projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Use "system" message for $acl_verify_message if there is no "user"
[exim.git] / src / src / acl.c
1 /* $Cambridge: exim/src/src/acl.c,v 1.17 2005/01/12 15:41:27 ph10 Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10 /* Code for handling Access Control Lists (ACLs) */
11
12 #include "exim.h"
13
14
15 /* Default callout timeout */
16
17 #define CALLOUT_TIMEOUT_DEFAULT 30
18
19 /* ACL verb codes - keep in step with the table of verbs that follows */
20
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24 /* ACL verbs */
25
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30 /* For each verb, the condition for which "message" is used */
31
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34 /* ACL condition and modifier codes - keep in step with the table that
35 follows. */
36
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40 #endif
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44 #endif
45 ACLC_DELAY,
46 #ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
48 #endif
49 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
50 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
51 #ifdef WITH_CONTENT_SCAN
52 ACLC_MALWARE,
53 #endif
54 ACLC_MESSAGE,
55 #ifdef WITH_CONTENT_SCAN
56 ACLC_MIME_REGEX,
57 #endif
58 ACLC_RECIPIENTS,
59 #ifdef WITH_CONTENT_SCAN
60 ACLC_REGEX,
61 #endif
62 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
63 #ifdef WITH_CONTENT_SCAN
64 ACLC_SPAM,
65 #endif
66 #ifdef EXPERIMENTAL_SPF
67 ACLC_SPF,
68 #endif
69 ACLC_VERIFY };
70
71 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
72 "log_message", "logwrite", and "set" are modifiers that look like conditions
73 but always return TRUE. They are used for their side effects. */
74
75 static uschar *conditions[] = { US"acl", US"authenticated",
76 #ifdef EXPERIMENTAL_BRIGHTMAIL
77 US"bmi_optin",
78 #endif
79 US"condition",
80 US"control",
81 #ifdef WITH_CONTENT_SCAN
82 US"decode",
83 #endif
84 US"delay",
85 #ifdef WITH_OLD_DEMIME
86 US"demime",
87 #endif
88 US"dnslists", US"domains", US"encrypted",
89 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
90 #ifdef WITH_CONTENT_SCAN
91 US"malware",
92 #endif
93 US"message",
94 #ifdef WITH_CONTENT_SCAN
95 US"mime_regex",
96 #endif
97 US"recipients",
98 #ifdef WITH_CONTENT_SCAN
99 US"regex",
100 #endif
101 US"sender_domains", US"senders", US"set",
102 #ifdef WITH_CONTENT_SCAN
103 US"spam",
104 #endif
105 #ifdef EXPERIMENTAL_SPF
106 US"spf",
107 #endif
108 US"verify" };
109
110 /* ACL control names */
111
112 static uschar *controls[] = { US"error", US"caseful_local_part",
113 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
114 US"queue_only", US"submission", US"no_multiline"};
115
116 /* Flags to indicate for which conditions /modifiers a string expansion is done
117 at the outer level. In the other cases, expansion already occurs in the
118 checking functions. */
119
120 static uschar cond_expand_at_top[] = {
121 TRUE, /* acl */
122 FALSE, /* authenticated */
123 #ifdef EXPERIMENTAL_BRIGHTMAIL
124 TRUE, /* bmi_optin */
125 #endif
126 TRUE, /* condition */
127 TRUE, /* control */
128 #ifdef WITH_CONTENT_SCAN
129 TRUE, /* decode */
130 #endif
131 TRUE, /* delay */
132 #ifdef WITH_OLD_DEMIME
133 TRUE, /* demime */
134 #endif
135 TRUE, /* dnslists */
136 FALSE, /* domains */
137 FALSE, /* encrypted */
138 TRUE, /* endpass */
139 FALSE, /* hosts */
140 FALSE, /* local_parts */
141 TRUE, /* log_message */
142 TRUE, /* logwrite */
143 #ifdef WITH_CONTENT_SCAN
144 TRUE, /* malware */
145 #endif
146 TRUE, /* message */
147 #ifdef WITH_CONTENT_SCAN
148 TRUE, /* mime_regex */
149 #endif
150 FALSE, /* recipients */
151 #ifdef WITH_CONTENT_SCAN
152 TRUE, /* regex */
153 #endif
154 FALSE, /* sender_domains */
155 FALSE, /* senders */
156 TRUE, /* set */
157 #ifdef WITH_CONTENT_SCAN
158 TRUE, /* spam */
159 #endif
160 #ifdef EXPERIMENTAL_SPF
161 TRUE, /* spf */
162 #endif
163 TRUE /* verify */
164 };
165
166 /* Flags to identify the modifiers */
167
168 static uschar cond_modifiers[] = {
169 FALSE, /* acl */
170 FALSE, /* authenticated */
171 #ifdef EXPERIMENTAL_BRIGHTMAIL
172 TRUE, /* bmi_optin */
173 #endif
174 FALSE, /* condition */
175 TRUE, /* control */
176 #ifdef WITH_CONTENT_SCAN
177 FALSE, /* decode */
178 #endif
179 TRUE, /* delay */
180 #ifdef WITH_OLD_DEMIME
181 FALSE, /* demime */
182 #endif
183 FALSE, /* dnslists */
184 FALSE, /* domains */
185 FALSE, /* encrypted */
186 TRUE, /* endpass */
187 FALSE, /* hosts */
188 FALSE, /* local_parts */
189 TRUE, /* log_message */
190 TRUE, /* logwrite */
191 #ifdef WITH_CONTENT_SCAN
192 FALSE, /* malware */
193 #endif
194 TRUE, /* message */
195 #ifdef WITH_CONTENT_SCAN
196 FALSE, /* mime_regex */
197 #endif
198 FALSE, /* recipients */
199 #ifdef WITH_CONTENT_SCAN
200 FALSE, /* regex */
201 #endif
202 FALSE, /* sender_domains */
203 FALSE, /* senders */
204 TRUE, /* set */
205 #ifdef WITH_CONTENT_SCAN
206 FALSE, /* spam */
207 #endif
208 #ifdef EXPERIMENTAL_SPF
209 FALSE, /* spf */
210 #endif
211 FALSE /* verify */
212 };
213
214 /* Bit map vector of which conditions are not allowed at certain times. For
215 each condition, there's a bitmap of dis-allowed times. */
216
217 static unsigned int cond_forbids[] = {
218 0, /* acl */
219
220 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
221 (1<<ACL_WHERE_HELO),
222
223 #ifdef EXPERIMENTAL_BRIGHTMAIL
224 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
225 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
226 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
227 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
228 (1<<ACL_WHERE_MAILAUTH)|
229 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
230 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
231 #endif
232
233 0, /* condition */
234
235 /* Certain types of control are always allowed, so we let it through
236 always and check in the control processing itself */
237
238 0, /* control */
239
240 #ifdef WITH_CONTENT_SCAN
241 (1<<ACL_WHERE_AUTH)| /* decode */
242 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
243 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
244 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
245 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
246 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
247 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
248 #endif
249
250 0, /* delay */
251
252 #ifdef WITH_OLD_DEMIME
253 (1<<ACL_WHERE_AUTH)| /* demime */
254 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
255 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
256 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
257 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
258 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
259 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
260 #endif
261
262 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
263
264 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
265 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
266 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
267 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
268 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
269 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
270 (1<<ACL_WHERE_VRFY),
271
272 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
273 (1<<ACL_WHERE_HELO),
274
275 0, /* endpass */
276
277 (1<<ACL_WHERE_NOTSMTP), /* hosts */
278
279 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
280 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
281 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
282 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
283 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
284 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
285 (1<<ACL_WHERE_VRFY),
286
287 0, /* log_message */
288
289 0, /* logwrite */
290
291 #ifdef WITH_CONTENT_SCAN
292 (1<<ACL_WHERE_AUTH)| /* malware */
293 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
294 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
295 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
296 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
297 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
298 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
299 #endif
300
301 0, /* message */
302
303 #ifdef WITH_CONTENT_SCAN
304 (1<<ACL_WHERE_AUTH)| /* mime_regex */
305 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
306 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
307 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
308 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
309 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
310 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
311 #endif
312
313 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
314 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
315 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
316 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
317 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
318 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
319 (1<<ACL_WHERE_VRFY),
320
321 #ifdef WITH_CONTENT_SCAN
322 (1<<ACL_WHERE_AUTH)| /* regex */
323 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
324 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
325 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
326 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
327 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
328 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
329 #endif
330
331 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
332 (1<<ACL_WHERE_HELO)|
333 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
334 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
335 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
336
337 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
338 (1<<ACL_WHERE_HELO)|
339 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
340 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
341 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
342
343 0, /* set */
344
345 #ifdef WITH_CONTENT_SCAN
346 (1<<ACL_WHERE_AUTH)| /* spam */
347 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
348 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
349 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
350 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
351 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
352 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
353 #endif
354
355 #ifdef EXPERIMENTAL_SPF
