git/ACKNOWLEDGMENTS: coerce charset of git tools
[exim.git] / src / src / acl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2012 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Code for handling Access Control Lists (ACLs) */
9
10 #include "exim.h"
11
12
13 /* Default callout timeout */
14
15 #define CALLOUT_TIMEOUT_DEFAULT 30
16
17 /* ACL verb codes - keep in step with the table of verbs that follows */
18
19 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22 /* ACL verbs */
23
24 static uschar *verbs[] =
25 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
26 US"warn" };
27
28 /* For each verb, the conditions for which "message" or "log_message" are used
29 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
30 "accept", the FAIL case is used only after "endpass", but that is selected in
31 the code. */
32
33 static int msgcond[] = {
34 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
35 (1<<OK), /* defer */
36 (1<<OK), /* deny */
37 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
38 (1<<OK), /* drop */
39 (1<<FAIL) | (1<<FAIL_DROP), /* require */
40 (1<<OK) /* warn */
41 };
42
43 /* ACL condition and modifier codes - keep in step with the table that
44 follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
45 down. */
46
47 enum { ACLC_ACL,
48 ACLC_ADD_HEADER,
49 ACLC_AUTHENTICATED,
50 #ifdef EXPERIMENTAL_BRIGHTMAIL
51 ACLC_BMI_OPTIN,
52 #endif
53 ACLC_CONDITION,
54 ACLC_CONTINUE,
55 ACLC_CONTROL,
56 #ifdef EXPERIMENTAL_DCC
57 ACLC_DCC,
58 #endif
59 #ifdef WITH_CONTENT_SCAN
60 ACLC_DECODE,
61 #endif
62 ACLC_DELAY,
63 #ifdef WITH_OLD_DEMIME
64 ACLC_DEMIME,
65 #endif
66 #ifndef DISABLE_DKIM
67 ACLC_DKIM_SIGNER,
68 ACLC_DKIM_STATUS,
69 #endif
70 ACLC_DNSLISTS,
71 ACLC_DOMAINS,
72 ACLC_ENCRYPTED,
73 ACLC_ENDPASS,
74 ACLC_HOSTS,
75 ACLC_LOCAL_PARTS,
76 ACLC_LOG_MESSAGE,
77 ACLC_LOG_REJECT_TARGET,
78 ACLC_LOGWRITE,
79 #ifdef WITH_CONTENT_SCAN
80 ACLC_MALWARE,
81 #endif
82 ACLC_MESSAGE,
83 #ifdef WITH_CONTENT_SCAN
84 ACLC_MIME_REGEX,
85 #endif
86 ACLC_RATELIMIT,
87 ACLC_RECIPIENTS,
88 #ifdef WITH_CONTENT_SCAN
89 ACLC_REGEX,
90 #endif
91 ACLC_SENDER_DOMAINS,
92 ACLC_SENDERS,
93 ACLC_SET,
94 #ifdef WITH_CONTENT_SCAN
95 ACLC_SPAM,
96 #endif
97 #ifdef EXPERIMENTAL_SPF
98 ACLC_SPF,
99 ACLC_SPF_GUESS,
100 #endif
101 ACLC_VERIFY };
102
103 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
104 "message", "log_message", "log_reject_target", "logwrite", and "set" are
105 modifiers that look like conditions but always return TRUE. They are used for
106 their side effects. */
107
108 static uschar *conditions[] = {
109 US"acl",
110 US"add_header",
111 US"authenticated",
112 #ifdef EXPERIMENTAL_BRIGHTMAIL
113 US"bmi_optin",
114 #endif
115 US"condition",
116 US"continue",
117 US"control",
118 #ifdef EXPERIMENTAL_DCC
119 US"dcc",
120 #endif
121 #ifdef WITH_CONTENT_SCAN
122 US"decode",
123 #endif
124 US"delay",
125 #ifdef WITH_OLD_DEMIME
126 US"demime",
127 #endif
128 #ifndef DISABLE_DKIM
129 US"dkim_signers",
130 US"dkim_status",
131 #endif
132 US"dnslists",
133 US"domains",
134 US"encrypted",
135 US"endpass",
136 US"hosts",
137 US"local_parts",
138 US"log_message",
139 US"log_reject_target",
140 US"logwrite",
141 #ifdef WITH_CONTENT_SCAN
142 US"malware",
143 #endif
144 US"message",
145 #ifdef WITH_CONTENT_SCAN
146 US"mime_regex",
147 #endif
148 US"ratelimit",
149 US"recipients",
150 #ifdef WITH_CONTENT_SCAN
151 US"regex",
152 #endif
153 US"sender_domains", US"senders", US"set",
154 #ifdef WITH_CONTENT_SCAN
155 US"spam",
156 #endif
157 #ifdef EXPERIMENTAL_SPF
158 US"spf",
159 US"spf_guess",
160 #endif
161 US"verify" };
162
163
164 /* Return values from decode_control(); keep in step with the table of names
165 that follows! */
166
167 enum {
168 CONTROL_AUTH_UNADVERTISED,
169 #ifdef EXPERIMENTAL_BRIGHTMAIL
170 CONTROL_BMI_RUN,
171 #endif
172 CONTROL_DEBUG,
173 #ifndef DISABLE_DKIM
174 CONTROL_DKIM_VERIFY,
175 #endif
176 CONTROL_DSCP,
177 CONTROL_ERROR,
178 CONTROL_CASEFUL_LOCAL_PART,
179 CONTROL_CASELOWER_LOCAL_PART,
180 CONTROL_CUTTHROUGH_DELIVERY,
181 CONTROL_ENFORCE_SYNC,
182 CONTROL_NO_ENFORCE_SYNC,
183 CONTROL_FREEZE,
184 CONTROL_QUEUE_ONLY,
185 CONTROL_SUBMISSION,
186 CONTROL_SUPPRESS_LOCAL_FIXUPS,
187 #ifdef WITH_CONTENT_SCAN
188 CONTROL_NO_MBOX_UNSPOOL,
189 #endif
190 CONTROL_FAKEDEFER,
191 CONTROL_FAKEREJECT,
192 CONTROL_NO_MULTILINE,
193 CONTROL_NO_PIPELINING,
194 CONTROL_NO_DELAY_FLUSH,
195 CONTROL_NO_CALLOUT_FLUSH
196 };
197
198 /* ACL control names; keep in step with the table above! This list is used for
199 turning ids into names. The actual list of recognized names is in the variable
200 control_def controls_list[] below. The fact that there are two lists is a mess
201 and should be tidied up. */
202
203 static uschar *controls[] = {
204 US"allow_auth_unadvertised",
205 #ifdef EXPERIMENTAL_BRIGHTMAIL
206 US"bmi_run",
207 #endif
208 US"debug",
209 #ifndef DISABLE_DKIM
210 US"dkim_disable_verify",
211 #endif
212 US"dscp",
213 US"error",
214 US"caseful_local_part",
215 US"caselower_local_part",
216 US"cutthrough_delivery",
217 US"enforce_sync",
218 US"no_enforce_sync",
219 US"freeze",
220 US"queue_only",
221 US"submission",
222 US"suppress_local_fixups",
223 #ifdef WITH_CONTENT_SCAN
224 US"no_mbox_unspool",
225 #endif
226 US"fakedefer",
227 US"fakereject",
228 US"no_multiline_responses",
229 US"no_pipelining",
230 US"no_delay_flush",
231 US"no_callout_flush"
232 };
233
234 /* Flags to indicate for which conditions/modifiers a string expansion is done
235 at the outer level. In the other cases, expansion already occurs in the
236 checking functions. */
237
238 static uschar cond_expand_at_top[] = {
239 TRUE, /* acl */
240 TRUE, /* add_header */
241 FALSE, /* authenticated */
242 #ifdef EXPERIMENTAL_BRIGHTMAIL
243 TRUE, /* bmi_optin */
244 #endif
245 TRUE, /* condition */
246 TRUE, /* continue */
247 TRUE, /* control */
248 #ifdef EXPERIMENTAL_DCC
249 TRUE, /* dcc */
250 #endif
251 #ifdef WITH_CONTENT_SCAN
252 TRUE, /* decode */
253 #endif
254 TRUE, /* delay */
255 #ifdef WITH_OLD_DEMIME
256 TRUE, /* demime */
257 #endif
258 #ifndef DISABLE_DKIM
259 TRUE, /* dkim_signers */
260 TRUE, /* dkim_status */
261 #endif
262 TRUE, /* dnslists */
263 FALSE, /* domains */
264 FALSE, /* encrypted */
265 TRUE, /* endpass */
266 FALSE, /* hosts */
267 FALSE, /* local_parts */
268 TRUE, /* log_message */
269 TRUE, /* log_reject_target */
270 TRUE, /* logwrite */
271 #ifdef WITH_CONTENT_SCAN
272 TRUE, /* malware */
273 #endif
274 TRUE, /* message */
275 #ifdef WITH_CONTENT_SCAN
276 TRUE, /* mime_regex */
277 #endif
278 TRUE, /* ratelimit */
279 FALSE, /* recipients */
280 #ifdef WITH_CONTENT_SCAN
281 TRUE, /* regex */
282 #endif
283 FALSE, /* sender_domains */
284 FALSE, /* senders */
285 TRUE, /* set */
286 #ifdef WITH_CONTENT_SCAN
287 TRUE, /* spam */
288 #endif
289 #ifdef EXPERIMENTAL_SPF
290 TRUE, /* spf */
291 TRUE, /* spf_guess */
292 #endif
293 TRUE /* verify */
294 };
295
296 /* Flags to identify the modifiers */
297
298 static uschar cond_modifiers[] = {
299 FALSE, /* acl */
300 TRUE, /* add_header */
301 FALSE, /* authenticated */
302 #ifdef EXPERIMENTAL_BRIGHTMAIL
303 TRUE, /* bmi_optin */
304 #endif
305 FALSE, /* condition */
306 TRUE, /* continue */
307 TRUE, /* control */
308 #ifdef EXPERIMENTAL_DCC
309 FALSE, /* dcc */
310 #endif
311 #ifdef WITH_CONTENT_SCAN
312 FALSE, /* decode */
313 #endif
314 TRUE, /* delay */
315 #ifdef WITH_OLD_DEMIME
316 FALSE, /* demime */
317 #endif
318 #ifndef DISABLE_DKIM
319 FALSE, /* dkim_signers */
320 FALSE, /* dkim_status */
321 #endif
322 FALSE, /* dnslists */
323 FALSE, /* domains */
324 FALSE, /* encrypted */
325 TRUE, /* endpass */
326 FALSE, /* hosts */
327 FALSE, /* local_parts */
328 TRUE, /* log_message */
329 TRUE, /* log_reject_target */
330 TRUE, /* logwrite */
331 #ifdef WITH_CONTENT_SCAN
332 FALSE, /* malware */
333 #endif
334 TRUE, /* message */
335 #ifdef WITH_CONTENT_SCAN
336 FALSE, /* mime_regex */
337 #endif
338 FALSE, /* ratelimit */
339 FALSE, /* recipients */
340 #ifdef WITH_CONTENT_SCAN
341 FALSE, /* regex */
342 #endif
343 FALSE, /* sender_domains */
344 FALSE, /* senders */
345 TRUE, /* set */
346 #ifdef WITH_CONTENT_SCAN
347 FALSE, /* spam */
348 #endif
349 #ifdef EXPERIMENTAL_SPF
350 FALSE, /* spf */
351 FALSE, /* spf_guess */
352 #endif
353 FALSE /* verify */
354 };
355
356 /* Bit map vector of which conditions and modifiers are not allowed at certain
357 times. For each condition and modifier, there's a bitmap of dis-allowed times.
