Implemented control=allow_auth_unadvertised.

[exim.git] / src / src / acl.c

diff --git a/src/src/acl.c b/src/src/acl.c
index f4788d19e55b94a8c575c688f96530a6900391e1..2a7b5afe8c836d03bd5a887679a29189534c2be6 100644 (file)
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -1,10 +1,10 @@
-/* $Cambridge: exim/src/src/acl.c,v 1.43 2005/08/02 15:19:20 ph10 Exp $ */
+/* $Cambridge: exim/src/src/acl.c,v 1.56 2006/03/02 12:25:48 ph10 Exp $ */
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
-/* Copyright (c) University of Cambridge 1995 - 2005 */
+/* Copyright (c) University of Cambridge 1995 - 2006 */
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* Code for handling Access Control Lists (ACLs) */
@@ -132,36 +132,57 @@ static uschar *conditions[] = {
 that follows! */
 
 enum {
-#ifdef EXPERIMENTAL_BRIGHTMAIL
+  CONTROL_AUTH_UNADVERTISED,
+  #ifdef EXPERIMENTAL_BRIGHTMAIL
   CONTROL_BMI_RUN,
-#endif
-#ifdef EXPERIMENTAL_DOMAINKEYS
+  #endif
+  #ifdef EXPERIMENTAL_DOMAINKEYS
   CONTROL_DK_VERIFY,
-#endif
-  CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
-  CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
-  CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
-#ifdef WITH_CONTENT_SCAN
+  #endif
+  CONTROL_ERROR,
+  CONTROL_CASEFUL_LOCAL_PART,
+  CONTROL_CASELOWER_LOCAL_PART,
+  CONTROL_ENFORCE_SYNC,
+  CONTROL_NO_ENFORCE_SYNC,
+  CONTROL_FREEZE,
+  CONTROL_QUEUE_ONLY,
+  CONTROL_SUBMISSION,
+  CONTROL_SUPPRESS_LOCAL_FIXUPS,
+  #ifdef WITH_CONTENT_SCAN
   CONTROL_NO_MBOX_UNSPOOL,
-#endif
-  CONTROL_FAKEDEFER, CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
+  #endif
+  CONTROL_FAKEDEFER,
+  CONTROL_FAKEREJECT,
+  CONTROL_NO_MULTILINE
+};
 
-/* ACL control names; keep in step with the table above! */
+/* ACL control names; keep in step with the table above! This list is used for
+turning ids into names. The actual list of recognized names is in the variable
+control_def controls_list[] below. The fact that there are two lists is a mess
+and should be tidied up. */
 
 static uschar *controls[] = {
+  US"allow_auth_unadvertised",
   #ifdef EXPERIMENTAL_BRIGHTMAIL
   US"bmi_run",
   #endif
   #ifdef EXPERIMENTAL_DOMAINKEYS
   US"dk_verify",
   #endif
-  US"error", US"caseful_local_part",
-  US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
-  US"queue_only", US"submission",
+  US"error",
+  US"caseful_local_part",
+  US"caselower_local_part",
+  US"enforce_sync",
+  US"no_enforce_sync",
+  US"freeze",
+  US"queue_only",
+  US"submission",
+  US"suppress_local_fixups",
   #ifdef WITH_CONTENT_SCAN
   US"no_mbox_unspool",
   #endif
-  US"no_multiline"};
+  US"no_multiline"
+};
 
 /* Flags to indicate for which conditions /modifiers a string expansion is done
 at the outer level. In the other cases, expansion already occurs in the
@@ -449,12 +470,16 @@ each control, there's a bitmap of dis-allowed times. For some, it is easier to
 specify the negation of a small number of allowed times. */
 
 static unsigned int control_forbids[] = {
-#ifdef EXPERIMENTAL_BRIGHTMAIL
+  (unsigned int)
+  ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)),   /* allow_auth_unadvertised */
+
+  #ifdef EXPERIMENTAL_BRIGHTMAIL
   0,                                               /* bmi_run */
-#endif
-#ifdef EXPERIMENTAL_DOMAINKEYS
+  #endif
+
+  #ifdef EXPERIMENTAL_DOMAINKEYS
   (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),      /* dk_verify */
-#endif
+  #endif
 
   0,                                               /* error */
 
@@ -482,12 +507,16 @@ static unsigned int control_forbids[] = {
   ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|       /* submission */
     (1<<ACL_WHERE_PREDATA)),
 
-#ifdef WITH_CONTENT_SCAN
+  (unsigned int)
+  ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|       /* suppress_local_fixups */
+    (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_PREDATA)),
+
+  #ifdef WITH_CONTENT_SCAN
   (unsigned int)
   ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|       /* no_mbox_unspool */
     (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
     (1<<ACL_WHERE_MIME)),
-#endif
+  #endif
 
