1 /* $Cambridge: exim/src/src/acl.c,v 1.6 2004/12/16 15:11:47 tom Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2004 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the condition for which "message" is used */
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
34 /* ACL condition and modifier codes - keep in step with the table that
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
46 #ifdef WITH_OLD_DEMIME
49 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
50 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
51 #ifdef WITH_CONTENT_SCAN
55 #ifdef WITH_CONTENT_SCAN
59 #ifdef WITH_CONTENT_SCAN
62 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
63 #ifdef WITH_CONTENT_SCAN
66 #ifdef EXPERIMENTAL_SPF
71 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
72 "log_message", "logwrite", and "set" are modifiers that look like conditions
73 but always return TRUE. They are used for their side effects. */
75 static uschar *conditions[] = { US"acl", US"authenticated",
76 #ifdef EXPERIMENTAL_BRIGHTMAIL
81 #ifdef WITH_CONTENT_SCAN
85 #ifdef WITH_OLD_DEMIME
88 US"dnslists", US"domains", US"encrypted",
89 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
90 #ifdef WITH_CONTENT_SCAN
94 #ifdef WITH_CONTENT_SCAN
98 #ifdef WITH_CONTENT_SCAN
101 US"sender_domains", US"senders", US"set",
102 #ifdef WITH_CONTENT_SCAN
105 #ifdef EXPERIMENTAL_SPF
110 /* ACL control names */
112 static uschar *controls[] = { US"error", US"caseful_local_part",
113 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
114 US"queue_only", US"submission", US"no_multiline"};
116 /* Flags to indicate for which conditions /modifiers a string expansion is done
117 at the outer level. In the other cases, expansion already occurs in the
118 checking functions. */
120 static uschar cond_expand_at_top[] = {
122 FALSE, /* authenticated */
123 #ifdef EXPERIMENTAL_BRIGHTMAIL
124 TRUE, /* bmi_optin */
126 TRUE, /* condition */
128 #ifdef WITH_CONTENT_SCAN
132 #ifdef WITH_OLD_DEMIME
137 FALSE, /* encrypted */
140 FALSE, /* local_parts */
141 TRUE, /* log_message */
143 #ifdef WITH_CONTENT_SCAN
147 #ifdef WITH_CONTENT_SCAN
148 TRUE, /* mime_regex */
150 FALSE, /* recipients */
151 #ifdef WITH_CONTENT_SCAN
154 FALSE, /* sender_domains */
157 #ifdef WITH_CONTENT_SCAN
160 #ifdef EXPERIMENTAL_SPF
166 /* Flags to identify the modifiers */
168 static uschar cond_modifiers[] = {
170 FALSE, /* authenticated */
171 #ifdef EXPERIMENTAL_BRIGHTMAIL
172 TRUE, /* bmi_optin */
174 FALSE, /* condition */
176 #ifdef WITH_CONTENT_SCAN
180 #ifdef WITH_OLD_DEMIME
183 FALSE, /* dnslists */
185 FALSE, /* encrypted */
188 FALSE, /* local_parts */
189 TRUE, /* log_message */
191 #ifdef WITH_CONTENT_SCAN
195 #ifdef WITH_CONTENT_SCAN
196 FALSE, /* mime_regex */
198 FALSE, /* recipients */
199 #ifdef WITH_CONTENT_SCAN
202 FALSE, /* sender_domains */
205 #ifdef WITH_CONTENT_SCAN
208 #ifdef EXPERIMENTAL_SPF
214 /* Bit map vector of which conditions are not allowed at certain times. For
215 each condition, there's a bitmap of dis-allowed times. */
217 static unsigned int cond_forbids[] = {
219 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
222 #ifdef EXPERIMENTAL_BRIGHTMAIL
223 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* bmi_optin */
224 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
225 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
226 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
227 (1<<ACL_WHERE_MAILAUTH)|
228 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
229 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
234 /* Certain types of control are always allowed, so we let it through
235 always and check in the control processing itself */
239 #ifdef WITH_CONTENT_SCAN
240 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* decode */
241 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
242 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
243 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
244 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
245 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
246 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
251 #ifdef WITH_CONTENT_SCAN
252 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* demime */
253 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
254 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
255 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
256 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
257 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
258 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
261 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
263 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
264 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
265 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
266 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
267 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
268 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
271 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
274 (1<<ACL_WHERE_NOTSMTP), /* hosts */
276 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
277 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
278 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
279 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
280 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
281 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
287 #ifdef WITH_CONTENT_SCAN
288 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* malware */
289 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
290 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
291 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
292 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
293 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
294 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
299 #ifdef WITH_CONTENT_SCAN
300 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* mime_regex */
301 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
302 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
303 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
304 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
305 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
306 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
309 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
310 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
311 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
312 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
313 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
314 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
317 #ifdef WITH_CONTENT_SCAN
318 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* regex */
319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
324 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
327 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
329 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
330 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
331 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
333 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
335 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
336 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
337 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
341 #ifdef WITH_CONTENT_SCAN
342 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* spam */
343 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
344 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
345 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
346 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
347 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
348 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
351 #ifdef EXPERIMENTAL_SPF
352 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
354 (1<<ACL_WHERE_MAILAUTH)|
355 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
356 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
359 /* Certain types of verify are always allowed, so we let it through
360 always and check in the verify function itself */
366 /* Return values from decode_control() */
369 #ifdef EXPERIMENTAL_BRIGHTMAIL
372 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
373 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
374 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
375 #ifdef WITH_CONTENT_SCAN
376 CONTROL_NO_MBOX_UNSPOOL, CONTROL_FAKEREJECT,
378 CONTROL_NO_MULTILINE };
380 /* Bit map vector of which controls are not allowed at certain times. For
381 each control, there's a bitmap of dis-allowed times. For some, it is easier to
382 specify the negation of a small number of allowed times. */
384 static unsigned int control_forbids[] = {
385 #ifdef EXPERIMENTAL_BRIGHTMAIL
389 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
390 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
391 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
392 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
394 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
395 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
396 (1<<ACL_WHERE_NOTSMTP)),
398 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
399 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
400 (1<<ACL_WHERE_NOTSMTP)),
402 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
403 (1<<ACL_WHERE_PREDATA)),
405 #ifdef WITH_CONTENT_SCAN
406 (1<<ACL_WHERE_NOTSMTP), /* no_mbox_unspool */
407 (1<<ACL_WHERE_NOTSMTP), /* fakereject */
410 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
413 /* Structure listing various control arguments, with their characteristics. */
415 typedef struct control_def {
417 int value; /* CONTROL_xxx value */
418 BOOL has_option; /* Has /option(s) following */
421 static control_def controls_list[] = {
422 #ifdef EXPERIMENTAL_BRIGHTMAIL
423 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
425 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
426 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
427 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
428 { US"freeze", CONTROL_FREEZE, FALSE},
429 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
430 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
431 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
432 #ifdef WITH_CONTENT_SCAN
433 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
434 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
436 { US"submission", CONTROL_SUBMISSION, TRUE}
439 /* Enable recursion between acl_check_internal() and acl_check_condition() */
441 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
445 /*************************************************
446 * Pick out name from list *
447 *************************************************/
449 /* Use a binary chop method
456 Returns: offset in list, or -1 if not found
460 acl_checkname(uschar *name, uschar **list, int end)
466 int mid = (start + end)/2;
467 int c = Ustrcmp(name, list[mid]);
468 if (c == 0) return mid;
469 if (c < 0) end = mid; else start = mid + 1;
476 /*************************************************
477 * Read and parse one ACL *
478 *************************************************/
480 /* This function is called both from readconf in order to parse the ACLs in the
481 configuration file, and also when an ACL is encountered dynamically (e.g. as
482 the result of an expansion). It is given a function to call in order to
483 retrieve the lines of the ACL. This function handles skipping comments and
484 blank lines (where relevant).
