projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix compiler warnings in acl.c for bitmaps specified as ~something in
[exim.git] / src / src / acl.c
1 /* $Cambridge: exim/src/src/acl.c,v 1.14 2005/01/12 12:51:55 ph10 Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10 /* Code for handling Access Control Lists (ACLs) */
11
12 #include "exim.h"
13
14
15 /* Default callout timeout */
16
17 #define CALLOUT_TIMEOUT_DEFAULT 30
18
19 /* ACL verb codes - keep in step with the table of verbs that follows */
20
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24 /* ACL verbs */
25
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30 /* For each verb, the condition for which "message" is used */
31
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34 /* ACL condition and modifier codes - keep in step with the table that
35 follows. */
36
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40 #endif
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44 #endif
45 ACLC_DELAY,
46 #ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
48 #endif
49 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
50 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
51 #ifdef WITH_CONTENT_SCAN
52 ACLC_MALWARE,
53 #endif
54 ACLC_MESSAGE,
55 #ifdef WITH_CONTENT_SCAN
56 ACLC_MIME_REGEX,
57 #endif
58 ACLC_RECIPIENTS,
59 #ifdef WITH_CONTENT_SCAN
60 ACLC_REGEX,
61 #endif
62 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
63 #ifdef WITH_CONTENT_SCAN
64 ACLC_SPAM,
65 #endif
66 #ifdef EXPERIMENTAL_SPF
67 ACLC_SPF,
68 #endif
69 ACLC_VERIFY };
70
71 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
72 "log_message", "logwrite", and "set" are modifiers that look like conditions
73 but always return TRUE. They are used for their side effects. */
74
75 static uschar *conditions[] = { US"acl", US"authenticated",
76 #ifdef EXPERIMENTAL_BRIGHTMAIL
77 US"bmi_optin",
78 #endif
79 US"condition",
80 US"control",
81 #ifdef WITH_CONTENT_SCAN
82 US"decode",
83 #endif
84 US"delay",
85 #ifdef WITH_OLD_DEMIME
86 US"demime",
87 #endif
88 US"dnslists", US"domains", US"encrypted",
89 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
90 #ifdef WITH_CONTENT_SCAN
91 US"malware",
92 #endif
93 US"message",
94 #ifdef WITH_CONTENT_SCAN
95 US"mime_regex",
96 #endif
97 US"recipients",
98 #ifdef WITH_CONTENT_SCAN
99 US"regex",
100 #endif
101 US"sender_domains", US"senders", US"set",
102 #ifdef WITH_CONTENT_SCAN
103 US"spam",
104 #endif
105 #ifdef EXPERIMENTAL_SPF
106 US"spf",
107 #endif
108 US"verify" };
109
110 /* ACL control names */
111
112 static uschar *controls[] = { US"error", US"caseful_local_part",
113 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
114 US"queue_only", US"submission", US"no_multiline"};
115
116 /* Flags to indicate for which conditions /modifiers a string expansion is done
117 at the outer level. In the other cases, expansion already occurs in the
118 checking functions. */
119
120 static uschar cond_expand_at_top[] = {
121 TRUE, /* acl */
122 FALSE, /* authenticated */
123 #ifdef EXPERIMENTAL_BRIGHTMAIL
124 TRUE, /* bmi_optin */
125 #endif
126 TRUE, /* condition */
127 TRUE, /* control */
128 #ifdef WITH_CONTENT_SCAN
129 TRUE, /* decode */
130 #endif
131 TRUE, /* delay */
132 #ifdef WITH_OLD_DEMIME
133 TRUE, /* demime */
134 #endif
135 TRUE, /* dnslists */
136 FALSE, /* domains */
137 FALSE, /* encrypted */
138 TRUE, /* endpass */
139 FALSE, /* hosts */
140 FALSE, /* local_parts */
141 TRUE, /* log_message */
142 TRUE, /* logwrite */
143 #ifdef WITH_CONTENT_SCAN
144 TRUE, /* malware */
145 #endif
146 TRUE, /* message */
147 #ifdef WITH_CONTENT_SCAN
148 TRUE, /* mime_regex */
149 #endif
150 FALSE, /* recipients */
151 #ifdef WITH_CONTENT_SCAN
152 TRUE, /* regex */
153 #endif
154 FALSE, /* sender_domains */
155 FALSE, /* senders */
156 TRUE, /* set */
157 #ifdef WITH_CONTENT_SCAN
158 TRUE, /* spam */
159 #endif
160 #ifdef EXPERIMENTAL_SPF
161 TRUE, /* spf */
162 #endif
163 TRUE /* verify */
164 };
165
166 /* Flags to identify the modifiers */
167
168 static uschar cond_modifiers[] = {
169 FALSE, /* acl */
170 FALSE, /* authenticated */
171 #ifdef EXPERIMENTAL_BRIGHTMAIL
172 TRUE, /* bmi_optin */
173 #endif
174 FALSE, /* condition */
175 TRUE, /* control */
176 #ifdef WITH_CONTENT_SCAN
177 FALSE, /* decode */
178 #endif
179 TRUE, /* delay */
180 #ifdef WITH_OLD_DEMIME
181 FALSE, /* demime */
182 #endif
183 FALSE, /* dnslists */
184 FALSE, /* domains */
185 FALSE, /* encrypted */
186 TRUE, /* endpass */
187 FALSE, /* hosts */
188 FALSE, /* local_parts */
189 TRUE, /* log_message */
190 TRUE, /* logwrite */
191 #ifdef WITH_CONTENT_SCAN
192 FALSE, /* malware */
193 #endif
194 TRUE, /* message */
195 #ifdef WITH_CONTENT_SCAN
196 FALSE, /* mime_regex */
197 #endif
198 FALSE, /* recipients */
199 #ifdef WITH_CONTENT_SCAN
200 FALSE, /* regex */
201 #endif
202 FALSE, /* sender_domains */
203 FALSE, /* senders */
204 TRUE, /* set */
205 #ifdef WITH_CONTENT_SCAN
206 FALSE, /* spam */
207 #endif
208 #ifdef EXPERIMENTAL_SPF
209 FALSE, /* spf */
210 #endif
211 FALSE /* verify */
212 };
213
214 /* Bit map vector of which conditions are not allowed at certain times. For
215 each condition, there's a bitmap of dis-allowed times. */
216
217 static unsigned int cond_forbids[] = {
218 0, /* acl */
219
220 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
221 (1<<ACL_WHERE_HELO),
222
223 #ifdef EXPERIMENTAL_BRIGHTMAIL
224 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
225 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
226 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
227 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
228 (1<<ACL_WHERE_MAILAUTH)|
229 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
230 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
231 #endif
232
233 0, /* condition */
234
235 /* Certain types of control are always allowed, so we let it through
236 always and check in the control processing itself */
237
238 0, /* control */
239
240 #ifdef WITH_CONTENT_SCAN
241 (1<<ACL_WHERE_AUTH)| /* decode */
242 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
243 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
244 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
245 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
246 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
247 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
248 #endif
249
250 0, /* delay */
251
252 #ifdef WITH_OLD_DEMIME
253 (1<<ACL_WHERE_AUTH)| /* demime */
254 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
255 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
256 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
257 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
258 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
259 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
260 #endif
261
262 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
263
264 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
265 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
266 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
267 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
268 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
269 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
270 (1<<ACL_WHERE_VRFY),
271
272 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
273 (1<<ACL_WHERE_HELO),
274
275 0, /* endpass */
276
277 (1<<ACL_WHERE_NOTSMTP), /* hosts */
278
279 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
280 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
281 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
282 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
283 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
284 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
285 (1<<ACL_WHERE_VRFY),
286
287 0, /* log_message */
288
289 0, /* logwrite */
290
291 #ifdef WITH_CONTENT_SCAN
292 (1<<ACL_WHERE_AUTH)| /* malware */
293 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
294 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
295 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
296 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
297 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
298 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
299 #endif
300
301 0, /* message */
302
303 #ifdef WITH_CONTENT_SCAN
304 (1<<ACL_WHERE_AUTH)| /* mime_regex */
305 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
306 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
307 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
308 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
309 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
310 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
311 #endif
312
313 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
314 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
315 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
316 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
317 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
318 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
319 (1<<ACL_WHERE_VRFY),
320
321 #ifdef WITH_CONTENT_SCAN
322 (1<<ACL_WHERE_AUTH)| /* regex */
323 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
324 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
325 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
326 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
327 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
328 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
329 #endif
330
331 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
332 (1<<ACL_WHERE_HELO)|
333 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
334 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
335 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
336
337 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
338 (1<<ACL_WHERE_HELO)|
339 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
340 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
341 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
342
343 0, /* set */
344
345 #ifdef WITH_CONTENT_SCAN
346 (1<<ACL_WHERE_AUTH)| /* spam */
347 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
348 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
349 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
350 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
351 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
352 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
