1 /* $Cambridge: exim/src/src/acl.c,v 1.28 2005/04/06 14:03:53 ph10 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the condition for which "message" is used */
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
34 /* ACL condition and modifier codes - keep in step with the table that
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
46 #ifdef WITH_OLD_DEMIME
49 #ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59 #ifdef WITH_CONTENT_SCAN
63 #ifdef WITH_CONTENT_SCAN
67 #ifdef WITH_CONTENT_SCAN
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71 #ifdef WITH_CONTENT_SCAN
74 #ifdef EXPERIMENTAL_SPF
79 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80 "log_message", "logwrite", and "set" are modifiers that look like conditions
81 but always return TRUE. They are used for their side effects. */
83 static uschar *conditions[] = { US"acl", US"authenticated",
84 #ifdef EXPERIMENTAL_BRIGHTMAIL
89 #ifdef WITH_CONTENT_SCAN
93 #ifdef WITH_OLD_DEMIME
96 #ifdef EXPERIMENTAL_DOMAINKEYS
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
104 US"dnslists", US"domains", US"encrypted",
105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
106 #ifdef WITH_CONTENT_SCAN
110 #ifdef WITH_CONTENT_SCAN
114 #ifdef WITH_CONTENT_SCAN
117 US"sender_domains", US"senders", US"set",
118 #ifdef WITH_CONTENT_SCAN
121 #ifdef EXPERIMENTAL_SPF
126 /* ACL control names */
128 static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
130 US"queue_only", US"submission", US"no_multiline"};
132 /* Flags to indicate for which conditions /modifiers a string expansion is done
133 at the outer level. In the other cases, expansion already occurs in the
134 checking functions. */
136 static uschar cond_expand_at_top[] = {
138 FALSE, /* authenticated */
139 #ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
142 TRUE, /* condition */
144 #ifdef WITH_CONTENT_SCAN
148 #ifdef WITH_OLD_DEMIME
151 #ifdef EXPERIMENTAL_DOMAINKEYS
152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
155 TRUE, /* dk_sender_local_parts */
156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
161 FALSE, /* encrypted */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
167 #ifdef WITH_CONTENT_SCAN
171 #ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
174 FALSE, /* recipients */
175 #ifdef WITH_CONTENT_SCAN
178 FALSE, /* sender_domains */
181 #ifdef WITH_CONTENT_SCAN
184 #ifdef EXPERIMENTAL_SPF
190 /* Flags to identify the modifiers */
192 static uschar cond_modifiers[] = {
194 FALSE, /* authenticated */
195 #ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
198 FALSE, /* condition */
200 #ifdef WITH_CONTENT_SCAN
204 #ifdef WITH_OLD_DEMIME
207 #ifdef EXPERIMENTAL_DOMAINKEYS
208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
211 FALSE, /* dk_sender_local_parts */
212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
215 FALSE, /* dnslists */
217 FALSE, /* encrypted */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
223 #ifdef WITH_CONTENT_SCAN
227 #ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
230 FALSE, /* recipients */
231 #ifdef WITH_CONTENT_SCAN
234 FALSE, /* sender_domains */
237 #ifdef WITH_CONTENT_SCAN
240 #ifdef EXPERIMENTAL_SPF
246 /* Bit map vector of which conditions are not allowed at certain times. For
247 each condition, there's a bitmap of dis-allowed times. For some, it is easier
248 to specify the negation of a small number of allowed times. */
250 static unsigned int cond_forbids[] = {
253 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
256 #ifdef EXPERIMENTAL_BRIGHTMAIL
257 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
258 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
259 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
260 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
261 (1<<ACL_WHERE_MAILAUTH)|
262 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
263 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
268 /* Certain types of control are always allowed, so we let it through
269 always and check in the control processing itself. */
273 #ifdef WITH_CONTENT_SCAN
275 ~(1<<ACL_WHERE_MIME), /* decode */
280 #ifdef WITH_OLD_DEMIME
282 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
285 #ifdef EXPERIMENTAL_DOMAINKEYS
286 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
287 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
288 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
289 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
290 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
291 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
294 (1<<ACL_WHERE_AUTH)| /* dk_policy */
295 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
296 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
297 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
298 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
299 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
302 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
303 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
304 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
305 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
306 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
307 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
310 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
311 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
312 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
313 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
314 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
315 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
318 (1<<ACL_WHERE_AUTH)| /* dk_senders */
319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
326 (1<<ACL_WHERE_AUTH)| /* dk_status */
327 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
328 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
329 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
330 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
331 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
335 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
338 ~(1<<ACL_WHERE_RCPT), /* domains */
340 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
345 (1<<ACL_WHERE_NOTSMTP), /* hosts */
348 ~(1<<ACL_WHERE_RCPT), /* local_parts */
354 #ifdef WITH_CONTENT_SCAN
356 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
361 #ifdef WITH_CONTENT_SCAN
363 ~(1<<ACL_WHERE_MIME), /* mime_regex */
367 ~(1<<ACL_WHERE_RCPT), /* recipients */
369 #ifdef WITH_CONTENT_SCAN
371 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
372 (1<<ACL_WHERE_MIME)),
375 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
377 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
378 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
379 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
381 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
383 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
384 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
385 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
389 #ifdef WITH_CONTENT_SCAN
391 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
394 #ifdef EXPERIMENTAL_SPF
395 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
397 (1<<ACL_WHERE_MAILAUTH)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
402 /* Certain types of verify are always allowed, so we let it through
403 always and check in the verify function itself */
409 /* Return values from decode_control() */
412 #ifdef EXPERIMENTAL_BRIGHTMAIL
415 #ifdef EXPERIMENTAL_DOMAINKEYS
418 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
419 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
420 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
421 #ifdef WITH_CONTENT_SCAN
422 CONTROL_NO_MBOX_UNSPOOL,
424 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
426 /* Bit map vector of which controls are not allowed at certain times. For
427 each control, there's a bitmap of dis-allowed times. For some, it is easier to
428 specify the negation of a small number of allowed times. */
430 static unsigned int control_forbids[] = {
431 #ifdef EXPERIMENTAL_BRIGHTMAIL
434 #ifdef EXPERIMENTAL_DOMAINKEYS
435 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
441 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
444 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
446 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
448 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
451 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
452 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
453 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
456 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
457 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
458 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
461 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
462 (1<<ACL_WHERE_PREDATA)),
464 #ifdef WITH_CONTENT_SCAN
466 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
467 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
468 (1<<ACL_WHERE_MIME)),
472 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
473 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
474 (1<<ACL_WHERE_MIME)),
476 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
479 /* Structure listing various control arguments, with their characteristics. */
481 typedef struct control_def {
483 int value; /* CONTROL_xxx value */
484 BOOL has_option; /* Has /option(s) following */
487 static control_def controls_list[] = {
488 #ifdef EXPERIMENTAL_BRIGHTMAIL
489 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
491 #ifdef EXPERIMENTAL_DOMAINKEYS
492 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
494 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
495 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
496 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
497 { US"freeze", CONTROL_FREEZE, FALSE},
498 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
499 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
500 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
501 #ifdef WITH_CONTENT_SCAN
502 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
504 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
505 { US"submission", CONTROL_SUBMISSION, TRUE}
508 /* Enable recursion between acl_check_internal() and acl_check_condition() */
510 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
514 /*************************************************
515 * Pick out name from list *
516 *************************************************/
518 /* Use a binary chop method
525 Returns: offset in list, or -1 if not found
529 acl_checkname(uschar *name, uschar **list, int end)
535 int mid = (start + end)/2;
536 int c = Ustrcmp(name, list[mid]);
537 if (c == 0) return mid;
538 if (c < 0) end = mid; else start = mid + 1;
545 /*************************************************
546 * Read and parse one ACL *
547 *************************************************/
549 /* This function is called both from readconf in order to parse the ACLs in the
550 configuration file, and also when an ACL is encountered dynamically (e.g. as
551 the result of an expansion). It is given a function to call in order to
552 retrieve the lines of the ACL. This function handles skipping comments and
553 blank lines (where relevant).
