1 /* $Cambridge: exim/src/src/acl.c,v 1.72 2007/02/06 12:19:27 ph10 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2007 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the conditions for which "message" or "log_message" are used
31 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
32 "accept", the FAIL case is used only after "endpass", but that is selected in
35 static int msgcond[] = {
36 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
41 (1<<FAIL) | (1<<FAIL_DROP), /* require */
45 /* ACL condition and modifier codes - keep in step with the table that
46 follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
52 #ifdef EXPERIMENTAL_BRIGHTMAIL
57 #ifdef WITH_CONTENT_SCAN
61 #ifdef WITH_OLD_DEMIME
64 #ifdef EXPERIMENTAL_DOMAINKEYS
65 ACLC_DK_DOMAIN_SOURCE,
67 ACLC_DK_SENDER_DOMAINS,
68 ACLC_DK_SENDER_LOCAL_PARTS,
79 ACLC_LOG_REJECT_TARGET,
81 #ifdef WITH_CONTENT_SCAN
85 #ifdef WITH_CONTENT_SCAN
90 #ifdef WITH_CONTENT_SCAN
96 #ifdef WITH_CONTENT_SCAN
99 #ifdef EXPERIMENTAL_SPF
104 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
105 "log_message", "log_reject_target", "logwrite", and "set" are modifiers that
106 look like conditions but always return TRUE. They are used for their side
109 static uschar *conditions[] = {
113 #ifdef EXPERIMENTAL_BRIGHTMAIL
118 #ifdef WITH_CONTENT_SCAN
122 #ifdef WITH_OLD_DEMIME
125 #ifdef EXPERIMENTAL_DOMAINKEYS
126 US"dk_domain_source",
128 US"dk_sender_domains",
129 US"dk_sender_local_parts",
140 US"log_reject_target",
142 #ifdef WITH_CONTENT_SCAN
146 #ifdef WITH_CONTENT_SCAN
151 #ifdef WITH_CONTENT_SCAN
154 US"sender_domains", US"senders", US"set",
155 #ifdef WITH_CONTENT_SCAN
158 #ifdef EXPERIMENTAL_SPF
164 /* Return values from decode_control(); keep in step with the table of names
168 CONTROL_AUTH_UNADVERTISED,
169 #ifdef EXPERIMENTAL_BRIGHTMAIL
172 #ifdef EXPERIMENTAL_DOMAINKEYS
176 CONTROL_CASEFUL_LOCAL_PART,
177 CONTROL_CASELOWER_LOCAL_PART,
178 CONTROL_ENFORCE_SYNC,
179 CONTROL_NO_ENFORCE_SYNC,
183 CONTROL_SUPPRESS_LOCAL_FIXUPS,
184 #ifdef WITH_CONTENT_SCAN
185 CONTROL_NO_MBOX_UNSPOOL,
189 CONTROL_NO_MULTILINE,
190 CONTROL_NO_PIPELINING,
191 CONTROL_NO_DELAY_FLUSH,
192 CONTROL_NO_CALLOUT_FLUSH
195 /* ACL control names; keep in step with the table above! This list is used for
196 turning ids into names. The actual list of recognized names is in the variable
197 control_def controls_list[] below. The fact that there are two lists is a mess
198 and should be tidied up. */
200 static uschar *controls[] = {
201 US"allow_auth_unadvertised",
202 #ifdef EXPERIMENTAL_BRIGHTMAIL
205 #ifdef EXPERIMENTAL_DOMAINKEYS
209 US"caseful_local_part",
210 US"caselower_local_part",
216 US"suppress_local_fixups",
217 #ifdef WITH_CONTENT_SCAN
228 /* Flags to indicate for which conditions/modifiers a string expansion is done
229 at the outer level. In the other cases, expansion already occurs in the
230 checking functions. */
232 static uschar cond_expand_at_top[] = {
234 TRUE, /* add_header */
235 FALSE, /* authenticated */
236 #ifdef EXPERIMENTAL_BRIGHTMAIL
237 TRUE, /* bmi_optin */
239 TRUE, /* condition */
241 #ifdef WITH_CONTENT_SCAN
245 #ifdef WITH_OLD_DEMIME
248 #ifdef EXPERIMENTAL_DOMAINKEYS
249 TRUE, /* dk_domain_source */
250 TRUE, /* dk_policy */
251 TRUE, /* dk_sender_domains */
252 TRUE, /* dk_sender_local_parts */
253 TRUE, /* dk_senders */
254 TRUE, /* dk_status */
258 FALSE, /* encrypted */
261 FALSE, /* local_parts */
262 TRUE, /* log_message */
263 TRUE, /* log_reject_target */
265 #ifdef WITH_CONTENT_SCAN
269 #ifdef WITH_CONTENT_SCAN
270 TRUE, /* mime_regex */
272 TRUE, /* ratelimit */
273 FALSE, /* recipients */
274 #ifdef WITH_CONTENT_SCAN
277 FALSE, /* sender_domains */
280 #ifdef WITH_CONTENT_SCAN
283 #ifdef EXPERIMENTAL_SPF
289 /* Flags to identify the modifiers */
291 static uschar cond_modifiers[] = {
293 TRUE, /* add_header */
294 FALSE, /* authenticated */
295 #ifdef EXPERIMENTAL_BRIGHTMAIL
296 TRUE, /* bmi_optin */
298 FALSE, /* condition */
300 #ifdef WITH_CONTENT_SCAN
304 #ifdef WITH_OLD_DEMIME
307 #ifdef EXPERIMENTAL_DOMAINKEYS
308 FALSE, /* dk_domain_source */
309 FALSE, /* dk_policy */
310 FALSE, /* dk_sender_domains */
311 FALSE, /* dk_sender_local_parts */
312 FALSE, /* dk_senders */
313 FALSE, /* dk_status */
315 FALSE, /* dnslists */
317 FALSE, /* encrypted */
320 FALSE, /* local_parts */
321 TRUE, /* log_message */
322 TRUE, /* log_reject_target */
324 #ifdef WITH_CONTENT_SCAN
328 #ifdef WITH_CONTENT_SCAN
329 FALSE, /* mime_regex */
331 FALSE, /* ratelimit */
332 FALSE, /* recipients */
333 #ifdef WITH_CONTENT_SCAN
336 FALSE, /* sender_domains */
339 #ifdef WITH_CONTENT_SCAN
342 #ifdef EXPERIMENTAL_SPF
348 /* Bit map vector of which conditions are not allowed at certain times. For
349 each condition, there's a bitmap of dis-allowed times. For some, it is easier
350 to specify the negation of a small number of allowed times. */
352 static unsigned int cond_forbids[] = {
356 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
357 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
358 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
359 (1<<ACL_WHERE_NOTSMTP_START)),
361 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
362 (1<<ACL_WHERE_NOTSMTP_START)|
363 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
365 #ifdef EXPERIMENTAL_BRIGHTMAIL
366 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
367 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
368 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
369 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
370 (1<<ACL_WHERE_MAILAUTH)|
371 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
372 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
373 (1<<ACL_WHERE_NOTSMTP_START),
378 /* Certain types of control are always allowed, so we let it through
379 always and check in the control processing itself. */
383 #ifdef WITH_CONTENT_SCAN
385 ~(1<<ACL_WHERE_MIME), /* decode */
390 #ifdef WITH_OLD_DEMIME
392 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
395 #ifdef EXPERIMENTAL_DOMAINKEYS
396 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
397 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
398 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
399 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
400 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
401 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
402 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
404 (1<<ACL_WHERE_AUTH)| /* dk_policy */
405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
406 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
407 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
408 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
409 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
410 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
412 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
413 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
414 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
415 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
416 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
417 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
418 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
420 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
421 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
422 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
423 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
424 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
425 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
426 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
428 (1<<ACL_WHERE_AUTH)| /* dk_senders */
429 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
430 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
431 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
432 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
433 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
434 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
436 (1<<ACL_WHERE_AUTH)| /* dk_status */
437 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
438 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
439 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
440 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
441 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
442 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
445 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
446 (1<<ACL_WHERE_NOTSMTP_START),
449 ~(1<<ACL_WHERE_RCPT), /* domains */
451 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
452 (1<<ACL_WHERE_CONNECT)|
453 (1<<ACL_WHERE_NOTSMTP_START)|
458 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
459 (1<<ACL_WHERE_NOTSMTP_START),
462 ~(1<<ACL_WHERE_RCPT), /* local_parts */
466 0, /* log_reject_target */
470 #ifdef WITH_CONTENT_SCAN
472 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
477 #ifdef WITH_CONTENT_SCAN
479 ~(1<<ACL_WHERE_MIME), /* mime_regex */
485 ~(1<<ACL_WHERE_RCPT), /* recipients */
487 #ifdef WITH_CONTENT_SCAN
489 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
490 (1<<ACL_WHERE_MIME)),
493 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
495 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
496 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
497 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
499 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
501 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
502 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
503 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
507 #ifdef WITH_CONTENT_SCAN
509 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
512 #ifdef EXPERIMENTAL_SPF
513 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
515 (1<<ACL_WHERE_MAILAUTH)|
516 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
517 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
518 (1<<ACL_WHERE_NOTSMTP)|
519 (1<<ACL_WHERE_NOTSMTP_START),
522 /* Certain types of verify are always allowed, so we let it through
523 always and check in the verify function itself */
529 /* Bit map vector of which controls are not allowed at certain times. For
530 each control, there's a bitmap of dis-allowed times. For some, it is easier to
531 specify the negation of a small number of allowed times. */
533 static unsigned int control_forbids[] = {
535 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
537 #ifdef EXPERIMENTAL_BRIGHTMAIL
541 #ifdef EXPERIMENTAL_DOMAINKEYS
542 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dk_verify */
543 (1<<ACL_WHERE_NOTSMTP_START),
549 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
552 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
554 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
555 (1<<ACL_WHERE_NOTSMTP_START),
557 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
558 (1<<ACL_WHERE_NOTSMTP_START),
561 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
562 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
563 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
566 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
567 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
568 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
571 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
572 (1<<ACL_WHERE_PREDATA)),
575 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
576 (1<<ACL_WHERE_PREDATA)|
577 (1<<ACL_WHERE_NOTSMTP_START)),
579 #ifdef WITH_CONTENT_SCAN
581 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
582 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
583 (1<<ACL_WHERE_MIME)),
587 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
588 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
589 (1<<ACL_WHERE_MIME)),
592 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
593 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
594 (1<<ACL_WHERE_MIME)),