487 func function to get next line of ACL
488 error where to put an error message
490 Returns: pointer to ACL, or NULL
491 NULL can be legal (empty ACL); in this case error will be NULL
495 acl_read(uschar *(*func)(void), uschar **error)
497 acl_block *yield = NULL;
498 acl_block **lastp = &yield;
499 acl_block *this = NULL;
500 acl_condition_block *cond;
501 acl_condition_block **condp = NULL;
506 while ((s = (*func)()) != NULL)
509 BOOL negated = FALSE;
510 uschar *saveline = s;
513 /* Conditions (but not verbs) are allowed to be negated by an initial
516 while (isspace(*s)) s++;
523 /* Read the name of a verb or a condition, or the start of a new ACL */
525 s = readconf_readname(name, sizeof(name), s);
528 if (negated || name[0] == 0)
530 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
536 /* If a verb is unrecognized, it may be another condition or modifier that
537 continues the previous verb. */
539 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
544 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
555 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
558 this = store_get(sizeof(acl_block));
560 lastp = &(this->next);
563 this->condition = NULL;
564 condp = &(this->condition);
565 if (*s == 0) continue; /* No condition on this line */
571 s = readconf_readname(name, sizeof(name), s); /* Condition name */
574 /* Handle a condition or modifier. */
576 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
579 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
584 /* The modifiers may not be negated */
586 if (negated && cond_modifiers[c])
588 *error = string_sprintf("ACL error: negation is not allowed with "
589 "\"%s\"", conditions[c]);
593 /* ENDPASS may occur only with ACCEPT or DISCARD. */
595 if (c == ACLC_ENDPASS &&
596 this->verb != ACL_ACCEPT &&
597 this->verb != ACL_DISCARD)
599 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
600 conditions[c], verbs[this->verb]);
604 cond = store_get(sizeof(acl_condition_block));
607 cond->u.negated = negated;
610 condp = &(cond->next);
612 /* The "set" modifier is different in that its argument is "name=value"
613 rather than just a value, and we can check the validity of the name, which
614 gives us a variable number to insert into the data block. */
618 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
619 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
621 *error = string_sprintf("unrecognized name after \"set\" in ACL "
622 "modifier \"set %s\"", s);
626 cond->u.varnumber = s[5] - '0';
627 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
629 while (isspace(*s)) s++;
632 /* For "set", we are now positioned for the data. For the others, only
633 "endpass" has no data */
635 if (c != ACLC_ENDPASS)
639 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
640 cond_modifiers[c]? US"modifier" : US"condition");
643 while (isspace(*s)) s++;
644 cond->arg = string_copy(s);
653 /*************************************************
655 *************************************************/
657 /* This function is called when a WARN verb's conditions are true. It adds to
658 the message's headers, and/or writes information to the log. In each case, this
659 only happens once (per message for headers, per connection for log).
662 where ACL_WHERE_xxxx indicating which ACL this is
663 user_message message for adding to headers
664 log_message message for logging, if different
670 acl_warn(int where, uschar *user_message, uschar *log_message)
674 if (log_message != NULL && log_message != user_message)
679 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
680 string_printing(log_message));
682 /* If a sender verification has failed, and the log message is "sender verify
683 failed", add the failure message. */
685 if (sender_verified_failed != NULL &&
686 sender_verified_failed->message != NULL &&
687 strcmpic(log_message, US"sender verify failed") == 0)
688 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
690 /* Search previously logged warnings. They are kept in malloc store so they
691 can be freed at the start of a new message. */
693 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
694 if (Ustrcmp(logged->text, text) == 0) break;
698 int length = Ustrlen(text) + 1;
699 log_write(0, LOG_MAIN, "%s", text);
700 logged = store_malloc(sizeof(string_item) + length);
701 logged->text = (uschar *)logged + sizeof(string_item);
702 memcpy(logged->text, text, length);
703 logged->next = acl_warn_logged;
704 acl_warn_logged = logged;
708 /* If there's no user message, we are done. */
710 if (user_message == NULL) return;
712 /* If this isn't a message ACL, we can't do anything with a user message.
