projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
1. Diagnose an error if options are given for those "verify=" things that
[exim.git] / src / src / acl.c
1 /* $Cambridge: exim/src/src/acl.c,v 1.25 2005/03/15 15:36:41 ph10 Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10 /* Code for handling Access Control Lists (ACLs) */
11
12 #include "exim.h"
13
14
15 /* Default callout timeout */
16
17 #define CALLOUT_TIMEOUT_DEFAULT 30
18
19 /* ACL verb codes - keep in step with the table of verbs that follows */
20
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24 /* ACL verbs */
25
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30 /* For each verb, the condition for which "message" is used */
31
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34 /* ACL condition and modifier codes - keep in step with the table that
35 follows. */
36
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40 #endif
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44 #endif
45 ACLC_DELAY,
46 #ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
48 #endif
49 #ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
51 ACLC_DK_POLICY,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
54 ACLC_DK_SENDERS,
55 ACLC_DK_STATUS,
56 #endif
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59 #ifdef WITH_CONTENT_SCAN
60 ACLC_MALWARE,
61 #endif
62 ACLC_MESSAGE,
63 #ifdef WITH_CONTENT_SCAN
64 ACLC_MIME_REGEX,
65 #endif
66 ACLC_RECIPIENTS,
67 #ifdef WITH_CONTENT_SCAN
68 ACLC_REGEX,
69 #endif
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71 #ifdef WITH_CONTENT_SCAN
72 ACLC_SPAM,
73 #endif
74 #ifdef EXPERIMENTAL_SPF
75 ACLC_SPF,
76 #endif
77 ACLC_VERIFY };
78
79 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80 "log_message", "logwrite", and "set" are modifiers that look like conditions
81 but always return TRUE. They are used for their side effects. */
82
83 static uschar *conditions[] = { US"acl", US"authenticated",
84 #ifdef EXPERIMENTAL_BRIGHTMAIL
85 US"bmi_optin",
86 #endif
87 US"condition",
88 US"control",
89 #ifdef WITH_CONTENT_SCAN
90 US"decode",
91 #endif
92 US"delay",
93 #ifdef WITH_OLD_DEMIME
94 US"demime",
95 #endif
96 #ifdef EXPERIMENTAL_DOMAINKEYS
97 US"dk_domain_source",
98 US"dk_policy",
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
101 US"dk_senders",
102 US"dk_status",
103 #endif
104 US"dnslists", US"domains", US"encrypted",
105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
106 #ifdef WITH_CONTENT_SCAN
107 US"malware",
108 #endif
109 US"message",
110 #ifdef WITH_CONTENT_SCAN
111 US"mime_regex",
112 #endif
113 US"recipients",
114 #ifdef WITH_CONTENT_SCAN
115 US"regex",
116 #endif
117 US"sender_domains", US"senders", US"set",
118 #ifdef WITH_CONTENT_SCAN
119 US"spam",
120 #endif
121 #ifdef EXPERIMENTAL_SPF
122 US"spf",
123 #endif
124 US"verify" };
125
126 /* ACL control names */
127
128 static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
130 US"queue_only", US"submission", US"no_multiline"};
131
132 /* Flags to indicate for which conditions /modifiers a string expansion is done
133 at the outer level. In the other cases, expansion already occurs in the
134 checking functions. */
135
136 static uschar cond_expand_at_top[] = {
137 TRUE, /* acl */
138 FALSE, /* authenticated */
139 #ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
141 #endif
142 TRUE, /* condition */
143 TRUE, /* control */
144 #ifdef WITH_CONTENT_SCAN
145 TRUE, /* decode */
146 #endif
147 TRUE, /* delay */
148 #ifdef WITH_OLD_DEMIME
149 TRUE, /* demime */
150 #endif
151 #ifdef EXPERIMENTAL_DOMAINKEYS
152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
155 TRUE, /* dk_sender_local_parts */
156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
158 #endif
159 TRUE, /* dnslists */
160 FALSE, /* domains */
161 FALSE, /* encrypted */
162 TRUE, /* endpass */
163 FALSE, /* hosts */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
166 TRUE, /* logwrite */
167 #ifdef WITH_CONTENT_SCAN
168 TRUE, /* malware */
169 #endif
170 TRUE, /* message */
171 #ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
173 #endif
174 FALSE, /* recipients */
175 #ifdef WITH_CONTENT_SCAN
176 TRUE, /* regex */
177 #endif
178 FALSE, /* sender_domains */
179 FALSE, /* senders */
180 TRUE, /* set */
181 #ifdef WITH_CONTENT_SCAN
182 TRUE, /* spam */
183 #endif
184 #ifdef EXPERIMENTAL_SPF
185 TRUE, /* spf */
186 #endif
187 TRUE /* verify */
188 };
189
190 /* Flags to identify the modifiers */
191
192 static uschar cond_modifiers[] = {
193 FALSE, /* acl */
194 FALSE, /* authenticated */
195 #ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
197 #endif
198 FALSE, /* condition */
199 TRUE, /* control */
200 #ifdef WITH_CONTENT_SCAN
201 FALSE, /* decode */
202 #endif
203 TRUE, /* delay */
204 #ifdef WITH_OLD_DEMIME
205 FALSE, /* demime */
206 #endif
207 #ifdef EXPERIMENTAL_DOMAINKEYS
208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
211 FALSE, /* dk_sender_local_parts */
212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
214 #endif
215 FALSE, /* dnslists */
216 FALSE, /* domains */
217 FALSE, /* encrypted */
218 TRUE, /* endpass */
219 FALSE, /* hosts */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
222 TRUE, /* logwrite */
223 #ifdef WITH_CONTENT_SCAN
224 FALSE, /* malware */
225 #endif
226 TRUE, /* message */
227 #ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
229 #endif
230 FALSE, /* recipients */
231 #ifdef WITH_CONTENT_SCAN
232 FALSE, /* regex */
233 #endif
234 FALSE, /* sender_domains */
235 FALSE, /* senders */
236 TRUE, /* set */
237 #ifdef WITH_CONTENT_SCAN
238 FALSE, /* spam */
239 #endif
240 #ifdef EXPERIMENTAL_SPF
241 FALSE, /* spf */
242 #endif
243 FALSE /* verify */
244 };
245
246 /* Bit map vector of which conditions are not allowed at certain times. For
247 each condition, there's a bitmap of dis-allowed times. */
248
249 static unsigned int cond_forbids[] = {
250 0, /* acl */
251
252 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
253 (1<<ACL_WHERE_HELO),
254
255 #ifdef EXPERIMENTAL_BRIGHTMAIL
256 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
257 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
258 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
259 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
260 (1<<ACL_WHERE_MAILAUTH)|
261 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
262 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
263 #endif
264
265 0, /* condition */
266
267 /* Certain types of control are always allowed, so we let it through
268 always and check in the control processing itself */
269
270 0, /* control */
271
272 #ifdef WITH_CONTENT_SCAN
273 (1<<ACL_WHERE_AUTH)| /* decode */
274 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
275 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
276 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
277 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
278 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
279 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
280 #endif
281
282 0, /* delay */
283
284 #ifdef WITH_OLD_DEMIME
285 (1<<ACL_WHERE_AUTH)| /* demime */
286 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
287 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
288 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
289 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
290 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
291 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
292 #endif
293
294 #ifdef EXPERIMENTAL_DOMAINKEYS
295 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
296 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
297 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
298 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
299 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
300 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
301 (1<<ACL_WHERE_VRFY),
302
303 (1<<ACL_WHERE_AUTH)| /* dk_policy */
304 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
305 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
306 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
307 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
308 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
309 (1<<ACL_WHERE_VRFY),
310
311 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
312 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
313 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
314 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
315 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
316 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
317 (1<<ACL_WHERE_VRFY),
318
319 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
320 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
321 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
322 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
323 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
324 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
325 (1<<ACL_WHERE_VRFY),
326
327 (1<<ACL_WHERE_AUTH)| /* dk_senders */
328 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
329 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
330 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
331 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
332 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
333 (1<<ACL_WHERE_VRFY),
334
335 (1<<ACL_WHERE_AUTH)| /* dk_status */
336 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
337 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
338 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
339 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
340 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
341 (1<<ACL_WHERE_VRFY),
342 #endif
343
344 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
345
346 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
347 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
348 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
349 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
350 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
351 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
352 (1<<ACL_WHERE_VRFY),
353
354 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
355 (1<<ACL_WHERE_HELO),
356
357 0, /* endpass */
358
359 (1<<ACL_WHERE_NOTSMTP), /* hosts */
360
361 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
362 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
363 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
364 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
365 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
366 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
367 (1<<ACL_WHERE_VRFY),
368
369 0, /* log_message */
370
371 0, /* logwrite */
372
373 #ifdef WITH_CONTENT_SCAN
374 (1<<ACL_WHERE_AUTH)| /* malware */
375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
378 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
381 #endif
382
383 0, /* message */
384
385 #ifdef WITH_CONTENT_SCAN
386 (1<<ACL_WHERE_AUTH)| /* mime_regex */
387 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
388 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
389 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
390 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
391 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
392 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
393 #endif
394
395 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
396 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
400 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
401 (1<<ACL_WHERE_VRFY),
402
403 #ifdef WITH_CONTENT_SCAN
404 (1<<ACL_WHERE_AUTH)| /* regex */
405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
406 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
407 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
408 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
409 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