353 #endif
354
355 #ifdef EXPERIMENTAL_SPF
356 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
357 (1<<ACL_WHERE_HELO)|
358 (1<<ACL_WHERE_MAILAUTH)|
359 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
360 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
361 #endif
362
363 /* Certain types of verify are always allowed, so we let it through
364 always and check in the verify function itself */
365
366 0 /* verify */
367 };
368
369
370 /* Return values from decode_control() */
371
372 enum {
373 #ifdef EXPERIMENTAL_BRIGHTMAIL
374 CONTROL_BMI_RUN,
375 #endif
376 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
377 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
378 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
379 #ifdef WITH_CONTENT_SCAN
380 CONTROL_NO_MBOX_UNSPOOL,
381 #endif
382 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
383
384 /* Bit map vector of which controls are not allowed at certain times. For
385 each control, there's a bitmap of dis-allowed times. For some, it is easier to
386 specify the negation of a small number of allowed times. */
387
388 static unsigned int control_forbids[] = {
389 #ifdef EXPERIMENTAL_BRIGHTMAIL
390 0, /* bmi_run */
391 #endif
392
393 0, /* error */
394
395 (unsigned int)
396 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
397
398 (unsigned int)
399 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
400
401 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
402
403 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
404
405 (unsigned int)
406 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
407 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
408 (1<<ACL_WHERE_NOTSMTP)),
409
410 (unsigned int)
411 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
412 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
413 (1<<ACL_WHERE_NOTSMTP)),
414
415 (unsigned int)
416 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
417 (1<<ACL_WHERE_PREDATA)),
418
419 #ifdef WITH_CONTENT_SCAN
420 (1<<ACL_WHERE_NOTSMTP), /* no_mbox_unspool */
421 #endif
422
423 (unsigned int)
424 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
425 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)),
426
427 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
428 };
429
430 /* Structure listing various control arguments, with their characteristics. */
431
432 typedef struct control_def {
433 uschar *name;
434 int value; /* CONTROL_xxx value */
435 BOOL has_option; /* Has /option(s) following */
436 } control_def;
437
438 static control_def controls_list[] = {
439 #ifdef EXPERIMENTAL_BRIGHTMAIL
440 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
441 #endif
442 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
443 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
444 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
445 { US"freeze", CONTROL_FREEZE, FALSE},
446 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
447 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
448 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
449 #ifdef WITH_CONTENT_SCAN
450 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
451 #endif
452 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
453 { US"submission", CONTROL_SUBMISSION, TRUE}
454 };
455
456 /* Enable recursion between acl_check_internal() and acl_check_condition() */
457
458 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
459 uschar **);
460
461
462 /*************************************************
463 * Pick out name from list *
464 *************************************************/
465
466 /* Use a binary chop method
467
468 Arguments:
469 name name to find
470 list list of names
471 end size of list
472
473 Returns: offset in list, or -1 if not found
474 */
475
476 static int
477 acl_checkname(uschar *name, uschar **list, int end)
478 {
479 int start = 0;
480
481 while (start < end)
482 {
483 int mid = (start + end)/2;
484 int c = Ustrcmp(name, list[mid]);
485 if (c == 0) return mid;
486 if (c < 0) end = mid; else start = mid + 1;
487 }
488
489 return -1;
490 }
491
492
493 /*************************************************
494 * Read and parse one ACL *
495 *************************************************/
496
497 /* This function is called both from readconf in order to parse the ACLs in the
498 configuration file, and also when an ACL is encountered dynamically (e.g. as
499 the result of an expansion). It is given a function to call in order to
500 retrieve the lines of the ACL. This function handles skipping comments and
501 blank lines (where relevant).
502
503 Arguments:
504 func function to get next line of ACL
505 error where to put an error message
506
507 Returns: pointer to ACL, or NULL
508 NULL can be legal (empty ACL); in this case error will be NULL
509 */
510
511 acl_block *
512 acl_read(uschar *(*func)(void), uschar **error)
513 {
514 acl_block *yield = NULL;
515 acl_block **lastp = &yield;
516 acl_block *this = NULL;
517 acl_condition_block *cond;
518 acl_condition_block **condp = NULL;
519 uschar *s;
520
521 *error = NULL;
522
523 while ((s = (*func)()) != NULL)
524 {
525 int v, c;
526 BOOL negated = FALSE;
527 uschar *saveline = s;
528 uschar name[64];
529
530 /* Conditions (but not verbs) are allowed to be negated by an initial
531 exclamation mark. */
532
533 while (isspace(*s)) s++;
534 if (*s == '!')
535 {
536 negated = TRUE;
537 s++;
538 }
539
540 /* Read the name of a verb or a condition, or the start of a new ACL */
541
542 s = readconf_readname(name, sizeof(name), s);
543 if (*s == ':')
544 {
545 if (negated || name[0] == 0)
546 {
547 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
548 return NULL;
549 }
550 break;
551 }
552
553 /* If a verb is unrecognized, it may be another condition or modifier that
554 continues the previous verb. */
555
556 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
557 if (v < 0)
558 {
559 if (this == NULL)
560 {
561 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
562 return NULL;
563 }
564 }
565
566 /* New verb */
567
568 else
569 {
570 if (negated)
571 {
572 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
573 return NULL;
574 }
575 this = store_get(sizeof(acl_block));
576 *lastp = this;
577 lastp = &(this->next);
578 this->next = NULL;
579 this->verb = v;
580 this->condition = NULL;
581 condp = &(this->condition);
582 if (*s == 0) continue; /* No condition on this line */
583 if (*s == '!')
584 {
585 negated = TRUE;
586 s++;
587 }
588 s = readconf_readname(name, sizeof(name), s); /* Condition name */
589 }
590
591 /* Handle a condition or modifier. */
592
593 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
594 if (c < 0)
595 {
596 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
597 saveline);
598 return NULL;
599 }
600
601 /* The modifiers may not be negated */
602
603 if (negated && cond_modifiers[c])
604 {
605 *error = string_sprintf("ACL error: negation is not allowed with "
606 "\"%s\"", conditions[c]);
607 return NULL;
608 }
609
610 /* ENDPASS may occur only with ACCEPT or DISCARD. */
611
612 if (c == ACLC_ENDPASS &&
613 this->verb != ACL_ACCEPT &&
614 this->verb != ACL_DISCARD)
615 {
616 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
617 conditions[c], verbs[this->verb]);
618 return NULL;
619 }
620
621 cond = store_get(sizeof(acl_condition_block));
622 cond->next = NULL;
623 cond->type = c;
624 cond->u.negated = negated;
625
626 *condp = cond;
627 condp = &(cond->next);
628
629 /* The "set" modifier is different in that its argument is "name=value"
630 rather than just a value, and we can check the validity of the name, which
631 gives us a variable number to insert into the data block. */
632
633 if (c == ACLC_SET)
634 {
635 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
636 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
637 {
638 *error = string_sprintf("unrecognized name after \"set\" in ACL "
639 "modifier \"set %s\"", s);
640 return NULL;
641 }
642
643 cond->u.varnumber = s[5] - '0';
644 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
645 s += 6;
646 while (isspace(*s)) s++;
647 }
648
649 /* For "set", we are now positioned for the data. For the others, only
650 "endpass" has no data */
651
652 if (c != ACLC_ENDPASS)
653 {
654 if (*s++ != '=')
655 {
656 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
657 cond_modifiers[c]? US"modifier" : US"condition");
658 return NULL;
659 }
660 while (isspace(*s)) s++;
661 cond->arg = string_copy(s);
662 }
663 }
664
665 return yield;
666 }
667
668
669
670 /*************************************************
671 * Handle warnings *
672 *************************************************/
673
674 /* This function is called when a WARN verb's conditions are true. It adds to
675 the message's headers, and/or writes information to the log. In each case, this
676 only happens once (per message for headers, per connection for log).
677
678 Arguments:
679 where ACL_WHERE_xxxx indicating which ACL this is
680 user_message message for adding to headers
681 log_message message for logging, if different
682
683 Returns: nothing
684 */
685
686 static void
687 acl_warn(int where, uschar *user_message, uschar *log_message)
688 {
689 int hlen;
690
691 if (log_message != NULL && log_message != user_message)
692 {
693 uschar *text;
694 string_item *logged;
695
696 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
697 string_printing(log_message));
698
699 /* If a sender verification has failed, and the log message is "sender verify
700 failed", add the failure message. */
701
702 if (sender_verified_failed != NULL &&
703 sender_verified_failed->message != NULL &&
704 strcmpic(log_message, US"sender verify failed") == 0)
705 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
706
707 /* Search previously logged warnings. They are kept in malloc store so they
708 can be freed at the start of a new message. */
709
710 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
711 if (Ustrcmp(logged->text, text) == 0) break;
712
713 if (logged == NULL)
714 {
715 int length = Ustrlen(text) + 1;
716 log_write(0, LOG_MAIN, "%s", text);
717 logged = store_malloc(sizeof(string_item) + length);
718 logged->text = (uschar *)logged + sizeof(string_item);
719 memcpy(logged->text, text, length);
720 logged->next = acl_warn_logged;
721 acl_warn_logged = logged;
722 }
723 }
724
725 /* If there's no user message, we are done. */
726
727 if (user_message == NULL) return;
728
729 /* If this isn't a message ACL, we can't do anything with a user message.
