projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Forbid both "unseen" and "one_time" on redirect routers.
[exim.git] / src / src / acl.c
1 /* $Cambridge: exim/src/src/acl.c,v 1.24 2005/03/15 11:37:21 ph10 Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10 /* Code for handling Access Control Lists (ACLs) */
11
12 #include "exim.h"
13
14
15 /* Default callout timeout */
16
17 #define CALLOUT_TIMEOUT_DEFAULT 30
18
19 /* ACL verb codes - keep in step with the table of verbs that follows */
20
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24 /* ACL verbs */
25
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30 /* For each verb, the condition for which "message" is used */
31
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34 /* ACL condition and modifier codes - keep in step with the table that
35 follows. */
36
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40 #endif
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44 #endif
45 ACLC_DELAY,
46 #ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
48 #endif
49 #ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
51 ACLC_DK_POLICY,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
54 ACLC_DK_SENDERS,
55 ACLC_DK_STATUS,
56 #endif
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59 #ifdef WITH_CONTENT_SCAN
60 ACLC_MALWARE,
61 #endif
62 ACLC_MESSAGE,
63 #ifdef WITH_CONTENT_SCAN
64 ACLC_MIME_REGEX,
65 #endif
66 ACLC_RECIPIENTS,
67 #ifdef WITH_CONTENT_SCAN
68 ACLC_REGEX,
69 #endif
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71 #ifdef WITH_CONTENT_SCAN
72 ACLC_SPAM,
73 #endif
74 #ifdef EXPERIMENTAL_SPF
75 ACLC_SPF,
76 #endif
77 ACLC_VERIFY };
78
79 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80 "log_message", "logwrite", and "set" are modifiers that look like conditions
81 but always return TRUE. They are used for their side effects. */
82
83 static uschar *conditions[] = { US"acl", US"authenticated",
84 #ifdef EXPERIMENTAL_BRIGHTMAIL
85 US"bmi_optin",
86 #endif
87 US"condition",
88 US"control",
89 #ifdef WITH_CONTENT_SCAN
90 US"decode",
91 #endif
92 US"delay",
93 #ifdef WITH_OLD_DEMIME
94 US"demime",
95 #endif
96 #ifdef EXPERIMENTAL_DOMAINKEYS
97 US"dk_domain_source",
98 US"dk_policy",
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
101 US"dk_senders",
102 US"dk_status",
103 #endif
104 US"dnslists", US"domains", US"encrypted",
105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
106 #ifdef WITH_CONTENT_SCAN
107 US"malware",
108 #endif
109 US"message",
110 #ifdef WITH_CONTENT_SCAN
111 US"mime_regex",
112 #endif
113 US"recipients",
114 #ifdef WITH_CONTENT_SCAN
115 US"regex",
116 #endif
117 US"sender_domains", US"senders", US"set",
118 #ifdef WITH_CONTENT_SCAN
119 US"spam",
120 #endif
121 #ifdef EXPERIMENTAL_SPF
122 US"spf",
123 #endif
124 US"verify" };
125
126 /* ACL control names */
127
128 static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
130 US"queue_only", US"submission", US"no_multiline"};
131
132 /* Flags to indicate for which conditions /modifiers a string expansion is done
133 at the outer level. In the other cases, expansion already occurs in the
134 checking functions. */
135
136 static uschar cond_expand_at_top[] = {
137 TRUE, /* acl */
138 FALSE, /* authenticated */
139 #ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
141 #endif
142 TRUE, /* condition */
143 TRUE, /* control */
144 #ifdef WITH_CONTENT_SCAN
145 TRUE, /* decode */
146 #endif
147 TRUE, /* delay */
148 #ifdef WITH_OLD_DEMIME
149 TRUE, /* demime */
150 #endif
151 #ifdef EXPERIMENTAL_DOMAINKEYS
152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
155 TRUE, /* dk_sender_local_parts */
156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
158 #endif
159 TRUE, /* dnslists */
160 FALSE, /* domains */
161 FALSE, /* encrypted */
162 TRUE, /* endpass */
163 FALSE, /* hosts */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
166 TRUE, /* logwrite */
167 #ifdef WITH_CONTENT_SCAN
168 TRUE, /* malware */
169 #endif
170 TRUE, /* message */
171 #ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
173 #endif
174 FALSE, /* recipients */
175 #ifdef WITH_CONTENT_SCAN
176 TRUE, /* regex */
177 #endif
178 FALSE, /* sender_domains */
179 FALSE, /* senders */
180 TRUE, /* set */
181 #ifdef WITH_CONTENT_SCAN
182 TRUE, /* spam */
183 #endif
184 #ifdef EXPERIMENTAL_SPF
185 TRUE, /* spf */
186 #endif
187 TRUE /* verify */
188 };
189
190 /* Flags to identify the modifiers */
191
192 static uschar cond_modifiers[] = {
193 FALSE, /* acl */
194 FALSE, /* authenticated */
195 #ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
197 #endif
198 FALSE, /* condition */
199 TRUE, /* control */
200 #ifdef WITH_CONTENT_SCAN
201 FALSE, /* decode */
202 #endif
203 TRUE, /* delay */
204 #ifdef WITH_OLD_DEMIME
205 FALSE, /* demime */
206 #endif
207 #ifdef EXPERIMENTAL_DOMAINKEYS
208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
211 FALSE, /* dk_sender_local_parts */
212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
214 #endif
215 FALSE, /* dnslists */
216 FALSE, /* domains */
217 FALSE, /* encrypted */
218 TRUE, /* endpass */
219 FALSE, /* hosts */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
222 TRUE, /* logwrite */
223 #ifdef WITH_CONTENT_SCAN
224 FALSE, /* malware */
225 #endif
226 TRUE, /* message */
227 #ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
229 #endif
230 FALSE, /* recipients */
231 #ifdef WITH_CONTENT_SCAN
232 FALSE, /* regex */
233 #endif
234 FALSE, /* sender_domains */
235 FALSE, /* senders */
236 TRUE, /* set */
237 #ifdef WITH_CONTENT_SCAN
238 FALSE, /* spam */
239 #endif
240 #ifdef EXPERIMENTAL_SPF
241 FALSE, /* spf */
242 #endif
243 FALSE /* verify */
244 };
245
246 /* Bit map vector of which conditions are not allowed at certain times. For
247 each condition, there's a bitmap of dis-allowed times. */
248
249 static unsigned int cond_forbids[] = {
250 0, /* acl */
251
252 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
253 (1<<ACL_WHERE_HELO),
254
255 #ifdef EXPERIMENTAL_BRIGHTMAIL
256 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
257 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
258 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
259 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
260 (1<<ACL_WHERE_MAILAUTH)|
261 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
262 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
263 #endif
264
265 0, /* condition */
266
267 /* Certain types of control are always allowed, so we let it through
268 always and check in the control processing itself */
269
270 0, /* control */
271
272 #ifdef WITH_CONTENT_SCAN
273 (1<<ACL_WHERE_AUTH)| /* decode */
274 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
275 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
276 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
277 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
278 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
279 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
280 #endif
281
282 0, /* delay */
283
284 #ifdef WITH_OLD_DEMIME
285 (1<<ACL_WHERE_AUTH)| /* demime */
286 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
287 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
288 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
289 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
290 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
291 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
292 #endif
293
294 #ifdef EXPERIMENTAL_DOMAINKEYS
295 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
296 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
297 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
298 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
299 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
300 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
301 (1<<ACL_WHERE_VRFY),
302
303 (1<<ACL_WHERE_AUTH)| /* dk_policy */
304 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
305 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
306 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
307 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
308 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
309 (1<<ACL_WHERE_VRFY),
310
311 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
312 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
313 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
314 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
315 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
316 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
317 (1<<ACL_WHERE_VRFY),
318
319 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
320 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
321 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
322 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
323 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
324 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
325 (1<<ACL_WHERE_VRFY),
326
327 (1<<ACL_WHERE_AUTH)| /* dk_senders */
328 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
329 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
330 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
331 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
332 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
333 (1<<ACL_WHERE_VRFY),
334
335 (1<<ACL_WHERE_AUTH)| /* dk_status */
336 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
337 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
338 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
339 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
340 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
341 (1<<ACL_WHERE_VRFY),
342 #endif
343
344 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
345
346 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
347 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
348 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
349 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
350 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
351 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
352 (1<<ACL_WHERE_VRFY),
353
354 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
355 (1<<ACL_WHERE_HELO),
356
357 0, /* endpass */
358
359 (1<<ACL_WHERE_NOTSMTP), /* hosts */
360
361 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
362 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
363 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
364 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
365 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
366 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
367 (1<<ACL_WHERE_VRFY),
368
369 0, /* log_message */
370
371 0, /* logwrite */
372
373 #ifdef WITH_CONTENT_SCAN
374 (1<<ACL_WHERE_AUTH)| /* malware */
375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
378 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
381 #endif
382
383 0, /* message */
384
385 #ifdef WITH_CONTENT_SCAN
386 (1<<ACL_WHERE_AUTH)| /* mime_regex */
387 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
388 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
389 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
390 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
391 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
392 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
393 #endif
394
395 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
396 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
400 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
401 (1<<ACL_WHERE_VRFY),
402
403 #ifdef WITH_CONTENT_SCAN
404 (1<<ACL_WHERE_AUTH)| /* regex */
405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
406 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
407 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
408 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
409 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
