1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2024 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Code for handling Access Control Lists (ACLs) */
16 /* Default callout timeout */
18 #define CALLOUT_TIMEOUT_DEFAULT 30
20 /* Default quota cache TTLs */
22 #define QUOTA_POS_DEFAULT (5*60)
23 #define QUOTA_NEG_DEFAULT (60*60)
26 /* ACL verb codes - keep in step with the table of verbs that follows */
28 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
33 static uschar *verbs[] = {
34 [ACL_ACCEPT] = US"accept",
35 [ACL_DEFER] = US"defer",
36 [ACL_DENY] = US"deny",
37 [ACL_DISCARD] = US"discard",
38 [ACL_DROP] = US"drop",
39 [ACL_REQUIRE] = US"require",
43 /* For each verb, the conditions for which "message" or "log_message" are used
44 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
45 "accept", the FAIL case is used only after "endpass", but that is selected in
48 static int msgcond[] = {
49 [ACL_ACCEPT] = BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
50 [ACL_DEFER] = BIT(OK),
52 [ACL_DISCARD] = BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
54 [ACL_REQUIRE] = BIT(FAIL) | BIT(FAIL_DROP),
60 /* ACL condition and modifier codes */
65 #ifdef EXPERIMENTAL_BRIGHTMAIL
71 #ifdef EXPERIMENTAL_DCC
74 #ifdef WITH_CONTENT_SCAN
92 ACLC_LOG_REJECT_TARGET,
94 #ifdef WITH_CONTENT_SCAN
98 #ifdef WITH_CONTENT_SCAN
104 #ifdef WITH_CONTENT_SCAN
112 #ifdef WITH_CONTENT_SCAN
123 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
124 "message", "log_message", "log_reject_target", "logwrite", "queue" and "set" are
125 modifiers that look like conditions but always return TRUE. They are used for
126 their side effects. Do not invent new modifier names that result in one name
127 being the prefix of another; the binary-search in the list will go wrong. */
129 typedef struct condition_def {
132 /* Flags for actions or checks to do during readconf for this condition */
134 #define ACD_EXP BIT(0) /* do expansion at outer level*/
135 #define ACD_MOD BIT(1) /* is a modifier */
136 #define ACD_LOAD BIT(2) /* supported by a dynamic-load module */
138 /* Bit map vector of which conditions and modifiers are not allowed at certain
139 times. For each condition and modifier, there's a bitmap of dis-allowed times.
140 For some, it is easier to specify the negation of a small number of allowed
143 #define FORBIDDEN(times) (times)
144 #define PERMITTED(times) ((unsigned) ~(times))
148 static condition_def conditions[] = {
149 [ACLC_ACL] = { US"acl", 0,
152 [ACLC_ADD_HEADER] = { US"add_header", ACD_EXP | ACD_MOD,
153 PERMITTED(ACL_BIT_MAIL | ACL_BIT_RCPT |
154 ACL_BIT_PREDATA | ACL_BIT_DATA |
158 ACL_BIT_MIME | ACL_BIT_NOTSMTP |
160 ACL_BIT_NOTSMTP_START),
163 [ACLC_AUTHENTICATED] = { US"authenticated", 0,
164 FORBIDDEN(ACL_BIT_NOTSMTP |
165 ACL_BIT_NOTSMTP_START |
166 ACL_BIT_CONNECT | ACL_BIT_HELO),
168 #ifdef EXPERIMENTAL_BRIGHTMAIL
169 [ACLC_BMI_OPTIN] = { US"bmi_optin", ACD_EXP | ACD_MOD,
170 FORBIDDEN(ACL_BIT_AUTH |
171 ACL_BIT_CONNECT | ACL_BIT_HELO |
172 ACL_BIT_DATA | ACL_BIT_MIME |
173 # ifndef DISABLE_PRDR
176 ACL_BIT_ETRN | ACL_BIT_EXPN |
178 ACL_BIT_MAIL | ACL_BIT_STARTTLS |
179 ACL_BIT_VRFY | ACL_BIT_PREDATA |
180 ACL_BIT_NOTSMTP_START),
183 [ACLC_CONDITION] = { US"condition", ACD_EXP,
185 [ACLC_CONTINUE] = { US"continue", ACD_EXP | ACD_MOD,
188 /* Certain types of control are always allowed, so we let it through
189 always and check in the control processing itself. */
190 [ACLC_CONTROL] = { US"control", ACD_EXP | ACD_MOD,
193 #ifdef EXPERIMENTAL_DCC
194 [ACLC_DCC] = { US"dcc", ACD_EXP,
195 PERMITTED(ACL_BIT_DATA |
196 # ifndef DISABLE_PRDR
202 #ifdef WITH_CONTENT_SCAN
203 [ACLC_DECODE] = { US"decode", ACD_EXP,
204 PERMITTED(ACL_BIT_MIME) },
207 [ACLC_DELAY] = { US"delay", ACD_EXP | ACD_MOD,
208 FORBIDDEN(ACL_BIT_NOTQUIT) },
210 [ACLC_DKIM_SIGNER] = { US"dkim_signers", ACD_EXP,
211 PERMITTED(ACL_BIT_DKIM) },
212 [ACLC_DKIM_STATUS] = { US"dkim_status", ACD_EXP,
213 PERMITTED(ACL_BIT_DKIM | ACL_BIT_DATA | ACL_BIT_MIME
214 # ifndef DISABLE_PRDR
221 [ACLC_DMARC_STATUS] = { US"dmarc_status",
222 # if SUPPORT_DMARC==2
226 PERMITTED(ACL_BIT_DATA) },
229 /* Explicit key lookups can be made in non-smtp ACLs so pass
230 always and check in the verify processing itself. */
231 [ACLC_DNSLISTS] = { US"dnslists", ACD_EXP,
234 [ACLC_DOMAINS] = { US"domains", 0,
235 PERMITTED(ACL_BIT_RCPT | ACL_BIT_VRFY
241 [ACLC_ENCRYPTED] = { US"encrypted", 0,
242 FORBIDDEN(ACL_BIT_NOTSMTP |
243 ACL_BIT_NOTSMTP_START | ACL_BIT_CONNECT)
246 [ACLC_ENDPASS] = { US"endpass", ACD_EXP | ACD_MOD,
249 [ACLC_HOSTS] = { US"hosts", 0,
250 FORBIDDEN(ACL_BIT_NOTSMTP |
251 ACL_BIT_NOTSMTP_START),
253 [ACLC_LOCAL_PARTS] = { US"local_parts", 0,
254 PERMITTED(ACL_BIT_RCPT | ACL_BIT_VRFY
261 [ACLC_LOG_MESSAGE] = { US"log_message", ACD_EXP | ACD_MOD,
263 [ACLC_LOG_REJECT_TARGET] = { US"log_reject_target", ACD_EXP | ACD_MOD,
265 [ACLC_LOGWRITE] = { US"logwrite", ACD_EXP | ACD_MOD,
268 #ifdef WITH_CONTENT_SCAN
269 [ACLC_MALWARE] = { US"malware", ACD_EXP,
270 PERMITTED(ACL_BIT_DATA |
271 # ifndef DISABLE_PRDR
278 [ACLC_MESSAGE] = { US"message", ACD_EXP | ACD_MOD,
280 #ifdef WITH_CONTENT_SCAN
281 [ACLC_MIME_REGEX] = { US"mime_regex", ACD_EXP,
282 PERMITTED(ACL_BIT_MIME) },
285 [ACLC_QUEUE] = { US"queue", ACD_EXP | ACD_MOD,
286 FORBIDDEN(ACL_BIT_NOTSMTP |
293 [ACLC_RATELIMIT] = { US"ratelimit", ACD_EXP,
295 [ACLC_RECIPIENTS] = { US"recipients", 0,
296 PERMITTED(ACL_BIT_RCPT) },
298 #ifdef WITH_CONTENT_SCAN
299 [ACLC_REGEX] = { US"regex", ACD_EXP,
300 PERMITTED(ACL_BIT_DATA |
301 # ifndef DISABLE_PRDR
309 [ACLC_REMOVE_HEADER] = { US"remove_header", ACD_EXP | ACD_MOD,
310 PERMITTED(ACL_BIT_MAIL|ACL_BIT_RCPT |
311 ACL_BIT_PREDATA | ACL_BIT_DATA |
315 ACL_BIT_MIME | ACL_BIT_NOTSMTP |
316 ACL_BIT_NOTSMTP_START),
318 [ACLC_SEEN] = { US"seen", ACD_EXP,
320 [ACLC_SENDER_DOMAINS] = { US"sender_domains", 0,
321 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
323 ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
324 ACL_BIT_ETRN | ACL_BIT_EXPN |
325 ACL_BIT_STARTTLS | ACL_BIT_VRFY),
327 [ACLC_SENDERS] = { US"senders", 0,
328 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
330 ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
331 ACL_BIT_ETRN | ACL_BIT_EXPN |
332 ACL_BIT_STARTTLS | ACL_BIT_VRFY),
335 [ACLC_SET] = { US"set", ACD_EXP | ACD_MOD,
338 #ifdef WITH_CONTENT_SCAN
339 [ACLC_SPAM] = { US"spam", ACD_EXP,
340 PERMITTED(ACL_BIT_DATA |
341 # ifndef DISABLE_PRDR
