1 /* $Cambridge: exim/src/src/acl.c,v 1.14 2005/01/12 12:51:55 ph10 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the condition for which "message" is used */
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
34 /* ACL condition and modifier codes - keep in step with the table that
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
46 #ifdef WITH_OLD_DEMIME
49 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
50 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
51 #ifdef WITH_CONTENT_SCAN
55 #ifdef WITH_CONTENT_SCAN
59 #ifdef WITH_CONTENT_SCAN
62 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
63 #ifdef WITH_CONTENT_SCAN
66 #ifdef EXPERIMENTAL_SPF
71 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
72 "log_message", "logwrite", and "set" are modifiers that look like conditions
73 but always return TRUE. They are used for their side effects. */
75 static uschar *conditions[] = { US"acl", US"authenticated",
76 #ifdef EXPERIMENTAL_BRIGHTMAIL
81 #ifdef WITH_CONTENT_SCAN
85 #ifdef WITH_OLD_DEMIME
88 US"dnslists", US"domains", US"encrypted",
89 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
90 #ifdef WITH_CONTENT_SCAN
94 #ifdef WITH_CONTENT_SCAN
98 #ifdef WITH_CONTENT_SCAN
101 US"sender_domains", US"senders", US"set",
102 #ifdef WITH_CONTENT_SCAN
105 #ifdef EXPERIMENTAL_SPF
110 /* ACL control names */
112 static uschar *controls[] = { US"error", US"caseful_local_part",
113 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
114 US"queue_only", US"submission", US"no_multiline"};
116 /* Flags to indicate for which conditions /modifiers a string expansion is done
117 at the outer level. In the other cases, expansion already occurs in the
118 checking functions. */
120 static uschar cond_expand_at_top[] = {
122 FALSE, /* authenticated */
123 #ifdef EXPERIMENTAL_BRIGHTMAIL
124 TRUE, /* bmi_optin */
126 TRUE, /* condition */
128 #ifdef WITH_CONTENT_SCAN
132 #ifdef WITH_OLD_DEMIME
137 FALSE, /* encrypted */
140 FALSE, /* local_parts */
141 TRUE, /* log_message */
143 #ifdef WITH_CONTENT_SCAN
147 #ifdef WITH_CONTENT_SCAN
148 TRUE, /* mime_regex */
150 FALSE, /* recipients */
151 #ifdef WITH_CONTENT_SCAN
154 FALSE, /* sender_domains */
157 #ifdef WITH_CONTENT_SCAN
160 #ifdef EXPERIMENTAL_SPF
166 /* Flags to identify the modifiers */
168 static uschar cond_modifiers[] = {
170 FALSE, /* authenticated */
171 #ifdef EXPERIMENTAL_BRIGHTMAIL
172 TRUE, /* bmi_optin */
174 FALSE, /* condition */
176 #ifdef WITH_CONTENT_SCAN
180 #ifdef WITH_OLD_DEMIME
183 FALSE, /* dnslists */
185 FALSE, /* encrypted */
188 FALSE, /* local_parts */
189 TRUE, /* log_message */
191 #ifdef WITH_CONTENT_SCAN
195 #ifdef WITH_CONTENT_SCAN
196 FALSE, /* mime_regex */
198 FALSE, /* recipients */
199 #ifdef WITH_CONTENT_SCAN
202 FALSE, /* sender_domains */
205 #ifdef WITH_CONTENT_SCAN
208 #ifdef EXPERIMENTAL_SPF
214 /* Bit map vector of which conditions are not allowed at certain times. For
215 each condition, there's a bitmap of dis-allowed times. */
217 static unsigned int cond_forbids[] = {
220 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
223 #ifdef EXPERIMENTAL_BRIGHTMAIL
224 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
225 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
226 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
227 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
228 (1<<ACL_WHERE_MAILAUTH)|
229 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
230 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
235 /* Certain types of control are always allowed, so we let it through
236 always and check in the control processing itself */
240 #ifdef WITH_CONTENT_SCAN
241 (1<<ACL_WHERE_AUTH)| /* decode */
242 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
243 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
244 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
245 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
246 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
247 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
252 #ifdef WITH_OLD_DEMIME
253 (1<<ACL_WHERE_AUTH)| /* demime */
254 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
255 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
256 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
257 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
258 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
259 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
262 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
264 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
265 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
266 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
267 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
268 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
269 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
272 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
277 (1<<ACL_WHERE_NOTSMTP), /* hosts */
279 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
280 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
281 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
282 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
283 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
284 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
291 #ifdef WITH_CONTENT_SCAN
292 (1<<ACL_WHERE_AUTH)| /* malware */
293 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
294 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
295 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
296 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
297 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
298 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
303 #ifdef WITH_CONTENT_SCAN
304 (1<<ACL_WHERE_AUTH)| /* mime_regex */
305 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
306 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
307 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
308 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
309 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
310 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
313 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
314 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
315 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
316 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
317 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
318 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
321 #ifdef WITH_CONTENT_SCAN
322 (1<<ACL_WHERE_AUTH)| /* regex */
323 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
324 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
325 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
326 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
327 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
328 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
331 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
333 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
334 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
335 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
337 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
339 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
340 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
341 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
345 #ifdef WITH_CONTENT_SCAN
346 (1<<ACL_WHERE_AUTH)| /* spam */
347 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
348 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
349 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
350 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
351 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
352 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
355 #ifdef EXPERIMENTAL_SPF
356 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
358 (1<<ACL_WHERE_MAILAUTH)|
359 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
360 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
363 /* Certain types of verify are always allowed, so we let it through
364 always and check in the verify function itself */
