ACL: control = queue/first_pass_route
[exim.git] / src / src / acl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Code for handling Access Control Lists (ACLs) */
9
10 #include "exim.h"
11
12
13 /* Default callout timeout */
14
15 #define CALLOUT_TIMEOUT_DEFAULT 30
16
17 /* ACL verb codes - keep in step with the table of verbs that follows */
18
19 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22 /* ACL verbs */
23
24 static uschar *verbs[] = {
25 [ACL_ACCEPT] = US"accept",
26 [ACL_DEFER] = US"defer",
27 [ACL_DENY] = US"deny",
28 [ACL_DISCARD] = US"discard",
29 [ACL_DROP] = US"drop",
30 [ACL_REQUIRE] = US"require",
31 [ACL_WARN] = US"warn"
32 };
33
34 /* For each verb, the conditions for which "message" or "log_message" are used
35 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
36 "accept", the FAIL case is used only after "endpass", but that is selected in
37 the code. */
38
39 static int msgcond[] = {
40 [ACL_ACCEPT] = BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
41 [ACL_DEFER] = BIT(OK),
42 [ACL_DENY] = BIT(OK),
43 [ACL_DISCARD] = BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
44 [ACL_DROP] = BIT(OK),
45 [ACL_REQUIRE] = BIT(FAIL) | BIT(FAIL_DROP),
46 [ACL_WARN] = BIT(OK)
47 };
48
49 /* ACL condition and modifier codes - keep in step with the table that
50 follows.
51 down. */
52
53 enum { ACLC_ACL,
54 ACLC_ADD_HEADER,
55 ACLC_AUTHENTICATED,
56 #ifdef EXPERIMENTAL_BRIGHTMAIL
57 ACLC_BMI_OPTIN,
58 #endif
59 ACLC_CONDITION,
60 ACLC_CONTINUE,
61 ACLC_CONTROL,
62 #ifdef EXPERIMENTAL_DCC
63 ACLC_DCC,
64 #endif
65 #ifdef WITH_CONTENT_SCAN
66 ACLC_DECODE,
67 #endif
68 ACLC_DELAY,
69 #ifndef DISABLE_DKIM
70 ACLC_DKIM_SIGNER,
71 ACLC_DKIM_STATUS,
72 #endif
73 #ifdef SUPPORT_DMARC
74 ACLC_DMARC_STATUS,
75 #endif
76 ACLC_DNSLISTS,
77 ACLC_DOMAINS,
78 ACLC_ENCRYPTED,
79 ACLC_ENDPASS,
80 ACLC_HOSTS,
81 ACLC_LOCAL_PARTS,
82 ACLC_LOG_MESSAGE,
83 ACLC_LOG_REJECT_TARGET,
84 ACLC_LOGWRITE,
85 #ifdef WITH_CONTENT_SCAN
86 ACLC_MALWARE,
87 #endif
88 ACLC_MESSAGE,
89 #ifdef WITH_CONTENT_SCAN
90 ACLC_MIME_REGEX,
91 #endif
92 ACLC_QUEUE,
93 ACLC_RATELIMIT,
94 ACLC_RECIPIENTS,
95 #ifdef WITH_CONTENT_SCAN
96 ACLC_REGEX,
97 #endif
98 ACLC_REMOVE_HEADER,
99 ACLC_SENDER_DOMAINS,
100 ACLC_SENDERS,
101 ACLC_SET,
102 #ifdef WITH_CONTENT_SCAN
103 ACLC_SPAM,
104 #endif
105 #ifdef SUPPORT_SPF
106 ACLC_SPF,
107 ACLC_SPF_GUESS,
108 #endif
109 ACLC_UDPSEND,
110 ACLC_VERIFY };
111
112 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
113 "message", "log_message", "log_reject_target", "logwrite", "queue" and "set" are
114 modifiers that look like conditions but always return TRUE. They are used for
115 their side effects. */
116
117 typedef struct condition_def {
118 uschar *name;
119
120 /* Flag to indicate the condition/modifier has a string expansion done
121 at the outer level. In the other cases, expansion already occurs in the
122 checking functions. */
123 BOOL expand_at_top:1;
124
125 BOOL is_modifier:1;
126
127 /* Bit map vector of which conditions and modifiers are not allowed at certain
128 times. For each condition and modifier, there's a bitmap of dis-allowed times.
129 For some, it is easier to specify the negation of a small number of allowed
130 times. */
131 unsigned forbids;
132
133 } condition_def;
134
135 static condition_def conditions[] = {
136 [ACLC_ACL] = { US"acl", FALSE, FALSE, 0 },
137
138 [ACLC_ADD_HEADER] = { US"add_header", TRUE, TRUE,
139 (unsigned int)
140 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
141 ACL_BIT_PREDATA | ACL_BIT_DATA |
142 #ifndef DISABLE_PRDR
143 ACL_BIT_PRDR |
144 #endif
145 ACL_BIT_MIME | ACL_BIT_NOTSMTP |
146 ACL_BIT_DKIM |
147 ACL_BIT_NOTSMTP_START),
148 },
149
150 [ACLC_AUTHENTICATED] = { US"authenticated", FALSE, FALSE,
151 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START |
152 ACL_BIT_CONNECT | ACL_BIT_HELO,
153 },
154 #ifdef EXPERIMENTAL_BRIGHTMAIL
155 [ACLC_BMI_OPTIN] = { US"bmi_optin", TRUE, TRUE,
156 ACL_BIT_AUTH |
157 ACL_BIT_CONNECT | ACL_BIT_HELO |
158 ACL_BIT_DATA | ACL_BIT_MIME |
159 # ifndef DISABLE_PRDR
160 ACL_BIT_PRDR |
161 # endif
162 ACL_BIT_ETRN | ACL_BIT_EXPN |
163 ACL_BIT_MAILAUTH |
164 ACL_BIT_MAIL | ACL_BIT_STARTTLS |
165 ACL_BIT_VRFY | ACL_BIT_PREDATA |
166 ACL_BIT_NOTSMTP_START,
167 },
168 #endif
169 [ACLC_CONDITION] = { US"condition", TRUE, FALSE, 0 },
170 [ACLC_CONTINUE] = { US"continue", TRUE, TRUE, 0 },
171
172 /* Certain types of control are always allowed, so we let it through
173 always and check in the control processing itself. */
174 [ACLC_CONTROL] = { US"control", TRUE, TRUE, 0 },
175
176 #ifdef EXPERIMENTAL_DCC
177 [ACLC_DCC] = { US"dcc", TRUE, FALSE,
178 (unsigned int)
179 ~(ACL_BIT_DATA |
180 # ifndef DISABLE_PRDR
181 ACL_BIT_PRDR |
182 # endif
183 ACL_BIT_NOTSMTP),
184 },
185 #endif
186 #ifdef WITH_CONTENT_SCAN
187 [ACLC_DECODE] = { US"decode", TRUE, FALSE, (unsigned int) ~ACL_BIT_MIME },
188
189 #endif
190 [ACLC_DELAY] = { US"delay", TRUE, TRUE, ACL_BIT_NOTQUIT },
191 #ifndef DISABLE_DKIM
192 [ACLC_DKIM_SIGNER] = { US"dkim_signers", TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM },
193 [ACLC_DKIM_STATUS] = { US"dkim_status", TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM },
194 #endif
195 #ifdef SUPPORT_DMARC
196 [ACLC_DMARC_STATUS] = { US"dmarc_status", TRUE, FALSE, (unsigned int) ~ACL_BIT_DATA },
197 #endif
198
199 /* Explicit key lookups can be made in non-smtp ACLs so pass
200 always and check in the verify processing itself. */
201 [ACLC_DNSLISTS] = { US"dnslists", TRUE, FALSE, 0 },
202
203 [ACLC_DOMAINS] = { US"domains", FALSE, FALSE,
204 (unsigned int)
205 ~(ACL_BIT_RCPT | ACL_BIT_VRFY
206 #ifndef DISABLE_PRDR
207 |ACL_BIT_PRDR
208 #endif
209 ),
210 },
211 [ACLC_ENCRYPTED] = { US"encrypted", FALSE, FALSE,
212 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START |
213 ACL_BIT_HELO,
214 },
215
216 [ACLC_ENDPASS] = { US"endpass", TRUE, TRUE, 0 },
217
218 [ACLC_HOSTS] = { US"hosts", FALSE, FALSE,
219 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
220 },
221 [ACLC_LOCAL_PARTS] = { US"local_parts", FALSE, FALSE,
222 (unsigned int)
223 ~(ACL_BIT_RCPT | ACL_BIT_VRFY
224 #ifndef DISABLE_PRDR
225 | ACL_BIT_PRDR
226 #endif
227 ),
228 },
229
230 [ACLC_LOG_MESSAGE] = { US"log_message", TRUE, TRUE, 0 },
231 [ACLC_LOG_REJECT_TARGET] = { US"log_reject_target", TRUE, TRUE, 0 },
232 [ACLC_LOGWRITE] = { US"logwrite", TRUE, TRUE, 0 },
233
234 #ifdef WITH_CONTENT_SCAN
235 [ACLC_MALWARE] = { US"malware", TRUE, FALSE,
236 (unsigned int)
237 ~(ACL_BIT_DATA |
238 # ifndef DISABLE_PRDR
239 ACL_BIT_PRDR |
240 # endif
241 ACL_BIT_NOTSMTP),
242 },
243 #endif
244
245 [ACLC_MESSAGE] = { US"message", TRUE, TRUE, 0 },
246 #ifdef WITH_CONTENT_SCAN
247 [ACLC_MIME_REGEX] = { US"mime_regex", TRUE, FALSE, (unsigned int) ~ACL_BIT_MIME },
248 #endif
249
250 [ACLC_QUEUE] = { US"queue", TRUE, TRUE,
251 ACL_BIT_NOTSMTP |
252 #ifndef DISABLE_PRDR
253 ACL_BIT_PRDR |
254 #endif
255 ACL_BIT_DATA,
256 },
257
258 [ACLC_RATELIMIT] = { US"ratelimit", TRUE, FALSE, 0 },
259 [ACLC_RECIPIENTS] = { US"recipients", FALSE, FALSE, (unsigned int) ~ACL_BIT_RCPT },
260
261 #ifdef WITH_CONTENT_SCAN
262 [ACLC_REGEX] = { US"regex", TRUE, FALSE,
263 (unsigned int)
264 ~(ACL_BIT_DATA |
265 # ifndef DISABLE_PRDR
266 ACL_BIT_PRDR |
267 # endif
268 ACL_BIT_NOTSMTP |
269 ACL_BIT_MIME),
270 },
271
272 #endif
273 [ACLC_REMOVE_HEADER] = { US"remove_header", TRUE, TRUE,
274 (unsigned int)
275 ~(ACL_BIT_MAIL|ACL_BIT_RCPT |
276 ACL_BIT_PREDATA | ACL_BIT_DATA |
277 #ifndef DISABLE_PRDR
278 ACL_BIT_PRDR |
279 #endif
280 ACL_BIT_MIME | ACL_BIT_NOTSMTP |
281 ACL_BIT_NOTSMTP_START),
282 },
283 [ACLC_SENDER_DOMAINS] = { US"sender_domains", FALSE, FALSE,
284 ACL_BIT_AUTH | ACL_BIT_CONNECT |
285 ACL_BIT_HELO |
286 ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
287 ACL_BIT_ETRN | ACL_BIT_EXPN |
288 ACL_BIT_STARTTLS | ACL_BIT_VRFY,
289 },
290 [ACLC_SENDERS] = { US"senders", FALSE, FALSE,
291 ACL_BIT_AUTH | ACL_BIT_CONNECT |
292 ACL_BIT_HELO |
293 ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
294 ACL_BIT_ETRN | ACL_BIT_EXPN |
295 ACL_BIT_STARTTLS | ACL_BIT_VRFY,
296 },
297
298 [ACLC_SET] = { US"set", TRUE, TRUE, 0 },
299
300 #ifdef WITH_CONTENT_SCAN
301 [ACLC_SPAM] = { US"spam", TRUE, FALSE,
302 (unsigned int) ~(ACL_BIT_DATA |
303 # ifndef DISABLE_PRDR
304 ACL_BIT_PRDR |
305 # endif
306 ACL_BIT_NOTSMTP),
307 },
308 #endif
309 #ifdef SUPPORT_SPF
310 [ACLC_SPF] = { US"spf", TRUE, FALSE,
311 ACL_BIT_AUTH | ACL_BIT_CONNECT |
312 ACL_BIT_HELO | ACL_BIT_MAILAUTH |
313 ACL_BIT_ETRN | ACL_BIT_EXPN |
314 ACL_BIT_STARTTLS | ACL_BIT_VRFY |
315 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
316 },
317 [ACLC_SPF_GUESS] = { US"spf_guess", TRUE, FALSE,
318 ACL_BIT_AUTH | ACL_BIT_CONNECT |
319 ACL_BIT_HELO | ACL_BIT_MAILAUTH |
320 ACL_BIT_ETRN | ACL_BIT_EXPN |
321 ACL_BIT_STARTTLS | ACL_BIT_VRFY |
322 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
323 },
324 #endif
325 [ACLC_UDPSEND] = { US"udpsend", TRUE, TRUE, 0 },
326
327 /* Certain types of verify are always allowed, so we let it through
328 always and check in the verify function itself */
329 [ACLC_VERIFY] = { US"verify", TRUE, FALSE, 0 },
330 };
331
332
333
334 /* Return values from decode_control(); used as index so keep in step
335 with the controls_list table that follows! */
336
337 enum {
338 CONTROL_AUTH_UNADVERTISED,
339 #ifdef EXPERIMENTAL_BRIGHTMAIL
340 CONTROL_BMI_RUN,
341 #endif
342 CONTROL_CASEFUL_LOCAL_PART,
343 CONTROL_CASELOWER_LOCAL_PART,
344 CONTROL_CUTTHROUGH_DELIVERY,
345 CONTROL_DEBUG,
346 #ifndef DISABLE_DKIM
347 CONTROL_DKIM_VERIFY,
348 #endif
349 #ifdef SUPPORT_DMARC
350 CONTROL_DMARC_VERIFY,
351 CONTROL_DMARC_FORENSIC,
352 #endif
353 CONTROL_DSCP,
354 CONTROL_ENFORCE_SYNC,
355 CONTROL_ERROR, /* pseudo-value for decode errors */
356 CONTROL_FAKEDEFER,
357 CONTROL_FAKEREJECT,
358 CONTROL_FREEZE,
359
360 CONTROL_NO_CALLOUT_FLUSH,
361 CONTROL_NO_DELAY_FLUSH,
362 CONTROL_NO_ENFORCE_SYNC,
363 #ifdef WITH_CONTENT_SCAN
364 CONTROL_NO_MBOX_UNSPOOL,
365 #endif
366 CONTROL_NO_MULTILINE,
367 CONTROL_NO_PIPELINING,
368
369 CONTROL_QUEUE,
370 CONTROL_QUEUE_ONLY,
371 CONTROL_SUBMISSION,
372 CONTROL_SUPPRESS_LOCAL_FIXUPS,
373 #ifdef SUPPORT_I18N
374 CONTROL_UTF8_DOWNCONVERT,
375 #endif
376 };
377
378
379
380 /* Structure listing various control arguments, with their characteristics.
