1 /* $Cambridge: exim/src/src/acl.c,v 1.5.2.3 2004/12/02 16:33:30 tom Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2004 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the condition for which "message" is used */
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
34 /* ACL condition and modifier codes - keep in step with the table that
37 enum { ACLC_ACL, ACLC_AUTHENTICATED, ACLC_CONDITION, ACLC_CONTROL,
38 #ifdef WITH_CONTENT_SCAN
42 #ifdef WITH_OLD_DEMIME
45 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
46 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
47 #ifdef WITH_CONTENT_SCAN
51 #ifdef WITH_CONTENT_SCAN
55 #ifdef WITH_CONTENT_SCAN
58 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
59 #ifdef WITH_CONTENT_SCAN
64 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
65 "log_message", "logwrite", and "set" are modifiers that look like conditions
66 but always return TRUE. They are used for their side effects. */
68 static uschar *conditions[] = { US"acl", US"authenticated", US"condition",
70 #ifdef WITH_CONTENT_SCAN
74 #ifdef WITH_OLD_DEMIME
77 US"dnslists", US"domains", US"encrypted",
78 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
79 #ifdef WITH_CONTENT_SCAN
83 #ifdef WITH_CONTENT_SCAN
87 #ifdef WITH_CONTENT_SCAN
90 US"sender_domains", US"senders", US"set",
91 #ifdef WITH_CONTENT_SCAN
96 /* ACL control names */
98 static uschar *controls[] = { US"error", US"caseful_local_part",
99 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
100 US"queue_only", US"submission", US"no_multiline"};
102 /* Flags to indicate for which conditions /modifiers a string expansion is done
103 at the outer level. In the other cases, expansion already occurs in the
104 checking functions. */
106 static uschar cond_expand_at_top[] = {
108 FALSE, /* authenticated */
109 TRUE, /* condition */
111 #ifdef WITH_CONTENT_SCAN
115 #ifdef WITH_OLD_DEMIME
120 FALSE, /* encrypted */
123 FALSE, /* local_parts */
124 TRUE, /* log_message */
126 #ifdef WITH_CONTENT_SCAN
130 #ifdef WITH_CONTENT_SCAN
131 TRUE, /* mime_regex */
133 FALSE, /* recipients */
134 #ifdef WITH_CONTENT_SCAN
137 FALSE, /* sender_domains */
140 #ifdef WITH_CONTENT_SCAN
146 /* Flags to identify the modifiers */
148 static uschar cond_modifiers[] = {
150 FALSE, /* authenticated */
151 FALSE, /* condition */
153 #ifdef WITH_CONTENT_SCAN
157 #ifdef WITH_OLD_DEMIME
160 FALSE, /* dnslists */
162 FALSE, /* encrypted */
165 FALSE, /* local_parts */
166 TRUE, /* log_message */
168 #ifdef WITH_CONTENT_SCAN
172 #ifdef WITH_CONTENT_SCAN
173 FALSE, /* mime_regex */
175 FALSE, /* recipients */
176 #ifdef WITH_CONTENT_SCAN
179 FALSE, /* sender_domains */
182 #ifdef WITH_CONTENT_SCAN
188 /* Bit map vector of which conditions are not allowed at certain times. For
189 each condition, there's a bitmap of dis-allowed times. */
191 static unsigned int cond_forbids[] = {
193 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
197 /* Certain types of control are always allowed, so we let it through
198 always and check in the control processing itself */
202 #ifdef WITH_CONTENT_SCAN
203 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* decode */
204 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
205 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
206 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
207 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
208 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
209 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
214 #ifdef WITH_CONTENT_SCAN
215 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* demime */
216 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
217 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
218 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
219 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
220 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
221 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
224 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
226 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
227 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
228 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
229 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
230 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
231 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
234 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
237 (1<<ACL_WHERE_NOTSMTP), /* hosts */
239 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
240 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
241 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
242 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
243 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
244 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
250 #ifdef WITH_CONTENT_SCAN
251 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* malware */
252 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
253 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
254 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
255 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
256 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
257 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
262 #ifdef WITH_CONTENT_SCAN
263 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* mime_regex */
264 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
265 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
266 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
267 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
268 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
269 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
272 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
273 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
274 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
275 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
276 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
277 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
280 #ifdef WITH_CONTENT_SCAN
281 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* regex */
282 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
283 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
284 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
285 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
286 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
287 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
290 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
292 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
293 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
294 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
296 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
298 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
299 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
300 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
304 #ifdef WITH_CONTENT_SCAN
305 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* spam */
306 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
307 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
308 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
309 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
310 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
311 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
314 /* Certain types of verify are always allowed, so we let it through
315 always and check in the verify function itself */
321 /* Return values from decode_control() */
323 enum { CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
324 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
325 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
326 #ifdef WITH_CONTENT_SCAN
327 CONTROL_NO_MBOX_UNSPOOL, CONTROL_FAKEREJECT,
329 CONTROL_NO_MULTILINE };
331 /* Bit map vector of which controls are not allowed at certain times. For
332 each control, there's a bitmap of dis-allowed times. For some, it is easier to
333 specify the negation of a small number of allowed times. */
335 static unsigned int control_forbids[] = {
337 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
338 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
339 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
340 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
342 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
343 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
344 (1<<ACL_WHERE_NOTSMTP)),
346 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
347 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
348 (1<<ACL_WHERE_NOTSMTP)),
350 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
351 (1<<ACL_WHERE_PREDATA)),
353 #ifdef WITH_CONTENT_SCAN
354 (1<<ACL_WHERE_NOTSMTP), /* no_mbox_unspool */
355 (1<<ACL_WHERE_NOTSMTP), /* fakereject */
358 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
361 /* Structure listing various control arguments, with their characteristics. */
363 typedef struct control_def {
365 int value; /* CONTROL_xxx value */
366 BOOL has_option; /* Has /option(s) following */
369 static control_def controls_list[] = {
370 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
371 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
372 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
373 { US"freeze", CONTROL_FREEZE, FALSE},
374 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
375 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
376 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
377 #ifdef WITH_CONTENT_SCAN
378 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
379 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
381 { US"submission", CONTROL_SUBMISSION, TRUE}
384 /* Enable recursion between acl_check_internal() and acl_check_condition() */
386 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
390 /*************************************************
391 * Pick out name from list *
392 *************************************************/
394 /* Use a binary chop method
401 Returns: offset in list, or -1 if not found
405 acl_checkname(uschar *name, uschar **list, int end)
411 int mid = (start + end)/2;
412 int c = Ustrcmp(name, list[mid]);
413 if (c == 0) return mid;
414 if (c < 0) end = mid; else start = mid + 1;
421 /*************************************************
422 * Read and parse one ACL *
423 *************************************************/
425 /* This function is called both from readconf in order to parse the ACLs in the
426 configuration file, and also when an ACL is encountered dynamically (e.g. as
427 the result of an expansion). It is given a function to call in order to
428 retrieve the lines of the ACL. This function handles skipping comments and
429 blank lines (where relevant).