370 /* Return values from decode_control() */
373 #ifdef EXPERIMENTAL_BRIGHTMAIL
376 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
377 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
378 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
379 #ifdef WITH_CONTENT_SCAN
380 CONTROL_NO_MBOX_UNSPOOL,
382 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
384 /* Bit map vector of which controls are not allowed at certain times. For
385 each control, there's a bitmap of dis-allowed times. For some, it is easier to
386 specify the negation of a small number of allowed times. */
388 static unsigned int control_forbids[] = {
389 #ifdef EXPERIMENTAL_BRIGHTMAIL
396 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
399 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
401 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
403 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
406 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
407 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
408 (1<<ACL_WHERE_NOTSMTP)),
411 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
412 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
413 (1<<ACL_WHERE_NOTSMTP)),
416 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
417 (1<<ACL_WHERE_PREDATA)),
419 #ifdef WITH_CONTENT_SCAN
420 (1<<ACL_WHERE_NOTSMTP), /* no_mbox_unspool */
424 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
425 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)),
427 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
430 /* Structure listing various control arguments, with their characteristics. */
432 typedef struct control_def {
434 int value; /* CONTROL_xxx value */
435 BOOL has_option; /* Has /option(s) following */
438 static control_def controls_list[] = {
439 #ifdef EXPERIMENTAL_BRIGHTMAIL
440 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
442 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
443 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
444 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
445 { US"freeze", CONTROL_FREEZE, FALSE},
446 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
447 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
448 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
449 #ifdef WITH_CONTENT_SCAN
450 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
452 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
453 { US"submission", CONTROL_SUBMISSION, TRUE}
456 /* Enable recursion between acl_check_internal() and acl_check_condition() */
458 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
462 /*************************************************
463 * Pick out name from list *
464 *************************************************/
466 /* Use a binary chop method
473 Returns: offset in list, or -1 if not found
477 acl_checkname(uschar *name, uschar **list, int end)
483 int mid = (start + end)/2;
484 int c = Ustrcmp(name, list[mid]);
485 if (c == 0) return mid;
486 if (c < 0) end = mid; else start = mid + 1;
493 /*************************************************
494 * Read and parse one ACL *
495 *************************************************/
497 /* This function is called both from readconf in order to parse the ACLs in the
498 configuration file, and also when an ACL is encountered dynamically (e.g. as
499 the result of an expansion). It is given a function to call in order to
500 retrieve the lines of the ACL. This function handles skipping comments and
501 blank lines (where relevant).
504 func function to get next line of ACL
505 error where to put an error message
507 Returns: pointer to ACL, or NULL
508 NULL can be legal (empty ACL); in this case error will be NULL
512 acl_read(uschar *(*func)(void), uschar **error)
514 acl_block *yield = NULL;
515 acl_block **lastp = &yield;
516 acl_block *this = NULL;
517 acl_condition_block *cond;
518 acl_condition_block **condp = NULL;
523 while ((s = (*func)()) != NULL)
526 BOOL negated = FALSE;
527 uschar *saveline = s;
530 /* Conditions (but not verbs) are allowed to be negated by an initial
533 while (isspace(*s)) s++;
540 /* Read the name of a verb or a condition, or the start of a new ACL */
542 s = readconf_readname(name, sizeof(name), s);
545 if (negated || name[0] == 0)
547 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
553 /* If a verb is unrecognized, it may be another condition or modifier that
554 continues the previous verb. */
556 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
561 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
572 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
575 this = store_get(sizeof(acl_block));
577 lastp = &(this->next);
580 this->condition = NULL;
581 condp = &(this->condition);
582 if (*s == 0) continue; /* No condition on this line */
588 s = readconf_readname(name, sizeof(name), s); /* Condition name */
591 /* Handle a condition or modifier. */
593 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
596 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
601 /* The modifiers may not be negated */
603 if (negated && cond_modifiers[c])
605 *error = string_sprintf("ACL error: negation is not allowed with "
606 "\"%s\"", conditions[c]);
610 /* ENDPASS may occur only with ACCEPT or DISCARD. */
612 if (c == ACLC_ENDPASS &&
613 this->verb != ACL_ACCEPT &&
614 this->verb != ACL_DISCARD)
616 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
617 conditions[c], verbs[this->verb]);
621 cond = store_get(sizeof(acl_condition_block));
624 cond->u.negated = negated;
627 condp = &(cond->next);
629 /* The "set" modifier is different in that its argument is "name=value"
630 rather than just a value, and we can check the validity of the name, which
631 gives us a variable number to insert into the data block. */
635 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
636 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
638 *error = string_sprintf("unrecognized name after \"set\" in ACL "
639 "modifier \"set %s\"", s);
643 cond->u.varnumber = s[5] - '0';
644 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
646 while (isspace(*s)) s++;
649 /* For "set", we are now positioned for the data. For the others, only
650 "endpass" has no data */
652 if (c != ACLC_ENDPASS)
656 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
657 cond_modifiers[c]? US"modifier" : US"condition");
660 while (isspace(*s)) s++;
661 cond->arg = string_copy(s);
670 /*************************************************
672 *************************************************/
674 /* This function is called when a WARN verb's conditions are true. It adds to
675 the message's headers, and/or writes information to the log. In each case, this
676 only happens once (per message for headers, per connection for log).
679 where ACL_WHERE_xxxx indicating which ACL this is
680 user_message message for adding to headers
681 log_message message for logging, if different
687 acl_warn(int where, uschar *user_message, uschar *log_message)
691 if (log_message != NULL && log_message != user_message)
696 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
697 string_printing(log_message));
699 /* If a sender verification has failed, and the log message is "sender verify
700 failed", add the failure message. */
702 if (sender_verified_failed != NULL &&
703 sender_verified_failed->message != NULL &&
704 strcmpic(log_message, US"sender verify failed") == 0)
705 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
707 /* Search previously logged warnings. They are kept in malloc store so they
708 can be freed at the start of a new message. */
710 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
711 if (Ustrcmp(logged->text, text) == 0) break;
715 int length = Ustrlen(text) + 1;
716 log_write(0, LOG_MAIN, "%s", text);
717 logged = store_malloc(sizeof(string_item) + length);
718 logged->text = (uschar *)logged + sizeof(string_item);
719 memcpy(logged->text, text, length);
720 logged->next = acl_warn_logged;
721 acl_warn_logged = logged;
725 /* If there's no user message, we are done. */
727 if (user_message == NULL) return;
729 /* If this isn't a message ACL, we can't do anything with a user message.