596 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
597 (1<<ACL_WHERE_NOTSMTP_START),
599 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
600 (1<<ACL_WHERE_NOTSMTP_START),
602 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
603 (1<<ACL_WHERE_NOTSMTP_START),
605 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
606 (1<<ACL_WHERE_NOTSMTP_START)
609 /* Structure listing various control arguments, with their characteristics. */
611 typedef struct control_def {
613 int value; /* CONTROL_xxx value */
614 BOOL has_option; /* Has /option(s) following */
617 static control_def controls_list[] = {
618 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
619 #ifdef EXPERIMENTAL_BRIGHTMAIL
620 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
622 #ifdef EXPERIMENTAL_DOMAINKEYS
623 { US"dk_verify", CONTROL_DK_VERIFY, FALSE },
625 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
626 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
627 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
628 { US"freeze", CONTROL_FREEZE, TRUE },
629 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
630 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
631 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
632 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
633 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
634 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
635 #ifdef WITH_CONTENT_SCAN
636 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
638 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
639 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
640 { US"submission", CONTROL_SUBMISSION, TRUE },
641 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
644 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
645 caches its result in a tree to avoid repeated DNS queries. The result is an
646 integer code which is used as an index into the following tables of
647 explanatory strings and verification return codes. */
649 static tree_node *csa_cache = NULL;
651 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
652 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
654 /* The acl_verify_csa() return code is translated into an acl_verify() return
655 code using the following table. It is OK unless the client is definitely not
656 authorized. This is because CSA is supposed to be optional for sending sites,
657 so recipients should not be too strict about checking it - especially because
658 DNS problems are quite likely to occur. It's possible to use $csa_status in
659 further ACL conditions to distinguish ok, unknown, and defer if required, but
660 the aim is to make the usual configuration simple. */
662 static int csa_return_code[] = {
664 FAIL, FAIL, FAIL, FAIL
667 static uschar *csa_status_string[] = {
668 US"unknown", US"ok", US"defer", US"defer",
669 US"fail", US"fail", US"fail", US"fail"
672 static uschar *csa_reason_string[] = {
675 US"deferred (SRV lookup failed)",
676 US"deferred (target address lookup failed)",
677 US"failed (explicit authorization required)",
678 US"failed (host name not authorized)",
679 US"failed (no authorized addresses)",
680 US"failed (client address mismatch)"
683 /* Enable recursion between acl_check_internal() and acl_check_condition() */
685 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
689 /*************************************************
690 * Pick out name from list *
691 *************************************************/
693 /* Use a binary chop method
700 Returns: offset in list, or -1 if not found
704 acl_checkname(uschar *name, uschar **list, int end)
710 int mid = (start + end)/2;
711 int c = Ustrcmp(name, list[mid]);
712 if (c == 0) return mid;
713 if (c < 0) end = mid; else start = mid + 1;
720 /*************************************************
721 * Read and parse one ACL *
722 *************************************************/
724 /* This function is called both from readconf in order to parse the ACLs in the
725 configuration file, and also when an ACL is encountered dynamically (e.g. as
726 the result of an expansion). It is given a function to call in order to
727 retrieve the lines of the ACL. This function handles skipping comments and
728 blank lines (where relevant).
731 func function to get next line of ACL
732 error where to put an error message
734 Returns: pointer to ACL, or NULL
735 NULL can be legal (empty ACL); in this case error will be NULL
739 acl_read(uschar *(*func)(void), uschar **error)
741 acl_block *yield = NULL;
742 acl_block **lastp = &yield;
743 acl_block *this = NULL;
744 acl_condition_block *cond;
745 acl_condition_block **condp = NULL;
750 while ((s = (*func)()) != NULL)
753 BOOL negated = FALSE;
754 uschar *saveline = s;
757 /* Conditions (but not verbs) are allowed to be negated by an initial
760 while (isspace(*s)) s++;
767 /* Read the name of a verb or a condition, or the start of a new ACL, which
768 can be started by a name, or by a macro definition. */
770 s = readconf_readname(name, sizeof(name), s);
771 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
773 /* If a verb is unrecognized, it may be another condition or modifier that
774 continues the previous verb. */
776 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
781 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
793 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
796 this = store_get(sizeof(acl_block));
798 lastp = &(this->next);
801 this->condition = NULL;
802 condp = &(this->condition);
803 if (*s == 0) continue; /* No condition on this line */
809 s = readconf_readname(name, sizeof(name), s); /* Condition name */
812 /* Handle a condition or modifier. */
814 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
817 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
822 /* The modifiers may not be negated */
824 if (negated && cond_modifiers[c])
826 *error = string_sprintf("ACL error: negation is not allowed with "
827 "\"%s\"", conditions[c]);
831 /* ENDPASS may occur only with ACCEPT or DISCARD. */
833 if (c == ACLC_ENDPASS &&
834 this->verb != ACL_ACCEPT &&
835 this->verb != ACL_DISCARD)
837 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
838 conditions[c], verbs[this->verb]);
842 cond = store_get(sizeof(acl_condition_block));
845 cond->u.negated = negated;
848 condp = &(cond->next);
850 /* The "set" modifier is different in that its argument is "name=value"
851 rather than just a value, and we can check the validity of the name, which
852 gives us a variable name to insert into the data block. The original ACL
853 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
854 extended to 20 of each type, but after that people successfully argued for
855 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
856 After that, we allow alphanumerics and underscores, but the first character
857 after c or m must be a digit or an underscore. This retains backwards
864 if (Ustrncmp(s, "acl_c", 5) != 0 &&
865 Ustrncmp(s, "acl_m", 5) != 0)
867 *error = string_sprintf("invalid variable name after \"set\" in ACL "
868 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
873 if (!isdigit(*endptr) && *endptr != '_')
875 *error = string_sprintf("invalid variable name after \"set\" in ACL "
876 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
881 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
883 if (!isalnum(*endptr) && *endptr != '_')
885 *error = string_sprintf("invalid character \"%c\" in variable name "
886 "in ACL modifier \"set %s\"", *endptr, s);
892 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
894 while (isspace(*s)) s++;
897 /* For "set", we are now positioned for the data. For the others, only
898 "endpass" has no data */
900 if (c != ACLC_ENDPASS)
904 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
905 cond_modifiers[c]? US"modifier" : US"condition");
908 while (isspace(*s)) s++;
909 cond->arg = string_copy(s);
918 /*************************************************
919 * Set up added header line(s) *
920 *************************************************/
922 /* This function is called by the add_header modifier, and also from acl_warn()
923 to implement the now-deprecated way of adding header lines using "message" on a
924 "warn" verb. The argument is treated as a sequence of header lines which are
925 added to a chain, provided there isn't an identical one already there.
927 Argument: string of header lines
932 setup_header(uschar *hstring)
935 int hlen = Ustrlen(hstring);
937 /* An empty string does nothing; otherwise add a final newline if necessary. */
939 if (hlen <= 0) return;
940 if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
942 /* Loop for multiple header lines, taking care about continuations */
944 for (p = q = hstring; *p != 0; )
947 int newtype = htype_add_bot;
948 header_line **hptr = &acl_added_headers;
950 /* Find next header line within the string */
954 q = Ustrchr(q, '\n');
955 if (*(++q) != ' ' && *q != '\t') break;
958 /* If the line starts with a colon, interpret the instruction for where to
959 add it. This temporarily sets up a new type. */
963 if (strncmpic(p, US":after_received:", 16) == 0)
965 newtype = htype_add_rec;
968 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
970 newtype = htype_add_rfc;
973 else if (strncmpic(p, US":at_start:", 10) == 0)
975 newtype = htype_add_top;
978 else if (strncmpic(p, US":at_end:", 8) == 0)
980 newtype = htype_add_bot;
983 while (*p == ' ' || *p == '\t') p++;
986 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
987 to the front of it. */
989 for (s = p; s < q - 1; s++)
991 if (*s == ':' || !isgraph(*s)) break;
994 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
997 /* See if this line has already been added */
999 while (*hptr != NULL)
1001 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1002 hptr = &((*hptr)->next);
1005 /* Add if not previously present */
1009 header_line *h = store_get(sizeof(header_line));
1018 /* Advance for next header line within the string */
1027 /*************************************************
1029 *************************************************/
1031 /* This function is called when a WARN verb's conditions are true. It adds to
1032 the message's headers, and/or writes information to the log. In each case, this
1033 only happens once (per message for headers, per connection for log).
1035 ** NOTE: The header adding action using the "message" setting is historic, and
1036 its use is now deprecated. The new add_header modifier should be used instead.
1039 where ACL_WHERE_xxxx indicating which ACL this is
1040 user_message message for adding to headers
1041 log_message message for logging, if different
1047 acl_warn(int where, uschar *user_message, uschar *log_message)
1049 if (log_message != NULL && log_message != user_message)
1052 string_item *logged;
1054 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1055 string_printing(log_message));
1057 /* If a sender verification has failed, and the log message is "sender verify
1058 failed", add the failure message. */
1060 if (sender_verified_failed != NULL &&
1061 sender_verified_failed->message != NULL &&
1062 strcmpic(log_message, US"sender verify failed") == 0)
1063 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1065 /* Search previously logged warnings. They are kept in malloc
1066 store so they can be freed at the start of a new message. */
1068 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1069 if (Ustrcmp(logged->text, text) == 0) break;
1073 int length = Ustrlen(text) + 1;
1074 log_write(0, LOG_MAIN, "%s", text);
1075 logged = store_malloc(sizeof(string_item) + length);
1076 logged->text = (uschar *)logged + sizeof(string_item);
1077 memcpy(logged->text, text, length);
1078 logged->next = acl_warn_logged;
1079 acl_warn_logged = logged;
1083 /* If there's no user message, we are done. */
1085 if (user_message == NULL) return;
1087 /* If this isn't a message ACL, we can't do anything with a user message.
