1 /* $Cambridge: exim/src/src/acl.c,v 1.25 2005/03/15 15:36:41 ph10 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the condition for which "message" is used */
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
34 /* ACL condition and modifier codes - keep in step with the table that
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
46 #ifdef WITH_OLD_DEMIME
49 #ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59 #ifdef WITH_CONTENT_SCAN
63 #ifdef WITH_CONTENT_SCAN
67 #ifdef WITH_CONTENT_SCAN
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71 #ifdef WITH_CONTENT_SCAN
74 #ifdef EXPERIMENTAL_SPF
79 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80 "log_message", "logwrite", and "set" are modifiers that look like conditions
81 but always return TRUE. They are used for their side effects. */
83 static uschar *conditions[] = { US"acl", US"authenticated",
84 #ifdef EXPERIMENTAL_BRIGHTMAIL
89 #ifdef WITH_CONTENT_SCAN
93 #ifdef WITH_OLD_DEMIME
96 #ifdef EXPERIMENTAL_DOMAINKEYS
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
104 US"dnslists", US"domains", US"encrypted",
105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
106 #ifdef WITH_CONTENT_SCAN
110 #ifdef WITH_CONTENT_SCAN
114 #ifdef WITH_CONTENT_SCAN
117 US"sender_domains", US"senders", US"set",
118 #ifdef WITH_CONTENT_SCAN
121 #ifdef EXPERIMENTAL_SPF
126 /* ACL control names */
128 static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
130 US"queue_only", US"submission", US"no_multiline"};
132 /* Flags to indicate for which conditions /modifiers a string expansion is done
133 at the outer level. In the other cases, expansion already occurs in the
134 checking functions. */
136 static uschar cond_expand_at_top[] = {
138 FALSE, /* authenticated */
139 #ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
142 TRUE, /* condition */
144 #ifdef WITH_CONTENT_SCAN
148 #ifdef WITH_OLD_DEMIME
151 #ifdef EXPERIMENTAL_DOMAINKEYS
152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
155 TRUE, /* dk_sender_local_parts */
156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
161 FALSE, /* encrypted */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
167 #ifdef WITH_CONTENT_SCAN
171 #ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
174 FALSE, /* recipients */
175 #ifdef WITH_CONTENT_SCAN
178 FALSE, /* sender_domains */
181 #ifdef WITH_CONTENT_SCAN
184 #ifdef EXPERIMENTAL_SPF
190 /* Flags to identify the modifiers */
192 static uschar cond_modifiers[] = {
194 FALSE, /* authenticated */
195 #ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
198 FALSE, /* condition */
200 #ifdef WITH_CONTENT_SCAN
204 #ifdef WITH_OLD_DEMIME
207 #ifdef EXPERIMENTAL_DOMAINKEYS
208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
211 FALSE, /* dk_sender_local_parts */
212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
215 FALSE, /* dnslists */
217 FALSE, /* encrypted */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
223 #ifdef WITH_CONTENT_SCAN
227 #ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
230 FALSE, /* recipients */
231 #ifdef WITH_CONTENT_SCAN
234 FALSE, /* sender_domains */
237 #ifdef WITH_CONTENT_SCAN
240 #ifdef EXPERIMENTAL_SPF
246 /* Bit map vector of which conditions are not allowed at certain times. For
247 each condition, there's a bitmap of dis-allowed times. */
249 static unsigned int cond_forbids[] = {
252 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
255 #ifdef EXPERIMENTAL_BRIGHTMAIL
256 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
257 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
258 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
259 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
260 (1<<ACL_WHERE_MAILAUTH)|
261 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
262 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
267 /* Certain types of control are always allowed, so we let it through
268 always and check in the control processing itself */
272 #ifdef WITH_CONTENT_SCAN
273 (1<<ACL_WHERE_AUTH)| /* decode */
274 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
275 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
276 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
277 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
278 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
279 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
284 #ifdef WITH_OLD_DEMIME
285 (1<<ACL_WHERE_AUTH)| /* demime */
286 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
287 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
288 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
289 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
290 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
291 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
294 #ifdef EXPERIMENTAL_DOMAINKEYS
295 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
296 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
297 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
298 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
299 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
300 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
303 (1<<ACL_WHERE_AUTH)| /* dk_policy */
304 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
305 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
306 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
307 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
308 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
311 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
312 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
313 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
314 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
315 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
316 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
319 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
320 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
321 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
322 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
323 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
324 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
327 (1<<ACL_WHERE_AUTH)| /* dk_senders */
328 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
329 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
330 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
331 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
332 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
335 (1<<ACL_WHERE_AUTH)| /* dk_status */
336 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
337 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
338 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
339 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
340 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
344 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
346 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
347 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
348 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
349 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
350 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
351 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
354 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
359 (1<<ACL_WHERE_NOTSMTP), /* hosts */
361 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
362 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
363 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
364 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
365 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
366 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
373 #ifdef WITH_CONTENT_SCAN
374 (1<<ACL_WHERE_AUTH)| /* malware */
375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
378 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
385 #ifdef WITH_CONTENT_SCAN
386 (1<<ACL_WHERE_AUTH)| /* mime_regex */
387 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
388 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
389 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
390 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
391 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
392 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
395 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
396 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
400 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
403 #ifdef WITH_CONTENT_SCAN
404 (1<<ACL_WHERE_AUTH)| /* regex */
405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
406 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
407 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
408 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
409 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
413 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
415 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
416 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
417 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
419 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
421 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
422 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
423 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
427 #ifdef WITH_CONTENT_SCAN
428 (1<<ACL_WHERE_AUTH)| /* spam */
429 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
430 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
431 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
432 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
433 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
434 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
437 #ifdef EXPERIMENTAL_SPF
438 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
440 (1<<ACL_WHERE_MAILAUTH)|
441 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
442 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
445 /* Certain types of verify are always allowed, so we let it through
446 always and check in the verify function itself */
452 /* Return values from decode_control() */
455 #ifdef EXPERIMENTAL_BRIGHTMAIL
458 #ifdef EXPERIMENTAL_DOMAINKEYS
461 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
462 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
463 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
464 #ifdef WITH_CONTENT_SCAN
465 CONTROL_NO_MBOX_UNSPOOL,
467 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
469 /* Bit map vector of which controls are not allowed at certain times. For
470 each control, there's a bitmap of dis-allowed times. For some, it is easier to
471 specify the negation of a small number of allowed times. */
473 static unsigned int control_forbids[] = {
474 #ifdef EXPERIMENTAL_BRIGHTMAIL
477 #ifdef EXPERIMENTAL_DOMAINKEYS
478 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
484 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
487 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
489 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
491 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
494 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
495 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
496 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
499 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
500 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
501 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
504 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
505 (1<<ACL_WHERE_PREDATA)),
507 #ifdef WITH_CONTENT_SCAN
509 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
510 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
511 (1<<ACL_WHERE_MIME)),
515 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
516 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
517 (1<<ACL_WHERE_MIME)),
519 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
522 /* Structure listing various control arguments, with their characteristics. */
524 typedef struct control_def {
526 int value; /* CONTROL_xxx value */
527 BOOL has_option; /* Has /option(s) following */
530 static control_def controls_list[] = {
531 #ifdef EXPERIMENTAL_BRIGHTMAIL
532 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
534 #ifdef EXPERIMENTAL_DOMAINKEYS
535 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
537 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
538 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
539 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
540 { US"freeze", CONTROL_FREEZE, FALSE},
541 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
542 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
543 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
544 #ifdef WITH_CONTENT_SCAN
545 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
547 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
548 { US"submission", CONTROL_SUBMISSION, TRUE}
551 /* Enable recursion between acl_check_internal() and acl_check_condition() */
553 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
557 /*************************************************
558 * Pick out name from list *
559 *************************************************/
561 /* Use a binary chop method
568 Returns: offset in list, or -1 if not found
572 acl_checkname(uschar *name, uschar **list, int end)
578 int mid = (start + end)/2;
579 int c = Ustrcmp(name, list[mid]);
580 if (c == 0) return mid;
581 if (c < 0) end = mid; else start = mid + 1;
588 /*************************************************
589 * Read and parse one ACL *
590 *************************************************/
592 /* This function is called both from readconf in order to parse the ACLs in the
593 configuration file, and also when an ACL is encountered dynamically (e.g. as
594 the result of an expansion). It is given a function to call in order to
595 retrieve the lines of the ACL. This function handles skipping comments and
596 blank lines (where relevant).