358 For some, it is easier to specify the negation of a small number of allowed
359 times. */
360
361 static unsigned int cond_forbids[] = {
362 0, /* acl */
363
364 (unsigned int)
365 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
366 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
367 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
368 (1<<ACL_WHERE_DKIM)|
369 (1<<ACL_WHERE_NOTSMTP_START)),
370
371 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
372 (1<<ACL_WHERE_NOTSMTP_START)|
373 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
374
375 #ifdef EXPERIMENTAL_BRIGHTMAIL
376 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
377 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
378 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
379 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
380 (1<<ACL_WHERE_MAILAUTH)|
381 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
382 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
383 (1<<ACL_WHERE_NOTSMTP_START),
384 #endif
385
386 0, /* condition */
387
388 0, /* continue */
389
390 /* Certain types of control are always allowed, so we let it through
391 always and check in the control processing itself. */
392
393 0, /* control */
394
395 #ifdef EXPERIMENTAL_DCC
396 (unsigned int)
397 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* dcc */
398 #endif
399
400 #ifdef WITH_CONTENT_SCAN
401 (unsigned int)
402 ~(1<<ACL_WHERE_MIME), /* decode */
403 #endif
404
405 (1<<ACL_WHERE_NOTQUIT), /* delay */
406
407 #ifdef WITH_OLD_DEMIME
408 (unsigned int)
409 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
410 #endif
411
412 #ifndef DISABLE_DKIM
413 (unsigned int)
414 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
415
416 (unsigned int)
417 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
418 #endif
419
420 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
421 (1<<ACL_WHERE_NOTSMTP_START),
422
423 (unsigned int)
424 ~(1<<ACL_WHERE_RCPT), /* domains */
425
426 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
427 (1<<ACL_WHERE_CONNECT)|
428 (1<<ACL_WHERE_NOTSMTP_START)|
429 (1<<ACL_WHERE_HELO),
430
431 0, /* endpass */
432
433 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
434 (1<<ACL_WHERE_NOTSMTP_START),
435
436 (unsigned int)
437 ~(1<<ACL_WHERE_RCPT), /* local_parts */
438
439 0, /* log_message */
440
441 0, /* log_reject_target */
442
443 0, /* logwrite */
444
445 #ifdef WITH_CONTENT_SCAN
446 (unsigned int)
447 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
448 #endif
449
450 0, /* message */
451
452 #ifdef WITH_CONTENT_SCAN
453 (unsigned int)
454 ~(1<<ACL_WHERE_MIME), /* mime_regex */
455 #endif
456
457 0, /* ratelimit */
458
459 (unsigned int)
460 ~(1<<ACL_WHERE_RCPT), /* recipients */
461
462 #ifdef WITH_CONTENT_SCAN
463 (unsigned int)
464 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
465 (1<<ACL_WHERE_MIME)),
466 #endif
467
468 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
469 (1<<ACL_WHERE_HELO)|
470 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
471 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
472 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
473
474 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
475 (1<<ACL_WHERE_HELO)|
476 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
477 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
478 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
479
480 0, /* set */
481
482 #ifdef WITH_CONTENT_SCAN
483 (unsigned int)
484 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
485 #endif
486
487 #ifdef EXPERIMENTAL_SPF
488 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
489 (1<<ACL_WHERE_HELO)|
490 (1<<ACL_WHERE_MAILAUTH)|
491 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
492 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
493 (1<<ACL_WHERE_NOTSMTP)|
494 (1<<ACL_WHERE_NOTSMTP_START),
495
496 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
497 (1<<ACL_WHERE_HELO)|
498 (1<<ACL_WHERE_MAILAUTH)|
499 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
500 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
501 (1<<ACL_WHERE_NOTSMTP)|
502 (1<<ACL_WHERE_NOTSMTP_START),
503 #endif
504
505 /* Certain types of verify are always allowed, so we let it through
506 always and check in the verify function itself */
507
508 0 /* verify */
509 };
510
511
512 /* Bit map vector of which controls are not allowed at certain times. For
513 each control, there's a bitmap of dis-allowed times. For some, it is easier to
514 specify the negation of a small number of allowed times. */
515
516 static unsigned int control_forbids[] = {
517 (unsigned int)
518 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
519
520 #ifdef EXPERIMENTAL_BRIGHTMAIL
521 0, /* bmi_run */
522 #endif
523
524 0, /* debug */
525
526 #ifndef DISABLE_DKIM
527 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
528 (1<<ACL_WHERE_NOTSMTP_START),
529 #endif
530
531 (1<<ACL_WHERE_NOTSMTP)|
532 (1<<ACL_WHERE_NOTSMTP_START)|
533 (1<<ACL_WHERE_NOTQUIT), /* dscp */
534
535 0, /* error */
536
537 (unsigned int)
538 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
539
540 (unsigned int)
541 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
542
543 (unsigned int)
544 0, /* cutthrough_delivery */
545
546 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
547 (1<<ACL_WHERE_NOTSMTP_START),
548
549 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
550 (1<<ACL_WHERE_NOTSMTP_START),
551
552 (unsigned int)
553 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
554 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
555 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
556
557 (unsigned int)
558 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
559 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
560 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
561
562 (unsigned int)
563 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
564 (1<<ACL_WHERE_PREDATA)),
565
566 (unsigned int)
567 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
568 (1<<ACL_WHERE_PREDATA)|
569 (1<<ACL_WHERE_NOTSMTP_START)),
570
571 #ifdef WITH_CONTENT_SCAN
572 (unsigned int)
573 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
574 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
575 (1<<ACL_WHERE_MIME)),
576 #endif
577
578 (unsigned int)
579 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
580 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
581 (1<<ACL_WHERE_MIME)),
582
583 (unsigned int)
584 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
585 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
586 (1<<ACL_WHERE_MIME)),
587
588 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
589 (1<<ACL_WHERE_NOTSMTP_START),
590
591 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
592 (1<<ACL_WHERE_NOTSMTP_START),
593
594 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
595 (1<<ACL_WHERE_NOTSMTP_START),
596
597 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
598 (1<<ACL_WHERE_NOTSMTP_START)
599 };
600
601 /* Structure listing various control arguments, with their characteristics. */
602
603 typedef struct control_def {
604 uschar *name;
605 int value; /* CONTROL_xxx value */
606 BOOL has_option; /* Has /option(s) following */
607 } control_def;
608
609 static control_def controls_list[] = {
610 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
611 #ifdef EXPERIMENTAL_BRIGHTMAIL
612 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
613 #endif
614 { US"debug", CONTROL_DEBUG, TRUE },
615 #ifndef DISABLE_DKIM
616 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
617 #endif
618 { US"dscp", CONTROL_DSCP, TRUE },
619 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
620 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
621 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
622 { US"freeze", CONTROL_FREEZE, TRUE },
623 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
624 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
625 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
626 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
627 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
628 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
629 #ifdef WITH_CONTENT_SCAN
630 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
631 #endif
632 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
633 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
634 { US"submission", CONTROL_SUBMISSION, TRUE },
635 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE },
636 { US"cutthrough_delivery", CONTROL_CUTTHROUGH_DELIVERY, FALSE }
637 };
638
639 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
640 caches its result in a tree to avoid repeated DNS queries. The result is an
641 integer code which is used as an index into the following tables of
642 explanatory strings and verification return codes. */
643
644 static tree_node *csa_cache = NULL;
645
646 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
647 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
648
649 /* The acl_verify_csa() return code is translated into an acl_verify() return
650 code using the following table. It is OK unless the client is definitely not
651 authorized. This is because CSA is supposed to be optional for sending sites,
652 so recipients should not be too strict about checking it - especially because
653 DNS problems are quite likely to occur. It's possible to use $csa_status in
654 further ACL conditions to distinguish ok, unknown, and defer if required, but
655 the aim is to make the usual configuration simple. */
656
657 static int csa_return_code[] = {
658 OK, OK, OK, OK,
659 FAIL, FAIL, FAIL, FAIL
660 };
661
662 static uschar *csa_status_string[] = {
663 US"unknown", US"ok", US"defer", US"defer",
664 US"fail", US"fail", US"fail", US"fail"
665 };
666
667 static uschar *csa_reason_string[] = {
668 US"unknown",
669 US"ok",
670 US"deferred (SRV lookup failed)",
671 US"deferred (target address lookup failed)",
672 US"failed (explicit authorization required)",
673 US"failed (host name not authorized)",
674 US"failed (no authorized addresses)",
675 US"failed (client address mismatch)"
676 };
677
678 /* Options for the ratelimit condition. Note that there are two variants of
679 the per_rcpt option, depending on the ACL that is used to measure the rate.
680 However any ACL must be able to look up per_rcpt rates in /noupdate mode,
681 so the two variants must have the same internal representation as well as
682 the same configuration string. */
683
684 enum {
685 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
686 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
687 };
688
689 #define RATE_SET(var,new) \
690 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
691
692 static uschar *ratelimit_option_string[] = {
693 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
694 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
695 };
696
697 /* Enable recursion between acl_check_internal() and acl_check_condition() */
698
699 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
700 uschar **);
701
702
703 /*************************************************
704 * Pick out name from list *
705 *************************************************/
706
707 /* Use a binary chop method
708
709 Arguments:
710 name name to find
711 list list of names
712 end size of list
713
714 Returns: offset in list, or -1 if not found
715 */
716
717 static int
718 acl_checkname(uschar *name, uschar **list, int end)
719 {
720 int start = 0;
721
722 while (start < end)
723 {
724 int mid = (start + end)/2;
725 int c = Ustrcmp(name, list[mid]);
726 if (c == 0) return mid;
727 if (c < 0) end = mid; else start = mid + 1;
728 }
729
730 return -1;
731 }
732
733
734 /*************************************************
735 * Read and parse one ACL *
736 *************************************************/
737
738 /* This function is called both from readconf in order to parse the ACLs in the
739 configuration file, and also when an ACL is encountered dynamically (e.g. as
740 the result of an expansion). It is given a function to call in order to
741 retrieve the lines of the ACL. This function handles skipping comments and
742 blank lines (where relevant).
743
744 Arguments:
745 func function to get next line of ACL
746 error where to put an error message
747
748 Returns: pointer to ACL, or NULL
749 NULL can be legal (empty ACL); in this case error will be NULL
750 */
751
752 acl_block *
753 acl_read(uschar *(*func)(void), uschar **error)
754 {
755 acl_block *yield = NULL;
756 acl_block **lastp = &yield;
757 acl_block *this = NULL;
758 acl_condition_block *cond;
759 acl_condition_block **condp = NULL;
760 uschar *s;
761
762 *error = NULL;
763
764 while ((s = (*func)()) != NULL)
765 {
766 int v, c;
767 BOOL negated = FALSE;
768 uschar *saveline = s;
769 uschar name[64];
770
771 /* Conditions (but not verbs) are allowed to be negated by an initial
772 exclamation mark. */
773
774 while (isspace(*s)) s++;
775 if (*s == '!')
776 {
777 negated = TRUE;
778 s++;
779 }
780
781 /* Read the name of a verb or a condition, or the start of a new ACL, which
782 can be started by a name, or by a macro definition. */
783
784 s = readconf_readname(name, sizeof(name), s);
785 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
786
787 /* If a verb is unrecognized, it may be another condition or modifier that
788 continues the previous verb. */
789
790 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
791 if (v < 0)
792 {
793 if (this == NULL)
794 {
795 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
796 saveline);
797 return NULL;
798 }
799 }
800
801 /* New verb */
802
803 else
804 {
805 if (negated)
806 {
807 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
808 return NULL;
809 }
810 this = store_get(sizeof(acl_block));
811 *lastp = this;
812 lastp = &(this->next);
813 this->next = NULL;
814 this->verb = v;
815 this->condition = NULL;
816 condp = &(this->condition);
817 if (*s == 0) continue; /* No condition on this line */
818 if (*s == '!')
819 {
820 negated = TRUE;
821 s++;
822 }
823 s = readconf_readname(name, sizeof(name), s); /* Condition name */
824 }
825
826 /* Handle a condition or modifier. */
827
828 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
829 if (c < 0)
830 {
831 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
832 saveline);
833 return NULL;
834 }
835
836 /* The modifiers may not be negated */
837
838 if (negated && cond_modifiers[c])
839 {
840 *error = string_sprintf("ACL error: negation is not allowed with "
841 "\"%s\"", conditions[c]);
842 return NULL;
843 }
844
845 /* ENDPASS may occur only with ACCEPT or DISCARD. */
846
847 if (c == ACLC_ENDPASS &&
848 this->verb != ACL_ACCEPT &&
849 this->verb != ACL_DISCARD)
850 {
851 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
852 conditions[c], verbs[this->verb]);
853 return NULL;
854 }
855
856 cond = store_get(sizeof(acl_condition_block));
857 cond->next = NULL;
858 cond->type = c;
859 cond->u.negated = negated;
860
861 *condp = cond;
862 condp = &(cond->next);
863
864 /* The "set" modifier is different in that its argument is "name=value"
865 rather than just a value, and we can check the validity of the name, which
866 gives us a variable name to insert into the data block. The original ACL
867 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
868 extended to 20 of each type, but after that people successfully argued for
869 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
870 After that, we allow alphanumerics and underscores, but the first character
871 after c or m must be a digit or an underscore. This retains backwards
872 compatibility. */
873
874 if (c == ACLC_SET)
875 {
876 uschar *endptr;
877
878 if (Ustrncmp(s, "acl_c", 5) != 0 &&
879 Ustrncmp(s, "acl_m", 5) != 0)
880 {
881 *error = string_sprintf("invalid variable name after \"set\" in ACL "
882 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
883 return NULL;
884 }
885
886 endptr = s + 5;
887 if (!isdigit(*endptr) && *endptr != '_')
888 {
889 *error = string_sprintf("invalid variable name after \"set\" in ACL "
890 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
891 s);
892 return NULL;
893 }
894
895 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
896 {
897 if (!isalnum(*endptr) && *endptr != '_')
898 {
899 *error = string_sprintf("invalid character \"%c\" in variable name "
900 "in ACL modifier \"set %s\"", *endptr, s);
901 return NULL;
902 }
903 endptr++;
904 }
905
906 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
907 s = endptr;
908 while (isspace(*s)) s++;
909 }
910
911 /* For "set", we are now positioned for the data. For the others, only
912 "endpass" has no data */
913
914 if (c != ACLC_ENDPASS)
915 {
916 if (*s++ != '=')
917 {
918 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
919 cond_modifiers[c]? US"modifier" : US"condition");
920 return NULL;
921 }
922 while (isspace(*s)) s++;
923 cond->arg = string_copy(s);
924 }
925 }
926
927 return yield;
928 }
929
930
931
932 /*************************************************
933 * Set up added header line(s) *
934 *************************************************/
935
936 /* This function is called by the add_header modifier, and also from acl_warn()
937 to implement the now-deprecated way of adding header lines using "message" on a
938 "warn" verb. The argument is treated as a sequence of header lines which are
939 added to a chain, provided there isn't an identical one already there.