381 For each control, there's a bitmap of dis-allowed times. For some, it is easier
382 to specify the negation of a small number of allowed times. */
383
384 typedef struct control_def {
385 uschar *name;
386 BOOL has_option; /* Has /option(s) following */
387 unsigned forbids; /* bitmap of dis-allowed times */
388 } control_def;
389
390 static control_def controls_list[] = {
391 /* name has_option forbids */
392 [CONTROL_AUTH_UNADVERTISED] =
393 { US"allow_auth_unadvertised", FALSE,
394 (unsigned)
395 ~(ACL_BIT_CONNECT | ACL_BIT_HELO)
396 },
397 #ifdef EXPERIMENTAL_BRIGHTMAIL
398 [CONTROL_BMI_RUN] =
399 { US"bmi_run", FALSE, 0 },
400 #endif
401 [CONTROL_CASEFUL_LOCAL_PART] =
402 { US"caseful_local_part", FALSE, (unsigned) ~ACL_BIT_RCPT },
403 [CONTROL_CASELOWER_LOCAL_PART] =
404 { US"caselower_local_part", FALSE, (unsigned) ~ACL_BIT_RCPT },
405 [CONTROL_CUTTHROUGH_DELIVERY] =
406 { US"cutthrough_delivery", TRUE, 0 },
407 [CONTROL_DEBUG] =
408 { US"debug", TRUE, 0 },
409
410 #ifndef DISABLE_DKIM
411 [CONTROL_DKIM_VERIFY] =
412 { US"dkim_disable_verify", FALSE,
413 ACL_BIT_DATA | ACL_BIT_NOTSMTP |
414 # ifndef DISABLE_PRDR
415 ACL_BIT_PRDR |
416 # endif
417 ACL_BIT_NOTSMTP_START
418 },
419 #endif
420
421 #ifdef SUPPORT_DMARC
422 [CONTROL_DMARC_VERIFY] =
423 { US"dmarc_disable_verify", FALSE,
424 ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
425 },
426 [CONTROL_DMARC_FORENSIC] =
427 { US"dmarc_enable_forensic", FALSE,
428 ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
429 },
430 #endif
431
432 [CONTROL_DSCP] =
433 { US"dscp", TRUE,
434 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START | ACL_BIT_NOTQUIT
435 },
436 [CONTROL_ENFORCE_SYNC] =
437 { US"enforce_sync", FALSE,
438 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
439 },
440
441 /* Pseudo-value for decode errors */
442 [CONTROL_ERROR] =
443 { US"error", FALSE, 0 },
444
445 [CONTROL_FAKEDEFER] =
446 { US"fakedefer", TRUE,
447 (unsigned)
448 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
449 ACL_BIT_PREDATA | ACL_BIT_DATA |
450 #ifndef DISABLE_PRDR
451 ACL_BIT_PRDR |
452 #endif
453 ACL_BIT_MIME)
454 },
455 [CONTROL_FAKEREJECT] =
456 { US"fakereject", TRUE,
457 (unsigned)
458 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
459 ACL_BIT_PREDATA | ACL_BIT_DATA |
460 #ifndef DISABLE_PRDR
461 ACL_BIT_PRDR |
462 #endif
463 ACL_BIT_MIME)
464 },
465 [CONTROL_FREEZE] =
466 { US"freeze", TRUE,
467 (unsigned)
468 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
469 ACL_BIT_PREDATA | ACL_BIT_DATA |
470 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
471 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
472 },
473
474 [CONTROL_NO_CALLOUT_FLUSH] =
475 { US"no_callout_flush", FALSE,
476 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
477 },
478 [CONTROL_NO_DELAY_FLUSH] =
479 { US"no_delay_flush", FALSE,
480 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
481 },
482
483 [CONTROL_NO_ENFORCE_SYNC] =
484 { US"no_enforce_sync", FALSE,
485 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
486 },
487 #ifdef WITH_CONTENT_SCAN
488 [CONTROL_NO_MBOX_UNSPOOL] =
489 { US"no_mbox_unspool", FALSE,
490 (unsigned)
491 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
492 ACL_BIT_PREDATA | ACL_BIT_DATA |
493 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
494 ACL_BIT_MIME)
495 },
496 #endif
497 [CONTROL_NO_MULTILINE] =
498 { US"no_multiline_responses", FALSE,
499 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
500 },
501 [CONTROL_NO_PIPELINING] =
502 { US"no_pipelining", FALSE,
503 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
504 },
505
506 [CONTROL_QUEUE] =
507 { US"queue", TRUE,
508 (unsigned)
509 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
510 ACL_BIT_PREDATA | ACL_BIT_DATA |
511 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
512 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
513 },
514 [CONTROL_QUEUE_ONLY] =
515 { US"queue_only", TRUE,
516 (unsigned)
517 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
518 ACL_BIT_PREDATA | ACL_BIT_DATA |
519 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
520 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
521 },
522
523
524 [CONTROL_SUBMISSION] =
525 { US"submission", TRUE,
526 (unsigned)
527 ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA)
528 },
529 [CONTROL_SUPPRESS_LOCAL_FIXUPS] =
530 { US"suppress_local_fixups", FALSE,
531 (unsigned)
532 ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA |
533 ACL_BIT_NOTSMTP_START)
534 },
535 #ifdef SUPPORT_I18N
536 [CONTROL_UTF8_DOWNCONVERT] =
537 { US"utf8_downconvert", TRUE, (unsigned) ~(ACL_BIT_RCPT | ACL_BIT_VRFY)
538 }
539 #endif
540 };
541
542 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
543 caches its result in a tree to avoid repeated DNS queries. The result is an
544 integer code which is used as an index into the following tables of
545 explanatory strings and verification return codes. */
546
547 static tree_node *csa_cache = NULL;
548
549 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
550 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
551
552 /* The acl_verify_csa() return code is translated into an acl_verify() return
553 code using the following table. It is OK unless the client is definitely not
554 authorized. This is because CSA is supposed to be optional for sending sites,
555 so recipients should not be too strict about checking it - especially because
556 DNS problems are quite likely to occur. It's possible to use $csa_status in
557 further ACL conditions to distinguish ok, unknown, and defer if required, but
558 the aim is to make the usual configuration simple. */
559
560 static int csa_return_code[] = {
561 [CSA_UNKNOWN] = OK,
562 [CSA_OK] = OK,
563 [CSA_DEFER_SRV] = OK,
564 [CSA_DEFER_ADDR] = OK,
565 [CSA_FAIL_EXPLICIT] = FAIL,
566 [CSA_FAIL_DOMAIN] = FAIL,
567 [CSA_FAIL_NOADDR] = FAIL,
568 [CSA_FAIL_MISMATCH] = FAIL
569 };
570
571 static uschar *csa_status_string[] = {
572 [CSA_UNKNOWN] = US"unknown",
573 [CSA_OK] = US"ok",
574 [CSA_DEFER_SRV] = US"defer",
575 [CSA_DEFER_ADDR] = US"defer",
576 [CSA_FAIL_EXPLICIT] = US"fail",
577 [CSA_FAIL_DOMAIN] = US"fail",
578 [CSA_FAIL_NOADDR] = US"fail",
579 [CSA_FAIL_MISMATCH] = US"fail"
580 };
581
582 static uschar *csa_reason_string[] = {
583 [CSA_UNKNOWN] = US"unknown",
584 [CSA_OK] = US"ok",
585 [CSA_DEFER_SRV] = US"deferred (SRV lookup failed)",
586 [CSA_DEFER_ADDR] = US"deferred (target address lookup failed)",
587 [CSA_FAIL_EXPLICIT] = US"failed (explicit authorization required)",
588 [CSA_FAIL_DOMAIN] = US"failed (host name not authorized)",
589 [CSA_FAIL_NOADDR] = US"failed (no authorized addresses)",
590 [CSA_FAIL_MISMATCH] = US"failed (client address mismatch)"
591 };
592
593 /* Options for the ratelimit condition. Note that there are two variants of
594 the per_rcpt option, depending on the ACL that is used to measure the rate.
595 However any ACL must be able to look up per_rcpt rates in /noupdate mode,
596 so the two variants must have the same internal representation as well as
597 the same configuration string. */
598
599 enum {
600 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
601 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
602 };
603
604 #define RATE_SET(var,new) \
605 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
606
607 static uschar *ratelimit_option_string[] = {
608 [RATE_PER_WHAT] = US"?",
609 [RATE_PER_CLASH] = US"!",
610 [RATE_PER_ADDR] = US"per_addr",
611 [RATE_PER_BYTE] = US"per_byte",
612 [RATE_PER_CMD] = US"per_cmd",
613 [RATE_PER_CONN] = US"per_conn",
614 [RATE_PER_MAIL] = US"per_mail",
615 [RATE_PER_RCPT] = US"per_rcpt",
616 [RATE_PER_ALLRCPTS] = US"per_rcpt"
617 };
618
619 /* Enable recursion between acl_check_internal() and acl_check_condition() */
620
621 static int acl_check_wargs(int, address_item *, const uschar *, uschar **,
622 uschar **);
623
624
625 /*************************************************
626 * Find control in list *
627 *************************************************/
628
629 /* The lists are always in order, so binary chop can be used.
630
631 Arguments:
632 name the control name to search for
633 ol the first entry in the control list
634 last one more than the offset of the last entry in the control list
635
636 Returns: index of a control entry, or -1 if not found
637 */
638
639 static int
640 find_control(const uschar * name, control_def * ol, int last)
641 {
642 for (int first = 0; last > first; )
643 {
644 int middle = (first + last)/2;
645 uschar * s = ol[middle].name;
646 int c = Ustrncmp(name, s, Ustrlen(s));
647 if (c == 0) return middle;
648 else if (c > 0) first = middle + 1;
649 else last = middle;
650 }
651 return -1;
652 }
653
654
655
656 /*************************************************
657 * Pick out condition from list *
658 *************************************************/
659
660 /* Use a binary chop method
661
662 Arguments:
663 name name to find
664 list list of conditions
665 end size of list
666
667 Returns: offset in list, or -1 if not found
668 */
669
670 static int
671 acl_checkcondition(uschar * name, condition_def * list, int end)
672 {
673 for (int start = 0; start < end; )
674 {
675 int mid = (start + end)/2;
676 int c = Ustrcmp(name, list[mid].name);
677 if (c == 0) return mid;
678 if (c < 0) end = mid;
679 else start = mid + 1;
680 }
681 return -1;
682 }
683
684
685 /*************************************************
686 * Pick out name from list *
687 *************************************************/
688
689 /* Use a binary chop method
690
691 Arguments:
692 name name to find
693 list list of names
694 end size of list
695
696 Returns: offset in list, or -1 if not found
697 */
698
699 static int
700 acl_checkname(uschar *name, uschar **list, int end)
701 {
702 for (int start = 0; start < end; )
703 {
704 int mid = (start + end)/2;
705 int c = Ustrcmp(name, list[mid]);
706 if (c == 0) return mid;
707 if (c < 0) end = mid; else start = mid + 1;
708 }
709
710 return -1;
711 }
712
713
714 /*************************************************
715 * Read and parse one ACL *
716 *************************************************/
717
718 /* This function is called both from readconf in order to parse the ACLs in the
719 configuration file, and also when an ACL is encountered dynamically (e.g. as
720 the result of an expansion). It is given a function to call in order to
721 retrieve the lines of the ACL. This function handles skipping comments and
722 blank lines (where relevant).
723
724 Arguments:
725 func function to get next line of ACL
726 error where to put an error message
727
728 Returns: pointer to ACL, or NULL
729 NULL can be legal (empty ACL); in this case error will be NULL
730 */
731
732 acl_block *
733 acl_read(uschar *(*func)(void), uschar **error)
734 {
735 acl_block *yield = NULL;
736 acl_block **lastp = &yield;
737 acl_block *this = NULL;
738 acl_condition_block *cond;
739 acl_condition_block **condp = NULL;
740 uschar * s;
741
742 *error = NULL;
743
744 while ((s = (*func)()) != NULL)
745 {
746 int v, c;
747 BOOL negated = FALSE;
748 uschar *saveline = s;
749 uschar name[64];
750
751 /* Conditions (but not verbs) are allowed to be negated by an initial
752 exclamation mark. */
753
754 while (isspace(*s)) s++;
755 if (*s == '!')
756 {
757 negated = TRUE;
758 s++;
759 }
760
761 /* Read the name of a verb or a condition, or the start of a new ACL, which
762 can be started by a name, or by a macro definition. */
763
764 s = readconf_readname(name, sizeof(name), s);
765 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
766
767 /* If a verb is unrecognized, it may be another condition or modifier that
768 continues the previous verb. */
769
770 if ((v = acl_checkname(name, verbs, nelem(verbs))) < 0)
771 {
772 if (!this)
773 {
774 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
775 saveline);
776 return NULL;
777 }
778 }
779
780 /* New verb */
781
782 else
783 {
784 if (negated)
785 {
786 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
787 return NULL;
788 }
789 this = store_get(sizeof(acl_block), FALSE);
790 *lastp = this;
791 lastp = &(this->next);
792 this->next = NULL;
793 this->condition = NULL;
794 this->verb = v;
795 this->srcline = config_lineno; /* for debug output */
796 this->srcfile = config_filename; /**/
797 condp = &(this->condition);
798 if (*s == 0) continue; /* No condition on this line */
799 if (*s == '!')