599 func function to get next line of ACL
600 error where to put an error message
602 Returns: pointer to ACL, or NULL
603 NULL can be legal (empty ACL); in this case error will be NULL
607 acl_read(uschar *(*func)(void), uschar **error)
609 acl_block *yield = NULL;
610 acl_block **lastp = &yield;
611 acl_block *this = NULL;
612 acl_condition_block *cond;
613 acl_condition_block **condp = NULL;
618 while ((s = (*func)()) != NULL)
621 BOOL negated = FALSE;
622 uschar *saveline = s;
625 /* Conditions (but not verbs) are allowed to be negated by an initial
628 while (isspace(*s)) s++;
635 /* Read the name of a verb or a condition, or the start of a new ACL */
637 s = readconf_readname(name, sizeof(name), s);
640 if (negated || name[0] == 0)
642 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
648 /* If a verb is unrecognized, it may be another condition or modifier that
649 continues the previous verb. */
651 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
656 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
667 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
670 this = store_get(sizeof(acl_block));
672 lastp = &(this->next);
675 this->condition = NULL;
676 condp = &(this->condition);
677 if (*s == 0) continue; /* No condition on this line */
683 s = readconf_readname(name, sizeof(name), s); /* Condition name */
686 /* Handle a condition or modifier. */
688 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
691 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
696 /* The modifiers may not be negated */
698 if (negated && cond_modifiers[c])
700 *error = string_sprintf("ACL error: negation is not allowed with "
701 "\"%s\"", conditions[c]);
705 /* ENDPASS may occur only with ACCEPT or DISCARD. */
707 if (c == ACLC_ENDPASS &&
708 this->verb != ACL_ACCEPT &&
709 this->verb != ACL_DISCARD)
711 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
712 conditions[c], verbs[this->verb]);
716 cond = store_get(sizeof(acl_condition_block));
719 cond->u.negated = negated;
722 condp = &(cond->next);
724 /* The "set" modifier is different in that its argument is "name=value"
725 rather than just a value, and we can check the validity of the name, which
726 gives us a variable number to insert into the data block. */
730 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
731 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
733 *error = string_sprintf("unrecognized name after \"set\" in ACL "
734 "modifier \"set %s\"", s);
738 cond->u.varnumber = s[5] - '0';
739 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
741 while (isspace(*s)) s++;
744 /* For "set", we are now positioned for the data. For the others, only
745 "endpass" has no data */
747 if (c != ACLC_ENDPASS)
751 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
752 cond_modifiers[c]? US"modifier" : US"condition");
755 while (isspace(*s)) s++;
756 cond->arg = string_copy(s);
765 /*************************************************
767 *************************************************/
769 /* This function is called when a WARN verb's conditions are true. It adds to
770 the message's headers, and/or writes information to the log. In each case, this
771 only happens once (per message for headers, per connection for log).
774 where ACL_WHERE_xxxx indicating which ACL this is
775 user_message message for adding to headers
776 log_message message for logging, if different
782 acl_warn(int where, uschar *user_message, uschar *log_message)
786 if (log_message != NULL && log_message != user_message)
791 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
792 string_printing(log_message));
794 /* If a sender verification has failed, and the log message is "sender verify
795 failed", add the failure message. */
797 if (sender_verified_failed != NULL &&
798 sender_verified_failed->message != NULL &&
799 strcmpic(log_message, US"sender verify failed") == 0)
800 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
802 /* Search previously logged warnings. They are kept in malloc store so they
803 can be freed at the start of a new message. */
805 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
806 if (Ustrcmp(logged->text, text) == 0) break;
810 int length = Ustrlen(text) + 1;
811 log_write(0, LOG_MAIN, "%s", text);
812 logged = store_malloc(sizeof(string_item) + length);
813 logged->text = (uschar *)logged + sizeof(string_item);
814 memcpy(logged->text, text, length);
815 logged->next = acl_warn_logged;
816 acl_warn_logged = logged;
820 /* If there's no user message, we are done. */
822 if (user_message == NULL) return;
824 /* If this isn't a message ACL, we can't do anything with a user message.
827 if (where > ACL_WHERE_NOTSMTP)
829 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
830 "found in a non-message (%s) ACL: cannot specify header lines here: "
831 "message ignored", acl_wherenames[where]);
835 /* Treat the user message as a sequence of one or more header lines. */
837 hlen = Ustrlen(user_message);
840 uschar *text, *p, *q;
842 /* Add a final newline if not present */
844 text = ((user_message)[hlen-1] == '\n')? user_message :
845 string_sprintf("%s\n", user_message);
847 /* Loop for multiple header lines, taking care about continuations */
849 for (p = q = text; *p != 0; )
852 int newtype = htype_add_bot;
853 header_line **hptr = &acl_warn_headers;
855 /* Find next header line within the string */
859 q = Ustrchr(q, '\n');
860 if (*(++q) != ' ' && *q != '\t') break;
863 /* If the line starts with a colon, interpret the instruction for where to
864 add it. This temporarily sets up a new type. */
868 if (strncmpic(p, US":after_received:", 16) == 0)
870 newtype = htype_add_rec;
873 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
875 newtype = htype_add_rfc;
878 else if (strncmpic(p, US":at_start:", 10) == 0)
880 newtype = htype_add_top;
883 else if (strncmpic(p, US":at_end:", 8) == 0)
885 newtype = htype_add_bot;
888 while (*p == ' ' || *p == '\t') p++;
891 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
892 to the front of it. */
894 for (s = p; s < q - 1; s++)
896 if (*s == ':' || !isgraph(*s)) break;
899 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
902 /* See if this line has already been added */
904 while (*hptr != NULL)
906 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
907 hptr = &((*hptr)->next);
910 /* Add if not previously present */
914 header_line *h = store_get(sizeof(header_line));
923 /* Advance for next header line within the string */
932 /*************************************************
933 * Verify and check reverse DNS *
934 *************************************************/
936 /* Called from acl_verify() below. We look up the host name(s) of the client IP
937 address if this has not yet been done. The host_name_lookup() function checks
938 that one of these names resolves to an address list that contains the client IP
939 address, so we don't actually have to do the check here.
