projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix "regex" condition not being available in MIME ACL
[exim.git] / src / src / acl.c
1 /* $Cambridge: exim/src/src/acl.c,v 1.22 2005/03/09 13:16:29 tom Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10 /* Code for handling Access Control Lists (ACLs) */
11
12 #include "exim.h"
13
14
15 /* Default callout timeout */
16
17 #define CALLOUT_TIMEOUT_DEFAULT 30
18
19 /* ACL verb codes - keep in step with the table of verbs that follows */
20
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24 /* ACL verbs */
25
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30 /* For each verb, the condition for which "message" is used */
31
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34 /* ACL condition and modifier codes - keep in step with the table that
35 follows. */
36
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40 #endif
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44 #endif
45 ACLC_DELAY,
46 #ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
48 #endif
49 #ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
51 ACLC_DK_POLICY,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
54 ACLC_DK_SENDERS,
55 ACLC_DK_STATUS,
56 #endif
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59 #ifdef WITH_CONTENT_SCAN
60 ACLC_MALWARE,
61 #endif
62 ACLC_MESSAGE,
63 #ifdef WITH_CONTENT_SCAN
64 ACLC_MIME_REGEX,
65 #endif
66 ACLC_RECIPIENTS,
67 #ifdef WITH_CONTENT_SCAN
68 ACLC_REGEX,
69 #endif
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71 #ifdef WITH_CONTENT_SCAN
72 ACLC_SPAM,
73 #endif
74 #ifdef EXPERIMENTAL_SPF
75 ACLC_SPF,
76 #endif
77 ACLC_VERIFY };
78
79 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80 "log_message", "logwrite", and "set" are modifiers that look like conditions
81 but always return TRUE. They are used for their side effects. */
82
83 static uschar *conditions[] = { US"acl", US"authenticated",
84 #ifdef EXPERIMENTAL_BRIGHTMAIL
85 US"bmi_optin",
86 #endif
87 US"condition",
88 US"control",
89 #ifdef WITH_CONTENT_SCAN
90 US"decode",
91 #endif
92 US"delay",
93 #ifdef WITH_OLD_DEMIME
94 US"demime",
95 #endif
96 #ifdef EXPERIMENTAL_DOMAINKEYS
97 US"dk_domain_source",
98 US"dk_policy",
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
101 US"dk_senders",
102 US"dk_status",
103 #endif
104 US"dnslists", US"domains", US"encrypted",
105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
106 #ifdef WITH_CONTENT_SCAN
107 US"malware",
108 #endif
109 US"message",
110 #ifdef WITH_CONTENT_SCAN
111 US"mime_regex",
112 #endif
113 US"recipients",
114 #ifdef WITH_CONTENT_SCAN
115 US"regex",
116 #endif
117 US"sender_domains", US"senders", US"set",
118 #ifdef WITH_CONTENT_SCAN
119 US"spam",
120 #endif
121 #ifdef EXPERIMENTAL_SPF
122 US"spf",
123 #endif
124 US"verify" };
125
126 /* ACL control names */
127
128 static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
130 US"queue_only", US"submission", US"no_multiline"};
131
132 /* Flags to indicate for which conditions /modifiers a string expansion is done
133 at the outer level. In the other cases, expansion already occurs in the
134 checking functions. */
135
136 static uschar cond_expand_at_top[] = {
137 TRUE, /* acl */
138 FALSE, /* authenticated */
139 #ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
141 #endif
142 TRUE, /* condition */
143 TRUE, /* control */
144 #ifdef WITH_CONTENT_SCAN
145 TRUE, /* decode */
146 #endif
147 TRUE, /* delay */
148 #ifdef WITH_OLD_DEMIME
149 TRUE, /* demime */
150 #endif
151 #ifdef EXPERIMENTAL_DOMAINKEYS
152 TRUE,
153 TRUE,
154 TRUE,
155 TRUE,
156 TRUE,
157 TRUE,
158 #endif
159 TRUE, /* dnslists */
160 FALSE, /* domains */
161 FALSE, /* encrypted */
162 TRUE, /* endpass */
163 FALSE, /* hosts */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
166 TRUE, /* logwrite */
167 #ifdef WITH_CONTENT_SCAN
168 TRUE, /* malware */
169 #endif
170 TRUE, /* message */
171 #ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
173 #endif
174 FALSE, /* recipients */
175 #ifdef WITH_CONTENT_SCAN
176 TRUE, /* regex */
177 #endif
178 FALSE, /* sender_domains */
179 FALSE, /* senders */
180 TRUE, /* set */
181 #ifdef WITH_CONTENT_SCAN
182 TRUE, /* spam */
183 #endif
184 #ifdef EXPERIMENTAL_SPF
185 TRUE, /* spf */
186 #endif
187 TRUE /* verify */
188 };
189
190 /* Flags to identify the modifiers */
191
192 static uschar cond_modifiers[] = {
193 FALSE, /* acl */
194 FALSE, /* authenticated */
195 #ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
197 #endif
198 FALSE, /* condition */
199 TRUE, /* control */
200 #ifdef WITH_CONTENT_SCAN
201 FALSE, /* decode */
202 #endif
203 TRUE, /* delay */
204 #ifdef WITH_OLD_DEMIME
205 FALSE, /* demime */
206 #endif
207 #ifdef EXPERIMENTAL_DOMAINKEYS
208 FALSE,
209 FALSE,
210 FALSE,
211 FALSE,
212 FALSE,
213 FALSE,
214 #endif
215 FALSE, /* dnslists */
216 FALSE, /* domains */
217 FALSE, /* encrypted */
218 TRUE, /* endpass */
219 FALSE, /* hosts */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
222 TRUE, /* logwrite */
223 #ifdef WITH_CONTENT_SCAN
224 FALSE, /* malware */
225 #endif
226 TRUE, /* message */
227 #ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
229 #endif
230 FALSE, /* recipients */
231 #ifdef WITH_CONTENT_SCAN
232 FALSE, /* regex */
233 #endif
234 FALSE, /* sender_domains */
235 FALSE, /* senders */
236 TRUE, /* set */
237 #ifdef WITH_CONTENT_SCAN
238 FALSE, /* spam */
239 #endif
240 #ifdef EXPERIMENTAL_SPF
241 FALSE, /* spf */
242 #endif
243 FALSE /* verify */
244 };
245
246 /* Bit map vector of which conditions are not allowed at certain times. For
247 each condition, there's a bitmap of dis-allowed times. */
248
249 static unsigned int cond_forbids[] = {
250 0, /* acl */
251
252 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
253 (1<<ACL_WHERE_HELO),
254
255 #ifdef EXPERIMENTAL_BRIGHTMAIL
256 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
257 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
258 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
259 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
260 (1<<ACL_WHERE_MAILAUTH)|
261 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
262 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
263 #endif
264
265 0, /* condition */
266
267 /* Certain types of control are always allowed, so we let it through
268 always and check in the control processing itself */
269
270 0, /* control */
271
272 #ifdef WITH_CONTENT_SCAN
273 (1<<ACL_WHERE_AUTH)| /* decode */
274 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
275 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
276 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
277 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
278 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
279 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
280 #endif
281
282 0, /* delay */
283
284 #ifdef WITH_OLD_DEMIME
285 (1<<ACL_WHERE_AUTH)| /* demime */
286 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
287 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
288 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
289 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
290 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
291 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
292 #endif
293
294 #ifdef EXPERIMENTAL_DOMAINKEYS
295 (1<<ACL_WHERE_AUTH)|
296 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
297 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
298 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
299 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
300 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
301 (1<<ACL_WHERE_VRFY),
302
303 (1<<ACL_WHERE_AUTH)|
304 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
305 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
306 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
307 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
308 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
309 (1<<ACL_WHERE_VRFY),
310
311 (1<<ACL_WHERE_AUTH)|
312 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
313 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
314 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
315 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
316 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
317 (1<<ACL_WHERE_VRFY),
318
319 (1<<ACL_WHERE_AUTH)|
320 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
321 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
322 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
323 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
324 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
325 (1<<ACL_WHERE_VRFY),
326
327 (1<<ACL_WHERE_AUTH)|
328 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
329 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
330 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
331 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
332 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
333 (1<<ACL_WHERE_VRFY),
334
335 (1<<ACL_WHERE_AUTH)|
336 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
337 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
338 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
339 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
340 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
341 (1<<ACL_WHERE_VRFY),
342 #endif
343
344 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
345
346 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
347 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
348 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
349 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
350 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
351 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
352 (1<<ACL_WHERE_VRFY),
353
354 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
355 (1<<ACL_WHERE_HELO),
356
357 0, /* endpass */
358
359 (1<<ACL_WHERE_NOTSMTP), /* hosts */
360
361 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
362 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
363 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
364 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
365 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
366 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
367 (1<<ACL_WHERE_VRFY),
368
369 0, /* log_message */
370
371 0, /* logwrite */
372
373 #ifdef WITH_CONTENT_SCAN
374 (1<<ACL_WHERE_AUTH)| /* malware */
375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
378 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
381 #endif
382
383 0, /* message */
384
385 #ifdef WITH_CONTENT_SCAN
386 (1<<ACL_WHERE_AUTH)| /* mime_regex */
387 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
388 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
389 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
390 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
391 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
392 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
393 #endif
394
395 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
396 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
400 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
401 (1<<ACL_WHERE_VRFY),
402
403 #ifdef WITH_CONTENT_SCAN
404 (1<<ACL_WHERE_AUTH)| /* regex */
405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
406 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
407 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
408 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
409 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
410 (1<<ACL_WHERE_VRFY),
411 #endif
412
413 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
414 (1<<ACL_WHERE_HELO)|
