projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Kjetil Homme's patch for extended macro features (redefinition,
[exim.git] / src / src / acl.c
1 /* $Cambridge: exim/src/src/acl.c,v 1.27 2005/04/05 13:58:35 ph10 Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10 /* Code for handling Access Control Lists (ACLs) */
11
12 #include "exim.h"
13
14
15 /* Default callout timeout */
16
17 #define CALLOUT_TIMEOUT_DEFAULT 30
18
19 /* ACL verb codes - keep in step with the table of verbs that follows */
20
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24 /* ACL verbs */
25
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30 /* For each verb, the condition for which "message" is used */
31
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34 /* ACL condition and modifier codes - keep in step with the table that
35 follows. */
36
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40 #endif
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44 #endif
45 ACLC_DELAY,
46 #ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
48 #endif
49 #ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
51 ACLC_DK_POLICY,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
54 ACLC_DK_SENDERS,
55 ACLC_DK_STATUS,
56 #endif
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59 #ifdef WITH_CONTENT_SCAN
60 ACLC_MALWARE,
61 #endif
62 ACLC_MESSAGE,
63 #ifdef WITH_CONTENT_SCAN
64 ACLC_MIME_REGEX,
65 #endif
66 ACLC_RECIPIENTS,
67 #ifdef WITH_CONTENT_SCAN
68 ACLC_REGEX,
69 #endif
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71 #ifdef WITH_CONTENT_SCAN
72 ACLC_SPAM,
73 #endif
74 #ifdef EXPERIMENTAL_SPF
75 ACLC_SPF,
76 #endif
77 ACLC_VERIFY };
78
79 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80 "log_message", "logwrite", and "set" are modifiers that look like conditions
81 but always return TRUE. They are used for their side effects. */
82
83 static uschar *conditions[] = { US"acl", US"authenticated",
84 #ifdef EXPERIMENTAL_BRIGHTMAIL
85 US"bmi_optin",
86 #endif
87 US"condition",
88 US"control",
89 #ifdef WITH_CONTENT_SCAN
90 US"decode",
91 #endif
92 US"delay",
93 #ifdef WITH_OLD_DEMIME
94 US"demime",
95 #endif
96 #ifdef EXPERIMENTAL_DOMAINKEYS
97 US"dk_domain_source",
98 US"dk_policy",
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
101 US"dk_senders",
102 US"dk_status",
103 #endif
104 US"dnslists", US"domains", US"encrypted",
105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
106 #ifdef WITH_CONTENT_SCAN
107 US"malware",
108 #endif
109 US"message",
110 #ifdef WITH_CONTENT_SCAN
111 US"mime_regex",
112 #endif
113 US"recipients",
114 #ifdef WITH_CONTENT_SCAN
115 US"regex",
116 #endif
117 US"sender_domains", US"senders", US"set",
118 #ifdef WITH_CONTENT_SCAN
119 US"spam",
120 #endif
121 #ifdef EXPERIMENTAL_SPF
122 US"spf",
123 #endif
124 US"verify" };
125
126 /* ACL control names */
127
128 static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
130 US"queue_only", US"submission", US"no_multiline"};
131
132 /* Flags to indicate for which conditions /modifiers a string expansion is done
133 at the outer level. In the other cases, expansion already occurs in the
134 checking functions. */
135
136 static uschar cond_expand_at_top[] = {
137 TRUE, /* acl */
138 FALSE, /* authenticated */
139 #ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
141 #endif
142 TRUE, /* condition */
143 TRUE, /* control */
144 #ifdef WITH_CONTENT_SCAN
145 TRUE, /* decode */
146 #endif
147 TRUE, /* delay */
148 #ifdef WITH_OLD_DEMIME
149 TRUE, /* demime */
150 #endif
151 #ifdef EXPERIMENTAL_DOMAINKEYS
152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
155 TRUE, /* dk_sender_local_parts */
156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
158 #endif
159 TRUE, /* dnslists */
160 FALSE, /* domains */
161 FALSE, /* encrypted */
162 TRUE, /* endpass */
163 FALSE, /* hosts */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
166 TRUE, /* logwrite */
167 #ifdef WITH_CONTENT_SCAN
168 TRUE, /* malware */
169 #endif
170 TRUE, /* message */
171 #ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
173 #endif
174 FALSE, /* recipients */
175 #ifdef WITH_CONTENT_SCAN
176 TRUE, /* regex */
177 #endif
178 FALSE, /* sender_domains */
179 FALSE, /* senders */
180 TRUE, /* set */
181 #ifdef WITH_CONTENT_SCAN
182 TRUE, /* spam */
183 #endif
184 #ifdef EXPERIMENTAL_SPF
185 TRUE, /* spf */
186 #endif
187 TRUE /* verify */
188 };
189
190 /* Flags to identify the modifiers */
191
192 static uschar cond_modifiers[] = {
193 FALSE, /* acl */
194 FALSE, /* authenticated */
195 #ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
197 #endif
198 FALSE, /* condition */
199 TRUE, /* control */
200 #ifdef WITH_CONTENT_SCAN
201 FALSE, /* decode */
202 #endif
203 TRUE, /* delay */
204 #ifdef WITH_OLD_DEMIME
205 FALSE, /* demime */
206 #endif
207 #ifdef EXPERIMENTAL_DOMAINKEYS
208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
211 FALSE, /* dk_sender_local_parts */
212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
214 #endif
215 FALSE, /* dnslists */
216 FALSE, /* domains */
217 FALSE, /* encrypted */
218 TRUE, /* endpass */
219 FALSE, /* hosts */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
222 TRUE, /* logwrite */
223 #ifdef WITH_CONTENT_SCAN
224 FALSE, /* malware */
225 #endif
226 TRUE, /* message */
227 #ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
229 #endif
230 FALSE, /* recipients */
231 #ifdef WITH_CONTENT_SCAN
232 FALSE, /* regex */
233 #endif
234 FALSE, /* sender_domains */
235 FALSE, /* senders */
236 TRUE, /* set */
237 #ifdef WITH_CONTENT_SCAN
238 FALSE, /* spam */
239 #endif
240 #ifdef EXPERIMENTAL_SPF
241 FALSE, /* spf */
242 #endif
243 FALSE /* verify */
244 };
245
246 /* Bit map vector of which conditions are not allowed at certain times. For
247 each condition, there's a bitmap of dis-allowed times. For some, it is easier
248 to specify the negation of a small number of allowed times. */
249
250 static unsigned int cond_forbids[] = {
251 0, /* acl */
252
253 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
254 (1<<ACL_WHERE_HELO),
255
256 #ifdef EXPERIMENTAL_BRIGHTMAIL
257 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
258 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
259 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
260 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
261 (1<<ACL_WHERE_MAILAUTH)|
262 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
263 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
264 #endif
265
266 0, /* condition */
267
268 /* Certain types of control are always allowed, so we let it through
269 always and check in the control processing itself. */
270
271 0, /* control */
272
273 #ifdef WITH_CONTENT_SCAN
274 (unsigned int)
275 ~(1<<ACL_WHERE_MIME), /* decode */
276 #endif
277
278 0, /* delay */
279
280 #ifdef WITH_OLD_DEMIME
281 (unsigned int)
282 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
283 #endif
284
285 #ifdef EXPERIMENTAL_DOMAINKEYS
286 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
287 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
288 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
289 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
290 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
291 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
292 (1<<ACL_WHERE_VRFY),
293
294 (1<<ACL_WHERE_AUTH)| /* dk_policy */
295 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
296 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
297 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
298 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
299 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
300 (1<<ACL_WHERE_VRFY),
301
302 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
303 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
304 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
305 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
306 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
307 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
308 (1<<ACL_WHERE_VRFY),
309
310 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
311 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
312 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
313 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
314 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
315 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
316 (1<<ACL_WHERE_VRFY),
317
318 (1<<ACL_WHERE_AUTH)| /* dk_senders */
319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
324 (1<<ACL_WHERE_VRFY),
325
326 (1<<ACL_WHERE_AUTH)| /* dk_status */
327 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
328 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
329 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
330 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
331 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
332 (1<<ACL_WHERE_VRFY),
333 #endif
334
335 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
336
337 (unsigned int)
338 ~(1<<ACL_WHERE_RCPT), /* domains */
339
340 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
341 (1<<ACL_WHERE_HELO),
342
343 0, /* endpass */
344
345 (1<<ACL_WHERE_NOTSMTP), /* hosts */
346
347 (unsigned int)
348 ~(1<<ACL_WHERE_RCPT), /* local_parts */
349
350 0, /* log_message */
351
352 0, /* logwrite */
353
354 #ifdef WITH_CONTENT_SCAN
355 (unsigned int)
356 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
357 #endif
358
359 0, /* message */
360
361 #ifdef WITH_CONTENT_SCAN
362 (unsigned int)
363 ~(1<<ACL_WHERE_MIME), /* mime_regex */
364 #endif
365
366 (unsigned int)
367 ~(1<<ACL_WHERE_RCPT), /* recipients */
368
369 #ifdef WITH_CONTENT_SCAN
370 (unsigned int)
371 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
372 (1<<ACL_WHERE_MIME)),
373 #endif
374
375 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
376 (1<<ACL_WHERE_HELO)|
377 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
378 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
379 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
380
381 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
382 (1<<ACL_WHERE_HELO)|
383 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
384 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
385 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
386
387 0, /* set */
388
389 #ifdef WITH_CONTENT_SCAN
390 (unsigned int)
391 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
392 #endif
393
394 #ifdef EXPERIMENTAL_SPF
395 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
396 (1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_MAILAUTH)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