942 user_msgptr pointer for user message
943 log_msgptr pointer for log message
945 Returns: OK verification condition succeeded
946 FAIL verification failed
947 DEFER there was a problem verifying
951 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
955 user_msgptr = user_msgptr; /* stop compiler warning */
957 /* Previous success */
959 if (sender_host_name != NULL) return OK;
961 /* Previous failure */
963 if (host_lookup_failed)
965 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
969 /* Need to do a lookup */
972 debug_printf("looking up host name to force name/address consistency check\n");
974 if ((rc = host_name_lookup()) != OK)
976 *log_msgptr = (rc == DEFER)?
977 US"host lookup deferred for reverse lookup check"
979 string_sprintf("host lookup failed for reverse lookup check%s",
981 return rc; /* DEFER or FAIL */
984 host_build_sender_fullhost();
990 /*************************************************
991 * Handle verification (address & other) *
992 *************************************************/
994 /* This function implements the "verify" condition. It is called when
995 encountered in any ACL, because some tests are almost always permitted. Some
996 just don't make sense, and always fail (for example, an attempt to test a host
997 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1000 where where called from
1001 addr the recipient address that the ACL is handling, or NULL
1002 arg the argument of "verify"
1003 user_msgptr pointer for user message
1004 log_msgptr pointer for log message
1005 basic_errno where to put verify errno
1007 Returns: OK verification condition succeeded
1008 FAIL verification failed
1009 DEFER there was a problem verifying
1014 acl_verify(int where, address_item *addr, uschar *arg,
1015 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1019 int callout_overall = -1;
1020 int callout_connect = -1;
1021 int verify_options = 0;
1023 BOOL verify_header_sender = FALSE;
1024 BOOL defer_ok = FALSE;
1025 BOOL callout_defer_ok = FALSE;
1026 BOOL no_details = FALSE;
1027 address_item *sender_vaddr = NULL;
1028 uschar *verify_sender_address = NULL;
1029 uschar *pm_mailfrom = NULL;
1030 uschar *se_mailfrom = NULL;
1032 /* Some of the verify items have slash-separated options; some do not. Diagnose
1033 an error if options are given for items that don't expect them. This code has
1034 now got very message. Refactoring to use a table would be a good idea one day.
1037 uschar *slash = Ustrchr(arg, '/');
1039 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1041 if (ss == NULL) goto BAD_VERIFY;
1043 /* Handle name/address consistency verification in a separate function. */
1045 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1047 if (slash != NULL) goto NO_OPTIONS;
1048 if (sender_host_address == NULL) return OK;
1049 return acl_verify_reverse(user_msgptr, log_msgptr);
1052 /* TLS certificate verification is done at STARTTLS time; here we just
1053 test whether it was successful or not. (This is for optional verification; for
1054 mandatory verification, the connection doesn't last this long.) */
1056 if (strcmpic(ss, US"certificate") == 0)
1058 if (slash != NULL) goto NO_OPTIONS;
1059 if (tls_certificate_verified) return OK;
1060 *user_msgptr = US"no verified certificate";
1064 /* We can test the result of optional HELO verification */
1066 if (strcmpic(ss, US"helo") == 0)
1068 if (slash != NULL) goto NO_OPTIONS;
1069 return helo_verified? OK : FAIL;
1072 /* Check that all relevant header lines have the correct syntax. If there is
1073 a syntax error, we return details of the error to the sender if configured to
1074 send out full details. (But a "message" setting on the ACL can override, as
1077 if (strcmpic(ss, US"header_syntax") == 0)
1079 if (slash != NULL) goto NO_OPTIONS;
1080 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1082 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1083 "(only possible in ACL for DATA)", acl_wherenames[where]);
1086 rc = verify_check_headers(log_msgptr);
1087 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1088 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1093 /* The remaining verification tests check recipient and sender addresses,
1094 either from the envelope or from the header. There are a number of
1095 slash-separated options that are common to all of them. */
1098 /* Check that there is at least one verifiable sender address in the relevant
1099 header lines. This can be followed by callout and defer options, just like
1100 sender and recipient. */
1102 if (strcmpic(ss, US"header_sender") == 0)
1104 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1106 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1107 "(only possible in ACL for DATA)", acl_wherenames[where]);
1110 verify_header_sender = TRUE;
1113 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1114 In the case of a sender, this can optionally be followed by an address to use
1115 in place of the actual sender (rare special-case requirement). */
1117 else if (strncmpic(ss, US"sender", 6) == 0)
1120 if (where > ACL_WHERE_NOTSMTP)
1122 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1123 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1124 acl_wherenames[where]);
1128 verify_sender_address = sender_address;
1131 while (isspace(*s)) s++;
1132 if (*s++ != '=') goto BAD_VERIFY;
1133 while (isspace(*s)) s++;
1134 verify_sender_address = string_copy(s);
1139 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1142 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1143 "(only possible for RCPT)", acl_wherenames[where]);
1148 /* Remaining items are optional; they apply to sender and recipient
1149 verification, including "header sender" verification. */
1151 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1154 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1155 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1157 /* These two old options are left for backwards compatibility */
1159 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1161 callout_defer_ok = TRUE;
1162 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1165 else if (strcmpic(ss, US"check_postmaster") == 0)
1168 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1171 /* The callout option has a number of sub-options, comma separated */
1173 else if (strncmpic(ss, US"callout", 7) == 0)
1175 callout = CALLOUT_TIMEOUT_DEFAULT;
1179 while (isspace(*ss)) ss++;
1185 while (isspace(*ss)) ss++;
1187 /* This callout option handling code has become a mess as new options
1188 have been added in an ad hoc manner. It should be tidied up into some
1189 kind of table-driven thing. */
1191 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1194 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1195 else if (strcmpic(opt, US"no_cache") == 0)
1196 verify_options |= vopt_callout_no_cache;
1197 else if (strcmpic(opt, US"random") == 0)
1198 verify_options |= vopt_callout_random;
1199 else if (strcmpic(opt, US"use_sender") == 0)
1200 verify_options |= vopt_callout_recipsender;
1201 else if (strcmpic(opt, US"use_postmaster") == 0)
1202 verify_options |= vopt_callout_recippmaster;
1203 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1205 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1207 if (!verify_header_sender)