348 [ACLC_SPF] = { US"spf",
353 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
354 ACL_BIT_HELO | ACL_BIT_MAILAUTH |
355 ACL_BIT_ETRN | ACL_BIT_EXPN |
356 ACL_BIT_STARTTLS | ACL_BIT_VRFY |
357 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START),
359 [ACLC_SPF_GUESS] = { US"spf_guess",
364 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
365 ACL_BIT_HELO | ACL_BIT_MAILAUTH |
366 ACL_BIT_ETRN | ACL_BIT_EXPN |
367 ACL_BIT_STARTTLS | ACL_BIT_VRFY |
368 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START),
371 [ACLC_UDPSEND] = { US"udpsend", ACD_EXP | ACD_MOD,
374 /* Certain types of verify are always allowed, so we let it through
375 always and check in the verify function itself */
376 [ACLC_VERIFY] = { US"verify", ACD_EXP,
382 # include "macro_predef.h"
386 for (condition_def * c = conditions; c < conditions + nelem(conditions); c++)
388 uschar buf[64], * p, * s;
389 int n = sprintf(CS buf, "_ACL_%s_", c->flags & ACD_MOD ? "MOD" : "COND");
390 for (p = buf + n, s = c->name; *s; s++) *p++ = toupper(*s);
392 builtin_macro_create(buf);
400 /* These tables support loading of dynamic modules triggered by an ACL
401 condition use, spotted during readconf. See acl_read(). */
403 # ifdef LOOKUP_MODULE_DIR
404 typedef struct condition_module {
405 const uschar * mod_name; /* module for the givien conditions */
406 misc_module_info * info; /* NULL when not loaded */
407 const int * conditions; /* array of ACLC_*, -1 terminated */
411 static int spf_condx[] = { ACLC_SPF, ACLC_SPF_GUESS, -1 };
413 # if SUPPORT_DMARC==2
414 static int dmarc_condx[] = { ACLC_DMARC_STATUS, -1 };
417 static condition_module condition_modules[] = {
419 {.mod_name = US"spf", .conditions = spf_condx},
422 {.mod_name = US"dmarc", .conditions = dmarc_condx},
428 /* Return values from decode_control() */
431 CONTROL_AUTH_UNADVERTISED,
432 #ifdef EXPERIMENTAL_BRIGHTMAIL
435 CONTROL_CASEFUL_LOCAL_PART,
436 CONTROL_CASELOWER_LOCAL_PART,
437 CONTROL_CUTTHROUGH_DELIVERY,
443 CONTROL_DMARC_VERIFY,
444 CONTROL_DMARC_FORENSIC,
447 CONTROL_ENFORCE_SYNC,
448 CONTROL_ERROR, /* pseudo-value for decode errors */
453 CONTROL_NO_CALLOUT_FLUSH,
454 CONTROL_NO_DELAY_FLUSH,
455 CONTROL_NO_ENFORCE_SYNC,
456 #ifdef WITH_CONTENT_SCAN
457 CONTROL_NO_MBOX_UNSPOOL,
459 CONTROL_NO_MULTILINE,
460 CONTROL_NO_PIPELINING,
464 CONTROL_SUPPRESS_LOCAL_FIXUPS,
466 CONTROL_UTF8_DOWNCONVERT,
468 #ifndef DISABLE_WELLKNOWN
475 /* Structure listing various control arguments, with their characteristics.
476 For each control, there's a bitmap of dis-allowed times. For some, it is easier
477 to specify the negation of a small number of allowed times. */
479 typedef struct control_def {
481 BOOL has_option; /* Has /option(s) following */
482 unsigned forbids; /* bitmap of dis-allowed times */
485 static control_def controls_list[] = {
486 /* name has_option forbids */
487 [CONTROL_AUTH_UNADVERTISED] =
488 { US"allow_auth_unadvertised", FALSE,
490 ~(ACL_BIT_CONNECT | ACL_BIT_HELO)
492 #ifdef EXPERIMENTAL_BRIGHTMAIL
494 { US"bmi_run", FALSE, 0 },
496 [CONTROL_CASEFUL_LOCAL_PART] =
497 { US"caseful_local_part", FALSE, (unsigned) ~ACL_BIT_RCPT },
498 [CONTROL_CASELOWER_LOCAL_PART] =
499 { US"caselower_local_part", FALSE, (unsigned) ~ACL_BIT_RCPT },
500 [CONTROL_CUTTHROUGH_DELIVERY] =
501 { US"cutthrough_delivery", TRUE, 0 },
503 { US"debug", TRUE, 0 },
506 [CONTROL_DKIM_VERIFY] =
507 { US"dkim_disable_verify", FALSE,
508 ACL_BIT_DATA | ACL_BIT_NOTSMTP |
509 # ifndef DISABLE_PRDR
512 ACL_BIT_NOTSMTP_START
517 [CONTROL_DMARC_VERIFY] =
518 { US"dmarc_disable_verify", FALSE,
519 ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
521 [CONTROL_DMARC_FORENSIC] =
522 { US"dmarc_enable_forensic", FALSE,
523 ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
529 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START | ACL_BIT_NOTQUIT
531 [CONTROL_ENFORCE_SYNC] =
532 { US"enforce_sync", FALSE,
533 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
536 /* Pseudo-value for decode errors */
538 { US"error", FALSE, 0 },
540 [CONTROL_FAKEDEFER] =
541 { US"fakedefer", TRUE,
543 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
544 ACL_BIT_PREDATA | ACL_BIT_DATA |
550 [CONTROL_FAKEREJECT] =
551 { US"fakereject", TRUE,
553 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
554 ACL_BIT_PREDATA | ACL_BIT_DATA |
563 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
564 ACL_BIT_PREDATA | ACL_BIT_DATA |
565 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
566 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
569 [CONTROL_NO_CALLOUT_FLUSH] =
570 { US"no_callout_flush", FALSE,
571 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
573 [CONTROL_NO_DELAY_FLUSH] =
574 { US"no_delay_flush", FALSE,
575 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
578 [CONTROL_NO_ENFORCE_SYNC] =
579 { US"no_enforce_sync", FALSE,
580 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
582 #ifdef WITH_CONTENT_SCAN
583 [CONTROL_NO_MBOX_UNSPOOL] =
584 { US"no_mbox_unspool", FALSE,
586 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
587 ACL_BIT_PREDATA | ACL_BIT_DATA |
588 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
592 [CONTROL_NO_MULTILINE] =
593 { US"no_multiline_responses", FALSE,
594 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
596 [CONTROL_NO_PIPELINING] =
597 { US"no_pipelining", FALSE,
598 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
604 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
605 ACL_BIT_PREDATA | ACL_BIT_DATA |
606 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
607 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
610 [CONTROL_SUBMISSION] =
611 { US"submission", TRUE,
613 ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA)
615 [CONTROL_SUPPRESS_LOCAL_FIXUPS] =
616 { US"suppress_local_fixups", FALSE,
618 ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA |
619 ACL_BIT_NOTSMTP_START)
622 [CONTROL_UTF8_DOWNCONVERT] =
623 { US"utf8_downconvert", TRUE, (unsigned) ~(ACL_BIT_RCPT | ACL_BIT_VRFY)
626 #ifndef DISABLE_WELLKNOWN
627 [CONTROL_WELLKNOWN] =
628 { US"wellknown", TRUE, (unsigned) ~ACL_BIT_WELLKNOWN
633 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
634 caches its result in a tree to avoid repeated DNS queries. The result is an
635 integer code which is used as an index into the following tables of
636 explanatory strings and verification return codes. */
638 static tree_node *csa_cache = NULL;