410 (1<<ACL_WHERE_VRFY),
411 #endif
412
413 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
414 (1<<ACL_WHERE_HELO)|
415 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
416 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
417 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
418
419 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
420 (1<<ACL_WHERE_HELO)|
421 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
422 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
423 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
424
425 0, /* set */
426
427 #ifdef WITH_CONTENT_SCAN
428 (1<<ACL_WHERE_AUTH)| /* spam */
429 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
430 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
431 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
432 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
433 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
434 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
435 #endif
436
437 #ifdef EXPERIMENTAL_SPF
438 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
439 (1<<ACL_WHERE_HELO)|
440 (1<<ACL_WHERE_MAILAUTH)|
441 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
442 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
443 #endif
444
445 /* Certain types of verify are always allowed, so we let it through
446 always and check in the verify function itself */
447
448 0 /* verify */
449 };
450
451
452 /* Return values from decode_control() */
453
454 enum {
455 #ifdef EXPERIMENTAL_BRIGHTMAIL
456 CONTROL_BMI_RUN,
457 #endif
458 #ifdef EXPERIMENTAL_DOMAINKEYS
459 CONTROL_DK_VERIFY,
460 #endif
461 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
462 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
463 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
464 #ifdef WITH_CONTENT_SCAN
465 CONTROL_NO_MBOX_UNSPOOL,
466 #endif
467 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
468
469 /* Bit map vector of which controls are not allowed at certain times. For
470 each control, there's a bitmap of dis-allowed times. For some, it is easier to
471 specify the negation of a small number of allowed times. */
472
473 static unsigned int control_forbids[] = {
474 #ifdef EXPERIMENTAL_BRIGHTMAIL
475 0, /* bmi_run */
476 #endif
477 #ifdef EXPERIMENTAL_DOMAINKEYS
478 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
479 #endif
480
481 0, /* error */
482
483 (unsigned int)
484 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
485
486 (unsigned int)
487 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
488
489 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
490
491 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
492
493 (unsigned int)
494 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
495 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
496 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
497
498 (unsigned int)
499 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
500 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
501 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
502
503 (unsigned int)
504 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
505 (1<<ACL_WHERE_PREDATA)),
506
507 #ifdef WITH_CONTENT_SCAN
508 (unsigned int)
509 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
510 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
511 (1<<ACL_WHERE_MIME)),
512 #endif
513
514 (unsigned int)
515 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
516 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
517 (1<<ACL_WHERE_MIME)),
518
519 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
520 };
521
522 /* Structure listing various control arguments, with their characteristics. */
523
524 typedef struct control_def {
525 uschar *name;
526 int value; /* CONTROL_xxx value */
527 BOOL has_option; /* Has /option(s) following */
528 } control_def;
529
530 static control_def controls_list[] = {
531 #ifdef EXPERIMENTAL_BRIGHTMAIL
532 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
533 #endif
534 #ifdef EXPERIMENTAL_DOMAINKEYS
535 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
536 #endif
537 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
538 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
539 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
540 { US"freeze", CONTROL_FREEZE, FALSE},
541 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
542 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
543 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
544 #ifdef WITH_CONTENT_SCAN
545 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
546 #endif
547 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
548 { US"submission", CONTROL_SUBMISSION, TRUE}
549 };
550
551 /* Enable recursion between acl_check_internal() and acl_check_condition() */
552
553 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
554 uschar **);
555
556
557 /*************************************************
558 * Pick out name from list *
559 *************************************************/
560
561 /* Use a binary chop method
562
563 Arguments:
564 name name to find
565 list list of names
566 end size of list
567
568 Returns: offset in list, or -1 if not found
569 */
570
571 static int
572 acl_checkname(uschar *name, uschar **list, int end)
573 {
574 int start = 0;
575
576 while (start < end)
577 {
578 int mid = (start + end)/2;
579 int c = Ustrcmp(name, list[mid]);
580 if (c == 0) return mid;
581 if (c < 0) end = mid; else start = mid + 1;
582 }
583
584 return -1;
585 }
586
587
588 /*************************************************
589 * Read and parse one ACL *
590 *************************************************/
591
592 /* This function is called both from readconf in order to parse the ACLs in the
593 configuration file, and also when an ACL is encountered dynamically (e.g. as
594 the result of an expansion). It is given a function to call in order to
595 retrieve the lines of the ACL. This function handles skipping comments and
596 blank lines (where relevant).
597
598 Arguments:
599 func function to get next line of ACL
600 error where to put an error message
601
602 Returns: pointer to ACL, or NULL
603 NULL can be legal (empty ACL); in this case error will be NULL
604 */
605
606 acl_block *
607 acl_read(uschar *(*func)(void), uschar **error)
608 {
609 acl_block *yield = NULL;
610 acl_block **lastp = &yield;
611 acl_block *this = NULL;
612 acl_condition_block *cond;
613 acl_condition_block **condp = NULL;
614 uschar *s;
615
616 *error = NULL;
617
618 while ((s = (*func)()) != NULL)
619 {
620 int v, c;
621 BOOL negated = FALSE;
622 uschar *saveline = s;
623 uschar name[64];
624
625 /* Conditions (but not verbs) are allowed to be negated by an initial
626 exclamation mark. */
627
628 while (isspace(*s)) s++;
629 if (*s == '!')
630 {
631 negated = TRUE;
632 s++;
633 }
634
635 /* Read the name of a verb or a condition, or the start of a new ACL */
636
637 s = readconf_readname(name, sizeof(name), s);
638 if (*s == ':')
639 {
640 if (negated || name[0] == 0)
641 {
642 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
643 return NULL;
644 }
645 break;
646 }
647
648 /* If a verb is unrecognized, it may be another condition or modifier that
649 continues the previous verb. */
650
651 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
652 if (v < 0)
653 {
654 if (this == NULL)
655 {
656 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
657 return NULL;
658 }
659 }
660
661 /* New verb */
662
663 else
664 {
665 if (negated)
666 {
667 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
668 return NULL;
669 }
670 this = store_get(sizeof(acl_block));
671 *lastp = this;
672 lastp = &(this->next);
673 this->next = NULL;
674 this->verb = v;
675 this->condition = NULL;
676 condp = &(this->condition);
677 if (*s == 0) continue; /* No condition on this line */
678 if (*s == '!')
679 {
680 negated = TRUE;
681 s++;
682 }
683 s = readconf_readname(name, sizeof(name), s); /* Condition name */
684 }
685
686 /* Handle a condition or modifier. */
687
688 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
689 if (c < 0)
690 {
691 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
692 saveline);
693 return NULL;
694 }
695
696 /* The modifiers may not be negated */
697
698 if (negated && cond_modifiers[c])
699 {
700 *error = string_sprintf("ACL error: negation is not allowed with "
701 "\"%s\"", conditions[c]);
702 return NULL;
703 }
704
705 /* ENDPASS may occur only with ACCEPT or DISCARD. */
706
707 if (c == ACLC_ENDPASS &&
708 this->verb != ACL_ACCEPT &&
709 this->verb != ACL_DISCARD)
710 {
711 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
712 conditions[c], verbs[this->verb]);
713 return NULL;
714 }
715
716 cond = store_get(sizeof(acl_condition_block));
717 cond->next = NULL;
718 cond->type = c;
719 cond->u.negated = negated;
720
721 *condp = cond;
722 condp = &(cond->next);
723
724 /* The "set" modifier is different in that its argument is "name=value"
725 rather than just a value, and we can check the validity of the name, which
726 gives us a variable number to insert into the data block. */
727
728 if (c == ACLC_SET)
729 {
730 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
731 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
732 {
733 *error = string_sprintf("unrecognized name after \"set\" in ACL "
734 "modifier \"set %s\"", s);
735 return NULL;
736 }
737
738 cond->u.varnumber = s[5] - '0';
739 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
740 s += 6;
741 while (isspace(*s)) s++;
742 }
743
744 /* For "set", we are now positioned for the data. For the others, only
745 "endpass" has no data */
746
747 if (c != ACLC_ENDPASS)
748 {
749 if (*s++ != '=')
750 {
751 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
752 cond_modifiers[c]? US"modifier" : US"condition");
753 return NULL;
754 }
755 while (isspace(*s)) s++;
756 cond->arg = string_copy(s);
757 }
758 }
759
760 return yield;
761 }
762
763
764
765 /*************************************************
766 * Handle warnings *
767 *************************************************/
768
769 /* This function is called when a WARN verb's conditions are true. It adds to
770 the message's headers, and/or writes information to the log. In each case, this
771 only happens once (per message for headers, per connection for log).
772
773 Arguments:
774 where ACL_WHERE_xxxx indicating which ACL this is
775 user_message message for adding to headers
776 log_message message for logging, if different
777
778 Returns: nothing
779 */
780
781 static void
782 acl_warn(int where, uschar *user_message, uschar *log_message)
783 {
784 int hlen;
785
786 if (log_message != NULL && log_message != user_message)
787 {
788 uschar *text;
789 string_item *logged;
790
791 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
792 string_printing(log_message));
793
794 /* If a sender verification has failed, and the log message is "sender verify
795 failed", add the failure message. */
796
797 if (sender_verified_failed != NULL &&
798 sender_verified_failed->message != NULL &&
799 strcmpic(log_message, US"sender verify failed") == 0)
800 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
801
802 /* Search previously logged warnings. They are kept in malloc store so they
803 can be freed at the start of a new message. */
804
805 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
806 if (Ustrcmp(logged->text, text) == 0) break;
807
808 if (logged == NULL)
809 {
810 int length = Ustrlen(text) + 1;
811 log_write(0, LOG_MAIN, "%s", text);
812 logged = store_malloc(sizeof(string_item) + length);
813 logged->text = (uschar *)logged + sizeof(string_item);
814 memcpy(logged->text, text, length);
815 logged->next = acl_warn_logged;
816 acl_warn_logged = logged;
817 }
818 }
819
820 /* If there's no user message, we are done. */
821
822 if (user_message == NULL) return;
823
824 /* If this isn't a message ACL, we can't do anything with a user message.
