Add compile-time checks for various tables being in alphabetical order.
[exim.git] / src / src / acl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2012 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Code for handling Access Control Lists (ACLs) */
9
10 #include "exim.h"
11
12
13 /* Default callout timeout */
14
15 #define CALLOUT_TIMEOUT_DEFAULT 30
16
17 /* ACL verb codes - keep in step with the table of verbs that follows */
18
19 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22 /* ACL verbs */
23
24 static uschar *verbs[] = {
25 US"accept",
26 US"defer",
27 US"deny",
28 US"discard",
29 US"drop",
30 US"require",
31 US"warn" };
32
33 /* For each verb, the conditions for which "message" or "log_message" are used
34 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
35 "accept", the FAIL case is used only after "endpass", but that is selected in
36 the code. */
37
38 static int msgcond[] = {
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
40 (1<<OK), /* defer */
41 (1<<OK), /* deny */
42 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
43 (1<<OK), /* drop */
44 (1<<FAIL) | (1<<FAIL_DROP), /* require */
45 (1<<OK) /* warn */
46 };
47
48 /* ACL condition and modifier codes - keep in step with the table that
49 follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
50 down. */
51
52 enum { ACLC_ACL,
53 ACLC_ADD_HEADER,
54 ACLC_AUTHENTICATED,
55 #ifdef EXPERIMENTAL_BRIGHTMAIL
56 ACLC_BMI_OPTIN,
57 #endif
58 ACLC_CONDITION,
59 ACLC_CONTINUE,
60 ACLC_CONTROL,
61 #ifdef EXPERIMENTAL_DCC
62 ACLC_DCC,
63 #endif
64 #ifdef WITH_CONTENT_SCAN
65 ACLC_DECODE,
66 #endif
67 ACLC_DELAY,
68 #ifdef WITH_OLD_DEMIME
69 ACLC_DEMIME,
70 #endif
71 #ifndef DISABLE_DKIM
72 ACLC_DKIM_SIGNER,
73 ACLC_DKIM_STATUS,
74 #endif
75 #ifdef EXPERIMENTAL_DMARC
76 ACLC_DMARC_STATUS,
77 #endif
78 ACLC_DNSLISTS,
79 ACLC_DOMAINS,
80 ACLC_ENCRYPTED,
81 ACLC_ENDPASS,
82 ACLC_HOSTS,
83 ACLC_LOCAL_PARTS,
84 ACLC_LOG_MESSAGE,
85 ACLC_LOG_REJECT_TARGET,
86 ACLC_LOGWRITE,
87 #ifdef WITH_CONTENT_SCAN
88 ACLC_MALWARE,
89 #endif
90 ACLC_MESSAGE,
91 #ifdef WITH_CONTENT_SCAN
92 ACLC_MIME_REGEX,
93 #endif
94 ACLC_RATELIMIT,
95 ACLC_RECIPIENTS,
96 #ifdef WITH_CONTENT_SCAN
97 ACLC_REGEX,
98 #endif
99 ACLC_REMOVE_HEADER,
100 ACLC_SENDER_DOMAINS,
101 ACLC_SENDERS,
102 ACLC_SET,
103 #ifdef WITH_CONTENT_SCAN
104 ACLC_SPAM,
105 #endif
106 #ifdef EXPERIMENTAL_SPF
107 ACLC_SPF,
108 ACLC_SPF_GUESS,
109 #endif
110 ACLC_VERIFY };
111
112 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
113 "message", "log_message", "log_reject_target", "logwrite", and "set" are
114 modifiers that look like conditions but always return TRUE. They are used for
115 their side effects. */
116
117 static uschar *conditions[] = {
118 US"acl",
119 US"add_header",
120 US"authenticated",
121 #ifdef EXPERIMENTAL_BRIGHTMAIL
122 US"bmi_optin",
123 #endif
124 US"condition",
125 US"continue",
126 US"control",
127 #ifdef EXPERIMENTAL_DCC
128 US"dcc",
129 #endif
130 #ifdef WITH_CONTENT_SCAN
131 US"decode",
132 #endif
133 US"delay",
134 #ifdef WITH_OLD_DEMIME
135 US"demime",
136 #endif
137 #ifndef DISABLE_DKIM
138 US"dkim_signers",
139 US"dkim_status",
140 #endif
141 #ifdef EXPERIMENTAL_DMARC
142 US"dmarc_status",
143 #endif
144 US"dnslists",
145 US"domains",
146 US"encrypted",
147 US"endpass",
148 US"hosts",
149 US"local_parts",
150 US"log_message",
151 US"log_reject_target",
152 US"logwrite",
153 #ifdef WITH_CONTENT_SCAN
154 US"malware",
155 #endif
156 US"message",
157 #ifdef WITH_CONTENT_SCAN
158 US"mime_regex",
159 #endif
160 US"ratelimit",
161 US"recipients",
162 #ifdef WITH_CONTENT_SCAN
163 US"regex",
164 #endif
165 US"remove_header",
166 US"sender_domains", US"senders", US"set",
167 #ifdef WITH_CONTENT_SCAN
168 US"spam",
169 #endif
170 #ifdef EXPERIMENTAL_SPF
171 US"spf",
172 US"spf_guess",
173 #endif
174 US"verify" };
175
176
177 /* Return values from decode_control(); keep in step with the table of names
178 that follows! */
179
180 enum {
181 CONTROL_AUTH_UNADVERTISED,
182 #ifdef EXPERIMENTAL_BRIGHTMAIL
183 CONTROL_BMI_RUN,
184 #endif
185 CONTROL_DEBUG,
186 #ifndef DISABLE_DKIM
187 CONTROL_DKIM_VERIFY,
188 #endif
189 #ifdef EXPERIMENTAL_DMARC
190 CONTROL_DMARC_VERIFY,
191 CONTROL_DMARC_FORENSIC,
192 #endif
193 CONTROL_DSCP,
194 CONTROL_ERROR,
195 CONTROL_CASEFUL_LOCAL_PART,
196 CONTROL_CASELOWER_LOCAL_PART,
197 CONTROL_CUTTHROUGH_DELIVERY,
198 CONTROL_ENFORCE_SYNC,
199 CONTROL_NO_ENFORCE_SYNC,
200 CONTROL_FREEZE,
201 CONTROL_QUEUE_ONLY,
202 CONTROL_SUBMISSION,
203 CONTROL_SUPPRESS_LOCAL_FIXUPS,
204 #ifdef WITH_CONTENT_SCAN
205 CONTROL_NO_MBOX_UNSPOOL,
206 #endif
207 CONTROL_FAKEDEFER,
208 CONTROL_FAKEREJECT,
209 CONTROL_NO_MULTILINE,
210 CONTROL_NO_PIPELINING,
211 CONTROL_NO_DELAY_FLUSH,
212 CONTROL_NO_CALLOUT_FLUSH
213 };
214
215 /* ACL control names; keep in step with the table above! This list is used for
216 turning ids into names. The actual list of recognized names is in the variable
217 control_def controls_list[] below. The fact that there are two lists is a mess
218 and should be tidied up. */
219
220 static uschar *controls[] = {
221 US"allow_auth_unadvertised",
222 #ifdef EXPERIMENTAL_BRIGHTMAIL
223 US"bmi_run",
224 #endif
225 US"debug",
226 #ifndef DISABLE_DKIM
227 US"dkim_disable_verify",
228 #endif
229 #ifdef EXPERIMENTAL_DMARC
230 US"dmarc_disable_verify",
231 US"dmarc_enable_forensic",
232 #endif
233 US"dscp",
234 US"error",
235 US"caseful_local_part",
236 US"caselower_local_part",
237 US"cutthrough_delivery",
238 US"enforce_sync",
239 US"no_enforce_sync",
240 US"freeze",
241 US"queue_only",
242 US"submission",
243 US"suppress_local_fixups",
244 #ifdef WITH_CONTENT_SCAN
245 US"no_mbox_unspool",
246 #endif
247 US"fakedefer",
248 US"fakereject",
249 US"no_multiline_responses",
250 US"no_pipelining",
251 US"no_delay_flush",
252 US"no_callout_flush"
253 };
254
255 /* Flags to indicate for which conditions/modifiers a string expansion is done
256 at the outer level. In the other cases, expansion already occurs in the
257 checking functions. */
258
259 static uschar cond_expand_at_top[] = {
260 FALSE, /* acl */
261 TRUE, /* add_header */
262 FALSE, /* authenticated */
263 #ifdef EXPERIMENTAL_BRIGHTMAIL
264 TRUE, /* bmi_optin */
265 #endif
266 TRUE, /* condition */
267 TRUE, /* continue */
268 TRUE, /* control */
269 #ifdef EXPERIMENTAL_DCC
270 TRUE, /* dcc */
271 #endif
272 #ifdef WITH_CONTENT_SCAN
273 TRUE, /* decode */
274 #endif
275 TRUE, /* delay */
276 #ifdef WITH_OLD_DEMIME
277 TRUE, /* demime */
278 #endif
279 #ifndef DISABLE_DKIM
280 TRUE, /* dkim_signers */
281 TRUE, /* dkim_status */
282 #endif
283 #ifdef EXPERIMENTAL_DMARC
284 TRUE, /* dmarc_status */
285 #endif
286 TRUE, /* dnslists */
287 FALSE, /* domains */
288 FALSE, /* encrypted */
289 TRUE, /* endpass */
290 FALSE, /* hosts */
291 FALSE, /* local_parts */
292 TRUE, /* log_message */
293 TRUE, /* log_reject_target */
294 TRUE, /* logwrite */
295 #ifdef WITH_CONTENT_SCAN
296 TRUE, /* malware */
297 #endif
298 TRUE, /* message */
299 #ifdef WITH_CONTENT_SCAN
300 TRUE, /* mime_regex */
301 #endif
302 TRUE, /* ratelimit */
303 FALSE, /* recipients */
304 #ifdef WITH_CONTENT_SCAN
305 TRUE, /* regex */
306 #endif
307 TRUE, /* remove_header */
308 FALSE, /* sender_domains */
309 FALSE, /* senders */
310 TRUE, /* set */
311 #ifdef WITH_CONTENT_SCAN
312 TRUE, /* spam */
313 #endif
314 #ifdef EXPERIMENTAL_SPF
315 TRUE, /* spf */
316 TRUE, /* spf_guess */
317 #endif
318 TRUE /* verify */
319 };
320
321 /* Flags to identify the modifiers */
322
323 static uschar cond_modifiers[] = {
324 FALSE, /* acl */
325 TRUE, /* add_header */
326 FALSE, /* authenticated */
327 #ifdef EXPERIMENTAL_BRIGHTMAIL
328 TRUE, /* bmi_optin */
329 #endif
330 FALSE, /* condition */
331 TRUE, /* continue */
332 TRUE, /* control */
333 #ifdef EXPERIMENTAL_DCC
334 FALSE, /* dcc */
335 #endif
336 #ifdef WITH_CONTENT_SCAN
337 FALSE, /* decode */
338 #endif
339 TRUE, /* delay */
340 #ifdef WITH_OLD_DEMIME
341 FALSE, /* demime */
342 #endif
343 #ifndef DISABLE_DKIM
344 FALSE, /* dkim_signers */
345 FALSE, /* dkim_status */
346 #endif
347 #ifdef EXPERIMENTAL_DMARC
348 FALSE, /* dmarc_status */
349 #endif
350 FALSE, /* dnslists */
351 FALSE, /* domains */
352 FALSE, /* encrypted */
353 TRUE, /* endpass */
354 FALSE, /* hosts */
355 FALSE, /* local_parts */
356 TRUE, /* log_message */
357 TRUE, /* log_reject_target */
358 TRUE, /* logwrite */
359 #ifdef WITH_CONTENT_SCAN
360 FALSE, /* malware */
361 #endif
362 TRUE, /* message */
363 #ifdef WITH_CONTENT_SCAN
364 FALSE, /* mime_regex */
365 #endif
366 FALSE, /* ratelimit */
367 FALSE, /* recipients */
368 #ifdef WITH_CONTENT_SCAN
369 FALSE, /* regex */
370 #endif
371 TRUE, /* remove_header */
372 FALSE, /* sender_domains */
373 FALSE, /* senders */
374 TRUE, /* set */
375 #ifdef WITH_CONTENT_SCAN
376 FALSE, /* spam */
377 #endif
378 #ifdef EXPERIMENTAL_SPF
379 FALSE, /* spf */
380 FALSE, /* spf_guess */
381 #endif
382 FALSE /* verify */
383 };
384
385 /* Bit map vector of which conditions and modifiers are not allowed at certain
386 times. For each condition and modifier, there's a bitmap of dis-allowed times.