730 Log an error. */
731
732 if (where > ACL_WHERE_NOTSMTP)
733 {
734 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
735 "found in a non-message (%s) ACL: cannot specify header lines here: "
736 "message ignored", acl_wherenames[where]);
737 return;
738 }
739
740 /* Treat the user message as a sequence of one or more header lines. */
741
742 hlen = Ustrlen(user_message);
743 if (hlen > 0)
744 {
745 uschar *text, *p, *q;
746
747 /* Add a final newline if not present */
748
749 text = ((user_message)[hlen-1] == '\n')? user_message :
750 string_sprintf("%s\n", user_message);
751
752 /* Loop for multiple header lines, taking care about continuations */
753
754 for (p = q = text; *p != 0; )
755 {
756 uschar *s;
757 int newtype = htype_add_bot;
758 header_line **hptr = &acl_warn_headers;
759
760 /* Find next header line within the string */
761
762 for (;;)
763 {
764 q = Ustrchr(q, '\n');
765 if (*(++q) != ' ' && *q != '\t') break;
766 }
767
768 /* If the line starts with a colon, interpret the instruction for where to
769 add it. This temporarily sets up a new type. */
770
771 if (*p == ':')
772 {
773 if (strncmpic(p, US":after_received:", 16) == 0)
774 {
775 newtype = htype_add_rec;
776 p += 16;
777 }
778 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
779 {
780 newtype = htype_add_rfc;
781 p += 14;
782 }
783 else if (strncmpic(p, US":at_start:", 10) == 0)
784 {
785 newtype = htype_add_top;
786 p += 10;
787 }
788 else if (strncmpic(p, US":at_end:", 8) == 0)
789 {
790 newtype = htype_add_bot;
791 p += 8;
792 }
793 while (*p == ' ' || *p == '\t') p++;
794 }
795
796 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
797 to the front of it. */
798
799 for (s = p; s < q - 1; s++)
800 {
801 if (*s == ':' || !isgraph(*s)) break;
802 }
803
804 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
805 hlen = Ustrlen(s);
806
807 /* See if this line has already been added */
808
809 while (*hptr != NULL)
810 {
811 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
812 hptr = &((*hptr)->next);
813 }
814
815 /* Add if not previously present */
816
817 if (*hptr == NULL)
818 {
819 header_line *h = store_get(sizeof(header_line));
820 h->text = s;
821 h->next = NULL;
822 h->type = newtype;
823 h->slen = hlen;
824 *hptr = h;
825 hptr = &(h->next);
826 }
827
828 /* Advance for next header line within the string */
829
830 p = q;
831 }
832 }
833 }
834
835
836
837 /*************************************************
838 * Verify and check reverse DNS *
839 *************************************************/
840
841 /* Called from acl_verify() below. We look up the host name(s) of the client IP
842 address if this has not yet been done. The host_name_lookup() function checks
843 that one of these names resolves to an address list that contains the client IP
844 address, so we don't actually have to do the check here.
845
846 Arguments:
847 user_msgptr pointer for user message
848 log_msgptr pointer for log message
849
850 Returns: OK verification condition succeeded
851 FAIL verification failed
852 DEFER there was a problem verifying
853 */
854
855 static int
856 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
857 {
858 int rc;
859
860 user_msgptr = user_msgptr; /* stop compiler warning */
861
862 /* Previous success */
863
864 if (sender_host_name != NULL) return OK;
865
866 /* Previous failure */
867
868 if (host_lookup_failed)
869 {
870 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
871 return FAIL;
872 }
873
874 /* Need to do a lookup */
875
876 HDEBUG(D_acl)
877 debug_printf("looking up host name to force name/address consistency check\n");
878
879 if ((rc = host_name_lookup()) != OK)
880 {
881 *log_msgptr = (rc == DEFER)?
882 US"host lookup deferred for reverse lookup check"
883 :
884 string_sprintf("host lookup failed for reverse lookup check%s",
885 host_lookup_msg);
886 return rc; /* DEFER or FAIL */
887 }
888
889 host_build_sender_fullhost();
890 return OK;
891 }
892
893
894
895 /*************************************************
896 * Handle verification (address & other) *
897 *************************************************/
898
899 /* This function implements the "verify" condition. It is called when
900 encountered in any ACL, because some tests are almost always permitted. Some
901 just don't make sense, and always fail (for example, an attempt to test a host
902 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
903
904 Arguments:
905 where where called from
906 addr the recipient address that the ACL is handling, or NULL
907 arg the argument of "verify"
908 user_msgptr pointer for user message
909 log_msgptr pointer for log message
910 basic_errno where to put verify errno
911
912 Returns: OK verification condition succeeded
913 FAIL verification failed
914 DEFER there was a problem verifying
915 ERROR syntax error
916 */
917
918 static int
919 acl_verify(int where, address_item *addr, uschar *arg,
920 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
921 {
922 int sep = '/';
923 int callout = -1;
924 int callout_overall = -1;
925 int callout_connect = -1;
926 int verify_options = 0;
927 int rc;
928 BOOL verify_header_sender = FALSE;
929 BOOL defer_ok = FALSE;
930 BOOL callout_defer_ok = FALSE;
931 BOOL no_details = FALSE;
932 address_item *sender_vaddr = NULL;
933 uschar *verify_sender_address = NULL;
934 uschar *pm_mailfrom = NULL;
935 uschar *se_mailfrom = NULL;
936 uschar *list = arg;
937 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
938
939 if (ss == NULL) goto BAD_VERIFY;
940
941 /* Handle name/address consistency verification in a separate function. */
942
943 if (strcmpic(ss, US"reverse_host_lookup") == 0)
944 {
945 if (sender_host_address == NULL) return OK;
946 return acl_verify_reverse(user_msgptr, log_msgptr);
947 }
948
949 /* TLS certificate verification is done at STARTTLS time; here we just
950 test whether it was successful or not. (This is for optional verification; for
951 mandatory verification, the connection doesn't last this long.) */
952
953 if (strcmpic(ss, US"certificate") == 0)
954 {
955 if (tls_certificate_verified) return OK;
956 *user_msgptr = US"no verified certificate";
957 return FAIL;
958 }
959
960 /* We can test the result of optional HELO verification */
961
962 if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
963
964 /* Handle header verification options - permitted only after DATA or a non-SMTP
965 message. */
966
967 if (strncmpic(ss, US"header_", 7) == 0)
968 {
969 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
970 {
971 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
972 "(only possible in ACL for DATA)", acl_wherenames[where]);
973 return ERROR;
974 }
975
976 /* Check that all relevant header lines have the correct syntax. If there is
977 a syntax error, we return details of the error to the sender if configured to
978 send out full details. (But a "message" setting on the ACL can override, as
979 always). */
980
981 if (strcmpic(ss+7, US"syntax") == 0)
982 {
983 int rc = verify_check_headers(log_msgptr);
984 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
985 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
986 return rc;
987 }
988
989 /* Check that there is at least one verifiable sender address in the relevant
990 header lines. This can be followed by callout and defer options, just like
991 sender and recipient. */
992
993 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
994
995 /* Unknown verify argument starting with "header_" */
996
997 else goto BAD_VERIFY;
998 }
999
1000 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1001 In the case of a sender, this can optionally be followed by an address to use
1002 in place of the actual sender (rare special-case requirement). */
1003
1004 else if (strncmpic(ss, US"sender", 6) == 0)
1005 {
1006 uschar *s = ss + 6;
1007 if (where > ACL_WHERE_NOTSMTP)
1008 {
1009 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1010 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1011 acl_wherenames[where]);