1090 if (where > ACL_WHERE_NOTSMTP)
1092 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1093 "found in a non-message (%s) ACL: cannot specify header lines here: "
1094 "message ignored", acl_wherenames[where]);
1098 /* The code for setting up header lines is now abstracted into a separate
1099 function so that it can be used for the add_header modifier as well. */
1101 setup_header(user_message);
1106 /*************************************************
1107 * Verify and check reverse DNS *
1108 *************************************************/
1110 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1111 address if this has not yet been done. The host_name_lookup() function checks
1112 that one of these names resolves to an address list that contains the client IP
1113 address, so we don't actually have to do the check here.
1116 user_msgptr pointer for user message
1117 log_msgptr pointer for log message
1119 Returns: OK verification condition succeeded
1120 FAIL verification failed
1121 DEFER there was a problem verifying
1125 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1129 user_msgptr = user_msgptr; /* stop compiler warning */
1131 /* Previous success */
1133 if (sender_host_name != NULL) return OK;
1135 /* Previous failure */
1137 if (host_lookup_failed)
1139 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1143 /* Need to do a lookup */
1146 debug_printf("looking up host name to force name/address consistency check\n");
1148 if ((rc = host_name_lookup()) != OK)
1150 *log_msgptr = (rc == DEFER)?
1151 US"host lookup deferred for reverse lookup check"
1153 string_sprintf("host lookup failed for reverse lookup check%s",
1155 return rc; /* DEFER or FAIL */
1158 host_build_sender_fullhost();
1164 /*************************************************
1165 * Check client IP address matches CSA target *
1166 *************************************************/
1168 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1169 response for address records belonging to the CSA target hostname. The section
1170 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1171 If one of the addresses matches the client's IP address, then the client is
1172 authorized by CSA. If there are target IP addresses but none of them match
1173 then the client is using an unauthorized IP address. If there are no target IP
1174 addresses then the client cannot be using an authorized IP address. (This is
1175 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1178 dnsa the DNS answer block
1179 dnss a DNS scan block for us to use
1180 reset option specifing what portion to scan, as described above
1181 target the target hostname to use for matching RR names
1183 Returns: CSA_OK successfully authorized
1184 CSA_FAIL_MISMATCH addresses found but none matched
1185 CSA_FAIL_NOADDR no target addresses found
1189 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1195 BOOL target_found = FALSE;
1197 for (rr = dns_next_rr(dnsa, dnss, reset);
1199 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1201 /* Check this is an address RR for the target hostname. */
1205 && rr->type != T_AAAA
1212 if (strcmpic(target, rr->name) != 0) continue;
1214 target_found = TRUE;
1216 /* Turn the target address RR into a list of textual IP addresses and scan
1217 the list. There may be more than one if it is an A6 RR. */
1219 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1221 /* If the client IP address matches the target IP address, it's good! */
1223 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1225 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1229 /* If we found some target addresses but none of them matched, the client is
1230 using an unauthorized IP address, otherwise the target has no authorized IP
1233 if (target_found) return CSA_FAIL_MISMATCH;
1234 else return CSA_FAIL_NOADDR;
1239 /*************************************************
1240 * Verify Client SMTP Authorization *
1241 *************************************************/
1243 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1244 to find the CSA SRV record corresponding to the domain argument, or
1245 $sender_helo_name if no argument is provided. It then checks that the
1246 client is authorized, and that its IP address corresponds to the SRV
1247 target's address by calling acl_verify_csa_address() above. The address
1248 should have been returned in the DNS response's ADDITIONAL section, but if
1249 not we perform another DNS lookup to get it.
1252 domain pointer to optional parameter following verify = csa
1254 Returns: CSA_UNKNOWN no valid CSA record found
1255 CSA_OK successfully authorized
1256 CSA_FAIL_* client is definitely not authorized
1257 CSA_DEFER_* there was a DNS problem
1261 acl_verify_csa(uschar *domain)
1265 int priority, weight, port;
1272 /* Work out the domain we are using for the CSA lookup. The default is the
1273 client's HELO domain. If the client has not said HELO, use its IP address
1274 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1276 while (isspace(*domain) && *domain != '\0') ++domain;
1277 if (*domain == '\0') domain = sender_helo_name;
1278 if (domain == NULL) domain = sender_host_address;
1279 if (sender_host_address == NULL) return CSA_UNKNOWN;
1281 /* If we have an address literal, strip off the framing ready for turning it
1282 into a domain. The framing consists of matched square brackets possibly
1283 containing a keyword and a colon before the actual IP address. */
1285 if (domain[0] == '[')
1287 uschar *start = Ustrchr(domain, ':');
1288 if (start == NULL) start = domain;
1289 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1292 /* Turn domains that look like bare IP addresses into domains in the reverse
1293 DNS. This code also deals with address literals and $sender_host_address. It's
1294 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1295 address literals, but it's probably the most friendly thing to do. This is an
1296 extension to CSA, so we allow it to be turned off for proper conformance. */
1298 if (string_is_ip_address(domain, NULL) != 0)
1300 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1301 dns_build_reverse(domain, target);
1305 /* Find out if we've already done the CSA check for this domain. If we have,
1306 return the same result again. Otherwise build a new cached result structure
1307 for this domain. The name is filled in now, and the value is filled in when
1308 we return from this function. */
1310 t = tree_search(csa_cache, domain);
1311 if (t != NULL) return t->data.val;
1313 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1314 Ustrcpy(t->name, domain);
1315 (void)tree_insertnode(&csa_cache, t);
1317 /* Now we are ready to do the actual DNS lookup(s). */
1320 switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1322 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1325 return t->data.val = CSA_DEFER_SRV;
1327 /* If we found nothing, the client's authorization is unknown. */
1331 return t->data.val = CSA_UNKNOWN;
1333 /* We got something! Go on to look at the reply in more detail. */
1339 /* Scan the reply for well-formed CSA SRV records. */
1341 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1343 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1345 if (rr->type != T_SRV) continue;
1347 /* Extract the numerical SRV fields (p is incremented) */
1350 GETSHORT(priority, p);
1351 GETSHORT(weight, p);
1355 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1357 /* Check the CSA version number */
1359 if (priority != 1) continue;
1361 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1362 found by dns_special_lookup() is a parent of the one we asked for), we check
1363 the subdomain assertions in the port field. At the moment there's only one
1364 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1365 SRV records of their own. */
1367 if (found != domain)
1370 return t->data.val = CSA_FAIL_EXPLICIT;
1372 return t->data.val = CSA_UNKNOWN;
1375 /* This CSA SRV record refers directly to our domain, so we check the value
1376 in the weight field to work out the domain's authorization. 0 and 1 are
1377 unauthorized; 3 means the client is authorized but we can't check the IP
1378 address in order to authenticate it, so we treat it as unknown; values
1379 greater than 3 are undefined. */
1381 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1383 if (weight > 2) continue;
1385 /* Weight == 2, which means the domain is authorized. We must check that the
1386 client's IP address is listed as one of the SRV target addresses. Save the
1387 target hostname then break to scan the additional data for its addresses. */
1389 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1390 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1392 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1397 /* If we didn't break the loop then no appropriate records were found. */
1399 if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1401 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1402 A target of "." indicates there are no valid addresses, so the client cannot
1403 be authorized. (This is an odd configuration because weight=2 target=. is
1404 equivalent to weight=1, but we check for it in order to keep load off the
1405 root name servers.) Note that dn_expand() turns "." into "". */
1407 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1409 /* Scan the additional section of the CSA SRV reply for addresses belonging
1410 to the target. If the name server didn't return any additional data (e.g.
1411 because it does not fully support SRV records), we need to do another lookup
1412 to obtain the target addresses; otherwise we have a definitive result. */
1414 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1415 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1417 /* The DNS lookup type corresponds to the IP version used by the client. */
1420 if (Ustrchr(sender_host_address, ':') != NULL)
1423 #endif /* HAVE_IPV6 */
1427 #if HAVE_IPV6 && defined(SUPPORT_A6)
1431 switch (dns_lookup(&dnsa, target, type, NULL))
1433 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1436 return t->data.val = CSA_DEFER_ADDR;
1438 /* If the query succeeded, scan the addresses and return the result. */
1441 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1442 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1443 /* else fall through */
1445 /* If the target has no IP addresses, the client cannot have an authorized
1446 IP address. However, if the target site uses A6 records (not AAAA records)
1447 we have to do yet another lookup in order to check them. */
1452 #if HAVE_IPV6 && defined(SUPPORT_A6)
1453 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1456 return t->data.val = CSA_FAIL_NOADDR;
1462 /*************************************************
1463 * Handle verification (address & other) *
1464 *************************************************/
1466 /* This function implements the "verify" condition. It is called when
1467 encountered in any ACL, because some tests are almost always permitted. Some
1468 just don't make sense, and always fail (for example, an attempt to test a host
1469 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1472 where where called from
1473 addr the recipient address that the ACL is handling, or NULL
1474 arg the argument of "verify"
1475 user_msgptr pointer for user message
1476 log_msgptr pointer for log message
1477 basic_errno where to put verify errno
1479 Returns: OK verification condition succeeded
1480 FAIL verification failed
1481 DEFER there was a problem verifying
1486 acl_verify(int where, address_item *addr, uschar *arg,
1487 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1491 int callout_overall = -1;
1492 int callout_connect = -1;
1493 int verify_options = 0;
1495 BOOL verify_header_sender = FALSE;
1496 BOOL defer_ok = FALSE;
1497 BOOL callout_defer_ok = FALSE;
1498 BOOL no_details = FALSE;
1499 BOOL success_on_redirect = FALSE;
1500 address_item *sender_vaddr = NULL;
1501 uschar *verify_sender_address = NULL;
1502 uschar *pm_mailfrom = NULL;
1503 uschar *se_mailfrom = NULL;
1505 /* Some of the verify items have slash-separated options; some do not. Diagnose
1506 an error if options are given for items that don't expect them. This code has
1507 now got very message. Refactoring to use a table would be a good idea one day.