387 For some, it is easier to specify the negation of a small number of allowed
388 times. */
389
390 static unsigned int cond_forbids[] = {
391 0, /* acl */
392
393 (unsigned int)
394 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
395 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
396 #ifdef EXPERIMENTAL_PRDR
397 (1<<ACL_WHERE_PRDR)|
398 #endif
399 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
400 (1<<ACL_WHERE_DKIM)|
401 (1<<ACL_WHERE_NOTSMTP_START)),
402
403 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
404 (1<<ACL_WHERE_NOTSMTP_START)|
405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
406
407 #ifdef EXPERIMENTAL_BRIGHTMAIL
408 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
409 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
410 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
411 #ifdef EXPERIMENTAL_PRDR
412 (1<<ACL_WHERE_PRDR)|
413 #endif
414 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
415 (1<<ACL_WHERE_MAILAUTH)|
416 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
417 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
418 (1<<ACL_WHERE_NOTSMTP_START),
419 #endif
420
421 0, /* condition */
422
423 0, /* continue */
424
425 /* Certain types of control are always allowed, so we let it through
426 always and check in the control processing itself. */
427
428 0, /* control */
429
430 #ifdef EXPERIMENTAL_DCC
431 (unsigned int)
432 ~((1<<ACL_WHERE_DATA)| /* dcc */
433 #ifdef EXPERIMENTAL_PRDR
434 (1<<ACL_WHERE_PRDR)|
435 #endif /* EXPERIMENTAL_PRDR */
436 (1<<ACL_WHERE_NOTSMTP)),
437 #endif
438
439 #ifdef WITH_CONTENT_SCAN
440 (unsigned int)
441 ~(1<<ACL_WHERE_MIME), /* decode */
442 #endif
443
444 (1<<ACL_WHERE_NOTQUIT), /* delay */
445
446 #ifdef WITH_OLD_DEMIME
447 (unsigned int)
448 ~((1<<ACL_WHERE_DATA)| /* demime */
449 #ifdef EXPERIMENTAL_PRDR
450 (1<<ACL_WHERE_PRDR)|
451 #endif /* EXPERIMENTAL_PRDR */
452 (1<<ACL_WHERE_NOTSMTP)),
453 #endif
454
455 #ifndef DISABLE_DKIM
456 (unsigned int)
457 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
458
459 (unsigned int)
460 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
461 #endif
462
463 #ifdef EXPERIMENTAL_DMARC
464 (unsigned int)
465 ~(1<<ACL_WHERE_DATA), /* dmarc_status */
466 #endif
467
468 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
469 (1<<ACL_WHERE_NOTSMTP_START),
470
471 (unsigned int)
472 ~((1<<ACL_WHERE_RCPT) /* domains */
473 #ifdef EXPERIMENTAL_PRDR
474 |(1<<ACL_WHERE_PRDR)
475 #endif
476 ),
477
478 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
479 (1<<ACL_WHERE_CONNECT)|
480 (1<<ACL_WHERE_NOTSMTP_START)|
481 (1<<ACL_WHERE_HELO),
482
483 0, /* endpass */
484
485 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
486 (1<<ACL_WHERE_NOTSMTP_START),
487
488 (unsigned int)
489 ~((1<<ACL_WHERE_RCPT) /* local_parts */
490 #ifdef EXPERIMENTAL_PRDR
491 |(1<<ACL_WHERE_PRDR)
492 #endif
493 ),
494
495 0, /* log_message */
496
497 0, /* log_reject_target */
498
499 0, /* logwrite */
500
501 #ifdef WITH_CONTENT_SCAN
502 (unsigned int)
503 ~((1<<ACL_WHERE_DATA)| /* malware */
504 #ifdef EXPERIMENTAL_PRDR
505 (1<<ACL_WHERE_PRDR)|
506 #endif /* EXPERIMENTAL_PRDR */
507 (1<<ACL_WHERE_NOTSMTP)),
508 #endif
509
510 0, /* message */
511
512 #ifdef WITH_CONTENT_SCAN
513 (unsigned int)
514 ~(1<<ACL_WHERE_MIME), /* mime_regex */
515 #endif
516
517 0, /* ratelimit */
518
519 (unsigned int)
520 ~(1<<ACL_WHERE_RCPT), /* recipients */
521
522 #ifdef WITH_CONTENT_SCAN
523 (unsigned int)
524 ~((1<<ACL_WHERE_DATA)| /* regex */
525 #ifdef EXPERIMENTAL_PRDR
526 (1<<ACL_WHERE_PRDR)|
527 #endif /* EXPERIMENTAL_PRDR */
528 (1<<ACL_WHERE_NOTSMTP)|
529 (1<<ACL_WHERE_MIME)),
530 #endif
531
532 (unsigned int)
533 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* remove_header */
534 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
535 #ifdef EXPERIMENTAL_PRDR
536 (1<<ACL_WHERE_PRDR)|
537 #endif
538 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
539 (1<<ACL_WHERE_NOTSMTP_START)),
540
541 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
542 (1<<ACL_WHERE_HELO)|
543 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
544 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
545 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
546
547 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
548 (1<<ACL_WHERE_HELO)|
549 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
550 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
551 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
552
553 0, /* set */
554
555 #ifdef WITH_CONTENT_SCAN
556 (unsigned int)
557 ~((1<<ACL_WHERE_DATA)| /* spam */
558 #ifdef EXPERIMENTAL_PRDR
559 (1<<ACL_WHERE_PRDR)|
560 #endif /* EXPERIMENTAL_PRDR */
561 (1<<ACL_WHERE_NOTSMTP)),
562 #endif
563
564 #ifdef EXPERIMENTAL_SPF
565 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
566 (1<<ACL_WHERE_HELO)|
567 (1<<ACL_WHERE_MAILAUTH)|
568 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
569 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
570 (1<<ACL_WHERE_NOTSMTP)|
571 (1<<ACL_WHERE_NOTSMTP_START),
572
573 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
574 (1<<ACL_WHERE_HELO)|
575 (1<<ACL_WHERE_MAILAUTH)|
576 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
577 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
578 (1<<ACL_WHERE_NOTSMTP)|
579 (1<<ACL_WHERE_NOTSMTP_START),
580 #endif
581
582 /* Certain types of verify are always allowed, so we let it through
583 always and check in the verify function itself */
584
585 0 /* verify */
586 };
587
588
589 /* Bit map vector of which controls are not allowed at certain times. For
590 each control, there's a bitmap of dis-allowed times. For some, it is easier to
591 specify the negation of a small number of allowed times. */
592
593 static unsigned int control_forbids[] = {
594 (unsigned int)
595 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
596
597 #ifdef EXPERIMENTAL_BRIGHTMAIL
598 0, /* bmi_run */
599 #endif
600
601 0, /* debug */
602
603 #ifndef DISABLE_DKIM
604 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
605 #ifdef EXPERIMENTAL_PRDR
606 (1<<ACL_WHERE_PRDR)|
607 #endif /* EXPERIMENTAL_PRDR */
608 (1<<ACL_WHERE_NOTSMTP_START),
609 #endif
610
611 #ifdef EXPERIMENTAL_DMARC
612 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dmarc_disable_verify */
613 (1<<ACL_WHERE_NOTSMTP_START),
614 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dmarc_enable_forensic */
615 (1<<ACL_WHERE_NOTSMTP_START),
616 #endif
617
618 (1<<ACL_WHERE_NOTSMTP)|
619 (1<<ACL_WHERE_NOTSMTP_START)|
620 (1<<ACL_WHERE_NOTQUIT), /* dscp */
621
622 0, /* error */
623
624 (unsigned int)
625 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
626
627 (unsigned int)
628 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
629
630 (unsigned int)
631 0, /* cutthrough_delivery */
632
633 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
634 (1<<ACL_WHERE_NOTSMTP_START),
635
636 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
637 (1<<ACL_WHERE_NOTSMTP_START),
638
639 (unsigned int)
640 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
641 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
642 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
643 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
644
645 (unsigned int)
646 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
647 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
648 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
649 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
650
651 (unsigned int)
652 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
653 (1<<ACL_WHERE_PREDATA)),
654
655 (unsigned int)
656 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
657 (1<<ACL_WHERE_PREDATA)|
658 (1<<ACL_WHERE_NOTSMTP_START)),
659
660 #ifdef WITH_CONTENT_SCAN
661 (unsigned int)
662 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
663 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
664 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
665 (1<<ACL_WHERE_MIME)),
666 #endif
667
668 (unsigned int)
669 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
670 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
671 #ifdef EXPERIMENTAL_PRDR
672 (1<<ACL_WHERE_PRDR)|
673 #endif /* EXPERIMENTAL_PRDR */
674 (1<<ACL_WHERE_MIME)),
675
676 (unsigned int)
677 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
678 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
679 #ifdef EXPERIMENTAL_PRDR
680 (1<<ACL_WHERE_PRDR)|
681 #endif /* EXPERIMENTAL_PRDR */
682 (1<<ACL_WHERE_MIME)),
683
684 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
685 (1<<ACL_WHERE_NOTSMTP_START),
686
687 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
688 (1<<ACL_WHERE_NOTSMTP_START),
689
690 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
691 (1<<ACL_WHERE_NOTSMTP_START),
692
693 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
694 (1<<ACL_WHERE_NOTSMTP_START)
695 };
696
697 /* Structure listing various control arguments, with their characteristics. */
698
699 typedef struct control_def {
700 uschar *name;
701 int value; /* CONTROL_xxx value */
702 BOOL has_option; /* Has /option(s) following */
703 } control_def;
704
705 static control_def controls_list[] = {
706 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
707 #ifdef EXPERIMENTAL_BRIGHTMAIL
708 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
709 #endif
710 { US"debug", CONTROL_DEBUG, TRUE },
711 #ifndef DISABLE_DKIM
712 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
713 #endif
714 #ifdef EXPERIMENTAL_DMARC
715 { US"dmarc_disable_verify", CONTROL_DMARC_VERIFY, FALSE },
716 { US"dmarc_enable_forensic", CONTROL_DMARC_FORENSIC, FALSE },
717 #endif
718 { US"dscp", CONTROL_DSCP, TRUE },
719 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
720 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
721 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
722 { US"freeze", CONTROL_FREEZE, TRUE },
723 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
724 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
725 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
726 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
727 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
728 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
729 #ifdef WITH_CONTENT_SCAN
730 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
731 #endif
732 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
733 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
734 { US"submission", CONTROL_SUBMISSION, TRUE },
735 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE },
736 { US"cutthrough_delivery", CONTROL_CUTTHROUGH_DELIVERY, FALSE }
737 };
738
739 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
740 caches its result in a tree to avoid repeated DNS queries. The result is an
741 integer code which is used as an index into the following tables of
742 explanatory strings and verification return codes. */
743
744 static tree_node *csa_cache = NULL;
745
746 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
747 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
748
749 /* The acl_verify_csa() return code is translated into an acl_verify() return
750 code using the following table. It is OK unless the client is definitely not
751 authorized. This is because CSA is supposed to be optional for sending sites,
752 so recipients should not be too strict about checking it - especially because
753 DNS problems are quite likely to occur. It's possible to use $csa_status in
754 further ACL conditions to distinguish ok, unknown, and defer if required, but
755 the aim is to make the usual configuration simple. */
756
757 static int csa_return_code[] = {
758 OK, OK, OK, OK,
759 FAIL, FAIL, FAIL, FAIL
760 };
761
762 static uschar *csa_status_string[] = {
763 US"unknown", US"ok", US"defer", US"defer",
764 US"fail", US"fail", US"fail", US"fail"
765 };
766
767 static uschar *csa_reason_string[] = {
768 US"unknown",
769 US"ok",
770 US"deferred (SRV lookup failed)",
771 US"deferred (target address lookup failed)",
772 US"failed (explicit authorization required)",
773 US"failed (host name not authorized)",
774 US"failed (no authorized addresses)",
775 US"failed (client address mismatch)"
776 };
777
778 /* Options for the ratelimit condition. Note that there are two variants of
779 the per_rcpt option, depending on the ACL that is used to measure the rate.
780 However any ACL must be able to look up per_rcpt rates in /noupdate mode,
781 so the two variants must have the same internal representation as well as
782 the same configuration string. */
783
784 enum {
785 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
786 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
787 };
788
789 #define RATE_SET(var,new) \
790 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
791
792 static uschar *ratelimit_option_string[] = {
793 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
794 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
795 };
796
797 /* Enable recursion between acl_check_internal() and acl_check_condition() */
798
799 static int acl_check_wargs(int, address_item *, uschar *, int, uschar **,
800 uschar **);
801
802
803 /*************************************************
804 * Pick out name from list *
805 *************************************************/
806
807 /* Use a binary chop method
808
809 Arguments:
810 name name to find
811 list list of names
812 end size of list
813
814 Returns: offset in list, or -1 if not found
815 */
816
817 static int
818 acl_checkname(uschar *name, uschar **list, int end)
819 {
820 int start = 0;
821
822 while (start < end)
823 {
824 int mid = (start + end)/2;
825 int c = Ustrcmp(name, list[mid]);
826 if (c == 0) return mid;
827 if (c < 0) end = mid; else start = mid + 1;
828 }
829
830 return -1;
831 }
832
833
834 /*************************************************
835 * Read and parse one ACL *
836 *************************************************/
837
838 /* This function is called both from readconf in order to parse the ACLs in the
839 configuration file, and also when an ACL is encountered dynamically (e.g. as
840 the result of an expansion). It is given a function to call in order to
841 retrieve the lines of the ACL. This function handles skipping comments and
842 blank lines (where relevant).
