dnslists: permit use with explicit key(s) in nonsmtp ACLs. Bug 1748
[exim.git] / src / src / acl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2015 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Code for handling Access Control Lists (ACLs) */
9
10 #include "exim.h"
11
12
13 /* Default callout timeout */
14
15 #define CALLOUT_TIMEOUT_DEFAULT 30
16
17 /* ACL verb codes - keep in step with the table of verbs that follows */
18
19 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22 /* ACL verbs */
23
24 static uschar *verbs[] = {
25 US"accept",
26 US"defer",
27 US"deny",
28 US"discard",
29 US"drop",
30 US"require",
31 US"warn" };
32
33 /* For each verb, the conditions for which "message" or "log_message" are used
34 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
35 "accept", the FAIL case is used only after "endpass", but that is selected in
36 the code. */
37
38 static int msgcond[] = {
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
40 (1<<OK), /* defer */
41 (1<<OK), /* deny */
42 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
43 (1<<OK), /* drop */
44 (1<<FAIL) | (1<<FAIL_DROP), /* require */
45 (1<<OK) /* warn */
46 };
47
48 /* ACL condition and modifier codes - keep in step with the table that
49 follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
50 down. */
51
52 enum { ACLC_ACL,
53 ACLC_ADD_HEADER,
54 ACLC_AUTHENTICATED,
55 #ifdef EXPERIMENTAL_BRIGHTMAIL
56 ACLC_BMI_OPTIN,
57 #endif
58 ACLC_CONDITION,
59 ACLC_CONTINUE,
60 ACLC_CONTROL,
61 #ifdef EXPERIMENTAL_DCC
62 ACLC_DCC,
63 #endif
64 #ifdef WITH_CONTENT_SCAN
65 ACLC_DECODE,
66 #endif
67 ACLC_DELAY,
68 #ifdef WITH_OLD_DEMIME
69 ACLC_DEMIME,
70 #endif
71 #ifndef DISABLE_DKIM
72 ACLC_DKIM_SIGNER,
73 ACLC_DKIM_STATUS,
74 #endif
75 #ifdef EXPERIMENTAL_DMARC
76 ACLC_DMARC_STATUS,
77 #endif
78 ACLC_DNSLISTS,
79 ACLC_DOMAINS,
80 ACLC_ENCRYPTED,
81 ACLC_ENDPASS,
82 ACLC_HOSTS,
83 ACLC_LOCAL_PARTS,
84 ACLC_LOG_MESSAGE,
85 ACLC_LOG_REJECT_TARGET,
86 ACLC_LOGWRITE,
87 #ifdef WITH_CONTENT_SCAN
88 ACLC_MALWARE,
89 #endif
90 ACLC_MESSAGE,
91 #ifdef WITH_CONTENT_SCAN
92 ACLC_MIME_REGEX,
93 #endif
94 ACLC_RATELIMIT,
95 ACLC_RECIPIENTS,
96 #ifdef WITH_CONTENT_SCAN
97 ACLC_REGEX,
98 #endif
99 ACLC_REMOVE_HEADER,
100 ACLC_SENDER_DOMAINS,
101 ACLC_SENDERS,
102 ACLC_SET,
103 #ifdef WITH_CONTENT_SCAN
104 ACLC_SPAM,
105 #endif
106 #ifdef EXPERIMENTAL_SPF
107 ACLC_SPF,
108 ACLC_SPF_GUESS,
109 #endif
110 ACLC_UDPSEND,
111 ACLC_VERIFY };
112
113 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
114 "message", "log_message", "log_reject_target", "logwrite", and "set" are
115 modifiers that look like conditions but always return TRUE. They are used for
116 their side effects. */
117
118 static uschar *conditions[] = {
119 US"acl",
120 US"add_header",
121 US"authenticated",
122 #ifdef EXPERIMENTAL_BRIGHTMAIL
123 US"bmi_optin",
124 #endif
125 US"condition",
126 US"continue",
127 US"control",
128 #ifdef EXPERIMENTAL_DCC
129 US"dcc",
130 #endif
131 #ifdef WITH_CONTENT_SCAN
132 US"decode",
133 #endif
134 US"delay",
135 #ifdef WITH_OLD_DEMIME
136 US"demime",
137 #endif
138 #ifndef DISABLE_DKIM
139 US"dkim_signers",
140 US"dkim_status",
141 #endif
142 #ifdef EXPERIMENTAL_DMARC
143 US"dmarc_status",
144 #endif
145 US"dnslists",
146 US"domains",
147 US"encrypted",
148 US"endpass",
149 US"hosts",
150 US"local_parts",
151 US"log_message",
152 US"log_reject_target",
153 US"logwrite",
154 #ifdef WITH_CONTENT_SCAN
155 US"malware",
156 #endif
157 US"message",
158 #ifdef WITH_CONTENT_SCAN
159 US"mime_regex",
160 #endif
161 US"ratelimit",
162 US"recipients",
163 #ifdef WITH_CONTENT_SCAN
164 US"regex",
165 #endif
166 US"remove_header",
167 US"sender_domains", US"senders", US"set",
168 #ifdef WITH_CONTENT_SCAN
169 US"spam",
170 #endif
171 #ifdef EXPERIMENTAL_SPF
172 US"spf",
173 US"spf_guess",
174 #endif
175 US"udpsend",
176 US"verify" };
177
178
179 /* Return values from decode_control(); keep in step with the table of names
180 that follows! */
181
182 enum {
183 CONTROL_AUTH_UNADVERTISED,
184 #ifdef EXPERIMENTAL_BRIGHTMAIL
185 CONTROL_BMI_RUN,
186 #endif
187 CONTROL_DEBUG,
188 #ifndef DISABLE_DKIM
189 CONTROL_DKIM_VERIFY,
190 #endif
191 #ifdef EXPERIMENTAL_DMARC
192 CONTROL_DMARC_VERIFY,
193 CONTROL_DMARC_FORENSIC,
194 #endif
195 CONTROL_DSCP,
196 CONTROL_ERROR,
197 CONTROL_CASEFUL_LOCAL_PART,
198 CONTROL_CASELOWER_LOCAL_PART,
199 CONTROL_CUTTHROUGH_DELIVERY,
200 CONTROL_ENFORCE_SYNC,
201 CONTROL_NO_ENFORCE_SYNC,
202 CONTROL_FREEZE,
203 CONTROL_QUEUE_ONLY,
204 CONTROL_SUBMISSION,
205 CONTROL_SUPPRESS_LOCAL_FIXUPS,
206 #ifdef WITH_CONTENT_SCAN
207 CONTROL_NO_MBOX_UNSPOOL,
208 #endif
209 CONTROL_FAKEDEFER,
210 CONTROL_FAKEREJECT,
211 #ifdef SUPPORT_I18N
212 CONTROL_UTF8_DOWNCONVERT,
213 #endif
214 CONTROL_NO_MULTILINE,
215 CONTROL_NO_PIPELINING,
216 CONTROL_NO_DELAY_FLUSH,
217 CONTROL_NO_CALLOUT_FLUSH
218 };
219
220 /* ACL control names; keep in step with the table above! This list is used for
221 turning ids into names. The actual list of recognized names is in the variable
222 control_def controls_list[] below. The fact that there are two lists is a mess
223 and should be tidied up. */
224
225 static uschar *controls[] = {
226 US"allow_auth_unadvertised",
227 #ifdef EXPERIMENTAL_BRIGHTMAIL
228 US"bmi_run",
229 #endif
230 US"debug",
231 #ifndef DISABLE_DKIM
232 US"dkim_disable_verify",
233 #endif
234 #ifdef EXPERIMENTAL_DMARC
235 US"dmarc_disable_verify",
236 US"dmarc_enable_forensic",
237 #endif
238 US"dscp",
239 US"error",
240 US"caseful_local_part",
241 US"caselower_local_part",
242 US"cutthrough_delivery",
243 US"enforce_sync",
244 US"no_enforce_sync",
245 US"freeze",
246 US"queue_only",
247 US"submission",
248 US"suppress_local_fixups",
249 #ifdef WITH_CONTENT_SCAN
250 US"no_mbox_unspool",
251 #endif
252 US"fakedefer",
253 US"fakereject",
254 #ifdef SUPPORT_I18N
255 US"utf8_downconvert",
256 #endif
257 US"no_multiline_responses",
258 US"no_pipelining",
259 US"no_delay_flush",
260 US"no_callout_flush"
261 };
262
263 /* Flags to indicate for which conditions/modifiers a string expansion is done
264 at the outer level. In the other cases, expansion already occurs in the
265 checking functions. */
266
267 static uschar cond_expand_at_top[] = {
268 FALSE, /* acl */
269 TRUE, /* add_header */
270 FALSE, /* authenticated */
271 #ifdef EXPERIMENTAL_BRIGHTMAIL
272 TRUE, /* bmi_optin */
273 #endif
274 TRUE, /* condition */
275 TRUE, /* continue */
276 TRUE, /* control */
277 #ifdef EXPERIMENTAL_DCC
278 TRUE, /* dcc */
279 #endif
280 #ifdef WITH_CONTENT_SCAN
281 TRUE, /* decode */
282 #endif
283 TRUE, /* delay */
284 #ifdef WITH_OLD_DEMIME
285 TRUE, /* demime */
286 #endif
287 #ifndef DISABLE_DKIM
288 TRUE, /* dkim_signers */
289 TRUE, /* dkim_status */
290 #endif
291 #ifdef EXPERIMENTAL_DMARC
292 TRUE, /* dmarc_status */
293 #endif
294 TRUE, /* dnslists */
295 FALSE, /* domains */
296 FALSE, /* encrypted */
297 TRUE, /* endpass */
298 FALSE, /* hosts */
299 FALSE, /* local_parts */
300 TRUE, /* log_message */
301 TRUE, /* log_reject_target */
302 TRUE, /* logwrite */
303 #ifdef WITH_CONTENT_SCAN
304 TRUE, /* malware */
305 #endif
306 TRUE, /* message */
307 #ifdef WITH_CONTENT_SCAN
308 TRUE, /* mime_regex */
309 #endif
310 TRUE, /* ratelimit */
311 FALSE, /* recipients */
312 #ifdef WITH_CONTENT_SCAN
313 TRUE, /* regex */
314 #endif
315 TRUE, /* remove_header */
316 FALSE, /* sender_domains */
317 FALSE, /* senders */
318 TRUE, /* set */
319 #ifdef WITH_CONTENT_SCAN
320 TRUE, /* spam */
321 #endif
322 #ifdef EXPERIMENTAL_SPF
323 TRUE, /* spf */
324 TRUE, /* spf_guess */
325 #endif
326 TRUE, /* udpsend */
327 TRUE /* verify */
328 };
329
330 /* Flags to identify the modifiers */
331
332 static uschar cond_modifiers[] = {
333 FALSE, /* acl */
334 TRUE, /* add_header */
335 FALSE, /* authenticated */
336 #ifdef EXPERIMENTAL_BRIGHTMAIL
337 TRUE, /* bmi_optin */
338 #endif
339 FALSE, /* condition */
340 TRUE, /* continue */
341 TRUE, /* control */
342 #ifdef EXPERIMENTAL_DCC
343 FALSE, /* dcc */
344 #endif
345 #ifdef WITH_CONTENT_SCAN
346 FALSE, /* decode */
347 #endif
348 TRUE, /* delay */
349 #ifdef WITH_OLD_DEMIME
350 FALSE, /* demime */
351 #endif
352 #ifndef DISABLE_DKIM
353 FALSE, /* dkim_signers */
354 FALSE, /* dkim_status */
355 #endif
356 #ifdef EXPERIMENTAL_DMARC
357 FALSE, /* dmarc_status */
358 #endif
359 FALSE, /* dnslists */
360 FALSE, /* domains */
361 FALSE, /* encrypted */
362 TRUE, /* endpass */
363 FALSE, /* hosts */
364 FALSE, /* local_parts */
365 TRUE, /* log_message */
366 TRUE, /* log_reject_target */
367 TRUE, /* logwrite */
368 #ifdef WITH_CONTENT_SCAN
369 FALSE, /* malware */
370 #endif
371 TRUE, /* message */
372 #ifdef WITH_CONTENT_SCAN
373 FALSE, /* mime_regex */
374 #endif
375 FALSE, /* ratelimit */
376 FALSE, /* recipients */
377 #ifdef WITH_CONTENT_SCAN
378 FALSE, /* regex */
379 #endif
380 TRUE, /* remove_header */
381 FALSE, /* sender_domains */
382 FALSE, /* senders */
383 TRUE, /* set */
384 #ifdef WITH_CONTENT_SCAN
385 FALSE, /* spam */
386 #endif
387 #ifdef EXPERIMENTAL_SPF
388 FALSE, /* spf */
389 FALSE, /* spf_guess */
390 #endif
391 TRUE, /* udpsend */
392 FALSE /* verify */
393 };
394
395 /* Bit map vector of which conditions and modifiers are not allowed at certain
396 times. For each condition and modifier, there's a bitmap of dis-allowed times.