415 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
416 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
417 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
418
419 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
420 (1<<ACL_WHERE_HELO)|
421 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
422 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
423 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
424
425 0, /* set */
426
427 #ifdef WITH_CONTENT_SCAN
428 (1<<ACL_WHERE_AUTH)| /* spam */
429 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
430 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
431 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
432 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
433 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
434 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
435 #endif
436
437 #ifdef EXPERIMENTAL_SPF
438 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
439 (1<<ACL_WHERE_HELO)|
440 (1<<ACL_WHERE_MAILAUTH)|
441 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
442 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
443 #endif
444
445 /* Certain types of verify are always allowed, so we let it through
446 always and check in the verify function itself */
447
448 0 /* verify */
449 };
450
451
452 /* Return values from decode_control() */
453
454 enum {
455 #ifdef EXPERIMENTAL_BRIGHTMAIL
456 CONTROL_BMI_RUN,
457 #endif
458 #ifdef EXPERIMENTAL_DOMAINKEYS
459 CONTROL_DK_VERIFY,
460 #endif
461 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
462 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
463 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
464 #ifdef WITH_CONTENT_SCAN
465 CONTROL_NO_MBOX_UNSPOOL,
466 #endif
467 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
468
469 /* Bit map vector of which controls are not allowed at certain times. For
470 each control, there's a bitmap of dis-allowed times. For some, it is easier to
471 specify the negation of a small number of allowed times. */
472
473 static unsigned int control_forbids[] = {
474 #ifdef EXPERIMENTAL_BRIGHTMAIL
475 0, /* bmi_run */
476 #endif
477 #ifdef EXPERIMENTAL_DOMAINKEYS
478 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA), /* dk_verify */
479 #endif
480
481 0, /* error */
482
483 (unsigned int)
484 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
485
486 (unsigned int)
487 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
488
489 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
490
491 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
492
493 (unsigned int)
494 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
495 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
496 (1<<ACL_WHERE_NOTSMTP)),
497
498 (unsigned int)
499 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
500 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
501 (1<<ACL_WHERE_NOTSMTP)),
502
503 (unsigned int)
504 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
505 (1<<ACL_WHERE_PREDATA)),
506
507 #ifdef WITH_CONTENT_SCAN
508 (unsigned int)
509 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
510 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)),
511 #endif
512
513 (unsigned int)
514 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
515 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)),
516
517 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
518 };
519
520 /* Structure listing various control arguments, with their characteristics. */
521
522 typedef struct control_def {
523 uschar *name;
524 int value; /* CONTROL_xxx value */
525 BOOL has_option; /* Has /option(s) following */
526 } control_def;
527
528 static control_def controls_list[] = {
529 #ifdef EXPERIMENTAL_BRIGHTMAIL
530 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
531 #endif
532 #ifdef EXPERIMENTAL_DOMAINKEYS
533 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
534 #endif
535 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
536 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
537 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
538 { US"freeze", CONTROL_FREEZE, FALSE},
539 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
540 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
541 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
542 #ifdef WITH_CONTENT_SCAN
543 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
544 #endif
545 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
546 { US"submission", CONTROL_SUBMISSION, TRUE}
547 };
548
549 /* Enable recursion between acl_check_internal() and acl_check_condition() */
550
551 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
552 uschar **);
553
554
555 /*************************************************
556 * Pick out name from list *
557 *************************************************/
558
559 /* Use a binary chop method
560
561 Arguments:
562 name name to find
563 list list of names
564 end size of list
565
566 Returns: offset in list, or -1 if not found
567 */
568
569 static int
570 acl_checkname(uschar *name, uschar **list, int end)
571 {
572 int start = 0;
573
574 while (start < end)
575 {
576 int mid = (start + end)/2;
577 int c = Ustrcmp(name, list[mid]);
578 if (c == 0) return mid;
579 if (c < 0) end = mid; else start = mid + 1;
580 }
581
582 return -1;
583 }
584
585
586 /*************************************************
587 * Read and parse one ACL *
588 *************************************************/
589
590 /* This function is called both from readconf in order to parse the ACLs in the
591 configuration file, and also when an ACL is encountered dynamically (e.g. as
592 the result of an expansion). It is given a function to call in order to
593 retrieve the lines of the ACL. This function handles skipping comments and
594 blank lines (where relevant).
595
596 Arguments:
597 func function to get next line of ACL
598 error where to put an error message
599
600 Returns: pointer to ACL, or NULL
601 NULL can be legal (empty ACL); in this case error will be NULL
602 */
603
604 acl_block *
605 acl_read(uschar *(*func)(void), uschar **error)
606 {
607 acl_block *yield = NULL;
608 acl_block **lastp = &yield;
609 acl_block *this = NULL;
610 acl_condition_block *cond;
611 acl_condition_block **condp = NULL;
612 uschar *s;
613
614 *error = NULL;
615
616 while ((s = (*func)()) != NULL)
617 {
618 int v, c;
619 BOOL negated = FALSE;
620 uschar *saveline = s;
621 uschar name[64];
622
623 /* Conditions (but not verbs) are allowed to be negated by an initial
624 exclamation mark. */
625
626 while (isspace(*s)) s++;
627 if (*s == '!')
628 {
629 negated = TRUE;
630 s++;
631 }
632
633 /* Read the name of a verb or a condition, or the start of a new ACL */
634
635 s = readconf_readname(name, sizeof(name), s);
636 if (*s == ':')
637 {
638 if (negated || name[0] == 0)
639 {
640 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
641 return NULL;
642 }
643 break;
644 }
645
646 /* If a verb is unrecognized, it may be another condition or modifier that
647 continues the previous verb. */
648
649 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
650 if (v < 0)
651 {
652 if (this == NULL)
653 {
654 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
655 return NULL;
656 }
657 }
658
659 /* New verb */
660
661 else
662 {
663 if (negated)
664 {
665 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
666 return NULL;
667 }
668 this = store_get(sizeof(acl_block));
669 *lastp = this;
670 lastp = &(this->next);
671 this->next = NULL;
672 this->verb = v;
673 this->condition = NULL;
674 condp = &(this->condition);
675 if (*s == 0) continue; /* No condition on this line */
676 if (*s == '!')
677 {
678 negated = TRUE;
679 s++;
680 }
681 s = readconf_readname(name, sizeof(name), s); /* Condition name */
682 }
683
684 /* Handle a condition or modifier. */
685
686 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
687 if (c < 0)
688 {
689 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
690 saveline);
691 return NULL;
692 }
693
694 /* The modifiers may not be negated */
695
696 if (negated && cond_modifiers[c])
697 {
698 *error = string_sprintf("ACL error: negation is not allowed with "
699 "\"%s\"", conditions[c]);
700 return NULL;
701 }
702
703 /* ENDPASS may occur only with ACCEPT or DISCARD. */
704
705 if (c == ACLC_ENDPASS &&
706 this->verb != ACL_ACCEPT &&
707 this->verb != ACL_DISCARD)
708 {
709 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
710 conditions[c], verbs[this->verb]);
711 return NULL;
712 }
713
714 cond = store_get(sizeof(acl_condition_block));
715 cond->next = NULL;
716 cond->type = c;
717 cond->u.negated = negated;
718
719 *condp = cond;
720 condp = &(cond->next);
721
722 /* The "set" modifier is different in that its argument is "name=value"
723 rather than just a value, and we can check the validity of the name, which
724 gives us a variable number to insert into the data block. */
725
726 if (c == ACLC_SET)
727 {
728 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
729 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
730 {
731 *error = string_sprintf("unrecognized name after \"set\" in ACL "
732 "modifier \"set %s\"", s);
733 return NULL;
734 }
735
736 cond->u.varnumber = s[5] - '0';
737 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
738 s += 6;
739 while (isspace(*s)) s++;
740 }
741
742 /* For "set", we are now positioned for the data. For the others, only
743 "endpass" has no data */
744
745 if (c != ACLC_ENDPASS)
746 {
747 if (*s++ != '=')
748 {
749 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
750 cond_modifiers[c]? US"modifier" : US"condition");
751 return NULL;
752 }
753 while (isspace(*s)) s++;
754 cond->arg = string_copy(s);
755 }
756 }
757
758 return yield;
759 }
760
761
762
763 /*************************************************
764 * Handle warnings *
765 *************************************************/
766
767 /* This function is called when a WARN verb's conditions are true. It adds to
768 the message's headers, and/or writes information to the log. In each case, this
769 only happens once (per message for headers, per connection for log).
770
771 Arguments:
772 where ACL_WHERE_xxxx indicating which ACL this is
773 user_message message for adding to headers
774 log_message message for logging, if different
775
776 Returns: nothing
777 */
778
779 static void
780 acl_warn(int where, uschar *user_message, uschar *log_message)
781 {
782 int hlen;
783
784 if (log_message != NULL && log_message != user_message)
785 {
786 uschar *text;
787 string_item *logged;
788
789 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
790 string_printing(log_message));
791
792 /* If a sender verification has failed, and the log message is "sender verify
793 failed", add the failure message. */
794
795 if (sender_verified_failed != NULL &&
796 sender_verified_failed->message != NULL &&
797 strcmpic(log_message, US"sender verify failed") == 0)
798 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
799
800 /* Search previously logged warnings. They are kept in malloc store so they
801 can be freed at the start of a new message. */
802
803 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
804 if (Ustrcmp(logged->text, text) == 0) break;
805
806 if (logged == NULL)
807 {
808 int length = Ustrlen(text) + 1;
809 log_write(0, LOG_MAIN, "%s", text);
810 logged = store_malloc(sizeof(string_item) + length);
811 logged->text = (uschar *)logged + sizeof(string_item);
812 memcpy(logged->text, text, length);
813 logged->next = acl_warn_logged;
814 acl_warn_logged = logged;
815 }
816 }
817
818 /* If there's no user message, we are done. */
819
820 if (user_message == NULL) return;
821
822 /* If this isn't a message ACL, we can't do anything with a user message.