843
844 Arguments:
845 func function to get next line of ACL
846 error where to put an error message
847
848 Returns: pointer to ACL, or NULL
849 NULL can be legal (empty ACL); in this case error will be NULL
850 */
851
852 acl_block *
853 acl_read(uschar *(*func)(void), uschar **error)
854 {
855 acl_block *yield = NULL;
856 acl_block **lastp = &yield;
857 acl_block *this = NULL;
858 acl_condition_block *cond;
859 acl_condition_block **condp = NULL;
860 uschar *s;
861
862 *error = NULL;
863
864 while ((s = (*func)()) != NULL)
865 {
866 int v, c;
867 BOOL negated = FALSE;
868 uschar *saveline = s;
869 uschar name[64];
870
871 /* Conditions (but not verbs) are allowed to be negated by an initial
872 exclamation mark. */
873
874 while (isspace(*s)) s++;
875 if (*s == '!')
876 {
877 negated = TRUE;
878 s++;
879 }
880
881 /* Read the name of a verb or a condition, or the start of a new ACL, which
882 can be started by a name, or by a macro definition. */
883
884 s = readconf_readname(name, sizeof(name), s);
885 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
886
887 /* If a verb is unrecognized, it may be another condition or modifier that
888 continues the previous verb. */
889
890 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
891 if (v < 0)
892 {
893 if (this == NULL)
894 {
895 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
896 saveline);
897 return NULL;
898 }
899 }
900
901 /* New verb */
902
903 else
904 {
905 if (negated)
906 {
907 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
908 return NULL;
909 }
910 this = store_get(sizeof(acl_block));
911 *lastp = this;
912 lastp = &(this->next);
913 this->next = NULL;
914 this->verb = v;
915 this->condition = NULL;
916 condp = &(this->condition);
917 if (*s == 0) continue; /* No condition on this line */
918 if (*s == '!')
919 {
920 negated = TRUE;
921 s++;
922 }
923 s = readconf_readname(name, sizeof(name), s); /* Condition name */
924 }
925
926 /* Handle a condition or modifier. */
927
928 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
929 if (c < 0)
930 {
931 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
932 saveline);
933 return NULL;
934 }
935
936 /* The modifiers may not be negated */
937
938 if (negated && cond_modifiers[c])
939 {
940 *error = string_sprintf("ACL error: negation is not allowed with "
941 "\"%s\"", conditions[c]);
942 return NULL;
943 }
944
945 /* ENDPASS may occur only with ACCEPT or DISCARD. */
946
947 if (c == ACLC_ENDPASS &&
948 this->verb != ACL_ACCEPT &&
949 this->verb != ACL_DISCARD)
950 {
951 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
952 conditions[c], verbs[this->verb]);
953 return NULL;
954 }
955
956 cond = store_get(sizeof(acl_condition_block));
957 cond->next = NULL;
958 cond->type = c;
959 cond->u.negated = negated;
960
961 *condp = cond;
962 condp = &(cond->next);
963
964 /* The "set" modifier is different in that its argument is "name=value"
965 rather than just a value, and we can check the validity of the name, which
966 gives us a variable name to insert into the data block. The original ACL
967 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
968 extended to 20 of each type, but after that people successfully argued for
969 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
970 After that, we allow alphanumerics and underscores, but the first character
971 after c or m must be a digit or an underscore. This retains backwards
972 compatibility. */
973
974 if (c == ACLC_SET)
975 {
976 uschar *endptr;
977
978 if (Ustrncmp(s, "acl_c", 5) != 0 &&
979 Ustrncmp(s, "acl_m", 5) != 0)
980 {
981 *error = string_sprintf("invalid variable name after \"set\" in ACL "
982 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
983 return NULL;
984 }
985
986 endptr = s + 5;
987 if (!isdigit(*endptr) && *endptr != '_')
988 {
989 *error = string_sprintf("invalid variable name after \"set\" in ACL "
990 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
991 s);
992 return NULL;
993 }
994
995 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
996 {
997 if (!isalnum(*endptr) && *endptr != '_')
998 {
999 *error = string_sprintf("invalid character \"%c\" in variable name "
1000 "in ACL modifier \"set %s\"", *endptr, s);
1001 return NULL;
1002 }
1003 endptr++;
1004 }
1005
1006 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
1007 s = endptr;
1008 while (isspace(*s)) s++;
1009 }
1010
1011 /* For "set", we are now positioned for the data. For the others, only
1012 "endpass" has no data */
1013
1014 if (c != ACLC_ENDPASS)
1015 {
1016 if (*s++ != '=')
1017 {
1018 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
1019 cond_modifiers[c]? US"modifier" : US"condition");
1020 return NULL;
1021 }
1022 while (isspace(*s)) s++;
1023 cond->arg = string_copy(s);
1024 }
1025 }
1026
1027 return yield;
1028 }
1029
1030
1031
1032 /*************************************************
1033 * Set up added header line(s) *
1034 *************************************************/
1035
1036 /* This function is called by the add_header modifier, and also from acl_warn()
1037 to implement the now-deprecated way of adding header lines using "message" on a
1038 "warn" verb. The argument is treated as a sequence of header lines which are
1039 added to a chain, provided there isn't an identical one already there.
1040
1041 Argument: string of header lines
1042 Returns: nothing
1043 */
1044
1045 static void
1046 setup_header(uschar *hstring)
1047 {
1048 uschar *p, *q;
1049 int hlen = Ustrlen(hstring);
1050
1051 /* Ignore any leading newlines */
1052 while (*hstring == '\n') hstring++, hlen--;
1053
1054 /* An empty string does nothing; ensure exactly one final newline. */
1055 if (hlen <= 0) return;
1056 if (hstring[--hlen] != '\n') hstring = string_sprintf("%s\n", hstring);
1057 else while(hstring[--hlen] == '\n') hstring[hlen+1] = '\0';
1058
1059 /* Loop for multiple header lines, taking care about continuations */
1060
1061 for (p = q = hstring; *p != 0; )
1062 {
1063 uschar *s;
1064 int newtype = htype_add_bot;
1065 header_line **hptr = &acl_added_headers;
1066
1067 /* Find next header line within the string */
1068
1069 for (;;)
1070 {
1071 q = Ustrchr(q, '\n');
1072 if (*(++q) != ' ' && *q != '\t') break;
1073 }
1074
1075 /* If the line starts with a colon, interpret the instruction for where to
1076 add it. This temporarily sets up a new type. */
1077
1078 if (*p == ':')
1079 {
1080 if (strncmpic(p, US":after_received:", 16) == 0)
1081 {
1082 newtype = htype_add_rec;
1083 p += 16;
1084 }
1085 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1086 {
1087 newtype = htype_add_rfc;
1088 p += 14;
1089 }
1090 else if (strncmpic(p, US":at_start:", 10) == 0)
1091 {
1092 newtype = htype_add_top;
1093 p += 10;
1094 }
1095 else if (strncmpic(p, US":at_end:", 8) == 0)
1096 {
1097 newtype = htype_add_bot;
1098 p += 8;
1099 }
1100 while (*p == ' ' || *p == '\t') p++;
1101 }
1102
1103 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1104 to the front of it. */
1105
1106 for (s = p; s < q - 1; s++)
1107 {
1108 if (*s == ':' || !isgraph(*s)) break;
1109 }
1110
1111 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
1112 hlen = Ustrlen(s);
1113
1114 /* See if this line has already been added */
1115
1116 while (*hptr != NULL)
1117 {
1118 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1119 hptr = &((*hptr)->next);
1120 }
1121
1122 /* Add if not previously present */
1123
1124 if (*hptr == NULL)
1125 {
1126 header_line *h = store_get(sizeof(header_line));
1127 h->text = s;
1128 h->next = NULL;
1129 h->type = newtype;
1130 h->slen = hlen;
1131 *hptr = h;
1132 hptr = &(h->next);
1133 }
1134
1135 /* Advance for next header line within the string */
1136
1137 p = q;
1138 }
1139 }
1140
1141
1142
1143 /*************************************************
1144 * List the added header lines *
1145 *************************************************/
1146 uschar *
1147 fn_hdrs_added(void)
1148 {
1149 uschar * ret = NULL;
1150 header_line * h = acl_added_headers;
1151 uschar * s;
1152 uschar * cp;
1153 int size = 0;
1154 int ptr = 0;
1155
1156 if (!h) return NULL;
1157
1158 do
1159 {
1160 s = h->text;
1161 while ((cp = Ustrchr(s, '\n')) != NULL)
1162 {
1163 if (cp[1] == '\0') break;
1164
1165 /* contains embedded newline; needs doubling */
1166 ret = string_cat(ret, &size, &ptr, s, cp-s+1);
1167 ret = string_cat(ret, &size, &ptr, US"\n", 1);
1168 s = cp+1;
1169 }
1170 /* last bit of header */
1171
1172 ret = string_cat(ret, &size, &ptr, s, cp-s+1); /* newline-sep list */
1173 }
1174 while((h = h->next));
1175
1176 ret[ptr-1] = '\0'; /* overwrite last newline */
1177 return ret;
1178 }
1179
1180
1181 /*************************************************
1182 * Set up removed header line(s) *
1183 *************************************************/
1184
1185 /* This function is called by the remove_header modifier. The argument is
1186 treated as a sequence of header names which are added to a colon separated
1187 list, provided there isn't an identical one already there.
1188
1189 Argument: string of header names
1190 Returns: nothing
1191 */
1192
1193 static void
1194 setup_remove_header(uschar *hnames)
1195 {
1196 if (*hnames != 0)
1197 {
1198 if (acl_removed_headers == NULL)
1199 acl_removed_headers = hnames;
1200 else
1201 acl_removed_headers = string_sprintf("%s : %s", acl_removed_headers, hnames);
1202 }
1203 }
1204
1205
1206
1207 /*************************************************
1208 * Handle warnings *
1209 *************************************************/
1210
1211 /* This function is called when a WARN verb's conditions are true. It adds to
1212 the message's headers, and/or writes information to the log. In each case, this
1213 only happens once (per message for headers, per connection for log).
1214
1215 ** NOTE: The header adding action using the "message" setting is historic, and
1216 its use is now deprecated. The new add_header modifier should be used instead.
1217
1218 Arguments:
1219 where ACL_WHERE_xxxx indicating which ACL this is
1220 user_message message for adding to headers
1221 log_message message for logging, if different
1222
1223 Returns: nothing
1224 */
1225
1226 static void
1227 acl_warn(int where, uschar *user_message, uschar *log_message)
1228 {
1229 if (log_message != NULL && log_message != user_message)
1230 {
1231 uschar *text;
1232 string_item *logged;
1233
1234 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1235 string_printing(log_message));
1236
1237 /* If a sender verification has failed, and the log message is "sender verify
1238 failed", add the failure message. */
1239
1240 if (sender_verified_failed != NULL &&
1241 sender_verified_failed->message != NULL &&
1242 strcmpic(log_message, US"sender verify failed") == 0)
1243 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1244
1245 /* Search previously logged warnings. They are kept in malloc
1246 store so they can be freed at the start of a new message. */
1247
1248 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1249 if (Ustrcmp(logged->text, text) == 0) break;
1250
1251 if (logged == NULL)
1252 {
1253 int length = Ustrlen(text) + 1;
1254 log_write(0, LOG_MAIN, "%s", text);
1255 logged = store_malloc(sizeof(string_item) + length);
1256 logged->text = (uschar *)logged + sizeof(string_item);
1257 memcpy(logged->text, text, length);
1258 logged->next = acl_warn_logged;
1259 acl_warn_logged = logged;
1260 }
1261 }
1262
1263 /* If there's no user message, we are done. */
1264
1265 if (user_message == NULL) return;
1266
1267 /* If this isn't a message ACL, we can't do anything with a user message.
1268 Log an error. */
1269
1270 if (where > ACL_WHERE_NOTSMTP)
1271 {
1272 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1273 "found in a non-message (%s) ACL: cannot specify header lines here: "
1274 "message ignored", acl_wherenames[where]);
1275 return;
1276 }
1277
1278 /* The code for setting up header lines is now abstracted into a separate
1279 function so that it can be used for the add_header modifier as well. */
1280
1281 setup_header(user_message);
1282 }
1283
1284
1285
1286 /*************************************************
1287 * Verify and check reverse DNS *
1288 *************************************************/
1289
1290 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1291 address if this has not yet been done. The host_name_lookup() function checks
1292 that one of these names resolves to an address list that contains the client IP
1293 address, so we don't actually have to do the check here.
1294
1295 Arguments:
1296 user_msgptr pointer for user message
1297 log_msgptr pointer for log message
1298
1299 Returns: OK verification condition succeeded
1300 FAIL verification failed
1301 DEFER there was a problem verifying
1302 */
1303
1304 static int
1305 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1306 {
1307 int rc;
1308
1309 user_msgptr = user_msgptr; /* stop compiler warning */
1310
1311 /* Previous success */
1312
1313 if (sender_host_name != NULL) return OK;
1314
1315 /* Previous failure */
1316
1317 if (host_lookup_failed)
1318 {
1319 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1320 return FAIL;
1321 }
1322
1323 /* Need to do a lookup */
1324
1325 HDEBUG(D_acl)
1326 debug_printf("looking up host name to force name/address consistency check\n");
1327
1328 if ((rc = host_name_lookup()) != OK)
1329 {
1330 *log_msgptr = (rc == DEFER)?