356 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
357 (1<<ACL_WHERE_HELO)|
358 (1<<ACL_WHERE_MAILAUTH)|
359 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
360 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
361 #endif
362
363 /* Certain types of verify are always allowed, so we let it through
364 always and check in the verify function itself */
365
366 0 /* verify */
367 };
368
369
370 /* Return values from decode_control() */
371
372 enum {
373 #ifdef EXPERIMENTAL_BRIGHTMAIL
374 CONTROL_BMI_RUN,
375 #endif
376 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
377 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
378 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
379 #ifdef WITH_CONTENT_SCAN
380 CONTROL_NO_MBOX_UNSPOOL,
381 #endif
382 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
383
384 /* Bit map vector of which controls are not allowed at certain times. For
385 each control, there's a bitmap of dis-allowed times. For some, it is easier to
386 specify the negation of a small number of allowed times. */
387
388 static unsigned int control_forbids[] = {
389 #ifdef EXPERIMENTAL_BRIGHTMAIL
390 0, /* bmi_run */
391 #endif
392
393 0, /* error */
394
395 (unsigned int)
396 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
397
398 (unsigned int)
399 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
400
401 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
402
403 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
404
405 (unsigned int)
406 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
407 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
408 (1<<ACL_WHERE_NOTSMTP)),
409
410 (unsigned int)
411 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
412 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
413 (1<<ACL_WHERE_NOTSMTP)),
414
415 (unsigned int)
416 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
417 (1<<ACL_WHERE_PREDATA)),
418
419 #ifdef WITH_CONTENT_SCAN
420 (unsigned int)
421 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
422 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)),
423 #endif
424
425 (unsigned int)
426 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
427 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)),
428
429 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
430 };
431
432 /* Structure listing various control arguments, with their characteristics. */
433
434 typedef struct control_def {
435 uschar *name;
436 int value; /* CONTROL_xxx value */
437 BOOL has_option; /* Has /option(s) following */
438 } control_def;
439
440 static control_def controls_list[] = {
441 #ifdef EXPERIMENTAL_BRIGHTMAIL
442 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
443 #endif
444 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
445 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
446 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
447 { US"freeze", CONTROL_FREEZE, FALSE},
448 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
449 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
450 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
451 #ifdef WITH_CONTENT_SCAN
452 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
453 #endif
454 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
455 { US"submission", CONTROL_SUBMISSION, TRUE}
456 };
457
458 /* Enable recursion between acl_check_internal() and acl_check_condition() */
459
460 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
461 uschar **);
462
463
464 /*************************************************
465 * Pick out name from list *
466 *************************************************/
467
468 /* Use a binary chop method
469
470 Arguments:
471 name name to find
472 list list of names
473 end size of list
474
475 Returns: offset in list, or -1 if not found
476 */
477
478 static int
479 acl_checkname(uschar *name, uschar **list, int end)
480 {
481 int start = 0;
482
483 while (start < end)
484 {
485 int mid = (start + end)/2;
486 int c = Ustrcmp(name, list[mid]);
487 if (c == 0) return mid;
488 if (c < 0) end = mid; else start = mid + 1;
489 }
490
491 return -1;
492 }
493
494
495 /*************************************************
496 * Read and parse one ACL *
497 *************************************************/
498
499 /* This function is called both from readconf in order to parse the ACLs in the
500 configuration file, and also when an ACL is encountered dynamically (e.g. as
501 the result of an expansion). It is given a function to call in order to
502 retrieve the lines of the ACL. This function handles skipping comments and
503 blank lines (where relevant).
504
505 Arguments:
506 func function to get next line of ACL
507 error where to put an error message
508
509 Returns: pointer to ACL, or NULL
510 NULL can be legal (empty ACL); in this case error will be NULL
511 */
512
513 acl_block *
514 acl_read(uschar *(*func)(void), uschar **error)
515 {
516 acl_block *yield = NULL;
517 acl_block **lastp = &yield;
518 acl_block *this = NULL;
519 acl_condition_block *cond;
520 acl_condition_block **condp = NULL;
521 uschar *s;
522
523 *error = NULL;
524
525 while ((s = (*func)()) != NULL)
526 {
527 int v, c;
528 BOOL negated = FALSE;
529 uschar *saveline = s;
530 uschar name[64];
531
532 /* Conditions (but not verbs) are allowed to be negated by an initial
533 exclamation mark. */
534
535 while (isspace(*s)) s++;
536 if (*s == '!')
537 {
538 negated = TRUE;
539 s++;
540 }
541
542 /* Read the name of a verb or a condition, or the start of a new ACL */
543
544 s = readconf_readname(name, sizeof(name), s);
545 if (*s == ':')
546 {
547 if (negated || name[0] == 0)
548 {
549 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
550 return NULL;
551 }
552 break;
553 }
554
555 /* If a verb is unrecognized, it may be another condition or modifier that
556 continues the previous verb. */
557
558 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
559 if (v < 0)
560 {
561 if (this == NULL)
562 {
563 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
564 return NULL;
565 }
566 }
567
568 /* New verb */
569
570 else
571 {
572 if (negated)
573 {
574 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
575 return NULL;
576 }
577 this = store_get(sizeof(acl_block));
578 *lastp = this;
579 lastp = &(this->next);
580 this->next = NULL;
581 this->verb = v;
582 this->condition = NULL;
583 condp = &(this->condition);
584 if (*s == 0) continue; /* No condition on this line */
585 if (*s == '!')
586 {
587 negated = TRUE;
588 s++;
589 }
590 s = readconf_readname(name, sizeof(name), s); /* Condition name */
591 }
592
593 /* Handle a condition or modifier. */
594
595 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
596 if (c < 0)
597 {
598 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
599 saveline);
600 return NULL;
601 }
602
603 /* The modifiers may not be negated */
604
605 if (negated && cond_modifiers[c])
606 {
607 *error = string_sprintf("ACL error: negation is not allowed with "
608 "\"%s\"", conditions[c]);
609 return NULL;
610 }
611
612 /* ENDPASS may occur only with ACCEPT or DISCARD. */
613
614 if (c == ACLC_ENDPASS &&
615 this->verb != ACL_ACCEPT &&
616 this->verb != ACL_DISCARD)
617 {
618 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
619 conditions[c], verbs[this->verb]);
620 return NULL;
621 }
622
623 cond = store_get(sizeof(acl_condition_block));
624 cond->next = NULL;
625 cond->type = c;
626 cond->u.negated = negated;
627
628 *condp = cond;
629 condp = &(cond->next);
630
631 /* The "set" modifier is different in that its argument is "name=value"
632 rather than just a value, and we can check the validity of the name, which
633 gives us a variable number to insert into the data block. */
634
635 if (c == ACLC_SET)
636 {
637 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
638 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
639 {
640 *error = string_sprintf("unrecognized name after \"set\" in ACL "
641 "modifier \"set %s\"", s);
642 return NULL;
643 }
644
645 cond->u.varnumber = s[5] - '0';
646 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
647 s += 6;
648 while (isspace(*s)) s++;
649 }
650
651 /* For "set", we are now positioned for the data. For the others, only
652 "endpass" has no data */
653
654 if (c != ACLC_ENDPASS)
655 {
656 if (*s++ != '=')
657 {
658 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
659 cond_modifiers[c]? US"modifier" : US"condition");
660 return NULL;
661 }
662 while (isspace(*s)) s++;
663 cond->arg = string_copy(s);
664 }
665 }
666
667 return yield;
668 }
669
670
671
672 /*************************************************
673 * Handle warnings *
674 *************************************************/
675
676 /* This function is called when a WARN verb's conditions are true. It adds to
677 the message's headers, and/or writes information to the log. In each case, this
678 only happens once (per message for headers, per connection for log).
679
680 Arguments:
681 where ACL_WHERE_xxxx indicating which ACL this is
682 user_message message for adding to headers
683 log_message message for logging, if different
684
685 Returns: nothing
686 */
687
688 static void
689 acl_warn(int where, uschar *user_message, uschar *log_message)
690 {
691 int hlen;
692
693 if (log_message != NULL && log_message != user_message)
694 {
695 uschar *text;
696 string_item *logged;
697
698 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
699 string_printing(log_message));
700
701 /* If a sender verification has failed, and the log message is "sender verify
702 failed", add the failure message. */
703
704 if (sender_verified_failed != NULL &&
705 sender_verified_failed->message != NULL &&
706 strcmpic(log_message, US"sender verify failed") == 0)
707 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
708
709 /* Search previously logged warnings. They are kept in malloc store so they
710 can be freed at the start of a new message. */
711
712 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
713 if (Ustrcmp(logged->text, text) == 0) break;
714
715 if (logged == NULL)
716 {
717 int length = Ustrlen(text) + 1;
718 log_write(0, LOG_MAIN, "%s", text);
719 logged = store_malloc(sizeof(string_item) + length);
720 logged->text = (uschar *)logged + sizeof(string_item);
721 memcpy(logged->text, text, length);
722 logged->next = acl_warn_logged;
723 acl_warn_logged = logged;
724 }
725 }
726
727 /* If there's no user message, we are done. */
728
729 if (user_message == NULL) return;
730
731 /* If this isn't a message ACL, we can't do anything with a user message.