825 Log an error. */
826
827 if (where > ACL_WHERE_NOTSMTP)
828 {
829 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
830 "found in a non-message (%s) ACL: cannot specify header lines here: "
831 "message ignored", acl_wherenames[where]);
832 return;
833 }
834
835 /* Treat the user message as a sequence of one or more header lines. */
836
837 hlen = Ustrlen(user_message);
838 if (hlen > 0)
839 {
840 uschar *text, *p, *q;
841
842 /* Add a final newline if not present */
843
844 text = ((user_message)[hlen-1] == '\n')? user_message :
845 string_sprintf("%s\n", user_message);
846
847 /* Loop for multiple header lines, taking care about continuations */
848
849 for (p = q = text; *p != 0; )
850 {
851 uschar *s;
852 int newtype = htype_add_bot;
853 header_line **hptr = &acl_warn_headers;
854
855 /* Find next header line within the string */
856
857 for (;;)
858 {
859 q = Ustrchr(q, '\n');
860 if (*(++q) != ' ' && *q != '\t') break;
861 }
862
863 /* If the line starts with a colon, interpret the instruction for where to
864 add it. This temporarily sets up a new type. */
865
866 if (*p == ':')
867 {
868 if (strncmpic(p, US":after_received:", 16) == 0)
869 {
870 newtype = htype_add_rec;
871 p += 16;
872 }
873 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
874 {
875 newtype = htype_add_rfc;
876 p += 14;
877 }
878 else if (strncmpic(p, US":at_start:", 10) == 0)
879 {
880 newtype = htype_add_top;
881 p += 10;
882 }
883 else if (strncmpic(p, US":at_end:", 8) == 0)
884 {
885 newtype = htype_add_bot;
886 p += 8;
887 }
888 while (*p == ' ' || *p == '\t') p++;
889 }
890
891 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
892 to the front of it. */
893
894 for (s = p; s < q - 1; s++)
895 {
896 if (*s == ':' || !isgraph(*s)) break;
897 }
898
899 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
900 hlen = Ustrlen(s);
901
902 /* See if this line has already been added */
903
904 while (*hptr != NULL)
905 {
906 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
907 hptr = &((*hptr)->next);
908 }
909
910 /* Add if not previously present */
911
912 if (*hptr == NULL)
913 {
914 header_line *h = store_get(sizeof(header_line));
915 h->text = s;
916 h->next = NULL;
917 h->type = newtype;
918 h->slen = hlen;
919 *hptr = h;
920 hptr = &(h->next);
921 }
922
923 /* Advance for next header line within the string */
924
925 p = q;
926 }
927 }
928 }
929
930
931
932 /*************************************************
933 * Verify and check reverse DNS *
934 *************************************************/
935
936 /* Called from acl_verify() below. We look up the host name(s) of the client IP
937 address if this has not yet been done. The host_name_lookup() function checks
938 that one of these names resolves to an address list that contains the client IP
939 address, so we don't actually have to do the check here.
940
941 Arguments:
942 user_msgptr pointer for user message
943 log_msgptr pointer for log message
944
945 Returns: OK verification condition succeeded
946 FAIL verification failed
947 DEFER there was a problem verifying
948 */
949
950 static int
951 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
952 {
953 int rc;
954
955 user_msgptr = user_msgptr; /* stop compiler warning */
956
957 /* Previous success */
958
959 if (sender_host_name != NULL) return OK;
960
961 /* Previous failure */
962
963 if (host_lookup_failed)
964 {
965 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
966 return FAIL;
967 }
968
969 /* Need to do a lookup */
970
971 HDEBUG(D_acl)
972 debug_printf("looking up host name to force name/address consistency check\n");
973
974 if ((rc = host_name_lookup()) != OK)
975 {
976 *log_msgptr = (rc == DEFER)?
977 US"host lookup deferred for reverse lookup check"
978 :
979 string_sprintf("host lookup failed for reverse lookup check%s",
980 host_lookup_msg);
981 return rc; /* DEFER or FAIL */
982 }
983
984 host_build_sender_fullhost();
985 return OK;
986 }
987
988
989
990 /*************************************************
991 * Handle verification (address & other) *
992 *************************************************/
993
994 /* This function implements the "verify" condition. It is called when
995 encountered in any ACL, because some tests are almost always permitted. Some
996 just don't make sense, and always fail (for example, an attempt to test a host
997 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
998
999 Arguments:
1000 where where called from
1001 addr the recipient address that the ACL is handling, or NULL
1002 arg the argument of "verify"
1003 user_msgptr pointer for user message
1004 log_msgptr pointer for log message
1005 basic_errno where to put verify errno
1006
1007 Returns: OK verification condition succeeded
1008 FAIL verification failed
1009 DEFER there was a problem verifying
1010 ERROR syntax error
1011 */
1012
1013 static int
1014 acl_verify(int where, address_item *addr, uschar *arg,
1015 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1016 {
1017 int sep = '/';
1018 int callout = -1;
1019 int callout_overall = -1;
1020 int callout_connect = -1;
1021 int verify_options = 0;
1022 int rc;
1023 BOOL verify_header_sender = FALSE;
1024 BOOL defer_ok = FALSE;
1025 BOOL callout_defer_ok = FALSE;
1026 BOOL no_details = FALSE;
1027 address_item *sender_vaddr = NULL;
1028 uschar *verify_sender_address = NULL;
1029 uschar *pm_mailfrom = NULL;
1030 uschar *se_mailfrom = NULL;
1031
1032 /* Some of the verify items have slash-separated options; some do not. Diagnose
1033 an error if options are given for items that don't expect them. This code has
1034 now got very message. Refactoring to use a table would be a good idea one day.
1035 */
1036
1037 uschar *slash = Ustrchr(arg, '/');
1038 uschar *list = arg;
1039 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1040
1041 if (ss == NULL) goto BAD_VERIFY;
1042
1043 /* Handle name/address consistency verification in a separate function. */
1044
1045 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1046 {
1047 if (slash != NULL) goto NO_OPTIONS;
1048 if (sender_host_address == NULL) return OK;
1049 return acl_verify_reverse(user_msgptr, log_msgptr);
1050 }
1051
1052 /* TLS certificate verification is done at STARTTLS time; here we just
1053 test whether it was successful or not. (This is for optional verification; for
1054 mandatory verification, the connection doesn't last this long.) */
1055
1056 if (strcmpic(ss, US"certificate") == 0)
1057 {
1058 if (slash != NULL) goto NO_OPTIONS;
1059 if (tls_certificate_verified) return OK;
1060 *user_msgptr = US"no verified certificate";
1061 return FAIL;
1062 }
1063
1064 /* We can test the result of optional HELO verification */
1065
1066 if (strcmpic(ss, US"helo") == 0)
1067 {
1068 if (slash != NULL) goto NO_OPTIONS;
1069 return helo_verified? OK : FAIL;
1070 }
1071
1072 /* Check that all relevant header lines have the correct syntax. If there is
1073 a syntax error, we return details of the error to the sender if configured to
1074 send out full details. (But a "message" setting on the ACL can override, as
1075 always). */
1076
1077 if (strcmpic(ss, US"header_syntax") == 0)
1078 {
1079 if (slash != NULL) goto NO_OPTIONS;
1080 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1081 {
1082 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1083 "(only possible in ACL for DATA)", acl_wherenames[where]);
1084 return ERROR;
1085 }
1086 rc = verify_check_headers(log_msgptr);
1087 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1088 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1089 return rc;
1090 }
1091
1092
1093 /* The remaining verification tests check recipient and sender addresses,
1094 either from the envelope or from the header. There are a number of
1095 slash-separated options that are common to all of them. */
1096
1097
1098 /* Check that there is at least one verifiable sender address in the relevant
1099 header lines. This can be followed by callout and defer options, just like
1100 sender and recipient. */
1101
1102 if (strcmpic(ss, US"header_sender") == 0)
1103 {
1104 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1105 {
1106 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1107 "(only possible in ACL for DATA)", acl_wherenames[where]);
1108 return ERROR;
1109 }
1110 verify_header_sender = TRUE;
1111 }
1112
1113 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1114 In the case of a sender, this can optionally be followed by an address to use
1115 in place of the actual sender (rare special-case requirement). */
1116
1117 else if (strncmpic(ss, US"sender", 6) == 0)
1118 {
1119 uschar *s = ss + 6;
1120 if (where > ACL_WHERE_NOTSMTP)
1121 {
1122 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1123 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1124 acl_wherenames[where]);
1125 return ERROR;
1126 }
1127 if (*s == 0)
1128 verify_sender_address = sender_address;
1129 else
1130 {
1131 while (isspace(*s)) s++;
1132 if (*s++ != '=') goto BAD_VERIFY;
1133 while (isspace(*s)) s++;
1134 verify_sender_address = string_copy(s);
1135 }
1136 }
1137 else
1138 {
1139 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1140 if (addr == NULL)
1141 {
1142 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1143 "(only possible for RCPT)", acl_wherenames[where]);
1144 return ERROR;
1145 }
1146 }
1147
1148 /* Remaining items are optional; they apply to sender and recipient
1149 verification, including "header sender" verification. */
1150
1151 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1152 != NULL)
1153 {
1154 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1155 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1156
1157 /* These two old options are left for backwards compatibility */
1158
1159 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1160 {
1161 callout_defer_ok = TRUE;
1162 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1163 }
