1 /* $Cambridge: exim/src/src/acl.c,v 1.20 2005/03/08 15:32:02 tom Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the condition for which "message" is used */
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
34 /* ACL condition and modifier codes - keep in step with the table that
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
46 #ifdef WITH_OLD_DEMIME
49 #ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59 #ifdef WITH_CONTENT_SCAN
63 #ifdef WITH_CONTENT_SCAN
67 #ifdef WITH_CONTENT_SCAN
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71 #ifdef WITH_CONTENT_SCAN
74 #ifdef EXPERIMENTAL_SPF
79 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80 "log_message", "logwrite", and "set" are modifiers that look like conditions
81 but always return TRUE. They are used for their side effects. */
83 static uschar *conditions[] = { US"acl", US"authenticated",
84 #ifdef EXPERIMENTAL_BRIGHTMAIL
89 #ifdef WITH_CONTENT_SCAN
93 #ifdef WITH_OLD_DEMIME
96 #ifdef EXPERIMENTAL_DOMAINKEYS
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
104 US"dnslists", US"domains", US"encrypted",
105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
106 #ifdef WITH_CONTENT_SCAN
110 #ifdef WITH_CONTENT_SCAN
114 #ifdef WITH_CONTENT_SCAN
117 US"sender_domains", US"senders", US"set",
118 #ifdef WITH_CONTENT_SCAN
121 #ifdef EXPERIMENTAL_SPF
126 /* ACL control names */
128 static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
130 US"queue_only", US"submission", US"no_multiline"};
132 /* Flags to indicate for which conditions /modifiers a string expansion is done
133 at the outer level. In the other cases, expansion already occurs in the
134 checking functions. */
136 static uschar cond_expand_at_top[] = {
138 FALSE, /* authenticated */
139 #ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
142 TRUE, /* condition */
144 #ifdef WITH_CONTENT_SCAN
148 #ifdef WITH_OLD_DEMIME
151 #ifdef EXPERIMENTAL_DOMAINKEYS
161 FALSE, /* encrypted */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
167 #ifdef WITH_CONTENT_SCAN
171 #ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
174 FALSE, /* recipients */
175 #ifdef WITH_CONTENT_SCAN
178 FALSE, /* sender_domains */
181 #ifdef WITH_CONTENT_SCAN
184 #ifdef EXPERIMENTAL_SPF
190 /* Flags to identify the modifiers */
192 static uschar cond_modifiers[] = {
194 FALSE, /* authenticated */
195 #ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
198 FALSE, /* condition */
200 #ifdef WITH_CONTENT_SCAN
204 #ifdef WITH_OLD_DEMIME
207 #ifdef EXPERIMENTAL_DOMAINKEYS
215 FALSE, /* dnslists */
217 FALSE, /* encrypted */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
223 #ifdef WITH_CONTENT_SCAN
227 #ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
230 FALSE, /* recipients */
231 #ifdef WITH_CONTENT_SCAN
234 FALSE, /* sender_domains */
237 #ifdef WITH_CONTENT_SCAN
240 #ifdef EXPERIMENTAL_SPF
246 /* Bit map vector of which conditions are not allowed at certain times. For
247 each condition, there's a bitmap of dis-allowed times. */
249 static unsigned int cond_forbids[] = {
252 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
255 #ifdef EXPERIMENTAL_BRIGHTMAIL
256 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
257 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
258 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
259 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
260 (1<<ACL_WHERE_MAILAUTH)|
261 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
262 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
267 /* Certain types of control are always allowed, so we let it through
268 always and check in the control processing itself */
272 #ifdef WITH_CONTENT_SCAN
273 (1<<ACL_WHERE_AUTH)| /* decode */
274 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
275 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
276 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
277 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
278 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
279 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
284 #ifdef WITH_OLD_DEMIME
285 (1<<ACL_WHERE_AUTH)| /* demime */
286 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
287 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
288 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
289 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
290 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
291 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
294 #ifdef EXPERIMENTAL_DOMAINKEYS
296 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
297 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
298 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
299 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
300 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
304 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
305 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
306 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
307 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
308 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
312 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
313 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
314 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
315 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
316 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
320 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
321 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
322 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
323 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
324 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
328 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
329 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
330 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
331 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
332 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
336 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
337 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
338 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
339 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
340 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
344 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
346 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
347 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
348 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
349 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
350 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
351 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
354 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
359 (1<<ACL_WHERE_NOTSMTP), /* hosts */
361 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
362 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
363 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
364 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
365 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
366 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
373 #ifdef WITH_CONTENT_SCAN
374 (1<<ACL_WHERE_AUTH)| /* malware */
375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
378 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
385 #ifdef WITH_CONTENT_SCAN
386 (1<<ACL_WHERE_AUTH)| /* mime_regex */
387 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
388 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
389 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
390 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
391 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
392 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
395 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
396 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
400 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
403 #ifdef WITH_CONTENT_SCAN
404 (1<<ACL_WHERE_AUTH)| /* regex */
405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
406 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
407 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
408 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
409 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
410 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
413 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
415 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
416 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
417 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
419 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
421 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
422 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
423 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
427 #ifdef WITH_CONTENT_SCAN
428 (1<<ACL_WHERE_AUTH)| /* spam */
429 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
430 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
431 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
432 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
433 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
434 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
437 #ifdef EXPERIMENTAL_SPF
438 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
440 (1<<ACL_WHERE_MAILAUTH)|
441 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
442 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
445 /* Certain types of verify are always allowed, so we let it through
446 always and check in the verify function itself */
452 /* Return values from decode_control() */
455 #ifdef EXPERIMENTAL_BRIGHTMAIL
458 #ifdef EXPERIMENTAL_DOMAINKEYS
461 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
462 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
463 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
464 #ifdef WITH_CONTENT_SCAN
465 CONTROL_NO_MBOX_UNSPOOL,
467 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
469 /* Bit map vector of which controls are not allowed at certain times. For
470 each control, there's a bitmap of dis-allowed times. For some, it is easier to
471 specify the negation of a small number of allowed times. */
473 static unsigned int control_forbids[] = {
474 #ifdef EXPERIMENTAL_BRIGHTMAIL
477 #ifdef EXPERIMENTAL_DOMAINKEYS
478 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA), /* dk_verify */
484 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
487 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
489 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
491 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
494 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
495 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
496 (1<<ACL_WHERE_NOTSMTP)),
499 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
500 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
501 (1<<ACL_WHERE_NOTSMTP)),
504 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
505 (1<<ACL_WHERE_PREDATA)),
507 #ifdef WITH_CONTENT_SCAN
509 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
510 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)),
514 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
515 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)),
517 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
520 /* Structure listing various control arguments, with their characteristics. */
522 typedef struct control_def {
524 int value; /* CONTROL_xxx value */
525 BOOL has_option; /* Has /option(s) following */
528 static control_def controls_list[] = {
529 #ifdef EXPERIMENTAL_BRIGHTMAIL
530 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
532 #ifdef EXPERIMENTAL_DOMAINKEYS
533 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
535 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
536 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
537 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
538 { US"freeze", CONTROL_FREEZE, FALSE},
539 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
540 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
541 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
542 #ifdef WITH_CONTENT_SCAN
543 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
545 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
546 { US"submission", CONTROL_SUBMISSION, TRUE}
549 /* Enable recursion between acl_check_internal() and acl_check_condition() */
551 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
555 /*************************************************
556 * Pick out name from list *
557 *************************************************/
559 /* Use a binary chop method
566 Returns: offset in list, or -1 if not found
570 acl_checkname(uschar *name, uschar **list, int end)
576 int mid = (start + end)/2;
577 int c = Ustrcmp(name, list[mid]);
578 if (c == 0) return mid;
579 if (c < 0) end = mid; else start = mid + 1;
586 /*************************************************
587 * Read and parse one ACL *
588 *************************************************/
590 /* This function is called both from readconf in order to parse the ACLs in the
591 configuration file, and also when an ACL is encountered dynamically (e.g. as
592 the result of an expansion). It is given a function to call in order to
593 retrieve the lines of the ACL. This function handles skipping comments and
594 blank lines (where relevant).