732 Log an error. */
733
734 if (where > ACL_WHERE_NOTSMTP)
735 {
736 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
737 "found in a non-message (%s) ACL: cannot specify header lines here: "
738 "message ignored", acl_wherenames[where]);
739 return;
740 }
741
742 /* Treat the user message as a sequence of one or more header lines. */
743
744 hlen = Ustrlen(user_message);
745 if (hlen > 0)
746 {
747 uschar *text, *p, *q;
748
749 /* Add a final newline if not present */
750
751 text = ((user_message)[hlen-1] == '\n')? user_message :
752 string_sprintf("%s\n", user_message);
753
754 /* Loop for multiple header lines, taking care about continuations */
755
756 for (p = q = text; *p != 0; )
757 {
758 uschar *s;
759 int newtype = htype_add_bot;
760 header_line **hptr = &acl_warn_headers;
761
762 /* Find next header line within the string */
763
764 for (;;)
765 {
766 q = Ustrchr(q, '\n');
767 if (*(++q) != ' ' && *q != '\t') break;
768 }
769
770 /* If the line starts with a colon, interpret the instruction for where to
771 add it. This temporarily sets up a new type. */
772
773 if (*p == ':')
774 {
775 if (strncmpic(p, US":after_received:", 16) == 0)
776 {
777 newtype = htype_add_rec;
778 p += 16;
779 }
780 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
781 {
782 newtype = htype_add_rfc;
783 p += 14;
784 }
785 else if (strncmpic(p, US":at_start:", 10) == 0)
786 {
787 newtype = htype_add_top;
788 p += 10;
789 }
790 else if (strncmpic(p, US":at_end:", 8) == 0)
791 {
792 newtype = htype_add_bot;
793 p += 8;
794 }
795 while (*p == ' ' || *p == '\t') p++;
796 }
797
798 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
799 to the front of it. */
800
801 for (s = p; s < q - 1; s++)
802 {
803 if (*s == ':' || !isgraph(*s)) break;
804 }
805
806 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
807 hlen = Ustrlen(s);
808
809 /* See if this line has already been added */
810
811 while (*hptr != NULL)
812 {
813 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
814 hptr = &((*hptr)->next);
815 }
816
817 /* Add if not previously present */
818
819 if (*hptr == NULL)
820 {
821 header_line *h = store_get(sizeof(header_line));
822 h->text = s;
823 h->next = NULL;
824 h->type = newtype;
825 h->slen = hlen;
826 *hptr = h;
827 hptr = &(h->next);
828 }
829
830 /* Advance for next header line within the string */
831
832 p = q;
833 }
834 }
835 }
836
837
838
839 /*************************************************
840 * Verify and check reverse DNS *
841 *************************************************/
842
843 /* Called from acl_verify() below. We look up the host name(s) of the client IP
844 address if this has not yet been done. The host_name_lookup() function checks
845 that one of these names resolves to an address list that contains the client IP
846 address, so we don't actually have to do the check here.
847
848 Arguments:
849 user_msgptr pointer for user message
850 log_msgptr pointer for log message
851
852 Returns: OK verification condition succeeded
853 FAIL verification failed
854 DEFER there was a problem verifying
855 */
856
857 static int
858 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
859 {
860 int rc;
861
862 user_msgptr = user_msgptr; /* stop compiler warning */
863
864 /* Previous success */
865
866 if (sender_host_name != NULL) return OK;
867
868 /* Previous failure */
869
870 if (host_lookup_failed)
871 {
872 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
873 return FAIL;
874 }
875
876 /* Need to do a lookup */
877
878 HDEBUG(D_acl)
879 debug_printf("looking up host name to force name/address consistency check\n");
880
881 if ((rc = host_name_lookup()) != OK)
882 {
883 *log_msgptr = (rc == DEFER)?
884 US"host lookup deferred for reverse lookup check"
885 :
886 string_sprintf("host lookup failed for reverse lookup check%s",
887 host_lookup_msg);
888 return rc; /* DEFER or FAIL */
889 }
890
891 host_build_sender_fullhost();
892 return OK;
893 }
894
895
896
897 /*************************************************
898 * Handle verification (address & other) *
899 *************************************************/
900
901 /* This function implements the "verify" condition. It is called when
902 encountered in any ACL, because some tests are almost always permitted. Some
903 just don't make sense, and always fail (for example, an attempt to test a host
904 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
905
906 Arguments:
907 where where called from
908 addr the recipient address that the ACL is handling, or NULL
909 arg the argument of "verify"
910 user_msgptr pointer for user message
911 log_msgptr pointer for log message
912 basic_errno where to put verify errno
913
914 Returns: OK verification condition succeeded
915 FAIL verification failed
916 DEFER there was a problem verifying
917 ERROR syntax error
918 */
919
920 static int
921 acl_verify(int where, address_item *addr, uschar *arg,
922 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
923 {
924 int sep = '/';
925 int callout = -1;
926 int callout_overall = -1;
927 int callout_connect = -1;
928 int verify_options = 0;
929 int rc;
930 BOOL verify_header_sender = FALSE;
931 BOOL defer_ok = FALSE;
932 BOOL callout_defer_ok = FALSE;
933 BOOL no_details = FALSE;
934 address_item *sender_vaddr = NULL;
935 uschar *verify_sender_address = NULL;
936 uschar *pm_mailfrom = NULL;
937 uschar *se_mailfrom = NULL;
938 uschar *list = arg;
939 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
940
941 if (ss == NULL) goto BAD_VERIFY;
942
943 /* Handle name/address consistency verification in a separate function. */
944
945 if (strcmpic(ss, US"reverse_host_lookup") == 0)
946 {
947 if (sender_host_address == NULL) return OK;
948 return acl_verify_reverse(user_msgptr, log_msgptr);
949 }
950
951 /* TLS certificate verification is done at STARTTLS time; here we just
952 test whether it was successful or not. (This is for optional verification; for
953 mandatory verification, the connection doesn't last this long.) */
954
955 if (strcmpic(ss, US"certificate") == 0)
956 {
957 if (tls_certificate_verified) return OK;
958 *user_msgptr = US"no verified certificate";
959 return FAIL;
960 }
961
962 /* We can test the result of optional HELO verification */
963
964 if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
965
966 /* Handle header verification options - permitted only after DATA or a non-SMTP
967 message. */
968
969 if (strncmpic(ss, US"header_", 7) == 0)
970 {
971 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
972 {
973 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
974 "(only possible in ACL for DATA)", acl_wherenames[where]);
975 return ERROR;
976 }
977
978 /* Check that all relevant header lines have the correct syntax. If there is
979 a syntax error, we return details of the error to the sender if configured to
980 send out full details. (But a "message" setting on the ACL can override, as
981 always). */
982
983 if (strcmpic(ss+7, US"syntax") == 0)
984 {
985 int rc = verify_check_headers(log_msgptr);
986 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
987 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
988 return rc;
989 }
990
991 /* Check that there is at least one verifiable sender address in the relevant
992 header lines. This can be followed by callout and defer options, just like
993 sender and recipient. */
994
995 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
996
997 /* Unknown verify argument starting with "header_" */
998
999 else goto BAD_VERIFY;
1000 }
1001
1002 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1003 In the case of a sender, this can optionally be followed by an address to use
1004 in place of the actual sender (rare special-case requirement). */
1005
1006 else if (strncmpic(ss, US"sender", 6) == 0)
1007 {
1008 uschar *s = ss + 6;
1009 if (where > ACL_WHERE_NOTSMTP)
1010 {
1011 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1012 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1013 acl_wherenames[where]);
1014 return ERROR;
1015 }
1016 if (*s == 0)
1017 verify_sender_address = sender_address;
1018 else
1019 {
1020 while (isspace(*s)) s++;
1021 if (*s++ != '=') goto BAD_VERIFY;
1022 while (isspace(*s)) s++;
1023 verify_sender_address = string_copy(s);
1024 }
1025 }
1026 else
1027 {
1028 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1029 if (addr == NULL)
1030 {
1031 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1032 "(only possible for RCPT)", acl_wherenames[where]);
1033 return ERROR;
1034 }
1035 }
1036
1037 /* Remaining items are optional */
1038
1039 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1040 != NULL)
1041 {
1042 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1043 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1044
1045 /* These two old options are left for backwards compatibility */
1046
1047 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1048 {
1049 callout_defer_ok = TRUE;
1050 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1051 }
1052
1053 else if (strcmpic(ss, US"check_postmaster") == 0)
1054 {
1055 pm_mailfrom = US"";
1056 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1057 }
1058
1059 /* The callout option has a number of sub-options, comma separated */
1060
1061 else if (strncmpic(ss, US"callout", 7) == 0)
1062 {
1063 callout = CALLOUT_TIMEOUT_DEFAULT;
1064 ss += 7;
1065 if (*ss != 0)
1066 {