1331 US"host lookup deferred for reverse lookup check"
1332 :
1333 string_sprintf("host lookup failed for reverse lookup check%s",
1334 host_lookup_msg);
1335 return rc; /* DEFER or FAIL */
1336 }
1337
1338 host_build_sender_fullhost();
1339 return OK;
1340 }
1341
1342
1343
1344 /*************************************************
1345 * Check client IP address matches CSA target *
1346 *************************************************/
1347
1348 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1349 response for address records belonging to the CSA target hostname. The section
1350 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1351 If one of the addresses matches the client's IP address, then the client is
1352 authorized by CSA. If there are target IP addresses but none of them match
1353 then the client is using an unauthorized IP address. If there are no target IP
1354 addresses then the client cannot be using an authorized IP address. (This is
1355 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1356
1357 Arguments:
1358 dnsa the DNS answer block
1359 dnss a DNS scan block for us to use
1360 reset option specifing what portion to scan, as described above
1361 target the target hostname to use for matching RR names
1362
1363 Returns: CSA_OK successfully authorized
1364 CSA_FAIL_MISMATCH addresses found but none matched
1365 CSA_FAIL_NOADDR no target addresses found
1366 */
1367
1368 static int
1369 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1370 uschar *target)
1371 {
1372 dns_record *rr;
1373 dns_address *da;
1374
1375 BOOL target_found = FALSE;
1376
1377 for (rr = dns_next_rr(dnsa, dnss, reset);
1378 rr != NULL;
1379 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1380 {
1381 /* Check this is an address RR for the target hostname. */
1382
1383 if (rr->type != T_A
1384 #if HAVE_IPV6
1385 && rr->type != T_AAAA
1386 #ifdef SUPPORT_A6
1387 && rr->type != T_A6
1388 #endif
1389 #endif
1390 ) continue;
1391
1392 if (strcmpic(target, rr->name) != 0) continue;
1393
1394 target_found = TRUE;
1395
1396 /* Turn the target address RR into a list of textual IP addresses and scan
1397 the list. There may be more than one if it is an A6 RR. */
1398
1399 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1400 {
1401 /* If the client IP address matches the target IP address, it's good! */
1402
1403 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1404
1405 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1406 }
1407 }
1408
1409 /* If we found some target addresses but none of them matched, the client is
1410 using an unauthorized IP address, otherwise the target has no authorized IP
1411 addresses. */
1412
1413 if (target_found) return CSA_FAIL_MISMATCH;
1414 else return CSA_FAIL_NOADDR;
1415 }
1416
1417
1418
1419 /*************************************************
1420 * Verify Client SMTP Authorization *
1421 *************************************************/
1422
1423 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1424 to find the CSA SRV record corresponding to the domain argument, or
1425 $sender_helo_name if no argument is provided. It then checks that the
1426 client is authorized, and that its IP address corresponds to the SRV
1427 target's address by calling acl_verify_csa_address() above. The address
1428 should have been returned in the DNS response's ADDITIONAL section, but if
1429 not we perform another DNS lookup to get it.
1430
1431 Arguments:
1432 domain pointer to optional parameter following verify = csa
1433
1434 Returns: CSA_UNKNOWN no valid CSA record found
1435 CSA_OK successfully authorized
1436 CSA_FAIL_* client is definitely not authorized
1437 CSA_DEFER_* there was a DNS problem
1438 */
1439
1440 static int
1441 acl_verify_csa(uschar *domain)
1442 {
1443 tree_node *t;
1444 uschar *found, *p;
1445 int priority, weight, port;
1446 dns_answer dnsa;
1447 dns_scan dnss;
1448 dns_record *rr;
1449 int rc, type;
1450 uschar target[256];
1451
1452 /* Work out the domain we are using for the CSA lookup. The default is the
1453 client's HELO domain. If the client has not said HELO, use its IP address
1454 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1455
1456 while (isspace(*domain) && *domain != '\0') ++domain;
1457 if (*domain == '\0') domain = sender_helo_name;
1458 if (domain == NULL) domain = sender_host_address;
1459 if (sender_host_address == NULL) return CSA_UNKNOWN;
1460
1461 /* If we have an address literal, strip off the framing ready for turning it
1462 into a domain. The framing consists of matched square brackets possibly
1463 containing a keyword and a colon before the actual IP address. */
1464
1465 if (domain[0] == '[')
1466 {
1467 uschar *start = Ustrchr(domain, ':');
1468 if (start == NULL) start = domain;
1469 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1470 }
1471
1472 /* Turn domains that look like bare IP addresses into domains in the reverse
1473 DNS. This code also deals with address literals and $sender_host_address. It's
1474 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1475 address literals, but it's probably the most friendly thing to do. This is an
1476 extension to CSA, so we allow it to be turned off for proper conformance. */
1477
1478 if (string_is_ip_address(domain, NULL) != 0)
1479 {
1480 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1481 dns_build_reverse(domain, target);
1482 domain = target;
1483 }
1484
1485 /* Find out if we've already done the CSA check for this domain. If we have,
1486 return the same result again. Otherwise build a new cached result structure
1487 for this domain. The name is filled in now, and the value is filled in when
1488 we return from this function. */
1489
1490 t = tree_search(csa_cache, domain);
1491 if (t != NULL) return t->data.val;
1492
1493 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1494 Ustrcpy(t->name, domain);
1495 (void)tree_insertnode(&csa_cache, t);
1496
1497 /* Now we are ready to do the actual DNS lookup(s). */
1498
1499 found = domain;
1500 switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1501 {
1502 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1503
1504 default:
1505 return t->data.val = CSA_DEFER_SRV;
1506
1507 /* If we found nothing, the client's authorization is unknown. */
1508
1509 case DNS_NOMATCH:
1510 case DNS_NODATA:
1511 return t->data.val = CSA_UNKNOWN;
1512
1513 /* We got something! Go on to look at the reply in more detail. */
1514
1515 case DNS_SUCCEED:
1516 break;
1517 }
1518
1519 /* Scan the reply for well-formed CSA SRV records. */
1520
1521 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1522 rr != NULL;
1523 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1524 {
1525 if (rr->type != T_SRV) continue;
1526
1527 /* Extract the numerical SRV fields (p is incremented) */
1528
1529 p = rr->data;
1530 GETSHORT(priority, p);
1531 GETSHORT(weight, p);
1532 GETSHORT(port, p);
1533
1534 DEBUG(D_acl)
1535 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1536
1537 /* Check the CSA version number */
1538
1539 if (priority != 1) continue;
1540
1541 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1542 found by dns_special_lookup() is a parent of the one we asked for), we check
1543 the subdomain assertions in the port field. At the moment there's only one
1544 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1545 SRV records of their own. */
1546
1547 if (found != domain)
1548 {
1549 if (port & 1)
1550 return t->data.val = CSA_FAIL_EXPLICIT;
1551 else
1552 return t->data.val = CSA_UNKNOWN;
1553 }
1554
1555 /* This CSA SRV record refers directly to our domain, so we check the value
1556 in the weight field to work out the domain's authorization. 0 and 1 are
1557 unauthorized; 3 means the client is authorized but we can't check the IP
1558 address in order to authenticate it, so we treat it as unknown; values
1559 greater than 3 are undefined. */
1560
1561 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1562
1563 if (weight > 2) continue;
1564
1565 /* Weight == 2, which means the domain is authorized. We must check that the
1566 client's IP address is listed as one of the SRV target addresses. Save the
1567 target hostname then break to scan the additional data for its addresses. */
1568
1569 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1570 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1571
1572 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1573
1574 break;
1575 }
1576
1577 /* If we didn't break the loop then no appropriate records were found. */
1578
1579 if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1580
1581 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1582 A target of "." indicates there are no valid addresses, so the client cannot
1583 be authorized. (This is an odd configuration because weight=2 target=. is
1584 equivalent to weight=1, but we check for it in order to keep load off the
1585 root name servers.) Note that dn_expand() turns "." into "". */
1586
1587 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1588
1589 /* Scan the additional section of the CSA SRV reply for addresses belonging
1590 to the target. If the name server didn't return any additional data (e.g.
1591 because it does not fully support SRV records), we need to do another lookup
1592 to obtain the target addresses; otherwise we have a definitive result. */
1593
1594 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1595 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1596
1597 /* The DNS lookup type corresponds to the IP version used by the client. */
1598
1599 #if HAVE_IPV6
1600 if (Ustrchr(sender_host_address, ':') != NULL)
1601 type = T_AAAA;
1602 else
1603 #endif /* HAVE_IPV6 */
1604 type = T_A;
1605
1606
1607 #if HAVE_IPV6 && defined(SUPPORT_A6)
1608 DNS_LOOKUP_AGAIN:
1609 #endif
1610
1611 switch (dns_lookup(&dnsa, target, type, NULL))
1612 {
1613 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1614
1615 default:
1616 return t->data.val = CSA_DEFER_ADDR;
1617
1618 /* If the query succeeded, scan the addresses and return the result. */
1619
1620 case DNS_SUCCEED:
1621 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1622 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1623 /* else fall through */
1624
1625 /* If the target has no IP addresses, the client cannot have an authorized
1626 IP address. However, if the target site uses A6 records (not AAAA records)
1627 we have to do yet another lookup in order to check them. */
1628
1629 case DNS_NOMATCH:
1630 case DNS_NODATA:
1631
1632 #if HAVE_IPV6 && defined(SUPPORT_A6)
1633 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1634 #endif
1635
1636 return t->data.val = CSA_FAIL_NOADDR;
1637 }
1638 }
1639
1640
1641
1642 /*************************************************
1643 * Handle verification (address & other) *
1644 *************************************************/
1645
1646 enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1647 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
1648 };
1649 typedef struct {
1650 uschar * name;
1651 int value;
1652 unsigned where_allowed; /* bitmap */
1653 BOOL no_options; /* Never has /option(s) following */
1654 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1655 } verify_type_t;
1656 static verify_type_t verify_type_list[] = {
1657 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, TRUE, 0 },
1658 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1659 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1660 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1661 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1662 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1663 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1664 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1665 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1666 FALSE, 6 },
1667 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
1668 };
1669
1670
1671 enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1672 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1673 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1674 CALLOUT_TIME
1675 };
1676 typedef struct {
1677 uschar * name;
1678 int value;
1679 int flag;
1680 BOOL has_option; /* Has =option(s) following */
1681 BOOL timeval; /* Has a time value */
1682 } callout_opt_t;
1683 static callout_opt_t callout_opt_list[] = {
1684 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1685 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1686 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1687 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1688 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1689 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1690 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1691 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1692 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1693 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1694 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1695 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1696 };
1697
1698
1699
1700 /* This function implements the "verify" condition. It is called when
1701 encountered in any ACL, because some tests are almost always permitted. Some
1702 just don't make sense, and always fail (for example, an attempt to test a host
1703 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1704
1705 Arguments:
1706 where where called from
1707 addr the recipient address that the ACL is handling, or NULL
1708 arg the argument of "verify"
1709 user_msgptr pointer for user message
1710 log_msgptr pointer for log message
1711 basic_errno where to put verify errno
1712
1713 Returns: OK verification condition succeeded
1714 FAIL verification failed
1715 DEFER there was a problem verifying
1716 ERROR syntax error
1717 */
1718
1719 static int
1720 acl_verify(int where, address_item *addr, uschar *arg,
1721 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1722 {
1723 int sep = '/';
1724 int callout = -1;
1725 int callout_overall = -1;
1726 int callout_connect = -1;
1727 int verify_options = 0;
1728 int rc;
1729 BOOL verify_header_sender = FALSE;
1730 BOOL defer_ok = FALSE;
1731 BOOL callout_defer_ok = FALSE;
1732 BOOL no_details = FALSE;
1733 BOOL success_on_redirect = FALSE;
1734 address_item *sender_vaddr = NULL;
1735 uschar *verify_sender_address = NULL;
1736 uschar *pm_mailfrom = NULL;
1737 uschar *se_mailfrom = NULL;
1738
1739 /* Some of the verify items have slash-separated options; some do not. Diagnose
1740 an error if options are given for items that don't expect them.