597 func function to get next line of ACL
598 error where to put an error message
600 Returns: pointer to ACL, or NULL
601 NULL can be legal (empty ACL); in this case error will be NULL
605 acl_read(uschar *(*func)(void), uschar **error)
607 acl_block *yield = NULL;
608 acl_block **lastp = &yield;
609 acl_block *this = NULL;
610 acl_condition_block *cond;
611 acl_condition_block **condp = NULL;
616 while ((s = (*func)()) != NULL)
619 BOOL negated = FALSE;
620 uschar *saveline = s;
623 /* Conditions (but not verbs) are allowed to be negated by an initial
626 while (isspace(*s)) s++;
633 /* Read the name of a verb or a condition, or the start of a new ACL */
635 s = readconf_readname(name, sizeof(name), s);
638 if (negated || name[0] == 0)
640 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
646 /* If a verb is unrecognized, it may be another condition or modifier that
647 continues the previous verb. */
649 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
654 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
665 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
668 this = store_get(sizeof(acl_block));
670 lastp = &(this->next);
673 this->condition = NULL;
674 condp = &(this->condition);
675 if (*s == 0) continue; /* No condition on this line */
681 s = readconf_readname(name, sizeof(name), s); /* Condition name */
684 /* Handle a condition or modifier. */
686 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
689 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
694 /* The modifiers may not be negated */
696 if (negated && cond_modifiers[c])
698 *error = string_sprintf("ACL error: negation is not allowed with "
699 "\"%s\"", conditions[c]);
703 /* ENDPASS may occur only with ACCEPT or DISCARD. */
705 if (c == ACLC_ENDPASS &&
706 this->verb != ACL_ACCEPT &&
707 this->verb != ACL_DISCARD)
709 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
710 conditions[c], verbs[this->verb]);
714 cond = store_get(sizeof(acl_condition_block));
717 cond->u.negated = negated;
720 condp = &(cond->next);
722 /* The "set" modifier is different in that its argument is "name=value"
723 rather than just a value, and we can check the validity of the name, which
724 gives us a variable number to insert into the data block. */
728 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
729 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
731 *error = string_sprintf("unrecognized name after \"set\" in ACL "
732 "modifier \"set %s\"", s);
736 cond->u.varnumber = s[5] - '0';
737 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
739 while (isspace(*s)) s++;
742 /* For "set", we are now positioned for the data. For the others, only
743 "endpass" has no data */
745 if (c != ACLC_ENDPASS)
749 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
750 cond_modifiers[c]? US"modifier" : US"condition");
753 while (isspace(*s)) s++;
754 cond->arg = string_copy(s);
763 /*************************************************
765 *************************************************/
767 /* This function is called when a WARN verb's conditions are true. It adds to
768 the message's headers, and/or writes information to the log. In each case, this
769 only happens once (per message for headers, per connection for log).
772 where ACL_WHERE_xxxx indicating which ACL this is
773 user_message message for adding to headers
774 log_message message for logging, if different
780 acl_warn(int where, uschar *user_message, uschar *log_message)
784 if (log_message != NULL && log_message != user_message)
789 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
790 string_printing(log_message));
792 /* If a sender verification has failed, and the log message is "sender verify
793 failed", add the failure message. */
795 if (sender_verified_failed != NULL &&
796 sender_verified_failed->message != NULL &&
797 strcmpic(log_message, US"sender verify failed") == 0)
798 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
800 /* Search previously logged warnings. They are kept in malloc store so they
801 can be freed at the start of a new message. */
803 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
804 if (Ustrcmp(logged->text, text) == 0) break;
808 int length = Ustrlen(text) + 1;
809 log_write(0, LOG_MAIN, "%s", text);
810 logged = store_malloc(sizeof(string_item) + length);
811 logged->text = (uschar *)logged + sizeof(string_item);
812 memcpy(logged->text, text, length);
813 logged->next = acl_warn_logged;
814 acl_warn_logged = logged;
818 /* If there's no user message, we are done. */
820 if (user_message == NULL) return;
822 /* If this isn't a message ACL, we can't do anything with a user message.
825 if (where > ACL_WHERE_NOTSMTP)
827 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
828 "found in a non-message (%s) ACL: cannot specify header lines here: "
829 "message ignored", acl_wherenames[where]);
833 /* Treat the user message as a sequence of one or more header lines. */
835 hlen = Ustrlen(user_message);
838 uschar *text, *p, *q;
840 /* Add a final newline if not present */
842 text = ((user_message)[hlen-1] == '\n')? user_message :
843 string_sprintf("%s\n", user_message);
845 /* Loop for multiple header lines, taking care about continuations */
847 for (p = q = text; *p != 0; )
850 int newtype = htype_add_bot;
851 header_line **hptr = &acl_warn_headers;
853 /* Find next header line within the string */
857 q = Ustrchr(q, '\n');
858 if (*(++q) != ' ' && *q != '\t') break;
861 /* If the line starts with a colon, interpret the instruction for where to
862 add it. This temporarily sets up a new type. */
866 if (strncmpic(p, US":after_received:", 16) == 0)
868 newtype = htype_add_rec;
871 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
873 newtype = htype_add_rfc;
876 else if (strncmpic(p, US":at_start:", 10) == 0)
878 newtype = htype_add_top;
881 else if (strncmpic(p, US":at_end:", 8) == 0)
883 newtype = htype_add_bot;
886 while (*p == ' ' || *p == '\t') p++;
889 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
890 to the front of it. */
892 for (s = p; s < q - 1; s++)
894 if (*s == ':' || !isgraph(*s)) break;
897 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
900 /* See if this line has already been added */
902 while (*hptr != NULL)
904 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
905 hptr = &((*hptr)->next);
908 /* Add if not previously present */
912 header_line *h = store_get(sizeof(header_line));
921 /* Advance for next header line within the string */
930 /*************************************************
931 * Verify and check reverse DNS *
932 *************************************************/
934 /* Called from acl_verify() below. We look up the host name(s) of the client IP
935 address if this has not yet been done. The host_name_lookup() function checks
936 that one of these names resolves to an address list that contains the client IP
937 address, so we don't actually have to do the check here.