940
941 Argument: string of header lines
942 Returns: nothing
943 */
944
945 static void
946 setup_header(uschar *hstring)
947 {
948 uschar *p, *q;
949 int hlen = Ustrlen(hstring);
950
951 /* An empty string does nothing; otherwise add a final newline if necessary. */
952
953 if (hlen <= 0) return;
954 if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
955
956 /* Loop for multiple header lines, taking care about continuations */
957
958 for (p = q = hstring; *p != 0; )
959 {
960 uschar *s;
961 int newtype = htype_add_bot;
962 header_line **hptr = &acl_added_headers;
963
964 /* Find next header line within the string */
965
966 for (;;)
967 {
968 q = Ustrchr(q, '\n');
969 if (*(++q) != ' ' && *q != '\t') break;
970 }
971
972 /* If the line starts with a colon, interpret the instruction for where to
973 add it. This temporarily sets up a new type. */
974
975 if (*p == ':')
976 {
977 if (strncmpic(p, US":after_received:", 16) == 0)
978 {
979 newtype = htype_add_rec;
980 p += 16;
981 }
982 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
983 {
984 newtype = htype_add_rfc;
985 p += 14;
986 }
987 else if (strncmpic(p, US":at_start:", 10) == 0)
988 {
989 newtype = htype_add_top;
990 p += 10;
991 }
992 else if (strncmpic(p, US":at_end:", 8) == 0)
993 {
994 newtype = htype_add_bot;
995 p += 8;
996 }
997 while (*p == ' ' || *p == '\t') p++;
998 }
999
1000 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1001 to the front of it. */
1002
1003 for (s = p; s < q - 1; s++)
1004 {
1005 if (*s == ':' || !isgraph(*s)) break;
1006 }
1007
1008 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
1009 hlen = Ustrlen(s);
1010
1011 /* See if this line has already been added */
1012
1013 while (*hptr != NULL)
1014 {
1015 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1016 hptr = &((*hptr)->next);
1017 }
1018
1019 /* Add if not previously present */
1020
1021 if (*hptr == NULL)
1022 {
1023 header_line *h = store_get(sizeof(header_line));
1024 h->text = s;
1025 h->next = NULL;
1026 h->type = newtype;
1027 h->slen = hlen;
1028 *hptr = h;
1029 hptr = &(h->next);
1030 }
1031
1032 /* Advance for next header line within the string */
1033
1034 p = q;
1035 }
1036 }
1037
1038
1039
1040
1041 /*************************************************
1042 * Handle warnings *
1043 *************************************************/
1044
1045 /* This function is called when a WARN verb's conditions are true. It adds to
1046 the message's headers, and/or writes information to the log. In each case, this
1047 only happens once (per message for headers, per connection for log).
1048
1049 ** NOTE: The header adding action using the "message" setting is historic, and
1050 its use is now deprecated. The new add_header modifier should be used instead.
1051
1052 Arguments:
1053 where ACL_WHERE_xxxx indicating which ACL this is
1054 user_message message for adding to headers
1055 log_message message for logging, if different
1056
1057 Returns: nothing
1058 */
1059
1060 static void
1061 acl_warn(int where, uschar *user_message, uschar *log_message)
1062 {
1063 if (log_message != NULL && log_message != user_message)
1064 {
1065 uschar *text;
1066 string_item *logged;
1067
1068 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1069 string_printing(log_message));
1070
1071 /* If a sender verification has failed, and the log message is "sender verify
1072 failed", add the failure message. */
1073
1074 if (sender_verified_failed != NULL &&
1075 sender_verified_failed->message != NULL &&
1076 strcmpic(log_message, US"sender verify failed") == 0)
1077 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1078
1079 /* Search previously logged warnings. They are kept in malloc
1080 store so they can be freed at the start of a new message. */
1081
1082 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1083 if (Ustrcmp(logged->text, text) == 0) break;
1084
1085 if (logged == NULL)
1086 {
1087 int length = Ustrlen(text) + 1;
1088 log_write(0, LOG_MAIN, "%s", text);
1089 logged = store_malloc(sizeof(string_item) + length);
1090 logged->text = (uschar *)logged + sizeof(string_item);
1091 memcpy(logged->text, text, length);
1092 logged->next = acl_warn_logged;
1093 acl_warn_logged = logged;
1094 }
1095 }
1096
1097 /* If there's no user message, we are done. */
1098
1099 if (user_message == NULL) return;
1100
1101 /* If this isn't a message ACL, we can't do anything with a user message.
1102 Log an error. */
1103
1104 if (where > ACL_WHERE_NOTSMTP)
1105 {
1106 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1107 "found in a non-message (%s) ACL: cannot specify header lines here: "
1108 "message ignored", acl_wherenames[where]);
1109 return;
1110 }
1111
1112 /* The code for setting up header lines is now abstracted into a separate
1113 function so that it can be used for the add_header modifier as well. */
1114
1115 setup_header(user_message);
1116 }
1117
1118
1119
1120 /*************************************************
1121 * Verify and check reverse DNS *
1122 *************************************************/
1123
1124 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1125 address if this has not yet been done. The host_name_lookup() function checks
1126 that one of these names resolves to an address list that contains the client IP
1127 address, so we don't actually have to do the check here.
1128
1129 Arguments:
1130 user_msgptr pointer for user message
1131 log_msgptr pointer for log message
1132
1133 Returns: OK verification condition succeeded
1134 FAIL verification failed
1135 DEFER there was a problem verifying
1136 */
1137
1138 static int
1139 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1140 {
1141 int rc;
1142
1143 user_msgptr = user_msgptr; /* stop compiler warning */
1144
1145 /* Previous success */
1146
1147 if (sender_host_name != NULL) return OK;
1148
1149 /* Previous failure */
1150
1151 if (host_lookup_failed)
1152 {
1153 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1154 return FAIL;
1155 }
1156
1157 /* Need to do a lookup */
1158
1159 HDEBUG(D_acl)
1160 debug_printf("looking up host name to force name/address consistency check\n");
1161
1162 if ((rc = host_name_lookup()) != OK)
1163 {
1164 *log_msgptr = (rc == DEFER)?
1165 US"host lookup deferred for reverse lookup check"
1166 :
1167 string_sprintf("host lookup failed for reverse lookup check%s",
1168 host_lookup_msg);
1169 return rc; /* DEFER or FAIL */
1170 }
1171
1172 host_build_sender_fullhost();
1173 return OK;
1174 }
1175
1176
1177
1178 /*************************************************
1179 * Check client IP address matches CSA target *
1180 *************************************************/
1181
1182 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1183 response for address records belonging to the CSA target hostname. The section
1184 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1185 If one of the addresses matches the client's IP address, then the client is
1186 authorized by CSA. If there are target IP addresses but none of them match
1187 then the client is using an unauthorized IP address. If there are no target IP
1188 addresses then the client cannot be using an authorized IP address. (This is
1189 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1190
1191 Arguments:
1192 dnsa the DNS answer block
1193 dnss a DNS scan block for us to use
1194 reset option specifing what portion to scan, as described above
1195 target the target hostname to use for matching RR names
1196
1197 Returns: CSA_OK successfully authorized
1198 CSA_FAIL_MISMATCH addresses found but none matched
1199 CSA_FAIL_NOADDR no target addresses found
1200 */
1201
1202 static int
1203 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1204 uschar *target)
1205 {
1206 dns_record *rr;
1207 dns_address *da;
1208
1209 BOOL target_found = FALSE;
1210
1211 for (rr = dns_next_rr(dnsa, dnss, reset);
1212 rr != NULL;
1213 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1214 {
1215 /* Check this is an address RR for the target hostname. */
1216
1217 if (rr->type != T_A
1218 #if HAVE_IPV6
1219 && rr->type != T_AAAA
1220 #ifdef SUPPORT_A6
1221 && rr->type != T_A6
1222 #endif
1223 #endif
1224 ) continue;
1225
1226 if (strcmpic(target, rr->name) != 0) continue;
1227
1228 target_found = TRUE;
1229
1230 /* Turn the target address RR into a list of textual IP addresses and scan
1231 the list. There may be more than one if it is an A6 RR. */
1232
1233 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1234 {
1235 /* If the client IP address matches the target IP address, it's good! */
1236
1237 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1238
1239 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1240 }
1241 }
1242
1243 /* If we found some target addresses but none of them matched, the client is
1244 using an unauthorized IP address, otherwise the target has no authorized IP
1245 addresses. */
1246
1247 if (target_found) return CSA_FAIL_MISMATCH;
1248 else return CSA_FAIL_NOADDR;
1249 }
1250
1251
1252
1253 /*************************************************
1254 * Verify Client SMTP Authorization *
1255 *************************************************/
1256
1257 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1258 to find the CSA SRV record corresponding to the domain argument, or
1259 $sender_helo_name if no argument is provided. It then checks that the
1260 client is authorized, and that its IP address corresponds to the SRV
1261 target's address by calling acl_verify_csa_address() above. The address
1262 should have been returned in the DNS response's ADDITIONAL section, but if
1263 not we perform another DNS lookup to get it.
1264
1265 Arguments:
1266 domain pointer to optional parameter following verify = csa
1267
1268 Returns: CSA_UNKNOWN no valid CSA record found
1269 CSA_OK successfully authorized
1270 CSA_FAIL_* client is definitely not authorized
1271 CSA_DEFER_* there was a DNS problem
1272 */
1273
1274 static int
1275 acl_verify_csa(uschar *domain)
1276 {
1277 tree_node *t;
1278 uschar *found, *p;
1279 int priority, weight, port;
1280 dns_answer dnsa;
1281 dns_scan dnss;
1282 dns_record *rr;
1283 int rc, type;
1284 uschar target[256];
1285
1286 /* Work out the domain we are using for the CSA lookup. The default is the
1287 client's HELO domain. If the client has not said HELO, use its IP address
1288 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1289
1290 while (isspace(*domain) && *domain != '\0') ++domain;
1291 if (*domain == '\0') domain = sender_helo_name;
1292 if (domain == NULL) domain = sender_host_address;
1293 if (sender_host_address == NULL) return CSA_UNKNOWN;
1294
1295 /* If we have an address literal, strip off the framing ready for turning it
1296 into a domain. The framing consists of matched square brackets possibly
1297 containing a keyword and a colon before the actual IP address. */
1298
1299 if (domain[0] == '[')
1300 {
1301 uschar *start = Ustrchr(domain, ':');
1302 if (start == NULL) start = domain;
1303 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1304 }
1305
1306 /* Turn domains that look like bare IP addresses into domains in the reverse
1307 DNS. This code also deals with address literals and $sender_host_address. It's
1308 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1309 address literals, but it's probably the most friendly thing to do. This is an
1310 extension to CSA, so we allow it to be turned off for proper conformance. */
1311
1312 if (string_is_ip_address(domain, NULL) != 0)
1313 {
1314 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1315 dns_build_reverse(domain, target);
1316 domain = target;
1317 }
1318
1319 /* Find out if we've already done the CSA check for this domain. If we have,
1320 return the same result again. Otherwise build a new cached result structure
1321 for this domain. The name is filled in now, and the value is filled in when
1322 we return from this function. */
1323
1324 t = tree_search(csa_cache, domain);
1325 if (t != NULL) return t->data.val;
1326
1327 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1328 Ustrcpy(t->name, domain);
1329 (void)tree_insertnode(&csa_cache, t);
1330
1331 /* Now we are ready to do the actual DNS lookup(s). */
1332
1333 found = domain;
1334 switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1335 {
1336 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1337
1338 default:
1339 return t->data.val = CSA_DEFER_SRV;
1340
1341 /* If we found nothing, the client's authorization is unknown. */
1342
1343 case DNS_NOMATCH:
1344 case DNS_NODATA:
1345 return t->data.val = CSA_UNKNOWN;
1346
1347 /* We got something! Go on to look at the reply in more detail. */
1348
1349 case DNS_SUCCEED:
1350 break;
1351 }
1352
1353 /* Scan the reply for well-formed CSA SRV records. */
1354
1355 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1356 rr != NULL;
1357 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1358 {
1359 if (rr->type != T_SRV) continue;
1360
1361 /* Extract the numerical SRV fields (p is incremented) */
1362
1363 p = rr->data;
1364 GETSHORT(priority, p);
1365 GETSHORT(weight, p);
1366 GETSHORT(port, p);
1367
1368 DEBUG(D_acl)
1369 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1370
1371 /* Check the CSA version number */
1372
1373 if (priority != 1) continue;
1374
1375 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1376 found by dns_special_lookup() is a parent of the one we asked for), we check
1377 the subdomain assertions in the port field. At the moment there's only one
1378 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1379 SRV records of their own. */
1380
1381 if (found != domain)
1382 {
1383 if (port & 1)
1384 return t->data.val = CSA_FAIL_EXPLICIT;
1385 else
1386 return t->data.val = CSA_UNKNOWN;
1387 }
1388
1389 /* This CSA SRV record refers directly to our domain, so we check the value
1390 in the weight field to work out the domain's authorization. 0 and 1 are
1391 unauthorized; 3 means the client is authorized but we can't check the IP
1392 address in order to authenticate it, so we treat it as unknown; values
1393 greater than 3 are undefined. */
1394
1395 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1396
1397 if (weight > 2) continue;
1398
1399 /* Weight == 2, which means the domain is authorized. We must check that the
1400 client's IP address is listed as one of the SRV target addresses. Save the
1401 target hostname then break to scan the additional data for its addresses. */
1402
1403 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1404 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1405
1406 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1407
1408 break;
1409 }
1410
1411 /* If we didn't break the loop then no appropriate records were found. */
1412
1413 if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1414
1415 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1416 A target of "." indicates there are no valid addresses, so the client cannot
1417 be authorized. (This is an odd configuration because weight=2 target=. is
1418 equivalent to weight=1, but we check for it in order to keep load off the
1419 root name servers.) Note that dn_expand() turns "." into "". */
1420
1421 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1422
1423 /* Scan the additional section of the CSA SRV reply for addresses belonging
1424 to the target. If the name server didn't return any additional data (e.g.