400 #endif
401
402 /* Certain types of verify are always allowed, so we let it through
403 always and check in the verify function itself */
404
405 0 /* verify */
406 };
407
408
409 /* Return values from decode_control() */
410
411 enum {
412 #ifdef EXPERIMENTAL_BRIGHTMAIL
413 CONTROL_BMI_RUN,
414 #endif
415 #ifdef EXPERIMENTAL_DOMAINKEYS
416 CONTROL_DK_VERIFY,
417 #endif
418 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
419 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
420 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
421 #ifdef WITH_CONTENT_SCAN
422 CONTROL_NO_MBOX_UNSPOOL,
423 #endif
424 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
425
426 /* Bit map vector of which controls are not allowed at certain times. For
427 each control, there's a bitmap of dis-allowed times. For some, it is easier to
428 specify the negation of a small number of allowed times. */
429
430 static unsigned int control_forbids[] = {
431 #ifdef EXPERIMENTAL_BRIGHTMAIL
432 0, /* bmi_run */
433 #endif
434 #ifdef EXPERIMENTAL_DOMAINKEYS
435 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
436 #endif
437
438 0, /* error */
439
440 (unsigned int)
441 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
442
443 (unsigned int)
444 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
445
446 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
447
448 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
449
450 (unsigned int)
451 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
452 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
453 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
454
455 (unsigned int)
456 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
457 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
458 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
459
460 (unsigned int)
461 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
462 (1<<ACL_WHERE_PREDATA)),
463
464 #ifdef WITH_CONTENT_SCAN
465 (unsigned int)
466 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
467 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
468 (1<<ACL_WHERE_MIME)),
469 #endif
470
471 (unsigned int)
472 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
473 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
474 (1<<ACL_WHERE_MIME)),
475
476 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
477 };
478
479 /* Structure listing various control arguments, with their characteristics. */
480
481 typedef struct control_def {
482 uschar *name;
483 int value; /* CONTROL_xxx value */
484 BOOL has_option; /* Has /option(s) following */
485 } control_def;
486
487 static control_def controls_list[] = {
488 #ifdef EXPERIMENTAL_BRIGHTMAIL
489 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
490 #endif
491 #ifdef EXPERIMENTAL_DOMAINKEYS
492 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
493 #endif
494 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
495 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
496 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
497 { US"freeze", CONTROL_FREEZE, FALSE},
498 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
499 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
500 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
501 #ifdef WITH_CONTENT_SCAN
502 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
503 #endif
504 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
505 { US"submission", CONTROL_SUBMISSION, TRUE}
506 };
507
508 /* Enable recursion between acl_check_internal() and acl_check_condition() */
509
510 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
511 uschar **);
512
513
514 /*************************************************
515 * Pick out name from list *
516 *************************************************/
517
518 /* Use a binary chop method
519
520 Arguments:
521 name name to find
522 list list of names
523 end size of list
524
525 Returns: offset in list, or -1 if not found
526 */
527
528 static int
529 acl_checkname(uschar *name, uschar **list, int end)
530 {
531 int start = 0;
532
533 while (start < end)
534 {
535 int mid = (start + end)/2;
536 int c = Ustrcmp(name, list[mid]);
537 if (c == 0) return mid;
538 if (c < 0) end = mid; else start = mid + 1;
539 }
540
541 return -1;
542 }
543
544
545 /*************************************************
546 * Read and parse one ACL *
547 *************************************************/
548
549 /* This function is called both from readconf in order to parse the ACLs in the
550 configuration file, and also when an ACL is encountered dynamically (e.g. as
551 the result of an expansion). It is given a function to call in order to
552 retrieve the lines of the ACL. This function handles skipping comments and
553 blank lines (where relevant).
554
555 Arguments:
556 func function to get next line of ACL
557 error where to put an error message
558
559 Returns: pointer to ACL, or NULL
560 NULL can be legal (empty ACL); in this case error will be NULL
561 */
562
563 acl_block *
564 acl_read(uschar *(*func)(void), uschar **error)
565 {
566 acl_block *yield = NULL;
567 acl_block **lastp = &yield;
568 acl_block *this = NULL;
569 acl_condition_block *cond;
570 acl_condition_block **condp = NULL;
571 uschar *s;
572
573 *error = NULL;
574
575 while ((s = (*func)()) != NULL)
576 {
577 int v, c;
578 BOOL negated = FALSE;
579 uschar *saveline = s;
580 uschar name[64];
581
582 /* Conditions (but not verbs) are allowed to be negated by an initial
583 exclamation mark. */
584
585 while (isspace(*s)) s++;
586 if (*s == '!')
587 {
588 negated = TRUE;
589 s++;
590 }
591
592 /* Read the name of a verb or a condition, or the start of a new ACL, which
593 can be started by a name, or by a macro definition. */
594
595 s = readconf_readname(name, sizeof(name), s);
596 if (*s == ':' || isupper(name[0] && *s == '=')) return yield;
597
598 /* If a verb is unrecognized, it may be another condition or modifier that
599 continues the previous verb. */
600
601 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
602 if (v < 0)
603 {
604 if (this == NULL)
605 {
606 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
607 return NULL;
608 }
609 }
610
611 /* New verb */
612
613 else
614 {
615 if (negated)
616 {
617 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
618 return NULL;
619 }
620 this = store_get(sizeof(acl_block));
621 *lastp = this;
622 lastp = &(this->next);
623 this->next = NULL;
624 this->verb = v;
625 this->condition = NULL;
626 condp = &(this->condition);
627 if (*s == 0) continue; /* No condition on this line */
628 if (*s == '!')
629 {
630 negated = TRUE;
631 s++;
632 }
633 s = readconf_readname(name, sizeof(name), s); /* Condition name */
634 }
635
636 /* Handle a condition or modifier. */
637
638 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
639 if (c < 0)
640 {
641 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
642 saveline);
643 return NULL;
644 }
645
646 /* The modifiers may not be negated */
647
648 if (negated && cond_modifiers[c])
649 {
650 *error = string_sprintf("ACL error: negation is not allowed with "
651 "\"%s\"", conditions[c]);
652 return NULL;
653 }
654
655 /* ENDPASS may occur only with ACCEPT or DISCARD. */
656
657 if (c == ACLC_ENDPASS &&
658 this->verb != ACL_ACCEPT &&
659 this->verb != ACL_DISCARD)
660 {
661 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
662 conditions[c], verbs[this->verb]);
663 return NULL;
664 }
665
666 cond = store_get(sizeof(acl_condition_block));
667 cond->next = NULL;
668 cond->type = c;
669 cond->u.negated = negated;
670
671 *condp = cond;
672 condp = &(cond->next);
673
674 /* The "set" modifier is different in that its argument is "name=value"
675 rather than just a value, and we can check the validity of the name, which
676 gives us a variable number to insert into the data block. */
677
678 if (c == ACLC_SET)
679 {
680 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
681 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
682 {
683 *error = string_sprintf("unrecognized name after \"set\" in ACL "
684 "modifier \"set %s\"", s);
685 return NULL;
686 }
687
688 cond->u.varnumber = s[5] - '0';
689 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
690 s += 6;
691 while (isspace(*s)) s++;
692 }
693
694 /* For "set", we are now positioned for the data. For the others, only
695 "endpass" has no data */
696
697 if (c != ACLC_ENDPASS)
698 {
699 if (*s++ != '=')
700 {
701 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
702 cond_modifiers[c]? US"modifier" : US"condition");
703 return NULL;
704 }
705 while (isspace(*s)) s++;
706 cond->arg = string_copy(s);
707 }
708 }
709
710 return yield;
711 }
712
713
714
715 /*************************************************
716 * Handle warnings *
717 *************************************************/
718
719 /* This function is called when a WARN verb's conditions are true. It adds to
720 the message's headers, and/or writes information to the log. In each case, this
721 only happens once (per message for headers, per connection for log).
722
723 Arguments:
724 where ACL_WHERE_xxxx indicating which ACL this is
725 user_message message for adding to headers
726 log_message message for logging, if different
727
728 Returns: nothing
729 */
730
731 static void
732 acl_warn(int where, uschar *user_message, uschar *log_message)
733 {
734 int hlen;
735
736 if (log_message != NULL && log_message != user_message)
737 {
738 uschar *text;
739 string_item *logged;
740
741 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
742 string_printing(log_message));
743
744 /* If a sender verification has failed, and the log message is "sender verify
745 failed", add the failure message. */
746
747 if (sender_verified_failed != NULL &&
748 sender_verified_failed->message != NULL &&
749 strcmpic(log_message, US"sender verify failed") == 0)
750 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
751
752 /* Search previously logged warnings. They are kept in malloc store so they
753 can be freed at the start of a new message. */
754
755 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
756 if (Ustrcmp(logged->text, text) == 0) break;
757
758 if (logged == NULL)
759 {
760 int length = Ustrlen(text) + 1;
761 log_write(0, LOG_MAIN, "%s", text);
762 logged = store_malloc(sizeof(string_item) + length);
763 logged->text = (uschar *)logged + sizeof(string_item);
764 memcpy(logged->text, text, length);
765 logged->next = acl_warn_logged;
766 acl_warn_logged = logged;
767 }
768 }
769
770 /* If there's no user message, we are done. */
771
772 if (user_message == NULL) return;
773
774 /* If this isn't a message ACL, we can't do anything with a user message.