1510 uschar *slash = Ustrchr(arg, '/');
1512 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1514 if (ss == NULL) goto BAD_VERIFY;
1516 /* Handle name/address consistency verification in a separate function. */
1518 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1520 if (slash != NULL) goto NO_OPTIONS;
1521 if (sender_host_address == NULL) return OK;
1522 return acl_verify_reverse(user_msgptr, log_msgptr);
1525 /* TLS certificate verification is done at STARTTLS time; here we just
1526 test whether it was successful or not. (This is for optional verification; for
1527 mandatory verification, the connection doesn't last this long.) */
1529 if (strcmpic(ss, US"certificate") == 0)
1531 if (slash != NULL) goto NO_OPTIONS;
1532 if (tls_certificate_verified) return OK;
1533 *user_msgptr = US"no verified certificate";
1537 /* We can test the result of optional HELO verification that might have
1538 occurred earlier. If not, we can attempt the verification now. */
1540 if (strcmpic(ss, US"helo") == 0)
1542 if (slash != NULL) goto NO_OPTIONS;
1543 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1544 return helo_verified? OK : FAIL;
1547 /* Do Client SMTP Authorization checks in a separate function, and turn the
1548 result code into user-friendly strings. */
1550 if (strcmpic(ss, US"csa") == 0)
1552 rc = acl_verify_csa(list);
1553 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1554 csa_reason_string[rc]);
1555 csa_status = csa_status_string[rc];
1556 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1557 return csa_return_code[rc];
1560 /* Check that all relevant header lines have the correct syntax. If there is
1561 a syntax error, we return details of the error to the sender if configured to
1562 send out full details. (But a "message" setting on the ACL can override, as
1565 if (strcmpic(ss, US"header_syntax") == 0)
1567 if (slash != NULL) goto NO_OPTIONS;
1568 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1569 rc = verify_check_headers(log_msgptr);
1570 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1571 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1575 /* Check that no recipient of this message is "blind", that is, every envelope
1576 recipient must be mentioned in either To: or Cc:. */
1578 if (strcmpic(ss, US"not_blind") == 0)
1580 if (slash != NULL) goto NO_OPTIONS;
1581 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1582 rc = verify_check_notblind();
1585 *log_msgptr = string_sprintf("bcc recipient detected");
1586 if (smtp_return_error_details)
1587 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1592 /* The remaining verification tests check recipient and sender addresses,
1593 either from the envelope or from the header. There are a number of
1594 slash-separated options that are common to all of them. */
1597 /* Check that there is at least one verifiable sender address in the relevant
1598 header lines. This can be followed by callout and defer options, just like
1599 sender and recipient. */
1601 if (strcmpic(ss, US"header_sender") == 0)
1603 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1604 verify_header_sender = TRUE;
1607 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1608 In the case of a sender, this can optionally be followed by an address to use
1609 in place of the actual sender (rare special-case requirement). */
1611 else if (strncmpic(ss, US"sender", 6) == 0)
1614 if (where > ACL_WHERE_NOTSMTP)
1616 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1617 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1618 acl_wherenames[where]);
1622 verify_sender_address = sender_address;
1625 while (isspace(*s)) s++;
1626 if (*s++ != '=') goto BAD_VERIFY;
1627 while (isspace(*s)) s++;
1628 verify_sender_address = string_copy(s);
1633 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1636 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1637 "(only possible for RCPT)", acl_wherenames[where]);
1642 /* Remaining items are optional; they apply to sender and recipient
1643 verification, including "header sender" verification. */
1645 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1648 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1649 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1650 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1652 /* These two old options are left for backwards compatibility */
1654 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1656 callout_defer_ok = TRUE;
1657 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1660 else if (strcmpic(ss, US"check_postmaster") == 0)
1663 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1666 /* The callout option has a number of sub-options, comma separated */
1668 else if (strncmpic(ss, US"callout", 7) == 0)
1670 callout = CALLOUT_TIMEOUT_DEFAULT;
1674 while (isspace(*ss)) ss++;
1680 while (isspace(*ss)) ss++;
1682 /* This callout option handling code has become a mess as new options
1683 have been added in an ad hoc manner. It should be tidied up into some
1684 kind of table-driven thing. */
1686 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1689 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1690 else if (strcmpic(opt, US"no_cache") == 0)
1691 verify_options |= vopt_callout_no_cache;
1692 else if (strcmpic(opt, US"random") == 0)
1693 verify_options |= vopt_callout_random;
1694 else if (strcmpic(opt, US"use_sender") == 0)
1695 verify_options |= vopt_callout_recipsender;
1696 else if (strcmpic(opt, US"use_postmaster") == 0)
1697 verify_options |= vopt_callout_recippmaster;
1698 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1699 else if (strcmpic(opt, US"fullpostmaster") == 0)
1702 verify_options |= vopt_callout_fullpm;
1705 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1707 if (!verify_header_sender)
1709 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1710 "callout option only for verify=header_sender (detected in ACL "
1711 "condition \"%s\")", arg);
1715 while (isspace(*opt)) opt++;
1718 *log_msgptr = string_sprintf("'=' expected after "
1719 "\"mailfrom\" in ACL condition \"%s\"", arg);
1722 while (isspace(*opt)) opt++;
1723 se_mailfrom = string_copy(opt);
1726 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1729 while (isspace(*opt)) opt++;
1732 *log_msgptr = string_sprintf("'=' expected after "
1733 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1736 while (isspace(*opt)) opt++;
1737 pm_mailfrom = string_copy(opt);
1740 else if (strncmpic(opt, US"maxwait", 7) == 0)
1743 while (isspace(*opt)) opt++;
1746 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1747 "ACL condition \"%s\"", arg);
1750 while (isspace(*opt)) opt++;
1751 callout_overall = readconf_readtime(opt, 0, FALSE);
1752 if (callout_overall < 0)
1754 *log_msgptr = string_sprintf("bad time value in ACL condition "
1755 "\"verify %s\"", arg);
1759 else if (strncmpic(opt, US"connect", 7) == 0)
1762 while (isspace(*opt)) opt++;
1765 *log_msgptr = string_sprintf("'=' expected after "
1766 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1769 while (isspace(*opt)) opt++;
1770 callout_connect = readconf_readtime(opt, 0, FALSE);
1771 if (callout_connect < 0)
1773 *log_msgptr = string_sprintf("bad time value in ACL condition "
1774 "\"verify %s\"", arg);
1778 else /* Plain time is callout connect/command timeout */
1780 callout = readconf_readtime(opt, 0, FALSE);
1783 *log_msgptr = string_sprintf("bad time value in ACL condition "
1784 "\"verify %s\"", arg);
1792 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1793 "ACL condition \"%s\"", arg);
1799 /* Option not recognized */
1803 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1804 "condition \"verify %s\"", ss, arg);
1809 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1810 (vopt_callout_recipsender|vopt_callout_recippmaster))
1812 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1813 "for a recipient callout";
1817 /* Handle sender-in-header verification. Default the user message to the log
1818 message if giving out verification details. */
1820 if (verify_header_sender)
1823 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1824 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1828 *basic_errno = verrno;
1829 if (smtp_return_error_details)
1831 if (*user_msgptr == NULL && *log_msgptr != NULL)
1832 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1833 if (rc == DEFER) acl_temp_details = TRUE;
1838 /* Handle a sender address. The default is to verify *the* sender address, but
1839 optionally a different address can be given, for special requirements. If the
1840 address is empty, we are dealing with a bounce message that has no sender, so
1841 we cannot do any checking. If the real sender address gets rewritten during
1842 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1843 during message reception.
1845 A list of verified "sender" addresses is kept to try to avoid doing to much
1846 work repetitively when there are multiple recipients in a message and they all
1847 require sender verification. However, when callouts are involved, it gets too
1848 complicated because different recipients may require different callout options.
1849 Therefore, we always do a full sender verify when any kind of callout is
1850 specified. Caching elsewhere, for instance in the DNS resolver and in the
1851 callout handling, should ensure that this is not terribly inefficient. */
1853 else if (verify_sender_address != NULL)
1855 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1858 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1859 "sender verify callout";
1863 sender_vaddr = verify_checked_sender(verify_sender_address);
1864 if (sender_vaddr != NULL && /* Previously checked */
1865 callout <= 0) /* No callout needed this time */
1867 /* If the "routed" flag is set, it means that routing worked before, so
1868 this check can give OK (the saved return code value, if set, belongs to a
1869 callout that was done previously). If the "routed" flag is not set, routing
1870 must have failed, so we use the saved return code. */
1872 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1874 rc = sender_vaddr->special_action;
1875 *basic_errno = sender_vaddr->basic_errno;
1877 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1880 /* Do a new verification, and cache the result. The cache is used to avoid
1881 verifying the sender multiple times for multiple RCPTs when callouts are not
1882 specified (see comments above).
1884 The cache is also used on failure to give details in response to the first
1885 RCPT that gets bounced for this reason. However, this can be suppressed by
1886 the no_details option, which sets the flag that says "this detail has already
1887 been sent". The cache normally contains just one address, but there may be
1888 more in esoteric circumstances. */
1893 uschar *save_address_data = deliver_address_data;
1895 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1896 if (no_details) setflag(sender_vaddr, af_sverify_told);
1897 if (verify_sender_address[0] != 0)
1899 /* If this is the real sender address, save the unrewritten version
1900 for use later in receive. Otherwise, set a flag so that rewriting the
1901 sender in verify_address() does not update sender_address. */
1903 if (verify_sender_address == sender_address)
1904 sender_address_unrewritten = sender_address;
1906 verify_options |= vopt_fake_sender;
1908 if (success_on_redirect)
1909 verify_options |= vopt_success_on_redirect;
1911 /* The recipient, qualify, and expn options are never set in
1914 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1915 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1917 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1921 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1923 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1924 verify_sender_address, sender_vaddr->address);
1928 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1929 verify_sender_address);
1932 else *basic_errno = sender_vaddr->basic_errno;
1934 else rc = OK; /* Null sender */
1936 /* Cache the result code */
1938 if (routed) setflag(sender_vaddr, af_verify_routed);
1939 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1940 sender_vaddr->special_action = rc;
1941 sender_vaddr->next = sender_verified_list;
1942 sender_verified_list = sender_vaddr;
1944 /* Restore the recipient address data, which might have been clobbered by
1945 the sender verification. */
1947 deliver_address_data = save_address_data;
1950 /* Put the sender address_data value into $sender_address_data */
1952 sender_address_data = sender_vaddr->p.address_data;
1955 /* A recipient address just gets a straightforward verify; again we must handle
1956 the DEFER overrides. */
1962 if (success_on_redirect)
1963 verify_options |= vopt_success_on_redirect;
1965 /* We must use a copy of the address for verification, because it might
1969 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1970 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1971 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1973 *log_msgptr = addr2.message;
1974 *user_msgptr = (addr2.user_message != NULL)?