800 {
801 negated = TRUE;
802 s++;
803 }
804 s = readconf_readname(name, sizeof(name), s); /* Condition name */
805 }
806
807 /* Handle a condition or modifier. */
808
809 if ((c = acl_checkcondition(name, conditions, nelem(conditions))) < 0)
810 {
811 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
812 saveline);
813 return NULL;
814 }
815
816 /* The modifiers may not be negated */
817
818 if (negated && conditions[c].is_modifier)
819 {
820 *error = string_sprintf("ACL error: negation is not allowed with "
821 "\"%s\"", conditions[c].name);
822 return NULL;
823 }
824
825 /* ENDPASS may occur only with ACCEPT or DISCARD. */
826
827 if (c == ACLC_ENDPASS &&
828 this->verb != ACL_ACCEPT &&
829 this->verb != ACL_DISCARD)
830 {
831 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
832 conditions[c].name, verbs[this->verb]);
833 return NULL;
834 }
835
836 cond = store_get(sizeof(acl_condition_block), FALSE);
837 cond->next = NULL;
838 cond->type = c;
839 cond->u.negated = negated;
840
841 *condp = cond;
842 condp = &(cond->next);
843
844 /* The "set" modifier is different in that its argument is "name=value"
845 rather than just a value, and we can check the validity of the name, which
846 gives us a variable name to insert into the data block. The original ACL
847 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
848 extended to 20 of each type, but after that people successfully argued for
849 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
850 After that, we allow alphanumerics and underscores, but the first character
851 after c or m must be a digit or an underscore. This retains backwards
852 compatibility. */
853
854 if (c == ACLC_SET)
855 #ifndef DISABLE_DKIM
856 if ( Ustrncmp(s, "dkim_verify_status", 18) == 0
857 || Ustrncmp(s, "dkim_verify_reason", 18) == 0)
858 {
859 uschar * endptr = s+18;
860
861 if (isalnum(*endptr))
862 {
863 *error = string_sprintf("invalid variable name after \"set\" in ACL "
864 "modifier \"set %s\" "
865 "(only \"dkim_verify_status\" or \"dkim_verify_reason\" permitted)",
866 s);
867 return NULL;
868 }
869 cond->u.varname = string_copyn(s, 18);
870 s = endptr;
871 while (isspace(*s)) s++;
872 }
873 else
874 #endif
875 {
876 uschar *endptr;
877
878 if (Ustrncmp(s, "acl_c", 5) != 0 && Ustrncmp(s, "acl_m", 5) != 0)
879 {
880 *error = string_sprintf("invalid variable name after \"set\" in ACL "
881 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
882 return NULL;
883 }
884
885 endptr = s + 5;
886 if (!isdigit(*endptr) && *endptr != '_')
887 {
888 *error = string_sprintf("invalid variable name after \"set\" in ACL "
889 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
890 s);
891 return NULL;
892 }
893
894 while (*endptr && *endptr != '=' && !isspace(*endptr))
895 {
896 if (!isalnum(*endptr) && *endptr != '_')
897 {
898 *error = string_sprintf("invalid character \"%c\" in variable name "
899 "in ACL modifier \"set %s\"", *endptr, s);
900 return NULL;
901 }
902 endptr++;
903 }
904
905 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
906 s = endptr;
907 while (isspace(*s)) s++;
908 }
909
910 /* For "set", we are now positioned for the data. For the others, only
911 "endpass" has no data */
912
913 if (c != ACLC_ENDPASS)
914 {
915 if (*s++ != '=')
916 {
917 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
918 conditions[c].is_modifier ? US"modifier" : US"condition");
919 return NULL;
920 }
921 while (isspace(*s)) s++;
922 cond->arg = string_copy(s);
923 }
924 }
925
926 return yield;
927 }
928
929
930
931 /*************************************************
932 * Set up added header line(s) *
933 *************************************************/
934
935 /* This function is called by the add_header modifier, and also from acl_warn()
936 to implement the now-deprecated way of adding header lines using "message" on a
937 "warn" verb. The argument is treated as a sequence of header lines which are
938 added to a chain, provided there isn't an identical one already there.
939
940 Argument: string of header lines
941 Returns: nothing
942 */
943
944 static void
945 setup_header(const uschar *hstring)
946 {
947 const uschar *p, *q;
948 int hlen = Ustrlen(hstring);
949
950 /* Ignore any leading newlines */
951 while (*hstring == '\n') hstring++, hlen--;
952
953 /* An empty string does nothing; ensure exactly one final newline. */
954 if (hlen <= 0) return;
955 if (hstring[--hlen] != '\n') /* no newline */
956 q = string_sprintf("%s\n", hstring);
957 else if (hstring[hlen-1] == '\n') /* double newline */
958 {
959 uschar * s = string_copy(hstring);
960 while(s[--hlen] == '\n')
961 s[hlen+1] = '\0';
962 q = s;
963 }
964 else
965 q = hstring;
966
967 /* Loop for multiple header lines, taking care about continuations */
968
969 for (p = q; *p; p = q)
970 {
971 const uschar *s;
972 uschar * hdr;
973 int newtype = htype_add_bot;
974 header_line **hptr = &acl_added_headers;
975
976 /* Find next header line within the string */
977
978 for (;;)
979 {
980 q = Ustrchr(q, '\n'); /* we know there was a newline */
981 if (*++q != ' ' && *q != '\t') break;
982 }
983
984 /* If the line starts with a colon, interpret the instruction for where to
985 add it. This temporarily sets up a new type. */
986
987 if (*p == ':')
988 {
989 if (strncmpic(p, US":after_received:", 16) == 0)
990 {
991 newtype = htype_add_rec;
992 p += 16;
993 }
994 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
995 {
996 newtype = htype_add_rfc;
997 p += 14;
998 }
999 else if (strncmpic(p, US":at_start:", 10) == 0)
1000 {
1001 newtype = htype_add_top;
1002 p += 10;
1003 }
1004 else if (strncmpic(p, US":at_end:", 8) == 0)
1005 {
1006 newtype = htype_add_bot;
1007 p += 8;
1008 }
1009 while (*p == ' ' || *p == '\t') p++;
1010 }
1011
1012 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1013 to the front of it. */
1014
1015 for (s = p; s < q - 1; s++)
1016 if (*s == ':' || !isgraph(*s)) break;
1017
1018 hdr = string_sprintf("%s%.*s", *s == ':' ? "" : "X-ACL-Warn: ", (int) (q - p), p);
1019 hlen = Ustrlen(hdr);
1020
1021 /* See if this line has already been added */
1022
1023 while (*hptr)
1024 {
1025 if (Ustrncmp((*hptr)->text, hdr, hlen) == 0) break;
1026 hptr = &(*hptr)->next;
1027 }
1028
1029 /* Add if not previously present */
1030
1031 if (!*hptr)
1032 {
1033 /* The header_line struct itself is not tainted, though it points to
1034 possibly tainted data. */
1035 header_line * h = store_get(sizeof(header_line), FALSE);
1036 h->text = hdr;
1037 h->next = NULL;
1038 h->type = newtype;
1039 h->slen = hlen;
1040 *hptr = h;
1041 hptr = &h->next;
1042 }
1043 }
1044 }
1045
1046
1047
1048 /*************************************************
1049 * List the added header lines *
1050 *************************************************/
1051 uschar *
1052 fn_hdrs_added(void)
1053 {
1054 gstring * g = NULL;
1055
1056 for (header_line * h = acl_added_headers; h; h = h->next)
1057 {
1058 int i = h->slen;
1059 if (h->text[i-1] == '\n') i--;
1060 g = string_append_listele_n(g, '\n', h->text, i);
1061 }
1062
1063 return g ? g->s : NULL;
1064 }
1065
1066
1067 /*************************************************
1068 * Set up removed header line(s) *
1069 *************************************************/
1070
1071 /* This function is called by the remove_header modifier. The argument is
1072 treated as a sequence of header names which are added to a colon separated
1073 list, provided there isn't an identical one already there.
1074
1075 Argument: string of header names
1076 Returns: nothing
1077 */
1078
1079 static void
1080 setup_remove_header(const uschar *hnames)
1081 {
1082 if (*hnames)
1083 acl_removed_headers = acl_removed_headers
1084 ? string_sprintf("%s : %s", acl_removed_headers, hnames)
1085 : string_copy(hnames);
1086 }
1087
1088
1089
1090 /*************************************************
1091 * Handle warnings *
1092 *************************************************/
1093
1094 /* This function is called when a WARN verb's conditions are true. It adds to
1095 the message's headers, and/or writes information to the log. In each case, this
1096 only happens once (per message for headers, per connection for log).
1097
1098 ** NOTE: The header adding action using the "message" setting is historic, and
1099 its use is now deprecated. The new add_header modifier should be used instead.
1100
1101 Arguments:
1102 where ACL_WHERE_xxxx indicating which ACL this is
1103 user_message message for adding to headers
1104 log_message message for logging, if different
1105
1106 Returns: nothing
1107 */
1108
1109 static void
1110 acl_warn(int where, uschar *user_message, uschar *log_message)
1111 {
1112 if (log_message != NULL && log_message != user_message)
1113 {
1114 uschar *text;
1115 string_item *logged;
1116
1117 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1118 string_printing(log_message));
1119
1120 /* If a sender verification has failed, and the log message is "sender verify
1121 failed", add the failure message. */
1122
1123 if (sender_verified_failed != NULL &&
1124 sender_verified_failed->message != NULL &&
1125 strcmpic(log_message, US"sender verify failed") == 0)
1126 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1127
1128 /* Search previously logged warnings. They are kept in malloc
1129 store so they can be freed at the start of a new message. */
1130
1131 for (logged = acl_warn_logged; logged; logged = logged->next)
1132 if (Ustrcmp(logged->text, text) == 0) break;
1133
1134 if (!logged)
1135 {
1136 int length = Ustrlen(text) + 1;
1137 log_write(0, LOG_MAIN, "%s", text);
1138 logged = store_malloc(sizeof(string_item) + length);
1139 logged->text = US logged + sizeof(string_item);
1140 memcpy(logged->text, text, length);
1141 logged->next = acl_warn_logged;
1142 acl_warn_logged = logged;
1143 }
1144 }
1145
1146 /* If there's no user message, we are done. */
1147
1148 if (!user_message) return;
1149
1150 /* If this isn't a message ACL, we can't do anything with a user message.
1151 Log an error. */
1152
1153 if (where > ACL_WHERE_NOTSMTP)
1154 {
1155 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1156 "found in a non-message (%s) ACL: cannot specify header lines here: "
1157 "message ignored", acl_wherenames[where]);
1158 return;
1159 }
1160
1161 /* The code for setting up header lines is now abstracted into a separate
1162 function so that it can be used for the add_header modifier as well. */
1163
1164 setup_header(user_message);
1165 }
1166
1167
1168
1169 /*************************************************
1170 * Verify and check reverse DNS *
1171 *************************************************/
1172
1173 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1174 address if this has not yet been done. The host_name_lookup() function checks
1175 that one of these names resolves to an address list that contains the client IP
1176 address, so we don't actually have to do the check here.
1177
1178 Arguments:
1179 user_msgptr pointer for user message
1180 log_msgptr pointer for log message
1181
1182 Returns: OK verification condition succeeded
1183 FAIL verification failed
1184 DEFER there was a problem verifying
1185 */
1186
1187 static int
1188 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1189 {
1190 int rc;
1191
1192 user_msgptr = user_msgptr; /* stop compiler warning */
1193
1194 /* Previous success */
1195
1196 if (sender_host_name != NULL) return OK;
1197
1198 /* Previous failure */
1199
1200 if (host_lookup_failed)
1201 {
1202 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1203 return FAIL;
1204 }
1205
1206 /* Need to do a lookup */
1207
1208 HDEBUG(D_acl)
1209 debug_printf_indent("looking up host name to force name/address consistency check\n");
1210
1211 if ((rc = host_name_lookup()) != OK)
1212 {
1213 *log_msgptr = rc == DEFER
1214 ? US"host lookup deferred for reverse lookup check"
1215 : string_sprintf("host lookup failed for reverse lookup check%s",
1216 host_lookup_msg);
1217 return rc; /* DEFER or FAIL */
1218 }
1219
1220 host_build_sender_fullhost();
1221 return OK;
1222 }
1223
1224
1225
1226 /*************************************************
1227 * Check client IP address matches CSA target *
1228 *************************************************/
1229
1230 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1231 response for address records belonging to the CSA target hostname. The section
1232 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1233 If one of the addresses matches the client's IP address, then the client is
1234 authorized by CSA. If there are target IP addresses but none of them match
1235 then the client is using an unauthorized IP address. If there are no target IP
1236 addresses then the client cannot be using an authorized IP address. (This is
1237 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1238
1239 Arguments:
1240 dnsa the DNS answer block
1241 dnss a DNS scan block for us to use
1242 reset option specifying what portion to scan, as described above
1243 target the target hostname to use for matching RR names
1244
1245 Returns: CSA_OK successfully authorized
1246 CSA_FAIL_MISMATCH addresses found but none matched
1247 CSA_FAIL_NOADDR no target addresses found
1248 */
1249
1250 static int
1251 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1252 uschar *target)
1253 {
1254 int rc = CSA_FAIL_NOADDR;
1255
1256 for (dns_record * rr = dns_next_rr(dnsa, dnss, reset);
1257 rr;
1258 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1259 {
1260 /* Check this is an address RR for the target hostname. */
1261
1262 if (rr->type != T_A
1263 #if HAVE_IPV6
1264 && rr->type != T_AAAA
1265 #endif
1266 ) continue;
1267
1268 if (strcmpic(target, rr->name) != 0) continue;
1269
1270 rc = CSA_FAIL_MISMATCH;
1271
1272 /* Turn the target address RR into a list of textual IP addresses and scan
1273 the list. There may be more than one if it is an A6 RR. */
1274
1275 for (dns_address * da = dns_address_from_rr(dnsa, rr); da; da = da->next)
1276 {
1277 /* If the client IP address matches the target IP address, it's good! */
1278
1279 DEBUG(D_acl) debug_printf_indent("CSA target address is %s\n", da->address);
1280
1281 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1282 }
1283 }
1284
1285 /* If we found some target addresses but none of them matched, the client is
1286 using an unauthorized IP address, otherwise the target has no authorized IP
1287 addresses. */
1288
1289 return rc;
1290 }
1291
1292
1293
1294 /*************************************************
1295 * Verify Client SMTP Authorization *
1296 *************************************************/
1297
1298 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1299 to find the CSA SRV record corresponding to the domain argument, or
1300 $sender_helo_name if no argument is provided. It then checks that the
1301 client is authorized, and that its IP address corresponds to the SRV
1302 target's address by calling acl_verify_csa_address() above. The address
1303 should have been returned in the DNS response's ADDITIONAL section, but if
1304 not we perform another DNS lookup to get it.