1067 while (isspace(*ss)) ss++;
1068 if (*ss++ == '=')
1069 {
1070 int optsep = ',';
1071 uschar *opt;
1072 uschar buffer[256];
1073 while (isspace(*ss)) ss++;
1074
1075 /* This callout option handling code has become a mess as new options
1076 have been added in an ad hoc manner. It should be tidied up into some
1077 kind of table-driven thing. */
1078
1079 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1080 != NULL)
1081 {
1082 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1083 else if (strcmpic(opt, US"no_cache") == 0)
1084 verify_options |= vopt_callout_no_cache;
1085 else if (strcmpic(opt, US"random") == 0)
1086 verify_options |= vopt_callout_random;
1087 else if (strcmpic(opt, US"use_sender") == 0)
1088 verify_options |= vopt_callout_recipsender;
1089 else if (strcmpic(opt, US"use_postmaster") == 0)
1090 verify_options |= vopt_callout_recippmaster;
1091 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1092
1093 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1094 {
1095 if (!verify_header_sender)
1096 {
1097 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1098 "callout option only for verify=header_sender (detected in ACL "
1099 "condition \"%s\")", arg);
1100 return ERROR;
1101 }
1102 opt += 8;
1103 while (isspace(*opt)) opt++;
1104 if (*opt++ != '=')
1105 {
1106 *log_msgptr = string_sprintf("'=' expected after "
1107 "\"mailfrom\" in ACL condition \"%s\"", arg);
1108 return ERROR;
1109 }
1110 while (isspace(*opt)) opt++;
1111 se_mailfrom = string_copy(opt);
1112 }
1113
1114 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1115 {
1116 opt += 19;
1117 while (isspace(*opt)) opt++;
1118 if (*opt++ != '=')
1119 {
1120 *log_msgptr = string_sprintf("'=' expected after "
1121 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1122 return ERROR;
1123 }
1124 while (isspace(*opt)) opt++;
1125 pm_mailfrom = string_copy(opt);
1126 }
1127
1128 else if (strncmpic(opt, US"maxwait", 7) == 0)
1129 {
1130 opt += 7;
1131 while (isspace(*opt)) opt++;
1132 if (*opt++ != '=')
1133 {
1134 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1135 "ACL condition \"%s\"", arg);
1136 return ERROR;
1137 }
1138 while (isspace(*opt)) opt++;
1139 callout_overall = readconf_readtime(opt, 0, FALSE);
1140 if (callout_overall < 0)
1141 {
1142 *log_msgptr = string_sprintf("bad time value in ACL condition "
1143 "\"verify %s\"", arg);
1144 return ERROR;
1145 }
1146 }
1147 else if (strncmpic(opt, US"connect", 7) == 0)
1148 {
1149 opt += 7;
1150 while (isspace(*opt)) opt++;
1151 if (*opt++ != '=')
1152 {
1153 *log_msgptr = string_sprintf("'=' expected after "
1154 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1155 return ERROR;
1156 }
1157 while (isspace(*opt)) opt++;
1158 callout_connect = readconf_readtime(opt, 0, FALSE);
1159 if (callout_connect < 0)
1160 {
1161 *log_msgptr = string_sprintf("bad time value in ACL condition "
1162 "\"verify %s\"", arg);
1163 return ERROR;
1164 }
1165 }
1166 else /* Plain time is callout connect/command timeout */
1167 {
1168 callout = readconf_readtime(opt, 0, FALSE);
1169 if (callout < 0)
1170 {
1171 *log_msgptr = string_sprintf("bad time value in ACL condition "
1172 "\"verify %s\"", arg);
1173 return ERROR;
1174 }
1175 }
1176 }
1177 }
1178 else
1179 {
1180 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1181 "ACL condition \"%s\"", arg);
1182 return ERROR;
1183 }
1184 }
1185 }
1186
1187 /* Option not recognized */
1188
1189 else
1190 {
1191 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1192 "condition \"verify %s\"", ss, arg);
1193 return ERROR;
1194 }
1195 }
1196
1197 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1198 (vopt_callout_recipsender|vopt_callout_recippmaster))
1199 {
1200 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1201 "for a recipient callout";
1202 return ERROR;
1203 }
1204
1205 /* Handle sender-in-header verification. Default the user message to the log
1206 message if giving out verification details. */
1207
1208 if (verify_header_sender)
1209 {
1210 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1211 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options);
1212 if (smtp_return_error_details)
1213 {
1214 if (*user_msgptr == NULL && *log_msgptr != NULL)
1215 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1216 if (rc == DEFER) acl_temp_details = TRUE;
1217 }
1218 }
1219
1220 /* Handle a sender address. The default is to verify *the* sender address, but
1221 optionally a different address can be given, for special requirements. If the
1222 address is empty, we are dealing with a bounce message that has no sender, so
1223 we cannot do any checking. If the real sender address gets rewritten during
1224 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1225 during message reception.
1226
1227 A list of verified "sender" addresses is kept to try to avoid doing to much
1228 work repetitively when there are multiple recipients in a message and they all
1229 require sender verification. However, when callouts are involved, it gets too
1230 complicated because different recipients may require different callout options.
1231 Therefore, we always do a full sender verify when any kind of callout is
1232 specified. Caching elsewhere, for instance in the DNS resolver and in the
1233 callout handling, should ensure that this is not terribly inefficient. */
1234
1235 else if (verify_sender_address != NULL)
1236 {
1237 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1238 != 0)
1239 {
1240 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1241 "sender verify callout";
1242 return ERROR;
1243 }
1244
1245 sender_vaddr = verify_checked_sender(verify_sender_address);
1246 if (sender_vaddr != NULL && /* Previously checked */
1247 callout <= 0) /* No callout needed this time */
1248 {
1249 /* If the "routed" flag is set, it means that routing worked before, so
1250 this check can give OK (the saved return code value, if set, belongs to a
1251 callout that was done previously). If the "routed" flag is not set, routing
1252 must have failed, so we use the saved return code. */
1253
1254 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1255 {
1256 rc = sender_vaddr->special_action;
1257 *basic_errno = sender_vaddr->basic_errno;
1258 }
1259 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1260 }
1261
1262 /* Do a new verification, and cache the result. The cache is used to avoid
1263 verifying the sender multiple times for multiple RCPTs when callouts are not
1264 specified (see comments above).
1265
1266 The cache is also used on failure to give details in response to the first
1267 RCPT that gets bounced for this reason. However, this can be suppressed by
1268 the no_details option, which sets the flag that says "this detail has already
1269 been sent". The cache normally contains just one address, but there may be
1270 more in esoteric circumstances. */
1271
1272 else
1273 {
1274 BOOL routed = TRUE;
1275 uschar *save_address_data = deliver_address_data;
1276
1277 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1278 if (no_details) setflag(sender_vaddr, af_sverify_told);
1279 if (verify_sender_address[0] != 0)
1280 {
1281 /* If this is the real sender address, save the unrewritten version
1282 for use later in receive. Otherwise, set a flag so that rewriting the
1283 sender in verify_address() does not update sender_address. */
1284
1285 if (verify_sender_address == sender_address)
1286 sender_address_unrewritten = sender_address;
1287 else
1288 verify_options |= vopt_fake_sender;
1289
1290 /* The recipient, qualify, and expn options are never set in
1291 verify_options. */
1292
1293 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1294 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1295
1296 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1297
1298 if (rc == OK)
1299 {
1300 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1301 {
1302 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1303 verify_sender_address, sender_vaddr->address);
1304 }
1305 else
1306 {
1307 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1308 verify_sender_address);
1309 }
1310 }
1311 else *basic_errno = sender_vaddr->basic_errno;
1312 }
1313 else rc = OK; /* Null sender */
1314
1315 /* Cache the result code */
1316
1317 if (routed) setflag(sender_vaddr, af_verify_routed);
1318 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1319 sender_vaddr->special_action = rc;
1320 sender_vaddr->next = sender_verified_list;
1321 sender_verified_list = sender_vaddr;
1322
1323 /* Restore the recipient address data, which might have been clobbered by
1324 the sender verification. */
1325
1326 deliver_address_data = save_address_data;
1327 }
1328
1329 /* Put the sender address_data value into $sender_address_data */
1330
1331 sender_address_data = sender_vaddr->p.address_data;
1332 }
1333
1334 /* A recipient address just gets a straightforward verify; again we must handle
1335 the DEFER overrides. */
1336
1337 else
1338 {
1339 address_item addr2;
1340
1341 /* We must use a copy of the address for verification, because it might
1342 get rewritten. */
1343
1344 addr2 = *addr;
1345 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1346 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1347 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1348
1349 *log_msgptr = addr2.message;
1350 *user_msgptr = (addr2.user_message != NULL)?