823 Log an error. */
824
825 if (where > ACL_WHERE_NOTSMTP)
826 {
827 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
828 "found in a non-message (%s) ACL: cannot specify header lines here: "
829 "message ignored", acl_wherenames[where]);
830 return;
831 }
832
833 /* Treat the user message as a sequence of one or more header lines. */
834
835 hlen = Ustrlen(user_message);
836 if (hlen > 0)
837 {
838 uschar *text, *p, *q;
839
840 /* Add a final newline if not present */
841
842 text = ((user_message)[hlen-1] == '\n')? user_message :
843 string_sprintf("%s\n", user_message);
844
845 /* Loop for multiple header lines, taking care about continuations */
846
847 for (p = q = text; *p != 0; )
848 {
849 uschar *s;
850 int newtype = htype_add_bot;
851 header_line **hptr = &acl_warn_headers;
852
853 /* Find next header line within the string */
854
855 for (;;)
856 {
857 q = Ustrchr(q, '\n');
858 if (*(++q) != ' ' && *q != '\t') break;
859 }
860
861 /* If the line starts with a colon, interpret the instruction for where to
862 add it. This temporarily sets up a new type. */
863
864 if (*p == ':')
865 {
866 if (strncmpic(p, US":after_received:", 16) == 0)
867 {
868 newtype = htype_add_rec;
869 p += 16;
870 }
871 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
872 {
873 newtype = htype_add_rfc;
874 p += 14;
875 }
876 else if (strncmpic(p, US":at_start:", 10) == 0)
877 {
878 newtype = htype_add_top;
879 p += 10;
880 }
881 else if (strncmpic(p, US":at_end:", 8) == 0)
882 {
883 newtype = htype_add_bot;
884 p += 8;
885 }
886 while (*p == ' ' || *p == '\t') p++;
887 }
888
889 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
890 to the front of it. */
891
892 for (s = p; s < q - 1; s++)
893 {
894 if (*s == ':' || !isgraph(*s)) break;
895 }
896
897 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
898 hlen = Ustrlen(s);
899
900 /* See if this line has already been added */
901
902 while (*hptr != NULL)
903 {
904 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
905 hptr = &((*hptr)->next);
906 }
907
908 /* Add if not previously present */
909
910 if (*hptr == NULL)
911 {
912 header_line *h = store_get(sizeof(header_line));
913 h->text = s;
914 h->next = NULL;
915 h->type = newtype;
916 h->slen = hlen;
917 *hptr = h;
918 hptr = &(h->next);
919 }
920
921 /* Advance for next header line within the string */
922
923 p = q;
924 }
925 }
926 }
927
928
929
930 /*************************************************
931 * Verify and check reverse DNS *
932 *************************************************/
933
934 /* Called from acl_verify() below. We look up the host name(s) of the client IP
935 address if this has not yet been done. The host_name_lookup() function checks
936 that one of these names resolves to an address list that contains the client IP
937 address, so we don't actually have to do the check here.
938
939 Arguments:
940 user_msgptr pointer for user message
941 log_msgptr pointer for log message
942
943 Returns: OK verification condition succeeded
944 FAIL verification failed
945 DEFER there was a problem verifying
946 */
947
948 static int
949 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
950 {
951 int rc;
952
953 user_msgptr = user_msgptr; /* stop compiler warning */
954
955 /* Previous success */
956
957 if (sender_host_name != NULL) return OK;
958
959 /* Previous failure */
960
961 if (host_lookup_failed)
962 {
963 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
964 return FAIL;
965 }
966
967 /* Need to do a lookup */
968
969 HDEBUG(D_acl)
970 debug_printf("looking up host name to force name/address consistency check\n");
971
972 if ((rc = host_name_lookup()) != OK)
973 {
974 *log_msgptr = (rc == DEFER)?
975 US"host lookup deferred for reverse lookup check"
976 :
977 string_sprintf("host lookup failed for reverse lookup check%s",
978 host_lookup_msg);
979 return rc; /* DEFER or FAIL */
980 }
981
982 host_build_sender_fullhost();
983 return OK;
984 }
985
986
987
988 /*************************************************
989 * Handle verification (address & other) *
990 *************************************************/
991
992 /* This function implements the "verify" condition. It is called when
993 encountered in any ACL, because some tests are almost always permitted. Some
994 just don't make sense, and always fail (for example, an attempt to test a host
995 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
996
997 Arguments:
998 where where called from
999 addr the recipient address that the ACL is handling, or NULL
1000 arg the argument of "verify"
1001 user_msgptr pointer for user message
1002 log_msgptr pointer for log message
1003 basic_errno where to put verify errno
1004
1005 Returns: OK verification condition succeeded
1006 FAIL verification failed
1007 DEFER there was a problem verifying
1008 ERROR syntax error
1009 */
1010
1011 static int
1012 acl_verify(int where, address_item *addr, uschar *arg,
1013 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1014 {
1015 int sep = '/';
1016 int callout = -1;
1017 int callout_overall = -1;
1018 int callout_connect = -1;
1019 int verify_options = 0;
1020 int rc;
1021 BOOL verify_header_sender = FALSE;
1022 BOOL defer_ok = FALSE;
1023 BOOL callout_defer_ok = FALSE;
1024 BOOL no_details = FALSE;
1025 address_item *sender_vaddr = NULL;
1026 uschar *verify_sender_address = NULL;
1027 uschar *pm_mailfrom = NULL;
1028 uschar *se_mailfrom = NULL;
1029 uschar *list = arg;
1030 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1031
1032 if (ss == NULL) goto BAD_VERIFY;
1033
1034 /* Handle name/address consistency verification in a separate function. */
1035
1036 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1037 {
1038 if (sender_host_address == NULL) return OK;
1039 return acl_verify_reverse(user_msgptr, log_msgptr);
1040 }
1041
1042 /* TLS certificate verification is done at STARTTLS time; here we just
1043 test whether it was successful or not. (This is for optional verification; for
1044 mandatory verification, the connection doesn't last this long.) */
1045
1046 if (strcmpic(ss, US"certificate") == 0)
1047 {
1048 if (tls_certificate_verified) return OK;
1049 *user_msgptr = US"no verified certificate";
1050 return FAIL;
1051 }
1052
1053 /* We can test the result of optional HELO verification */
1054
1055 if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
1056
1057 /* Handle header verification options - permitted only after DATA or a non-SMTP
1058 message. */
1059
1060 if (strncmpic(ss, US"header_", 7) == 0)
1061 {
1062 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1063 {
1064 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1065 "(only possible in ACL for DATA)", acl_wherenames[where]);
1066 return ERROR;
1067 }
1068
1069 /* Check that all relevant header lines have the correct syntax. If there is
1070 a syntax error, we return details of the error to the sender if configured to
1071 send out full details. (But a "message" setting on the ACL can override, as
1072 always). */
1073
1074 if (strcmpic(ss+7, US"syntax") == 0)
1075 {
1076 int rc = verify_check_headers(log_msgptr);
1077 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1078 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1079 return rc;
1080 }
1081
1082 /* Check that there is at least one verifiable sender address in the relevant
1083 header lines. This can be followed by callout and defer options, just like
1084 sender and recipient. */
1085
1086 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
1087
1088 /* Unknown verify argument starting with "header_" */
1089
1090 else goto BAD_VERIFY;
1091 }
1092
1093 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1094 In the case of a sender, this can optionally be followed by an address to use
1095 in place of the actual sender (rare special-case requirement). */
1096
1097 else if (strncmpic(ss, US"sender", 6) == 0)
1098 {
1099 uschar *s = ss + 6;
1100 if (where > ACL_WHERE_NOTSMTP)
1101 {
1102 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1103 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1104 acl_wherenames[where]);
1105 return ERROR;
1106 }
1107 if (*s == 0)
1108 verify_sender_address = sender_address;
1109 else
1110 {
1111 while (isspace(*s)) s++;
1112 if (*s++ != '=') goto BAD_VERIFY;
1113 while (isspace(*s)) s++;
1114 verify_sender_address = string_copy(s);
1115 }
1116 }
1117 else
1118 {
1119 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1120 if (addr == NULL)
1121 {
1122 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1123 "(only possible for RCPT)", acl_wherenames[where]);
1124 return ERROR;
1125 }
1126 }
1127
1128 /* Remaining items are optional */
1129
1130 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1131 != NULL)
1132 {
1133 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1134 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1135
1136 /* These two old options are left for backwards compatibility */
1137
1138 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1139 {
1140 callout_defer_ok = TRUE;
1141 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1142 }
1143
1144 else if (strcmpic(ss, US"check_postmaster") == 0)
1145 {
1146 pm_mailfrom = US"";
1147 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1148 }
1149
1150 /* The callout option has a number of sub-options, comma separated */
1151
1152 else if (strncmpic(ss, US"callout", 7) == 0)
1153 {
1154 callout = CALLOUT_TIMEOUT_DEFAULT;
1155 ss += 7;
1156 if (*ss != 0)
1157 {