410 (1<<ACL_WHERE_VRFY),
411 #endif
412
413 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
414 (1<<ACL_WHERE_HELO)|
415 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
416 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
417 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
418
419 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
420 (1<<ACL_WHERE_HELO)|
421 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
422 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
423 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
424
425 0, /* set */
426
427 #ifdef WITH_CONTENT_SCAN
428 (1<<ACL_WHERE_AUTH)| /* spam */
429 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
430 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
431 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
432 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
433 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
434 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
435 #endif
436
437 #ifdef EXPERIMENTAL_SPF
438 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
439 (1<<ACL_WHERE_HELO)|
440 (1<<ACL_WHERE_MAILAUTH)|
441 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
442 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
443 #endif
444
445 /* Certain types of verify are always allowed, so we let it through
446 always and check in the verify function itself */
447
448 0 /* verify */
449 };
450
451
452 /* Return values from decode_control() */
453
454 enum {
455 #ifdef EXPERIMENTAL_BRIGHTMAIL
456 CONTROL_BMI_RUN,
457 #endif
458 #ifdef EXPERIMENTAL_DOMAINKEYS
459 CONTROL_DK_VERIFY,
460 #endif
461 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
462 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
463 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
464 #ifdef WITH_CONTENT_SCAN
465 CONTROL_NO_MBOX_UNSPOOL,
466 #endif
467 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
468
469 /* Bit map vector of which controls are not allowed at certain times. For
470 each control, there's a bitmap of dis-allowed times. For some, it is easier to
471 specify the negation of a small number of allowed times. */
472
473 static unsigned int control_forbids[] = {
474 #ifdef EXPERIMENTAL_BRIGHTMAIL
475 0, /* bmi_run */
476 #endif
477 #ifdef EXPERIMENTAL_DOMAINKEYS
478 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
479 #endif
480
481 0, /* error */
482
483 (unsigned int)
484 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
485
486 (unsigned int)
487 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
488
489 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
490
491 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
492
493 (unsigned int)
494 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
495 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
496 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
497
498 (unsigned int)
499 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
500 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
501 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
502
503 (unsigned int)
504 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
505 (1<<ACL_WHERE_PREDATA)),
506
507 #ifdef WITH_CONTENT_SCAN
508 (unsigned int)
509 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
510 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
511 (1<<ACL_WHERE_MIME)),
512 #endif
513
514 (unsigned int)
515 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
516 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
517 (1<<ACL_WHERE_MIME)),
518
519 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
520 };
521
522 /* Structure listing various control arguments, with their characteristics. */
523
524 typedef struct control_def {
525 uschar *name;
526 int value; /* CONTROL_xxx value */
527 BOOL has_option; /* Has /option(s) following */
528 } control_def;
529
530 static control_def controls_list[] = {
531 #ifdef EXPERIMENTAL_BRIGHTMAIL
532 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
533 #endif
534 #ifdef EXPERIMENTAL_DOMAINKEYS
535 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
536 #endif
537 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
538 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
539 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
540 { US"freeze", CONTROL_FREEZE, FALSE},
541 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
542 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
543 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
544 #ifdef WITH_CONTENT_SCAN
545 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
546 #endif
547 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
548 { US"submission", CONTROL_SUBMISSION, TRUE}
549 };
550
551 /* Enable recursion between acl_check_internal() and acl_check_condition() */
552
553 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
554 uschar **);
555
556
557 /*************************************************
558 * Pick out name from list *
559 *************************************************/
560
561 /* Use a binary chop method
562
563 Arguments:
564 name name to find
565 list list of names
566 end size of list
567
568 Returns: offset in list, or -1 if not found
569 */
570
571 static int
572 acl_checkname(uschar *name, uschar **list, int end)
573 {
574 int start = 0;
575
576 while (start < end)
577 {
578 int mid = (start + end)/2;
579 int c = Ustrcmp(name, list[mid]);
580 if (c == 0) return mid;
581 if (c < 0) end = mid; else start = mid + 1;
582 }
583
584 return -1;
585 }
586
587
588 /*************************************************
589 * Read and parse one ACL *
590 *************************************************/
591
592 /* This function is called both from readconf in order to parse the ACLs in the
593 configuration file, and also when an ACL is encountered dynamically (e.g. as
594 the result of an expansion). It is given a function to call in order to
595 retrieve the lines of the ACL. This function handles skipping comments and
596 blank lines (where relevant).
597
598 Arguments:
599 func function to get next line of ACL
600 error where to put an error message
601
602 Returns: pointer to ACL, or NULL
603 NULL can be legal (empty ACL); in this case error will be NULL
604 */
605
606 acl_block *
607 acl_read(uschar *(*func)(void), uschar **error)
608 {
609 acl_block *yield = NULL;
610 acl_block **lastp = &yield;
611 acl_block *this = NULL;
612 acl_condition_block *cond;
613 acl_condition_block **condp = NULL;
614 uschar *s;
615
616 *error = NULL;
617
618 while ((s = (*func)()) != NULL)
619 {
620 int v, c;
621 BOOL negated = FALSE;
622 uschar *saveline = s;
623 uschar name[64];
624
625 /* Conditions (but not verbs) are allowed to be negated by an initial
626 exclamation mark. */
627
628 while (isspace(*s)) s++;
629 if (*s == '!')
630 {
631 negated = TRUE;
632 s++;
633 }
634
635 /* Read the name of a verb or a condition, or the start of a new ACL */
636
637 s = readconf_readname(name, sizeof(name), s);
638 if (*s == ':')
639 {
640 if (negated || name[0] == 0)
641 {
642 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
643 return NULL;
644 }
645 break;
646 }
647
648 /* If a verb is unrecognized, it may be another condition or modifier that
649 continues the previous verb. */
650
651 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
652 if (v < 0)
653 {
654 if (this == NULL)
655 {
656 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
657 return NULL;
658 }
659 }
660
661 /* New verb */
662
663 else
664 {
665 if (negated)
666 {
667 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
668 return NULL;
669 }
670 this = store_get(sizeof(acl_block));
671 *lastp = this;
672 lastp = &(this->next);
673 this->next = NULL;
674 this->verb = v;
675 this->condition = NULL;
676 condp = &(this->condition);
677 if (*s == 0) continue; /* No condition on this line */
678 if (*s == '!')
679 {
680 negated = TRUE;
681 s++;
682 }
683 s = readconf_readname(name, sizeof(name), s); /* Condition name */
684 }
685
686 /* Handle a condition or modifier. */
687
688 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
689 if (c < 0)
690 {
691 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
692 saveline);
693 return NULL;
694 }
695
696 /* The modifiers may not be negated */
697
698 if (negated && cond_modifiers[c])
699 {
700 *error = string_sprintf("ACL error: negation is not allowed with "
701 "\"%s\"", conditions[c]);
702 return NULL;
703 }
704
705 /* ENDPASS may occur only with ACCEPT or DISCARD. */
706
707 if (c == ACLC_ENDPASS &&
708 this->verb != ACL_ACCEPT &&
709 this->verb != ACL_DISCARD)
710 {
711 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
712 conditions[c], verbs[this->verb]);
713 return NULL;
714 }
715
716 cond = store_get(sizeof(acl_condition_block));
717 cond->next = NULL;
718 cond->type = c;
719 cond->u.negated = negated;
720
721 *condp = cond;
722 condp = &(cond->next);
723
724 /* The "set" modifier is different in that its argument is "name=value"
725 rather than just a value, and we can check the validity of the name, which
726 gives us a variable number to insert into the data block. */
727
728 if (c == ACLC_SET)
729 {
730 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
731 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
732 {
733 *error = string_sprintf("unrecognized name after \"set\" in ACL "
734 "modifier \"set %s\"", s);
735 return NULL;
736 }
737
738 cond->u.varnumber = s[5] - '0';
739 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
740 s += 6;
741 while (isspace(*s)) s++;
742 }
743
744 /* For "set", we are now positioned for the data. For the others, only
745 "endpass" has no data */
746
747 if (c != ACLC_ENDPASS)
748 {
749 if (*s++ != '=')
750 {
751 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
752 cond_modifiers[c]? US"modifier" : US"condition");
753 return NULL;
754 }
755 while (isspace(*s)) s++;
756 cond->arg = string_copy(s);
757 }
758 }
759
760 return yield;
761 }
762
763
764
765 /*************************************************
766 * Handle warnings *
767 *************************************************/
768
769 /* This function is called when a WARN verb's conditions are true. It adds to
770 the message's headers, and/or writes information to the log. In each case, this
771 only happens once (per message for headers, per connection for log).
772
773 Arguments:
774 where ACL_WHERE_xxxx indicating which ACL this is
775 user_message message for adding to headers
776 log_message message for logging, if different
777
778 Returns: nothing
779 */
780
781 static void
782 acl_warn(int where, uschar *user_message, uschar *log_message)
783 {
784 int hlen;
785
786 if (log_message != NULL && log_message != user_message)
787 {
788 uschar *text;
789 string_item *logged;
790
791 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
792 string_printing(log_message));
793
794 /* If a sender verification has failed, and the log message is "sender verify
795 failed", add the failure message. */
796
797 if (sender_verified_failed != NULL &&
798 sender_verified_failed->message != NULL &&
799 strcmpic(log_message, US"sender verify failed") == 0)
800 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
801
802 /* Search previously logged warnings. They are kept in malloc store so they
803 can be freed at the start of a new message. */
804
805 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
806 if (Ustrcmp(logged->text, text) == 0) break;
807
808 if (logged == NULL)
809 {
810 int length = Ustrlen(text) + 1;
811 log_write(0, LOG_MAIN, "%s", text);
812 logged = store_malloc(sizeof(string_item) + length);
813 logged->text = (uschar *)logged + sizeof(string_item);
814 memcpy(logged->text, text, length);
815 logged->next = acl_warn_logged;
816 acl_warn_logged = logged;
817 }
818 }
819
820 /* If there's no user message, we are done. */
821
822 if (user_message == NULL) return;
823
824 /* If this isn't a message ACL, we can't do anything with a user message.