1351 addr2.user_message : addr2.message;
1352 *basic_errno = addr2.basic_errno;
1353
1354 /* Make $address_data visible */
1355 deliver_address_data = addr2.p.address_data;
1356 }
1357
1358 /* We have a result from the relevant test. Handle defer overrides first. */
1359
1360 if (rc == DEFER && (defer_ok ||
1361 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1362 {
1363 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1364 defer_ok? "defer_ok" : "callout_defer_ok");
1365 rc = OK;
1366 }
1367
1368 /* If we've failed a sender, set up a recipient message, and point
1369 sender_verified_failed to the address item that actually failed. */
1370
1371 if (rc != OK && verify_sender_address != NULL)
1372 {
1373 if (rc != DEFER)
1374 {
1375 *log_msgptr = *user_msgptr = US"Sender verify failed";
1376 }
1377 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1378 {
1379 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1380 }
1381 else
1382 {
1383 *log_msgptr = US"Could not complete sender verify callout";
1384 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1385 *log_msgptr;
1386 }
1387
1388 sender_verified_failed = sender_vaddr;
1389 }
1390
1391 /* Verifying an address messes up the values of $domain and $local_part,
1392 so reset them before returning if this is a RCPT ACL. */
1393
1394 if (addr != NULL)
1395 {
1396 deliver_domain = addr->domain;
1397 deliver_localpart = addr->local_part;
1398 }
1399 return rc;
1400
1401 /* Syntax errors in the verify argument come here. */
1402
1403 BAD_VERIFY:
1404 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1405 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1406 "\"verify %s\"", arg);
1407 return ERROR;
1408 }
1409
1410
1411
1412
1413 /*************************************************
1414 * Check argument for control= modifier *
1415 *************************************************/
1416
1417 /* Called from acl_check_condition() below
1418
1419 Arguments:
1420 arg the argument string for control=
1421 pptr set to point to the terminating character
1422 where which ACL we are in
1423 log_msgptr for error messages
1424
1425 Returns: CONTROL_xxx value
1426 */
1427
1428 static int
1429 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1430 {
1431 int len;
1432 control_def *d;
1433
1434 for (d = controls_list;
1435 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1436 d++)
1437 {
1438 len = Ustrlen(d->name);
1439 if (Ustrncmp(d->name, arg, len) == 0) break;
1440 }
1441
1442 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1443 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1444 {
1445 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1446 return CONTROL_ERROR;
1447 }
1448
1449 *pptr = arg + len;
1450 return d->value;
1451 }
1452
1453
1454
1455 /*************************************************
1456 * Handle conditions/modifiers on an ACL item *
1457 *************************************************/
1458
1459 /* Called from acl_check() below.
1460
1461 Arguments:
1462 verb ACL verb
1463 cb ACL condition block - if NULL, result is OK
1464 where where called from
1465 addr the address being checked for RCPT, or NULL
1466 level the nesting level
1467 epp pointer to pass back TRUE if "endpass" encountered
1468 (applies only to "accept" and "discard")
1469 user_msgptr user message pointer
1470 log_msgptr log message pointer
1471 basic_errno pointer to where to put verify error
1472
1473 Returns: OK - all conditions are met
1474 DISCARD - an "acl" condition returned DISCARD - only allowed
1475 for "accept" or "discard" verbs
1476 FAIL - at least one condition fails
1477 FAIL_DROP - an "acl" condition returned FAIL_DROP
1478 DEFER - can't tell at the moment (typically, lookup defer,
1479 but can be temporary callout problem)
1480 ERROR - ERROR from nested ACL or expansion failure or other
1481 error
1482 */
1483
1484 static int
1485 acl_check_condition(int verb, acl_condition_block *cb, int where,
1486 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1487 uschar **log_msgptr, int *basic_errno)
1488 {
1489 uschar *user_message = NULL;
1490 uschar *log_message = NULL;
1491 uschar *p;
1492 int rc = OK;
1493 #ifdef WITH_CONTENT_SCAN
1494 int sep = '/';
1495 #endif
1496
1497 for (; cb != NULL; cb = cb->next)
1498 {
1499 uschar *arg;
1500 int control_type;
1501
1502 /* The message and log_message items set up messages to be used in
1503 case of rejection. They are expanded later. */
1504
1505 if (cb->type == ACLC_MESSAGE)
1506 {
1507 user_message = cb->arg;
1508 continue;
1509 }
1510
1511 if (cb->type == ACLC_LOG_MESSAGE)
1512 {
1513 log_message = cb->arg;
1514 continue;
1515 }
1516
1517 /* The endpass "condition" just sets a flag to show it occurred. This is
1518 checked at compile time to be on an "accept" or "discard" item. */
1519
1520 if (cb->type == ACLC_ENDPASS)
1521 {
1522 *epp = TRUE;
1523 continue;
1524 }
1525
1526 /* For other conditions and modifiers, the argument is expanded now for some
1527 of them, but not for all, because expansion happens down in some lower level
1528 checking functions in some cases. */
1529
1530 if (cond_expand_at_top[cb->type])
1531 {
1532 arg = expand_string(cb->arg);
1533 if (arg == NULL)
1534 {
1535 if (expand_string_forcedfail) continue;
1536 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1537 cb->arg, expand_string_message);
1538 return search_find_defer? DEFER : ERROR;
1539 }
1540 }
1541 else arg = cb->arg;
1542
1543 /* Show condition, and expanded condition if it's different */
1544
1545 HDEBUG(D_acl)
1546 {
1547 int lhswidth = 0;
1548 debug_printf("check %s%s %n",
1549 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1550 conditions[cb->type], &lhswidth);
1551
1552 if (cb->type == ACLC_SET)
1553 {
1554 int n = cb->u.varnumber;
1555 int t = (n < ACL_C_MAX)? 'c' : 'm';
1556 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1557 debug_printf("acl_%c%d ", t, n);
1558 lhswidth += 7;
1559 }
1560
1561 debug_printf("= %s\n", cb->arg);
1562
1563 if (arg != cb->arg)
1564 debug_printf("%.*s= %s\n", lhswidth,
1565 US" ", CS arg);
1566 }
1567
1568 /* Check that this condition makes sense at this time */
1569
1570 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1571 {
1572 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1573 cond_modifiers[cb->type]? "use" : "test",
1574 conditions[cb->type], acl_wherenames[where]);
1575 return ERROR;
1576 }
1577
1578 /* Run the appropriate test for each condition, or take the appropriate
1579 action for the remaining modifiers. */
1580
1581 switch(cb->type)
1582 {
1583 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1584 "discard" verb. */
1585
1586 case ACLC_ACL:
1587 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1588 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1589 {
1590 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1591 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1592 verbs[verb]);
1593 return ERROR;
1594 }
1595 break;
1596
1597 case ACLC_AUTHENTICATED:
1598 rc = (sender_host_authenticated == NULL)? FAIL :
1599 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1600 TRUE, NULL);
1601 break;
1602
1603 #ifdef EXPERIMENTAL_BRIGHTMAIL
1604 case ACLC_BMI_OPTIN:
1605 {
1606 int old_pool = store_pool;
1607 store_pool = POOL_PERM;
1608 bmi_current_optin = string_copy(arg);
1609 store_pool = old_pool;
1610 }
1611 break;
1612 #endif
1613
1614 case ACLC_CONDITION:
1615 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1616 rc = (Uatoi(arg) == 0)? FAIL : OK;
1617 else
1618 rc = (strcmpic(arg, US"no") == 0 ||
1619 strcmpic(arg, US"false") == 0)? FAIL :
1620 (strcmpic(arg, US"yes") == 0 ||
1621 strcmpic(arg, US"true") == 0)? OK : DEFER;
1622 if (rc == DEFER)
1623 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1624 break;
1625
1626 case ACLC_CONTROL:
1627 control_type = decode_control(arg, &p, where, log_msgptr);
1628
1629 /* Check if this control makes sense at this time */
1630
1631 if ((control_forbids[control_type] & (1 << where)) != 0)
1632 {
1633 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1634 controls[control_type], acl_wherenames[where]);
1635 return ERROR;
1636 }
1637
1638 switch(control_type)
1639 {
1640 #ifdef EXPERIMENTAL_BRIGHTMAIL
1641 case CONTROL_BMI_RUN:
1642 bmi_run = 1;
1643 break;
1644 #endif
1645
1646 case CONTROL_ERROR:
1647 return ERROR;
1648
1649 case CONTROL_CASEFUL_LOCAL_PART:
1650 deliver_localpart = addr->cc_local_part;
1651 break;
1652
1653 case CONTROL_CASELOWER_LOCAL_PART:
1654 deliver_localpart = addr->lc_local_part;
1655 break;
1656
1657 case CONTROL_ENFORCE_SYNC:
1658 smtp_enforce_sync = TRUE;
1659 break;
1660
1661 case CONTROL_NO_ENFORCE_SYNC:
1662 smtp_enforce_sync = FALSE;
1663 break;
1664
1665 #ifdef WITH_CONTENT_SCAN
1666 case CONTROL_NO_MBOX_UNSPOOL:
1667 no_mbox_unspool = TRUE;
1668 break;
1669 #endif
1670
1671 case CONTROL_NO_MULTILINE:
1672 no_multiline_responses = TRUE;
1673 break;
1674
1675 case CONTROL_FAKEREJECT:
1676 fake_reject = TRUE;
1677 if (*p == '/')
1678 {
1679 uschar *pp = p + 1;
1680 while (*pp != 0) pp++;
1681 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1682 p = pp;
1683 }
1684 else
1685 {
1686 /* Explicitly reset to default string */
1687 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
1688 }
1689 break;
1690
1691 case CONTROL_FREEZE:
1692 deliver_freeze = TRUE;
1693 deliver_frozen_at = time(NULL);
1694 break;
1695
1696 case CONTROL_QUEUE_ONLY:
1697 queue_only_policy = TRUE;
1698 break;
1699
1700 case CONTROL_SUBMISSION:
1701 submission_mode = TRUE;
1702 while (*p == '/')
1703 {
1704 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1705 {
1706 p += 14;
1707 active_local_sender_retain = TRUE;
1708 active_local_from_check = FALSE;
1709 }
1710 else if (Ustrncmp(p, "/domain=", 8) == 0)
1711 {
1712 uschar *pp = p + 8;
1713 while (*pp != 0 && *pp != '/') pp++;
1714 submission_domain = string_copyn(p+8, pp-p);
1715 p = pp;
1716 }
1717 else break;
1718 }
1719 if (*p != 0)
1720 {
1721 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1722 return ERROR;
1723 }
1724 break;
1725 }
1726 break;
1727
1728 #ifdef WITH_CONTENT_SCAN
1729 case ACLC_DECODE:
1730 rc = mime_decode(&arg);
1731 break;
1732 #endif
1733
1734 case ACLC_DELAY:
1735 {
1736 int delay = readconf_readtime(arg, 0, FALSE);
1737 if (delay < 0)
1738 {
1739 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1740 "modifier: \"%s\" is not a time value", arg);
1741 return ERROR;
1742 }
1743 else
1744 {
1745 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1746 delay);
1747 if (host_checking)
1748 {
1749 HDEBUG(D_acl)
1750 debug_printf("delay skipped in -bh checking mode\n");
1751 }
1752 else
1753 {
1754 while (delay > 0) delay = sleep(delay);
1755 }
1756 }
1757 }
1758 break;
1759
1760 #ifdef WITH_OLD_DEMIME
1761 case ACLC_DEMIME:
1762 rc = demime(&arg);
1763 break;
1764 #endif
1765
1766 case ACLC_DNSLISTS:
1767 rc = verify_check_dnsbl(&arg);
1768 break;
1769
1770 case ACLC_DOMAINS:
1771 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1772 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1773 break;
1774
1775 /* The value in tls_cipher is the full cipher name, for example,
1776 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1777 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1778 what may in practice come out of the SSL library - which at the time of
1779 writing is poorly documented. */
1780
1781 case ACLC_ENCRYPTED:
1782 if (tls_cipher == NULL) rc = FAIL; else
1783 {
1784 uschar *endcipher = NULL;
1785 uschar *cipher = Ustrchr(tls_cipher, ':');
1786 if (cipher == NULL) cipher = tls_cipher; else
1787 {
1788 endcipher = Ustrchr(++cipher, ':');
1789 if (endcipher != NULL) *endcipher = 0;
1790 }
1791 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1792 if (endcipher != NULL) *endcipher = ':';
1793 }
1794 break;
1795
1796 /* Use verify_check_this_host() instead of verify_check_host() so that
1797 we can pass over &host_data to catch any looked up data. Once it has been
1798 set, it retains its value so that it's still there if another ACL verb
1799 comes through here and uses the cache. However, we must put it into
1800 permanent store in case it is also expected to be used in a subsequent
1801 message in the same SMTP connection. */
1802
1803 case ACLC_HOSTS:
1804 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1805 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1806 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1807 break;
1808
1809 case ACLC_LOCAL_PARTS:
1810 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1811 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1812 &deliver_localpart_data);
1813 break;
1814
1815 case ACLC_LOGWRITE:
1816 {
1817 int logbits = 0;
1818 uschar *s = arg;
1819 if (*s == ':')
1820 {
1821 s++;
1822 while (*s != ':')
1823 {
1824 if (Ustrncmp(s, "main", 4) == 0)
1825 { logbits |= LOG_MAIN; s += 4; }
1826 else if (Ustrncmp(s, "panic", 5) == 0)
1827 { logbits |= LOG_PANIC; s += 5; }
1828 else if (Ustrncmp(s, "reject", 6) == 0)
1829 { logbits |= LOG_REJECT; s += 6; }
1830 else
1831 {
1832 logbits = LOG_MAIN|LOG_PANIC;
1833 s = string_sprintf(":unknown log name in \"%s\" in "
1834 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
1835 }
1836 if (*s == ',') s++;
1837 }
1838 s++;
1839 }
1840 while (isspace(*s)) s++;
1841 if (logbits == 0) logbits = LOG_MAIN;
1842 log_write(0, logbits, "%s", string_printing(s));
1843 }
1844 break;
1845
1846 #ifdef WITH_CONTENT_SCAN
1847 case ACLC_MALWARE:
1848 {
1849 /* Seperate the regular expression and any optional parameters. */
1850 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1851 /* Run the malware backend. */
1852 rc = malware(&ss);
1853 /* Modify return code based upon the existance of options. */
1854 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1855 != NULL) {
1856 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1857 {
1858 /* FAIL so that the message is passed to the next ACL */
1859 rc = FAIL;
1860 }
1861 }
1862 }
1863 break;
1864
1865 case ACLC_MIME_REGEX:
1866 rc = mime_regex(&arg);
1867 break;
1868 #endif
1869
1870 case ACLC_RECIPIENTS:
1871 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
1872 &recipient_data);
1873 break;
1874
1875 #ifdef WITH_CONTENT_SCAN
1876 case ACLC_REGEX:
1877 rc = regex(&arg);
1878 break;
1879 #endif
1880
1881 case ACLC_SENDER_DOMAINS:
1882 {
1883 uschar *sdomain;
1884 sdomain = Ustrrchr(sender_address, '@');
1885 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
1886 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
1887 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
1888 }
1889 break;
1890
1891 case ACLC_SENDERS:
1892 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
1893 sender_address_cache, -1, 0, &sender_data);
1894 break;
1895
1896 /* Connection variables must persist forever */
1897
1898 case ACLC_SET:
1899 {
1900 int old_pool = store_pool;
1901 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
1902 acl_var[cb->u.varnumber] = string_copy(arg);
1903 store_pool = old_pool;
1904 }
1905 break;
1906
1907 #ifdef WITH_CONTENT_SCAN
1908 case ACLC_SPAM:
1909 {
1910 /* Seperate the regular expression and any optional parameters. */
1911 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1912 /* Run the spam backend. */
1913 rc = spam(&ss);
1914 /* Modify return code based upon the existance of options. */
1915 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1916 != NULL) {
1917 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1918 {
1919 /* FAIL so that the message is passed to the next ACL */
1920 rc = FAIL;
1921 }
1922 }
1923 }
1924 break;
1925 #endif
1926
1927 #ifdef EXPERIMENTAL_SPF
1928 case ACLC_SPF:
1929 rc = spf_process(&arg, sender_address);
1930 break;
1931 #endif
1932
1933 /* If the verb is WARN, discard any user message from verification, because
1934 such messages are SMTP responses, not header additions. The latter come
1935 only from explicit "message" modifiers. */
1936
1937 case ACLC_VERIFY:
1938 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
1939 if (verb == ACL_WARN) *user_msgptr = NULL;
1940 break;
1941
1942 default:
1943 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
1944 "condition %d", cb->type);
1945 break;
1946 }
1947
1948 /* If a condition was negated, invert OK/FAIL. */
1949
1950 if (!cond_modifiers[cb->type] && cb->u.negated)
1951 {
1952 if (rc == OK) rc = FAIL;
1953 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
1954 }
1955
1956 if (rc != OK) break; /* Conditions loop */
1957 }
1958
1959
1960 /* If the result is the one for which "message" and/or "log_message" are used,
1961 handle the values of these options. Most verbs have but a single return for
1962 which the messages are relevant, but for "discard", it's useful to have the log
1963 message both when it succeeds and when it fails. Also, for an "accept" that
1964 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
1965 and "warn" are permitted in that ACL, we don't need to test the verb.