640 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
641 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
643 /* The acl_verify_csa() return code is translated into an acl_verify() return
644 code using the following table. It is OK unless the client is definitely not
645 authorized. This is because CSA is supposed to be optional for sending sites,
646 so recipients should not be too strict about checking it - especially because
647 DNS problems are quite likely to occur. It's possible to use $csa_status in
648 further ACL conditions to distinguish ok, unknown, and defer if required, but
649 the aim is to make the usual configuration simple. */
651 static int csa_return_code[] = {
654 [CSA_DEFER_SRV] = OK,
655 [CSA_DEFER_ADDR] = OK,
656 [CSA_FAIL_EXPLICIT] = FAIL,
657 [CSA_FAIL_DOMAIN] = FAIL,
658 [CSA_FAIL_NOADDR] = FAIL,
659 [CSA_FAIL_MISMATCH] = FAIL
662 static uschar *csa_status_string[] = {
663 [CSA_UNKNOWN] = US"unknown",
665 [CSA_DEFER_SRV] = US"defer",
666 [CSA_DEFER_ADDR] = US"defer",
667 [CSA_FAIL_EXPLICIT] = US"fail",
668 [CSA_FAIL_DOMAIN] = US"fail",
669 [CSA_FAIL_NOADDR] = US"fail",
670 [CSA_FAIL_MISMATCH] = US"fail"
673 static uschar *csa_reason_string[] = {
674 [CSA_UNKNOWN] = US"unknown",
676 [CSA_DEFER_SRV] = US"deferred (SRV lookup failed)",
677 [CSA_DEFER_ADDR] = US"deferred (target address lookup failed)",
678 [CSA_FAIL_EXPLICIT] = US"failed (explicit authorization required)",
679 [CSA_FAIL_DOMAIN] = US"failed (host name not authorized)",
680 [CSA_FAIL_NOADDR] = US"failed (no authorized addresses)",
681 [CSA_FAIL_MISMATCH] = US"failed (client address mismatch)"
684 /* Options for the ratelimit condition. Note that there are two variants of
685 the per_rcpt option, depending on the ACL that is used to measure the rate.
686 However any ACL must be able to look up per_rcpt rates in /noupdate mode,
687 so the two variants must have the same internal representation as well as
688 the same configuration string. */
691 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
692 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
695 #define RATE_SET(var,new) \
696 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
698 static uschar *ratelimit_option_string[] = {
699 [RATE_PER_WHAT] = US"?",
700 [RATE_PER_CLASH] = US"!",
701 [RATE_PER_ADDR] = US"per_addr",
702 [RATE_PER_BYTE] = US"per_byte",
703 [RATE_PER_CMD] = US"per_cmd",
704 [RATE_PER_CONN] = US"per_conn",
705 [RATE_PER_MAIL] = US"per_mail",
706 [RATE_PER_RCPT] = US"per_rcpt",
707 [RATE_PER_ALLRCPTS] = US"per_rcpt"
710 /* Enable recursion between acl_check_internal() and acl_check_condition() */
712 static int acl_check_wargs(int, address_item *, const uschar *, uschar **,
715 static acl_block * acl_current = NULL;
718 /*************************************************
719 * Find control in list *
720 *************************************************/
722 /* The lists are always in order, so binary chop can be used.
725 name the control name to search for
726 ol the first entry in the control list
727 last one more than the offset of the last entry in the control list
729 Returns: index of a control entry, or -1 if not found
733 find_control(const uschar * name, control_def * ol, int last)
735 for (int first = 0; last > first; )
737 int middle = (first + last)/2;
738 uschar * s = ol[middle].name;
739 int c = Ustrncmp(name, s, Ustrlen(s));
740 if (c == 0) return middle;
741 else if (c > 0) first = middle + 1;
749 /*************************************************
750 * Pick out condition from list *
751 *************************************************/
753 /* Use a binary chop method
757 list list of conditions
760 Returns: offset in list, or -1 if not found
764 acl_checkcondition(uschar * name, condition_def * list, int end)
766 for (int start = 0; start < end; )
768 int mid = (start + end)/2;
769 int c = Ustrcmp(name, list[mid].name);
770 if (c == 0) return mid;
771 if (c < 0) end = mid;
772 else start = mid + 1;
778 /*************************************************
779 * Pick out name from list *
780 *************************************************/
782 /* Use a binary chop method
789 Returns: offset in list, or -1 if not found
793 acl_checkname(uschar *name, uschar **list, int end)
795 for (int start = 0; start < end; )
797 int mid = (start + end)/2;
798 int c = Ustrcmp(name, list[mid]);
799 if (c == 0) return mid;
800 if (c < 0) end = mid; else start = mid + 1;
808 acl_varname_to_cond(const uschar ** sp, acl_condition_block * cond, uschar ** error)
810 const uschar * s = *sp, * endptr;
813 if ( Ustrncmp(s, "dkim_verify_status", 18) == 0
814 || Ustrncmp(s, "dkim_verify_reason", 18) == 0)
817 if (isalnum(*endptr))
819 *error = string_sprintf("invalid variable name after \"set\" in ACL "
820 "modifier \"set %s\" "
821 "(only \"dkim_verify_status\" or \"dkim_verify_reason\" permitted)",
825 cond->u.varname = string_copyn(s, 18);
830 if (Ustrncmp(s, "acl_c", 5) != 0 && Ustrncmp(s, "acl_m", 5) != 0)
832 *error = string_sprintf("invalid variable name after \"set\" in ACL "
833 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
838 if (!isdigit(*endptr) && *endptr != '_')
840 *error = string_sprintf("invalid variable name after \"set\" in ACL "
841 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
846 for ( ; *endptr && *endptr != '=' && !isspace(*endptr); endptr++)
847 if (!isalnum(*endptr) && *endptr != '_')
849 *error = string_sprintf("invalid character \"%c\" in variable name "
850 "in ACL modifier \"set %s\"", *endptr, s);
854 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
857 Uskip_whitespace(&s);
864 acl_data_to_cond(const uschar * s, acl_condition_block * cond,
865 const uschar * name, BOOL taint, uschar ** error)
869 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
870 conditions[cond->type].flags & ACD_MOD ? US"modifier" : US"condition");
873 Uskip_whitespace(&s);
874 cond->arg = taint ? string_copy_taint(s, GET_TAINTED) : string_copy(s);
879 /*************************************************
880 * Read and parse one ACL *
881 *************************************************/
883 /* This function is called both from readconf in order to parse the ACLs in the
884 configuration file, and also when an ACL is encountered dynamically (e.g. as
885 the result of an expansion). It is given a function to call in order to
886 retrieve the lines of the ACL. This function handles skipping comments and
887 blank lines (where relevant).