1158 while (isspace(*ss)) ss++;
1159 if (*ss++ == '=')
1160 {
1161 int optsep = ',';
1162 uschar *opt;
1163 uschar buffer[256];
1164 while (isspace(*ss)) ss++;
1165
1166 /* This callout option handling code has become a mess as new options
1167 have been added in an ad hoc manner. It should be tidied up into some
1168 kind of table-driven thing. */
1169
1170 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1171 != NULL)
1172 {
1173 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1174 else if (strcmpic(opt, US"no_cache") == 0)
1175 verify_options |= vopt_callout_no_cache;
1176 else if (strcmpic(opt, US"random") == 0)
1177 verify_options |= vopt_callout_random;
1178 else if (strcmpic(opt, US"use_sender") == 0)
1179 verify_options |= vopt_callout_recipsender;
1180 else if (strcmpic(opt, US"use_postmaster") == 0)
1181 verify_options |= vopt_callout_recippmaster;
1182 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1183
1184 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1185 {
1186 if (!verify_header_sender)
1187 {
1188 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1189 "callout option only for verify=header_sender (detected in ACL "
1190 "condition \"%s\")", arg);
1191 return ERROR;
1192 }
1193 opt += 8;
1194 while (isspace(*opt)) opt++;
1195 if (*opt++ != '=')
1196 {
1197 *log_msgptr = string_sprintf("'=' expected after "
1198 "\"mailfrom\" in ACL condition \"%s\"", arg);
1199 return ERROR;
1200 }
1201 while (isspace(*opt)) opt++;
1202 se_mailfrom = string_copy(opt);
1203 }
1204
1205 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1206 {
1207 opt += 19;
1208 while (isspace(*opt)) opt++;
1209 if (*opt++ != '=')
1210 {
1211 *log_msgptr = string_sprintf("'=' expected after "
1212 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1213 return ERROR;
1214 }
1215 while (isspace(*opt)) opt++;
1216 pm_mailfrom = string_copy(opt);
1217 }
1218
1219 else if (strncmpic(opt, US"maxwait", 7) == 0)
1220 {
1221 opt += 7;
1222 while (isspace(*opt)) opt++;
1223 if (*opt++ != '=')
1224 {
1225 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1226 "ACL condition \"%s\"", arg);
1227 return ERROR;
1228 }
1229 while (isspace(*opt)) opt++;
1230 callout_overall = readconf_readtime(opt, 0, FALSE);
1231 if (callout_overall < 0)
1232 {
1233 *log_msgptr = string_sprintf("bad time value in ACL condition "
1234 "\"verify %s\"", arg);
1235 return ERROR;
1236 }
1237 }
1238 else if (strncmpic(opt, US"connect", 7) == 0)
1239 {
1240 opt += 7;
1241 while (isspace(*opt)) opt++;
1242 if (*opt++ != '=')
1243 {
1244 *log_msgptr = string_sprintf("'=' expected after "
1245 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1246 return ERROR;
1247 }
1248 while (isspace(*opt)) opt++;
1249 callout_connect = readconf_readtime(opt, 0, FALSE);
1250 if (callout_connect < 0)
1251 {
1252 *log_msgptr = string_sprintf("bad time value in ACL condition "
1253 "\"verify %s\"", arg);
1254 return ERROR;
1255 }
1256 }
1257 else /* Plain time is callout connect/command timeout */
1258 {
1259 callout = readconf_readtime(opt, 0, FALSE);
1260 if (callout < 0)
1261 {
1262 *log_msgptr = string_sprintf("bad time value in ACL condition "
1263 "\"verify %s\"", arg);
1264 return ERROR;
1265 }
1266 }
1267 }
1268 }
1269 else
1270 {
1271 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1272 "ACL condition \"%s\"", arg);
1273 return ERROR;
1274 }
1275 }
1276 }
1277
1278 /* Option not recognized */
1279
1280 else
1281 {
1282 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1283 "condition \"verify %s\"", ss, arg);
1284 return ERROR;
1285 }
1286 }
1287
1288 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1289 (vopt_callout_recipsender|vopt_callout_recippmaster))
1290 {
1291 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1292 "for a recipient callout";
1293 return ERROR;
1294 }
1295
1296 /* Handle sender-in-header verification. Default the user message to the log
1297 message if giving out verification details. */
1298
1299 if (verify_header_sender)
1300 {
1301 int verrno;
1302 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1303 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1304 &verrno);
1305 if (rc != OK)
1306 {
1307 *basic_errno = verrno;
1308 if (smtp_return_error_details)
1309 {
1310 if (*user_msgptr == NULL && *log_msgptr != NULL)
1311 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1312 if (rc == DEFER) acl_temp_details = TRUE;
1313 }
1314 }
1315 }
1316
1317 /* Handle a sender address. The default is to verify *the* sender address, but
1318 optionally a different address can be given, for special requirements. If the
1319 address is empty, we are dealing with a bounce message that has no sender, so
1320 we cannot do any checking. If the real sender address gets rewritten during
1321 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1322 during message reception.
1323
1324 A list of verified "sender" addresses is kept to try to avoid doing to much
1325 work repetitively when there are multiple recipients in a message and they all
1326 require sender verification. However, when callouts are involved, it gets too
1327 complicated because different recipients may require different callout options.
1328 Therefore, we always do a full sender verify when any kind of callout is
1329 specified. Caching elsewhere, for instance in the DNS resolver and in the
1330 callout handling, should ensure that this is not terribly inefficient. */
1331
1332 else if (verify_sender_address != NULL)
1333 {
1334 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1335 != 0)
1336 {
1337 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1338 "sender verify callout";
1339 return ERROR;
1340 }
1341
1342 sender_vaddr = verify_checked_sender(verify_sender_address);
1343 if (sender_vaddr != NULL && /* Previously checked */
1344 callout <= 0) /* No callout needed this time */
1345 {
1346 /* If the "routed" flag is set, it means that routing worked before, so
1347 this check can give OK (the saved return code value, if set, belongs to a
1348 callout that was done previously). If the "routed" flag is not set, routing
1349 must have failed, so we use the saved return code. */
1350
1351 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1352 {
1353 rc = sender_vaddr->special_action;
1354 *basic_errno = sender_vaddr->basic_errno;
1355 }
1356 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1357 }
1358
1359 /* Do a new verification, and cache the result. The cache is used to avoid
1360 verifying the sender multiple times for multiple RCPTs when callouts are not
1361 specified (see comments above).
1362
1363 The cache is also used on failure to give details in response to the first
1364 RCPT that gets bounced for this reason. However, this can be suppressed by
1365 the no_details option, which sets the flag that says "this detail has already
1366 been sent". The cache normally contains just one address, but there may be
1367 more in esoteric circumstances. */
1368
1369 else
1370 {
1371 BOOL routed = TRUE;
1372 uschar *save_address_data = deliver_address_data;
1373
1374 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1375 if (no_details) setflag(sender_vaddr, af_sverify_told);
1376 if (verify_sender_address[0] != 0)
1377 {
1378 /* If this is the real sender address, save the unrewritten version
1379 for use later in receive. Otherwise, set a flag so that rewriting the
1380 sender in verify_address() does not update sender_address. */
1381
1382 if (verify_sender_address == sender_address)
1383 sender_address_unrewritten = sender_address;
1384 else
1385 verify_options |= vopt_fake_sender;
1386
1387 /* The recipient, qualify, and expn options are never set in
1388 verify_options. */
1389
1390 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1391 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1392
1393 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1394
1395 if (rc == OK)
1396 {
1397 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1398 {
1399 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1400 verify_sender_address, sender_vaddr->address);
1401 }
1402 else
1403 {
1404 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1405 verify_sender_address);
1406 }
1407 }
1408 else *basic_errno = sender_vaddr->basic_errno;
1409 }
1410 else rc = OK; /* Null sender */
1411
1412 /* Cache the result code */
1413
1414 if (routed) setflag(sender_vaddr, af_verify_routed);
1415 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1416 sender_vaddr->special_action = rc;
1417 sender_vaddr->next = sender_verified_list;
1418 sender_verified_list = sender_vaddr;
1419
1420 /* Restore the recipient address data, which might have been clobbered by
1421 the sender verification. */
1422
1423 deliver_address_data = save_address_data;
1424 }
1425
1426 /* Put the sender address_data value into $sender_address_data */
1427
1428 sender_address_data = sender_vaddr->p.address_data;
1429 }
1430
1431 /* A recipient address just gets a straightforward verify; again we must handle
1432 the DEFER overrides. */
1433
1434 else
1435 {
1436 address_item addr2;
1437
1438 /* We must use a copy of the address for verification, because it might
1439 get rewritten. */
1440
1441 addr2 = *addr;
1442 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1443 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1444 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1445
1446 *log_msgptr = addr2.message;
1447 *user_msgptr = (addr2.user_message != NULL)?