715 if (where > ACL_WHERE_NOTSMTP)
717 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
718 "found in a non-message (%s) ACL: cannot specify header lines here: "
719 "message ignored", acl_wherenames[where]);
723 /* Treat the user message as a sequence of one or more header lines. */
725 hlen = Ustrlen(user_message);
728 uschar *text, *p, *q;
730 /* Add a final newline if not present */
732 text = ((user_message)[hlen-1] == '\n')? user_message :
733 string_sprintf("%s\n", user_message);
735 /* Loop for multiple header lines, taking care about continuations */
737 for (p = q = text; *p != 0; )
740 int newtype = htype_add_bot;
741 header_line **hptr = &acl_warn_headers;
743 /* Find next header line within the string */
747 q = Ustrchr(q, '\n');
748 if (*(++q) != ' ' && *q != '\t') break;
751 /* If the line starts with a colon, interpret the instruction for where to
752 add it. This temporarily sets up a new type. */
756 if (strncmpic(p, US":after_received:", 16) == 0)
758 newtype = htype_add_rec;
761 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
763 newtype = htype_add_rfc;
766 else if (strncmpic(p, US":at_start:", 10) == 0)
768 newtype = htype_add_top;
771 else if (strncmpic(p, US":at_end:", 8) == 0)
773 newtype = htype_add_bot;
776 while (*p == ' ' || *p == '\t') p++;
779 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
780 to the front of it. */
782 for (s = p; s < q - 1; s++)
784 if (*s == ':' || !isgraph(*s)) break;
787 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
790 /* See if this line has already been added */
792 while (*hptr != NULL)
794 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
795 hptr = &((*hptr)->next);
798 /* Add if not previously present */
802 header_line *h = store_get(sizeof(header_line));
811 /* Advance for next header line within the string */
820 /*************************************************
821 * Verify and check reverse DNS *
822 *************************************************/
824 /* Called from acl_verify() below. We look up the host name(s) of the client IP
825 address if this has not yet been done. The host_name_lookup() function checks
826 that one of these names resolves to an address list that contains the client IP
827 address, so we don't actually have to do the check here.
830 user_msgptr pointer for user message
831 log_msgptr pointer for log message
833 Returns: OK verification condition succeeded
834 FAIL verification failed
835 DEFER there was a problem verifying
839 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
843 user_msgptr = user_msgptr; /* stop compiler warning */
845 /* Previous success */
847 if (sender_host_name != NULL) return OK;
849 /* Previous failure */
851 if (host_lookup_failed)
853 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
857 /* Need to do a lookup */
860 debug_printf("looking up host name to force name/address consistency check\n");
862 if ((rc = host_name_lookup()) != OK)
864 *log_msgptr = (rc == DEFER)?
865 US"host lookup deferred for reverse lookup check"
867 string_sprintf("host lookup failed for reverse lookup check%s",
869 return rc; /* DEFER or FAIL */
872 host_build_sender_fullhost();
878 /*************************************************
879 * Handle verification (address & other) *
880 *************************************************/
882 /* This function implements the "verify" condition. It is called when
883 encountered in any ACL, because some tests are almost always permitted. Some
884 just don't make sense, and always fail (for example, an attempt to test a host
885 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
888 where where called from
889 addr the recipient address that the ACL is handling, or NULL
890 arg the argument of "verify"
891 user_msgptr pointer for user message
892 log_msgptr pointer for log message
893 basic_errno where to put verify errno
895 Returns: OK verification condition succeeded
896 FAIL verification failed
897 DEFER there was a problem verifying
902 acl_verify(int where, address_item *addr, uschar *arg,
903 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
907 int callout_overall = -1;
908 int callout_connect = -1;
909 int verify_options = 0;
911 BOOL verify_header_sender = FALSE;
912 BOOL defer_ok = FALSE;
913 BOOL callout_defer_ok = FALSE;
914 BOOL no_details = FALSE;
915 address_item *sender_vaddr = NULL;
916 uschar *verify_sender_address = NULL;
917 uschar *pm_mailfrom = NULL;
918 uschar *se_mailfrom = NULL;
920 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
922 if (ss == NULL) goto BAD_VERIFY;
924 /* Handle name/address consistency verification in a separate function. */
926 if (strcmpic(ss, US"reverse_host_lookup") == 0)
928 if (sender_host_address == NULL) return OK;
929 return acl_verify_reverse(user_msgptr, log_msgptr);
932 /* TLS certificate verification is done at STARTTLS time; here we just
933 test whether it was successful or not. (This is for optional verification; for
934 mandatory verification, the connection doesn't last this long.) */
936 if (strcmpic(ss, US"certificate") == 0)
938 if (tls_certificate_verified) return OK;
939 *user_msgptr = US"no verified certificate";
943 /* We can test the result of optional HELO verification */
945 if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
947 /* Handle header verification options - permitted only after DATA or a non-SMTP
950 if (strncmpic(ss, US"header_", 7) == 0)
952 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
954 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
955 "(only possible in ACL for DATA)", acl_wherenames[where]);
959 /* Check that all relevant header lines have the correct syntax. If there is
960 a syntax error, we return details of the error to the sender if configured to
961 send out full details. (But a "message" setting on the ACL can override, as
964 if (strcmpic(ss+7, US"syntax") == 0)
966 int rc = verify_check_headers(log_msgptr);
967 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
968 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
972 /* Check that there is at least one verifiable sender address in the relevant
973 header lines. This can be followed by callout and defer options, just like
974 sender and recipient. */
976 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
978 /* Unknown verify argument starting with "header_" */
980 else goto BAD_VERIFY;
983 /* Otherwise, first item in verify argument must be "sender" or "recipient".