556 func function to get next line of ACL
557 error where to put an error message
559 Returns: pointer to ACL, or NULL
560 NULL can be legal (empty ACL); in this case error will be NULL
564 acl_read(uschar *(*func)(void), uschar **error)
566 acl_block *yield = NULL;
567 acl_block **lastp = &yield;
568 acl_block *this = NULL;
569 acl_condition_block *cond;
570 acl_condition_block **condp = NULL;
575 while ((s = (*func)()) != NULL)
578 BOOL negated = FALSE;
579 uschar *saveline = s;
582 /* Conditions (but not verbs) are allowed to be negated by an initial
585 while (isspace(*s)) s++;
592 /* Read the name of a verb or a condition, or the start of a new ACL, which
593 can be started by a name, or by a macro definition. */
595 s = readconf_readname(name, sizeof(name), s);
596 if (*s == ':' || isupper(name[0] && *s == '=')) return yield;
598 /* If a verb is unrecognized, it may be another condition or modifier that
599 continues the previous verb. */
601 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
606 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
617 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
620 this = store_get(sizeof(acl_block));
622 lastp = &(this->next);
625 this->condition = NULL;
626 condp = &(this->condition);
627 if (*s == 0) continue; /* No condition on this line */
633 s = readconf_readname(name, sizeof(name), s); /* Condition name */
636 /* Handle a condition or modifier. */
638 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
641 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
646 /* The modifiers may not be negated */
648 if (negated && cond_modifiers[c])
650 *error = string_sprintf("ACL error: negation is not allowed with "
651 "\"%s\"", conditions[c]);
655 /* ENDPASS may occur only with ACCEPT or DISCARD. */
657 if (c == ACLC_ENDPASS &&
658 this->verb != ACL_ACCEPT &&
659 this->verb != ACL_DISCARD)
661 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
662 conditions[c], verbs[this->verb]);
666 cond = store_get(sizeof(acl_condition_block));
669 cond->u.negated = negated;
672 condp = &(cond->next);
674 /* The "set" modifier is different in that its argument is "name=value"
675 rather than just a value, and we can check the validity of the name, which
676 gives us a variable number to insert into the data block. */
680 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
681 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
683 *error = string_sprintf("unrecognized name after \"set\" in ACL "
684 "modifier \"set %s\"", s);
688 cond->u.varnumber = s[5] - '0';
689 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
691 while (isspace(*s)) s++;
694 /* For "set", we are now positioned for the data. For the others, only
695 "endpass" has no data */
697 if (c != ACLC_ENDPASS)
701 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
702 cond_modifiers[c]? US"modifier" : US"condition");
705 while (isspace(*s)) s++;
706 cond->arg = string_copy(s);
715 /*************************************************
717 *************************************************/
719 /* This function is called when a WARN verb's conditions are true. It adds to
720 the message's headers, and/or writes information to the log. In each case, this
721 only happens once (per message for headers, per connection for log).
724 where ACL_WHERE_xxxx indicating which ACL this is
725 user_message message for adding to headers
726 log_message message for logging, if different
732 acl_warn(int where, uschar *user_message, uschar *log_message)
736 if (log_message != NULL && log_message != user_message)
741 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
742 string_printing(log_message));
744 /* If a sender verification has failed, and the log message is "sender verify
745 failed", add the failure message. */
747 if (sender_verified_failed != NULL &&
748 sender_verified_failed->message != NULL &&
749 strcmpic(log_message, US"sender verify failed") == 0)
750 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
752 /* Search previously logged warnings. They are kept in malloc store so they
753 can be freed at the start of a new message. */
755 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
756 if (Ustrcmp(logged->text, text) == 0) break;
760 int length = Ustrlen(text) + 1;
761 log_write(0, LOG_MAIN, "%s", text);
762 logged = store_malloc(sizeof(string_item) + length);
763 logged->text = (uschar *)logged + sizeof(string_item);
764 memcpy(logged->text, text, length);
765 logged->next = acl_warn_logged;
766 acl_warn_logged = logged;
770 /* If there's no user message, we are done. */
772 if (user_message == NULL) return;
774 /* If this isn't a message ACL, we can't do anything with a user message.
777 if (where > ACL_WHERE_NOTSMTP)
779 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
780 "found in a non-message (%s) ACL: cannot specify header lines here: "
781 "message ignored", acl_wherenames[where]);
785 /* Treat the user message as a sequence of one or more header lines. */
787 hlen = Ustrlen(user_message);
790 uschar *text, *p, *q;
792 /* Add a final newline if not present */
794 text = ((user_message)[hlen-1] == '\n')? user_message :
795 string_sprintf("%s\n", user_message);
797 /* Loop for multiple header lines, taking care about continuations */
799 for (p = q = text; *p != 0; )
802 int newtype = htype_add_bot;
803 header_line **hptr = &acl_warn_headers;
805 /* Find next header line within the string */
809 q = Ustrchr(q, '\n');
810 if (*(++q) != ' ' && *q != '\t') break;
813 /* If the line starts with a colon, interpret the instruction for where to
814 add it. This temporarily sets up a new type. */
818 if (strncmpic(p, US":after_received:", 16) == 0)
820 newtype = htype_add_rec;
823 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
825 newtype = htype_add_rfc;
828 else if (strncmpic(p, US":at_start:", 10) == 0)
830 newtype = htype_add_top;
833 else if (strncmpic(p, US":at_end:", 8) == 0)
835 newtype = htype_add_bot;
838 while (*p == ' ' || *p == '\t') p++;
841 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
842 to the front of it. */
844 for (s = p; s < q - 1; s++)
846 if (*s == ':' || !isgraph(*s)) break;
849 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
852 /* See if this line has already been added */
854 while (*hptr != NULL)
856 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
857 hptr = &((*hptr)->next);
860 /* Add if not previously present */
864 header_line *h = store_get(sizeof(header_line));
873 /* Advance for next header line within the string */
882 /*************************************************
883 * Verify and check reverse DNS *
884 *************************************************/
886 /* Called from acl_verify() below. We look up the host name(s) of the client IP
887 address if this has not yet been done. The host_name_lookup() function checks
888 that one of these names resolves to an address list that contains the client IP
889 address, so we don't actually have to do the check here.