1966
1967 These modifiers act in different ways:
1968
1969 "message" is a user message that will be included in an SMTP response. Unless
1970 it is empty, it overrides any previously set user message.
1971
1972 "log_message" is a non-user message, and it adds to any existing non-user
1973 message that is already set.
1974
1975 If there isn't a log message set, we make it the same as the user message. */
1976
1977 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
1978 (verb == ACL_DISCARD && rc == OK) ||
1979 (where == ACL_WHERE_QUIT))
1980 {
1981 uschar *expmessage;
1982
1983 /* If the verb is "warn", messages generated by conditions (verification or
1984 nested ACLs) are discarded. Only messages specified at this level are used.
1985 However, the value of an existing message is available in $acl_verify_message
1986 during expansions. */
1987
1988 uschar *old_user_msgptr = *user_msgptr;
1989 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
1990
1991 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
1992
1993 if (user_message != NULL)
1994 {
1995 acl_verify_message = old_user_msgptr;
1996 expmessage = expand_string(user_message);
1997 if (expmessage == NULL)
1998 {
1999 if (!expand_string_forcedfail)
2000 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2001 user_message, expand_string_message);
2002 }
2003 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2004 }
2005
2006 if (log_message != NULL)
2007 {
2008 acl_verify_message = old_log_msgptr;
2009 expmessage = expand_string(log_message);
2010 if (expmessage == NULL)
2011 {
2012 if (!expand_string_forcedfail)
2013 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2014 log_message, expand_string_message);
2015 }
2016 else if (expmessage[0] != 0)
2017 {
2018 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2019 string_sprintf("%s: %s", expmessage, *log_msgptr);
2020 }
2021 }
2022
2023 /* If no log message, default it to the user message */
2024
2025 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2026 }
2027
2028 acl_verify_message = NULL;
2029 return rc;
2030 }
2031
2032
2033
2034
2035
2036 /*************************************************
2037 * Get line from a literal ACL *
2038 *************************************************/
2039
2040 /* This function is passed to acl_read() in order to extract individual lines
2041 of a literal ACL, which we access via static pointers. We can destroy the
2042 contents because this is called only once (the compiled ACL is remembered).
2043
2044 This code is intended to treat the data in the same way as lines in the main
2045 Exim configuration file. That is:
2046
2047 . Leading spaces are ignored.
2048
2049 . A \ at the end of a line is a continuation - trailing spaces after the \
2050 are permitted (this is because I don't believe in making invisible things
2051 significant). Leading spaces on the continued part of a line are ignored.
2052
2053 . Physical lines starting (significantly) with # are totally ignored, and
2054 may appear within a sequence of backslash-continued lines.
2055
2056 . Blank lines are ignored, but will end a sequence of continuations.
2057
2058 Arguments: none
2059 Returns: a pointer to the next line
2060 */
2061
2062
2063 static uschar *acl_text; /* Current pointer in the text */
2064 static uschar *acl_text_end; /* Points one past the terminating '0' */
2065
2066
2067 static uschar *
2068 acl_getline(void)
2069 {
2070 uschar *yield;
2071
2072 /* This loop handles leading blank lines and comments. */
2073
2074 for(;;)
2075 {
2076 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2077 if (*acl_text == 0) return NULL; /* No more data */
2078 yield = acl_text; /* Potential data line */
2079
2080 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2081
2082 /* If we hit the end before a newline, we have the whole logical line. If
2083 it's a comment, there's no more data to be given. Otherwise, yield it. */
2084
2085 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2086
2087 /* After reaching a newline, end this loop if the physical line does not
2088 start with '#'. If it does, it's a comment, and the loop continues. */
2089
2090 if (*yield != '#') break;
2091 }
2092
2093 /* This loop handles continuations. We know we have some real data, ending in
2094 newline. See if there is a continuation marker at the end (ignoring trailing
2095 white space). We know that *yield is not white space, so no need to test for
2096 cont > yield in the backwards scanning loop. */
2097
2098 for(;;)
2099 {
2100 uschar *cont;
2101 for (cont = acl_text - 1; isspace(*cont); cont--);
2102
2103 /* If no continuation follows, we are done. Mark the end of the line and
2104 return it. */
2105
2106 if (*cont != '\\')
2107 {
2108 *acl_text++ = 0;
2109 return yield;
2110 }
2111
2112 /* We have encountered a continuation. Skip over whitespace at the start of
2113 the next line, and indeed the whole of the next line or lines if they are
2114 comment lines. */
2115
2116 for (;;)
2117 {
2118 while (*(++acl_text) == ' ' || *acl_text == '\t');
2119 if (*acl_text != '#') break;
2120 while (*(++acl_text) != 0 && *acl_text != '\n');
2121 }
2122
2123 /* We have the start of a continuation line. Move all the rest of the data
2124 to join onto the previous line, and then find its end. If the end is not a
2125 newline, we are done. Otherwise loop to look for another continuation. */
2126
2127 memmove(cont, acl_text, acl_text_end - acl_text);
2128 acl_text_end -= acl_text - cont;
2129 acl_text = cont;
2130 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2131 if (*acl_text == 0) return yield;
2132 }
2133
2134 /* Control does not reach here */
2135 }
2136
2137
2138
2139
2140
2141 /*************************************************
2142 * Check access using an ACL *
2143 *************************************************/
2144
2145 /* This function is called from address_check. It may recurse via
2146 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2147 passed as a string which is expanded. A forced failure implies no access check
2148 is required. If the result is a single word, it is taken as the name of an ACL
2149 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2150 text, complete with newlines, and parsed as such. In both cases, the ACL check
2151 is then run. This function uses an auxiliary function for acl_read() to call
2152 for reading individual lines of a literal ACL. This is acl_getline(), which
2153 appears immediately above.
2154
2155 Arguments:
2156 where where called from
2157 addr address item when called from RCPT; otherwise NULL
2158 s the input string; NULL is the same as an empty ACL => DENY
2159 level the nesting level
2160 user_msgptr where to put a user error (for SMTP response)
2161 log_msgptr where to put a logging message (not for SMTP response)
2162
2163 Returns: OK access is granted
2164 DISCARD access is apparently granted...
2165 FAIL access is denied
2166 FAIL_DROP access is denied; drop the connection
2167 DEFER can't tell at the moment
2168 ERROR disaster
2169 */
2170
2171 static int
2172 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2173 uschar **user_msgptr, uschar **log_msgptr)
2174 {
2175 int fd = -1;
2176 acl_block *acl = NULL;
2177 uschar *acl_name = US"inline ACL";
2178 uschar *ss;
2179
2180 /* Catch configuration loops */
2181
2182 if (level > 20)
2183 {
2184 *log_msgptr = US"ACL nested too deep: possible loop";
2185 return ERROR;
2186 }
2187
2188 if (s == NULL)
2189 {
2190 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2191 return FAIL;
2192 }
2193
2194 /* At top level, we expand the incoming string. At lower levels, it has already
2195 been expanded as part of condition processing. */
2196
2197 if (level == 0)
2198 {
2199 ss = expand_string(s);
2200 if (ss == NULL)
2201 {
2202 if (expand_string_forcedfail) return OK;
2203 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2204 expand_string_message);
2205 return ERROR;
2206 }
2207 }
2208 else ss = s;
2209
2210 while (isspace(*ss))ss++;
2211
2212 /* If we can't find a named ACL, the default is to parse it as an inline one.
2213 (Unless it begins with a slash; non-existent files give rise to an error.) */
2214
2215 acl_text = ss;
2216
2217 /* Handle the case of a string that does not contain any spaces. Look for a
2218 named ACL among those read from the configuration, or a previously read file.