432 func function to get next line of ACL
433 error where to put an error message
435 Returns: pointer to ACL, or NULL
436 NULL can be legal (empty ACL); in this case error will be NULL
440 acl_read(uschar *(*func)(void), uschar **error)
442 acl_block *yield = NULL;
443 acl_block **lastp = &yield;
444 acl_block *this = NULL;
445 acl_condition_block *cond;
446 acl_condition_block **condp = NULL;
451 while ((s = (*func)()) != NULL)
454 BOOL negated = FALSE;
455 uschar *saveline = s;
458 /* Conditions (but not verbs) are allowed to be negated by an initial
461 while (isspace(*s)) s++;
468 /* Read the name of a verb or a condition, or the start of a new ACL */
470 s = readconf_readname(name, sizeof(name), s);
473 if (negated || name[0] == 0)
475 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
481 /* If a verb is unrecognized, it may be another condition or modifier that
482 continues the previous verb. */
484 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
489 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
500 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
503 this = store_get(sizeof(acl_block));
505 lastp = &(this->next);
508 this->condition = NULL;
509 condp = &(this->condition);
510 if (*s == 0) continue; /* No condition on this line */
516 s = readconf_readname(name, sizeof(name), s); /* Condition name */
519 /* Handle a condition or modifier. */
521 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
524 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
529 /* The modifiers may not be negated */
531 if (negated && cond_modifiers[c])
533 *error = string_sprintf("ACL error: negation is not allowed with "
534 "\"%s\"", conditions[c]);
538 /* ENDPASS may occur only with ACCEPT or DISCARD. */
540 if (c == ACLC_ENDPASS &&
541 this->verb != ACL_ACCEPT &&
542 this->verb != ACL_DISCARD)
544 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
545 conditions[c], verbs[this->verb]);
549 cond = store_get(sizeof(acl_condition_block));
552 cond->u.negated = negated;
555 condp = &(cond->next);
557 /* The "set" modifier is different in that its argument is "name=value"
558 rather than just a value, and we can check the validity of the name, which
559 gives us a variable number to insert into the data block. */
563 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
564 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
566 *error = string_sprintf("unrecognized name after \"set\" in ACL "
567 "modifier \"set %s\"", s);
571 cond->u.varnumber = s[5] - '0';
572 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
574 while (isspace(*s)) s++;
577 /* For "set", we are now positioned for the data. For the others, only
578 "endpass" has no data */
580 if (c != ACLC_ENDPASS)
584 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
585 cond_modifiers[c]? US"modifier" : US"condition");
588 while (isspace(*s)) s++;
589 cond->arg = string_copy(s);
598 /*************************************************
600 *************************************************/
602 /* This function is called when a WARN verb's conditions are true. It adds to
603 the message's headers, and/or writes information to the log. In each case, this
604 only happens once (per message for headers, per connection for log).
607 where ACL_WHERE_xxxx indicating which ACL this is
608 user_message message for adding to headers
609 log_message message for logging, if different
615 acl_warn(int where, uschar *user_message, uschar *log_message)
619 if (log_message != NULL && log_message != user_message)
624 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
625 string_printing(log_message));
627 /* If a sender verification has failed, and the log message is "sender verify
628 failed", add the failure message. */
630 if (sender_verified_failed != NULL &&
631 sender_verified_failed->message != NULL &&
632 strcmpic(log_message, US"sender verify failed") == 0)
633 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
635 /* Search previously logged warnings. They are kept in malloc store so they
636 can be freed at the start of a new message. */
638 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
639 if (Ustrcmp(logged->text, text) == 0) break;
643 int length = Ustrlen(text) + 1;
644 log_write(0, LOG_MAIN, "%s", text);
645 logged = store_malloc(sizeof(string_item) + length);
646 logged->text = (uschar *)logged + sizeof(string_item);
647 memcpy(logged->text, text, length);
648 logged->next = acl_warn_logged;
649 acl_warn_logged = logged;
653 /* If there's no user message, we are done. */
655 if (user_message == NULL) return;
657 /* If this isn't a message ACL, we can't do anything with a user message.