892 user_msgptr pointer for user message
893 log_msgptr pointer for log message
895 Returns: OK verification condition succeeded
896 FAIL verification failed
897 DEFER there was a problem verifying
901 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
905 user_msgptr = user_msgptr; /* stop compiler warning */
907 /* Previous success */
909 if (sender_host_name != NULL) return OK;
911 /* Previous failure */
913 if (host_lookup_failed)
915 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
919 /* Need to do a lookup */
922 debug_printf("looking up host name to force name/address consistency check\n");
924 if ((rc = host_name_lookup()) != OK)
926 *log_msgptr = (rc == DEFER)?
927 US"host lookup deferred for reverse lookup check"
929 string_sprintf("host lookup failed for reverse lookup check%s",
931 return rc; /* DEFER or FAIL */
934 host_build_sender_fullhost();
940 /*************************************************
941 * Handle verification (address & other) *
942 *************************************************/
944 /* This function implements the "verify" condition. It is called when
945 encountered in any ACL, because some tests are almost always permitted. Some
946 just don't make sense, and always fail (for example, an attempt to test a host
947 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
950 where where called from
951 addr the recipient address that the ACL is handling, or NULL
952 arg the argument of "verify"
953 user_msgptr pointer for user message
954 log_msgptr pointer for log message
955 basic_errno where to put verify errno
957 Returns: OK verification condition succeeded
958 FAIL verification failed
959 DEFER there was a problem verifying
964 acl_verify(int where, address_item *addr, uschar *arg,
965 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
969 int callout_overall = -1;
970 int callout_connect = -1;
971 int verify_options = 0;
973 BOOL verify_header_sender = FALSE;
974 BOOL defer_ok = FALSE;
975 BOOL callout_defer_ok = FALSE;
976 BOOL no_details = FALSE;
977 address_item *sender_vaddr = NULL;
978 uschar *verify_sender_address = NULL;
979 uschar *pm_mailfrom = NULL;
980 uschar *se_mailfrom = NULL;
982 /* Some of the verify items have slash-separated options; some do not. Diagnose
983 an error if options are given for items that don't expect them. This code has
984 now got very message. Refactoring to use a table would be a good idea one day.
987 uschar *slash = Ustrchr(arg, '/');
989 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
991 if (ss == NULL) goto BAD_VERIFY;
993 /* Handle name/address consistency verification in a separate function. */
995 if (strcmpic(ss, US"reverse_host_lookup") == 0)
997 if (slash != NULL) goto NO_OPTIONS;
998 if (sender_host_address == NULL) return OK;
999 return acl_verify_reverse(user_msgptr, log_msgptr);
1002 /* TLS certificate verification is done at STARTTLS time; here we just
1003 test whether it was successful or not. (This is for optional verification; for
1004 mandatory verification, the connection doesn't last this long.) */
1006 if (strcmpic(ss, US"certificate") == 0)
1008 if (slash != NULL) goto NO_OPTIONS;
1009 if (tls_certificate_verified) return OK;
1010 *user_msgptr = US"no verified certificate";
1014 /* We can test the result of optional HELO verification */
1016 if (strcmpic(ss, US"helo") == 0)
1018 if (slash != NULL) goto NO_OPTIONS;
1019 return helo_verified? OK : FAIL;
1022 /* Check that all relevant header lines have the correct syntax. If there is
1023 a syntax error, we return details of the error to the sender if configured to
1024 send out full details. (But a "message" setting on the ACL can override, as
1027 if (strcmpic(ss, US"header_syntax") == 0)
1029 if (slash != NULL) goto NO_OPTIONS;
1030 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1032 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1033 "(only possible in ACL for DATA)", acl_wherenames[where]);
1036 rc = verify_check_headers(log_msgptr);
1037 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1038 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1043 /* The remaining verification tests check recipient and sender addresses,
1044 either from the envelope or from the header. There are a number of
1045 slash-separated options that are common to all of them. */
1048 /* Check that there is at least one verifiable sender address in the relevant
1049 header lines. This can be followed by callout and defer options, just like
1050 sender and recipient. */
1052 if (strcmpic(ss, US"header_sender") == 0)
1054 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1056 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1057 "(only possible in ACL for DATA)", acl_wherenames[where]);
1060 verify_header_sender = TRUE;
1063 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1064 In the case of a sender, this can optionally be followed by an address to use
1065 in place of the actual sender (rare special-case requirement). */
1067 else if (strncmpic(ss, US"sender", 6) == 0)
1070 if (where > ACL_WHERE_NOTSMTP)
1072 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1073 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1074 acl_wherenames[where]);
1078 verify_sender_address = sender_address;
1081 while (isspace(*s)) s++;
1082 if (*s++ != '=') goto BAD_VERIFY;
1083 while (isspace(*s)) s++;
1084 verify_sender_address = string_copy(s);
1089 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1092 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1093 "(only possible for RCPT)", acl_wherenames[where]);
1098 /* Remaining items are optional; they apply to sender and recipient
1099 verification, including "header sender" verification. */
1101 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1104 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1105 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1107 /* These two old options are left for backwards compatibility */
1109 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1111 callout_defer_ok = TRUE;
1112 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1115 else if (strcmpic(ss, US"check_postmaster") == 0)
1118 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1121 /* The callout option has a number of sub-options, comma separated */
1123 else if (strncmpic(ss, US"callout", 7) == 0)
1125 callout = CALLOUT_TIMEOUT_DEFAULT;
1129 while (isspace(*ss)) ss++;
1135 while (isspace(*ss)) ss++;
1137 /* This callout option handling code has become a mess as new options
1138 have been added in an ad hoc manner. It should be tidied up into some
1139 kind of table-driven thing. */
1141 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1144 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1145 else if (strcmpic(opt, US"no_cache") == 0)
1146 verify_options |= vopt_callout_no_cache;
1147 else if (strcmpic(opt, US"random") == 0)
1148 verify_options |= vopt_callout_random;
1149 else if (strcmpic(opt, US"use_sender") == 0)
1150 verify_options |= vopt_callout_recipsender;
1151 else if (strcmpic(opt, US"use_postmaster") == 0)
1152 verify_options |= vopt_callout_recippmaster;
1153 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1155 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1157 if (!verify_header_sender)
