1 /* $Cambridge: exim/src/src/acl.c,v 1.82 2008/02/12 12:52:51 nm4 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2007 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the conditions for which "message" or "log_message" are used
31 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
32 "accept", the FAIL case is used only after "endpass", but that is selected in
35 static int msgcond[] = {
36 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
41 (1<<FAIL) | (1<<FAIL_DROP), /* require */
45 /* ACL condition and modifier codes - keep in step with the table that
46 follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
52 #ifdef EXPERIMENTAL_BRIGHTMAIL
58 #ifdef EXPERIMENTAL_DCC
61 #ifdef WITH_CONTENT_SCAN
65 #ifdef WITH_OLD_DEMIME
68 #ifdef EXPERIMENTAL_DOMAINKEYS
69 ACLC_DK_DOMAIN_SOURCE,
71 ACLC_DK_SENDER_DOMAINS,
72 ACLC_DK_SENDER_LOCAL_PARTS,
83 ACLC_LOG_REJECT_TARGET,
85 #ifdef WITH_CONTENT_SCAN
89 #ifdef WITH_CONTENT_SCAN
94 #ifdef WITH_CONTENT_SCAN
100 #ifdef WITH_CONTENT_SCAN
103 #ifdef EXPERIMENTAL_SPF
109 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
110 "message", "log_message", "log_reject_target", "logwrite", and "set" are
111 modifiers that look like conditions but always return TRUE. They are used for
112 their side effects. */
114 static uschar *conditions[] = {
118 #ifdef EXPERIMENTAL_BRIGHTMAIL
124 #ifdef EXPERIMENTAL_DCC
127 #ifdef WITH_CONTENT_SCAN
131 #ifdef WITH_OLD_DEMIME
134 #ifdef EXPERIMENTAL_DOMAINKEYS
135 US"dk_domain_source",
137 US"dk_sender_domains",
138 US"dk_sender_local_parts",
149 US"log_reject_target",
151 #ifdef WITH_CONTENT_SCAN
155 #ifdef WITH_CONTENT_SCAN
160 #ifdef WITH_CONTENT_SCAN
163 US"sender_domains", US"senders", US"set",
164 #ifdef WITH_CONTENT_SCAN
167 #ifdef EXPERIMENTAL_SPF
174 /* Return values from decode_control(); keep in step with the table of names
178 CONTROL_AUTH_UNADVERTISED,
179 #ifdef EXPERIMENTAL_BRIGHTMAIL
182 #ifdef EXPERIMENTAL_DOMAINKEYS
185 #ifdef EXPERIMENTAL_DKIM
189 CONTROL_CASEFUL_LOCAL_PART,
190 CONTROL_CASELOWER_LOCAL_PART,
191 CONTROL_ENFORCE_SYNC,
192 CONTROL_NO_ENFORCE_SYNC,
196 CONTROL_SUPPRESS_LOCAL_FIXUPS,
197 #ifdef WITH_CONTENT_SCAN
198 CONTROL_NO_MBOX_UNSPOOL,
202 CONTROL_NO_MULTILINE,
203 CONTROL_NO_PIPELINING,
204 CONTROL_NO_DELAY_FLUSH,
205 CONTROL_NO_CALLOUT_FLUSH
208 /* ACL control names; keep in step with the table above! This list is used for
209 turning ids into names. The actual list of recognized names is in the variable
210 control_def controls_list[] below. The fact that there are two lists is a mess
211 and should be tidied up. */
213 static uschar *controls[] = {
214 US"allow_auth_unadvertised",
215 #ifdef EXPERIMENTAL_BRIGHTMAIL
218 #ifdef EXPERIMENTAL_DOMAINKEYS
221 #ifdef EXPERIMENTAL_DKIM
225 US"caseful_local_part",
226 US"caselower_local_part",
232 US"suppress_local_fixups",
233 #ifdef WITH_CONTENT_SCAN
238 US"no_multiline_responses",
244 /* Flags to indicate for which conditions/modifiers a string expansion is done
245 at the outer level. In the other cases, expansion already occurs in the
246 checking functions. */
248 static uschar cond_expand_at_top[] = {
250 TRUE, /* add_header */
251 FALSE, /* authenticated */
252 #ifdef EXPERIMENTAL_BRIGHTMAIL
253 TRUE, /* bmi_optin */
255 TRUE, /* condition */
258 #ifdef EXPERIMENTAL_DCC
261 #ifdef WITH_CONTENT_SCAN
265 #ifdef WITH_OLD_DEMIME
268 #ifdef EXPERIMENTAL_DOMAINKEYS
269 TRUE, /* dk_domain_source */
270 TRUE, /* dk_policy */
271 TRUE, /* dk_sender_domains */
272 TRUE, /* dk_sender_local_parts */
273 TRUE, /* dk_senders */
274 TRUE, /* dk_status */
278 FALSE, /* encrypted */
281 FALSE, /* local_parts */
282 TRUE, /* log_message */
283 TRUE, /* log_reject_target */
285 #ifdef WITH_CONTENT_SCAN
289 #ifdef WITH_CONTENT_SCAN
290 TRUE, /* mime_regex */
292 TRUE, /* ratelimit */
293 FALSE, /* recipients */
294 #ifdef WITH_CONTENT_SCAN
297 FALSE, /* sender_domains */
300 #ifdef WITH_CONTENT_SCAN
303 #ifdef EXPERIMENTAL_SPF
305 TRUE, /* spf_guess */
310 /* Flags to identify the modifiers */
312 static uschar cond_modifiers[] = {
314 TRUE, /* add_header */
315 FALSE, /* authenticated */
316 #ifdef EXPERIMENTAL_BRIGHTMAIL
317 TRUE, /* bmi_optin */
319 FALSE, /* condition */
322 #ifdef EXPERIMENTAL_DCC
325 #ifdef WITH_CONTENT_SCAN
329 #ifdef WITH_OLD_DEMIME
332 #ifdef EXPERIMENTAL_DOMAINKEYS
333 FALSE, /* dk_domain_source */
334 FALSE, /* dk_policy */
335 FALSE, /* dk_sender_domains */
336 FALSE, /* dk_sender_local_parts */
337 FALSE, /* dk_senders */
338 FALSE, /* dk_status */
340 FALSE, /* dnslists */
342 FALSE, /* encrypted */
345 FALSE, /* local_parts */
346 TRUE, /* log_message */
347 TRUE, /* log_reject_target */
349 #ifdef WITH_CONTENT_SCAN
353 #ifdef WITH_CONTENT_SCAN
354 FALSE, /* mime_regex */
356 FALSE, /* ratelimit */
357 FALSE, /* recipients */
358 #ifdef WITH_CONTENT_SCAN
361 FALSE, /* sender_domains */
364 #ifdef WITH_CONTENT_SCAN
367 #ifdef EXPERIMENTAL_SPF
369 FALSE, /* spf_guess */
374 /* Bit map vector of which conditions and modifiers are not allowed at certain
375 times. For each condition and modifier, there's a bitmap of dis-allowed times.
376 For some, it is easier to specify the negation of a small number of allowed
379 static unsigned int cond_forbids[] = {
383 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
384 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
385 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
386 (1<<ACL_WHERE_NOTSMTP_START)),
388 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
389 (1<<ACL_WHERE_NOTSMTP_START)|
390 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
392 #ifdef EXPERIMENTAL_BRIGHTMAIL
393 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
394 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
395 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
396 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
397 (1<<ACL_WHERE_MAILAUTH)|
398 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
399 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
400 (1<<ACL_WHERE_NOTSMTP_START),
407 /* Certain types of control are always allowed, so we let it through
408 always and check in the control processing itself. */
412 #ifdef EXPERIMENTAL_DCC
414 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* dcc */
417 #ifdef WITH_CONTENT_SCAN
419 ~(1<<ACL_WHERE_MIME), /* decode */
422 (1<<ACL_WHERE_NOTQUIT), /* delay */
424 #ifdef WITH_OLD_DEMIME
426 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
429 #ifdef EXPERIMENTAL_DOMAINKEYS
430 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
431 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
432 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
433 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
434 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
435 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
436 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
438 (1<<ACL_WHERE_AUTH)| /* dk_policy */
439 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
440 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
441 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
442 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
443 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
444 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
446 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
447 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
448 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
449 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
450 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
451 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
452 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
454 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
455 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
456 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
457 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
458 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
459 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
460 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
462 (1<<ACL_WHERE_AUTH)| /* dk_senders */
463 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
464 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
465 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
466 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
467 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
468 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
470 (1<<ACL_WHERE_AUTH)| /* dk_status */
471 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
472 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
473 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
474 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
475 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
476 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
479 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
480 (1<<ACL_WHERE_NOTSMTP_START),
483 ~(1<<ACL_WHERE_RCPT), /* domains */
485 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
486 (1<<ACL_WHERE_CONNECT)|
487 (1<<ACL_WHERE_NOTSMTP_START)|
492 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
493 (1<<ACL_WHERE_NOTSMTP_START),
496 ~(1<<ACL_WHERE_RCPT), /* local_parts */
500 0, /* log_reject_target */
504 #ifdef WITH_CONTENT_SCAN
506 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
511 #ifdef WITH_CONTENT_SCAN
513 ~(1<<ACL_WHERE_MIME), /* mime_regex */
519 ~(1<<ACL_WHERE_RCPT), /* recipients */
521 #ifdef WITH_CONTENT_SCAN
523 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
524 (1<<ACL_WHERE_MIME)),
527 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
529 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
530 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
531 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
533 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
535 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
536 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
537 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
541 #ifdef WITH_CONTENT_SCAN
543 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
546 #ifdef EXPERIMENTAL_SPF
547 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
549 (1<<ACL_WHERE_MAILAUTH)|
550 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
551 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
552 (1<<ACL_WHERE_NOTSMTP)|
553 (1<<ACL_WHERE_NOTSMTP_START),
555 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
557 (1<<ACL_WHERE_MAILAUTH)|
558 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
559 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
560 (1<<ACL_WHERE_NOTSMTP)|
561 (1<<ACL_WHERE_NOTSMTP_START),
564 /* Certain types of verify are always allowed, so we let it through
565 always and check in the verify function itself */
571 /* Bit map vector of which controls are not allowed at certain times. For
572 each control, there's a bitmap of dis-allowed times. For some, it is easier to
573 specify the negation of a small number of allowed times. */
575 static unsigned int control_forbids[] = {
577 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
579 #ifdef EXPERIMENTAL_BRIGHTMAIL
583 #ifdef EXPERIMENTAL_DOMAINKEYS
584 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dk_verify */
585 (1<<ACL_WHERE_NOTSMTP_START),
588 #ifdef EXPERIMENTAL_DKIM
589 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_verify */
590 (1<<ACL_WHERE_NOTSMTP_START),
596 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
599 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
601 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
602 (1<<ACL_WHERE_NOTSMTP_START),