660 if (where > ACL_WHERE_NOTSMTP)
662 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
663 "found in a non-message (%s) ACL: cannot specify header lines here: "
664 "message ignored", acl_wherenames[where]);
668 /* Treat the user message as a sequence of one or more header lines. */
670 hlen = Ustrlen(user_message);
673 uschar *text, *p, *q;
675 /* Add a final newline if not present */
677 text = ((user_message)[hlen-1] == '\n')? user_message :
678 string_sprintf("%s\n", user_message);
680 /* Loop for multiple header lines, taking care about continuations */
682 for (p = q = text; *p != 0; )
685 int newtype = htype_add_bot;
686 header_line **hptr = &acl_warn_headers;
688 /* Find next header line within the string */
692 q = Ustrchr(q, '\n');
693 if (*(++q) != ' ' && *q != '\t') break;
696 /* If the line starts with a colon, interpret the instruction for where to
697 add it. This temporarily sets up a new type. */
701 if (strncmpic(p, US":after_received:", 16) == 0)
703 newtype = htype_add_rec;
706 else if (strncmpic(p, US":at_start:", 10) == 0)
708 newtype = htype_add_top;
711 else if (strncmpic(p, US":at_end:", 8) == 0)
713 newtype = htype_add_bot;
716 while (*p == ' ' || *p == '\t') p++;
719 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
720 to the front of it. */
722 for (s = p; s < q - 1; s++)
724 if (*s == ':' || !isgraph(*s)) break;
727 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
730 /* See if this line has already been added */
732 while (*hptr != NULL)
734 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
735 hptr = &((*hptr)->next);
738 /* Add if not previously present */
742 header_line *h = store_get(sizeof(header_line));
751 /* Advance for next header line within the string */
760 /*************************************************
761 * Verify and check reverse DNS *
762 *************************************************/
764 /* Called from acl_verify() below. We look up the host name(s) of the client IP
765 address if this has not yet been done. The host_name_lookup() function checks
766 that one of these names resolves to an address list that contains the client IP
767 address, so we don't actually have to do the check here.
770 user_msgptr pointer for user message
771 log_msgptr pointer for log message
773 Returns: OK verification condition succeeded
774 FAIL verification failed
775 DEFER there was a problem verifying
779 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
783 user_msgptr = user_msgptr; /* stop compiler warning */
785 /* Previous success */
787 if (sender_host_name != NULL) return OK;
789 /* Previous failure */
791 if (host_lookup_failed)
793 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
797 /* Need to do a lookup */
800 debug_printf("looking up host name to force name/address consistency check\n");
802 if ((rc = host_name_lookup()) != OK)
804 *log_msgptr = (rc == DEFER)?
805 US"host lookup deferred for reverse lookup check"
807 string_sprintf("host lookup failed for reverse lookup check%s",
809 return rc; /* DEFER or FAIL */
812 host_build_sender_fullhost();
818 /*************************************************
819 * Handle verification (address & other) *
820 *************************************************/
822 /* This function implements the "verify" condition. It is called when
823 encountered in any ACL, because some tests are almost always permitted. Some
824 just don't make sense, and always fail (for example, an attempt to test a host
825 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
828 where where called from
829 addr the recipient address that the ACL is handling, or NULL
830 arg the argument of "verify"
831 user_msgptr pointer for user message
832 log_msgptr pointer for log message
833 basic_errno where to put verify errno
835 Returns: OK verification condition succeeded
836 FAIL verification failed
837 DEFER there was a problem verifying
842 acl_verify(int where, address_item *addr, uschar *arg,
843 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
847 int callout_overall = -1;
848 int callout_connect = -1;
849 int verify_options = 0;
851 BOOL verify_header_sender = FALSE;
852 BOOL defer_ok = FALSE;
853 BOOL callout_defer_ok = FALSE;
854 BOOL no_details = FALSE;
855 address_item *sender_vaddr = NULL;
856 uschar *verify_sender_address = NULL;
857 uschar *pm_mailfrom = NULL;
858 uschar *se_mailfrom = NULL;
860 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
862 if (ss == NULL) goto BAD_VERIFY;
864 /* Handle name/address consistency verification in a separate function. */
866 if (strcmpic(ss, US"reverse_host_lookup") == 0)
868 if (sender_host_address == NULL) return OK;
869 return acl_verify_reverse(user_msgptr, log_msgptr);
872 /* TLS certificate verification is done at STARTTLS time; here we just
873 test whether it was successful or not. (This is for optional verification; for
874 mandatory verification, the connection doesn't last this long.) */
876 if (strcmpic(ss, US"certificate") == 0)
878 if (tls_certificate_verified) return OK;
879 *user_msgptr = US"no verified certificate";
883 /* We can test the result of optional HELO verification */
885 if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
887 /* Handle header verification options - permitted only after DATA or a non-SMTP
890 if (strncmpic(ss, US"header_", 7) == 0)
892 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
894 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
895 "(only possible in ACL for DATA)", acl_wherenames[where]);
899 /* Check that all relevant header lines have the correct syntax. If there is
900 a syntax error, we return details of the error to the sender if configured to
901 send out full details. (But a "message" setting on the ACL can override, as
904 if (strcmpic(ss+7, US"syntax") == 0)
906 int rc = verify_check_headers(log_msgptr);
907 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
908 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
912 /* Check that there is at least one verifiable sender address in the relevant
913 header lines. This can be followed by callout and defer options, just like
914 sender and recipient. */
916 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
918 /* Unknown verify argument starting with "header_" */
920 else goto BAD_VERIFY;
923 /* Otherwise, first item in verify argument must be "sender" or "recipient".
