if the address is so flagged. */
2190 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH		 2191
2192 /* Make $address_data visible */
d43cbe25 2193 deliver_address_data = addr2.prop.address_data;
059ec3d9
PH		 2194 }
2195
2196/* We have a result from the relevant test. Handle defer overrides first. */
2197
2198if (rc == DEFER && (defer_ok ||
2199 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
2200 {
2201 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
2202 defer_ok? "defer_ok" : "callout_defer_ok");
2203 rc = OK;
2204 }
2205
2206/* If we've failed a sender, set up a recipient message, and point
2207sender_verified_failed to the address item that actually failed. */
2208
2209if (rc != OK && verify_sender_address != NULL)
2210 {
2211 if (rc != DEFER)
059ec3d9 2212 *log_msgptr = *user_msgptr = US"Sender verify failed";
059ec3d9 2213 else if (*basic_errno != ERRNO_CALLOUTDEFER)
059ec3d9 2214 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
059ec3d9
PH		 2215 else
2216 {
2217 *log_msgptr = US"Could not complete sender verify callout";
2218 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2219 *log_msgptr;
2220 }
2221
2222 sender_verified_failed = sender_vaddr;
2223 }
2224
2225/* Verifying an address messes up the values of $domain and $local_part,
2226so reset them before returning if this is a RCPT ACL. */
2227
2228if (addr != NULL)
2229 {
2230 deliver_domain = addr->domain;
2231 deliver_localpart = addr->local_part;
2232 }
2233return rc;
2234
2235/* Syntax errors in the verify argument come here. */
2236
2237BAD_VERIFY:
2238*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
770747fd
MFM		 2239 "\"helo\", \"header_syntax\", \"header_sender\", \"header_names_ascii\" "
2240 "or \"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2241 "\"verify %s\"", arg);
2242return ERROR;
2243}
2244
2245
2246
2247
2248/*************************************************
2249* Check argument for control= modifier *
2250*************************************************/
2251
2252/* Called from acl_check_condition() below
2253
2254Arguments:
2255 arg the argument string for control=
2256 pptr set to point to the terminating character
2257 where which ACL we are in
2258 log_msgptr for error messages
2259
2260Returns: CONTROL_xxx value
2261*/
2262
2263static int
55414b25 2264decode_control(const uschar *arg, const uschar **pptr, int where, uschar **log_msgptr)
059ec3d9
PH		 2265{
2266int len;
2267control_def *d;
2268
2269for (d = controls_list;
2270 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2271 d++)
2272 {
2273 len = Ustrlen(d->name);
2274 if (Ustrncmp(d->name, arg, len) == 0) break;
2275 }
2276
2277if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2278 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2279 {
2280 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2281 return CONTROL_ERROR;
2282 }
2283
059ec3d9
PH		 2284*pptr = arg + len;
2285return d->value;
2286}
2287
2288
2289
c99ce5c9
TF		 2290
2291/*************************************************
2292* Return a ratelimit error *
2293*************************************************/
2294
2295/* Called from acl_ratelimit() below
2296
2297Arguments:
2298 log_msgptr for error messages
2299 format format string
2300 ... supplementary arguments
2301 ss ratelimit option name
2302 where ACL_WHERE_xxxx indicating which ACL this is
2303
2304Returns: ERROR
2305*/
2306
2307static int
2308ratelimit_error(uschar **log_msgptr, const char *format, ...)
2309{
2310va_list ap;
2311uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2312va_start(ap, format);
2313if (!string_vformat(buffer, sizeof(buffer), format, ap))
2314 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
ef840681 2315 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
c99ce5c9
TF		 2316va_end(ap);
2317*log_msgptr = string_sprintf(
2318 "error in arguments to \"ratelimit\" condition: %s", buffer);
2319return ERROR;
2320}
2321
2322
2323
2324
870f6ba8
TF		 2325/*************************************************
2326* Handle rate limiting *
2327*************************************************/
2328
2329/* Called by acl_check_condition() below to calculate the result
2330of the ACL ratelimit condition.
2331
2332Note that the return value might be slightly unexpected: if the
2333sender's rate is above the limit then the result is OK. This is
2334similar to the dnslists condition, and is so that you can write
2335ACL clauses like: defer ratelimit = 15 / 1h
2336
2337Arguments:
2338 arg the option string for ratelimit=
90fc3069 2339 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2340 log_msgptr for error messages
2341
2342Returns: OK - Sender's rate is above limit
2343 FAIL - Sender's rate is below limit
2344 DEFER - Problem opening ratelimit database
2345 ERROR - Syntax error in options.
2346*/
2347
2348static int
55414b25 2349acl_ratelimit(const uschar *arg, int where, uschar **log_msgptr)
870f6ba8 2350{
c99ce5c9 2351double limit, period, count;
8f240103
PH		 2352uschar *ss;
2353uschar *key = NULL;
c99ce5c9 2354uschar *unique = NULL;
870f6ba8 2355int sep = '/';
c99ce5c9
TF		 2356BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2357BOOL noupdate = FALSE, badacl = FALSE;
2358int mode = RATE_PER_WHAT;
870f6ba8
TF		 2359int old_pool, rc;
2360tree_node **anchor, *t;
2361open_db dbblock, *dbm;
c99ce5c9 2362int dbdb_size;
870f6ba8 2363dbdata_ratelimit *dbd;
c99ce5c9 2364dbdata_ratelimit_unique *dbdb;
870f6ba8
TF		 2365struct timeval tv;
2366
2367/* Parse the first two options and record their values in expansion
2368variables. These variables allow the configuration to have informative
2369error messages based on rate limits obtained from a table lookup. */
2370
c99ce5c9 2371/* First is the maximum number of messages per period / maximum burst
870f6ba8
TF		 2372size, which must be greater than or equal to zero. Zero is useful for
2373rate measurement as opposed to rate limiting. */
2374
2375sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2376if (sender_rate_limit == NULL)
288644dd 2377 {
870f6ba8 2378 limit = -1.0;
288644dd
JH		 2379 ss = NULL; /* compiler quietening */
2380 }
870f6ba8
TF		 2381else
2382 {
2383 limit = Ustrtod(sender_rate_limit, &ss);
2384 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2385 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2386 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2387 }
c99ce5c9
TF		 2388if (limit < 0.0 || *ss != '\0')
2389 return ratelimit_error(log_msgptr,
2390 "\"%s\" is not a positive number", sender_rate_limit);
870f6ba8 2391
c99ce5c9 2392/* Second is the rate measurement period / exponential smoothing time
870f6ba8
TF		 2393constant. This must be strictly greater than zero, because zero leads to
2394run-time division errors. */
2395
2396sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2397if (sender_rate_period == NULL) period = -1.0;
2398else period = readconf_readtime(sender_rate_period, 0, FALSE);
2399if (period <= 0.0)
c99ce5c9
TF		 2400 return ratelimit_error(log_msgptr,
2401 "\"%s\" is not a time value", sender_rate_period);
2402
2403/* By default we are counting one of something, but the per_rcpt,
2404per_byte, and count options can change this. */
2405
2406count = 1.0;
870f6ba8 2407
c99ce5c9 2408/* Parse the other options. */
870f6ba8
TF		 2409
2410while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2411 != NULL)
2412 {
2413 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2414 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2415 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
c99ce5c9
TF		 2416 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2417 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2418 else if (strcmpic(ss, US"per_conn") == 0)
2419 {
2420 RATE_SET(mode, PER_CONN);
2421 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2422 badacl = TRUE;
2423 }
2424 else if (strcmpic(ss, US"per_mail") == 0)
2425 {
2426 RATE_SET(mode, PER_MAIL);
2427 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2428 }
2429 else if (strcmpic(ss, US"per_rcpt") == 0)
2430 {
2431 /* If we are running in the RCPT ACL, then we'll count the recipients
2432 one by one, but if we are running when we have accumulated the whole
2433 list then we'll add them all in one batch. */
2434 if (where == ACL_WHERE_RCPT)
2435 RATE_SET(mode, PER_RCPT);
2436 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2437 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2438 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2439 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2440 }
2441 else if (strcmpic(ss, US"per_byte") == 0)
2442 {
2443 /* If we have not yet received the message data and there was no SIZE
2444 declaration on the MAIL comand, then it's safe to just use a value of
2445 zero and let the recorded rate decay as if nothing happened. */
2446 RATE_SET(mode, PER_MAIL);
2447 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2448 else count = message_size < 0 ? 0.0 : (double)message_size;
2449 }
2450 else if (strcmpic(ss, US"per_addr") == 0)
2451 {
2452 RATE_SET(mode, PER_RCPT);
438257ba 2453 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
c99ce5c9
TF		 2454 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2455 }
2456 else if (strncmpic(ss, US"count=", 6) == 0)
2457 {
2458 uschar *e;
2459 count = Ustrtod(ss+6, &e);
2460 if (count < 0.0 || *e != '\0')
2461 return ratelimit_error(log_msgptr,
2462 "\"%s\" is not a positive number", ss);
2463 }
2464 else if (strncmpic(ss, US"unique=", 7) == 0)
2465 unique = string_copy(ss + 7);
2466 else if (key == NULL)
2467 key = string_copy(ss);
2468 else
2469 key = string_sprintf("%s/%s", key, ss);
870f6ba8
TF		 2470 }
2471
c99ce5c9
TF		 2472/* Sanity check. When the badacl flag is set the update mode must either
2473be readonly (which is the default if it is omitted) or, for backwards
2474compatibility, a combination of noupdate and strict or leaky. */
2475
2476if (mode == RATE_PER_CLASH)
2477 return ratelimit_error(log_msgptr, "conflicting per_* options");
2478if (leaky + strict + readonly > 1)
2479 return ratelimit_error(log_msgptr, "conflicting update modes");
2480if (badacl && (leaky || strict) && !noupdate)
2481 return ratelimit_error(log_msgptr,
2482 "\"%s\" must not have /leaky or /strict option in %s ACL",
2483 ratelimit_option_string[mode], acl_wherenames[where]);
2484
2485/* Set the default values of any unset options. In readonly mode we
2486perform the rate computation without any increment so that its value
2487decays to eventually allow over-limit senders through. */
2488
2489if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2490if (badacl) readonly = TRUE;
2491if (readonly) count = 0.0;
2492if (!strict && !readonly) leaky = TRUE;
2493if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
870f6ba8 2494
8f240103
PH		 2495/* Create the lookup key. If there is no explicit key, use sender_host_address.