1975 addr2.user_message : addr2.message;
1976 *basic_errno = addr2.basic_errno;
1978 /* Make $address_data visible */
1979 deliver_address_data = addr2.p.address_data;
1982 /* We have a result from the relevant test. Handle defer overrides first. */
1984 if (rc == DEFER && (defer_ok ||
1985 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1987 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1988 defer_ok? "defer_ok" : "callout_defer_ok");
1992 /* If we've failed a sender, set up a recipient message, and point
1993 sender_verified_failed to the address item that actually failed. */
1995 if (rc != OK && verify_sender_address != NULL)
1999 *log_msgptr = *user_msgptr = US"Sender verify failed";
2001 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2003 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2007 *log_msgptr = US"Could not complete sender verify callout";
2008 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2012 sender_verified_failed = sender_vaddr;
2015 /* Verifying an address messes up the values of $domain and $local_part,
2016 so reset them before returning if this is a RCPT ACL. */
2020 deliver_domain = addr->domain;
2021 deliver_localpart = addr->local_part;
2025 /* Syntax errors in the verify argument come here. */
2028 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2029 "\"helo\", \"header_syntax\", \"header_sender\" or "
2030 "\"reverse_host_lookup\" at start of ACL condition "
2031 "\"verify %s\"", arg);
2034 /* Options supplied when not allowed come here */
2037 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
2038 "(this verify item has no options)", arg);
2041 /* Calls in the wrong ACL come here */
2044 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
2045 "(only possible in ACL for DATA)", acl_wherenames[where]);
2052 /*************************************************
2053 * Check argument for control= modifier *
2054 *************************************************/
2056 /* Called from acl_check_condition() below
2059 arg the argument string for control=
2060 pptr set to point to the terminating character
2061 where which ACL we are in
2062 log_msgptr for error messages
2064 Returns: CONTROL_xxx value
2068 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2073 for (d = controls_list;
2074 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2077 len = Ustrlen(d->name);
2078 if (Ustrncmp(d->name, arg, len) == 0) break;
2081 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2082 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2084 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2085 return CONTROL_ERROR;
2094 /*************************************************
2095 * Handle rate limiting *
2096 *************************************************/
2098 /* Called by acl_check_condition() below to calculate the result
2099 of the ACL ratelimit condition.
2101 Note that the return value might be slightly unexpected: if the
2102 sender's rate is above the limit then the result is OK. This is
2103 similar to the dnslists condition, and is so that you can write
2104 ACL clauses like: defer ratelimit = 15 / 1h
2107 arg the option string for ratelimit=
2108 where ACL_WHERE_xxxx indicating which ACL this is
2109 log_msgptr for error messages
2111 Returns: OK - Sender's rate is above limit
2112 FAIL - Sender's rate is below limit
2113 DEFER - Problem opening ratelimit database
2114 ERROR - Syntax error in options.
2118 acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
2120 double limit, period;
2123 BOOL have_key = FALSE, leaky = FALSE, strict = FALSE;
2124 BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2126 tree_node **anchor, *t;
2127 open_db dbblock, *dbm;
2128 dbdata_ratelimit *dbd;
2131 /* Parse the first two options and record their values in expansion
2132 variables. These variables allow the configuration to have informative
2133 error messages based on rate limits obtained from a table lookup. */
2135 /* First is the maximum number of messages per period and maximum burst
2136 size, which must be greater than or equal to zero. Zero is useful for
2137 rate measurement as opposed to rate limiting. */
2139 sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2140 if (sender_rate_limit == NULL)
2144 limit = Ustrtod(sender_rate_limit, &ss);
2145 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2146 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2147 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2149 if (limit < 0.0 || *ss != 0)
2151 *log_msgptr = string_sprintf("syntax error in argument for "
2152 "\"ratelimit\" condition: \"%s\" is not a positive number",
2157 /* We use the rest of the argument list following the limit as the
2158 lookup key, because it doesn't make sense to use the same stored data
2159 if the period or options are different. */
2163 /* Second is the rate measurement period and exponential smoothing time
2164 constant. This must be strictly greater than zero, because zero leads to
2165 run-time division errors. */
2167 sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2168 if (sender_rate_period == NULL) period = -1.0;
2169 else period = readconf_readtime(sender_rate_period, 0, FALSE);
2172 *log_msgptr = string_sprintf("syntax error in argument for "
2173 "\"ratelimit\" condition: \"%s\" is not a time value",
2174 sender_rate_period);
2178 /* Parse the other options. Should we check if the per_* options are being
2179 used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2181 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2184 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2185 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2186 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
2187 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2188 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2189 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
2190 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
2191 else have_key = TRUE;
2193 if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2195 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2199 /* Default option values */
2200 if (!strict) leaky = TRUE;
2201 if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2203 /* If there is no explicit key, use the sender_host_address. If there is no
2204 sender_host_address (e.g. -bs or acl_not_smtp) then we simply omit it. */
2206 if (!have_key && sender_host_address != NULL)
2207 key = string_sprintf("%s / %s", key, sender_host_address);
2209 HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2210 limit, period, key);
2212 /* See if we have already computed the rate by looking in the relevant tree. For
2213 per-connection rate limiting, store tree nodes and dbdata in the permanent pool
2214 so that they survive across resets. */
2217 old_pool = store_pool;
2221 anchor = &ratelimiters_conn;
2222 store_pool = POOL_PERM;
2224 else if (per_mail || per_byte)
2225 anchor = &ratelimiters_mail;
2227 anchor = &ratelimiters_cmd;
2229 if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2232 /* The following few lines duplicate some of the code below. */
2233 if (dbd->rate < limit) rc = FAIL;
2235 store_pool = old_pool;
2236 sender_rate = string_sprintf("%.1f", dbd->rate);
2238 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2242 /* We aren't using a pre-computed rate, so get a previously recorded
2243 rate from the database, update it, and write it back. If there's no
2244 previous rate for this key, create one. */
2246 dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2249 store_pool = old_pool;
2251 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2252 *log_msgptr = US"ratelimit database not available";
2255 dbd = dbfn_read(dbm, key);
2257 gettimeofday(&tv, NULL);
2261 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2262 dbd = store_get(sizeof(dbdata_ratelimit));
2263 dbd->time_stamp = tv.tv_sec;
2264 dbd->time_usec = tv.tv_usec;
2269 /* The smoothed rate is computed using an exponentially weighted moving
2270 average adjusted for variable sampling intervals. The standard EWMA for
2271 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2272 where f() is the measured value and f'() is the smoothed value.
2274 Old data decays out of the smoothed value exponentially, such that data n
2275 samples old is multiplied by a^n. The exponential decay time constant p
2276 is defined such that data p samples old is multiplied by 1/e, which means
2277 that a = exp(-1/p). We can maintain the same time constant for a variable
2278 sampling interval i by using a = exp(-i/p).
2280 The rate we are measuring is messages per period, suitable for directly
2281 comparing with the limit. The average rate between now and the previous
2282 message is period / interval, which we feed into the EWMA as the sample.
2284 It turns out that the number of messages required for the smoothed rate
2285 to reach the limit when they are sent in a burst is equal to the limit.
2286 This can be seen by analysing the value of the smoothed rate after N
2287 messages sent at even intervals. Let k = (1 - a) * p/i
2289 rate_1 = (1 - a) * p/i + a * rate_0
2291 rate_2 = k + a * rate_1
2292 = k + a * k + a^2 * rate_0
2293 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2294 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2295 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2296 = rate_0 * a^N + p/i * (1 - a^N)
2298 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2300 rate_N = p/i + (rate_0 - p/i) * a^N
2301 a^N = (rate_N - p/i) / (rate_0 - p/i)
2302 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2303 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2305 Numerical analysis of the above equation, setting the computed rate to
2306 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2307 rates, p/i, the number of messages N = limit. So limit serves as both the
2308 maximum rate measured in messages per period, and the maximum number of
2309 messages that can be sent in a fast burst. */
2311 double this_time = (double)tv.tv_sec
2312 + (double)tv.tv_usec / 1000000.0;
2313 double prev_time = (double)dbd->time_stamp
2314 + (double)dbd->time_usec / 1000000.0;
2316 /* We must avoid division by zero, and deal gracefully with the clock going
2317 backwards. If we blunder ahead when time is in reverse then the computed
2318 rate will be bogus. To be safe we clamp interval to a very small number. */
2320 double interval = this_time - prev_time <= 0.0 ? 1e-9
2321 : this_time - prev_time;
2323 double i_over_p = interval / period;
2324 double a = exp(-i_over_p);
2326 dbd->time_stamp = tv.tv_sec;
2327 dbd->time_usec = tv.tv_usec;
2329 /* If we are measuring the rate in bytes per period, multiply the
2330 measured rate by the message size. If we don't know the message size
2331 then it's safe to just use a value of zero and let the recorded rate
2332 decay as if nothing happened. */
2335 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2336 * (1 - a) / i_over_p + a * dbd->rate;
2337 else if (per_cmd && where == ACL_WHERE_NOTSMTP)
2338 dbd->rate = (double)recipients_count
2339 * (1 - a) / i_over_p + a * dbd->rate;
2341 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2344 /* Clients sending at the limit are considered to be over the limit. This
2345 matters for edge cases such the first message sent by a client (which gets
2346 the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2347 be completely blocked). */
2349 if (dbd->rate < limit) rc = FAIL;
2352 /* Update the state if the rate is low or if we are being strict. If we
2353 are in leaky mode and the sender's rate is too high, we do not update
2354 the recorded rate in order to avoid an over-aggressive sender's retry
2355 rate preventing them from getting any email through. */
2357 if (rc == FAIL || !leaky)
2358 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
2361 /* Store the result in the tree for future reference, if necessary. */
2365 t = store_get(sizeof(tree_node) + Ustrlen(key));
2367 Ustrcpy(t->name, key);
2368 (void)tree_insertnode(anchor, t);
2371 /* We create the formatted version of the sender's rate very late in
2372 order to ensure that it is done using the correct storage pool. */
2374 store_pool = old_pool;
2375 sender_rate = string_sprintf("%.1f", dbd->rate);
2378 debug_printf("ratelimit computed rate %s\n", sender_rate);
2385 /*************************************************
2386 * Handle conditions/modifiers on an ACL item *
2387 *************************************************/
2389 /* Called from acl_check() below.