825 Log an error. */
826
827 if (where > ACL_WHERE_NOTSMTP)
828 {
829 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
830 "found in a non-message (%s) ACL: cannot specify header lines here: "
831 "message ignored", acl_wherenames[where]);
832 return;
833 }
834
835 /* Treat the user message as a sequence of one or more header lines. */
836
837 hlen = Ustrlen(user_message);
838 if (hlen > 0)
839 {
840 uschar *text, *p, *q;
841
842 /* Add a final newline if not present */
843
844 text = ((user_message)[hlen-1] == '\n')? user_message :
845 string_sprintf("%s\n", user_message);
846
847 /* Loop for multiple header lines, taking care about continuations */
848
849 for (p = q = text; *p != 0; )
850 {
851 uschar *s;
852 int newtype = htype_add_bot;
853 header_line **hptr = &acl_warn_headers;
854
855 /* Find next header line within the string */
856
857 for (;;)
858 {
859 q = Ustrchr(q, '\n');
860 if (*(++q) != ' ' && *q != '\t') break;
861 }
862
863 /* If the line starts with a colon, interpret the instruction for where to
864 add it. This temporarily sets up a new type. */
865
866 if (*p == ':')
867 {
868 if (strncmpic(p, US":after_received:", 16) == 0)
869 {
870 newtype = htype_add_rec;
871 p += 16;
872 }
873 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
874 {
875 newtype = htype_add_rfc;
876 p += 14;
877 }
878 else if (strncmpic(p, US":at_start:", 10) == 0)
879 {
880 newtype = htype_add_top;
881 p += 10;
882 }
883 else if (strncmpic(p, US":at_end:", 8) == 0)
884 {
885 newtype = htype_add_bot;
886 p += 8;
887 }
888 while (*p == ' ' || *p == '\t') p++;
889 }
890
891 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
892 to the front of it. */
893
894 for (s = p; s < q - 1; s++)
895 {
896 if (*s == ':' || !isgraph(*s)) break;
897 }
898
899 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
900 hlen = Ustrlen(s);
901
902 /* See if this line has already been added */
903
904 while (*hptr != NULL)
905 {
906 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
907 hptr = &((*hptr)->next);
908 }
909
910 /* Add if not previously present */
911
912 if (*hptr == NULL)
913 {
914 header_line *h = store_get(sizeof(header_line));
915 h->text = s;
916 h->next = NULL;
917 h->type = newtype;
918 h->slen = hlen;
919 *hptr = h;
920 hptr = &(h->next);
921 }
922
923 /* Advance for next header line within the string */
924
925 p = q;
926 }
927 }
928 }
929
930
931
932 /*************************************************
933 * Verify and check reverse DNS *
934 *************************************************/
935
936 /* Called from acl_verify() below. We look up the host name(s) of the client IP
937 address if this has not yet been done. The host_name_lookup() function checks
938 that one of these names resolves to an address list that contains the client IP
939 address, so we don't actually have to do the check here.
940
941 Arguments:
942 user_msgptr pointer for user message
943 log_msgptr pointer for log message
944
945 Returns: OK verification condition succeeded
946 FAIL verification failed
947 DEFER there was a problem verifying
948 */
949
950 static int
951 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
952 {
953 int rc;
954
955 user_msgptr = user_msgptr; /* stop compiler warning */
956
957 /* Previous success */
958
959 if (sender_host_name != NULL) return OK;
960
961 /* Previous failure */
962
963 if (host_lookup_failed)
964 {
965 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
966 return FAIL;
967 }
968
969 /* Need to do a lookup */
970
971 HDEBUG(D_acl)
972 debug_printf("looking up host name to force name/address consistency check\n");
973
974 if ((rc = host_name_lookup()) != OK)
975 {
976 *log_msgptr = (rc == DEFER)?
977 US"host lookup deferred for reverse lookup check"
978 :
979 string_sprintf("host lookup failed for reverse lookup check%s",
980 host_lookup_msg);
981 return rc; /* DEFER or FAIL */
982 }
983
984 host_build_sender_fullhost();
985 return OK;
986 }
987
988
989
990 /*************************************************
991 * Handle verification (address & other) *
992 *************************************************/
993
994 /* This function implements the "verify" condition. It is called when
995 encountered in any ACL, because some tests are almost always permitted. Some
996 just don't make sense, and always fail (for example, an attempt to test a host
997 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
998
999 Arguments:
1000 where where called from
1001 addr the recipient address that the ACL is handling, or NULL
1002 arg the argument of "verify"
1003 user_msgptr pointer for user message
1004 log_msgptr pointer for log message
1005 basic_errno where to put verify errno
1006
1007 Returns: OK verification condition succeeded
1008 FAIL verification failed
1009 DEFER there was a problem verifying
1010 ERROR syntax error
1011 */
1012
1013 static int
1014 acl_verify(int where, address_item *addr, uschar *arg,
1015 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1016 {
1017 int sep = '/';
1018 int callout = -1;
1019 int callout_overall = -1;
1020 int callout_connect = -1;
1021 int verify_options = 0;
1022 int rc;
1023 BOOL verify_header_sender = FALSE;
1024 BOOL defer_ok = FALSE;
1025 BOOL callout_defer_ok = FALSE;
1026 BOOL no_details = FALSE;
1027 address_item *sender_vaddr = NULL;
1028 uschar *verify_sender_address = NULL;
1029 uschar *pm_mailfrom = NULL;
1030 uschar *se_mailfrom = NULL;
1031 uschar *list = arg;
1032 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1033
1034 if (ss == NULL) goto BAD_VERIFY;
1035
1036 /* Handle name/address consistency verification in a separate function. */
1037
1038 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1039 {
1040 if (sender_host_address == NULL) return OK;
1041 return acl_verify_reverse(user_msgptr, log_msgptr);
1042 }
1043
1044 /* TLS certificate verification is done at STARTTLS time; here we just
1045 test whether it was successful or not. (This is for optional verification; for
1046 mandatory verification, the connection doesn't last this long.) */
1047
1048 if (strcmpic(ss, US"certificate") == 0)
1049 {
1050 if (tls_certificate_verified) return OK;
1051 *user_msgptr = US"no verified certificate";
1052 return FAIL;
1053 }
1054
1055 /* We can test the result of optional HELO verification */
1056
1057 if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
1058
1059 /* Handle header verification options - permitted only after DATA or a non-SMTP
1060 message. */
1061
1062 if (strncmpic(ss, US"header_", 7) == 0)
1063 {
1064 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1065 {
1066 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1067 "(only possible in ACL for DATA)", acl_wherenames[where]);
1068 return ERROR;
1069 }
1070
1071 /* Check that all relevant header lines have the correct syntax. If there is
1072 a syntax error, we return details of the error to the sender if configured to
1073 send out full details. (But a "message" setting on the ACL can override, as
1074 always). */
1075
1076 if (strcmpic(ss+7, US"syntax") == 0)
1077 {
1078 int rc = verify_check_headers(log_msgptr);
1079 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1080 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1081 return rc;
1082 }
1083
1084 /* Check that there is at least one verifiable sender address in the relevant
1085 header lines. This can be followed by callout and defer options, just like
1086 sender and recipient. */
1087
1088 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
1089
1090 /* Unknown verify argument starting with "header_" */
1091
1092 else goto BAD_VERIFY;
1093 }
1094
1095 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1096 In the case of a sender, this can optionally be followed by an address to use
1097 in place of the actual sender (rare special-case requirement). */
1098
1099 else if (strncmpic(ss, US"sender", 6) == 0)
1100 {
1101 uschar *s = ss + 6;
1102 if (where > ACL_WHERE_NOTSMTP)
1103 {
1104 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1105 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1106 acl_wherenames[where]);
1107 return ERROR;
1108 }
1109 if (*s == 0)
1110 verify_sender_address = sender_address;
1111 else
1112 {
1113 while (isspace(*s)) s++;
1114 if (*s++ != '=') goto BAD_VERIFY;
1115 while (isspace(*s)) s++;
1116 verify_sender_address = string_copy(s);
1117 }
1118 }
1119 else
1120 {
1121 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1122 if (addr == NULL)
1123 {
1124 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1125 "(only possible for RCPT)", acl_wherenames[where]);
1126 return ERROR;
1127 }
1128 }
1129
1130 /* Remaining items are optional */
1131
1132 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1133 != NULL)
1134 {
1135 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1136 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1137
1138 /* These two old options are left for backwards compatibility */
1139
1140 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1141 {
1142 callout_defer_ok = TRUE;
1143 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1144 }
1145
1146 else if (strcmpic(ss, US"check_postmaster") == 0)
1147 {
1148 pm_mailfrom = US"";
1149 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1150 }
1151
1152 /* The callout option has a number of sub-options, comma separated */
1153
1154 else if (strncmpic(ss, US"callout", 7) == 0)
1155 {
1156 callout = CALLOUT_TIMEOUT_DEFAULT;
1157 ss += 7;
1158 if (*ss != 0)
1159 {