   (unsigned int)
   ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|       /* fakedefer */
@@ -511,25 +540,27 @@ typedef struct control_def {
 } control_def;
 
 static control_def controls_list[] = {
+  { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
 #ifdef EXPERIMENTAL_BRIGHTMAIL
-  { US"bmi_run",                CONTROL_BMI_RUN, FALSE},
+  { US"bmi_run",                 CONTROL_BMI_RUN, FALSE },
 #endif
 #ifdef EXPERIMENTAL_DOMAINKEYS
-  { US"dk_verify",              CONTROL_DK_VERIFY, FALSE},
-#endif
-  { US"caseful_local_part",     CONTROL_CASEFUL_LOCAL_PART, FALSE},
-  { US"caselower_local_part",   CONTROL_CASELOWER_LOCAL_PART, FALSE},
-  { US"enforce_sync",           CONTROL_ENFORCE_SYNC, FALSE},
-  { US"freeze",                 CONTROL_FREEZE, FALSE},
-  { US"no_enforce_sync",        CONTROL_NO_ENFORCE_SYNC, FALSE},
-  { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
-  { US"queue_only",             CONTROL_QUEUE_ONLY, FALSE},
+  { US"dk_verify",               CONTROL_DK_VERIFY, FALSE },
+#endif
+  { US"caseful_local_part",      CONTROL_CASEFUL_LOCAL_PART, FALSE },
+  { US"caselower_local_part",    CONTROL_CASELOWER_LOCAL_PART, FALSE },
+  { US"enforce_sync",            CONTROL_ENFORCE_SYNC, FALSE },
+  { US"freeze",                  CONTROL_FREEZE, TRUE },
+  { US"no_enforce_sync",         CONTROL_NO_ENFORCE_SYNC, FALSE },
+  { US"no_multiline_responses",  CONTROL_NO_MULTILINE, FALSE },
+  { US"queue_only",              CONTROL_QUEUE_ONLY, FALSE },
 #ifdef WITH_CONTENT_SCAN
-  { US"no_mbox_unspool",        CONTROL_NO_MBOX_UNSPOOL, FALSE},
+  { US"no_mbox_unspool",         CONTROL_NO_MBOX_UNSPOOL, FALSE },
 #endif
-  { US"fakedefer",              CONTROL_FAKEDEFER, TRUE},
-  { US"fakereject",             CONTROL_FAKEREJECT, TRUE},
-  { US"submission",             CONTROL_SUBMISSION, TRUE}
+  { US"fakedefer",               CONTROL_FAKEDEFER, TRUE },
+  { US"fakereject",              CONTROL_FAKEREJECT, TRUE },
+  { US"submission",              CONTROL_SUBMISSION, TRUE },
+  { US"suppress_local_fixups",   CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
   };
 
 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
@@ -743,17 +774,33 @@ while ((s = (*func)()) != NULL)
 
   if (c == ACLC_SET)
     {
-    if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
-        !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
+    int offset, max, n;
+    uschar *endptr;
+
+    if (Ustrncmp(s, "acl_", 4) != 0) goto BAD_ACL_VAR;
+    if (s[4] == 'c')
+      {
+      offset = 0;
+      max = ACL_CVARS;
+      }
+    else if (s[4] == 'm')
       {
-      *error = string_sprintf("unrecognized name after \"set\" in ACL "
-        "modifier \"set %s\"", s);
+      offset = ACL_CVARS;
+      max = ACL_MVARS;
+      }
+    else goto BAD_ACL_VAR;
+
+    n = Ustrtoul(s + 5, &endptr, 10);
+    if ((*endptr != 0 && *endptr != '=' && !isspace(*endptr)) || n >= max)
+      {
+      BAD_ACL_VAR:
+      *error = string_sprintf("syntax error or unrecognized name after "
+        "\"set\" in ACL modifier \"set %s\"", s);
       return NULL;
       }
 
-    cond->u.varnumber = s[5] - '0';
-    if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
-    s += 6;
+    cond->u.varnumber = n + offset;
+    s = endptr;
     while (isspace(*s)) s++;
     }
 
@@ -1137,7 +1184,7 @@ not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
 address literals, but it's probably the most friendly thing to do. This is an
 extension to CSA, so we allow it to be turned off for proper conformance. */
 