1164
1165 else if (strcmpic(ss, US"check_postmaster") == 0)
1166 {
1167 pm_mailfrom = US"";
1168 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1169 }
1170
1171 /* The callout option has a number of sub-options, comma separated */
1172
1173 else if (strncmpic(ss, US"callout", 7) == 0)
1174 {
1175 callout = CALLOUT_TIMEOUT_DEFAULT;
1176 ss += 7;
1177 if (*ss != 0)
1178 {
1179 while (isspace(*ss)) ss++;
1180 if (*ss++ == '=')
1181 {
1182 int optsep = ',';
1183 uschar *opt;
1184 uschar buffer[256];
1185 while (isspace(*ss)) ss++;
1186
1187 /* This callout option handling code has become a mess as new options
1188 have been added in an ad hoc manner. It should be tidied up into some
1189 kind of table-driven thing. */
1190
1191 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1192 != NULL)
1193 {
1194 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1195 else if (strcmpic(opt, US"no_cache") == 0)
1196 verify_options |= vopt_callout_no_cache;
1197 else if (strcmpic(opt, US"random") == 0)
1198 verify_options |= vopt_callout_random;
1199 else if (strcmpic(opt, US"use_sender") == 0)
1200 verify_options |= vopt_callout_recipsender;
1201 else if (strcmpic(opt, US"use_postmaster") == 0)
1202 verify_options |= vopt_callout_recippmaster;
1203 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1204
1205 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1206 {
1207 if (!verify_header_sender)
1208 {
1209 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1210 "callout option only for verify=header_sender (detected in ACL "
1211 "condition \"%s\")", arg);
1212 return ERROR;
1213 }
1214 opt += 8;
1215 while (isspace(*opt)) opt++;
1216 if (*opt++ != '=')
1217 {
1218 *log_msgptr = string_sprintf("'=' expected after "
1219 "\"mailfrom\" in ACL condition \"%s\"", arg);
1220 return ERROR;
1221 }
1222 while (isspace(*opt)) opt++;
1223 se_mailfrom = string_copy(opt);
1224 }
1225
1226 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1227 {
1228 opt += 19;
1229 while (isspace(*opt)) opt++;
1230 if (*opt++ != '=')
1231 {
1232 *log_msgptr = string_sprintf("'=' expected after "
1233 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1234 return ERROR;
1235 }
1236 while (isspace(*opt)) opt++;
1237 pm_mailfrom = string_copy(opt);
1238 }
1239
1240 else if (strncmpic(opt, US"maxwait", 7) == 0)
1241 {
1242 opt += 7;
1243 while (isspace(*opt)) opt++;
1244 if (*opt++ != '=')
1245 {
1246 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1247 "ACL condition \"%s\"", arg);
1248 return ERROR;
1249 }
1250 while (isspace(*opt)) opt++;
1251 callout_overall = readconf_readtime(opt, 0, FALSE);
1252 if (callout_overall < 0)
1253 {
1254 *log_msgptr = string_sprintf("bad time value in ACL condition "
1255 "\"verify %s\"", arg);
1256 return ERROR;
1257 }
1258 }
1259 else if (strncmpic(opt, US"connect", 7) == 0)
1260 {
1261 opt += 7;
1262 while (isspace(*opt)) opt++;
1263 if (*opt++ != '=')
1264 {
1265 *log_msgptr = string_sprintf("'=' expected after "
1266 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1267 return ERROR;
1268 }
1269 while (isspace(*opt)) opt++;
1270 callout_connect = readconf_readtime(opt, 0, FALSE);
1271 if (callout_connect < 0)
1272 {
1273 *log_msgptr = string_sprintf("bad time value in ACL condition "
1274 "\"verify %s\"", arg);
1275 return ERROR;
1276 }
1277 }
1278 else /* Plain time is callout connect/command timeout */
1279 {
1280 callout = readconf_readtime(opt, 0, FALSE);
1281 if (callout < 0)
1282 {
1283 *log_msgptr = string_sprintf("bad time value in ACL condition "
1284 "\"verify %s\"", arg);
1285 return ERROR;
1286 }
1287 }
1288 }
1289 }
1290 else
1291 {
1292 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1293 "ACL condition \"%s\"", arg);
1294 return ERROR;
1295 }
1296 }
1297 }
1298
1299 /* Option not recognized */
1300
1301 else
1302 {
1303 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1304 "condition \"verify %s\"", ss, arg);
1305 return ERROR;
1306 }
1307 }
1308
1309 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1310 (vopt_callout_recipsender|vopt_callout_recippmaster))
1311 {
1312 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1313 "for a recipient callout";
1314 return ERROR;
1315 }
1316
1317 /* Handle sender-in-header verification. Default the user message to the log
1318 message if giving out verification details. */
1319
1320 if (verify_header_sender)
1321 {
1322 int verrno;
1323 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1324 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1325 &verrno);
1326 if (rc != OK)
1327 {
1328 *basic_errno = verrno;
1329 if (smtp_return_error_details)
1330 {
1331 if (*user_msgptr == NULL && *log_msgptr != NULL)
1332 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1333 if (rc == DEFER) acl_temp_details = TRUE;
1334 }
1335 }
1336 }
1337
1338 /* Handle a sender address. The default is to verify *the* sender address, but
1339 optionally a different address can be given, for special requirements. If the
1340 address is empty, we are dealing with a bounce message that has no sender, so
1341 we cannot do any checking. If the real sender address gets rewritten during
1342 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1343 during message reception.
1344
1345 A list of verified "sender" addresses is kept to try to avoid doing to much
1346 work repetitively when there are multiple recipients in a message and they all
1347 require sender verification. However, when callouts are involved, it gets too
1348 complicated because different recipients may require different callout options.
1349 Therefore, we always do a full sender verify when any kind of callout is
1350 specified. Caching elsewhere, for instance in the DNS resolver and in the
1351 callout handling, should ensure that this is not terribly inefficient. */
1352
1353 else if (verify_sender_address != NULL)
1354 {
1355 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1356 != 0)
1357 {
1358 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1359 "sender verify callout";
1360 return ERROR;
1361 }
1362
1363 sender_vaddr = verify_checked_sender(verify_sender_address);
1364 if (sender_vaddr != NULL && /* Previously checked */
1365 callout <= 0) /* No callout needed this time */
1366 {
1367 /* If the "routed" flag is set, it means that routing worked before, so
1368 this check can give OK (the saved return code value, if set, belongs to a
1369 callout that was done previously). If the "routed" flag is not set, routing
1370 must have failed, so we use the saved return code. */
1371
1372 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1373 {
1374 rc = sender_vaddr->special_action;
1375 *basic_errno = sender_vaddr->basic_errno;
1376 }
1377 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1378 }
1379
1380 /* Do a new verification, and cache the result. The cache is used to avoid
1381 verifying the sender multiple times for multiple RCPTs when callouts are not
1382 specified (see comments above).
1383
1384 The cache is also used on failure to give details in response to the first
1385 RCPT that gets bounced for this reason. However, this can be suppressed by
1386 the no_details option, which sets the flag that says "this detail has already
1387 been sent". The cache normally contains just one address, but there may be
1388 more in esoteric circumstances. */
1389
1390 else
1391 {
1392 BOOL routed = TRUE;
1393 uschar *save_address_data = deliver_address_data;
1394
1395 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1396 if (no_details) setflag(sender_vaddr, af_sverify_told);
1397 if (verify_sender_address[0] != 0)
1398 {
1399 /* If this is the real sender address, save the unrewritten version
1400 for use later in receive. Otherwise, set a flag so that rewriting the
1401 sender in verify_address() does not update sender_address. */
1402
1403 if (verify_sender_address == sender_address)
1404 sender_address_unrewritten = sender_address;
1405 else
1406 verify_options |= vopt_fake_sender;
1407
1408 /* The recipient, qualify, and expn options are never set in
1409 verify_options. */
1410
1411 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1412 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1413
1414 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1415
1416 if (rc == OK)
1417 {
1418 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1419 {
1420 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1421 verify_sender_address, sender_vaddr->address);
1422 }
1423 else
1424 {
1425 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1426 verify_sender_address);
1427 }
1428 }
1429 else *basic_errno = sender_vaddr->basic_errno;
1430 }
1431 else rc = OK; /* Null sender */
1432
1433 /* Cache the result code */
1434
1435 if (routed) setflag(sender_vaddr, af_verify_routed);
1436 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1437 sender_vaddr->special_action = rc;
1438 sender_vaddr->next = sender_verified_list;
1439 sender_verified_list = sender_vaddr;
1440
1441 /* Restore the recipient address data, which might have been clobbered by
1442 the sender verification. */
1443
1444 deliver_address_data = save_address_data;
1445 }
1446
1447 /* Put the sender address_data value into $sender_address_data */
1448
1449 sender_address_data = sender_vaddr->p.address_data;
1450 }
1451
1452 /* A recipient address just gets a straightforward verify; again we must handle
1453 the DEFER overrides. */
1454
1455 else
1456 {
1457 address_item addr2;
1458
1459 /* We must use a copy of the address for verification, because it might
1460 get rewritten. */
1461
1462 addr2 = *addr;
1463 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1464 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1465 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1466
1467 *log_msgptr = addr2.message;
1468 *user_msgptr = (addr2.user_message != NULL)?