1159 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1160 "callout option only for verify=header_sender (detected in ACL "
1161 "condition \"%s\")", arg);
1165 while (isspace(*opt)) opt++;
1168 *log_msgptr = string_sprintf("'=' expected after "
1169 "\"mailfrom\" in ACL condition \"%s\"", arg);
1172 while (isspace(*opt)) opt++;
1173 se_mailfrom = string_copy(opt);
1176 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1179 while (isspace(*opt)) opt++;
1182 *log_msgptr = string_sprintf("'=' expected after "
1183 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1186 while (isspace(*opt)) opt++;
1187 pm_mailfrom = string_copy(opt);
1190 else if (strncmpic(opt, US"maxwait", 7) == 0)
1193 while (isspace(*opt)) opt++;
1196 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1197 "ACL condition \"%s\"", arg);
1200 while (isspace(*opt)) opt++;
1201 callout_overall = readconf_readtime(opt, 0, FALSE);
1202 if (callout_overall < 0)
1204 *log_msgptr = string_sprintf("bad time value in ACL condition "
1205 "\"verify %s\"", arg);
1209 else if (strncmpic(opt, US"connect", 7) == 0)
1212 while (isspace(*opt)) opt++;
1215 *log_msgptr = string_sprintf("'=' expected after "
1216 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1219 while (isspace(*opt)) opt++;
1220 callout_connect = readconf_readtime(opt, 0, FALSE);
1221 if (callout_connect < 0)
1223 *log_msgptr = string_sprintf("bad time value in ACL condition "
1224 "\"verify %s\"", arg);
1228 else /* Plain time is callout connect/command timeout */
1230 callout = readconf_readtime(opt, 0, FALSE);
1233 *log_msgptr = string_sprintf("bad time value in ACL condition "
1234 "\"verify %s\"", arg);
1242 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1243 "ACL condition \"%s\"", arg);
1249 /* Option not recognized */
1253 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1254 "condition \"verify %s\"", ss, arg);
1259 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1260 (vopt_callout_recipsender|vopt_callout_recippmaster))
1262 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1263 "for a recipient callout";
1267 /* Handle sender-in-header verification. Default the user message to the log
1268 message if giving out verification details. */
1270 if (verify_header_sender)
1273 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1274 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1278 *basic_errno = verrno;
1279 if (smtp_return_error_details)
1281 if (*user_msgptr == NULL && *log_msgptr != NULL)
1282 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1283 if (rc == DEFER) acl_temp_details = TRUE;
1288 /* Handle a sender address. The default is to verify *the* sender address, but
1289 optionally a different address can be given, for special requirements. If the
1290 address is empty, we are dealing with a bounce message that has no sender, so
1291 we cannot do any checking. If the real sender address gets rewritten during
1292 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1293 during message reception.
1295 A list of verified "sender" addresses is kept to try to avoid doing to much
1296 work repetitively when there are multiple recipients in a message and they all
1297 require sender verification. However, when callouts are involved, it gets too
1298 complicated because different recipients may require different callout options.
1299 Therefore, we always do a full sender verify when any kind of callout is
1300 specified. Caching elsewhere, for instance in the DNS resolver and in the
1301 callout handling, should ensure that this is not terribly inefficient. */
1303 else if (verify_sender_address != NULL)
1305 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1308 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1309 "sender verify callout";
1313 sender_vaddr = verify_checked_sender(verify_sender_address);
1314 if (sender_vaddr != NULL && /* Previously checked */
1315 callout <= 0) /* No callout needed this time */
1317 /* If the "routed" flag is set, it means that routing worked before, so
1318 this check can give OK (the saved return code value, if set, belongs to a
1319 callout that was done previously). If the "routed" flag is not set, routing
1320 must have failed, so we use the saved return code. */
1322 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1324 rc = sender_vaddr->special_action;
1325 *basic_errno = sender_vaddr->basic_errno;
1327 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1330 /* Do a new verification, and cache the result. The cache is used to avoid
1331 verifying the sender multiple times for multiple RCPTs when callouts are not
1332 specified (see comments above).
1334 The cache is also used on failure to give details in response to the first
1335 RCPT that gets bounced for this reason. However, this can be suppressed by
1336 the no_details option, which sets the flag that says "this detail has already
1337 been sent". The cache normally contains just one address, but there may be
1338 more in esoteric circumstances. */
1343 uschar *save_address_data = deliver_address_data;
1345 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1346 if (no_details) setflag(sender_vaddr, af_sverify_told);
1347 if (verify_sender_address[0] != 0)
1349 /* If this is the real sender address, save the unrewritten version
1350 for use later in receive. Otherwise, set a flag so that rewriting the
1351 sender in verify_address() does not update sender_address. */
1353 if (verify_sender_address == sender_address)
1354 sender_address_unrewritten = sender_address;
1356 verify_options |= vopt_fake_sender;
1358 /* The recipient, qualify, and expn options are never set in
1361 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1362 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1364 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1368 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1370 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1371 verify_sender_address, sender_vaddr->address);
1375 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1376 verify_sender_address);
1379 else *basic_errno = sender_vaddr->basic_errno;
1381 else rc = OK; /* Null sender */
1383 /* Cache the result code */
1385 if (routed) setflag(sender_vaddr, af_verify_routed);
1386 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1387 sender_vaddr->special_action = rc;
1388 sender_vaddr->next = sender_verified_list;
1389 sender_verified_list = sender_vaddr;
1391 /* Restore the recipient address data, which might have been clobbered by
1392 the sender verification. */
1394 deliver_address_data = save_address_data;
1397 /* Put the sender address_data value into $sender_address_data */
1399 sender_address_data = sender_vaddr->p.address_data;
1402 /* A recipient address just gets a straightforward verify; again we must handle
1403 the DEFER overrides. */
1409 /* We must use a copy of the address for verification, because it might
1413 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1414 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1415 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1417 *log_msgptr = addr2.message;
1418 *user_msgptr = (addr2.user_message != NULL)?