1448 addr2.user_message : addr2.message;
1449 *basic_errno = addr2.basic_errno;
1450
1451 /* Make $address_data visible */
1452 deliver_address_data = addr2.p.address_data;
1453 }
1454
1455 /* We have a result from the relevant test. Handle defer overrides first. */
1456
1457 if (rc == DEFER && (defer_ok ||
1458 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1459 {
1460 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1461 defer_ok? "defer_ok" : "callout_defer_ok");
1462 rc = OK;
1463 }
1464
1465 /* If we've failed a sender, set up a recipient message, and point
1466 sender_verified_failed to the address item that actually failed. */
1467
1468 if (rc != OK && verify_sender_address != NULL)
1469 {
1470 if (rc != DEFER)
1471 {
1472 *log_msgptr = *user_msgptr = US"Sender verify failed";
1473 }
1474 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1475 {
1476 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1477 }
1478 else
1479 {
1480 *log_msgptr = US"Could not complete sender verify callout";
1481 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1482 *log_msgptr;
1483 }
1484
1485 sender_verified_failed = sender_vaddr;
1486 }
1487
1488 /* Verifying an address messes up the values of $domain and $local_part,
1489 so reset them before returning if this is a RCPT ACL. */
1490
1491 if (addr != NULL)
1492 {
1493 deliver_domain = addr->domain;
1494 deliver_localpart = addr->local_part;
1495 }
1496 return rc;
1497
1498 /* Syntax errors in the verify argument come here. */
1499
1500 BAD_VERIFY:
1501 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1502 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1503 "\"verify %s\"", arg);
1504 return ERROR;
1505 }
1506
1507
1508
1509
1510 /*************************************************
1511 * Check argument for control= modifier *
1512 *************************************************/
1513
1514 /* Called from acl_check_condition() below
1515
1516 Arguments:
1517 arg the argument string for control=
1518 pptr set to point to the terminating character
1519 where which ACL we are in
1520 log_msgptr for error messages
1521
1522 Returns: CONTROL_xxx value
1523 */
1524
1525 static int
1526 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1527 {
1528 int len;
1529 control_def *d;
1530
1531 for (d = controls_list;
1532 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1533 d++)
1534 {
1535 len = Ustrlen(d->name);
1536 if (Ustrncmp(d->name, arg, len) == 0) break;
1537 }
1538
1539 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1540 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1541 {
1542 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1543 return CONTROL_ERROR;
1544 }
1545
1546 *pptr = arg + len;
1547 return d->value;
1548 }
1549
1550
1551
1552 /*************************************************
1553 * Handle conditions/modifiers on an ACL item *
1554 *************************************************/
1555
1556 /* Called from acl_check() below.
1557
1558 Arguments:
1559 verb ACL verb
1560 cb ACL condition block - if NULL, result is OK
1561 where where called from
1562 addr the address being checked for RCPT, or NULL
1563 level the nesting level
1564 epp pointer to pass back TRUE if "endpass" encountered
1565 (applies only to "accept" and "discard")
1566 user_msgptr user message pointer
1567 log_msgptr log message pointer
1568 basic_errno pointer to where to put verify error
1569
1570 Returns: OK - all conditions are met
1571 DISCARD - an "acl" condition returned DISCARD - only allowed
1572 for "accept" or "discard" verbs
1573 FAIL - at least one condition fails
1574 FAIL_DROP - an "acl" condition returned FAIL_DROP
1575 DEFER - can't tell at the moment (typically, lookup defer,
1576 but can be temporary callout problem)
1577 ERROR - ERROR from nested ACL or expansion failure or other
1578 error
1579 */
1580
1581 static int
1582 acl_check_condition(int verb, acl_condition_block *cb, int where,
1583 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1584 uschar **log_msgptr, int *basic_errno)
1585 {
1586 uschar *user_message = NULL;
1587 uschar *log_message = NULL;
1588 uschar *p;
1589 int rc = OK;
1590 #ifdef WITH_CONTENT_SCAN
1591 int sep = '/';
1592 #endif
1593
1594 for (; cb != NULL; cb = cb->next)
1595 {
1596 uschar *arg;
1597 int control_type;
1598
1599 /* The message and log_message items set up messages to be used in
1600 case of rejection. They are expanded later. */
1601
1602 if (cb->type == ACLC_MESSAGE)
1603 {
1604 user_message = cb->arg;
1605 continue;
1606 }
1607
1608 if (cb->type == ACLC_LOG_MESSAGE)
1609 {
1610 log_message = cb->arg;
1611 continue;
1612 }
1613
1614 /* The endpass "condition" just sets a flag to show it occurred. This is
1615 checked at compile time to be on an "accept" or "discard" item. */
1616
1617 if (cb->type == ACLC_ENDPASS)
1618 {
1619 *epp = TRUE;
1620 continue;
1621 }
1622
1623 /* For other conditions and modifiers, the argument is expanded now for some
1624 of them, but not for all, because expansion happens down in some lower level
1625 checking functions in some cases. */
1626
1627 if (cond_expand_at_top[cb->type])
1628 {
1629 arg = expand_string(cb->arg);
1630 if (arg == NULL)
1631 {
1632 if (expand_string_forcedfail) continue;
1633 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1634 cb->arg, expand_string_message);
1635 return search_find_defer? DEFER : ERROR;
1636 }
1637 }
1638 else arg = cb->arg;
1639
1640 /* Show condition, and expanded condition if it's different */
1641
1642 HDEBUG(D_acl)
1643 {
1644 int lhswidth = 0;
1645 debug_printf("check %s%s %n",
1646 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1647 conditions[cb->type], &lhswidth);
1648
1649 if (cb->type == ACLC_SET)
1650 {
1651 int n = cb->u.varnumber;
1652 int t = (n < ACL_C_MAX)? 'c' : 'm';
1653 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1654 debug_printf("acl_%c%d ", t, n);
1655 lhswidth += 7;
1656 }
1657
1658 debug_printf("= %s\n", cb->arg);
1659
1660 if (arg != cb->arg)
1661 debug_printf("%.*s= %s\n", lhswidth,
1662 US" ", CS arg);
1663 }
1664
1665 /* Check that this condition makes sense at this time */
1666
1667 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1668 {
1669 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1670 cond_modifiers[cb->type]? "use" : "test",
1671 conditions[cb->type], acl_wherenames[where]);
1672 return ERROR;
1673 }
1674
1675 /* Run the appropriate test for each condition, or take the appropriate
1676 action for the remaining modifiers. */
1677
1678 switch(cb->type)
1679 {
1680 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1681 "discard" verb. */
1682
1683 case ACLC_ACL:
1684 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1685 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1686 {
1687 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1688 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1689 verbs[verb]);
1690 return ERROR;
1691 }
1692 break;
1693
1694 case ACLC_AUTHENTICATED:
1695 rc = (sender_host_authenticated == NULL)? FAIL :
1696 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1697 TRUE, NULL);
1698 break;
1699
1700 #ifdef EXPERIMENTAL_BRIGHTMAIL
1701 case ACLC_BMI_OPTIN:
1702 {
1703 int old_pool = store_pool;
1704 store_pool = POOL_PERM;
1705 bmi_current_optin = string_copy(arg);
1706 store_pool = old_pool;
1707 }
1708 break;
1709 #endif
1710
1711 case ACLC_CONDITION:
1712 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1713 rc = (Uatoi(arg) == 0)? FAIL : OK;
1714 else
1715 rc = (strcmpic(arg, US"no") == 0 ||
1716 strcmpic(arg, US"false") == 0)? FAIL :
1717 (strcmpic(arg, US"yes") == 0 ||
1718 strcmpic(arg, US"true") == 0)? OK : DEFER;
1719 if (rc == DEFER)
1720 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1721 break;
1722
1723 case ACLC_CONTROL:
1724 control_type = decode_control(arg, &p, where, log_msgptr);
1725
1726 /* Check if this control makes sense at this time */
1727
1728 if ((control_forbids[control_type] & (1 << where)) != 0)
1729 {
1730 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1731 controls[control_type], acl_wherenames[where]);
1732 return ERROR;
1733 }
1734
1735 switch(control_type)
1736 {
1737 #ifdef EXPERIMENTAL_BRIGHTMAIL
1738 case CONTROL_BMI_RUN:
1739 bmi_run = 1;
1740 break;
1741 #endif
1742 #ifdef EXPERIMENTAL_DOMAINKEYS
1743 case CONTROL_DK_VERIFY:
1744 dk_do_verify = 1;
1745 break;
1746 #endif
1747 case CONTROL_ERROR:
1748 return ERROR;
1749
1750 case CONTROL_CASEFUL_LOCAL_PART:
1751 deliver_localpart = addr->cc_local_part;
1752 break;
1753
1754 case CONTROL_CASELOWER_LOCAL_PART:
1755 deliver_localpart = addr->lc_local_part;
1756 break;
1757
1758 case CONTROL_ENFORCE_SYNC:
1759 smtp_enforce_sync = TRUE;
1760 break;
1761
1762 case CONTROL_NO_ENFORCE_SYNC:
1763 smtp_enforce_sync = FALSE;
1764 break;
1765
1766 #ifdef WITH_CONTENT_SCAN
1767 case CONTROL_NO_MBOX_UNSPOOL:
1768 no_mbox_unspool = TRUE;
1769 break;
1770 #endif
1771
1772 case CONTROL_NO_MULTILINE:
1773 no_multiline_responses = TRUE;
1774 break;
1775
1776 case CONTROL_FAKEREJECT:
1777 fake_reject = TRUE;
1778 if (*p == '/')
1779 {
1780 uschar *pp = p + 1;
1781 while (*pp != 0) pp++;
1782 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1783 p = pp;
1784 }
1785 else
1786 {
1787 /* Explicitly reset to default string */
1788 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
1789 }
1790 break;
1791
1792 case CONTROL_FREEZE:
1793 deliver_freeze = TRUE;
1794 deliver_frozen_at = time(NULL);
1795 break;
1796
1797 case CONTROL_QUEUE_ONLY:
1798 queue_only_policy = TRUE;
1799 break;
1800
1801 case CONTROL_SUBMISSION:
1802 submission_mode = TRUE;
1803 while (*p == '/')
1804 {
1805 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1806 {
1807 p += 14;
1808 active_local_sender_retain = TRUE;
1809 active_local_from_check = FALSE;
1810 }
1811 else if (Ustrncmp(p, "/domain=", 8) == 0)
1812 {
1813 uschar *pp = p + 8;
1814 while (*pp != 0 && *pp != '/') pp++;
1815 submission_domain = string_copyn(p+8, pp-p);
1816 p = pp;
1817 }
1818 else break;
1819 }