1469 addr2.user_message : addr2.message;
1470 *basic_errno = addr2.basic_errno;
1471
1472 /* Make $address_data visible */
1473 deliver_address_data = addr2.p.address_data;
1474 }
1475
1476 /* We have a result from the relevant test. Handle defer overrides first. */
1477
1478 if (rc == DEFER && (defer_ok ||
1479 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1480 {
1481 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1482 defer_ok? "defer_ok" : "callout_defer_ok");
1483 rc = OK;
1484 }
1485
1486 /* If we've failed a sender, set up a recipient message, and point
1487 sender_verified_failed to the address item that actually failed. */
1488
1489 if (rc != OK && verify_sender_address != NULL)
1490 {
1491 if (rc != DEFER)
1492 {
1493 *log_msgptr = *user_msgptr = US"Sender verify failed";
1494 }
1495 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1496 {
1497 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1498 }
1499 else
1500 {
1501 *log_msgptr = US"Could not complete sender verify callout";
1502 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1503 *log_msgptr;
1504 }
1505
1506 sender_verified_failed = sender_vaddr;
1507 }
1508
1509 /* Verifying an address messes up the values of $domain and $local_part,
1510 so reset them before returning if this is a RCPT ACL. */
1511
1512 if (addr != NULL)
1513 {
1514 deliver_domain = addr->domain;
1515 deliver_localpart = addr->local_part;
1516 }
1517 return rc;
1518
1519 /* Syntax errors in the verify argument come here. */
1520
1521 BAD_VERIFY:
1522 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1523 "\"helo\", \"header_syntax\", \"header_sender\" or "
1524 "\"reverse_host_lookup\" at start of ACL condition "
1525 "\"verify %s\"", arg);
1526 return ERROR;
1527
1528 /* Options supplied when not allowed come here */
1529
1530 NO_OPTIONS:
1531 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1532 "(this verify item has no options)", arg);
1533 return ERROR;
1534 }
1535
1536
1537
1538
1539 /*************************************************
1540 * Check argument for control= modifier *
1541 *************************************************/
1542
1543 /* Called from acl_check_condition() below
1544
1545 Arguments:
1546 arg the argument string for control=
1547 pptr set to point to the terminating character
1548 where which ACL we are in
1549 log_msgptr for error messages
1550
1551 Returns: CONTROL_xxx value
1552 */
1553
1554 static int
1555 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1556 {
1557 int len;
1558 control_def *d;
1559
1560 for (d = controls_list;
1561 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1562 d++)
1563 {
1564 len = Ustrlen(d->name);
1565 if (Ustrncmp(d->name, arg, len) == 0) break;
1566 }
1567
1568 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1569 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1570 {
1571 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1572 return CONTROL_ERROR;
1573 }
1574
1575 *pptr = arg + len;
1576 return d->value;
1577 }
1578
1579
1580
1581 /*************************************************
1582 * Handle conditions/modifiers on an ACL item *
1583 *************************************************/
1584
1585 /* Called from acl_check() below.
1586
1587 Arguments:
1588 verb ACL verb
1589 cb ACL condition block - if NULL, result is OK
1590 where where called from
1591 addr the address being checked for RCPT, or NULL
1592 level the nesting level
1593 epp pointer to pass back TRUE if "endpass" encountered
1594 (applies only to "accept" and "discard")
1595 user_msgptr user message pointer
1596 log_msgptr log message pointer
1597 basic_errno pointer to where to put verify error
1598
1599 Returns: OK - all conditions are met
1600 DISCARD - an "acl" condition returned DISCARD - only allowed
1601 for "accept" or "discard" verbs
1602 FAIL - at least one condition fails
1603 FAIL_DROP - an "acl" condition returned FAIL_DROP
1604 DEFER - can't tell at the moment (typically, lookup defer,
1605 but can be temporary callout problem)
1606 ERROR - ERROR from nested ACL or expansion failure or other
1607 error
1608 */
1609
1610 static int
1611 acl_check_condition(int verb, acl_condition_block *cb, int where,
1612 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1613 uschar **log_msgptr, int *basic_errno)
1614 {
1615 uschar *user_message = NULL;
1616 uschar *log_message = NULL;
1617 uschar *p;
1618 int rc = OK;
1619 #ifdef WITH_CONTENT_SCAN
1620 int sep = '/';
1621 #endif
1622
1623 for (; cb != NULL; cb = cb->next)
1624 {
1625 uschar *arg;
1626 int control_type;
1627
1628 /* The message and log_message items set up messages to be used in
1629 case of rejection. They are expanded later. */
1630
1631 if (cb->type == ACLC_MESSAGE)
1632 {
1633 user_message = cb->arg;
1634 continue;
1635 }
1636
1637 if (cb->type == ACLC_LOG_MESSAGE)
1638 {
1639 log_message = cb->arg;
1640 continue;
1641 }
1642
1643 /* The endpass "condition" just sets a flag to show it occurred. This is
1644 checked at compile time to be on an "accept" or "discard" item. */
1645
1646 if (cb->type == ACLC_ENDPASS)
1647 {
1648 *epp = TRUE;
1649 continue;
1650 }
1651
1652 /* For other conditions and modifiers, the argument is expanded now for some
1653 of them, but not for all, because expansion happens down in some lower level
1654 checking functions in some cases. */
1655
1656 if (cond_expand_at_top[cb->type])
1657 {
1658 arg = expand_string(cb->arg);
1659 if (arg == NULL)
1660 {
1661 if (expand_string_forcedfail) continue;
1662 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1663 cb->arg, expand_string_message);
1664 return search_find_defer? DEFER : ERROR;
1665 }
1666 }
1667 else arg = cb->arg;
1668
1669 /* Show condition, and expanded condition if it's different */
1670
1671 HDEBUG(D_acl)
1672 {
1673 int lhswidth = 0;
1674 debug_printf("check %s%s %n",
1675 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1676 conditions[cb->type], &lhswidth);
1677
1678 if (cb->type == ACLC_SET)
1679 {
1680 int n = cb->u.varnumber;
1681 int t = (n < ACL_C_MAX)? 'c' : 'm';
1682 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1683 debug_printf("acl_%c%d ", t, n);
1684 lhswidth += 7;
1685 }
1686
1687 debug_printf("= %s\n", cb->arg);
1688
1689 if (arg != cb->arg)
1690 debug_printf("%.*s= %s\n", lhswidth,
1691 US" ", CS arg);
1692 }
1693
1694 /* Check that this condition makes sense at this time */
1695
1696 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1697 {
1698 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1699 cond_modifiers[cb->type]? "use" : "test",
1700 conditions[cb->type], acl_wherenames[where]);
1701 return ERROR;
1702 }
1703
1704 /* Run the appropriate test for each condition, or take the appropriate
1705 action for the remaining modifiers. */
1706
1707 switch(cb->type)
1708 {
1709 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1710 "discard" verb. */
1711
1712 case ACLC_ACL:
1713 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1714 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1715 {
1716 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1717 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1718 verbs[verb]);
1719 return ERROR;
1720 }
1721 break;
1722
1723 case ACLC_AUTHENTICATED:
1724 rc = (sender_host_authenticated == NULL)? FAIL :
1725 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1726 TRUE, NULL);
1727 break;
1728
1729 #ifdef EXPERIMENTAL_BRIGHTMAIL
1730 case ACLC_BMI_OPTIN:
1731 {
1732 int old_pool = store_pool;
1733 store_pool = POOL_PERM;
1734 bmi_current_optin = string_copy(arg);
1735 store_pool = old_pool;
1736 }
1737 break;
1738 #endif
1739
1740 case ACLC_CONDITION:
1741 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1742 rc = (Uatoi(arg) == 0)? FAIL : OK;
1743 else
1744 rc = (strcmpic(arg, US"no") == 0 ||
1745 strcmpic(arg, US"false") == 0)? FAIL :
1746 (strcmpic(arg, US"yes") == 0 ||
1747 strcmpic(arg, US"true") == 0)? OK : DEFER;
1748 if (rc == DEFER)
1749 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1750 break;
1751
1752 case ACLC_CONTROL:
1753 control_type = decode_control(arg, &p, where, log_msgptr);
1754
1755 /* Check if this control makes sense at this time */
1756
1757 if ((control_forbids[control_type] & (1 << where)) != 0)
1758 {
1759 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1760 controls[control_type], acl_wherenames[where]);
1761 return ERROR;
1762 }
1763
1764 switch(control_type)
1765 {
1766 #ifdef EXPERIMENTAL_BRIGHTMAIL
1767 case CONTROL_BMI_RUN:
1768 bmi_run = 1;
1769 break;
1770 #endif
1771 #ifdef EXPERIMENTAL_DOMAINKEYS
1772 case CONTROL_DK_VERIFY:
1773 dk_do_verify = 1;
1774 break;
1775 #endif
1776 case CONTROL_ERROR:
1777 return ERROR;
1778
1779 case CONTROL_CASEFUL_LOCAL_PART:
1780 deliver_localpart = addr->cc_local_part;
1781 break;
1782
1783 case CONTROL_CASELOWER_LOCAL_PART:
1784 deliver_localpart = addr->lc_local_part;
1785 break;
1786
1787 case CONTROL_ENFORCE_SYNC:
1788 smtp_enforce_sync = TRUE;
1789 break;
1790
1791 case CONTROL_NO_ENFORCE_SYNC:
1792 smtp_enforce_sync = FALSE;
1793 break;
1794
1795 #ifdef WITH_CONTENT_SCAN
1796 case CONTROL_NO_MBOX_UNSPOOL:
1797 no_mbox_unspool = TRUE;
1798 break;
1799 #endif
1800
1801 case CONTROL_NO_MULTILINE:
1802 no_multiline_responses = TRUE;
1803 break;
1804
1805 case CONTROL_FAKEREJECT:
1806 fake_reject = TRUE;
1807 if (*p == '/')
1808 {
1809 uschar *pp = p + 1;
1810 while (*pp != 0) pp++;
1811 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1812 p = pp;
1813 }
1814 else
1815 {
1816 /* Explicitly reset to default string */
1817 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
1818 }
1819 break;
1820
1821 case CONTROL_FREEZE:
1822 deliver_freeze = TRUE;
1823 deliver_frozen_at = time(NULL);
1824 break;
1825
1826 case CONTROL_QUEUE_ONLY:
1827 queue_only_policy = TRUE;
1828 break;
1829
1830 case CONTROL_SUBMISSION:
1831 submission_mode = TRUE;
1832 while (*p == '/')
1833 {
1834 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1835 {
1836 p += 14;
1837 active_local_sender_retain = TRUE;
1838 active_local_from_check = FALSE;
1839 }
1840 else if (Ustrncmp(p, "/domain=", 8) == 0)
1841 {
1842 uschar *pp = p + 8;