1012 return ERROR;
1013 }
1014 if (*s == 0)
1015 verify_sender_address = sender_address;
1016 else
1017 {
1018 while (isspace(*s)) s++;
1019 if (*s++ != '=') goto BAD_VERIFY;
1020 while (isspace(*s)) s++;
1021 verify_sender_address = string_copy(s);
1022 }
1023 }
1024 else
1025 {
1026 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1027 if (addr == NULL)
1028 {
1029 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1030 "(only possible for RCPT)", acl_wherenames[where]);
1031 return ERROR;
1032 }
1033 }
1034
1035 /* Remaining items are optional */
1036
1037 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1038 != NULL)
1039 {
1040 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1041 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1042
1043 /* These two old options are left for backwards compatibility */
1044
1045 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1046 {
1047 callout_defer_ok = TRUE;
1048 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1049 }
1050
1051 else if (strcmpic(ss, US"check_postmaster") == 0)
1052 {
1053 pm_mailfrom = US"";
1054 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1055 }
1056
1057 /* The callout option has a number of sub-options, comma separated */
1058
1059 else if (strncmpic(ss, US"callout", 7) == 0)
1060 {
1061 callout = CALLOUT_TIMEOUT_DEFAULT;
1062 ss += 7;
1063 if (*ss != 0)
1064 {
1065 while (isspace(*ss)) ss++;
1066 if (*ss++ == '=')
1067 {
1068 int optsep = ',';
1069 uschar *opt;
1070 uschar buffer[256];
1071 while (isspace(*ss)) ss++;
1072
1073 /* This callout option handling code has become a mess as new options
1074 have been added in an ad hoc manner. It should be tidied up into some
1075 kind of table-driven thing. */
1076
1077 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1078 != NULL)
1079 {
1080 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1081 else if (strcmpic(opt, US"no_cache") == 0)
1082 verify_options |= vopt_callout_no_cache;
1083 else if (strcmpic(opt, US"random") == 0)
1084 verify_options |= vopt_callout_random;
1085 else if (strcmpic(opt, US"use_sender") == 0)
1086 verify_options |= vopt_callout_recipsender;
1087 else if (strcmpic(opt, US"use_postmaster") == 0)
1088 verify_options |= vopt_callout_recippmaster;
1089 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1090
1091 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1092 {
1093 if (!verify_header_sender)
1094 {
1095 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1096 "callout option only for verify=header_sender (detected in ACL "
1097 "condition \"%s\")", arg);
1098 return ERROR;
1099 }
1100 opt += 8;
1101 while (isspace(*opt)) opt++;
1102 if (*opt++ != '=')
1103 {
1104 *log_msgptr = string_sprintf("'=' expected after "
1105 "\"mailfrom\" in ACL condition \"%s\"", arg);
1106 return ERROR;
1107 }
1108 while (isspace(*opt)) opt++;
1109 se_mailfrom = string_copy(opt);
1110 }
1111
1112 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1113 {
1114 opt += 19;
1115 while (isspace(*opt)) opt++;
1116 if (*opt++ != '=')
1117 {
1118 *log_msgptr = string_sprintf("'=' expected after "
1119 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1120 return ERROR;
1121 }
1122 while (isspace(*opt)) opt++;
1123 pm_mailfrom = string_copy(opt);
1124 }
1125
1126 else if (strncmpic(opt, US"maxwait", 7) == 0)
1127 {
1128 opt += 7;
1129 while (isspace(*opt)) opt++;
1130 if (*opt++ != '=')
1131 {
1132 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1133 "ACL condition \"%s\"", arg);
1134 return ERROR;
1135 }
1136 while (isspace(*opt)) opt++;
1137 callout_overall = readconf_readtime(opt, 0, FALSE);
1138 if (callout_overall < 0)
1139 {
1140 *log_msgptr = string_sprintf("bad time value in ACL condition "
1141 "\"verify %s\"", arg);
1142 return ERROR;
1143 }
1144 }
1145 else if (strncmpic(opt, US"connect", 7) == 0)
1146 {
1147 opt += 7;
1148 while (isspace(*opt)) opt++;
1149 if (*opt++ != '=')
1150 {
1151 *log_msgptr = string_sprintf("'=' expected after "
1152 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1153 return ERROR;
1154 }
1155 while (isspace(*opt)) opt++;
1156 callout_connect = readconf_readtime(opt, 0, FALSE);
1157 if (callout_connect < 0)
1158 {
1159 *log_msgptr = string_sprintf("bad time value in ACL condition "
1160 "\"verify %s\"", arg);
1161 return ERROR;
1162 }
1163 }
1164 else /* Plain time is callout connect/command timeout */
1165 {
1166 callout = readconf_readtime(opt, 0, FALSE);
1167 if (callout < 0)
1168 {
1169 *log_msgptr = string_sprintf("bad time value in ACL condition "
1170 "\"verify %s\"", arg);
1171 return ERROR;
1172 }
1173 }
1174 }
1175 }
1176 else
1177 {
1178 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1179 "ACL condition \"%s\"", arg);
1180 return ERROR;
1181 }
1182 }
1183 }
1184
1185 /* Option not recognized */
1186
1187 else
1188 {
1189 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1190 "condition \"verify %s\"", ss, arg);
1191 return ERROR;
1192 }
1193 }
1194
1195 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1196 (vopt_callout_recipsender|vopt_callout_recippmaster))
1197 {
1198 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1199 "for a recipient callout";
1200 return ERROR;
1201 }
1202
1203 /* Handle sender-in-header verification. Default the user message to the log
1204 message if giving out verification details. */
1205
1206 if (verify_header_sender)
1207 {
1208 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1209 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options);
1210 if (smtp_return_error_details)
1211 {
1212 if (*user_msgptr == NULL && *log_msgptr != NULL)
1213 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1214 if (rc == DEFER) acl_temp_details = TRUE;
1215 }
1216 }
1217
1218 /* Handle a sender address. The default is to verify *the* sender address, but
1219 optionally a different address can be given, for special requirements. If the
1220 address is empty, we are dealing with a bounce message that has no sender, so
1221 we cannot do any checking. If the real sender address gets rewritten during
1222 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1223 during message reception.
1224
1225 A list of verified "sender" addresses is kept to try to avoid doing to much
1226 work repetitively when there are multiple recipients in a message and they all
1227 require sender verification. However, when callouts are involved, it gets too
1228 complicated because different recipients may require different callout options.
1229 Therefore, we always do a full sender verify when any kind of callout is
1230 specified. Caching elsewhere, for instance in the DNS resolver and in the
1231 callout handling, should ensure that this is not terribly inefficient. */
1232
1233 else if (verify_sender_address != NULL)
1234 {
1235 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1236 != 0)
1237 {
1238 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1239 "sender verify callout";
1240 return ERROR;
1241 }
1242
1243 sender_vaddr = verify_checked_sender(verify_sender_address);
1244 if (sender_vaddr != NULL && /* Previously checked */
1245 callout <= 0) /* No callout needed this time */
1246 {
1247 /* If the "routed" flag is set, it means that routing worked before, so
1248 this check can give OK (the saved return code value, if set, belongs to a
1249 callout that was done previously). If the "routed" flag is not set, routing
1250 must have failed, so we use the saved return code. */
1251
1252 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1253 {
1254 rc = sender_vaddr->special_action;
1255 *basic_errno = sender_vaddr->basic_errno;
1256 }
1257 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1258 }
1259
1260 /* Do a new verification, and cache the result. The cache is used to avoid
1261 verifying the sender multiple times for multiple RCPTs when callouts are not
1262 specified (see comments above).