924 In the case of a sender, this can optionally be followed by an address to use
925 in place of the actual sender (rare special-case requirement). */
927 else if (strncmpic(ss, US"sender", 6) == 0)
930 if (where > ACL_WHERE_NOTSMTP)
932 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
933 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
934 acl_wherenames[where]);
938 verify_sender_address = sender_address;
941 while (isspace(*s)) s++;
942 if (*s++ != '=') goto BAD_VERIFY;
943 while (isspace(*s)) s++;
944 verify_sender_address = string_copy(s);
949 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
952 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
953 "(only possible for RCPT)", acl_wherenames[where]);
958 /* Remaining items are optional */
960 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
963 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
964 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
966 /* These two old options are left for backwards compatibility */
968 else if (strcmpic(ss, US"callout_defer_ok") == 0)
970 callout_defer_ok = TRUE;
971 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
974 else if (strcmpic(ss, US"check_postmaster") == 0)
977 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
980 /* The callout option has a number of sub-options, comma separated */
982 else if (strncmpic(ss, US"callout", 7) == 0)
984 callout = CALLOUT_TIMEOUT_DEFAULT;
988 while (isspace(*ss)) ss++;
994 while (isspace(*ss)) ss++;
996 /* This callout option handling code has become a mess as new options
997 have been added in an ad hoc manner. It should be tidied up into some
998 kind of table-driven thing. */
1000 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1003 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1004 else if (strcmpic(opt, US"no_cache") == 0)
1005 verify_options |= vopt_callout_no_cache;
1006 else if (strcmpic(opt, US"random") == 0)
1007 verify_options |= vopt_callout_random;
1008 else if (strcmpic(opt, US"use_sender") == 0)
1009 verify_options |= vopt_callout_recipsender;
1010 else if (strcmpic(opt, US"use_postmaster") == 0)
1011 verify_options |= vopt_callout_recippmaster;
1012 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1014 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1016 if (!verify_header_sender)
1018 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1019 "callout option only for verify=header_sender (detected in ACL "
1020 "condition \"%s\")", arg);
1024 while (isspace(*opt)) opt++;
1027 *log_msgptr = string_sprintf("'=' expected after "
1028 "\"mailfrom\" in ACL condition \"%s\"", arg);
1031 while (isspace(*opt)) opt++;
1032 se_mailfrom = string_copy(opt);
1035 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1038 while (isspace(*opt)) opt++;
1041 *log_msgptr = string_sprintf("'=' expected after "
1042 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1045 while (isspace(*opt)) opt++;
1046 pm_mailfrom = string_copy(opt);
1049 else if (strncmpic(opt, US"maxwait", 7) == 0)
1052 while (isspace(*opt)) opt++;
1055 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1056 "ACL condition \"%s\"", arg);
1059 while (isspace(*opt)) opt++;
1060 callout_overall = readconf_readtime(opt, 0, FALSE);
1061 if (callout_overall < 0)
1063 *log_msgptr = string_sprintf("bad time value in ACL condition "
1064 "\"verify %s\"", arg);
1068 else if (strncmpic(opt, US"connect", 7) == 0)
1071 while (isspace(*opt)) opt++;
1074 *log_msgptr = string_sprintf("'=' expected after "
1075 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1078 while (isspace(*opt)) opt++;
1079 callout_connect = readconf_readtime(opt, 0, FALSE);
1080 if (callout_connect < 0)
1082 *log_msgptr = string_sprintf("bad time value in ACL condition "
1083 "\"verify %s\"", arg);
1087 else /* Plain time is callout connect/command timeout */
1089 callout = readconf_readtime(opt, 0, FALSE);
1092 *log_msgptr = string_sprintf("bad time value in ACL condition "
1093 "\"verify %s\"", arg);
1101 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1102 "ACL condition \"%s\"", arg);
1108 /* Option not recognized */
1112 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1113 "condition \"verify %s\"", ss, arg);
1118 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1119 (vopt_callout_recipsender|vopt_callout_recippmaster))
1121 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1122 "for a recipient callout";
1126 /* Handle sender-in-header verification. Default the user message to the log
1127 message if giving out verification details. */
1129 if (verify_header_sender)
1131 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1132 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options);
1133 if (smtp_return_error_details)
1135 if (*user_msgptr == NULL && *log_msgptr != NULL)
1136 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1137 if (rc == DEFER) acl_temp_details = TRUE;
1141 /* Handle a sender address. The default is to verify *the* sender address, but
1142 optionally a different address can be given, for special requirements. If the
1143 address is empty, we are dealing with a bounce message that has no sender, so
1144 we cannot do any checking. If the real sender address gets rewritten during
1145 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1146 during message reception.
1148 A list of verified "sender" addresses is kept to try to avoid doing to much
1149 work repetitively when there are multiple recipients in a message and they all
1150 require sender verification. However, when callouts are involved, it gets too
1151 complicated because different recipients may require different callout options.
1152 Therefore, we always do a full sender verify when any kind of callout is
1153 specified. Caching elsewhere, for instance in the DNS resolver and in the
1154 callout handling, should ensure that this is not terribly inefficient. */
1156 else if (verify_sender_address != NULL)
1158 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1161 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1162 "sender verify callout";
1166 sender_vaddr = verify_checked_sender(verify_sender_address);
1167 if (sender_vaddr != NULL && /* Previously checked */
1168 callout <= 0) /* No callout needed this time */
1170 /* If the "routed" flag is set, it means that routing worked before, so
1171 this check can give OK (the saved return code value, if set, belongs to a
1172 callout that was done previously). If the "routed" flag is not set, routing
1173 must have failed, so we use the saved return code. */
1175 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1177 rc = sender_vaddr->special_action;
1178 *basic_errno = sender_vaddr->basic_errno;
1180 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1183 /* Do a new verification, and cache the result. The cache is used to avoid
1184 verifying the sender multiple times for multiple RCPTs when callouts are not
1185 specified (see comments above).