984 In the case of a sender, this can optionally be followed by an address to use
985 in place of the actual sender (rare special-case requirement). */
987 else if (strncmpic(ss, US"sender", 6) == 0)
990 if (where > ACL_WHERE_NOTSMTP)
992 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
993 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
994 acl_wherenames[where]);
998 verify_sender_address = sender_address;
1001 while (isspace(*s)) s++;
1002 if (*s++ != '=') goto BAD_VERIFY;
1003 while (isspace(*s)) s++;
1004 verify_sender_address = string_copy(s);
1009 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1012 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1013 "(only possible for RCPT)", acl_wherenames[where]);
1018 /* Remaining items are optional */
1020 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1023 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1024 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1026 /* These two old options are left for backwards compatibility */
1028 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1030 callout_defer_ok = TRUE;
1031 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1034 else if (strcmpic(ss, US"check_postmaster") == 0)
1037 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1040 /* The callout option has a number of sub-options, comma separated */
1042 else if (strncmpic(ss, US"callout", 7) == 0)
1044 callout = CALLOUT_TIMEOUT_DEFAULT;
1048 while (isspace(*ss)) ss++;
1054 while (isspace(*ss)) ss++;
1056 /* This callout option handling code has become a mess as new options
1057 have been added in an ad hoc manner. It should be tidied up into some
1058 kind of table-driven thing. */
1060 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1063 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1064 else if (strcmpic(opt, US"no_cache") == 0)
1065 verify_options |= vopt_callout_no_cache;
1066 else if (strcmpic(opt, US"random") == 0)
1067 verify_options |= vopt_callout_random;
1068 else if (strcmpic(opt, US"use_sender") == 0)
1069 verify_options |= vopt_callout_recipsender;
1070 else if (strcmpic(opt, US"use_postmaster") == 0)
1071 verify_options |= vopt_callout_recippmaster;
1072 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1074 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1076 if (!verify_header_sender)
1078 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1079 "callout option only for verify=header_sender (detected in ACL "
1080 "condition \"%s\")", arg);
1084 while (isspace(*opt)) opt++;
1087 *log_msgptr = string_sprintf("'=' expected after "
1088 "\"mailfrom\" in ACL condition \"%s\"", arg);
1091 while (isspace(*opt)) opt++;
1092 se_mailfrom = string_copy(opt);
1095 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1098 while (isspace(*opt)) opt++;
1101 *log_msgptr = string_sprintf("'=' expected after "
1102 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1105 while (isspace(*opt)) opt++;
1106 pm_mailfrom = string_copy(opt);
1109 else if (strncmpic(opt, US"maxwait", 7) == 0)
1112 while (isspace(*opt)) opt++;
1115 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1116 "ACL condition \"%s\"", arg);
1119 while (isspace(*opt)) opt++;
1120 callout_overall = readconf_readtime(opt, 0, FALSE);
1121 if (callout_overall < 0)
1123 *log_msgptr = string_sprintf("bad time value in ACL condition "
1124 "\"verify %s\"", arg);
1128 else if (strncmpic(opt, US"connect", 7) == 0)
1131 while (isspace(*opt)) opt++;
1134 *log_msgptr = string_sprintf("'=' expected after "
1135 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1138 while (isspace(*opt)) opt++;
1139 callout_connect = readconf_readtime(opt, 0, FALSE);
1140 if (callout_connect < 0)
1142 *log_msgptr = string_sprintf("bad time value in ACL condition "
1143 "\"verify %s\"", arg);
1147 else /* Plain time is callout connect/command timeout */
1149 callout = readconf_readtime(opt, 0, FALSE);
1152 *log_msgptr = string_sprintf("bad time value in ACL condition "
1153 "\"verify %s\"", arg);
1161 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1162 "ACL condition \"%s\"", arg);
1168 /* Option not recognized */
1172 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1173 "condition \"verify %s\"", ss, arg);
1178 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1179 (vopt_callout_recipsender|vopt_callout_recippmaster))
1181 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1182 "for a recipient callout";
1186 /* Handle sender-in-header verification. Default the user message to the log
1187 message if giving out verification details. */
1189 if (verify_header_sender)
1191 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1192 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options);
1193 if (smtp_return_error_details)
1195 if (*user_msgptr == NULL && *log_msgptr != NULL)
1196 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1197 if (rc == DEFER) acl_temp_details = TRUE;
1201 /* Handle a sender address. The default is to verify *the* sender address, but
1202 optionally a different address can be given, for special requirements. If the
1203 address is empty, we are dealing with a bounce message that has no sender, so
1204 we cannot do any checking. If the real sender address gets rewritten during
1205 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1206 during message reception.
1208 A list of verified "sender" addresses is kept to try to avoid doing to much
1209 work repetitively when there are multiple recipients in a message and they all
1210 require sender verification. However, when callouts are involved, it gets too
1211 complicated because different recipients may require different callout options.
1212 Therefore, we always do a full sender verify when any kind of callout is
1213 specified. Caching elsewhere, for instance in the DNS resolver and in the
1214 callout handling, should ensure that this is not terribly inefficient. */
1216 else if (verify_sender_address != NULL)
1218 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1221 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1222 "sender verify callout";
1226 sender_vaddr = verify_checked_sender(verify_sender_address);
1227 if (sender_vaddr != NULL && /* Previously checked */
1228 callout <= 0) /* No callout needed this time */
1230 /* If the "routed" flag is set, it means that routing worked before, so
1231 this check can give OK (the saved return code value, if set, belongs to a
1232 callout that was done previously). If the "routed" flag is not set, routing
1233 must have failed, so we use the saved return code. */
1235 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1237 rc = sender_vaddr->special_action;
1238 *basic_errno = sender_vaddr->basic_errno;
1240 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1243 /* Do a new verification, and cache the result. The cache is used to avoid
1244 verifying the sender multiple times for multiple RCPTs when callouts are not
1245 specified (see comments above).