604 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
605 (1<<ACL_WHERE_NOTSMTP_START),
608 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
609 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
610 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
613 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
614 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
615 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
618 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
619 (1<<ACL_WHERE_PREDATA)),
622 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
623 (1<<ACL_WHERE_PREDATA)|
624 (1<<ACL_WHERE_NOTSMTP_START)),
626 #ifdef WITH_CONTENT_SCAN
628 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
629 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
630 (1<<ACL_WHERE_MIME)),
634 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
635 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
636 (1<<ACL_WHERE_MIME)),
639 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
640 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
641 (1<<ACL_WHERE_MIME)),
643 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
644 (1<<ACL_WHERE_NOTSMTP_START),
646 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
647 (1<<ACL_WHERE_NOTSMTP_START),
649 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
650 (1<<ACL_WHERE_NOTSMTP_START),
652 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
653 (1<<ACL_WHERE_NOTSMTP_START)
656 /* Structure listing various control arguments, with their characteristics. */
658 typedef struct control_def {
660 int value; /* CONTROL_xxx value */
661 BOOL has_option; /* Has /option(s) following */
664 static control_def controls_list[] = {
665 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
666 #ifdef EXPERIMENTAL_BRIGHTMAIL
667 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
669 #ifdef EXPERIMENTAL_DOMAINKEYS
670 { US"dk_verify", CONTROL_DK_VERIFY, FALSE },
672 #ifdef EXPERIMENTAL_DKIM
673 { US"dkim_verify", CONTROL_DKIM_VERIFY, FALSE },
675 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
676 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
677 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
678 { US"freeze", CONTROL_FREEZE, TRUE },
679 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
680 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
681 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
682 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
683 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
684 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
685 #ifdef WITH_CONTENT_SCAN
686 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
688 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
689 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
690 { US"submission", CONTROL_SUBMISSION, TRUE },
691 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
694 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
695 caches its result in a tree to avoid repeated DNS queries. The result is an
696 integer code which is used as an index into the following tables of
697 explanatory strings and verification return codes. */
699 static tree_node *csa_cache = NULL;
701 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
702 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
704 /* The acl_verify_csa() return code is translated into an acl_verify() return
705 code using the following table. It is OK unless the client is definitely not
706 authorized. This is because CSA is supposed to be optional for sending sites,
707 so recipients should not be too strict about checking it - especially because
708 DNS problems are quite likely to occur. It's possible to use $csa_status in
709 further ACL conditions to distinguish ok, unknown, and defer if required, but
710 the aim is to make the usual configuration simple. */
712 static int csa_return_code[] = {
714 FAIL, FAIL, FAIL, FAIL
717 static uschar *csa_status_string[] = {
718 US"unknown", US"ok", US"defer", US"defer",
719 US"fail", US"fail", US"fail", US"fail"
722 static uschar *csa_reason_string[] = {
725 US"deferred (SRV lookup failed)",
726 US"deferred (target address lookup failed)",
727 US"failed (explicit authorization required)",
728 US"failed (host name not authorized)",
729 US"failed (no authorized addresses)",
730 US"failed (client address mismatch)"
733 /* Enable recursion between acl_check_internal() and acl_check_condition() */
735 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
739 /*************************************************
740 * Pick out name from list *
741 *************************************************/
743 /* Use a binary chop method
750 Returns: offset in list, or -1 if not found
754 acl_checkname(uschar *name, uschar **list, int end)
760 int mid = (start + end)/2;
761 int c = Ustrcmp(name, list[mid]);
762 if (c == 0) return mid;
763 if (c < 0) end = mid; else start = mid + 1;
770 /*************************************************
771 * Read and parse one ACL *
772 *************************************************/
774 /* This function is called both from readconf in order to parse the ACLs in the
775 configuration file, and also when an ACL is encountered dynamically (e.g. as
776 the result of an expansion). It is given a function to call in order to
777 retrieve the lines of the ACL. This function handles skipping comments and
778 blank lines (where relevant).
781 func function to get next line of ACL
782 error where to put an error message
784 Returns: pointer to ACL, or NULL
785 NULL can be legal (empty ACL); in this case error will be NULL
789 acl_read(uschar *(*func)(void), uschar **error)
791 acl_block *yield = NULL;
792 acl_block **lastp = &yield;
793 acl_block *this = NULL;
794 acl_condition_block *cond;
795 acl_condition_block **condp = NULL;
800 while ((s = (*func)()) != NULL)
803 BOOL negated = FALSE;
804 uschar *saveline = s;
807 /* Conditions (but not verbs) are allowed to be negated by an initial
810 while (isspace(*s)) s++;
817 /* Read the name of a verb or a condition, or the start of a new ACL, which
818 can be started by a name, or by a macro definition. */
820 s = readconf_readname(name, sizeof(name), s);
821 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
823 /* If a verb is unrecognized, it may be another condition or modifier that
824 continues the previous verb. */
826 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
831 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
843 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
846 this = store_get(sizeof(acl_block));
848 lastp = &(this->next);
851 this->condition = NULL;
852 condp = &(this->condition);
853 if (*s == 0) continue; /* No condition on this line */
859 s = readconf_readname(name, sizeof(name), s); /* Condition name */
862 /* Handle a condition or modifier. */
864 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
867 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
872 /* The modifiers may not be negated */
874 if (negated && cond_modifiers[c])
876 *error = string_sprintf("ACL error: negation is not allowed with "
877 "\"%s\"", conditions[c]);
881 /* ENDPASS may occur only with ACCEPT or DISCARD. */
883 if (c == ACLC_ENDPASS &&
884 this->verb != ACL_ACCEPT &&
885 this->verb != ACL_DISCARD)
887 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
888 conditions[c], verbs[this->verb]);
892 cond = store_get(sizeof(acl_condition_block));
895 cond->u.negated = negated;
898 condp = &(cond->next);
900 /* The "set" modifier is different in that its argument is "name=value"
901 rather than just a value, and we can check the validity of the name, which
902 gives us a variable name to insert into the data block. The original ACL
903 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
904 extended to 20 of each type, but after that people successfully argued for
905 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
906 After that, we allow alphanumerics and underscores, but the first character
907 after c or m must be a digit or an underscore. This retains backwards
914 if (Ustrncmp(s, "acl_c", 5) != 0 &&
915 Ustrncmp(s, "acl_m", 5) != 0)
917 *error = string_sprintf("invalid variable name after \"set\" in ACL "
918 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
923 if (!isdigit(*endptr) && *endptr != '_')
925 *error = string_sprintf("invalid variable name after \"set\" in ACL "
926 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
931 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
933 if (!isalnum(*endptr) && *endptr != '_')
935 *error = string_sprintf("invalid character \"%c\" in variable name "
936 "in ACL modifier \"set %s\"", *endptr, s);
942 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
944 while (isspace(*s)) s++;
947 /* For "set", we are now positioned for the data. For the others, only
948 "endpass" has no data */
950 if (c != ACLC_ENDPASS)
954 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
955 cond_modifiers[c]? US"modifier" : US"condition");
958 while (isspace(*s)) s++;
959 cond->arg = string_copy(s);
968 /*************************************************
969 * Set up added header line(s) *
970 *************************************************/
972 /* This function is called by the add_header modifier, and also from acl_warn()
973 to implement the now-deprecated way of adding header lines using "message" on a
974 "warn" verb. The argument is treated as a sequence of header lines which are
975 added to a chain, provided there isn't an identical one already there.
977 Argument: string of header lines
982 setup_header(uschar *hstring)
985 int hlen = Ustrlen(hstring);
987 /* An empty string does nothing; otherwise add a final newline if necessary. */
989 if (hlen <= 0) return;
990 if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
992 /* Loop for multiple header lines, taking care about continuations */
994 for (p = q = hstring; *p != 0; )
997 int newtype = htype_add_bot;
998 header_line **hptr = &acl_added_headers;
1000 /* Find next header line within the string */
1004 q = Ustrchr(q, '\n');
1005 if (*(++q) != ' ' && *q != '\t') break;
1008 /* If the line starts with a colon, interpret the instruction for where to
1009 add it. This temporarily sets up a new type. */
1013 if (strncmpic(p, US":after_received:", 16) == 0)
1015 newtype = htype_add_rec;
1018 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1020 newtype = htype_add_rfc;
1023 else if (strncmpic(p, US":at_start:", 10) == 0)
1025 newtype = htype_add_top;
1028 else if (strncmpic(p, US":at_end:", 8) == 0)
1030 newtype = htype_add_bot;
1033 while (*p == ' ' || *p == '\t') p++;
1036 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1037 to the front of it. */
1039 for (s = p; s < q - 1; s++)
1041 if (*s == ':' || !isgraph(*s)) break;
1044 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
1047 /* See if this line has already been added */
1049 while (*hptr != NULL)
1051 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1052 hptr = &((*hptr)->next);
1055 /* Add if not previously present */
1059 header_line *h = store_get(sizeof(header_line));
1068 /* Advance for next header line within the string */
1077 /*************************************************
1079 *************************************************/
1081 /* This function is called when a WARN verb's conditions are true. It adds to
1082 the message's headers, and/or writes information to the log. In each case, this
1083 only happens once (per message for headers, per connection for log).
1085 ** NOTE: The header adding action using the "message" setting is historic, and
1086 its use is now deprecated. The new add_header modifier should be used instead.