1741 */
1742
1743 uschar *slash = Ustrchr(arg, '/');
1744 uschar *list = arg;
1745 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1746 verify_type_t * vp;
1747
1748 if (ss == NULL) goto BAD_VERIFY;
1749
1750 /* Handle name/address consistency verification in a separate function. */
1751
1752 for (vp= verify_type_list;
1753 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1754 vp++
1755 )
1756 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1757 : strcmpic (ss, vp->name) == 0)
1758 break;
1759 if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1760 goto BAD_VERIFY;
1761
1762 if (vp->no_options && slash != NULL)
1763 {
1764 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1765 "(this verify item has no options)", arg);
1766 return ERROR;
1767 }
1768 if (!(vp->where_allowed & (1<<where)))
1769 {
1770 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1771 return ERROR;
1772 }
1773 switch(vp->value)
1774 {
1775 case VERIFY_REV_HOST_LKUP:
1776 if (sender_host_address == NULL) return OK;
1777 return acl_verify_reverse(user_msgptr, log_msgptr);
1778
1779 case VERIFY_CERT:
1780 /* TLS certificate verification is done at STARTTLS time; here we just
1781 test whether it was successful or not. (This is for optional verification; for
1782 mandatory verification, the connection doesn't last this long.) */
1783
1784 if (tls_in.certificate_verified) return OK;
1785 *user_msgptr = US"no verified certificate";
1786 return FAIL;
1787
1788 case VERIFY_HELO:
1789 /* We can test the result of optional HELO verification that might have
1790 occurred earlier. If not, we can attempt the verification now. */
1791
1792 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1793 return helo_verified? OK : FAIL;
1794
1795 case VERIFY_CSA:
1796 /* Do Client SMTP Authorization checks in a separate function, and turn the
1797 result code into user-friendly strings. */
1798
1799 rc = acl_verify_csa(list);
1800 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1801 csa_reason_string[rc]);
1802 csa_status = csa_status_string[rc];
1803 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1804 return csa_return_code[rc];
1805
1806 case VERIFY_HDR_SYNTAX:
1807 /* Check that all relevant header lines have the correct syntax. If there is
1808 a syntax error, we return details of the error to the sender if configured to
1809 send out full details. (But a "message" setting on the ACL can override, as
1810 always). */
1811
1812 rc = verify_check_headers(log_msgptr);
1813 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1814 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1815 return rc;
1816
1817 case VERIFY_NOT_BLIND:
1818 /* Check that no recipient of this message is "blind", that is, every envelope
1819 recipient must be mentioned in either To: or Cc:. */
1820
1821 rc = verify_check_notblind();
1822 if (rc != OK)
1823 {
1824 *log_msgptr = string_sprintf("bcc recipient detected");
1825 if (smtp_return_error_details)
1826 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1827 }
1828 return rc;
1829
1830 /* The remaining verification tests check recipient and sender addresses,
1831 either from the envelope or from the header. There are a number of
1832 slash-separated options that are common to all of them. */
1833
1834 case VERIFY_HDR_SNDR:
1835 verify_header_sender = TRUE;
1836 break;
1837
1838 case VERIFY_SNDR:
1839 /* In the case of a sender, this can optionally be followed by an address to use
1840 in place of the actual sender (rare special-case requirement). */
1841 {
1842 uschar *s = ss + 6;
1843 if (*s == 0)
1844 verify_sender_address = sender_address;
1845 else
1846 {
1847 while (isspace(*s)) s++;
1848 if (*s++ != '=') goto BAD_VERIFY;
1849 while (isspace(*s)) s++;
1850 verify_sender_address = string_copy(s);
1851 }
1852 }
1853 break;
1854
1855 case VERIFY_RCPT:
1856 break;
1857 }
1858
1859
1860
1861 /* Remaining items are optional; they apply to sender and recipient
1862 verification, including "header sender" verification. */
1863
1864 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1865 != NULL)
1866 {
1867 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1868 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1869 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1870
1871 /* These two old options are left for backwards compatibility */
1872
1873 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1874 {
1875 callout_defer_ok = TRUE;
1876 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1877 }
1878
1879 else if (strcmpic(ss, US"check_postmaster") == 0)
1880 {
1881 pm_mailfrom = US"";
1882 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1883 }
1884
1885 /* The callout option has a number of sub-options, comma separated */
1886
1887 else if (strncmpic(ss, US"callout", 7) == 0)
1888 {
1889 callout = CALLOUT_TIMEOUT_DEFAULT;
1890 ss += 7;
1891 if (*ss != 0)
1892 {
1893 while (isspace(*ss)) ss++;
1894 if (*ss++ == '=')
1895 {
1896 int optsep = ',';
1897 uschar *opt;
1898 uschar buffer[256];
1899 while (isspace(*ss)) ss++;
1900
1901 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1902 != NULL)
1903 {
1904 callout_opt_t * op;
1905 double period = 1.0F;
1906
1907 for (op= callout_opt_list; op->name; op++)
1908 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
1909 break;
1910
1911 verify_options |= op->flag;
1912 if (op->has_option)
1913 {
1914 opt += Ustrlen(op->name);
1915 while (isspace(*opt)) opt++;
1916 if (*opt++ != '=')
1917 {
1918 *log_msgptr = string_sprintf("'=' expected after "
1919 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
1920 return ERROR;
1921 }
1922 while (isspace(*opt)) opt++;
1923 }
1924 if (op->timeval)
1925 {
1926 period = readconf_readtime(opt, 0, FALSE);
1927 if (period < 0)
1928 {
1929 *log_msgptr = string_sprintf("bad time value in ACL condition "
1930 "\"verify %s\"", arg);
1931 return ERROR;
1932 }
1933 }
1934
1935 switch(op->value)
1936 {
1937 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1938 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1939 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1940 case CALLOUT_MAILFROM:
1941 if (!verify_header_sender)
1942 {
1943 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1944 "callout option only for verify=header_sender (detected in ACL "
1945 "condition \"%s\")", arg);
1946 return ERROR;
1947 }
1948 se_mailfrom = string_copy(opt);
1949 break;
1950 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1951 case CALLOUT_MAXWAIT: callout_overall = period; break;
1952 case CALLOUT_CONNECT: callout_connect = period; break;
1953 case CALLOUT_TIME: callout = period; break;
1954 }
1955 }
1956 }
1957 else
1958 {
1959 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1960 "ACL condition \"%s\"", arg);
1961 return ERROR;
1962 }
1963 }
1964 }
1965
1966 /* Option not recognized */
1967
1968 else
1969 {
1970 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1971 "condition \"verify %s\"", ss, arg);
1972 return ERROR;
1973 }
1974 }
1975
1976 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1977 (vopt_callout_recipsender|vopt_callout_recippmaster))
1978 {
1979 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1980 "for a recipient callout";
1981 return ERROR;
1982 }
1983
1984 /* Handle sender-in-header verification. Default the user message to the log
1985 message if giving out verification details. */
1986
1987 if (verify_header_sender)
1988 {
1989 int verrno;
1990 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1991 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1992 &verrno);
1993 if (rc != OK)
1994 {
1995 *basic_errno = verrno;
1996 if (smtp_return_error_details)
1997 {
1998 if (*user_msgptr == NULL && *log_msgptr != NULL)
1999 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
2000 if (rc == DEFER) acl_temp_details = TRUE;
2001 }
2002 }
2003 }
2004
2005 /* Handle a sender address. The default is to verify *the* sender address, but
2006 optionally a different address can be given, for special requirements. If the
2007 address is empty, we are dealing with a bounce message that has no sender, so
2008 we cannot do any checking. If the real sender address gets rewritten during
2009 verification (e.g. DNS widening), set the flag to stop it being rewritten again
2010 during message reception.
2011
2012 A list of verified "sender" addresses is kept to try to avoid doing to much
2013 work repetitively when there are multiple recipients in a message and they all
2014 require sender verification. However, when callouts are involved, it gets too
2015 complicated because different recipients may require different callout options.
2016 Therefore, we always do a full sender verify when any kind of callout is
2017 specified. Caching elsewhere, for instance in the DNS resolver and in the
2018 callout handling, should ensure that this is not terribly inefficient. */
2019
2020 else if (verify_sender_address != NULL)
2021 {
2022 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
2023 != 0)
2024 {
2025 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
2026 "sender verify callout";
2027 return ERROR;
2028 }
2029
2030 sender_vaddr = verify_checked_sender(verify_sender_address);
2031 if (sender_vaddr != NULL && /* Previously checked */
2032 callout <= 0) /* No callout needed this time */
2033 {
2034 /* If the "routed" flag is set, it means that routing worked before, so
2035 this check can give OK (the saved return code value, if set, belongs to a
2036 callout that was done previously). If the "routed" flag is not set, routing
2037 must have failed, so we use the saved return code. */
2038
2039 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
2040 {
2041 rc = sender_vaddr->special_action;
2042 *basic_errno = sender_vaddr->basic_errno;
2043 }
2044 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
2045 }
2046
2047 /* Do a new verification, and cache the result. The cache is used to avoid
2048 verifying the sender multiple times for multiple RCPTs when callouts are not
2049 specified (see comments above).
2050
2051 The cache is also used on failure to give details in response to the first
2052 RCPT that gets bounced for this reason. However, this can be suppressed by
2053 the no_details option, which sets the flag that says "this detail has already
2054 been sent". The cache normally contains just one address, but there may be
2055 more in esoteric circumstances. */
2056
2057 else
2058 {
2059 BOOL routed = TRUE;
2060 uschar *save_address_data = deliver_address_data;
2061
2062 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
2063 if (no_details) setflag(sender_vaddr, af_sverify_told);
2064 if (verify_sender_address[0] != 0)
2065 {
2066 /* If this is the real sender address, save the unrewritten version
2067 for use later in receive. Otherwise, set a flag so that rewriting the
2068 sender in verify_address() does not update sender_address. */
2069
2070 if (verify_sender_address == sender_address)
2071 sender_address_unrewritten = sender_address;
2072 else
2073 verify_options |= vopt_fake_sender;
2074
2075 if (success_on_redirect)
2076 verify_options |= vopt_success_on_redirect;
2077
2078 /* The recipient, qualify, and expn options are never set in
2079 verify_options. */
2080
2081 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
2082 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
2083
2084 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
2085
2086 if (rc == OK)
2087 {
2088 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2089 {
2090 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
2091 verify_sender_address, sender_vaddr->address);
2092 }
2093 else
2094 {
2095 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
2096 verify_sender_address);
2097 }
2098 }
2099 else *basic_errno = sender_vaddr->basic_errno;
2100 }
2101 else rc = OK; /* Null sender */
2102
2103 /* Cache the result code */
2104
2105 if (routed) setflag(sender_vaddr, af_verify_routed);
2106 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2107 sender_vaddr->special_action = rc;
2108 sender_vaddr->next = sender_verified_list;
2109 sender_verified_list = sender_vaddr;
2110
2111 /* Restore the recipient address data, which might have been clobbered by
2112 the sender verification. */
2113
2114 deliver_address_data = save_address_data;
2115 }
2116
2117 /* Put the sender address_data value into $sender_address_data */
2118
2119 sender_address_data = sender_vaddr->p.address_data;
2120 }
2121
2122 /* A recipient address just gets a straightforward verify; again we must handle
2123 the DEFER overrides. */
2124
2125 else
2126 {
2127 address_item addr2;
2128
2129 if (success_on_redirect)
2130 verify_options |= vopt_success_on_redirect;
2131
2132 /* We must use a copy of the address for verification, because it might
2133 get rewritten. */
2134
2135 addr2 = *addr;
2136 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
2137 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
2138 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
2139
2140 *basic_errno = addr2.basic_errno;
2141 *log_msgptr = addr2.message;
2142 *user_msgptr = (addr2.user_message != NULL)?
2143 addr2.user_message : addr2.message;
2144
2145 /* Allow details for temporary error if the address is so flagged. */
2146 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
2147
2148 /* Make $address_data visible */
2149 deliver_address_data = addr2.p.address_data;
2150 }
2151
2152 /* We have a result from the relevant test. Handle defer overrides first. */
2153
2154 if (rc == DEFER && (defer_ok ||
2155 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
2156 {
2157 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
2158 defer_ok? "defer_ok" : "callout_defer_ok");
2159 rc = OK;
2160 }
2161
2162 /* If we've failed a sender, set up a recipient message, and point
2163 sender_verified_failed to the address item that actually failed. */
2164
2165 if (rc != OK && verify_sender_address != NULL)
2166 {
2167 if (rc != DEFER)
2168 {
2169 *log_msgptr = *user_msgptr = US"Sender verify failed";
2170 }
2171 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2172 {
2173 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2174 }
2175 else
2176 {
2177 *log_msgptr = US"Could not complete sender verify callout";
2178 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2179 *log_msgptr;
2180 }
2181
2182 sender_verified_failed = sender_vaddr;
2183 }
2184
2185 /* Verifying an address messes up the values of $domain and $local_part,
2186 so reset them before returning if this is a RCPT ACL. */
2187
2188 if (addr != NULL)
2189 {
2190 deliver_domain = addr->domain;
2191 deliver_localpart = addr->local_part;
2192 }
2193 return rc;
2194
2195 /* Syntax errors in the verify argument come here. */
2196
2197 BAD_VERIFY:
2198 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2199 "\"helo\", \"header_syntax\", \"header_sender\" or "
2200 "\"reverse_host_lookup\" at start of ACL condition "
2201 "\"verify %s\"", arg);
2202 return ERROR;
2203 }
2204
2205
2206
2207
2208 /*************************************************
2209 * Check argument for control= modifier *
2210 *************************************************/
2211
2212 /* Called from acl_check_condition() below
2213
2214 Arguments:
2215 arg the argument string for control=
2216 pptr set to point to the terminating character
2217 where which ACL we are in
2218 log_msgptr for error messages
2219
2220 Returns: CONTROL_xxx value
2221 */
2222
2223 static int
2224 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2225 {
2226 int len;
2227 control_def *d;
2228
2229 for (d = controls_list;
2230 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2231 d++)
2232 {
2233 len = Ustrlen(d->name);
2234 if (Ustrncmp(d->name, arg, len) == 0) break;
2235 }
2236
2237 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2238 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2239 {
2240 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2241 return CONTROL_ERROR;
2242 }
2243
2244 *pptr = arg + len;
2245 return d->value;
2246 }
2247
2248
2249
2250
2251 /*************************************************
2252 * Return a ratelimit error *
2253 *************************************************/
2254
2255 /* Called from acl_ratelimit() below
2256
2257 Arguments:
2258 log_msgptr for error messages
2259 format format string
2260 ... supplementary arguments
2261 ss ratelimit option name
2262 where ACL_WHERE_xxxx indicating which ACL this is
2263
2264 Returns: ERROR
2265 */
2266
2267 static int
2268 ratelimit_error(uschar **log_msgptr, const char *format, ...)