397 For some, it is easier to specify the negation of a small number of allowed
398 times. */
399
400 static unsigned int cond_forbids[] = {
401 0, /* acl */
402
403 (unsigned int)
404 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
405 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
406 #ifndef DISABLE_PRDR
407 (1<<ACL_WHERE_PRDR)|
408 #endif
409 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
410 (1<<ACL_WHERE_DKIM)|
411 (1<<ACL_WHERE_NOTSMTP_START)),
412
413 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
414 (1<<ACL_WHERE_NOTSMTP_START)|
415 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
416
417 #ifdef EXPERIMENTAL_BRIGHTMAIL
418 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
419 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
420 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
421 #ifndef DISABLE_PRDR
422 (1<<ACL_WHERE_PRDR)|
423 #endif
424 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
425 (1<<ACL_WHERE_MAILAUTH)|
426 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
427 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
428 (1<<ACL_WHERE_NOTSMTP_START),
429 #endif
430
431 0, /* condition */
432
433 0, /* continue */
434
435 /* Certain types of control are always allowed, so we let it through
436 always and check in the control processing itself. */
437
438 0, /* control */
439
440 #ifdef EXPERIMENTAL_DCC
441 (unsigned int)
442 ~((1<<ACL_WHERE_DATA)| /* dcc */
443 #ifndef DISABLE_PRDR
444 (1<<ACL_WHERE_PRDR)|
445 #endif
446 (1<<ACL_WHERE_NOTSMTP)),
447 #endif
448
449 #ifdef WITH_CONTENT_SCAN
450 (unsigned int)
451 ~(1<<ACL_WHERE_MIME), /* decode */
452 #endif
453
454 (1<<ACL_WHERE_NOTQUIT), /* delay */
455
456 #ifdef WITH_OLD_DEMIME
457 (unsigned int)
458 ~((1<<ACL_WHERE_DATA)| /* demime */
459 #ifndef DISABLE_PRDR
460 (1<<ACL_WHERE_PRDR)|
461 #endif
462 (1<<ACL_WHERE_NOTSMTP)),
463 #endif
464
465 #ifndef DISABLE_DKIM
466 (unsigned int)
467 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
468
469 (unsigned int)
470 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
471 #endif
472
473 #ifdef EXPERIMENTAL_DMARC
474 (unsigned int)
475 ~(1<<ACL_WHERE_DATA), /* dmarc_status */
476 #endif
477
478 /* Explicit key lookups can be made in non-smtp ACLs so pass
479 always and check in the verify processing itself. */
480
481 0, /* dnslists */
482
483 (unsigned int)
484 ~((1<<ACL_WHERE_RCPT) /* domains */
485 #ifndef DISABLE_PRDR
486 |(1<<ACL_WHERE_PRDR)
487 #endif
488 ),
489
490 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
491 (1<<ACL_WHERE_CONNECT)|
492 (1<<ACL_WHERE_NOTSMTP_START)|
493 (1<<ACL_WHERE_HELO),
494
495 0, /* endpass */
496
497 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
498 (1<<ACL_WHERE_NOTSMTP_START),
499
500 (unsigned int)
501 ~((1<<ACL_WHERE_RCPT) /* local_parts */
502 #ifndef DISABLE_PRDR
503 |(1<<ACL_WHERE_PRDR)
504 #endif
505 ),
506
507 0, /* log_message */
508
509 0, /* log_reject_target */
510
511 0, /* logwrite */
512
513 #ifdef WITH_CONTENT_SCAN
514 (unsigned int)
515 ~((1<<ACL_WHERE_DATA)| /* malware */
516 #ifndef DISABLE_PRDR
517 (1<<ACL_WHERE_PRDR)|
518 #endif
519 (1<<ACL_WHERE_NOTSMTP)),
520 #endif
521
522 0, /* message */
523
524 #ifdef WITH_CONTENT_SCAN
525 (unsigned int)
526 ~(1<<ACL_WHERE_MIME), /* mime_regex */
527 #endif
528
529 0, /* ratelimit */
530
531 (unsigned int)
532 ~(1<<ACL_WHERE_RCPT), /* recipients */
533
534 #ifdef WITH_CONTENT_SCAN
535 (unsigned int)
536 ~((1<<ACL_WHERE_DATA)| /* regex */
537 #ifndef DISABLE_PRDR
538 (1<<ACL_WHERE_PRDR)|
539 #endif
540 (1<<ACL_WHERE_NOTSMTP)|
541 (1<<ACL_WHERE_MIME)),
542 #endif
543
544 (unsigned int)
545 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* remove_header */
546 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
547 #ifndef DISABLE_PRDR
548 (1<<ACL_WHERE_PRDR)|
549 #endif
550 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
551 (1<<ACL_WHERE_NOTSMTP_START)),
552
553 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
554 (1<<ACL_WHERE_HELO)|
555 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
556 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
557 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
558
559 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
560 (1<<ACL_WHERE_HELO)|
561 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
562 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
563 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
564
565 0, /* set */
566
567 #ifdef WITH_CONTENT_SCAN
568 (unsigned int)
569 ~((1<<ACL_WHERE_DATA)| /* spam */
570 #ifndef DISABLE_PRDR
571 (1<<ACL_WHERE_PRDR)|
572 #endif
573 (1<<ACL_WHERE_NOTSMTP)),
574 #endif
575
576 #ifdef EXPERIMENTAL_SPF
577 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
578 (1<<ACL_WHERE_HELO)|
579 (1<<ACL_WHERE_MAILAUTH)|
580 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
581 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
582 (1<<ACL_WHERE_NOTSMTP)|
583 (1<<ACL_WHERE_NOTSMTP_START),
584
585 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
586 (1<<ACL_WHERE_HELO)|
587 (1<<ACL_WHERE_MAILAUTH)|
588 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
589 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
590 (1<<ACL_WHERE_NOTSMTP)|
591 (1<<ACL_WHERE_NOTSMTP_START),
592 #endif
593
594 0, /* udpsend */
595
596 /* Certain types of verify are always allowed, so we let it through
597 always and check in the verify function itself */
598
599 0 /* verify */
600 };
601
602
603 /* Bit map vector of which controls are not allowed at certain times. For
604 each control, there's a bitmap of dis-allowed times. For some, it is easier to
605 specify the negation of a small number of allowed times. */
606
607 static unsigned int control_forbids[] = {
608 (unsigned int)
609 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
610
611 #ifdef EXPERIMENTAL_BRIGHTMAIL
612 0, /* bmi_run */
613 #endif
614
615 0, /* debug */
616
617 #ifndef DISABLE_DKIM
618 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
619 # ifndef DISABLE_PRDR
620 (1<<ACL_WHERE_PRDR)|
621 # endif
622 (1<<ACL_WHERE_NOTSMTP_START),
623 #endif
624
625 #ifdef EXPERIMENTAL_DMARC
626 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dmarc_disable_verify */
627 (1<<ACL_WHERE_NOTSMTP_START),
628 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dmarc_enable_forensic */
629 (1<<ACL_WHERE_NOTSMTP_START),
630 #endif
631
632 (1<<ACL_WHERE_NOTSMTP)|
633 (1<<ACL_WHERE_NOTSMTP_START)|
634 (1<<ACL_WHERE_NOTQUIT), /* dscp */
635
636 0, /* error */
637
638 (unsigned int)
639 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
640
641 (unsigned int)
642 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
643
644 (unsigned int)
645 0, /* cutthrough_delivery */
646
647 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
648 (1<<ACL_WHERE_NOTSMTP_START),
649
650 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
651 (1<<ACL_WHERE_NOTSMTP_START),
652
653 (unsigned int)
654 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
655 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
656 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
657 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
658
659 (unsigned int)
660 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
661 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
662 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
663 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
664
665 (unsigned int)
666 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
667 (1<<ACL_WHERE_PREDATA)),
668
669 (unsigned int)
670 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
671 (1<<ACL_WHERE_PREDATA)|
672 (1<<ACL_WHERE_NOTSMTP_START)),
673
674 #ifdef WITH_CONTENT_SCAN
675 (unsigned int)
676 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
677 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
678 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
679 (1<<ACL_WHERE_MIME)),
680 #endif
681
682 (unsigned int)
683 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
684 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
685 #ifndef DISABLE_PRDR
686 (1<<ACL_WHERE_PRDR)|
687 #endif
688 (1<<ACL_WHERE_MIME)),
689
690 (unsigned int)
691 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
692 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
693 #ifndef DISABLE_PRDR
694 (1<<ACL_WHERE_PRDR)|
695 #endif
696 (1<<ACL_WHERE_MIME)),
697
698 #ifdef SUPPORT_I18N
699 0, /* utf8_downconvert */
700 #endif
701
702 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
703 (1<<ACL_WHERE_NOTSMTP_START),
704
705 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
706 (1<<ACL_WHERE_NOTSMTP_START),
707
708 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
709 (1<<ACL_WHERE_NOTSMTP_START),
710
711 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
712 (1<<ACL_WHERE_NOTSMTP_START)
713 };
714
715 /* Structure listing various control arguments, with their characteristics. */
716
717 typedef struct control_def {
718 uschar *name;
719 int value; /* CONTROL_xxx value */
720 BOOL has_option; /* Has /option(s) following */
721 } control_def;
722
723 static control_def controls_list[] = {
724 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
725 #ifdef EXPERIMENTAL_BRIGHTMAIL
726 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
727 #endif
728 { US"debug", CONTROL_DEBUG, TRUE },
729 #ifndef DISABLE_DKIM
730 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
731 #endif
732 #ifdef EXPERIMENTAL_DMARC
733 { US"dmarc_disable_verify", CONTROL_DMARC_VERIFY, FALSE },
734 { US"dmarc_enable_forensic", CONTROL_DMARC_FORENSIC, FALSE },
735 #endif
736 { US"dscp", CONTROL_DSCP, TRUE },
737 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
738 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
739 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
740 { US"freeze", CONTROL_FREEZE, TRUE },
741 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
742 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
743 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
744 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
745 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
746 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
747 #ifdef WITH_CONTENT_SCAN
748 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
749 #endif
750 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
751 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
752 { US"submission", CONTROL_SUBMISSION, TRUE },
753 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE },
754 { US"cutthrough_delivery", CONTROL_CUTTHROUGH_DELIVERY, FALSE },
755 #ifdef SUPPORT_I18N
756 { US"utf8_downconvert", CONTROL_UTF8_DOWNCONVERT, TRUE }
757 #endif
758 };
759
760 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
761 caches its result in a tree to avoid repeated DNS queries. The result is an
762 integer code which is used as an index into the following tables of
763 explanatory strings and verification return codes. */
764
765 static tree_node *csa_cache = NULL;
766
767 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
768 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
769
770 /* The acl_verify_csa() return code is translated into an acl_verify() return
771 code using the following table. It is OK unless the client is definitely not
772 authorized. This is because CSA is supposed to be optional for sending sites,
773 so recipients should not be too strict about checking it - especially because
774 DNS problems are quite likely to occur. It's possible to use $csa_status in
775 further ACL conditions to distinguish ok, unknown, and defer if required, but
776 the aim is to make the usual configuration simple. */
777
778 static int csa_return_code[] = {
779 OK, OK, OK, OK,
780 FAIL, FAIL, FAIL, FAIL
781 };
782
783 static uschar *csa_status_string[] = {
784 US"unknown", US"ok", US"defer", US"defer",
785 US"fail", US"fail", US"fail", US"fail"
786 };
787
788 static uschar *csa_reason_string[] = {
789 US"unknown",
790 US"ok",
791 US"deferred (SRV lookup failed)",
792 US"deferred (target address lookup failed)",
793 US"failed (explicit authorization required)",
794 US"failed (host name not authorized)",
795 US"failed (no authorized addresses)",
796 US"failed (client address mismatch)"
797 };
798
799 /* Options for the ratelimit condition. Note that there are two variants of
800 the per_rcpt option, depending on the ACL that is used to measure the rate.
801 However any ACL must be able to look up per_rcpt rates in /noupdate mode,
802 so the two variants must have the same internal representation as well as
803 the same configuration string. */
804
805 enum {
806 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
807 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
808 };
809
810 #define RATE_SET(var,new) \
811 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
812
813 static uschar *ratelimit_option_string[] = {
814 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
815 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
816 };
817
818 /* Enable recursion between acl_check_internal() and acl_check_condition() */
819
820 static int acl_check_wargs(int, address_item *, const uschar *, int, uschar **,
821 uschar **);
822
823
824 /*************************************************
825 * Pick out name from list *
826 *************************************************/
827
828 /* Use a binary chop method
829
830 Arguments:
831 name name to find
832 list list of names
833 end size of list
834
835 Returns: offset in list, or -1 if not found
836 */
837
838 static int
839 acl_checkname(uschar *name, uschar **list, int end)
840 {
841 int start = 0;
842
843 while (start < end)
844 {
845 int mid = (start + end)/2;
846 int c = Ustrcmp(name, list[mid]);
847 if (c == 0) return mid;
848 if (c < 0) end = mid; else start = mid + 1;
849 }
850
851 return -1;
852 }
853
854
855 /*************************************************
856 * Read and parse one ACL *
857 *************************************************/
858
859 /* This function is called both from readconf in order to parse the ACLs in the
860 configuration file, and also when an ACL is encountered dynamically (e.g. as
861 the result of an expansion). It is given a function to call in order to
862 retrieve the lines of the ACL. This function handles skipping comments and
863 blank lines (where relevant).