1089 where ACL_WHERE_xxxx indicating which ACL this is
1090 user_message message for adding to headers
1091 log_message message for logging, if different
1097 acl_warn(int where, uschar *user_message, uschar *log_message)
1099 if (log_message != NULL && log_message != user_message)
1102 string_item *logged;
1104 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1105 string_printing(log_message));
1107 /* If a sender verification has failed, and the log message is "sender verify
1108 failed", add the failure message. */
1110 if (sender_verified_failed != NULL &&
1111 sender_verified_failed->message != NULL &&
1112 strcmpic(log_message, US"sender verify failed") == 0)
1113 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1115 /* Search previously logged warnings. They are kept in malloc
1116 store so they can be freed at the start of a new message. */
1118 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1119 if (Ustrcmp(logged->text, text) == 0) break;
1123 int length = Ustrlen(text) + 1;
1124 log_write(0, LOG_MAIN, "%s", text);
1125 logged = store_malloc(sizeof(string_item) + length);
1126 logged->text = (uschar *)logged + sizeof(string_item);
1127 memcpy(logged->text, text, length);
1128 logged->next = acl_warn_logged;
1129 acl_warn_logged = logged;
1133 /* If there's no user message, we are done. */
1135 if (user_message == NULL) return;
1137 /* If this isn't a message ACL, we can't do anything with a user message.
1140 if (where > ACL_WHERE_NOTSMTP)
1142 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1143 "found in a non-message (%s) ACL: cannot specify header lines here: "
1144 "message ignored", acl_wherenames[where]);
1148 /* The code for setting up header lines is now abstracted into a separate
1149 function so that it can be used for the add_header modifier as well. */
1151 setup_header(user_message);
1156 /*************************************************
1157 * Verify and check reverse DNS *
1158 *************************************************/
1160 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1161 address if this has not yet been done. The host_name_lookup() function checks
1162 that one of these names resolves to an address list that contains the client IP
1163 address, so we don't actually have to do the check here.
1166 user_msgptr pointer for user message
1167 log_msgptr pointer for log message
1169 Returns: OK verification condition succeeded
1170 FAIL verification failed
1171 DEFER there was a problem verifying
1175 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1179 user_msgptr = user_msgptr; /* stop compiler warning */
1181 /* Previous success */
1183 if (sender_host_name != NULL) return OK;
1185 /* Previous failure */
1187 if (host_lookup_failed)
1189 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1193 /* Need to do a lookup */
1196 debug_printf("looking up host name to force name/address consistency check\n");
1198 if ((rc = host_name_lookup()) != OK)
1200 *log_msgptr = (rc == DEFER)?
1201 US"host lookup deferred for reverse lookup check"
1203 string_sprintf("host lookup failed for reverse lookup check%s",
1205 return rc; /* DEFER or FAIL */
1208 host_build_sender_fullhost();
1214 /*************************************************
1215 * Check client IP address matches CSA target *
1216 *************************************************/
1218 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1219 response for address records belonging to the CSA target hostname. The section
1220 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1221 If one of the addresses matches the client's IP address, then the client is
1222 authorized by CSA. If there are target IP addresses but none of them match
1223 then the client is using an unauthorized IP address. If there are no target IP
1224 addresses then the client cannot be using an authorized IP address. (This is
1225 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1228 dnsa the DNS answer block
1229 dnss a DNS scan block for us to use
1230 reset option specifing what portion to scan, as described above
1231 target the target hostname to use for matching RR names
1233 Returns: CSA_OK successfully authorized
1234 CSA_FAIL_MISMATCH addresses found but none matched
1235 CSA_FAIL_NOADDR no target addresses found
1239 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1245 BOOL target_found = FALSE;
1247 for (rr = dns_next_rr(dnsa, dnss, reset);
1249 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1251 /* Check this is an address RR for the target hostname. */
1255 && rr->type != T_AAAA
1262 if (strcmpic(target, rr->name) != 0) continue;
1264 target_found = TRUE;
1266 /* Turn the target address RR into a list of textual IP addresses and scan
1267 the list. There may be more than one if it is an A6 RR. */
1269 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1271 /* If the client IP address matches the target IP address, it's good! */
1273 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1275 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1279 /* If we found some target addresses but none of them matched, the client is
1280 using an unauthorized IP address, otherwise the target has no authorized IP
1283 if (target_found) return CSA_FAIL_MISMATCH;
1284 else return CSA_FAIL_NOADDR;
1289 /*************************************************
1290 * Verify Client SMTP Authorization *
1291 *************************************************/
1293 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1294 to find the CSA SRV record corresponding to the domain argument, or
1295 $sender_helo_name if no argument is provided. It then checks that the
1296 client is authorized, and that its IP address corresponds to the SRV
1297 target's address by calling acl_verify_csa_address() above. The address
1298 should have been returned in the DNS response's ADDITIONAL section, but if
1299 not we perform another DNS lookup to get it.
1302 domain pointer to optional parameter following verify = csa
1304 Returns: CSA_UNKNOWN no valid CSA record found
1305 CSA_OK successfully authorized
1306 CSA_FAIL_* client is definitely not authorized
1307 CSA_DEFER_* there was a DNS problem
1311 acl_verify_csa(uschar *domain)
1315 int priority, weight, port;
1322 /* Work out the domain we are using for the CSA lookup. The default is the
1323 client's HELO domain. If the client has not said HELO, use its IP address
1324 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1326 while (isspace(*domain) && *domain != '\0') ++domain;
1327 if (*domain == '\0') domain = sender_helo_name;
1328 if (domain == NULL) domain = sender_host_address;
1329 if (sender_host_address == NULL) return CSA_UNKNOWN;
1331 /* If we have an address literal, strip off the framing ready for turning it
1332 into a domain. The framing consists of matched square brackets possibly
1333 containing a keyword and a colon before the actual IP address. */
1335 if (domain[0] == '[')
1337 uschar *start = Ustrchr(domain, ':');
1338 if (start == NULL) start = domain;
1339 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1342 /* Turn domains that look like bare IP addresses into domains in the reverse
1343 DNS. This code also deals with address literals and $sender_host_address. It's
1344 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1345 address literals, but it's probably the most friendly thing to do. This is an
1346 extension to CSA, so we allow it to be turned off for proper conformance. */
1348 if (string_is_ip_address(domain, NULL) != 0)
1350 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1351 dns_build_reverse(domain, target);
1355 /* Find out if we've already done the CSA check for this domain. If we have,
1356 return the same result again. Otherwise build a new cached result structure
1357 for this domain. The name is filled in now, and the value is filled in when
1358 we return from this function. */
1360 t = tree_search(csa_cache, domain);
1361 if (t != NULL) return t->data.val;
1363 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1364 Ustrcpy(t->name, domain);
1365 (void)tree_insertnode(&csa_cache, t);
1367 /* Now we are ready to do the actual DNS lookup(s). */
1370 switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1372 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1375 return t->data.val = CSA_DEFER_SRV;
1377 /* If we found nothing, the client's authorization is unknown. */
1381 return t->data.val = CSA_UNKNOWN;
1383 /* We got something! Go on to look at the reply in more detail. */
1389 /* Scan the reply for well-formed CSA SRV records. */
1391 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1393 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1395 if (rr->type != T_SRV) continue;
1397 /* Extract the numerical SRV fields (p is incremented) */
1400 GETSHORT(priority, p);
1401 GETSHORT(weight, p);
1405 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1407 /* Check the CSA version number */
1409 if (priority != 1) continue;
1411 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1412 found by dns_special_lookup() is a parent of the one we asked for), we check
1413 the subdomain assertions in the port field. At the moment there's only one
1414 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1415 SRV records of their own. */
1417 if (found != domain)
1420 return t->data.val = CSA_FAIL_EXPLICIT;
1422 return t->data.val = CSA_UNKNOWN;
1425 /* This CSA SRV record refers directly to our domain, so we check the value
1426 in the weight field to work out the domain's authorization. 0 and 1 are
1427 unauthorized; 3 means the client is authorized but we can't check the IP
1428 address in order to authenticate it, so we treat it as unknown; values
1429 greater than 3 are undefined. */
1431 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1433 if (weight > 2) continue;
1435 /* Weight == 2, which means the domain is authorized. We must check that the
1436 client's IP address is listed as one of the SRV target addresses. Save the
1437 target hostname then break to scan the additional data for its addresses. */
1439 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1440 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1442 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1447 /* If we didn't break the loop then no appropriate records were found. */
1449 if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1451 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1452 A target of "." indicates there are no valid addresses, so the client cannot
1453 be authorized. (This is an odd configuration because weight=2 target=. is
1454 equivalent to weight=1, but we check for it in order to keep load off the
1455 root name servers.) Note that dn_expand() turns "." into "". */
1457 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1459 /* Scan the additional section of the CSA SRV reply for addresses belonging
1460 to the target. If the name server didn't return any additional data (e.g.
1461 because it does not fully support SRV records), we need to do another lookup
1462 to obtain the target addresses; otherwise we have a definitive result. */
1464 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1465 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1467 /* The DNS lookup type corresponds to the IP version used by the client. */
1470 if (Ustrchr(sender_host_address, ':') != NULL)
1473 #endif /* HAVE_IPV6 */
1477 #if HAVE_IPV6 && defined(SUPPORT_A6)
1481 switch (dns_lookup(&dnsa, target, type, NULL))
1483 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1486 return t->data.val = CSA_DEFER_ADDR;
1488 /* If the query succeeded, scan the addresses and return the result. */
1491 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1492 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1493 /* else fall through */
1495 /* If the target has no IP addresses, the client cannot have an authorized
1496 IP address. However, if the target site uses A6 records (not AAAA records)
1497 we have to do yet another lookup in order to check them. */
1502 #if HAVE_IPV6 && defined(SUPPORT_A6)
1503 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1506 return t->data.val = CSA_FAIL_NOADDR;
1512 /*************************************************
1513 * Handle verification (address & other) *
1514 *************************************************/
1516 /* This function implements the "verify" condition. It is called when
1517 encountered in any ACL, because some tests are almost always permitted. Some
1518 just don't make sense, and always fail (for example, an attempt to test a host
1519 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1522 where where called from
1523 addr the recipient address that the ACL is handling, or NULL
1524 arg the argument of "verify"
1525 user_msgptr pointer for user message
1526 log_msgptr pointer for log message
1527 basic_errno where to put verify errno
1529 Returns: OK verification condition succeeded
1530 FAIL verification failed
1531 DEFER there was a problem verifying
1536 acl_verify(int where, address_item *addr, uschar *arg,
1537 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1541 int callout_overall = -1;
1542 int callout_connect = -1;
1543 int verify_options = 0;
1545 BOOL verify_header_sender = FALSE;
1546 BOOL defer_ok = FALSE;
1547 BOOL callout_defer_ok = FALSE;
1548 BOOL no_details = FALSE;
1549 BOOL success_on_redirect = FALSE;
1550 address_item *sender_vaddr = NULL;
1551 uschar *verify_sender_address = NULL;
1552 uschar *pm_mailfrom = NULL;
1553 uschar *se_mailfrom = NULL;
1555 /* Some of the verify items have slash-separated options; some do not. Diagnose
1556 an error if options are given for items that don't expect them. This code has
1557 now got very message. Refactoring to use a table would be a good idea one day.