2269 {
2270 va_list ap;
2271 uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2272 va_start(ap, format);
2273 if (!string_vformat(buffer, sizeof(buffer), format, ap))
2274 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2275 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
2276 va_end(ap);
2277 *log_msgptr = string_sprintf(
2278 "error in arguments to \"ratelimit\" condition: %s", buffer);
2279 return ERROR;
2280 }
2281
2282
2283
2284
2285 /*************************************************
2286 * Handle rate limiting *
2287 *************************************************/
2288
2289 /* Called by acl_check_condition() below to calculate the result
2290 of the ACL ratelimit condition.
2291
2292 Note that the return value might be slightly unexpected: if the
2293 sender's rate is above the limit then the result is OK. This is
2294 similar to the dnslists condition, and is so that you can write
2295 ACL clauses like: defer ratelimit = 15 / 1h
2296
2297 Arguments:
2298 arg the option string for ratelimit=
2299 where ACL_WHERE_xxxx indicating which ACL this is
2300 log_msgptr for error messages
2301
2302 Returns: OK - Sender's rate is above limit
2303 FAIL - Sender's rate is below limit
2304 DEFER - Problem opening ratelimit database
2305 ERROR - Syntax error in options.
2306 */
2307
2308 static int
2309 acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
2310 {
2311 double limit, period, count;
2312 uschar *ss;
2313 uschar *key = NULL;
2314 uschar *unique = NULL;
2315 int sep = '/';
2316 BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2317 BOOL noupdate = FALSE, badacl = FALSE;
2318 int mode = RATE_PER_WHAT;
2319 int old_pool, rc;
2320 tree_node **anchor, *t;
2321 open_db dbblock, *dbm;
2322 int dbdb_size;
2323 dbdata_ratelimit *dbd;
2324 dbdata_ratelimit_unique *dbdb;
2325 struct timeval tv;
2326
2327 /* Parse the first two options and record their values in expansion
2328 variables. These variables allow the configuration to have informative
2329 error messages based on rate limits obtained from a table lookup. */
2330
2331 /* First is the maximum number of messages per period / maximum burst
2332 size, which must be greater than or equal to zero. Zero is useful for
2333 rate measurement as opposed to rate limiting. */
2334
2335 sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2336 if (sender_rate_limit == NULL)
2337 limit = -1.0;
2338 else
2339 {
2340 limit = Ustrtod(sender_rate_limit, &ss);
2341 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2342 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2343 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2344 }
2345 if (limit < 0.0 || *ss != '\0')
2346 return ratelimit_error(log_msgptr,
2347 "\"%s\" is not a positive number", sender_rate_limit);
2348
2349 /* Second is the rate measurement period / exponential smoothing time
2350 constant. This must be strictly greater than zero, because zero leads to
2351 run-time division errors. */
2352
2353 sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2354 if (sender_rate_period == NULL) period = -1.0;
2355 else period = readconf_readtime(sender_rate_period, 0, FALSE);
2356 if (period <= 0.0)
2357 return ratelimit_error(log_msgptr,
2358 "\"%s\" is not a time value", sender_rate_period);
2359
2360 /* By default we are counting one of something, but the per_rcpt,
2361 per_byte, and count options can change this. */
2362
2363 count = 1.0;
2364
2365 /* Parse the other options. */
2366
2367 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2368 != NULL)
2369 {
2370 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2371 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2372 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2373 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2374 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2375 else if (strcmpic(ss, US"per_conn") == 0)
2376 {
2377 RATE_SET(mode, PER_CONN);
2378 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2379 badacl = TRUE;
2380 }
2381 else if (strcmpic(ss, US"per_mail") == 0)
2382 {
2383 RATE_SET(mode, PER_MAIL);
2384 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2385 }
2386 else if (strcmpic(ss, US"per_rcpt") == 0)
2387 {
2388 /* If we are running in the RCPT ACL, then we'll count the recipients
2389 one by one, but if we are running when we have accumulated the whole
2390 list then we'll add them all in one batch. */
2391 if (where == ACL_WHERE_RCPT)
2392 RATE_SET(mode, PER_RCPT);
2393 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2394 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2395 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2396 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2397 }
2398 else if (strcmpic(ss, US"per_byte") == 0)
2399 {
2400 /* If we have not yet received the message data and there was no SIZE
2401 declaration on the MAIL comand, then it's safe to just use a value of
2402 zero and let the recorded rate decay as if nothing happened. */
2403 RATE_SET(mode, PER_MAIL);
2404 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2405 else count = message_size < 0 ? 0.0 : (double)message_size;
2406 }
2407 else if (strcmpic(ss, US"per_addr") == 0)
2408 {
2409 RATE_SET(mode, PER_RCPT);
2410 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
2411 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2412 }
2413 else if (strncmpic(ss, US"count=", 6) == 0)
2414 {
2415 uschar *e;
2416 count = Ustrtod(ss+6, &e);
2417 if (count < 0.0 || *e != '\0')
2418 return ratelimit_error(log_msgptr,
2419 "\"%s\" is not a positive number", ss);
2420 }
2421 else if (strncmpic(ss, US"unique=", 7) == 0)
2422 unique = string_copy(ss + 7);
2423 else if (key == NULL)
2424 key = string_copy(ss);
2425 else
2426 key = string_sprintf("%s/%s", key, ss);
2427 }
2428
2429 /* Sanity check. When the badacl flag is set the update mode must either
2430 be readonly (which is the default if it is omitted) or, for backwards
2431 compatibility, a combination of noupdate and strict or leaky. */
2432
2433 if (mode == RATE_PER_CLASH)
2434 return ratelimit_error(log_msgptr, "conflicting per_* options");
2435 if (leaky + strict + readonly > 1)
2436 return ratelimit_error(log_msgptr, "conflicting update modes");
2437 if (badacl && (leaky || strict) && !noupdate)
2438 return ratelimit_error(log_msgptr,
2439 "\"%s\" must not have /leaky or /strict option in %s ACL",
2440 ratelimit_option_string[mode], acl_wherenames[where]);
2441
2442 /* Set the default values of any unset options. In readonly mode we
2443 perform the rate computation without any increment so that its value
2444 decays to eventually allow over-limit senders through. */
2445
2446 if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2447 if (badacl) readonly = TRUE;
2448 if (readonly) count = 0.0;
2449 if (!strict && !readonly) leaky = TRUE;
2450 if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
2451
2452 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2453 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2454 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2455 are added to the key because they alter the meaning of the stored data. */
2456
2457 if (key == NULL)
2458 key = (sender_host_address == NULL)? US"" : sender_host_address;
2459
2460 key = string_sprintf("%s/%s/%s%s",
2461 sender_rate_period,
2462 ratelimit_option_string[mode],
2463 unique == NULL ? "" : "unique/",
2464 key);
2465
2466 HDEBUG(D_acl)
2467 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
2468
2469 /* See if we have already computed the rate by looking in the relevant tree.
2470 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2471 pool so that they survive across resets. In readonly mode we only remember the
2472 result for the rest of this command in case a later command changes it. After
2473 this bit of logic the code is independent of the per_* mode. */
2474
2475 old_pool = store_pool;
2476
2477 if (readonly)
2478 anchor = &ratelimiters_cmd;
2479 else switch(mode) {
2480 case RATE_PER_CONN:
2481 anchor = &ratelimiters_conn;
2482 store_pool = POOL_PERM;
2483 break;
2484 case RATE_PER_BYTE:
2485 case RATE_PER_MAIL:
2486 case RATE_PER_ALLRCPTS:
2487 anchor = &ratelimiters_mail;
2488 break;
2489 case RATE_PER_ADDR:
2490 case RATE_PER_CMD:
2491 case RATE_PER_RCPT:
2492 anchor = &ratelimiters_cmd;
2493 break;
2494 default:
2495 anchor = NULL; /* silence an "unused" complaint */
2496 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2497 "internal ACL error: unknown ratelimit mode %d", mode);
2498 break;
2499 }
2500
2501 t = tree_search(*anchor, key);
2502 if (t != NULL)
2503 {
2504 dbd = t->data.ptr;
2505 /* The following few lines duplicate some of the code below. */
2506 rc = (dbd->rate < limit)? FAIL : OK;
2507 store_pool = old_pool;
2508 sender_rate = string_sprintf("%.1f", dbd->rate);
2509 HDEBUG(D_acl)
2510 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2511 return rc;
2512 }
2513
2514 /* We aren't using a pre-computed rate, so get a previously recorded rate
2515 from the database, which will be updated and written back if required. */
2516
2517 dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2518 if (dbm == NULL)
2519 {
2520 store_pool = old_pool;
2521 sender_rate = NULL;
2522 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2523 *log_msgptr = US"ratelimit database not available";
2524 return DEFER;
2525 }
2526 dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2527 dbd = NULL;
2528
2529 gettimeofday(&tv, NULL);
2530
2531 if (dbdb != NULL)
2532 {
2533 /* Locate the basic ratelimit block inside the DB data. */
2534 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2535 dbd = &dbdb->dbd;
2536
2537 /* Forget the old Bloom filter if it is too old, so that we count each
2538 repeating event once per period. We don't simply clear and re-use the old
2539 filter because we want its size to change if the limit changes. Note that
2540 we keep the dbd pointer for copying the rate into the new data block. */
2541
2542 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2543 {
2544 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2545 dbdb = NULL;
2546 }
2547
2548 /* Sanity check. */
2549
2550 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2551 {
2552 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2553 dbdb = NULL;
2554 }
2555 }
2556
2557 /* Allocate a new data block if the database lookup failed
2558 or the Bloom filter passed its age limit. */
2559
2560 if (dbdb == NULL)
2561 {
2562 if (unique == NULL)
2563 {
2564 /* No Bloom filter. This basic ratelimit block is initialized below. */
2565 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2566 dbdb_size = sizeof(*dbd);
2567 dbdb = store_get(dbdb_size);
2568 }
2569 else
2570 {
2571 int extra;
2572 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2573
2574 /* See the long comment below for an explanation of the magic number 2.
2575 The filter has a minimum size in case the rate limit is very small;
2576 this is determined by the definition of dbdata_ratelimit_unique. */
2577
2578 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2579 if (extra < 0) extra = 0;
2580 dbdb_size = sizeof(*dbdb) + extra;
2581 dbdb = store_get(dbdb_size);
2582 dbdb->bloom_epoch = tv.tv_sec;
2583 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2584 memset(dbdb->bloom, 0, dbdb->bloom_size);
2585
2586 /* Preserve any basic ratelimit data (which is our longer-term memory)
2587 by copying it from the discarded block. */
2588
2589 if (dbd != NULL)
2590 {
2591 dbdb->dbd = *dbd;
2592 dbd = &dbdb->dbd;
2593 }
2594 }
2595 }
2596
2597 /* If we are counting unique events, find out if this event is new or not.
2598 If the client repeats the event during the current period then it should be
2599 counted. We skip this code in readonly mode for efficiency, because any
2600 changes to the filter will be discarded and because count is already set to
2601 zero. */
2602
2603 if (unique != NULL && !readonly)
2604 {
2605 /* We identify unique events using a Bloom filter. (You can find my
2606 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2607 With the per_addr option, an "event" is a recipient address, though the
2608 user can use the unique option to define their own events. We only count
2609 an event if we have not seen it before.
2610
2611 We size the filter according to the rate limit, which (in leaky mode)
2612 is the limit on the population of the filter. We allow 16 bits of space
2613 per entry (see the construction code above) and we set (up to) 8 of them
2614 when inserting an element (see the loop below). The probability of a false
2615 positive (an event we have not seen before but which we fail to count) is
2616
2617 size = limit * 16
2618 numhash = 8
2619 allzero = exp(-numhash * pop / size)
2620 = exp(-0.5 * pop / limit)
2621 fpr = pow(1 - allzero, numhash)
2622
2623 For senders at the limit the fpr is 0.06% or 1 in 1700
2624 and for senders at half the limit it is 0.0006% or 1 in 170000
2625
2626 In strict mode the Bloom filter can fill up beyond the normal limit, in
2627 which case the false positive rate will rise. This means that the
2628 measured rate for very fast senders can bogusly drop off after a while.