1160 while (isspace(*ss)) ss++;
1161 if (*ss++ == '=')
1162 {
1163 int optsep = ',';
1164 uschar *opt;
1165 uschar buffer[256];
1166 while (isspace(*ss)) ss++;
1167
1168 /* This callout option handling code has become a mess as new options
1169 have been added in an ad hoc manner. It should be tidied up into some
1170 kind of table-driven thing. */
1171
1172 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1173 != NULL)
1174 {
1175 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1176 else if (strcmpic(opt, US"no_cache") == 0)
1177 verify_options |= vopt_callout_no_cache;
1178 else if (strcmpic(opt, US"random") == 0)
1179 verify_options |= vopt_callout_random;
1180 else if (strcmpic(opt, US"use_sender") == 0)
1181 verify_options |= vopt_callout_recipsender;
1182 else if (strcmpic(opt, US"use_postmaster") == 0)
1183 verify_options |= vopt_callout_recippmaster;
1184 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1185
1186 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1187 {
1188 if (!verify_header_sender)
1189 {
1190 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1191 "callout option only for verify=header_sender (detected in ACL "
1192 "condition \"%s\")", arg);
1193 return ERROR;
1194 }
1195 opt += 8;
1196 while (isspace(*opt)) opt++;
1197 if (*opt++ != '=')
1198 {
1199 *log_msgptr = string_sprintf("'=' expected after "
1200 "\"mailfrom\" in ACL condition \"%s\"", arg);
1201 return ERROR;
1202 }
1203 while (isspace(*opt)) opt++;
1204 se_mailfrom = string_copy(opt);
1205 }
1206
1207 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1208 {
1209 opt += 19;
1210 while (isspace(*opt)) opt++;
1211 if (*opt++ != '=')
1212 {
1213 *log_msgptr = string_sprintf("'=' expected after "
1214 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1215 return ERROR;
1216 }
1217 while (isspace(*opt)) opt++;
1218 pm_mailfrom = string_copy(opt);
1219 }
1220
1221 else if (strncmpic(opt, US"maxwait", 7) == 0)
1222 {
1223 opt += 7;
1224 while (isspace(*opt)) opt++;
1225 if (*opt++ != '=')
1226 {
1227 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1228 "ACL condition \"%s\"", arg);
1229 return ERROR;
1230 }
1231 while (isspace(*opt)) opt++;
1232 callout_overall = readconf_readtime(opt, 0, FALSE);
1233 if (callout_overall < 0)
1234 {
1235 *log_msgptr = string_sprintf("bad time value in ACL condition "
1236 "\"verify %s\"", arg);
1237 return ERROR;
1238 }
1239 }
1240 else if (strncmpic(opt, US"connect", 7) == 0)
1241 {
1242 opt += 7;
1243 while (isspace(*opt)) opt++;
1244 if (*opt++ != '=')
1245 {
1246 *log_msgptr = string_sprintf("'=' expected after "
1247 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1248 return ERROR;
1249 }
1250 while (isspace(*opt)) opt++;
1251 callout_connect = readconf_readtime(opt, 0, FALSE);
1252 if (callout_connect < 0)
1253 {
1254 *log_msgptr = string_sprintf("bad time value in ACL condition "
1255 "\"verify %s\"", arg);
1256 return ERROR;
1257 }
1258 }
1259 else /* Plain time is callout connect/command timeout */
1260 {
1261 callout = readconf_readtime(opt, 0, FALSE);
1262 if (callout < 0)
1263 {
1264 *log_msgptr = string_sprintf("bad time value in ACL condition "
1265 "\"verify %s\"", arg);
1266 return ERROR;
1267 }
1268 }
1269 }
1270 }
1271 else
1272 {
1273 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1274 "ACL condition \"%s\"", arg);
1275 return ERROR;
1276 }
1277 }
1278 }
1279
1280 /* Option not recognized */
1281
1282 else
1283 {
1284 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1285 "condition \"verify %s\"", ss, arg);
1286 return ERROR;
1287 }
1288 }
1289
1290 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1291 (vopt_callout_recipsender|vopt_callout_recippmaster))
1292 {
1293 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1294 "for a recipient callout";
1295 return ERROR;
1296 }
1297
1298 /* Handle sender-in-header verification. Default the user message to the log
1299 message if giving out verification details. */
1300
1301 if (verify_header_sender)
1302 {
1303 int verrno;
1304 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1305 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1306 &verrno);
1307 if (rc != OK)
1308 {
1309 *basic_errno = verrno;
1310 if (smtp_return_error_details)
1311 {
1312 if (*user_msgptr == NULL && *log_msgptr != NULL)
1313 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1314 if (rc == DEFER) acl_temp_details = TRUE;
1315 }
1316 }
1317 }
1318
1319 /* Handle a sender address. The default is to verify *the* sender address, but
1320 optionally a different address can be given, for special requirements. If the
1321 address is empty, we are dealing with a bounce message that has no sender, so
1322 we cannot do any checking. If the real sender address gets rewritten during
1323 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1324 during message reception.
1325
1326 A list of verified "sender" addresses is kept to try to avoid doing to much
1327 work repetitively when there are multiple recipients in a message and they all
1328 require sender verification. However, when callouts are involved, it gets too
1329 complicated because different recipients may require different callout options.
1330 Therefore, we always do a full sender verify when any kind of callout is
1331 specified. Caching elsewhere, for instance in the DNS resolver and in the
1332 callout handling, should ensure that this is not terribly inefficient. */
1333
1334 else if (verify_sender_address != NULL)
1335 {
1336 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1337 != 0)
1338 {
1339 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1340 "sender verify callout";
1341 return ERROR;
1342 }
1343
1344 sender_vaddr = verify_checked_sender(verify_sender_address);
1345 if (sender_vaddr != NULL && /* Previously checked */
1346 callout <= 0) /* No callout needed this time */
1347 {
1348 /* If the "routed" flag is set, it means that routing worked before, so
1349 this check can give OK (the saved return code value, if set, belongs to a
1350 callout that was done previously). If the "routed" flag is not set, routing
1351 must have failed, so we use the saved return code. */
1352
1353 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1354 {
1355 rc = sender_vaddr->special_action;
1356 *basic_errno = sender_vaddr->basic_errno;
1357 }
1358 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1359 }
1360
1361 /* Do a new verification, and cache the result. The cache is used to avoid
1362 verifying the sender multiple times for multiple RCPTs when callouts are not
1363 specified (see comments above).
1364
1365 The cache is also used on failure to give details in response to the first
1366 RCPT that gets bounced for this reason. However, this can be suppressed by
1367 the no_details option, which sets the flag that says "this detail has already
1368 been sent". The cache normally contains just one address, but there may be
1369 more in esoteric circumstances. */
1370
1371 else
1372 {
1373 BOOL routed = TRUE;
1374 uschar *save_address_data = deliver_address_data;
1375
1376 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1377 if (no_details) setflag(sender_vaddr, af_sverify_told);
1378 if (verify_sender_address[0] != 0)
1379 {
1380 /* If this is the real sender address, save the unrewritten version
1381 for use later in receive. Otherwise, set a flag so that rewriting the
1382 sender in verify_address() does not update sender_address. */
1383
1384 if (verify_sender_address == sender_address)
1385 sender_address_unrewritten = sender_address;
1386 else
1387 verify_options |= vopt_fake_sender;
1388
1389 /* The recipient, qualify, and expn options are never set in
1390 verify_options. */
1391
1392 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1393 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1394
1395 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1396
1397 if (rc == OK)
1398 {
1399 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1400 {
1401 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1402 verify_sender_address, sender_vaddr->address);
1403 }
1404 else
1405 {
1406 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1407 verify_sender_address);
1408 }
1409 }
1410 else *basic_errno = sender_vaddr->basic_errno;
1411 }
1412 else rc = OK; /* Null sender */
1413
1414 /* Cache the result code */
1415
1416 if (routed) setflag(sender_vaddr, af_verify_routed);
1417 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1418 sender_vaddr->special_action = rc;
1419 sender_vaddr->next = sender_verified_list;
1420 sender_verified_list = sender_vaddr;
1421
1422 /* Restore the recipient address data, which might have been clobbered by
1423 the sender verification. */
1424
1425 deliver_address_data = save_address_data;
1426 }
1427
1428 /* Put the sender address_data value into $sender_address_data */
1429
1430 sender_address_data = sender_vaddr->p.address_data;
1431 }
1432
1433 /* A recipient address just gets a straightforward verify; again we must handle
1434 the DEFER overrides. */
1435
1436 else
1437 {
1438 address_item addr2;
1439
1440 /* We must use a copy of the address for verification, because it might
1441 get rewritten. */
1442
1443 addr2 = *addr;
1444 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1445 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1446 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1447
1448 *log_msgptr = addr2.message;
1449 *user_msgptr = (addr2.user_message != NULL)?