1209 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1210 "callout option only for verify=header_sender (detected in ACL "
1211 "condition \"%s\")", arg);
1215 while (isspace(*opt)) opt++;
1218 *log_msgptr = string_sprintf("'=' expected after "
1219 "\"mailfrom\" in ACL condition \"%s\"", arg);
1222 while (isspace(*opt)) opt++;
1223 se_mailfrom = string_copy(opt);
1226 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1229 while (isspace(*opt)) opt++;
1232 *log_msgptr = string_sprintf("'=' expected after "
1233 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1236 while (isspace(*opt)) opt++;
1237 pm_mailfrom = string_copy(opt);
1240 else if (strncmpic(opt, US"maxwait", 7) == 0)
1243 while (isspace(*opt)) opt++;
1246 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1247 "ACL condition \"%s\"", arg);
1250 while (isspace(*opt)) opt++;
1251 callout_overall = readconf_readtime(opt, 0, FALSE);
1252 if (callout_overall < 0)
1254 *log_msgptr = string_sprintf("bad time value in ACL condition "
1255 "\"verify %s\"", arg);
1259 else if (strncmpic(opt, US"connect", 7) == 0)
1262 while (isspace(*opt)) opt++;
1265 *log_msgptr = string_sprintf("'=' expected after "
1266 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1269 while (isspace(*opt)) opt++;
1270 callout_connect = readconf_readtime(opt, 0, FALSE);
1271 if (callout_connect < 0)
1273 *log_msgptr = string_sprintf("bad time value in ACL condition "
1274 "\"verify %s\"", arg);
1278 else /* Plain time is callout connect/command timeout */
1280 callout = readconf_readtime(opt, 0, FALSE);
1283 *log_msgptr = string_sprintf("bad time value in ACL condition "
1284 "\"verify %s\"", arg);
1292 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1293 "ACL condition \"%s\"", arg);
1299 /* Option not recognized */
1303 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1304 "condition \"verify %s\"", ss, arg);
1309 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1310 (vopt_callout_recipsender|vopt_callout_recippmaster))
1312 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1313 "for a recipient callout";
1317 /* Handle sender-in-header verification. Default the user message to the log
1318 message if giving out verification details. */
1320 if (verify_header_sender)
1323 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1324 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1328 *basic_errno = verrno;
1329 if (smtp_return_error_details)
1331 if (*user_msgptr == NULL && *log_msgptr != NULL)
1332 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1333 if (rc == DEFER) acl_temp_details = TRUE;
1338 /* Handle a sender address. The default is to verify *the* sender address, but
1339 optionally a different address can be given, for special requirements. If the
1340 address is empty, we are dealing with a bounce message that has no sender, so
1341 we cannot do any checking. If the real sender address gets rewritten during
1342 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1343 during message reception.
1345 A list of verified "sender" addresses is kept to try to avoid doing to much
1346 work repetitively when there are multiple recipients in a message and they all
1347 require sender verification. However, when callouts are involved, it gets too
1348 complicated because different recipients may require different callout options.
1349 Therefore, we always do a full sender verify when any kind of callout is
1350 specified. Caching elsewhere, for instance in the DNS resolver and in the
1351 callout handling, should ensure that this is not terribly inefficient. */
1353 else if (verify_sender_address != NULL)
1355 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1358 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1359 "sender verify callout";
1363 sender_vaddr = verify_checked_sender(verify_sender_address);
1364 if (sender_vaddr != NULL && /* Previously checked */
1365 callout <= 0) /* No callout needed this time */
1367 /* If the "routed" flag is set, it means that routing worked before, so
1368 this check can give OK (the saved return code value, if set, belongs to a
1369 callout that was done previously). If the "routed" flag is not set, routing
1370 must have failed, so we use the saved return code. */
1372 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1374 rc = sender_vaddr->special_action;
1375 *basic_errno = sender_vaddr->basic_errno;
1377 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1380 /* Do a new verification, and cache the result. The cache is used to avoid
1381 verifying the sender multiple times for multiple RCPTs when callouts are not
1382 specified (see comments above).
1384 The cache is also used on failure to give details in response to the first
1385 RCPT that gets bounced for this reason. However, this can be suppressed by
1386 the no_details option, which sets the flag that says "this detail has already
1387 been sent". The cache normally contains just one address, but there may be
1388 more in esoteric circumstances. */
1393 uschar *save_address_data = deliver_address_data;
1395 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1396 if (no_details) setflag(sender_vaddr, af_sverify_told);
1397 if (verify_sender_address[0] != 0)
1399 /* If this is the real sender address, save the unrewritten version
1400 for use later in receive. Otherwise, set a flag so that rewriting the
1401 sender in verify_address() does not update sender_address. */
1403 if (verify_sender_address == sender_address)
1404 sender_address_unrewritten = sender_address;
1406 verify_options |= vopt_fake_sender;
1408 /* The recipient, qualify, and expn options are never set in
1411 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1412 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1414 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1418 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1420 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1421 verify_sender_address, sender_vaddr->address);
1425 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1426 verify_sender_address);
1429 else *basic_errno = sender_vaddr->basic_errno;
1431 else rc = OK; /* Null sender */
1433 /* Cache the result code */
1435 if (routed) setflag(sender_vaddr, af_verify_routed);
1436 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1437 sender_vaddr->special_action = rc;
1438 sender_vaddr->next = sender_verified_list;
1439 sender_verified_list = sender_vaddr;
1441 /* Restore the recipient address data, which might have been clobbered by
1442 the sender verification. */
1444 deliver_address_data = save_address_data;
1447 /* Put the sender address_data value into $sender_address_data */
1449 sender_address_data = sender_vaddr->p.address_data;
1452 /* A recipient address just gets a straightforward verify; again we must handle
1453 the DEFER overrides. */
1459 /* We must use a copy of the address for verification, because it might
1463 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1464 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1465 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1467 *log_msgptr = addr2.message;
1468 *user_msgptr = (addr2.user_message != NULL)?