890 func function to get next line of ACL
891 error where to put an error message
893 Returns: pointer to ACL, or NULL
894 NULL can be legal (empty ACL); in this case error will be NULL
898 acl_read(uschar *(*func)(void), uschar **error)
900 acl_block *yield = NULL;
901 acl_block **lastp = &yield;
902 acl_block *this = NULL;
903 acl_condition_block *cond;
904 acl_condition_block **condp = NULL;
909 while ((s = (*func)()))
912 BOOL negated = FALSE;
913 const uschar * saveline = s;
914 uschar name[EXIM_DRIVERNAME_MAX];
916 /* Conditions (but not verbs) are allowed to be negated by an initial
919 if (Uskip_whitespace(&s) == '!')
925 /* Read the name of a verb or a condition, or the start of a new ACL, which
926 can be started by a name, or by a macro definition. */
928 s = readconf_readname(name, sizeof(name), s);
929 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
931 /* If a verb is unrecognized, it may be another condition or modifier that
932 continues the previous verb. */
934 if ((v = acl_checkname(name, verbs, nelem(verbs))) < 0)
938 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
950 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
953 *lastp = this = store_get(sizeof(acl_block), GET_UNTAINTED);
956 this->condition = NULL;
958 this->srcline = config_lineno; /* for debug output */
959 this->srcfile = config_filename; /**/
960 condp = &this->condition;
961 if (!*s) continue; /* No condition on this line */
967 s = readconf_readname(name, sizeof(name), s); /* Condition name */
970 /* Handle a condition or modifier. */
972 if ((c = acl_checkcondition(name, conditions, nelem(conditions))) < 0)
974 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
979 /* The modifiers may not be negated */
981 if (negated && conditions[c].flags & ACD_MOD)
983 *error = string_sprintf("ACL error: negation is not allowed with "
984 "\"%s\"", conditions[c].name);
988 /* ENDPASS may occur only with ACCEPT or DISCARD. */
990 if (c == ACLC_ENDPASS &&
991 this->verb != ACL_ACCEPT &&
992 this->verb != ACL_DISCARD)
994 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
995 conditions[c].name, verbs[this->verb]);
999 #ifdef LOOKUP_MODULE_DIR
1000 if (conditions[c].flags & ACD_LOAD)
1001 { /* a loadable module supports this condition */
1002 condition_module * cm;
1005 for (cm = condition_modules;
1006 cm < condition_modules + nelem(condition_modules); cm++)
1007 for (const int * cond = cm->conditions; *cond != -1; cond++)
1008 if (*cond == c) goto found;
1011 if (cm >= condition_modules + nelem(condition_modules))
1012 { /* shouldn't happen */
1013 *error = string_sprintf("ACL error: failed to locate support for '%s'",
1014 conditions[c].name);
1017 if ( !cm->info /* module not loaded */
1018 && !(cm->info = misc_mod_find(cm->mod_name, &s)))
1020 *error = string_sprintf("ACL error: failed to find module for '%s': %s",
1021 conditions[c].name, s);
1027 cond = store_get(sizeof(acl_condition_block), GET_UNTAINTED);
1030 cond->u.negated = negated;
1033 condp = &cond->next;
1035 /* The "set" modifier is different in that its argument is "name=value"
1036 rather than just a value, and we can check the validity of the name, which
1037 gives us a variable name to insert into the data block. The original ACL
1038 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
1039 extended to 20 of each type, but after that people successfully argued for
1040 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
1041 After that, we allow alphanumerics and underscores, but the first character
1042 after c or m must be a digit or an underscore. This retains backwards
1046 if (!acl_varname_to_cond(&s, cond, error)) return NULL;
1048 /* For "set", we are now positioned for the data. For the others, only
1049 "endpass" has no data */
1051 if (c != ACLC_ENDPASS)
1052 if (!acl_data_to_cond(s, cond, name, FALSE, error)) return NULL;
1060 /*************************************************
1061 * Set up added header line(s) *
1062 *************************************************/
1064 /* This function is called by the add_header modifier, and also from acl_warn()
1065 to implement the now-deprecated way of adding header lines using "message" on a
1066 "warn" verb. The argument is treated as a sequence of header lines which are
1067 added to a chain, provided there isn't an identical one already there.
1069 Argument: string of header lines
1074 setup_header(const uschar *hstring)
1076 const uschar *p, *q;
1077 int hlen = Ustrlen(hstring);
1079 /* Ignore any leading newlines */
1080 while (*hstring == '\n') hstring++, hlen--;
1082 /* An empty string does nothing; ensure exactly one final newline. */
1083 if (hlen <= 0) return;
1084 if (hstring[--hlen] != '\n') /* no newline */
1085 q = string_sprintf("%s\n", hstring);
1086 else if (hstring[hlen-1] == '\n') /* double newline */
1088 uschar * s = string_copy(hstring);
1089 while(s[--hlen] == '\n')
1096 /* Loop for multiple header lines, taking care about continuations */
1098 for (p = q; *p; p = q)
1102 int newtype = htype_add_bot;
1103 header_line **hptr = &acl_added_headers;
1105 /* Find next header line within the string */
1109 q = Ustrchr(q, '\n'); /* we know there was a newline */
1110 if (*++q != ' ' && *q != '\t') break;
1113 /* If the line starts with a colon, interpret the instruction for where to
1114 add it. This temporarily sets up a new type. */
1118 if (strncmpic(p, US":after_received:", 16) == 0)
1120 newtype = htype_add_rec;
1123 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1125 newtype = htype_add_rfc;
1128 else if (strncmpic(p, US":at_start:", 10) == 0)
1130 newtype = htype_add_top;
1133 else if (strncmpic(p, US":at_end:", 8) == 0)
1135 newtype = htype_add_bot;
1138 while (*p == ' ' || *p == '\t') p++;
1141 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1142 to the front of it. */
1144 for (s = p; s < q - 1; s++)
1145 if (*s == ':' || !isgraph(*s)) break;
1147 hdr = string_sprintf("%s%.*s", *s == ':' ? "" : "X-ACL-Warn: ", (int) (q - p), p);
1148 hlen = Ustrlen(hdr);
1150 /* See if this line has already been added */
1154 if (Ustrncmp((*hptr)->text, hdr, hlen) == 0) break;
1155 hptr = &(*hptr)->next;
1158 /* Add if not previously present */
1162 /* The header_line struct itself is not tainted, though it points to
1163 possibly tainted data. */
1164 header_line * h = store_get(sizeof(header_line), GET_UNTAINTED);
1177 /*************************************************
1178 * List the added header lines *
1179 *************************************************/
1185 for (header_line * h = acl_added_headers; h; h = h->next)
1188 if (h->text[i-1] == '\n') i--;
1189 g = string_append_listele_n(g, '\n', h->text, i);
1192 return string_from_gstring(g);
1196 /*************************************************
1197 * Set up removed header line(s) *
1198 *************************************************/
1200 /* This function is called by the remove_header modifier. The argument is
1201 treated as a sequence of header names which are added to a colon separated
1202 list, provided there isn't an identical one already there.