864
865 Arguments:
866 func function to get next line of ACL
867 error where to put an error message
868
869 Returns: pointer to ACL, or NULL
870 NULL can be legal (empty ACL); in this case error will be NULL
871 */
872
873 acl_block *
874 acl_read(uschar *(*func)(void), uschar **error)
875 {
876 acl_block *yield = NULL;
877 acl_block **lastp = &yield;
878 acl_block *this = NULL;
879 acl_condition_block *cond;
880 acl_condition_block **condp = NULL;
881 uschar *s;
882
883 *error = NULL;
884
885 while ((s = (*func)()) != NULL)
886 {
887 int v, c;
888 BOOL negated = FALSE;
889 uschar *saveline = s;
890 uschar name[64];
891
892 /* Conditions (but not verbs) are allowed to be negated by an initial
893 exclamation mark. */
894
895 while (isspace(*s)) s++;
896 if (*s == '!')
897 {
898 negated = TRUE;
899 s++;
900 }
901
902 /* Read the name of a verb or a condition, or the start of a new ACL, which
903 can be started by a name, or by a macro definition. */
904
905 s = readconf_readname(name, sizeof(name), s);
906 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
907
908 /* If a verb is unrecognized, it may be another condition or modifier that
909 continues the previous verb. */
910
911 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
912 if (v < 0)
913 {
914 if (this == NULL)
915 {
916 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
917 saveline);
918 return NULL;
919 }
920 }
921
922 /* New verb */
923
924 else
925 {
926 if (negated)
927 {
928 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
929 return NULL;
930 }
931 this = store_get(sizeof(acl_block));
932 *lastp = this;
933 lastp = &(this->next);
934 this->next = NULL;
935 this->verb = v;
936 this->condition = NULL;
937 condp = &(this->condition);
938 if (*s == 0) continue; /* No condition on this line */
939 if (*s == '!')
940 {
941 negated = TRUE;
942 s++;
943 }
944 s = readconf_readname(name, sizeof(name), s); /* Condition name */
945 }
946
947 /* Handle a condition or modifier. */
948
949 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
950 if (c < 0)
951 {
952 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
953 saveline);
954 return NULL;
955 }
956
957 /* The modifiers may not be negated */
958
959 if (negated && cond_modifiers[c])
960 {
961 *error = string_sprintf("ACL error: negation is not allowed with "
962 "\"%s\"", conditions[c]);
963 return NULL;
964 }
965
966 /* ENDPASS may occur only with ACCEPT or DISCARD. */
967
968 if (c == ACLC_ENDPASS &&
969 this->verb != ACL_ACCEPT &&
970 this->verb != ACL_DISCARD)
971 {
972 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
973 conditions[c], verbs[this->verb]);
974 return NULL;
975 }
976
977 cond = store_get(sizeof(acl_condition_block));
978 cond->next = NULL;
979 cond->type = c;
980 cond->u.negated = negated;
981
982 *condp = cond;
983 condp = &(cond->next);
984
985 /* The "set" modifier is different in that its argument is "name=value"
986 rather than just a value, and we can check the validity of the name, which
987 gives us a variable name to insert into the data block. The original ACL
988 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
989 extended to 20 of each type, but after that people successfully argued for
990 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
991 After that, we allow alphanumerics and underscores, but the first character
992 after c or m must be a digit or an underscore. This retains backwards
993 compatibility. */
994
995 if (c == ACLC_SET)
996 {
997 uschar *endptr;
998
999 if (Ustrncmp(s, "acl_c", 5) != 0 &&
1000 Ustrncmp(s, "acl_m", 5) != 0)
1001 {
1002 *error = string_sprintf("invalid variable name after \"set\" in ACL "
1003 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
1004 return NULL;
1005 }
1006
1007 endptr = s + 5;
1008 if (!isdigit(*endptr) && *endptr != '_')
1009 {
1010 *error = string_sprintf("invalid variable name after \"set\" in ACL "
1011 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
1012 s);
1013 return NULL;
1014 }
1015
1016 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
1017 {
1018 if (!isalnum(*endptr) && *endptr != '_')
1019 {
1020 *error = string_sprintf("invalid character \"%c\" in variable name "
1021 "in ACL modifier \"set %s\"", *endptr, s);
1022 return NULL;
1023 }
1024 endptr++;
1025 }
1026
1027 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
1028 s = endptr;
1029 while (isspace(*s)) s++;
1030 }
1031
1032 /* For "set", we are now positioned for the data. For the others, only
1033 "endpass" has no data */
1034
1035 if (c != ACLC_ENDPASS)
1036 {
1037 if (*s++ != '=')
1038 {
1039 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
1040 cond_modifiers[c]? US"modifier" : US"condition");
1041 return NULL;
1042 }
1043 while (isspace(*s)) s++;
1044 cond->arg = string_copy(s);
1045 }
1046 }
1047
1048 return yield;
1049 }
1050
1051
1052
1053 /*************************************************
1054 * Set up added header line(s) *
1055 *************************************************/
1056
1057 /* This function is called by the add_header modifier, and also from acl_warn()
1058 to implement the now-deprecated way of adding header lines using "message" on a
1059 "warn" verb. The argument is treated as a sequence of header lines which are
1060 added to a chain, provided there isn't an identical one already there.
1061
1062 Argument: string of header lines
1063 Returns: nothing
1064 */
1065
1066 static void
1067 setup_header(const uschar *hstring)
1068 {
1069 const uschar *p, *q;
1070 int hlen = Ustrlen(hstring);
1071
1072 /* Ignore any leading newlines */
1073 while (*hstring == '\n') hstring++, hlen--;
1074
1075 /* An empty string does nothing; ensure exactly one final newline. */
1076 if (hlen <= 0) return;
1077 if (hstring[--hlen] != '\n')
1078 q = string_sprintf("%s\n", hstring);
1079 else if (hstring[hlen-1] == '\n')
1080 {
1081 uschar * s = string_copy(hstring);
1082 while(s[--hlen] == '\n')
1083 s[hlen+1] = '\0';
1084 q = s;
1085 }
1086 else
1087 q = hstring;
1088
1089 /* Loop for multiple header lines, taking care about continuations */
1090
1091 for (p = q; *p != 0; )
1092 {
1093 const uschar *s;
1094 uschar * hdr;
1095 int newtype = htype_add_bot;
1096 header_line **hptr = &acl_added_headers;
1097
1098 /* Find next header line within the string */
1099
1100 for (;;)
1101 {
1102 q = Ustrchr(q, '\n');
1103 if (*(++q) != ' ' && *q != '\t') break;
1104 }
1105
1106 /* If the line starts with a colon, interpret the instruction for where to
1107 add it. This temporarily sets up a new type. */
1108
1109 if (*p == ':')
1110 {
1111 if (strncmpic(p, US":after_received:", 16) == 0)
1112 {
1113 newtype = htype_add_rec;
1114 p += 16;
1115 }
1116 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1117 {
1118 newtype = htype_add_rfc;
1119 p += 14;
1120 }
1121 else if (strncmpic(p, US":at_start:", 10) == 0)
1122 {
1123 newtype = htype_add_top;
1124 p += 10;
1125 }
1126 else if (strncmpic(p, US":at_end:", 8) == 0)
1127 {
1128 newtype = htype_add_bot;
1129 p += 8;
1130 }
1131 while (*p == ' ' || *p == '\t') p++;
1132 }
1133
1134 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1135 to the front of it. */
1136
1137 for (s = p; s < q - 1; s++)
1138 {
1139 if (*s == ':' || !isgraph(*s)) break;
1140 }
1141
1142 hdr = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
1143 hlen = Ustrlen(hdr);
1144
1145 /* See if this line has already been added */
1146
1147 while (*hptr != NULL)
1148 {
1149 if (Ustrncmp((*hptr)->text, hdr, hlen) == 0) break;
1150 hptr = &((*hptr)->next);
1151 }
1152
1153 /* Add if not previously present */
1154
1155 if (*hptr == NULL)
1156 {
1157 header_line *h = store_get(sizeof(header_line));
1158 h->text = hdr;
1159 h->next = NULL;
1160 h->type = newtype;
1161 h->slen = hlen;
1162 *hptr = h;
1163 hptr = &(h->next);
1164 }
1165
1166 /* Advance for next header line within the string */
1167
1168 p = q;
1169 }
1170 }
1171
1172
1173
1174 /*************************************************
1175 * List the added header lines *
1176 *************************************************/
1177 uschar *
1178 fn_hdrs_added(void)
1179 {
1180 uschar * ret = NULL;
1181 header_line * h = acl_added_headers;
1182 uschar * s;
1183 uschar * cp;
1184 int size = 0;
1185 int ptr = 0;
1186
1187 if (!h) return NULL;
1188
1189 do
1190 {
1191 s = h->text;
1192 while ((cp = Ustrchr(s, '\n')) != NULL)
1193 {
1194 if (cp[1] == '\0') break;
1195
1196 /* contains embedded newline; needs doubling */
1197 ret = string_cat(ret, &size, &ptr, s, cp-s+1);
1198 ret = string_cat(ret, &size, &ptr, US"\n", 1);
1199 s = cp+1;
1200 }
1201 /* last bit of header */
1202
1203 ret = string_cat(ret, &size, &ptr, s, cp-s+1); /* newline-sep list */
1204 }
1205 while((h = h->next));
1206
1207 ret[ptr-1] = '\0'; /* overwrite last newline */
1208 return ret;
1209 }
1210
1211
1212 /*************************************************
1213 * Set up removed header line(s) *
1214 *************************************************/
1215
1216 /* This function is called by the remove_header modifier. The argument is
1217 treated as a sequence of header names which are added to a colon separated
1218 list, provided there isn't an identical one already there.
1219
1220 Argument: string of header names
1221 Returns: nothing
1222 */
1223
1224 static void
1225 setup_remove_header(const uschar *hnames)
1226 {
1227 if (*hnames != 0)
1228 acl_removed_headers = acl_removed_headers
1229 ? string_sprintf("%s : %s", acl_removed_headers, hnames)
1230 : string_copy(hnames);
1231 }
1232
1233
1234
1235 /*************************************************
1236 * Handle warnings *
1237 *************************************************/
1238
1239 /* This function is called when a WARN verb's conditions are true. It adds to
1240 the message's headers, and/or writes information to the log. In each case, this
1241 only happens once (per message for headers, per connection for log).
1242
1243 ** NOTE: The header adding action using the "message" setting is historic, and
1244 its use is now deprecated. The new add_header modifier should be used instead.
1245
1246 Arguments:
1247 where ACL_WHERE_xxxx indicating which ACL this is
1248 user_message message for adding to headers
1249 log_message message for logging, if different
1250
1251 Returns: nothing
1252 */
1253
1254 static void
1255 acl_warn(int where, uschar *user_message, uschar *log_message)
1256 {
1257 if (log_message != NULL && log_message != user_message)
1258 {
1259 uschar *text;
1260 string_item *logged;
1261
1262 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1263 string_printing(log_message));
1264
1265 /* If a sender verification has failed, and the log message is "sender verify
1266 failed", add the failure message. */
1267
1268 if (sender_verified_failed != NULL &&
1269 sender_verified_failed->message != NULL &&
1270 strcmpic(log_message, US"sender verify failed") == 0)
1271 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1272
1273 /* Search previously logged warnings. They are kept in malloc
1274 store so they can be freed at the start of a new message. */
1275
1276 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1277 if (Ustrcmp(logged->text, text) == 0) break;
1278
1279 if (logged == NULL)
1280 {
1281 int length = Ustrlen(text) + 1;
1282 log_write(0, LOG_MAIN, "%s", text);
1283 logged = store_malloc(sizeof(string_item) + length);
1284 logged->text = (uschar *)logged + sizeof(string_item);
1285 memcpy(logged->text, text, length);
1286 logged->next = acl_warn_logged;
1287 acl_warn_logged = logged;
1288 }
1289 }
1290
1291 /* If there's no user message, we are done. */
1292
1293 if (user_message == NULL) return;
1294
1295 /* If this isn't a message ACL, we can't do anything with a user message.
1296 Log an error. */
1297
1298 if (where > ACL_WHERE_NOTSMTP)
1299 {
1300 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1301 "found in a non-message (%s) ACL: cannot specify header lines here: "
1302 "message ignored", acl_wherenames[where]);
1303 return;
1304 }
1305
1306 /* The code for setting up header lines is now abstracted into a separate
1307 function so that it can be used for the add_header modifier as well. */
1308
1309 setup_header(user_message);
1310 }
1311
1312
1313
1314 /*************************************************
1315 * Verify and check reverse DNS *
1316 *************************************************/
1317
1318 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1319 address if this has not yet been done. The host_name_lookup() function checks
1320 that one of these names resolves to an address list that contains the client IP
1321 address, so we don't actually have to do the check here.
1322
1323 Arguments:
1324 user_msgptr pointer for user message
1325 log_msgptr pointer for log message
1326
1327 Returns: OK verification condition succeeded
1328 FAIL verification failed
1329 DEFER there was a problem verifying
1330 */
1331
1332 static int
1333 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1334 {
1335 int rc;
1336
1337 user_msgptr = user_msgptr; /* stop compiler warning */
1338
1339 /* Previous success */
1340
1341 if (sender_host_name != NULL) return OK;
1342
1343 /* Previous failure */
1344
1345 if (host_lookup_failed)
1346 {
1347 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1348 return FAIL;
1349 }
1350
1351 /* Need to do a lookup */
1352
1353 HDEBUG(D_acl)
1354 debug_printf("looking up host name to force name/address consistency check\n");
1355
1356 if ((rc = host_name_lookup()) != OK)
1357 {
1358 *log_msgptr = (rc == DEFER)?