1187 The cache is also used on failure to give details in response to the first
1188 RCPT that gets bounced for this reason. However, this can be suppressed by
1189 the no_details option, which sets the flag that says "this detail has already
1190 been sent". The cache normally contains just one address, but there may be
1191 more in esoteric circumstances. */
1196 uschar *save_address_data = deliver_address_data;
1198 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1199 if (no_details) setflag(sender_vaddr, af_sverify_told);
1200 if (verify_sender_address[0] != 0)
1202 /* If this is the real sender address, save the unrewritten version
1203 for use later in receive. Otherwise, set a flag so that rewriting the
1204 sender in verify_address() does not update sender_address. */
1206 if (verify_sender_address == sender_address)
1207 sender_address_unrewritten = sender_address;
1209 verify_options |= vopt_fake_sender;
1211 /* The recipient, qualify, and expn options are never set in
1214 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1215 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1217 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1221 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1223 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1224 verify_sender_address, sender_vaddr->address);
1228 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1229 verify_sender_address);
1232 else *basic_errno = sender_vaddr->basic_errno;
1234 else rc = OK; /* Null sender */
1236 /* Cache the result code */
1238 if (routed) setflag(sender_vaddr, af_verify_routed);
1239 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1240 sender_vaddr->special_action = rc;
1241 sender_vaddr->next = sender_verified_list;
1242 sender_verified_list = sender_vaddr;
1244 /* Restore the recipient address data, which might have been clobbered by
1245 the sender verification. */
1247 deliver_address_data = save_address_data;
1250 /* Put the sender address_data value into $sender_address_data */
1252 sender_address_data = sender_vaddr->p.address_data;
1255 /* A recipient address just gets a straightforward verify; again we must handle
1256 the DEFER overrides. */
1262 /* We must use a copy of the address for verification, because it might
1266 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1267 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1268 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1269 *log_msgptr = addr2.message;
1270 *user_msgptr = addr2.user_message;
1271 *basic_errno = addr2.basic_errno;
1273 /* Make $address_data visible */
1274 deliver_address_data = addr2.p.address_data;
1277 /* We have a result from the relevant test. Handle defer overrides first. */
1279 if (rc == DEFER && (defer_ok ||
1280 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1282 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1283 defer_ok? "defer_ok" : "callout_defer_ok");
1287 /* If we've failed a sender, set up a recipient message, and point
1288 sender_verified_failed to the address item that actually failed. */
1290 if (rc != OK && verify_sender_address != NULL)
1294 *log_msgptr = *user_msgptr = US"Sender verify failed";
1296 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1298 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1302 *log_msgptr = US"Could not complete sender verify callout";
1303 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1307 sender_verified_failed = sender_vaddr;
1310 /* Verifying an address messes up the values of $domain and $local_part,
1311 so reset them before returning if this is a RCPT ACL. */
1315 deliver_domain = addr->domain;
1316 deliver_localpart = addr->local_part;
1320 /* Syntax errors in the verify argument come here. */
1323 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1324 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1325 "\"verify %s\"", arg);
1332 /*************************************************
1333 * Check argument for control= modifier *
1334 *************************************************/
1336 /* Called from acl_check_condition() below
1339 arg the argument string for control=
1340 pptr set to point to the terminating character
1341 where which ACL we are in
1342 log_msgptr for error messages
1344 Returns: CONTROL_xxx value
1348 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1353 for (d = controls_list;
1354 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1357 len = Ustrlen(d->name);
1358 if (Ustrncmp(d->name, arg, len) == 0) break;
1361 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1362 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1364 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1365 return CONTROL_ERROR;
1374 /*************************************************
1375 * Handle conditions/modifiers on an ACL item *
1376 *************************************************/
1378 /* Called from acl_check() below.
1382 cb ACL condition block - if NULL, result is OK
1383 where where called from
1384 addr the address being checked for RCPT, or NULL
1385 level the nesting level
1386 epp pointer to pass back TRUE if "endpass" encountered
1387 (applies only to "accept" and "discard")
1388 user_msgptr user message pointer
1389 log_msgptr log message pointer
1390 basic_errno pointer to where to put verify error
1392 Returns: OK - all conditions are met
1393 DISCARD - an "acl" condition returned DISCARD - only allowed
1394 for "accept" or "discard" verbs
1395 FAIL - at least one condition fails
1396 FAIL_DROP - an "acl" condition returned FAIL_DROP
1397 DEFER - can't tell at the moment (typically, lookup defer,
1398 but can be temporary callout problem)
1399 ERROR - ERROR from nested ACL or expansion failure or other
1404 acl_check_condition(int verb, acl_condition_block *cb, int where,
1405 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1406 uschar **log_msgptr, int *basic_errno)
1408 uschar *user_message = NULL;
1409 uschar *log_message = NULL;
1412 #ifdef WITH_CONTENT_SCAN
1416 for (; cb != NULL; cb = cb->next)
1421 /* The message and log_message items set up messages to be used in
1422 case of rejection. They are expanded later. */
1424 if (cb->type == ACLC_MESSAGE)
1426 user_message = cb->arg;
1430 if (cb->type == ACLC_LOG_MESSAGE)
1432 log_message = cb->arg;
1436 /* The endpass "condition" just sets a flag to show it occurred. This is
1437 checked at compile time to be on an "accept" or "discard" item. */
1439 if (cb->type == ACLC_ENDPASS)
1445 /* For other conditions and modifiers, the argument is expanded now for some
1446 of them, but not for all, because expansion happens down in some lower level
1447 checking functions in some cases. */
1449 if (cond_expand_at_top[cb->type])
1451 arg = expand_string(cb->arg);
1454 if (expand_string_forcedfail) continue;
1455 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1456 cb->arg, expand_string_message);
1457 return search_find_defer? DEFER : ERROR;
1462 /* Show condition, and expanded condition if it's different */
1467 debug_printf("check %s%s %n",
1468 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1469 conditions[cb->type], &lhswidth);
1471 if (cb->type == ACLC_SET)
1473 int n = cb->u.varnumber;
1474 int t = (n < ACL_C_MAX)? 'c' : 'm';
1475 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1476 debug_printf("acl_%c%d ", t, n);
1480 debug_printf("= %s\n", cb->arg);
1483 debug_printf("%.*s= %s\n", lhswidth,
1487 /* Check that this condition makes sense at this time */
1489 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1491 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1492 cond_modifiers[cb->type]? "use" : "test",