1560 uschar *slash = Ustrchr(arg, '/');
1562 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1564 if (ss == NULL) goto BAD_VERIFY;
1566 /* Handle name/address consistency verification in a separate function. */
1568 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1570 if (slash != NULL) goto NO_OPTIONS;
1571 if (sender_host_address == NULL) return OK;
1572 return acl_verify_reverse(user_msgptr, log_msgptr);
1575 /* TLS certificate verification is done at STARTTLS time; here we just
1576 test whether it was successful or not. (This is for optional verification; for
1577 mandatory verification, the connection doesn't last this long.) */
1579 if (strcmpic(ss, US"certificate") == 0)
1581 if (slash != NULL) goto NO_OPTIONS;
1582 if (tls_certificate_verified) return OK;
1583 *user_msgptr = US"no verified certificate";
1587 /* We can test the result of optional HELO verification that might have
1588 occurred earlier. If not, we can attempt the verification now. */
1590 if (strcmpic(ss, US"helo") == 0)
1592 if (slash != NULL) goto NO_OPTIONS;
1593 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1594 return helo_verified? OK : FAIL;
1597 /* Do Client SMTP Authorization checks in a separate function, and turn the
1598 result code into user-friendly strings. */
1600 if (strcmpic(ss, US"csa") == 0)
1602 rc = acl_verify_csa(list);
1603 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1604 csa_reason_string[rc]);
1605 csa_status = csa_status_string[rc];
1606 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1607 return csa_return_code[rc];
1610 /* Check that all relevant header lines have the correct syntax. If there is
1611 a syntax error, we return details of the error to the sender if configured to
1612 send out full details. (But a "message" setting on the ACL can override, as
1615 if (strcmpic(ss, US"header_syntax") == 0)
1617 if (slash != NULL) goto NO_OPTIONS;
1618 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1619 rc = verify_check_headers(log_msgptr);
1620 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1621 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1625 /* Check that no recipient of this message is "blind", that is, every envelope
1626 recipient must be mentioned in either To: or Cc:. */
1628 if (strcmpic(ss, US"not_blind") == 0)
1630 if (slash != NULL) goto NO_OPTIONS;
1631 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1632 rc = verify_check_notblind();
1635 *log_msgptr = string_sprintf("bcc recipient detected");
1636 if (smtp_return_error_details)
1637 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1642 /* The remaining verification tests check recipient and sender addresses,
1643 either from the envelope or from the header. There are a number of
1644 slash-separated options that are common to all of them. */
1647 /* Check that there is at least one verifiable sender address in the relevant
1648 header lines. This can be followed by callout and defer options, just like
1649 sender and recipient. */
1651 if (strcmpic(ss, US"header_sender") == 0)
1653 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1654 verify_header_sender = TRUE;
1657 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1658 In the case of a sender, this can optionally be followed by an address to use
1659 in place of the actual sender (rare special-case requirement). */
1661 else if (strncmpic(ss, US"sender", 6) == 0)
1664 if (where > ACL_WHERE_NOTSMTP)
1666 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1667 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1668 acl_wherenames[where]);
1672 verify_sender_address = sender_address;
1675 while (isspace(*s)) s++;
1676 if (*s++ != '=') goto BAD_VERIFY;
1677 while (isspace(*s)) s++;
1678 verify_sender_address = string_copy(s);
1683 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1686 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1687 "(only possible for RCPT)", acl_wherenames[where]);
1692 /* Remaining items are optional; they apply to sender and recipient
1693 verification, including "header sender" verification. */
1695 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1698 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1699 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1700 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1702 /* These two old options are left for backwards compatibility */
1704 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1706 callout_defer_ok = TRUE;
1707 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1710 else if (strcmpic(ss, US"check_postmaster") == 0)
1713 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1716 /* The callout option has a number of sub-options, comma separated */
1718 else if (strncmpic(ss, US"callout", 7) == 0)
1720 callout = CALLOUT_TIMEOUT_DEFAULT;
1724 while (isspace(*ss)) ss++;
1730 while (isspace(*ss)) ss++;
1732 /* This callout option handling code has become a mess as new options
1733 have been added in an ad hoc manner. It should be tidied up into some
1734 kind of table-driven thing. */
1736 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1739 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1740 else if (strcmpic(opt, US"no_cache") == 0)
1741 verify_options |= vopt_callout_no_cache;
1742 else if (strcmpic(opt, US"random") == 0)
1743 verify_options |= vopt_callout_random;
1744 else if (strcmpic(opt, US"use_sender") == 0)
1745 verify_options |= vopt_callout_recipsender;
1746 else if (strcmpic(opt, US"use_postmaster") == 0)
1747 verify_options |= vopt_callout_recippmaster;
1748 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1749 else if (strcmpic(opt, US"fullpostmaster") == 0)
1752 verify_options |= vopt_callout_fullpm;
1755 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1757 if (!verify_header_sender)
1759 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1760 "callout option only for verify=header_sender (detected in ACL "
1761 "condition \"%s\")", arg);
1765 while (isspace(*opt)) opt++;
1768 *log_msgptr = string_sprintf("'=' expected after "
1769 "\"mailfrom\" in ACL condition \"%s\"", arg);
1772 while (isspace(*opt)) opt++;
1773 se_mailfrom = string_copy(opt);
1776 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1779 while (isspace(*opt)) opt++;
1782 *log_msgptr = string_sprintf("'=' expected after "
1783 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1786 while (isspace(*opt)) opt++;
1787 pm_mailfrom = string_copy(opt);
1790 else if (strncmpic(opt, US"maxwait", 7) == 0)
1793 while (isspace(*opt)) opt++;
1796 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1797 "ACL condition \"%s\"", arg);
1800 while (isspace(*opt)) opt++;
1801 callout_overall = readconf_readtime(opt, 0, FALSE);
1802 if (callout_overall < 0)
1804 *log_msgptr = string_sprintf("bad time value in ACL condition "
1805 "\"verify %s\"", arg);
1809 else if (strncmpic(opt, US"connect", 7) == 0)
1812 while (isspace(*opt)) opt++;
1815 *log_msgptr = string_sprintf("'=' expected after "
1816 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1819 while (isspace(*opt)) opt++;
1820 callout_connect = readconf_readtime(opt, 0, FALSE);
1821 if (callout_connect < 0)
1823 *log_msgptr = string_sprintf("bad time value in ACL condition "
1824 "\"verify %s\"", arg);
1828 else /* Plain time is callout connect/command timeout */
1830 callout = readconf_readtime(opt, 0, FALSE);
1833 *log_msgptr = string_sprintf("bad time value in ACL condition "
1834 "\"verify %s\"", arg);
1842 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1843 "ACL condition \"%s\"", arg);
1849 /* Option not recognized */
1853 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1854 "condition \"verify %s\"", ss, arg);
1859 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1860 (vopt_callout_recipsender|vopt_callout_recippmaster))
1862 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1863 "for a recipient callout";
1867 /* Handle sender-in-header verification. Default the user message to the log
1868 message if giving out verification details. */
1870 if (verify_header_sender)
1873 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1874 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1878 *basic_errno = verrno;
1879 if (smtp_return_error_details)
1881 if (*user_msgptr == NULL && *log_msgptr != NULL)
1882 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1883 if (rc == DEFER) acl_temp_details = TRUE;
1888 /* Handle a sender address. The default is to verify *the* sender address, but
1889 optionally a different address can be given, for special requirements. If the
1890 address is empty, we are dealing with a bounce message that has no sender, so
1891 we cannot do any checking. If the real sender address gets rewritten during
1892 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1893 during message reception.
1895 A list of verified "sender" addresses is kept to try to avoid doing to much
1896 work repetitively when there are multiple recipients in a message and they all
1897 require sender verification. However, when callouts are involved, it gets too
1898 complicated because different recipients may require different callout options.
1899 Therefore, we always do a full sender verify when any kind of callout is
1900 specified. Caching elsewhere, for instance in the DNS resolver and in the
1901 callout handling, should ensure that this is not terribly inefficient. */
1903 else if (verify_sender_address != NULL)
1905 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1908 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1909 "sender verify callout";
1913 sender_vaddr = verify_checked_sender(verify_sender_address);
1914 if (sender_vaddr != NULL && /* Previously checked */
1915 callout <= 0) /* No callout needed this time */
1917 /* If the "routed" flag is set, it means that routing worked before, so
1918 this check can give OK (the saved return code value, if set, belongs to a
1919 callout that was done previously). If the "routed" flag is not set, routing
1920 must have failed, so we use the saved return code. */
1922 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1924 rc = sender_vaddr->special_action;
1925 *basic_errno = sender_vaddr->basic_errno;
1927 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1930 /* Do a new verification, and cache the result. The cache is used to avoid
1931 verifying the sender multiple times for multiple RCPTs when callouts are not
1932 specified (see comments above).