2496If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2497omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2498are added to the key because they alter the meaning of the stored data. */
2499
2500if (key == NULL)
2501 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2502
c99ce5c9 2503key = string_sprintf("%s/%s/%s%s",
8f240103 2504 sender_rate_period,
c99ce5c9
TF		 2505 ratelimit_option_string[mode],
2506 unique == NULL ? "" : "unique/",
8f240103 2507 key);
870f6ba8 2508
c99ce5c9
TF		 2509HDEBUG(D_acl)
2510 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
870f6ba8 2511
8f240103
PH		 2512/* See if we have already computed the rate by looking in the relevant tree.
2513For per-connection rate limiting, store tree nodes and dbdata in the permanent
c99ce5c9
TF		 2514pool so that they survive across resets. In readonly mode we only remember the
2515result for the rest of this command in case a later command changes it. After
2516this bit of logic the code is independent of the per_* mode. */
870f6ba8 2517
870f6ba8
TF		 2518old_pool = store_pool;
2519
c99ce5c9
TF		 2520if (readonly)
2521 anchor = &ratelimiters_cmd;
2522else switch(mode) {
2523case RATE_PER_CONN:
870f6ba8
TF		 2524 anchor = &ratelimiters_conn;
2525 store_pool = POOL_PERM;
c99ce5c9
TF		 2526 break;
2527case RATE_PER_BYTE:
2528case RATE_PER_MAIL:
2529case RATE_PER_ALLRCPTS:
870f6ba8 2530 anchor = &ratelimiters_mail;
c99ce5c9
TF		 2531 break;
2532case RATE_PER_ADDR:
2533case RATE_PER_CMD:
2534case RATE_PER_RCPT:
fe0dab11 2535 anchor = &ratelimiters_cmd;
c99ce5c9
TF		 2536 break;
2537default:
3399bb60 2538 anchor = NULL; /* silence an "unused" complaint */
c99ce5c9
TF		 2539 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2540 "internal ACL error: unknown ratelimit mode %d", mode);
2541 break;
2542}
870f6ba8 2543
c99ce5c9
TF		 2544t = tree_search(*anchor, key);
2545if (t != NULL)
870f6ba8
TF		 2546 {
2547 dbd = t->data.ptr;
2548 /* The following few lines duplicate some of the code below. */
8f240103 2549 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2550 store_pool = old_pool;
2551 sender_rate = string_sprintf("%.1f", dbd->rate);
2552 HDEBUG(D_acl)
2553 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2554 return rc;
2555 }
2556
c99ce5c9
TF		 2557/* We aren't using a pre-computed rate, so get a previously recorded rate
2558from the database, which will be updated and written back if required. */
870f6ba8
TF		 2559
2560dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2561if (dbm == NULL)
2562 {
2563 store_pool = old_pool;
2564 sender_rate = NULL;
2565 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2566 *log_msgptr = US"ratelimit database not available";
2567 return DEFER;
2568 }
c99ce5c9
TF		 2569dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2570dbd = NULL;
870f6ba8
TF		 2571
2572gettimeofday(&tv, NULL);
2573
c99ce5c9
TF		 2574if (dbdb != NULL)
2575 {
2576 /* Locate the basic ratelimit block inside the DB data. */
2577 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2578 dbd = &dbdb->dbd;
2579
2580 /* Forget the old Bloom filter if it is too old, so that we count each
2581 repeating event once per period. We don't simply clear and re-use the old
2582 filter because we want its size to change if the limit changes. Note that
2583 we keep the dbd pointer for copying the rate into the new data block. */
2584
2585 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2586 {
2587 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2588 dbdb = NULL;
2589 }
2590
2591 /* Sanity check. */
2592
2593 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2594 {
2595 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2596 dbdb = NULL;
2597 }
2598 }
2599
2600/* Allocate a new data block if the database lookup failed
2601or the Bloom filter passed its age limit. */
2602
2603if (dbdb == NULL)
2604 {
2605 if (unique == NULL)
2606 {
2607 /* No Bloom filter. This basic ratelimit block is initialized below. */
2608 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2609 dbdb_size = sizeof(*dbd);
2610 dbdb = store_get(dbdb_size);
2611 }
2612 else
2613 {
2614 int extra;
2615 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2616
2617 /* See the long comment below for an explanation of the magic number 2.
2618 The filter has a minimum size in case the rate limit is very small;
2619 this is determined by the definition of dbdata_ratelimit_unique. */
2620
2621 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2622 if (extra < 0) extra = 0;
2623 dbdb_size = sizeof(*dbdb) + extra;
2624 dbdb = store_get(dbdb_size);
2625 dbdb->bloom_epoch = tv.tv_sec;
2626 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2627 memset(dbdb->bloom, 0, dbdb->bloom_size);
2628
2629 /* Preserve any basic ratelimit data (which is our longer-term memory)
2630 by copying it from the discarded block. */
2631
2632 if (dbd != NULL)
2633 {
2634 dbdb->dbd = *dbd;
2635 dbd = &dbdb->dbd;
2636 }
2637 }
2638 }
2639
2640/* If we are counting unique events, find out if this event is new or not.
2641If the client repeats the event during the current period then it should be
2642counted. We skip this code in readonly mode for efficiency, because any
2643changes to the filter will be discarded and because count is already set to
2644zero. */
2645
2646if (unique != NULL && !readonly)
2647 {
2648 /* We identify unique events using a Bloom filter. (You can find my
2649 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2650 With the per_addr option, an "event" is a recipient address, though the
2651 user can use the unique option to define their own events. We only count
2652 an event if we have not seen it before.
2653
2654 We size the filter according to the rate limit, which (in leaky mode)
2655 is the limit on the population of the filter. We allow 16 bits of space
2656 per entry (see the construction code above) and we set (up to) 8 of them
2657 when inserting an element (see the loop below). The probability of a false
2658 positive (an event we have not seen before but which we fail to count) is
2659
2660 size = limit * 16
2661 numhash = 8
2662 allzero = exp(-numhash * pop / size)
2663 = exp(-0.5 * pop / limit)
2664 fpr = pow(1 - allzero, numhash)
2665
2666 For senders at the limit the fpr is 0.06% or 1 in 1700
2667 and for senders at half the limit it is 0.0006% or 1 in 170000
2668
2669 In strict mode the Bloom filter can fill up beyond the normal limit, in
2670 which case the false positive rate will rise. This means that the
2671 measured rate for very fast senders can bogusly drop off after a while.
2672
2673 At twice the limit, the fpr is 2.5% or 1 in 40
2674 At four times the limit, it is 31% or 1 in 3.2
2675
2676 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2677 decay below the limit, and if this is more than one then the Bloom filter
2678 will be discarded before the decay gets that far. The false positive rate
2679 at this threshold is 9.3% or 1 in 10.7. */
2680
2681 BOOL seen;
2682 unsigned n, hash, hinc;
2683 uschar md5sum[16];
2684 md5 md5info;
2685
2686 /* Instead of using eight independent hash values, we combine two values
2687 using the formula h1 + n * h2. This does not harm the Bloom filter's
2688 performance, and means the amount of hash we need is independent of the
2689 number of bits we set in the filter. */
2690
2691 md5_start(&md5info);
2692 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2693 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2694 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2695
2696 /* Scan the bits corresponding to this event. A zero bit means we have
2697 not seen it before. Ensure all bits are set to record this event. */
2698
2699 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2700
2701 seen = TRUE;
2702 for (n = 0; n < 8; n++, hash += hinc)
2703 {
2704 int bit = 1 << (hash % 8);
2705 int byte = (hash / 8) % dbdb->bloom_size;
2706 if ((dbdb->bloom[byte] & bit) == 0)
2707 {
2708 dbdb->bloom[byte] |= bit;
2709 seen = FALSE;
2710 }
2711 }
2712
2713 /* If this event has occurred before, do not count it. */
2714
2715 if (seen)
2716 {
2717 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2718 count = 0.0;
2719 }
2720 else
2721 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2722 }
2723
2724/* If there was no previous ratelimit data block for this key, initialize
2725the new one, otherwise update the block from the database. The initial rate
2726is what would be computed by the code below for an infinite interval. */
2727
870f6ba8
TF		 2728if (dbd == NULL)
2729 {
c99ce5c9
TF		 2730 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2731 dbd = &dbdb->dbd;
870f6ba8
TF		 2732 dbd->time_stamp = tv.tv_sec;
2733 dbd->time_usec = tv.tv_usec;
c99ce5c9 2734 dbd->rate = count;
870f6ba8
TF		 2735 }
2736else
2737 {
2738 /* The smoothed rate is computed using an exponentially weighted moving
2739 average adjusted for variable sampling intervals. The standard EWMA for
2740 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2741 where f() is the measured value and f'() is the smoothed value.
2742
2743 Old data decays out of the smoothed value exponentially, such that data n
2744 samples old is multiplied by a^n. The exponential decay time constant p
2745 is defined such that data p samples old is multiplied by 1/e, which means
2746 that a = exp(-1/p). We can maintain the same time constant for a variable
2747 sampling interval i by using a = exp(-i/p).
2748
2749 The rate we are measuring is messages per period, suitable for directly
2750 comparing with the limit. The average rate between now and the previous
2751 message is period / interval, which we feed into the EWMA as the sample.
2752
2753 It turns out that the number of messages required for the smoothed rate
2754 to reach the limit when they are sent in a burst is equal to the limit.
2755 This can be seen by analysing the value of the smoothed rate after N
2756 messages sent at even intervals. Let k = (1 - a) * p/i
2757
2758 rate_1 = (1 - a) * p/i + a * rate_0
2759 = k + a * rate_0
2760 rate_2 = k + a * rate_1
2761 = k + a * k + a^2 * rate_0
2762 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2763 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2764 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2765 = rate_0 * a^N + p/i * (1 - a^N)
2766
2767 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2768
2769 rate_N = p/i + (rate_0 - p/i) * a^N
2770 a^N = (rate_N - p/i) / (rate_0 - p/i)
2771 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2772 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2773
2774 Numerical analysis of the above equation, setting the computed rate to
2775 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2776 rates, p/i, the number of messages N = limit. So limit serves as both the
2777 maximum rate measured in messages per period, and the maximum number of
2778 messages that can be sent in a fast burst. */
2779
2780 double this_time = (double)tv.tv_sec
2781 + (double)tv.tv_usec / 1000000.0;
2782 double prev_time = (double)dbd->time_stamp
2783 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2784
2785 /* We must avoid division by zero, and deal gracefully with the clock going
2786 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2787 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2788
e5d5a95f
TF		 2789 double interval = this_time - prev_time <= 0.0 ? 1e-9
2790 : this_time - prev_time;
2791
2792 double i_over_p = interval / period;
2793 double a = exp(-i_over_p);
870f6ba8 2794
c99ce5c9
TF		 2795 /* Combine the instantaneous rate (period / interval) with the previous rate
2796 using the smoothing factor a. In order to measure sized events, multiply the
2797 instantaneous rate by the count of bytes or recipients etc. */
2798
870f6ba8
TF		 2799 dbd->time_stamp = tv.tv_sec;
2800 dbd->time_usec = tv.tv_usec;
c99ce5c9
TF		 2801 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2802
2803 /* When events are very widely spaced the computed rate tends towards zero.