1820 if (*p != 0)
1821 {
1822 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1823 return ERROR;
1824 }
1825 break;
1826 }
1827 break;
1828
1829 #ifdef WITH_CONTENT_SCAN
1830 case ACLC_DECODE:
1831 rc = mime_decode(&arg);
1832 break;
1833 #endif
1834
1835 case ACLC_DELAY:
1836 {
1837 int delay = readconf_readtime(arg, 0, FALSE);
1838 if (delay < 0)
1839 {
1840 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1841 "modifier: \"%s\" is not a time value", arg);
1842 return ERROR;
1843 }
1844 else
1845 {
1846 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1847 delay);
1848 if (host_checking)
1849 {
1850 HDEBUG(D_acl)
1851 debug_printf("delay skipped in -bh checking mode\n");
1852 }
1853 else
1854 {
1855 while (delay > 0) delay = sleep(delay);
1856 }
1857 }
1858 }
1859 break;
1860
1861 #ifdef WITH_OLD_DEMIME
1862 case ACLC_DEMIME:
1863 rc = demime(&arg);
1864 break;
1865 #endif
1866
1867 #ifdef EXPERIMENTAL_DOMAINKEYS
1868 case ACLC_DK_DOMAIN_SOURCE:
1869 if (dk_verify_block == NULL) { rc = FAIL; break; };
1870 /* check header source of domain against given string */
1871 switch (dk_verify_block->address_source) {
1872 case DK_EXIM_ADDRESS_FROM_FROM:
1873 rc = match_isinlist(US"from", &arg, 0, NULL,
1874 NULL, MCL_STRING, TRUE, NULL);
1875 break;
1876 case DK_EXIM_ADDRESS_FROM_SENDER:
1877 rc = match_isinlist(US"sender", &arg, 0, NULL,
1878 NULL, MCL_STRING, TRUE, NULL);
1879 break;
1880 case DK_EXIM_ADDRESS_NONE:
1881 rc = match_isinlist(US"none", &arg, 0, NULL,
1882 NULL, MCL_STRING, TRUE, NULL);
1883 break;
1884 }
1885 break;
1886 case ACLC_DK_POLICY:
1887 if (dk_verify_block == NULL) { rc = FAIL; break; };
1888 /* check policy against given string, default FAIL */
1889 rc = FAIL;
1890 if (dk_verify_block->signsall)
1891 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1892 NULL, MCL_STRING, TRUE, NULL);
1893 if (dk_verify_block->testing)
1894 rc = match_isinlist(US"testing", &arg, 0, NULL,
1895 NULL, MCL_STRING, TRUE, NULL);
1896 break;
1897 case ACLC_DK_SENDER_DOMAINS:
1898 if (dk_verify_block == NULL) { rc = FAIL; break; };
1899 if (dk_verify_block->domain != NULL)
1900 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1901 NULL, MCL_DOMAIN, TRUE, NULL);
1902 else rc = FAIL;
1903 break;
1904 case ACLC_DK_SENDER_LOCAL_PARTS:
1905 if (dk_verify_block == NULL) { rc = FAIL; break; };
1906 if (dk_verify_block->local_part != NULL)
1907 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1908 NULL, MCL_LOCALPART, TRUE, NULL);
1909 else rc = FAIL;
1910 break;
1911 case ACLC_DK_SENDERS:
1912 if (dk_verify_block == NULL) { rc = FAIL; break; };
1913 if (dk_verify_block->address != NULL)
1914 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1915 else rc = FAIL;
1916 break;
1917 case ACLC_DK_STATUS:
1918 if (dk_verify_block == NULL) { rc = FAIL; break; };
1919 if (dk_verify_block->result > 0) {
1920 switch(dk_verify_block->result) {
1921 case DK_EXIM_RESULT_BAD_FORMAT:
1922 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1923 NULL, MCL_STRING, TRUE, NULL);
1924 break;
1925 case DK_EXIM_RESULT_NO_KEY:
1926 rc = match_isinlist(US"no key", &arg, 0, NULL,
1927 NULL, MCL_STRING, TRUE, NULL);
1928 break;
1929 case DK_EXIM_RESULT_NO_SIGNATURE:
1930 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1931 NULL, MCL_STRING, TRUE, NULL);
1932 break;
1933 case DK_EXIM_RESULT_REVOKED:
1934 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1935 NULL, MCL_STRING, TRUE, NULL);
1936 break;
1937 case DK_EXIM_RESULT_NON_PARTICIPANT:
1938 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1939 NULL, MCL_STRING, TRUE, NULL);
1940 break;
1941 case DK_EXIM_RESULT_GOOD:
1942 rc = match_isinlist(US"good", &arg, 0, NULL,
1943 NULL, MCL_STRING, TRUE, NULL);
1944 break;
1945 case DK_EXIM_RESULT_BAD:
1946 rc = match_isinlist(US"bad", &arg, 0, NULL,
1947 NULL, MCL_STRING, TRUE, NULL);
1948 break;
1949 }
1950 }
1951 break;
1952 #endif
1953
1954 case ACLC_DNSLISTS:
1955 rc = verify_check_dnsbl(&arg);
1956 break;
1957
1958 case ACLC_DOMAINS:
1959 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1960 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1961 break;
1962
1963 /* The value in tls_cipher is the full cipher name, for example,
1964 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1965 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1966 what may in practice come out of the SSL library - which at the time of
1967 writing is poorly documented. */
1968
1969 case ACLC_ENCRYPTED:
1970 if (tls_cipher == NULL) rc = FAIL; else
1971 {
1972 uschar *endcipher = NULL;
1973 uschar *cipher = Ustrchr(tls_cipher, ':');
1974 if (cipher == NULL) cipher = tls_cipher; else
1975 {
1976 endcipher = Ustrchr(++cipher, ':');
1977 if (endcipher != NULL) *endcipher = 0;
1978 }
1979 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1980 if (endcipher != NULL) *endcipher = ':';
1981 }
1982 break;
1983
1984 /* Use verify_check_this_host() instead of verify_check_host() so that
1985 we can pass over &host_data to catch any looked up data. Once it has been
1986 set, it retains its value so that it's still there if another ACL verb
1987 comes through here and uses the cache. However, we must put it into
1988 permanent store in case it is also expected to be used in a subsequent
1989 message in the same SMTP connection. */
1990
1991 case ACLC_HOSTS:
1992 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1993 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1994 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1995 break;
1996
1997 case ACLC_LOCAL_PARTS:
1998 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1999 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2000 &deliver_localpart_data);
2001 break;
2002
2003 case ACLC_LOGWRITE:
2004 {
2005 int logbits = 0;
2006 uschar *s = arg;
2007 if (*s == ':')
2008 {
2009 s++;
2010 while (*s != ':')
2011 {
2012 if (Ustrncmp(s, "main", 4) == 0)
2013 { logbits |= LOG_MAIN; s += 4; }
2014 else if (Ustrncmp(s, "panic", 5) == 0)
2015 { logbits |= LOG_PANIC; s += 5; }
2016 else if (Ustrncmp(s, "reject", 6) == 0)
2017 { logbits |= LOG_REJECT; s += 6; }
2018 else
2019 {
2020 logbits = LOG_MAIN|LOG_PANIC;
2021 s = string_sprintf(":unknown log name in \"%s\" in "
2022 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2023 }
2024 if (*s == ',') s++;
2025 }
2026 s++;
2027 }
2028 while (isspace(*s)) s++;
2029 if (logbits == 0) logbits = LOG_MAIN;
2030 log_write(0, logbits, "%s", string_printing(s));
2031 }
2032 break;
2033
2034 #ifdef WITH_CONTENT_SCAN
2035 case ACLC_MALWARE:
2036 {
2037 /* Seperate the regular expression and any optional parameters. */
2038 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2039 /* Run the malware backend. */
2040 rc = malware(&ss);
2041 /* Modify return code based upon the existance of options. */
2042 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2043 != NULL) {
2044 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2045 {
2046 /* FAIL so that the message is passed to the next ACL */
2047 rc = FAIL;
2048 }
2049 }
2050 }
2051 break;
2052
2053 case ACLC_MIME_REGEX:
2054 rc = mime_regex(&arg);
2055 break;
2056 #endif
2057
2058 case ACLC_RECIPIENTS:
2059 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2060 &recipient_data);
2061 break;
2062
2063 #ifdef WITH_CONTENT_SCAN
2064 case ACLC_REGEX:
2065 rc = regex(&arg);
2066 break;
2067 #endif
2068
2069 case ACLC_SENDER_DOMAINS:
2070 {
2071 uschar *sdomain;
2072 sdomain = Ustrrchr(sender_address, '@');
2073 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2074 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2075 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2076 }
2077 break;
2078
2079 case ACLC_SENDERS:
2080 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2081 sender_address_cache, -1, 0, &sender_data);
2082 break;
2083
2084 /* Connection variables must persist forever */
2085
2086 case ACLC_SET:
2087 {
2088 int old_pool = store_pool;
2089 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2090 acl_var[cb->u.varnumber] = string_copy(arg);
2091 store_pool = old_pool;
2092 }
2093 break;
2094
2095 #ifdef WITH_CONTENT_SCAN
2096 case ACLC_SPAM:
2097 {
2098 /* Seperate the regular expression and any optional parameters. */
2099 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2100 /* Run the spam backend. */
2101 rc = spam(&ss);
2102 /* Modify return code based upon the existance of options. */
2103 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2104 != NULL) {
2105 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2106 {
2107 /* FAIL so that the message is passed to the next ACL */
2108 rc = FAIL;
2109 }
2110 }
2111 }
2112 break;
2113 #endif
2114
2115 #ifdef EXPERIMENTAL_SPF
2116 case ACLC_SPF:
2117 rc = spf_process(&arg, sender_address);
2118 break;
2119 #endif
2120
2121 /* If the verb is WARN, discard any user message from verification, because
2122 such messages are SMTP responses, not header additions. The latter come
2123 only from explicit "message" modifiers. */
2124
2125 case ACLC_VERIFY:
2126 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2127 if (verb == ACL_WARN) *user_msgptr = NULL;
2128 break;
2129
2130 default:
2131 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2132 "condition %d", cb->type);
2133 break;
2134 }
2135
2136 /* If a condition was negated, invert OK/FAIL. */
2137
2138 if (!cond_modifiers[cb->type] && cb->u.negated)
2139 {
2140 if (rc == OK) rc = FAIL;
2141 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2142 }
2143
2144 if (rc != OK) break; /* Conditions loop */
2145 }
2146
2147
2148 /* If the result is the one for which "message" and/or "log_message" are used,
2149 handle the values of these options. Most verbs have but a single return for
2150 which the messages are relevant, but for "discard", it's useful to have the log
2151 message both when it succeeds and when it fails. Also, for an "accept" that
2152 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2153 and "warn" are permitted in that ACL, we don't need to test the verb.