1425 because it does not fully support SRV records), we need to do another lookup
1426 to obtain the target addresses; otherwise we have a definitive result. */
1427
1428 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1429 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1430
1431 /* The DNS lookup type corresponds to the IP version used by the client. */
1432
1433 #if HAVE_IPV6
1434 if (Ustrchr(sender_host_address, ':') != NULL)
1435 type = T_AAAA;
1436 else
1437 #endif /* HAVE_IPV6 */
1438 type = T_A;
1439
1440
1441 #if HAVE_IPV6 && defined(SUPPORT_A6)
1442 DNS_LOOKUP_AGAIN:
1443 #endif
1444
1445 switch (dns_lookup(&dnsa, target, type, NULL))
1446 {
1447 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1448
1449 default:
1450 return t->data.val = CSA_DEFER_ADDR;
1451
1452 /* If the query succeeded, scan the addresses and return the result. */
1453
1454 case DNS_SUCCEED:
1455 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1456 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1457 /* else fall through */
1458
1459 /* If the target has no IP addresses, the client cannot have an authorized
1460 IP address. However, if the target site uses A6 records (not AAAA records)
1461 we have to do yet another lookup in order to check them. */
1462
1463 case DNS_NOMATCH:
1464 case DNS_NODATA:
1465
1466 #if HAVE_IPV6 && defined(SUPPORT_A6)
1467 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1468 #endif
1469
1470 return t->data.val = CSA_FAIL_NOADDR;
1471 }
1472 }
1473
1474
1475
1476 /*************************************************
1477 * Handle verification (address & other) *
1478 *************************************************/
1479
1480 enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1481 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
1482 };
1483 typedef struct {
1484 uschar * name;
1485 int value;
1486 unsigned where_allowed; /* bitmap */
1487 BOOL no_options; /* Never has /option(s) following */
1488 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1489 } verify_type_t;
1490 static verify_type_t verify_type_list[] = {
1491 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, TRUE, 0 },
1492 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1493 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1494 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1495 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1496 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1497 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1498 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1499 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1500 FALSE, 6 },
1501 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
1502 };
1503
1504
1505 enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1506 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1507 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1508 CALLOUT_TIME
1509 };
1510 typedef struct {
1511 uschar * name;
1512 int value;
1513 int flag;
1514 BOOL has_option; /* Has =option(s) following */
1515 BOOL timeval; /* Has a time value */
1516 } callout_opt_t;
1517 static callout_opt_t callout_opt_list[] = {
1518 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1519 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1520 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1521 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1522 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1523 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1524 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1525 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1526 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1527 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1528 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1529 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1530 };
1531
1532
1533
1534 /* This function implements the "verify" condition. It is called when
1535 encountered in any ACL, because some tests are almost always permitted. Some
1536 just don't make sense, and always fail (for example, an attempt to test a host
1537 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1538
1539 Arguments:
1540 where where called from
1541 addr the recipient address that the ACL is handling, or NULL
1542 arg the argument of "verify"
1543 user_msgptr pointer for user message
1544 log_msgptr pointer for log message
1545 basic_errno where to put verify errno
1546
1547 Returns: OK verification condition succeeded
1548 FAIL verification failed
1549 DEFER there was a problem verifying
1550 ERROR syntax error
1551 */
1552
1553 static int
1554 acl_verify(int where, address_item *addr, uschar *arg,
1555 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1556 {
1557 int sep = '/';
1558 int callout = -1;
1559 int callout_overall = -1;
1560 int callout_connect = -1;
1561 int verify_options = 0;
1562 int rc;
1563 BOOL verify_header_sender = FALSE;
1564 BOOL defer_ok = FALSE;
1565 BOOL callout_defer_ok = FALSE;
1566 BOOL no_details = FALSE;
1567 BOOL success_on_redirect = FALSE;
1568 address_item *sender_vaddr = NULL;
1569 uschar *verify_sender_address = NULL;
1570 uschar *pm_mailfrom = NULL;
1571 uschar *se_mailfrom = NULL;
1572
1573 /* Some of the verify items have slash-separated options; some do not. Diagnose
1574 an error if options are given for items that don't expect them.
1575 */
1576
1577 uschar *slash = Ustrchr(arg, '/');
1578 uschar *list = arg;
1579 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1580 verify_type_t * vp;
1581
1582 if (ss == NULL) goto BAD_VERIFY;
1583
1584 /* Handle name/address consistency verification in a separate function. */
1585
1586 for (vp= verify_type_list;
1587 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1588 vp++
1589 )
1590 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1591 : strcmpic (ss, vp->name) == 0)
1592 break;
1593 if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1594 goto BAD_VERIFY;
1595
1596 if (vp->no_options && slash != NULL)
1597 {
1598 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1599 "(this verify item has no options)", arg);
1600 return ERROR;
1601 }
1602 if (!(vp->where_allowed & (1<<where)))
1603 {
1604 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1605 return ERROR;
1606 }
1607 switch(vp->value)
1608 {
1609 case VERIFY_REV_HOST_LKUP:
1610 if (sender_host_address == NULL) return OK;
1611 return acl_verify_reverse(user_msgptr, log_msgptr);
1612
1613 case VERIFY_CERT:
1614 /* TLS certificate verification is done at STARTTLS time; here we just
1615 test whether it was successful or not. (This is for optional verification; for
1616 mandatory verification, the connection doesn't last this long.) */
1617
1618 if (tls_in.certificate_verified) return OK;
1619 *user_msgptr = US"no verified certificate";
1620 return FAIL;
1621
1622 case VERIFY_HELO:
1623 /* We can test the result of optional HELO verification that might have
1624 occurred earlier. If not, we can attempt the verification now. */
1625
1626 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1627 return helo_verified? OK : FAIL;
1628
1629 case VERIFY_CSA:
1630 /* Do Client SMTP Authorization checks in a separate function, and turn the
1631 result code into user-friendly strings. */
1632
1633 rc = acl_verify_csa(list);
1634 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1635 csa_reason_string[rc]);
1636 csa_status = csa_status_string[rc];
1637 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1638 return csa_return_code[rc];
1639
1640 case VERIFY_HDR_SYNTAX:
1641 /* Check that all relevant header lines have the correct syntax. If there is
1642 a syntax error, we return details of the error to the sender if configured to
1643 send out full details. (But a "message" setting on the ACL can override, as
1644 always). */
1645
1646 rc = verify_check_headers(log_msgptr);
1647 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1648 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1649 return rc;
1650
1651 case VERIFY_NOT_BLIND:
1652 /* Check that no recipient of this message is "blind", that is, every envelope
1653 recipient must be mentioned in either To: or Cc:. */
1654
1655 rc = verify_check_notblind();
1656 if (rc != OK)
1657 {
1658 *log_msgptr = string_sprintf("bcc recipient detected");
1659 if (smtp_return_error_details)
1660 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1661 }
1662 return rc;
1663
1664 /* The remaining verification tests check recipient and sender addresses,
1665 either from the envelope or from the header. There are a number of
1666 slash-separated options that are common to all of them. */
1667
1668 case VERIFY_HDR_SNDR:
1669 verify_header_sender = TRUE;
1670 break;
1671
1672 case VERIFY_SNDR:
1673 /* In the case of a sender, this can optionally be followed by an address to use
1674 in place of the actual sender (rare special-case requirement). */
1675 {
1676 uschar *s = ss + 6;
1677 if (*s == 0)
1678 verify_sender_address = sender_address;
1679 else
1680 {
1681 while (isspace(*s)) s++;
1682 if (*s++ != '=') goto BAD_VERIFY;
1683 while (isspace(*s)) s++;
1684 verify_sender_address = string_copy(s);
1685 }
1686 }
1687 break;
1688
1689 case VERIFY_RCPT:
1690 break;
1691 }
1692
1693
1694
1695 /* Remaining items are optional; they apply to sender and recipient
1696 verification, including "header sender" verification. */
1697
1698 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1699 != NULL)
1700 {
1701 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1702 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1703 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1704
1705 /* These two old options are left for backwards compatibility */
1706
1707 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1708 {
1709 callout_defer_ok = TRUE;
1710 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1711 }
1712
1713 else if (strcmpic(ss, US"check_postmaster") == 0)
1714 {
1715 pm_mailfrom = US"";
1716 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1717 }
1718
1719 /* The callout option has a number of sub-options, comma separated */
1720
1721 else if (strncmpic(ss, US"callout", 7) == 0)
1722 {
1723 callout = CALLOUT_TIMEOUT_DEFAULT;
1724 ss += 7;
1725 if (*ss != 0)
1726 {
1727 while (isspace(*ss)) ss++;
1728 if (*ss++ == '=')
1729 {
1730 int optsep = ',';
1731 uschar *opt;
1732 uschar buffer[256];
1733 while (isspace(*ss)) ss++;
1734
1735 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1736 != NULL)
1737 {
1738 callout_opt_t * op;
1739 double period = 1.0F;
1740
1741 for (op= callout_opt_list; op->name; op++)
1742 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
1743 break;
1744
1745 verify_options |= op->flag;
1746 if (op->has_option)
1747 {
1748 opt += Ustrlen(op->name);
1749 while (isspace(*opt)) opt++;
1750 if (*opt++ != '=')
1751 {
1752 *log_msgptr = string_sprintf("'=' expected after "
1753 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
1754 return ERROR;
1755 }
1756 while (isspace(*opt)) opt++;
1757 }
1758 if (op->timeval)
1759 {
1760 period = readconf_readtime(opt, 0, FALSE);
1761 if (period < 0)
1762 {
1763 *log_msgptr = string_sprintf("bad time value in ACL condition "
1764 "\"verify %s\"", arg);
1765 return ERROR;
1766 }
1767 }
1768
1769 switch(op->value)
1770 {
1771 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1772 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1773 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1774 case CALLOUT_MAILFROM:
1775 if (!verify_header_sender)
1776 {
1777 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1778 "callout option only for verify=header_sender (detected in ACL "
1779 "condition \"%s\")", arg);
1780 return ERROR;
1781 }
1782 se_mailfrom = string_copy(opt);
1783 break;
1784 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1785 case CALLOUT_MAXWAIT: callout_overall = period; break;
1786 case CALLOUT_CONNECT: callout_connect = period; break;
1787 case CALLOUT_TIME: callout = period; break;
1788 }
1789 }
1790 }
1791 else
1792 {
1793 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1794 "ACL condition \"%s\"", arg);
1795 return ERROR;
1796 }
1797 }
1798 }
1799
1800 /* Option not recognized */
1801
1802 else
1803 {
1804 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1805 "condition \"verify %s\"", ss, arg);
1806 return ERROR;
1807 }
1808 }
1809
1810 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1811 (vopt_callout_recipsender|vopt_callout_recippmaster))
1812 {
1813 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1814 "for a recipient callout";
1815 return ERROR;
1816 }
1817
1818 /* Handle sender-in-header verification. Default the user message to the log
1819 message if giving out verification details. */
1820
1821 if (verify_header_sender)
1822 {
1823 int verrno;
1824 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1825 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1826 &verrno);
1827 if (rc != OK)
1828 {
1829 *basic_errno = verrno;
1830 if (smtp_return_error_details)
1831 {
1832 if (*user_msgptr == NULL && *log_msgptr != NULL)
1833 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1834 if (rc == DEFER) acl_temp_details = TRUE;
1835 }
1836 }
1837 }
1838
1839 /* Handle a sender address. The default is to verify *the* sender address, but
1840 optionally a different address can be given, for special requirements. If the
1841 address is empty, we are dealing with a bounce message that has no sender, so
1842 we cannot do any checking. If the real sender address gets rewritten during
1843 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1844 during message reception.