940 user_msgptr pointer for user message
941 log_msgptr pointer for log message
943 Returns: OK verification condition succeeded
944 FAIL verification failed
945 DEFER there was a problem verifying
949 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
953 user_msgptr = user_msgptr; /* stop compiler warning */
955 /* Previous success */
957 if (sender_host_name != NULL) return OK;
959 /* Previous failure */
961 if (host_lookup_failed)
963 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
967 /* Need to do a lookup */
970 debug_printf("looking up host name to force name/address consistency check\n");
972 if ((rc = host_name_lookup()) != OK)
974 *log_msgptr = (rc == DEFER)?
975 US"host lookup deferred for reverse lookup check"
977 string_sprintf("host lookup failed for reverse lookup check%s",
979 return rc; /* DEFER or FAIL */
982 host_build_sender_fullhost();
988 /*************************************************
989 * Handle verification (address & other) *
990 *************************************************/
992 /* This function implements the "verify" condition. It is called when
993 encountered in any ACL, because some tests are almost always permitted. Some
994 just don't make sense, and always fail (for example, an attempt to test a host
995 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
998 where where called from
999 addr the recipient address that the ACL is handling, or NULL
1000 arg the argument of "verify"
1001 user_msgptr pointer for user message
1002 log_msgptr pointer for log message
1003 basic_errno where to put verify errno
1005 Returns: OK verification condition succeeded
1006 FAIL verification failed
1007 DEFER there was a problem verifying
1012 acl_verify(int where, address_item *addr, uschar *arg,
1013 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1017 int callout_overall = -1;
1018 int callout_connect = -1;
1019 int verify_options = 0;
1021 BOOL verify_header_sender = FALSE;
1022 BOOL defer_ok = FALSE;
1023 BOOL callout_defer_ok = FALSE;
1024 BOOL no_details = FALSE;
1025 address_item *sender_vaddr = NULL;
1026 uschar *verify_sender_address = NULL;
1027 uschar *pm_mailfrom = NULL;
1028 uschar *se_mailfrom = NULL;
1030 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1032 if (ss == NULL) goto BAD_VERIFY;
1034 /* Handle name/address consistency verification in a separate function. */
1036 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1038 if (sender_host_address == NULL) return OK;
1039 return acl_verify_reverse(user_msgptr, log_msgptr);
1042 /* TLS certificate verification is done at STARTTLS time; here we just
1043 test whether it was successful or not. (This is for optional verification; for
1044 mandatory verification, the connection doesn't last this long.) */
1046 if (strcmpic(ss, US"certificate") == 0)
1048 if (tls_certificate_verified) return OK;
1049 *user_msgptr = US"no verified certificate";
1053 /* We can test the result of optional HELO verification */
1055 if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
1057 /* Handle header verification options - permitted only after DATA or a non-SMTP
1060 if (strncmpic(ss, US"header_", 7) == 0)
1062 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1064 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1065 "(only possible in ACL for DATA)", acl_wherenames[where]);
1069 /* Check that all relevant header lines have the correct syntax. If there is
1070 a syntax error, we return details of the error to the sender if configured to
1071 send out full details. (But a "message" setting on the ACL can override, as
1074 if (strcmpic(ss+7, US"syntax") == 0)
1076 int rc = verify_check_headers(log_msgptr);
1077 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1078 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1082 /* Check that there is at least one verifiable sender address in the relevant
1083 header lines. This can be followed by callout and defer options, just like
1084 sender and recipient. */
1086 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
1088 /* Unknown verify argument starting with "header_" */
1090 else goto BAD_VERIFY;
1093 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1094 In the case of a sender, this can optionally be followed by an address to use
1095 in place of the actual sender (rare special-case requirement). */
1097 else if (strncmpic(ss, US"sender", 6) == 0)
1100 if (where > ACL_WHERE_NOTSMTP)
1102 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1103 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1104 acl_wherenames[where]);
1108 verify_sender_address = sender_address;
1111 while (isspace(*s)) s++;
1112 if (*s++ != '=') goto BAD_VERIFY;
1113 while (isspace(*s)) s++;
1114 verify_sender_address = string_copy(s);
1119 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1122 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1123 "(only possible for RCPT)", acl_wherenames[where]);
1128 /* Remaining items are optional */
1130 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1133 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1134 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1136 /* These two old options are left for backwards compatibility */
1138 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1140 callout_defer_ok = TRUE;
1141 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1144 else if (strcmpic(ss, US"check_postmaster") == 0)
1147 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1150 /* The callout option has a number of sub-options, comma separated */
1152 else if (strncmpic(ss, US"callout", 7) == 0)
1154 callout = CALLOUT_TIMEOUT_DEFAULT;
1158 while (isspace(*ss)) ss++;
1164 while (isspace(*ss)) ss++;
1166 /* This callout option handling code has become a mess as new options
1167 have been added in an ad hoc manner. It should be tidied up into some
1168 kind of table-driven thing. */
1170 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1173 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1174 else if (strcmpic(opt, US"no_cache") == 0)
1175 verify_options |= vopt_callout_no_cache;
1176 else if (strcmpic(opt, US"random") == 0)
1177 verify_options |= vopt_callout_random;
1178 else if (strcmpic(opt, US"use_sender") == 0)
1179 verify_options |= vopt_callout_recipsender;
1180 else if (strcmpic(opt, US"use_postmaster") == 0)
1181 verify_options |= vopt_callout_recippmaster;
1182 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1184 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1186 if (!verify_header_sender)
1188 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1189 "callout option only for verify=header_sender (detected in ACL "
1190 "condition \"%s\")", arg);
1194 while (isspace(*opt)) opt++;
1197 *log_msgptr = string_sprintf("'=' expected after "
1198 "\"mailfrom\" in ACL condition \"%s\"", arg);
1201 while (isspace(*opt)) opt++;