2154
2155 These modifiers act in different ways:
2156
2157 "message" is a user message that will be included in an SMTP response. Unless
2158 it is empty, it overrides any previously set user message.
2159
2160 "log_message" is a non-user message, and it adds to any existing non-user
2161 message that is already set.
2162
2163 If there isn't a log message set, we make it the same as the user message. */
2164
2165 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2166 (verb == ACL_DISCARD && rc == OK) ||
2167 (where == ACL_WHERE_QUIT))
2168 {
2169 uschar *expmessage;
2170
2171 /* If the verb is "warn", messages generated by conditions (verification or
2172 nested ACLs) are discarded. Only messages specified at this level are used.
2173 However, the value of an existing message is available in $acl_verify_message
2174 during expansions. */
2175
2176 uschar *old_user_msgptr = *user_msgptr;
2177 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2178
2179 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2180
2181 if (user_message != NULL)
2182 {
2183 acl_verify_message = old_user_msgptr;
2184 expmessage = expand_string(user_message);
2185 if (expmessage == NULL)
2186 {
2187 if (!expand_string_forcedfail)
2188 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2189 user_message, expand_string_message);
2190 }
2191 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2192 }
2193
2194 if (log_message != NULL)
2195 {
2196 acl_verify_message = old_log_msgptr;
2197 expmessage = expand_string(log_message);
2198 if (expmessage == NULL)
2199 {
2200 if (!expand_string_forcedfail)
2201 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2202 log_message, expand_string_message);
2203 }
2204 else if (expmessage[0] != 0)
2205 {
2206 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2207 string_sprintf("%s: %s", expmessage, *log_msgptr);
2208 }
2209 }
2210
2211 /* If no log message, default it to the user message */
2212
2213 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2214 }
2215
2216 acl_verify_message = NULL;
2217 return rc;
2218 }
2219
2220
2221
2222
2223
2224 /*************************************************
2225 * Get line from a literal ACL *
2226 *************************************************/
2227
2228 /* This function is passed to acl_read() in order to extract individual lines
2229 of a literal ACL, which we access via static pointers. We can destroy the
2230 contents because this is called only once (the compiled ACL is remembered).
2231
2232 This code is intended to treat the data in the same way as lines in the main
2233 Exim configuration file. That is:
2234
2235 . Leading spaces are ignored.
2236
2237 . A \ at the end of a line is a continuation - trailing spaces after the \
2238 are permitted (this is because I don't believe in making invisible things
2239 significant). Leading spaces on the continued part of a line are ignored.
2240
2241 . Physical lines starting (significantly) with # are totally ignored, and
2242 may appear within a sequence of backslash-continued lines.
2243
2244 . Blank lines are ignored, but will end a sequence of continuations.
2245
2246 Arguments: none
2247 Returns: a pointer to the next line
2248 */
2249
2250
2251 static uschar *acl_text; /* Current pointer in the text */
2252 static uschar *acl_text_end; /* Points one past the terminating '0' */
2253
2254
2255 static uschar *
2256 acl_getline(void)
2257 {
2258 uschar *yield;
2259
2260 /* This loop handles leading blank lines and comments. */
2261
2262 for(;;)
2263 {
2264 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2265 if (*acl_text == 0) return NULL; /* No more data */
2266 yield = acl_text; /* Potential data line */
2267
2268 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2269
2270 /* If we hit the end before a newline, we have the whole logical line. If
2271 it's a comment, there's no more data to be given. Otherwise, yield it. */
2272
2273 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2274
2275 /* After reaching a newline, end this loop if the physical line does not
2276 start with '#'. If it does, it's a comment, and the loop continues. */
2277
2278 if (*yield != '#') break;
2279 }
2280
2281 /* This loop handles continuations. We know we have some real data, ending in
2282 newline. See if there is a continuation marker at the end (ignoring trailing
2283 white space). We know that *yield is not white space, so no need to test for
2284 cont > yield in the backwards scanning loop. */
2285
2286 for(;;)
2287 {
2288 uschar *cont;
2289 for (cont = acl_text - 1; isspace(*cont); cont--);
2290
2291 /* If no continuation follows, we are done. Mark the end of the line and
2292 return it. */
2293
2294 if (*cont != '\\')
2295 {
2296 *acl_text++ = 0;
2297 return yield;
2298 }
2299
2300 /* We have encountered a continuation. Skip over whitespace at the start of
2301 the next line, and indeed the whole of the next line or lines if they are
2302 comment lines. */
2303
2304 for (;;)
2305 {
2306 while (*(++acl_text) == ' ' || *acl_text == '\t');
2307 if (*acl_text != '#') break;
2308 while (*(++acl_text) != 0 && *acl_text != '\n');
2309 }
2310
2311 /* We have the start of a continuation line. Move all the rest of the data
2312 to join onto the previous line, and then find its end. If the end is not a
2313 newline, we are done. Otherwise loop to look for another continuation. */
2314
2315 memmove(cont, acl_text, acl_text_end - acl_text);
2316 acl_text_end -= acl_text - cont;
2317 acl_text = cont;
2318 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2319 if (*acl_text == 0) return yield;
2320 }
2321
2322 /* Control does not reach here */
2323 }
2324
2325
2326
2327
2328
2329 /*************************************************
2330 * Check access using an ACL *
2331 *************************************************/
2332
2333 /* This function is called from address_check. It may recurse via
2334 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2335 passed as a string which is expanded. A forced failure implies no access check
2336 is required. If the result is a single word, it is taken as the name of an ACL
2337 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2338 text, complete with newlines, and parsed as such. In both cases, the ACL check
2339 is then run. This function uses an auxiliary function for acl_read() to call
2340 for reading individual lines of a literal ACL. This is acl_getline(), which
2341 appears immediately above.
2342
2343 Arguments:
2344 where where called from
2345 addr address item when called from RCPT; otherwise NULL
2346 s the input string; NULL is the same as an empty ACL => DENY
2347 level the nesting level
2348 user_msgptr where to put a user error (for SMTP response)
2349 log_msgptr where to put a logging message (not for SMTP response)
2350
2351 Returns: OK access is granted
2352 DISCARD access is apparently granted...
2353 FAIL access is denied
2354 FAIL_DROP access is denied; drop the connection
2355 DEFER can't tell at the moment
2356 ERROR disaster
2357 */
2358
2359 static int
2360 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2361 uschar **user_msgptr, uschar **log_msgptr)
2362 {
2363 int fd = -1;
2364 acl_block *acl = NULL;
2365 uschar *acl_name = US"inline ACL";
2366 uschar *ss;
2367
2368 /* Catch configuration loops */
2369
2370 if (level > 20)
2371 {
2372 *log_msgptr = US"ACL nested too deep: possible loop";
2373 return ERROR;
2374 }
2375
2376 if (s == NULL)
2377 {
2378 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2379 return FAIL;
2380 }
2381
2382 /* At top level, we expand the incoming string. At lower levels, it has already
2383 been expanded as part of condition processing. */
2384
2385 if (level == 0)
2386 {
2387 ss = expand_string(s);
2388 if (ss == NULL)
2389 {
2390 if (expand_string_forcedfail) return OK;
2391 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2392 expand_string_message);
2393 return ERROR;
2394 }
2395 }
2396 else ss = s;
2397
2398 while (isspace(*ss))ss++;
2399
2400 /* If we can't find a named ACL, the default is to parse it as an inline one.