775 Log an error. */
776
777 if (where > ACL_WHERE_NOTSMTP)
778 {
779 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
780 "found in a non-message (%s) ACL: cannot specify header lines here: "
781 "message ignored", acl_wherenames[where]);
782 return;
783 }
784
785 /* Treat the user message as a sequence of one or more header lines. */
786
787 hlen = Ustrlen(user_message);
788 if (hlen > 0)
789 {
790 uschar *text, *p, *q;
791
792 /* Add a final newline if not present */
793
794 text = ((user_message)[hlen-1] == '\n')? user_message :
795 string_sprintf("%s\n", user_message);
796
797 /* Loop for multiple header lines, taking care about continuations */
798
799 for (p = q = text; *p != 0; )
800 {
801 uschar *s;
802 int newtype = htype_add_bot;
803 header_line **hptr = &acl_warn_headers;
804
805 /* Find next header line within the string */
806
807 for (;;)
808 {
809 q = Ustrchr(q, '\n');
810 if (*(++q) != ' ' && *q != '\t') break;
811 }
812
813 /* If the line starts with a colon, interpret the instruction for where to
814 add it. This temporarily sets up a new type. */
815
816 if (*p == ':')
817 {
818 if (strncmpic(p, US":after_received:", 16) == 0)
819 {
820 newtype = htype_add_rec;
821 p += 16;
822 }
823 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
824 {
825 newtype = htype_add_rfc;
826 p += 14;
827 }
828 else if (strncmpic(p, US":at_start:", 10) == 0)
829 {
830 newtype = htype_add_top;
831 p += 10;
832 }
833 else if (strncmpic(p, US":at_end:", 8) == 0)
834 {
835 newtype = htype_add_bot;
836 p += 8;
837 }
838 while (*p == ' ' || *p == '\t') p++;
839 }
840
841 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
842 to the front of it. */
843
844 for (s = p; s < q - 1; s++)
845 {
846 if (*s == ':' || !isgraph(*s)) break;
847 }
848
849 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
850 hlen = Ustrlen(s);
851
852 /* See if this line has already been added */
853
854 while (*hptr != NULL)
855 {
856 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
857 hptr = &((*hptr)->next);
858 }
859
860 /* Add if not previously present */
861
862 if (*hptr == NULL)
863 {
864 header_line *h = store_get(sizeof(header_line));
865 h->text = s;
866 h->next = NULL;
867 h->type = newtype;
868 h->slen = hlen;
869 *hptr = h;
870 hptr = &(h->next);
871 }
872
873 /* Advance for next header line within the string */
874
875 p = q;
876 }
877 }
878 }
879
880
881
882 /*************************************************
883 * Verify and check reverse DNS *
884 *************************************************/
885
886 /* Called from acl_verify() below. We look up the host name(s) of the client IP
887 address if this has not yet been done. The host_name_lookup() function checks
888 that one of these names resolves to an address list that contains the client IP
889 address, so we don't actually have to do the check here.
890
891 Arguments:
892 user_msgptr pointer for user message
893 log_msgptr pointer for log message
894
895 Returns: OK verification condition succeeded
896 FAIL verification failed
897 DEFER there was a problem verifying
898 */
899
900 static int
901 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
902 {
903 int rc;
904
905 user_msgptr = user_msgptr; /* stop compiler warning */
906
907 /* Previous success */
908
909 if (sender_host_name != NULL) return OK;
910
911 /* Previous failure */
912
913 if (host_lookup_failed)
914 {
915 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
916 return FAIL;
917 }
918
919 /* Need to do a lookup */
920
921 HDEBUG(D_acl)
922 debug_printf("looking up host name to force name/address consistency check\n");
923
924 if ((rc = host_name_lookup()) != OK)
925 {
926 *log_msgptr = (rc == DEFER)?
927 US"host lookup deferred for reverse lookup check"
928 :
929 string_sprintf("host lookup failed for reverse lookup check%s",
930 host_lookup_msg);
931 return rc; /* DEFER or FAIL */
932 }
933
934 host_build_sender_fullhost();
935 return OK;
936 }
937
938
939
940 /*************************************************
941 * Handle verification (address & other) *
942 *************************************************/
943
944 /* This function implements the "verify" condition. It is called when
945 encountered in any ACL, because some tests are almost always permitted. Some
946 just don't make sense, and always fail (for example, an attempt to test a host
947 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
948
949 Arguments:
950 where where called from
951 addr the recipient address that the ACL is handling, or NULL
952 arg the argument of "verify"
953 user_msgptr pointer for user message
954 log_msgptr pointer for log message
955 basic_errno where to put verify errno
956
957 Returns: OK verification condition succeeded
958 FAIL verification failed
959 DEFER there was a problem verifying
960 ERROR syntax error
961 */
962
963 static int
964 acl_verify(int where, address_item *addr, uschar *arg,
965 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
966 {
967 int sep = '/';
968 int callout = -1;
969 int callout_overall = -1;
970 int callout_connect = -1;
971 int verify_options = 0;
972 int rc;
973 BOOL verify_header_sender = FALSE;
974 BOOL defer_ok = FALSE;
975 BOOL callout_defer_ok = FALSE;
976 BOOL no_details = FALSE;
977 address_item *sender_vaddr = NULL;
978 uschar *verify_sender_address = NULL;
979 uschar *pm_mailfrom = NULL;
980 uschar *se_mailfrom = NULL;
981
982 /* Some of the verify items have slash-separated options; some do not. Diagnose
983 an error if options are given for items that don't expect them. This code has
984 now got very message. Refactoring to use a table would be a good idea one day.
985 */
986
987 uschar *slash = Ustrchr(arg, '/');
988 uschar *list = arg;
989 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
990
991 if (ss == NULL) goto BAD_VERIFY;
992
993 /* Handle name/address consistency verification in a separate function. */
994
995 if (strcmpic(ss, US"reverse_host_lookup") == 0)
996 {
997 if (slash != NULL) goto NO_OPTIONS;
998 if (sender_host_address == NULL) return OK;
999 return acl_verify_reverse(user_msgptr, log_msgptr);
1000 }
1001
1002 /* TLS certificate verification is done at STARTTLS time; here we just
1003 test whether it was successful or not. (This is for optional verification; for
1004 mandatory verification, the connection doesn't last this long.) */
1005
1006 if (strcmpic(ss, US"certificate") == 0)
1007 {
1008 if (slash != NULL) goto NO_OPTIONS;
1009 if (tls_certificate_verified) return OK;
1010 *user_msgptr = US"no verified certificate";
1011 return FAIL;
1012 }
1013
1014 /* We can test the result of optional HELO verification */
1015
1016 if (strcmpic(ss, US"helo") == 0)
1017 {
1018 if (slash != NULL) goto NO_OPTIONS;
1019 return helo_verified? OK : FAIL;
1020 }
1021
1022 /* Check that all relevant header lines have the correct syntax. If there is
1023 a syntax error, we return details of the error to the sender if configured to
1024 send out full details. (But a "message" setting on the ACL can override, as
1025 always). */
1026
1027 if (strcmpic(ss, US"header_syntax") == 0)
1028 {
1029 if (slash != NULL) goto NO_OPTIONS;
1030 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1031 {
1032 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1033 "(only possible in ACL for DATA)", acl_wherenames[where]);
1034 return ERROR;
1035 }
1036 rc = verify_check_headers(log_msgptr);
1037 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1038 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1039 return rc;
1040 }
1041
1042
1043 /* The remaining verification tests check recipient and sender addresses,
1044 either from the envelope or from the header. There are a number of
1045 slash-separated options that are common to all of them. */
1046
1047
1048 /* Check that there is at least one verifiable sender address in the relevant
1049 header lines. This can be followed by callout and defer options, just like
1050 sender and recipient. */
1051
1052 if (strcmpic(ss, US"header_sender") == 0)
1053 {
1054 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1055 {
1056 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1057 "(only possible in ACL for DATA)", acl_wherenames[where]);
1058 return ERROR;
1059 }
1060 verify_header_sender = TRUE;
1061 }
1062
1063 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1064 In the case of a sender, this can optionally be followed by an address to use
1065 in place of the actual sender (rare special-case requirement). */
1066
1067 else if (strncmpic(ss, US"sender", 6) == 0)
1068 {
1069 uschar *s = ss + 6;
1070 if (where > ACL_WHERE_NOTSMTP)
1071 {
1072 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1073 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1074 acl_wherenames[where]);
1075 return ERROR;
1076 }
1077 if (*s == 0)
1078 verify_sender_address = sender_address;
1079 else
1080 {
1081 while (isspace(*s)) s++;
1082 if (*s++ != '=') goto BAD_VERIFY;
1083 while (isspace(*s)) s++;
1084 verify_sender_address = string_copy(s);
1085 }
1086 }
1087 else
1088 {
1089 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1090 if (addr == NULL)
1091 {
1092 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1093 "(only possible for RCPT)", acl_wherenames[where]);
1094 return ERROR;
1095 }
1096 }
1097
1098 /* Remaining items are optional; they apply to sender and recipient
1099 verification, including "header sender" verification. */
1100
1101 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1102 != NULL)
1103 {
1104 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1105 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1106
1107 /* These two old options are left for backwards compatibility */
1108
1109 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1110 {
1111 callout_defer_ok = TRUE;
1112 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1113 }