1204 Argument: string of header names
1209 setup_remove_header(const uschar *hnames)
1212 acl_removed_headers = acl_removed_headers
1213 ? string_sprintf("%s : %s", acl_removed_headers, hnames)
1214 : string_copy(hnames);
1219 /*************************************************
1221 *************************************************/
1223 /* This function is called when a WARN verb's conditions are true. It adds to
1224 the message's headers, and/or writes information to the log. In each case, this
1225 only happens once (per message for headers, per connection for log).
1227 ** NOTE: The header adding action using the "message" setting is historic, and
1228 its use is now deprecated. The new add_header modifier should be used instead.
1231 where ACL_WHERE_xxxx indicating which ACL this is
1232 user_message message for adding to headers
1233 log_message message for logging, if different
1239 acl_warn(int where, uschar * user_message, uschar * log_message)
1241 if (log_message && log_message != user_message)
1244 string_item *logged;
1246 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1247 string_printing(log_message));
1249 /* If a sender verification has failed, and the log message is "sender verify
1250 failed", add the failure message. */
1252 if ( sender_verified_failed
1253 && sender_verified_failed->message
1254 && strcmpic(log_message, US"sender verify failed") == 0)
1255 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1257 /* Search previously logged warnings. They are kept in malloc
1258 store so they can be freed at the start of a new message. */
1260 for (logged = acl_warn_logged; logged; logged = logged->next)
1261 if (Ustrcmp(logged->text, text) == 0) break;
1265 int length = Ustrlen(text) + 1;
1266 log_write(0, LOG_MAIN, "%s", text);
1267 logged = store_malloc(sizeof(string_item) + length);
1268 logged->text = US logged + sizeof(string_item);
1269 memcpy(logged->text, text, length);
1270 logged->next = acl_warn_logged;
1271 acl_warn_logged = logged;
1275 /* If there's no user message, we are done. */
1277 if (!user_message) return;
1279 /* If this isn't a message ACL, we can't do anything with a user message.
1282 if (where > ACL_WHERE_NOTSMTP)
1284 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1285 "found in a non-message (%s) ACL: cannot specify header lines here: "
1286 "message ignored", acl_wherenames[where]);
1290 /* The code for setting up header lines is now abstracted into a separate
1291 function so that it can be used for the add_header modifier as well. */
1293 setup_header(user_message);
1298 /*************************************************
1299 * Verify and check reverse DNS *
1300 *************************************************/
1302 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1303 address if this has not yet been done. The host_name_lookup() function checks
1304 that one of these names resolves to an address list that contains the client IP
1305 address, so we don't actually have to do the check here.
1308 user_msgptr pointer for user message
1309 log_msgptr pointer for log message
1311 Returns: OK verification condition succeeded
1312 FAIL verification failed
1313 DEFER there was a problem verifying
1317 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1321 /* Previous success */
1323 if (sender_host_name) return OK;
1325 /* Previous failure */
1327 if (host_lookup_failed)
1329 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1333 /* Need to do a lookup */
1336 debug_printf_indent("looking up host name to force name/address consistency check\n");
1338 if ((rc = host_name_lookup()) != OK)
1340 *log_msgptr = rc == DEFER
1341 ? US"host lookup deferred for reverse lookup check"
1342 : string_sprintf("host lookup failed for reverse lookup check%s",
1344 return rc; /* DEFER or FAIL */
1347 host_build_sender_fullhost();
1353 /*************************************************
1354 * Check client IP address matches CSA target *
1355 *************************************************/
1357 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1358 response for address records belonging to the CSA target hostname. The section
1359 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1360 If one of the addresses matches the client's IP address, then the client is
1361 authorized by CSA. If there are target IP addresses but none of them match
1362 then the client is using an unauthorized IP address. If there are no target IP
1363 addresses then the client cannot be using an authorized IP address. (This is
1364 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1367 dnsa the DNS answer block
1368 dnss a DNS scan block for us to use
1369 reset option specifying what portion to scan, as described above
1370 target the target hostname to use for matching RR names
1372 Returns: CSA_OK successfully authorized
1373 CSA_FAIL_MISMATCH addresses found but none matched
1374 CSA_FAIL_NOADDR no target addresses found
1378 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1381 int rc = CSA_FAIL_NOADDR;
1383 for (dns_record * rr = dns_next_rr(dnsa, dnss, reset);
1385 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1387 /* Check this is an address RR for the target hostname. */
1391 && rr->type != T_AAAA
1395 if (strcmpic(target, rr->name) != 0) continue;
1397 rc = CSA_FAIL_MISMATCH;
1399 /* Turn the target address RR into a list of textual IP addresses and scan
1400 the list. There may be more than one if it is an A6 RR. */
1402 for (dns_address * da = dns_address_from_rr(dnsa, rr); da; da = da->next)
1404 /* If the client IP address matches the target IP address, it's good! */
1406 DEBUG(D_acl) debug_printf_indent("CSA target address is %s\n", da->address);
1408 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1412 /* If we found some target addresses but none of them matched, the client is
1413 using an unauthorized IP address, otherwise the target has no authorized IP
1421 /*************************************************
1422 * Verify Client SMTP Authorization *
1423 *************************************************/
1425 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1426 to find the CSA SRV record corresponding to the domain argument, or
1427 $sender_helo_name if no argument is provided. It then checks that the
1428 client is authorized, and that its IP address corresponds to the SRV
1429 target's address by calling acl_verify_csa_address() above. The address
1430 should have been returned in the DNS response's ADDITIONAL section, but if
1431 not we perform another DNS lookup to get it.