2804 Although this is accurate it turns out not to be useful for our purposes,
2805 especially when the first event after a long silence is the start of a spam
2806 run. A more useful model is that the rate for an isolated event should be the
2807 size of the event per the period size, ignoring the lack of events outside
2808 the current period and regardless of where the event falls in the period. So,
2809 if the interval was so long that the calculated rate is unhelpfully small, we
2810 re-intialize the rate. In the absence of higher-rate bursts, the condition
2811 below is true if the interval is greater than the period. */
2812
2813 if (dbd->rate < count) dbd->rate = count;
870f6ba8
TF		 2814 }
2815
c99ce5c9
TF		 2816/* Clients sending at the limit are considered to be over the limit.
2817This matters for edge cases such as a limit of zero, when the client
2818should be completely blocked. */
3348576f 2819
8f240103 2820rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2821
2822/* Update the state if the rate is low or if we are being strict. If we
2823are in leaky mode and the sender's rate is too high, we do not update
2824the recorded rate in order to avoid an over-aggressive sender's retry
c99ce5c9
TF		 2825rate preventing them from getting any email through. If readonly is set,
2826neither leaky nor strict are set, so we do not do any updates. */
870f6ba8 2827
c99ce5c9 2828if ((rc == FAIL && leaky) || strict)
8f240103 2829 {
c99ce5c9 2830 dbfn_write(dbm, key, dbdb, dbdb_size);
8f240103
PH		 2831 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2832 }
2833else
2834 {
2835 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
c99ce5c9 2836 readonly? "readonly mode" : "over the limit, but leaky");
8f240103
PH		 2837 }
2838
870f6ba8
TF		 2839dbfn_close(dbm);
2840
c99ce5c9 2841/* Store the result in the tree for future reference. */
870f6ba8 2842
c99ce5c9
TF		 2843t = store_get(sizeof(tree_node) + Ustrlen(key));
2844t->data.ptr = dbd;
2845Ustrcpy(t->name, key);
2846(void)tree_insertnode(anchor, t);
870f6ba8
TF		 2847
2848/* We create the formatted version of the sender's rate very late in
2849order to ensure that it is done using the correct storage pool. */
2850
2851store_pool = old_pool;
2852sender_rate = string_sprintf("%.1f", dbd->rate);
2853
2854HDEBUG(D_acl)
2855 debug_printf("ratelimit computed rate %s\n", sender_rate);
2856
2857return rc;
2858}
2859
2860
2861
b0019c78
TF		 2862/*************************************************
2863* The udpsend ACL modifier *
2864*************************************************/
2865
2866/* Called by acl_check_condition() below.
2867
2868Arguments:
2869 arg the option string for udpsend=
2870 log_msgptr for error messages
2871
2872Returns: OK - Completed.
2873 DEFER - Problem with DNS lookup.
2874 ERROR - Syntax error in options.
2875*/
2876
2877static int
55414b25 2878acl_udpsend(const uschar *arg, uschar **log_msgptr)
b0019c78
TF		 2879{
2880int sep = 0;
2881uschar *hostname;
2882uschar *portstr;
2883uschar *portend;
2884host_item *h;
2885int portnum;
b0019c78
TF		 2886int len;
2887int r, s;
b1f8e4f8 2888uschar * errstr;
b0019c78
TF		 2889
2890hostname = string_nextinlist(&arg, &sep, NULL, 0);
2891portstr = string_nextinlist(&arg, &sep, NULL, 0);
2892
2893if (hostname == NULL)
2894 {
217b0e56 2895 *log_msgptr = US"missing destination host in \"udpsend\" modifier";
b0019c78
TF		 2896 return ERROR;
2897 }
2898if (portstr == NULL)
2899 {
217b0e56 2900 *log_msgptr = US"missing destination port in \"udpsend\" modifier";
b0019c78
TF		 2901 return ERROR;
2902 }
2903if (arg == NULL)
2904 {
217b0e56 2905 *log_msgptr = US"missing datagram payload in \"udpsend\" modifier";
b0019c78
TF		 2906 return ERROR;
2907 }
2908portnum = Ustrtol(portstr, &portend, 10);
2909if (*portend != '\0')
2910 {
217b0e56 2911 *log_msgptr = US"bad destination port in \"udpsend\" modifier";
b0019c78
TF		 2912 return ERROR;
2913 }
2914
2915/* Make a single-item host list. */
2916h = store_get(sizeof(host_item));
2917memset(h, 0, sizeof(host_item));
2918h->name = hostname;
2919h->port = portnum;
2920h->mx = MX_NONE;
2921
2922if (string_is_ip_address(hostname, NULL))
2923 h->address = hostname, r = HOST_FOUND;
2924else
2925 r = host_find_byname(h, NULL, 0, NULL, FALSE);
2926if (r == HOST_FIND_FAILED || r == HOST_FIND_AGAIN)
2927 {
217b0e56 2928 *log_msgptr = US"DNS lookup failed in \"udpsend\" modifier";
b0019c78
TF		 2929 return DEFER;
2930 }
2931
2932HDEBUG(D_acl)
2933 debug_printf("udpsend [%s]:%d %s\n", h->address, portnum, arg);
2934
b1f8e4f8
JH		 2935r = s = ip_connectedsocket(SOCK_DGRAM, h->address, portnum, portnum,
2936 1, NULL, &errstr);
b0019c78 2937if (r < 0) goto defer;
27f9999e 2938len = Ustrlen(arg);
9cb1785a 2939r = send(s, arg, len, 0);
b1f8e4f8
JH		 2940if (r < 0)
2941 {
2942 errstr = US strerror(errno);
2943 close(s);
2944 goto defer;
2945 }
2946close(s);
b0019c78
TF		 2947if (r < len)
2948 {
2949 *log_msgptr =
2950 string_sprintf("\"udpsend\" truncated from %d to %d octets", len, r);
2951 return DEFER;
2952 }
2953
2954HDEBUG(D_acl)
2955 debug_printf("udpsend %d bytes\n", r);
2956
2957return OK;
2958
2959defer:
b1f8e4f8 2960*log_msgptr = string_sprintf("\"udpsend\" failed: %s", errstr);
b0019c78
TF		 2961return DEFER;
2962}
2963
2964
2965
059ec3d9
PH		 2966/*************************************************
2967* Handle conditions/modifiers on an ACL item *
2968*************************************************/
2969
2970/* Called from acl_check() below.
2971
2972Arguments:
2973 verb ACL verb
2974 cb ACL condition block - if NULL, result is OK
2975 where where called from
2976 addr the address being checked for RCPT, or NULL
2977 level the nesting level
2978 epp pointer to pass back TRUE if "endpass" encountered
2979 (applies only to "accept" and "discard")
2980 user_msgptr user message pointer
2981 log_msgptr log message pointer
2982 basic_errno pointer to where to put verify error
2983
2984Returns: OK - all conditions are met
2985 DISCARD - an "acl" condition returned DISCARD - only allowed
2986 for "accept" or "discard" verbs
2987 FAIL - at least one condition fails
2988 FAIL_DROP - an "acl" condition returned FAIL_DROP
2989 DEFER - can't tell at the moment (typically, lookup defer,
2990 but can be temporary callout problem)
2991 ERROR - ERROR from nested ACL or expansion failure or other
2992 error
2993*/
2994
2995static int
2996acl_check_condition(int verb, acl_condition_block *cb, int where,
2997 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2998 uschar **log_msgptr, int *basic_errno)
2999{
3000uschar *user_message = NULL;
3001uschar *log_message = NULL;
ed7f7860
PP		 3002uschar *debug_tag = NULL;
3003uschar *debug_opts = NULL;
059ec3d9 3004int rc = OK;
8523533c 3005#ifdef WITH_CONTENT_SCAN
0f0c8159 3006int sep = -'/';
8523533c 3007#endif
059ec3d9
PH		 3008
3009for (; cb != NULL; cb = cb->next)
3010 {
55414b25 3011 const uschar *arg;
8e669ac1 3012 int control_type;
059ec3d9
PH		 3013
3014 /* The message and log_message items set up messages to be used in
3015 case of rejection. They are expanded later. */
3016
3017 if (cb->type == ACLC_MESSAGE)
3018 {
187bc588 3019 HDEBUG(D_acl) debug_printf(" message: %s\n", cb->arg);
059ec3d9
PH		 3020 user_message = cb->arg;
3021 continue;
3022 }
3023
3024 if (cb->type == ACLC_LOG_MESSAGE)
3025 {
187bc588 3026 HDEBUG(D_acl) debug_printf("l_message: %s\n", cb->arg);
059ec3d9
PH		 3027 log_message = cb->arg;
3028 continue;
3029 }
3030
3031 /* The endpass "condition" just sets a flag to show it occurred. This is
3032 checked at compile time to be on an "accept" or "discard" item. */
3033
3034 if (cb->type == ACLC_ENDPASS)
3035 {
3036 *epp = TRUE;
3037 continue;
3038 }
3039
3040 /* For other conditions and modifiers, the argument is expanded now for some
3041 of them, but not for all, because expansion happens down in some lower level
3042 checking functions in some cases. */
3043
3044 if (cond_expand_at_top[cb->type])
3045 {
3046 arg = expand_string(cb->arg);
3047 if (arg == NULL)
3048 {
3049 if (expand_string_forcedfail) continue;
3050 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
3051 cb->arg, expand_string_message);
3052 return search_find_defer? DEFER : ERROR;
3053 }
3054 }
3055 else arg = cb->arg;
3056
3057 /* Show condition, and expanded condition if it's different */
3058
3059 HDEBUG(D_acl)
3060 {
3061 int lhswidth = 0;
3062 debug_printf("check %s%s %n",
3063 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
3064 conditions[cb->type], &lhswidth);
3065
3066 if (cb->type == ACLC_SET)
3067 {
38a0a95f
PH		 3068 debug_printf("acl_%s ", cb->u.varname);
3069 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 3070 }
3071
3072 debug_printf("= %s\n", cb->arg);
3073
3074 if (arg != cb->arg)
3075 debug_printf("%.*s= %s\n", lhswidth,
3076 US" ", CS arg);
3077 }
3078
3079 /* Check that this condition makes sense at this time */
3080
3081 if ((cond_forbids[cb->type] & (1 << where)) != 0)
3082 {
3083 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
3084 cond_modifiers[cb->type]? "use" : "test",
3085 conditions[cb->type], acl_wherenames[where]);
3086 return ERROR;
3087 }
3088
3089 /* Run the appropriate test for each condition, or take the appropriate
3090 action for the remaining modifiers. */
3091
3092 switch(cb->type)
3093 {
71fafd95
PH		 3094 case ACLC_ADD_HEADER:
3095 setup_header(arg);
3096 break;
3097
059ec3d9
PH		 3098 /* A nested ACL that returns "discard" makes sense only for an "accept" or
3099 "discard" verb. */
71fafd95 3100
059ec3d9 3101 case ACLC_ACL:
f60d98e8 3102 rc = acl_check_wargs(where, addr, arg, level+1, user_msgptr, log_msgptr);