1934 The cache is also used on failure to give details in response to the first
1935 RCPT that gets bounced for this reason. However, this can be suppressed by
1936 the no_details option, which sets the flag that says "this detail has already
1937 been sent". The cache normally contains just one address, but there may be
1938 more in esoteric circumstances. */
1943 uschar *save_address_data = deliver_address_data;
1945 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1946 if (no_details) setflag(sender_vaddr, af_sverify_told);
1947 if (verify_sender_address[0] != 0)
1949 /* If this is the real sender address, save the unrewritten version
1950 for use later in receive. Otherwise, set a flag so that rewriting the
1951 sender in verify_address() does not update sender_address. */
1953 if (verify_sender_address == sender_address)
1954 sender_address_unrewritten = sender_address;
1956 verify_options |= vopt_fake_sender;
1958 if (success_on_redirect)
1959 verify_options |= vopt_success_on_redirect;
1961 /* The recipient, qualify, and expn options are never set in
1964 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1965 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1967 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1971 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1973 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1974 verify_sender_address, sender_vaddr->address);
1978 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1979 verify_sender_address);
1982 else *basic_errno = sender_vaddr->basic_errno;
1984 else rc = OK; /* Null sender */
1986 /* Cache the result code */
1988 if (routed) setflag(sender_vaddr, af_verify_routed);
1989 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1990 sender_vaddr->special_action = rc;
1991 sender_vaddr->next = sender_verified_list;
1992 sender_verified_list = sender_vaddr;
1994 /* Restore the recipient address data, which might have been clobbered by
1995 the sender verification. */
1997 deliver_address_data = save_address_data;
2000 /* Put the sender address_data value into $sender_address_data */
2002 sender_address_data = sender_vaddr->p.address_data;
2005 /* A recipient address just gets a straightforward verify; again we must handle
2006 the DEFER overrides. */
2012 if (success_on_redirect)
2013 verify_options |= vopt_success_on_redirect;
2015 /* We must use a copy of the address for verification, because it might
2019 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
2020 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
2021 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
2023 *basic_errno = addr2.basic_errno;
2024 *log_msgptr = addr2.message;
2025 *user_msgptr = (addr2.user_message != NULL)?
2026 addr2.user_message : addr2.message;
2028 /* Allow details for temporary error if the address is so flagged. */
2029 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
2031 /* Make $address_data visible */
2032 deliver_address_data = addr2.p.address_data;
2035 /* We have a result from the relevant test. Handle defer overrides first. */
2037 if (rc == DEFER && (defer_ok ||
2038 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
2040 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
2041 defer_ok? "defer_ok" : "callout_defer_ok");
2045 /* If we've failed a sender, set up a recipient message, and point
2046 sender_verified_failed to the address item that actually failed. */
2048 if (rc != OK && verify_sender_address != NULL)
2052 *log_msgptr = *user_msgptr = US"Sender verify failed";
2054 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2056 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2060 *log_msgptr = US"Could not complete sender verify callout";
2061 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2065 sender_verified_failed = sender_vaddr;
2068 /* Verifying an address messes up the values of $domain and $local_part,
2069 so reset them before returning if this is a RCPT ACL. */
2073 deliver_domain = addr->domain;
2074 deliver_localpart = addr->local_part;
2078 /* Syntax errors in the verify argument come here. */
2081 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2082 "\"helo\", \"header_syntax\", \"header_sender\" or "
2083 "\"reverse_host_lookup\" at start of ACL condition "
2084 "\"verify %s\"", arg);
2087 /* Options supplied when not allowed come here */
2090 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
2091 "(this verify item has no options)", arg);
2094 /* Calls in the wrong ACL come here */
2097 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
2098 "(only possible in ACL for DATA)", acl_wherenames[where]);
2105 /*************************************************
2106 * Check argument for control= modifier *
2107 *************************************************/
2109 /* Called from acl_check_condition() below
2112 arg the argument string for control=
2113 pptr set to point to the terminating character
2114 where which ACL we are in
2115 log_msgptr for error messages
2117 Returns: CONTROL_xxx value
2121 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2126 for (d = controls_list;
2127 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2130 len = Ustrlen(d->name);
2131 if (Ustrncmp(d->name, arg, len) == 0) break;
2134 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2135 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2137 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2138 return CONTROL_ERROR;
2147 /*************************************************
2148 * Handle rate limiting *
2149 *************************************************/
2151 /* Called by acl_check_condition() below to calculate the result
2152 of the ACL ratelimit condition.
2154 Note that the return value might be slightly unexpected: if the
2155 sender's rate is above the limit then the result is OK. This is
2156 similar to the dnslists condition, and is so that you can write
2157 ACL clauses like: defer ratelimit = 15 / 1h
2160 arg the option string for ratelimit=
2161 where ACL_WHERE_xxxx indicating which ACL this is
2162 log_msgptr for error messages
2164 Returns: OK - Sender's rate is above limit
2165 FAIL - Sender's rate is below limit
2166 DEFER - Problem opening ratelimit database
2167 ERROR - Syntax error in options.
2171 acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
2173 double limit, period;
2177 BOOL leaky = FALSE, strict = FALSE, noupdate = FALSE;
2178 BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2180 tree_node **anchor, *t;
2181 open_db dbblock, *dbm;
2182 dbdata_ratelimit *dbd;
2185 /* Parse the first two options and record their values in expansion
2186 variables. These variables allow the configuration to have informative
2187 error messages based on rate limits obtained from a table lookup. */
2189 /* First is the maximum number of messages per period and maximum burst
2190 size, which must be greater than or equal to zero. Zero is useful for
2191 rate measurement as opposed to rate limiting. */
2193 sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2194 if (sender_rate_limit == NULL)
2198 limit = Ustrtod(sender_rate_limit, &ss);
2199 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2200 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2201 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2203 if (limit < 0.0 || *ss != 0)
2205 *log_msgptr = string_sprintf("syntax error in argument for "
2206 "\"ratelimit\" condition: \"%s\" is not a positive number",
2211 /* Second is the rate measurement period and exponential smoothing time
2212 constant. This must be strictly greater than zero, because zero leads to
2213 run-time division errors. */
2215 sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2216 if (sender_rate_period == NULL) period = -1.0;
2217 else period = readconf_readtime(sender_rate_period, 0, FALSE);
2220 *log_msgptr = string_sprintf("syntax error in argument for "
2221 "\"ratelimit\" condition: \"%s\" is not a time value",
2222 sender_rate_period);
2226 /* Parse the other options. Should we check if the per_* options are being
2227 used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2229 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2232 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2233 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2234 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2235 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
2236 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2237 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
2238 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2239 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
2240 else key = string_sprintf("%s", ss);
2243 if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2245 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2249 /* Default option values */
2251 if (!strict) leaky = TRUE;
2252 if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2254 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2255 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2256 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2257 are added to the key because they alter the meaning of the stored data. */
2260 key = (sender_host_address == NULL)? US"" : sender_host_address;
2262 key = string_sprintf("%s/%s/%s/%s",
2264 per_byte? US"per_byte" :
2265 per_cmd? US"per_cmd" :
2266 per_mail? US"per_mail" : US"per_conn",
2267 strict? US"strict" : US"leaky",
2270 HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2271 limit, period, key);
2273 /* See if we have already computed the rate by looking in the relevant tree.
2274 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2275 pool so that they survive across resets. */
2278 old_pool = store_pool;
2282 anchor = &ratelimiters_conn;
2283 store_pool = POOL_PERM;
2285 else if (per_mail || per_byte)
2286 anchor = &ratelimiters_mail;
2288 anchor = &ratelimiters_cmd;
2290 if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2293 /* The following few lines duplicate some of the code below. */
2294 rc = (dbd->rate < limit)? FAIL : OK;
2295 store_pool = old_pool;
2296 sender_rate = string_sprintf("%.1f", dbd->rate);
2298 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2302 /* We aren't using a pre-computed rate, so get a previously recorded
2303 rate from the database, update it, and write it back when required. If there's
2304 no previous rate for this key, create one. */
2306 dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2309 store_pool = old_pool;
2311 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2312 *log_msgptr = US"ratelimit database not available";
2315 dbd = dbfn_read(dbm, key);
2317 gettimeofday(&tv, NULL);
2321 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2322 dbd = store_get(sizeof(dbdata_ratelimit));
2323 dbd->time_stamp = tv.tv_sec;
2324 dbd->time_usec = tv.tv_usec;
2329 /* The smoothed rate is computed using an exponentially weighted moving
2330 average adjusted for variable sampling intervals. The standard EWMA for
2331 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2332 where f() is the measured value and f'() is the smoothed value.
2334 Old data decays out of the smoothed value exponentially, such that data n
2335 samples old is multiplied by a^n. The exponential decay time constant p
2336 is defined such that data p samples old is multiplied by 1/e, which means
2337 that a = exp(-1/p). We can maintain the same time constant for a variable
2338 sampling interval i by using a = exp(-i/p).
2340 The rate we are measuring is messages per period, suitable for directly
2341 comparing with the limit. The average rate between now and the previous
2342 message is period / interval, which we feed into the EWMA as the sample.
2344 It turns out that the number of messages required for the smoothed rate
2345 to reach the limit when they are sent in a burst is equal to the limit.
2346 This can be seen by analysing the value of the smoothed rate after N
2347 messages sent at even intervals. Let k = (1 - a) * p/i
2349 rate_1 = (1 - a) * p/i + a * rate_0
2351 rate_2 = k + a * rate_1
2352 = k + a * k + a^2 * rate_0
2353 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2354 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2355 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2356 = rate_0 * a^N + p/i * (1 - a^N)
2358 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2360 rate_N = p/i + (rate_0 - p/i) * a^N
2361 a^N = (rate_N - p/i) / (rate_0 - p/i)
2362 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2363 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2365 Numerical analysis of the above equation, setting the computed rate to
2366 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2367 rates, p/i, the number of messages N = limit. So limit serves as both the
2368 maximum rate measured in messages per period, and the maximum number of
2369 messages that can be sent in a fast burst. */
2371 double this_time = (double)tv.tv_sec
2372 + (double)tv.tv_usec / 1000000.0;
2373 double prev_time = (double)dbd->time_stamp
2374 + (double)dbd->time_usec / 1000000.0;
2376 /* We must avoid division by zero, and deal gracefully with the clock going
2377 backwards. If we blunder ahead when time is in reverse then the computed
2378 rate will be bogus. To be safe we clamp interval to a very small number. */
2380 double interval = this_time - prev_time <= 0.0 ? 1e-9
2381 : this_time - prev_time;
2383 double i_over_p = interval / period;
2384 double a = exp(-i_over_p);
2386 dbd->time_stamp = tv.tv_sec;
2387 dbd->time_usec = tv.tv_usec;
2389 /* If we are measuring the rate in bytes per period, multiply the
2390 measured rate by the message size. If we don't know the message size
2391 then it's safe to just use a value of zero and let the recorded rate
2392 decay as if nothing happened. */
2395 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2396 * (1 - a) / i_over_p + a * dbd->rate;
2397 else if (per_cmd && where == ACL_WHERE_NOTSMTP)
2398 dbd->rate = (double)recipients_count
2399 * (1 - a) / i_over_p + a * dbd->rate;
2401 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2404 /* Clients sending at the limit are considered to be over the limit. This
2405 matters for edge cases such the first message sent by a client (which gets
2406 the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2407 be completely blocked). */
2409 rc = (dbd->rate < limit)? FAIL : OK;
2411 /* Update the state if the rate is low or if we are being strict. If we
2412 are in leaky mode and the sender's rate is too high, we do not update
2413 the recorded rate in order to avoid an over-aggressive sender's retry
2414 rate preventing them from getting any email through. If noupdate is set,
2415 do not do any updates. */
2417 if ((rc == FAIL || !leaky) && !noupdate)
2419 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
2420 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2424 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
2425 noupdate? "noupdate set" : "over the limit, but leaky");
2430 /* Store the result in the tree for future reference, if necessary. */
2432 if (anchor != NULL && !noupdate)
2434 t = store_get(sizeof(tree_node) + Ustrlen(key));
2436 Ustrcpy(t->name, key);
2437 (void)tree_insertnode(anchor, t);
2440 /* We create the formatted version of the sender's rate very late in
2441 order to ensure that it is done using the correct storage pool. */
2443 store_pool = old_pool;
2444 sender_rate = string_sprintf("%.1f", dbd->rate);
2447 debug_printf("ratelimit computed rate %s\n", sender_rate);
2454 /*************************************************
2455 * Handle conditions/modifiers on an ACL item *
2456 *************************************************/
2458 /* Called from acl_check() below.