2629
2630 At twice the limit, the fpr is 2.5% or 1 in 40
2631 At four times the limit, it is 31% or 1 in 3.2
2632
2633 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2634 decay below the limit, and if this is more than one then the Bloom filter
2635 will be discarded before the decay gets that far. The false positive rate
2636 at this threshold is 9.3% or 1 in 10.7. */
2637
2638 BOOL seen;
2639 unsigned n, hash, hinc;
2640 uschar md5sum[16];
2641 md5 md5info;
2642
2643 /* Instead of using eight independent hash values, we combine two values
2644 using the formula h1 + n * h2. This does not harm the Bloom filter's
2645 performance, and means the amount of hash we need is independent of the
2646 number of bits we set in the filter. */
2647
2648 md5_start(&md5info);
2649 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2650 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2651 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2652
2653 /* Scan the bits corresponding to this event. A zero bit means we have
2654 not seen it before. Ensure all bits are set to record this event. */
2655
2656 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2657
2658 seen = TRUE;
2659 for (n = 0; n < 8; n++, hash += hinc)
2660 {
2661 int bit = 1 << (hash % 8);
2662 int byte = (hash / 8) % dbdb->bloom_size;
2663 if ((dbdb->bloom[byte] & bit) == 0)
2664 {
2665 dbdb->bloom[byte] |= bit;
2666 seen = FALSE;
2667 }
2668 }
2669
2670 /* If this event has occurred before, do not count it. */
2671
2672 if (seen)
2673 {
2674 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2675 count = 0.0;
2676 }
2677 else
2678 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2679 }
2680
2681 /* If there was no previous ratelimit data block for this key, initialize
2682 the new one, otherwise update the block from the database. The initial rate
2683 is what would be computed by the code below for an infinite interval. */
2684
2685 if (dbd == NULL)
2686 {
2687 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2688 dbd = &dbdb->dbd;
2689 dbd->time_stamp = tv.tv_sec;
2690 dbd->time_usec = tv.tv_usec;
2691 dbd->rate = count;
2692 }
2693 else
2694 {
2695 /* The smoothed rate is computed using an exponentially weighted moving
2696 average adjusted for variable sampling intervals. The standard EWMA for
2697 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2698 where f() is the measured value and f'() is the smoothed value.
2699
2700 Old data decays out of the smoothed value exponentially, such that data n
2701 samples old is multiplied by a^n. The exponential decay time constant p
2702 is defined such that data p samples old is multiplied by 1/e, which means
2703 that a = exp(-1/p). We can maintain the same time constant for a variable
2704 sampling interval i by using a = exp(-i/p).
2705
2706 The rate we are measuring is messages per period, suitable for directly
2707 comparing with the limit. The average rate between now and the previous
2708 message is period / interval, which we feed into the EWMA as the sample.
2709
2710 It turns out that the number of messages required for the smoothed rate
2711 to reach the limit when they are sent in a burst is equal to the limit.
2712 This can be seen by analysing the value of the smoothed rate after N
2713 messages sent at even intervals. Let k = (1 - a) * p/i
2714
2715 rate_1 = (1 - a) * p/i + a * rate_0
2716 = k + a * rate_0
2717 rate_2 = k + a * rate_1
2718 = k + a * k + a^2 * rate_0
2719 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2720 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2721 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2722 = rate_0 * a^N + p/i * (1 - a^N)
2723
2724 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2725
2726 rate_N = p/i + (rate_0 - p/i) * a^N
2727 a^N = (rate_N - p/i) / (rate_0 - p/i)
2728 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2729 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2730
2731 Numerical analysis of the above equation, setting the computed rate to
2732 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2733 rates, p/i, the number of messages N = limit. So limit serves as both the
2734 maximum rate measured in messages per period, and the maximum number of
2735 messages that can be sent in a fast burst. */
2736
2737 double this_time = (double)tv.tv_sec
2738 + (double)tv.tv_usec / 1000000.0;
2739 double prev_time = (double)dbd->time_stamp
2740 + (double)dbd->time_usec / 1000000.0;
2741
2742 /* We must avoid division by zero, and deal gracefully with the clock going
2743 backwards. If we blunder ahead when time is in reverse then the computed
2744 rate will be bogus. To be safe we clamp interval to a very small number. */
2745
2746 double interval = this_time - prev_time <= 0.0 ? 1e-9
2747 : this_time - prev_time;
2748
2749 double i_over_p = interval / period;
2750 double a = exp(-i_over_p);
2751
2752 /* Combine the instantaneous rate (period / interval) with the previous rate
2753 using the smoothing factor a. In order to measure sized events, multiply the
2754 instantaneous rate by the count of bytes or recipients etc. */
2755
2756 dbd->time_stamp = tv.tv_sec;
2757 dbd->time_usec = tv.tv_usec;
2758 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2759
2760 /* When events are very widely spaced the computed rate tends towards zero.
2761 Although this is accurate it turns out not to be useful for our purposes,
2762 especially when the first event after a long silence is the start of a spam
2763 run. A more useful model is that the rate for an isolated event should be the
2764 size of the event per the period size, ignoring the lack of events outside
2765 the current period and regardless of where the event falls in the period. So,
2766 if the interval was so long that the calculated rate is unhelpfully small, we
2767 re-intialize the rate. In the absence of higher-rate bursts, the condition
2768 below is true if the interval is greater than the period. */
2769
2770 if (dbd->rate < count) dbd->rate = count;
2771 }
2772
2773 /* Clients sending at the limit are considered to be over the limit.
2774 This matters for edge cases such as a limit of zero, when the client
2775 should be completely blocked. */
2776
2777 rc = (dbd->rate < limit)? FAIL : OK;
2778
2779 /* Update the state if the rate is low or if we are being strict. If we
2780 are in leaky mode and the sender's rate is too high, we do not update
2781 the recorded rate in order to avoid an over-aggressive sender's retry
2782 rate preventing them from getting any email through. If readonly is set,
2783 neither leaky nor strict are set, so we do not do any updates. */
2784
2785 if ((rc == FAIL && leaky) || strict)
2786 {
2787 dbfn_write(dbm, key, dbdb, dbdb_size);
2788 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2789 }
2790 else
2791 {
2792 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
2793 readonly? "readonly mode" : "over the limit, but leaky");
2794 }
2795
2796 dbfn_close(dbm);
2797
2798 /* Store the result in the tree for future reference. */
2799
2800 t = store_get(sizeof(tree_node) + Ustrlen(key));
2801 t->data.ptr = dbd;
2802 Ustrcpy(t->name, key);
2803 (void)tree_insertnode(anchor, t);
2804
2805 /* We create the formatted version of the sender's rate very late in
2806 order to ensure that it is done using the correct storage pool. */
2807
2808 store_pool = old_pool;
2809 sender_rate = string_sprintf("%.1f", dbd->rate);
2810
2811 HDEBUG(D_acl)
2812 debug_printf("ratelimit computed rate %s\n", sender_rate);
2813
2814 return rc;
2815 }
2816
2817
2818
2819 /*************************************************
2820 * Handle conditions/modifiers on an ACL item *
2821 *************************************************/
2822
2823 /* Called from acl_check() below.
2824
2825 Arguments:
2826 verb ACL verb
2827 cb ACL condition block - if NULL, result is OK
2828 where where called from
2829 addr the address being checked for RCPT, or NULL
2830 level the nesting level
2831 epp pointer to pass back TRUE if "endpass" encountered
2832 (applies only to "accept" and "discard")
2833 user_msgptr user message pointer
2834 log_msgptr log message pointer
2835 basic_errno pointer to where to put verify error
2836
2837 Returns: OK - all conditions are met
2838 DISCARD - an "acl" condition returned DISCARD - only allowed
2839 for "accept" or "discard" verbs
2840 FAIL - at least one condition fails
2841 FAIL_DROP - an "acl" condition returned FAIL_DROP
2842 DEFER - can't tell at the moment (typically, lookup defer,
2843 but can be temporary callout problem)
2844 ERROR - ERROR from nested ACL or expansion failure or other
2845 error
2846 */
2847
2848 static int
2849 acl_check_condition(int verb, acl_condition_block *cb, int where,
2850 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2851 uschar **log_msgptr, int *basic_errno)
2852 {
2853 uschar *user_message = NULL;
2854 uschar *log_message = NULL;
2855 uschar *debug_tag = NULL;
2856 uschar *debug_opts = NULL;
2857 uschar *p = NULL;
2858 int rc = OK;
2859 #ifdef WITH_CONTENT_SCAN
2860 int sep = '/';
2861 #endif
2862
2863 for (; cb != NULL; cb = cb->next)
2864 {
2865 uschar *arg;
2866 int control_type;
2867
2868 /* The message and log_message items set up messages to be used in
2869 case of rejection. They are expanded later. */
2870
2871 if (cb->type == ACLC_MESSAGE)
2872 {
2873 user_message = cb->arg;
2874 continue;
2875 }
2876
2877 if (cb->type == ACLC_LOG_MESSAGE)
2878 {
2879 log_message = cb->arg;
2880 continue;
2881 }
2882
2883 /* The endpass "condition" just sets a flag to show it occurred. This is
2884 checked at compile time to be on an "accept" or "discard" item. */
2885
2886 if (cb->type == ACLC_ENDPASS)
2887 {
2888 *epp = TRUE;
2889 continue;
2890 }
2891
2892 /* For other conditions and modifiers, the argument is expanded now for some
2893 of them, but not for all, because expansion happens down in some lower level
2894 checking functions in some cases. */
2895
2896 if (cond_expand_at_top[cb->type])
2897 {
2898 arg = expand_string(cb->arg);
2899 if (arg == NULL)
2900 {
2901 if (expand_string_forcedfail) continue;
2902 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2903 cb->arg, expand_string_message);
2904 return search_find_defer? DEFER : ERROR;
2905 }
2906 }
2907 else arg = cb->arg;
2908
2909 /* Show condition, and expanded condition if it's different */
2910
2911 HDEBUG(D_acl)
2912 {
2913 int lhswidth = 0;
2914 debug_printf("check %s%s %n",
2915 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2916 conditions[cb->type], &lhswidth);
2917
2918 if (cb->type == ACLC_SET)
2919 {
2920 debug_printf("acl_%s ", cb->u.varname);
2921 lhswidth += 5 + Ustrlen(cb->u.varname);
2922 }
2923
2924 debug_printf("= %s\n", cb->arg);
2925
2926 if (arg != cb->arg)
2927 debug_printf("%.*s= %s\n", lhswidth,
2928 US" ", CS arg);
2929 }
2930
2931 /* Check that this condition makes sense at this time */
2932
2933 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2934 {
2935 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2936 cond_modifiers[cb->type]? "use" : "test",
2937 conditions[cb->type], acl_wherenames[where]);
2938 return ERROR;
2939 }
2940
2941 /* Run the appropriate test for each condition, or take the appropriate
2942 action for the remaining modifiers. */
2943
2944 switch(cb->type)
2945 {
2946 case ACLC_ADD_HEADER:
2947 setup_header(arg);
2948 break;
2949
2950 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2951 "discard" verb. */
2952
2953 case ACLC_ACL:
2954 rc = acl_check_wargs(where, addr, arg, level+1, user_msgptr, log_msgptr);
2955 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2956 {
2957 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2958 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2959 verbs[verb]);
2960 return ERROR;
2961 }
2962 break;
2963
2964 case ACLC_AUTHENTICATED:
2965 rc = (sender_host_authenticated == NULL)? FAIL :
2966 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2967 TRUE, NULL);
2968 break;
2969
2970 #ifdef EXPERIMENTAL_BRIGHTMAIL
2971 case ACLC_BMI_OPTIN:
2972 {
2973 int old_pool = store_pool;
2974 store_pool = POOL_PERM;
2975 bmi_current_optin = string_copy(arg);
2976 store_pool = old_pool;
2977 }
2978 break;
2979 #endif
2980
2981 case ACLC_CONDITION:
2982 /* The true/false parsing here should be kept in sync with that used in
2983 expand.c when dealing with ECOND_BOOL so that we don't have too many
2984 different definitions of what can be a boolean. */
2985 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2986 rc = (Uatoi(arg) == 0)? FAIL : OK;
2987 else
2988 rc = (strcmpic(arg, US"no") == 0 ||
2989 strcmpic(arg, US"false") == 0)? FAIL :
2990 (strcmpic(arg, US"yes") == 0 ||
2991 strcmpic(arg, US"true") == 0)? OK : DEFER;
2992 if (rc == DEFER)
2993 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2994 break;
2995
2996 case ACLC_CONTINUE: /* Always succeeds */
2997 break;
2998
2999 case ACLC_CONTROL:
3000 control_type = decode_control(arg, &p, where, log_msgptr);
3001
3002 /* Check if this control makes sense at this time */