1419 addr2.user_message : addr2.message;
1420 *basic_errno = addr2.basic_errno;
1422 /* Make $address_data visible */
1423 deliver_address_data = addr2.p.address_data;
1426 /* We have a result from the relevant test. Handle defer overrides first. */
1428 if (rc == DEFER && (defer_ok ||
1429 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1431 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1432 defer_ok? "defer_ok" : "callout_defer_ok");
1436 /* If we've failed a sender, set up a recipient message, and point
1437 sender_verified_failed to the address item that actually failed. */
1439 if (rc != OK && verify_sender_address != NULL)
1443 *log_msgptr = *user_msgptr = US"Sender verify failed";
1445 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1447 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1451 *log_msgptr = US"Could not complete sender verify callout";
1452 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1456 sender_verified_failed = sender_vaddr;
1459 /* Verifying an address messes up the values of $domain and $local_part,
1460 so reset them before returning if this is a RCPT ACL. */
1464 deliver_domain = addr->domain;
1465 deliver_localpart = addr->local_part;
1469 /* Syntax errors in the verify argument come here. */
1472 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1473 "\"helo\", \"header_syntax\", \"header_sender\" or "
1474 "\"reverse_host_lookup\" at start of ACL condition "
1475 "\"verify %s\"", arg);
1478 /* Options supplied when not allowed come here */
1481 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1482 "(this verify item has no options)", arg);
1489 /*************************************************
1490 * Check argument for control= modifier *
1491 *************************************************/
1493 /* Called from acl_check_condition() below
1496 arg the argument string for control=
1497 pptr set to point to the terminating character
1498 where which ACL we are in
1499 log_msgptr for error messages
1501 Returns: CONTROL_xxx value
1505 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1510 for (d = controls_list;
1511 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1514 len = Ustrlen(d->name);
1515 if (Ustrncmp(d->name, arg, len) == 0) break;
1518 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1519 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1521 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1522 return CONTROL_ERROR;
1531 /*************************************************
1532 * Handle conditions/modifiers on an ACL item *
1533 *************************************************/
1535 /* Called from acl_check() below.
1539 cb ACL condition block - if NULL, result is OK
1540 where where called from
1541 addr the address being checked for RCPT, or NULL
1542 level the nesting level
1543 epp pointer to pass back TRUE if "endpass" encountered
1544 (applies only to "accept" and "discard")
1545 user_msgptr user message pointer
1546 log_msgptr log message pointer
1547 basic_errno pointer to where to put verify error
1549 Returns: OK - all conditions are met
1550 DISCARD - an "acl" condition returned DISCARD - only allowed
1551 for "accept" or "discard" verbs
1552 FAIL - at least one condition fails
1553 FAIL_DROP - an "acl" condition returned FAIL_DROP
1554 DEFER - can't tell at the moment (typically, lookup defer,
1555 but can be temporary callout problem)
1556 ERROR - ERROR from nested ACL or expansion failure or other
1561 acl_check_condition(int verb, acl_condition_block *cb, int where,
1562 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1563 uschar **log_msgptr, int *basic_errno)
1565 uschar *user_message = NULL;
1566 uschar *log_message = NULL;
1569 #ifdef WITH_CONTENT_SCAN
1573 for (; cb != NULL; cb = cb->next)
1578 /* The message and log_message items set up messages to be used in
1579 case of rejection. They are expanded later. */
1581 if (cb->type == ACLC_MESSAGE)
1583 user_message = cb->arg;
1587 if (cb->type == ACLC_LOG_MESSAGE)
1589 log_message = cb->arg;
1593 /* The endpass "condition" just sets a flag to show it occurred. This is
1594 checked at compile time to be on an "accept" or "discard" item. */
1596 if (cb->type == ACLC_ENDPASS)
1602 /* For other conditions and modifiers, the argument is expanded now for some
1603 of them, but not for all, because expansion happens down in some lower level
1604 checking functions in some cases. */
1606 if (cond_expand_at_top[cb->type])
1608 arg = expand_string(cb->arg);
1611 if (expand_string_forcedfail) continue;
1612 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1613 cb->arg, expand_string_message);
1614 return search_find_defer? DEFER : ERROR;
1619 /* Show condition, and expanded condition if it's different */
1624 debug_printf("check %s%s %n",
1625 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1626 conditions[cb->type], &lhswidth);
1628 if (cb->type == ACLC_SET)
1630 int n = cb->u.varnumber;
1631 int t = (n < ACL_C_MAX)? 'c' : 'm';
1632 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1633 debug_printf("acl_%c%d ", t, n);
1637 debug_printf("= %s\n", cb->arg);
1640 debug_printf("%.*s= %s\n", lhswidth,
1644 /* Check that this condition makes sense at this time */
1646 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1648 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1649 cond_modifiers[cb->type]? "use" : "test",
1650 conditions[cb->type], acl_wherenames[where]);
1654 /* Run the appropriate test for each condition, or take the appropriate
1655 action for the remaining modifiers. */
1659 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1663 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1664 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1666 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1667 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1673 case ACLC_AUTHENTICATED:
1674 rc = (sender_host_authenticated == NULL)? FAIL :
1675 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1679 #ifdef EXPERIMENTAL_BRIGHTMAIL
1680 case ACLC_BMI_OPTIN:
1682 int old_pool = store_pool;
1683 store_pool = POOL_PERM;
1684 bmi_current_optin = string_copy(arg);
1685 store_pool = old_pool;
1690 case ACLC_CONDITION:
1691 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1692 rc = (Uatoi(arg) == 0)? FAIL : OK;
1694 rc = (strcmpic(arg, US"no") == 0 ||
1695 strcmpic(arg, US"false") == 0)? FAIL :
1696 (strcmpic(arg, US"yes") == 0 ||
1697 strcmpic(arg, US"true") == 0)? OK : DEFER;
1699 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1703 control_type = decode_control(arg, &p, where, log_msgptr);
1705 /* Check if this control makes sense at this time */
1707 if ((control_forbids[control_type] & (1 << where)) != 0)
1709 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1710 controls[control_type], acl_wherenames[where]);
1714 switch(control_type)
1716 #ifdef EXPERIMENTAL_BRIGHTMAIL
1717 case CONTROL_BMI_RUN:
1721 #ifdef EXPERIMENTAL_DOMAINKEYS
1722 case CONTROL_DK_VERIFY:
1729 case CONTROL_CASEFUL_LOCAL_PART:
1730 deliver_localpart = addr->cc_local_part;
1733 case CONTROL_CASELOWER_LOCAL_PART:
1734 deliver_localpart = addr->lc_local_part;
1737 case CONTROL_ENFORCE_SYNC:
1738 smtp_enforce_sync = TRUE;
1741 case CONTROL_NO_ENFORCE_SYNC:
1742 smtp_enforce_sync = FALSE;
1745 #ifdef WITH_CONTENT_SCAN
1746 case CONTROL_NO_MBOX_UNSPOOL:
1747 no_mbox_unspool = TRUE;
1751 case CONTROL_NO_MULTILINE:
1752 no_multiline_responses = TRUE;
1755 case CONTROL_FAKEREJECT:
1760 while (*pp != 0) pp++;
1761 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1766 /* Explicitly reset to default string */
1767 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
1771 case CONTROL_FREEZE:
1772 deliver_freeze = TRUE;
1773 deliver_frozen_at = time(NULL);
1776 case CONTROL_QUEUE_ONLY:
1777 queue_only_policy = TRUE;
1780 case CONTROL_SUBMISSION:
1781 submission_mode = TRUE;
1784 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1787 active_local_sender_retain = TRUE;
1788 active_local_from_check = FALSE;
1790 else if (Ustrncmp(p, "/domain=", 8) == 0)
1793 while (*pp != 0 && *pp != '/') pp++;
1794 submission_domain = string_copyn(p+8, pp-p);
1801 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1808 #ifdef WITH_CONTENT_SCAN