2462 cb ACL condition block - if NULL, result is OK
2463 where where called from
2464 addr the address being checked for RCPT, or NULL
2465 level the nesting level
2466 epp pointer to pass back TRUE if "endpass" encountered
2467 (applies only to "accept" and "discard")
2468 user_msgptr user message pointer
2469 log_msgptr log message pointer
2470 basic_errno pointer to where to put verify error
2472 Returns: OK - all conditions are met
2473 DISCARD - an "acl" condition returned DISCARD - only allowed
2474 for "accept" or "discard" verbs
2475 FAIL - at least one condition fails
2476 FAIL_DROP - an "acl" condition returned FAIL_DROP
2477 DEFER - can't tell at the moment (typically, lookup defer,
2478 but can be temporary callout problem)
2479 ERROR - ERROR from nested ACL or expansion failure or other
2484 acl_check_condition(int verb, acl_condition_block *cb, int where,
2485 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2486 uschar **log_msgptr, int *basic_errno)
2488 uschar *user_message = NULL;
2489 uschar *log_message = NULL;
2492 #ifdef WITH_CONTENT_SCAN
2496 for (; cb != NULL; cb = cb->next)
2501 /* The message and log_message items set up messages to be used in
2502 case of rejection. They are expanded later. */
2504 if (cb->type == ACLC_MESSAGE)
2506 user_message = cb->arg;
2510 if (cb->type == ACLC_LOG_MESSAGE)
2512 log_message = cb->arg;
2516 /* The endpass "condition" just sets a flag to show it occurred. This is
2517 checked at compile time to be on an "accept" or "discard" item. */
2519 if (cb->type == ACLC_ENDPASS)
2525 /* For other conditions and modifiers, the argument is expanded now for some
2526 of them, but not for all, because expansion happens down in some lower level
2527 checking functions in some cases. */
2529 if (cond_expand_at_top[cb->type])
2531 arg = expand_string(cb->arg);
2534 if (expand_string_forcedfail) continue;
2535 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2536 cb->arg, expand_string_message);
2537 return search_find_defer? DEFER : ERROR;
2542 /* Show condition, and expanded condition if it's different */
2547 debug_printf("check %s%s %n",
2548 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2549 conditions[cb->type], &lhswidth);
2551 if (cb->type == ACLC_SET)
2553 debug_printf("acl_%s ", cb->u.varname);
2554 lhswidth += 5 + Ustrlen(cb->u.varname);
2557 debug_printf("= %s\n", cb->arg);
2560 debug_printf("%.*s= %s\n", lhswidth,
2564 /* Check that this condition makes sense at this time */
2566 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2568 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2569 cond_modifiers[cb->type]? "use" : "test",
2570 conditions[cb->type], acl_wherenames[where]);
2574 /* Run the appropriate test for each condition, or take the appropriate
2575 action for the remaining modifiers. */
2579 case ACLC_ADD_HEADER:
2583 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2587 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2588 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2590 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2591 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2597 case ACLC_AUTHENTICATED:
2598 rc = (sender_host_authenticated == NULL)? FAIL :
2599 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2603 #ifdef EXPERIMENTAL_BRIGHTMAIL
2604 case ACLC_BMI_OPTIN:
2606 int old_pool = store_pool;
2607 store_pool = POOL_PERM;
2608 bmi_current_optin = string_copy(arg);
2609 store_pool = old_pool;
2614 case ACLC_CONDITION:
2615 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2616 rc = (Uatoi(arg) == 0)? FAIL : OK;
2618 rc = (strcmpic(arg, US"no") == 0 ||
2619 strcmpic(arg, US"false") == 0)? FAIL :
2620 (strcmpic(arg, US"yes") == 0 ||
2621 strcmpic(arg, US"true") == 0)? OK : DEFER;
2623 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2626 case ACLC_CONTINUE: /* Always succeeds */
2630 control_type = decode_control(arg, &p, where, log_msgptr);
2632 /* Check if this control makes sense at this time */
2634 if ((control_forbids[control_type] & (1 << where)) != 0)
2636 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2637 controls[control_type], acl_wherenames[where]);
2641 switch(control_type)
2643 case CONTROL_AUTH_UNADVERTISED:
2644 allow_auth_unadvertised = TRUE;
2647 #ifdef EXPERIMENTAL_BRIGHTMAIL
2648 case CONTROL_BMI_RUN:
2653 #ifdef EXPERIMENTAL_DOMAINKEYS
2654 case CONTROL_DK_VERIFY:
2659 #ifdef EXPERIMENTAL_DKIM
2660 case CONTROL_DKIM_VERIFY:
2668 case CONTROL_CASEFUL_LOCAL_PART:
2669 deliver_localpart = addr->cc_local_part;
2672 case CONTROL_CASELOWER_LOCAL_PART:
2673 deliver_localpart = addr->lc_local_part;
2676 case CONTROL_ENFORCE_SYNC:
2677 smtp_enforce_sync = TRUE;
2680 case CONTROL_NO_ENFORCE_SYNC:
2681 smtp_enforce_sync = FALSE;
2684 #ifdef WITH_CONTENT_SCAN
2685 case CONTROL_NO_MBOX_UNSPOOL:
2686 no_mbox_unspool = TRUE;
2690 case CONTROL_NO_MULTILINE:
2691 no_multiline_responses = TRUE;
2694 case CONTROL_NO_PIPELINING:
2695 pipelining_enable = FALSE;
2698 case CONTROL_NO_DELAY_FLUSH:
2699 disable_delay_flush = TRUE;
2702 case CONTROL_NO_CALLOUT_FLUSH:
2703 disable_callout_flush = TRUE;
2706 case CONTROL_FAKEDEFER:
2707 case CONTROL_FAKEREJECT:
2708 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
2712 while (*pp != 0) pp++;
2713 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
2718 /* Explicitly reset to default string */
2719 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
2723 case CONTROL_FREEZE:
2724 deliver_freeze = TRUE;
2725 deliver_frozen_at = time(NULL);
2726 freeze_tell = freeze_tell_config; /* Reset to configured value */
2727 if (Ustrncmp(p, "/no_tell", 8) == 0)
2734 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2739 case CONTROL_QUEUE_ONLY:
2740 queue_only_policy = TRUE;
2743 case CONTROL_SUBMISSION:
2744 originator_name = US"";
2745 submission_mode = TRUE;
2748 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2751 active_local_sender_retain = TRUE;
2752 active_local_from_check = FALSE;
2754 else if (Ustrncmp(p, "/domain=", 8) == 0)
2757 while (*pp != 0 && *pp != '/') pp++;
2758 submission_domain = string_copyn(p+8, pp-p-8);
2761 /* The name= option must be last, because it swallows the rest of
2763 else if (Ustrncmp(p, "/name=", 6) == 0)
2766 while (*pp != 0) pp++;
2767 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
2768 big_buffer, big_buffer_size));
2775 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2780 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2781 suppress_local_fixups = TRUE;
2786 #ifdef EXPERIMENTAL_DCC
2789 /* Seperate the regular expression and any optional parameters. */
2790 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2791 /* Run the dcc backend. */
2792 rc = dcc_process(&ss);
2793 /* Modify return code based upon the existance of options. */
2794 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2796 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2798 /* FAIL so that the message is passed to the next ACL */
2806 #ifdef WITH_CONTENT_SCAN
2808 rc = mime_decode(&arg);
2814 int delay = readconf_readtime(arg, 0, FALSE);
2817 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2818 "modifier: \"%s\" is not a time value", arg);
2823 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2828 debug_printf("delay skipped in -bh checking mode\n");
2831 /* It appears to be impossible to detect that a TCP/IP connection has
2832 gone away without reading from it. This means that we cannot shorten
2833 the delay below if the client goes away, because we cannot discover
2834 that the client has closed its end of the connection. (The connection
2835 is actually in a half-closed state, waiting for the server to close its
2836 end.) It would be nice to be able to detect this state, so that the
2837 Exim process is not held up unnecessarily. However, it seems that we
2838 can't. The poll() function does not do the right thing, and in any case
2839 it is not always available.
2841 NOTE 1: If ever this state of affairs changes, remember that we may be
2842 dealing with stdin/stdout here, in addition to TCP/IP connections.
2843 Also, delays may be specified for non-SMTP input, where smtp_out and
2844 smtp_in will be NULL. Whatever is done must work in all cases.