1493 conditions[cb->type], acl_wherenames[where]);
1497 /* Run the appropriate test for each condition, or take the appropriate
1498 action for the remaining modifiers. */
1502 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1506 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1507 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1509 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1510 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1516 case ACLC_AUTHENTICATED:
1517 rc = (sender_host_authenticated == NULL)? FAIL :
1518 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1522 case ACLC_CONDITION:
1523 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1524 rc = (Uatoi(arg) == 0)? FAIL : OK;
1526 rc = (strcmpic(arg, US"no") == 0 ||
1527 strcmpic(arg, US"false") == 0)? FAIL :
1528 (strcmpic(arg, US"yes") == 0 ||
1529 strcmpic(arg, US"true") == 0)? OK : DEFER;
1531 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1535 control_type = decode_control(arg, &p, where, log_msgptr);
1537 /* Check this control makes sense at this time */
1539 if ((control_forbids[control_type] & (1 << where)) != 0)
1541 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1542 controls[control_type], acl_wherenames[where]);
1546 switch(control_type)
1551 case CONTROL_CASEFUL_LOCAL_PART:
1552 deliver_localpart = addr->cc_local_part;
1555 case CONTROL_CASELOWER_LOCAL_PART:
1556 deliver_localpart = addr->lc_local_part;
1559 case CONTROL_ENFORCE_SYNC:
1560 smtp_enforce_sync = TRUE;
1563 case CONTROL_NO_ENFORCE_SYNC:
1564 smtp_enforce_sync = FALSE;
1567 #ifdef WITH_CONTENT_SCAN
1568 case CONTROL_NO_MBOX_UNSPOOL:
1569 no_mbox_unspool = TRUE;
1573 case CONTROL_NO_MULTILINE:
1574 no_multiline_responses = TRUE;
1577 #ifdef WITH_CONTENT_SCAN
1578 case CONTROL_FAKEREJECT:
1583 case CONTROL_FREEZE:
1584 deliver_freeze = TRUE;
1585 deliver_frozen_at = time(NULL);
1588 case CONTROL_QUEUE_ONLY:
1589 queue_only_policy = TRUE;
1592 case CONTROL_SUBMISSION:
1593 submission_mode = TRUE;
1596 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1599 active_local_sender_retain = TRUE;
1600 active_local_from_check = FALSE;
1602 else if (Ustrncmp(p, "/domain=", 8) == 0)
1605 while (*pp != 0 && *pp != '/') pp++;
1606 submission_domain = string_copyn(p+8, pp-p);
1613 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1620 #ifdef WITH_CONTENT_SCAN
1622 rc = mime_decode(&arg);
1628 int delay = readconf_readtime(arg, 0, FALSE);
1631 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1632 "modifier: \"%s\" is not a time value", arg);
1637 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1642 debug_printf("delay skipped in -bh checking mode\n");
1649 #ifdef WITH_OLD_DEMIME
1656 rc = verify_check_dnsbl(&arg);
1660 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1661 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1664 /* The value in tls_cipher is the full cipher name, for example,
1665 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1666 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1667 what may in practice come out of the SSL library - which at the time of
1668 writing is poorly documented. */
1670 case ACLC_ENCRYPTED:
1671 if (tls_cipher == NULL) rc = FAIL; else
1673 uschar *endcipher = NULL;
1674 uschar *cipher = Ustrchr(tls_cipher, ':');
1675 if (cipher == NULL) cipher = tls_cipher; else
1677 endcipher = Ustrchr(++cipher, ':');
1678 if (endcipher != NULL) *endcipher = 0;
1680 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1681 if (endcipher != NULL) *endcipher = ':';
1685 /* Use verify_check_this_host() instead of verify_check_host() so that
1686 we can pass over &host_data to catch any looked up data. Once it has been
1687 set, it retains its value so that it's still there if another ACL verb
1688 comes through here and uses the cache. However, we must put it into
1689 permanent store in case it is also expected to be used in a subsequent
1690 message in the same SMTP connection. */
1693 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1694 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1695 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1698 case ACLC_LOCAL_PARTS:
1699 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1700 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1701 &deliver_localpart_data);
1713 if (Ustrncmp(s, "main", 4) == 0)
1714 { logbits |= LOG_MAIN; s += 4; }
1715 else if (Ustrncmp(s, "panic", 5) == 0)
1716 { logbits |= LOG_PANIC; s += 5; }
1717 else if (Ustrncmp(s, "reject", 6) == 0)
1718 { logbits |= LOG_REJECT; s += 6; }
1721 logbits = LOG_MAIN|LOG_PANIC;
1722 s = string_sprintf(":unknown log name in \"%s\" in "
1723 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
1729 while (isspace(*s)) s++;
1730 if (logbits == 0) logbits = LOG_MAIN;
1731 log_write(0, logbits, "%s", string_printing(s));
1735 #ifdef WITH_CONTENT_SCAN
1738 /* Seperate the regular expression and any optional parameters. */
1739 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1740 /* Run the malware backend. */
1742 /* Modify return code based upon the existance of options. */
1743 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1745 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1747 /* FAIL so that the message is passed to the next ACL */
1754 case ACLC_MIME_REGEX:
1755 rc = mime_regex(&arg);
1759 case ACLC_RECIPIENTS:
1760 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
1764 #ifdef WITH_CONTENT_SCAN
1770 case ACLC_SENDER_DOMAINS:
1773 sdomain = Ustrrchr(sender_address, '@');
1774 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
1775 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
1776 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
1781 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
1782 sender_address_cache, -1, 0, &sender_data);
1785 /* Connection variables must persist forever */
1789 int old_pool = store_pool;
1790 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
1791 acl_var[cb->u.varnumber] = string_copy(arg);
1792 store_pool = old_pool;
1796 #ifdef WITH_CONTENT_SCAN
1799 /* Seperate the regular expression and any optional parameters. */
1800 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1801 /* Run the spam backend. */
1803 /* Modify return code based upon the existance of options. */
1804 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1806 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1808 /* FAIL so that the message is passed to the next ACL */
1816 /* If the verb is WARN, discard any user message from verification, because
1817 such messages are SMTP responses, not header additions. The latter come
1818 only from explicit "message" modifiers. */
1821 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
1822 if (verb == ACL_WARN) *user_msgptr = NULL;
1826 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
1827 "condition %d", cb->type);
1831 /* If a condition was negated, invert OK/FAIL. */
1833 if (!cond_modifiers[cb->type] && cb->u.negated)
1835 if (rc == OK) rc = FAIL;
1836 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
1839 if (rc != OK) break; /* Conditions loop */
1843 /* If the result is the one for which "message" and/or "log_message" are used,
1844 handle the values of these options. Most verbs have but a single return for
1845 which the messages are relevant, but for "discard", it's useful to have the log
1846 message both when it succeeds and when it fails. Also, for an "accept" that
1847 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
1848 and "warn" are permitted in that ACL, we don't need to test the verb.