1247 The cache is also used on failure to give details in response to the first
1248 RCPT that gets bounced for this reason. However, this can be suppressed by
1249 the no_details option, which sets the flag that says "this detail has already
1250 been sent". The cache normally contains just one address, but there may be
1251 more in esoteric circumstances. */
1256 uschar *save_address_data = deliver_address_data;
1258 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1259 if (no_details) setflag(sender_vaddr, af_sverify_told);
1260 if (verify_sender_address[0] != 0)
1262 /* If this is the real sender address, save the unrewritten version
1263 for use later in receive. Otherwise, set a flag so that rewriting the
1264 sender in verify_address() does not update sender_address. */
1266 if (verify_sender_address == sender_address)
1267 sender_address_unrewritten = sender_address;
1269 verify_options |= vopt_fake_sender;
1271 /* The recipient, qualify, and expn options are never set in
1274 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1275 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1277 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1281 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1283 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1284 verify_sender_address, sender_vaddr->address);
1288 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1289 verify_sender_address);
1292 else *basic_errno = sender_vaddr->basic_errno;
1294 else rc = OK; /* Null sender */
1296 /* Cache the result code */
1298 if (routed) setflag(sender_vaddr, af_verify_routed);
1299 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1300 sender_vaddr->special_action = rc;
1301 sender_vaddr->next = sender_verified_list;
1302 sender_verified_list = sender_vaddr;
1304 /* Restore the recipient address data, which might have been clobbered by
1305 the sender verification. */
1307 deliver_address_data = save_address_data;
1310 /* Put the sender address_data value into $sender_address_data */
1312 sender_address_data = sender_vaddr->p.address_data;
1315 /* A recipient address just gets a straightforward verify; again we must handle
1316 the DEFER overrides. */
1322 /* We must use a copy of the address for verification, because it might
1326 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1327 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1328 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1329 *log_msgptr = addr2.message;
1330 *user_msgptr = addr2.user_message;
1331 *basic_errno = addr2.basic_errno;
1333 /* Make $address_data visible */
1334 deliver_address_data = addr2.p.address_data;
1337 /* We have a result from the relevant test. Handle defer overrides first. */
1339 if (rc == DEFER && (defer_ok ||
1340 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1342 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1343 defer_ok? "defer_ok" : "callout_defer_ok");
1347 /* If we've failed a sender, set up a recipient message, and point
1348 sender_verified_failed to the address item that actually failed. */
1350 if (rc != OK && verify_sender_address != NULL)
1354 *log_msgptr = *user_msgptr = US"Sender verify failed";
1356 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1358 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1362 *log_msgptr = US"Could not complete sender verify callout";
1363 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1367 sender_verified_failed = sender_vaddr;
1370 /* Verifying an address messes up the values of $domain and $local_part,
1371 so reset them before returning if this is a RCPT ACL. */
1375 deliver_domain = addr->domain;
1376 deliver_localpart = addr->local_part;
1380 /* Syntax errors in the verify argument come here. */
1383 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1384 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1385 "\"verify %s\"", arg);
1392 /*************************************************
1393 * Check argument for control= modifier *
1394 *************************************************/
1396 /* Called from acl_check_condition() below
1399 arg the argument string for control=
1400 pptr set to point to the terminating character
1401 where which ACL we are in
1402 log_msgptr for error messages
1404 Returns: CONTROL_xxx value
1408 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1413 for (d = controls_list;
1414 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1417 len = Ustrlen(d->name);
1418 if (Ustrncmp(d->name, arg, len) == 0) break;
1421 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1422 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1424 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1425 return CONTROL_ERROR;
1434 /*************************************************
1435 * Handle conditions/modifiers on an ACL item *
1436 *************************************************/
1438 /* Called from acl_check() below.
1442 cb ACL condition block - if NULL, result is OK
1443 where where called from
1444 addr the address being checked for RCPT, or NULL
1445 level the nesting level
1446 epp pointer to pass back TRUE if "endpass" encountered
1447 (applies only to "accept" and "discard")
1448 user_msgptr user message pointer
1449 log_msgptr log message pointer
1450 basic_errno pointer to where to put verify error
1452 Returns: OK - all conditions are met
1453 DISCARD - an "acl" condition returned DISCARD - only allowed
1454 for "accept" or "discard" verbs
1455 FAIL - at least one condition fails
1456 FAIL_DROP - an "acl" condition returned FAIL_DROP
1457 DEFER - can't tell at the moment (typically, lookup defer,
1458 but can be temporary callout problem)
1459 ERROR - ERROR from nested ACL or expansion failure or other
1464 acl_check_condition(int verb, acl_condition_block *cb, int where,
1465 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1466 uschar **log_msgptr, int *basic_errno)
1468 uschar *user_message = NULL;
1469 uschar *log_message = NULL;
1472 #ifdef WITH_CONTENT_SCAN
1476 for (; cb != NULL; cb = cb->next)
1481 /* The message and log_message items set up messages to be used in
1482 case of rejection. They are expanded later. */
1484 if (cb->type == ACLC_MESSAGE)
1486 user_message = cb->arg;
1490 if (cb->type == ACLC_LOG_MESSAGE)
1492 log_message = cb->arg;
1496 /* The endpass "condition" just sets a flag to show it occurred. This is
1497 checked at compile time to be on an "accept" or "discard" item. */
1499 if (cb->type == ACLC_ENDPASS)
1505 /* For other conditions and modifiers, the argument is expanded now for some
1506 of them, but not for all, because expansion happens down in some lower level
1507 checking functions in some cases. */
1509 if (cond_expand_at_top[cb->type])
1511 arg = expand_string(cb->arg);
1514 if (expand_string_forcedfail) continue;
1515 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1516 cb->arg, expand_string_message);
1517 return search_find_defer? DEFER : ERROR;
1522 /* Show condition, and expanded condition if it's different */
1527 debug_printf("check %s%s %n",
1528 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1529 conditions[cb->type], &lhswidth);
1531 if (cb->type == ACLC_SET)
1533 int n = cb->u.varnumber;
1534 int t = (n < ACL_C_MAX)? 'c' : 'm';
1535 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1536 debug_printf("acl_%c%d ", t, n);
1540 debug_printf("= %s\n", cb->arg);
1543 debug_printf("%.*s= %s\n", lhswidth,
1547 /* Check that this condition makes sense at this time */
1549 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1551 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1552 cond_modifiers[cb->type]? "use" : "test",
1553 conditions[cb->type], acl_wherenames[where]);
1557 /* Run the appropriate test for each condition, or take the appropriate
1558 action for the remaining modifiers. */