1263
1264 The cache is also used on failure to give details in response to the first
1265 RCPT that gets bounced for this reason. However, this can be suppressed by
1266 the no_details option, which sets the flag that says "this detail has already
1267 been sent". The cache normally contains just one address, but there may be
1268 more in esoteric circumstances. */
1269
1270 else
1271 {
1272 BOOL routed = TRUE;
1273 uschar *save_address_data = deliver_address_data;
1274
1275 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1276 if (no_details) setflag(sender_vaddr, af_sverify_told);
1277 if (verify_sender_address[0] != 0)
1278 {
1279 /* If this is the real sender address, save the unrewritten version
1280 for use later in receive. Otherwise, set a flag so that rewriting the
1281 sender in verify_address() does not update sender_address. */
1282
1283 if (verify_sender_address == sender_address)
1284 sender_address_unrewritten = sender_address;
1285 else
1286 verify_options |= vopt_fake_sender;
1287
1288 /* The recipient, qualify, and expn options are never set in
1289 verify_options. */
1290
1291 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1292 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1293
1294 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1295
1296 if (rc == OK)
1297 {
1298 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1299 {
1300 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1301 verify_sender_address, sender_vaddr->address);
1302 }
1303 else
1304 {
1305 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1306 verify_sender_address);
1307 }
1308 }
1309 else *basic_errno = sender_vaddr->basic_errno;
1310 }
1311 else rc = OK; /* Null sender */
1312
1313 /* Cache the result code */
1314
1315 if (routed) setflag(sender_vaddr, af_verify_routed);
1316 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1317 sender_vaddr->special_action = rc;
1318 sender_vaddr->next = sender_verified_list;
1319 sender_verified_list = sender_vaddr;
1320
1321 /* Restore the recipient address data, which might have been clobbered by
1322 the sender verification. */
1323
1324 deliver_address_data = save_address_data;
1325 }
1326
1327 /* Put the sender address_data value into $sender_address_data */
1328
1329 sender_address_data = sender_vaddr->p.address_data;
1330 }
1331
1332 /* A recipient address just gets a straightforward verify; again we must handle
1333 the DEFER overrides. */
1334
1335 else
1336 {
1337 address_item addr2;
1338
1339 /* We must use a copy of the address for verification, because it might
1340 get rewritten. */
1341
1342 addr2 = *addr;
1343 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1344 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1345 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1346 *log_msgptr = addr2.message;
1347 *user_msgptr = addr2.user_message;
1348 *basic_errno = addr2.basic_errno;
1349
1350 /* Make $address_data visible */
1351 deliver_address_data = addr2.p.address_data;
1352 }
1353
1354 /* We have a result from the relevant test. Handle defer overrides first. */
1355
1356 if (rc == DEFER && (defer_ok ||
1357 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1358 {
1359 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1360 defer_ok? "defer_ok" : "callout_defer_ok");
1361 rc = OK;
1362 }
1363
1364 /* If we've failed a sender, set up a recipient message, and point
1365 sender_verified_failed to the address item that actually failed. */
1366
1367 if (rc != OK && verify_sender_address != NULL)
1368 {
1369 if (rc != DEFER)
1370 {
1371 *log_msgptr = *user_msgptr = US"Sender verify failed";
1372 }
1373 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1374 {
1375 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1376 }
1377 else
1378 {
1379 *log_msgptr = US"Could not complete sender verify callout";
1380 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1381 *log_msgptr;
1382 }
1383
1384 sender_verified_failed = sender_vaddr;
1385 }
1386
1387 /* Verifying an address messes up the values of $domain and $local_part,
1388 so reset them before returning if this is a RCPT ACL. */
1389
1390 if (addr != NULL)
1391 {
1392 deliver_domain = addr->domain;
1393 deliver_localpart = addr->local_part;
1394 }
1395 return rc;
1396
1397 /* Syntax errors in the verify argument come here. */
1398
1399 BAD_VERIFY:
1400 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1401 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1402 "\"verify %s\"", arg);
1403 return ERROR;
1404 }
1405
1406
1407
1408
1409 /*************************************************
1410 * Check argument for control= modifier *
1411 *************************************************/
1412
1413 /* Called from acl_check_condition() below
1414
1415 Arguments:
1416 arg the argument string for control=
1417 pptr set to point to the terminating character
1418 where which ACL we are in
1419 log_msgptr for error messages
1420
1421 Returns: CONTROL_xxx value
1422 */
1423
1424 static int
1425 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1426 {
1427 int len;
1428 control_def *d;
1429
1430 for (d = controls_list;
1431 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1432 d++)
1433 {
1434 len = Ustrlen(d->name);
1435 if (Ustrncmp(d->name, arg, len) == 0) break;
1436 }
1437
1438 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1439 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1440 {
1441 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1442 return CONTROL_ERROR;
1443 }
1444
1445 *pptr = arg + len;
1446 return d->value;
1447 }
1448
1449
1450
1451 /*************************************************
1452 * Handle conditions/modifiers on an ACL item *
1453 *************************************************/
1454
1455 /* Called from acl_check() below.
1456
1457 Arguments:
1458 verb ACL verb
1459 cb ACL condition block - if NULL, result is OK
1460 where where called from
1461 addr the address being checked for RCPT, or NULL
1462 level the nesting level
1463 epp pointer to pass back TRUE if "endpass" encountered
1464 (applies only to "accept" and "discard")
1465 user_msgptr user message pointer
1466 log_msgptr log message pointer
1467 basic_errno pointer to where to put verify error
1468
1469 Returns: OK - all conditions are met
1470 DISCARD - an "acl" condition returned DISCARD - only allowed
1471 for "accept" or "discard" verbs
1472 FAIL - at least one condition fails
1473 FAIL_DROP - an "acl" condition returned FAIL_DROP
1474 DEFER - can't tell at the moment (typically, lookup defer,
1475 but can be temporary callout problem)
1476 ERROR - ERROR from nested ACL or expansion failure or other
1477 error
1478 */
1479
1480 static int
1481 acl_check_condition(int verb, acl_condition_block *cb, int where,
1482 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1483 uschar **log_msgptr, int *basic_errno)
1484 {
1485 uschar *user_message = NULL;
1486 uschar *log_message = NULL;
1487 uschar *p;
1488 int rc = OK;
1489 #ifdef WITH_CONTENT_SCAN
1490 int sep = '/';
1491 #endif
1492
1493 for (; cb != NULL; cb = cb->next)
1494 {
1495 uschar *arg;
1496 int control_type;
1497
1498 /* The message and log_message items set up messages to be used in
1499 case of rejection. They are expanded later. */
1500
1501 if (cb->type == ACLC_MESSAGE)
1502 {
1503 user_message = cb->arg;
1504 continue;
1505 }
1506
1507 if (cb->type == ACLC_LOG_MESSAGE)
1508 {
1509 log_message = cb->arg;
1510 continue;
1511 }
1512
1513 /* The endpass "condition" just sets a flag to show it occurred. This is
1514 checked at compile time to be on an "accept" or "discard" item. */
1515
1516 if (cb->type == ACLC_ENDPASS)
1517 {
1518 *epp = TRUE;
1519 continue;
1520 }
1521
1522 /* For other conditions and modifiers, the argument is expanded now for some
1523 of them, but not for all, because expansion happens down in some lower level
1524 checking functions in some cases. */
1525
1526 if (cond_expand_at_top[cb->type])
1527 {
1528 arg = expand_string(cb->arg);
1529 if (arg == NULL)
1530 {
1531 if (expand_string_forcedfail) continue;
1532 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1533 cb->arg, expand_string_message);
1534 return search_find_defer? DEFER : ERROR;
1535 }
1536 }
1537 else arg = cb->arg;
1538
1539 /* Show condition, and expanded condition if it's different */
1540
1541 HDEBUG(D_acl)
1542 {
1543 int lhswidth = 0;
1544 debug_printf("check %s%s %n",
1545 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1546 conditions[cb->type], &lhswidth);
1547
1548 if (cb->type == ACLC_SET)
1549 {
1550 int n = cb->u.varnumber;
1551 int t = (n < ACL_C_MAX)? 'c' : 'm';
1552 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1553 debug_printf("acl_%c%d ", t, n);
1554 lhswidth += 7;
1555 }
1556
1557 debug_printf("= %s\n", cb->arg);
1558
1559 if (arg != cb->arg)
1560 debug_printf("%.*s= %s\n", lhswidth,
1561 US" ", CS arg);
1562 }
1563
1564 /* Check that this condition makes sense at this time */
1565
1566 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1567 {
1568 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1569 cond_modifiers[cb->type]? "use" : "test",
1570 conditions[cb->type], acl_wherenames[where]);
1571 return ERROR;
1572 }
1573
1574 /* Run the appropriate test for each condition, or take the appropriate
1575 action for the remaining modifiers. */
1576
1577 switch(cb->type)
1578 {
1579 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1580 "discard" verb. */
1581
1582 case ACLC_ACL:
1583 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1584 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1585 {
1586 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1587 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1588 verbs[verb]);
1589 return ERROR;
1590 }
1591 break;
1592
1593 case ACLC_AUTHENTICATED:
1594 rc = (sender_host_authenticated == NULL)? FAIL :
1595 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1596 TRUE, NULL);