1850 These modifiers act in different ways:
1852 "message" is a user message that will be included in an SMTP response. Unless
1853 it is empty, it overrides any previously set user message.
1855 "log_message" is a non-user message, and it adds to any existing non-user
1856 message that is already set.
1858 If there isn't a log message set, we make it the same as the user message. */
1860 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
1861 (verb == ACL_DISCARD && rc == OK) ||
1862 (where == ACL_WHERE_QUIT))
1866 /* If the verb is "warn", messages generated by conditions (verification or
1867 nested ACLs) are discarded. Only messages specified at this level are used.
1868 However, the value of an existing message is available in $acl_verify_message
1869 during expansions. */
1871 uschar *old_user_msgptr = *user_msgptr;
1872 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
1874 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
1876 if (user_message != NULL)
1878 acl_verify_message = old_user_msgptr;
1879 expmessage = expand_string(user_message);
1880 if (expmessage == NULL)
1882 if (!expand_string_forcedfail)
1883 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1884 user_message, expand_string_message);
1886 else if (expmessage[0] != 0) *user_msgptr = expmessage;
1889 if (log_message != NULL)
1891 acl_verify_message = old_log_msgptr;
1892 expmessage = expand_string(log_message);
1893 if (expmessage == NULL)
1895 if (!expand_string_forcedfail)
1896 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1897 log_message, expand_string_message);
1899 else if (expmessage[0] != 0)
1901 *log_msgptr = (*log_msgptr == NULL)? expmessage :
1902 string_sprintf("%s: %s", expmessage, *log_msgptr);
1906 /* If no log message, default it to the user message */
1908 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
1911 acl_verify_message = NULL;
1919 /*************************************************
1920 * Get line from a literal ACL *
1921 *************************************************/
1923 /* This function is passed to acl_read() in order to extract individual lines
1924 of a literal ACL, which we access via static pointers. We can destroy the
1925 contents because this is called only once (the compiled ACL is remembered).
1927 This code is intended to treat the data in the same way as lines in the main
1928 Exim configuration file. That is:
1930 . Leading spaces are ignored.
1932 . A \ at the end of a line is a continuation - trailing spaces after the \
1933 are permitted (this is because I don't believe in making invisible things
1934 significant). Leading spaces on the continued part of a line are ignored.
1936 . Physical lines starting (significantly) with # are totally ignored, and
1937 may appear within a sequence of backslash-continued lines.
1939 . Blank lines are ignored, but will end a sequence of continuations.
1942 Returns: a pointer to the next line
1946 static uschar *acl_text; /* Current pointer in the text */
1947 static uschar *acl_text_end; /* Points one past the terminating '0' */
1955 /* This loop handles leading blank lines and comments. */
1959 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
1960 if (*acl_text == 0) return NULL; /* No more data */
1961 yield = acl_text; /* Potential data line */
1963 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
1965 /* If we hit the end before a newline, we have the whole logical line. If
1966 it's a comment, there's no more data to be given. Otherwise, yield it. */
1968 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
1970 /* After reaching a newline, end this loop if the physical line does not
1971 start with '#'. If it does, it's a comment, and the loop continues. */
1973 if (*yield != '#') break;
1976 /* This loop handles continuations. We know we have some real data, ending in
1977 newline. See if there is a continuation marker at the end (ignoring trailing
1978 white space). We know that *yield is not white space, so no need to test for
1979 cont > yield in the backwards scanning loop. */
1984 for (cont = acl_text - 1; isspace(*cont); cont--);
1986 /* If no continuation follows, we are done. Mark the end of the line and
1995 /* We have encountered a continuation. Skip over whitespace at the start of
1996 the next line, and indeed the whole of the next line or lines if they are
2001 while (*(++acl_text) == ' ' || *acl_text == '\t');
2002 if (*acl_text != '#') break;
2003 while (*(++acl_text) != 0 && *acl_text != '\n');
2006 /* We have the start of a continuation line. Move all the rest of the data
2007 to join onto the previous line, and then find its end. If the end is not a
2008 newline, we are done. Otherwise loop to look for another continuation. */
2010 memmove(cont, acl_text, acl_text_end - acl_text);
2011 acl_text_end -= acl_text - cont;
2013 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2014 if (*acl_text == 0) return yield;
2017 /* Control does not reach here */
2024 /*************************************************
2025 * Check access using an ACL *
2026 *************************************************/
2028 /* This function is called from address_check. It may recurse via
2029 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2030 passed as a string which is expanded. A forced failure implies no access check
2031 is required. If the result is a single word, it is taken as the name of an ACL
2032 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2033 text, complete with newlines, and parsed as such. In both cases, the ACL check
2034 is then run. This function uses an auxiliary function for acl_read() to call
2035 for reading individual lines of a literal ACL. This is acl_getline(), which
2036 appears immediately above.
2039 where where called from
2040 addr address item when called from RCPT; otherwise NULL
2041 s the input string; NULL is the same as an empty ACL => DENY
2042 level the nesting level
2043 user_msgptr where to put a user error (for SMTP response)
2044 log_msgptr where to put a logging message (not for SMTP response)
2046 Returns: OK access is granted
2047 DISCARD access is apparently granted...
2048 FAIL access is denied
2049 FAIL_DROP access is denied; drop the connection
2050 DEFER can't tell at the moment
2055 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2056 uschar **user_msgptr, uschar **log_msgptr)
2059 acl_block *acl = NULL;
2060 uschar *acl_name = US"inline ACL";
2063 /* Catch configuration loops */
2067 *log_msgptr = US"ACL nested too deep: possible loop";
2073 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2077 /* At top level, we expand the incoming string. At lower levels, it has already
2078 been expanded as part of condition processing. */
2082 ss = expand_string(s);
2085 if (expand_string_forcedfail) return OK;
2086 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2087 expand_string_message);
2093 while (isspace(*ss))ss++;
2095 /* If we can't find a named ACL, the default is to parse it as an inline one.