-if (string_is_ip_address(domain, NULL))
+if (string_is_ip_address(domain, NULL) != 0)
   {
   if (!dns_csa_use_reverse) return CSA_UNKNOWN;
   dns_build_reverse(domain, target);
@@ -1382,10 +1429,8 @@ occurred earlier. If not, we can attempt the verification now. */
 if (strcmpic(ss, US"helo") == 0)
   {
   if (slash != NULL) goto NO_OPTIONS;
-  if (helo_verified) return OK;
-  if (helo_verify_failed) return FAIL;
-  if (smtp_verify_helo()) return helo_verified? OK : FAIL;
-  return DEFER;
+  if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
+  return helo_verified? OK : FAIL;
   }
 
 /* Do Client SMTP Authorization checks in a separate function, and turn the
@@ -1409,18 +1454,29 @@ always). */
 if (strcmpic(ss, US"header_syntax") == 0)
   {
   if (slash != NULL) goto NO_OPTIONS;
-  if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
-    {
-    *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
-      "(only possible in ACL for DATA)", acl_wherenames[where]);
-    return ERROR;
-    }
+  if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
   rc = verify_check_headers(log_msgptr);
   if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
     *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
   return rc;
   }
 
+/* Check that no recipient of this message is "blind", that is, every envelope
+recipient must be mentioned in either To: or Cc:. */
+
+if (strcmpic(ss, US"not_blind") == 0)
+  {
+  if (slash != NULL) goto NO_OPTIONS;
+  if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
+  rc = verify_check_notblind();
+  if (rc != OK)
+    {
+    *log_msgptr = string_sprintf("bcc recipient detected");
+    if (smtp_return_error_details)
+      *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
+    }
+  return rc;
+  }
 
 /* The remaining verification tests check recipient and sender addresses,
 either from the envelope or from the header. There are a number of
@@ -1433,12 +1489,7 @@ sender and recipient. */
 
 if (strcmpic(ss, US"header_sender") == 0)
   {
-  if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
-    {
-    *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
-      "(only possible in ACL for DATA)", acl_wherenames[where]);
-    return ERROR;
-    }
+  if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
   verify_header_sender = TRUE;
   }
 
@@ -1875,6 +1926,13 @@ NO_OPTIONS:
 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
   "(this verify item has no options)", arg);
 return ERROR;
+
+/* Calls in the wrong ACL come here */
+
+WRONG_ACL:
+*log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
+  "(only possible in ACL for DATA)", acl_wherenames[where]);
+return ERROR;
 }
 
 
@@ -2142,16 +2200,16 @@ else
                    + (double)tv.tv_usec / 1000000.0;
   double prev_time = (double)dbd->time_stamp
                    + (double)dbd->time_usec / 1000000.0;
-  double interval = this_time - prev_time;
-
-  double i_over_p = interval / period;
-  double a = exp(-i_over_p);
 
   /* We must avoid division by zero, and deal gracefully with the clock going
   backwards. If we blunder ahead when time is in reverse then the computed
-  rate will become bogusly huge. Clamp i/p to a very small number instead. */
+  rate will be bogus. To be safe we clamp interval to a very small number. */
+
+  double interval = this_time - prev_time <= 0.0 ? 1e-9
+                  : this_time - prev_time;
 
-  if (i_over_p <= 0.0) i_over_p = 1e-9;
+  double i_over_p = interval / period;
+  double a = exp(-i_over_p);
 
   dbd->time_stamp = tv.tv_sec;
   dbd->time_usec = tv.tv_usec;
@@ -2309,8 +2367,8 @@ for (; cb != NULL; cb = cb->next)
     if (cb->type == ACLC_SET)
       {
       int n = cb->u.varnumber;
-      int t = (n < ACL_C_MAX)? 'c' : 'm';
-      if (n >= ACL_C_MAX) n -= ACL_C_MAX;
+      int t = (n < ACL_CVARS)? 'c' : 'm';
+      if (n >= ACL_CVARS) n -= ACL_CVARS;
       debug_printf("acl_%c%d ", t, n);
       lhswidth += 7;
       }
@@ -2339,7 +2397,7 @@ for (; cb != NULL; cb = cb->next)
     {
     /* A nested ACL that returns "discard" makes sense only for an "accept" or
     "discard" verb. */
-
+\
     case ACLC_ACL:
     rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
     if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
@@ -2394,16 +2452,22 @@ for (; cb != NULL; cb = cb->next)
 
     switch(control_type)
       {
-#ifdef EXPERIMENTAL_BRIGHTMAIL
+      case CONTROL_AUTH_UNADVERTISED:
+      allow_auth_unadvertised = TRUE;
+      break;
+
+      #ifdef EXPERIMENTAL_BRIGHTMAIL
       case CONTROL_BMI_RUN:
       bmi_run = 1;
       break;
-#endif
-#ifdef EXPERIMENTAL_DOMAINKEYS
+      #endif
+
+      #ifdef EXPERIMENTAL_DOMAINKEYS
       case CONTROL_DK_VERIFY:
       dk_do_verify = 1;
       break;
-#endif
+      #endif
+
       case CONTROL_ERROR:
       return ERROR;
 