1597 break;
1598
1599 #ifdef EXPERIMENTAL_BRIGHTMAIL
1600 case ACLC_BMI_OPTIN:
1601 {
1602 int old_pool = store_pool;
1603 store_pool = POOL_PERM;
1604 bmi_current_optin = string_copy(arg);
1605 store_pool = old_pool;
1606 }
1607 break;
1608 #endif
1609
1610 case ACLC_CONDITION:
1611 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1612 rc = (Uatoi(arg) == 0)? FAIL : OK;
1613 else
1614 rc = (strcmpic(arg, US"no") == 0 ||
1615 strcmpic(arg, US"false") == 0)? FAIL :
1616 (strcmpic(arg, US"yes") == 0 ||
1617 strcmpic(arg, US"true") == 0)? OK : DEFER;
1618 if (rc == DEFER)
1619 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1620 break;
1621
1622 case ACLC_CONTROL:
1623 control_type = decode_control(arg, &p, where, log_msgptr);
1624
1625 /* Check if this control makes sense at this time */
1626
1627 if ((control_forbids[control_type] & (1 << where)) != 0)
1628 {
1629 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1630 controls[control_type], acl_wherenames[where]);
1631 return ERROR;
1632 }
1633
1634 switch(control_type)
1635 {
1636 #ifdef EXPERIMENTAL_BRIGHTMAIL
1637 case CONTROL_BMI_RUN:
1638 bmi_run = 1;
1639 break;
1640 #endif
1641
1642 case CONTROL_ERROR:
1643 return ERROR;
1644
1645 case CONTROL_CASEFUL_LOCAL_PART:
1646 deliver_localpart = addr->cc_local_part;
1647 break;
1648
1649 case CONTROL_CASELOWER_LOCAL_PART:
1650 deliver_localpart = addr->lc_local_part;
1651 break;
1652
1653 case CONTROL_ENFORCE_SYNC:
1654 smtp_enforce_sync = TRUE;
1655 break;
1656
1657 case CONTROL_NO_ENFORCE_SYNC:
1658 smtp_enforce_sync = FALSE;
1659 break;
1660
1661 #ifdef WITH_CONTENT_SCAN
1662 case CONTROL_NO_MBOX_UNSPOOL:
1663 no_mbox_unspool = TRUE;
1664 break;
1665 #endif
1666
1667 case CONTROL_NO_MULTILINE:
1668 no_multiline_responses = TRUE;
1669 break;
1670
1671 case CONTROL_FAKEREJECT:
1672 fake_reject = TRUE;
1673 if (*p == '/')
1674 {
1675 uschar *pp = p + 1;
1676 while (*pp != 0) pp++;
1677 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1678 p = pp;
1679 }
1680 else
1681 {
1682 /* Explicitly reset to default string */
1683 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legit message, it may still be delivered to the target recipient(s).";
1684 }
1685 break;
1686
1687 case CONTROL_FREEZE:
1688 deliver_freeze = TRUE;
1689 deliver_frozen_at = time(NULL);
1690 break;
1691
1692 case CONTROL_QUEUE_ONLY:
1693 queue_only_policy = TRUE;
1694 break;
1695
1696 case CONTROL_SUBMISSION:
1697 submission_mode = TRUE;
1698 while (*p == '/')
1699 {
1700 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1701 {
1702 p += 14;
1703 active_local_sender_retain = TRUE;
1704 active_local_from_check = FALSE;
1705 }
1706 else if (Ustrncmp(p, "/domain=", 8) == 0)
1707 {
1708 uschar *pp = p + 8;
1709 while (*pp != 0 && *pp != '/') pp++;
1710 submission_domain = string_copyn(p+8, pp-p);
1711 p = pp;
1712 }
1713 else break;
1714 }
1715 if (*p != 0)
1716 {
1717 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1718 return ERROR;
1719 }
1720 break;
1721 }
1722 break;
1723
1724 #ifdef WITH_CONTENT_SCAN
1725 case ACLC_DECODE:
1726 rc = mime_decode(&arg);
1727 break;
1728 #endif
1729
1730 case ACLC_DELAY:
1731 {
1732 int delay = readconf_readtime(arg, 0, FALSE);
1733 if (delay < 0)
1734 {
1735 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1736 "modifier: \"%s\" is not a time value", arg);
1737 return ERROR;
1738 }
1739 else
1740 {
1741 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1742 delay);
1743 if (host_checking)
1744 {
1745 HDEBUG(D_acl)
1746 debug_printf("delay skipped in -bh checking mode\n");
1747 }
1748 else
1749 {
1750 while (delay > 0) delay = sleep(delay);
1751 }
1752 }
1753 }
1754 break;
1755
1756 #ifdef WITH_OLD_DEMIME
1757 case ACLC_DEMIME:
1758 rc = demime(&arg);
1759 break;
1760 #endif
1761
1762 case ACLC_DNSLISTS:
1763 rc = verify_check_dnsbl(&arg);
1764 break;
1765
1766 case ACLC_DOMAINS:
1767 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1768 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1769 break;
1770
1771 /* The value in tls_cipher is the full cipher name, for example,
1772 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1773 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1774 what may in practice come out of the SSL library - which at the time of
1775 writing is poorly documented. */
1776
1777 case ACLC_ENCRYPTED:
1778 if (tls_cipher == NULL) rc = FAIL; else
1779 {
1780 uschar *endcipher = NULL;
1781 uschar *cipher = Ustrchr(tls_cipher, ':');
1782 if (cipher == NULL) cipher = tls_cipher; else
1783 {
1784 endcipher = Ustrchr(++cipher, ':');
1785 if (endcipher != NULL) *endcipher = 0;
1786 }
1787 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1788 if (endcipher != NULL) *endcipher = ':';
1789 }
1790 break;
1791
1792 /* Use verify_check_this_host() instead of verify_check_host() so that
1793 we can pass over &host_data to catch any looked up data. Once it has been
1794 set, it retains its value so that it's still there if another ACL verb
1795 comes through here and uses the cache. However, we must put it into
1796 permanent store in case it is also expected to be used in a subsequent
1797 message in the same SMTP connection. */
1798
1799 case ACLC_HOSTS:
1800 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1801 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1802 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1803 break;
1804
1805 case ACLC_LOCAL_PARTS:
1806 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1807 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1808 &deliver_localpart_data);
1809 break;
1810
1811 case ACLC_LOGWRITE:
1812 {
1813 int logbits = 0;
1814 uschar *s = arg;
1815 if (*s == ':')
1816 {
1817 s++;
1818 while (*s != ':')
1819 {
1820 if (Ustrncmp(s, "main", 4) == 0)
1821 { logbits |= LOG_MAIN; s += 4; }
1822 else if (Ustrncmp(s, "panic", 5) == 0)
1823 { logbits |= LOG_PANIC; s += 5; }
1824 else if (Ustrncmp(s, "reject", 6) == 0)
1825 { logbits |= LOG_REJECT; s += 6; }
1826 else
1827 {
1828 logbits = LOG_MAIN|LOG_PANIC;
1829 s = string_sprintf(":unknown log name in \"%s\" in "
1830 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
1831 }
1832 if (*s == ',') s++;
1833 }
1834 s++;
1835 }
1836 while (isspace(*s)) s++;
1837 if (logbits == 0) logbits = LOG_MAIN;
1838 log_write(0, logbits, "%s", string_printing(s));
1839 }
1840 break;
1841
1842 #ifdef WITH_CONTENT_SCAN
1843 case ACLC_MALWARE:
1844 {
1845 /* Seperate the regular expression and any optional parameters. */
1846 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1847 /* Run the malware backend. */
1848 rc = malware(&ss);
1849 /* Modify return code based upon the existance of options. */
1850 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1851 != NULL) {
1852 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1853 {
1854 /* FAIL so that the message is passed to the next ACL */
1855 rc = FAIL;
1856 }
1857 }
1858 }
1859 break;
1860
1861 case ACLC_MIME_REGEX:
1862 rc = mime_regex(&arg);
1863 break;
1864 #endif
1865
1866 case ACLC_RECIPIENTS:
1867 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
1868 &recipient_data);
1869 break;
1870
1871 #ifdef WITH_CONTENT_SCAN
1872 case ACLC_REGEX:
1873 rc = regex(&arg);
1874 break;
1875 #endif
1876
1877 case ACLC_SENDER_DOMAINS:
1878 {
1879 uschar *sdomain;
1880 sdomain = Ustrrchr(sender_address, '@');
1881 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
1882 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
1883 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
1884 }
1885 break;
1886
1887 case ACLC_SENDERS:
1888 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
1889 sender_address_cache, -1, 0, &sender_data);
1890 break;
1891
1892 /* Connection variables must persist forever */
1893
1894 case ACLC_SET:
1895 {
1896 int old_pool = store_pool;
1897 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
1898 acl_var[cb->u.varnumber] = string_copy(arg);
1899 store_pool = old_pool;
1900 }
1901 break;
1902
1903 #ifdef WITH_CONTENT_SCAN
1904 case ACLC_SPAM:
1905 {
1906 /* Seperate the regular expression and any optional parameters. */
1907 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1908 /* Run the spam backend. */
1909 rc = spam(&ss);
1910 /* Modify return code based upon the existance of options. */
1911 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1912 != NULL) {
1913 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1914 {
1915 /* FAIL so that the message is passed to the next ACL */
1916 rc = FAIL;
1917 }
1918 }
1919 }
1920 break;
1921 #endif
1922
1923 #ifdef EXPERIMENTAL_SPF
1924 case ACLC_SPF:
1925 rc = spf_process(&arg, sender_address);
1926 break;
1927 #endif
1928
1929 /* If the verb is WARN, discard any user message from verification, because
1930 such messages are SMTP responses, not header additions. The latter come
1931 only from explicit "message" modifiers. */
1932
1933 case ACLC_VERIFY:
1934 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
1935 if (verb == ACL_WARN) *user_msgptr = NULL;
1936 break;
1937
1938 default:
1939 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
1940 "condition %d", cb->type);
1941 break;
1942 }
1943
1944 /* If a condition was negated, invert OK/FAIL. */
1945
1946 if (!cond_modifiers[cb->type] && cb->u.negated)
1947 {
1948 if (rc == OK) rc = FAIL;
1949 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
1950 }
1951
1952 if (rc != OK) break; /* Conditions loop */
1953 }
1954
1955
1956 /* If the result is the one for which "message" and/or "log_message" are used,
1957 handle the values of these options. Most verbs have but a single return for
1958 which the messages are relevant, but for "discard", it's useful to have the log
1959 message both when it succeeds and when it fails. Also, for an "accept" that
1960 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
1961 and "warn" are permitted in that ACL, we don't need to test the verb.