1114
1115 else if (strcmpic(ss, US"check_postmaster") == 0)
1116 {
1117 pm_mailfrom = US"";
1118 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1119 }
1120
1121 /* The callout option has a number of sub-options, comma separated */
1122
1123 else if (strncmpic(ss, US"callout", 7) == 0)
1124 {
1125 callout = CALLOUT_TIMEOUT_DEFAULT;
1126 ss += 7;
1127 if (*ss != 0)
1128 {
1129 while (isspace(*ss)) ss++;
1130 if (*ss++ == '=')
1131 {
1132 int optsep = ',';
1133 uschar *opt;
1134 uschar buffer[256];
1135 while (isspace(*ss)) ss++;
1136
1137 /* This callout option handling code has become a mess as new options
1138 have been added in an ad hoc manner. It should be tidied up into some
1139 kind of table-driven thing. */
1140
1141 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1142 != NULL)
1143 {
1144 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1145 else if (strcmpic(opt, US"no_cache") == 0)
1146 verify_options |= vopt_callout_no_cache;
1147 else if (strcmpic(opt, US"random") == 0)
1148 verify_options |= vopt_callout_random;
1149 else if (strcmpic(opt, US"use_sender") == 0)
1150 verify_options |= vopt_callout_recipsender;
1151 else if (strcmpic(opt, US"use_postmaster") == 0)
1152 verify_options |= vopt_callout_recippmaster;
1153 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1154
1155 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1156 {
1157 if (!verify_header_sender)
1158 {
1159 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1160 "callout option only for verify=header_sender (detected in ACL "
1161 "condition \"%s\")", arg);
1162 return ERROR;
1163 }
1164 opt += 8;
1165 while (isspace(*opt)) opt++;
1166 if (*opt++ != '=')
1167 {
1168 *log_msgptr = string_sprintf("'=' expected after "
1169 "\"mailfrom\" in ACL condition \"%s\"", arg);
1170 return ERROR;
1171 }
1172 while (isspace(*opt)) opt++;
1173 se_mailfrom = string_copy(opt);
1174 }
1175
1176 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1177 {
1178 opt += 19;
1179 while (isspace(*opt)) opt++;
1180 if (*opt++ != '=')
1181 {
1182 *log_msgptr = string_sprintf("'=' expected after "
1183 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1184 return ERROR;
1185 }
1186 while (isspace(*opt)) opt++;
1187 pm_mailfrom = string_copy(opt);
1188 }
1189
1190 else if (strncmpic(opt, US"maxwait", 7) == 0)
1191 {
1192 opt += 7;
1193 while (isspace(*opt)) opt++;
1194 if (*opt++ != '=')
1195 {
1196 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1197 "ACL condition \"%s\"", arg);
1198 return ERROR;
1199 }
1200 while (isspace(*opt)) opt++;
1201 callout_overall = readconf_readtime(opt, 0, FALSE);
1202 if (callout_overall < 0)
1203 {
1204 *log_msgptr = string_sprintf("bad time value in ACL condition "
1205 "\"verify %s\"", arg);
1206 return ERROR;
1207 }
1208 }
1209 else if (strncmpic(opt, US"connect", 7) == 0)
1210 {
1211 opt += 7;
1212 while (isspace(*opt)) opt++;
1213 if (*opt++ != '=')
1214 {
1215 *log_msgptr = string_sprintf("'=' expected after "
1216 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1217 return ERROR;
1218 }
1219 while (isspace(*opt)) opt++;
1220 callout_connect = readconf_readtime(opt, 0, FALSE);
1221 if (callout_connect < 0)
1222 {
1223 *log_msgptr = string_sprintf("bad time value in ACL condition "
1224 "\"verify %s\"", arg);
1225 return ERROR;
1226 }
1227 }
1228 else /* Plain time is callout connect/command timeout */
1229 {
1230 callout = readconf_readtime(opt, 0, FALSE);
1231 if (callout < 0)
1232 {
1233 *log_msgptr = string_sprintf("bad time value in ACL condition "
1234 "\"verify %s\"", arg);
1235 return ERROR;
1236 }
1237 }
1238 }
1239 }
1240 else
1241 {
1242 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1243 "ACL condition \"%s\"", arg);
1244 return ERROR;
1245 }
1246 }
1247 }
1248
1249 /* Option not recognized */
1250
1251 else
1252 {
1253 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1254 "condition \"verify %s\"", ss, arg);
1255 return ERROR;
1256 }
1257 }
1258
1259 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1260 (vopt_callout_recipsender|vopt_callout_recippmaster))
1261 {
1262 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1263 "for a recipient callout";
1264 return ERROR;
1265 }
1266
1267 /* Handle sender-in-header verification. Default the user message to the log
1268 message if giving out verification details. */
1269
1270 if (verify_header_sender)
1271 {
1272 int verrno;
1273 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1274 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1275 &verrno);
1276 if (rc != OK)
1277 {
1278 *basic_errno = verrno;
1279 if (smtp_return_error_details)
1280 {
1281 if (*user_msgptr == NULL && *log_msgptr != NULL)
1282 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1283 if (rc == DEFER) acl_temp_details = TRUE;
1284 }
1285 }
1286 }
1287
1288 /* Handle a sender address. The default is to verify *the* sender address, but
1289 optionally a different address can be given, for special requirements. If the
1290 address is empty, we are dealing with a bounce message that has no sender, so
1291 we cannot do any checking. If the real sender address gets rewritten during
1292 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1293 during message reception.
1294
1295 A list of verified "sender" addresses is kept to try to avoid doing to much
1296 work repetitively when there are multiple recipients in a message and they all
1297 require sender verification. However, when callouts are involved, it gets too
1298 complicated because different recipients may require different callout options.
1299 Therefore, we always do a full sender verify when any kind of callout is
1300 specified. Caching elsewhere, for instance in the DNS resolver and in the
1301 callout handling, should ensure that this is not terribly inefficient. */
1302
1303 else if (verify_sender_address != NULL)
1304 {
1305 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1306 != 0)
1307 {
1308 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1309 "sender verify callout";
1310 return ERROR;
1311 }
1312
1313 sender_vaddr = verify_checked_sender(verify_sender_address);
1314 if (sender_vaddr != NULL && /* Previously checked */
1315 callout <= 0) /* No callout needed this time */
1316 {
1317 /* If the "routed" flag is set, it means that routing worked before, so
1318 this check can give OK (the saved return code value, if set, belongs to a
1319 callout that was done previously). If the "routed" flag is not set, routing
1320 must have failed, so we use the saved return code. */
1321
1322 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1323 {
1324 rc = sender_vaddr->special_action;
1325 *basic_errno = sender_vaddr->basic_errno;
1326 }
1327 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1328 }
1329
1330 /* Do a new verification, and cache the result. The cache is used to avoid
1331 verifying the sender multiple times for multiple RCPTs when callouts are not
1332 specified (see comments above).
1333
1334 The cache is also used on failure to give details in response to the first
1335 RCPT that gets bounced for this reason. However, this can be suppressed by
1336 the no_details option, which sets the flag that says "this detail has already
1337 been sent". The cache normally contains just one address, but there may be
1338 more in esoteric circumstances. */
1339
1340 else
1341 {
1342 BOOL routed = TRUE;
1343 uschar *save_address_data = deliver_address_data;
1344
1345 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1346 if (no_details) setflag(sender_vaddr, af_sverify_told);
1347 if (verify_sender_address[0] != 0)
1348 {
1349 /* If this is the real sender address, save the unrewritten version
1350 for use later in receive. Otherwise, set a flag so that rewriting the
1351 sender in verify_address() does not update sender_address. */
1352
1353 if (verify_sender_address == sender_address)
1354 sender_address_unrewritten = sender_address;
1355 else
1356 verify_options |= vopt_fake_sender;
1357
1358 /* The recipient, qualify, and expn options are never set in
1359 verify_options. */
1360
1361 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1362 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1363
1364 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1365
1366 if (rc == OK)
1367 {
1368 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1369 {
1370 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1371 verify_sender_address, sender_vaddr->address);
1372 }
1373 else
1374 {
1375 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1376 verify_sender_address);
1377 }
1378 }
1379 else *basic_errno = sender_vaddr->basic_errno;
1380 }
1381 else rc = OK; /* Null sender */
1382
1383 /* Cache the result code */
1384
1385 if (routed) setflag(sender_vaddr, af_verify_routed);
1386 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1387 sender_vaddr->special_action = rc;
1388 sender_vaddr->next = sender_verified_list;
1389 sender_verified_list = sender_vaddr;
1390
1391 /* Restore the recipient address data, which might have been clobbered by
1392 the sender verification. */
1393
1394 deliver_address_data = save_address_data;
1395 }
1396
1397 /* Put the sender address_data value into $sender_address_data */
1398
1399 sender_address_data = sender_vaddr->p.address_data;
1400 }
1401
1402 /* A recipient address just gets a straightforward verify; again we must handle
1403 the DEFER overrides. */
1404
1405 else
1406 {
1407 address_item addr2;
1408
1409 /* We must use a copy of the address for verification, because it might
1410 get rewritten. */
1411
1412 addr2 = *addr;
1413 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1414 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1415 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1416
1417 *log_msgptr = addr2.message;
1418 *user_msgptr = (addr2.user_message != NULL)?