@@ -2423,11 +2487,11 @@ for (; cb != NULL; cb = cb->next)
       smtp_enforce_sync = FALSE;
       break;
 
-#ifdef WITH_CONTENT_SCAN
+      #ifdef WITH_CONTENT_SCAN
       case CONTROL_NO_MBOX_UNSPOOL:
       no_mbox_unspool = TRUE;
       break;
-#endif
+      #endif
 
       case CONTROL_NO_MULTILINE:
       no_multiline_responses = TRUE;
@@ -2453,6 +2517,17 @@ for (; cb != NULL; cb = cb->next)
       case CONTROL_FREEZE:
       deliver_freeze = TRUE;
       deliver_frozen_at = time(NULL);
+      freeze_tell = freeze_tell_config;       /* Reset to configured value */
+      if (Ustrncmp(p, "/no_tell", 8) == 0)
+        {
+        p += 8;
+        freeze_tell = NULL;
+        }
+      if (*p != 0)
+        {
+        *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
+        return ERROR;
+        }
       break;
 
       case CONTROL_QUEUE_ONLY:
@@ -2477,11 +2552,13 @@ for (; cb != NULL; cb = cb->next)
           submission_domain = string_copyn(p+8, pp-p-8);
           p = pp;
           }
+        /* The name= option must be last, because it swallows the rest of
+        the string. */
         else if (Ustrncmp(p, "/name=", 6) == 0)
           {
           uschar *pp = p + 6;
-          while (*pp != 0 && *pp != '/') pp++;
-          originator_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
+          while (*pp != 0) pp++;
+          submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
             big_buffer, big_buffer_size));
           p = pp;
           }
@@ -2493,6 +2570,10 @@ for (; cb != NULL; cb = cb->next)
         return ERROR;
         }
       break;
+
+      case CONTROL_SUPPRESS_LOCAL_FIXUPS:
+      suppress_local_fixups = TRUE;
+      break;
       }
     break;
 
@@ -2776,7 +2857,7 @@ for (; cb != NULL; cb = cb->next)
     case ACLC_SET:
       {
       int old_pool = store_pool;
-      if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
+      if (cb->u.varnumber < ACL_CVARS) store_pool = POOL_PERM;
       acl_var[cb->u.varnumber] = string_copy(arg);
       store_pool = old_pool;
       }
@@ -3295,7 +3376,7 @@ while (acl != NULL)
     case ACL_WARN:
     if (cond == OK)
       acl_warn(where, *user_msgptr, *log_msgptr);
-    else if (cond == DEFER)
+    else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
       log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
         "condition test deferred%s%s", host_and_ident(TRUE),
         (*log_msgptr == NULL)? US"" : US": ",
@@ -3331,7 +3412,7 @@ acl_check_internal() to do the actual work.
 
 Arguments:
   where        ACL_WHERE_xxxx indicating where called from
-  data_string  RCPT address, or SMTP command argument, or NULL
+  recipient    RCPT address for RCPT check, else NULL
   s            the input string; NULL is the same as an empty ACL => DENY
   user_msgptr  where to put a user error (for SMTP response)
   log_msgptr   where to put a logging message (not for SMTP response)
@@ -3345,12 +3426,12 @@ Returns:       OK         access is granted by an ACCEPT verb
 */
 
 int
-acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
+acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
   uschar **log_msgptr)
 {
 int rc;
 address_item adb;
-address_item *addr;
+address_item *addr = NULL;
 
 *user_msgptr = *log_msgptr = NULL;
 sender_verified_failed = NULL;
@@ -3360,7 +3441,7 @@ if (where == ACL_WHERE_RCPT)
   {
   adb = address_defaults;
   addr = &adb;
-  addr->address = data_string;
+  addr->address = recipient;
   if (deliver_split_address(addr) == DEFER)
     {
     *log_msgptr = US"defer in percent_hack_domains check";
@@ -3369,16 +3450,11 @@ if (where == ACL_WHERE_RCPT)
   deliver_domain = addr->domain;
   deliver_localpart = addr->local_part;
   }
-else
-  {
-  addr = NULL;
-  smtp_command_argument = data_string;
-  }
 
 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
 
-smtp_command_argument = deliver_domain =
-  deliver_localpart = deliver_address_data = sender_address_data = NULL;
+deliver_domain = deliver_localpart = deliver_address_data =
+  sender_address_data = NULL;
 
 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
 ACL, which is really in the middle of an SMTP command. */