2846 NOTE 2: The added feature of flushing the output before a delay must
2847 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
2852 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
2853 while (delay > 0) delay = sleep(delay);
2859 #ifdef WITH_OLD_DEMIME
2865 #ifdef EXPERIMENTAL_DOMAINKEYS
2866 case ACLC_DK_DOMAIN_SOURCE:
2867 if (dk_verify_block == NULL) { rc = FAIL; break; };
2868 /* check header source of domain against given string */
2869 switch (dk_verify_block->address_source) {
2870 case DK_EXIM_ADDRESS_FROM_FROM:
2871 rc = match_isinlist(US"from", &arg, 0, NULL,
2872 NULL, MCL_STRING, TRUE, NULL);
2874 case DK_EXIM_ADDRESS_FROM_SENDER:
2875 rc = match_isinlist(US"sender", &arg, 0, NULL,
2876 NULL, MCL_STRING, TRUE, NULL);
2878 case DK_EXIM_ADDRESS_NONE:
2879 rc = match_isinlist(US"none", &arg, 0, NULL,
2880 NULL, MCL_STRING, TRUE, NULL);
2885 case ACLC_DK_POLICY:
2886 if (dk_verify_block == NULL) { rc = FAIL; break; };
2887 /* check policy against given string, default FAIL */
2889 if (dk_verify_block->signsall)
2890 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2891 NULL, MCL_STRING, TRUE, NULL);
2892 if (dk_verify_block->testing)
2893 rc = match_isinlist(US"testing", &arg, 0, NULL,
2894 NULL, MCL_STRING, TRUE, NULL);
2897 case ACLC_DK_SENDER_DOMAINS:
2898 if (dk_verify_block == NULL) { rc = FAIL; break; };
2899 if (dk_verify_block->domain != NULL)
2900 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2901 NULL, MCL_DOMAIN, TRUE, NULL);
2905 case ACLC_DK_SENDER_LOCAL_PARTS:
2906 if (dk_verify_block == NULL) { rc = FAIL; break; };
2907 if (dk_verify_block->local_part != NULL)
2908 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2909 NULL, MCL_LOCALPART, TRUE, NULL);
2913 case ACLC_DK_SENDERS:
2914 if (dk_verify_block == NULL) { rc = FAIL; break; };
2915 if (dk_verify_block->address != NULL)
2916 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2920 case ACLC_DK_STATUS:
2921 if (dk_verify_block == NULL) { rc = FAIL; break; };
2922 if (dk_verify_block->result > 0) {
2923 switch(dk_verify_block->result) {
2924 case DK_EXIM_RESULT_BAD_FORMAT:
2925 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2926 NULL, MCL_STRING, TRUE, NULL);
2928 case DK_EXIM_RESULT_NO_KEY:
2929 rc = match_isinlist(US"no key", &arg, 0, NULL,
2930 NULL, MCL_STRING, TRUE, NULL);
2932 case DK_EXIM_RESULT_NO_SIGNATURE:
2933 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2934 NULL, MCL_STRING, TRUE, NULL);
2936 case DK_EXIM_RESULT_REVOKED:
2937 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2938 NULL, MCL_STRING, TRUE, NULL);
2940 case DK_EXIM_RESULT_NON_PARTICIPANT:
2941 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2942 NULL, MCL_STRING, TRUE, NULL);
2944 case DK_EXIM_RESULT_GOOD:
2945 rc = match_isinlist(US"good", &arg, 0, NULL,
2946 NULL, MCL_STRING, TRUE, NULL);
2948 case DK_EXIM_RESULT_BAD:
2949 rc = match_isinlist(US"bad", &arg, 0, NULL,
2950 NULL, MCL_STRING, TRUE, NULL);
2958 rc = verify_check_dnsbl(&arg);
2962 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2963 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2966 /* The value in tls_cipher is the full cipher name, for example,
2967 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2968 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2969 what may in practice come out of the SSL library - which at the time of
2970 writing is poorly documented. */
2972 case ACLC_ENCRYPTED:
2973 if (tls_cipher == NULL) rc = FAIL; else
2975 uschar *endcipher = NULL;
2976 uschar *cipher = Ustrchr(tls_cipher, ':');
2977 if (cipher == NULL) cipher = tls_cipher; else
2979 endcipher = Ustrchr(++cipher, ':');
2980 if (endcipher != NULL) *endcipher = 0;
2982 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2983 if (endcipher != NULL) *endcipher = ':';
2987 /* Use verify_check_this_host() instead of verify_check_host() so that
2988 we can pass over &host_data to catch any looked up data. Once it has been
2989 set, it retains its value so that it's still there if another ACL verb
2990 comes through here and uses the cache. However, we must put it into
2991 permanent store in case it is also expected to be used in a subsequent
2992 message in the same SMTP connection. */
2995 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2996 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2997 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3000 case ACLC_LOCAL_PARTS:
3001 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3002 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3003 &deliver_localpart_data);
3006 case ACLC_LOG_REJECT_TARGET:
3012 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3015 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3016 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3017 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3020 logbits |= LOG_MAIN|LOG_REJECT;
3021 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3022 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3025 log_reject_target = logbits;
3038 if (Ustrncmp(s, "main", 4) == 0)
3039 { logbits |= LOG_MAIN; s += 4; }
3040 else if (Ustrncmp(s, "panic", 5) == 0)
3041 { logbits |= LOG_PANIC; s += 5; }
3042 else if (Ustrncmp(s, "reject", 6) == 0)
3043 { logbits |= LOG_REJECT; s += 6; }
3046 logbits = LOG_MAIN|LOG_PANIC;
3047 s = string_sprintf(":unknown log name in \"%s\" in "
3048 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3054 while (isspace(*s)) s++;
3057 if (logbits == 0) logbits = LOG_MAIN;
3058 log_write(0, logbits, "%s", string_printing(s));
3062 #ifdef WITH_CONTENT_SCAN
3065 /* Separate the regular expression and any optional parameters. */
3066 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3067 /* Run the malware backend. */
3069 /* Modify return code based upon the existance of options. */
3070 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3072 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3074 /* FAIL so that the message is passed to the next ACL */
3081 case ACLC_MIME_REGEX:
3082 rc = mime_regex(&arg);
3086 case ACLC_RATELIMIT:
3087 rc = acl_ratelimit(arg, where, log_msgptr);
3090 case ACLC_RECIPIENTS:
3091 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3095 #ifdef WITH_CONTENT_SCAN
3101 case ACLC_SENDER_DOMAINS:
3104 sdomain = Ustrrchr(sender_address, '@');
3105 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3106 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3107 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3112 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3113 sender_address_cache, -1, 0, &sender_data);
3116 /* Connection variables must persist forever */
3120 int old_pool = store_pool;
3121 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3122 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
3123 store_pool = old_pool;
3127 #ifdef WITH_CONTENT_SCAN
3130 /* Seperate the regular expression and any optional parameters. */
3131 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3132 /* Run the spam backend. */
3134 /* Modify return code based upon the existance of options. */
3135 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3137 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3139 /* FAIL so that the message is passed to the next ACL */
3147 #ifdef EXPERIMENTAL_SPF
3149 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3151 case ACLC_SPF_GUESS:
3152 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
3156 /* If the verb is WARN, discard any user message from verification, because
3157 such messages are SMTP responses, not header additions. The latter come
3158 only from explicit "message" modifiers. However, put the user message into
3159 $acl_verify_message so it can be used in subsequent conditions or modifiers
3160 (until something changes it). */
3163 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
3164 acl_verify_message = *user_msgptr;
3165 if (verb == ACL_WARN) *user_msgptr = NULL;
3169 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3170 "condition %d", cb->type);
3174 /* If a condition was negated, invert OK/FAIL. */
3176 if (!cond_modifiers[cb->type] && cb->u.negated)
3178 if (rc == OK) rc = FAIL;
3179 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3182 if (rc != OK) break; /* Conditions loop */
3186 /* If the result is the one for which "message" and/or "log_message" are used,
3187 handle the values of these modifiers. If there isn't a log message set, we make
3188 it the same as the user message.
3190 "message" is a user message that will be included in an SMTP response. Unless
3191 it is empty, it overrides any previously set user message.
3193 "log_message" is a non-user message, and it adds to any existing non-user
3194 message that is already set.
3196 Most verbs have but a single return for which the messages are relevant, but
3197 for "discard", it's useful to have the log message both when it succeeds and
3198 when it fails. For "accept", the message is used in the OK case if there is no
3199 "endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3202 if (*epp && rc == OK) user_message = NULL;
3204 if (((1<<rc) & msgcond[verb]) != 0)
3207 uschar *old_user_msgptr = *user_msgptr;
3208 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
3210 /* If the verb is "warn", messages generated by conditions (verification or
3211 nested ACLs) are always discarded. This also happens for acceptance verbs
3212 when they actually do accept. Only messages specified at this level are used.
3213 However, the value of an existing message is available in $acl_verify_message
3214 during expansions. */
3216 if (verb == ACL_WARN ||
3217 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3218 *log_msgptr = *user_msgptr = NULL;
3220 if (user_message != NULL)
3222 acl_verify_message = old_user_msgptr;
3223 expmessage = expand_string(user_message);
3224 if (expmessage == NULL)
3226 if (!expand_string_forcedfail)
3227 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3228 user_message, expand_string_message);
3230 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3233 if (log_message != NULL)
3235 acl_verify_message = old_log_msgptr;
3236 expmessage = expand_string(log_message);
3237 if (expmessage == NULL)
3239 if (!expand_string_forcedfail)
3240 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3241 log_message, expand_string_message);
3243 else if (expmessage[0] != 0)
3245 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3246 string_sprintf("%s: %s", expmessage, *log_msgptr);
3250 /* If no log message, default it to the user message */
3252 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3255 acl_verify_message = NULL;
3263 /*************************************************
3264 * Get line from a literal ACL *
3265 *************************************************/
3267 /* This function is passed to acl_read() in order to extract individual lines
3268 of a literal ACL, which we access via static pointers. We can destroy the
3269 contents because this is called only once (the compiled ACL is remembered).
3271 This code is intended to treat the data in the same way as lines in the main
3272 Exim configuration file. That is:
3274 . Leading spaces are ignored.
3276 . A \ at the end of a line is a continuation - trailing spaces after the \
3277 are permitted (this is because I don't believe in making invisible things
3278 significant). Leading spaces on the continued part of a line are ignored.
3280 . Physical lines starting (significantly) with # are totally ignored, and
3281 may appear within a sequence of backslash-continued lines.
3283 . Blank lines are ignored, but will end a sequence of continuations.