1469 addr2.user_message : addr2.message;
1470 *basic_errno = addr2.basic_errno;
1472 /* Make $address_data visible */
1473 deliver_address_data = addr2.p.address_data;
1476 /* We have a result from the relevant test. Handle defer overrides first. */
1478 if (rc == DEFER && (defer_ok ||
1479 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1481 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1482 defer_ok? "defer_ok" : "callout_defer_ok");
1486 /* If we've failed a sender, set up a recipient message, and point
1487 sender_verified_failed to the address item that actually failed. */
1489 if (rc != OK && verify_sender_address != NULL)
1493 *log_msgptr = *user_msgptr = US"Sender verify failed";
1495 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1497 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1501 *log_msgptr = US"Could not complete sender verify callout";
1502 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1506 sender_verified_failed = sender_vaddr;
1509 /* Verifying an address messes up the values of $domain and $local_part,
1510 so reset them before returning if this is a RCPT ACL. */
1514 deliver_domain = addr->domain;
1515 deliver_localpart = addr->local_part;
1519 /* Syntax errors in the verify argument come here. */
1522 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1523 "\"helo\", \"header_syntax\", \"header_sender\" or "
1524 "\"reverse_host_lookup\" at start of ACL condition "
1525 "\"verify %s\"", arg);
1528 /* Options supplied when not allowed come here */
1531 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1532 "(this verify item has no options)", arg);
1539 /*************************************************
1540 * Check argument for control= modifier *
1541 *************************************************/
1543 /* Called from acl_check_condition() below
1546 arg the argument string for control=
1547 pptr set to point to the terminating character
1548 where which ACL we are in
1549 log_msgptr for error messages
1551 Returns: CONTROL_xxx value
1555 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1560 for (d = controls_list;
1561 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1564 len = Ustrlen(d->name);
1565 if (Ustrncmp(d->name, arg, len) == 0) break;
1568 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1569 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1571 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1572 return CONTROL_ERROR;
1581 /*************************************************
1582 * Handle conditions/modifiers on an ACL item *
1583 *************************************************/
1585 /* Called from acl_check() below.
1589 cb ACL condition block - if NULL, result is OK
1590 where where called from
1591 addr the address being checked for RCPT, or NULL
1592 level the nesting level
1593 epp pointer to pass back TRUE if "endpass" encountered
1594 (applies only to "accept" and "discard")
1595 user_msgptr user message pointer
1596 log_msgptr log message pointer
1597 basic_errno pointer to where to put verify error
1599 Returns: OK - all conditions are met
1600 DISCARD - an "acl" condition returned DISCARD - only allowed
1601 for "accept" or "discard" verbs
1602 FAIL - at least one condition fails
1603 FAIL_DROP - an "acl" condition returned FAIL_DROP
1604 DEFER - can't tell at the moment (typically, lookup defer,
1605 but can be temporary callout problem)
1606 ERROR - ERROR from nested ACL or expansion failure or other
1611 acl_check_condition(int verb, acl_condition_block *cb, int where,
1612 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1613 uschar **log_msgptr, int *basic_errno)
1615 uschar *user_message = NULL;
1616 uschar *log_message = NULL;
1619 #ifdef WITH_CONTENT_SCAN
1623 for (; cb != NULL; cb = cb->next)
1628 /* The message and log_message items set up messages to be used in
1629 case of rejection. They are expanded later. */
1631 if (cb->type == ACLC_MESSAGE)
1633 user_message = cb->arg;
1637 if (cb->type == ACLC_LOG_MESSAGE)
1639 log_message = cb->arg;
1643 /* The endpass "condition" just sets a flag to show it occurred. This is
1644 checked at compile time to be on an "accept" or "discard" item. */
1646 if (cb->type == ACLC_ENDPASS)
1652 /* For other conditions and modifiers, the argument is expanded now for some
1653 of them, but not for all, because expansion happens down in some lower level
1654 checking functions in some cases. */
1656 if (cond_expand_at_top[cb->type])
1658 arg = expand_string(cb->arg);
1661 if (expand_string_forcedfail) continue;
1662 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1663 cb->arg, expand_string_message);
1664 return search_find_defer? DEFER : ERROR;
1669 /* Show condition, and expanded condition if it's different */
1674 debug_printf("check %s%s %n",
1675 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1676 conditions[cb->type], &lhswidth);
1678 if (cb->type == ACLC_SET)
1680 int n = cb->u.varnumber;
1681 int t = (n < ACL_C_MAX)? 'c' : 'm';
1682 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1683 debug_printf("acl_%c%d ", t, n);
1687 debug_printf("= %s\n", cb->arg);
1690 debug_printf("%.*s= %s\n", lhswidth,
1694 /* Check that this condition makes sense at this time */
1696 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1698 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1699 cond_modifiers[cb->type]? "use" : "test",
1700 conditions[cb->type], acl_wherenames[where]);
1704 /* Run the appropriate test for each condition, or take the appropriate
1705 action for the remaining modifiers. */
1709 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1713 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1714 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1716 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1717 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1723 case ACLC_AUTHENTICATED:
1724 rc = (sender_host_authenticated == NULL)? FAIL :
1725 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1729 #ifdef EXPERIMENTAL_BRIGHTMAIL
1730 case ACLC_BMI_OPTIN:
1732 int old_pool = store_pool;
1733 store_pool = POOL_PERM;
1734 bmi_current_optin = string_copy(arg);
1735 store_pool = old_pool;
1740 case ACLC_CONDITION:
1741 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1742 rc = (Uatoi(arg) == 0)? FAIL : OK;
1744 rc = (strcmpic(arg, US"no") == 0 ||
1745 strcmpic(arg, US"false") == 0)? FAIL :
1746 (strcmpic(arg, US"yes") == 0 ||
1747 strcmpic(arg, US"true") == 0)? OK : DEFER;
1749 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1753 control_type = decode_control(arg, &p, where, log_msgptr);
1755 /* Check if this control makes sense at this time */
1757 if ((control_forbids[control_type] & (1 << where)) != 0)
1759 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1760 controls[control_type], acl_wherenames[where]);
1764 switch(control_type)
1766 #ifdef EXPERIMENTAL_BRIGHTMAIL
1767 case CONTROL_BMI_RUN:
1771 #ifdef EXPERIMENTAL_DOMAINKEYS
1772 case CONTROL_DK_VERIFY:
1779 case CONTROL_CASEFUL_LOCAL_PART:
1780 deliver_localpart = addr->cc_local_part;
1783 case CONTROL_CASELOWER_LOCAL_PART:
1784 deliver_localpart = addr->lc_local_part;
1787 case CONTROL_ENFORCE_SYNC:
1788 smtp_enforce_sync = TRUE;
1791 case CONTROL_NO_ENFORCE_SYNC:
1792 smtp_enforce_sync = FALSE;
1795 #ifdef WITH_CONTENT_SCAN
1796 case CONTROL_NO_MBOX_UNSPOOL:
1797 no_mbox_unspool = TRUE;
1801 case CONTROL_NO_MULTILINE:
1802 no_multiline_responses = TRUE;
1805 case CONTROL_FAKEREJECT:
1810 while (*pp != 0) pp++;
1811 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1816 /* Explicitly reset to default string */
1817 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
1821 case CONTROL_FREEZE:
1822 deliver_freeze = TRUE;
1823 deliver_frozen_at = time(NULL);
1826 case CONTROL_QUEUE_ONLY:
1827 queue_only_policy = TRUE;
1830 case CONTROL_SUBMISSION:
1831 submission_mode = TRUE;
1834 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1837 active_local_sender_retain = TRUE;
1838 active_local_from_check = FALSE;
1840 else if (Ustrncmp(p, "/domain=", 8) == 0)
1843 while (*pp != 0 && *pp != '/') pp++;
1844 submission_domain = string_copyn(p+8, pp-p);