1845
1846 A list of verified "sender" addresses is kept to try to avoid doing to much
1847 work repetitively when there are multiple recipients in a message and they all
1848 require sender verification. However, when callouts are involved, it gets too
1849 complicated because different recipients may require different callout options.
1850 Therefore, we always do a full sender verify when any kind of callout is
1851 specified. Caching elsewhere, for instance in the DNS resolver and in the
1852 callout handling, should ensure that this is not terribly inefficient. */
1853
1854 else if (verify_sender_address != NULL)
1855 {
1856 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1857 != 0)
1858 {
1859 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1860 "sender verify callout";
1861 return ERROR;
1862 }
1863
1864 sender_vaddr = verify_checked_sender(verify_sender_address);
1865 if (sender_vaddr != NULL && /* Previously checked */
1866 callout <= 0) /* No callout needed this time */
1867 {
1868 /* If the "routed" flag is set, it means that routing worked before, so
1869 this check can give OK (the saved return code value, if set, belongs to a
1870 callout that was done previously). If the "routed" flag is not set, routing
1871 must have failed, so we use the saved return code. */
1872
1873 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1874 {
1875 rc = sender_vaddr->special_action;
1876 *basic_errno = sender_vaddr->basic_errno;
1877 }
1878 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1879 }
1880
1881 /* Do a new verification, and cache the result. The cache is used to avoid
1882 verifying the sender multiple times for multiple RCPTs when callouts are not
1883 specified (see comments above).
1884
1885 The cache is also used on failure to give details in response to the first
1886 RCPT that gets bounced for this reason. However, this can be suppressed by
1887 the no_details option, which sets the flag that says "this detail has already
1888 been sent". The cache normally contains just one address, but there may be
1889 more in esoteric circumstances. */
1890
1891 else
1892 {
1893 BOOL routed = TRUE;
1894 uschar *save_address_data = deliver_address_data;
1895
1896 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1897 if (no_details) setflag(sender_vaddr, af_sverify_told);
1898 if (verify_sender_address[0] != 0)
1899 {
1900 /* If this is the real sender address, save the unrewritten version
1901 for use later in receive. Otherwise, set a flag so that rewriting the
1902 sender in verify_address() does not update sender_address. */
1903
1904 if (verify_sender_address == sender_address)
1905 sender_address_unrewritten = sender_address;
1906 else
1907 verify_options |= vopt_fake_sender;
1908
1909 if (success_on_redirect)
1910 verify_options |= vopt_success_on_redirect;
1911
1912 /* The recipient, qualify, and expn options are never set in
1913 verify_options. */
1914
1915 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1916 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1917
1918 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1919
1920 if (rc == OK)
1921 {
1922 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1923 {
1924 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1925 verify_sender_address, sender_vaddr->address);
1926 }
1927 else
1928 {
1929 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1930 verify_sender_address);
1931 }
1932 }
1933 else *basic_errno = sender_vaddr->basic_errno;
1934 }
1935 else rc = OK; /* Null sender */
1936
1937 /* Cache the result code */
1938
1939 if (routed) setflag(sender_vaddr, af_verify_routed);
1940 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1941 sender_vaddr->special_action = rc;
1942 sender_vaddr->next = sender_verified_list;
1943 sender_verified_list = sender_vaddr;
1944
1945 /* Restore the recipient address data, which might have been clobbered by
1946 the sender verification. */
1947
1948 deliver_address_data = save_address_data;
1949 }
1950
1951 /* Put the sender address_data value into $sender_address_data */
1952
1953 sender_address_data = sender_vaddr->p.address_data;
1954 }
1955
1956 /* A recipient address just gets a straightforward verify; again we must handle
1957 the DEFER overrides. */
1958
1959 else
1960 {
1961 address_item addr2;
1962
1963 if (success_on_redirect)
1964 verify_options |= vopt_success_on_redirect;
1965
1966 /* We must use a copy of the address for verification, because it might
1967 get rewritten. */
1968
1969 addr2 = *addr;
1970 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1971 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1972 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1973
1974 *basic_errno = addr2.basic_errno;
1975 *log_msgptr = addr2.message;
1976 *user_msgptr = (addr2.user_message != NULL)?
1977 addr2.user_message : addr2.message;
1978
1979 /* Allow details for temporary error if the address is so flagged. */
1980 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
1981
1982 /* Make $address_data visible */
1983 deliver_address_data = addr2.p.address_data;
1984 }
1985
1986 /* We have a result from the relevant test. Handle defer overrides first. */
1987
1988 if (rc == DEFER && (defer_ok ||
1989 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1990 {
1991 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1992 defer_ok? "defer_ok" : "callout_defer_ok");
1993 rc = OK;
1994 }
1995
1996 /* If we've failed a sender, set up a recipient message, and point
1997 sender_verified_failed to the address item that actually failed. */
1998
1999 if (rc != OK && verify_sender_address != NULL)
2000 {
2001 if (rc != DEFER)
2002 {
2003 *log_msgptr = *user_msgptr = US"Sender verify failed";
2004 }
2005 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2006 {
2007 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2008 }
2009 else
2010 {
2011 *log_msgptr = US"Could not complete sender verify callout";
2012 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2013 *log_msgptr;
2014 }
2015
2016 sender_verified_failed = sender_vaddr;
2017 }
2018
2019 /* Verifying an address messes up the values of $domain and $local_part,
2020 so reset them before returning if this is a RCPT ACL. */
2021
2022 if (addr != NULL)
2023 {
2024 deliver_domain = addr->domain;
2025 deliver_localpart = addr->local_part;
2026 }
2027 return rc;
2028
2029 /* Syntax errors in the verify argument come here. */
2030
2031 BAD_VERIFY:
2032 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2033 "\"helo\", \"header_syntax\", \"header_sender\" or "
2034 "\"reverse_host_lookup\" at start of ACL condition "
2035 "\"verify %s\"", arg);
2036 return ERROR;
2037 }
2038
2039
2040
2041
2042 /*************************************************
2043 * Check argument for control= modifier *
2044 *************************************************/
2045
2046 /* Called from acl_check_condition() below
2047
2048 Arguments:
2049 arg the argument string for control=
2050 pptr set to point to the terminating character
2051 where which ACL we are in
2052 log_msgptr for error messages
2053
2054 Returns: CONTROL_xxx value
2055 */
2056
2057 static int
2058 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2059 {
2060 int len;
2061 control_def *d;
2062
2063 for (d = controls_list;
2064 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2065 d++)
2066 {
2067 len = Ustrlen(d->name);
2068 if (Ustrncmp(d->name, arg, len) == 0) break;
2069 }
2070
2071 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2072 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2073 {
2074 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2075 return CONTROL_ERROR;
2076 }
2077
2078 *pptr = arg + len;
2079 return d->value;
2080 }
2081
2082
2083
2084
2085 /*************************************************
2086 * Return a ratelimit error *
2087 *************************************************/
2088
2089 /* Called from acl_ratelimit() below
2090
2091 Arguments:
2092 log_msgptr for error messages
2093 format format string
2094 ... supplementary arguments
2095 ss ratelimit option name
2096 where ACL_WHERE_xxxx indicating which ACL this is
2097
2098 Returns: ERROR
2099 */
2100
2101 static int
2102 ratelimit_error(uschar **log_msgptr, const char *format, ...)
2103 {
2104 va_list ap;
2105 uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2106 va_start(ap, format);
2107 if (!string_vformat(buffer, sizeof(buffer), format, ap))
2108 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2109 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
2110 va_end(ap);
2111 *log_msgptr = string_sprintf(
2112 "error in arguments to \"ratelimit\" condition: %s", buffer);
2113 return ERROR;
2114 }
2115
2116
2117
2118
2119 /*************************************************
2120 * Handle rate limiting *
2121 *************************************************/
2122
2123 /* Called by acl_check_condition() below to calculate the result
2124 of the ACL ratelimit condition.
2125
2126 Note that the return value might be slightly unexpected: if the
2127 sender's rate is above the limit then the result is OK. This is
2128 similar to the dnslists condition, and is so that you can write
2129 ACL clauses like: defer ratelimit = 15 / 1h
2130
2131 Arguments:
2132 arg the option string for ratelimit=
2133 where ACL_WHERE_xxxx indicating which ACL this is
2134 log_msgptr for error messages
2135
2136 Returns: OK - Sender's rate is above limit
2137 FAIL - Sender's rate is below limit
2138 DEFER - Problem opening ratelimit database
2139 ERROR - Syntax error in options.
2140 */
2141
2142 static int
2143 acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
2144 {
2145 double limit, period, count;
2146 uschar *ss;
2147 uschar *key = NULL;
2148 uschar *unique = NULL;
2149 int sep = '/';
2150 BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2151 BOOL noupdate = FALSE, badacl = FALSE;
2152 int mode = RATE_PER_WHAT;
2153 int old_pool, rc;
2154 tree_node **anchor, *t;
2155 open_db dbblock, *dbm;
2156 int dbdb_size;
2157 dbdata_ratelimit *dbd;
2158 dbdata_ratelimit_unique *dbdb;
2159 struct timeval tv;
2160
2161 /* Parse the first two options and record their values in expansion
2162 variables. These variables allow the configuration to have informative
2163 error messages based on rate limits obtained from a table lookup. */
2164
2165 /* First is the maximum number of messages per period / maximum burst
2166 size, which must be greater than or equal to zero. Zero is useful for
2167 rate measurement as opposed to rate limiting. */
2168
2169 sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2170 if (sender_rate_limit == NULL)
2171 limit = -1.0;
2172 else
2173 {
2174 limit = Ustrtod(sender_rate_limit, &ss);
2175 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2176 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2177 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2178 }
2179 if (limit < 0.0 || *ss != '\0')
2180 return ratelimit_error(log_msgptr,
2181 "\"%s\" is not a positive number", sender_rate_limit);
2182
2183 /* Second is the rate measurement period / exponential smoothing time
2184 constant. This must be strictly greater than zero, because zero leads to
2185 run-time division errors. */
2186
2187 sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2188 if (sender_rate_period == NULL) period = -1.0;
2189 else period = readconf_readtime(sender_rate_period, 0, FALSE);
2190 if (period <= 0.0)
2191 return ratelimit_error(log_msgptr,
2192 "\"%s\" is not a time value", sender_rate_period);
2193
2194 /* By default we are counting one of something, but the per_rcpt,
2195 per_byte, and count options can change this. */
2196
2197 count = 1.0;
2198
2199 /* Parse the other options. */
2200
2201 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2202 != NULL)
2203 {
2204 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2205 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2206 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2207 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2208 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2209 else if (strcmpic(ss, US"per_conn") == 0)
2210 {
2211 RATE_SET(mode, PER_CONN);
2212 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2213 badacl = TRUE;
2214 }
2215 else if (strcmpic(ss, US"per_mail") == 0)
2216 {
2217 RATE_SET(mode, PER_MAIL);
2218 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2219 }
2220 else if (strcmpic(ss, US"per_rcpt") == 0)
2221 {
2222 /* If we are running in the RCPT ACL, then we'll count the recipients
2223 one by one, but if we are running when we have accumulated the whole
2224 list then we'll add them all in one batch. */
2225 if (where == ACL_WHERE_RCPT)
2226 RATE_SET(mode, PER_RCPT);
2227 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2228 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2229 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2230 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2231 }
2232 else if (strcmpic(ss, US"per_byte") == 0)
2233 {
2234 /* If we have not yet received the message data and there was no SIZE
2235 declaration on the MAIL comand, then it's safe to just use a value of
2236 zero and let the recorded rate decay as if nothing happened. */
2237 RATE_SET(mode, PER_MAIL);
2238 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2239 else count = message_size < 0 ? 0.0 : (double)message_size;
2240 }
2241 else if (strcmpic(ss, US"per_addr") == 0)
2242 {
2243 RATE_SET(mode, PER_RCPT);
2244 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
2245 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2246 }
2247 else if (strncmpic(ss, US"count=", 6) == 0)
2248 {
2249 uschar *e;
2250 count = Ustrtod(ss+6, &e);
2251 if (count < 0.0 || *e != '\0')
2252 return ratelimit_error(log_msgptr,
2253 "\"%s\" is not a positive number", ss);
2254 }
2255 else if (strncmpic(ss, US"unique=", 7) == 0)
2256 unique = string_copy(ss + 7);
2257 else if (key == NULL)
2258 key = string_copy(ss);
2259 else
2260 key = string_sprintf("%s/%s", key, ss);
2261 }
2262
2263 /* Sanity check. When the badacl flag is set the update mode must either
2264 be readonly (which is the default if it is omitted) or, for backwards
2265 compatibility, a combination of noupdate and strict or leaky. */
2266
2267 if (mode == RATE_PER_CLASH)
2268 return ratelimit_error(log_msgptr, "conflicting per_* options");
2269 if (leaky + strict + readonly > 1)
2270 return ratelimit_error(log_msgptr, "conflicting update modes");
2271 if (badacl && (leaky || strict) && !noupdate)
2272 return ratelimit_error(log_msgptr,
2273 "\"%s\" must not have /leaky or /strict option in %s ACL",
2274 ratelimit_option_string[mode], acl_wherenames[where]);
2275
2276 /* Set the default values of any unset options. In readonly mode we
2277 perform the rate computation without any increment so that its value
2278 decays to eventually allow over-limit senders through. */
2279
2280 if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2281 if (badacl) readonly = TRUE;
2282 if (readonly) count = 0.0;
2283 if (!strict && !readonly) leaky = TRUE;
2284 if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
2285
2286 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2287 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2288 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2289 are added to the key because they alter the meaning of the stored data. */
2290
2291 if (key == NULL)
2292 key = (sender_host_address == NULL)? US"" : sender_host_address;
2293
2294 key = string_sprintf("%s/%s/%s%s",
2295 sender_rate_period,
2296 ratelimit_option_string[mode],
2297 unique == NULL ? "" : "unique/",
2298 key);
2299
2300 HDEBUG(D_acl)
2301 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
2302
2303 /* See if we have already computed the rate by looking in the relevant tree.