1305
1306 Arguments:
1307 domain pointer to optional parameter following verify = csa
1308
1309 Returns: CSA_UNKNOWN no valid CSA record found
1310 CSA_OK successfully authorized
1311 CSA_FAIL_* client is definitely not authorized
1312 CSA_DEFER_* there was a DNS problem
1313 */
1314
1315 static int
1316 acl_verify_csa(const uschar *domain)
1317 {
1318 tree_node *t;
1319 const uschar *found;
1320 int priority, weight, port;
1321 dns_answer * dnsa = store_get_dns_answer();
1322 dns_scan dnss;
1323 dns_record *rr;
1324 int rc, type;
1325 uschar target[256];
1326
1327 /* Work out the domain we are using for the CSA lookup. The default is the
1328 client's HELO domain. If the client has not said HELO, use its IP address
1329 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1330
1331 while (isspace(*domain) && *domain != '\0') ++domain;
1332 if (*domain == '\0') domain = sender_helo_name;
1333 if (domain == NULL) domain = sender_host_address;
1334 if (sender_host_address == NULL) return CSA_UNKNOWN;
1335
1336 /* If we have an address literal, strip off the framing ready for turning it
1337 into a domain. The framing consists of matched square brackets possibly
1338 containing a keyword and a colon before the actual IP address. */
1339
1340 if (domain[0] == '[')
1341 {
1342 const uschar *start = Ustrchr(domain, ':');
1343 if (start == NULL) start = domain;
1344 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1345 }
1346
1347 /* Turn domains that look like bare IP addresses into domains in the reverse
1348 DNS. This code also deals with address literals and $sender_host_address. It's
1349 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1350 address literals, but it's probably the most friendly thing to do. This is an
1351 extension to CSA, so we allow it to be turned off for proper conformance. */
1352
1353 if (string_is_ip_address(domain, NULL) != 0)
1354 {
1355 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1356 domain = dns_build_reverse(domain);
1357 }
1358
1359 /* Find out if we've already done the CSA check for this domain. If we have,
1360 return the same result again. Otherwise build a new cached result structure
1361 for this domain. The name is filled in now, and the value is filled in when
1362 we return from this function. */
1363
1364 t = tree_search(csa_cache, domain);
1365 if (t != NULL) return t->data.val;
1366
1367 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain), is_tainted(domain));
1368 Ustrcpy(t->name, domain);
1369 (void)tree_insertnode(&csa_cache, t);
1370
1371 /* Now we are ready to do the actual DNS lookup(s). */
1372
1373 found = domain;
1374 switch (dns_special_lookup(dnsa, domain, T_CSA, &found))
1375 {
1376 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1377
1378 default:
1379 return t->data.val = CSA_DEFER_SRV;
1380
1381 /* If we found nothing, the client's authorization is unknown. */
1382
1383 case DNS_NOMATCH:
1384 case DNS_NODATA:
1385 return t->data.val = CSA_UNKNOWN;
1386
1387 /* We got something! Go on to look at the reply in more detail. */
1388
1389 case DNS_SUCCEED:
1390 break;
1391 }
1392
1393 /* Scan the reply for well-formed CSA SRV records. */
1394
1395 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1396 rr;
1397 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_SRV)
1398 {
1399 const uschar * p = rr->data;
1400
1401 /* Extract the numerical SRV fields (p is incremented) */
1402
1403 GETSHORT(priority, p);
1404 GETSHORT(weight, p);
1405 GETSHORT(port, p);
1406
1407 DEBUG(D_acl)
1408 debug_printf_indent("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1409
1410 /* Check the CSA version number */
1411
1412 if (priority != 1) continue;
1413
1414 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1415 found by dns_special_lookup() is a parent of the one we asked for), we check
1416 the subdomain assertions in the port field. At the moment there's only one
1417 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1418 SRV records of their own. */
1419
1420 if (Ustrcmp(found, domain) != 0)
1421 return t->data.val = port & 1 ? CSA_FAIL_EXPLICIT : CSA_UNKNOWN;
1422
1423 /* This CSA SRV record refers directly to our domain, so we check the value
1424 in the weight field to work out the domain's authorization. 0 and 1 are
1425 unauthorized; 3 means the client is authorized but we can't check the IP
1426 address in order to authenticate it, so we treat it as unknown; values
1427 greater than 3 are undefined. */
1428
1429 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1430
1431 if (weight > 2) continue;
1432
1433 /* Weight == 2, which means the domain is authorized. We must check that the
1434 client's IP address is listed as one of the SRV target addresses. Save the
1435 target hostname then break to scan the additional data for its addresses. */
1436
1437 (void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
1438 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1439
1440 DEBUG(D_acl) debug_printf_indent("CSA target is %s\n", target);
1441
1442 break;
1443 }
1444
1445 /* If we didn't break the loop then no appropriate records were found. */
1446
1447 if (!rr) return t->data.val = CSA_UNKNOWN;
1448
1449 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1450 A target of "." indicates there are no valid addresses, so the client cannot
1451 be authorized. (This is an odd configuration because weight=2 target=. is
1452 equivalent to weight=1, but we check for it in order to keep load off the
1453 root name servers.) Note that dn_expand() turns "." into "". */
1454
1455 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1456
1457 /* Scan the additional section of the CSA SRV reply for addresses belonging
1458 to the target. If the name server didn't return any additional data (e.g.
1459 because it does not fully support SRV records), we need to do another lookup
1460 to obtain the target addresses; otherwise we have a definitive result. */
1461
1462 rc = acl_verify_csa_address(dnsa, &dnss, RESET_ADDITIONAL, target);
1463 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1464
1465 /* The DNS lookup type corresponds to the IP version used by the client. */
1466
1467 #if HAVE_IPV6
1468 if (Ustrchr(sender_host_address, ':') != NULL)
1469 type = T_AAAA;
1470 else
1471 #endif /* HAVE_IPV6 */
1472 type = T_A;
1473
1474
1475 lookup_dnssec_authenticated = NULL;
1476 switch (dns_lookup(dnsa, target, type, NULL))
1477 {
1478 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1479
1480 default:
1481 return t->data.val = CSA_DEFER_ADDR;
1482
1483 /* If the query succeeded, scan the addresses and return the result. */
1484
1485 case DNS_SUCCEED:
1486 rc = acl_verify_csa_address(dnsa, &dnss, RESET_ANSWERS, target);
1487 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1488 /* else fall through */
1489
1490 /* If the target has no IP addresses, the client cannot have an authorized
1491 IP address. However, if the target site uses A6 records (not AAAA records)
1492 we have to do yet another lookup in order to check them. */
1493
1494 case DNS_NOMATCH:
1495 case DNS_NODATA:
1496 return t->data.val = CSA_FAIL_NOADDR;
1497 }
1498 }
1499
1500
1501
1502 /*************************************************
1503 * Handle verification (address & other) *
1504 *************************************************/
1505
1506 enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1507 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT,
1508 VERIFY_HDR_NAMES_ASCII, VERIFY_ARC
1509 };
1510 typedef struct {
1511 uschar * name;
1512 int value;
1513 unsigned where_allowed; /* bitmap */
1514 BOOL no_options; /* Never has /option(s) following */
1515 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1516 } verify_type_t;
1517 static verify_type_t verify_type_list[] = {
1518 /* name value where no-opt opt-sep */
1519 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, (unsigned)~0, FALSE, 0 },
1520 { US"certificate", VERIFY_CERT, (unsigned)~0, TRUE, 0 },
1521 { US"helo", VERIFY_HELO, (unsigned)~0, TRUE, 0 },
1522 { US"csa", VERIFY_CSA, (unsigned)~0, FALSE, 0 },
1523 { US"header_syntax", VERIFY_HDR_SYNTAX, ACL_BIT_DATA | ACL_BIT_NOTSMTP, TRUE, 0 },
1524 { US"not_blind", VERIFY_NOT_BLIND, ACL_BIT_DATA | ACL_BIT_NOTSMTP, FALSE, 0 },
1525 { US"header_sender", VERIFY_HDR_SNDR, ACL_BIT_DATA | ACL_BIT_NOTSMTP, FALSE, 0 },
1526 { US"sender", VERIFY_SNDR, ACL_BIT_MAIL | ACL_BIT_RCPT
1527 |ACL_BIT_PREDATA | ACL_BIT_DATA | ACL_BIT_NOTSMTP,
1528 FALSE, 6 },
1529 { US"recipient", VERIFY_RCPT, ACL_BIT_RCPT, FALSE, 0 },
1530 { US"header_names_ascii", VERIFY_HDR_NAMES_ASCII, ACL_BIT_DATA | ACL_BIT_NOTSMTP, TRUE, 0 },
1531 #ifdef EXPERIMENTAL_ARC
1532 { US"arc", VERIFY_ARC, ACL_BIT_DATA, FALSE , 0 },
1533 #endif
1534 };
1535
1536
1537 enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1538 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1539 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1540 CALLOUT_HOLD, CALLOUT_TIME /* TIME must be last */
1541 };
1542 typedef struct {
1543 uschar * name;
1544 int value;
1545 int flag;
1546 BOOL has_option; /* Has =option(s) following */
1547 BOOL timeval; /* Has a time value */
1548 } callout_opt_t;
1549 static callout_opt_t callout_opt_list[] = {
1550 /* name value flag has-opt has-time */
1551 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1552 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1553 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1554 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1555 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1556 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1557 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1558 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1559 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1560 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1561 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1562 { US"hold", CALLOUT_HOLD, vopt_callout_hold, FALSE, FALSE },
1563 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1564 };
1565
1566
1567
1568 /* This function implements the "verify" condition. It is called when
1569 encountered in any ACL, because some tests are almost always permitted. Some
1570 just don't make sense, and always fail (for example, an attempt to test a host
1571 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1572
1573 Arguments:
1574 where where called from
1575 addr the recipient address that the ACL is handling, or NULL
1576 arg the argument of "verify"
1577 user_msgptr pointer for user message
1578 log_msgptr pointer for log message
1579 basic_errno where to put verify errno
1580
1581 Returns: OK verification condition succeeded
1582 FAIL verification failed
1583 DEFER there was a problem verifying
1584 ERROR syntax error
1585 */
1586
1587 static int
1588 acl_verify(int where, address_item *addr, const uschar *arg,
1589 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1590 {
1591 int sep = '/';
1592 int callout = -1;
1593 int callout_overall = -1;
1594 int callout_connect = -1;
1595 int verify_options = 0;
1596 int rc;
1597 BOOL verify_header_sender = FALSE;
1598 BOOL defer_ok = FALSE;
1599 BOOL callout_defer_ok = FALSE;
1600 BOOL no_details = FALSE;
1601 BOOL success_on_redirect = FALSE;
1602 address_item *sender_vaddr = NULL;
1603 uschar *verify_sender_address = NULL;
1604 uschar *pm_mailfrom = NULL;
1605 uschar *se_mailfrom = NULL;
1606
1607 /* Some of the verify items have slash-separated options; some do not. Diagnose
1608 an error if options are given for items that don't expect them.