1202 se_mailfrom = string_copy(opt);
1205 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1208 while (isspace(*opt)) opt++;
1211 *log_msgptr = string_sprintf("'=' expected after "
1212 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1215 while (isspace(*opt)) opt++;
1216 pm_mailfrom = string_copy(opt);
1219 else if (strncmpic(opt, US"maxwait", 7) == 0)
1222 while (isspace(*opt)) opt++;
1225 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1226 "ACL condition \"%s\"", arg);
1229 while (isspace(*opt)) opt++;
1230 callout_overall = readconf_readtime(opt, 0, FALSE);
1231 if (callout_overall < 0)
1233 *log_msgptr = string_sprintf("bad time value in ACL condition "
1234 "\"verify %s\"", arg);
1238 else if (strncmpic(opt, US"connect", 7) == 0)
1241 while (isspace(*opt)) opt++;
1244 *log_msgptr = string_sprintf("'=' expected after "
1245 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1248 while (isspace(*opt)) opt++;
1249 callout_connect = readconf_readtime(opt, 0, FALSE);
1250 if (callout_connect < 0)
1252 *log_msgptr = string_sprintf("bad time value in ACL condition "
1253 "\"verify %s\"", arg);
1257 else /* Plain time is callout connect/command timeout */
1259 callout = readconf_readtime(opt, 0, FALSE);
1262 *log_msgptr = string_sprintf("bad time value in ACL condition "
1263 "\"verify %s\"", arg);
1271 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1272 "ACL condition \"%s\"", arg);
1278 /* Option not recognized */
1282 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1283 "condition \"verify %s\"", ss, arg);
1288 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1289 (vopt_callout_recipsender|vopt_callout_recippmaster))
1291 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1292 "for a recipient callout";
1296 /* Handle sender-in-header verification. Default the user message to the log
1297 message if giving out verification details. */
1299 if (verify_header_sender)
1302 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1303 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1307 *basic_errno = verrno;
1308 if (smtp_return_error_details)
1310 if (*user_msgptr == NULL && *log_msgptr != NULL)
1311 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1312 if (rc == DEFER) acl_temp_details = TRUE;
1317 /* Handle a sender address. The default is to verify *the* sender address, but
1318 optionally a different address can be given, for special requirements. If the
1319 address is empty, we are dealing with a bounce message that has no sender, so
1320 we cannot do any checking. If the real sender address gets rewritten during
1321 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1322 during message reception.
1324 A list of verified "sender" addresses is kept to try to avoid doing to much
1325 work repetitively when there are multiple recipients in a message and they all
1326 require sender verification. However, when callouts are involved, it gets too
1327 complicated because different recipients may require different callout options.
1328 Therefore, we always do a full sender verify when any kind of callout is
1329 specified. Caching elsewhere, for instance in the DNS resolver and in the
1330 callout handling, should ensure that this is not terribly inefficient. */
1332 else if (verify_sender_address != NULL)
1334 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1337 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1338 "sender verify callout";
1342 sender_vaddr = verify_checked_sender(verify_sender_address);
1343 if (sender_vaddr != NULL && /* Previously checked */
1344 callout <= 0) /* No callout needed this time */
1346 /* If the "routed" flag is set, it means that routing worked before, so
1347 this check can give OK (the saved return code value, if set, belongs to a
1348 callout that was done previously). If the "routed" flag is not set, routing
1349 must have failed, so we use the saved return code. */
1351 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1353 rc = sender_vaddr->special_action;
1354 *basic_errno = sender_vaddr->basic_errno;
1356 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1359 /* Do a new verification, and cache the result. The cache is used to avoid
1360 verifying the sender multiple times for multiple RCPTs when callouts are not
1361 specified (see comments above).
1363 The cache is also used on failure to give details in response to the first
1364 RCPT that gets bounced for this reason. However, this can be suppressed by
1365 the no_details option, which sets the flag that says "this detail has already
1366 been sent". The cache normally contains just one address, but there may be
1367 more in esoteric circumstances. */
1372 uschar *save_address_data = deliver_address_data;
1374 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1375 if (no_details) setflag(sender_vaddr, af_sverify_told);
1376 if (verify_sender_address[0] != 0)
1378 /* If this is the real sender address, save the unrewritten version
1379 for use later in receive. Otherwise, set a flag so that rewriting the
1380 sender in verify_address() does not update sender_address. */
1382 if (verify_sender_address == sender_address)
1383 sender_address_unrewritten = sender_address;
1385 verify_options |= vopt_fake_sender;
1387 /* The recipient, qualify, and expn options are never set in
1390 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1391 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1393 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1397 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1399 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1400 verify_sender_address, sender_vaddr->address);
1404 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1405 verify_sender_address);
1408 else *basic_errno = sender_vaddr->basic_errno;
1410 else rc = OK; /* Null sender */
1412 /* Cache the result code */
1414 if (routed) setflag(sender_vaddr, af_verify_routed);
1415 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1416 sender_vaddr->special_action = rc;
1417 sender_vaddr->next = sender_verified_list;
1418 sender_verified_list = sender_vaddr;
1420 /* Restore the recipient address data, which might have been clobbered by
1421 the sender verification. */
1423 deliver_address_data = save_address_data;
1426 /* Put the sender address_data value into $sender_address_data */
1428 sender_address_data = sender_vaddr->p.address_data;
1431 /* A recipient address just gets a straightforward verify; again we must handle
1432 the DEFER overrides. */
1438 /* We must use a copy of the address for verification, because it might
1442 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1443 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1444 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1446 *log_msgptr = addr2.message;
1447 *user_msgptr = (addr2.user_message != NULL)?