2304 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2305 pool so that they survive across resets. In readonly mode we only remember the
2306 result for the rest of this command in case a later command changes it. After
2307 this bit of logic the code is independent of the per_* mode. */
2308
2309 old_pool = store_pool;
2310
2311 if (readonly)
2312 anchor = &ratelimiters_cmd;
2313 else switch(mode) {
2314 case RATE_PER_CONN:
2315 anchor = &ratelimiters_conn;
2316 store_pool = POOL_PERM;
2317 break;
2318 case RATE_PER_BYTE:
2319 case RATE_PER_MAIL:
2320 case RATE_PER_ALLRCPTS:
2321 anchor = &ratelimiters_mail;
2322 break;
2323 case RATE_PER_ADDR:
2324 case RATE_PER_CMD:
2325 case RATE_PER_RCPT:
2326 anchor = &ratelimiters_cmd;
2327 break;
2328 default:
2329 anchor = NULL; /* silence an "unused" complaint */
2330 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2331 "internal ACL error: unknown ratelimit mode %d", mode);
2332 break;
2333 }
2334
2335 t = tree_search(*anchor, key);
2336 if (t != NULL)
2337 {
2338 dbd = t->data.ptr;
2339 /* The following few lines duplicate some of the code below. */
2340 rc = (dbd->rate < limit)? FAIL : OK;
2341 store_pool = old_pool;
2342 sender_rate = string_sprintf("%.1f", dbd->rate);
2343 HDEBUG(D_acl)
2344 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2345 return rc;
2346 }
2347
2348 /* We aren't using a pre-computed rate, so get a previously recorded rate
2349 from the database, which will be updated and written back if required. */
2350
2351 dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2352 if (dbm == NULL)
2353 {
2354 store_pool = old_pool;
2355 sender_rate = NULL;
2356 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2357 *log_msgptr = US"ratelimit database not available";
2358 return DEFER;
2359 }
2360 dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2361 dbd = NULL;
2362
2363 gettimeofday(&tv, NULL);
2364
2365 if (dbdb != NULL)
2366 {
2367 /* Locate the basic ratelimit block inside the DB data. */
2368 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2369 dbd = &dbdb->dbd;
2370
2371 /* Forget the old Bloom filter if it is too old, so that we count each
2372 repeating event once per period. We don't simply clear and re-use the old
2373 filter because we want its size to change if the limit changes. Note that
2374 we keep the dbd pointer for copying the rate into the new data block. */
2375
2376 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2377 {
2378 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2379 dbdb = NULL;
2380 }
2381
2382 /* Sanity check. */
2383
2384 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2385 {
2386 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2387 dbdb = NULL;
2388 }
2389 }
2390
2391 /* Allocate a new data block if the database lookup failed
2392 or the Bloom filter passed its age limit. */
2393
2394 if (dbdb == NULL)
2395 {
2396 if (unique == NULL)
2397 {
2398 /* No Bloom filter. This basic ratelimit block is initialized below. */
2399 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2400 dbdb_size = sizeof(*dbd);
2401 dbdb = store_get(dbdb_size);
2402 }
2403 else
2404 {
2405 int extra;
2406 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2407
2408 /* See the long comment below for an explanation of the magic number 2.
2409 The filter has a minimum size in case the rate limit is very small;
2410 this is determined by the definition of dbdata_ratelimit_unique. */
2411
2412 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2413 if (extra < 0) extra = 0;
2414 dbdb_size = sizeof(*dbdb) + extra;
2415 dbdb = store_get(dbdb_size);
2416 dbdb->bloom_epoch = tv.tv_sec;
2417 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2418 memset(dbdb->bloom, 0, dbdb->bloom_size);
2419
2420 /* Preserve any basic ratelimit data (which is our longer-term memory)
2421 by copying it from the discarded block. */
2422
2423 if (dbd != NULL)
2424 {
2425 dbdb->dbd = *dbd;
2426 dbd = &dbdb->dbd;
2427 }
2428 }
2429 }
2430
2431 /* If we are counting unique events, find out if this event is new or not.
2432 If the client repeats the event during the current period then it should be
2433 counted. We skip this code in readonly mode for efficiency, because any
2434 changes to the filter will be discarded and because count is already set to
2435 zero. */
2436
2437 if (unique != NULL && !readonly)
2438 {
2439 /* We identify unique events using a Bloom filter. (You can find my
2440 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2441 With the per_addr option, an "event" is a recipient address, though the
2442 user can use the unique option to define their own events. We only count
2443 an event if we have not seen it before.
2444
2445 We size the filter according to the rate limit, which (in leaky mode)
2446 is the limit on the population of the filter. We allow 16 bits of space
2447 per entry (see the construction code above) and we set (up to) 8 of them
2448 when inserting an element (see the loop below). The probability of a false
2449 positive (an event we have not seen before but which we fail to count) is
2450
2451 size = limit * 16
2452 numhash = 8
2453 allzero = exp(-numhash * pop / size)
2454 = exp(-0.5 * pop / limit)
2455 fpr = pow(1 - allzero, numhash)
2456
2457 For senders at the limit the fpr is 0.06% or 1 in 1700
2458 and for senders at half the limit it is 0.0006% or 1 in 170000
2459
2460 In strict mode the Bloom filter can fill up beyond the normal limit, in
2461 which case the false positive rate will rise. This means that the
2462 measured rate for very fast senders can bogusly drop off after a while.
2463
2464 At twice the limit, the fpr is 2.5% or 1 in 40
2465 At four times the limit, it is 31% or 1 in 3.2
2466
2467 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2468 decay below the limit, and if this is more than one then the Bloom filter
2469 will be discarded before the decay gets that far. The false positive rate
2470 at this threshold is 9.3% or 1 in 10.7. */
2471
2472 BOOL seen;
2473 unsigned n, hash, hinc;
2474 uschar md5sum[16];
2475 md5 md5info;
2476
2477 /* Instead of using eight independent hash values, we combine two values
2478 using the formula h1 + n * h2. This does not harm the Bloom filter's
2479 performance, and means the amount of hash we need is independent of the
2480 number of bits we set in the filter. */
2481
2482 md5_start(&md5info);
2483 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2484 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2485 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2486
2487 /* Scan the bits corresponding to this event. A zero bit means we have
2488 not seen it before. Ensure all bits are set to record this event. */
2489
2490 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2491
2492 seen = TRUE;
2493 for (n = 0; n < 8; n++, hash += hinc)
2494 {
2495 int bit = 1 << (hash % 8);
2496 int byte = (hash / 8) % dbdb->bloom_size;
2497 if ((dbdb->bloom[byte] & bit) == 0)
2498 {
2499 dbdb->bloom[byte] |= bit;
2500 seen = FALSE;
2501 }
2502 }
2503
2504 /* If this event has occurred before, do not count it. */
2505
2506 if (seen)
2507 {
2508 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2509 count = 0.0;
2510 }
2511 else
2512 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2513 }
2514
2515 /* If there was no previous ratelimit data block for this key, initialize
2516 the new one, otherwise update the block from the database. The initial rate
2517 is what would be computed by the code below for an infinite interval. */
2518
2519 if (dbd == NULL)
2520 {
2521 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2522 dbd = &dbdb->dbd;
2523 dbd->time_stamp = tv.tv_sec;
2524 dbd->time_usec = tv.tv_usec;
2525 dbd->rate = count;
2526 }
2527 else
2528 {
2529 /* The smoothed rate is computed using an exponentially weighted moving
2530 average adjusted for variable sampling intervals. The standard EWMA for
2531 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2532 where f() is the measured value and f'() is the smoothed value.
2533
2534 Old data decays out of the smoothed value exponentially, such that data n
2535 samples old is multiplied by a^n. The exponential decay time constant p
2536 is defined such that data p samples old is multiplied by 1/e, which means
2537 that a = exp(-1/p). We can maintain the same time constant for a variable
2538 sampling interval i by using a = exp(-i/p).
2539
2540 The rate we are measuring is messages per period, suitable for directly
2541 comparing with the limit. The average rate between now and the previous
2542 message is period / interval, which we feed into the EWMA as the sample.
2543
2544 It turns out that the number of messages required for the smoothed rate
2545 to reach the limit when they are sent in a burst is equal to the limit.
2546 This can be seen by analysing the value of the smoothed rate after N
2547 messages sent at even intervals. Let k = (1 - a) * p/i
2548
2549 rate_1 = (1 - a) * p/i + a * rate_0
2550 = k + a * rate_0
2551 rate_2 = k + a * rate_1
2552 = k + a * k + a^2 * rate_0
2553 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2554 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2555 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2556 = rate_0 * a^N + p/i * (1 - a^N)
2557
2558 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2559
2560 rate_N = p/i + (rate_0 - p/i) * a^N
2561 a^N = (rate_N - p/i) / (rate_0 - p/i)
2562 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2563 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2564
2565 Numerical analysis of the above equation, setting the computed rate to
2566 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2567 rates, p/i, the number of messages N = limit. So limit serves as both the
2568 maximum rate measured in messages per period, and the maximum number of
2569 messages that can be sent in a fast burst. */
2570
2571 double this_time = (double)tv.tv_sec
2572 + (double)tv.tv_usec / 1000000.0;
2573 double prev_time = (double)dbd->time_stamp
2574 + (double)dbd->time_usec / 1000000.0;
2575
2576 /* We must avoid division by zero, and deal gracefully with the clock going
2577 backwards. If we blunder ahead when time is in reverse then the computed
2578 rate will be bogus. To be safe we clamp interval to a very small number. */
2579
2580 double interval = this_time - prev_time <= 0.0 ? 1e-9
2581 : this_time - prev_time;
2582
2583 double i_over_p = interval / period;
2584 double a = exp(-i_over_p);
2585
2586 /* Combine the instantaneous rate (period / interval) with the previous rate
2587 using the smoothing factor a. In order to measure sized events, multiply the
2588 instantaneous rate by the count of bytes or recipients etc. */
2589
2590 dbd->time_stamp = tv.tv_sec;
2591 dbd->time_usec = tv.tv_usec;
2592 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2593
2594 /* When events are very widely spaced the computed rate tends towards zero.
2595 Although this is accurate it turns out not to be useful for our purposes,
2596 especially when the first event after a long silence is the start of a spam
2597 run. A more useful model is that the rate for an isolated event should be the
2598 size of the event per the period size, ignoring the lack of events outside
2599 the current period and regardless of where the event falls in the period. So,
2600 if the interval was so long that the calculated rate is unhelpfully small, we
2601 re-intialize the rate. In the absence of higher-rate bursts, the condition
2602 below is true if the interval is greater than the period. */
2603
2604 if (dbd->rate < count) dbd->rate = count;
2605 }
2606
2607 /* Clients sending at the limit are considered to be over the limit.