1609 */
1610
1611 uschar *slash = Ustrchr(arg, '/');
1612 const uschar *list = arg;
1613 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1614 verify_type_t * vp;
1615
1616 if (!ss) goto BAD_VERIFY;
1617
1618 /* Handle name/address consistency verification in a separate function. */
1619
1620 for (vp = verify_type_list;
1621 CS vp < CS verify_type_list + sizeof(verify_type_list);
1622 vp++
1623 )
1624 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1625 : strcmpic (ss, vp->name) == 0)
1626 break;
1627 if (CS vp >= CS verify_type_list + sizeof(verify_type_list))
1628 goto BAD_VERIFY;
1629
1630 if (vp->no_options && slash)
1631 {
1632 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1633 "(this verify item has no options)", arg);
1634 return ERROR;
1635 }
1636 if (!(vp->where_allowed & BIT(where)))
1637 {
1638 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s",
1639 vp->name, acl_wherenames[where]);
1640 return ERROR;
1641 }
1642 switch(vp->value)
1643 {
1644 case VERIFY_REV_HOST_LKUP:
1645 if (!sender_host_address) return OK;
1646 if ((rc = acl_verify_reverse(user_msgptr, log_msgptr)) == DEFER)
1647 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1648 if (strcmpic(ss, US"defer_ok") == 0)
1649 return OK;
1650 return rc;
1651
1652 case VERIFY_CERT:
1653 /* TLS certificate verification is done at STARTTLS time; here we just
1654 test whether it was successful or not. (This is for optional verification; for
1655 mandatory verification, the connection doesn't last this long.) */
1656
1657 if (tls_in.certificate_verified) return OK;
1658 *user_msgptr = US"no verified certificate";
1659 return FAIL;
1660
1661 case VERIFY_HELO:
1662 /* We can test the result of optional HELO verification that might have
1663 occurred earlier. If not, we can attempt the verification now. */
1664
1665 if (!f.helo_verified && !f.helo_verify_failed) smtp_verify_helo();
1666 return f.helo_verified ? OK : FAIL;
1667
1668 case VERIFY_CSA:
1669 /* Do Client SMTP Authorization checks in a separate function, and turn the
1670 result code into user-friendly strings. */
1671
1672 rc = acl_verify_csa(list);
1673 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1674 csa_reason_string[rc]);
1675 csa_status = csa_status_string[rc];
1676 DEBUG(D_acl) debug_printf_indent("CSA result %s\n", csa_status);
1677 return csa_return_code[rc];
1678
1679 #ifdef EXPERIMENTAL_ARC
1680 case VERIFY_ARC:
1681 { /* Do Authenticated Received Chain checks in a separate function. */
1682 const uschar * condlist = CUS string_nextinlist(&list, &sep, NULL, 0);
1683 int csep = 0;
1684 uschar * cond;
1685
1686 if (!(arc_state = acl_verify_arc())) return DEFER;
1687 DEBUG(D_acl) debug_printf_indent("ARC verify result %s %s%s%s\n", arc_state,
1688 arc_state_reason ? "(":"", arc_state_reason, arc_state_reason ? ")":"");
1689
1690 if (!condlist) condlist = US"none:pass";
1691 while ((cond = string_nextinlist(&condlist, &csep, NULL, 0)))
1692 if (Ustrcmp(arc_state, cond) == 0) return OK;
1693 return FAIL;
1694 }
1695 #endif
1696
1697 case VERIFY_HDR_SYNTAX:
1698 /* Check that all relevant header lines have the correct 5322-syntax. If there is
1699 a syntax error, we return details of the error to the sender if configured to
1700 send out full details. (But a "message" setting on the ACL can override, as
1701 always). */
1702
1703 rc = verify_check_headers(log_msgptr);
1704 if (rc != OK && *log_msgptr)
1705 if (smtp_return_error_details)
1706 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1707 else
1708 acl_verify_message = *log_msgptr;
1709 return rc;
1710
1711 case VERIFY_HDR_NAMES_ASCII:
1712 /* Check that all header names are true 7 bit strings
1713 See RFC 5322, 2.2. and RFC 6532, 3. */
1714
1715 rc = verify_check_header_names_ascii(log_msgptr);
1716 if (rc != OK && smtp_return_error_details && *log_msgptr)
1717 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1718 return rc;
1719
1720 case VERIFY_NOT_BLIND:
1721 /* Check that no recipient of this message is "blind", that is, every envelope
1722 recipient must be mentioned in either To: or Cc:. */
1723 {
1724 BOOL case_sensitive = TRUE;
1725
1726 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1727 if (strcmpic(ss, US"case_insensitive") == 0)
1728 case_sensitive = FALSE;
1729 else
1730 {
1731 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1732 "condition \"verify %s\"", ss, arg);
1733 return ERROR;
1734 }
1735
1736 if ((rc = verify_check_notblind(case_sensitive)) != OK)
1737 {
1738 *log_msgptr = US"bcc recipient detected";
1739 if (smtp_return_error_details)
1740 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1741 }
1742 return rc;
1743 }
1744
1745 /* The remaining verification tests check recipient and sender addresses,
1746 either from the envelope or from the header. There are a number of
1747 slash-separated options that are common to all of them. */
1748
1749 case VERIFY_HDR_SNDR:
1750 verify_header_sender = TRUE;
1751 break;
1752
1753 case VERIFY_SNDR:
1754 /* In the case of a sender, this can optionally be followed by an address to use
1755 in place of the actual sender (rare special-case requirement). */
1756 {
1757 uschar *s = ss + 6;
1758 if (*s == 0)
1759 verify_sender_address = sender_address;
1760 else
1761 {
1762 while (isspace(*s)) s++;
1763 if (*s++ != '=') goto BAD_VERIFY;
1764 while (isspace(*s)) s++;
1765 verify_sender_address = string_copy(s);
1766 }
1767 }
1768 break;
1769
1770 case VERIFY_RCPT:
1771 break;
1772 }
1773
1774
1775
1776 /* Remaining items are optional; they apply to sender and recipient
1777 verification, including "header sender" verification. */
1778
1779 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1780 {
1781 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1782 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1783 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1784
1785 /* These two old options are left for backwards compatibility */
1786
1787 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1788 {
1789 callout_defer_ok = TRUE;
1790 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1791 }
1792
1793 else if (strcmpic(ss, US"check_postmaster") == 0)
1794 {
1795 pm_mailfrom = US"";
1796 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1797 }
1798
1799 /* The callout option has a number of sub-options, comma separated */
1800
1801 else if (strncmpic(ss, US"callout", 7) == 0)
1802 {
1803 callout = CALLOUT_TIMEOUT_DEFAULT;
1804 ss += 7;
1805 if (*ss != 0)
1806 {
1807 while (isspace(*ss)) ss++;
1808 if (*ss++ == '=')
1809 {
1810 const uschar * sublist = ss;
1811 int optsep = ',';
1812 uschar buffer[256];
1813 uschar * opt;
1814
1815 while (isspace(*sublist)) sublist++;
1816 while ((opt = string_nextinlist(&sublist, &optsep, buffer, sizeof(buffer))))
1817 {
1818 callout_opt_t * op;
1819 double period = 1.0F;
1820
1821 for (op= callout_opt_list; op->name; op++)
1822 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
1823 break;
1824
1825 verify_options |= op->flag;
1826 if (op->has_option)
1827 {
1828 opt += Ustrlen(op->name);
1829 while (isspace(*opt)) opt++;
1830 if (*opt++ != '=')
1831 {
1832 *log_msgptr = string_sprintf("'=' expected after "
1833 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
1834 return ERROR;
1835 }
1836 while (isspace(*opt)) opt++;
1837 }
1838 if (op->timeval && (period = readconf_readtime(opt, 0, FALSE)) < 0)
1839 {
1840 *log_msgptr = string_sprintf("bad time value in ACL condition "
1841 "\"verify %s\"", arg);
1842 return ERROR;
1843 }
1844
1845 switch(op->value)
1846 {
1847 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1848 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1849 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1850 case CALLOUT_MAILFROM:
1851 if (!verify_header_sender)
1852 {
1853 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1854 "callout option only for verify=header_sender (detected in ACL "
1855 "condition \"%s\")", arg);
1856 return ERROR;
1857 }
1858 se_mailfrom = string_copy(opt);
1859 break;
1860 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1861 case CALLOUT_MAXWAIT: callout_overall = period; break;
1862 case CALLOUT_CONNECT: callout_connect = period; break;
1863 case CALLOUT_TIME: callout = period; break;
1864 }
1865 }
1866 }
1867 else
1868 {
1869 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1870 "ACL condition \"%s\"", arg);
1871 return ERROR;
1872 }
1873 }
1874 }
1875
1876 /* Option not recognized */
1877
1878 else
1879 {
1880 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1881 "condition \"verify %s\"", ss, arg);
1882 return ERROR;
1883 }
1884 }
1885
1886 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1887 (vopt_callout_recipsender|vopt_callout_recippmaster))
1888 {
1889 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1890 "for a recipient callout";
1891 return ERROR;
1892 }
1893
1894 /* Handle sender-in-header verification. Default the user message to the log
1895 message if giving out verification details. */
1896
1897 if (verify_header_sender)
1898 {
1899 int verrno;
1900
1901 if ((rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1902 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1903 &verrno)) != OK)
1904 {
1905 *basic_errno = verrno;
1906 if (smtp_return_error_details)
1907 {
1908 if (!*user_msgptr && *log_msgptr)
1909 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1910 if (rc == DEFER) f.acl_temp_details = TRUE;
1911 }
1912 }
1913 }
1914
1915 /* Handle a sender address. The default is to verify *the* sender address, but
1916 optionally a different address can be given, for special requirements. If the
1917 address is empty, we are dealing with a bounce message that has no sender, so
1918 we cannot do any checking. If the real sender address gets rewritten during
1919 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1920 during message reception.
1921
1922 A list of verified "sender" addresses is kept to try to avoid doing to much
1923 work repetitively when there are multiple recipients in a message and they all
1924 require sender verification. However, when callouts are involved, it gets too
1925 complicated because different recipients may require different callout options.
1926 Therefore, we always do a full sender verify when any kind of callout is
1927 specified. Caching elsewhere, for instance in the DNS resolver and in the
1928 callout handling, should ensure that this is not terribly inefficient. */
1929
1930 else if (verify_sender_address)
1931 {
1932 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)))
1933 {
1934 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1935 "sender verify callout";
1936 return ERROR;
1937 }
1938
1939 sender_vaddr = verify_checked_sender(verify_sender_address);
1940 if (sender_vaddr != NULL && /* Previously checked */
1941 callout <= 0) /* No callout needed this time */
1942 {
1943 /* If the "routed" flag is set, it means that routing worked before, so
1944 this check can give OK (the saved return code value, if set, belongs to a
1945 callout that was done previously). If the "routed" flag is not set, routing
1946 must have failed, so we use the saved return code. */
1947
1948 if (testflag(sender_vaddr, af_verify_routed))
1949 rc = OK;
1950 else
1951 {
1952 rc = sender_vaddr->special_action;
1953 *basic_errno = sender_vaddr->basic_errno;
1954 }
1955 HDEBUG(D_acl) debug_printf_indent("using cached sender verify result\n");
1956 }
1957
1958 /* Do a new verification, and cache the result. The cache is used to avoid
1959 verifying the sender multiple times for multiple RCPTs when callouts are not
1960 specified (see comments above).
1961
1962 The cache is also used on failure to give details in response to the first
1963 RCPT that gets bounced for this reason. However, this can be suppressed by
1964 the no_details option, which sets the flag that says "this detail has already
1965 been sent". The cache normally contains just one address, but there may be
1966 more in esoteric circumstances. */
1967
1968 else
1969 {
1970 BOOL routed = TRUE;
1971 uschar *save_address_data = deliver_address_data;
1972
1973 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1974 #ifdef SUPPORT_I18N
1975 if ((sender_vaddr->prop.utf8_msg = message_smtputf8))
1976 {
1977 sender_vaddr->prop.utf8_downcvt = message_utf8_downconvert == 1;
1978 sender_vaddr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
1979 }
1980 #endif
1981 if (no_details) setflag(sender_vaddr, af_sverify_told);
1982 if (verify_sender_address[0] != 0)
1983 {
1984 /* If this is the real sender address, save the unrewritten version
1985 for use later in receive. Otherwise, set a flag so that rewriting the
1986 sender in verify_address() does not update sender_address. */
1987
1988 if (verify_sender_address == sender_address)
1989 sender_address_unrewritten = sender_address;
1990 else
1991 verify_options |= vopt_fake_sender;
1992
1993 if (success_on_redirect)
1994 verify_options |= vopt_success_on_redirect;
1995
1996 /* The recipient, qualify, and expn options are never set in
1997 verify_options. */
1998
1999 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
2000 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
2001
2002 HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
2003
2004 if (rc != OK)
2005 *basic_errno = sender_vaddr->basic_errno;
2006 else
2007 DEBUG(D_acl)
2008 {
2009 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2010 debug_printf_indent("sender %s verified ok as %s\n",
2011 verify_sender_address, sender_vaddr->address);
2012 else
2013 debug_printf_indent("sender %s verified ok\n",
2014 verify_sender_address);
2015 }
2016 }
2017 else
2018 rc = OK; /* Null sender */
2019
2020 /* Cache the result code */
2021
2022 if (routed) setflag(sender_vaddr, af_verify_routed);
2023 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2024 sender_vaddr->special_action = rc;
2025 sender_vaddr->next = sender_verified_list;
2026 sender_verified_list = sender_vaddr;
2027
2028 /* Restore the recipient address data, which might have been clobbered by
2029 the sender verification. */
2030
2031 deliver_address_data = save_address_data;
2032 }
2033
2034 /* Put the sender address_data value into $sender_address_data */
2035
2036 sender_address_data = sender_vaddr->prop.address_data;
2037 }
2038
2039 /* A recipient address just gets a straightforward verify; again we must handle
2040 the DEFER overrides. */
2041
2042 else
2043 {
2044 address_item addr2;
2045
2046 if (success_on_redirect)
2047 verify_options |= vopt_success_on_redirect;
2048
2049 /* We must use a copy of the address for verification, because it might
2050 get rewritten. */
2051
2052 addr2 = *addr;
2053 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
2054 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
2055 HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
2056
2057 *basic_errno = addr2.basic_errno;
2058 *log_msgptr = addr2.message;
2059 *user_msgptr = (addr2.user_message != NULL)?
2060 addr2.user_message : addr2.message;
2061
2062 /* Allow details for temporary error if the address is so flagged. */
2063 if (testflag((&addr2), af_pass_message)) f.acl_temp_details = TRUE;
2064
2065 /* Make $address_data visible */
2066 deliver_address_data = addr2.prop.address_data;
2067 }
2068
2069 /* We have a result from the relevant test. Handle defer overrides first. */
2070
2071 if (rc == DEFER && (defer_ok ||
2072 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
2073 {
2074 HDEBUG(D_acl) debug_printf_indent("verify defer overridden by %s\n",
2075 defer_ok? "defer_ok" : "callout_defer_ok");
2076 rc = OK;
2077 }
2078
2079 /* If we've failed a sender, set up a recipient message, and point
2080 sender_verified_failed to the address item that actually failed. */
2081
2082 if (rc != OK && verify_sender_address != NULL)
2083 {
2084 if (rc != DEFER)
2085 *log_msgptr = *user_msgptr = US"Sender verify failed";
2086 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2087 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2088 else
2089 {
2090 *log_msgptr = US"Could not complete sender verify callout";
2091 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2092 *log_msgptr;
2093 }
2094
2095 sender_verified_failed = sender_vaddr;
2096 }
2097
2098 /* Verifying an address messes up the values of $domain and $local_part,
2099 so reset them before returning if this is a RCPT ACL. */
2100
2101 if (addr != NULL)
2102 {
2103 deliver_domain = addr->domain;
2104 deliver_localpart = addr->local_part;
2105 }
2106 return rc;
2107
2108 /* Syntax errors in the verify argument come here. */
2109
2110 BAD_VERIFY:
2111 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2112 "\"helo\", \"header_syntax\", \"header_sender\", \"header_names_ascii\" "
2113 "or \"reverse_host_lookup\" at start of ACL condition "
2114 "\"verify %s\"", arg);
2115 return ERROR;
2116 }
2117
2118
2119
2120
2121 /*************************************************
2122 * Check argument for control= modifier *
2123 *************************************************/
2124
2125 /* Called from acl_check_condition() below
2126
2127 Arguments:
2128 arg the argument string for control=
2129 pptr set to point to the terminating character
2130 where which ACL we are in
2131 log_msgptr for error messages
2132
2133 Returns: CONTROL_xxx value
2134 */
2135
2136 static int
2137 decode_control(const uschar *arg, const uschar **pptr, int where, uschar **log_msgptr)
2138 {
2139 int idx, len;
2140 control_def * d;
2141
2142 if ( (idx = find_control(arg, controls_list, nelem(controls_list))) < 0
2143 || ( arg[len = Ustrlen((d = controls_list+idx)->name)] != 0
2144 && (!d->has_option || arg[len] != '/')
2145 ) )
2146 {
2147 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2148 return CONTROL_ERROR;
2149 }
2150
2151 *pptr = arg + len;
2152 return idx;
2153 }
2154
2155
2156
2157
2158 /*************************************************
2159 * Return a ratelimit error *
2160 *************************************************/
2161
2162 /* Called from acl_ratelimit() below
2163
2164 Arguments:
2165 log_msgptr for error messages
2166 format format string
2167 ... supplementary arguments
2168
2169 Returns: ERROR
2170 */
2171
2172 static int
2173 ratelimit_error(uschar **log_msgptr, const char *format, ...)
2174 {
2175 va_list ap;
2176 gstring * g =
2177 string_cat(NULL, US"error in arguments to \"ratelimit\" condition: ");
2178
2179 va_start(ap, format);
2180 g = string_vformat(g, SVFMT_EXTEND|SVFMT_REBUFFER, format, ap);
2181 va_end(ap);
2182
2183 gstring_release_unused(g);
2184 *log_msgptr = string_from_gstring(g);
2185 return ERROR;
2186 }
2187
2188
2189
2190
2191 /*************************************************
2192 * Handle rate limiting *
2193 *************************************************/
2194
2195 /* Called by acl_check_condition() below to calculate the result
2196 of the ACL ratelimit condition.