2393 cb ACL condition block - if NULL, result is OK
2394 where where called from
2395 addr the address being checked for RCPT, or NULL
2396 level the nesting level
2397 epp pointer to pass back TRUE if "endpass" encountered
2398 (applies only to "accept" and "discard")
2399 user_msgptr user message pointer
2400 log_msgptr log message pointer
2401 basic_errno pointer to where to put verify error
2403 Returns: OK - all conditions are met
2404 DISCARD - an "acl" condition returned DISCARD - only allowed
2405 for "accept" or "discard" verbs
2406 FAIL - at least one condition fails
2407 FAIL_DROP - an "acl" condition returned FAIL_DROP
2408 DEFER - can't tell at the moment (typically, lookup defer,
2409 but can be temporary callout problem)
2410 ERROR - ERROR from nested ACL or expansion failure or other
2415 acl_check_condition(int verb, acl_condition_block *cb, int where,
2416 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2417 uschar **log_msgptr, int *basic_errno)
2419 uschar *user_message = NULL;
2420 uschar *log_message = NULL;
2423 #ifdef WITH_CONTENT_SCAN
2427 for (; cb != NULL; cb = cb->next)
2432 /* The message and log_message items set up messages to be used in
2433 case of rejection. They are expanded later. */
2435 if (cb->type == ACLC_MESSAGE)
2437 user_message = cb->arg;
2441 if (cb->type == ACLC_LOG_MESSAGE)
2443 log_message = cb->arg;
2447 /* The endpass "condition" just sets a flag to show it occurred. This is
2448 checked at compile time to be on an "accept" or "discard" item. */
2450 if (cb->type == ACLC_ENDPASS)
2456 /* For other conditions and modifiers, the argument is expanded now for some
2457 of them, but not for all, because expansion happens down in some lower level
2458 checking functions in some cases. */
2460 if (cond_expand_at_top[cb->type])
2462 arg = expand_string(cb->arg);
2465 if (expand_string_forcedfail) continue;
2466 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2467 cb->arg, expand_string_message);
2468 return search_find_defer? DEFER : ERROR;
2473 /* Show condition, and expanded condition if it's different */
2478 debug_printf("check %s%s %n",
2479 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2480 conditions[cb->type], &lhswidth);
2482 if (cb->type == ACLC_SET)
2484 debug_printf("acl_%s ", cb->u.varname);
2485 lhswidth += 5 + Ustrlen(cb->u.varname);
2488 debug_printf("= %s\n", cb->arg);
2491 debug_printf("%.*s= %s\n", lhswidth,
2495 /* Check that this condition makes sense at this time */
2497 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2499 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2500 cond_modifiers[cb->type]? "use" : "test",
2501 conditions[cb->type], acl_wherenames[where]);
2505 /* Run the appropriate test for each condition, or take the appropriate
2506 action for the remaining modifiers. */
2510 case ACLC_ADD_HEADER:
2514 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2518 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2519 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2521 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2522 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2528 case ACLC_AUTHENTICATED:
2529 rc = (sender_host_authenticated == NULL)? FAIL :
2530 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2534 #ifdef EXPERIMENTAL_BRIGHTMAIL
2535 case ACLC_BMI_OPTIN:
2537 int old_pool = store_pool;
2538 store_pool = POOL_PERM;
2539 bmi_current_optin = string_copy(arg);
2540 store_pool = old_pool;
2545 case ACLC_CONDITION:
2546 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2547 rc = (Uatoi(arg) == 0)? FAIL : OK;
2549 rc = (strcmpic(arg, US"no") == 0 ||
2550 strcmpic(arg, US"false") == 0)? FAIL :
2551 (strcmpic(arg, US"yes") == 0 ||
2552 strcmpic(arg, US"true") == 0)? OK : DEFER;
2554 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2558 control_type = decode_control(arg, &p, where, log_msgptr);
2560 /* Check if this control makes sense at this time */
2562 if ((control_forbids[control_type] & (1 << where)) != 0)
2564 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2565 controls[control_type], acl_wherenames[where]);
2569 switch(control_type)
2571 case CONTROL_AUTH_UNADVERTISED:
2572 allow_auth_unadvertised = TRUE;
2575 #ifdef EXPERIMENTAL_BRIGHTMAIL
2576 case CONTROL_BMI_RUN:
2581 #ifdef EXPERIMENTAL_DOMAINKEYS
2582 case CONTROL_DK_VERIFY:
2590 case CONTROL_CASEFUL_LOCAL_PART:
2591 deliver_localpart = addr->cc_local_part;
2594 case CONTROL_CASELOWER_LOCAL_PART:
2595 deliver_localpart = addr->lc_local_part;
2598 case CONTROL_ENFORCE_SYNC:
2599 smtp_enforce_sync = TRUE;
2602 case CONTROL_NO_ENFORCE_SYNC:
2603 smtp_enforce_sync = FALSE;
2606 #ifdef WITH_CONTENT_SCAN
2607 case CONTROL_NO_MBOX_UNSPOOL:
2608 no_mbox_unspool = TRUE;
2612 case CONTROL_NO_MULTILINE:
2613 no_multiline_responses = TRUE;
2616 case CONTROL_NO_PIPELINING:
2617 pipelining_enable = FALSE;
2620 case CONTROL_NO_DELAY_FLUSH:
2621 disable_delay_flush = TRUE;
2624 case CONTROL_NO_CALLOUT_FLUSH:
2625 disable_callout_flush = TRUE;
2628 case CONTROL_FAKEDEFER:
2629 case CONTROL_FAKEREJECT:
2630 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
2634 while (*pp != 0) pp++;
2635 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
2640 /* Explicitly reset to default string */
2641 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
2645 case CONTROL_FREEZE:
2646 deliver_freeze = TRUE;
2647 deliver_frozen_at = time(NULL);
2648 freeze_tell = freeze_tell_config; /* Reset to configured value */
2649 if (Ustrncmp(p, "/no_tell", 8) == 0)
2656 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2661 case CONTROL_QUEUE_ONLY:
2662 queue_only_policy = TRUE;
2665 case CONTROL_SUBMISSION:
2666 originator_name = US"";
2667 submission_mode = TRUE;
2670 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2673 active_local_sender_retain = TRUE;
2674 active_local_from_check = FALSE;
2676 else if (Ustrncmp(p, "/domain=", 8) == 0)
2679 while (*pp != 0 && *pp != '/') pp++;
2680 submission_domain = string_copyn(p+8, pp-p-8);
2683 /* The name= option must be last, because it swallows the rest of
2685 else if (Ustrncmp(p, "/name=", 6) == 0)
2688 while (*pp != 0) pp++;
2689 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
2690 big_buffer, big_buffer_size));
2697 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2702 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2703 suppress_local_fixups = TRUE;
2708 #ifdef WITH_CONTENT_SCAN
2710 rc = mime_decode(&arg);
2716 int delay = readconf_readtime(arg, 0, FALSE);
2719 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2720 "modifier: \"%s\" is not a time value", arg);
2725 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2730 debug_printf("delay skipped in -bh checking mode\n");
2733 /* It appears to be impossible to detect that a TCP/IP connection has
2734 gone away without reading from it. This means that we cannot shorten
2735 the delay below if the client goes away, because we cannot discover
2736 that the client has closed its end of the connection. (The connection
2737 is actually in a half-closed state, waiting for the server to close its
2738 end.) It would be nice to be able to detect this state, so that the
2739 Exim process is not held up unnecessarily. However, it seems that we
2740 can't. The poll() function does not do the right thing, and in any case
2741 it is not always available.
2743 NOTE 1: If ever this state of affairs changes, remember that we may be
2744 dealing with stdin/stdout here, in addition to TCP/IP connections.
2745 Also, delays may be specified for non-SMTP input, where smtp_out and
2746 smtp_in will be NULL. Whatever is done must work in all cases.