1562 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1566 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1567 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1569 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1570 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1576 case ACLC_AUTHENTICATED:
1577 rc = (sender_host_authenticated == NULL)? FAIL :
1578 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1582 #ifdef EXPERIMENTAL_BRIGHTMAIL
1583 case ACLC_BMI_OPTIN:
1585 int old_pool = store_pool;
1586 store_pool = POOL_PERM;
1587 bmi_current_optin = string_copy(arg);
1588 store_pool = old_pool;
1593 case ACLC_CONDITION:
1594 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1595 rc = (Uatoi(arg) == 0)? FAIL : OK;
1597 rc = (strcmpic(arg, US"no") == 0 ||
1598 strcmpic(arg, US"false") == 0)? FAIL :
1599 (strcmpic(arg, US"yes") == 0 ||
1600 strcmpic(arg, US"true") == 0)? OK : DEFER;
1602 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1606 control_type = decode_control(arg, &p, where, log_msgptr);
1608 /* Check if this control makes sense at this time */
1610 if ((control_forbids[control_type] & (1 << where)) != 0)
1612 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1613 controls[control_type], acl_wherenames[where]);
1617 switch(control_type)
1619 #ifdef EXPERIMENTAL_BRIGHTMAIL
1620 case CONTROL_BMI_RUN:
1628 case CONTROL_CASEFUL_LOCAL_PART:
1629 deliver_localpart = addr->cc_local_part;
1632 case CONTROL_CASELOWER_LOCAL_PART:
1633 deliver_localpart = addr->lc_local_part;
1636 case CONTROL_ENFORCE_SYNC:
1637 smtp_enforce_sync = TRUE;
1640 case CONTROL_NO_ENFORCE_SYNC:
1641 smtp_enforce_sync = FALSE;
1644 #ifdef WITH_CONTENT_SCAN
1645 case CONTROL_NO_MBOX_UNSPOOL:
1646 no_mbox_unspool = TRUE;
1650 case CONTROL_NO_MULTILINE:
1651 no_multiline_responses = TRUE;
1654 #ifdef WITH_CONTENT_SCAN
1655 case CONTROL_FAKEREJECT:
1660 while (*pp != 0) pp++;
1661 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1666 /* Explicitly reset to default string */
1667 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legit message, it may still be delivered to the target recipient(s).";
1672 case CONTROL_FREEZE:
1673 deliver_freeze = TRUE;
1674 deliver_frozen_at = time(NULL);
1677 case CONTROL_QUEUE_ONLY:
1678 queue_only_policy = TRUE;
1681 case CONTROL_SUBMISSION:
1682 submission_mode = TRUE;
1685 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1688 active_local_sender_retain = TRUE;
1689 active_local_from_check = FALSE;
1691 else if (Ustrncmp(p, "/domain=", 8) == 0)
1694 while (*pp != 0 && *pp != '/') pp++;
1695 submission_domain = string_copyn(p+8, pp-p);
1702 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1709 #ifdef WITH_CONTENT_SCAN
1711 rc = mime_decode(&arg);
1717 int delay = readconf_readtime(arg, 0, FALSE);
1720 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1721 "modifier: \"%s\" is not a time value", arg);
1726 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1731 debug_printf("delay skipped in -bh checking mode\n");
1738 #ifdef WITH_OLD_DEMIME
1745 rc = verify_check_dnsbl(&arg);
1749 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1750 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1753 /* The value in tls_cipher is the full cipher name, for example,
1754 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1755 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1756 what may in practice come out of the SSL library - which at the time of
1757 writing is poorly documented. */
1759 case ACLC_ENCRYPTED:
1760 if (tls_cipher == NULL) rc = FAIL; else
1762 uschar *endcipher = NULL;
1763 uschar *cipher = Ustrchr(tls_cipher, ':');
1764 if (cipher == NULL) cipher = tls_cipher; else
1766 endcipher = Ustrchr(++cipher, ':');
1767 if (endcipher != NULL) *endcipher = 0;
1769 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1770 if (endcipher != NULL) *endcipher = ':';
1774 /* Use verify_check_this_host() instead of verify_check_host() so that
1775 we can pass over &host_data to catch any looked up data. Once it has been
1776 set, it retains its value so that it's still there if another ACL verb
1777 comes through here and uses the cache. However, we must put it into
1778 permanent store in case it is also expected to be used in a subsequent
1779 message in the same SMTP connection. */
1782 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1783 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1784 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1787 case ACLC_LOCAL_PARTS:
1788 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1789 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1790 &deliver_localpart_data);
1802 if (Ustrncmp(s, "main", 4) == 0)
1803 { logbits |= LOG_MAIN; s += 4; }
1804 else if (Ustrncmp(s, "panic", 5) == 0)
1805 { logbits |= LOG_PANIC; s += 5; }
1806 else if (Ustrncmp(s, "reject", 6) == 0)
1807 { logbits |= LOG_REJECT; s += 6; }
1810 logbits = LOG_MAIN|LOG_PANIC;
1811 s = string_sprintf(":unknown log name in \"%s\" in "
1812 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
1818 while (isspace(*s)) s++;
1819 if (logbits == 0) logbits = LOG_MAIN;
1820 log_write(0, logbits, "%s", string_printing(s));
1824 #ifdef WITH_CONTENT_SCAN
1827 /* Seperate the regular expression and any optional parameters. */
1828 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1829 /* Run the malware backend. */
1831 /* Modify return code based upon the existance of options. */
1832 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1834 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1836 /* FAIL so that the message is passed to the next ACL */
1843 case ACLC_MIME_REGEX:
1844 rc = mime_regex(&arg);
1848 case ACLC_RECIPIENTS:
1849 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
1853 #ifdef WITH_CONTENT_SCAN
1859 case ACLC_SENDER_DOMAINS:
1862 sdomain = Ustrrchr(sender_address, '@');
1863 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
1864 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
1865 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
1870 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
1871 sender_address_cache, -1, 0, &sender_data);
1874 /* Connection variables must persist forever */
1878 int old_pool = store_pool;
1879 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
1880 acl_var[cb->u.varnumber] = string_copy(arg);
1881 store_pool = old_pool;
1885 #ifdef WITH_CONTENT_SCAN
1888 /* Seperate the regular expression and any optional parameters. */
1889 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1890 /* Run the spam backend. */
1892 /* Modify return code based upon the existance of options. */
1893 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1895 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1897 /* FAIL so that the message is passed to the next ACL */
1905 #ifdef EXPERIMENTAL_SPF
1907 rc = spf_process(&arg, sender_address);
1911 /* If the verb is WARN, discard any user message from verification, because
1912 such messages are SMTP responses, not header additions. The latter come
1913 only from explicit "message" modifiers. */
1916 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
1917 if (verb == ACL_WARN) *user_msgptr = NULL;
1921 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
1922 "condition %d", cb->type);
1926 /* If a condition was negated, invert OK/FAIL. */
1928 if (!cond_modifiers[cb->type] && cb->u.negated)
1930 if (rc == OK) rc = FAIL;
1931 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
1934 if (rc != OK) break; /* Conditions loop */
1938 /* If the result is the one for which "message" and/or "log_message" are used,
1939 handle the values of these options. Most verbs have but a single return for
1940 which the messages are relevant, but for "discard", it's useful to have the log
1941 message both when it succeeds and when it fails. Also, for an "accept" that
1942 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
1943 and "warn" are permitted in that ACL, we don't need to test the verb.