1419 addr2.user_message : addr2.message;
1420 *basic_errno = addr2.basic_errno;
1421
1422 /* Make $address_data visible */
1423 deliver_address_data = addr2.p.address_data;
1424 }
1425
1426 /* We have a result from the relevant test. Handle defer overrides first. */
1427
1428 if (rc == DEFER && (defer_ok ||
1429 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1430 {
1431 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1432 defer_ok? "defer_ok" : "callout_defer_ok");
1433 rc = OK;
1434 }
1435
1436 /* If we've failed a sender, set up a recipient message, and point
1437 sender_verified_failed to the address item that actually failed. */
1438
1439 if (rc != OK && verify_sender_address != NULL)
1440 {
1441 if (rc != DEFER)
1442 {
1443 *log_msgptr = *user_msgptr = US"Sender verify failed";
1444 }
1445 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1446 {
1447 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1448 }
1449 else
1450 {
1451 *log_msgptr = US"Could not complete sender verify callout";
1452 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1453 *log_msgptr;
1454 }
1455
1456 sender_verified_failed = sender_vaddr;
1457 }
1458
1459 /* Verifying an address messes up the values of $domain and $local_part,
1460 so reset them before returning if this is a RCPT ACL. */
1461
1462 if (addr != NULL)
1463 {
1464 deliver_domain = addr->domain;
1465 deliver_localpart = addr->local_part;
1466 }
1467 return rc;
1468
1469 /* Syntax errors in the verify argument come here. */
1470
1471 BAD_VERIFY:
1472 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1473 "\"helo\", \"header_syntax\", \"header_sender\" or "
1474 "\"reverse_host_lookup\" at start of ACL condition "
1475 "\"verify %s\"", arg);
1476 return ERROR;
1477
1478 /* Options supplied when not allowed come here */
1479
1480 NO_OPTIONS:
1481 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1482 "(this verify item has no options)", arg);
1483 return ERROR;
1484 }
1485
1486
1487
1488
1489 /*************************************************
1490 * Check argument for control= modifier *
1491 *************************************************/
1492
1493 /* Called from acl_check_condition() below
1494
1495 Arguments:
1496 arg the argument string for control=
1497 pptr set to point to the terminating character
1498 where which ACL we are in
1499 log_msgptr for error messages
1500
1501 Returns: CONTROL_xxx value
1502 */
1503
1504 static int
1505 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1506 {
1507 int len;
1508 control_def *d;
1509
1510 for (d = controls_list;
1511 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1512 d++)
1513 {
1514 len = Ustrlen(d->name);
1515 if (Ustrncmp(d->name, arg, len) == 0) break;
1516 }
1517
1518 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1519 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1520 {
1521 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1522 return CONTROL_ERROR;
1523 }
1524
1525 *pptr = arg + len;
1526 return d->value;
1527 }
1528
1529
1530
1531 /*************************************************
1532 * Handle conditions/modifiers on an ACL item *
1533 *************************************************/
1534
1535 /* Called from acl_check() below.
1536
1537 Arguments:
1538 verb ACL verb
1539 cb ACL condition block - if NULL, result is OK
1540 where where called from
1541 addr the address being checked for RCPT, or NULL
1542 level the nesting level
1543 epp pointer to pass back TRUE if "endpass" encountered
1544 (applies only to "accept" and "discard")
1545 user_msgptr user message pointer
1546 log_msgptr log message pointer
1547 basic_errno pointer to where to put verify error
1548
1549 Returns: OK - all conditions are met
1550 DISCARD - an "acl" condition returned DISCARD - only allowed
1551 for "accept" or "discard" verbs
1552 FAIL - at least one condition fails
1553 FAIL_DROP - an "acl" condition returned FAIL_DROP
1554 DEFER - can't tell at the moment (typically, lookup defer,
1555 but can be temporary callout problem)
1556 ERROR - ERROR from nested ACL or expansion failure or other
1557 error
1558 */
1559
1560 static int
1561 acl_check_condition(int verb, acl_condition_block *cb, int where,
1562 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1563 uschar **log_msgptr, int *basic_errno)
1564 {
1565 uschar *user_message = NULL;
1566 uschar *log_message = NULL;
1567 uschar *p;
1568 int rc = OK;
1569 #ifdef WITH_CONTENT_SCAN
1570 int sep = '/';
1571 #endif
1572
1573 for (; cb != NULL; cb = cb->next)
1574 {
1575 uschar *arg;
1576 int control_type;
1577
1578 /* The message and log_message items set up messages to be used in
1579 case of rejection. They are expanded later. */
1580
1581 if (cb->type == ACLC_MESSAGE)
1582 {
1583 user_message = cb->arg;
1584 continue;
1585 }
1586
1587 if (cb->type == ACLC_LOG_MESSAGE)
1588 {
1589 log_message = cb->arg;
1590 continue;
1591 }
1592
1593 /* The endpass "condition" just sets a flag to show it occurred. This is
1594 checked at compile time to be on an "accept" or "discard" item. */
1595
1596 if (cb->type == ACLC_ENDPASS)
1597 {
1598 *epp = TRUE;
1599 continue;
1600 }
1601
1602 /* For other conditions and modifiers, the argument is expanded now for some
1603 of them, but not for all, because expansion happens down in some lower level
1604 checking functions in some cases. */
1605
1606 if (cond_expand_at_top[cb->type])
1607 {
1608 arg = expand_string(cb->arg);
1609 if (arg == NULL)
1610 {
1611 if (expand_string_forcedfail) continue;
1612 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1613 cb->arg, expand_string_message);
1614 return search_find_defer? DEFER : ERROR;
1615 }
1616 }
1617 else arg = cb->arg;
1618
1619 /* Show condition, and expanded condition if it's different */
1620
1621 HDEBUG(D_acl)
1622 {
1623 int lhswidth = 0;
1624 debug_printf("check %s%s %n",
1625 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1626 conditions[cb->type], &lhswidth);
1627
1628 if (cb->type == ACLC_SET)
1629 {
1630 int n = cb->u.varnumber;
1631 int t = (n < ACL_C_MAX)? 'c' : 'm';
1632 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1633 debug_printf("acl_%c%d ", t, n);
1634 lhswidth += 7;
1635 }
1636
1637 debug_printf("= %s\n", cb->arg);
1638
1639 if (arg != cb->arg)
1640 debug_printf("%.*s= %s\n", lhswidth,
1641 US" ", CS arg);
1642 }
1643
1644 /* Check that this condition makes sense at this time */
1645
1646 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1647 {
1648 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1649 cond_modifiers[cb->type]? "use" : "test",
1650 conditions[cb->type], acl_wherenames[where]);
1651 return ERROR;
1652 }
1653
1654 /* Run the appropriate test for each condition, or take the appropriate
1655 action for the remaining modifiers. */
1656
1657 switch(cb->type)
1658 {
1659 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1660 "discard" verb. */
1661
1662 case ACLC_ACL:
1663 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1664 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1665 {
1666 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1667 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1668 verbs[verb]);
1669 return ERROR;
1670 }
1671 break;
1672
1673 case ACLC_AUTHENTICATED:
1674 rc = (sender_host_authenticated == NULL)? FAIL :
1675 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1676 TRUE, NULL);
1677 break;
1678
1679 #ifdef EXPERIMENTAL_BRIGHTMAIL
1680 case ACLC_BMI_OPTIN:
1681 {
1682 int old_pool = store_pool;
1683 store_pool = POOL_PERM;
1684 bmi_current_optin = string_copy(arg);
1685 store_pool = old_pool;
1686 }
1687 break;
1688 #endif
1689
1690 case ACLC_CONDITION:
1691 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1692 rc = (Uatoi(arg) == 0)? FAIL : OK;
1693 else
1694 rc = (strcmpic(arg, US"no") == 0 ||
1695 strcmpic(arg, US"false") == 0)? FAIL :
1696 (strcmpic(arg, US"yes") == 0 ||
1697 strcmpic(arg, US"true") == 0)? OK : DEFER;
1698 if (rc == DEFER)
1699 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1700 break;
1701
1702 case ACLC_CONTROL:
1703 control_type = decode_control(arg, &p, where, log_msgptr);
1704
1705 /* Check if this control makes sense at this time */
1706
1707 if ((control_forbids[control_type] & (1 << where)) != 0)
1708 {
1709 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1710 controls[control_type], acl_wherenames[where]);
1711 return ERROR;
1712 }
1713
1714 switch(control_type)
1715 {
1716 #ifdef EXPERIMENTAL_BRIGHTMAIL
1717 case CONTROL_BMI_RUN:
1718 bmi_run = 1;
1719 break;
1720 #endif
1721 #ifdef EXPERIMENTAL_DOMAINKEYS
1722 case CONTROL_DK_VERIFY:
1723 dk_do_verify = 1;
1724 break;
1725 #endif
1726 case CONTROL_ERROR:
1727 return ERROR;
1728
1729 case CONTROL_CASEFUL_LOCAL_PART:
1730 deliver_localpart = addr->cc_local_part;
1731 break;
1732
1733 case CONTROL_CASELOWER_LOCAL_PART:
1734 deliver_localpart = addr->lc_local_part;
1735 break;
1736
1737 case CONTROL_ENFORCE_SYNC:
1738 smtp_enforce_sync = TRUE;
1739 break;
1740
1741 case CONTROL_NO_ENFORCE_SYNC:
1742 smtp_enforce_sync = FALSE;
1743 break;
1744
1745 #ifdef WITH_CONTENT_SCAN
1746 case CONTROL_NO_MBOX_UNSPOOL:
1747 no_mbox_unspool = TRUE;
1748 break;
1749 #endif
1750
1751 case CONTROL_NO_MULTILINE:
1752 no_multiline_responses = TRUE;
1753 break;
1754
1755 case CONTROL_FAKEREJECT:
1756 fake_reject = TRUE;
1757 if (*p == '/')
1758 {
1759 uschar *pp = p + 1;
1760 while (*pp != 0) pp++;
1761 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1762 p = pp;
1763 }
1764 else
1765 {
1766 /* Explicitly reset to default string */
1767 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
1768 }
1769 break;
1770
1771 case CONTROL_FREEZE:
1772 deliver_freeze = TRUE;
1773 deliver_frozen_at = time(NULL);
1774 break;
1775
1776 case CONTROL_QUEUE_ONLY:
1777 queue_only_policy = TRUE;
1778 break;
1779
1780 case CONTROL_SUBMISSION:
1781 submission_mode = TRUE;
1782 while (*p == '/')
1783 {
1784 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1785 {
1786 p += 14;
1787 active_local_sender_retain = TRUE;
1788 active_local_from_check = FALSE;
1789 }
1790 else if (Ustrncmp(p, "/domain=", 8) == 0)
1791 {
1792 uschar *pp = p + 8;