732 if (where > ACL_WHERE_NOTSMTP)
734 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
735 "found in a non-message (%s) ACL: cannot specify header lines here: "
736 "message ignored", acl_wherenames[where]);
740 /* Treat the user message as a sequence of one or more header lines. */
742 hlen = Ustrlen(user_message);
745 uschar *text, *p, *q;
747 /* Add a final newline if not present */
749 text = ((user_message)[hlen-1] == '\n')? user_message :
750 string_sprintf("%s\n", user_message);
752 /* Loop for multiple header lines, taking care about continuations */
754 for (p = q = text; *p != 0; )
757 int newtype = htype_add_bot;
758 header_line **hptr = &acl_warn_headers;
760 /* Find next header line within the string */
764 q = Ustrchr(q, '\n');
765 if (*(++q) != ' ' && *q != '\t') break;
768 /* If the line starts with a colon, interpret the instruction for where to
769 add it. This temporarily sets up a new type. */
773 if (strncmpic(p, US":after_received:", 16) == 0)
775 newtype = htype_add_rec;
778 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
780 newtype = htype_add_rfc;
783 else if (strncmpic(p, US":at_start:", 10) == 0)
785 newtype = htype_add_top;
788 else if (strncmpic(p, US":at_end:", 8) == 0)
790 newtype = htype_add_bot;
793 while (*p == ' ' || *p == '\t') p++;
796 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
797 to the front of it. */
799 for (s = p; s < q - 1; s++)
801 if (*s == ':' || !isgraph(*s)) break;
804 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
807 /* See if this line has already been added */
809 while (*hptr != NULL)
811 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
812 hptr = &((*hptr)->next);
815 /* Add if not previously present */
819 header_line *h = store_get(sizeof(header_line));
828 /* Advance for next header line within the string */
837 /*************************************************
838 * Verify and check reverse DNS *
839 *************************************************/
841 /* Called from acl_verify() below. We look up the host name(s) of the client IP
842 address if this has not yet been done. The host_name_lookup() function checks
843 that one of these names resolves to an address list that contains the client IP
844 address, so we don't actually have to do the check here.
847 user_msgptr pointer for user message
848 log_msgptr pointer for log message
850 Returns: OK verification condition succeeded
851 FAIL verification failed
852 DEFER there was a problem verifying
856 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
860 user_msgptr = user_msgptr; /* stop compiler warning */
862 /* Previous success */
864 if (sender_host_name != NULL) return OK;
866 /* Previous failure */
868 if (host_lookup_failed)
870 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
874 /* Need to do a lookup */
877 debug_printf("looking up host name to force name/address consistency check\n");
879 if ((rc = host_name_lookup()) != OK)
881 *log_msgptr = (rc == DEFER)?
882 US"host lookup deferred for reverse lookup check"
884 string_sprintf("host lookup failed for reverse lookup check%s",
886 return rc; /* DEFER or FAIL */
889 host_build_sender_fullhost();
895 /*************************************************
896 * Handle verification (address & other) *
897 *************************************************/
899 /* This function implements the "verify" condition. It is called when
900 encountered in any ACL, because some tests are almost always permitted. Some
901 just don't make sense, and always fail (for example, an attempt to test a host
902 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
905 where where called from
906 addr the recipient address that the ACL is handling, or NULL
907 arg the argument of "verify"
908 user_msgptr pointer for user message
909 log_msgptr pointer for log message
910 basic_errno where to put verify errno
912 Returns: OK verification condition succeeded
913 FAIL verification failed
914 DEFER there was a problem verifying
919 acl_verify(int where, address_item *addr, uschar *arg,
920 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
924 int callout_overall = -1;
925 int callout_connect = -1;
926 int verify_options = 0;
928 BOOL verify_header_sender = FALSE;
929 BOOL defer_ok = FALSE;
930 BOOL callout_defer_ok = FALSE;
931 BOOL no_details = FALSE;
932 address_item *sender_vaddr = NULL;
933 uschar *verify_sender_address = NULL;
934 uschar *pm_mailfrom = NULL;
935 uschar *se_mailfrom = NULL;
937 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
939 if (ss == NULL) goto BAD_VERIFY;
941 /* Handle name/address consistency verification in a separate function. */
943 if (strcmpic(ss, US"reverse_host_lookup") == 0)
945 if (sender_host_address == NULL) return OK;
946 return acl_verify_reverse(user_msgptr, log_msgptr);
949 /* TLS certificate verification is done at STARTTLS time; here we just
950 test whether it was successful or not. (This is for optional verification; for
951 mandatory verification, the connection doesn't last this long.) */
953 if (strcmpic(ss, US"certificate") == 0)
955 if (tls_certificate_verified) return OK;
956 *user_msgptr = US"no verified certificate";
960 /* We can test the result of optional HELO verification */
962 if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
964 /* Handle header verification options - permitted only after DATA or a non-SMTP
967 if (strncmpic(ss, US"header_", 7) == 0)
969 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
971 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
972 "(only possible in ACL for DATA)", acl_wherenames[where]);
976 /* Check that all relevant header lines have the correct syntax. If there is
977 a syntax error, we return details of the error to the sender if configured to
978 send out full details. (But a "message" setting on the ACL can override, as
981 if (strcmpic(ss+7, US"syntax") == 0)
983 int rc = verify_check_headers(log_msgptr);
984 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
985 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
989 /* Check that there is at least one verifiable sender address in the relevant
990 header lines. This can be followed by callout and defer options, just like
991 sender and recipient. */
993 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
995 /* Unknown verify argument starting with "header_" */
997 else goto BAD_VERIFY;
1000 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1001 In the case of a sender, this can optionally be followed by an address to use
1002 in place of the actual sender (rare special-case requirement). */
1004 else if (strncmpic(ss, US"sender", 6) == 0)
1007 if (where > ACL_WHERE_NOTSMTP)