1448 addr2.user_message : addr2.message;
1449 *basic_errno = addr2.basic_errno;
1451 /* Make $address_data visible */
1452 deliver_address_data = addr2.p.address_data;
1455 /* We have a result from the relevant test. Handle defer overrides first. */
1457 if (rc == DEFER && (defer_ok ||
1458 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1460 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1461 defer_ok? "defer_ok" : "callout_defer_ok");
1465 /* If we've failed a sender, set up a recipient message, and point
1466 sender_verified_failed to the address item that actually failed. */
1468 if (rc != OK && verify_sender_address != NULL)
1472 *log_msgptr = *user_msgptr = US"Sender verify failed";
1474 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1476 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1480 *log_msgptr = US"Could not complete sender verify callout";
1481 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1485 sender_verified_failed = sender_vaddr;
1488 /* Verifying an address messes up the values of $domain and $local_part,
1489 so reset them before returning if this is a RCPT ACL. */
1493 deliver_domain = addr->domain;
1494 deliver_localpart = addr->local_part;
1498 /* Syntax errors in the verify argument come here. */
1501 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1502 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1503 "\"verify %s\"", arg);
1510 /*************************************************
1511 * Check argument for control= modifier *
1512 *************************************************/
1514 /* Called from acl_check_condition() below
1517 arg the argument string for control=
1518 pptr set to point to the terminating character
1519 where which ACL we are in
1520 log_msgptr for error messages
1522 Returns: CONTROL_xxx value
1526 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1531 for (d = controls_list;
1532 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1535 len = Ustrlen(d->name);
1536 if (Ustrncmp(d->name, arg, len) == 0) break;
1539 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1540 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1542 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1543 return CONTROL_ERROR;
1552 /*************************************************
1553 * Handle conditions/modifiers on an ACL item *
1554 *************************************************/
1556 /* Called from acl_check() below.
1560 cb ACL condition block - if NULL, result is OK
1561 where where called from
1562 addr the address being checked for RCPT, or NULL
1563 level the nesting level
1564 epp pointer to pass back TRUE if "endpass" encountered
1565 (applies only to "accept" and "discard")
1566 user_msgptr user message pointer
1567 log_msgptr log message pointer
1568 basic_errno pointer to where to put verify error
1570 Returns: OK - all conditions are met
1571 DISCARD - an "acl" condition returned DISCARD - only allowed
1572 for "accept" or "discard" verbs
1573 FAIL - at least one condition fails
1574 FAIL_DROP - an "acl" condition returned FAIL_DROP
1575 DEFER - can't tell at the moment (typically, lookup defer,
1576 but can be temporary callout problem)
1577 ERROR - ERROR from nested ACL or expansion failure or other
1582 acl_check_condition(int verb, acl_condition_block *cb, int where,
1583 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1584 uschar **log_msgptr, int *basic_errno)
1586 uschar *user_message = NULL;
1587 uschar *log_message = NULL;
1590 #ifdef WITH_CONTENT_SCAN
1594 for (; cb != NULL; cb = cb->next)
1599 /* The message and log_message items set up messages to be used in
1600 case of rejection. They are expanded later. */
1602 if (cb->type == ACLC_MESSAGE)
1604 user_message = cb->arg;
1608 if (cb->type == ACLC_LOG_MESSAGE)
1610 log_message = cb->arg;
1614 /* The endpass "condition" just sets a flag to show it occurred. This is
1615 checked at compile time to be on an "accept" or "discard" item. */
1617 if (cb->type == ACLC_ENDPASS)
1623 /* For other conditions and modifiers, the argument is expanded now for some
1624 of them, but not for all, because expansion happens down in some lower level
1625 checking functions in some cases. */
1627 if (cond_expand_at_top[cb->type])
1629 arg = expand_string(cb->arg);
1632 if (expand_string_forcedfail) continue;
1633 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1634 cb->arg, expand_string_message);
1635 return search_find_defer? DEFER : ERROR;
1640 /* Show condition, and expanded condition if it's different */
1645 debug_printf("check %s%s %n",
1646 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1647 conditions[cb->type], &lhswidth);
1649 if (cb->type == ACLC_SET)
1651 int n = cb->u.varnumber;
1652 int t = (n < ACL_C_MAX)? 'c' : 'm';
1653 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1654 debug_printf("acl_%c%d ", t, n);
1658 debug_printf("= %s\n", cb->arg);
1661 debug_printf("%.*s= %s\n", lhswidth,
1665 /* Check that this condition makes sense at this time */
1667 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1669 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1670 cond_modifiers[cb->type]? "use" : "test",
1671 conditions[cb->type], acl_wherenames[where]);
1675 /* Run the appropriate test for each condition, or take the appropriate
1676 action for the remaining modifiers. */
1680 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1684 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1685 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1687 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1688 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1694 case ACLC_AUTHENTICATED:
1695 rc = (sender_host_authenticated == NULL)? FAIL :
1696 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1700 #ifdef EXPERIMENTAL_BRIGHTMAIL
1701 case ACLC_BMI_OPTIN:
1703 int old_pool = store_pool;
1704 store_pool = POOL_PERM;
1705 bmi_current_optin = string_copy(arg);
1706 store_pool = old_pool;
1711 case ACLC_CONDITION:
1712 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1713 rc = (Uatoi(arg) == 0)? FAIL : OK;
1715 rc = (strcmpic(arg, US"no") == 0 ||
1716 strcmpic(arg, US"false") == 0)? FAIL :
1717 (strcmpic(arg, US"yes") == 0 ||
1718 strcmpic(arg, US"true") == 0)? OK : DEFER;
1720 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1724 control_type = decode_control(arg, &p, where, log_msgptr);
1726 /* Check if this control makes sense at this time */
1728 if ((control_forbids[control_type] & (1 << where)) != 0)
1730 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1731 controls[control_type], acl_wherenames[where]);
1735 switch(control_type)
1737 #ifdef EXPERIMENTAL_BRIGHTMAIL
1738 case CONTROL_BMI_RUN:
1742 #ifdef EXPERIMENTAL_DOMAINKEYS
1743 case CONTROL_DK_VERIFY:
1750 case CONTROL_CASEFUL_LOCAL_PART:
1751 deliver_localpart = addr->cc_local_part;
1754 case CONTROL_CASELOWER_LOCAL_PART:
1755 deliver_localpart = addr->lc_local_part;
1758 case CONTROL_ENFORCE_SYNC:
1759 smtp_enforce_sync = TRUE;
1762 case CONTROL_NO_ENFORCE_SYNC:
1763 smtp_enforce_sync = FALSE;
1766 #ifdef WITH_CONTENT_SCAN
1767 case CONTROL_NO_MBOX_UNSPOOL:
1768 no_mbox_unspool = TRUE;
1772 case CONTROL_NO_MULTILINE:
1773 no_multiline_responses = TRUE;
1776 case CONTROL_FAKEREJECT:
1781 while (*pp != 0) pp++;
1782 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1787 /* Explicitly reset to default string */
1788 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
1792 case CONTROL_FREEZE:
1793 deliver_freeze = TRUE;
1794 deliver_frozen_at = time(NULL);
1797 case CONTROL_QUEUE_ONLY:
1798 queue_only_policy = TRUE;
1801 case CONTROL_SUBMISSION:
1802 submission_mode = TRUE;
1805 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1808 active_local_sender_retain = TRUE;
1809 active_local_from_check = FALSE;
1811 else if (Ustrncmp(p, "/domain=", 8) == 0)
1814 while (*pp != 0 && *pp != '/') pp++;
1815 submission_domain = string_copyn(p+8, pp-p);
1822 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1829 #ifdef WITH_CONTENT_SCAN