1851 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1858 #ifdef WITH_CONTENT_SCAN
1860 rc = mime_decode(&arg);
1866 int delay = readconf_readtime(arg, 0, FALSE);
1869 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1870 "modifier: \"%s\" is not a time value", arg);
1875 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1880 debug_printf("delay skipped in -bh checking mode\n");
1884 while (delay > 0) delay = sleep(delay);
1890 #ifdef WITH_OLD_DEMIME
1896 #ifdef EXPERIMENTAL_DOMAINKEYS
1897 case ACLC_DK_DOMAIN_SOURCE:
1898 if (dk_verify_block == NULL) { rc = FAIL; break; };
1899 /* check header source of domain against given string */
1900 switch (dk_verify_block->address_source) {
1901 case DK_EXIM_ADDRESS_FROM_FROM:
1902 rc = match_isinlist(US"from", &arg, 0, NULL,
1903 NULL, MCL_STRING, TRUE, NULL);
1905 case DK_EXIM_ADDRESS_FROM_SENDER:
1906 rc = match_isinlist(US"sender", &arg, 0, NULL,
1907 NULL, MCL_STRING, TRUE, NULL);
1909 case DK_EXIM_ADDRESS_NONE:
1910 rc = match_isinlist(US"none", &arg, 0, NULL,
1911 NULL, MCL_STRING, TRUE, NULL);
1915 case ACLC_DK_POLICY:
1916 if (dk_verify_block == NULL) { rc = FAIL; break; };
1917 /* check policy against given string, default FAIL */
1919 if (dk_verify_block->signsall)
1920 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1921 NULL, MCL_STRING, TRUE, NULL);
1922 if (dk_verify_block->testing)
1923 rc = match_isinlist(US"testing", &arg, 0, NULL,
1924 NULL, MCL_STRING, TRUE, NULL);
1926 case ACLC_DK_SENDER_DOMAINS:
1927 if (dk_verify_block == NULL) { rc = FAIL; break; };
1928 if (dk_verify_block->domain != NULL)
1929 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1930 NULL, MCL_DOMAIN, TRUE, NULL);
1933 case ACLC_DK_SENDER_LOCAL_PARTS:
1934 if (dk_verify_block == NULL) { rc = FAIL; break; };
1935 if (dk_verify_block->local_part != NULL)
1936 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1937 NULL, MCL_LOCALPART, TRUE, NULL);
1940 case ACLC_DK_SENDERS:
1941 if (dk_verify_block == NULL) { rc = FAIL; break; };
1942 if (dk_verify_block->address != NULL)
1943 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1946 case ACLC_DK_STATUS:
1947 if (dk_verify_block == NULL) { rc = FAIL; break; };
1948 if (dk_verify_block->result > 0) {
1949 switch(dk_verify_block->result) {
1950 case DK_EXIM_RESULT_BAD_FORMAT:
1951 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1952 NULL, MCL_STRING, TRUE, NULL);
1954 case DK_EXIM_RESULT_NO_KEY:
1955 rc = match_isinlist(US"no key", &arg, 0, NULL,
1956 NULL, MCL_STRING, TRUE, NULL);
1958 case DK_EXIM_RESULT_NO_SIGNATURE:
1959 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1960 NULL, MCL_STRING, TRUE, NULL);
1962 case DK_EXIM_RESULT_REVOKED:
1963 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1964 NULL, MCL_STRING, TRUE, NULL);
1966 case DK_EXIM_RESULT_NON_PARTICIPANT:
1967 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1968 NULL, MCL_STRING, TRUE, NULL);
1970 case DK_EXIM_RESULT_GOOD:
1971 rc = match_isinlist(US"good", &arg, 0, NULL,
1972 NULL, MCL_STRING, TRUE, NULL);
1974 case DK_EXIM_RESULT_BAD:
1975 rc = match_isinlist(US"bad", &arg, 0, NULL,
1976 NULL, MCL_STRING, TRUE, NULL);
1984 rc = verify_check_dnsbl(&arg);
1988 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1989 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1992 /* The value in tls_cipher is the full cipher name, for example,
1993 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1994 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1995 what may in practice come out of the SSL library - which at the time of
1996 writing is poorly documented. */
1998 case ACLC_ENCRYPTED:
1999 if (tls_cipher == NULL) rc = FAIL; else
2001 uschar *endcipher = NULL;
2002 uschar *cipher = Ustrchr(tls_cipher, ':');
2003 if (cipher == NULL) cipher = tls_cipher; else
2005 endcipher = Ustrchr(++cipher, ':');
2006 if (endcipher != NULL) *endcipher = 0;
2008 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2009 if (endcipher != NULL) *endcipher = ':';
2013 /* Use verify_check_this_host() instead of verify_check_host() so that
2014 we can pass over &host_data to catch any looked up data. Once it has been
2015 set, it retains its value so that it's still there if another ACL verb
2016 comes through here and uses the cache. However, we must put it into
2017 permanent store in case it is also expected to be used in a subsequent
2018 message in the same SMTP connection. */
2021 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2022 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2023 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2026 case ACLC_LOCAL_PARTS:
2027 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2028 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2029 &deliver_localpart_data);
2041 if (Ustrncmp(s, "main", 4) == 0)
2042 { logbits |= LOG_MAIN; s += 4; }
2043 else if (Ustrncmp(s, "panic", 5) == 0)
2044 { logbits |= LOG_PANIC; s += 5; }
2045 else if (Ustrncmp(s, "reject", 6) == 0)
2046 { logbits |= LOG_REJECT; s += 6; }
2049 logbits = LOG_MAIN|LOG_PANIC;
2050 s = string_sprintf(":unknown log name in \"%s\" in "
2051 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2057 while (isspace(*s)) s++;
2058 if (logbits == 0) logbits = LOG_MAIN;
2059 log_write(0, logbits, "%s", string_printing(s));
2063 #ifdef WITH_CONTENT_SCAN
2066 /* Seperate the regular expression and any optional parameters. */
2067 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2068 /* Run the malware backend. */
2070 /* Modify return code based upon the existance of options. */
2071 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2073 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2075 /* FAIL so that the message is passed to the next ACL */
2082 case ACLC_MIME_REGEX:
2083 rc = mime_regex(&arg);
2087 case ACLC_RECIPIENTS:
2088 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2092 #ifdef WITH_CONTENT_SCAN
2098 case ACLC_SENDER_DOMAINS:
2101 sdomain = Ustrrchr(sender_address, '@');
2102 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2103 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2104 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2109 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2110 sender_address_cache, -1, 0, &sender_data);
2113 /* Connection variables must persist forever */
2117 int old_pool = store_pool;
2118 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2119 acl_var[cb->u.varnumber] = string_copy(arg);
2120 store_pool = old_pool;
2124 #ifdef WITH_CONTENT_SCAN
2127 /* Seperate the regular expression and any optional parameters. */
2128 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2129 /* Run the spam backend. */
2131 /* Modify return code based upon the existance of options. */
2132 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2134 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2136 /* FAIL so that the message is passed to the next ACL */
2144 #ifdef EXPERIMENTAL_SPF
2146 rc = spf_process(&arg, sender_address);
2150 /* If the verb is WARN, discard any user message from verification, because
2151 such messages are SMTP responses, not header additions. The latter come
2152 only from explicit "message" modifiers. */
2155 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2156 if (verb == ACL_WARN) *user_msgptr = NULL;
2160 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2161 "condition %d", cb->type);
2165 /* If a condition was negated, invert OK/FAIL. */
2167 if (!cond_modifiers[cb->type] && cb->u.negated)
2169 if (rc == OK) rc = FAIL;
2170 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2173 if (rc != OK) break; /* Conditions loop */
2177 /* If the result is the one for which "message" and/or "log_message" are used,
2178 handle the values of these options. Most verbs have but a single return for
2179 which the messages are relevant, but for "discard", it's useful to have the log
2180 message both when it succeeds and when it fails. Also, for an "accept" that
2181 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2182 and "warn" are permitted in that ACL, we don't need to test the verb.