1843 while (*pp != 0 && *pp != '/') pp++;
1844 submission_domain = string_copyn(p+8, pp-p);
1845 p = pp;
1846 }
1847 else break;
1848 }
1849 if (*p != 0)
1850 {
1851 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1852 return ERROR;
1853 }
1854 break;
1855 }
1856 break;
1857
1858 #ifdef WITH_CONTENT_SCAN
1859 case ACLC_DECODE:
1860 rc = mime_decode(&arg);
1861 break;
1862 #endif
1863
1864 case ACLC_DELAY:
1865 {
1866 int delay = readconf_readtime(arg, 0, FALSE);
1867 if (delay < 0)
1868 {
1869 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1870 "modifier: \"%s\" is not a time value", arg);
1871 return ERROR;
1872 }
1873 else
1874 {
1875 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1876 delay);
1877 if (host_checking)
1878 {
1879 HDEBUG(D_acl)
1880 debug_printf("delay skipped in -bh checking mode\n");
1881 }
1882 else
1883 {
1884 while (delay > 0) delay = sleep(delay);
1885 }
1886 }
1887 }
1888 break;
1889
1890 #ifdef WITH_OLD_DEMIME
1891 case ACLC_DEMIME:
1892 rc = demime(&arg);
1893 break;
1894 #endif
1895
1896 #ifdef EXPERIMENTAL_DOMAINKEYS
1897 case ACLC_DK_DOMAIN_SOURCE:
1898 if (dk_verify_block == NULL) { rc = FAIL; break; };
1899 /* check header source of domain against given string */
1900 switch (dk_verify_block->address_source) {
1901 case DK_EXIM_ADDRESS_FROM_FROM:
1902 rc = match_isinlist(US"from", &arg, 0, NULL,
1903 NULL, MCL_STRING, TRUE, NULL);
1904 break;
1905 case DK_EXIM_ADDRESS_FROM_SENDER:
1906 rc = match_isinlist(US"sender", &arg, 0, NULL,
1907 NULL, MCL_STRING, TRUE, NULL);
1908 break;
1909 case DK_EXIM_ADDRESS_NONE:
1910 rc = match_isinlist(US"none", &arg, 0, NULL,
1911 NULL, MCL_STRING, TRUE, NULL);
1912 break;
1913 }
1914 break;
1915 case ACLC_DK_POLICY:
1916 if (dk_verify_block == NULL) { rc = FAIL; break; };
1917 /* check policy against given string, default FAIL */
1918 rc = FAIL;
1919 if (dk_verify_block->signsall)
1920 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1921 NULL, MCL_STRING, TRUE, NULL);
1922 if (dk_verify_block->testing)
1923 rc = match_isinlist(US"testing", &arg, 0, NULL,
1924 NULL, MCL_STRING, TRUE, NULL);
1925 break;
1926 case ACLC_DK_SENDER_DOMAINS:
1927 if (dk_verify_block == NULL) { rc = FAIL; break; };
1928 if (dk_verify_block->domain != NULL)
1929 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1930 NULL, MCL_DOMAIN, TRUE, NULL);
1931 else rc = FAIL;
1932 break;
1933 case ACLC_DK_SENDER_LOCAL_PARTS:
1934 if (dk_verify_block == NULL) { rc = FAIL; break; };
1935 if (dk_verify_block->local_part != NULL)
1936 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1937 NULL, MCL_LOCALPART, TRUE, NULL);
1938 else rc = FAIL;
1939 break;
1940 case ACLC_DK_SENDERS:
1941 if (dk_verify_block == NULL) { rc = FAIL; break; };
1942 if (dk_verify_block->address != NULL)
1943 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1944 else rc = FAIL;
1945 break;
1946 case ACLC_DK_STATUS:
1947 if (dk_verify_block == NULL) { rc = FAIL; break; };
1948 if (dk_verify_block->result > 0) {
1949 switch(dk_verify_block->result) {
1950 case DK_EXIM_RESULT_BAD_FORMAT:
1951 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1952 NULL, MCL_STRING, TRUE, NULL);
1953 break;
1954 case DK_EXIM_RESULT_NO_KEY:
1955 rc = match_isinlist(US"no key", &arg, 0, NULL,
1956 NULL, MCL_STRING, TRUE, NULL);
1957 break;
1958 case DK_EXIM_RESULT_NO_SIGNATURE:
1959 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1960 NULL, MCL_STRING, TRUE, NULL);
1961 break;
1962 case DK_EXIM_RESULT_REVOKED:
1963 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1964 NULL, MCL_STRING, TRUE, NULL);
1965 break;
1966 case DK_EXIM_RESULT_NON_PARTICIPANT:
1967 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1968 NULL, MCL_STRING, TRUE, NULL);
1969 break;
1970 case DK_EXIM_RESULT_GOOD:
1971 rc = match_isinlist(US"good", &arg, 0, NULL,
1972 NULL, MCL_STRING, TRUE, NULL);
1973 break;
1974 case DK_EXIM_RESULT_BAD:
1975 rc = match_isinlist(US"bad", &arg, 0, NULL,
1976 NULL, MCL_STRING, TRUE, NULL);
1977 break;
1978 }
1979 }
1980 break;
1981 #endif
1982
1983 case ACLC_DNSLISTS:
1984 rc = verify_check_dnsbl(&arg);
1985 break;
1986
1987 case ACLC_DOMAINS:
1988 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1989 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1990 break;
1991
1992 /* The value in tls_cipher is the full cipher name, for example,
1993 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1994 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1995 what may in practice come out of the SSL library - which at the time of
1996 writing is poorly documented. */
1997
1998 case ACLC_ENCRYPTED:
1999 if (tls_cipher == NULL) rc = FAIL; else
2000 {
2001 uschar *endcipher = NULL;
2002 uschar *cipher = Ustrchr(tls_cipher, ':');
2003 if (cipher == NULL) cipher = tls_cipher; else
2004 {
2005 endcipher = Ustrchr(++cipher, ':');
2006 if (endcipher != NULL) *endcipher = 0;
2007 }
2008 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2009 if (endcipher != NULL) *endcipher = ':';
2010 }
2011 break;
2012
2013 /* Use verify_check_this_host() instead of verify_check_host() so that
2014 we can pass over &host_data to catch any looked up data. Once it has been
2015 set, it retains its value so that it's still there if another ACL verb
2016 comes through here and uses the cache. However, we must put it into
2017 permanent store in case it is also expected to be used in a subsequent
2018 message in the same SMTP connection. */
2019
2020 case ACLC_HOSTS:
2021 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2022 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2023 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2024 break;
2025
2026 case ACLC_LOCAL_PARTS:
2027 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2028 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2029 &deliver_localpart_data);
2030 break;
2031
2032 case ACLC_LOGWRITE:
2033 {
2034 int logbits = 0;
2035 uschar *s = arg;
2036 if (*s == ':')
2037 {
2038 s++;
2039 while (*s != ':')
2040 {
2041 if (Ustrncmp(s, "main", 4) == 0)
2042 { logbits |= LOG_MAIN; s += 4; }
2043 else if (Ustrncmp(s, "panic", 5) == 0)
2044 { logbits |= LOG_PANIC; s += 5; }
2045 else if (Ustrncmp(s, "reject", 6) == 0)
2046 { logbits |= LOG_REJECT; s += 6; }
2047 else
2048 {
2049 logbits = LOG_MAIN|LOG_PANIC;
2050 s = string_sprintf(":unknown log name in \"%s\" in "
2051 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2052 }
2053 if (*s == ',') s++;
2054 }
2055 s++;
2056 }
2057 while (isspace(*s)) s++;
2058 if (logbits == 0) logbits = LOG_MAIN;
2059 log_write(0, logbits, "%s", string_printing(s));
2060 }
2061 break;
2062
2063 #ifdef WITH_CONTENT_SCAN
2064 case ACLC_MALWARE:
2065 {
2066 /* Seperate the regular expression and any optional parameters. */
2067 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2068 /* Run the malware backend. */
2069 rc = malware(&ss);
2070 /* Modify return code based upon the existance of options. */
2071 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2072 != NULL) {
2073 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2074 {
2075 /* FAIL so that the message is passed to the next ACL */
2076 rc = FAIL;
2077 }
2078 }
2079 }
2080 break;
2081
2082 case ACLC_MIME_REGEX:
2083 rc = mime_regex(&arg);
2084 break;
2085 #endif
2086
2087 case ACLC_RECIPIENTS:
2088 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2089 &recipient_data);
2090 break;
2091
2092 #ifdef WITH_CONTENT_SCAN
2093 case ACLC_REGEX:
2094 rc = regex(&arg);
2095 break;
2096 #endif
2097
2098 case ACLC_SENDER_DOMAINS:
2099 {
2100 uschar *sdomain;
2101 sdomain = Ustrrchr(sender_address, '@');
2102 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2103 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2104 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2105 }
2106 break;
2107
2108 case ACLC_SENDERS:
2109 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2110 sender_address_cache, -1, 0, &sender_data);
2111 break;
2112
2113 /* Connection variables must persist forever */
2114
2115 case ACLC_SET:
2116 {
2117 int old_pool = store_pool;
2118 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2119 acl_var[cb->u.varnumber] = string_copy(arg);
2120 store_pool = old_pool;
2121 }
2122 break;
2123
2124 #ifdef WITH_CONTENT_SCAN
2125 case ACLC_SPAM:
2126 {
2127 /* Seperate the regular expression and any optional parameters. */
2128 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2129 /* Run the spam backend. */
2130 rc = spam(&ss);
2131 /* Modify return code based upon the existance of options. */
2132 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2133 != NULL) {
2134 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2135 {
2136 /* FAIL so that the message is passed to the next ACL */
2137 rc = FAIL;
2138 }
2139 }
2140 }
2141 break;
2142 #endif
2143
2144 #ifdef EXPERIMENTAL_SPF
2145 case ACLC_SPF:
2146 rc = spf_process(&arg, sender_address);
2147 break;
2148 #endif
2149
2150 /* If the verb is WARN, discard any user message from verification, because
2151 such messages are SMTP responses, not header additions. The latter come
2152 only from explicit "message" modifiers. */
2153
2154 case ACLC_VERIFY:
2155 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2156 if (verb == ACL_WARN) *user_msgptr = NULL;
2157 break;
2158
2159 default:
2160 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2161 "condition %d", cb->type);
2162 break;
2163 }
2164
2165 /* If a condition was negated, invert OK/FAIL. */
2166
2167 if (!cond_modifiers[cb->type] && cb->u.negated)
2168 {
2169 if (rc == OK) rc = FAIL;
2170 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2171 }
2172
2173 if (rc != OK) break; /* Conditions loop */
2174 }
2175
2176
2177 /* If the result is the one for which "message" and/or "log_message" are used,
2178 handle the values of these options. Most verbs have but a single return for
2179 which the messages are relevant, but for "discard", it's useful to have the log
2180 message both when it succeeds and when it fails. Also, for an "accept" that
2181 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2182 and "warn" are permitted in that ACL, we don't need to test the verb.