1450 addr2.user_message : addr2.message;
1451 *basic_errno = addr2.basic_errno;
1452
1453 /* Make $address_data visible */
1454 deliver_address_data = addr2.p.address_data;
1455 }
1456
1457 /* We have a result from the relevant test. Handle defer overrides first. */
1458
1459 if (rc == DEFER && (defer_ok ||
1460 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1461 {
1462 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1463 defer_ok? "defer_ok" : "callout_defer_ok");
1464 rc = OK;
1465 }
1466
1467 /* If we've failed a sender, set up a recipient message, and point
1468 sender_verified_failed to the address item that actually failed. */
1469
1470 if (rc != OK && verify_sender_address != NULL)
1471 {
1472 if (rc != DEFER)
1473 {
1474 *log_msgptr = *user_msgptr = US"Sender verify failed";
1475 }
1476 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1477 {
1478 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1479 }
1480 else
1481 {
1482 *log_msgptr = US"Could not complete sender verify callout";
1483 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1484 *log_msgptr;
1485 }
1486
1487 sender_verified_failed = sender_vaddr;
1488 }
1489
1490 /* Verifying an address messes up the values of $domain and $local_part,
1491 so reset them before returning if this is a RCPT ACL. */
1492
1493 if (addr != NULL)
1494 {
1495 deliver_domain = addr->domain;
1496 deliver_localpart = addr->local_part;
1497 }
1498 return rc;
1499
1500 /* Syntax errors in the verify argument come here. */
1501
1502 BAD_VERIFY:
1503 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1504 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1505 "\"verify %s\"", arg);
1506 return ERROR;
1507 }
1508
1509
1510
1511
1512 /*************************************************
1513 * Check argument for control= modifier *
1514 *************************************************/
1515
1516 /* Called from acl_check_condition() below
1517
1518 Arguments:
1519 arg the argument string for control=
1520 pptr set to point to the terminating character
1521 where which ACL we are in
1522 log_msgptr for error messages
1523
1524 Returns: CONTROL_xxx value
1525 */
1526
1527 static int
1528 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1529 {
1530 int len;
1531 control_def *d;
1532
1533 for (d = controls_list;
1534 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1535 d++)
1536 {
1537 len = Ustrlen(d->name);
1538 if (Ustrncmp(d->name, arg, len) == 0) break;
1539 }
1540
1541 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1542 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1543 {
1544 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1545 return CONTROL_ERROR;
1546 }
1547
1548 *pptr = arg + len;
1549 return d->value;
1550 }
1551
1552
1553
1554 /*************************************************
1555 * Handle conditions/modifiers on an ACL item *
1556 *************************************************/
1557
1558 /* Called from acl_check() below.
1559
1560 Arguments:
1561 verb ACL verb
1562 cb ACL condition block - if NULL, result is OK
1563 where where called from
1564 addr the address being checked for RCPT, or NULL
1565 level the nesting level
1566 epp pointer to pass back TRUE if "endpass" encountered
1567 (applies only to "accept" and "discard")
1568 user_msgptr user message pointer
1569 log_msgptr log message pointer
1570 basic_errno pointer to where to put verify error
1571
1572 Returns: OK - all conditions are met
1573 DISCARD - an "acl" condition returned DISCARD - only allowed
1574 for "accept" or "discard" verbs
1575 FAIL - at least one condition fails
1576 FAIL_DROP - an "acl" condition returned FAIL_DROP
1577 DEFER - can't tell at the moment (typically, lookup defer,
1578 but can be temporary callout problem)
1579 ERROR - ERROR from nested ACL or expansion failure or other
1580 error
1581 */
1582
1583 static int
1584 acl_check_condition(int verb, acl_condition_block *cb, int where,
1585 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1586 uschar **log_msgptr, int *basic_errno)
1587 {
1588 uschar *user_message = NULL;
1589 uschar *log_message = NULL;
1590 uschar *p;
1591 int rc = OK;
1592 #ifdef WITH_CONTENT_SCAN
1593 int sep = '/';
1594 #endif
1595
1596 for (; cb != NULL; cb = cb->next)
1597 {
1598 uschar *arg;
1599 int control_type;
1600
1601 /* The message and log_message items set up messages to be used in
1602 case of rejection. They are expanded later. */
1603
1604 if (cb->type == ACLC_MESSAGE)
1605 {
1606 user_message = cb->arg;
1607 continue;
1608 }
1609
1610 if (cb->type == ACLC_LOG_MESSAGE)
1611 {
1612 log_message = cb->arg;
1613 continue;
1614 }
1615
1616 /* The endpass "condition" just sets a flag to show it occurred. This is
1617 checked at compile time to be on an "accept" or "discard" item. */
1618
1619 if (cb->type == ACLC_ENDPASS)
1620 {
1621 *epp = TRUE;
1622 continue;
1623 }
1624
1625 /* For other conditions and modifiers, the argument is expanded now for some
1626 of them, but not for all, because expansion happens down in some lower level
1627 checking functions in some cases. */
1628
1629 if (cond_expand_at_top[cb->type])
1630 {
1631 arg = expand_string(cb->arg);
1632 if (arg == NULL)
1633 {
1634 if (expand_string_forcedfail) continue;
1635 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1636 cb->arg, expand_string_message);
1637 return search_find_defer? DEFER : ERROR;
1638 }
1639 }
1640 else arg = cb->arg;
1641
1642 /* Show condition, and expanded condition if it's different */
1643
1644 HDEBUG(D_acl)
1645 {
1646 int lhswidth = 0;
1647 debug_printf("check %s%s %n",
1648 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1649 conditions[cb->type], &lhswidth);
1650
1651 if (cb->type == ACLC_SET)
1652 {
1653 int n = cb->u.varnumber;
1654 int t = (n < ACL_C_MAX)? 'c' : 'm';
1655 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1656 debug_printf("acl_%c%d ", t, n);
1657 lhswidth += 7;
1658 }
1659
1660 debug_printf("= %s\n", cb->arg);
1661
1662 if (arg != cb->arg)
1663 debug_printf("%.*s= %s\n", lhswidth,
1664 US" ", CS arg);
1665 }
1666
1667 /* Check that this condition makes sense at this time */
1668
1669 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1670 {
1671 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1672 cond_modifiers[cb->type]? "use" : "test",
1673 conditions[cb->type], acl_wherenames[where]);
1674 return ERROR;
1675 }
1676
1677 /* Run the appropriate test for each condition, or take the appropriate
1678 action for the remaining modifiers. */
1679
1680 switch(cb->type)
1681 {
1682 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1683 "discard" verb. */
1684
1685 case ACLC_ACL:
1686 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1687 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1688 {
1689 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1690 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1691 verbs[verb]);
1692 return ERROR;
1693 }
1694 break;
1695
1696 case ACLC_AUTHENTICATED:
1697 rc = (sender_host_authenticated == NULL)? FAIL :
1698 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1699 TRUE, NULL);
1700 break;
1701
1702 #ifdef EXPERIMENTAL_BRIGHTMAIL
1703 case ACLC_BMI_OPTIN:
1704 {
1705 int old_pool = store_pool;
1706 store_pool = POOL_PERM;
1707 bmi_current_optin = string_copy(arg);
1708 store_pool = old_pool;
1709 }
1710 break;
1711 #endif
1712
1713 case ACLC_CONDITION:
1714 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1715 rc = (Uatoi(arg) == 0)? FAIL : OK;
1716 else
1717 rc = (strcmpic(arg, US"no") == 0 ||
1718 strcmpic(arg, US"false") == 0)? FAIL :
1719 (strcmpic(arg, US"yes") == 0 ||
1720 strcmpic(arg, US"true") == 0)? OK : DEFER;
1721 if (rc == DEFER)
1722 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1723 break;
1724
1725 case ACLC_CONTROL:
1726 control_type = decode_control(arg, &p, where, log_msgptr);
1727
1728 /* Check if this control makes sense at this time */
1729
1730 if ((control_forbids[control_type] & (1 << where)) != 0)
1731 {
1732 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1733 controls[control_type], acl_wherenames[where]);
1734 return ERROR;
1735 }
1736
1737 switch(control_type)
1738 {
1739 #ifdef EXPERIMENTAL_BRIGHTMAIL
1740 case CONTROL_BMI_RUN:
1741 bmi_run = 1;
1742 break;
1743 #endif
1744 #ifdef EXPERIMENTAL_DOMAINKEYS
1745 case CONTROL_DK_VERIFY:
1746 dk_do_verify = 1;
1747 break;
1748 #endif
1749 case CONTROL_ERROR:
1750 return ERROR;
1751
1752 case CONTROL_CASEFUL_LOCAL_PART:
1753 deliver_localpart = addr->cc_local_part;
1754 break;
1755
1756 case CONTROL_CASELOWER_LOCAL_PART:
1757 deliver_localpart = addr->lc_local_part;
1758 break;
1759
1760 case CONTROL_ENFORCE_SYNC:
1761 smtp_enforce_sync = TRUE;
1762 break;
1763
1764 case CONTROL_NO_ENFORCE_SYNC:
1765 smtp_enforce_sync = FALSE;
1766 break;
1767
1768 #ifdef WITH_CONTENT_SCAN
1769 case CONTROL_NO_MBOX_UNSPOOL:
1770 no_mbox_unspool = TRUE;
1771 break;
1772 #endif
1773
1774 case CONTROL_NO_MULTILINE:
1775 no_multiline_responses = TRUE;
1776 break;
1777
1778 case CONTROL_FAKEREJECT:
1779 fake_reject = TRUE;
1780 if (*p == '/')
1781 {
1782 uschar *pp = p + 1;
1783 while (*pp != 0) pp++;
1784 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1785 p = pp;
1786 }
1787 else
1788 {
1789 /* Explicitly reset to default string */
1790 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
1791 }
1792 break;
1793
1794 case CONTROL_FREEZE:
1795 deliver_freeze = TRUE;
1796 deliver_frozen_at = time(NULL);
1797 break;
1798
1799 case CONTROL_QUEUE_ONLY:
1800 queue_only_policy = TRUE;
1801 break;
1802
1803 case CONTROL_SUBMISSION:
1804 submission_mode = TRUE;
1805 while (*p == '/')
1806 {
1807 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1808 {
1809 p += 14;
1810 active_local_sender_retain = TRUE;
1811 active_local_from_check = FALSE;
1812 }
1813 else if (Ustrncmp(p, "/domain=", 8) == 0)
1814 {
1815 uschar *pp = p + 8;
1816 while (*pp != 0 && *pp != '/') pp++;
1817 submission_domain = string_copyn(p+8, pp-p);
1818 p = pp;
1819 }
1820 else break;
1821 }