7421ecab
JH		 3103 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
3104 {
3105 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
3106 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
3107 verbs[verb]);
3108 return ERROR;
3109 }
059ec3d9
PH		 3110 break;
3111
3112 case ACLC_AUTHENTICATED:
3113 rc = (sender_host_authenticated == NULL)? FAIL :
3114 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
3115 TRUE, NULL);
3116 break;
3117
71fafd95 3118 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 3119 case ACLC_BMI_OPTIN:
3120 {
3121 int old_pool = store_pool;
3122 store_pool = POOL_PERM;
3123 bmi_current_optin = string_copy(arg);
3124 store_pool = old_pool;
3125 }
3126 break;
71fafd95 3127 #endif
8523533c 3128
059ec3d9 3129 case ACLC_CONDITION:
f3766eb5
NM		 3130 /* The true/false parsing here should be kept in sync with that used in
3131 expand.c when dealing with ECOND_BOOL so that we don't have too many
3132 different definitions of what can be a boolean. */
51c7471d
JH		 3133 if (*arg == '-'
3134 ? Ustrspn(arg+1, "0123456789") == Ustrlen(arg+1) /* Negative number */
3135 : Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
059ec3d9
PH		 3136 rc = (Uatoi(arg) == 0)? FAIL : OK;
3137 else
3138 rc = (strcmpic(arg, US"no") == 0 ||
3139 strcmpic(arg, US"false") == 0)? FAIL :
3140 (strcmpic(arg, US"yes") == 0 ||
3141 strcmpic(arg, US"true") == 0)? OK : DEFER;
3142 if (rc == DEFER)
3143 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
3144 break;
3145
c3611384
PH		 3146 case ACLC_CONTINUE: /* Always succeeds */
3147 break;
3148
059ec3d9 3149 case ACLC_CONTROL:
c5fcb476 3150 {
55414b25
JH		 3151 const uschar *p = NULL;
3152 control_type = decode_control(arg, &p, where, log_msgptr);
4840604e 3153
55414b25 3154 /* Check if this control makes sense at this time */
f7572e5a 3155
55414b25
JH		 3156 if ((control_forbids[control_type] & (1 << where)) != 0)
3157 {
3158 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
3159 controls[control_type], acl_wherenames[where]);
3160 return ERROR;
3161 }
8800895a 3162
55414b25
JH		 3163 switch(control_type)
3164 {
3165 case CONTROL_AUTH_UNADVERTISED:
3166 allow_auth_unadvertised = TRUE;
3167 break;
3168
3169 #ifdef EXPERIMENTAL_BRIGHTMAIL
3170 case CONTROL_BMI_RUN:
3171 bmi_run = 1;
3172 break;
3173 #endif
3174
3175 #ifndef DISABLE_DKIM
3176 case CONTROL_DKIM_VERIFY:
3177 dkim_disable_verify = TRUE;
3178 #ifdef EXPERIMENTAL_DMARC
3179 /* Since DKIM was blocked, skip DMARC too */
3180 dmarc_disable_verify = TRUE;
3181 dmarc_enable_forensic = FALSE;
3182 #endif
3183 break;
3184 #endif
3185
3186 #ifdef EXPERIMENTAL_DMARC
3187 case CONTROL_DMARC_VERIFY:
3188 dmarc_disable_verify = TRUE;
3189 break;
3190
3191 case CONTROL_DMARC_FORENSIC:
3192 dmarc_enable_forensic = TRUE;
3193 break;
3194 #endif
3195
3196 case CONTROL_DSCP:
3197 if (*p == '/')
3198 {
3199 int fd, af, level, optname, value;
3200 /* If we are acting on stdin, the setsockopt may fail if stdin is not
3201 a socket; we can accept that, we'll just debug-log failures anyway. */
3202 fd = fileno(smtp_in);
3203 af = ip_get_address_family(fd);
3204 if (af < 0)
3205 {
3206 HDEBUG(D_acl)
3207 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
3208 strerror(errno));
3209 break;
3210 }
3211 if (dscp_lookup(p+1, af, &level, &optname, &value))
3212 {
3213 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3214 {
3215 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
3216 p+1, strerror(errno));
3217 }
3218 else
3219 {
3220 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
3221 }
3222 }
3223 else
3224 {
3225 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3226 return ERROR;
3227 }
3228 }
3229 else
3230 {
3231 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3232 return ERROR;
3233 }
3234 break;
3235
3236 case CONTROL_ERROR:
3237 return ERROR;
3238
3239 case CONTROL_CASEFUL_LOCAL_PART:
3240 deliver_localpart = addr->cc_local_part;
3241 break;
3242
3243 case CONTROL_CASELOWER_LOCAL_PART:
3244 deliver_localpart = addr->lc_local_part;
3245 break;
3246
3247 case CONTROL_ENFORCE_SYNC:
3248 smtp_enforce_sync = TRUE;
3249 break;
3250
3251 case CONTROL_NO_ENFORCE_SYNC:
3252 smtp_enforce_sync = FALSE;
3253 break;
3254
3255 #ifdef WITH_CONTENT_SCAN
3256 case CONTROL_NO_MBOX_UNSPOOL:
3257 no_mbox_unspool = TRUE;
3258 break;
3259 #endif
3260
3261 case CONTROL_NO_MULTILINE:
3262 no_multiline_responses = TRUE;
3263 break;
3264
3265 case CONTROL_NO_PIPELINING:
3266 pipelining_enable = FALSE;
3267 break;
3268
3269 case CONTROL_NO_DELAY_FLUSH:
3270 disable_delay_flush = TRUE;
3271 break;
3272
3273 case CONTROL_NO_CALLOUT_FLUSH:
3274 disable_callout_flush = TRUE;
3275 break;
3276
3277 case CONTROL_FAKEREJECT:
3278 cancel_cutthrough_connection("fakereject");
3279 case CONTROL_FAKEDEFER:
3280 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
3281 if (*p == '/')
3282 {
3283 const uschar *pp = p + 1;
3284 while (*pp != 0) pp++;
3285 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
3286 p = pp;
3287 }
3288 else
3289 {
3290 /* Explicitly reset to default string */
3291 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
3292 }
3293 break;
ed7f7860 3294
55414b25
JH		 3295 case CONTROL_FREEZE:
3296 deliver_freeze = TRUE;
3297 deliver_frozen_at = time(NULL);
3298 freeze_tell = freeze_tell_config; /* Reset to configured value */
3299 if (Ustrncmp(p, "/no_tell", 8) == 0)
3300 {
3301 p += 8;
3302 freeze_tell = NULL;
3303 }
3304 if (*p != 0)
3305 {
3306 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3307 return ERROR;
3308 }
3309 cancel_cutthrough_connection("item frozen");
3310 break;
3311
3312 case CONTROL_QUEUE_ONLY:
3313 queue_only_policy = TRUE;
3314 cancel_cutthrough_connection("queueing forced");
3315 break;
3316
3317 case CONTROL_SUBMISSION:
3318 originator_name = US"";
3319 submission_mode = TRUE;
3320 while (*p == '/')
3321 {
3322 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3323 {
3324 p += 14;
3325 active_local_sender_retain = TRUE;
3326 active_local_from_check = FALSE;
3327 }
3328 else if (Ustrncmp(p, "/domain=", 8) == 0)
3329 {
3330 const uschar *pp = p + 8;
3331 while (*pp != 0 && *pp != '/') pp++;
3332 submission_domain = string_copyn(p+8, pp-p-8);
3333 p = pp;
3334 }
3335 /* The name= option must be last, because it swallows the rest of
3336 the string. */
3337 else if (Ustrncmp(p, "/name=", 6) == 0)
3338 {
3339 const uschar *pp = p + 6;
3340 while (*pp != 0) pp++;
3341 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
3342 big_buffer, big_buffer_size));
3343 p = pp;
3344 }
3345 else break;
3346 }
3347 if (*p != 0)
3348 {
3349 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3350 return ERROR;
3351 }
3352 break;
e4bdf652 3353
55414b25
JH		 3354 case CONTROL_DEBUG:
3355 while (*p == '/')
3356 {
3357 if (Ustrncmp(p, "/tag=", 5) == 0)
3358 {
3359 const uschar *pp = p + 5;
3360 while (*pp != '\0' && *pp != '/') pp++;
3361 debug_tag = string_copyn(p+5, pp-p-5);
3362 p = pp;
3363 }
3364 else if (Ustrncmp(p, "/opts=", 6) == 0)
3365 {
3366 const uschar *pp = p + 6;
3367 while (*pp != '\0' && *pp != '/') pp++;
3368 debug_opts = string_copyn(p+6, pp-p-6);
3369 p = pp;
3370 }
3371 }
3372 debug_logging_activate(debug_tag, debug_opts);
3373 break;
3374
3375 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3376 suppress_local_fixups = TRUE;
3377 break;
3378
3379 case CONTROL_CUTTHROUGH_DELIVERY:
a2b89db1 3380#ifndef DISABLE_PRDR
55414b25 3381 if (prdr_requested)
a2b89db1
PP		 3382#else
3383 if (0)
3384#endif
55414b25
JH		 3385 /* Too hard to think about for now. We might in future cutthrough
3386 the case where both sides handle prdr and this-node prdr acl
3387 is "accept" */
93a6fce2 3388 *log_msgptr = string_sprintf("PRDR on %s reception\n", arg);
5032d1cf
JH		 3389 else
3390 {
55414b25
JH		 3391 if (deliver_freeze)
3392 *log_msgptr = US"frozen";
3393 else if (queue_only_policy)
3394 *log_msgptr = US"queue-only";
3395 else if (fake_response == FAIL)
3396 *log_msgptr = US"fakereject";
3397 else
3398 {
3399 if (rcpt_count == 1) cutthrough.delivery = TRUE;
3400 break;
3401 }
3402 *log_msgptr = string_sprintf("\"control=%s\" on %s item",
3403 arg, *log_msgptr);
5032d1cf 3404 }
55414b25 3405 return ERROR;
3c8b3577 3406
8c5d388a 3407#ifdef SUPPORT_I18N
3c8b3577
JH		 3408 case CONTROL_UTF8_DOWNCONVERT:
3409 if (*p == '/')
3410 {
921dfc11
JH		 3411 if (p[1] == '1')
3412 {
3413 message_utf8_downconvert = 1;
3414 addr->prop.utf8_downcvt = TRUE;
3415 addr->prop.utf8_downcvt_maybe = FALSE;
3416 p += 2;
3417 break;
3418 }
3419 if (p[1] == '0')
3420 {
3421 message_utf8_downconvert = 0;
3422 addr->prop.utf8_downcvt = FALSE;
3423 addr->prop.utf8_downcvt_maybe = FALSE;
3424 p += 2;
3425 break;
3426 }
3c8b3577 3427 if (p[1] == '-' && p[2] == '1')
921dfc11
JH		 3428 {
3429 message_utf8_downconvert = -1;
3430 addr->prop.utf8_downcvt = FALSE;
3431 addr->prop.utf8_downcvt_maybe = TRUE;
3432 p += 3;
3433 break;
3434 }
3c8b3577
JH		 3435 *log_msgptr = US"bad option value for control=utf8_downconvert";
3436 }
3437 else
3438 {
921dfc11
JH		 3439 message_utf8_downconvert = 1;
3440 addr->prop.utf8_downcvt = TRUE;
3441 addr->prop.utf8_downcvt_maybe = FALSE;
3442 break;
3c8b3577
JH		 3443 }
3444 return ERROR;
8c5d388a 3445#endif
3c8b3577 3446
9171d434 3447 }
55414b25 3448 break;
059ec3d9 3449 }
059ec3d9 3450
6a8f9482
TK		 3451 #ifdef EXPERIMENTAL_DCC
3452 case ACLC_DCC:
3453 {
3454 /* Seperate the regular expression and any optional parameters. */
55414b25
JH		 3455 const uschar * list = arg;
3456 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
6a8f9482