2183
2184 These modifiers act in different ways:
2185
2186 "message" is a user message that will be included in an SMTP response. Unless
2187 it is empty, it overrides any previously set user message.
2188
2189 "log_message" is a non-user message, and it adds to any existing non-user
2190 message that is already set.
2191
2192 If there isn't a log message set, we make it the same as the user message. */
2193
2194 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2195 (verb == ACL_DISCARD && rc == OK) ||
2196 (where == ACL_WHERE_QUIT))
2197 {
2198 uschar *expmessage;
2199
2200 /* If the verb is "warn", messages generated by conditions (verification or
2201 nested ACLs) are discarded. Only messages specified at this level are used.
2202 However, the value of an existing message is available in $acl_verify_message
2203 during expansions. */
2204
2205 uschar *old_user_msgptr = *user_msgptr;
2206 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2207
2208 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2209
2210 if (user_message != NULL)
2211 {
2212 acl_verify_message = old_user_msgptr;
2213 expmessage = expand_string(user_message);
2214 if (expmessage == NULL)
2215 {
2216 if (!expand_string_forcedfail)
2217 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2218 user_message, expand_string_message);
2219 }
2220 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2221 }
2222
2223 if (log_message != NULL)
2224 {
2225 acl_verify_message = old_log_msgptr;
2226 expmessage = expand_string(log_message);
2227 if (expmessage == NULL)
2228 {
2229 if (!expand_string_forcedfail)
2230 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2231 log_message, expand_string_message);
2232 }
2233 else if (expmessage[0] != 0)
2234 {
2235 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2236 string_sprintf("%s: %s", expmessage, *log_msgptr);
2237 }
2238 }
2239
2240 /* If no log message, default it to the user message */
2241
2242 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2243 }
2244
2245 acl_verify_message = NULL;
2246 return rc;
2247 }
2248
2249
2250
2251
2252
2253 /*************************************************
2254 * Get line from a literal ACL *
2255 *************************************************/
2256
2257 /* This function is passed to acl_read() in order to extract individual lines
2258 of a literal ACL, which we access via static pointers. We can destroy the
2259 contents because this is called only once (the compiled ACL is remembered).
2260
2261 This code is intended to treat the data in the same way as lines in the main
2262 Exim configuration file. That is:
2263
2264 . Leading spaces are ignored.
2265
2266 . A \ at the end of a line is a continuation - trailing spaces after the \
2267 are permitted (this is because I don't believe in making invisible things
2268 significant). Leading spaces on the continued part of a line are ignored.
2269
2270 . Physical lines starting (significantly) with # are totally ignored, and
2271 may appear within a sequence of backslash-continued lines.
2272
2273 . Blank lines are ignored, but will end a sequence of continuations.
2274
2275 Arguments: none
2276 Returns: a pointer to the next line
2277 */
2278
2279
2280 static uschar *acl_text; /* Current pointer in the text */
2281 static uschar *acl_text_end; /* Points one past the terminating '0' */
2282
2283
2284 static uschar *
2285 acl_getline(void)
2286 {
2287 uschar *yield;
2288
2289 /* This loop handles leading blank lines and comments. */
2290
2291 for(;;)
2292 {
2293 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2294 if (*acl_text == 0) return NULL; /* No more data */
2295 yield = acl_text; /* Potential data line */
2296
2297 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2298
2299 /* If we hit the end before a newline, we have the whole logical line. If
2300 it's a comment, there's no more data to be given. Otherwise, yield it. */
2301
2302 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2303
2304 /* After reaching a newline, end this loop if the physical line does not
2305 start with '#'. If it does, it's a comment, and the loop continues. */
2306
2307 if (*yield != '#') break;
2308 }
2309
2310 /* This loop handles continuations. We know we have some real data, ending in
2311 newline. See if there is a continuation marker at the end (ignoring trailing
2312 white space). We know that *yield is not white space, so no need to test for
2313 cont > yield in the backwards scanning loop. */
2314
2315 for(;;)
2316 {
2317 uschar *cont;
2318 for (cont = acl_text - 1; isspace(*cont); cont--);
2319
2320 /* If no continuation follows, we are done. Mark the end of the line and
2321 return it. */
2322
2323 if (*cont != '\\')
2324 {
2325 *acl_text++ = 0;
2326 return yield;
2327 }
2328
2329 /* We have encountered a continuation. Skip over whitespace at the start of
2330 the next line, and indeed the whole of the next line or lines if they are
2331 comment lines. */
2332
2333 for (;;)
2334 {
2335 while (*(++acl_text) == ' ' || *acl_text == '\t');
2336 if (*acl_text != '#') break;
2337 while (*(++acl_text) != 0 && *acl_text != '\n');
2338 }
2339
2340 /* We have the start of a continuation line. Move all the rest of the data
2341 to join onto the previous line, and then find its end. If the end is not a
2342 newline, we are done. Otherwise loop to look for another continuation. */
2343
2344 memmove(cont, acl_text, acl_text_end - acl_text);
2345 acl_text_end -= acl_text - cont;
2346 acl_text = cont;
2347 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2348 if (*acl_text == 0) return yield;
2349 }
2350
2351 /* Control does not reach here */
2352 }
2353
2354
2355
2356
2357
2358 /*************************************************
2359 * Check access using an ACL *
2360 *************************************************/
2361
2362 /* This function is called from address_check. It may recurse via
2363 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2364 passed as a string which is expanded. A forced failure implies no access check
2365 is required. If the result is a single word, it is taken as the name of an ACL
2366 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2367 text, complete with newlines, and parsed as such. In both cases, the ACL check
2368 is then run. This function uses an auxiliary function for acl_read() to call
2369 for reading individual lines of a literal ACL. This is acl_getline(), which
2370 appears immediately above.
2371
2372 Arguments:
2373 where where called from
2374 addr address item when called from RCPT; otherwise NULL
2375 s the input string; NULL is the same as an empty ACL => DENY
2376 level the nesting level
2377 user_msgptr where to put a user error (for SMTP response)
2378 log_msgptr where to put a logging message (not for SMTP response)
2379
2380 Returns: OK access is granted
2381 DISCARD access is apparently granted...
2382 FAIL access is denied
2383 FAIL_DROP access is denied; drop the connection
2384 DEFER can't tell at the moment
2385 ERROR disaster
2386 */
2387
2388 static int
2389 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2390 uschar **user_msgptr, uschar **log_msgptr)
2391 {
2392 int fd = -1;
2393 acl_block *acl = NULL;
2394 uschar *acl_name = US"inline ACL";
2395 uschar *ss;
2396
2397 /* Catch configuration loops */
2398
2399 if (level > 20)
2400 {
2401 *log_msgptr = US"ACL nested too deep: possible loop";
2402 return ERROR;
2403 }
2404
2405 if (s == NULL)
2406 {
2407 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2408 return FAIL;
2409 }
2410
2411 /* At top level, we expand the incoming string. At lower levels, it has already
2412 been expanded as part of condition processing. */
2413
2414 if (level == 0)
2415 {
2416 ss = expand_string(s);
2417 if (ss == NULL)
2418 {
2419 if (expand_string_forcedfail) return OK;
2420 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2421 expand_string_message);
2422 return ERROR;
2423 }
2424 }
2425 else ss = s;
2426
2427 while (isspace(*ss))ss++;
2428
2429 /* If we can't find a named ACL, the default is to parse it as an inline one.