1945 These modifiers act in different ways:
1947 "message" is a user message that will be included in an SMTP response. Unless
1948 it is empty, it overrides any previously set user message.
1950 "log_message" is a non-user message, and it adds to any existing non-user
1951 message that is already set.
1953 If there isn't a log message set, we make it the same as the user message. */
1955 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
1956 (verb == ACL_DISCARD && rc == OK) ||
1957 (where == ACL_WHERE_QUIT))
1961 /* If the verb is "warn", messages generated by conditions (verification or
1962 nested ACLs) are discarded. Only messages specified at this level are used.
1963 However, the value of an existing message is available in $acl_verify_message
1964 during expansions. */
1966 uschar *old_user_msgptr = *user_msgptr;
1967 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
1969 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
1971 if (user_message != NULL)
1973 acl_verify_message = old_user_msgptr;
1974 expmessage = expand_string(user_message);
1975 if (expmessage == NULL)
1977 if (!expand_string_forcedfail)
1978 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1979 user_message, expand_string_message);
1981 else if (expmessage[0] != 0) *user_msgptr = expmessage;
1984 if (log_message != NULL)
1986 acl_verify_message = old_log_msgptr;
1987 expmessage = expand_string(log_message);
1988 if (expmessage == NULL)
1990 if (!expand_string_forcedfail)
1991 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1992 log_message, expand_string_message);
1994 else if (expmessage[0] != 0)
1996 *log_msgptr = (*log_msgptr == NULL)? expmessage :
1997 string_sprintf("%s: %s", expmessage, *log_msgptr);
2001 /* If no log message, default it to the user message */
2003 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2006 acl_verify_message = NULL;
2014 /*************************************************
2015 * Get line from a literal ACL *
2016 *************************************************/
2018 /* This function is passed to acl_read() in order to extract individual lines
2019 of a literal ACL, which we access via static pointers. We can destroy the
2020 contents because this is called only once (the compiled ACL is remembered).
2022 This code is intended to treat the data in the same way as lines in the main
2023 Exim configuration file. That is:
2025 . Leading spaces are ignored.
2027 . A \ at the end of a line is a continuation - trailing spaces after the \
2028 are permitted (this is because I don't believe in making invisible things
2029 significant). Leading spaces on the continued part of a line are ignored.
2031 . Physical lines starting (significantly) with # are totally ignored, and
2032 may appear within a sequence of backslash-continued lines.
2034 . Blank lines are ignored, but will end a sequence of continuations.
2037 Returns: a pointer to the next line
2041 static uschar *acl_text; /* Current pointer in the text */
2042 static uschar *acl_text_end; /* Points one past the terminating '0' */
2050 /* This loop handles leading blank lines and comments. */
2054 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2055 if (*acl_text == 0) return NULL; /* No more data */
2056 yield = acl_text; /* Potential data line */
2058 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2060 /* If we hit the end before a newline, we have the whole logical line. If
2061 it's a comment, there's no more data to be given. Otherwise, yield it. */
2063 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2065 /* After reaching a newline, end this loop if the physical line does not
2066 start with '#'. If it does, it's a comment, and the loop continues. */
2068 if (*yield != '#') break;
2071 /* This loop handles continuations. We know we have some real data, ending in
2072 newline. See if there is a continuation marker at the end (ignoring trailing
2073 white space). We know that *yield is not white space, so no need to test for
2074 cont > yield in the backwards scanning loop. */
2079 for (cont = acl_text - 1; isspace(*cont); cont--);
2081 /* If no continuation follows, we are done. Mark the end of the line and
2090 /* We have encountered a continuation. Skip over whitespace at the start of
2091 the next line, and indeed the whole of the next line or lines if they are
2096 while (*(++acl_text) == ' ' || *acl_text == '\t');
2097 if (*acl_text != '#') break;
2098 while (*(++acl_text) != 0 && *acl_text != '\n');
2101 /* We have the start of a continuation line. Move all the rest of the data
2102 to join onto the previous line, and then find its end. If the end is not a
2103 newline, we are done. Otherwise loop to look for another continuation. */
2105 memmove(cont, acl_text, acl_text_end - acl_text);
2106 acl_text_end -= acl_text - cont;
2108 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2109 if (*acl_text == 0) return yield;
2112 /* Control does not reach here */
2119 /*************************************************
2120 * Check access using an ACL *
2121 *************************************************/
2123 /* This function is called from address_check. It may recurse via
2124 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2125 passed as a string which is expanded. A forced failure implies no access check
2126 is required. If the result is a single word, it is taken as the name of an ACL
2127 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2128 text, complete with newlines, and parsed as such. In both cases, the ACL check
2129 is then run. This function uses an auxiliary function for acl_read() to call
2130 for reading individual lines of a literal ACL. This is acl_getline(), which
2131 appears immediately above.
2134 where where called from
2135 addr address item when called from RCPT; otherwise NULL
2136 s the input string; NULL is the same as an empty ACL => DENY
2137 level the nesting level
2138 user_msgptr where to put a user error (for SMTP response)
2139 log_msgptr where to put a logging message (not for SMTP response)
2141 Returns: OK access is granted
2142 DISCARD access is apparently granted...
2143 FAIL access is denied
2144 FAIL_DROP access is denied; drop the connection
2145 DEFER can't tell at the moment
2150 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2151 uschar **user_msgptr, uschar **log_msgptr)
2154 acl_block *acl = NULL;
2155 uschar *acl_name = US"inline ACL";
2158 /* Catch configuration loops */
2162 *log_msgptr = US"ACL nested too deep: possible loop";
2168 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2172 /* At top level, we expand the incoming string. At lower levels, it has already
2173 been expanded as part of condition processing. */
2177 ss = expand_string(s);
2180 if (expand_string_forcedfail) return OK;
2181 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2182 expand_string_message);
2188 while (isspace(*ss))ss++;
2190 /* If we can't find a named ACL, the default is to parse it as an inline one.