1831 rc = mime_decode(&arg);
1837 int delay = readconf_readtime(arg, 0, FALSE);
1840 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1841 "modifier: \"%s\" is not a time value", arg);
1846 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1851 debug_printf("delay skipped in -bh checking mode\n");
1855 while (delay > 0) delay = sleep(delay);
1861 #ifdef WITH_OLD_DEMIME
1867 #ifdef EXPERIMENTAL_DOMAINKEYS
1868 case ACLC_DK_DOMAIN_SOURCE:
1869 if (dk_verify_block == NULL) { rc = FAIL; break; };
1870 /* check header source of domain against given string */
1871 switch (dk_verify_block->address_source) {
1872 case DK_EXIM_ADDRESS_FROM_FROM:
1873 rc = match_isinlist(US"from", &arg, 0, NULL,
1874 NULL, MCL_STRING, TRUE, NULL);
1876 case DK_EXIM_ADDRESS_FROM_SENDER:
1877 rc = match_isinlist(US"sender", &arg, 0, NULL,
1878 NULL, MCL_STRING, TRUE, NULL);
1880 case DK_EXIM_ADDRESS_NONE:
1881 rc = match_isinlist(US"none", &arg, 0, NULL,
1882 NULL, MCL_STRING, TRUE, NULL);
1886 case ACLC_DK_POLICY:
1887 if (dk_verify_block == NULL) { rc = FAIL; break; };
1888 /* check policy against given string, default FAIL */
1890 if (dk_verify_block->signsall)
1891 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1892 NULL, MCL_STRING, TRUE, NULL);
1893 if (dk_verify_block->testing)
1894 rc = match_isinlist(US"testing", &arg, 0, NULL,
1895 NULL, MCL_STRING, TRUE, NULL);
1897 case ACLC_DK_SENDER_DOMAINS:
1898 if (dk_verify_block == NULL) { rc = FAIL; break; };
1899 if (dk_verify_block->domain != NULL)
1900 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1901 NULL, MCL_DOMAIN, TRUE, NULL);
1904 case ACLC_DK_SENDER_LOCAL_PARTS:
1905 if (dk_verify_block == NULL) { rc = FAIL; break; };
1906 if (dk_verify_block->local_part != NULL)
1907 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1908 NULL, MCL_LOCALPART, TRUE, NULL);
1911 case ACLC_DK_SENDERS:
1912 if (dk_verify_block == NULL) { rc = FAIL; break; };
1913 if (dk_verify_block->address != NULL)
1914 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1917 case ACLC_DK_STATUS:
1918 if (dk_verify_block == NULL) { rc = FAIL; break; };
1919 if (dk_verify_block->result > 0) {
1920 switch(dk_verify_block->result) {
1921 case DK_EXIM_RESULT_BAD_FORMAT:
1922 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1923 NULL, MCL_STRING, TRUE, NULL);
1925 case DK_EXIM_RESULT_NO_KEY:
1926 rc = match_isinlist(US"no key", &arg, 0, NULL,
1927 NULL, MCL_STRING, TRUE, NULL);
1929 case DK_EXIM_RESULT_NO_SIGNATURE:
1930 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1931 NULL, MCL_STRING, TRUE, NULL);
1933 case DK_EXIM_RESULT_REVOKED:
1934 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1935 NULL, MCL_STRING, TRUE, NULL);
1937 case DK_EXIM_RESULT_NON_PARTICIPANT:
1938 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1939 NULL, MCL_STRING, TRUE, NULL);
1941 case DK_EXIM_RESULT_GOOD:
1942 rc = match_isinlist(US"good", &arg, 0, NULL,
1943 NULL, MCL_STRING, TRUE, NULL);
1945 case DK_EXIM_RESULT_BAD:
1946 rc = match_isinlist(US"bad", &arg, 0, NULL,
1947 NULL, MCL_STRING, TRUE, NULL);
1955 rc = verify_check_dnsbl(&arg);
1959 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1960 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1963 /* The value in tls_cipher is the full cipher name, for example,
1964 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1965 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1966 what may in practice come out of the SSL library - which at the time of
1967 writing is poorly documented. */
1969 case ACLC_ENCRYPTED:
1970 if (tls_cipher == NULL) rc = FAIL; else
1972 uschar *endcipher = NULL;
1973 uschar *cipher = Ustrchr(tls_cipher, ':');
1974 if (cipher == NULL) cipher = tls_cipher; else
1976 endcipher = Ustrchr(++cipher, ':');
1977 if (endcipher != NULL) *endcipher = 0;
1979 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1980 if (endcipher != NULL) *endcipher = ':';
1984 /* Use verify_check_this_host() instead of verify_check_host() so that
1985 we can pass over &host_data to catch any looked up data. Once it has been
1986 set, it retains its value so that it's still there if another ACL verb
1987 comes through here and uses the cache. However, we must put it into
1988 permanent store in case it is also expected to be used in a subsequent
1989 message in the same SMTP connection. */
1992 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1993 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1994 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1997 case ACLC_LOCAL_PARTS:
1998 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1999 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2000 &deliver_localpart_data);
2012 if (Ustrncmp(s, "main", 4) == 0)
2013 { logbits |= LOG_MAIN; s += 4; }
2014 else if (Ustrncmp(s, "panic", 5) == 0)
2015 { logbits |= LOG_PANIC; s += 5; }
2016 else if (Ustrncmp(s, "reject", 6) == 0)
2017 { logbits |= LOG_REJECT; s += 6; }
2020 logbits = LOG_MAIN|LOG_PANIC;
2021 s = string_sprintf(":unknown log name in \"%s\" in "
2022 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2028 while (isspace(*s)) s++;
2029 if (logbits == 0) logbits = LOG_MAIN;
2030 log_write(0, logbits, "%s", string_printing(s));
2034 #ifdef WITH_CONTENT_SCAN
2037 /* Seperate the regular expression and any optional parameters. */
2038 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2039 /* Run the malware backend. */
2041 /* Modify return code based upon the existance of options. */
2042 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2044 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2046 /* FAIL so that the message is passed to the next ACL */
2053 case ACLC_MIME_REGEX:
2054 rc = mime_regex(&arg);
2058 case ACLC_RECIPIENTS:
2059 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2063 #ifdef WITH_CONTENT_SCAN
2069 case ACLC_SENDER_DOMAINS:
2072 sdomain = Ustrrchr(sender_address, '@');
2073 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2074 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2075 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2080 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2081 sender_address_cache, -1, 0, &sender_data);
2084 /* Connection variables must persist forever */
2088 int old_pool = store_pool;
2089 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2090 acl_var[cb->u.varnumber] = string_copy(arg);
2091 store_pool = old_pool;
2095 #ifdef WITH_CONTENT_SCAN
2098 /* Seperate the regular expression and any optional parameters. */
2099 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2100 /* Run the spam backend. */
2102 /* Modify return code based upon the existance of options. */
2103 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2105 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2107 /* FAIL so that the message is passed to the next ACL */
2115 #ifdef EXPERIMENTAL_SPF
2117 rc = spf_process(&arg, sender_address);
2121 /* If the verb is WARN, discard any user message from verification, because
2122 such messages are SMTP responses, not header additions. The latter come
2123 only from explicit "message" modifiers. */
2126 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2127 if (verb == ACL_WARN) *user_msgptr = NULL;
2131 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2132 "condition %d", cb->type);
2136 /* If a condition was negated, invert OK/FAIL. */
2138 if (!cond_modifiers[cb->type] && cb->u.negated)
2140 if (rc == OK) rc = FAIL;
2141 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2144 if (rc != OK) break; /* Conditions loop */
2148 /* If the result is the one for which "message" and/or "log_message" are used,
2149 handle the values of these options. Most verbs have but a single return for
2150 which the messages are relevant, but for "discard", it's useful to have the log
2151 message both when it succeeds and when it fails. Also, for an "accept" that
2152 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2153 and "warn" are permitted in that ACL, we don't need to test the verb.