2096 (Unless it begins with a slash; non-existent files give rise to an error.) */
2100 /* Handle the case of a string that does not contain any spaces. Look for a
2101 named ACL among those read from the configuration, or a previously read file.
2102 It is possible that the pointer to the ACL is NULL if the configuration
2103 contains a name with no data. If not found, and the text begins with '/',
2104 read an ACL from a file, and save it so it can be re-used. */
2106 if (Ustrchr(ss, ' ') == NULL)
2108 tree_node *t = tree_search(acl_anchor, ss);
2111 acl = (acl_block *)(t->data.ptr);
2114 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2117 acl_name = string_sprintf("ACL \"%s\"", ss);
2118 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2121 else if (*ss == '/')
2123 struct stat statbuf;
2124 fd = Uopen(ss, O_RDONLY, 0);
2127 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2132 if (fstat(fd, &statbuf) != 0)
2134 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2139 acl_text = store_get(statbuf.st_size + 1);
2140 acl_text_end = acl_text + statbuf.st_size + 1;
2142 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2144 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2145 ss, strerror(errno));
2148 acl_text[statbuf.st_size] = 0;
2151 acl_name = string_sprintf("ACL \"%s\"", ss);
2152 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2156 /* Parse an ACL that is still in text form. If it came from a file, remember it
2157 in the ACL tree, having read it into the POOL_PERM store pool so that it
2158 persists between multiple messages. */
2162 int old_pool = store_pool;
2163 if (fd >= 0) store_pool = POOL_PERM;
2164 acl = acl_read(acl_getline, log_msgptr);
2165 store_pool = old_pool;
2166 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2169 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2170 Ustrcpy(t->name, ss);
2172 (void)tree_insertnode(&acl_anchor, t);
2176 /* Now we have an ACL to use. It's possible it may be NULL. */
2181 int basic_errno = 0;
2182 BOOL endpass_seen = FALSE;
2184 *log_msgptr = *user_msgptr = NULL;
2185 acl_temp_details = FALSE;
2187 if (where == ACL_WHERE_QUIT &&
2188 acl->verb != ACL_ACCEPT &&
2189 acl->verb != ACL_WARN)
2191 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2196 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2198 /* Clear out any search error message from a previous check before testing
2201 search_error_message = NULL;
2202 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2203 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2205 /* Handle special returns: DEFER causes a return except on a WARN verb;
2206 ERROR always causes a return. */
2211 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2212 if (basic_errno != ERRNO_CALLOUTDEFER)
2214 if (search_error_message != NULL && *search_error_message != 0)
2215 *log_msgptr = search_error_message;
2216 if (smtp_return_error_details) acl_temp_details = TRUE;
2220 acl_temp_details = TRUE;
2222 if (acl->verb != ACL_WARN) return DEFER;
2225 default: /* Paranoia */
2227 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2231 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2236 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2239 /* DISCARD and DROP can happen only from a nested ACL condition, and
2240 DISCARD can happen only for an "accept" or "discard" verb. */
2243 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2248 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2253 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2254 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2255 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2260 if (cond == OK || cond == DISCARD) return cond;
2263 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2271 acl_temp_details = TRUE;
2277 if (cond == OK) return FAIL;
2281 if (cond == OK || cond == DISCARD) return DISCARD;
2284 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2290 if (cond == OK) return FAIL_DROP;
2294 if (cond != OK) return cond;
2299 acl_warn(where, *user_msgptr, *log_msgptr);
2300 else if (cond == DEFER)
2301 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2302 "condition test deferred: %s",
2303 (*log_msgptr == NULL)? US"" : *log_msgptr));
2304 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2308 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2313 /* Pass to the next ACL item */
2318 /* We have reached the end of the ACL. This is an implicit DENY. */
2320 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2325 /*************************************************
2326 * Check access using an ACL *
2327 *************************************************/
2329 /* This is the external interface for ACL checks. It sets up an address and the
2330 expansions for $domain and $local_part when called after RCPT, then calls
2331 acl_check_internal() to do the actual work.
2334 where ACL_WHERE_xxxx indicating where called from
2335 data_string RCPT address, or SMTP command argument, or NULL
2336 s the input string; NULL is the same as an empty ACL => DENY
2337 user_msgptr where to put a user error (for SMTP response)
2338 log_msgptr where to put a logging message (not for SMTP response)
2340 Returns: OK access is granted by an ACCEPT verb
2341 DISCARD access is granted by a DISCARD verb
2342 FAIL access is denied
2343 FAIL_DROP access is denied; drop the connection
2344 DEFER can't tell at the moment
2349 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2350 uschar **log_msgptr)
2356 *user_msgptr = *log_msgptr = NULL;
2357 sender_verified_failed = NULL;
2359 if (where == ACL_WHERE_RCPT)
2361 adb = address_defaults;
2363 addr->address = data_string;
2364 if (deliver_split_address(addr) == DEFER)
2366 *log_msgptr = US"defer in percent_hack_domains check";
2369 deliver_domain = addr->domain;
2370 deliver_localpart = addr->local_part;
2375 smtp_command_argument = data_string;
2378 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2380 smtp_command_argument = deliver_domain =
2381 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2383 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2384 ACL, which is really in the middle of an SMTP command. */
2388 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2390 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2391 "ACL", acl_wherenames[where]);
2397 /* A DROP response is not permitted from MAILAUTH */
2399 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2401 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2402 "ACL", acl_wherenames[where]);
2406 /* Before giving an error response, take a look at the length of any user
2407 message, and split it up into multiple lines if possible. */
2409 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2411 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2417 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2418 if (*ss == 0) break;
2425 while (--t > s + 35)
2429 if (t[-1] == ':') { tt = t; break; }
2430 if (tt == NULL) tt = t;
2434 if (tt == NULL) /* Can't split behind - try ahead */
2439 if (*t == ' ' || *t == '\n')
2445 if (tt == NULL) break; /* Can't find anywhere to split */