1822 if (*p != 0)
1823 {
1824 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1825 return ERROR;
1826 }
1827 break;
1828 }
1829 break;
1830
1831 #ifdef WITH_CONTENT_SCAN
1832 case ACLC_DECODE:
1833 rc = mime_decode(&arg);
1834 break;
1835 #endif
1836
1837 case ACLC_DELAY:
1838 {
1839 int delay = readconf_readtime(arg, 0, FALSE);
1840 if (delay < 0)
1841 {
1842 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1843 "modifier: \"%s\" is not a time value", arg);
1844 return ERROR;
1845 }
1846 else
1847 {
1848 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1849 delay);
1850 if (host_checking)
1851 {
1852 HDEBUG(D_acl)
1853 debug_printf("delay skipped in -bh checking mode\n");
1854 }
1855 else
1856 {
1857 while (delay > 0) delay = sleep(delay);
1858 }
1859 }
1860 }
1861 break;
1862
1863 #ifdef WITH_OLD_DEMIME
1864 case ACLC_DEMIME:
1865 rc = demime(&arg);
1866 break;
1867 #endif
1868
1869 #ifdef EXPERIMENTAL_DOMAINKEYS
1870 case ACLC_DK_DOMAIN_SOURCE:
1871 if (dk_verify_block == NULL) { rc = FAIL; break; };
1872 /* check header source of domain against given string */
1873 switch (dk_verify_block->address_source) {
1874 case DK_EXIM_ADDRESS_FROM_FROM:
1875 rc = match_isinlist(US"from", &arg, 0, NULL,
1876 NULL, MCL_STRING, TRUE, NULL);
1877 break;
1878 case DK_EXIM_ADDRESS_FROM_SENDER:
1879 rc = match_isinlist(US"sender", &arg, 0, NULL,
1880 NULL, MCL_STRING, TRUE, NULL);
1881 break;
1882 case DK_EXIM_ADDRESS_NONE:
1883 rc = match_isinlist(US"none", &arg, 0, NULL,
1884 NULL, MCL_STRING, TRUE, NULL);
1885 break;
1886 }
1887 break;
1888 case ACLC_DK_POLICY:
1889 if (dk_verify_block == NULL) { rc = FAIL; break; };
1890 /* check policy against given string, default FAIL */
1891 rc = FAIL;
1892 if (dk_verify_block->signsall)
1893 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1894 NULL, MCL_STRING, TRUE, NULL);
1895 if (dk_verify_block->testing)
1896 rc = match_isinlist(US"testing", &arg, 0, NULL,
1897 NULL, MCL_STRING, TRUE, NULL);
1898 break;
1899 case ACLC_DK_SENDER_DOMAINS:
1900 if (dk_verify_block == NULL) { rc = FAIL; break; };
1901 if (dk_verify_block->domain != NULL)
1902 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1903 NULL, MCL_DOMAIN, TRUE, NULL);
1904 else rc = FAIL;
1905 break;
1906 case ACLC_DK_SENDER_LOCAL_PARTS:
1907 if (dk_verify_block == NULL) { rc = FAIL; break; };
1908 if (dk_verify_block->local_part != NULL)
1909 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1910 NULL, MCL_LOCALPART, TRUE, NULL);
1911 else rc = FAIL;
1912 break;
1913 case ACLC_DK_SENDERS:
1914 if (dk_verify_block == NULL) { rc = FAIL; break; };
1915 if (dk_verify_block->address != NULL)
1916 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1917 else rc = FAIL;
1918 break;
1919 case ACLC_DK_STATUS:
1920 if (dk_verify_block == NULL) { rc = FAIL; break; };
1921 if (dk_verify_block->result > 0) {
1922 switch(dk_verify_block->result) {
1923 case DK_EXIM_RESULT_BAD_FORMAT:
1924 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1925 NULL, MCL_STRING, TRUE, NULL);
1926 break;
1927 case DK_EXIM_RESULT_NO_KEY:
1928 rc = match_isinlist(US"no key", &arg, 0, NULL,
1929 NULL, MCL_STRING, TRUE, NULL);
1930 break;
1931 case DK_EXIM_RESULT_NO_SIGNATURE:
1932 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1933 NULL, MCL_STRING, TRUE, NULL);
1934 break;
1935 case DK_EXIM_RESULT_REVOKED:
1936 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1937 NULL, MCL_STRING, TRUE, NULL);
1938 break;
1939 case DK_EXIM_RESULT_NON_PARTICIPANT:
1940 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1941 NULL, MCL_STRING, TRUE, NULL);
1942 break;
1943 case DK_EXIM_RESULT_GOOD:
1944 rc = match_isinlist(US"good", &arg, 0, NULL,
1945 NULL, MCL_STRING, TRUE, NULL);
1946 break;
1947 case DK_EXIM_RESULT_BAD:
1948 rc = match_isinlist(US"bad", &arg, 0, NULL,
1949 NULL, MCL_STRING, TRUE, NULL);
1950 break;
1951 }
1952 }
1953 break;
1954 #endif
1955
1956 case ACLC_DNSLISTS:
1957 rc = verify_check_dnsbl(&arg);
1958 break;
1959
1960 case ACLC_DOMAINS:
1961 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1962 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1963 break;
1964
1965 /* The value in tls_cipher is the full cipher name, for example,
1966 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1967 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1968 what may in practice come out of the SSL library - which at the time of
1969 writing is poorly documented. */
1970
1971 case ACLC_ENCRYPTED:
1972 if (tls_cipher == NULL) rc = FAIL; else
1973 {
1974 uschar *endcipher = NULL;
1975 uschar *cipher = Ustrchr(tls_cipher, ':');
1976 if (cipher == NULL) cipher = tls_cipher; else
1977 {
1978 endcipher = Ustrchr(++cipher, ':');
1979 if (endcipher != NULL) *endcipher = 0;
1980 }
1981 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1982 if (endcipher != NULL) *endcipher = ':';
1983 }
1984 break;
1985
1986 /* Use verify_check_this_host() instead of verify_check_host() so that
1987 we can pass over &host_data to catch any looked up data. Once it has been
1988 set, it retains its value so that it's still there if another ACL verb
1989 comes through here and uses the cache. However, we must put it into
1990 permanent store in case it is also expected to be used in a subsequent
1991 message in the same SMTP connection. */
1992
1993 case ACLC_HOSTS:
1994 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1995 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1996 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1997 break;
1998
1999 case ACLC_LOCAL_PARTS:
2000 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2001 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2002 &deliver_localpart_data);
2003 break;
2004
2005 case ACLC_LOGWRITE:
2006 {
2007 int logbits = 0;
2008 uschar *s = arg;
2009 if (*s == ':')
2010 {
2011 s++;
2012 while (*s != ':')
2013 {
2014 if (Ustrncmp(s, "main", 4) == 0)
2015 { logbits |= LOG_MAIN; s += 4; }
2016 else if (Ustrncmp(s, "panic", 5) == 0)
2017 { logbits |= LOG_PANIC; s += 5; }
2018 else if (Ustrncmp(s, "reject", 6) == 0)
2019 { logbits |= LOG_REJECT; s += 6; }
2020 else
2021 {
2022 logbits = LOG_MAIN|LOG_PANIC;
2023 s = string_sprintf(":unknown log name in \"%s\" in "
2024 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2025 }
2026 if (*s == ',') s++;
2027 }
2028 s++;
2029 }
2030 while (isspace(*s)) s++;
2031 if (logbits == 0) logbits = LOG_MAIN;
2032 log_write(0, logbits, "%s", string_printing(s));
2033 }
2034 break;
2035
2036 #ifdef WITH_CONTENT_SCAN
2037 case ACLC_MALWARE:
2038 {
2039 /* Seperate the regular expression and any optional parameters. */
2040 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2041 /* Run the malware backend. */
2042 rc = malware(&ss);
2043 /* Modify return code based upon the existance of options. */
2044 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2045 != NULL) {
2046 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2047 {
2048 /* FAIL so that the message is passed to the next ACL */
2049 rc = FAIL;
2050 }
2051 }
2052 }
2053 break;
2054
2055 case ACLC_MIME_REGEX:
2056 rc = mime_regex(&arg);
2057 break;
2058 #endif
2059
2060 case ACLC_RECIPIENTS:
2061 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2062 &recipient_data);
2063 break;
2064
2065 #ifdef WITH_CONTENT_SCAN
2066 case ACLC_REGEX:
2067 rc = regex(&arg);
2068 break;
2069 #endif
2070
2071 case ACLC_SENDER_DOMAINS:
2072 {
2073 uschar *sdomain;
2074 sdomain = Ustrrchr(sender_address, '@');
2075 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2076 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2077 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2078 }
2079 break;
2080
2081 case ACLC_SENDERS:
2082 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2083 sender_address_cache, -1, 0, &sender_data);
2084 break;
2085
2086 /* Connection variables must persist forever */
2087
2088 case ACLC_SET:
2089 {
2090 int old_pool = store_pool;
2091 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2092 acl_var[cb->u.varnumber] = string_copy(arg);
2093 store_pool = old_pool;
2094 }
2095 break;
2096
2097 #ifdef WITH_CONTENT_SCAN
2098 case ACLC_SPAM:
2099 {
2100 /* Seperate the regular expression and any optional parameters. */
2101 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2102 /* Run the spam backend. */
2103 rc = spam(&ss);
2104 /* Modify return code based upon the existance of options. */
2105 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2106 != NULL) {
2107 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2108 {
2109 /* FAIL so that the message is passed to the next ACL */
2110 rc = FAIL;
2111 }
2112 }
2113 }
2114 break;
2115 #endif
2116
2117 #ifdef EXPERIMENTAL_SPF
2118 case ACLC_SPF:
2119 rc = spf_process(&arg, sender_address);
2120 break;
2121 #endif
2122
2123 /* If the verb is WARN, discard any user message from verification, because
2124 such messages are SMTP responses, not header additions. The latter come
2125 only from explicit "message" modifiers. */
2126
2127 case ACLC_VERIFY:
2128 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2129 if (verb == ACL_WARN) *user_msgptr = NULL;
2130 break;
2131
2132 default:
2133 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2134 "condition %d", cb->type);
2135 break;
2136 }
2137
2138 /* If a condition was negated, invert OK/FAIL. */
2139
2140 if (!cond_modifiers[cb->type] && cb->u.negated)
2141 {
2142 if (rc == OK) rc = FAIL;
2143 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2144 }
2145
2146 if (rc != OK) break; /* Conditions loop */
2147 }
2148
2149
2150 /* If the result is the one for which "message" and/or "log_message" are used,
2151 handle the values of these options. Most verbs have but a single return for
2152 which the messages are relevant, but for "discard", it's useful to have the log
2153 message both when it succeeds and when it fails. Also, for an "accept" that
2154 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2155 and "warn" are permitted in that ACL, we don't need to test the verb.