2219 It is possible that the pointer to the ACL is NULL if the configuration
2220 contains a name with no data. If not found, and the text begins with '/',
2221 read an ACL from a file, and save it so it can be re-used. */
2222
2223 if (Ustrchr(ss, ' ') == NULL)
2224 {
2225 tree_node *t = tree_search(acl_anchor, ss);
2226 if (t != NULL)
2227 {
2228 acl = (acl_block *)(t->data.ptr);
2229 if (acl == NULL)
2230 {
2231 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2232 return FAIL;
2233 }
2234 acl_name = string_sprintf("ACL \"%s\"", ss);
2235 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2236 }
2237
2238 else if (*ss == '/')
2239 {
2240 struct stat statbuf;
2241 fd = Uopen(ss, O_RDONLY, 0);
2242 if (fd < 0)
2243 {
2244 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2245 strerror(errno));
2246 return ERROR;
2247 }
2248
2249 if (fstat(fd, &statbuf) != 0)
2250 {
2251 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2252 strerror(errno));
2253 return ERROR;
2254 }
2255
2256 acl_text = store_get(statbuf.st_size + 1);
2257 acl_text_end = acl_text + statbuf.st_size + 1;
2258
2259 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2260 {
2261 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2262 ss, strerror(errno));
2263 return ERROR;
2264 }
2265 acl_text[statbuf.st_size] = 0;
2266 close(fd);
2267
2268 acl_name = string_sprintf("ACL \"%s\"", ss);
2269 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2270 }
2271 }
2272
2273 /* Parse an ACL that is still in text form. If it came from a file, remember it
2274 in the ACL tree, having read it into the POOL_PERM store pool so that it
2275 persists between multiple messages. */
2276
2277 if (acl == NULL)
2278 {
2279 int old_pool = store_pool;
2280 if (fd >= 0) store_pool = POOL_PERM;
2281 acl = acl_read(acl_getline, log_msgptr);
2282 store_pool = old_pool;
2283 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2284 if (fd >= 0)
2285 {
2286 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2287 Ustrcpy(t->name, ss);
2288 t->data.ptr = acl;
2289 (void)tree_insertnode(&acl_anchor, t);
2290 }
2291 }
2292
2293 /* Now we have an ACL to use. It's possible it may be NULL. */
2294
2295 while (acl != NULL)
2296 {
2297 int cond;
2298 int basic_errno = 0;
2299 BOOL endpass_seen = FALSE;
2300
2301 *log_msgptr = *user_msgptr = NULL;
2302 acl_temp_details = FALSE;
2303
2304 if (where == ACL_WHERE_QUIT &&
2305 acl->verb != ACL_ACCEPT &&
2306 acl->verb != ACL_WARN)
2307 {
2308 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2309 verbs[acl->verb]);
2310 return ERROR;
2311 }
2312
2313 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2314
2315 /* Clear out any search error message from a previous check before testing
2316 this condition. */
2317
2318 search_error_message = NULL;
2319 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2320 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2321
2322 /* Handle special returns: DEFER causes a return except on a WARN verb;
2323 ERROR always causes a return. */
2324
2325 switch (cond)
2326 {
2327 case DEFER:
2328 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2329 if (basic_errno != ERRNO_CALLOUTDEFER)
2330 {
2331 if (search_error_message != NULL && *search_error_message != 0)
2332 *log_msgptr = search_error_message;
2333 if (smtp_return_error_details) acl_temp_details = TRUE;
2334 }
2335 else
2336 {
2337 acl_temp_details = TRUE;
2338 }
2339 if (acl->verb != ACL_WARN) return DEFER;
2340 break;
2341
2342 default: /* Paranoia */
2343 case ERROR:
2344 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2345 return ERROR;
2346
2347 case OK:
2348 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2349 verbs[acl->verb]);
2350 break;
2351
2352 case FAIL:
2353 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2354 break;
2355
2356 /* DISCARD and DROP can happen only from a nested ACL condition, and
2357 DISCARD can happen only for an "accept" or "discard" verb. */
2358
2359 case DISCARD:
2360 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2361 verbs[acl->verb]);
2362 break;
2363
2364 case FAIL_DROP:
2365 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2366 verbs[acl->verb]);
2367 break;
2368 }
2369
2370 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2371 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2372 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2373
2374 switch(acl->verb)
2375 {
2376 case ACL_ACCEPT:
2377 if (cond == OK || cond == DISCARD) return cond;
2378 if (endpass_seen)
2379 {
2380 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2381 return cond;
2382 }
2383 break;
2384
2385 case ACL_DEFER:
2386 if (cond == OK)
2387 {
2388 acl_temp_details = TRUE;
2389 return DEFER;
2390 }
2391 break;
2392
2393 case ACL_DENY:
2394 if (cond == OK) return FAIL;
2395 break;
2396
2397 case ACL_DISCARD:
2398 if (cond == OK || cond == DISCARD) return DISCARD;
2399 if (endpass_seen)
2400 {
2401 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2402 return cond;
2403 }
2404 break;
2405
2406 case ACL_DROP:
2407 if (cond == OK) return FAIL_DROP;
2408 break;
2409
2410 case ACL_REQUIRE:
2411 if (cond != OK) return cond;
2412 break;
2413
2414 case ACL_WARN:
2415 if (cond == OK)
2416 acl_warn(where, *user_msgptr, *log_msgptr);
2417 else if (cond == DEFER)
2418 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2419 "condition test deferred: %s",
2420 (*log_msgptr == NULL)? US"" : *log_msgptr));
2421 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2422 break;
2423
2424 default:
2425 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2426 acl->verb);
2427 break;
2428 }
2429
2430 /* Pass to the next ACL item */
2431
2432 acl = acl->next;
2433 }
2434
2435 /* We have reached the end of the ACL. This is an implicit DENY. */
2436
2437 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2438 return FAIL;
2439 }
2440
2441
2442 /*************************************************
2443 * Check access using an ACL *
2444 *************************************************/
2445
2446 /* This is the external interface for ACL checks. It sets up an address and the
2447 expansions for $domain and $local_part when called after RCPT, then calls
2448 acl_check_internal() to do the actual work.
2449
2450 Arguments:
2451 where ACL_WHERE_xxxx indicating where called from
2452 data_string RCPT address, or SMTP command argument, or NULL
2453 s the input string; NULL is the same as an empty ACL => DENY
2454 user_msgptr where to put a user error (for SMTP response)
2455 log_msgptr where to put a logging message (not for SMTP response)
2456
2457 Returns: OK access is granted by an ACCEPT verb
2458 DISCARD access is granted by a DISCARD verb
2459 FAIL access is denied
2460 FAIL_DROP access is denied; drop the connection
2461 DEFER can't tell at the moment
2462 ERROR disaster
2463 */
2464
2465 int
2466 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2467 uschar **log_msgptr)
2468 {
2469 int rc;
2470 address_item adb;
2471 address_item *addr;
2472
2473 *user_msgptr = *log_msgptr = NULL;
2474 sender_verified_failed = NULL;
2475
2476 if (where == ACL_WHERE_RCPT)
2477 {
2478 adb = address_defaults;
2479 addr = &adb;
2480 addr->address = data_string;
2481 if (deliver_split_address(addr) == DEFER)
2482 {
2483 *log_msgptr = US"defer in percent_hack_domains check";
2484 return DEFER;
2485 }
2486 deliver_domain = addr->domain;
2487 deliver_localpart = addr->local_part;
2488 }
2489 else
2490 {
2491 addr = NULL;
2492 smtp_command_argument = data_string;
2493 }
2494
2495 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2496
2497 smtp_command_argument = deliver_domain =
2498 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2499
2500 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2501 ACL, which is really in the middle of an SMTP command. */
2502
2503 if (rc == DISCARD)
2504 {
2505 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2506 {
2507 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2508 "ACL", acl_wherenames[where]);
2509 return ERROR;
2510 }
2511 return DISCARD;
2512 }
2513
2514 /* A DROP response is not permitted from MAILAUTH */
2515
2516 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2517 {
2518 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2519 "ACL", acl_wherenames[where]);
2520 return ERROR;
2521 }
2522
2523 /* Before giving an error response, take a look at the length of any user
2524 message, and split it up into multiple lines if possible. */
2525
2526 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2527 {
2528 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2529 uschar *ss = s;
2530
2531 for (;;)
2532 {
2533 int i = 0;
2534 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2535 if (*ss == 0) break;
2536 if (*ss == '\n')
2537 s = ++ss;
2538 else
2539 {
2540 uschar *t = ss + 1;
2541 uschar *tt = NULL;
2542 while (--t > s + 35)
2543 {
2544 if (*t == ' ')
2545 {
2546 if (t[-1] == ':') { tt = t; break; }
2547 if (tt == NULL) tt = t;
2548 }
2549 }
2550
2551 if (tt == NULL) /* Can't split behind - try ahead */
2552 {
2553 t = ss + 1;
2554 while (*t != 0)
2555 {
2556 if (*t == ' ' || *t == '\n')
2557 { tt = t; break; }
2558 t++;
2559 }
2560 }
2561
2562 if (tt == NULL) break; /* Can't find anywhere to split */
2563 *tt = '\n';
2564 s = ss = tt+1;
2565 }
2566 }
2567 }
2568
2569 return rc;
2570 }
2571
2572 /* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.