2748 NOTE 2: The added feature of flushing the output before a delay must
2749 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
2754 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
2755 while (delay > 0) delay = sleep(delay);
2761 #ifdef WITH_OLD_DEMIME
2767 #ifdef EXPERIMENTAL_DOMAINKEYS
2768 case ACLC_DK_DOMAIN_SOURCE:
2769 if (dk_verify_block == NULL) { rc = FAIL; break; };
2770 /* check header source of domain against given string */
2771 switch (dk_verify_block->address_source) {
2772 case DK_EXIM_ADDRESS_FROM_FROM:
2773 rc = match_isinlist(US"from", &arg, 0, NULL,
2774 NULL, MCL_STRING, TRUE, NULL);
2776 case DK_EXIM_ADDRESS_FROM_SENDER:
2777 rc = match_isinlist(US"sender", &arg, 0, NULL,
2778 NULL, MCL_STRING, TRUE, NULL);
2780 case DK_EXIM_ADDRESS_NONE:
2781 rc = match_isinlist(US"none", &arg, 0, NULL,
2782 NULL, MCL_STRING, TRUE, NULL);
2787 case ACLC_DK_POLICY:
2788 if (dk_verify_block == NULL) { rc = FAIL; break; };
2789 /* check policy against given string, default FAIL */
2791 if (dk_verify_block->signsall)
2792 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2793 NULL, MCL_STRING, TRUE, NULL);
2794 if (dk_verify_block->testing)
2795 rc = match_isinlist(US"testing", &arg, 0, NULL,
2796 NULL, MCL_STRING, TRUE, NULL);
2799 case ACLC_DK_SENDER_DOMAINS:
2800 if (dk_verify_block == NULL) { rc = FAIL; break; };
2801 if (dk_verify_block->domain != NULL)
2802 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2803 NULL, MCL_DOMAIN, TRUE, NULL);
2807 case ACLC_DK_SENDER_LOCAL_PARTS:
2808 if (dk_verify_block == NULL) { rc = FAIL; break; };
2809 if (dk_verify_block->local_part != NULL)
2810 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2811 NULL, MCL_LOCALPART, TRUE, NULL);
2815 case ACLC_DK_SENDERS:
2816 if (dk_verify_block == NULL) { rc = FAIL; break; };
2817 if (dk_verify_block->address != NULL)
2818 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2822 case ACLC_DK_STATUS:
2823 if (dk_verify_block == NULL) { rc = FAIL; break; };
2824 if (dk_verify_block->result > 0) {
2825 switch(dk_verify_block->result) {
2826 case DK_EXIM_RESULT_BAD_FORMAT:
2827 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2828 NULL, MCL_STRING, TRUE, NULL);
2830 case DK_EXIM_RESULT_NO_KEY:
2831 rc = match_isinlist(US"no key", &arg, 0, NULL,
2832 NULL, MCL_STRING, TRUE, NULL);
2834 case DK_EXIM_RESULT_NO_SIGNATURE:
2835 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2836 NULL, MCL_STRING, TRUE, NULL);
2838 case DK_EXIM_RESULT_REVOKED:
2839 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2840 NULL, MCL_STRING, TRUE, NULL);
2842 case DK_EXIM_RESULT_NON_PARTICIPANT:
2843 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2844 NULL, MCL_STRING, TRUE, NULL);
2846 case DK_EXIM_RESULT_GOOD:
2847 rc = match_isinlist(US"good", &arg, 0, NULL,
2848 NULL, MCL_STRING, TRUE, NULL);
2850 case DK_EXIM_RESULT_BAD:
2851 rc = match_isinlist(US"bad", &arg, 0, NULL,
2852 NULL, MCL_STRING, TRUE, NULL);
2860 rc = verify_check_dnsbl(&arg);
2864 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2865 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2868 /* The value in tls_cipher is the full cipher name, for example,
2869 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2870 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2871 what may in practice come out of the SSL library - which at the time of
2872 writing is poorly documented. */
2874 case ACLC_ENCRYPTED:
2875 if (tls_cipher == NULL) rc = FAIL; else
2877 uschar *endcipher = NULL;
2878 uschar *cipher = Ustrchr(tls_cipher, ':');
2879 if (cipher == NULL) cipher = tls_cipher; else
2881 endcipher = Ustrchr(++cipher, ':');
2882 if (endcipher != NULL) *endcipher = 0;
2884 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2885 if (endcipher != NULL) *endcipher = ':';
2889 /* Use verify_check_this_host() instead of verify_check_host() so that
2890 we can pass over &host_data to catch any looked up data. Once it has been
2891 set, it retains its value so that it's still there if another ACL verb
2892 comes through here and uses the cache. However, we must put it into
2893 permanent store in case it is also expected to be used in a subsequent
2894 message in the same SMTP connection. */
2897 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2898 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2899 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2902 case ACLC_LOCAL_PARTS:
2903 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2904 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2905 &deliver_localpart_data);
2908 case ACLC_LOG_REJECT_TARGET:
2914 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
2917 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
2918 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
2919 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
2922 logbits |= LOG_MAIN|LOG_REJECT;
2923 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
2924 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
2927 log_reject_target = logbits;
2940 if (Ustrncmp(s, "main", 4) == 0)
2941 { logbits |= LOG_MAIN; s += 4; }
2942 else if (Ustrncmp(s, "panic", 5) == 0)
2943 { logbits |= LOG_PANIC; s += 5; }
2944 else if (Ustrncmp(s, "reject", 6) == 0)
2945 { logbits |= LOG_REJECT; s += 6; }
2948 logbits = LOG_MAIN|LOG_PANIC;
2949 s = string_sprintf(":unknown log name in \"%s\" in "
2950 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2956 while (isspace(*s)) s++;
2959 if (logbits == 0) logbits = LOG_MAIN;
2960 log_write(0, logbits, "%s", string_printing(s));
2964 #ifdef WITH_CONTENT_SCAN
2967 /* Separate the regular expression and any optional parameters. */
2968 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2969 /* Run the malware backend. */
2971 /* Modify return code based upon the existance of options. */
2972 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2974 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2976 /* FAIL so that the message is passed to the next ACL */
2983 case ACLC_MIME_REGEX:
2984 rc = mime_regex(&arg);
2988 case ACLC_RATELIMIT:
2989 rc = acl_ratelimit(arg, where, log_msgptr);
2992 case ACLC_RECIPIENTS:
2993 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2997 #ifdef WITH_CONTENT_SCAN
3003 case ACLC_SENDER_DOMAINS:
3006 sdomain = Ustrrchr(sender_address, '@');
3007 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3008 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3009 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3014 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3015 sender_address_cache, -1, 0, &sender_data);
3018 /* Connection variables must persist forever */
3022 int old_pool = store_pool;
3023 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3024 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
3025 store_pool = old_pool;
3029 #ifdef WITH_CONTENT_SCAN
3032 /* Seperate the regular expression and any optional parameters. */
3033 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3034 /* Run the spam backend. */
3036 /* Modify return code based upon the existance of options. */
3037 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3039 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3041 /* FAIL so that the message is passed to the next ACL */
3049 #ifdef EXPERIMENTAL_SPF
3051 rc = spf_process(&arg, sender_address);
3055 /* If the verb is WARN, discard any user message from verification, because
3056 such messages are SMTP responses, not header additions. The latter come
3057 only from explicit "message" modifiers. However, put the user message into
3058 $acl_verify_message so it can be used in subsequent conditions or modifiers
3059 (until something changes it). */
3062 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
3063 acl_verify_message = *user_msgptr;
3064 if (verb == ACL_WARN) *user_msgptr = NULL;
3068 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3069 "condition %d", cb->type);
3073 /* If a condition was negated, invert OK/FAIL. */
3075 if (!cond_modifiers[cb->type] && cb->u.negated)
3077 if (rc == OK) rc = FAIL;
3078 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3081 if (rc != OK) break; /* Conditions loop */
3085 /* If the result is the one for which "message" and/or "log_message" are used,
3086 handle the values of these modifiers. If there isn't a log message set, we make
3087 it the same as the user message.
3089 "message" is a user message that will be included in an SMTP response. Unless
3090 it is empty, it overrides any previously set user message.
3092 "log_message" is a non-user message, and it adds to any existing non-user
3093 message that is already set.
3095 Most verbs have but a single return for which the messages are relevant, but
3096 for "discard", it's useful to have the log message both when it succeeds and
3097 when it fails. For "accept", the message is used in the OK case if there is no
3098 "endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3101 if (*epp && rc == OK) user_message = NULL;
3103 if (((1<<rc) & msgcond[verb]) != 0)
3106 uschar *old_user_msgptr = *user_msgptr;
3107 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
3109 /* If the verb is "warn", messages generated by conditions (verification or
3110 nested ACLs) are always discarded. This also happens for acceptance verbs
3111 when they actually do accept. Only messages specified at this level are used.
3112 However, the value of an existing message is available in $acl_verify_message
3113 during expansions. */
3115 if (verb == ACL_WARN ||
3116 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3117 *log_msgptr = *user_msgptr = NULL;
3119 if (user_message != NULL)
3121 acl_verify_message = old_user_msgptr;
3122 expmessage = expand_string(user_message);
3123 if (expmessage == NULL)
3125 if (!expand_string_forcedfail)
3126 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3127 user_message, expand_string_message);
3129 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3132 if (log_message != NULL)
3134 acl_verify_message = old_log_msgptr;
3135 expmessage = expand_string(log_message);
3136 if (expmessage == NULL)
3138 if (!expand_string_forcedfail)
3139 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3140 log_message, expand_string_message);
3142 else if (expmessage[0] != 0)
3144 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3145 string_sprintf("%s: %s", expmessage, *log_msgptr);
3149 /* If no log message, default it to the user message */
3151 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3154 acl_verify_message = NULL;
3162 /*************************************************
3163 * Get line from a literal ACL *
3164 *************************************************/
3166 /* This function is passed to acl_read() in order to extract individual lines
3167 of a literal ACL, which we access via static pointers. We can destroy the
3168 contents because this is called only once (the compiled ACL is remembered).
3170 This code is intended to treat the data in the same way as lines in the main
3171 Exim configuration file. That is:
3173 . Leading spaces are ignored.
3175 . A \ at the end of a line is a continuation - trailing spaces after the \
3176 are permitted (this is because I don't believe in making invisible things
3177 significant). Leading spaces on the continued part of a line are ignored.
3179 . Physical lines starting (significantly) with # are totally ignored, and
3180 may appear within a sequence of backslash-continued lines.
3182 . Blank lines are ignored, but will end a sequence of continuations.