1810 rc = mime_decode(&arg);
1816 int delay = readconf_readtime(arg, 0, FALSE);
1819 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1820 "modifier: \"%s\" is not a time value", arg);
1825 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1830 debug_printf("delay skipped in -bh checking mode\n");
1834 while (delay > 0) delay = sleep(delay);
1840 #ifdef WITH_OLD_DEMIME
1846 #ifdef EXPERIMENTAL_DOMAINKEYS
1847 case ACLC_DK_DOMAIN_SOURCE:
1848 if (dk_verify_block == NULL) { rc = FAIL; break; };
1849 /* check header source of domain against given string */
1850 switch (dk_verify_block->address_source) {
1851 case DK_EXIM_ADDRESS_FROM_FROM:
1852 rc = match_isinlist(US"from", &arg, 0, NULL,
1853 NULL, MCL_STRING, TRUE, NULL);
1855 case DK_EXIM_ADDRESS_FROM_SENDER:
1856 rc = match_isinlist(US"sender", &arg, 0, NULL,
1857 NULL, MCL_STRING, TRUE, NULL);
1859 case DK_EXIM_ADDRESS_NONE:
1860 rc = match_isinlist(US"none", &arg, 0, NULL,
1861 NULL, MCL_STRING, TRUE, NULL);
1865 case ACLC_DK_POLICY:
1866 if (dk_verify_block == NULL) { rc = FAIL; break; };
1867 /* check policy against given string, default FAIL */
1869 if (dk_verify_block->signsall)
1870 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1871 NULL, MCL_STRING, TRUE, NULL);
1872 if (dk_verify_block->testing)
1873 rc = match_isinlist(US"testing", &arg, 0, NULL,
1874 NULL, MCL_STRING, TRUE, NULL);
1876 case ACLC_DK_SENDER_DOMAINS:
1877 if (dk_verify_block == NULL) { rc = FAIL; break; };
1878 if (dk_verify_block->domain != NULL)
1879 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1880 NULL, MCL_DOMAIN, TRUE, NULL);
1883 case ACLC_DK_SENDER_LOCAL_PARTS:
1884 if (dk_verify_block == NULL) { rc = FAIL; break; };
1885 if (dk_verify_block->local_part != NULL)
1886 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1887 NULL, MCL_LOCALPART, TRUE, NULL);
1890 case ACLC_DK_SENDERS:
1891 if (dk_verify_block == NULL) { rc = FAIL; break; };
1892 if (dk_verify_block->address != NULL)
1893 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1896 case ACLC_DK_STATUS:
1897 if (dk_verify_block == NULL) { rc = FAIL; break; };
1898 if (dk_verify_block->result > 0) {
1899 switch(dk_verify_block->result) {
1900 case DK_EXIM_RESULT_BAD_FORMAT:
1901 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1902 NULL, MCL_STRING, TRUE, NULL);
1904 case DK_EXIM_RESULT_NO_KEY:
1905 rc = match_isinlist(US"no key", &arg, 0, NULL,
1906 NULL, MCL_STRING, TRUE, NULL);
1908 case DK_EXIM_RESULT_NO_SIGNATURE:
1909 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1910 NULL, MCL_STRING, TRUE, NULL);
1912 case DK_EXIM_RESULT_REVOKED:
1913 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1914 NULL, MCL_STRING, TRUE, NULL);
1916 case DK_EXIM_RESULT_NON_PARTICIPANT:
1917 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1918 NULL, MCL_STRING, TRUE, NULL);
1920 case DK_EXIM_RESULT_GOOD:
1921 rc = match_isinlist(US"good", &arg, 0, NULL,
1922 NULL, MCL_STRING, TRUE, NULL);
1924 case DK_EXIM_RESULT_BAD:
1925 rc = match_isinlist(US"bad", &arg, 0, NULL,
1926 NULL, MCL_STRING, TRUE, NULL);
1934 rc = verify_check_dnsbl(&arg);
1938 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1939 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1942 /* The value in tls_cipher is the full cipher name, for example,
1943 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1944 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1945 what may in practice come out of the SSL library - which at the time of
1946 writing is poorly documented. */
1948 case ACLC_ENCRYPTED:
1949 if (tls_cipher == NULL) rc = FAIL; else
1951 uschar *endcipher = NULL;
1952 uschar *cipher = Ustrchr(tls_cipher, ':');
1953 if (cipher == NULL) cipher = tls_cipher; else
1955 endcipher = Ustrchr(++cipher, ':');
1956 if (endcipher != NULL) *endcipher = 0;
1958 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1959 if (endcipher != NULL) *endcipher = ':';
1963 /* Use verify_check_this_host() instead of verify_check_host() so that
1964 we can pass over &host_data to catch any looked up data. Once it has been
1965 set, it retains its value so that it's still there if another ACL verb
1966 comes through here and uses the cache. However, we must put it into
1967 permanent store in case it is also expected to be used in a subsequent
1968 message in the same SMTP connection. */
1971 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1972 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1973 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1976 case ACLC_LOCAL_PARTS:
1977 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1978 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1979 &deliver_localpart_data);
1991 if (Ustrncmp(s, "main", 4) == 0)
1992 { logbits |= LOG_MAIN; s += 4; }
1993 else if (Ustrncmp(s, "panic", 5) == 0)
1994 { logbits |= LOG_PANIC; s += 5; }
1995 else if (Ustrncmp(s, "reject", 6) == 0)
1996 { logbits |= LOG_REJECT; s += 6; }
1999 logbits = LOG_MAIN|LOG_PANIC;
2000 s = string_sprintf(":unknown log name in \"%s\" in "
2001 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2007 while (isspace(*s)) s++;
2008 if (logbits == 0) logbits = LOG_MAIN;
2009 log_write(0, logbits, "%s", string_printing(s));
2013 #ifdef WITH_CONTENT_SCAN
2016 /* Seperate the regular expression and any optional parameters. */
2017 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2018 /* Run the malware backend. */
2020 /* Modify return code based upon the existance of options. */
2021 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2023 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2025 /* FAIL so that the message is passed to the next ACL */
2032 case ACLC_MIME_REGEX:
2033 rc = mime_regex(&arg);
2037 case ACLC_RECIPIENTS:
2038 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2042 #ifdef WITH_CONTENT_SCAN
2048 case ACLC_SENDER_DOMAINS:
2051 sdomain = Ustrrchr(sender_address, '@');
2052 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2053 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2054 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2059 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2060 sender_address_cache, -1, 0, &sender_data);
2063 /* Connection variables must persist forever */
2067 int old_pool = store_pool;
2068 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2069 acl_var[cb->u.varnumber] = string_copy(arg);
2070 store_pool = old_pool;
2074 #ifdef WITH_CONTENT_SCAN
2077 /* Seperate the regular expression and any optional parameters. */
2078 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2079 /* Run the spam backend. */
2081 /* Modify return code based upon the existance of options. */
2082 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2084 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2086 /* FAIL so that the message is passed to the next ACL */
2094 #ifdef EXPERIMENTAL_SPF
2096 rc = spf_process(&arg, sender_address);
2100 /* If the verb is WARN, discard any user message from verification, because
2101 such messages are SMTP responses, not header additions. The latter come
2102 only from explicit "message" modifiers. However, put the user message into
2103 $acl_verify_message so it can be used in subsequent conditions or modifiers
2104 (until something changes it). */
2107 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2108 acl_verify_message = *user_msgptr;
2109 if (verb == ACL_WARN) *user_msgptr = NULL;
2113 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2114 "condition %d", cb->type);
2118 /* If a condition was negated, invert OK/FAIL. */
2120 if (!cond_modifiers[cb->type] && cb->u.negated)
2122 if (rc == OK) rc = FAIL;
2123 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2126 if (rc != OK) break; /* Conditions loop */
2130 /* If the result is the one for which "message" and/or "log_message" are used,
2131 handle the values of these options. Most verbs have but a single return for
2132 which the messages are relevant, but for "discard", it's useful to have the log
2133 message both when it succeeds and when it fails. Also, for an "accept" that
2134 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2135 and "warn" are permitted in that ACL, we don't need to test the verb.