2184 These modifiers act in different ways:
2186 "message" is a user message that will be included in an SMTP response. Unless
2187 it is empty, it overrides any previously set user message.
2189 "log_message" is a non-user message, and it adds to any existing non-user
2190 message that is already set.
2192 If there isn't a log message set, we make it the same as the user message. */
2194 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2195 (verb == ACL_DISCARD && rc == OK) ||
2196 (where == ACL_WHERE_QUIT))
2200 /* If the verb is "warn", messages generated by conditions (verification or
2201 nested ACLs) are discarded. Only messages specified at this level are used.
2202 However, the value of an existing message is available in $acl_verify_message
2203 during expansions. */
2205 uschar *old_user_msgptr = *user_msgptr;
2206 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2208 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2210 if (user_message != NULL)
2212 acl_verify_message = old_user_msgptr;
2213 expmessage = expand_string(user_message);
2214 if (expmessage == NULL)
2216 if (!expand_string_forcedfail)
2217 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2218 user_message, expand_string_message);
2220 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2223 if (log_message != NULL)
2225 acl_verify_message = old_log_msgptr;
2226 expmessage = expand_string(log_message);
2227 if (expmessage == NULL)
2229 if (!expand_string_forcedfail)
2230 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2231 log_message, expand_string_message);
2233 else if (expmessage[0] != 0)
2235 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2236 string_sprintf("%s: %s", expmessage, *log_msgptr);
2240 /* If no log message, default it to the user message */
2242 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2245 acl_verify_message = NULL;
2253 /*************************************************
2254 * Get line from a literal ACL *
2255 *************************************************/
2257 /* This function is passed to acl_read() in order to extract individual lines
2258 of a literal ACL, which we access via static pointers. We can destroy the
2259 contents because this is called only once (the compiled ACL is remembered).
2261 This code is intended to treat the data in the same way as lines in the main
2262 Exim configuration file. That is:
2264 . Leading spaces are ignored.
2266 . A \ at the end of a line is a continuation - trailing spaces after the \
2267 are permitted (this is because I don't believe in making invisible things
2268 significant). Leading spaces on the continued part of a line are ignored.
2270 . Physical lines starting (significantly) with # are totally ignored, and
2271 may appear within a sequence of backslash-continued lines.
2273 . Blank lines are ignored, but will end a sequence of continuations.
2276 Returns: a pointer to the next line
2280 static uschar *acl_text; /* Current pointer in the text */
2281 static uschar *acl_text_end; /* Points one past the terminating '0' */
2289 /* This loop handles leading blank lines and comments. */
2293 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2294 if (*acl_text == 0) return NULL; /* No more data */
2295 yield = acl_text; /* Potential data line */
2297 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2299 /* If we hit the end before a newline, we have the whole logical line. If
2300 it's a comment, there's no more data to be given. Otherwise, yield it. */
2302 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2304 /* After reaching a newline, end this loop if the physical line does not
2305 start with '#'. If it does, it's a comment, and the loop continues. */
2307 if (*yield != '#') break;
2310 /* This loop handles continuations. We know we have some real data, ending in
2311 newline. See if there is a continuation marker at the end (ignoring trailing
2312 white space). We know that *yield is not white space, so no need to test for
2313 cont > yield in the backwards scanning loop. */
2318 for (cont = acl_text - 1; isspace(*cont); cont--);
2320 /* If no continuation follows, we are done. Mark the end of the line and
2329 /* We have encountered a continuation. Skip over whitespace at the start of
2330 the next line, and indeed the whole of the next line or lines if they are
2335 while (*(++acl_text) == ' ' || *acl_text == '\t');
2336 if (*acl_text != '#') break;
2337 while (*(++acl_text) != 0 && *acl_text != '\n');
2340 /* We have the start of a continuation line. Move all the rest of the data
2341 to join onto the previous line, and then find its end. If the end is not a
2342 newline, we are done. Otherwise loop to look for another continuation. */
2344 memmove(cont, acl_text, acl_text_end - acl_text);
2345 acl_text_end -= acl_text - cont;
2347 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2348 if (*acl_text == 0) return yield;
2351 /* Control does not reach here */
2358 /*************************************************
2359 * Check access using an ACL *
2360 *************************************************/
2362 /* This function is called from address_check. It may recurse via
2363 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2364 passed as a string which is expanded. A forced failure implies no access check
2365 is required. If the result is a single word, it is taken as the name of an ACL
2366 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2367 text, complete with newlines, and parsed as such. In both cases, the ACL check
2368 is then run. This function uses an auxiliary function for acl_read() to call
2369 for reading individual lines of a literal ACL. This is acl_getline(), which
2370 appears immediately above.