1793 while (*pp != 0 && *pp != '/') pp++;
1794 submission_domain = string_copyn(p+8, pp-p);
1795 p = pp;
1796 }
1797 else break;
1798 }
1799 if (*p != 0)
1800 {
1801 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1802 return ERROR;
1803 }
1804 break;
1805 }
1806 break;
1807
1808 #ifdef WITH_CONTENT_SCAN
1809 case ACLC_DECODE:
1810 rc = mime_decode(&arg);
1811 break;
1812 #endif
1813
1814 case ACLC_DELAY:
1815 {
1816 int delay = readconf_readtime(arg, 0, FALSE);
1817 if (delay < 0)
1818 {
1819 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1820 "modifier: \"%s\" is not a time value", arg);
1821 return ERROR;
1822 }
1823 else
1824 {
1825 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1826 delay);
1827 if (host_checking)
1828 {
1829 HDEBUG(D_acl)
1830 debug_printf("delay skipped in -bh checking mode\n");
1831 }
1832 else
1833 {
1834 while (delay > 0) delay = sleep(delay);
1835 }
1836 }
1837 }
1838 break;
1839
1840 #ifdef WITH_OLD_DEMIME
1841 case ACLC_DEMIME:
1842 rc = demime(&arg);
1843 break;
1844 #endif
1845
1846 #ifdef EXPERIMENTAL_DOMAINKEYS
1847 case ACLC_DK_DOMAIN_SOURCE:
1848 if (dk_verify_block == NULL) { rc = FAIL; break; };
1849 /* check header source of domain against given string */
1850 switch (dk_verify_block->address_source) {
1851 case DK_EXIM_ADDRESS_FROM_FROM:
1852 rc = match_isinlist(US"from", &arg, 0, NULL,
1853 NULL, MCL_STRING, TRUE, NULL);
1854 break;
1855 case DK_EXIM_ADDRESS_FROM_SENDER:
1856 rc = match_isinlist(US"sender", &arg, 0, NULL,
1857 NULL, MCL_STRING, TRUE, NULL);
1858 break;
1859 case DK_EXIM_ADDRESS_NONE:
1860 rc = match_isinlist(US"none", &arg, 0, NULL,
1861 NULL, MCL_STRING, TRUE, NULL);
1862 break;
1863 }
1864 break;
1865 case ACLC_DK_POLICY:
1866 if (dk_verify_block == NULL) { rc = FAIL; break; };
1867 /* check policy against given string, default FAIL */
1868 rc = FAIL;
1869 if (dk_verify_block->signsall)
1870 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1871 NULL, MCL_STRING, TRUE, NULL);
1872 if (dk_verify_block->testing)
1873 rc = match_isinlist(US"testing", &arg, 0, NULL,
1874 NULL, MCL_STRING, TRUE, NULL);
1875 break;
1876 case ACLC_DK_SENDER_DOMAINS:
1877 if (dk_verify_block == NULL) { rc = FAIL; break; };
1878 if (dk_verify_block->domain != NULL)
1879 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1880 NULL, MCL_DOMAIN, TRUE, NULL);
1881 else rc = FAIL;
1882 break;
1883 case ACLC_DK_SENDER_LOCAL_PARTS:
1884 if (dk_verify_block == NULL) { rc = FAIL; break; };
1885 if (dk_verify_block->local_part != NULL)
1886 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1887 NULL, MCL_LOCALPART, TRUE, NULL);
1888 else rc = FAIL;
1889 break;
1890 case ACLC_DK_SENDERS:
1891 if (dk_verify_block == NULL) { rc = FAIL; break; };
1892 if (dk_verify_block->address != NULL)
1893 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1894 else rc = FAIL;
1895 break;
1896 case ACLC_DK_STATUS:
1897 if (dk_verify_block == NULL) { rc = FAIL; break; };
1898 if (dk_verify_block->result > 0) {
1899 switch(dk_verify_block->result) {
1900 case DK_EXIM_RESULT_BAD_FORMAT:
1901 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1902 NULL, MCL_STRING, TRUE, NULL);
1903 break;
1904 case DK_EXIM_RESULT_NO_KEY:
1905 rc = match_isinlist(US"no key", &arg, 0, NULL,
1906 NULL, MCL_STRING, TRUE, NULL);
1907 break;
1908 case DK_EXIM_RESULT_NO_SIGNATURE:
1909 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1910 NULL, MCL_STRING, TRUE, NULL);
1911 break;
1912 case DK_EXIM_RESULT_REVOKED:
1913 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1914 NULL, MCL_STRING, TRUE, NULL);
1915 break;
1916 case DK_EXIM_RESULT_NON_PARTICIPANT:
1917 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1918 NULL, MCL_STRING, TRUE, NULL);
1919 break;
1920 case DK_EXIM_RESULT_GOOD:
1921 rc = match_isinlist(US"good", &arg, 0, NULL,
1922 NULL, MCL_STRING, TRUE, NULL);
1923 break;
1924 case DK_EXIM_RESULT_BAD:
1925 rc = match_isinlist(US"bad", &arg, 0, NULL,
1926 NULL, MCL_STRING, TRUE, NULL);
1927 break;
1928 }
1929 }
1930 break;
1931 #endif
1932
1933 case ACLC_DNSLISTS:
1934 rc = verify_check_dnsbl(&arg);
1935 break;
1936
1937 case ACLC_DOMAINS:
1938 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1939 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1940 break;
1941
1942 /* The value in tls_cipher is the full cipher name, for example,
1943 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1944 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1945 what may in practice come out of the SSL library - which at the time of
1946 writing is poorly documented. */
1947
1948 case ACLC_ENCRYPTED:
1949 if (tls_cipher == NULL) rc = FAIL; else
1950 {
1951 uschar *endcipher = NULL;
1952 uschar *cipher = Ustrchr(tls_cipher, ':');
1953 if (cipher == NULL) cipher = tls_cipher; else
1954 {
1955 endcipher = Ustrchr(++cipher, ':');
1956 if (endcipher != NULL) *endcipher = 0;
1957 }
1958 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1959 if (endcipher != NULL) *endcipher = ':';
1960 }
1961 break;
1962
1963 /* Use verify_check_this_host() instead of verify_check_host() so that
1964 we can pass over &host_data to catch any looked up data. Once it has been
1965 set, it retains its value so that it's still there if another ACL verb
1966 comes through here and uses the cache. However, we must put it into
1967 permanent store in case it is also expected to be used in a subsequent
1968 message in the same SMTP connection. */
1969
1970 case ACLC_HOSTS:
1971 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1972 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1973 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1974 break;
1975
1976 case ACLC_LOCAL_PARTS:
1977 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1978 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1979 &deliver_localpart_data);
1980 break;
1981
1982 case ACLC_LOGWRITE:
1983 {
1984 int logbits = 0;
1985 uschar *s = arg;
1986 if (*s == ':')
1987 {
1988 s++;
1989 while (*s != ':')
1990 {
1991 if (Ustrncmp(s, "main", 4) == 0)
1992 { logbits |= LOG_MAIN; s += 4; }
1993 else if (Ustrncmp(s, "panic", 5) == 0)
1994 { logbits |= LOG_PANIC; s += 5; }
1995 else if (Ustrncmp(s, "reject", 6) == 0)
1996 { logbits |= LOG_REJECT; s += 6; }
1997 else
1998 {
1999 logbits = LOG_MAIN|LOG_PANIC;
2000 s = string_sprintf(":unknown log name in \"%s\" in "
2001 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2002 }
2003 if (*s == ',') s++;
2004 }
2005 s++;
2006 }
2007 while (isspace(*s)) s++;
2008 if (logbits == 0) logbits = LOG_MAIN;
2009 log_write(0, logbits, "%s", string_printing(s));
2010 }
2011 break;
2012
2013 #ifdef WITH_CONTENT_SCAN
2014 case ACLC_MALWARE:
2015 {
2016 /* Seperate the regular expression and any optional parameters. */
2017 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2018 /* Run the malware backend. */
2019 rc = malware(&ss);
2020 /* Modify return code based upon the existance of options. */
2021 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2022 != NULL) {
2023 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2024 {
2025 /* FAIL so that the message is passed to the next ACL */
2026 rc = FAIL;
2027 }
2028 }
2029 }
2030 break;
2031
2032 case ACLC_MIME_REGEX:
2033 rc = mime_regex(&arg);
2034 break;
2035 #endif
2036
2037 case ACLC_RECIPIENTS:
2038 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2039 &recipient_data);
2040 break;
2041
2042 #ifdef WITH_CONTENT_SCAN
2043 case ACLC_REGEX:
2044 rc = regex(&arg);
2045 break;
2046 #endif
2047
2048 case ACLC_SENDER_DOMAINS:
2049 {
2050 uschar *sdomain;
2051 sdomain = Ustrrchr(sender_address, '@');
2052 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2053 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2054 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2055 }
2056 break;
2057
2058 case ACLC_SENDERS:
2059 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2060 sender_address_cache, -1, 0, &sender_data);
2061 break;
2062
2063 /* Connection variables must persist forever */
2064
2065 case ACLC_SET:
2066 {
2067 int old_pool = store_pool;
2068 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2069 acl_var[cb->u.varnumber] = string_copy(arg);
2070 store_pool = old_pool;
2071 }
2072 break;
2073
2074 #ifdef WITH_CONTENT_SCAN
2075 case ACLC_SPAM:
2076 {
2077 /* Seperate the regular expression and any optional parameters. */
2078 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2079 /* Run the spam backend. */
2080 rc = spam(&ss);
2081 /* Modify return code based upon the existance of options. */
2082 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2083 != NULL) {
2084 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2085 {
2086 /* FAIL so that the message is passed to the next ACL */
2087 rc = FAIL;
2088 }
2089 }
2090 }
2091 break;
2092 #endif
2093
2094 #ifdef EXPERIMENTAL_SPF
2095 case ACLC_SPF:
2096 rc = spf_process(&arg, sender_address);
2097 break;
2098 #endif
2099
2100 /* If the verb is WARN, discard any user message from verification, because
2101 such messages are SMTP responses, not header additions. The latter come
2102 only from explicit "message" modifiers. */
2103
2104 case ACLC_VERIFY:
2105 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2106 if (verb == ACL_WARN) *user_msgptr = NULL;
2107 break;
2108
2109 default:
2110 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2111 "condition %d", cb->type);
2112 break;
2113 }
2114
2115 /* If a condition was negated, invert OK/FAIL. */
2116
2117 if (!cond_modifiers[cb->type] && cb->u.negated)
2118 {
2119 if (rc == OK) rc = FAIL;
2120 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2121 }
2122
2123 if (rc != OK) break; /* Conditions loop */
2124 }
2125
2126
2127 /* If the result is the one for which "message" and/or "log_message" are used,
2128 handle the values of these options. Most verbs have but a single return for
2129 which the messages are relevant, but for "discard", it's useful to have the log
2130 message both when it succeeds and when it fails. Also, for an "accept" that
2131 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2132 and "warn" are permitted in that ACL, we don't need to test the verb.