2137 These modifiers act in different ways:
2139 "message" is a user message that will be included in an SMTP response. Unless
2140 it is empty, it overrides any previously set user message.
2142 "log_message" is a non-user message, and it adds to any existing non-user
2143 message that is already set.
2145 If there isn't a log message set, we make it the same as the user message. */
2147 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2148 (verb == ACL_DISCARD && rc == OK) ||
2149 (where == ACL_WHERE_QUIT))
2153 /* If the verb is "warn", messages generated by conditions (verification or
2154 nested ACLs) are discarded. Only messages specified at this level are used.
2155 However, the value of an existing message is available in $acl_verify_message
2156 during expansions. */
2158 uschar *old_user_msgptr = *user_msgptr;
2159 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2161 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2163 if (user_message != NULL)
2165 acl_verify_message = old_user_msgptr;
2166 expmessage = expand_string(user_message);
2167 if (expmessage == NULL)
2169 if (!expand_string_forcedfail)
2170 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2171 user_message, expand_string_message);
2173 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2176 if (log_message != NULL)
2178 acl_verify_message = old_log_msgptr;
2179 expmessage = expand_string(log_message);
2180 if (expmessage == NULL)
2182 if (!expand_string_forcedfail)
2183 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2184 log_message, expand_string_message);
2186 else if (expmessage[0] != 0)
2188 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2189 string_sprintf("%s: %s", expmessage, *log_msgptr);
2193 /* If no log message, default it to the user message */
2195 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2198 acl_verify_message = NULL;
2206 /*************************************************
2207 * Get line from a literal ACL *
2208 *************************************************/
2210 /* This function is passed to acl_read() in order to extract individual lines
2211 of a literal ACL, which we access via static pointers. We can destroy the
2212 contents because this is called only once (the compiled ACL is remembered).
2214 This code is intended to treat the data in the same way as lines in the main
2215 Exim configuration file. That is:
2217 . Leading spaces are ignored.
2219 . A \ at the end of a line is a continuation - trailing spaces after the \
2220 are permitted (this is because I don't believe in making invisible things
2221 significant). Leading spaces on the continued part of a line are ignored.
2223 . Physical lines starting (significantly) with # are totally ignored, and
2224 may appear within a sequence of backslash-continued lines.
2226 . Blank lines are ignored, but will end a sequence of continuations.
2229 Returns: a pointer to the next line
2233 static uschar *acl_text; /* Current pointer in the text */
2234 static uschar *acl_text_end; /* Points one past the terminating '0' */
2242 /* This loop handles leading blank lines and comments. */
2246 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2247 if (*acl_text == 0) return NULL; /* No more data */
2248 yield = acl_text; /* Potential data line */
2250 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2252 /* If we hit the end before a newline, we have the whole logical line. If
2253 it's a comment, there's no more data to be given. Otherwise, yield it. */
2255 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2257 /* After reaching a newline, end this loop if the physical line does not
2258 start with '#'. If it does, it's a comment, and the loop continues. */
2260 if (*yield != '#') break;
2263 /* This loop handles continuations. We know we have some real data, ending in
2264 newline. See if there is a continuation marker at the end (ignoring trailing
2265 white space). We know that *yield is not white space, so no need to test for
2266 cont > yield in the backwards scanning loop. */
2271 for (cont = acl_text - 1; isspace(*cont); cont--);
2273 /* If no continuation follows, we are done. Mark the end of the line and
2282 /* We have encountered a continuation. Skip over whitespace at the start of
2283 the next line, and indeed the whole of the next line or lines if they are
2288 while (*(++acl_text) == ' ' || *acl_text == '\t');
2289 if (*acl_text != '#') break;
2290 while (*(++acl_text) != 0 && *acl_text != '\n');
2293 /* We have the start of a continuation line. Move all the rest of the data
2294 to join onto the previous line, and then find its end. If the end is not a
2295 newline, we are done. Otherwise loop to look for another continuation. */
2297 memmove(cont, acl_text, acl_text_end - acl_text);
2298 acl_text_end -= acl_text - cont;
2300 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2301 if (*acl_text == 0) return yield;
2304 /* Control does not reach here */
2311 /*************************************************
2312 * Check access using an ACL *
2313 *************************************************/
2315 /* This function is called from address_check. It may recurse via
2316 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2317 passed as a string which is expanded. A forced failure implies no access check
2318 is required. If the result is a single word, it is taken as the name of an ACL
2319 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2320 text, complete with newlines, and parsed as such. In both cases, the ACL check
2321 is then run. This function uses an auxiliary function for acl_read() to call
2322 for reading individual lines of a literal ACL. This is acl_getline(), which
2323 appears immediately above.