1359 US"host lookup deferred for reverse lookup check"
1360 :
1361 string_sprintf("host lookup failed for reverse lookup check%s",
1362 host_lookup_msg);
1363 return rc; /* DEFER or FAIL */
1364 }
1365
1366 host_build_sender_fullhost();
1367 return OK;
1368 }
1369
1370
1371
1372 /*************************************************
1373 * Check client IP address matches CSA target *
1374 *************************************************/
1375
1376 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1377 response for address records belonging to the CSA target hostname. The section
1378 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1379 If one of the addresses matches the client's IP address, then the client is
1380 authorized by CSA. If there are target IP addresses but none of them match
1381 then the client is using an unauthorized IP address. If there are no target IP
1382 addresses then the client cannot be using an authorized IP address. (This is
1383 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1384
1385 Arguments:
1386 dnsa the DNS answer block
1387 dnss a DNS scan block for us to use
1388 reset option specifing what portion to scan, as described above
1389 target the target hostname to use for matching RR names
1390
1391 Returns: CSA_OK successfully authorized
1392 CSA_FAIL_MISMATCH addresses found but none matched
1393 CSA_FAIL_NOADDR no target addresses found
1394 */
1395
1396 static int
1397 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1398 uschar *target)
1399 {
1400 dns_record *rr;
1401 dns_address *da;
1402
1403 BOOL target_found = FALSE;
1404
1405 for (rr = dns_next_rr(dnsa, dnss, reset);
1406 rr != NULL;
1407 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1408 {
1409 /* Check this is an address RR for the target hostname. */
1410
1411 if (rr->type != T_A
1412 #if HAVE_IPV6
1413 && rr->type != T_AAAA
1414 #endif
1415 ) continue;
1416
1417 if (strcmpic(target, rr->name) != 0) continue;
1418
1419 target_found = TRUE;
1420
1421 /* Turn the target address RR into a list of textual IP addresses and scan
1422 the list. There may be more than one if it is an A6 RR. */
1423
1424 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1425 {
1426 /* If the client IP address matches the target IP address, it's good! */
1427
1428 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1429
1430 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1431 }
1432 }
1433
1434 /* If we found some target addresses but none of them matched, the client is
1435 using an unauthorized IP address, otherwise the target has no authorized IP
1436 addresses. */
1437
1438 if (target_found) return CSA_FAIL_MISMATCH;
1439 else return CSA_FAIL_NOADDR;
1440 }
1441
1442
1443
1444 /*************************************************
1445 * Verify Client SMTP Authorization *
1446 *************************************************/
1447
1448 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1449 to find the CSA SRV record corresponding to the domain argument, or
1450 $sender_helo_name if no argument is provided. It then checks that the
1451 client is authorized, and that its IP address corresponds to the SRV
1452 target's address by calling acl_verify_csa_address() above. The address
1453 should have been returned in the DNS response's ADDITIONAL section, but if
1454 not we perform another DNS lookup to get it.
1455
1456 Arguments:
1457 domain pointer to optional parameter following verify = csa
1458
1459 Returns: CSA_UNKNOWN no valid CSA record found
1460 CSA_OK successfully authorized
1461 CSA_FAIL_* client is definitely not authorized
1462 CSA_DEFER_* there was a DNS problem
1463 */
1464
1465 static int
1466 acl_verify_csa(const uschar *domain)
1467 {
1468 tree_node *t;
1469 const uschar *found;
1470 uschar *p;
1471 int priority, weight, port;
1472 dns_answer dnsa;
1473 dns_scan dnss;
1474 dns_record *rr;
1475 int rc, type;
1476 uschar target[256];
1477
1478 /* Work out the domain we are using for the CSA lookup. The default is the
1479 client's HELO domain. If the client has not said HELO, use its IP address
1480 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1481
1482 while (isspace(*domain) && *domain != '\0') ++domain;
1483 if (*domain == '\0') domain = sender_helo_name;
1484 if (domain == NULL) domain = sender_host_address;
1485 if (sender_host_address == NULL) return CSA_UNKNOWN;
1486
1487 /* If we have an address literal, strip off the framing ready for turning it
1488 into a domain. The framing consists of matched square brackets possibly
1489 containing a keyword and a colon before the actual IP address. */
1490
1491 if (domain[0] == '[')
1492 {
1493 const uschar *start = Ustrchr(domain, ':');
1494 if (start == NULL) start = domain;
1495 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1496 }
1497
1498 /* Turn domains that look like bare IP addresses into domains in the reverse
1499 DNS. This code also deals with address literals and $sender_host_address. It's
1500 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1501 address literals, but it's probably the most friendly thing to do. This is an
1502 extension to CSA, so we allow it to be turned off for proper conformance. */
1503
1504 if (string_is_ip_address(domain, NULL) != 0)
1505 {
1506 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1507 dns_build_reverse(domain, target);
1508 domain = target;
1509 }
1510
1511 /* Find out if we've already done the CSA check for this domain. If we have,
1512 return the same result again. Otherwise build a new cached result structure
1513 for this domain. The name is filled in now, and the value is filled in when
1514 we return from this function. */
1515
1516 t = tree_search(csa_cache, domain);
1517 if (t != NULL) return t->data.val;
1518
1519 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1520 Ustrcpy(t->name, domain);
1521 (void)tree_insertnode(&csa_cache, t);
1522
1523 /* Now we are ready to do the actual DNS lookup(s). */
1524
1525 found = domain;
1526 switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1527 {
1528 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1529
1530 default:
1531 return t->data.val = CSA_DEFER_SRV;
1532
1533 /* If we found nothing, the client's authorization is unknown. */
1534
1535 case DNS_NOMATCH:
1536 case DNS_NODATA:
1537 return t->data.val = CSA_UNKNOWN;
1538
1539 /* We got something! Go on to look at the reply in more detail. */
1540
1541 case DNS_SUCCEED:
1542 break;
1543 }
1544
1545 /* Scan the reply for well-formed CSA SRV records. */
1546
1547 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1548 rr != NULL;
1549 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1550 {
1551 if (rr->type != T_SRV) continue;
1552
1553 /* Extract the numerical SRV fields (p is incremented) */
1554
1555 p = rr->data;
1556 GETSHORT(priority, p);
1557 GETSHORT(weight, p);
1558 GETSHORT(port, p);
1559
1560 DEBUG(D_acl)
1561 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1562
1563 /* Check the CSA version number */
1564
1565 if (priority != 1) continue;
1566
1567 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1568 found by dns_special_lookup() is a parent of the one we asked for), we check
1569 the subdomain assertions in the port field. At the moment there's only one
1570 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1571 SRV records of their own. */
1572
1573 if (Ustrcmp(found, domain) != 0)
1574 {
1575 if (port & 1)
1576 return t->data.val = CSA_FAIL_EXPLICIT;
1577 else
1578 return t->data.val = CSA_UNKNOWN;
1579 }
1580
1581 /* This CSA SRV record refers directly to our domain, so we check the value
1582 in the weight field to work out the domain's authorization. 0 and 1 are
1583 unauthorized; 3 means the client is authorized but we can't check the IP
1584 address in order to authenticate it, so we treat it as unknown; values
1585 greater than 3 are undefined. */
1586
1587 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1588
1589 if (weight > 2) continue;
1590
1591 /* Weight == 2, which means the domain is authorized. We must check that the
1592 client's IP address is listed as one of the SRV target addresses. Save the
1593 target hostname then break to scan the additional data for its addresses. */
1594
1595 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1596 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1597
1598 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1599
1600 break;
1601 }
1602
1603 /* If we didn't break the loop then no appropriate records were found. */
1604
1605 if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1606
1607 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1608 A target of "." indicates there are no valid addresses, so the client cannot
1609 be authorized. (This is an odd configuration because weight=2 target=. is
1610 equivalent to weight=1, but we check for it in order to keep load off the
1611 root name servers.) Note that dn_expand() turns "." into "". */
1612
1613 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1614
1615 /* Scan the additional section of the CSA SRV reply for addresses belonging
1616 to the target. If the name server didn't return any additional data (e.g.
1617 because it does not fully support SRV records), we need to do another lookup
1618 to obtain the target addresses; otherwise we have a definitive result. */
1619
1620 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1621 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1622
1623 /* The DNS lookup type corresponds to the IP version used by the client. */
1624
1625 #if HAVE_IPV6
1626 if (Ustrchr(sender_host_address, ':') != NULL)
1627 type = T_AAAA;
1628 else
1629 #endif /* HAVE_IPV6 */
1630 type = T_A;
1631
1632
1633 lookup_dnssec_authenticated = NULL;
1634 switch (dns_lookup(&dnsa, target, type, NULL))
1635 {
1636 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1637
1638 default:
1639 return t->data.val = CSA_DEFER_ADDR;
1640
1641 /* If the query succeeded, scan the addresses and return the result. */
1642
1643 case DNS_SUCCEED:
1644 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1645 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1646 /* else fall through */
1647
1648 /* If the target has no IP addresses, the client cannot have an authorized
1649 IP address. However, if the target site uses A6 records (not AAAA records)
1650 we have to do yet another lookup in order to check them. */
1651
1652 case DNS_NOMATCH:
1653 case DNS_NODATA:
1654 return t->data.val = CSA_FAIL_NOADDR;
1655 }
1656 }
1657
1658
1659
1660 /*************************************************
1661 * Handle verification (address & other) *
1662 *************************************************/
1663
1664 enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1665 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT,
1666 VERIFY_HDR_NAMES_ASCII
1667 };
1668 typedef struct {
1669 uschar * name;
1670 int value;
1671 unsigned where_allowed; /* bitmap */
1672 BOOL no_options; /* Never has /option(s) following */
1673 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1674 } verify_type_t;
1675 static verify_type_t verify_type_list[] = {
1676 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, FALSE, 0 },
1677 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1678 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1679 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1680 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1681 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1682 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1683 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1684 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1685 FALSE, 6 },
1686 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 },
1687 { US"header_names_ascii", VERIFY_HDR_NAMES_ASCII, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 }
1688 };
1689
1690
1691 enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1692 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1693 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1694 CALLOUT_TIME
1695 };
1696 typedef struct {
1697 uschar * name;
1698 int value;
1699 int flag;
1700 BOOL has_option; /* Has =option(s) following */
1701 BOOL timeval; /* Has a time value */
1702 } callout_opt_t;
1703 static callout_opt_t callout_opt_list[] = {
1704 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1705 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1706 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1707 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1708 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1709 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1710 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1711 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1712 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1713 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1714 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1715 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1716 };
1717
1718
1719
1720 /* This function implements the "verify" condition. It is called when
1721 encountered in any ACL, because some tests are almost always permitted. Some
1722 just don't make sense, and always fail (for example, an attempt to test a host
1723 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1724
1725 Arguments:
1726 where where called from
1727 addr the recipient address that the ACL is handling, or NULL
1728 arg the argument of "verify"
1729 user_msgptr pointer for user message
1730 log_msgptr pointer for log message
1731 basic_errno where to put verify errno
1732
1733 Returns: OK verification condition succeeded
1734 FAIL verification failed
1735 DEFER there was a problem verifying
1736 ERROR syntax error
1737 */
1738
1739 static int
1740 acl_verify(int where, address_item *addr, const uschar *arg,
1741 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1742 {
1743 int sep = '/';
1744 int callout = -1;
1745 int callout_overall = -1;
1746 int callout_connect = -1;
1747 int verify_options = 0;
1748 int rc;
1749 BOOL verify_header_sender = FALSE;
1750 BOOL defer_ok = FALSE;
1751 BOOL callout_defer_ok = FALSE;
1752 BOOL no_details = FALSE;
1753 BOOL success_on_redirect = FALSE;
1754 address_item *sender_vaddr = NULL;
1755 uschar *verify_sender_address = NULL;
1756 uschar *pm_mailfrom = NULL;
1757 uschar *se_mailfrom = NULL;
1758
1759 /* Some of the verify items have slash-separated options; some do not. Diagnose
1760 an error if options are given for items that don't expect them.