2155 These modifiers act in different ways:
2157 "message" is a user message that will be included in an SMTP response. Unless
2158 it is empty, it overrides any previously set user message.
2160 "log_message" is a non-user message, and it adds to any existing non-user
2161 message that is already set.
2163 If there isn't a log message set, we make it the same as the user message. */
2165 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2166 (verb == ACL_DISCARD && rc == OK) ||
2167 (where == ACL_WHERE_QUIT))
2171 /* If the verb is "warn", messages generated by conditions (verification or
2172 nested ACLs) are discarded. Only messages specified at this level are used.
2173 However, the value of an existing message is available in $acl_verify_message
2174 during expansions. */
2176 uschar *old_user_msgptr = *user_msgptr;
2177 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2179 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2181 if (user_message != NULL)
2183 acl_verify_message = old_user_msgptr;
2184 expmessage = expand_string(user_message);
2185 if (expmessage == NULL)
2187 if (!expand_string_forcedfail)
2188 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2189 user_message, expand_string_message);
2191 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2194 if (log_message != NULL)
2196 acl_verify_message = old_log_msgptr;
2197 expmessage = expand_string(log_message);
2198 if (expmessage == NULL)
2200 if (!expand_string_forcedfail)
2201 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2202 log_message, expand_string_message);
2204 else if (expmessage[0] != 0)
2206 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2207 string_sprintf("%s: %s", expmessage, *log_msgptr);
2211 /* If no log message, default it to the user message */
2213 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2216 acl_verify_message = NULL;
2224 /*************************************************
2225 * Get line from a literal ACL *
2226 *************************************************/
2228 /* This function is passed to acl_read() in order to extract individual lines
2229 of a literal ACL, which we access via static pointers. We can destroy the
2230 contents because this is called only once (the compiled ACL is remembered).
2232 This code is intended to treat the data in the same way as lines in the main
2233 Exim configuration file. That is:
2235 . Leading spaces are ignored.
2237 . A \ at the end of a line is a continuation - trailing spaces after the \
2238 are permitted (this is because I don't believe in making invisible things
2239 significant). Leading spaces on the continued part of a line are ignored.
2241 . Physical lines starting (significantly) with # are totally ignored, and
2242 may appear within a sequence of backslash-continued lines.
2244 . Blank lines are ignored, but will end a sequence of continuations.
2247 Returns: a pointer to the next line
2251 static uschar *acl_text; /* Current pointer in the text */
2252 static uschar *acl_text_end; /* Points one past the terminating '0' */
2260 /* This loop handles leading blank lines and comments. */
2264 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2265 if (*acl_text == 0) return NULL; /* No more data */
2266 yield = acl_text; /* Potential data line */
2268 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2270 /* If we hit the end before a newline, we have the whole logical line. If
2271 it's a comment, there's no more data to be given. Otherwise, yield it. */
2273 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2275 /* After reaching a newline, end this loop if the physical line does not
2276 start with '#'. If it does, it's a comment, and the loop continues. */
2278 if (*yield != '#') break;
2281 /* This loop handles continuations. We know we have some real data, ending in
2282 newline. See if there is a continuation marker at the end (ignoring trailing
2283 white space). We know that *yield is not white space, so no need to test for
2284 cont > yield in the backwards scanning loop. */
2289 for (cont = acl_text - 1; isspace(*cont); cont--);
2291 /* If no continuation follows, we are done. Mark the end of the line and
2300 /* We have encountered a continuation. Skip over whitespace at the start of
2301 the next line, and indeed the whole of the next line or lines if they are
2306 while (*(++acl_text) == ' ' || *acl_text == '\t');
2307 if (*acl_text != '#') break;
2308 while (*(++acl_text) != 0 && *acl_text != '\n');
2311 /* We have the start of a continuation line. Move all the rest of the data
2312 to join onto the previous line, and then find its end. If the end is not a
2313 newline, we are done. Otherwise loop to look for another continuation. */
2315 memmove(cont, acl_text, acl_text_end - acl_text);
2316 acl_text_end -= acl_text - cont;
2318 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2319 if (*acl_text == 0) return yield;
2322 /* Control does not reach here */
2329 /*************************************************
2330 * Check access using an ACL *
2331 *************************************************/
2333 /* This function is called from address_check. It may recurse via
2334 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2335 passed as a string which is expanded. A forced failure implies no access check
2336 is required. If the result is a single word, it is taken as the name of an ACL
2337 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2338 text, complete with newlines, and parsed as such. In both cases, the ACL check
2339 is then run. This function uses an auxiliary function for acl_read() to call
2340 for reading individual lines of a literal ACL. This is acl_getline(), which
2341 appears immediately above.