2197
2198 Note that the return value might be slightly unexpected: if the
2199 sender's rate is above the limit then the result is OK. This is
2200 similar to the dnslists condition, and is so that you can write
2201 ACL clauses like: defer ratelimit = 15 / 1h
2202
2203 Arguments:
2204 arg the option string for ratelimit=
2205 where ACL_WHERE_xxxx indicating which ACL this is
2206 log_msgptr for error messages
2207
2208 Returns: OK - Sender's rate is above limit
2209 FAIL - Sender's rate is below limit
2210 DEFER - Problem opening ratelimit database
2211 ERROR - Syntax error in options.
2212 */
2213
2214 static int
2215 acl_ratelimit(const uschar *arg, int where, uschar **log_msgptr)
2216 {
2217 double limit, period, count;
2218 uschar *ss;
2219 uschar *key = NULL;
2220 uschar *unique = NULL;
2221 int sep = '/';
2222 BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2223 BOOL noupdate = FALSE, badacl = FALSE;
2224 int mode = RATE_PER_WHAT;
2225 int old_pool, rc;
2226 tree_node **anchor, *t;
2227 open_db dbblock, *dbm;
2228 int dbdb_size;
2229 dbdata_ratelimit *dbd;
2230 dbdata_ratelimit_unique *dbdb;
2231 struct timeval tv;
2232
2233 /* Parse the first two options and record their values in expansion
2234 variables. These variables allow the configuration to have informative
2235 error messages based on rate limits obtained from a table lookup. */
2236
2237 /* First is the maximum number of messages per period / maximum burst
2238 size, which must be greater than or equal to zero. Zero is useful for
2239 rate measurement as opposed to rate limiting. */
2240
2241 if (!(sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0)))
2242 return ratelimit_error(log_msgptr, "sender rate limit not set");
2243
2244 limit = Ustrtod(sender_rate_limit, &ss);
2245 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2246 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2247 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2248
2249 if (limit < 0.0 || *ss != '\0')
2250 return ratelimit_error(log_msgptr,
2251 "\"%s\" is not a positive number", sender_rate_limit);
2252
2253 /* Second is the rate measurement period / exponential smoothing time
2254 constant. This must be strictly greater than zero, because zero leads to
2255 run-time division errors. */
2256
2257 period = !(sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0))
2258 ? -1.0 : readconf_readtime(sender_rate_period, 0, FALSE);
2259 if (period <= 0.0)
2260 return ratelimit_error(log_msgptr,
2261 "\"%s\" is not a time value", sender_rate_period);
2262
2263 /* By default we are counting one of something, but the per_rcpt,
2264 per_byte, and count options can change this. */
2265
2266 count = 1.0;
2267
2268 /* Parse the other options. */
2269
2270 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size)))
2271 {
2272 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2273 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2274 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2275 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2276 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2277 else if (strcmpic(ss, US"per_conn") == 0)
2278 {
2279 RATE_SET(mode, PER_CONN);
2280 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2281 badacl = TRUE;
2282 }
2283 else if (strcmpic(ss, US"per_mail") == 0)
2284 {
2285 RATE_SET(mode, PER_MAIL);
2286 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2287 }
2288 else if (strcmpic(ss, US"per_rcpt") == 0)
2289 {
2290 /* If we are running in the RCPT ACL, then we'll count the recipients
2291 one by one, but if we are running when we have accumulated the whole
2292 list then we'll add them all in one batch. */
2293 if (where == ACL_WHERE_RCPT)
2294 RATE_SET(mode, PER_RCPT);
2295 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2296 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2297 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2298 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2299 }
2300 else if (strcmpic(ss, US"per_byte") == 0)
2301 {
2302 /* If we have not yet received the message data and there was no SIZE
2303 declaration on the MAIL command, then it's safe to just use a value of
2304 zero and let the recorded rate decay as if nothing happened. */
2305 RATE_SET(mode, PER_MAIL);
2306 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2307 else count = message_size < 0 ? 0.0 : (double)message_size;
2308 }
2309 else if (strcmpic(ss, US"per_addr") == 0)
2310 {
2311 RATE_SET(mode, PER_RCPT);
2312 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
2313 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2314 }
2315 else if (strncmpic(ss, US"count=", 6) == 0)
2316 {
2317 uschar *e;
2318 count = Ustrtod(ss+6, &e);
2319 if (count < 0.0 || *e != '\0')
2320 return ratelimit_error(log_msgptr, "\"%s\" is not a positive number", ss);
2321 }
2322 else if (strncmpic(ss, US"unique=", 7) == 0)
2323 unique = string_copy(ss + 7);
2324 else if (!key)
2325 key = string_copy(ss);
2326 else
2327 key = string_sprintf("%s/%s", key, ss);
2328 }
2329
2330 /* Sanity check. When the badacl flag is set the update mode must either
2331 be readonly (which is the default if it is omitted) or, for backwards
2332 compatibility, a combination of noupdate and strict or leaky. */
2333
2334 if (mode == RATE_PER_CLASH)
2335 return ratelimit_error(log_msgptr, "conflicting per_* options");
2336 if (leaky + strict + readonly > 1)
2337 return ratelimit_error(log_msgptr, "conflicting update modes");
2338 if (badacl && (leaky || strict) && !noupdate)
2339 return ratelimit_error(log_msgptr,
2340 "\"%s\" must not have /leaky or /strict option, or cannot be used in %s ACL",
2341 ratelimit_option_string[mode], acl_wherenames[where]);
2342
2343 /* Set the default values of any unset options. In readonly mode we
2344 perform the rate computation without any increment so that its value
2345 decays to eventually allow over-limit senders through. */
2346
2347 if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2348 if (badacl) readonly = TRUE;
2349 if (readonly) count = 0.0;
2350 if (!strict && !readonly) leaky = TRUE;
2351 if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
2352
2353 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2354 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2355 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2356 are added to the key because they alter the meaning of the stored data. */
2357
2358 if (!key)
2359 key = !sender_host_address ? US"" : sender_host_address;
2360
2361 key = string_sprintf("%s/%s/%s%s",
2362 sender_rate_period,
2363 ratelimit_option_string[mode],
2364 unique == NULL ? "" : "unique/",
2365 key);
2366
2367 HDEBUG(D_acl)
2368 debug_printf_indent("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
2369
2370 /* See if we have already computed the rate by looking in the relevant tree.
2371 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2372 pool so that they survive across resets. In readonly mode we only remember the
2373 result for the rest of this command in case a later command changes it. After
2374 this bit of logic the code is independent of the per_* mode. */
2375
2376 old_pool = store_pool;
2377
2378 if (readonly)
2379 anchor = &ratelimiters_cmd;
2380 else switch(mode)
2381 {
2382 case RATE_PER_CONN:
2383 anchor = &ratelimiters_conn;
2384 store_pool = POOL_PERM;
2385 break;
2386 case RATE_PER_BYTE:
2387 case RATE_PER_MAIL:
2388 case RATE_PER_ALLRCPTS:
2389 anchor = &ratelimiters_mail;
2390 break;
2391 case RATE_PER_ADDR:
2392 case RATE_PER_CMD:
2393 case RATE_PER_RCPT:
2394 anchor = &ratelimiters_cmd;
2395 break;
2396 default:
2397 anchor = NULL; /* silence an "unused" complaint */
2398 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2399 "internal ACL error: unknown ratelimit mode %d", mode);
2400 break;
2401 }
2402
2403 if ((t = tree_search(*anchor, key)))
2404 {
2405 dbd = t->data.ptr;
2406 /* The following few lines duplicate some of the code below. */
2407 rc = (dbd->rate < limit)? FAIL : OK;
2408 store_pool = old_pool;
2409 sender_rate = string_sprintf("%.1f", dbd->rate);
2410 HDEBUG(D_acl)
2411 debug_printf_indent("ratelimit found pre-computed rate %s\n", sender_rate);
2412 return rc;
2413 }
2414
2415 /* We aren't using a pre-computed rate, so get a previously recorded rate
2416 from the database, which will be updated and written back if required. */
2417
2418 if (!(dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE, TRUE)))
2419 {
2420 store_pool = old_pool;
2421 sender_rate = NULL;
2422 HDEBUG(D_acl) debug_printf_indent("ratelimit database not available\n");
2423 *log_msgptr = US"ratelimit database not available";
2424 return DEFER;
2425 }
2426 dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2427 dbd = NULL;
2428
2429 gettimeofday(&tv, NULL);
2430
2431 if (dbdb)
2432 {
2433 /* Locate the basic ratelimit block inside the DB data. */
2434 HDEBUG(D_acl) debug_printf_indent("ratelimit found key in database\n");
2435 dbd = &dbdb->dbd;
2436
2437 /* Forget the old Bloom filter if it is too old, so that we count each
2438 repeating event once per period. We don't simply clear and re-use the old
2439 filter because we want its size to change if the limit changes. Note that
2440 we keep the dbd pointer for copying the rate into the new data block. */
2441
2442 if(unique && tv.tv_sec > dbdb->bloom_epoch + period)
2443 {
2444 HDEBUG(D_acl) debug_printf_indent("ratelimit discarding old Bloom filter\n");
2445 dbdb = NULL;
2446 }
2447
2448 /* Sanity check. */
2449
2450 if(unique && dbdb_size < sizeof(*dbdb))
2451 {
2452 HDEBUG(D_acl) debug_printf_indent("ratelimit discarding undersize Bloom filter\n");
2453 dbdb = NULL;
2454 }
2455 }
2456
2457 /* Allocate a new data block if the database lookup failed
2458 or the Bloom filter passed its age limit. */
2459
2460 if (!dbdb)
2461 {
2462 if (!unique)
2463 {
2464 /* No Bloom filter. This basic ratelimit block is initialized below. */
2465 HDEBUG(D_acl) debug_printf_indent("ratelimit creating new rate data block\n");
2466 dbdb_size = sizeof(*dbd);
2467 dbdb = store_get(dbdb_size, FALSE); /* not tainted */
2468 }
2469 else
2470 {
2471 int extra;
2472 HDEBUG(D_acl) debug_printf_indent("ratelimit creating new Bloom filter\n");
2473
2474 /* See the long comment below for an explanation of the magic number 2.
2475 The filter has a minimum size in case the rate limit is very small;
2476 this is determined by the definition of dbdata_ratelimit_unique. */
2477
2478 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2479 if (extra < 0) extra = 0;
2480 dbdb_size = sizeof(*dbdb) + extra;
2481 dbdb = store_get(dbdb_size, FALSE); /* not tainted */
2482 dbdb->bloom_epoch = tv.tv_sec;
2483 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2484 memset(dbdb->bloom, 0, dbdb->bloom_size);
2485
2486 /* Preserve any basic ratelimit data (which is our longer-term memory)
2487 by copying it from the discarded block. */
2488
2489 if (dbd)
2490 {
2491 dbdb->dbd = *dbd;
2492 dbd = &dbdb->dbd;
2493 }
2494 }
2495 }
2496
2497 /* If we are counting unique events, find out if this event is new or not.
2498 If the client repeats the event during the current period then it should be
2499 counted. We skip this code in readonly mode for efficiency, because any
2500 changes to the filter will be discarded and because count is already set to
2501 zero. */
2502
2503 if (unique && !readonly)
2504 {
2505 /* We identify unique events using a Bloom filter. (You can find my
2506 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2507 With the per_addr option, an "event" is a recipient address, though the
2508 user can use the unique option to define their own events. We only count
2509 an event if we have not seen it before.
2510
2511 We size the filter according to the rate limit, which (in leaky mode)
2512 is the limit on the population of the filter. We allow 16 bits of space
2513 per entry (see the construction code above) and we set (up to) 8 of them
2514 when inserting an element (see the loop below). The probability of a false
2515 positive (an event we have not seen before but which we fail to count) is
2516
2517 size = limit * 16
2518 numhash = 8
2519 allzero = exp(-numhash * pop / size)
2520 = exp(-0.5 * pop / limit)
2521 fpr = pow(1 - allzero, numhash)
2522
2523 For senders at the limit the fpr is 0.06% or 1 in 1700
2524 and for senders at half the limit it is 0.0006% or 1 in 170000
2525
2526 In strict mode the Bloom filter can fill up beyond the normal limit, in
2527 which case the false positive rate will rise. This means that the
2528 measured rate for very fast senders can bogusly drop off after a while.
2529
2530 At twice the limit, the fpr is 2.5% or 1 in 40
2531 At four times the limit, it is 31% or 1 in 3.2
2532
2533 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2534 decay below the limit, and if this is more than one then the Bloom filter
2535 will be discarded before the decay gets that far. The false positive rate
2536 at this threshold is 9.3% or 1 in 10.7. */
2537
2538 BOOL seen;
2539 unsigned n, hash, hinc;
2540 uschar md5sum[16];
2541 md5 md5info;
2542
2543 /* Instead of using eight independent hash values, we combine two values
2544 using the formula h1 + n * h2. This does not harm the Bloom filter's
2545 performance, and means the amount of hash we need is independent of the
2546 number of bits we set in the filter. */
2547
2548 md5_start(&md5info);
2549 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2550 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2551 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2552
2553 /* Scan the bits corresponding to this event. A zero bit means we have
2554 not seen it before. Ensure all bits are set to record this event. */
2555
2556 HDEBUG(D_acl) debug_printf_indent("ratelimit checking uniqueness of %s\n", unique);
2557
2558 seen = TRUE;
2559 for (n = 0; n < 8; n++, hash += hinc)
2560 {
2561 int bit = 1 << (hash % 8);
2562 int byte = (hash / 8) % dbdb->bloom_size;
2563 if ((dbdb->bloom[byte] & bit) == 0)
2564 {
2565 dbdb->bloom[byte] |= bit;
2566 seen = FALSE;
2567 }
2568 }
2569
2570 /* If this event has occurred before, do not count it. */
2571
2572 if (seen)
2573 {
2574 HDEBUG(D_acl) debug_printf_indent("ratelimit event found in Bloom filter\n");
2575 count = 0.0;
2576 }
2577 else
2578 HDEBUG(D_acl) debug_printf_indent("ratelimit event added to Bloom filter\n");
2579 }
2580
2581 /* If there was no previous ratelimit data block for this key, initialize
2582 the new one, otherwise update the block from the database. The initial rate
2583 is what would be computed by the code below for an infinite interval. */
2584
2585 if (!dbd)
2586 {
2587 HDEBUG(D_acl) debug_printf_indent("ratelimit initializing new key's rate data\n");
2588 dbd = &dbdb->dbd;
2589 dbd->time_stamp = tv.tv_sec;
2590 dbd->time_usec = tv.tv_usec;
2591 dbd->rate = count;
2592 }
2593 else
2594 {
2595 /* The smoothed rate is computed using an exponentially weighted moving
2596 average adjusted for variable sampling intervals. The standard EWMA for
2597 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2598 where f() is the measured value and f'() is the smoothed value.