1761 */
1762
1763 uschar *slash = Ustrchr(arg, '/');
1764 const uschar *list = arg;
1765 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1766 verify_type_t * vp;
1767
1768 if (ss == NULL) goto BAD_VERIFY;
1769
1770 /* Handle name/address consistency verification in a separate function. */
1771
1772 for (vp= verify_type_list;
1773 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1774 vp++
1775 )
1776 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1777 : strcmpic (ss, vp->name) == 0)
1778 break;
1779 if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1780 goto BAD_VERIFY;
1781
1782 if (vp->no_options && slash != NULL)
1783 {
1784 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1785 "(this verify item has no options)", arg);
1786 return ERROR;
1787 }
1788 if (!(vp->where_allowed & (1<<where)))
1789 {
1790 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1791 return ERROR;
1792 }
1793 switch(vp->value)
1794 {
1795 case VERIFY_REV_HOST_LKUP:
1796 if (sender_host_address == NULL) return OK;
1797 if ((rc = acl_verify_reverse(user_msgptr, log_msgptr)) == DEFER)
1798 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1799 if (strcmpic(ss, US"defer_ok") == 0)
1800 return OK;
1801 return rc;
1802
1803 case VERIFY_CERT:
1804 /* TLS certificate verification is done at STARTTLS time; here we just
1805 test whether it was successful or not. (This is for optional verification; for
1806 mandatory verification, the connection doesn't last this long.) */
1807
1808 if (tls_in.certificate_verified) return OK;
1809 *user_msgptr = US"no verified certificate";
1810 return FAIL;
1811
1812 case VERIFY_HELO:
1813 /* We can test the result of optional HELO verification that might have
1814 occurred earlier. If not, we can attempt the verification now. */
1815
1816 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1817 return helo_verified? OK : FAIL;
1818
1819 case VERIFY_CSA:
1820 /* Do Client SMTP Authorization checks in a separate function, and turn the
1821 result code into user-friendly strings. */
1822
1823 rc = acl_verify_csa(list);
1824 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1825 csa_reason_string[rc]);
1826 csa_status = csa_status_string[rc];
1827 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1828 return csa_return_code[rc];
1829
1830 case VERIFY_HDR_SYNTAX:
1831 /* Check that all relevant header lines have the correct syntax. If there is
1832 a syntax error, we return details of the error to the sender if configured to
1833 send out full details. (But a "message" setting on the ACL can override, as
1834 always). */
1835
1836 rc = verify_check_headers(log_msgptr);
1837 if (rc != OK && *log_msgptr)
1838 if (smtp_return_error_details)
1839 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1840 else
1841 acl_verify_message = *log_msgptr;
1842 return rc;
1843
1844 case VERIFY_HDR_NAMES_ASCII:
1845 /* Check that all header names are true 7 bit strings
1846 See RFC 5322, 2.2. and RFC 6532, 3. */
1847
1848 rc = verify_check_header_names_ascii(log_msgptr);
1849 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1850 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1851 return rc;
1852
1853 case VERIFY_NOT_BLIND:
1854 /* Check that no recipient of this message is "blind", that is, every envelope
1855 recipient must be mentioned in either To: or Cc:. */
1856
1857 rc = verify_check_notblind();
1858 if (rc != OK)
1859 {
1860 *log_msgptr = string_sprintf("bcc recipient detected");
1861 if (smtp_return_error_details)
1862 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1863 }
1864 return rc;
1865
1866 /* The remaining verification tests check recipient and sender addresses,
1867 either from the envelope or from the header. There are a number of
1868 slash-separated options that are common to all of them. */
1869
1870 case VERIFY_HDR_SNDR:
1871 verify_header_sender = TRUE;
1872 break;
1873
1874 case VERIFY_SNDR:
1875 /* In the case of a sender, this can optionally be followed by an address to use
1876 in place of the actual sender (rare special-case requirement). */
1877 {
1878 uschar *s = ss + 6;
1879 if (*s == 0)
1880 verify_sender_address = sender_address;
1881 else
1882 {
1883 while (isspace(*s)) s++;
1884 if (*s++ != '=') goto BAD_VERIFY;
1885 while (isspace(*s)) s++;
1886 verify_sender_address = string_copy(s);
1887 }
1888 }
1889 break;
1890
1891 case VERIFY_RCPT:
1892 break;
1893 }
1894
1895
1896
1897 /* Remaining items are optional; they apply to sender and recipient
1898 verification, including "header sender" verification. */
1899
1900 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1901 != NULL)
1902 {
1903 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1904 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1905 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1906
1907 /* These two old options are left for backwards compatibility */
1908
1909 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1910 {
1911 callout_defer_ok = TRUE;
1912 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1913 }
1914
1915 else if (strcmpic(ss, US"check_postmaster") == 0)
1916 {
1917 pm_mailfrom = US"";
1918 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1919 }
1920
1921 /* The callout option has a number of sub-options, comma separated */
1922
1923 else if (strncmpic(ss, US"callout", 7) == 0)
1924 {
1925 callout = CALLOUT_TIMEOUT_DEFAULT;
1926 ss += 7;
1927 if (*ss != 0)
1928 {
1929 while (isspace(*ss)) ss++;
1930 if (*ss++ == '=')
1931 {
1932 const uschar * sublist = ss;
1933 int optsep = ',';
1934 uschar *opt;
1935 uschar buffer[256];
1936 while (isspace(*sublist)) sublist++;
1937
1938 while ((opt = string_nextinlist(&sublist, &optsep, buffer, sizeof(buffer)))
1939 != NULL)
1940 {
1941 callout_opt_t * op;
1942 double period = 1.0F;
1943
1944 for (op= callout_opt_list; op->name; op++)
1945 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
1946 break;
1947
1948 verify_options |= op->flag;
1949 if (op->has_option)
1950 {
1951 opt += Ustrlen(op->name);
1952 while (isspace(*opt)) opt++;
1953 if (*opt++ != '=')
1954 {
1955 *log_msgptr = string_sprintf("'=' expected after "
1956 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
1957 return ERROR;
1958 }
1959 while (isspace(*opt)) opt++;
1960 }
1961 if (op->timeval)
1962 {
1963 period = readconf_readtime(opt, 0, FALSE);
1964 if (period < 0)
1965 {
1966 *log_msgptr = string_sprintf("bad time value in ACL condition "
1967 "\"verify %s\"", arg);
1968 return ERROR;
1969 }
1970 }
1971
1972 switch(op->value)
1973 {
1974 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1975 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1976 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1977 case CALLOUT_MAILFROM:
1978 if (!verify_header_sender)
1979 {
1980 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1981 "callout option only for verify=header_sender (detected in ACL "
1982 "condition \"%s\")", arg);
1983 return ERROR;
1984 }
1985 se_mailfrom = string_copy(opt);
1986 break;
1987 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1988 case CALLOUT_MAXWAIT: callout_overall = period; break;
1989 case CALLOUT_CONNECT: callout_connect = period; break;
1990 case CALLOUT_TIME: callout = period; break;
1991 }
1992 }
1993 }
1994 else
1995 {
1996 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1997 "ACL condition \"%s\"", arg);
1998 return ERROR;
1999 }
2000 }
2001 }
2002
2003 /* Option not recognized */
2004
2005 else
2006 {
2007 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
2008 "condition \"verify %s\"", ss, arg);
2009 return ERROR;
2010 }
2011 }
2012
2013 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
2014 (vopt_callout_recipsender|vopt_callout_recippmaster))
2015 {
2016 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
2017 "for a recipient callout";
2018 return ERROR;
2019 }
2020
2021 /* Handle sender-in-header verification. Default the user message to the log
2022 message if giving out verification details. */
2023
2024 if (verify_header_sender)
2025 {
2026 int verrno;
2027 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
2028 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
2029 &verrno);
2030 if (rc != OK)
2031 {
2032 *basic_errno = verrno;
2033 if (smtp_return_error_details)
2034 {
2035 if (*user_msgptr == NULL && *log_msgptr != NULL)
2036 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
2037 if (rc == DEFER) acl_temp_details = TRUE;
2038 }
2039 }
2040 }
2041
2042 /* Handle a sender address. The default is to verify *the* sender address, but
2043 optionally a different address can be given, for special requirements. If the
2044 address is empty, we are dealing with a bounce message that has no sender, so
2045 we cannot do any checking. If the real sender address gets rewritten during
2046 verification (e.g. DNS widening), set the flag to stop it being rewritten again
2047 during message reception.
2048
2049 A list of verified "sender" addresses is kept to try to avoid doing to much
2050 work repetitively when there are multiple recipients in a message and they all
2051 require sender verification. However, when callouts are involved, it gets too
2052 complicated because different recipients may require different callout options.
2053 Therefore, we always do a full sender verify when any kind of callout is
2054 specified. Caching elsewhere, for instance in the DNS resolver and in the
2055 callout handling, should ensure that this is not terribly inefficient. */
2056
2057 else if (verify_sender_address != NULL)
2058 {
2059 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
2060 != 0)
2061 {
2062 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
2063 "sender verify callout";
2064 return ERROR;
2065 }
2066
2067 sender_vaddr = verify_checked_sender(verify_sender_address);
2068 if (sender_vaddr != NULL && /* Previously checked */
2069 callout <= 0) /* No callout needed this time */
2070 {
2071 /* If the "routed" flag is set, it means that routing worked before, so
2072 this check can give OK (the saved return code value, if set, belongs to a
2073 callout that was done previously). If the "routed" flag is not set, routing
2074 must have failed, so we use the saved return code. */
2075
2076 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
2077 {
2078 rc = sender_vaddr->special_action;
2079 *basic_errno = sender_vaddr->basic_errno;
2080 }
2081 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
2082 }
2083
2084 /* Do a new verification, and cache the result. The cache is used to avoid
2085 verifying the sender multiple times for multiple RCPTs when callouts are not
2086 specified (see comments above).
2087
2088 The cache is also used on failure to give details in response to the first
2089 RCPT that gets bounced for this reason. However, this can be suppressed by
2090 the no_details option, which sets the flag that says "this detail has already
2091 been sent". The cache normally contains just one address, but there may be
2092 more in esoteric circumstances. */
2093
2094 else
2095 {
2096 BOOL routed = TRUE;
2097 uschar *save_address_data = deliver_address_data;
2098
2099 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
2100 #ifdef SUPPORT_I18N
2101 if ((sender_vaddr->prop.utf8_msg = message_smtputf8))
2102 {
2103 sender_vaddr->prop.utf8_downcvt = message_utf8_downconvert == 1;
2104 sender_vaddr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
2105 }
2106 #endif
2107 if (no_details) setflag(sender_vaddr, af_sverify_told);
2108 if (verify_sender_address[0] != 0)
2109 {
2110 /* If this is the real sender address, save the unrewritten version
2111 for use later in receive. Otherwise, set a flag so that rewriting the
2112 sender in verify_address() does not update sender_address. */
2113
2114 if (verify_sender_address == sender_address)
2115 sender_address_unrewritten = sender_address;
2116 else
2117 verify_options |= vopt_fake_sender;
2118
2119 if (success_on_redirect)
2120 verify_options |= vopt_success_on_redirect;
2121
2122 /* The recipient, qualify, and expn options are never set in
2123 verify_options. */
2124
2125 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
2126 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
2127
2128 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
2129
2130 if (rc == OK)
2131 {
2132 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2133 {
2134 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
2135 verify_sender_address, sender_vaddr->address);
2136 }
2137 else
2138 {
2139 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
2140 verify_sender_address);
2141 }
2142 }
2143 else *basic_errno = sender_vaddr->basic_errno;
2144 }
2145 else rc = OK; /* Null sender */
2146
2147 /* Cache the result code */
2148
2149 if (routed) setflag(sender_vaddr, af_verify_routed);
2150 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2151 sender_vaddr->special_action = rc;
2152 sender_vaddr->next = sender_verified_list;
2153 sender_verified_list = sender_vaddr;
2154
2155 /* Restore the recipient address data, which might have been clobbered by
2156 the sender verification. */
2157
2158 deliver_address_data = save_address_data;
2159 }
2160
2161 /* Put the sender address_data value into $sender_address_data */
2162
2163 sender_address_data = sender_vaddr->prop.address_data;
2164 }
2165
2166 /* A recipient address just gets a straightforward verify; again we must handle
2167 the DEFER overrides. */
2168
2169 else
2170 {
2171 address_item addr2;
2172
2173 if (success_on_redirect)
2174 verify_options |= vopt_success_on_redirect;
2175
2176 /* We must use a copy of the address for verification, because it might
2177 get rewritten. */
2178
2179 addr2 = *addr;
2180 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
2181 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
2182 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
2183
2184 *basic_errno = addr2.basic_errno;
2185 *log_msgptr = addr2.message;
2186 *user_msgptr = (addr2.user_message != NULL)?
2187 addr2.user_message : addr2.message;
2188
2189 /* Allow details for temporary error if the address is so flagged. */
2190 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
2191
2192 /* Make $address_data visible */
2193 deliver_address_data = addr2.prop.address_data;
2194 }
2195
2196 /* We have a result from the relevant test. Handle defer overrides first. */
2197
2198 if (rc == DEFER && (defer_ok ||
2199 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
2200 {
2201 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
2202 defer_ok? "defer_ok" : "callout_defer_ok");
2203 rc = OK;
2204 }
2205
2206 /* If we've failed a sender, set up a recipient message, and point
2207 sender_verified_failed to the address item that actually failed. */
2208
2209 if (rc != OK && verify_sender_address != NULL)
2210 {
2211 if (rc != DEFER)
2212 *log_msgptr = *user_msgptr = US"Sender verify failed";
2213 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2214 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2215 else
2216 {
2217 *log_msgptr = US"Could not complete sender verify callout";
2218 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2219 *log_msgptr;
2220 }
2221
2222 sender_verified_failed = sender_vaddr;
2223 }
2224
2225 /* Verifying an address messes up the values of $domain and $local_part,
2226 so reset them before returning if this is a RCPT ACL. */
2227
2228 if (addr != NULL)
2229 {
2230 deliver_domain = addr->domain;
2231 deliver_localpart = addr->local_part;
2232 }
2233 return rc;
2234
2235 /* Syntax errors in the verify argument come here. */
2236
2237 BAD_VERIFY:
2238 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2239 "\"helo\", \"header_syntax\", \"header_sender\", \"header_names_ascii\" "
2240 "or \"reverse_host_lookup\" at start of ACL condition "
2241 "\"verify %s\"", arg);
2242 return ERROR;
2243 }
2244
2245
2246
2247
2248 /*************************************************
2249 * Check argument for control= modifier *
2250 *************************************************/
2251
2252 /* Called from acl_check_condition() below
2253
2254 Arguments:
2255 arg the argument string for control=
2256 pptr set to point to the terminating character
2257 where which ACL we are in
2258 log_msgptr for error messages
2259
2260 Returns: CONTROL_xxx value
2261 */
2262
2263 static int
2264 decode_control(const uschar *arg, const uschar **pptr, int where, uschar **log_msgptr)
2265 {
2266 int len;
2267 control_def *d;
2268
2269 for (d = controls_list;
2270 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2271 d++)
2272 {
2273 len = Ustrlen(d->name);
2274 if (Ustrncmp(d->name, arg, len) == 0) break;
2275 }
2276
2277 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2278 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2279 {
2280 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2281 return CONTROL_ERROR;
2282 }
2283
2284 *pptr = arg + len;
2285 return d->value;
2286 }
2287
2288
2289
2290
2291 /*************************************************
2292 * Return a ratelimit error *
2293 *************************************************/
2294
2295 /* Called from acl_ratelimit() below
2296
2297 Arguments:
2298 log_msgptr for error messages
2299 format format string
2300 ... supplementary arguments
2301 ss ratelimit option name
2302 where ACL_WHERE_xxxx indicating which ACL this is
2303
2304 Returns: ERROR
2305 */
2306
2307 static int
2308 ratelimit_error(uschar **log_msgptr, const char *format, ...)