TK		 3457 /* Run the dcc backend. */
3458 rc = dcc_process(&ss);
3459 /* Modify return code based upon the existance of options. */
3c8b3577 3460 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
6a8f9482 3461 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3c8b3577 3462 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
6a8f9482
TK		 3463 }
3464 break;
3465 #endif
3466
71fafd95 3467 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3468 case ACLC_DECODE:
3469 rc = mime_decode(&arg);
3470 break;
71fafd95 3471 #endif
8523533c 3472
059ec3d9
PH		 3473 case ACLC_DELAY:
3474 {
3475 int delay = readconf_readtime(arg, 0, FALSE);
3476 if (delay < 0)
3477 {
3478 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3479 "modifier: \"%s\" is not a time value", arg);
3480 return ERROR;
3481 }
3482 else
3483 {
3484 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3485 delay);
3486 if (host_checking)
3487 {
3488 HDEBUG(D_acl)
3489 debug_printf("delay skipped in -bh checking mode\n");
3490 }
010c2d14 3491
ae9d18bc
JH		 3492 /* NOTE 1: Remember that we may be
3493 dealing with stdin/stdout here, in addition to TCP/IP connections.
3494 Also, delays may be specified for non-SMTP input, where smtp_out and
3495 smtp_in will be NULL. Whatever is done must work in all cases.
3496
3497 NOTE 2: The added feature of flushing the output before a delay must
3498 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3499 */
3500
3501 else
3502 {
3503 if (smtp_out != NULL && !disable_delay_flush)
3504 mac_smtp_fflush();
3505
861a7c51 3506#if !defined(NO_POLL_H) && defined (POLLRDHUP)
ae9d18bc
JH		 3507 {
3508 struct pollfd p;
3509 nfds_t n = 0;
3510 if (smtp_out)
3511 {
3512 p.fd = fileno(smtp_out);
3513 p.events = POLLRDHUP;
3514 n = 1;
3515 }
3516 if (poll(&p, n, delay*1000) > 0)
3517 HDEBUG(D_acl) debug_printf("delay cancelled by peer close\n");
3518 }
3519#else
010c2d14
PH		 3520 /* It appears to be impossible to detect that a TCP/IP connection has
3521 gone away without reading from it. This means that we cannot shorten
3522 the delay below if the client goes away, because we cannot discover
3523 that the client has closed its end of the connection. (The connection
3524 is actually in a half-closed state, waiting for the server to close its
3525 end.) It would be nice to be able to detect this state, so that the
3526 Exim process is not held up unnecessarily. However, it seems that we
3527 can't. The poll() function does not do the right thing, and in any case
3528 it is not always available.
047bdd8c 3529 */
010c2d14 3530
86b8287f 3531 while (delay > 0) delay = sleep(delay);
ae9d18bc 3532#endif
8e669ac1 3533 }
059ec3d9
PH		 3534 }
3535 }
3536 break;
3537
71fafd95 3538 #ifdef WITH_OLD_DEMIME
8523533c
TK		 3539 case ACLC_DEMIME:
3540 rc = demime(&arg);
3541 break;
71fafd95 3542 #endif
8523533c 3543
80a47a2c
TK		 3544 #ifndef DISABLE_DKIM
3545 case ACLC_DKIM_SIGNER:
9e5d6b55
TK		 3546 if (dkim_cur_signer != NULL)
3547 rc = match_isinlist(dkim_cur_signer,
80a47a2c 3548 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
80a47a2c 3549 else
80a47a2c 3550 rc = FAIL;
71fafd95
PH		 3551 break;
3552
80a47a2c
TK		 3553 case ACLC_DKIM_STATUS:
3554 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3555 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
71fafd95
PH		 3556 break;
3557 #endif
fb2274d4 3558
4840604e
TL		 3559 #ifdef EXPERIMENTAL_DMARC
3560 case ACLC_DMARC_STATUS:
4a8ce2d8 3561 if (!dmarc_has_been_checked)
4840604e 3562 dmarc_process();
4a8ce2d8 3563 dmarc_has_been_checked = TRUE;
4840604e
TL		 3564 /* used long way of dmarc_exim_expand_query() in case we need more
3565 * view into the process in the future. */
3566 rc = match_isinlist(dmarc_exim_expand_query(DMARC_VERIFY_STATUS),
3567 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3568 break;
3569 #endif
3570
059ec3d9 3571 case ACLC_DNSLISTS:
379ba7d0 3572 rc = verify_check_dnsbl(where, &arg, log_msgptr);
059ec3d9
PH		 3573 break;
3574
3575 case ACLC_DOMAINS:
3576 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
55414b25 3577 addr->domain_cache, MCL_DOMAIN, TRUE, CUSS &deliver_domain_data);
059ec3d9
PH		 3578 break;
3579
3580 /* The value in tls_cipher is the full cipher name, for example,
3581 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3582 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3583 what may in practice come out of the SSL library - which at the time of
3584 writing is poorly documented. */
3585
3586 case ACLC_ENCRYPTED:
817d9f57 3587 if (tls_in.cipher == NULL) rc = FAIL; else
059ec3d9
PH		 3588 {
3589 uschar *endcipher = NULL;
817d9f57
JH		 3590 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3591 if (cipher == NULL) cipher = tls_in.cipher; else
059ec3d9
PH		 3592 {
3593 endcipher = Ustrchr(++cipher, ':');
3594 if (endcipher != NULL) *endcipher = 0;
3595 }
3596 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3597 if (endcipher != NULL) *endcipher = ':';
3598 }
3599 break;
3600
3601 /* Use verify_check_this_host() instead of verify_check_host() so that
3602 we can pass over &host_data to catch any looked up data. Once it has been
3603 set, it retains its value so that it's still there if another ACL verb
3604 comes through here and uses the cache. However, we must put it into
3605 permanent store in case it is also expected to be used in a subsequent
3606 message in the same SMTP connection. */
3607
3608 case ACLC_HOSTS:
3609 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
55414b25
JH		 3610 (sender_host_address == NULL)? US"" : sender_host_address,
3611 CUSS &host_data);
4a452c43
JH		 3612 if (rc == DEFER) *log_msgptr = search_error_message;
3613 if (host_data) host_data = string_copy_malloc(host_data);
059ec3d9
PH		 3614 break;
3615
3616 case ACLC_LOCAL_PARTS:
3617 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3618 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
55414b25 3619 CUSS &deliver_localpart_data);
059ec3d9
PH		 3620 break;
3621
6ea85e9a
PH		 3622 case ACLC_LOG_REJECT_TARGET:
3623 {
3624 int logbits = 0;
3625 int sep = 0;
55414b25 3626 const uschar *s = arg;
6ea85e9a 3627 uschar *ss;
4a452c43 3628 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size)))
6ea85e9a
PH		 3629 {
3630 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3631 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3632 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3633 else
3634 {
3635 logbits |= LOG_MAIN|LOG_REJECT;
3636 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3637 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3638 }
3639 }
3640 log_reject_target = logbits;
3641 }
3642 break;
3643
059ec3d9
PH		 3644 case ACLC_LOGWRITE:
3645 {
3646 int logbits = 0;
55414b25 3647 const uschar *s = arg;
059ec3d9
PH		 3648 if (*s == ':')
3649 {
3650 s++;
3651 while (*s != ':')
3652 {
3653 if (Ustrncmp(s, "main", 4) == 0)
3654 { logbits |= LOG_MAIN; s += 4; }
3655 else if (Ustrncmp(s, "panic", 5) == 0)
3656 { logbits |= LOG_PANIC; s += 5; }
3657 else if (Ustrncmp(s, "reject", 6) == 0)
3658 { logbits |= LOG_REJECT; s += 6; }
3659 else
3660 {
3661 logbits = LOG_MAIN|LOG_PANIC;
3662 s = string_sprintf(":unknown log name in \"%s\" in "
3663 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3664 }
3665 if (*s == ',') s++;
3666 }
3667 s++;
3668 }
3669 while (isspace(*s)) s++;
6ea85e9a
PH		 3670
3671
059ec3d9
PH		 3672 if (logbits == 0) logbits = LOG_MAIN;
3673 log_write(0, logbits, "%s", string_printing(s));
3674 }
3675 break;
8e669ac1 3676
71fafd95 3677 #ifdef WITH_CONTENT_SCAN
0f0c8159 3678 case ACLC_MALWARE: /* Run the malware backend. */
8523533c 3679 {
6ea85e9a 3680 /* Separate the regular expression and any optional parameters. */
55414b25
JH		 3681 const uschar * list = arg;
3682 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
0f0c8159
JH		 3683 uschar *opt;
3684 BOOL defer_ok = FALSE;
3685 int timeout = 0;
3686
55414b25 3687 while ((opt = string_nextinlist(&list, &sep, NULL, 0)))
0f0c8159
JH		 3688 if (strcmpic(opt, US"defer_ok") == 0)
3689 defer_ok = TRUE;
3690 else if ( strncmpic(opt, US"tmo=", 4) == 0
3691 && (timeout = readconf_readtime(opt+4, '\0', FALSE)) < 0
3692 )
3693 {
3694 *log_msgptr = string_sprintf("bad timeout value in '%s'", opt);
3695 return ERROR;
3696 }
3697
3698 rc = malware(ss, timeout);
3699 if (rc == DEFER && defer_ok)
3700 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
8523533c
TK		 3701 }
3702 break;
3703
3704 case ACLC_MIME_REGEX:
71fafd95 3705 rc = mime_regex(&arg);
8523533c 3706 break;
71fafd95 3707 #endif
059ec3d9 3708
870f6ba8 3709 case ACLC_RATELIMIT:
90fc3069 3710 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 3711 break;
3712
059ec3d9 3713 case ACLC_RECIPIENTS:
55414b25
JH		 3714 rc = match_address_list((const uschar *)addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3715 CUSS &recipient_data);
059ec3d9
PH		 3716 break;
3717
71fafd95
PH		 3718 #ifdef WITH_CONTENT_SCAN
3719 case ACLC_REGEX:
3720 rc = regex(&arg);
8523533c 3721 break;
71fafd95 3722 #endif
8523533c 3723
e7568d51
TL		 3724 case ACLC_REMOVE_HEADER:
3725 setup_remove_header(arg);
3726 break;
3727
059ec3d9
PH		 3728 case ACLC_SENDER_DOMAINS:
3729 {
3730 uschar *sdomain;
3731 sdomain = Ustrrchr(sender_address, '@');
3732 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3733 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3734 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3735 }
3736 break;
3737
3738 case ACLC_SENDERS:
55414b25
JH		 3739 rc = match_address_list((const uschar *)sender_address, TRUE, TRUE, &arg,
3740 sender_address_cache, -1, 0, CUSS &sender_data);
059ec3d9