1009 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1010 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1011 acl_wherenames[where]);
1015 verify_sender_address = sender_address;
1018 while (isspace(*s)) s++;
1019 if (*s++ != '=') goto BAD_VERIFY;
1020 while (isspace(*s)) s++;
1021 verify_sender_address = string_copy(s);
1026 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1029 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1030 "(only possible for RCPT)", acl_wherenames[where]);
1035 /* Remaining items are optional */
1037 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1040 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1041 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1043 /* These two old options are left for backwards compatibility */
1045 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1047 callout_defer_ok = TRUE;
1048 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1051 else if (strcmpic(ss, US"check_postmaster") == 0)
1054 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1057 /* The callout option has a number of sub-options, comma separated */
1059 else if (strncmpic(ss, US"callout", 7) == 0)
1061 callout = CALLOUT_TIMEOUT_DEFAULT;
1065 while (isspace(*ss)) ss++;
1071 while (isspace(*ss)) ss++;
1073 /* This callout option handling code has become a mess as new options
1074 have been added in an ad hoc manner. It should be tidied up into some
1075 kind of table-driven thing. */
1077 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1080 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1081 else if (strcmpic(opt, US"no_cache") == 0)
1082 verify_options |= vopt_callout_no_cache;
1083 else if (strcmpic(opt, US"random") == 0)
1084 verify_options |= vopt_callout_random;
1085 else if (strcmpic(opt, US"use_sender") == 0)
1086 verify_options |= vopt_callout_recipsender;
1087 else if (strcmpic(opt, US"use_postmaster") == 0)
1088 verify_options |= vopt_callout_recippmaster;
1089 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1091 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1093 if (!verify_header_sender)
1095 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1096 "callout option only for verify=header_sender (detected in ACL "
1097 "condition \"%s\")", arg);
1101 while (isspace(*opt)) opt++;
1104 *log_msgptr = string_sprintf("'=' expected after "
1105 "\"mailfrom\" in ACL condition \"%s\"", arg);
1108 while (isspace(*opt)) opt++;
1109 se_mailfrom = string_copy(opt);
1112 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1115 while (isspace(*opt)) opt++;
1118 *log_msgptr = string_sprintf("'=' expected after "
1119 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1122 while (isspace(*opt)) opt++;
1123 pm_mailfrom = string_copy(opt);
1126 else if (strncmpic(opt, US"maxwait", 7) == 0)
1129 while (isspace(*opt)) opt++;
1132 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1133 "ACL condition \"%s\"", arg);
1136 while (isspace(*opt)) opt++;
1137 callout_overall = readconf_readtime(opt, 0, FALSE);
1138 if (callout_overall < 0)
1140 *log_msgptr = string_sprintf("bad time value in ACL condition "
1141 "\"verify %s\"", arg);
1145 else if (strncmpic(opt, US"connect", 7) == 0)
1148 while (isspace(*opt)) opt++;
1151 *log_msgptr = string_sprintf("'=' expected after "
1152 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1155 while (isspace(*opt)) opt++;
1156 callout_connect = readconf_readtime(opt, 0, FALSE);
1157 if (callout_connect < 0)
1159 *log_msgptr = string_sprintf("bad time value in ACL condition "
1160 "\"verify %s\"", arg);
1164 else /* Plain time is callout connect/command timeout */
1166 callout = readconf_readtime(opt, 0, FALSE);
1169 *log_msgptr = string_sprintf("bad time value in ACL condition "
1170 "\"verify %s\"", arg);
1178 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1179 "ACL condition \"%s\"", arg);
1185 /* Option not recognized */
1189 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1190 "condition \"verify %s\"", ss, arg);
1195 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1196 (vopt_callout_recipsender|vopt_callout_recippmaster))
1198 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1199 "for a recipient callout";
1203 /* Handle sender-in-header verification. Default the user message to the log
1204 message if giving out verification details. */
1206 if (verify_header_sender)
1208 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1209 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options);
1210 if (smtp_return_error_details)
1212 if (*user_msgptr == NULL && *log_msgptr != NULL)
1213 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1214 if (rc == DEFER) acl_temp_details = TRUE;
1218 /* Handle a sender address. The default is to verify *the* sender address, but
1219 optionally a different address can be given, for special requirements. If the
1220 address is empty, we are dealing with a bounce message that has no sender, so
1221 we cannot do any checking. If the real sender address gets rewritten during
1222 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1223 during message reception.
1225 A list of verified "sender" addresses is kept to try to avoid doing to much
1226 work repetitively when there are multiple recipients in a message and they all
1227 require sender verification. However, when callouts are involved, it gets too
1228 complicated because different recipients may require different callout options.
1229 Therefore, we always do a full sender verify when any kind of callout is
1230 specified. Caching elsewhere, for instance in the DNS resolver and in the
1231 callout handling, should ensure that this is not terribly inefficient. */
1233 else if (verify_sender_address != NULL)
1235 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1238 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1239 "sender verify callout";
1243 sender_vaddr = verify_checked_sender(verify_sender_address);
1244 if (sender_vaddr != NULL && /* Previously checked */
1245 callout <= 0) /* No callout needed this time */
1247 /* If the "routed" flag is set, it means that routing worked before, so
1248 this check can give OK (the saved return code value, if set, belongs to a
1249 callout that was done previously). If the "routed" flag is not set, routing
1250 must have failed, so we use the saved return code. */
1252 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1254 rc = sender_vaddr->special_action;
1255 *basic_errno = sender_vaddr->basic_errno;
1257 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1260 /* Do a new verification, and cache the result. The cache is used to avoid
1261 verifying the sender multiple times for multiple RCPTs when callouts are not
1262 specified (see comments above).