2599
2600 Old data decays out of the smoothed value exponentially, such that data n
2601 samples old is multiplied by a^n. The exponential decay time constant p
2602 is defined such that data p samples old is multiplied by 1/e, which means
2603 that a = exp(-1/p). We can maintain the same time constant for a variable
2604 sampling interval i by using a = exp(-i/p).
2605
2606 The rate we are measuring is messages per period, suitable for directly
2607 comparing with the limit. The average rate between now and the previous
2608 message is period / interval, which we feed into the EWMA as the sample.
2609
2610 It turns out that the number of messages required for the smoothed rate
2611 to reach the limit when they are sent in a burst is equal to the limit.
2612 This can be seen by analysing the value of the smoothed rate after N
2613 messages sent at even intervals. Let k = (1 - a) * p/i
2614
2615 rate_1 = (1 - a) * p/i + a * rate_0
2616 = k + a * rate_0
2617 rate_2 = k + a * rate_1
2618 = k + a * k + a^2 * rate_0
2619 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2620 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2621 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2622 = rate_0 * a^N + p/i * (1 - a^N)
2623
2624 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2625
2626 rate_N = p/i + (rate_0 - p/i) * a^N
2627 a^N = (rate_N - p/i) / (rate_0 - p/i)
2628 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2629 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2630
2631 Numerical analysis of the above equation, setting the computed rate to
2632 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2633 rates, p/i, the number of messages N = limit. So limit serves as both the
2634 maximum rate measured in messages per period, and the maximum number of
2635 messages that can be sent in a fast burst. */
2636
2637 double this_time = (double)tv.tv_sec
2638 + (double)tv.tv_usec / 1000000.0;
2639 double prev_time = (double)dbd->time_stamp
2640 + (double)dbd->time_usec / 1000000.0;
2641
2642 /* We must avoid division by zero, and deal gracefully with the clock going
2643 backwards. If we blunder ahead when time is in reverse then the computed
2644 rate will be bogus. To be safe we clamp interval to a very small number. */
2645
2646 double interval = this_time - prev_time <= 0.0 ? 1e-9
2647 : this_time - prev_time;
2648
2649 double i_over_p = interval / period;
2650 double a = exp(-i_over_p);
2651
2652 /* Combine the instantaneous rate (period / interval) with the previous rate
2653 using the smoothing factor a. In order to measure sized events, multiply the
2654 instantaneous rate by the count of bytes or recipients etc. */
2655
2656 dbd->time_stamp = tv.tv_sec;
2657 dbd->time_usec = tv.tv_usec;
2658 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2659
2660 /* When events are very widely spaced the computed rate tends towards zero.
2661 Although this is accurate it turns out not to be useful for our purposes,
2662 especially when the first event after a long silence is the start of a spam
2663 run. A more useful model is that the rate for an isolated event should be the
2664 size of the event per the period size, ignoring the lack of events outside
2665 the current period and regardless of where the event falls in the period. So,
2666 if the interval was so long that the calculated rate is unhelpfully small, we
2667 re-initialize the rate. In the absence of higher-rate bursts, the condition
2668 below is true if the interval is greater than the period. */
2669
2670 if (dbd->rate < count) dbd->rate = count;
2671 }
2672
2673 /* Clients sending at the limit are considered to be over the limit.
2674 This matters for edge cases such as a limit of zero, when the client
2675 should be completely blocked. */
2676
2677 rc = dbd->rate < limit ? FAIL : OK;
2678
2679 /* Update the state if the rate is low or if we are being strict. If we
2680 are in leaky mode and the sender's rate is too high, we do not update
2681 the recorded rate in order to avoid an over-aggressive sender's retry
2682 rate preventing them from getting any email through. If readonly is set,
2683 neither leaky nor strict are set, so we do not do any updates. */
2684
2685 if ((rc == FAIL && leaky) || strict)
2686 {
2687 dbfn_write(dbm, key, dbdb, dbdb_size);
2688 HDEBUG(D_acl) debug_printf_indent("ratelimit db updated\n");
2689 }
2690 else
2691 {
2692 HDEBUG(D_acl) debug_printf_indent("ratelimit db not updated: %s\n",
2693 readonly? "readonly mode" : "over the limit, but leaky");
2694 }
2695
2696 dbfn_close(dbm);
2697
2698 /* Store the result in the tree for future reference. Take the taint status
2699 from the key for consistency even though it's unlikely we'll ever expand this. */
2700
2701 t = store_get(sizeof(tree_node) + Ustrlen(key), is_tainted(key));
2702 t->data.ptr = dbd;
2703 Ustrcpy(t->name, key);
2704 (void)tree_insertnode(anchor, t);
2705
2706 /* We create the formatted version of the sender's rate very late in
2707 order to ensure that it is done using the correct storage pool. */
2708
2709 store_pool = old_pool;
2710 sender_rate = string_sprintf("%.1f", dbd->rate);
2711
2712 HDEBUG(D_acl)
2713 debug_printf_indent("ratelimit computed rate %s\n", sender_rate);
2714
2715 return rc;
2716 }
2717
2718
2719
2720 /*************************************************
2721 * The udpsend ACL modifier *
2722 *************************************************/
2723
2724 /* Called by acl_check_condition() below.
2725
2726 Arguments:
2727 arg the option string for udpsend=
2728 log_msgptr for error messages
2729
2730 Returns: OK - Completed.
2731 DEFER - Problem with DNS lookup.
2732 ERROR - Syntax error in options.
2733 */
2734
2735 static int
2736 acl_udpsend(const uschar *arg, uschar **log_msgptr)
2737 {
2738 int sep = 0;
2739 uschar *hostname;
2740 uschar *portstr;
2741 uschar *portend;
2742 host_item *h;
2743 int portnum;
2744 int len;
2745 int r, s;
2746 uschar * errstr;
2747
2748 hostname = string_nextinlist(&arg, &sep, NULL, 0);
2749 portstr = string_nextinlist(&arg, &sep, NULL, 0);
2750
2751 if (!hostname)
2752 {
2753 *log_msgptr = US"missing destination host in \"udpsend\" modifier";
2754 return ERROR;
2755 }
2756 if (!portstr)
2757 {
2758 *log_msgptr = US"missing destination port in \"udpsend\" modifier";
2759 return ERROR;
2760 }
2761 if (!arg)
2762 {
2763 *log_msgptr = US"missing datagram payload in \"udpsend\" modifier";
2764 return ERROR;
2765 }
2766 portnum = Ustrtol(portstr, &portend, 10);
2767 if (*portend != '\0')
2768 {
2769 *log_msgptr = US"bad destination port in \"udpsend\" modifier";
2770 return ERROR;
2771 }
2772
2773 /* Make a single-item host list. */
2774 h = store_get(sizeof(host_item), FALSE);
2775 memset(h, 0, sizeof(host_item));
2776 h->name = hostname;
2777 h->port = portnum;
2778 h->mx = MX_NONE;
2779
2780 if (string_is_ip_address(hostname, NULL))
2781 h->address = hostname, r = HOST_FOUND;
2782 else
2783 r = host_find_byname(h, NULL, 0, NULL, FALSE);
2784 if (r == HOST_FIND_FAILED || r == HOST_FIND_AGAIN)
2785 {
2786 *log_msgptr = US"DNS lookup failed in \"udpsend\" modifier";
2787 return DEFER;
2788 }
2789
2790 HDEBUG(D_acl)
2791 debug_printf_indent("udpsend [%s]:%d %s\n", h->address, portnum, arg);
2792
2793 /*XXX this could better use sendto */
2794 r = s = ip_connectedsocket(SOCK_DGRAM, h->address, portnum, portnum,
2795 1, NULL, &errstr, NULL);
2796 if (r < 0) goto defer;
2797 len = Ustrlen(arg);
2798 r = send(s, arg, len, 0);
2799 if (r < 0)
2800 {
2801 errstr = US strerror(errno);
2802 close(s);
2803 goto defer;
2804 }
2805 close(s);
2806 if (r < len)
2807 {
2808 *log_msgptr =
2809 string_sprintf("\"udpsend\" truncated from %d to %d octets", len, r);
2810 return DEFER;
2811 }
2812
2813 HDEBUG(D_acl)
2814 debug_printf_indent("udpsend %d bytes\n", r);
2815
2816 return OK;
2817
2818 defer:
2819 *log_msgptr = string_sprintf("\"udpsend\" failed: %s", errstr);
2820 return DEFER;
2821 }
2822
2823
2824
2825 /*************************************************
2826 * Handle conditions/modifiers on an ACL item *
2827 *************************************************/
2828
2829 /* Called from acl_check() below.
2830
2831 Arguments:
2832 verb ACL verb
2833 cb ACL condition block - if NULL, result is OK
2834 where where called from
2835 addr the address being checked for RCPT, or NULL
2836 level the nesting level
2837 epp pointer to pass back TRUE if "endpass" encountered
2838 (applies only to "accept" and "discard")
2839 user_msgptr user message pointer
2840 log_msgptr log message pointer
2841 basic_errno pointer to where to put verify error
2842
2843 Returns: OK - all conditions are met
2844 DISCARD - an "acl" condition returned DISCARD - only allowed
2845 for "accept" or "discard" verbs
2846 FAIL - at least one condition fails
2847 FAIL_DROP - an "acl" condition returned FAIL_DROP
2848 DEFER - can't tell at the moment (typically, lookup defer,
2849 but can be temporary callout problem)
2850 ERROR - ERROR from nested ACL or expansion failure or other
2851 error
2852 */
2853
2854 static int
2855 acl_check_condition(int verb, acl_condition_block *cb, int where,
2856 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2857 uschar **log_msgptr, int *basic_errno)
2858 {
2859 uschar *user_message = NULL;
2860 uschar *log_message = NULL;
2861 int rc = OK;
2862 #ifdef WITH_CONTENT_SCAN
2863 int sep = -'/';
2864 #endif
2865
2866 for (; cb; cb = cb->next)
2867 {
2868 const uschar *arg;
2869 int control_type;
2870
2871 /* The message and log_message items set up messages to be used in
2872 case of rejection. They are expanded later. */
2873
2874 if (cb->type == ACLC_MESSAGE)
2875 {
2876 HDEBUG(D_acl) debug_printf_indent(" message: %s\n", cb->arg);
2877 user_message = cb->arg;
2878 continue;
2879 }
2880
2881 if (cb->type == ACLC_LOG_MESSAGE)
2882 {
2883 HDEBUG(D_acl) debug_printf_indent("l_message: %s\n", cb->arg);
2884 log_message = cb->arg;
2885 continue;
2886 }
2887
2888 /* The endpass "condition" just sets a flag to show it occurred. This is
2889 checked at compile time to be on an "accept" or "discard" item. */
2890
2891 if (cb->type == ACLC_ENDPASS)
2892 {
2893 *epp = TRUE;
2894 continue;
2895 }
2896
2897 /* For other conditions and modifiers, the argument is expanded now for some
2898 of them, but not for all, because expansion happens down in some lower level
2899 checking functions in some cases. */
2900
2901 if (!conditions[cb->type].expand_at_top)
2902 arg = cb->arg;
2903 else if (!(arg = expand_string(cb->arg)))
2904 {
2905 if (f.expand_string_forcedfail) continue;
2906 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2907 cb->arg, expand_string_message);
2908 return f.search_find_defer ? DEFER : ERROR;
2909 }
2910
2911 /* Show condition, and expanded condition if it's different */
2912
2913 HDEBUG(D_acl)
2914 {
2915 int lhswidth = 0;
2916 debug_printf_indent("check %s%s %n",
2917 (!conditions[cb->type].is_modifier && cb->u.negated)? "!":"",
2918 conditions[cb->type].name, &lhswidth);
2919
2920 if (cb->type == ACLC_SET)
2921 {
2922 #ifndef DISABLE_DKIM
2923 if ( Ustrcmp(cb->u.varname, "dkim_verify_status") == 0
2924 || Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
2925 {
2926 debug_printf("%s ", cb->u.varname);
2927 lhswidth += 19;
2928 }
2929 else
2930 #endif
2931 {
2932 debug_printf("acl_%s ", cb->u.varname);
2933 lhswidth += 5 + Ustrlen(cb->u.varname);
2934 }
2935 }
2936
2937 debug_printf("= %s\n", cb->arg);
2938
2939 if (arg != cb->arg)
2940 debug_printf("%.*s= %s\n", lhswidth,
2941 US" ", CS arg);
2942 }
2943
2944 /* Check that this condition makes sense at this time */
2945
2946 if ((conditions[cb->type].forbids & (1 << where)) != 0)
2947 {
2948 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2949 conditions[cb->type].is_modifier ? "use" : "test",
2950 conditions[cb->type].name, acl_wherenames[where]);
2951 return ERROR;
2952 }
2953
2954 /* Run the appropriate test for each condition, or take the appropriate
2955 action for the remaining modifiers. */
2956
2957 switch(cb->type)
2958 {
2959 case ACLC_ADD_HEADER:
2960 setup_header(arg);
2961 break;
2962
2963 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2964 "discard" verb. */
2965
2966 case ACLC_ACL:
2967 rc = acl_check_wargs(where, addr, arg, user_msgptr, log_msgptr);
2968 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2969 {
2970 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2971 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2972 verbs[verb]);
2973 return ERROR;
2974 }
2975 break;
2976
2977 case ACLC_AUTHENTICATED:
2978 rc = sender_host_authenticated ? match_isinlist(sender_host_authenticated,
2979 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL) : FAIL;
2980 break;
2981