PH		 3741 break;
3742
3743 /* Connection variables must persist forever */
3744
3745 case ACLC_SET:
3746 {
3747 int old_pool = store_pool;
5ef5dd52 3748 if ( cb->u.varname[0] == 'c'
0cbf2b82 3749#ifndef DISABLE_EVENT
5ef5dd52
JB		 3750 || event_name /* An event is being delivered */
3751#endif
3752 )
3753 store_pool = POOL_PERM;
38a0a95f 3754 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 3755 store_pool = old_pool;
3756 }
3757 break;
3758
71fafd95 3759 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3760 case ACLC_SPAM:
3761 {
3762 /* Seperate the regular expression and any optional parameters. */
55414b25
JH		 3763 const uschar * list = arg;
3764 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
8523533c 3765 /* Run the spam backend. */
55414b25 3766 rc = spam(CUSS &ss);
8523533c 3767 /* Modify return code based upon the existance of options. */
55414b25 3768 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
8523533c
TK		 3769 != NULL) {
3770 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3771 {
3772 /* FAIL so that the message is passed to the next ACL */
3773 rc = FAIL;
3774 }
3775 }
3776 }
3777 break;
71fafd95 3778 #endif
8523533c 3779
71fafd95 3780 #ifdef EXPERIMENTAL_SPF
8523533c 3781 case ACLC_SPF:
65a7d8c3
NM		 3782 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3783 break;
3784 case ACLC_SPF_GUESS:
3785 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
8523533c 3786 break;
71fafd95 3787 #endif
8523533c 3788
b0019c78
TF		 3789 case ACLC_UDPSEND:
3790 rc = acl_udpsend(arg, log_msgptr);
3791 break;
3792
059ec3d9
PH		 3793 /* If the verb is WARN, discard any user message from verification, because
3794 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3795 only from explicit "message" modifiers. However, put the user message into
3796 $acl_verify_message so it can be used in subsequent conditions or modifiers
3797 (until something changes it). */
059ec3d9
PH		 3798
3799 case ACLC_VERIFY:
3800 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
3703d818
JH		 3801 if (*user_msgptr)
3802 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3803 if (verb == ACL_WARN) *user_msgptr = NULL;
3804 break;
3805
3806 default:
3807 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3808 "condition %d", cb->type);
3809 break;
3810 }
3811
3812 /* If a condition was negated, invert OK/FAIL. */
3813
3814 if (!cond_modifiers[cb->type] && cb->u.negated)
3815 {
3816 if (rc == OK) rc = FAIL;
3817 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3818 }
3819
3820 if (rc != OK) break; /* Conditions loop */
3821 }
3822
3823
3824/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3825handle the values of these modifiers. If there isn't a log message set, we make
3826it the same as the user message.
059ec3d9
PH		 3827
3828"message" is a user message that will be included in an SMTP response. Unless
3829it is empty, it overrides any previously set user message.
3830
3831"log_message" is a non-user message, and it adds to any existing non-user
3832message that is already set.
3833
4e88a19f
PH		 3834Most verbs have but a single return for which the messages are relevant, but
3835for "discard", it's useful to have the log message both when it succeeds and
3836when it fails. For "accept", the message is used in the OK case if there is no
3837"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3838present. */
059ec3d9 3839
4e88a19f
PH		 3840if (*epp && rc == OK) user_message = NULL;
3841
3842if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3843 {
3844 uschar *expmessage;
4e88a19f
PH		 3845 uschar *old_user_msgptr = *user_msgptr;
3846 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3847
3848 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3849 nested ACLs) are always discarded. This also happens for acceptance verbs
3850 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3851 However, the value of an existing message is available in $acl_verify_message
3852 during expansions. */
3853
4e88a19f
PH		 3854 if (verb == ACL_WARN ||
3855 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3856 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3857
3858 if (user_message != NULL)
3859 {
3860 acl_verify_message = old_user_msgptr;
3861 expmessage = expand_string(user_message);
3862 if (expmessage == NULL)
3863 {
3864 if (!expand_string_forcedfail)
3865 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3866 user_message, expand_string_message);
3867 }
3868 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3869 }
3870
3871 if (log_message != NULL)
3872 {
3873 acl_verify_message = old_log_msgptr;
3874 expmessage = expand_string(log_message);
3875 if (expmessage == NULL)
3876 {
3877 if (!expand_string_forcedfail)
3878 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3879 log_message, expand_string_message);
3880 }
3881 else if (expmessage[0] != 0)
3882 {
3883 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3884 string_sprintf("%s: %s", expmessage, *log_msgptr);
3885 }
3886 }
3887
3888 /* If no log message, default it to the user message */
3889
3890 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3891 }
3892
3893acl_verify_message = NULL;
3894return rc;
3895}
3896
3897
3898
3899
3900
3901/*************************************************
3902* Get line from a literal ACL *
3903*************************************************/
3904
3905/* This function is passed to acl_read() in order to extract individual lines
3906of a literal ACL, which we access via static pointers. We can destroy the
3907contents because this is called only once (the compiled ACL is remembered).
3908
3909This code is intended to treat the data in the same way as lines in the main
3910Exim configuration file. That is:
3911
3912 . Leading spaces are ignored.
3913
3914 . A \ at the end of a line is a continuation - trailing spaces after the \
3915 are permitted (this is because I don't believe in making invisible things
3916 significant). Leading spaces on the continued part of a line are ignored.
3917
3918 . Physical lines starting (significantly) with # are totally ignored, and
3919 may appear within a sequence of backslash-continued lines.
3920
3921 . Blank lines are ignored, but will end a sequence of continuations.
3922
3923Arguments: none
3924Returns: a pointer to the next line
3925*/
3926
3927
3928static uschar *acl_text; /* Current pointer in the text */
3929static uschar *acl_text_end; /* Points one past the terminating '0' */
3930
3931
3932static uschar *
3933acl_getline(void)
3934{
3935uschar *yield;
3936
3937/* This loop handles leading blank lines and comments. */
3938
3939for(;;)
3940 {
3941 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3942 if (*acl_text == 0) return NULL; /* No more data */
3943 yield = acl_text; /* Potential data line */
3944
3945 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3946
3947 /* If we hit the end before a newline, we have the whole logical line. If
3948 it's a comment, there's no more data to be given. Otherwise, yield it. */
3949
3950 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3951
3952 /* After reaching a newline, end this loop if the physical line does not
3953 start with '#'. If it does, it's a comment, and the loop continues. */
3954
3955 if (*yield != '#') break;
3956 }
3957
3958/* This loop handles continuations. We know we have some real data, ending in
3959newline. See if there is a continuation marker at the end (ignoring trailing
3960white space). We know that *yield is not white space, so no need to test for
3961cont > yield in the backwards scanning loop. */
3962
3963for(;;)
3964 {
3965 uschar *cont;
3966 for (cont = acl_text - 1; isspace(*cont); cont--);
3967
3968 /* If no continuation follows, we are done. Mark the end of the line and
3969 return it. */
3970
3971 if (*cont != '\\')
3972 {
3973 *acl_text++ = 0;
3974 return yield;
3975 }
3976
3977 /* We have encountered a continuation. Skip over whitespace at the start of
3978 the next line, and indeed the whole of the next line or lines if they are
3979 comment lines. */
3980
3981 for (;;)
3982 {
3983 while (*(++acl_text) == ' ' || *acl_text == '\t');
3984 if (*acl_text != '#') break;
3985 while (*(++acl_text) != 0 && *acl_text != '\n');
3986 }
3987
3988 /* We have the start of a continuation line. Move all the rest of the data
3989 to join onto the previous line, and then find its end. If the end is not a
3990 newline, we are done. Otherwise loop to look for another continuation. */
3991
3992 memmove(cont, acl_text, acl_text_end - acl_text);
3993 acl_text_end -= acl_text - cont;
3994 acl_text = cont;
3995 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3996 if (*acl_text == 0) return yield;
3997 }
3998
3999/* Control does not reach here */
4000}
4001
4002
4003
4004
4005
4006/*************************************************
4007* Check access using an ACL *
4008*************************************************/
4009
4010/* This function is called from address_check. It may recurse via
4011acl_check_condition() - hence the use of a level to stop looping. The ACL is
4012passed as a string which is expanded. A forced failure implies no access check
4013is required. If the result is a single word, it is taken as the name of an ACL
4014which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
4015text, complete with newlines, and parsed as such. In both cases, the ACL check
4016is then run. This function uses an auxiliary function for acl_read() to call
4017for reading individual lines of a literal ACL. This is acl_getline(), which
4018appears immediately above.