2309 {
2310 va_list ap;
2311 uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2312 va_start(ap, format);
2313 if (!string_vformat(buffer, sizeof(buffer), format, ap))
2314 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2315 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
2316 va_end(ap);
2317 *log_msgptr = string_sprintf(
2318 "error in arguments to \"ratelimit\" condition: %s", buffer);
2319 return ERROR;
2320 }
2321
2322
2323
2324
2325 /*************************************************
2326 * Handle rate limiting *
2327 *************************************************/
2328
2329 /* Called by acl_check_condition() below to calculate the result
2330 of the ACL ratelimit condition.
2331
2332 Note that the return value might be slightly unexpected: if the
2333 sender's rate is above the limit then the result is OK. This is
2334 similar to the dnslists condition, and is so that you can write
2335 ACL clauses like: defer ratelimit = 15 / 1h
2336
2337 Arguments:
2338 arg the option string for ratelimit=
2339 where ACL_WHERE_xxxx indicating which ACL this is
2340 log_msgptr for error messages
2341
2342 Returns: OK - Sender's rate is above limit
2343 FAIL - Sender's rate is below limit
2344 DEFER - Problem opening ratelimit database
2345 ERROR - Syntax error in options.
2346 */
2347
2348 static int
2349 acl_ratelimit(const uschar *arg, int where, uschar **log_msgptr)
2350 {
2351 double limit, period, count;
2352 uschar *ss;
2353 uschar *key = NULL;
2354 uschar *unique = NULL;
2355 int sep = '/';
2356 BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2357 BOOL noupdate = FALSE, badacl = FALSE;
2358 int mode = RATE_PER_WHAT;
2359 int old_pool, rc;
2360 tree_node **anchor, *t;
2361 open_db dbblock, *dbm;
2362 int dbdb_size;
2363 dbdata_ratelimit *dbd;
2364 dbdata_ratelimit_unique *dbdb;
2365 struct timeval tv;
2366
2367 /* Parse the first two options and record their values in expansion
2368 variables. These variables allow the configuration to have informative
2369 error messages based on rate limits obtained from a table lookup. */
2370
2371 /* First is the maximum number of messages per period / maximum burst
2372 size, which must be greater than or equal to zero. Zero is useful for
2373 rate measurement as opposed to rate limiting. */
2374
2375 sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2376 if (sender_rate_limit == NULL)
2377 {
2378 limit = -1.0;
2379 ss = NULL; /* compiler quietening */
2380 }
2381 else
2382 {
2383 limit = Ustrtod(sender_rate_limit, &ss);
2384 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2385 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2386 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2387 }
2388 if (limit < 0.0 || *ss != '\0')
2389 return ratelimit_error(log_msgptr,
2390 "\"%s\" is not a positive number", sender_rate_limit);
2391
2392 /* Second is the rate measurement period / exponential smoothing time
2393 constant. This must be strictly greater than zero, because zero leads to
2394 run-time division errors. */
2395
2396 sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2397 if (sender_rate_period == NULL) period = -1.0;
2398 else period = readconf_readtime(sender_rate_period, 0, FALSE);
2399 if (period <= 0.0)
2400 return ratelimit_error(log_msgptr,
2401 "\"%s\" is not a time value", sender_rate_period);
2402
2403 /* By default we are counting one of something, but the per_rcpt,
2404 per_byte, and count options can change this. */
2405
2406 count = 1.0;
2407
2408 /* Parse the other options. */
2409
2410 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2411 != NULL)
2412 {
2413 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2414 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2415 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2416 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2417 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2418 else if (strcmpic(ss, US"per_conn") == 0)
2419 {
2420 RATE_SET(mode, PER_CONN);
2421 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2422 badacl = TRUE;
2423 }
2424 else if (strcmpic(ss, US"per_mail") == 0)
2425 {
2426 RATE_SET(mode, PER_MAIL);
2427 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2428 }
2429 else if (strcmpic(ss, US"per_rcpt") == 0)
2430 {
2431 /* If we are running in the RCPT ACL, then we'll count the recipients
2432 one by one, but if we are running when we have accumulated the whole
2433 list then we'll add them all in one batch. */
2434 if (where == ACL_WHERE_RCPT)
2435 RATE_SET(mode, PER_RCPT);
2436 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2437 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2438 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2439 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2440 }
2441 else if (strcmpic(ss, US"per_byte") == 0)
2442 {
2443 /* If we have not yet received the message data and there was no SIZE
2444 declaration on the MAIL comand, then it's safe to just use a value of
2445 zero and let the recorded rate decay as if nothing happened. */
2446 RATE_SET(mode, PER_MAIL);
2447 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2448 else count = message_size < 0 ? 0.0 : (double)message_size;
2449 }
2450 else if (strcmpic(ss, US"per_addr") == 0)
2451 {
2452 RATE_SET(mode, PER_RCPT);
2453 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
2454 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2455 }
2456 else if (strncmpic(ss, US"count=", 6) == 0)
2457 {
2458 uschar *e;
2459 count = Ustrtod(ss+6, &e);
2460 if (count < 0.0 || *e != '\0')
2461 return ratelimit_error(log_msgptr,
2462 "\"%s\" is not a positive number", ss);
2463 }
2464 else if (strncmpic(ss, US"unique=", 7) == 0)
2465 unique = string_copy(ss + 7);
2466 else if (key == NULL)
2467 key = string_copy(ss);
2468 else
2469 key = string_sprintf("%s/%s", key, ss);
2470 }
2471
2472 /* Sanity check. When the badacl flag is set the update mode must either
2473 be readonly (which is the default if it is omitted) or, for backwards
2474 compatibility, a combination of noupdate and strict or leaky. */
2475
2476 if (mode == RATE_PER_CLASH)
2477 return ratelimit_error(log_msgptr, "conflicting per_* options");
2478 if (leaky + strict + readonly > 1)
2479 return ratelimit_error(log_msgptr, "conflicting update modes");
2480 if (badacl && (leaky || strict) && !noupdate)
2481 return ratelimit_error(log_msgptr,
2482 "\"%s\" must not have /leaky or /strict option in %s ACL",
2483 ratelimit_option_string[mode], acl_wherenames[where]);
2484
2485 /* Set the default values of any unset options. In readonly mode we
2486 perform the rate computation without any increment so that its value
2487 decays to eventually allow over-limit senders through. */
2488
2489 if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2490 if (badacl) readonly = TRUE;
2491 if (readonly) count = 0.0;
2492 if (!strict && !readonly) leaky = TRUE;
2493 if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
2494
2495 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2496 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2497 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2498 are added to the key because they alter the meaning of the stored data. */
2499
2500 if (key == NULL)
2501 key = (sender_host_address == NULL)? US"" : sender_host_address;
2502
2503 key = string_sprintf("%s/%s/%s%s",
2504 sender_rate_period,
2505 ratelimit_option_string[mode],
2506 unique == NULL ? "" : "unique/",
2507 key);
2508
2509 HDEBUG(D_acl)
2510 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
2511
2512 /* See if we have already computed the rate by looking in the relevant tree.
2513 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2514 pool so that they survive across resets. In readonly mode we only remember the
2515 result for the rest of this command in case a later command changes it. After
2516 this bit of logic the code is independent of the per_* mode. */
2517
2518 old_pool = store_pool;
2519
2520 if (readonly)
2521 anchor = &ratelimiters_cmd;
2522 else switch(mode) {
2523 case RATE_PER_CONN:
2524 anchor = &ratelimiters_conn;
2525 store_pool = POOL_PERM;
2526 break;
2527 case RATE_PER_BYTE:
2528 case RATE_PER_MAIL:
2529 case RATE_PER_ALLRCPTS:
2530 anchor = &ratelimiters_mail;
2531 break;
2532 case RATE_PER_ADDR:
2533 case RATE_PER_CMD:
2534 case RATE_PER_RCPT:
2535 anchor = &ratelimiters_cmd;
2536 break;
2537 default:
2538 anchor = NULL; /* silence an "unused" complaint */
2539 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2540 "internal ACL error: unknown ratelimit mode %d", mode);
2541 break;
2542 }
2543
2544 t = tree_search(*anchor, key);
2545 if (t != NULL)
2546 {
2547 dbd = t->data.ptr;
2548 /* The following few lines duplicate some of the code below. */
2549 rc = (dbd->rate < limit)? FAIL : OK;
2550 store_pool = old_pool;
2551 sender_rate = string_sprintf("%.1f", dbd->rate);
2552 HDEBUG(D_acl)
2553 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2554 return rc;
2555 }
2556
2557 /* We aren't using a pre-computed rate, so get a previously recorded rate
2558 from the database, which will be updated and written back if required. */
2559
2560 dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2561 if (dbm == NULL)
2562 {
2563 store_pool = old_pool;
2564 sender_rate = NULL;
2565 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2566 *log_msgptr = US"ratelimit database not available";
2567 return DEFER;
2568 }
2569 dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2570 dbd = NULL;
2571
2572 gettimeofday(&tv, NULL);
2573
2574 if (dbdb != NULL)
2575 {
2576 /* Locate the basic ratelimit block inside the DB data. */
2577 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2578 dbd = &dbdb->dbd;
2579
2580 /* Forget the old Bloom filter if it is too old, so that we count each
2581 repeating event once per period. We don't simply clear and re-use the old
2582 filter because we want its size to change if the limit changes. Note that
2583 we keep the dbd pointer for copying the rate into the new data block. */
2584
2585 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2586 {
2587 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2588 dbdb = NULL;
2589 }
2590
2591 /* Sanity check. */
2592
2593 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2594 {
2595 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2596 dbdb = NULL;
2597 }
2598 }
2599
2600 /* Allocate a new data block if the database lookup failed
2601 or the Bloom filter passed its age limit. */
2602
2603 if (dbdb == NULL)
2604 {
2605 if (unique == NULL)
2606 {
2607 /* No Bloom filter. This basic ratelimit block is initialized below. */
2608 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2609 dbdb_size = sizeof(*dbd);
2610 dbdb = store_get(dbdb_size);
2611 }
2612 else
2613 {
2614 int extra;
2615 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2616
2617 /* See the long comment below for an explanation of the magic number 2.
2618 The filter has a minimum size in case the rate limit is very small;
2619 this is determined by the definition of dbdata_ratelimit_unique. */
2620
2621 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2622 if (extra < 0) extra = 0;
2623 dbdb_size = sizeof(*dbdb) + extra;
2624 dbdb = store_get(dbdb_size);
2625 dbdb->bloom_epoch = tv.tv_sec;
2626 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2627 memset(dbdb->bloom, 0, dbdb->bloom_size);
2628
2629 /* Preserve any basic ratelimit data (which is our longer-term memory)
2630 by copying it from the discarded block. */
2631
2632 if (dbd != NULL)
2633 {
2634 dbdb->dbd = *dbd;
2635 dbd = &dbdb->dbd;
2636 }
2637 }
2638 }
2639
2640 /* If we are counting unique events, find out if this event is new or not.
2641 If the client repeats the event during the current period then it should be
2642 counted. We skip this code in readonly mode for efficiency, because any
2643 changes to the filter will be discarded and because count is already set to
2644 zero. */
2645
2646 if (unique != NULL && !readonly)
2647 {
2648 /* We identify unique events using a Bloom filter. (You can find my
2649 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2650 With the per_addr option, an "event" is a recipient address, though the
2651 user can use the unique option to define their own events. We only count
2652 an event if we have not seen it before.
2653
2654 We size the filter according to the rate limit, which (in leaky mode)
2655 is the limit on the population of the filter. We allow 16 bits of space
2656 per entry (see the construction code above) and we set (up to) 8 of them
2657 when inserting an element (see the loop below). The probability of a false
2658 positive (an event we have not seen before but which we fail to count) is
2659
2660 size = limit * 16
2661 numhash = 8
2662 allzero = exp(-numhash * pop / size)
2663 = exp(-0.5 * pop / limit)
2664 fpr = pow(1 - allzero, numhash)
2665
2666 For senders at the limit the fpr is 0.06% or 1 in 1700
2667 and for senders at half the limit it is 0.0006% or 1 in 170000
2668
2669 In strict mode the Bloom filter can fill up beyond the normal limit, in
2670 which case the false positive rate will rise. This means that the
2671 measured rate for very fast senders can bogusly drop off after a while.