2401 (Unless it begins with a slash; non-existent files give rise to an error.) */
2402
2403 acl_text = ss;
2404
2405 /* Handle the case of a string that does not contain any spaces. Look for a
2406 named ACL among those read from the configuration, or a previously read file.
2407 It is possible that the pointer to the ACL is NULL if the configuration
2408 contains a name with no data. If not found, and the text begins with '/',
2409 read an ACL from a file, and save it so it can be re-used. */
2410
2411 if (Ustrchr(ss, ' ') == NULL)
2412 {
2413 tree_node *t = tree_search(acl_anchor, ss);
2414 if (t != NULL)
2415 {
2416 acl = (acl_block *)(t->data.ptr);
2417 if (acl == NULL)
2418 {
2419 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2420 return FAIL;
2421 }
2422 acl_name = string_sprintf("ACL \"%s\"", ss);
2423 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2424 }
2425
2426 else if (*ss == '/')
2427 {
2428 struct stat statbuf;
2429 fd = Uopen(ss, O_RDONLY, 0);
2430 if (fd < 0)
2431 {
2432 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2433 strerror(errno));
2434 return ERROR;
2435 }
2436
2437 if (fstat(fd, &statbuf) != 0)
2438 {
2439 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2440 strerror(errno));
2441 return ERROR;
2442 }
2443
2444 acl_text = store_get(statbuf.st_size + 1);
2445 acl_text_end = acl_text + statbuf.st_size + 1;
2446
2447 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2448 {
2449 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2450 ss, strerror(errno));
2451 return ERROR;
2452 }
2453 acl_text[statbuf.st_size] = 0;
2454 close(fd);
2455
2456 acl_name = string_sprintf("ACL \"%s\"", ss);
2457 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2458 }
2459 }
2460
2461 /* Parse an ACL that is still in text form. If it came from a file, remember it
2462 in the ACL tree, having read it into the POOL_PERM store pool so that it
2463 persists between multiple messages. */
2464
2465 if (acl == NULL)
2466 {
2467 int old_pool = store_pool;
2468 if (fd >= 0) store_pool = POOL_PERM;
2469 acl = acl_read(acl_getline, log_msgptr);
2470 store_pool = old_pool;
2471 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2472 if (fd >= 0)
2473 {
2474 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2475 Ustrcpy(t->name, ss);
2476 t->data.ptr = acl;
2477 (void)tree_insertnode(&acl_anchor, t);
2478 }
2479 }
2480
2481 /* Now we have an ACL to use. It's possible it may be NULL. */
2482
2483 while (acl != NULL)
2484 {
2485 int cond;
2486 int basic_errno = 0;
2487 BOOL endpass_seen = FALSE;
2488
2489 *log_msgptr = *user_msgptr = NULL;
2490 acl_temp_details = FALSE;
2491
2492 if (where == ACL_WHERE_QUIT &&
2493 acl->verb != ACL_ACCEPT &&
2494 acl->verb != ACL_WARN)
2495 {
2496 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2497 verbs[acl->verb]);
2498 return ERROR;
2499 }
2500
2501 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2502
2503 /* Clear out any search error message from a previous check before testing
2504 this condition. */
2505
2506 search_error_message = NULL;
2507 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2508 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2509
2510 /* Handle special returns: DEFER causes a return except on a WARN verb;
2511 ERROR always causes a return. */
2512
2513 switch (cond)
2514 {
2515 case DEFER:
2516 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2517 if (basic_errno != ERRNO_CALLOUTDEFER)
2518 {
2519 if (search_error_message != NULL && *search_error_message != 0)
2520 *log_msgptr = search_error_message;
2521 if (smtp_return_error_details) acl_temp_details = TRUE;
2522 }
2523 else
2524 {
2525 acl_temp_details = TRUE;
2526 }
2527 if (acl->verb != ACL_WARN) return DEFER;
2528 break;
2529
2530 default: /* Paranoia */
2531 case ERROR:
2532 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2533 return ERROR;
2534
2535 case OK:
2536 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2537 verbs[acl->verb]);
2538 break;
2539
2540 case FAIL:
2541 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2542 break;
2543
2544 /* DISCARD and DROP can happen only from a nested ACL condition, and
2545 DISCARD can happen only for an "accept" or "discard" verb. */
2546
2547 case DISCARD:
2548 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2549 verbs[acl->verb]);
2550 break;
2551
2552 case FAIL_DROP:
2553 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2554 verbs[acl->verb]);
2555 break;
2556 }
2557
2558 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2559 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2560 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2561
2562 switch(acl->verb)
2563 {
2564 case ACL_ACCEPT:
2565 if (cond == OK || cond == DISCARD) return cond;
2566 if (endpass_seen)
2567 {
2568 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2569 return cond;
2570 }
2571 break;
2572
2573 case ACL_DEFER:
2574 if (cond == OK)
2575 {
2576 acl_temp_details = TRUE;
2577 return DEFER;
2578 }
2579 break;
2580
2581 case ACL_DENY:
2582 if (cond == OK) return FAIL;
2583 break;
2584
2585 case ACL_DISCARD:
2586 if (cond == OK || cond == DISCARD) return DISCARD;
2587 if (endpass_seen)
2588 {
2589 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2590 return cond;
2591 }
2592 break;
2593
2594 case ACL_DROP:
2595 if (cond == OK) return FAIL_DROP;
2596 break;
2597
2598 case ACL_REQUIRE:
2599 if (cond != OK) return cond;
2600 break;
2601
2602 case ACL_WARN:
2603 if (cond == OK)
2604 acl_warn(where, *user_msgptr, *log_msgptr);
2605 else if (cond == DEFER)
2606 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2607 "condition test deferred: %s",
2608 (*log_msgptr == NULL)? US"" : *log_msgptr));
2609 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2610 break;
2611
2612 default:
2613 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2614 acl->verb);
2615 break;
2616 }
2617
2618 /* Pass to the next ACL item */
2619
2620 acl = acl->next;
2621 }
2622
2623 /* We have reached the end of the ACL. This is an implicit DENY. */
2624
2625 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2626 return FAIL;
2627 }
2628
2629
2630 /*************************************************
2631 * Check access using an ACL *
2632 *************************************************/
2633
2634 /* This is the external interface for ACL checks. It sets up an address and the
2635 expansions for $domain and $local_part when called after RCPT, then calls
2636 acl_check_internal() to do the actual work.
2637
2638 Arguments:
2639 where ACL_WHERE_xxxx indicating where called from
2640 data_string RCPT address, or SMTP command argument, or NULL
2641 s the input string; NULL is the same as an empty ACL => DENY
2642 user_msgptr where to put a user error (for SMTP response)
2643 log_msgptr where to put a logging message (not for SMTP response)
2644
2645 Returns: OK access is granted by an ACCEPT verb
2646 DISCARD access is granted by a DISCARD verb
2647 FAIL access is denied
2648 FAIL_DROP access is denied; drop the connection
2649 DEFER can't tell at the moment
2650 ERROR disaster
2651 */
2652
2653 int
2654 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2655 uschar **log_msgptr)
2656 {
2657 int rc;
2658 address_item adb;
2659 address_item *addr;
2660
2661 *user_msgptr = *log_msgptr = NULL;
2662 sender_verified_failed = NULL;
2663
2664 if (where == ACL_WHERE_RCPT)
2665 {
2666 adb = address_defaults;
2667 addr = &adb;
2668 addr->address = data_string;
2669 if (deliver_split_address(addr) == DEFER)
2670 {
2671 *log_msgptr = US"defer in percent_hack_domains check";
2672 return DEFER;
2673 }
2674 deliver_domain = addr->domain;
2675 deliver_localpart = addr->local_part;
2676 }
2677 else
2678 {
2679 addr = NULL;
2680 smtp_command_argument = data_string;
2681 }
2682
2683 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2684
2685 smtp_command_argument = deliver_domain =
2686 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2687
2688 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2689 ACL, which is really in the middle of an SMTP command. */
2690
2691 if (rc == DISCARD)
2692 {
2693 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2694 {
2695 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2696 "ACL", acl_wherenames[where]);
2697 return ERROR;
2698 }
2699 return DISCARD;
2700 }
2701
2702 /* A DROP response is not permitted from MAILAUTH */
2703
2704 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2705 {
2706 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2707 "ACL", acl_wherenames[where]);
2708 return ERROR;
2709 }
2710
2711 /* Before giving an error response, take a look at the length of any user
2712 message, and split it up into multiple lines if possible. */
2713
2714 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2715 {
2716 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2717 uschar *ss = s;
2718
2719 for (;;)
2720 {
2721 int i = 0;
2722 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2723 if (*ss == 0) break;
2724 if (*ss == '\n')
2725 s = ++ss;
2726 else
2727 {
2728 uschar *t = ss + 1;
2729 uschar *tt = NULL;
2730 while (--t > s + 35)
2731 {
2732 if (*t == ' ')
2733 {
2734 if (t[-1] == ':') { tt = t; break; }
2735 if (tt == NULL) tt = t;
2736 }
2737 }
2738
2739 if (tt == NULL) /* Can't split behind - try ahead */
2740 {
2741 t = ss + 1;
2742 while (*t != 0)
2743 {
2744 if (*t == ' ' || *t == '\n')
2745 { tt = t; break; }
2746 t++;
2747 }
2748 }
2749
2750 if (tt == NULL) break; /* Can't find anywhere to split */
2751 *tt = '\n';
2752 s = ss = tt+1;
2753 }
2754 }
2755 }
2756
2757 return rc;
2758 }
2759
2760 /* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.