4019
4020Arguments:
4021 where where called from
4022 addr address item when called from RCPT; otherwise NULL
4023 s the input string; NULL is the same as an empty ACL => DENY
4024 level the nesting level
4025 user_msgptr where to put a user error (for SMTP response)
4026 log_msgptr where to put a logging message (not for SMTP response)
4027
4028Returns: OK access is granted
4029 DISCARD access is apparently granted...
4030 FAIL access is denied
4031 FAIL_DROP access is denied; drop the connection
4032 DEFER can't tell at the moment
4033 ERROR disaster
4034*/
4035
4036static int
4037acl_check_internal(int where, address_item *addr, uschar *s, int level,
4038 uschar **user_msgptr, uschar **log_msgptr)
4039{
4040int fd = -1;
4041acl_block *acl = NULL;
4042uschar *acl_name = US"inline ACL";
4043uschar *ss;
4044
4045/* Catch configuration loops */
4046
4047if (level > 20)
4048 {
4049 *log_msgptr = US"ACL nested too deep: possible loop";
4050 return ERROR;
4051 }
4052
4053if (s == NULL)
4054 {
4055 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
4056 return FAIL;
4057 }
4058
4059/* At top level, we expand the incoming string. At lower levels, it has already
4060been expanded as part of condition processing. */
4061
4062if (level == 0)
4063 {
4064 ss = expand_string(s);
4065 if (ss == NULL)
4066 {
4067 if (expand_string_forcedfail) return OK;
4068 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
4069 expand_string_message);
4070 return ERROR;
4071 }
4072 }
4073else ss = s;
4074
4075while (isspace(*ss))ss++;
4076
4077/* If we can't find a named ACL, the default is to parse it as an inline one.
4078(Unless it begins with a slash; non-existent files give rise to an error.) */
4079
4080acl_text = ss;
4081
4082/* Handle the case of a string that does not contain any spaces. Look for a
4083named ACL among those read from the configuration, or a previously read file.
4084It is possible that the pointer to the ACL is NULL if the configuration
4085contains a name with no data. If not found, and the text begins with '/',
4086read an ACL from a file, and save it so it can be re-used. */
4087
4088if (Ustrchr(ss, ' ') == NULL)
4089 {
4090 tree_node *t = tree_search(acl_anchor, ss);
4091 if (t != NULL)
4092 {
4093 acl = (acl_block *)(t->data.ptr);
4094 if (acl == NULL)
4095 {
4096 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
4097 return FAIL;
4098 }
4099 acl_name = string_sprintf("ACL \"%s\"", ss);
4100 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
4101 }
4102
4103 else if (*ss == '/')
4104 {
4105 struct stat statbuf;
4106 fd = Uopen(ss, O_RDONLY, 0);
4107 if (fd < 0)
4108 {
4109 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
4110 strerror(errno));
4111 return ERROR;
4112 }
4113
4114 if (fstat(fd, &statbuf) != 0)
4115 {
4116 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
4117 strerror(errno));
4118 return ERROR;
4119 }
4120
4121 acl_text = store_get(statbuf.st_size + 1);
4122 acl_text_end = acl_text + statbuf.st_size + 1;
4123
4124 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
4125 {
4126 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
4127 ss, strerror(errno));
4128 return ERROR;
4129 }
4130 acl_text[statbuf.st_size] = 0;
f1e894f3 4131 (void)close(fd);
059ec3d9
PH		 4132
4133 acl_name = string_sprintf("ACL \"%s\"", ss);
4134 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
4135 }
4136 }
4137
4138/* Parse an ACL that is still in text form. If it came from a file, remember it
4139in the ACL tree, having read it into the POOL_PERM store pool so that it
4140persists between multiple messages. */
4141
4142if (acl == NULL)
4143 {
4144 int old_pool = store_pool;
4145 if (fd >= 0) store_pool = POOL_PERM;
4146 acl = acl_read(acl_getline, log_msgptr);
4147 store_pool = old_pool;
4148 if (acl == NULL && *log_msgptr != NULL) return ERROR;
4149 if (fd >= 0)
4150 {
4151 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
4152 Ustrcpy(t->name, ss);
4153 t->data.ptr = acl;
4154 (void)tree_insertnode(&acl_anchor, t);
4155 }
4156 }
4157
4158/* Now we have an ACL to use. It's possible it may be NULL. */
4159
4160while (acl != NULL)
4161 {
4162 int cond;
4163 int basic_errno = 0;
4164 BOOL endpass_seen = FALSE;
82c0c8ea
JH		 4165 BOOL acl_quit_check = level == 0
4166 && (where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT);
059ec3d9
PH		 4167
4168 *log_msgptr = *user_msgptr = NULL;
4169 acl_temp_details = FALSE;
4170
059ec3d9
PH		 4171 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
4172
4173 /* Clear out any search error message from a previous check before testing
4174 this condition. */
4175
4176 search_error_message = NULL;
4177 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
4178 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
4179
4180 /* Handle special returns: DEFER causes a return except on a WARN verb;
4181 ERROR always causes a return. */
4182
4183 switch (cond)
4184 {
4185 case DEFER:
6968512f 4186 HDEBUG(D_acl) debug_printf("%s: condition test deferred in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 4187 if (basic_errno != ERRNO_CALLOUTDEFER)
4188 {
4189 if (search_error_message != NULL && *search_error_message != 0)
4190 *log_msgptr = search_error_message;
4191 if (smtp_return_error_details) acl_temp_details = TRUE;
4192 }
4193 else
4194 {
4195 acl_temp_details = TRUE;
4196 }
4197 if (acl->verb != ACL_WARN) return DEFER;
4198 break;
4199
4200 default: /* Paranoia */
4201 case ERROR:
6968512f 4202 HDEBUG(D_acl) debug_printf("%s: condition test error in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 4203 return ERROR;
4204
4205 case OK:
6968512f
JH		 4206 HDEBUG(D_acl) debug_printf("%s: condition test succeeded in %s\n",
4207 verbs[acl->verb], acl_name);
059ec3d9
PH		 4208 break;
4209
4210 case FAIL:
6968512f 4211 HDEBUG(D_acl) debug_printf("%s: condition test failed in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 4212 break;
4213
4214 /* DISCARD and DROP can happen only from a nested ACL condition, and
4215 DISCARD can happen only for an "accept" or "discard" verb. */
4216
4217 case DISCARD:
6968512f
JH		 4218 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\" in %s\n",
4219 verbs[acl->verb], acl_name);
059ec3d9
PH		 4220 break;
4221
4222 case FAIL_DROP:
6968512f
JH		 4223 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\" in %s\n",
4224 verbs[acl->verb], acl_name);
059ec3d9
PH		 4225 break;
4226 }
4227
4228 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
4229 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
4230 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
4231
4232 switch(acl->verb)
4233 {
4234 case ACL_ACCEPT:
a7538db1
JH		 4235 if (cond == OK || cond == DISCARD)
4236 {
4237 HDEBUG(D_acl) debug_printf("end of %s: ACCEPT\n", acl_name);
4238 return cond;
4239 }
059ec3d9
PH		 4240 if (endpass_seen)
4241 {
4242 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
4243 return cond;
4244 }
4245 break;
4246
4247 case ACL_DEFER:
4248 if (cond == OK)
4249 {
a7538db1 4250 HDEBUG(D_acl) debug_printf("end of %s: DEFER\n", acl_name);
82c0c8ea 4251 if (acl_quit_check) goto badquit;
059ec3d9
PH		 4252 acl_temp_details = TRUE;
4253 return DEFER;
4254 }
4255 break;
4256
4257 case ACL_DENY:
a7538db1
JH		 4258 if (cond == OK)
4259 {
4260 HDEBUG(D_acl) debug_printf("end of %s: DENY\n", acl_name);
82c0c8ea 4261 if (acl_quit_check) goto badquit;
a7538db1
JH		 4262 return FAIL;
4263 }
059ec3d9
PH		 4264 break;
4265
4266 case ACL_DISCARD:
a7538db1
JH		 4267 if (cond == OK || cond == DISCARD)
4268 {
4269 HDEBUG(D_acl) debug_printf("end of %s: DISCARD\n", acl_name);
82c0c8ea 4270 if (acl_quit_check) goto badquit;
a7538db1
JH		 4271 return DISCARD;
4272 }
059ec3d9
PH		 4273 if (endpass_seen)
4274 {
4275 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
4276 return cond;
4277 }
4278 break;
4279
4280 case ACL_DROP:
a7538db1
JH		 4281 if (cond == OK)
4282 {
4283 HDEBUG(D_acl) debug_printf("end of %s: DROP\n", acl_name);
82c0c8ea 4284 if (acl_quit_check) goto badquit;
a7538db1
JH		 4285 return FAIL_DROP;
4286 }
059ec3d9
PH		 4287 break;
4288
4289 case ACL_REQUIRE:
a7538db1
JH		 4290 if (cond != OK)
4291 {
4292 HDEBUG(D_acl) debug_printf("end of %s: not OK\n", acl_name);
82c0c8ea 4293 if (acl_quit_check) goto badquit;
a7538db1
JH		 4294 return cond;
4295 }
059ec3d9
PH		 4296 break;
4297
4298 case ACL_WARN:
4299 if (cond == OK)
4300 acl_warn(where, *user_msgptr, *log_msgptr);
6c6d6e48 4301 else if (cond == DEFER && LOGGING(acl_warn_skipped))
9c7a242c
PH		 4302 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
4303 "condition test deferred%s%s", host_and_ident(TRUE),
4304 (*log_msgptr == NULL)? US"" : US": ",
4305 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 4306 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
4307 break;
4308
4309 default:
4310 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
4311 acl->verb);
4312 break;
4313 }
4314
4315 /* Pass to the next ACL item */
4316
4317 acl = acl->next;
4318 }
4319
4320/* We have reached the end of the ACL. This is an implicit DENY. */
4321
4322HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
4323return FAIL;
82c0c8ea
JH		 4324
4325badquit:
4326 *log_msgptr = string_sprintf("QUIT or not-QUIT teplevel ACL may not fail "
4327 "('%s' verb used incorrectly)", verbs[acl->verb]);
4328 return ERROR;
059ec3d9
PH		 4329}
4330
4331
333eea9c
JH		 4332
4333
4334/* Same args as acl_check_internal() above, but the string s is
4335the name of an ACL followed optionally by up to 9 space-separated arguments.