1434 domain pointer to optional parameter following verify = csa
1436 Returns: CSA_UNKNOWN no valid CSA record found
1437 CSA_OK successfully authorized
1438 CSA_FAIL_* client is definitely not authorized
1439 CSA_DEFER_* there was a DNS problem
1443 acl_verify_csa(const uschar *domain)
1446 const uschar *found;
1447 int priority, weight, port;
1451 int rc, type, yield;
1452 #define TARGET_SIZE 256
1453 uschar * target = store_get(TARGET_SIZE, GET_TAINTED);
1455 /* Work out the domain we are using for the CSA lookup. The default is the
1456 client's HELO domain. If the client has not said HELO, use its IP address
1457 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1459 while (isspace(*domain) && *domain) ++domain;
1460 if (*domain == '\0') domain = sender_helo_name;
1461 if (!domain) domain = sender_host_address;
1462 if (!sender_host_address) return CSA_UNKNOWN;
1464 /* If we have an address literal, strip off the framing ready for turning it
1465 into a domain. The framing consists of matched square brackets possibly
1466 containing a keyword and a colon before the actual IP address. */
1468 if (domain[0] == '[')
1470 const uschar *start = Ustrchr(domain, ':');
1471 if (start == NULL) start = domain;
1472 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1475 /* Turn domains that look like bare IP addresses into domains in the reverse
1476 DNS. This code also deals with address literals and $sender_host_address. It's
1477 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1478 address literals, but it's probably the most friendly thing to do. This is an
1479 extension to CSA, so we allow it to be turned off for proper conformance. */
1481 if (string_is_ip_address(domain, NULL) != 0)
1483 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1484 domain = dns_build_reverse(domain);
1487 /* Find out if we've already done the CSA check for this domain. If we have,
1488 return the same result again. Otherwise build a new cached result structure
1489 for this domain. The name is filled in now, and the value is filled in when
1490 we return from this function. */
1492 if ((t = tree_search(csa_cache, domain)))
1495 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain), domain);
1496 Ustrcpy(t->name, domain);
1497 (void)tree_insertnode(&csa_cache, t);
1499 /* Now we are ready to do the actual DNS lookup(s). */
1502 dnsa = store_get_dns_answer();
1503 switch (dns_special_lookup(dnsa, domain, T_CSA, &found))
1505 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1508 yield = CSA_DEFER_SRV;
1511 /* If we found nothing, the client's authorization is unknown. */
1515 yield = CSA_UNKNOWN;
1518 /* We got something! Go on to look at the reply in more detail. */
1524 /* Scan the reply for well-formed CSA SRV records. */
1526 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1528 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_SRV)
1530 const uschar * p = rr->data;
1532 /* Extract the numerical SRV fields (p is incremented) */
1534 if (rr_bad_size(rr, 3 * sizeof(uint16_t))) continue;
1535 GETSHORT(priority, p);
1536 GETSHORT(weight, p);
1540 debug_printf_indent("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1542 /* Check the CSA version number */
1544 if (priority != 1) continue;
1546 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1547 found by dns_special_lookup() is a parent of the one we asked for), we check
1548 the subdomain assertions in the port field. At the moment there's only one
1549 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1550 SRV records of their own. */
1552 if (Ustrcmp(found, domain) != 0)
1554 yield = port & 1 ? CSA_FAIL_EXPLICIT : CSA_UNKNOWN;
1558 /* This CSA SRV record refers directly to our domain, so we check the value
1559 in the weight field to work out the domain's authorization. 0 and 1 are
1560 unauthorized; 3 means the client is authorized but we can't check the IP
1561 address in order to authenticate it, so we treat it as unknown; values
1562 greater than 3 are undefined. */
1566 yield = CSA_FAIL_DOMAIN;
1570 if (weight > 2) continue;
1572 /* Weight == 2, which means the domain is authorized. We must check that the
1573 client's IP address is listed as one of the SRV target addresses. Save the
1574 target hostname then break to scan the additional data for its addresses. */
1576 (void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
1577 (DN_EXPAND_ARG4_TYPE)target, TARGET_SIZE);
1579 DEBUG(D_acl) debug_printf_indent("CSA target is %s\n", target);
1584 /* If we didn't break the loop then no appropriate records were found. */
1588 yield = CSA_UNKNOWN;
1592 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1593 A target of "." indicates there are no valid addresses, so the client cannot
1594 be authorized. (This is an odd configuration because weight=2 target=. is
1595 equivalent to weight=1, but we check for it in order to keep load off the
1596 root name servers.) Note that dn_expand() turns "." into "". */
1598 if (Ustrcmp(target, "") == 0)
1600 yield = CSA_FAIL_NOADDR;
1604 /* Scan the additional section of the CSA SRV reply for addresses belonging
1605 to the target. If the name server didn't return any additional data (e.g.
1606 because it does not fully support SRV records), we need to do another lookup
1607 to obtain the target addresses; otherwise we have a definitive result. */
1609 rc = acl_verify_csa_address(dnsa, &dnss, RESET_ADDITIONAL, target);
1610 if (rc != CSA_FAIL_NOADDR)
1616 /* The DNS lookup type corresponds to the IP version used by the client. */
1619 if (Ustrchr(sender_host_address, ':') != NULL)
1622 #endif /* HAVE_IPV6 */
1626 lookup_dnssec_authenticated = NULL;
1627 switch (dns_lookup(dnsa, target, type, NULL))
1629 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1632 yield = CSA_DEFER_ADDR;
1635 /* If the query succeeded, scan the addresses and return the result. */
1638 rc = acl_verify_csa_address(dnsa, &dnss, RESET_ANSWERS, target);
1639 if (rc != CSA_FAIL_NOADDR)
1644 /* else fall through */
1646 /* If the target has no IP addresses, the client cannot have an authorized
1647 IP address. However, if the target site uses A6 records (not AAAA records)
1648 we have to do yet another lookup in order to check them. */
1652 yield = CSA_FAIL_NOADDR;
1658 store_free_dns_answer(dnsa);
1659 return t->data.val = yield;
1664 /*************************************************
1665 * Handle verification (address & other) *
1666 *************************************************/
1668 enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1669 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT,
1670 VERIFY_HDR_NAMES_ASCII, VERIFY_ARC
1675 unsigned where_allowed; /* bitmap */
1676 BOOL no_options; /* Never has /option(s) following */
1677 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1679 static verify_type_t verify_type_list[] = {
1680 /* name value where no-opt opt-sep */
1681 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, (unsigned)~0, FALSE, 0 },
1682 { US"certificate", VERIFY_CERT, (unsigned)~0, TRUE, 0 },
1683 { US"helo", VERIFY_HELO, (unsigned)~0, TRUE, 0 },
1684 { US"csa", VERIFY_CSA, (unsigned)~0, FALSE, 0 },
1685 { US"header_syntax", VERIFY_HDR_SYNTAX, ACL_BITS_HAVEDATA, TRUE, 0 },
1686 { US"not_blind", VERIFY_NOT_BLIND, ACL_BITS_HAVEDATA, FALSE, 0 },
1687 { US"header_sender", VERIFY_HDR_SNDR, ACL_BITS_HAVEDATA, FALSE, 0 },
1688 { US"sender", VERIFY_SNDR, ACL_BIT_MAIL | ACL_BIT_RCPT
1689 | ACL_BIT_PREDATA | ACL_BIT_DATA | ACL_BIT_NOTSMTP,
1691 { US"recipient", VERIFY_RCPT, ACL_BIT_RCPT, FALSE, 0 },
1692 { US"header_names_ascii", VERIFY_HDR_NAMES_ASCII, ACL_BITS_HAVEDATA, TRUE, 0 },
1693 #ifdef EXPERIMENTAL_ARC
1694 { US"arc", VERIFY_ARC, ACL_BIT_DATA, FALSE , 0 },
1699 enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1700 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1701 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1702 CALLOUT_HOLD, CALLOUT_TIME /* TIME must be last */
1708 BOOL has_option; /* Has =option(s) following */
1709 BOOL timeval; /* Has a time value */
1711 static callout_opt_t callout_opt_list[] = {
1712 /* name value flag has-opt has-time */
1713 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1714 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1715 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1716 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1717 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1718 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1719 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1720 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1721 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1722 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1723 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1724 { US"hold", CALLOUT_HOLD, vopt_callout_hold, FALSE, FALSE },
1725 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1731 v_period(const uschar * s, const uschar * arg, uschar ** log_msgptr)
1734 if ((period = readconf_readtime(s, 0, FALSE)) < 0)
1736 *log_msgptr = string_sprintf("bad time value in ACL condition "
1737 "\"verify %s\"", arg);
1745 sender_helo_verified_internal(void)
1747 /* We can test the result of optional HELO verification that might have
1748 occurred earlier. If not, we can attempt the verification now. */
1750 if (!f.helo_verified && !f.helo_verify_failed) smtp_verify_helo();
1751 return f.helo_verified;
1755 sender_helo_verified_cond(void)
1757 return sender_helo_verified_internal() ? OK : FAIL;
1761 sender_helo_verified_boolstr(void)
1763 return sender_helo_verified_internal() ? US"yes" : US"no";
1768 /* This function implements the "verify" condition. It is called when
1769 encountered in any ACL, because some tests are almost always permitted. Some
1770 just don't make sense, and always fail (for example, an attempt to test a host
1771 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1774 where where called from
1775 addr the recipient address that the ACL is handling, or NULL
1776 arg the argument of "verify"
1777 user_msgptr pointer for user message
1778 log_msgptr pointer for log message
1779 basic_errno where to put verify errno
1781 Returns: OK verification condition succeeded
1782 FAIL verification failed
1783 DEFER there was a problem verifying
1788 acl_verify(int where, address_item *addr, const uschar *arg,
1789 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1793 int callout_overall = -1;
1794 int callout_connect = -1;
1795 int verify_options = 0;
1797 BOOL verify_header_sender = FALSE;
1798 BOOL defer_ok = FALSE;
1799 BOOL callout_defer_ok = FALSE;
1800 BOOL no_details = FALSE;
1801 BOOL success_on_redirect = FALSE;
1803 int quota_pos_cache = QUOTA_POS_DEFAULT, quota_neg_cache = QUOTA_NEG_DEFAULT;
1804 address_item * sender_vaddr = NULL;
1805 const uschar * verify_sender_address = NULL;
1806 uschar * pm_mailfrom = NULL;
1807 uschar * se_mailfrom = NULL;
1809 /* Some of the verify items have slash-separated options; some do not. Diagnose
1810 an error if options are given for items that don't expect them.