3286 Returns: a pointer to the next line
3290 static uschar *acl_text; /* Current pointer in the text */
3291 static uschar *acl_text_end; /* Points one past the terminating '0' */
3299 /* This loop handles leading blank lines and comments. */
3303 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3304 if (*acl_text == 0) return NULL; /* No more data */
3305 yield = acl_text; /* Potential data line */
3307 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3309 /* If we hit the end before a newline, we have the whole logical line. If
3310 it's a comment, there's no more data to be given. Otherwise, yield it. */
3312 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3314 /* After reaching a newline, end this loop if the physical line does not
3315 start with '#'. If it does, it's a comment, and the loop continues. */
3317 if (*yield != '#') break;
3320 /* This loop handles continuations. We know we have some real data, ending in
3321 newline. See if there is a continuation marker at the end (ignoring trailing
3322 white space). We know that *yield is not white space, so no need to test for
3323 cont > yield in the backwards scanning loop. */
3328 for (cont = acl_text - 1; isspace(*cont); cont--);
3330 /* If no continuation follows, we are done. Mark the end of the line and
3339 /* We have encountered a continuation. Skip over whitespace at the start of
3340 the next line, and indeed the whole of the next line or lines if they are
3345 while (*(++acl_text) == ' ' || *acl_text == '\t');
3346 if (*acl_text != '#') break;
3347 while (*(++acl_text) != 0 && *acl_text != '\n');
3350 /* We have the start of a continuation line. Move all the rest of the data
3351 to join onto the previous line, and then find its end. If the end is not a
3352 newline, we are done. Otherwise loop to look for another continuation. */
3354 memmove(cont, acl_text, acl_text_end - acl_text);
3355 acl_text_end -= acl_text - cont;
3357 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3358 if (*acl_text == 0) return yield;
3361 /* Control does not reach here */
3368 /*************************************************
3369 * Check access using an ACL *
3370 *************************************************/
3372 /* This function is called from address_check. It may recurse via
3373 acl_check_condition() - hence the use of a level to stop looping. The ACL is
3374 passed as a string which is expanded. A forced failure implies no access check
3375 is required. If the result is a single word, it is taken as the name of an ACL
3376 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3377 text, complete with newlines, and parsed as such. In both cases, the ACL check
3378 is then run. This function uses an auxiliary function for acl_read() to call
3379 for reading individual lines of a literal ACL. This is acl_getline(), which
3380 appears immediately above.
3383 where where called from
3384 addr address item when called from RCPT; otherwise NULL
3385 s the input string; NULL is the same as an empty ACL => DENY
3386 level the nesting level
3387 user_msgptr where to put a user error (for SMTP response)
3388 log_msgptr where to put a logging message (not for SMTP response)
3390 Returns: OK access is granted
3391 DISCARD access is apparently granted...
3392 FAIL access is denied
3393 FAIL_DROP access is denied; drop the connection
3394 DEFER can't tell at the moment
3399 acl_check_internal(int where, address_item *addr, uschar *s, int level,
3400 uschar **user_msgptr, uschar **log_msgptr)
3403 acl_block *acl = NULL;
3404 uschar *acl_name = US"inline ACL";
3407 /* Catch configuration loops */
3411 *log_msgptr = US"ACL nested too deep: possible loop";
3417 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3421 /* At top level, we expand the incoming string. At lower levels, it has already
3422 been expanded as part of condition processing. */
3426 ss = expand_string(s);
3429 if (expand_string_forcedfail) return OK;
3430 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3431 expand_string_message);
3437 while (isspace(*ss))ss++;
3439 /* If we can't find a named ACL, the default is to parse it as an inline one.
3440 (Unless it begins with a slash; non-existent files give rise to an error.) */
3444 /* Handle the case of a string that does not contain any spaces. Look for a
3445 named ACL among those read from the configuration, or a previously read file.
3446 It is possible that the pointer to the ACL is NULL if the configuration
3447 contains a name with no data. If not found, and the text begins with '/',
3448 read an ACL from a file, and save it so it can be re-used. */
3450 if (Ustrchr(ss, ' ') == NULL)
3452 tree_node *t = tree_search(acl_anchor, ss);
3455 acl = (acl_block *)(t->data.ptr);
3458 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3461 acl_name = string_sprintf("ACL \"%s\"", ss);
3462 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3465 else if (*ss == '/')
3467 struct stat statbuf;
3468 fd = Uopen(ss, O_RDONLY, 0);
3471 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3476 if (fstat(fd, &statbuf) != 0)
3478 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3483 acl_text = store_get(statbuf.st_size + 1);
3484 acl_text_end = acl_text + statbuf.st_size + 1;
3486 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3488 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3489 ss, strerror(errno));
3492 acl_text[statbuf.st_size] = 0;
3495 acl_name = string_sprintf("ACL \"%s\"", ss);
3496 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3500 /* Parse an ACL that is still in text form. If it came from a file, remember it
3501 in the ACL tree, having read it into the POOL_PERM store pool so that it
3502 persists between multiple messages. */
3506 int old_pool = store_pool;
3507 if (fd >= 0) store_pool = POOL_PERM;
3508 acl = acl_read(acl_getline, log_msgptr);
3509 store_pool = old_pool;
3510 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3513 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3514 Ustrcpy(t->name, ss);
3516 (void)tree_insertnode(&acl_anchor, t);
3520 /* Now we have an ACL to use. It's possible it may be NULL. */
3525 int basic_errno = 0;
3526 BOOL endpass_seen = FALSE;
3528 *log_msgptr = *user_msgptr = NULL;
3529 acl_temp_details = FALSE;
3531 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
3532 acl->verb != ACL_ACCEPT &&
3533 acl->verb != ACL_WARN)
3535 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
3540 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3542 /* Clear out any search error message from a previous check before testing
3545 search_error_message = NULL;
3546 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3547 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3549 /* Handle special returns: DEFER causes a return except on a WARN verb;
3550 ERROR always causes a return. */
3555 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3556 if (basic_errno != ERRNO_CALLOUTDEFER)
3558 if (search_error_message != NULL && *search_error_message != 0)
3559 *log_msgptr = search_error_message;
3560 if (smtp_return_error_details) acl_temp_details = TRUE;
3564 acl_temp_details = TRUE;
3566 if (acl->verb != ACL_WARN) return DEFER;
3569 default: /* Paranoia */
3571 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3575 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3580 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3583 /* DISCARD and DROP can happen only from a nested ACL condition, and
3584 DISCARD can happen only for an "accept" or "discard" verb. */
3587 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3592 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3597 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3598 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3599 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3604 if (cond == OK || cond == DISCARD) return cond;
3607 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3615 acl_temp_details = TRUE;
3621 if (cond == OK) return FAIL;
3625 if (cond == OK || cond == DISCARD) return DISCARD;
3628 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3634 if (cond == OK) return FAIL_DROP;
3638 if (cond != OK) return cond;
3643 acl_warn(where, *user_msgptr, *log_msgptr);
3644 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
3645 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3646 "condition test deferred%s%s", host_and_ident(TRUE),
3647 (*log_msgptr == NULL)? US"" : US": ",
3648 (*log_msgptr == NULL)? US"" : *log_msgptr);
3649 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3653 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3658 /* Pass to the next ACL item */
3663 /* We have reached the end of the ACL. This is an implicit DENY. */
3665 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3670 /*************************************************
3671 * Check access using an ACL *
3672 *************************************************/
3674 /* This is the external interface for ACL checks. It sets up an address and the
3675 expansions for $domain and $local_part when called after RCPT, then calls
3676 acl_check_internal() to do the actual work.
3679 where ACL_WHERE_xxxx indicating where called from
3680 recipient RCPT address for RCPT check, else NULL
3681 s the input string; NULL is the same as an empty ACL => DENY
3682 user_msgptr where to put a user error (for SMTP response)
3683 log_msgptr where to put a logging message (not for SMTP response)
3685 Returns: OK access is granted by an ACCEPT verb
3686 DISCARD access is granted by a DISCARD verb
3687 FAIL access is denied
3688 FAIL_DROP access is denied; drop the connection
3689 DEFER can't tell at the moment
3694 acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
3695 uschar **log_msgptr)
3699 address_item *addr = NULL;
3701 *user_msgptr = *log_msgptr = NULL;
3702 sender_verified_failed = NULL;
3703 ratelimiters_cmd = NULL;
3704 log_reject_target = LOG_MAIN|LOG_REJECT;
3706 if (where == ACL_WHERE_RCPT)
3708 adb = address_defaults;
3710 addr->address = recipient;
3711 if (deliver_split_address(addr) == DEFER)
3713 *log_msgptr = US"defer in percent_hack_domains check";
3716 deliver_domain = addr->domain;
3717 deliver_localpart = addr->local_part;
3720 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3722 deliver_domain = deliver_localpart = deliver_address_data =
3723 sender_address_data = NULL;
3725 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3726 ACL, which is really in the middle of an SMTP command. */
3730 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3732 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3733 "ACL", acl_wherenames[where]);
3739 /* A DROP response is not permitted from MAILAUTH */
3741 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3743 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3744 "ACL", acl_wherenames[where]);
3748 /* Before giving a response, take a look at the length of any user message, and
3749 split it up into multiple lines if possible. */
3751 *user_msgptr = string_split_message(*user_msgptr);
3752 if (fake_response != OK)
3753 fake_response_text = string_split_message(fake_response_text);
3760 /*************************************************
3761 * Create ACL variable *
3762 *************************************************/
3764 /* Create an ACL variable or reuse an existing one. ACL variables are in a
3765 binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3768 name pointer to the variable's name, starting with c or m
3770 Returns the pointer to variable's tree node
3774 acl_var_create(uschar *name)
3776 tree_node *node, **root;
3777 root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3778 node = tree_search(*root, name);
3781 node = store_get(sizeof(tree_node) + Ustrlen(name));
3782 Ustrcpy(node->name, name);
3783 (void)tree_insertnode(root, node);
3785 node->data.ptr = NULL;
3791 /*************************************************
3792 * Write an ACL variable in spool format *
3793 *************************************************/
3795 /* This function is used as a callback for tree_walk when writing variables to
3796 the spool file. To retain spool file compatibility, what is written is -aclc or
3797 -aclm followed by the rest of the name and the data length, space separated,
3798 then the value itself, starting on a new line, and terminated by an additional
3799 newline. When we had only numbered ACL variables, the first line might look
3800 like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3804 name of the variable
3805 value of the variable
3806 ctx FILE pointer (as a void pointer)
3812 acl_var_write(uschar *name, uschar *value, void *ctx)
3814 FILE *f = (FILE *)ctx;
3815 fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
git://git.exim.org / exim.git / blob