2430 (Unless it begins with a slash; non-existent files give rise to an error.) */
2431
2432 acl_text = ss;
2433
2434 /* Handle the case of a string that does not contain any spaces. Look for a
2435 named ACL among those read from the configuration, or a previously read file.
2436 It is possible that the pointer to the ACL is NULL if the configuration
2437 contains a name with no data. If not found, and the text begins with '/',
2438 read an ACL from a file, and save it so it can be re-used. */
2439
2440 if (Ustrchr(ss, ' ') == NULL)
2441 {
2442 tree_node *t = tree_search(acl_anchor, ss);
2443 if (t != NULL)
2444 {
2445 acl = (acl_block *)(t->data.ptr);
2446 if (acl == NULL)
2447 {
2448 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2449 return FAIL;
2450 }
2451 acl_name = string_sprintf("ACL \"%s\"", ss);
2452 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2453 }
2454
2455 else if (*ss == '/')
2456 {
2457 struct stat statbuf;
2458 fd = Uopen(ss, O_RDONLY, 0);
2459 if (fd < 0)
2460 {
2461 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2462 strerror(errno));
2463 return ERROR;
2464 }
2465
2466 if (fstat(fd, &statbuf) != 0)
2467 {
2468 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2469 strerror(errno));
2470 return ERROR;
2471 }
2472
2473 acl_text = store_get(statbuf.st_size + 1);
2474 acl_text_end = acl_text + statbuf.st_size + 1;
2475
2476 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2477 {
2478 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2479 ss, strerror(errno));
2480 return ERROR;
2481 }
2482 acl_text[statbuf.st_size] = 0;
2483 close(fd);
2484
2485 acl_name = string_sprintf("ACL \"%s\"", ss);
2486 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2487 }
2488 }
2489
2490 /* Parse an ACL that is still in text form. If it came from a file, remember it
2491 in the ACL tree, having read it into the POOL_PERM store pool so that it
2492 persists between multiple messages. */
2493
2494 if (acl == NULL)
2495 {
2496 int old_pool = store_pool;
2497 if (fd >= 0) store_pool = POOL_PERM;
2498 acl = acl_read(acl_getline, log_msgptr);
2499 store_pool = old_pool;
2500 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2501 if (fd >= 0)
2502 {
2503 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2504 Ustrcpy(t->name, ss);
2505 t->data.ptr = acl;
2506 (void)tree_insertnode(&acl_anchor, t);
2507 }
2508 }
2509
2510 /* Now we have an ACL to use. It's possible it may be NULL. */
2511
2512 while (acl != NULL)
2513 {
2514 int cond;
2515 int basic_errno = 0;
2516 BOOL endpass_seen = FALSE;
2517
2518 *log_msgptr = *user_msgptr = NULL;
2519 acl_temp_details = FALSE;
2520
2521 if (where == ACL_WHERE_QUIT &&
2522 acl->verb != ACL_ACCEPT &&
2523 acl->verb != ACL_WARN)
2524 {
2525 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2526 verbs[acl->verb]);
2527 return ERROR;
2528 }
2529
2530 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2531
2532 /* Clear out any search error message from a previous check before testing
2533 this condition. */
2534
2535 search_error_message = NULL;
2536 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2537 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2538
2539 /* Handle special returns: DEFER causes a return except on a WARN verb;
2540 ERROR always causes a return. */
2541
2542 switch (cond)
2543 {
2544 case DEFER:
2545 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2546 if (basic_errno != ERRNO_CALLOUTDEFER)
2547 {
2548 if (search_error_message != NULL && *search_error_message != 0)
2549 *log_msgptr = search_error_message;
2550 if (smtp_return_error_details) acl_temp_details = TRUE;
2551 }
2552 else
2553 {
2554 acl_temp_details = TRUE;
2555 }
2556 if (acl->verb != ACL_WARN) return DEFER;
2557 break;
2558
2559 default: /* Paranoia */
2560 case ERROR:
2561 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2562 return ERROR;
2563
2564 case OK:
2565 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2566 verbs[acl->verb]);
2567 break;
2568
2569 case FAIL:
2570 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2571 break;
2572
2573 /* DISCARD and DROP can happen only from a nested ACL condition, and
2574 DISCARD can happen only for an "accept" or "discard" verb. */
2575
2576 case DISCARD:
2577 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2578 verbs[acl->verb]);
2579 break;
2580
2581 case FAIL_DROP:
2582 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2583 verbs[acl->verb]);
2584 break;
2585 }
2586
2587 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2588 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2589 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2590
2591 switch(acl->verb)
2592 {
2593 case ACL_ACCEPT:
2594 if (cond == OK || cond == DISCARD) return cond;
2595 if (endpass_seen)
2596 {
2597 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2598 return cond;
2599 }
2600 break;
2601
2602 case ACL_DEFER:
2603 if (cond == OK)
2604 {
2605 acl_temp_details = TRUE;
2606 return DEFER;
2607 }
2608 break;
2609
2610 case ACL_DENY:
2611 if (cond == OK) return FAIL;
2612 break;
2613
2614 case ACL_DISCARD:
2615 if (cond == OK || cond == DISCARD) return DISCARD;
2616 if (endpass_seen)
2617 {
2618 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2619 return cond;
2620 }
2621 break;
2622
2623 case ACL_DROP:
2624 if (cond == OK) return FAIL_DROP;
2625 break;
2626
2627 case ACL_REQUIRE:
2628 if (cond != OK) return cond;
2629 break;
2630
2631 case ACL_WARN:
2632 if (cond == OK)
2633 acl_warn(where, *user_msgptr, *log_msgptr);
2634 else if (cond == DEFER)
2635 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2636 "condition test deferred: %s",
2637 (*log_msgptr == NULL)? US"" : *log_msgptr));
2638 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2639 break;
2640
2641 default:
2642 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2643 acl->verb);
2644 break;
2645 }
2646
2647 /* Pass to the next ACL item */
2648
2649 acl = acl->next;
2650 }
2651
2652 /* We have reached the end of the ACL. This is an implicit DENY. */
2653
2654 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2655 return FAIL;
2656 }
2657
2658
2659 /*************************************************
2660 * Check access using an ACL *
2661 *************************************************/
2662
2663 /* This is the external interface for ACL checks. It sets up an address and the
2664 expansions for $domain and $local_part when called after RCPT, then calls
2665 acl_check_internal() to do the actual work.
2666
2667 Arguments:
2668 where ACL_WHERE_xxxx indicating where called from
2669 data_string RCPT address, or SMTP command argument, or NULL
2670 s the input string; NULL is the same as an empty ACL => DENY
2671 user_msgptr where to put a user error (for SMTP response)
2672 log_msgptr where to put a logging message (not for SMTP response)
2673
2674 Returns: OK access is granted by an ACCEPT verb
2675 DISCARD access is granted by a DISCARD verb
2676 FAIL access is denied
2677 FAIL_DROP access is denied; drop the connection
2678 DEFER can't tell at the moment
2679 ERROR disaster
2680 */
2681
2682 int
2683 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2684 uschar **log_msgptr)
2685 {
2686 int rc;
2687 address_item adb;
2688 address_item *addr;
2689
2690 *user_msgptr = *log_msgptr = NULL;
2691 sender_verified_failed = NULL;
2692
2693 if (where == ACL_WHERE_RCPT)
2694 {
2695 adb = address_defaults;
2696 addr = &adb;
2697 addr->address = data_string;
2698 if (deliver_split_address(addr) == DEFER)
2699 {
2700 *log_msgptr = US"defer in percent_hack_domains check";
2701 return DEFER;
2702 }
2703 deliver_domain = addr->domain;
2704 deliver_localpart = addr->local_part;
2705 }
2706 else
2707 {
2708 addr = NULL;
2709 smtp_command_argument = data_string;
2710 }
2711
2712 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2713
2714 smtp_command_argument = deliver_domain =
2715 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2716
2717 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2718 ACL, which is really in the middle of an SMTP command. */
2719
2720 if (rc == DISCARD)
2721 {
2722 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2723 {
2724 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2725 "ACL", acl_wherenames[where]);
2726 return ERROR;
2727 }
2728 return DISCARD;
2729 }
2730
2731 /* A DROP response is not permitted from MAILAUTH */
2732
2733 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2734 {
2735 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2736 "ACL", acl_wherenames[where]);
2737 return ERROR;
2738 }
2739
2740 /* Before giving an error response, take a look at the length of any user
2741 message, and split it up into multiple lines if possible. */
2742
2743 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2744 {
2745 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2746 uschar *ss = s;
2747
2748 for (;;)
2749 {
2750 int i = 0;
2751 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2752 if (*ss == 0) break;
2753 if (*ss == '\n')
2754 s = ++ss;
2755 else
2756 {
2757 uschar *t = ss + 1;
2758 uschar *tt = NULL;
2759 while (--t > s + 35)
2760 {
2761 if (*t == ' ')
2762 {
2763 if (t[-1] == ':') { tt = t; break; }
2764 if (tt == NULL) tt = t;
2765 }
2766 }
2767
2768 if (tt == NULL) /* Can't split behind - try ahead */
2769 {
2770 t = ss + 1;
2771 while (*t != 0)
2772 {
2773 if (*t == ' ' || *t == '\n')
2774 { tt = t; break; }
2775 t++;
2776 }
2777 }
2778
2779 if (tt == NULL) break; /* Can't find anywhere to split */
2780 *tt = '\n';
2781 s = ss = tt+1;
2782 }
2783 }
2784 }
2785
2786 return rc;
2787 }
2788
2789 /* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.