2156
2157 These modifiers act in different ways:
2158
2159 "message" is a user message that will be included in an SMTP response. Unless
2160 it is empty, it overrides any previously set user message.
2161
2162 "log_message" is a non-user message, and it adds to any existing non-user
2163 message that is already set.
2164
2165 If there isn't a log message set, we make it the same as the user message. */
2166
2167 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2168 (verb == ACL_DISCARD && rc == OK) ||
2169 (where == ACL_WHERE_QUIT))
2170 {
2171 uschar *expmessage;
2172
2173 /* If the verb is "warn", messages generated by conditions (verification or
2174 nested ACLs) are discarded. Only messages specified at this level are used.
2175 However, the value of an existing message is available in $acl_verify_message
2176 during expansions. */
2177
2178 uschar *old_user_msgptr = *user_msgptr;
2179 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2180
2181 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2182
2183 if (user_message != NULL)
2184 {
2185 acl_verify_message = old_user_msgptr;
2186 expmessage = expand_string(user_message);
2187 if (expmessage == NULL)
2188 {
2189 if (!expand_string_forcedfail)
2190 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2191 user_message, expand_string_message);
2192 }
2193 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2194 }
2195
2196 if (log_message != NULL)
2197 {
2198 acl_verify_message = old_log_msgptr;
2199 expmessage = expand_string(log_message);
2200 if (expmessage == NULL)
2201 {
2202 if (!expand_string_forcedfail)
2203 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2204 log_message, expand_string_message);
2205 }
2206 else if (expmessage[0] != 0)
2207 {
2208 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2209 string_sprintf("%s: %s", expmessage, *log_msgptr);
2210 }
2211 }
2212
2213 /* If no log message, default it to the user message */
2214
2215 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2216 }
2217
2218 acl_verify_message = NULL;
2219 return rc;
2220 }
2221
2222
2223
2224
2225
2226 /*************************************************
2227 * Get line from a literal ACL *
2228 *************************************************/
2229
2230 /* This function is passed to acl_read() in order to extract individual lines
2231 of a literal ACL, which we access via static pointers. We can destroy the
2232 contents because this is called only once (the compiled ACL is remembered).
2233
2234 This code is intended to treat the data in the same way as lines in the main
2235 Exim configuration file. That is:
2236
2237 . Leading spaces are ignored.
2238
2239 . A \ at the end of a line is a continuation - trailing spaces after the \
2240 are permitted (this is because I don't believe in making invisible things
2241 significant). Leading spaces on the continued part of a line are ignored.
2242
2243 . Physical lines starting (significantly) with # are totally ignored, and
2244 may appear within a sequence of backslash-continued lines.
2245
2246 . Blank lines are ignored, but will end a sequence of continuations.
2247
2248 Arguments: none
2249 Returns: a pointer to the next line
2250 */
2251
2252
2253 static uschar *acl_text; /* Current pointer in the text */
2254 static uschar *acl_text_end; /* Points one past the terminating '0' */
2255
2256
2257 static uschar *
2258 acl_getline(void)
2259 {
2260 uschar *yield;
2261
2262 /* This loop handles leading blank lines and comments. */
2263
2264 for(;;)
2265 {
2266 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2267 if (*acl_text == 0) return NULL; /* No more data */
2268 yield = acl_text; /* Potential data line */
2269
2270 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2271
2272 /* If we hit the end before a newline, we have the whole logical line. If
2273 it's a comment, there's no more data to be given. Otherwise, yield it. */
2274
2275 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2276
2277 /* After reaching a newline, end this loop if the physical line does not
2278 start with '#'. If it does, it's a comment, and the loop continues. */
2279
2280 if (*yield != '#') break;
2281 }
2282
2283 /* This loop handles continuations. We know we have some real data, ending in
2284 newline. See if there is a continuation marker at the end (ignoring trailing
2285 white space). We know that *yield is not white space, so no need to test for
2286 cont > yield in the backwards scanning loop. */
2287
2288 for(;;)
2289 {
2290 uschar *cont;
2291 for (cont = acl_text - 1; isspace(*cont); cont--);
2292
2293 /* If no continuation follows, we are done. Mark the end of the line and
2294 return it. */
2295
2296 if (*cont != '\\')
2297 {
2298 *acl_text++ = 0;
2299 return yield;
2300 }
2301
2302 /* We have encountered a continuation. Skip over whitespace at the start of
2303 the next line, and indeed the whole of the next line or lines if they are
2304 comment lines. */
2305
2306 for (;;)
2307 {
2308 while (*(++acl_text) == ' ' || *acl_text == '\t');
2309 if (*acl_text != '#') break;
2310 while (*(++acl_text) != 0 && *acl_text != '\n');
2311 }
2312
2313 /* We have the start of a continuation line. Move all the rest of the data
2314 to join onto the previous line, and then find its end. If the end is not a
2315 newline, we are done. Otherwise loop to look for another continuation. */
2316
2317 memmove(cont, acl_text, acl_text_end - acl_text);
2318 acl_text_end -= acl_text - cont;
2319 acl_text = cont;
2320 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2321 if (*acl_text == 0) return yield;
2322 }
2323
2324 /* Control does not reach here */
2325 }
2326
2327
2328
2329
2330
2331 /*************************************************
2332 * Check access using an ACL *
2333 *************************************************/
2334
2335 /* This function is called from address_check. It may recurse via
2336 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2337 passed as a string which is expanded. A forced failure implies no access check
2338 is required. If the result is a single word, it is taken as the name of an ACL
2339 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2340 text, complete with newlines, and parsed as such. In both cases, the ACL check
2341 is then run. This function uses an auxiliary function for acl_read() to call
2342 for reading individual lines of a literal ACL. This is acl_getline(), which
2343 appears immediately above.
2344
2345 Arguments:
2346 where where called from
2347 addr address item when called from RCPT; otherwise NULL
2348 s the input string; NULL is the same as an empty ACL => DENY
2349 level the nesting level
2350 user_msgptr where to put a user error (for SMTP response)
2351 log_msgptr where to put a logging message (not for SMTP response)
2352
2353 Returns: OK access is granted
2354 DISCARD access is apparently granted...
2355 FAIL access is denied
2356 FAIL_DROP access is denied; drop the connection
2357 DEFER can't tell at the moment
2358 ERROR disaster
2359 */
2360
2361 static int
2362 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2363 uschar **user_msgptr, uschar **log_msgptr)
2364 {
2365 int fd = -1;
2366 acl_block *acl = NULL;
2367 uschar *acl_name = US"inline ACL";
2368 uschar *ss;
2369
2370 /* Catch configuration loops */
2371
2372 if (level > 20)
2373 {
2374 *log_msgptr = US"ACL nested too deep: possible loop";
2375 return ERROR;
2376 }
2377
2378 if (s == NULL)
2379 {
2380 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2381 return FAIL;
2382 }
2383
2384 /* At top level, we expand the incoming string. At lower levels, it has already
2385 been expanded as part of condition processing. */
2386
2387 if (level == 0)
2388 {
2389 ss = expand_string(s);
2390 if (ss == NULL)
2391 {
2392 if (expand_string_forcedfail) return OK;
2393 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2394 expand_string_message);
2395 return ERROR;
2396 }
2397 }
2398 else ss = s;
2399
2400 while (isspace(*ss))ss++;
2401
2402 /* If we can't find a named ACL, the default is to parse it as an inline one.