1264 The cache is also used on failure to give details in response to the first
1265 RCPT that gets bounced for this reason. However, this can be suppressed by
1266 the no_details option, which sets the flag that says "this detail has already
1267 been sent". The cache normally contains just one address, but there may be
1268 more in esoteric circumstances. */
1273 uschar *save_address_data = deliver_address_data;
1275 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1276 if (no_details) setflag(sender_vaddr, af_sverify_told);
1277 if (verify_sender_address[0] != 0)
1279 /* If this is the real sender address, save the unrewritten version
1280 for use later in receive. Otherwise, set a flag so that rewriting the
1281 sender in verify_address() does not update sender_address. */
1283 if (verify_sender_address == sender_address)
1284 sender_address_unrewritten = sender_address;
1286 verify_options |= vopt_fake_sender;
1288 /* The recipient, qualify, and expn options are never set in
1291 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1292 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1294 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1298 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1300 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1301 verify_sender_address, sender_vaddr->address);
1305 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1306 verify_sender_address);
1309 else *basic_errno = sender_vaddr->basic_errno;
1311 else rc = OK; /* Null sender */
1313 /* Cache the result code */
1315 if (routed) setflag(sender_vaddr, af_verify_routed);
1316 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1317 sender_vaddr->special_action = rc;
1318 sender_vaddr->next = sender_verified_list;
1319 sender_verified_list = sender_vaddr;
1321 /* Restore the recipient address data, which might have been clobbered by
1322 the sender verification. */
1324 deliver_address_data = save_address_data;
1327 /* Put the sender address_data value into $sender_address_data */
1329 sender_address_data = sender_vaddr->p.address_data;
1332 /* A recipient address just gets a straightforward verify; again we must handle
1333 the DEFER overrides. */
1339 /* We must use a copy of the address for verification, because it might
1343 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1344 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1345 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1346 *log_msgptr = addr2.message;
1347 *user_msgptr = addr2.user_message;
1348 *basic_errno = addr2.basic_errno;
1350 /* Make $address_data visible */
1351 deliver_address_data = addr2.p.address_data;
1354 /* We have a result from the relevant test. Handle defer overrides first. */
1356 if (rc == DEFER && (defer_ok ||
1357 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1359 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1360 defer_ok? "defer_ok" : "callout_defer_ok");
1364 /* If we've failed a sender, set up a recipient message, and point
1365 sender_verified_failed to the address item that actually failed. */
1367 if (rc != OK && verify_sender_address != NULL)
1371 *log_msgptr = *user_msgptr = US"Sender verify failed";
1373 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1375 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1379 *log_msgptr = US"Could not complete sender verify callout";
1380 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1384 sender_verified_failed = sender_vaddr;
1387 /* Verifying an address messes up the values of $domain and $local_part,
1388 so reset them before returning if this is a RCPT ACL. */
1392 deliver_domain = addr->domain;
1393 deliver_localpart = addr->local_part;
1397 /* Syntax errors in the verify argument come here. */
1400 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1401 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1402 "\"verify %s\"", arg);
1409 /*************************************************
1410 * Check argument for control= modifier *
1411 *************************************************/
1413 /* Called from acl_check_condition() below
1416 arg the argument string for control=
1417 pptr set to point to the terminating character
1418 where which ACL we are in
1419 log_msgptr for error messages
1421 Returns: CONTROL_xxx value
1425 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1430 for (d = controls_list;
1431 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1434 len = Ustrlen(d->name);
1435 if (Ustrncmp(d->name, arg, len) == 0) break;
1438 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1439 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1441 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1442 return CONTROL_ERROR;
1451 /*************************************************
1452 * Handle conditions/modifiers on an ACL item *
1453 *************************************************/
1455 /* Called from acl_check() below.
1459 cb ACL condition block - if NULL, result is OK
1460 where where called from
1461 addr the address being checked for RCPT, or NULL
1462 level the nesting level
1463 epp pointer to pass back TRUE if "endpass" encountered
1464 (applies only to "accept" and "discard")
1465 user_msgptr user message pointer
1466 log_msgptr log message pointer
1467 basic_errno pointer to where to put verify error
1469 Returns: OK - all conditions are met
1470 DISCARD - an "acl" condition returned DISCARD - only allowed
1471 for "accept" or "discard" verbs
1472 FAIL - at least one condition fails
1473 FAIL_DROP - an "acl" condition returned FAIL_DROP
1474 DEFER - can't tell at the moment (typically, lookup defer,
1475 but can be temporary callout problem)
1476 ERROR - ERROR from nested ACL or expansion failure or other
1481 acl_check_condition(int verb, acl_condition_block *cb, int where,
1482 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1483 uschar **log_msgptr, int *basic_errno)
1485 uschar *user_message = NULL;
1486 uschar *log_message = NULL;
1489 #ifdef WITH_CONTENT_SCAN
1493 for (; cb != NULL; cb = cb->next)
1498 /* The message and log_message items set up messages to be used in
1499 case of rejection. They are expanded later. */
1501 if (cb->type == ACLC_MESSAGE)
1503 user_message = cb->arg;
1507 if (cb->type == ACLC_LOG_MESSAGE)
1509 log_message = cb->arg;
1513 /* The endpass "condition" just sets a flag to show it occurred. This is
1514 checked at compile time to be on an "accept" or "discard" item. */
1516 if (cb->type == ACLC_ENDPASS)
1522 /* For other conditions and modifiers, the argument is expanded now for some
1523 of them, but not for all, because expansion happens down in some lower level
1524 checking functions in some cases. */
1526 if (cond_expand_at_top[cb->type])
1528 arg = expand_string(cb->arg);
1531 if (expand_string_forcedfail) continue;
1532 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1533 cb->arg, expand_string_message);
1534 return search_find_defer? DEFER : ERROR;
1539 /* Show condition, and expanded condition if it's different */
1544 debug_printf("check %s%s %n",
1545 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1546 conditions[cb->type], &lhswidth);
1548 if (cb->type == ACLC_SET)
1550 int n = cb->u.varnumber;
1551 int t = (n < ACL_C_MAX)? 'c' : 'm';
1552 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1553 debug_printf("acl_%c%d ", t, n);
1557 debug_printf("= %s\n", cb->arg);
1560 debug_printf("%.*s= %s\n", lhswidth,
1564 /* Check that this condition makes sense at this time */
1566 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1568 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1569 cond_modifiers[cb->type]? "use" : "test",
1570 conditions[cb->type], acl_wherenames[where]);
1574 /* Run the appropriate test for each condition, or take the appropriate
1575 action for the remaining modifiers. */