2191 (Unless it begins with a slash; non-existent files give rise to an error.) */
2195 /* Handle the case of a string that does not contain any spaces. Look for a
2196 named ACL among those read from the configuration, or a previously read file.
2197 It is possible that the pointer to the ACL is NULL if the configuration
2198 contains a name with no data. If not found, and the text begins with '/',
2199 read an ACL from a file, and save it so it can be re-used. */
2201 if (Ustrchr(ss, ' ') == NULL)
2203 tree_node *t = tree_search(acl_anchor, ss);
2206 acl = (acl_block *)(t->data.ptr);
2209 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2212 acl_name = string_sprintf("ACL \"%s\"", ss);
2213 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2216 else if (*ss == '/')
2218 struct stat statbuf;
2219 fd = Uopen(ss, O_RDONLY, 0);
2222 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2227 if (fstat(fd, &statbuf) != 0)
2229 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2234 acl_text = store_get(statbuf.st_size + 1);
2235 acl_text_end = acl_text + statbuf.st_size + 1;
2237 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2239 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2240 ss, strerror(errno));
2243 acl_text[statbuf.st_size] = 0;
2246 acl_name = string_sprintf("ACL \"%s\"", ss);
2247 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2251 /* Parse an ACL that is still in text form. If it came from a file, remember it
2252 in the ACL tree, having read it into the POOL_PERM store pool so that it
2253 persists between multiple messages. */
2257 int old_pool = store_pool;
2258 if (fd >= 0) store_pool = POOL_PERM;
2259 acl = acl_read(acl_getline, log_msgptr);
2260 store_pool = old_pool;
2261 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2264 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2265 Ustrcpy(t->name, ss);
2267 (void)tree_insertnode(&acl_anchor, t);
2271 /* Now we have an ACL to use. It's possible it may be NULL. */
2276 int basic_errno = 0;
2277 BOOL endpass_seen = FALSE;
2279 *log_msgptr = *user_msgptr = NULL;
2280 acl_temp_details = FALSE;
2282 if (where == ACL_WHERE_QUIT &&
2283 acl->verb != ACL_ACCEPT &&
2284 acl->verb != ACL_WARN)
2286 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2291 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2293 /* Clear out any search error message from a previous check before testing
2296 search_error_message = NULL;
2297 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2298 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2300 /* Handle special returns: DEFER causes a return except on a WARN verb;
2301 ERROR always causes a return. */
2306 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2307 if (basic_errno != ERRNO_CALLOUTDEFER)
2309 if (search_error_message != NULL && *search_error_message != 0)
2310 *log_msgptr = search_error_message;
2311 if (smtp_return_error_details) acl_temp_details = TRUE;
2315 acl_temp_details = TRUE;
2317 if (acl->verb != ACL_WARN) return DEFER;
2320 default: /* Paranoia */
2322 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2326 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2331 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2334 /* DISCARD and DROP can happen only from a nested ACL condition, and
2335 DISCARD can happen only for an "accept" or "discard" verb. */
2338 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2343 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2348 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2349 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2350 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2355 if (cond == OK || cond == DISCARD) return cond;
2358 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2366 acl_temp_details = TRUE;
2372 if (cond == OK) return FAIL;
2376 if (cond == OK || cond == DISCARD) return DISCARD;
2379 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2385 if (cond == OK) return FAIL_DROP;
2389 if (cond != OK) return cond;
2394 acl_warn(where, *user_msgptr, *log_msgptr);
2395 else if (cond == DEFER)
2396 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2397 "condition test deferred: %s",
2398 (*log_msgptr == NULL)? US"" : *log_msgptr));
2399 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2403 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2408 /* Pass to the next ACL item */
2413 /* We have reached the end of the ACL. This is an implicit DENY. */
2415 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2420 /*************************************************
2421 * Check access using an ACL *
2422 *************************************************/
2424 /* This is the external interface for ACL checks. It sets up an address and the
2425 expansions for $domain and $local_part when called after RCPT, then calls
2426 acl_check_internal() to do the actual work.
2429 where ACL_WHERE_xxxx indicating where called from
2430 data_string RCPT address, or SMTP command argument, or NULL
2431 s the input string; NULL is the same as an empty ACL => DENY
2432 user_msgptr where to put a user error (for SMTP response)
2433 log_msgptr where to put a logging message (not for SMTP response)
2435 Returns: OK access is granted by an ACCEPT verb
2436 DISCARD access is granted by a DISCARD verb
2437 FAIL access is denied
2438 FAIL_DROP access is denied; drop the connection
2439 DEFER can't tell at the moment
2444 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2445 uschar **log_msgptr)
2451 *user_msgptr = *log_msgptr = NULL;
2452 sender_verified_failed = NULL;
2454 if (where == ACL_WHERE_RCPT)
2456 adb = address_defaults;
2458 addr->address = data_string;
2459 if (deliver_split_address(addr) == DEFER)
2461 *log_msgptr = US"defer in percent_hack_domains check";
2464 deliver_domain = addr->domain;
2465 deliver_localpart = addr->local_part;
2470 smtp_command_argument = data_string;
2473 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2475 smtp_command_argument = deliver_domain =
2476 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2478 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2479 ACL, which is really in the middle of an SMTP command. */
2483 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2485 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2486 "ACL", acl_wherenames[where]);
2492 /* A DROP response is not permitted from MAILAUTH */
2494 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2496 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2497 "ACL", acl_wherenames[where]);
2501 /* Before giving an error response, take a look at the length of any user
2502 message, and split it up into multiple lines if possible. */
2504 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2506 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2512 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2513 if (*ss == 0) break;
2520 while (--t > s + 35)
2524 if (t[-1] == ':') { tt = t; break; }
2525 if (tt == NULL) tt = t;
2529 if (tt == NULL) /* Can't split behind - try ahead */
2534 if (*t == ' ' || *t == '\n')
2540 if (tt == NULL) break; /* Can't find anywhere to split */
git://git.exim.org / exim.git / blob