2672
2673 At twice the limit, the fpr is 2.5% or 1 in 40
2674 At four times the limit, it is 31% or 1 in 3.2
2675
2676 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2677 decay below the limit, and if this is more than one then the Bloom filter
2678 will be discarded before the decay gets that far. The false positive rate
2679 at this threshold is 9.3% or 1 in 10.7. */
2680
2681 BOOL seen;
2682 unsigned n, hash, hinc;
2683 uschar md5sum[16];
2684 md5 md5info;
2685
2686 /* Instead of using eight independent hash values, we combine two values
2687 using the formula h1 + n * h2. This does not harm the Bloom filter's
2688 performance, and means the amount of hash we need is independent of the
2689 number of bits we set in the filter. */
2690
2691 md5_start(&md5info);
2692 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2693 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2694 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2695
2696 /* Scan the bits corresponding to this event. A zero bit means we have
2697 not seen it before. Ensure all bits are set to record this event. */
2698
2699 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2700
2701 seen = TRUE;
2702 for (n = 0; n < 8; n++, hash += hinc)
2703 {
2704 int bit = 1 << (hash % 8);
2705 int byte = (hash / 8) % dbdb->bloom_size;
2706 if ((dbdb->bloom[byte] & bit) == 0)
2707 {
2708 dbdb->bloom[byte] |= bit;
2709 seen = FALSE;
2710 }
2711 }
2712
2713 /* If this event has occurred before, do not count it. */
2714
2715 if (seen)
2716 {
2717 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2718 count = 0.0;
2719 }
2720 else
2721 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2722 }
2723
2724 /* If there was no previous ratelimit data block for this key, initialize
2725 the new one, otherwise update the block from the database. The initial rate
2726 is what would be computed by the code below for an infinite interval. */
2727
2728 if (dbd == NULL)
2729 {
2730 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2731 dbd = &dbdb->dbd;
2732 dbd->time_stamp = tv.tv_sec;
2733 dbd->time_usec = tv.tv_usec;
2734 dbd->rate = count;
2735 }
2736 else
2737 {
2738 /* The smoothed rate is computed using an exponentially weighted moving
2739 average adjusted for variable sampling intervals. The standard EWMA for
2740 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2741 where f() is the measured value and f'() is the smoothed value.
2742
2743 Old data decays out of the smoothed value exponentially, such that data n
2744 samples old is multiplied by a^n. The exponential decay time constant p
2745 is defined such that data p samples old is multiplied by 1/e, which means
2746 that a = exp(-1/p). We can maintain the same time constant for a variable
2747 sampling interval i by using a = exp(-i/p).
2748
2749 The rate we are measuring is messages per period, suitable for directly
2750 comparing with the limit. The average rate between now and the previous
2751 message is period / interval, which we feed into the EWMA as the sample.
2752
2753 It turns out that the number of messages required for the smoothed rate
2754 to reach the limit when they are sent in a burst is equal to the limit.
2755 This can be seen by analysing the value of the smoothed rate after N
2756 messages sent at even intervals. Let k = (1 - a) * p/i
2757
2758 rate_1 = (1 - a) * p/i + a * rate_0
2759 = k + a * rate_0
2760 rate_2 = k + a * rate_1
2761 = k + a * k + a^2 * rate_0
2762 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2763 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2764 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2765 = rate_0 * a^N + p/i * (1 - a^N)
2766
2767 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2768
2769 rate_N = p/i + (rate_0 - p/i) * a^N
2770 a^N = (rate_N - p/i) / (rate_0 - p/i)
2771 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2772 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2773
2774 Numerical analysis of the above equation, setting the computed rate to
2775 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2776 rates, p/i, the number of messages N = limit. So limit serves as both the
2777 maximum rate measured in messages per period, and the maximum number of
2778 messages that can be sent in a fast burst. */
2779
2780 double this_time = (double)tv.tv_sec
2781 + (double)tv.tv_usec / 1000000.0;
2782 double prev_time = (double)dbd->time_stamp
2783 + (double)dbd->time_usec / 1000000.0;
2784
2785 /* We must avoid division by zero, and deal gracefully with the clock going
2786 backwards. If we blunder ahead when time is in reverse then the computed
2787 rate will be bogus. To be safe we clamp interval to a very small number. */
2788
2789 double interval = this_time - prev_time <= 0.0 ? 1e-9
2790 : this_time - prev_time;
2791
2792 double i_over_p = interval / period;
2793 double a = exp(-i_over_p);
2794
2795 /* Combine the instantaneous rate (period / interval) with the previous rate
2796 using the smoothing factor a. In order to measure sized events, multiply the
2797 instantaneous rate by the count of bytes or recipients etc. */
2798
2799 dbd->time_stamp = tv.tv_sec;
2800 dbd->time_usec = tv.tv_usec;
2801 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2802
2803 /* When events are very widely spaced the computed rate tends towards zero.
2804 Although this is accurate it turns out not to be useful for our purposes,
2805 especially when the first event after a long silence is the start of a spam
2806 run. A more useful model is that the rate for an isolated event should be the
2807 size of the event per the period size, ignoring the lack of events outside
2808 the current period and regardless of where the event falls in the period. So,
2809 if the interval was so long that the calculated rate is unhelpfully small, we
2810 re-intialize the rate. In the absence of higher-rate bursts, the condition
2811 below is true if the interval is greater than the period. */
2812
2813 if (dbd->rate < count) dbd->rate = count;
2814 }
2815
2816 /* Clients sending at the limit are considered to be over the limit.
2817 This matters for edge cases such as a limit of zero, when the client
2818 should be completely blocked. */
2819
2820 rc = (dbd->rate < limit)? FAIL : OK;
2821
2822 /* Update the state if the rate is low or if we are being strict. If we
2823 are in leaky mode and the sender's rate is too high, we do not update
2824 the recorded rate in order to avoid an over-aggressive sender's retry
2825 rate preventing them from getting any email through. If readonly is set,
2826 neither leaky nor strict are set, so we do not do any updates. */
2827
2828 if ((rc == FAIL && leaky) || strict)
2829 {
2830 dbfn_write(dbm, key, dbdb, dbdb_size);
2831 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2832 }
2833 else
2834 {
2835 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
2836 readonly? "readonly mode" : "over the limit, but leaky");
2837 }
2838
2839 dbfn_close(dbm);
2840
2841 /* Store the result in the tree for future reference. */
2842
2843 t = store_get(sizeof(tree_node) + Ustrlen(key));
2844 t->data.ptr = dbd;
2845 Ustrcpy(t->name, key);
2846 (void)tree_insertnode(anchor, t);
2847
2848 /* We create the formatted version of the sender's rate very late in
2849 order to ensure that it is done using the correct storage pool. */
2850
2851 store_pool = old_pool;
2852 sender_rate = string_sprintf("%.1f", dbd->rate);
2853
2854 HDEBUG(D_acl)
2855 debug_printf("ratelimit computed rate %s\n", sender_rate);
2856
2857 return rc;
2858 }
2859
2860
2861
2862 /*************************************************
2863 * The udpsend ACL modifier *
2864 *************************************************/
2865
2866 /* Called by acl_check_condition() below.
2867
2868 Arguments:
2869 arg the option string for udpsend=
2870 log_msgptr for error messages
2871
2872 Returns: OK - Completed.
2873 DEFER - Problem with DNS lookup.
2874 ERROR - Syntax error in options.
2875 */
2876
2877 static int
2878 acl_udpsend(const uschar *arg, uschar **log_msgptr)
2879 {
2880 int sep = 0;
2881 uschar *hostname;
2882 uschar *portstr;
2883 uschar *portend;
2884 host_item *h;
2885 int portnum;
2886 int len;
2887 int r, s;
2888 uschar * errstr;
2889
2890 hostname = string_nextinlist(&arg, &sep, NULL, 0);
2891 portstr = string_nextinlist(&arg, &sep, NULL, 0);
2892
2893 if (hostname == NULL)
2894 {
2895 *log_msgptr = US"missing destination host in \"udpsend\" modifier";
2896 return ERROR;
2897 }
2898 if (portstr == NULL)
2899 {
2900 *log_msgptr = US"missing destination port in \"udpsend\" modifier";
2901 return ERROR;
2902 }
2903 if (arg == NULL)
2904 {
2905 *log_msgptr = US"missing datagram payload in \"udpsend\" modifier";
2906 return ERROR;
2907 }
2908 portnum = Ustrtol(portstr, &portend, 10);
2909 if (*portend != '\0')
2910 {
2911 *log_msgptr = US"bad destination port in \"udpsend\" modifier";
2912 return ERROR;
2913 }
2914
2915 /* Make a single-item host list. */
2916 h = store_get(sizeof(host_item));
2917 memset(h, 0, sizeof(host_item));
2918 h->name = hostname;
2919 h->port = portnum;
2920 h->mx = MX_NONE;
2921
2922 if (string_is_ip_address(hostname, NULL))
2923 h->address = hostname, r = HOST_FOUND;
2924 else
2925 r = host_find_byname(h, NULL, 0, NULL, FALSE);
2926 if (r == HOST_FIND_FAILED || r == HOST_FIND_AGAIN)
2927 {
2928 *log_msgptr = US"DNS lookup failed in \"udpsend\" modifier";
2929 return DEFER;
2930 }
2931
2932 HDEBUG(D_acl)
2933 debug_printf("udpsend [%s]:%d %s\n", h->address, portnum, arg);
2934
2935 r = s = ip_connectedsocket(SOCK_DGRAM, h->address, portnum, portnum,
2936 1, NULL, &errstr);
2937 if (r < 0) goto defer;
2938 len = Ustrlen(arg);
2939 r = send(s, arg, len, 0);
2940 if (r < 0)
2941 {
2942 errstr = US strerror(errno);
2943 close(s);
2944 goto defer;
2945 }
2946 close(s);
2947 if (r < len)
2948 {
2949 *log_msgptr =
2950 string_sprintf("\"udpsend\" truncated from %d to %d octets", len, r);
2951 return DEFER;
2952 }
2953
2954 HDEBUG(D_acl)
2955 debug_printf("udpsend %d bytes\n", r);
2956
2957 return OK;
2958
2959 defer:
2960 *log_msgptr = string_sprintf("\"udpsend\" failed: %s", errstr);
2961 return DEFER;
2962 }
2963
2964
2965
2966 /*************************************************
2967 * Handle conditions/modifiers on an ACL item *
2968 *************************************************/
2969
2970 /* Called from acl_check() below.