1579 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1583 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1584 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1586 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1587 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1593 case ACLC_AUTHENTICATED:
1594 rc = (sender_host_authenticated == NULL)? FAIL :
1595 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1599 #ifdef EXPERIMENTAL_BRIGHTMAIL
1600 case ACLC_BMI_OPTIN:
1602 int old_pool = store_pool;
1603 store_pool = POOL_PERM;
1604 bmi_current_optin = string_copy(arg);
1605 store_pool = old_pool;
1610 case ACLC_CONDITION:
1611 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1612 rc = (Uatoi(arg) == 0)? FAIL : OK;
1614 rc = (strcmpic(arg, US"no") == 0 ||
1615 strcmpic(arg, US"false") == 0)? FAIL :
1616 (strcmpic(arg, US"yes") == 0 ||
1617 strcmpic(arg, US"true") == 0)? OK : DEFER;
1619 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1623 control_type = decode_control(arg, &p, where, log_msgptr);
1625 /* Check if this control makes sense at this time */
1627 if ((control_forbids[control_type] & (1 << where)) != 0)
1629 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1630 controls[control_type], acl_wherenames[where]);
1634 switch(control_type)
1636 #ifdef EXPERIMENTAL_BRIGHTMAIL
1637 case CONTROL_BMI_RUN:
1645 case CONTROL_CASEFUL_LOCAL_PART:
1646 deliver_localpart = addr->cc_local_part;
1649 case CONTROL_CASELOWER_LOCAL_PART:
1650 deliver_localpart = addr->lc_local_part;
1653 case CONTROL_ENFORCE_SYNC:
1654 smtp_enforce_sync = TRUE;
1657 case CONTROL_NO_ENFORCE_SYNC:
1658 smtp_enforce_sync = FALSE;
1661 #ifdef WITH_CONTENT_SCAN
1662 case CONTROL_NO_MBOX_UNSPOOL:
1663 no_mbox_unspool = TRUE;
1667 case CONTROL_NO_MULTILINE:
1668 no_multiline_responses = TRUE;
1671 case CONTROL_FAKEREJECT:
1676 while (*pp != 0) pp++;
1677 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1682 /* Explicitly reset to default string */
1683 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legit message, it may still be delivered to the target recipient(s).";
1687 case CONTROL_FREEZE:
1688 deliver_freeze = TRUE;
1689 deliver_frozen_at = time(NULL);
1692 case CONTROL_QUEUE_ONLY:
1693 queue_only_policy = TRUE;
1696 case CONTROL_SUBMISSION:
1697 submission_mode = TRUE;
1700 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1703 active_local_sender_retain = TRUE;
1704 active_local_from_check = FALSE;
1706 else if (Ustrncmp(p, "/domain=", 8) == 0)
1709 while (*pp != 0 && *pp != '/') pp++;
1710 submission_domain = string_copyn(p+8, pp-p);
1717 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1724 #ifdef WITH_CONTENT_SCAN
1726 rc = mime_decode(&arg);
1732 int delay = readconf_readtime(arg, 0, FALSE);
1735 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1736 "modifier: \"%s\" is not a time value", arg);
1741 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1746 debug_printf("delay skipped in -bh checking mode\n");
1750 while (delay > 0) delay = sleep(delay);
1756 #ifdef WITH_OLD_DEMIME
1763 rc = verify_check_dnsbl(&arg);
1767 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1768 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1771 /* The value in tls_cipher is the full cipher name, for example,
1772 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1773 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1774 what may in practice come out of the SSL library - which at the time of
1775 writing is poorly documented. */
1777 case ACLC_ENCRYPTED:
1778 if (tls_cipher == NULL) rc = FAIL; else
1780 uschar *endcipher = NULL;
1781 uschar *cipher = Ustrchr(tls_cipher, ':');
1782 if (cipher == NULL) cipher = tls_cipher; else
1784 endcipher = Ustrchr(++cipher, ':');
1785 if (endcipher != NULL) *endcipher = 0;
1787 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1788 if (endcipher != NULL) *endcipher = ':';
1792 /* Use verify_check_this_host() instead of verify_check_host() so that
1793 we can pass over &host_data to catch any looked up data. Once it has been
1794 set, it retains its value so that it's still there if another ACL verb
1795 comes through here and uses the cache. However, we must put it into
1796 permanent store in case it is also expected to be used in a subsequent
1797 message in the same SMTP connection. */
1800 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1801 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1802 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1805 case ACLC_LOCAL_PARTS:
1806 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1807 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1808 &deliver_localpart_data);
1820 if (Ustrncmp(s, "main", 4) == 0)
1821 { logbits |= LOG_MAIN; s += 4; }
1822 else if (Ustrncmp(s, "panic", 5) == 0)
1823 { logbits |= LOG_PANIC; s += 5; }
1824 else if (Ustrncmp(s, "reject", 6) == 0)
1825 { logbits |= LOG_REJECT; s += 6; }
1828 logbits = LOG_MAIN|LOG_PANIC;
1829 s = string_sprintf(":unknown log name in \"%s\" in "
1830 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
1836 while (isspace(*s)) s++;
1837 if (logbits == 0) logbits = LOG_MAIN;
1838 log_write(0, logbits, "%s", string_printing(s));
1842 #ifdef WITH_CONTENT_SCAN
1845 /* Seperate the regular expression and any optional parameters. */
1846 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1847 /* Run the malware backend. */
1849 /* Modify return code based upon the existance of options. */
1850 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1852 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1854 /* FAIL so that the message is passed to the next ACL */
1861 case ACLC_MIME_REGEX:
1862 rc = mime_regex(&arg);
1866 case ACLC_RECIPIENTS:
1867 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
1871 #ifdef WITH_CONTENT_SCAN
1877 case ACLC_SENDER_DOMAINS:
1880 sdomain = Ustrrchr(sender_address, '@');
1881 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
1882 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
1883 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
1888 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
1889 sender_address_cache, -1, 0, &sender_data);
1892 /* Connection variables must persist forever */
1896 int old_pool = store_pool;
1897 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
1898 acl_var[cb->u.varnumber] = string_copy(arg);
1899 store_pool = old_pool;
1903 #ifdef WITH_CONTENT_SCAN
1906 /* Seperate the regular expression and any optional parameters. */
1907 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1908 /* Run the spam backend. */
1910 /* Modify return code based upon the existance of options. */
1911 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1913 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1915 /* FAIL so that the message is passed to the next ACL */
1923 #ifdef EXPERIMENTAL_SPF
1925 rc = spf_process(&arg, sender_address);
1929 /* If the verb is WARN, discard any user message from verification, because
1930 such messages are SMTP responses, not header additions. The latter come
1931 only from explicit "message" modifiers. */
1934 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
1935 if (verb == ACL_WARN) *user_msgptr = NULL;
1939 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
1940 "condition %d", cb->type);
1944 /* If a condition was negated, invert OK/FAIL. */
1946 if (!cond_modifiers[cb->type] && cb->u.negated)
1948 if (rc == OK) rc = FAIL;
1949 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
1952 if (rc != OK) break; /* Conditions loop */
1956 /* If the result is the one for which "message" and/or "log_message" are used,
1957 handle the values of these options. Most verbs have but a single return for
1958 which the messages are relevant, but for "discard", it's useful to have the log
1959 message both when it succeeds and when it fails. Also, for an "accept" that
1960 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
1961 and "warn" are permitted in that ACL, we don't need to test the verb.