1962
1963 These modifiers act in different ways:
1964
1965 "message" is a user message that will be included in an SMTP response. Unless
1966 it is empty, it overrides any previously set user message.
1967
1968 "log_message" is a non-user message, and it adds to any existing non-user
1969 message that is already set.
1970
1971 If there isn't a log message set, we make it the same as the user message. */
1972
1973 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
1974 (verb == ACL_DISCARD && rc == OK) ||
1975 (where == ACL_WHERE_QUIT))
1976 {
1977 uschar *expmessage;
1978
1979 /* If the verb is "warn", messages generated by conditions (verification or
1980 nested ACLs) are discarded. Only messages specified at this level are used.
1981 However, the value of an existing message is available in $acl_verify_message
1982 during expansions. */
1983
1984 uschar *old_user_msgptr = *user_msgptr;
1985 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
1986
1987 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
1988
1989 if (user_message != NULL)
1990 {
1991 acl_verify_message = old_user_msgptr;
1992 expmessage = expand_string(user_message);
1993 if (expmessage == NULL)
1994 {
1995 if (!expand_string_forcedfail)
1996 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1997 user_message, expand_string_message);
1998 }
1999 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2000 }
2001
2002 if (log_message != NULL)
2003 {
2004 acl_verify_message = old_log_msgptr;
2005 expmessage = expand_string(log_message);
2006 if (expmessage == NULL)
2007 {
2008 if (!expand_string_forcedfail)
2009 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2010 log_message, expand_string_message);
2011 }
2012 else if (expmessage[0] != 0)
2013 {
2014 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2015 string_sprintf("%s: %s", expmessage, *log_msgptr);
2016 }
2017 }
2018
2019 /* If no log message, default it to the user message */
2020
2021 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2022 }
2023
2024 acl_verify_message = NULL;
2025 return rc;
2026 }
2027
2028
2029
2030
2031
2032 /*************************************************
2033 * Get line from a literal ACL *
2034 *************************************************/
2035
2036 /* This function is passed to acl_read() in order to extract individual lines
2037 of a literal ACL, which we access via static pointers. We can destroy the
2038 contents because this is called only once (the compiled ACL is remembered).
2039
2040 This code is intended to treat the data in the same way as lines in the main
2041 Exim configuration file. That is:
2042
2043 . Leading spaces are ignored.
2044
2045 . A \ at the end of a line is a continuation - trailing spaces after the \
2046 are permitted (this is because I don't believe in making invisible things
2047 significant). Leading spaces on the continued part of a line are ignored.
2048
2049 . Physical lines starting (significantly) with # are totally ignored, and
2050 may appear within a sequence of backslash-continued lines.
2051
2052 . Blank lines are ignored, but will end a sequence of continuations.
2053
2054 Arguments: none
2055 Returns: a pointer to the next line
2056 */
2057
2058
2059 static uschar *acl_text; /* Current pointer in the text */
2060 static uschar *acl_text_end; /* Points one past the terminating '0' */
2061
2062
2063 static uschar *
2064 acl_getline(void)
2065 {
2066 uschar *yield;
2067
2068 /* This loop handles leading blank lines and comments. */
2069
2070 for(;;)
2071 {
2072 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2073 if (*acl_text == 0) return NULL; /* No more data */
2074 yield = acl_text; /* Potential data line */
2075
2076 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2077
2078 /* If we hit the end before a newline, we have the whole logical line. If
2079 it's a comment, there's no more data to be given. Otherwise, yield it. */
2080
2081 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2082
2083 /* After reaching a newline, end this loop if the physical line does not
2084 start with '#'. If it does, it's a comment, and the loop continues. */
2085
2086 if (*yield != '#') break;
2087 }
2088
2089 /* This loop handles continuations. We know we have some real data, ending in
2090 newline. See if there is a continuation marker at the end (ignoring trailing
2091 white space). We know that *yield is not white space, so no need to test for
2092 cont > yield in the backwards scanning loop. */
2093
2094 for(;;)
2095 {
2096 uschar *cont;
2097 for (cont = acl_text - 1; isspace(*cont); cont--);
2098
2099 /* If no continuation follows, we are done. Mark the end of the line and
2100 return it. */
2101
2102 if (*cont != '\\')
2103 {
2104 *acl_text++ = 0;
2105 return yield;
2106 }
2107
2108 /* We have encountered a continuation. Skip over whitespace at the start of
2109 the next line, and indeed the whole of the next line or lines if they are
2110 comment lines. */
2111
2112 for (;;)
2113 {
2114 while (*(++acl_text) == ' ' || *acl_text == '\t');
2115 if (*acl_text != '#') break;
2116 while (*(++acl_text) != 0 && *acl_text != '\n');
2117 }
2118
2119 /* We have the start of a continuation line. Move all the rest of the data
2120 to join onto the previous line, and then find its end. If the end is not a
2121 newline, we are done. Otherwise loop to look for another continuation. */
2122
2123 memmove(cont, acl_text, acl_text_end - acl_text);
2124 acl_text_end -= acl_text - cont;
2125 acl_text = cont;
2126 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2127 if (*acl_text == 0) return yield;
2128 }
2129
2130 /* Control does not reach here */
2131 }
2132
2133
2134
2135
2136
2137 /*************************************************
2138 * Check access using an ACL *
2139 *************************************************/
2140
2141 /* This function is called from address_check. It may recurse via
2142 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2143 passed as a string which is expanded. A forced failure implies no access check
2144 is required. If the result is a single word, it is taken as the name of an ACL
2145 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2146 text, complete with newlines, and parsed as such. In both cases, the ACL check
2147 is then run. This function uses an auxiliary function for acl_read() to call
2148 for reading individual lines of a literal ACL. This is acl_getline(), which
2149 appears immediately above.
2150
2151 Arguments:
2152 where where called from
2153 addr address item when called from RCPT; otherwise NULL
2154 s the input string; NULL is the same as an empty ACL => DENY
2155 level the nesting level
2156 user_msgptr where to put a user error (for SMTP response)
2157 log_msgptr where to put a logging message (not for SMTP response)
2158
2159 Returns: OK access is granted
2160 DISCARD access is apparently granted...
2161 FAIL access is denied
2162 FAIL_DROP access is denied; drop the connection
2163 DEFER can't tell at the moment
2164 ERROR disaster
2165 */
2166
2167 static int
2168 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2169 uschar **user_msgptr, uschar **log_msgptr)
2170 {
2171 int fd = -1;
2172 acl_block *acl = NULL;
2173 uschar *acl_name = US"inline ACL";
2174 uschar *ss;
2175
2176 /* Catch configuration loops */
2177
2178 if (level > 20)
2179 {
2180 *log_msgptr = US"ACL nested too deep: possible loop";
2181 return ERROR;
2182 }
2183
2184 if (s == NULL)
2185 {
2186 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2187 return FAIL;
2188 }
2189
2190 /* At top level, we expand the incoming string. At lower levels, it has already
2191 been expanded as part of condition processing. */
2192
2193 if (level == 0)
2194 {
2195 ss = expand_string(s);
2196 if (ss == NULL)
2197 {
2198 if (expand_string_forcedfail) return OK;
2199 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2200 expand_string_message);
2201 return ERROR;
2202 }
2203 }
2204 else ss = s;
2205
2206 while (isspace(*ss))ss++;
2207
2208 /* If we can't find a named ACL, the default is to parse it as an inline one.
2209 (Unless it begins with a slash; non-existent files give rise to an error.) */
2210
2211 acl_text = ss;
2212
2213 /* Handle the case of a string that does not contain any spaces. Look for a
2214 named ACL among those read from the configuration, or a previously read file.