2133
2134 These modifiers act in different ways:
2135
2136 "message" is a user message that will be included in an SMTP response. Unless
2137 it is empty, it overrides any previously set user message.
2138
2139 "log_message" is a non-user message, and it adds to any existing non-user
2140 message that is already set.
2141
2142 If there isn't a log message set, we make it the same as the user message. */
2143
2144 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2145 (verb == ACL_DISCARD && rc == OK) ||
2146 (where == ACL_WHERE_QUIT))
2147 {
2148 uschar *expmessage;
2149
2150 /* If the verb is "warn", messages generated by conditions (verification or
2151 nested ACLs) are discarded. Only messages specified at this level are used.
2152 However, the value of an existing message is available in $acl_verify_message
2153 during expansions. */
2154
2155 uschar *old_user_msgptr = *user_msgptr;
2156 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2157
2158 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2159
2160 if (user_message != NULL)
2161 {
2162 acl_verify_message = old_user_msgptr;
2163 expmessage = expand_string(user_message);
2164 if (expmessage == NULL)
2165 {
2166 if (!expand_string_forcedfail)
2167 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2168 user_message, expand_string_message);
2169 }
2170 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2171 }
2172
2173 if (log_message != NULL)
2174 {
2175 acl_verify_message = old_log_msgptr;
2176 expmessage = expand_string(log_message);
2177 if (expmessage == NULL)
2178 {
2179 if (!expand_string_forcedfail)
2180 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2181 log_message, expand_string_message);
2182 }
2183 else if (expmessage[0] != 0)
2184 {
2185 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2186 string_sprintf("%s: %s", expmessage, *log_msgptr);
2187 }
2188 }
2189
2190 /* If no log message, default it to the user message */
2191
2192 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2193 }
2194
2195 acl_verify_message = NULL;
2196 return rc;
2197 }
2198
2199
2200
2201
2202
2203 /*************************************************
2204 * Get line from a literal ACL *
2205 *************************************************/
2206
2207 /* This function is passed to acl_read() in order to extract individual lines
2208 of a literal ACL, which we access via static pointers. We can destroy the
2209 contents because this is called only once (the compiled ACL is remembered).
2210
2211 This code is intended to treat the data in the same way as lines in the main
2212 Exim configuration file. That is:
2213
2214 . Leading spaces are ignored.
2215
2216 . A \ at the end of a line is a continuation - trailing spaces after the \
2217 are permitted (this is because I don't believe in making invisible things
2218 significant). Leading spaces on the continued part of a line are ignored.
2219
2220 . Physical lines starting (significantly) with # are totally ignored, and
2221 may appear within a sequence of backslash-continued lines.
2222
2223 . Blank lines are ignored, but will end a sequence of continuations.
2224
2225 Arguments: none
2226 Returns: a pointer to the next line
2227 */
2228
2229
2230 static uschar *acl_text; /* Current pointer in the text */
2231 static uschar *acl_text_end; /* Points one past the terminating '0' */
2232
2233
2234 static uschar *
2235 acl_getline(void)
2236 {
2237 uschar *yield;
2238
2239 /* This loop handles leading blank lines and comments. */
2240
2241 for(;;)
2242 {
2243 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2244 if (*acl_text == 0) return NULL; /* No more data */
2245 yield = acl_text; /* Potential data line */
2246
2247 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2248
2249 /* If we hit the end before a newline, we have the whole logical line. If
2250 it's a comment, there's no more data to be given. Otherwise, yield it. */
2251
2252 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2253
2254 /* After reaching a newline, end this loop if the physical line does not
2255 start with '#'. If it does, it's a comment, and the loop continues. */
2256
2257 if (*yield != '#') break;
2258 }
2259
2260 /* This loop handles continuations. We know we have some real data, ending in
2261 newline. See if there is a continuation marker at the end (ignoring trailing
2262 white space). We know that *yield is not white space, so no need to test for
2263 cont > yield in the backwards scanning loop. */
2264
2265 for(;;)
2266 {
2267 uschar *cont;
2268 for (cont = acl_text - 1; isspace(*cont); cont--);
2269
2270 /* If no continuation follows, we are done. Mark the end of the line and
2271 return it. */
2272
2273 if (*cont != '\\')
2274 {
2275 *acl_text++ = 0;
2276 return yield;
2277 }
2278
2279 /* We have encountered a continuation. Skip over whitespace at the start of
2280 the next line, and indeed the whole of the next line or lines if they are
2281 comment lines. */
2282
2283 for (;;)
2284 {
2285 while (*(++acl_text) == ' ' || *acl_text == '\t');
2286 if (*acl_text != '#') break;
2287 while (*(++acl_text) != 0 && *acl_text != '\n');
2288 }
2289
2290 /* We have the start of a continuation line. Move all the rest of the data
2291 to join onto the previous line, and then find its end. If the end is not a
2292 newline, we are done. Otherwise loop to look for another continuation. */
2293
2294 memmove(cont, acl_text, acl_text_end - acl_text);
2295 acl_text_end -= acl_text - cont;
2296 acl_text = cont;
2297 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2298 if (*acl_text == 0) return yield;
2299 }
2300
2301 /* Control does not reach here */
2302 }
2303
2304
2305
2306
2307
2308 /*************************************************
2309 * Check access using an ACL *
2310 *************************************************/
2311
2312 /* This function is called from address_check. It may recurse via
2313 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2314 passed as a string which is expanded. A forced failure implies no access check
2315 is required. If the result is a single word, it is taken as the name of an ACL
2316 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2317 text, complete with newlines, and parsed as such. In both cases, the ACL check
2318 is then run. This function uses an auxiliary function for acl_read() to call
2319 for reading individual lines of a literal ACL. This is acl_getline(), which
2320 appears immediately above.
2321
2322 Arguments:
2323 where where called from
2324 addr address item when called from RCPT; otherwise NULL
2325 s the input string; NULL is the same as an empty ACL => DENY
2326 level the nesting level
2327 user_msgptr where to put a user error (for SMTP response)
2328 log_msgptr where to put a logging message (not for SMTP response)
2329
2330 Returns: OK access is granted
2331 DISCARD access is apparently granted...
2332 FAIL access is denied
2333 FAIL_DROP access is denied; drop the connection
2334 DEFER can't tell at the moment
2335 ERROR disaster
2336 */
2337
2338 static int
2339 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2340 uschar **user_msgptr, uschar **log_msgptr)
2341 {
2342 int fd = -1;
2343 acl_block *acl = NULL;
2344 uschar *acl_name = US"inline ACL";
2345 uschar *ss;
2346
2347 /* Catch configuration loops */
2348
2349 if (level > 20)
2350 {
2351 *log_msgptr = US"ACL nested too deep: possible loop";
2352 return ERROR;
2353 }
2354
2355 if (s == NULL)
2356 {
2357 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2358 return FAIL;
2359 }
2360
2361 /* At top level, we expand the incoming string. At lower levels, it has already
2362 been expanded as part of condition processing. */
2363
2364 if (level == 0)
2365 {
2366 ss = expand_string(s);
2367 if (ss == NULL)
2368 {
2369 if (expand_string_forcedfail) return OK;
2370 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2371 expand_string_message);
2372 return ERROR;
2373 }
2374 }
2375 else ss = s;
2376
2377 while (isspace(*ss))ss++;
2378
2379 /* If we can't find a named ACL, the default is to parse it as an inline one.