4336The name and args are separately expanded. Args go into $acl_arg globals. */
f60d98e8 4337static int
55414b25 4338acl_check_wargs(int where, address_item *addr, const uschar *s, int level,
333eea9c
JH		 4339 uschar **user_msgptr, uschar **log_msgptr)
4340{
4341uschar * tmp;
bef3ea7f 4342uschar * tmp_arg[9]; /* must match acl_arg[] */
ef21c07d
JH		 4343uschar * sav_arg[9]; /* must match acl_arg[] */
4344int sav_narg;
333eea9c 4345uschar * name;
bef3ea7f 4346int i;
ef21c07d 4347int ret;
333eea9c
JH		 4348
4349if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
4350 goto bad;
4351
bef3ea7f 4352for (i = 0; i < 9; i++)
333eea9c
JH		 4353 {
4354 while (*s && isspace(*s)) s++;
4355 if (!*s) break;
bef3ea7f 4356 if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
333eea9c
JH		 4357 {
4358 tmp = name;
4359 goto bad;
4360 }
4361 }
ef21c07d
JH		 4362
4363sav_narg = acl_narg;
bef3ea7f 4364acl_narg = i;
ef21c07d
JH		 4365for (i = 0; i < acl_narg; i++)
4366 {
4367 sav_arg[i] = acl_arg[i];
4368 acl_arg[i] = tmp_arg[i];
4369 }
4370while (i < 9)
4371 {
4372 sav_arg[i] = acl_arg[i];
4373 acl_arg[i++] = NULL;
4374 }
4375
4376ret = acl_check_internal(where, addr, name, level, user_msgptr, log_msgptr);
333eea9c 4377
ef21c07d
JH		 4378acl_narg = sav_narg;
4379for (i = 0; i < 9; i++) acl_arg[i] = sav_arg[i];
4380return ret;
333eea9c
JH		 4381
4382bad:
4383if (expand_string_forcedfail) return ERROR;
4384*log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
4385 tmp, expand_string_message);
4386return search_find_defer?DEFER:ERROR;
4387}
4388
4389
4390
059ec3d9
PH		 4391/*************************************************
4392* Check access using an ACL *
4393*************************************************/
4394
faa05a93
JH		 4395/* Alternate interface for ACL, used by expansions */
4396int
05caaeaa 4397acl_eval(int where, uschar *s, uschar **user_msgptr, uschar **log_msgptr)
faa05a93 4398{
faa05a93
JH		 4399address_item adb;
4400address_item *addr = NULL;
4401
4402*user_msgptr = *log_msgptr = NULL;
4403sender_verified_failed = NULL;
4404ratelimiters_cmd = NULL;
4405log_reject_target = LOG_MAIN|LOG_REJECT;
4406
4407if (where == ACL_WHERE_RCPT)
4408 {
4409 adb = address_defaults;
4410 addr = &adb;
05caaeaa
JH		 4411 addr->address = expand_string(US"$local_part@$domain");
4412 addr->domain = deliver_domain;
4413 addr->local_part = deliver_localpart;
4414 addr->cc_local_part = deliver_localpart;
4415 addr->lc_local_part = deliver_localpart;
faa05a93
JH		 4416 }
4417
4418return acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
4419}
4420
4421
4422
059ec3d9
PH		 4423/* This is the external interface for ACL checks. It sets up an address and the
4424expansions for $domain and $local_part when called after RCPT, then calls
4425acl_check_internal() to do the actual work.
4426
4427Arguments:
4428 where ACL_WHERE_xxxx indicating where called from
64ffc24f 4429 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 4430 s the input string; NULL is the same as an empty ACL => DENY
4431 user_msgptr where to put a user error (for SMTP response)
4432 log_msgptr where to put a logging message (not for SMTP response)
4433
4434Returns: OK access is granted by an ACCEPT verb
4435 DISCARD access is granted by a DISCARD verb
4436 FAIL access is denied
4437 FAIL_DROP access is denied; drop the connection
4438 DEFER can't tell at the moment
4439 ERROR disaster
4440*/
faa05a93 4441int acl_where = ACL_WHERE_UNKNOWN;
059ec3d9
PH		 4442
4443int
64ffc24f 4444acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 4445 uschar **log_msgptr)
4446{
4447int rc;
4448address_item adb;
64ffc24f 4449address_item *addr = NULL;
059ec3d9
PH		 4450
4451*user_msgptr = *log_msgptr = NULL;
4452sender_verified_failed = NULL;
fe0dab11 4453ratelimiters_cmd = NULL;
6ea85e9a 4454log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9 4455
8ccd00b1 4456#ifndef DISABLE_PRDR
5032d1cf 4457if (where == ACL_WHERE_RCPT || where == ACL_WHERE_PRDR)
fd98a5c6 4458#else
5032d1cf 4459if (where == ACL_WHERE_RCPT)
fd98a5c6 4460#endif
059ec3d9
PH		 4461 {
4462 adb = address_defaults;
4463 addr = &adb;
64ffc24f 4464 addr->address = recipient;
059ec3d9
PH		 4465 if (deliver_split_address(addr) == DEFER)
4466 {
4467 *log_msgptr = US"defer in percent_hack_domains check";
4468 return DEFER;
4469 }
8c5d388a 4470#ifdef SUPPORT_I18N
3c8b3577
JH		 4471 if ((addr->prop.utf8_msg = message_smtputf8))
4472 {
4473 addr->prop.utf8_downcvt = message_utf8_downconvert == 1;
4474 addr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
4475 }
9bfc60eb 4476#endif
059ec3d9
PH		 4477 deliver_domain = addr->domain;
4478 deliver_localpart = addr->local_part;
4479 }
059ec3d9 4480
faa05a93 4481acl_where = where;
059ec3d9 4482rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
faa05a93 4483acl_where = ACL_WHERE_UNKNOWN;
059ec3d9 4484
817d9f57
JH		 4485/* Cutthrough - if requested,
4486and WHERE_RCPT and not yet opened conn as result of recipient-verify,
4487and rcpt acl returned accept,
4488and first recipient (cancel on any subsequents)
e4bdf652 4489open one now and run it up to RCPT acceptance.
e4bdf652 4490A failed verify should cancel cutthrough request.
e4bdf652 4491
817d9f57 4492Initial implementation: dual-write to spool.
e4bdf652
JH		 4493Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
4494
4495Cease cutthrough copy on rxd final dot; do not send one.
4496
4497On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
4498
4499On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
4500perm-rejected, reflect that to the original sender - and dump the spooled copy.
4501If temp-reject, close the conn (and keep the spooled copy).
4502If conn-failure, no action (and keep the spooled copy).
e4bdf652
JH		 4503*/
4504switch (where)
4505{
4506case ACL_WHERE_RCPT:
8ccd00b1 4507#ifndef DISABLE_PRDR
fd98a5c6
JH		 4508case ACL_WHERE_PRDR:
4509#endif
5032d1cf 4510 if (rc == OK && cutthrough.delivery && rcpt_count > cutthrough.nrcpt)
e4bdf652
JH		 4511 open_cutthrough_connection(addr);
4512 break;
4513
4514case ACL_WHERE_PREDATA:
4515 if( rc == OK )
4516 cutthrough_predata();
4517 else
2e5b33cd 4518 cancel_cutthrough_connection("predata acl not ok");
e4bdf652
JH		 4519 break;
4520
4521case ACL_WHERE_QUIT:
4522case ACL_WHERE_NOTQUIT:
2e5b33cd 4523 cancel_cutthrough_connection("quit or notquit");
e4bdf652
JH		 4524 break;
4525
4526default:
4527 break;
4528}
4529
64ffc24f
PH		 4530deliver_domain = deliver_localpart = deliver_address_data =
4531 sender_address_data = NULL;
059ec3d9
PH		 4532
4533/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
4534ACL, which is really in the middle of an SMTP command. */
4535
4536if (rc == DISCARD)
4537 {
4538 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
4539 {
4540 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
4541 "ACL", acl_wherenames[where]);
4542 return ERROR;
4543 }
4544 return DISCARD;
4545 }
4546
4547/* A DROP response is not permitted from MAILAUTH */
4548
4549if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
4550 {
4551 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
4552 "ACL", acl_wherenames[where]);
4553 return ERROR;
4554 }
4555
4e88a19f
PH		 4556/* Before giving a response, take a look at the length of any user message, and
4557split it up into multiple lines if possible. */
059ec3d9 4558
e28326d8
PH		 4559*user_msgptr = string_split_message(*user_msgptr);
4560if (fake_response != OK)
4561 fake_response_text = string_split_message(fake_response_text);
059ec3d9
PH		 4562
4563return rc;
4564}
4565
38a0a95f 4566
38a0a95f
PH		 4567/*************************************************
4568* Create ACL variable *
4569*************************************************/
4570
4571/* Create an ACL variable or reuse an existing one. ACL variables are in a
4572binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
4573
4574Argument:
4575 name pointer to the variable's name, starting with c or m
4576
4577Returns the pointer to variable's tree node
4578*/
4579
4580tree_node *
4581acl_var_create(uschar *name)
4582{
4583tree_node *node, **root;
4584root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
4585node = tree_search(*root, name);
4586if (node == NULL)
4587 {
4588 node = store_get(sizeof(tree_node) + Ustrlen(name));
4589 Ustrcpy(node->name, name);
4590 (void)tree_insertnode(root, node);
4591 }
4592node->data.ptr = NULL;
4593return node;
4594}
4595
4596
4597
4598/*************************************************
4599* Write an ACL variable in spool format *
4600*************************************************/
4601
4602/* This function is used as a callback for tree_walk when writing variables to
4603the spool file. To retain spool file compatibility, what is written is -aclc or
4604-aclm followed by the rest of the name and the data length, space separated,
4605then the value itself, starting on a new line, and terminated by an additional
4606newline. When we had only numbered ACL variables, the first line might look
4607like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
4608acl_cfoo.
4609
4610Arguments:
4611 name of the variable
4612 value of the variable
4613 ctx FILE pointer (as a void pointer)
4614
4615Returns: nothing
4616*/
4617
4618void
4619acl_var_write(uschar *name, uschar *value, void *ctx)
4620{
4621FILE *f = (FILE *)ctx;
4622fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
4623}
4624
9171d434
JH		 4625/* vi: aw ai sw=2
4626*/
059ec3d9 4627/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.