1963 These modifiers act in different ways:
1965 "message" is a user message that will be included in an SMTP response. Unless
1966 it is empty, it overrides any previously set user message.
1968 "log_message" is a non-user message, and it adds to any existing non-user
1969 message that is already set.
1971 If there isn't a log message set, we make it the same as the user message. */
1973 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
1974 (verb == ACL_DISCARD && rc == OK) ||
1975 (where == ACL_WHERE_QUIT))
1979 /* If the verb is "warn", messages generated by conditions (verification or
1980 nested ACLs) are discarded. Only messages specified at this level are used.
1981 However, the value of an existing message is available in $acl_verify_message
1982 during expansions. */
1984 uschar *old_user_msgptr = *user_msgptr;
1985 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
1987 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
1989 if (user_message != NULL)
1991 acl_verify_message = old_user_msgptr;
1992 expmessage = expand_string(user_message);
1993 if (expmessage == NULL)
1995 if (!expand_string_forcedfail)
1996 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1997 user_message, expand_string_message);
1999 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2002 if (log_message != NULL)
2004 acl_verify_message = old_log_msgptr;
2005 expmessage = expand_string(log_message);
2006 if (expmessage == NULL)
2008 if (!expand_string_forcedfail)
2009 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2010 log_message, expand_string_message);
2012 else if (expmessage[0] != 0)
2014 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2015 string_sprintf("%s: %s", expmessage, *log_msgptr);
2019 /* If no log message, default it to the user message */
2021 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2024 acl_verify_message = NULL;
2032 /*************************************************
2033 * Get line from a literal ACL *
2034 *************************************************/
2036 /* This function is passed to acl_read() in order to extract individual lines
2037 of a literal ACL, which we access via static pointers. We can destroy the
2038 contents because this is called only once (the compiled ACL is remembered).
2040 This code is intended to treat the data in the same way as lines in the main
2041 Exim configuration file. That is:
2043 . Leading spaces are ignored.
2045 . A \ at the end of a line is a continuation - trailing spaces after the \
2046 are permitted (this is because I don't believe in making invisible things
2047 significant). Leading spaces on the continued part of a line are ignored.
2049 . Physical lines starting (significantly) with # are totally ignored, and
2050 may appear within a sequence of backslash-continued lines.
2052 . Blank lines are ignored, but will end a sequence of continuations.
2055 Returns: a pointer to the next line
2059 static uschar *acl_text; /* Current pointer in the text */
2060 static uschar *acl_text_end; /* Points one past the terminating '0' */
2068 /* This loop handles leading blank lines and comments. */
2072 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2073 if (*acl_text == 0) return NULL; /* No more data */
2074 yield = acl_text; /* Potential data line */
2076 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2078 /* If we hit the end before a newline, we have the whole logical line. If
2079 it's a comment, there's no more data to be given. Otherwise, yield it. */
2081 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2083 /* After reaching a newline, end this loop if the physical line does not
2084 start with '#'. If it does, it's a comment, and the loop continues. */
2086 if (*yield != '#') break;
2089 /* This loop handles continuations. We know we have some real data, ending in
2090 newline. See if there is a continuation marker at the end (ignoring trailing
2091 white space). We know that *yield is not white space, so no need to test for
2092 cont > yield in the backwards scanning loop. */
2097 for (cont = acl_text - 1; isspace(*cont); cont--);
2099 /* If no continuation follows, we are done. Mark the end of the line and
2108 /* We have encountered a continuation. Skip over whitespace at the start of
2109 the next line, and indeed the whole of the next line or lines if they are
2114 while (*(++acl_text) == ' ' || *acl_text == '\t');
2115 if (*acl_text != '#') break;
2116 while (*(++acl_text) != 0 && *acl_text != '\n');
2119 /* We have the start of a continuation line. Move all the rest of the data
2120 to join onto the previous line, and then find its end. If the end is not a
2121 newline, we are done. Otherwise loop to look for another continuation. */
2123 memmove(cont, acl_text, acl_text_end - acl_text);
2124 acl_text_end -= acl_text - cont;
2126 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2127 if (*acl_text == 0) return yield;
2130 /* Control does not reach here */
2137 /*************************************************
2138 * Check access using an ACL *
2139 *************************************************/
2141 /* This function is called from address_check. It may recurse via
2142 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2143 passed as a string which is expanded. A forced failure implies no access check
2144 is required. If the result is a single word, it is taken as the name of an ACL
2145 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2146 text, complete with newlines, and parsed as such. In both cases, the ACL check
2147 is then run. This function uses an auxiliary function for acl_read() to call
2148 for reading individual lines of a literal ACL. This is acl_getline(), which
2149 appears immediately above.
2152 where where called from
2153 addr address item when called from RCPT; otherwise NULL
2154 s the input string; NULL is the same as an empty ACL => DENY
2155 level the nesting level
2156 user_msgptr where to put a user error (for SMTP response)
2157 log_msgptr where to put a logging message (not for SMTP response)
2159 Returns: OK access is granted
2160 DISCARD access is apparently granted...
2161 FAIL access is denied
2162 FAIL_DROP access is denied; drop the connection
2163 DEFER can't tell at the moment
2168 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2169 uschar **user_msgptr, uschar **log_msgptr)
2172 acl_block *acl = NULL;
2173 uschar *acl_name = US"inline ACL";
2176 /* Catch configuration loops */
2180 *log_msgptr = US"ACL nested too deep: possible loop";
2186 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2190 /* At top level, we expand the incoming string. At lower levels, it has already
2191 been expanded as part of condition processing. */
2195 ss = expand_string(s);
2198 if (expand_string_forcedfail) return OK;
2199 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2200 expand_string_message);
2206 while (isspace(*ss))ss++;
2208 /* If we can't find a named ACL, the default is to parse it as an inline one.