2373 where where called from
2374 addr address item when called from RCPT; otherwise NULL
2375 s the input string; NULL is the same as an empty ACL => DENY
2376 level the nesting level
2377 user_msgptr where to put a user error (for SMTP response)
2378 log_msgptr where to put a logging message (not for SMTP response)
2380 Returns: OK access is granted
2381 DISCARD access is apparently granted...
2382 FAIL access is denied
2383 FAIL_DROP access is denied; drop the connection
2384 DEFER can't tell at the moment
2389 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2390 uschar **user_msgptr, uschar **log_msgptr)
2393 acl_block *acl = NULL;
2394 uschar *acl_name = US"inline ACL";
2397 /* Catch configuration loops */
2401 *log_msgptr = US"ACL nested too deep: possible loop";
2407 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2411 /* At top level, we expand the incoming string. At lower levels, it has already
2412 been expanded as part of condition processing. */
2416 ss = expand_string(s);
2419 if (expand_string_forcedfail) return OK;
2420 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2421 expand_string_message);
2427 while (isspace(*ss))ss++;
2429 /* If we can't find a named ACL, the default is to parse it as an inline one.
2430 (Unless it begins with a slash; non-existent files give rise to an error.) */
2434 /* Handle the case of a string that does not contain any spaces. Look for a
2435 named ACL among those read from the configuration, or a previously read file.
2436 It is possible that the pointer to the ACL is NULL if the configuration
2437 contains a name with no data. If not found, and the text begins with '/',
2438 read an ACL from a file, and save it so it can be re-used. */
2440 if (Ustrchr(ss, ' ') == NULL)
2442 tree_node *t = tree_search(acl_anchor, ss);
2445 acl = (acl_block *)(t->data.ptr);
2448 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2451 acl_name = string_sprintf("ACL \"%s\"", ss);
2452 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2455 else if (*ss == '/')
2457 struct stat statbuf;
2458 fd = Uopen(ss, O_RDONLY, 0);
2461 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2466 if (fstat(fd, &statbuf) != 0)
2468 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2473 acl_text = store_get(statbuf.st_size + 1);
2474 acl_text_end = acl_text + statbuf.st_size + 1;
2476 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2478 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2479 ss, strerror(errno));
2482 acl_text[statbuf.st_size] = 0;
2485 acl_name = string_sprintf("ACL \"%s\"", ss);
2486 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2490 /* Parse an ACL that is still in text form. If it came from a file, remember it
2491 in the ACL tree, having read it into the POOL_PERM store pool so that it
2492 persists between multiple messages. */
2496 int old_pool = store_pool;
2497 if (fd >= 0) store_pool = POOL_PERM;
2498 acl = acl_read(acl_getline, log_msgptr);
2499 store_pool = old_pool;
2500 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2503 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2504 Ustrcpy(t->name, ss);
2506 (void)tree_insertnode(&acl_anchor, t);
2510 /* Now we have an ACL to use. It's possible it may be NULL. */
2515 int basic_errno = 0;
2516 BOOL endpass_seen = FALSE;
2518 *log_msgptr = *user_msgptr = NULL;
2519 acl_temp_details = FALSE;
2521 if (where == ACL_WHERE_QUIT &&
2522 acl->verb != ACL_ACCEPT &&
2523 acl->verb != ACL_WARN)
2525 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2530 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2532 /* Clear out any search error message from a previous check before testing
2535 search_error_message = NULL;
2536 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2537 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2539 /* Handle special returns: DEFER causes a return except on a WARN verb;
2540 ERROR always causes a return. */
2545 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2546 if (basic_errno != ERRNO_CALLOUTDEFER)
2548 if (search_error_message != NULL && *search_error_message != 0)
2549 *log_msgptr = search_error_message;
2550 if (smtp_return_error_details) acl_temp_details = TRUE;
2554 acl_temp_details = TRUE;
2556 if (acl->verb != ACL_WARN) return DEFER;
2559 default: /* Paranoia */
2561 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2565 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2570 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2573 /* DISCARD and DROP can happen only from a nested ACL condition, and
2574 DISCARD can happen only for an "accept" or "discard" verb. */
2577 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2582 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2587 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2588 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2589 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2594 if (cond == OK || cond == DISCARD) return cond;
2597 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2605 acl_temp_details = TRUE;
2611 if (cond == OK) return FAIL;
2615 if (cond == OK || cond == DISCARD) return DISCARD;
2618 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2624 if (cond == OK) return FAIL_DROP;
2628 if (cond != OK) return cond;
2633 acl_warn(where, *user_msgptr, *log_msgptr);
2634 else if (cond == DEFER)
2635 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2636 "condition test deferred: %s",
2637 (*log_msgptr == NULL)? US"" : *log_msgptr));
2638 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2642 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2647 /* Pass to the next ACL item */
2652 /* We have reached the end of the ACL. This is an implicit DENY. */
2654 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2659 /*************************************************
2660 * Check access using an ACL *
2661 *************************************************/
2663 /* This is the external interface for ACL checks. It sets up an address and the
2664 expansions for $domain and $local_part when called after RCPT, then calls
2665 acl_check_internal() to do the actual work.
2668 where ACL_WHERE_xxxx indicating where called from
2669 data_string RCPT address, or SMTP command argument, or NULL
2670 s the input string; NULL is the same as an empty ACL => DENY
2671 user_msgptr where to put a user error (for SMTP response)
2672 log_msgptr where to put a logging message (not for SMTP response)
2674 Returns: OK access is granted by an ACCEPT verb
2675 DISCARD access is granted by a DISCARD verb
2676 FAIL access is denied
2677 FAIL_DROP access is denied; drop the connection
2678 DEFER can't tell at the moment
2683 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2684 uschar **log_msgptr)
2690 *user_msgptr = *log_msgptr = NULL;
2691 sender_verified_failed = NULL;
2693 if (where == ACL_WHERE_RCPT)
2695 adb = address_defaults;
2697 addr->address = data_string;
2698 if (deliver_split_address(addr) == DEFER)
2700 *log_msgptr = US"defer in percent_hack_domains check";
2703 deliver_domain = addr->domain;
2704 deliver_localpart = addr->local_part;
2709 smtp_command_argument = data_string;
2712 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2714 smtp_command_argument = deliver_domain =
2715 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2717 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2718 ACL, which is really in the middle of an SMTP command. */
2722 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2724 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2725 "ACL", acl_wherenames[where]);
2731 /* A DROP response is not permitted from MAILAUTH */
2733 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2735 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2736 "ACL", acl_wherenames[where]);
2740 /* Before giving an error response, take a look at the length of any user
2741 message, and split it up into multiple lines if possible. */
2743 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2745 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2751 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2752 if (*ss == 0) break;
2759 while (--t > s + 35)
2763 if (t[-1] == ':') { tt = t; break; }
2764 if (tt == NULL) tt = t;
2768 if (tt == NULL) /* Can't split behind - try ahead */
2773 if (*t == ' ' || *t == '\n')
2779 if (tt == NULL) break; /* Can't find anywhere to split */
git://git.exim.org / exim.git / blob