2982 #ifdef EXPERIMENTAL_BRIGHTMAIL
2983 case ACLC_BMI_OPTIN:
2984 {
2985 int old_pool = store_pool;
2986 store_pool = POOL_PERM;
2987 bmi_current_optin = string_copy(arg);
2988 store_pool = old_pool;
2989 }
2990 break;
2991 #endif
2992
2993 case ACLC_CONDITION:
2994 /* The true/false parsing here should be kept in sync with that used in
2995 expand.c when dealing with ECOND_BOOL so that we don't have too many
2996 different definitions of what can be a boolean. */
2997 if (*arg == '-'
2998 ? Ustrspn(arg+1, "0123456789") == Ustrlen(arg+1) /* Negative number */
2999 : Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
3000 rc = (Uatoi(arg) == 0)? FAIL : OK;
3001 else
3002 rc = (strcmpic(arg, US"no") == 0 ||
3003 strcmpic(arg, US"false") == 0)? FAIL :
3004 (strcmpic(arg, US"yes") == 0 ||
3005 strcmpic(arg, US"true") == 0)? OK : DEFER;
3006 if (rc == DEFER)
3007 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
3008 break;
3009
3010 case ACLC_CONTINUE: /* Always succeeds */
3011 break;
3012
3013 case ACLC_CONTROL:
3014 {
3015 const uschar *p = NULL;
3016 control_type = decode_control(arg, &p, where, log_msgptr);
3017
3018 /* Check if this control makes sense at this time */
3019
3020 if (controls_list[control_type].forbids & (1 << where))
3021 {
3022 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
3023 controls_list[control_type].name, acl_wherenames[where]);
3024 return ERROR;
3025 }
3026
3027 switch(control_type)
3028 {
3029 case CONTROL_AUTH_UNADVERTISED:
3030 f.allow_auth_unadvertised = TRUE;
3031 break;
3032
3033 #ifdef EXPERIMENTAL_BRIGHTMAIL
3034 case CONTROL_BMI_RUN:
3035 bmi_run = 1;
3036 break;
3037 #endif
3038
3039 #ifndef DISABLE_DKIM
3040 case CONTROL_DKIM_VERIFY:
3041 f.dkim_disable_verify = TRUE;
3042 # ifdef SUPPORT_DMARC
3043 /* Since DKIM was blocked, skip DMARC too */
3044 f.dmarc_disable_verify = TRUE;
3045 f.dmarc_enable_forensic = FALSE;
3046 # endif
3047 break;
3048 #endif
3049
3050 #ifdef SUPPORT_DMARC
3051 case CONTROL_DMARC_VERIFY:
3052 f.dmarc_disable_verify = TRUE;
3053 break;
3054
3055 case CONTROL_DMARC_FORENSIC:
3056 f.dmarc_enable_forensic = TRUE;
3057 break;
3058 #endif
3059
3060 case CONTROL_DSCP:
3061 if (*p == '/')
3062 {
3063 int fd, af, level, optname, value;
3064 /* If we are acting on stdin, the setsockopt may fail if stdin is not
3065 a socket; we can accept that, we'll just debug-log failures anyway. */
3066 fd = fileno(smtp_in);
3067 if ((af = ip_get_address_family(fd)) < 0)
3068 {
3069 HDEBUG(D_acl)
3070 debug_printf_indent("smtp input is probably not a socket [%s], not setting DSCP\n",
3071 strerror(errno));
3072 break;
3073 }
3074 if (dscp_lookup(p+1, af, &level, &optname, &value))
3075 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3076 {
3077 HDEBUG(D_acl) debug_printf_indent("failed to set input DSCP[%s]: %s\n",
3078 p+1, strerror(errno));
3079 }
3080 else
3081 {
3082 HDEBUG(D_acl) debug_printf_indent("set input DSCP to \"%s\"\n", p+1);
3083 }
3084 else
3085 {
3086 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3087 return ERROR;
3088 }
3089 }
3090 else
3091 {
3092 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3093 return ERROR;
3094 }
3095 break;
3096
3097 case CONTROL_ERROR:
3098 return ERROR;
3099
3100 case CONTROL_CASEFUL_LOCAL_PART:
3101 deliver_localpart = addr->cc_local_part;
3102 break;
3103
3104 case CONTROL_CASELOWER_LOCAL_PART:
3105 deliver_localpart = addr->lc_local_part;
3106 break;
3107
3108 case CONTROL_ENFORCE_SYNC:
3109 smtp_enforce_sync = TRUE;
3110 break;
3111
3112 case CONTROL_NO_ENFORCE_SYNC:
3113 smtp_enforce_sync = FALSE;
3114 break;
3115
3116 #ifdef WITH_CONTENT_SCAN
3117 case CONTROL_NO_MBOX_UNSPOOL:
3118 f.no_mbox_unspool = TRUE;
3119 break;
3120 #endif
3121
3122 case CONTROL_NO_MULTILINE:
3123 f.no_multiline_responses = TRUE;
3124 break;
3125
3126 case CONTROL_NO_PIPELINING:
3127 f.pipelining_enable = FALSE;
3128 break;
3129
3130 case CONTROL_NO_DELAY_FLUSH:
3131 f.disable_delay_flush = TRUE;
3132 break;
3133
3134 case CONTROL_NO_CALLOUT_FLUSH:
3135 f.disable_callout_flush = TRUE;
3136 break;
3137
3138 case CONTROL_FAKEREJECT:
3139 cancel_cutthrough_connection(TRUE, US"fakereject");
3140 case CONTROL_FAKEDEFER:
3141 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
3142 if (*p == '/')
3143 {
3144 const uschar *pp = p + 1;
3145 while (*pp) pp++;
3146 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
3147 p = pp;
3148 }
3149 else /* Explicitly reset to default string */
3150 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
3151 break;
3152
3153 case CONTROL_FREEZE:
3154 f.deliver_freeze = TRUE;
3155 deliver_frozen_at = time(NULL);
3156 freeze_tell = freeze_tell_config; /* Reset to configured value */
3157 if (Ustrncmp(p, "/no_tell", 8) == 0)
3158 {
3159 p += 8;
3160 freeze_tell = NULL;
3161 }
3162 if (*p)
3163 {
3164 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3165 return ERROR;
3166 }
3167 cancel_cutthrough_connection(TRUE, US"item frozen");
3168 break;
3169
3170 case CONTROL_QUEUE:
3171 case CONTROL_QUEUE_ONLY:
3172 f.queue_only_policy = TRUE;
3173 cancel_cutthrough_connection(TRUE, US"queueing forced");
3174 while (*p == '/')
3175 if (Ustrncmp(p, "/first_pass_route", 17) == 0)
3176 {
3177 p += 17;
3178 f.queue_smtp = TRUE;
3179 }
3180 break;
3181
3182 case CONTROL_SUBMISSION:
3183 originator_name = US"";
3184 f.submission_mode = TRUE;
3185 while (*p == '/')
3186 {
3187 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3188 {
3189 p += 14;
3190 f.active_local_sender_retain = TRUE;
3191 f.active_local_from_check = FALSE;
3192 }
3193 else if (Ustrncmp(p, "/domain=", 8) == 0)
3194 {
3195 const uschar *pp = p + 8;
3196 while (*pp && *pp != '/') pp++;
3197 submission_domain = string_copyn(p+8, pp-p-8);
3198 p = pp;
3199 }
3200 /* The name= option must be last, because it swallows the rest of
3201 the string. */
3202 else if (Ustrncmp(p, "/name=", 6) == 0)
3203 {
3204 const uschar *pp = p + 6;
3205 while (*pp) pp++;
3206 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
3207 big_buffer, big_buffer_size));
3208 p = pp;
3209 }
3210 else break;
3211 }
3212 if (*p)
3213 {
3214 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3215 return ERROR;
3216 }
3217 break;
3218
3219 case CONTROL_DEBUG:
3220 {
3221 uschar * debug_tag = NULL;
3222 uschar * debug_opts = NULL;
3223 BOOL kill = FALSE;
3224
3225 while (*p == '/')
3226 {
3227 const uschar * pp = p+1;
3228 if (Ustrncmp(pp, "tag=", 4) == 0)
3229 {
3230 for (pp += 4; *pp && *pp != '/';) pp++;
3231 debug_tag = string_copyn(p+5, pp-p-5);
3232 }
3233 else if (Ustrncmp(pp, "opts=", 5) == 0)
3234 {
3235 for (pp += 5; *pp && *pp != '/';) pp++;
3236 debug_opts = string_copyn(p+6, pp-p-6);
3237 }
3238 else if (Ustrncmp(pp, "kill", 4) == 0)
3239 {
3240 for (pp += 4; *pp && *pp != '/';) pp++;
3241 kill = TRUE;
3242 }
3243 else
3244 while (*pp && *pp != '/') pp++;
3245 p = pp;
3246 }
3247
3248 if (kill)
3249 debug_logging_stop();
3250 else
3251 debug_logging_activate(debug_tag, debug_opts);
3252 break;
3253 }
3254
3255 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3256 f.suppress_local_fixups = TRUE;
3257 break;
3258
3259 case CONTROL_CUTTHROUGH_DELIVERY:
3260 {
3261 uschar * ignored = NULL;
3262 #ifndef DISABLE_PRDR
3263 if (prdr_requested)
3264 #else
3265 if (0)
3266 #endif
3267 /* Too hard to think about for now. We might in future cutthrough
3268 the case where both sides handle prdr and this-node prdr acl
3269 is "accept" */
3270 ignored = US"PRDR active";
3271 else
3272 {
3273 if (f.deliver_freeze)
3274 ignored = US"frozen";
3275 else if (f.queue_only_policy)
3276 ignored = US"queue-only";
3277 else if (fake_response == FAIL)
3278 ignored = US"fakereject";
3279 else
3280 {
3281 if (rcpt_count == 1)
3282 {
3283 cutthrough.delivery = TRUE; /* control accepted */
3284 while (*p == '/')
3285 {
3286 const uschar * pp = p+1;
3287 if (Ustrncmp(pp, "defer=", 6) == 0)
3288 {
3289 pp += 6;
3290 if (Ustrncmp(pp, "pass", 4) == 0) cutthrough.defer_pass = TRUE;
3291 /* else if (Ustrncmp(pp, "spool") == 0) ; default */
3292 }
3293 else
3294 while (*pp && *pp != '/') pp++;
3295 p = pp;
3296 }
3297 }
3298 else
3299 ignored = US"nonfirst rcpt";
3300 }
3301 }
3302 DEBUG(D_acl) if (ignored)
3303 debug_printf(" cutthrough request ignored on %s item\n", ignored);
3304 }
3305 break;
3306
3307 #ifdef SUPPORT_I18N
3308 case CONTROL_UTF8_DOWNCONVERT:
3309 if (*p == '/')
3310 {
3311 if (p[1] == '1')
3312 {
3313 message_utf8_downconvert = 1;
3314 addr->prop.utf8_downcvt = TRUE;
3315 addr->prop.utf8_downcvt_maybe = FALSE;
3316 p += 2;
3317 break;
3318 }
3319 if (p[1] == '0')
3320 {
3321 message_utf8_downconvert = 0;
3322 addr->prop.utf8_downcvt = FALSE;
3323 addr->prop.utf8_downcvt_maybe = FALSE;
3324 p += 2;
3325 break;
3326 }
3327 if (p[1] == '-' && p[2] == '1')
3328 {
3329 message_utf8_downconvert = -1;
3330 addr->prop.utf8_downcvt = FALSE;
3331 addr->prop.utf8_downcvt_maybe = TRUE;
3332 p += 3;
3333 break;
3334 }
3335 *log_msgptr = US"bad option value for control=utf8_downconvert";
3336 }
3337 else
3338 {
3339 message_utf8_downconvert = 1;
3340 addr->prop.utf8_downcvt = TRUE;
3341 addr->prop.utf8_downcvt_maybe = FALSE;
3342 break;
3343 }
3344 return ERROR;
3345 #endif
3346
3347 }
3348 break;
3349 }
3350
3351 #ifdef EXPERIMENTAL_DCC
3352 case ACLC_DCC:
3353 {
3354 /* Separate the regular expression and any optional parameters. */
3355 const uschar * list = arg;
3356 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
3357 /* Run the dcc backend. */
3358 rc = dcc_process(&ss);
3359 /* Modify return code based upon the existence of options. */
3360 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
3361 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3362 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
3363 }
3364 break;
3365 #endif
3366
3367 #ifdef WITH_CONTENT_SCAN
3368 case ACLC_DECODE:
3369 rc = mime_decode(&arg);
3370 break;
3371 #endif
3372
3373 case ACLC_DELAY:
3374 {
3375 int delay = readconf_readtime(arg, 0, FALSE);
3376 if (delay < 0)
3377 {
3378 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3379 "modifier: \"%s\" is not a time value", arg);
3380 return ERROR;
3381 }
3382 else
3383 {
3384 HDEBUG(D_acl) debug_printf_indent("delay modifier requests %d-second delay\n",
3385 delay);
3386 if (host_checking)
3387 {
3388 HDEBUG(D_acl)
3389 debug_printf_indent("delay skipped in -bh checking mode\n");
3390 }
3391
3392 /* NOTE 1: Remember that we may be
3393 dealing with stdin/stdout here, in addition to TCP/IP connections.
3394 Also, delays may be specified for non-SMTP input, where smtp_out and
3395 smtp_in will be NULL. Whatever is done must work in all cases.
3396
3397 NOTE 2: The added feature of flushing the output before a delay must
3398 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3399 */
3400
3401 else
3402 {
3403 if (smtp_out && !f.disable_delay_flush)
3404 mac_smtp_fflush();
3405
3406 #if !defined(NO_POLL_H) && defined (POLLRDHUP)
3407 {
3408 struct pollfd p;
3409 nfds_t n = 0;
3410 if (smtp_out)
3411 {
3412 p.fd = fileno(smtp_out);
3413 p.events = POLLRDHUP;
3414 n = 1;
3415 }
3416 if (poll(&p, n, delay*1000) > 0)
3417 HDEBUG(D_acl) debug_printf_indent("delay cancelled by peer close\n");
3418 }
3419 #else
3420 /* Lacking POLLRDHUP it appears to be impossible to detect that a
3421 TCP/IP connection has gone away without reading from it. This means
3422 that we cannot shorten the delay below if the client goes away,
3423 because we cannot discover that the client has closed its end of the
3424 connection. (The connection is actually in a half-closed state,
3425 waiting for the server to close its end.) It would be nice to be able
3426 to detect this state, so that the Exim process is not held up
3427 unnecessarily. However, it seems that we can't. The poll() function
3428 does not do the right thing, and in any case it is not always
3429 available. */
3430
3431 while (delay > 0) delay = sleep(delay);
3432 #endif
3433 }
3434 }
3435 }
3436 break;
3437
3438 #ifndef DISABLE_DKIM
3439 case ACLC_DKIM_SIGNER:
3440 if (dkim_cur_signer)
3441 rc = match_isinlist(dkim_cur_signer,
3442 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3443 else
3444 rc = FAIL;
3445 break;
3446
3447 case ACLC_DKIM_STATUS:
3448 rc = match_isinlist(dkim_verify_status,
3449 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3450 break;
3451 #endif
3452
3453 #ifdef SUPPORT_DMARC
3454 case ACLC_DMARC_STATUS:
3455 if (!f.dmarc_has_been_checked)
3456 dmarc_process();
3457 f.dmarc_has_been_checked = TRUE;
3458 /* used long way of dmarc_exim_expand_query() in case we need more
3459 * view into the process in the future. */
3460 rc = match_isinlist(dmarc_exim_expand_query(DMARC_VERIFY_STATUS),
3461 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);