1813 uschar *slash = Ustrchr(arg, '/');
1814 const uschar *list = arg;
1815 uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
1818 if (!ss) goto BAD_VERIFY;
1820 /* Handle name/address consistency verification in a separate function. */
1822 for (vp = verify_type_list;
1823 CS vp < CS verify_type_list + sizeof(verify_type_list);
1826 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1827 : strcmpic (ss, vp->name) == 0)
1829 if (CS vp >= CS verify_type_list + sizeof(verify_type_list))
1832 if (vp->no_options && slash)
1834 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1835 "(this verify item has no options)", arg);
1838 if (!(vp->where_allowed & BIT(where)))
1840 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s",
1841 vp->name, acl_wherenames[where]);
1846 case VERIFY_REV_HOST_LKUP:
1847 if (!sender_host_address) return OK;
1848 if ((rc = acl_verify_reverse(user_msgptr, log_msgptr)) == DEFER)
1849 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1850 if (strcmpic(ss, US"defer_ok") == 0)
1855 /* TLS certificate verification is done at STARTTLS time; here we just
1856 test whether it was successful or not. (This is for optional verification; for
1857 mandatory verification, the connection doesn't last this long.) */
1859 if (tls_in.certificate_verified) return OK;
1860 *user_msgptr = US"no verified certificate";
1864 return sender_helo_verified_cond();
1867 /* Do Client SMTP Authorization checks in a separate function, and turn the
1868 result code into user-friendly strings. */
1870 rc = acl_verify_csa(list);
1871 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1872 csa_reason_string[rc]);
1873 csa_status = csa_status_string[rc];
1874 DEBUG(D_acl) debug_printf_indent("CSA result %s\n", csa_status);
1875 return csa_return_code[rc];
1877 #ifdef EXPERIMENTAL_ARC
1879 { /* Do Authenticated Received Chain checks in a separate function. */
1880 const uschar * condlist = CUS string_nextinlist(&list, &sep, NULL, 0);
1884 if (!(arc_state = acl_verify_arc())) return DEFER;
1885 DEBUG(D_acl) debug_printf_indent("ARC verify result %s %s%s%s\n", arc_state,
1886 arc_state_reason ? "(":"", arc_state_reason, arc_state_reason ? ")":"");
1888 if (!condlist) condlist = US"none:pass";
1889 while ((cond = string_nextinlist(&condlist, &csep, NULL, 0)))
1890 if (Ustrcmp(arc_state, cond) == 0) return OK;
1895 case VERIFY_HDR_SYNTAX:
1896 /* Check that all relevant header lines have the correct 5322-syntax. If there is
1897 a syntax error, we return details of the error to the sender if configured to
1898 send out full details. (But a "message" setting on the ACL can override, as
1901 rc = verify_check_headers(log_msgptr);
1902 if (rc != OK && *log_msgptr)
1903 if (smtp_return_error_details)
1904 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1906 acl_verify_message = *log_msgptr;
1909 case VERIFY_HDR_NAMES_ASCII:
1910 /* Check that all header names are true 7 bit strings
1911 See RFC 5322, 2.2. and RFC 6532, 3. */
1913 rc = verify_check_header_names_ascii(log_msgptr);
1914 if (rc != OK && smtp_return_error_details && *log_msgptr)
1915 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1918 case VERIFY_NOT_BLIND:
1919 /* Check that no recipient of this message is "blind", that is, every envelope
1920 recipient must be mentioned in either To: or Cc:. */
1922 BOOL case_sensitive = TRUE;
1924 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1925 if (strcmpic(ss, US"case_insensitive") == 0)
1926 case_sensitive = FALSE;
1929 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1930 "condition \"verify %s\"", ss, arg);
1934 if ((rc = verify_check_notblind(case_sensitive)) != OK)
1936 *log_msgptr = US"bcc recipient detected";
1937 if (smtp_return_error_details)
1938 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1943 /* The remaining verification tests check recipient and sender addresses,
1944 either from the envelope or from the header. There are a number of
1945 slash-separated options that are common to all of them. */
1947 case VERIFY_HDR_SNDR:
1948 verify_header_sender = TRUE;
1952 /* In the case of a sender, this can optionally be followed by an address to use
1953 in place of the actual sender (rare special-case requirement). */
1957 verify_sender_address = sender_address;
1960 if (Uskip_whitespace(&s) != '=')
1963 Uskip_whitespace(&s);
1964 verify_sender_address = string_copy(s);
1975 /* Remaining items are optional; they apply to sender and recipient
1976 verification, including "header sender" verification. */
1978 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1980 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1981 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1982 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1984 /* These two old options are left for backwards compatibility */
1986 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1988 callout_defer_ok = TRUE;
1989 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1992 else if (strcmpic(ss, US"check_postmaster") == 0)
1995 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1998 /* The callout option has a number of sub-options, comma separated */
2000 else if (strncmpic(ss, US"callout", 7) == 0)
2002 callout = CALLOUT_TIMEOUT_DEFAULT;
2005 Uskip_whitespace(&ss);
2008 const uschar * sublist = ss;
2011 Uskip_whitespace(&sublist);
2012 for (uschar * opt; opt = string_nextinlist(&sublist, &optsep, NULL, 0); )
2015 double period = 1.0F;
2017 for (op= callout_opt_list; op->name; op++)
2018 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
2021 verify_options |= op->flag;
2024 opt += Ustrlen(op->name);
2025 Uskip_whitespace(&opt);
2028 *log_msgptr = string_sprintf("'=' expected after "
2029 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
2032 Uskip_whitespace(&opt);
2034 if (op->timeval && (period = v_period(opt, arg, log_msgptr)) < 0)
2039 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
2040 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
2041 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
2042 case CALLOUT_MAILFROM:
2043 if (!verify_header_sender)
2045 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
2046 "callout option only for verify=header_sender (detected in ACL "
2047 "condition \"%s\")", arg);
2050 se_mailfrom = string_copy(opt);
2052 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
2053 case CALLOUT_MAXWAIT: callout_overall = period; break;
2054 case CALLOUT_CONNECT: callout_connect = period; break;
2055 case CALLOUT_TIME: callout = period; break;
2061 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
2062 "ACL condition \"%s\"", arg);
2068 /* The quota option has sub-options, comma-separated */
2070 else if (strncmpic(ss, US"quota", 5) == 0)
2075 Uskip_whitespace(&ss);
2078 const uschar * sublist = ss;
2082 Uskip_whitespace(&sublist);
2083 for (uschar * opt; opt = string_nextinlist(&sublist, &optsep, NULL, 0); )
2084 if (Ustrncmp(opt, "cachepos=", 9) == 0)
2085 if ((period = v_period(opt += 9, arg, log_msgptr)) < 0)
2088 quota_pos_cache = period;
2089 else if (Ustrncmp(opt, "cacheneg=", 9) == 0)
2090 if ((period = v_period(opt += 9, arg, log_msgptr)) < 0)