2380 (Unless it begins with a slash; non-existent files give rise to an error.) */
2381
2382 acl_text = ss;
2383
2384 /* Handle the case of a string that does not contain any spaces. Look for a
2385 named ACL among those read from the configuration, or a previously read file.
2386 It is possible that the pointer to the ACL is NULL if the configuration
2387 contains a name with no data. If not found, and the text begins with '/',
2388 read an ACL from a file, and save it so it can be re-used. */
2389
2390 if (Ustrchr(ss, ' ') == NULL)
2391 {
2392 tree_node *t = tree_search(acl_anchor, ss);
2393 if (t != NULL)
2394 {
2395 acl = (acl_block *)(t->data.ptr);
2396 if (acl == NULL)
2397 {
2398 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2399 return FAIL;
2400 }
2401 acl_name = string_sprintf("ACL \"%s\"", ss);
2402 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2403 }
2404
2405 else if (*ss == '/')
2406 {
2407 struct stat statbuf;
2408 fd = Uopen(ss, O_RDONLY, 0);
2409 if (fd < 0)
2410 {
2411 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2412 strerror(errno));
2413 return ERROR;
2414 }
2415
2416 if (fstat(fd, &statbuf) != 0)
2417 {
2418 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2419 strerror(errno));
2420 return ERROR;
2421 }
2422
2423 acl_text = store_get(statbuf.st_size + 1);
2424 acl_text_end = acl_text + statbuf.st_size + 1;
2425
2426 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2427 {
2428 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2429 ss, strerror(errno));
2430 return ERROR;
2431 }
2432 acl_text[statbuf.st_size] = 0;
2433 close(fd);
2434
2435 acl_name = string_sprintf("ACL \"%s\"", ss);
2436 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2437 }
2438 }
2439
2440 /* Parse an ACL that is still in text form. If it came from a file, remember it
2441 in the ACL tree, having read it into the POOL_PERM store pool so that it
2442 persists between multiple messages. */
2443
2444 if (acl == NULL)
2445 {
2446 int old_pool = store_pool;
2447 if (fd >= 0) store_pool = POOL_PERM;
2448 acl = acl_read(acl_getline, log_msgptr);
2449 store_pool = old_pool;
2450 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2451 if (fd >= 0)
2452 {
2453 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2454 Ustrcpy(t->name, ss);
2455 t->data.ptr = acl;
2456 (void)tree_insertnode(&acl_anchor, t);
2457 }
2458 }
2459
2460 /* Now we have an ACL to use. It's possible it may be NULL. */
2461
2462 while (acl != NULL)
2463 {
2464 int cond;
2465 int basic_errno = 0;
2466 BOOL endpass_seen = FALSE;
2467
2468 *log_msgptr = *user_msgptr = NULL;
2469 acl_temp_details = FALSE;
2470
2471 if (where == ACL_WHERE_QUIT &&
2472 acl->verb != ACL_ACCEPT &&
2473 acl->verb != ACL_WARN)
2474 {
2475 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2476 verbs[acl->verb]);
2477 return ERROR;
2478 }
2479
2480 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2481
2482 /* Clear out any search error message from a previous check before testing
2483 this condition. */
2484
2485 search_error_message = NULL;
2486 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2487 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2488
2489 /* Handle special returns: DEFER causes a return except on a WARN verb;
2490 ERROR always causes a return. */
2491
2492 switch (cond)
2493 {
2494 case DEFER:
2495 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2496 if (basic_errno != ERRNO_CALLOUTDEFER)
2497 {
2498 if (search_error_message != NULL && *search_error_message != 0)
2499 *log_msgptr = search_error_message;
2500 if (smtp_return_error_details) acl_temp_details = TRUE;
2501 }
2502 else
2503 {
2504 acl_temp_details = TRUE;
2505 }
2506 if (acl->verb != ACL_WARN) return DEFER;
2507 break;
2508
2509 default: /* Paranoia */
2510 case ERROR:
2511 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2512 return ERROR;
2513
2514 case OK:
2515 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2516 verbs[acl->verb]);
2517 break;
2518
2519 case FAIL:
2520 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2521 break;
2522
2523 /* DISCARD and DROP can happen only from a nested ACL condition, and
2524 DISCARD can happen only for an "accept" or "discard" verb. */
2525
2526 case DISCARD:
2527 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2528 verbs[acl->verb]);
2529 break;
2530
2531 case FAIL_DROP:
2532 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2533 verbs[acl->verb]);
2534 break;
2535 }
2536
2537 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2538 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2539 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2540
2541 switch(acl->verb)
2542 {
2543 case ACL_ACCEPT:
2544 if (cond == OK || cond == DISCARD) return cond;
2545 if (endpass_seen)
2546 {
2547 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2548 return cond;
2549 }
2550 break;
2551
2552 case ACL_DEFER:
2553 if (cond == OK)
2554 {
2555 acl_temp_details = TRUE;
2556 return DEFER;
2557 }
2558 break;
2559
2560 case ACL_DENY:
2561 if (cond == OK) return FAIL;
2562 break;
2563
2564 case ACL_DISCARD:
2565 if (cond == OK || cond == DISCARD) return DISCARD;
2566 if (endpass_seen)
2567 {
2568 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2569 return cond;
2570 }
2571 break;
2572
2573 case ACL_DROP:
2574 if (cond == OK) return FAIL_DROP;
2575 break;
2576
2577 case ACL_REQUIRE:
2578 if (cond != OK) return cond;
2579 break;
2580
2581 case ACL_WARN:
2582 if (cond == OK)
2583 acl_warn(where, *user_msgptr, *log_msgptr);
2584 else if (cond == DEFER)
2585 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2586 "condition test deferred: %s",
2587 (*log_msgptr == NULL)? US"" : *log_msgptr));
2588 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2589 break;
2590
2591 default:
2592 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2593 acl->verb);
2594 break;
2595 }
2596
2597 /* Pass to the next ACL item */
2598
2599 acl = acl->next;
2600 }
2601
2602 /* We have reached the end of the ACL. This is an implicit DENY. */
2603
2604 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2605 return FAIL;
2606 }
2607
2608
2609 /*************************************************
2610 * Check access using an ACL *
2611 *************************************************/
2612
2613 /* This is the external interface for ACL checks. It sets up an address and the
2614 expansions for $domain and $local_part when called after RCPT, then calls
2615 acl_check_internal() to do the actual work.
2616
2617 Arguments:
2618 where ACL_WHERE_xxxx indicating where called from
2619 data_string RCPT address, or SMTP command argument, or NULL
2620 s the input string; NULL is the same as an empty ACL => DENY
2621 user_msgptr where to put a user error (for SMTP response)
2622 log_msgptr where to put a logging message (not for SMTP response)
2623
2624 Returns: OK access is granted by an ACCEPT verb
2625 DISCARD access is granted by a DISCARD verb
2626 FAIL access is denied
2627 FAIL_DROP access is denied; drop the connection
2628 DEFER can't tell at the moment
2629 ERROR disaster
2630 */
2631
2632 int
2633 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2634 uschar **log_msgptr)
2635 {
2636 int rc;
2637 address_item adb;
2638 address_item *addr;
2639
2640 *user_msgptr = *log_msgptr = NULL;
2641 sender_verified_failed = NULL;
2642
2643 if (where == ACL_WHERE_RCPT)
2644 {
2645 adb = address_defaults;
2646 addr = &adb;
2647 addr->address = data_string;
2648 if (deliver_split_address(addr) == DEFER)
2649 {
2650 *log_msgptr = US"defer in percent_hack_domains check";
2651 return DEFER;
2652 }
2653 deliver_domain = addr->domain;
2654 deliver_localpart = addr->local_part;
2655 }
2656 else
2657 {
2658 addr = NULL;
2659 smtp_command_argument = data_string;
2660 }
2661
2662 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2663
2664 smtp_command_argument = deliver_domain =
2665 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2666
2667 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2668 ACL, which is really in the middle of an SMTP command. */
2669
2670 if (rc == DISCARD)
2671 {
2672 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2673 {
2674 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2675 "ACL", acl_wherenames[where]);
2676 return ERROR;
2677 }
2678 return DISCARD;
2679 }
2680
2681 /* A DROP response is not permitted from MAILAUTH */
2682
2683 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2684 {
2685 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2686 "ACL", acl_wherenames[where]);
2687 return ERROR;
2688 }
2689
2690 /* Before giving an error response, take a look at the length of any user
2691 message, and split it up into multiple lines if possible. */
2692
2693 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2694 {
2695 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2696 uschar *ss = s;
2697
2698 for (;;)
2699 {
2700 int i = 0;
2701 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2702 if (*ss == 0) break;
2703 if (*ss == '\n')
2704 s = ++ss;
2705 else
2706 {
2707 uschar *t = ss + 1;
2708 uschar *tt = NULL;
2709 while (--t > s + 35)
2710 {
2711 if (*t == ' ')
2712 {
2713 if (t[-1] == ':') { tt = t; break; }
2714 if (tt == NULL) tt = t;
2715 }
2716 }
2717
2718 if (tt == NULL) /* Can't split behind - try ahead */
2719 {
2720 t = ss + 1;
2721 while (*t != 0)
2722 {
2723 if (*t == ' ' || *t == '\n')
2724 { tt = t; break; }
2725 t++;
2726 }
2727 }
2728
2729 if (tt == NULL) break; /* Can't find anywhere to split */
2730 *tt = '\n';
2731 s = ss = tt+1;
2732 }
2733 }
2734 }
2735
2736 return rc;
2737 }
2738
2739 /* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.