2608 This matters for edge cases such as a limit of zero, when the client
2609 should be completely blocked. */
2610
2611 rc = (dbd->rate < limit)? FAIL : OK;
2612
2613 /* Update the state if the rate is low or if we are being strict. If we
2614 are in leaky mode and the sender's rate is too high, we do not update
2615 the recorded rate in order to avoid an over-aggressive sender's retry
2616 rate preventing them from getting any email through. If readonly is set,
2617 neither leaky nor strict are set, so we do not do any updates. */
2618
2619 if ((rc == FAIL && leaky) || strict)
2620 {
2621 dbfn_write(dbm, key, dbdb, dbdb_size);
2622 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2623 }
2624 else
2625 {
2626 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
2627 readonly? "readonly mode" : "over the limit, but leaky");
2628 }
2629
2630 dbfn_close(dbm);
2631
2632 /* Store the result in the tree for future reference. */
2633
2634 t = store_get(sizeof(tree_node) + Ustrlen(key));
2635 t->data.ptr = dbd;
2636 Ustrcpy(t->name, key);
2637 (void)tree_insertnode(anchor, t);
2638
2639 /* We create the formatted version of the sender's rate very late in
2640 order to ensure that it is done using the correct storage pool. */
2641
2642 store_pool = old_pool;
2643 sender_rate = string_sprintf("%.1f", dbd->rate);
2644
2645 HDEBUG(D_acl)
2646 debug_printf("ratelimit computed rate %s\n", sender_rate);
2647
2648 return rc;
2649 }
2650
2651
2652
2653 /*************************************************
2654 * Handle conditions/modifiers on an ACL item *
2655 *************************************************/
2656
2657 /* Called from acl_check() below.
2658
2659 Arguments:
2660 verb ACL verb
2661 cb ACL condition block - if NULL, result is OK
2662 where where called from
2663 addr the address being checked for RCPT, or NULL
2664 level the nesting level
2665 epp pointer to pass back TRUE if "endpass" encountered
2666 (applies only to "accept" and "discard")
2667 user_msgptr user message pointer
2668 log_msgptr log message pointer
2669 basic_errno pointer to where to put verify error
2670
2671 Returns: OK - all conditions are met
2672 DISCARD - an "acl" condition returned DISCARD - only allowed
2673 for "accept" or "discard" verbs
2674 FAIL - at least one condition fails
2675 FAIL_DROP - an "acl" condition returned FAIL_DROP
2676 DEFER - can't tell at the moment (typically, lookup defer,
2677 but can be temporary callout problem)
2678 ERROR - ERROR from nested ACL or expansion failure or other
2679 error
2680 */
2681
2682 static int
2683 acl_check_condition(int verb, acl_condition_block *cb, int where,
2684 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2685 uschar **log_msgptr, int *basic_errno)
2686 {
2687 uschar *user_message = NULL;
2688 uschar *log_message = NULL;
2689 uschar *debug_tag = NULL;
2690 uschar *debug_opts = NULL;
2691 uschar *p = NULL;
2692 int rc = OK;
2693 #ifdef WITH_CONTENT_SCAN
2694 int sep = '/';
2695 #endif
2696
2697 for (; cb != NULL; cb = cb->next)
2698 {
2699 uschar *arg;
2700 int control_type;
2701
2702 /* The message and log_message items set up messages to be used in
2703 case of rejection. They are expanded later. */
2704
2705 if (cb->type == ACLC_MESSAGE)
2706 {
2707 user_message = cb->arg;
2708 continue;
2709 }
2710
2711 if (cb->type == ACLC_LOG_MESSAGE)
2712 {
2713 log_message = cb->arg;
2714 continue;
2715 }
2716
2717 /* The endpass "condition" just sets a flag to show it occurred. This is
2718 checked at compile time to be on an "accept" or "discard" item. */
2719
2720 if (cb->type == ACLC_ENDPASS)
2721 {
2722 *epp = TRUE;
2723 continue;
2724 }
2725
2726 /* For other conditions and modifiers, the argument is expanded now for some
2727 of them, but not for all, because expansion happens down in some lower level
2728 checking functions in some cases. */
2729
2730 if (cond_expand_at_top[cb->type])
2731 {
2732 arg = expand_string(cb->arg);
2733 if (arg == NULL)
2734 {
2735 if (expand_string_forcedfail) continue;
2736 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2737 cb->arg, expand_string_message);
2738 return search_find_defer? DEFER : ERROR;
2739 }
2740 }
2741 else arg = cb->arg;
2742
2743 /* Show condition, and expanded condition if it's different */
2744
2745 HDEBUG(D_acl)
2746 {
2747 int lhswidth = 0;
2748 debug_printf("check %s%s %n",
2749 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2750 conditions[cb->type], &lhswidth);
2751
2752 if (cb->type == ACLC_SET)
2753 {
2754 debug_printf("acl_%s ", cb->u.varname);
2755 lhswidth += 5 + Ustrlen(cb->u.varname);
2756 }
2757
2758 debug_printf("= %s\n", cb->arg);
2759
2760 if (arg != cb->arg)
2761 debug_printf("%.*s= %s\n", lhswidth,
2762 US" ", CS arg);
2763 }
2764
2765 /* Check that this condition makes sense at this time */
2766
2767 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2768 {
2769 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2770 cond_modifiers[cb->type]? "use" : "test",
2771 conditions[cb->type], acl_wherenames[where]);
2772 return ERROR;
2773 }
2774
2775 /* Run the appropriate test for each condition, or take the appropriate
2776 action for the remaining modifiers. */
2777
2778 switch(cb->type)
2779 {
2780 case ACLC_ADD_HEADER:
2781 setup_header(arg);
2782 break;
2783
2784 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2785 "discard" verb. */
2786
2787 case ACLC_ACL:
2788 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2789 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2790 {
2791 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2792 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2793 verbs[verb]);
2794 return ERROR;
2795 }
2796 break;
2797
2798 case ACLC_AUTHENTICATED:
2799 rc = (sender_host_authenticated == NULL)? FAIL :
2800 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2801 TRUE, NULL);
2802 break;
2803
2804 #ifdef EXPERIMENTAL_BRIGHTMAIL
2805 case ACLC_BMI_OPTIN:
2806 {
2807 int old_pool = store_pool;
2808 store_pool = POOL_PERM;
2809 bmi_current_optin = string_copy(arg);
2810 store_pool = old_pool;
2811 }
2812 break;
2813 #endif
2814
2815 case ACLC_CONDITION:
2816 /* The true/false parsing here should be kept in sync with that used in
2817 expand.c when dealing with ECOND_BOOL so that we don't have too many
2818 different definitions of what can be a boolean. */
2819 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2820 rc = (Uatoi(arg) == 0)? FAIL : OK;
2821 else
2822 rc = (strcmpic(arg, US"no") == 0 ||
2823 strcmpic(arg, US"false") == 0)? FAIL :
2824 (strcmpic(arg, US"yes") == 0 ||
2825 strcmpic(arg, US"true") == 0)? OK : DEFER;
2826 if (rc == DEFER)
2827 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2828 break;
2829
2830 case ACLC_CONTINUE: /* Always succeeds */
2831 break;
2832
2833 case ACLC_CONTROL:
2834 control_type = decode_control(arg, &p, where, log_msgptr);
2835
2836 /* Check if this control makes sense at this time */
2837
2838 if ((control_forbids[control_type] & (1 << where)) != 0)
2839 {
2840 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2841 controls[control_type], acl_wherenames[where]);
2842 return ERROR;
2843 }
2844
2845 switch(control_type)
2846 {
2847 case CONTROL_AUTH_UNADVERTISED:
2848 allow_auth_unadvertised = TRUE;
2849 break;
2850
2851 #ifdef EXPERIMENTAL_BRIGHTMAIL
2852 case CONTROL_BMI_RUN:
2853 bmi_run = 1;
2854 break;
2855 #endif
2856
2857 #ifndef DISABLE_DKIM
2858 case CONTROL_DKIM_VERIFY:
2859 dkim_disable_verify = TRUE;
2860 break;
2861 #endif
2862
2863 case CONTROL_DSCP:
2864 if (*p == '/')
2865 {
2866 int fd, af, level, optname, value;
2867 /* If we are acting on stdin, the setsockopt may fail if stdin is not
2868 a socket; we can accept that, we'll just debug-log failures anyway. */
2869 fd = fileno(smtp_in);
2870 af = ip_get_address_family(fd);
2871 if (af < 0)
2872 {
2873 HDEBUG(D_acl)
2874 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
2875 strerror(errno));
2876 break;
2877 }
2878 if (dscp_lookup(p+1, af, &level, &optname, &value))
2879 {
2880 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
2881 {
2882 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
2883 p+1, strerror(errno));
2884 }
2885 else
2886 {
2887 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
2888 }
2889 }
2890 else
2891 {
2892 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
2893 return ERROR;
2894 }
2895 }
2896 else
2897 {
2898 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2899 return ERROR;
2900 }
2901 break;
2902
2903 case CONTROL_ERROR:
2904 return ERROR;
2905
2906 case CONTROL_CASEFUL_LOCAL_PART:
2907 deliver_localpart = addr->cc_local_part;
2908 break;
2909
2910 case CONTROL_CASELOWER_LOCAL_PART:
2911 deliver_localpart = addr->lc_local_part;
2912 break;
2913
2914 case CONTROL_ENFORCE_SYNC:
2915 smtp_enforce_sync = TRUE;
2916 break;
2917
2918 case CONTROL_NO_ENFORCE_SYNC:
2919 smtp_enforce_sync = FALSE;
2920 break;
2921
2922 #ifdef WITH_CONTENT_SCAN
2923 case CONTROL_NO_MBOX_UNSPOOL:
2924 no_mbox_unspool = TRUE;
2925 break;
2926 #endif
2927
2928 case CONTROL_NO_MULTILINE:
2929 no_multiline_responses = TRUE;
2930 break;
2931
2932 case CONTROL_NO_PIPELINING:
2933 pipelining_enable = FALSE;
2934 break;
2935
2936 case CONTROL_NO_DELAY_FLUSH:
2937 disable_delay_flush = TRUE;
2938 break;
2939
2940 case CONTROL_NO_CALLOUT_FLUSH:
2941 disable_callout_flush = TRUE;
2942 break;
2943
2944 case CONTROL_FAKEDEFER:
2945 case CONTROL_FAKEREJECT:
2946 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
2947 if (*p == '/')
2948 {
2949 uschar *pp = p + 1;
2950 while (*pp != 0) pp++;
2951 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
2952 p = pp;
2953 }
2954 else
2955 {
2956 /* Explicitly reset to default string */
2957 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
2958 }
2959 break;
2960
2961 case CONTROL_FREEZE:
2962 deliver_freeze = TRUE;
2963 deliver_frozen_at = time(NULL);
2964 freeze_tell = freeze_tell_config; /* Reset to configured value */
2965 if (Ustrncmp(p, "/no_tell", 8) == 0)
2966 {
2967 p += 8;
2968 freeze_tell = NULL;
2969 }
2970 if (*p != 0)
2971 {
2972 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2973 return ERROR;
2974 }
2975 break;
2976
2977 case CONTROL_QUEUE_ONLY:
2978 queue_only_policy = TRUE;
2979 break;
2980
2981 case CONTROL_SUBMISSION:
2982 originator_name = US"";
2983 submission_mode = TRUE;
2984 while (*p == '/')
2985 {
2986 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2987 {
2988 p += 14;
2989 active_local_sender_retain = TRUE;
2990 active_local_from_check = FALSE;
2991 }
2992 else if (Ustrncmp(p, "/domain=", 8) == 0)
2993 {
2994 uschar *pp = p + 8;
2995 while (*pp != 0 && *pp != '/') pp++;
2996 submission_domain = string_copyn(p+8, pp-p-8);
2997 p = pp;
2998 }
2999 /* The name= option must be last, because it swallows the rest of
3000 the string. */
3001 else if (Ustrncmp(p, "/name=", 6) == 0)
3002 {
3003 uschar *pp = p + 6;
3004 while (*pp != 0) pp++;
3005 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
3006 big_buffer, big_buffer_size));
3007 p = pp;
3008 }
3009 else break;
3010 }
3011 if (*p != 0)
3012 {
3013 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3014 return ERROR;
3015 }
3016 break;
3017
3018 case CONTROL_DEBUG:
3019 while (*p == '/')
3020 {
3021 if (Ustrncmp(p, "/tag=", 5) == 0)
3022 {
3023 uschar *pp = p + 5;
3024 while (*pp != '\0' && *pp != '/') pp++;
3025 debug_tag = string_copyn(p+5, pp-p-5);
3026 p = pp;
3027 }
3028 else if (Ustrncmp(p, "/opts=", 6) == 0)
3029 {
3030 uschar *pp = p + 6;
3031 while (*pp != '\0' && *pp != '/') pp++;
3032 debug_opts = string_copyn(p+6, pp-p-6);
3033 p = pp;
3034 }
3035 }
3036 debug_logging_activate(debug_tag, debug_opts);
3037 break;
3038
3039 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3040 suppress_local_fixups = TRUE;
3041 break;
3042
3043 case CONTROL_CUTTHROUGH_DELIVERY:
3044 if (deliver_freeze)
3045 {
3046 *log_msgptr = string_sprintf("\"control=%s\" on frozen item", arg);
3047 return ERROR;
3048 }
3049 if (queue_only_policy)
3050 {
3051 *log_msgptr = string_sprintf("\"control=%s\" on queue-only item", arg);
3052 return ERROR;
3053 }
3054 cutthrough_delivery = TRUE;
3055 break;
3056 }
3057 break;
3058
3059 #ifdef EXPERIMENTAL_DCC
3060 case ACLC_DCC:
3061 {
3062 /* Seperate the regular expression and any optional parameters. */
3063 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3064 /* Run the dcc backend. */
3065 rc = dcc_process(&ss);
3066 /* Modify return code based upon the existance of options. */
3067 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3068 != NULL) {
3069 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3070 {
3071 /* FAIL so that the message is passed to the next ACL */
3072 rc = FAIL;
3073 }
3074 }
3075 }
3076 break;
3077 #endif
3078
3079 #ifdef WITH_CONTENT_SCAN
3080 case ACLC_DECODE:
3081 rc = mime_decode(&arg);
3082 break;
3083 #endif
3084
3085 case ACLC_DELAY:
3086 {
3087 int delay = readconf_readtime(arg, 0, FALSE);
3088 if (delay < 0)
3089 {
3090 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3091 "modifier: \"%s\" is not a time value", arg);
3092 return ERROR;
3093 }
3094 else
3095 {
3096 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3097 delay);
3098 if (host_checking)
3099 {
3100 HDEBUG(D_acl)
3101 debug_printf("delay skipped in -bh checking mode\n");
3102 }
3103
3104 /* It appears to be impossible to detect that a TCP/IP connection has
3105 gone away without reading from it. This means that we cannot shorten
3106 the delay below if the client goes away, because we cannot discover
3107 that the client has closed its end of the connection. (The connection
3108 is actually in a half-closed state, waiting for the server to close its
3109 end.) It would be nice to be able to detect this state, so that the
3110 Exim process is not held up unnecessarily. However, it seems that we
3111 can't. The poll() function does not do the right thing, and in any case
3112 it is not always available.