3185 Returns: a pointer to the next line
3189 static uschar *acl_text; /* Current pointer in the text */
3190 static uschar *acl_text_end; /* Points one past the terminating '0' */
3198 /* This loop handles leading blank lines and comments. */
3202 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3203 if (*acl_text == 0) return NULL; /* No more data */
3204 yield = acl_text; /* Potential data line */
3206 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3208 /* If we hit the end before a newline, we have the whole logical line. If
3209 it's a comment, there's no more data to be given. Otherwise, yield it. */
3211 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3213 /* After reaching a newline, end this loop if the physical line does not
3214 start with '#'. If it does, it's a comment, and the loop continues. */
3216 if (*yield != '#') break;
3219 /* This loop handles continuations. We know we have some real data, ending in
3220 newline. See if there is a continuation marker at the end (ignoring trailing
3221 white space). We know that *yield is not white space, so no need to test for
3222 cont > yield in the backwards scanning loop. */
3227 for (cont = acl_text - 1; isspace(*cont); cont--);
3229 /* If no continuation follows, we are done. Mark the end of the line and
3238 /* We have encountered a continuation. Skip over whitespace at the start of
3239 the next line, and indeed the whole of the next line or lines if they are
3244 while (*(++acl_text) == ' ' || *acl_text == '\t');
3245 if (*acl_text != '#') break;
3246 while (*(++acl_text) != 0 && *acl_text != '\n');
3249 /* We have the start of a continuation line. Move all the rest of the data
3250 to join onto the previous line, and then find its end. If the end is not a
3251 newline, we are done. Otherwise loop to look for another continuation. */
3253 memmove(cont, acl_text, acl_text_end - acl_text);
3254 acl_text_end -= acl_text - cont;
3256 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3257 if (*acl_text == 0) return yield;
3260 /* Control does not reach here */
3267 /*************************************************
3268 * Check access using an ACL *
3269 *************************************************/
3271 /* This function is called from address_check. It may recurse via
3272 acl_check_condition() - hence the use of a level to stop looping. The ACL is
3273 passed as a string which is expanded. A forced failure implies no access check
3274 is required. If the result is a single word, it is taken as the name of an ACL
3275 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3276 text, complete with newlines, and parsed as such. In both cases, the ACL check
3277 is then run. This function uses an auxiliary function for acl_read() to call
3278 for reading individual lines of a literal ACL. This is acl_getline(), which
3279 appears immediately above.
3282 where where called from
3283 addr address item when called from RCPT; otherwise NULL
3284 s the input string; NULL is the same as an empty ACL => DENY
3285 level the nesting level
3286 user_msgptr where to put a user error (for SMTP response)
3287 log_msgptr where to put a logging message (not for SMTP response)
3289 Returns: OK access is granted
3290 DISCARD access is apparently granted...
3291 FAIL access is denied
3292 FAIL_DROP access is denied; drop the connection
3293 DEFER can't tell at the moment
3298 acl_check_internal(int where, address_item *addr, uschar *s, int level,
3299 uschar **user_msgptr, uschar **log_msgptr)
3302 acl_block *acl = NULL;
3303 uschar *acl_name = US"inline ACL";
3306 /* Catch configuration loops */
3310 *log_msgptr = US"ACL nested too deep: possible loop";
3316 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3320 /* At top level, we expand the incoming string. At lower levels, it has already
3321 been expanded as part of condition processing. */
3325 ss = expand_string(s);
3328 if (expand_string_forcedfail) return OK;
3329 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3330 expand_string_message);
3336 while (isspace(*ss))ss++;
3338 /* If we can't find a named ACL, the default is to parse it as an inline one.
3339 (Unless it begins with a slash; non-existent files give rise to an error.) */
3343 /* Handle the case of a string that does not contain any spaces. Look for a
3344 named ACL among those read from the configuration, or a previously read file.
3345 It is possible that the pointer to the ACL is NULL if the configuration
3346 contains a name with no data. If not found, and the text begins with '/',
3347 read an ACL from a file, and save it so it can be re-used. */
3349 if (Ustrchr(ss, ' ') == NULL)
3351 tree_node *t = tree_search(acl_anchor, ss);
3354 acl = (acl_block *)(t->data.ptr);
3357 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3360 acl_name = string_sprintf("ACL \"%s\"", ss);
3361 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3364 else if (*ss == '/')
3366 struct stat statbuf;
3367 fd = Uopen(ss, O_RDONLY, 0);
3370 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3375 if (fstat(fd, &statbuf) != 0)
3377 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3382 acl_text = store_get(statbuf.st_size + 1);
3383 acl_text_end = acl_text + statbuf.st_size + 1;
3385 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3387 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3388 ss, strerror(errno));
3391 acl_text[statbuf.st_size] = 0;
3394 acl_name = string_sprintf("ACL \"%s\"", ss);
3395 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3399 /* Parse an ACL that is still in text form. If it came from a file, remember it
3400 in the ACL tree, having read it into the POOL_PERM store pool so that it
3401 persists between multiple messages. */
3405 int old_pool = store_pool;
3406 if (fd >= 0) store_pool = POOL_PERM;
3407 acl = acl_read(acl_getline, log_msgptr);
3408 store_pool = old_pool;
3409 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3412 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3413 Ustrcpy(t->name, ss);
3415 (void)tree_insertnode(&acl_anchor, t);
3419 /* Now we have an ACL to use. It's possible it may be NULL. */
3424 int basic_errno = 0;
3425 BOOL endpass_seen = FALSE;
3427 *log_msgptr = *user_msgptr = NULL;
3428 acl_temp_details = FALSE;
3430 if (where == ACL_WHERE_QUIT &&
3431 acl->verb != ACL_ACCEPT &&
3432 acl->verb != ACL_WARN)
3434 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
3439 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3441 /* Clear out any search error message from a previous check before testing
3444 search_error_message = NULL;
3445 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3446 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3448 /* Handle special returns: DEFER causes a return except on a WARN verb;
3449 ERROR always causes a return. */
3454 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3455 if (basic_errno != ERRNO_CALLOUTDEFER)
3457 if (search_error_message != NULL && *search_error_message != 0)
3458 *log_msgptr = search_error_message;
3459 if (smtp_return_error_details) acl_temp_details = TRUE;
3463 acl_temp_details = TRUE;
3465 if (acl->verb != ACL_WARN) return DEFER;
3468 default: /* Paranoia */
3470 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3474 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3479 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3482 /* DISCARD and DROP can happen only from a nested ACL condition, and
3483 DISCARD can happen only for an "accept" or "discard" verb. */
3486 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3491 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3496 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3497 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3498 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3503 if (cond == OK || cond == DISCARD) return cond;
3506 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3514 acl_temp_details = TRUE;
3520 if (cond == OK) return FAIL;
3524 if (cond == OK || cond == DISCARD) return DISCARD;
3527 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3533 if (cond == OK) return FAIL_DROP;
3537 if (cond != OK) return cond;
3542 acl_warn(where, *user_msgptr, *log_msgptr);
3543 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
3544 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3545 "condition test deferred%s%s", host_and_ident(TRUE),
3546 (*log_msgptr == NULL)? US"" : US": ",
3547 (*log_msgptr == NULL)? US"" : *log_msgptr);
3548 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3552 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3557 /* Pass to the next ACL item */
3562 /* We have reached the end of the ACL. This is an implicit DENY. */
3564 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3569 /*************************************************
3570 * Check access using an ACL *
3571 *************************************************/
3573 /* This is the external interface for ACL checks. It sets up an address and the
3574 expansions for $domain and $local_part when called after RCPT, then calls
3575 acl_check_internal() to do the actual work.
3578 where ACL_WHERE_xxxx indicating where called from
3579 recipient RCPT address for RCPT check, else NULL
3580 s the input string; NULL is the same as an empty ACL => DENY
3581 user_msgptr where to put a user error (for SMTP response)
3582 log_msgptr where to put a logging message (not for SMTP response)
3584 Returns: OK access is granted by an ACCEPT verb
3585 DISCARD access is granted by a DISCARD verb
3586 FAIL access is denied
3587 FAIL_DROP access is denied; drop the connection
3588 DEFER can't tell at the moment
3593 acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
3594 uschar **log_msgptr)
3598 address_item *addr = NULL;
3600 *user_msgptr = *log_msgptr = NULL;
3601 sender_verified_failed = NULL;
3602 ratelimiters_cmd = NULL;
3603 log_reject_target = LOG_MAIN|LOG_REJECT;
3605 if (where == ACL_WHERE_RCPT)
3607 adb = address_defaults;
3609 addr->address = recipient;
3610 if (deliver_split_address(addr) == DEFER)
3612 *log_msgptr = US"defer in percent_hack_domains check";
3615 deliver_domain = addr->domain;
3616 deliver_localpart = addr->local_part;
3619 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3621 deliver_domain = deliver_localpart = deliver_address_data =
3622 sender_address_data = NULL;
3624 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3625 ACL, which is really in the middle of an SMTP command. */
3629 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3631 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3632 "ACL", acl_wherenames[where]);
3638 /* A DROP response is not permitted from MAILAUTH */
3640 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3642 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3643 "ACL", acl_wherenames[where]);
3647 /* Before giving a response, take a look at the length of any user message, and
3648 split it up into multiple lines if possible. */
3650 if (*user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
3652 uschar *s = *user_msgptr = string_copy(*user_msgptr);
3658 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
3659 if (*ss == 0) break;
3666 while (--t > s + 35)
3670 if (t[-1] == ':') { tt = t; break; }
3671 if (tt == NULL) tt = t;
3675 if (tt == NULL) /* Can't split behind - try ahead */
3680 if (*t == ' ' || *t == '\n')
3686 if (tt == NULL) break; /* Can't find anywhere to split */
3698 /*************************************************
3699 * Create ACL variable *
3700 *************************************************/
3702 /* Create an ACL variable or reuse an existing one. ACL variables are in a
3703 binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3706 name pointer to the variable's name, starting with c or m
3708 Returns the pointer to variable's tree node
3712 acl_var_create(uschar *name)
3714 tree_node *node, **root;
3715 root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3716 node = tree_search(*root, name);
3719 node = store_get(sizeof(tree_node) + Ustrlen(name));
3720 Ustrcpy(node->name, name);
3721 (void)tree_insertnode(root, node);
3723 node->data.ptr = NULL;
3729 /*************************************************
3730 * Write an ACL variable in spool format *
3731 *************************************************/
3733 /* This function is used as a callback for tree_walk when writing variables to
3734 the spool file. To retain spool file compatibility, what is written is -aclc or
3735 -aclm followed by the rest of the name and the data length, space separated,
3736 then the value itself, starting on a new line, and terminated by an additional
3737 newline. When we had only numbered ACL variables, the first line might look
3738 like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3742 name of the variable
3743 value of the variable
3744 ctx FILE pointer (as a void pointer)
3750 acl_var_write(uschar *name, uschar *value, void *ctx)
3752 FILE *f = (FILE *)ctx;
3753 fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
git://git.exim.org / exim.git / blob