2971
2972 Arguments:
2973 verb ACL verb
2974 cb ACL condition block - if NULL, result is OK
2975 where where called from
2976 addr the address being checked for RCPT, or NULL
2977 level the nesting level
2978 epp pointer to pass back TRUE if "endpass" encountered
2979 (applies only to "accept" and "discard")
2980 user_msgptr user message pointer
2981 log_msgptr log message pointer
2982 basic_errno pointer to where to put verify error
2983
2984 Returns: OK - all conditions are met
2985 DISCARD - an "acl" condition returned DISCARD - only allowed
2986 for "accept" or "discard" verbs
2987 FAIL - at least one condition fails
2988 FAIL_DROP - an "acl" condition returned FAIL_DROP
2989 DEFER - can't tell at the moment (typically, lookup defer,
2990 but can be temporary callout problem)
2991 ERROR - ERROR from nested ACL or expansion failure or other
2992 error
2993 */
2994
2995 static int
2996 acl_check_condition(int verb, acl_condition_block *cb, int where,
2997 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2998 uschar **log_msgptr, int *basic_errno)
2999 {
3000 uschar *user_message = NULL;
3001 uschar *log_message = NULL;
3002 uschar *debug_tag = NULL;
3003 uschar *debug_opts = NULL;
3004 int rc = OK;
3005 #ifdef WITH_CONTENT_SCAN
3006 int sep = -'/';
3007 #endif
3008
3009 for (; cb != NULL; cb = cb->next)
3010 {
3011 const uschar *arg;
3012 int control_type;
3013
3014 /* The message and log_message items set up messages to be used in
3015 case of rejection. They are expanded later. */
3016
3017 if (cb->type == ACLC_MESSAGE)
3018 {
3019 HDEBUG(D_acl) debug_printf(" message: %s\n", cb->arg);
3020 user_message = cb->arg;
3021 continue;
3022 }
3023
3024 if (cb->type == ACLC_LOG_MESSAGE)
3025 {
3026 HDEBUG(D_acl) debug_printf("l_message: %s\n", cb->arg);
3027 log_message = cb->arg;
3028 continue;
3029 }
3030
3031 /* The endpass "condition" just sets a flag to show it occurred. This is
3032 checked at compile time to be on an "accept" or "discard" item. */
3033
3034 if (cb->type == ACLC_ENDPASS)
3035 {
3036 *epp = TRUE;
3037 continue;
3038 }
3039
3040 /* For other conditions and modifiers, the argument is expanded now for some
3041 of them, but not for all, because expansion happens down in some lower level
3042 checking functions in some cases. */
3043
3044 if (cond_expand_at_top[cb->type])
3045 {
3046 arg = expand_string(cb->arg);
3047 if (arg == NULL)
3048 {
3049 if (expand_string_forcedfail) continue;
3050 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
3051 cb->arg, expand_string_message);
3052 return search_find_defer? DEFER : ERROR;
3053 }
3054 }
3055 else arg = cb->arg;
3056
3057 /* Show condition, and expanded condition if it's different */
3058
3059 HDEBUG(D_acl)
3060 {
3061 int lhswidth = 0;
3062 debug_printf("check %s%s %n",
3063 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
3064 conditions[cb->type], &lhswidth);
3065
3066 if (cb->type == ACLC_SET)
3067 {
3068 debug_printf("acl_%s ", cb->u.varname);
3069 lhswidth += 5 + Ustrlen(cb->u.varname);
3070 }
3071
3072 debug_printf("= %s\n", cb->arg);
3073
3074 if (arg != cb->arg)
3075 debug_printf("%.*s= %s\n", lhswidth,
3076 US" ", CS arg);
3077 }
3078
3079 /* Check that this condition makes sense at this time */
3080
3081 if ((cond_forbids[cb->type] & (1 << where)) != 0)
3082 {
3083 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
3084 cond_modifiers[cb->type]? "use" : "test",
3085 conditions[cb->type], acl_wherenames[where]);
3086 return ERROR;
3087 }
3088
3089 /* Run the appropriate test for each condition, or take the appropriate
3090 action for the remaining modifiers. */
3091
3092 switch(cb->type)
3093 {
3094 case ACLC_ADD_HEADER:
3095 setup_header(arg);
3096 break;
3097
3098 /* A nested ACL that returns "discard" makes sense only for an "accept" or
3099 "discard" verb. */
3100
3101 case ACLC_ACL:
3102 rc = acl_check_wargs(where, addr, arg, level+1, user_msgptr, log_msgptr);
3103 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
3104 {
3105 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
3106 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
3107 verbs[verb]);
3108 return ERROR;
3109 }
3110 break;
3111
3112 case ACLC_AUTHENTICATED:
3113 rc = (sender_host_authenticated == NULL)? FAIL :
3114 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
3115 TRUE, NULL);
3116 break;
3117
3118 #ifdef EXPERIMENTAL_BRIGHTMAIL
3119 case ACLC_BMI_OPTIN:
3120 {
3121 int old_pool = store_pool;
3122 store_pool = POOL_PERM;
3123 bmi_current_optin = string_copy(arg);
3124 store_pool = old_pool;
3125 }
3126 break;
3127 #endif
3128
3129 case ACLC_CONDITION:
3130 /* The true/false parsing here should be kept in sync with that used in
3131 expand.c when dealing with ECOND_BOOL so that we don't have too many
3132 different definitions of what can be a boolean. */
3133 if (*arg == '-'
3134 ? Ustrspn(arg+1, "0123456789") == Ustrlen(arg+1) /* Negative number */
3135 : Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
3136 rc = (Uatoi(arg) == 0)? FAIL : OK;
3137 else
3138 rc = (strcmpic(arg, US"no") == 0 ||
3139 strcmpic(arg, US"false") == 0)? FAIL :
3140 (strcmpic(arg, US"yes") == 0 ||
3141 strcmpic(arg, US"true") == 0)? OK : DEFER;
3142 if (rc == DEFER)
3143 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
3144 break;
3145
3146 case ACLC_CONTINUE: /* Always succeeds */
3147 break;
3148
3149 case ACLC_CONTROL:
3150 {
3151 const uschar *p = NULL;
3152 control_type = decode_control(arg, &p, where, log_msgptr);
3153
3154 /* Check if this control makes sense at this time */
3155
3156 if ((control_forbids[control_type] & (1 << where)) != 0)
3157 {
3158 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
3159 controls[control_type], acl_wherenames[where]);
3160 return ERROR;
3161 }
3162
3163 switch(control_type)
3164 {
3165 case CONTROL_AUTH_UNADVERTISED:
3166 allow_auth_unadvertised = TRUE;
3167 break;
3168
3169 #ifdef EXPERIMENTAL_BRIGHTMAIL
3170 case CONTROL_BMI_RUN:
3171 bmi_run = 1;
3172 break;
3173 #endif
3174
3175 #ifndef DISABLE_DKIM
3176 case CONTROL_DKIM_VERIFY:
3177 dkim_disable_verify = TRUE;
3178 #ifdef EXPERIMENTAL_DMARC
3179 /* Since DKIM was blocked, skip DMARC too */
3180 dmarc_disable_verify = TRUE;
3181 dmarc_enable_forensic = FALSE;
3182 #endif
3183 break;
3184 #endif
3185
3186 #ifdef EXPERIMENTAL_DMARC
3187 case CONTROL_DMARC_VERIFY:
3188 dmarc_disable_verify = TRUE;
3189 break;
3190
3191 case CONTROL_DMARC_FORENSIC:
3192 dmarc_enable_forensic = TRUE;
3193 break;
3194 #endif
3195
3196 case CONTROL_DSCP:
3197 if (*p == '/')
3198 {
3199 int fd, af, level, optname, value;
3200 /* If we are acting on stdin, the setsockopt may fail if stdin is not
3201 a socket; we can accept that, we'll just debug-log failures anyway. */
3202 fd = fileno(smtp_in);
3203 af = ip_get_address_family(fd);
3204 if (af < 0)
3205 {
3206 HDEBUG(D_acl)
3207 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
3208 strerror(errno));
3209 break;
3210 }
3211 if (dscp_lookup(p+1, af, &level, &optname, &value))
3212 {
3213 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3214 {
3215 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
3216 p+1, strerror(errno));
3217 }
3218 else
3219 {
3220 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
3221 }
3222 }
3223 else
3224 {
3225 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3226 return ERROR;
3227 }
3228 }
3229 else
3230 {
3231 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3232 return ERROR;
3233 }
3234 break;
3235
3236 case CONTROL_ERROR:
3237 return ERROR;
3238
3239 case CONTROL_CASEFUL_LOCAL_PART:
3240 deliver_localpart = addr->cc_local_part;
3241 break;
3242
3243 case CONTROL_CASELOWER_LOCAL_PART:
3244 deliver_localpart = addr->lc_local_part;
3245 break;
3246
3247 case CONTROL_ENFORCE_SYNC:
3248 smtp_enforce_sync = TRUE;
3249 break;
3250
3251 case CONTROL_NO_ENFORCE_SYNC:
3252 smtp_enforce_sync = FALSE;
3253 break;
3254
3255 #ifdef WITH_CONTENT_SCAN
3256 case CONTROL_NO_MBOX_UNSPOOL:
3257 no_mbox_unspool = TRUE;
3258 break;
3259 #endif
3260
3261 case CONTROL_NO_MULTILINE:
3262 no_multiline_responses = TRUE;
3263 break;
3264
3265 case CONTROL_NO_PIPELINING:
3266 pipelining_enable = FALSE;
3267 break;
3268
3269 case CONTROL_NO_DELAY_FLUSH:
3270 disable_delay_flush = TRUE;
3271 break;
3272
3273 case CONTROL_NO_CALLOUT_FLUSH:
3274 disable_callout_flush = TRUE;
3275 break;
3276
3277 case CONTROL_FAKEREJECT:
3278 cancel_cutthrough_connection("fakereject");
3279 case CONTROL_FAKEDEFER:
3280 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
3281 if (*p == '/')
3282 {
3283 const uschar *pp = p + 1;
3284 while (*pp != 0) pp++;
3285 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
3286 p = pp;
3287 }
3288 else
3289 {
3290 /* Explicitly reset to default string */
3291 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
3292 }
3293 break;
3294
3295 case CONTROL_FREEZE:
3296 deliver_freeze = TRUE;
3297 deliver_frozen_at = time(NULL);
3298 freeze_tell = freeze_tell_config; /* Reset to configured value */
3299 if (Ustrncmp(p, "/no_tell", 8) == 0)
3300 {
3301 p += 8;
3302 freeze_tell = NULL;
3303 }
3304 if (*p != 0)
3305 {
3306 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3307 return ERROR;
3308 }
3309 cancel_cutthrough_connection("item frozen");
3310 break;
3311
3312 case CONTROL_QUEUE_ONLY:
3313 queue_only_policy = TRUE;
3314 cancel_cutthrough_connection("queueing forced");
3315 break;
3316
3317 case CONTROL_SUBMISSION:
3318 originator_name = US"";
3319 submission_mode = TRUE;
3320 while (*p == '/')
3321 {
3322 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3323 {
3324 p += 14;
3325 active_local_sender_retain = TRUE;
3326 active_local_from_check = FALSE;
3327 }
3328 else if (Ustrncmp(p, "/domain=", 8) == 0)
3329 {
3330 const uschar *pp = p + 8;
3331 while (*pp != 0 && *pp != '/') pp++;
3332 submission_domain = string_copyn(p+8, pp-p-8);
3333 p = pp;
3334 }
3335 /* The name= option must be last, because it swallows the rest of
3336 the string. */
3337 else if (Ustrncmp(p, "/name=", 6) == 0)
3338 {
3339 const uschar *pp = p + 6;
3340 while (*pp != 0) pp++;
3341 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
3342 big_buffer, big_buffer_size));
3343 p = pp;
3344 }
3345 else break;
3346 }
3347 if (*p != 0)
3348 {
3349 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3350 return ERROR;
3351 }
3352 break;
3353
3354 case CONTROL_DEBUG:
3355 while (*p == '/')
3356 {
3357 if (Ustrncmp(p, "/tag=", 5) == 0)
3358 {
3359 const uschar *pp = p + 5;
3360 while (*pp != '\0' && *pp != '/') pp++;
3361 debug_tag = string_copyn(p+5, pp-p-5);
3362 p = pp;
3363 }
3364 else if (Ustrncmp(p, "/opts=", 6) == 0)
3365 {
3366 const uschar *pp = p + 6;
3367 while (*pp != '\0' && *pp != '/') pp++;
3368 debug_opts = string_copyn(p+6, pp-p-6);
3369 p = pp;
3370 }
3371 }
3372 debug_logging_activate(debug_tag, debug_opts);
3373 break;
3374
3375 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3376 suppress_local_fixups = TRUE;
3377 break;
3378
3379 case CONTROL_CUTTHROUGH_DELIVERY:
3380 #ifndef DISABLE_PRDR
3381 if (prdr_requested)
3382 #else
3383 if (0)
3384 #endif
3385 /* Too hard to think about for now. We might in future cutthrough
3386 the case where both sides handle prdr and this-node prdr acl
3387 is "accept" */
3388 *log_msgptr = string_sprintf("PRDR on %s reception\n", arg);
3389 else
3390 {
3391 if (deliver_freeze)
3392 *log_msgptr = US"frozen";
3393 else if (queue_only_policy)
3394 *log_msgptr = US"queue-only";
3395 else if (fake_response == FAIL)
3396 *log_msgptr = US"fakereject";
3397 else
3398 {
3399 if (rcpt_count == 1) cutthrough.delivery = TRUE;
3400 break;
3401 }
3402 *log_msgptr = string_sprintf("\"control=%s\" on %s item",
3403 arg, *log_msgptr);
3404 }
3405 return ERROR;
3406
3407 #ifdef SUPPORT_I18N
3408 case CONTROL_UTF8_DOWNCONVERT:
3409 if (*p == '/')
3410 {
3411 if (p[1] == '1')
3412 {
3413 message_utf8_downconvert = 1;
3414 addr->prop.utf8_downcvt = TRUE;
3415 addr->prop.utf8_downcvt_maybe = FALSE;
3416 p += 2;
3417 break;
3418 }
3419 if (p[1] == '0')
3420 {
3421 message_utf8_downconvert = 0;
3422 addr->prop.utf8_downcvt = FALSE;
3423 addr->prop.utf8_downcvt_maybe = FALSE;
3424 p += 2;
3425 break;
3426 }
3427 if (p[1] == '-' && p[2] == '1')
3428 {
3429 message_utf8_downconvert = -1;
3430 addr->prop.utf8_downcvt = FALSE;
3431 addr->prop.utf8_downcvt_maybe = TRUE;
3432 p += 3;
3433 break;
3434 }
3435 *log_msgptr = US"bad option value for control=utf8_downconvert";
3436 }
3437 else
3438 {
3439 message_utf8_downconvert = 1;
3440 addr->prop.utf8_downcvt = TRUE;
3441 addr->prop.utf8_downcvt_maybe = FALSE;
3442 break;
3443 }
3444 return ERROR;
3445 #endif
3446
3447 }
3448 break;
3449 }
3450
3451 #ifdef EXPERIMENTAL_DCC
3452 case ACLC_DCC:
3453 {
3454 /* Seperate the regular expression and any optional parameters. */
3455 const uschar * list = arg;
3456 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
3457 /* Run the dcc backend. */
3458 rc = dcc_process(&ss);
3459 /* Modify return code based upon the existance of options. */
3460 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
3461 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3462 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
3463 }
3464 break;
3465 #endif
3466
3467 #ifdef WITH_CONTENT_SCAN
3468 case ACLC_DECODE:
3469 rc = mime_decode(&arg);
3470 break;
3471 #endif
3472
3473 case ACLC_DELAY:
3474 {
3475 int delay = readconf_readtime(arg, 0, FALSE);
3476 if (delay < 0)
3477 {
3478 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3479 "modifier: \"%s\" is not a time value", arg);
3480 return ERROR;
3481 }
3482