2215 It is possible that the pointer to the ACL is NULL if the configuration
2216 contains a name with no data. If not found, and the text begins with '/',
2217 read an ACL from a file, and save it so it can be re-used. */
2218
2219 if (Ustrchr(ss, ' ') == NULL)
2220 {
2221 tree_node *t = tree_search(acl_anchor, ss);
2222 if (t != NULL)
2223 {
2224 acl = (acl_block *)(t->data.ptr);
2225 if (acl == NULL)
2226 {
2227 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2228 return FAIL;
2229 }
2230 acl_name = string_sprintf("ACL \"%s\"", ss);
2231 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2232 }
2233
2234 else if (*ss == '/')
2235 {
2236 struct stat statbuf;
2237 fd = Uopen(ss, O_RDONLY, 0);
2238 if (fd < 0)
2239 {
2240 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2241 strerror(errno));
2242 return ERROR;
2243 }
2244
2245 if (fstat(fd, &statbuf) != 0)
2246 {
2247 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2248 strerror(errno));
2249 return ERROR;
2250 }
2251
2252 acl_text = store_get(statbuf.st_size + 1);
2253 acl_text_end = acl_text + statbuf.st_size + 1;
2254
2255 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2256 {
2257 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2258 ss, strerror(errno));
2259 return ERROR;
2260 }
2261 acl_text[statbuf.st_size] = 0;
2262 close(fd);
2263
2264 acl_name = string_sprintf("ACL \"%s\"", ss);
2265 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2266 }
2267 }
2268
2269 /* Parse an ACL that is still in text form. If it came from a file, remember it
2270 in the ACL tree, having read it into the POOL_PERM store pool so that it
2271 persists between multiple messages. */
2272
2273 if (acl == NULL)
2274 {
2275 int old_pool = store_pool;
2276 if (fd >= 0) store_pool = POOL_PERM;
2277 acl = acl_read(acl_getline, log_msgptr);
2278 store_pool = old_pool;
2279 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2280 if (fd >= 0)
2281 {
2282 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2283 Ustrcpy(t->name, ss);
2284 t->data.ptr = acl;
2285 (void)tree_insertnode(&acl_anchor, t);
2286 }
2287 }
2288
2289 /* Now we have an ACL to use. It's possible it may be NULL. */
2290
2291 while (acl != NULL)
2292 {
2293 int cond;
2294 int basic_errno = 0;
2295 BOOL endpass_seen = FALSE;
2296
2297 *log_msgptr = *user_msgptr = NULL;
2298 acl_temp_details = FALSE;
2299
2300 if (where == ACL_WHERE_QUIT &&
2301 acl->verb != ACL_ACCEPT &&
2302 acl->verb != ACL_WARN)
2303 {
2304 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2305 verbs[acl->verb]);
2306 return ERROR;
2307 }
2308
2309 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2310
2311 /* Clear out any search error message from a previous check before testing
2312 this condition. */
2313
2314 search_error_message = NULL;
2315 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2316 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2317
2318 /* Handle special returns: DEFER causes a return except on a WARN verb;
2319 ERROR always causes a return. */
2320
2321 switch (cond)
2322 {
2323 case DEFER:
2324 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2325 if (basic_errno != ERRNO_CALLOUTDEFER)
2326 {
2327 if (search_error_message != NULL && *search_error_message != 0)
2328 *log_msgptr = search_error_message;
2329 if (smtp_return_error_details) acl_temp_details = TRUE;
2330 }
2331 else
2332 {
2333 acl_temp_details = TRUE;
2334 }
2335 if (acl->verb != ACL_WARN) return DEFER;
2336 break;
2337
2338 default: /* Paranoia */
2339 case ERROR:
2340 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2341 return ERROR;
2342
2343 case OK:
2344 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2345 verbs[acl->verb]);
2346 break;
2347
2348 case FAIL:
2349 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2350 break;
2351
2352 /* DISCARD and DROP can happen only from a nested ACL condition, and
2353 DISCARD can happen only for an "accept" or "discard" verb. */
2354
2355 case DISCARD:
2356 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2357 verbs[acl->verb]);
2358 break;
2359
2360 case FAIL_DROP:
2361 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2362 verbs[acl->verb]);
2363 break;
2364 }
2365
2366 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2367 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2368 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2369
2370 switch(acl->verb)
2371 {
2372 case ACL_ACCEPT:
2373 if (cond == OK || cond == DISCARD) return cond;
2374 if (endpass_seen)
2375 {
2376 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2377 return cond;
2378 }
2379 break;
2380
2381 case ACL_DEFER:
2382 if (cond == OK)
2383 {
2384 acl_temp_details = TRUE;
2385 return DEFER;
2386 }
2387 break;
2388
2389 case ACL_DENY:
2390 if (cond == OK) return FAIL;
2391 break;
2392
2393 case ACL_DISCARD:
2394 if (cond == OK || cond == DISCARD) return DISCARD;
2395 if (endpass_seen)
2396 {
2397 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2398 return cond;
2399 }
2400 break;
2401
2402 case ACL_DROP:
2403 if (cond == OK) return FAIL_DROP;
2404 break;
2405
2406 case ACL_REQUIRE:
2407 if (cond != OK) return cond;
2408 break;
2409
2410 case ACL_WARN:
2411 if (cond == OK)
2412 acl_warn(where, *user_msgptr, *log_msgptr);
2413 else if (cond == DEFER)
2414 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2415 "condition test deferred: %s",
2416 (*log_msgptr == NULL)? US"" : *log_msgptr));
2417 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2418 break;
2419
2420 default:
2421 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2422 acl->verb);
2423 break;
2424 }
2425
2426 /* Pass to the next ACL item */
2427
2428 acl = acl->next;
2429 }
2430
2431 /* We have reached the end of the ACL. This is an implicit DENY. */
2432
2433 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2434 return FAIL;
2435 }
2436
2437
2438 /*************************************************
2439 * Check access using an ACL *
2440 *************************************************/
2441
2442 /* This is the external interface for ACL checks. It sets up an address and the
2443 expansions for $domain and $local_part when called after RCPT, then calls
2444 acl_check_internal() to do the actual work.
2445
2446 Arguments:
2447 where ACL_WHERE_xxxx indicating where called from
2448 data_string RCPT address, or SMTP command argument, or NULL
2449 s the input string; NULL is the same as an empty ACL => DENY
2450 user_msgptr where to put a user error (for SMTP response)
2451 log_msgptr where to put a logging message (not for SMTP response)
2452
2453 Returns: OK access is granted by an ACCEPT verb
2454 DISCARD access is granted by a DISCARD verb
2455 FAIL access is denied
2456 FAIL_DROP access is denied; drop the connection
2457 DEFER can't tell at the moment
2458 ERROR disaster
2459 */
2460
2461 int
2462 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2463 uschar **log_msgptr)
2464 {
2465 int rc;
2466 address_item adb;
2467 address_item *addr;
2468
2469 *user_msgptr = *log_msgptr = NULL;
2470 sender_verified_failed = NULL;
2471
2472 if (where == ACL_WHERE_RCPT)
2473 {
2474 adb = address_defaults;
2475 addr = &adb;
2476 addr->address = data_string;
2477 if (deliver_split_address(addr) == DEFER)
2478 {
2479 *log_msgptr = US"defer in percent_hack_domains check";
2480 return DEFER;
2481 }
2482 deliver_domain = addr->domain;
2483 deliver_localpart = addr->local_part;
2484 }
2485 else
2486 {
2487 addr = NULL;
2488 smtp_command_argument = data_string;
2489 }
2490
2491 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2492
2493 smtp_command_argument = deliver_domain =
2494 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2495
2496 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2497 ACL, which is really in the middle of an SMTP command. */
2498
2499 if (rc == DISCARD)
2500 {
2501 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2502 {
2503 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2504 "ACL", acl_wherenames[where]);
2505 return ERROR;
2506 }
2507 return DISCARD;
2508 }
2509
2510 /* A DROP response is not permitted from MAILAUTH */
2511
2512 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2513 {
2514 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2515 "ACL", acl_wherenames[where]);
2516 return ERROR;
2517 }
2518
2519 /* Before giving an error response, take a look at the length of any user
2520 message, and split it up into multiple lines if possible. */
2521
2522 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2523 {
2524 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2525 uschar *ss = s;
2526
2527 for (;;)
2528 {
2529 int i = 0;
2530 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2531 if (*ss == 0) break;
2532 if (*ss == '\n')
2533 s = ++ss;
2534 else
2535 {
2536 uschar *t = ss + 1;
2537 uschar *tt = NULL;
2538 while (--t > s + 35)
2539 {
2540 if (*t == ' ')
2541 {
2542 if (t[-1] == ':') { tt = t; break; }
2543 if (tt == NULL) tt = t;
2544 }
2545 }
2546
2547 if (tt == NULL) /* Can't split behind - try ahead */
2548 {
2549 t = ss + 1;
2550 while (*t != 0)
2551 {
2552 if (*t == ' ' || *t == '\n')
2553 { tt = t; break; }
2554 t++;
2555 }
2556 }
2557
2558 if (tt == NULL) break; /* Can't find anywhere to split */
2559 *tt = '\n';
2560 s = ss = tt+1;
2561 }
2562 }
2563 }
2564
2565 return rc;
2566 }
2567
2568 /* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.