3113
3114 NOTE 1: If ever this state of affairs changes, remember that we may be
3115 dealing with stdin/stdout here, in addition to TCP/IP connections.
3116 Also, delays may be specified for non-SMTP input, where smtp_out and
3117 smtp_in will be NULL. Whatever is done must work in all cases.
3118
3119 NOTE 2: The added feature of flushing the output before a delay must
3120 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3121 */
3122
3123 else
3124 {
3125 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
3126 while (delay > 0) delay = sleep(delay);
3127 }
3128 }
3129 }
3130 break;
3131
3132 #ifdef WITH_OLD_DEMIME
3133 case ACLC_DEMIME:
3134 rc = demime(&arg);
3135 break;
3136 #endif
3137
3138 #ifndef DISABLE_DKIM
3139 case ACLC_DKIM_SIGNER:
3140 if (dkim_cur_signer != NULL)
3141 rc = match_isinlist(dkim_cur_signer,
3142 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3143 else
3144 rc = FAIL;
3145 break;
3146
3147 case ACLC_DKIM_STATUS:
3148 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3149 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3150 break;
3151 #endif
3152
3153 case ACLC_DNSLISTS:
3154 rc = verify_check_dnsbl(&arg);
3155 break;
3156
3157 case ACLC_DOMAINS:
3158 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3159 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3160 break;
3161
3162 /* The value in tls_cipher is the full cipher name, for example,
3163 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3164 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3165 what may in practice come out of the SSL library - which at the time of
3166 writing is poorly documented. */
3167
3168 case ACLC_ENCRYPTED:
3169 if (tls_in.cipher == NULL) rc = FAIL; else
3170 {
3171 uschar *endcipher = NULL;
3172 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3173 if (cipher == NULL) cipher = tls_in.cipher; else
3174 {
3175 endcipher = Ustrchr(++cipher, ':');
3176 if (endcipher != NULL) *endcipher = 0;
3177 }
3178 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3179 if (endcipher != NULL) *endcipher = ':';
3180 }
3181 break;
3182
3183 /* Use verify_check_this_host() instead of verify_check_host() so that
3184 we can pass over &host_data to catch any looked up data. Once it has been
3185 set, it retains its value so that it's still there if another ACL verb
3186 comes through here and uses the cache. However, we must put it into
3187 permanent store in case it is also expected to be used in a subsequent
3188 message in the same SMTP connection. */
3189
3190 case ACLC_HOSTS:
3191 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3192 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3193 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3194 break;
3195
3196 case ACLC_LOCAL_PARTS:
3197 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3198 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3199 &deliver_localpart_data);
3200 break;
3201
3202 case ACLC_LOG_REJECT_TARGET:
3203 {
3204 int logbits = 0;
3205 int sep = 0;
3206 uschar *s = arg;
3207 uschar *ss;
3208 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3209 != NULL)
3210 {
3211 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3212 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3213 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3214 else
3215 {
3216 logbits |= LOG_MAIN|LOG_REJECT;
3217 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3218 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3219 }
3220 }
3221 log_reject_target = logbits;
3222 }
3223 break;
3224
3225 case ACLC_LOGWRITE:
3226 {
3227 int logbits = 0;
3228 uschar *s = arg;
3229 if (*s == ':')
3230 {
3231 s++;
3232 while (*s != ':')
3233 {
3234 if (Ustrncmp(s, "main", 4) == 0)
3235 { logbits |= LOG_MAIN; s += 4; }
3236 else if (Ustrncmp(s, "panic", 5) == 0)
3237 { logbits |= LOG_PANIC; s += 5; }
3238 else if (Ustrncmp(s, "reject", 6) == 0)
3239 { logbits |= LOG_REJECT; s += 6; }
3240 else
3241 {
3242 logbits = LOG_MAIN|LOG_PANIC;
3243 s = string_sprintf(":unknown log name in \"%s\" in "
3244 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3245 }
3246 if (*s == ',') s++;
3247 }
3248 s++;
3249 }
3250 while (isspace(*s)) s++;
3251
3252
3253 if (logbits == 0) logbits = LOG_MAIN;
3254 log_write(0, logbits, "%s", string_printing(s));
3255 }
3256 break;
3257
3258 #ifdef WITH_CONTENT_SCAN
3259 case ACLC_MALWARE:
3260 {
3261 /* Separate the regular expression and any optional parameters. */
3262 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3263 /* Run the malware backend. */
3264 rc = malware(&ss);
3265 /* Modify return code based upon the existance of options. */
3266 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3267 != NULL) {
3268 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3269 {
3270 /* FAIL so that the message is passed to the next ACL */
3271 rc = FAIL;
3272 }
3273 }
3274 }
3275 break;
3276
3277 case ACLC_MIME_REGEX:
3278 rc = mime_regex(&arg);
3279 break;
3280 #endif
3281
3282 case ACLC_RATELIMIT:
3283 rc = acl_ratelimit(arg, where, log_msgptr);
3284 break;
3285
3286 case ACLC_RECIPIENTS:
3287 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3288 &recipient_data);
3289 break;
3290
3291 #ifdef WITH_CONTENT_SCAN
3292 case ACLC_REGEX:
3293 rc = regex(&arg);
3294 break;
3295 #endif
3296
3297 case ACLC_SENDER_DOMAINS:
3298 {
3299 uschar *sdomain;
3300 sdomain = Ustrrchr(sender_address, '@');
3301 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3302 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3303 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3304 }
3305 break;
3306
3307 case ACLC_SENDERS:
3308 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3309 sender_address_cache, -1, 0, &sender_data);
3310 break;
3311
3312 /* Connection variables must persist forever */
3313
3314 case ACLC_SET:
3315 {
3316 int old_pool = store_pool;
3317 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3318 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
3319 store_pool = old_pool;
3320 }
3321 break;
3322
3323 #ifdef WITH_CONTENT_SCAN
3324 case ACLC_SPAM:
3325 {
3326 /* Seperate the regular expression and any optional parameters. */
3327 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3328 /* Run the spam backend. */
3329 rc = spam(&ss);
3330 /* Modify return code based upon the existance of options. */
3331 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3332 != NULL) {
3333 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3334 {
3335 /* FAIL so that the message is passed to the next ACL */
3336 rc = FAIL;
3337 }
3338 }
3339 }
3340 break;
3341 #endif
3342
3343 #ifdef EXPERIMENTAL_SPF
3344 case ACLC_SPF:
3345 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3346 break;
3347 case ACLC_SPF_GUESS:
3348 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
3349 break;
3350 #endif
3351
3352 /* If the verb is WARN, discard any user message from verification, because
3353 such messages are SMTP responses, not header additions. The latter come
3354 only from explicit "message" modifiers. However, put the user message into
3355 $acl_verify_message so it can be used in subsequent conditions or modifiers
3356 (until something changes it). */
3357
3358 case ACLC_VERIFY:
3359 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
3360 acl_verify_message = *user_msgptr;
3361 if (verb == ACL_WARN) *user_msgptr = NULL;
3362 break;
3363
3364 default:
3365 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3366 "condition %d", cb->type);
3367 break;
3368 }
3369
3370 /* If a condition was negated, invert OK/FAIL. */
3371
3372 if (!cond_modifiers[cb->type] && cb->u.negated)
3373 {
3374 if (rc == OK) rc = FAIL;
3375 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3376 }
3377
3378 if (rc != OK) break; /* Conditions loop */
3379 }
3380
3381
3382 /* If the result is the one for which "message" and/or "log_message" are used,
3383 handle the values of these modifiers. If there isn't a log message set, we make
3384 it the same as the user message.
3385
3386 "message" is a user message that will be included in an SMTP response. Unless
3387 it is empty, it overrides any previously set user message.
3388
3389 "log_message" is a non-user message, and it adds to any existing non-user
3390 message that is already set.
3391
3392 Most verbs have but a single return for which the messages are relevant, but
3393 for "discard", it's useful to have the log message both when it succeeds and
3394 when it fails. For "accept", the message is used in the OK case if there is no
3395 "endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3396 present. */
3397
3398 if (*epp && rc == OK) user_message = NULL;
3399
3400 if (((1<<rc) & msgcond[verb]) != 0)
3401 {
3402 uschar *expmessage;
3403 uschar *old_user_msgptr = *user_msgptr;
3404 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
3405
3406 /* If the verb is "warn", messages generated by conditions (verification or
3407 nested ACLs) are always discarded. This also happens for acceptance verbs
3408 when they actually do accept. Only messages specified at this level are used.
3409 However, the value of an existing message is available in $acl_verify_message
3410 during expansions. */
3411
3412 if (verb == ACL_WARN ||
3413 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3414 *log_msgptr = *user_msgptr = NULL;
3415
3416 if (user_message != NULL)
3417 {
3418 acl_verify_message = old_user_msgptr;
3419 expmessage = expand_string(user_message);
3420 if (expmessage == NULL)
3421 {
3422 if (!expand_string_forcedfail)
3423 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3424 user_message, expand_string_message);
3425 }
3426 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3427 }
3428
3429 if (log_message != NULL)
3430 {
3431 acl_verify_message = old_log_msgptr;
3432 expmessage = expand_string(log_message);
3433 if (expmessage == NULL)
3434 {
3435 if (!expand_string_forcedfail)
3436 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3437 log_message, expand_string_message);
3438 }
3439 else if (expmessage[0] != 0)
3440 {
3441 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3442 string_sprintf("%s: %s", expmessage, *log_msgptr);
3443 }
3444 }
3445
3446 /* If no log message, default it to the user message */
3447
3448 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3449 }
3450
3451 acl_verify_message = NULL;
3452 return rc;
3453 }
3454
3455
3456
3457
3458
3459 /*************************************************
3460 * Get line from a literal ACL *
3461 *************************************************/
3462
3463 /* This function is passed to acl_read() in order to extract individual lines
3464 of a literal ACL, which we access via static pointers. We can destroy the
3465 contents because this is called only once (the compiled ACL is remembered).
3466
3467 This code is intended to treat the data in the same way as lines in the main
3468 Exim configuration file. That is:
3469
3470 . Leading spaces are ignored.
3471
3472 . A \ at the end of a line is a continuation - trailing spaces after the \
3473 are permitted (this is because I don't believe in making invisible things
3474 significant). Leading spaces on the continued part of a line are ignored.
3475
3476 . Physical lines starting (significantly) with # are totally ignored, and
3477 may appear within a sequence of backslash-continued lines.