2403 (Unless it begins with a slash; non-existent files give rise to an error.) */
2404
2405 acl_text = ss;
2406
2407 /* Handle the case of a string that does not contain any spaces. Look for a
2408 named ACL among those read from the configuration, or a previously read file.
2409 It is possible that the pointer to the ACL is NULL if the configuration
2410 contains a name with no data. If not found, and the text begins with '/',
2411 read an ACL from a file, and save it so it can be re-used. */
2412
2413 if (Ustrchr(ss, ' ') == NULL)
2414 {
2415 tree_node *t = tree_search(acl_anchor, ss);
2416 if (t != NULL)
2417 {
2418 acl = (acl_block *)(t->data.ptr);
2419 if (acl == NULL)
2420 {
2421 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2422 return FAIL;
2423 }
2424 acl_name = string_sprintf("ACL \"%s\"", ss);
2425 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2426 }
2427
2428 else if (*ss == '/')
2429 {
2430 struct stat statbuf;
2431 fd = Uopen(ss, O_RDONLY, 0);
2432 if (fd < 0)
2433 {
2434 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2435 strerror(errno));
2436 return ERROR;
2437 }
2438
2439 if (fstat(fd, &statbuf) != 0)
2440 {
2441 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2442 strerror(errno));
2443 return ERROR;
2444 }
2445
2446 acl_text = store_get(statbuf.st_size + 1);
2447 acl_text_end = acl_text + statbuf.st_size + 1;
2448
2449 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2450 {
2451 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2452 ss, strerror(errno));
2453 return ERROR;
2454 }
2455 acl_text[statbuf.st_size] = 0;
2456 close(fd);
2457
2458 acl_name = string_sprintf("ACL \"%s\"", ss);
2459 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2460 }
2461 }
2462
2463 /* Parse an ACL that is still in text form. If it came from a file, remember it
2464 in the ACL tree, having read it into the POOL_PERM store pool so that it
2465 persists between multiple messages. */
2466
2467 if (acl == NULL)
2468 {
2469 int old_pool = store_pool;
2470 if (fd >= 0) store_pool = POOL_PERM;
2471 acl = acl_read(acl_getline, log_msgptr);
2472 store_pool = old_pool;
2473 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2474 if (fd >= 0)
2475 {
2476 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2477 Ustrcpy(t->name, ss);
2478 t->data.ptr = acl;
2479 (void)tree_insertnode(&acl_anchor, t);
2480 }
2481 }
2482
2483 /* Now we have an ACL to use. It's possible it may be NULL. */
2484
2485 while (acl != NULL)
2486 {
2487 int cond;
2488 int basic_errno = 0;
2489 BOOL endpass_seen = FALSE;
2490
2491 *log_msgptr = *user_msgptr = NULL;
2492 acl_temp_details = FALSE;
2493
2494 if (where == ACL_WHERE_QUIT &&
2495 acl->verb != ACL_ACCEPT &&
2496 acl->verb != ACL_WARN)
2497 {
2498 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2499 verbs[acl->verb]);
2500 return ERROR;
2501 }
2502
2503 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2504
2505 /* Clear out any search error message from a previous check before testing
2506 this condition. */
2507
2508 search_error_message = NULL;
2509 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2510 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2511
2512 /* Handle special returns: DEFER causes a return except on a WARN verb;
2513 ERROR always causes a return. */
2514
2515 switch (cond)
2516 {
2517 case DEFER:
2518 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2519 if (basic_errno != ERRNO_CALLOUTDEFER)
2520 {
2521 if (search_error_message != NULL && *search_error_message != 0)
2522 *log_msgptr = search_error_message;
2523 if (smtp_return_error_details) acl_temp_details = TRUE;
2524 }
2525 else
2526 {
2527 acl_temp_details = TRUE;
2528 }
2529 if (acl->verb != ACL_WARN) return DEFER;
2530 break;
2531
2532 default: /* Paranoia */
2533 case ERROR:
2534 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2535 return ERROR;
2536
2537 case OK:
2538 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2539 verbs[acl->verb]);
2540 break;
2541
2542 case FAIL:
2543 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2544 break;
2545
2546 /* DISCARD and DROP can happen only from a nested ACL condition, and
2547 DISCARD can happen only for an "accept" or "discard" verb. */
2548
2549 case DISCARD:
2550 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2551 verbs[acl->verb]);
2552 break;
2553
2554 case FAIL_DROP:
2555 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2556 verbs[acl->verb]);
2557 break;
2558 }
2559
2560 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2561 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2562 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2563
2564 switch(acl->verb)
2565 {
2566 case ACL_ACCEPT:
2567 if (cond == OK || cond == DISCARD) return cond;
2568 if (endpass_seen)
2569 {
2570 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2571 return cond;
2572 }
2573 break;
2574
2575 case ACL_DEFER:
2576 if (cond == OK)
2577 {
2578 acl_temp_details = TRUE;
2579 return DEFER;
2580 }
2581 break;
2582
2583 case ACL_DENY:
2584 if (cond == OK) return FAIL;
2585 break;
2586
2587 case ACL_DISCARD:
2588 if (cond == OK || cond == DISCARD) return DISCARD;
2589 if (endpass_seen)
2590 {
2591 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2592 return cond;
2593 }
2594 break;
2595
2596 case ACL_DROP:
2597 if (cond == OK) return FAIL_DROP;
2598 break;
2599
2600 case ACL_REQUIRE:
2601 if (cond != OK) return cond;
2602 break;
2603
2604 case ACL_WARN:
2605 if (cond == OK)
2606 acl_warn(where, *user_msgptr, *log_msgptr);
2607 else if (cond == DEFER)
2608 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2609 "condition test deferred: %s",
2610 (*log_msgptr == NULL)? US"" : *log_msgptr));
2611 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2612 break;
2613
2614 default:
2615 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2616 acl->verb);
2617 break;
2618 }
2619
2620 /* Pass to the next ACL item */
2621
2622 acl = acl->next;
2623 }
2624
2625 /* We have reached the end of the ACL. This is an implicit DENY. */
2626
2627 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2628 return FAIL;
2629 }
2630
2631
2632 /*************************************************
2633 * Check access using an ACL *
2634 *************************************************/
2635
2636 /* This is the external interface for ACL checks. It sets up an address and the
2637 expansions for $domain and $local_part when called after RCPT, then calls
2638 acl_check_internal() to do the actual work.
2639
2640 Arguments:
2641 where ACL_WHERE_xxxx indicating where called from
2642 data_string RCPT address, or SMTP command argument, or NULL
2643 s the input string; NULL is the same as an empty ACL => DENY
2644 user_msgptr where to put a user error (for SMTP response)
2645 log_msgptr where to put a logging message (not for SMTP response)
2646
2647 Returns: OK access is granted by an ACCEPT verb
2648 DISCARD access is granted by a DISCARD verb
2649 FAIL access is denied
2650 FAIL_DROP access is denied; drop the connection
2651 DEFER can't tell at the moment
2652 ERROR disaster
2653 */
2654
2655 int
2656 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2657 uschar **log_msgptr)
2658 {
2659 int rc;
2660 address_item adb;
2661 address_item *addr;
2662
2663 *user_msgptr = *log_msgptr = NULL;
2664 sender_verified_failed = NULL;
2665
2666 if (where == ACL_WHERE_RCPT)
2667 {
2668 adb = address_defaults;
2669 addr = &adb;
2670 addr->address = data_string;
2671 if (deliver_split_address(addr) == DEFER)
2672 {
2673 *log_msgptr = US"defer in percent_hack_domains check";
2674 return DEFER;
2675 }
2676 deliver_domain = addr->domain;
2677 deliver_localpart = addr->local_part;
2678 }
2679 else
2680 {
2681 addr = NULL;
2682 smtp_command_argument = data_string;
2683 }
2684
2685 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2686
2687 smtp_command_argument = deliver_domain =
2688 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2689
2690 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2691 ACL, which is really in the middle of an SMTP command. */
2692
2693 if (rc == DISCARD)
2694 {
2695 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2696 {
2697 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2698 "ACL", acl_wherenames[where]);
2699 return ERROR;
2700 }
2701 return DISCARD;
2702 }
2703
2704 /* A DROP response is not permitted from MAILAUTH */
2705
2706 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2707 {
2708 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2709 "ACL", acl_wherenames[where]);
2710 return ERROR;
2711 }
2712
2713 /* Before giving an error response, take a look at the length of any user
2714 message, and split it up into multiple lines if possible. */
2715
2716 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2717 {
2718 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2719 uschar *ss = s;
2720
2721 for (;;)
2722 {
2723 int i = 0;
2724 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2725 if (*ss == 0) break;
2726 if (*ss == '\n')
2727 s = ++ss;
2728 else
2729 {
2730 uschar *t = ss + 1;
2731 uschar *tt = NULL;
2732 while (--t > s + 35)
2733 {
2734 if (*t == ' ')
2735 {
2736 if (t[-1] == ':') { tt = t; break; }
2737 if (tt == NULL) tt = t;
2738 }
2739 }
2740
2741 if (tt == NULL) /* Can't split behind - try ahead */
2742 {
2743 t = ss + 1;
2744 while (*t != 0)
2745 {
2746 if (*t == ' ' || *t == '\n')
2747 { tt = t; break; }
2748 t++;
2749 }
2750 }
2751
2752 if (tt == NULL) break; /* Can't find anywhere to split */
2753 *tt = '\n';
2754 s = ss = tt+1;
2755 }
2756 }
2757 }
2758
2759 return rc;
2760 }
2761
2762 /* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.