2344 where where called from
2345 addr address item when called from RCPT; otherwise NULL
2346 s the input string; NULL is the same as an empty ACL => DENY
2347 level the nesting level
2348 user_msgptr where to put a user error (for SMTP response)
2349 log_msgptr where to put a logging message (not for SMTP response)
2351 Returns: OK access is granted
2352 DISCARD access is apparently granted...
2353 FAIL access is denied
2354 FAIL_DROP access is denied; drop the connection
2355 DEFER can't tell at the moment
2360 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2361 uschar **user_msgptr, uschar **log_msgptr)
2364 acl_block *acl = NULL;
2365 uschar *acl_name = US"inline ACL";
2368 /* Catch configuration loops */
2372 *log_msgptr = US"ACL nested too deep: possible loop";
2378 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2382 /* At top level, we expand the incoming string. At lower levels, it has already
2383 been expanded as part of condition processing. */
2387 ss = expand_string(s);
2390 if (expand_string_forcedfail) return OK;
2391 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2392 expand_string_message);
2398 while (isspace(*ss))ss++;
2400 /* If we can't find a named ACL, the default is to parse it as an inline one.
2401 (Unless it begins with a slash; non-existent files give rise to an error.) */
2405 /* Handle the case of a string that does not contain any spaces. Look for a
2406 named ACL among those read from the configuration, or a previously read file.
2407 It is possible that the pointer to the ACL is NULL if the configuration
2408 contains a name with no data. If not found, and the text begins with '/',
2409 read an ACL from a file, and save it so it can be re-used. */
2411 if (Ustrchr(ss, ' ') == NULL)
2413 tree_node *t = tree_search(acl_anchor, ss);
2416 acl = (acl_block *)(t->data.ptr);
2419 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2422 acl_name = string_sprintf("ACL \"%s\"", ss);
2423 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2426 else if (*ss == '/')
2428 struct stat statbuf;
2429 fd = Uopen(ss, O_RDONLY, 0);
2432 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2437 if (fstat(fd, &statbuf) != 0)
2439 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2444 acl_text = store_get(statbuf.st_size + 1);
2445 acl_text_end = acl_text + statbuf.st_size + 1;
2447 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2449 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2450 ss, strerror(errno));
2453 acl_text[statbuf.st_size] = 0;
2456 acl_name = string_sprintf("ACL \"%s\"", ss);
2457 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2461 /* Parse an ACL that is still in text form. If it came from a file, remember it
2462 in the ACL tree, having read it into the POOL_PERM store pool so that it
2463 persists between multiple messages. */
2467 int old_pool = store_pool;
2468 if (fd >= 0) store_pool = POOL_PERM;
2469 acl = acl_read(acl_getline, log_msgptr);
2470 store_pool = old_pool;
2471 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2474 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2475 Ustrcpy(t->name, ss);
2477 (void)tree_insertnode(&acl_anchor, t);
2481 /* Now we have an ACL to use. It's possible it may be NULL. */
2486 int basic_errno = 0;
2487 BOOL endpass_seen = FALSE;
2489 *log_msgptr = *user_msgptr = NULL;
2490 acl_temp_details = FALSE;
2492 if (where == ACL_WHERE_QUIT &&
2493 acl->verb != ACL_ACCEPT &&
2494 acl->verb != ACL_WARN)
2496 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2501 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2503 /* Clear out any search error message from a previous check before testing
2506 search_error_message = NULL;
2507 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2508 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2510 /* Handle special returns: DEFER causes a return except on a WARN verb;
2511 ERROR always causes a return. */
2516 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2517 if (basic_errno != ERRNO_CALLOUTDEFER)
2519 if (search_error_message != NULL && *search_error_message != 0)
2520 *log_msgptr = search_error_message;
2521 if (smtp_return_error_details) acl_temp_details = TRUE;
2525 acl_temp_details = TRUE;
2527 if (acl->verb != ACL_WARN) return DEFER;
2530 default: /* Paranoia */
2532 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2536 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2541 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2544 /* DISCARD and DROP can happen only from a nested ACL condition, and
2545 DISCARD can happen only for an "accept" or "discard" verb. */
2548 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2553 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2558 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2559 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2560 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2565 if (cond == OK || cond == DISCARD) return cond;
2568 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2576 acl_temp_details = TRUE;
2582 if (cond == OK) return FAIL;
2586 if (cond == OK || cond == DISCARD) return DISCARD;
2589 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2595 if (cond == OK) return FAIL_DROP;
2599 if (cond != OK) return cond;
2604 acl_warn(where, *user_msgptr, *log_msgptr);
2605 else if (cond == DEFER)
2606 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2607 "condition test deferred: %s",
2608 (*log_msgptr == NULL)? US"" : *log_msgptr));
2609 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2613 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2618 /* Pass to the next ACL item */
2623 /* We have reached the end of the ACL. This is an implicit DENY. */
2625 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2630 /*************************************************
2631 * Check access using an ACL *
2632 *************************************************/
2634 /* This is the external interface for ACL checks. It sets up an address and the
2635 expansions for $domain and $local_part when called after RCPT, then calls
2636 acl_check_internal() to do the actual work.
2639 where ACL_WHERE_xxxx indicating where called from
2640 data_string RCPT address, or SMTP command argument, or NULL
2641 s the input string; NULL is the same as an empty ACL => DENY
2642 user_msgptr where to put a user error (for SMTP response)
2643 log_msgptr where to put a logging message (not for SMTP response)
2645 Returns: OK access is granted by an ACCEPT verb
2646 DISCARD access is granted by a DISCARD verb
2647 FAIL access is denied
2648 FAIL_DROP access is denied; drop the connection
2649 DEFER can't tell at the moment
2654 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2655 uschar **log_msgptr)
2661 *user_msgptr = *log_msgptr = NULL;
2662 sender_verified_failed = NULL;
2664 if (where == ACL_WHERE_RCPT)
2666 adb = address_defaults;
2668 addr->address = data_string;
2669 if (deliver_split_address(addr) == DEFER)
2671 *log_msgptr = US"defer in percent_hack_domains check";
2674 deliver_domain = addr->domain;
2675 deliver_localpart = addr->local_part;
2680 smtp_command_argument = data_string;
2683 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2685 smtp_command_argument = deliver_domain =
2686 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2688 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2689 ACL, which is really in the middle of an SMTP command. */
2693 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2695 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2696 "ACL", acl_wherenames[where]);
2702 /* A DROP response is not permitted from MAILAUTH */
2704 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2706 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2707 "ACL", acl_wherenames[where]);
2711 /* Before giving an error response, take a look at the length of any user
2712 message, and split it up into multiple lines if possible. */
2714 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2716 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2722 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2723 if (*ss == 0) break;
2730 while (--t > s + 35)
2734 if (t[-1] == ':') { tt = t; break; }
2735 if (tt == NULL) tt = t;
2739 if (tt == NULL) /* Can't split behind - try ahead */
2744 if (*t == ' ' || *t == '\n')
2750 if (tt == NULL) break; /* Can't find anywhere to split */
git://git.exim.org / exim.git / blob