3003
3004 if ((control_forbids[control_type] & (1 << where)) != 0)
3005 {
3006 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
3007 controls[control_type], acl_wherenames[where]);
3008 return ERROR;
3009 }
3010
3011 switch(control_type)
3012 {
3013 case CONTROL_AUTH_UNADVERTISED:
3014 allow_auth_unadvertised = TRUE;
3015 break;
3016
3017 #ifdef EXPERIMENTAL_BRIGHTMAIL
3018 case CONTROL_BMI_RUN:
3019 bmi_run = 1;
3020 break;
3021 #endif
3022
3023 #ifndef DISABLE_DKIM
3024 case CONTROL_DKIM_VERIFY:
3025 dkim_disable_verify = TRUE;
3026 #ifdef EXPERIMENTAL_DMARC
3027 /* Since DKIM was blocked, skip DMARC too */
3028 dmarc_disable_verify = TRUE;
3029 dmarc_enable_forensic = FALSE;
3030 #endif
3031 break;
3032 #endif
3033
3034 #ifdef EXPERIMENTAL_DMARC
3035 case CONTROL_DMARC_VERIFY:
3036 dmarc_disable_verify = TRUE;
3037 break;
3038
3039 case CONTROL_DMARC_FORENSIC:
3040 dmarc_enable_forensic = TRUE;
3041 break;
3042 #endif
3043
3044 case CONTROL_DSCP:
3045 if (*p == '/')
3046 {
3047 int fd, af, level, optname, value;
3048 /* If we are acting on stdin, the setsockopt may fail if stdin is not
3049 a socket; we can accept that, we'll just debug-log failures anyway. */
3050 fd = fileno(smtp_in);
3051 af = ip_get_address_family(fd);
3052 if (af < 0)
3053 {
3054 HDEBUG(D_acl)
3055 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
3056 strerror(errno));
3057 break;
3058 }
3059 if (dscp_lookup(p+1, af, &level, &optname, &value))
3060 {
3061 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3062 {
3063 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
3064 p+1, strerror(errno));
3065 }
3066 else
3067 {
3068 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
3069 }
3070 }
3071 else
3072 {
3073 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3074 return ERROR;
3075 }
3076 }
3077 else
3078 {
3079 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3080 return ERROR;
3081 }
3082 break;
3083
3084 case CONTROL_ERROR:
3085 return ERROR;
3086
3087 case CONTROL_CASEFUL_LOCAL_PART:
3088 deliver_localpart = addr->cc_local_part;
3089 break;
3090
3091 case CONTROL_CASELOWER_LOCAL_PART:
3092 deliver_localpart = addr->lc_local_part;
3093 break;
3094
3095 case CONTROL_ENFORCE_SYNC:
3096 smtp_enforce_sync = TRUE;
3097 break;
3098
3099 case CONTROL_NO_ENFORCE_SYNC:
3100 smtp_enforce_sync = FALSE;
3101 break;
3102
3103 #ifdef WITH_CONTENT_SCAN
3104 case CONTROL_NO_MBOX_UNSPOOL:
3105 no_mbox_unspool = TRUE;
3106 break;
3107 #endif
3108
3109 case CONTROL_NO_MULTILINE:
3110 no_multiline_responses = TRUE;
3111 break;
3112
3113 case CONTROL_NO_PIPELINING:
3114 pipelining_enable = FALSE;
3115 break;
3116
3117 case CONTROL_NO_DELAY_FLUSH:
3118 disable_delay_flush = TRUE;
3119 break;
3120
3121 case CONTROL_NO_CALLOUT_FLUSH:
3122 disable_callout_flush = TRUE;
3123 break;
3124
3125 case CONTROL_FAKEDEFER:
3126 case CONTROL_FAKEREJECT:
3127 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
3128 if (*p == '/')
3129 {
3130 uschar *pp = p + 1;
3131 while (*pp != 0) pp++;
3132 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
3133 p = pp;
3134 }
3135 else
3136 {
3137 /* Explicitly reset to default string */
3138 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
3139 }
3140 break;
3141
3142 case CONTROL_FREEZE:
3143 deliver_freeze = TRUE;
3144 deliver_frozen_at = time(NULL);
3145 freeze_tell = freeze_tell_config; /* Reset to configured value */
3146 if (Ustrncmp(p, "/no_tell", 8) == 0)
3147 {
3148 p += 8;
3149 freeze_tell = NULL;
3150 }
3151 if (*p != 0)
3152 {
3153 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3154 return ERROR;
3155 }
3156 break;
3157
3158 case CONTROL_QUEUE_ONLY:
3159 queue_only_policy = TRUE;
3160 break;
3161
3162 case CONTROL_SUBMISSION:
3163 originator_name = US"";
3164 submission_mode = TRUE;
3165 while (*p == '/')
3166 {
3167 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3168 {
3169 p += 14;
3170 active_local_sender_retain = TRUE;
3171 active_local_from_check = FALSE;
3172 }
3173 else if (Ustrncmp(p, "/domain=", 8) == 0)
3174 {
3175 uschar *pp = p + 8;
3176 while (*pp != 0 && *pp != '/') pp++;
3177 submission_domain = string_copyn(p+8, pp-p-8);
3178 p = pp;
3179 }
3180 /* The name= option must be last, because it swallows the rest of
3181 the string. */
3182 else if (Ustrncmp(p, "/name=", 6) == 0)
3183 {
3184 uschar *pp = p + 6;
3185 while (*pp != 0) pp++;
3186 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
3187 big_buffer, big_buffer_size));
3188 p = pp;
3189 }
3190 else break;
3191 }
3192 if (*p != 0)
3193 {
3194 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3195 return ERROR;
3196 }
3197 break;
3198
3199 case CONTROL_DEBUG:
3200 while (*p == '/')
3201 {
3202 if (Ustrncmp(p, "/tag=", 5) == 0)
3203 {
3204 uschar *pp = p + 5;
3205 while (*pp != '\0' && *pp != '/') pp++;
3206 debug_tag = string_copyn(p+5, pp-p-5);
3207 p = pp;
3208 }
3209 else if (Ustrncmp(p, "/opts=", 6) == 0)
3210 {
3211 uschar *pp = p + 6;
3212 while (*pp != '\0' && *pp != '/') pp++;
3213 debug_opts = string_copyn(p+6, pp-p-6);
3214 p = pp;
3215 }
3216 }
3217 debug_logging_activate(debug_tag, debug_opts);
3218 break;
3219
3220 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3221 suppress_local_fixups = TRUE;
3222 break;
3223
3224 case CONTROL_CUTTHROUGH_DELIVERY:
3225 if (deliver_freeze)
3226 {
3227 *log_msgptr = string_sprintf("\"control=%s\" on frozen item", arg);
3228 return ERROR;
3229 }
3230 if (queue_only_policy)
3231 {
3232 *log_msgptr = string_sprintf("\"control=%s\" on queue-only item", arg);
3233 return ERROR;
3234 }
3235 cutthrough_delivery = TRUE;
3236 break;
3237 }
3238 break;
3239
3240 #ifdef EXPERIMENTAL_DCC
3241 case ACLC_DCC:
3242 {
3243 /* Seperate the regular expression and any optional parameters. */
3244 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3245 /* Run the dcc backend. */
3246 rc = dcc_process(&ss);
3247 /* Modify return code based upon the existance of options. */
3248 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3249 != NULL) {
3250 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3251 {
3252 /* FAIL so that the message is passed to the next ACL */
3253 rc = FAIL;
3254 }
3255 }
3256 }
3257 break;
3258 #endif
3259
3260 #ifdef WITH_CONTENT_SCAN
3261 case ACLC_DECODE:
3262 rc = mime_decode(&arg);
3263 break;
3264 #endif
3265
3266 case ACLC_DELAY:
3267 {
3268 int delay = readconf_readtime(arg, 0, FALSE);
3269 if (delay < 0)
3270 {
3271 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3272 "modifier: \"%s\" is not a time value", arg);
3273 return ERROR;
3274 }
3275 else
3276 {
3277 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3278 delay);
3279 if (host_checking)
3280 {
3281 HDEBUG(D_acl)
3282 debug_printf("delay skipped in -bh checking mode\n");
3283 }
3284
3285 /* It appears to be impossible to detect that a TCP/IP connection has
3286 gone away without reading from it. This means that we cannot shorten
3287 the delay below if the client goes away, because we cannot discover
3288 that the client has closed its end of the connection. (The connection
3289 is actually in a half-closed state, waiting for the server to close its
3290 end.) It would be nice to be able to detect this state, so that the
3291 Exim process is not held up unnecessarily. However, it seems that we
3292 can't. The poll() function does not do the right thing, and in any case
3293 it is not always available.
3294
3295 NOTE 1: If ever this state of affairs changes, remember that we may be
3296 dealing with stdin/stdout here, in addition to TCP/IP connections.
3297 Also, delays may be specified for non-SMTP input, where smtp_out and
3298 smtp_in will be NULL. Whatever is done must work in all cases.
3299
3300 NOTE 2: The added feature of flushing the output before a delay must
3301 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3302 */
3303
3304 else
3305 {
3306 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
3307 while (delay > 0) delay = sleep(delay);
3308 }
3309 }
3310 }
3311 break;
3312
3313 #ifdef WITH_OLD_DEMIME
3314 case ACLC_DEMIME:
3315 rc = demime(&arg);
3316 break;
3317 #endif
3318
3319 #ifndef DISABLE_DKIM
3320 case ACLC_DKIM_SIGNER:
3321 if (dkim_cur_signer != NULL)
3322 rc = match_isinlist(dkim_cur_signer,
3323 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3324 else
3325 rc = FAIL;
3326 break;
3327
3328 case ACLC_DKIM_STATUS:
3329 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3330 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3331 break;
3332 #endif
3333
3334 #ifdef EXPERIMENTAL_DMARC
3335 case ACLC_DMARC_STATUS:
3336 if (!dmarc_has_been_checked)
3337 dmarc_process();
3338 dmarc_has_been_checked = TRUE;
3339 /* used long way of dmarc_exim_expand_query() in case we need more
3340 * view into the process in the future. */
3341 rc = match_isinlist(dmarc_exim_expand_query(DMARC_VERIFY_STATUS),
3342 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3343 break;
3344 #endif
3345
3346 case ACLC_DNSLISTS:
3347 rc = verify_check_dnsbl(&arg);
3348 break;
3349
3350 case ACLC_DOMAINS:
3351 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3352 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3353 break;
3354
3355 /* The value in tls_cipher is the full cipher name, for example,
3356 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3357 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3358 what may in practice come out of the SSL library - which at the time of
3359 writing is poorly documented. */
3360
3361 case ACLC_ENCRYPTED:
3362 if (tls_in.cipher == NULL) rc = FAIL; else
3363 {
3364 uschar *endcipher = NULL;
3365 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3366 if (cipher == NULL) cipher = tls_in.cipher; else
3367 {
3368 endcipher = Ustrchr(++cipher, ':');
3369 if (endcipher != NULL) *endcipher = 0;
3370 }
3371 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3372 if (endcipher != NULL) *endcipher = ':';
3373 }
3374 break;
3375
3376 /* Use verify_check_this_host() instead of verify_check_host() so that
3377 we can pass over &host_data to catch any looked up data. Once it has been
3378 set, it retains its value so that it's still there if another ACL verb
3379 comes through here and uses the cache. However, we must put it into
3380 permanent store in case it is also expected to be used in a subsequent
3381 message in the same SMTP connection. */
3382
3383 case ACLC_HOSTS:
3384 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3385 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3386 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3387 break;
3388
3389 case ACLC_LOCAL_PARTS:
3390 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3391 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3392 &deliver_localpart_data);
3393 break;
3394
3395 case ACLC_LOG_REJECT_TARGET:
3396 {
3397 int logbits = 0;
3398 int sep = 0;
3399 uschar *s = arg;
3400 uschar *ss;
3401 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3402 != NULL)
3403 {
3404 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3405 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3406 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3407 else
3408 {
3409 logbits |= LOG_MAIN|LOG_REJECT;
3410 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3411 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3412 }
3413 }
3414 log_reject_target = logbits;
3415 }
3416 break;
3417
3418 case ACLC_LOGWRITE:
3419 {
3420 int logbits = 0;
3421 uschar *s = arg;
3422 if (*s == ':')
3423 {
3424 s++;
3425 while (*s != ':')
3426 {
3427 if (Ustrncmp(s, "main", 4) == 0)
3428 { logbits |= LOG_MAIN; s += 4; }
3429 else if (Ustrncmp(s, "panic", 5) == 0)
3430 { logbits |= LOG_PANIC; s += 5; }
3431 else if (Ustrncmp(s, "reject", 6) == 0)
3432 { logbits |= LOG_REJECT; s += 6; }
3433 else
3434 {
3435 logbits = LOG_MAIN|LOG_PANIC;
3436 s = string_sprintf(":unknown log name in \"%s\" in "
3437 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3438 }
3439 if (*s == ',') s++;
3440 }
3441 s++;
3442 }
3443 while (isspace(*s)) s++;
3444
3445
3446 if (logbits == 0) logbits = LOG_MAIN;
3447 log_write(0, logbits, "%s", string_printing(s));
3448 }
3449 break;
3450
3451 #ifdef WITH_CONTENT_SCAN
3452 case ACLC_MALWARE:
3453 {
3454 /* Separate the regular expression and any optional parameters. */
3455 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3456 /* Run the malware backend. */
3457 rc = malware(&ss);
3458 /* Modify return code based upon the existance of options. */
3459 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3460 != NULL) {
3461 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3462 {
3463 /* FAIL so that the message is passed to the next ACL */
3464 rc = FAIL;
3465 }
3466 }
3467 }
3468 break;
3469
3470 case ACLC_MIME_REGEX:
3471 rc = mime_regex(&arg);
3472 break;
3473 #endif
3474
3475 case ACLC_RATELIMIT:
3476 rc = acl_ratelimit(arg, where, log_msgptr);
3477 break;
3478
3479 case ACLC_RECIPIENTS:
3480 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3481 &recipient_data);
3482 break;