2326 where where called from
2327 addr address item when called from RCPT; otherwise NULL
2328 s the input string; NULL is the same as an empty ACL => DENY
2329 level the nesting level
2330 user_msgptr where to put a user error (for SMTP response)
2331 log_msgptr where to put a logging message (not for SMTP response)
2333 Returns: OK access is granted
2334 DISCARD access is apparently granted...
2335 FAIL access is denied
2336 FAIL_DROP access is denied; drop the connection
2337 DEFER can't tell at the moment
2342 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2343 uschar **user_msgptr, uschar **log_msgptr)
2346 acl_block *acl = NULL;
2347 uschar *acl_name = US"inline ACL";
2350 /* Catch configuration loops */
2354 *log_msgptr = US"ACL nested too deep: possible loop";
2360 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2364 /* At top level, we expand the incoming string. At lower levels, it has already
2365 been expanded as part of condition processing. */
2369 ss = expand_string(s);
2372 if (expand_string_forcedfail) return OK;
2373 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2374 expand_string_message);
2380 while (isspace(*ss))ss++;
2382 /* If we can't find a named ACL, the default is to parse it as an inline one.
2383 (Unless it begins with a slash; non-existent files give rise to an error.) */
2387 /* Handle the case of a string that does not contain any spaces. Look for a
2388 named ACL among those read from the configuration, or a previously read file.
2389 It is possible that the pointer to the ACL is NULL if the configuration
2390 contains a name with no data. If not found, and the text begins with '/',
2391 read an ACL from a file, and save it so it can be re-used. */
2393 if (Ustrchr(ss, ' ') == NULL)
2395 tree_node *t = tree_search(acl_anchor, ss);
2398 acl = (acl_block *)(t->data.ptr);
2401 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2404 acl_name = string_sprintf("ACL \"%s\"", ss);
2405 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2408 else if (*ss == '/')
2410 struct stat statbuf;
2411 fd = Uopen(ss, O_RDONLY, 0);
2414 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2419 if (fstat(fd, &statbuf) != 0)
2421 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2426 acl_text = store_get(statbuf.st_size + 1);
2427 acl_text_end = acl_text + statbuf.st_size + 1;
2429 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2431 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2432 ss, strerror(errno));
2435 acl_text[statbuf.st_size] = 0;
2438 acl_name = string_sprintf("ACL \"%s\"", ss);
2439 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2443 /* Parse an ACL that is still in text form. If it came from a file, remember it
2444 in the ACL tree, having read it into the POOL_PERM store pool so that it
2445 persists between multiple messages. */
2449 int old_pool = store_pool;
2450 if (fd >= 0) store_pool = POOL_PERM;
2451 acl = acl_read(acl_getline, log_msgptr);
2452 store_pool = old_pool;
2453 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2456 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2457 Ustrcpy(t->name, ss);
2459 (void)tree_insertnode(&acl_anchor, t);
2463 /* Now we have an ACL to use. It's possible it may be NULL. */
2468 int basic_errno = 0;
2469 BOOL endpass_seen = FALSE;
2471 *log_msgptr = *user_msgptr = NULL;
2472 acl_temp_details = FALSE;
2474 if (where == ACL_WHERE_QUIT &&
2475 acl->verb != ACL_ACCEPT &&
2476 acl->verb != ACL_WARN)
2478 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2483 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2485 /* Clear out any search error message from a previous check before testing
2488 search_error_message = NULL;
2489 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2490 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2492 /* Handle special returns: DEFER causes a return except on a WARN verb;
2493 ERROR always causes a return. */
2498 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2499 if (basic_errno != ERRNO_CALLOUTDEFER)
2501 if (search_error_message != NULL && *search_error_message != 0)
2502 *log_msgptr = search_error_message;
2503 if (smtp_return_error_details) acl_temp_details = TRUE;
2507 acl_temp_details = TRUE;
2509 if (acl->verb != ACL_WARN) return DEFER;
2512 default: /* Paranoia */
2514 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2518 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2523 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2526 /* DISCARD and DROP can happen only from a nested ACL condition, and
2527 DISCARD can happen only for an "accept" or "discard" verb. */
2530 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2535 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2540 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2541 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2542 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2547 if (cond == OK || cond == DISCARD) return cond;
2550 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2558 acl_temp_details = TRUE;
2564 if (cond == OK) return FAIL;
2568 if (cond == OK || cond == DISCARD) return DISCARD;
2571 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2577 if (cond == OK) return FAIL_DROP;
2581 if (cond != OK) return cond;
2586 acl_warn(where, *user_msgptr, *log_msgptr);
2587 else if (cond == DEFER)
2588 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2589 "condition test deferred: %s",
2590 (*log_msgptr == NULL)? US"" : *log_msgptr));
2591 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2595 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2600 /* Pass to the next ACL item */
2605 /* We have reached the end of the ACL. This is an implicit DENY. */
2607 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2612 /*************************************************
2613 * Check access using an ACL *
2614 *************************************************/
2616 /* This is the external interface for ACL checks. It sets up an address and the
2617 expansions for $domain and $local_part when called after RCPT, then calls
2618 acl_check_internal() to do the actual work.
2621 where ACL_WHERE_xxxx indicating where called from
2622 data_string RCPT address, or SMTP command argument, or NULL
2623 s the input string; NULL is the same as an empty ACL => DENY
2624 user_msgptr where to put a user error (for SMTP response)
2625 log_msgptr where to put a logging message (not for SMTP response)
2627 Returns: OK access is granted by an ACCEPT verb
2628 DISCARD access is granted by a DISCARD verb
2629 FAIL access is denied
2630 FAIL_DROP access is denied; drop the connection
2631 DEFER can't tell at the moment
2636 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2637 uschar **log_msgptr)
2643 *user_msgptr = *log_msgptr = NULL;
2644 sender_verified_failed = NULL;
2646 if (where == ACL_WHERE_RCPT)
2648 adb = address_defaults;
2650 addr->address = data_string;
2651 if (deliver_split_address(addr) == DEFER)
2653 *log_msgptr = US"defer in percent_hack_domains check";
2656 deliver_domain = addr->domain;
2657 deliver_localpart = addr->local_part;
2662 smtp_command_argument = data_string;
2665 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2667 smtp_command_argument = deliver_domain =
2668 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2670 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2671 ACL, which is really in the middle of an SMTP command. */
2675 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2677 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2678 "ACL", acl_wherenames[where]);
2684 /* A DROP response is not permitted from MAILAUTH */
2686 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2688 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2689 "ACL", acl_wherenames[where]);
2693 /* Before giving an error response, take a look at the length of any user
2694 message, and split it up into multiple lines if possible. */
2696 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2698 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2704 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2705 if (*ss == 0) break;
2712 while (--t > s + 35)
2716 if (t[-1] == ':') { tt = t; break; }
2717 if (tt == NULL) tt = t;
2721 if (tt == NULL) /* Can't split behind - try ahead */
2726 if (*t == ' ' || *t == '\n')
2732 if (tt == NULL) break; /* Can't find anywhere to split */
git://git.exim.org / exim.git / blob