2209 (Unless it begins with a slash; non-existent files give rise to an error.) */
2213 /* Handle the case of a string that does not contain any spaces. Look for a
2214 named ACL among those read from the configuration, or a previously read file.
2215 It is possible that the pointer to the ACL is NULL if the configuration
2216 contains a name with no data. If not found, and the text begins with '/',
2217 read an ACL from a file, and save it so it can be re-used. */
2219 if (Ustrchr(ss, ' ') == NULL)
2221 tree_node *t = tree_search(acl_anchor, ss);
2224 acl = (acl_block *)(t->data.ptr);
2227 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2230 acl_name = string_sprintf("ACL \"%s\"", ss);
2231 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2234 else if (*ss == '/')
2236 struct stat statbuf;
2237 fd = Uopen(ss, O_RDONLY, 0);
2240 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2245 if (fstat(fd, &statbuf) != 0)
2247 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2252 acl_text = store_get(statbuf.st_size + 1);
2253 acl_text_end = acl_text + statbuf.st_size + 1;
2255 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2257 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2258 ss, strerror(errno));
2261 acl_text[statbuf.st_size] = 0;
2264 acl_name = string_sprintf("ACL \"%s\"", ss);
2265 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2269 /* Parse an ACL that is still in text form. If it came from a file, remember it
2270 in the ACL tree, having read it into the POOL_PERM store pool so that it
2271 persists between multiple messages. */
2275 int old_pool = store_pool;
2276 if (fd >= 0) store_pool = POOL_PERM;
2277 acl = acl_read(acl_getline, log_msgptr);
2278 store_pool = old_pool;
2279 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2282 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2283 Ustrcpy(t->name, ss);
2285 (void)tree_insertnode(&acl_anchor, t);
2289 /* Now we have an ACL to use. It's possible it may be NULL. */
2294 int basic_errno = 0;
2295 BOOL endpass_seen = FALSE;
2297 *log_msgptr = *user_msgptr = NULL;
2298 acl_temp_details = FALSE;
2300 if (where == ACL_WHERE_QUIT &&
2301 acl->verb != ACL_ACCEPT &&
2302 acl->verb != ACL_WARN)
2304 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2309 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2311 /* Clear out any search error message from a previous check before testing
2314 search_error_message = NULL;
2315 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2316 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2318 /* Handle special returns: DEFER causes a return except on a WARN verb;
2319 ERROR always causes a return. */
2324 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2325 if (basic_errno != ERRNO_CALLOUTDEFER)
2327 if (search_error_message != NULL && *search_error_message != 0)
2328 *log_msgptr = search_error_message;
2329 if (smtp_return_error_details) acl_temp_details = TRUE;
2333 acl_temp_details = TRUE;
2335 if (acl->verb != ACL_WARN) return DEFER;
2338 default: /* Paranoia */
2340 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2344 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2349 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2352 /* DISCARD and DROP can happen only from a nested ACL condition, and
2353 DISCARD can happen only for an "accept" or "discard" verb. */
2356 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2361 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2366 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2367 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2368 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2373 if (cond == OK || cond == DISCARD) return cond;
2376 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2384 acl_temp_details = TRUE;
2390 if (cond == OK) return FAIL;
2394 if (cond == OK || cond == DISCARD) return DISCARD;
2397 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2403 if (cond == OK) return FAIL_DROP;
2407 if (cond != OK) return cond;
2412 acl_warn(where, *user_msgptr, *log_msgptr);
2413 else if (cond == DEFER)
2414 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2415 "condition test deferred: %s",
2416 (*log_msgptr == NULL)? US"" : *log_msgptr));
2417 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2421 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2426 /* Pass to the next ACL item */
2431 /* We have reached the end of the ACL. This is an implicit DENY. */
2433 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2438 /*************************************************
2439 * Check access using an ACL *
2440 *************************************************/
2442 /* This is the external interface for ACL checks. It sets up an address and the
2443 expansions for $domain and $local_part when called after RCPT, then calls
2444 acl_check_internal() to do the actual work.
2447 where ACL_WHERE_xxxx indicating where called from
2448 data_string RCPT address, or SMTP command argument, or NULL
2449 s the input string; NULL is the same as an empty ACL => DENY
2450 user_msgptr where to put a user error (for SMTP response)
2451 log_msgptr where to put a logging message (not for SMTP response)
2453 Returns: OK access is granted by an ACCEPT verb
2454 DISCARD access is granted by a DISCARD verb
2455 FAIL access is denied
2456 FAIL_DROP access is denied; drop the connection
2457 DEFER can't tell at the moment
2462 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2463 uschar **log_msgptr)
2469 *user_msgptr = *log_msgptr = NULL;
2470 sender_verified_failed = NULL;
2472 if (where == ACL_WHERE_RCPT)
2474 adb = address_defaults;
2476 addr->address = data_string;
2477 if (deliver_split_address(addr) == DEFER)
2479 *log_msgptr = US"defer in percent_hack_domains check";
2482 deliver_domain = addr->domain;
2483 deliver_localpart = addr->local_part;
2488 smtp_command_argument = data_string;
2491 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2493 smtp_command_argument = deliver_domain =
2494 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2496 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2497 ACL, which is really in the middle of an SMTP command. */
2501 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2503 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2504 "ACL", acl_wherenames[where]);
2510 /* A DROP response is not permitted from MAILAUTH */
2512 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2514 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2515 "ACL", acl_wherenames[where]);
2519 /* Before giving an error response, take a look at the length of any user
2520 message, and split it up into multiple lines if possible. */
2522 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2524 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2530 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2531 if (*ss == 0) break;
2538 while (--t > s + 35)
2542 if (t[-1] == ':') { tt = t; break; }
2543 if (tt == NULL) tt = t;
2547 if (tt == NULL) /* Can't split behind - try ahead */
2552 if (*t == ' ' || *t == '\n')
2558 if (tt == NULL) break; /* Can't find anywhere to split */
git://git.exim.org / exim.git / blob