2093 quota_neg_cache = period;
2094 else if (Ustrcmp(opt, "no_cache") == 0)
2095 quota_pos_cache = quota_neg_cache = 0;
2100 /* Option not recognized */
2104 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
2105 "condition \"verify %s\"", ss, arg);
2110 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
2111 (vopt_callout_recipsender|vopt_callout_recippmaster))
2113 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
2114 "for a recipient callout";
2118 /* Handle quota verification */
2121 if (vp->value != VERIFY_RCPT)
2123 *log_msgptr = US"can only verify quota of recipient";
2127 if ((rc = verify_quota_call(addr->address,
2128 quota_pos_cache, quota_neg_cache, log_msgptr)) != OK)
2130 *basic_errno = errno;
2131 if (smtp_return_error_details)
2133 if (!*user_msgptr && *log_msgptr)
2134 *user_msgptr = string_sprintf("Rejected after %s: %s",
2135 smtp_names[smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)]],
2137 if (rc == DEFER) f.acl_temp_details = TRUE;
2144 /* Handle sender-in-header verification. Default the user message to the log
2145 message if giving out verification details. */
2147 if (verify_header_sender)
2151 if ((rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
2152 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
2155 *basic_errno = verrno;
2156 if (smtp_return_error_details)
2158 if (!*user_msgptr && *log_msgptr)
2159 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
2160 if (rc == DEFER) f.acl_temp_details = TRUE;
2165 /* Handle a sender address. The default is to verify *the* sender address, but
2166 optionally a different address can be given, for special requirements. If the
2167 address is empty, we are dealing with a bounce message that has no sender, so
2168 we cannot do any checking. If the real sender address gets rewritten during
2169 verification (e.g. DNS widening), set the flag to stop it being rewritten again
2170 during message reception.
2172 A list of verified "sender" addresses is kept to try to avoid doing to much
2173 work repetitively when there are multiple recipients in a message and they all
2174 require sender verification. However, when callouts are involved, it gets too
2175 complicated because different recipients may require different callout options.
2176 Therefore, we always do a full sender verify when any kind of callout is
2177 specified. Caching elsewhere, for instance in the DNS resolver and in the
2178 callout handling, should ensure that this is not terribly inefficient. */
2180 else if (verify_sender_address)
2182 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)))
2184 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
2185 "sender verify callout";
2189 sender_vaddr = verify_checked_sender(verify_sender_address);
2190 if ( sender_vaddr /* Previously checked */
2191 && callout <= 0) /* No callout needed this time */
2193 /* If the "routed" flag is set, it means that routing worked before, so
2194 this check can give OK (the saved return code value, if set, belongs to a
2195 callout that was done previously). If the "routed" flag is not set, routing
2196 must have failed, so we use the saved return code. */
2198 if (testflag(sender_vaddr, af_verify_routed))
2202 rc = sender_vaddr->special_action;
2203 *basic_errno = sender_vaddr->basic_errno;
2205 HDEBUG(D_acl) debug_printf_indent("using cached sender verify result\n");
2208 /* Do a new verification, and cache the result. The cache is used to avoid
2209 verifying the sender multiple times for multiple RCPTs when callouts are not
2210 specified (see comments above).
2212 The cache is also used on failure to give details in response to the first
2213 RCPT that gets bounced for this reason. However, this can be suppressed by
2214 the no_details option, which sets the flag that says "this detail has already
2215 been sent". The cache normally contains just one address, but there may be
2216 more in esoteric circumstances. */
2221 uschar *save_address_data = deliver_address_data;
2223 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
2225 if ((sender_vaddr->prop.utf8_msg = message_smtputf8))
2227 sender_vaddr->prop.utf8_downcvt = message_utf8_downconvert == 1;
2228 sender_vaddr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
2231 if (no_details) setflag(sender_vaddr, af_sverify_told);
2232 if (verify_sender_address[0] != 0)
2234 /* If this is the real sender address, save the unrewritten version
2235 for use later in receive. Otherwise, set a flag so that rewriting the
2236 sender in verify_address() does not update sender_address. */
2238 if (verify_sender_address == sender_address)
2239 sender_address_unrewritten = sender_address;
2241 verify_options |= vopt_fake_sender;
2243 if (success_on_redirect)
2244 verify_options |= vopt_success_on_redirect;
2246 /* The recipient, qualify, and expn options are never set in
2249 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
2250 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
2252 HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
2255 *basic_errno = sender_vaddr->basic_errno;
2258 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2259 debug_printf_indent("sender %s verified ok as %s\n",
2260 verify_sender_address, sender_vaddr->address);
2262 debug_printf_indent("sender %s verified ok\n",
2263 verify_sender_address);
2266 rc = OK; /* Null sender */
2268 /* Cache the result code */
2270 if (routed) setflag(sender_vaddr, af_verify_routed);
2271 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2272 sender_vaddr->special_action = rc;
2273 sender_vaddr->next = sender_verified_list;
2274 sender_verified_list = sender_vaddr;
2276 /* Restore the recipient address data, which might have been clobbered by
2277 the sender verification. */
2279 deliver_address_data = save_address_data;
2282 /* Put the sender address_data value into $sender_address_data */
2284 sender_address_data = sender_vaddr->prop.address_data;
2287 /* A recipient address just gets a straightforward verify; again we must handle
2288 the DEFER overrides. */
2294 if (success_on_redirect)
2295 verify_options |= vopt_success_on_redirect;
2297 /* We must use a copy of the address for verification, because it might
2301 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
2302 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
2303 HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
2305 *basic_errno = addr2.basic_errno;
2306 *log_msgptr = addr2.message;
2307 *user_msgptr = addr2.user_message ? addr2.user_message : addr2.message;
2309 /* Allow details for temporary error if the address is so flagged. */
2310 if (testflag((&addr2), af_pass_message)) f.acl_temp_details = TRUE;
2312 /* Make $address_data visible */
2313 deliver_address_data = addr2.prop.address_data;
2316 /* We have a result from the relevant test. Handle defer overrides first. */
2320 || callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER
2323 HDEBUG(D_acl) debug_printf_indent("verify defer overridden by %s\n",
2324 defer_ok? "defer_ok" : "callout_defer_ok");
2328 /* If we've failed a sender, set up a recipient message, and point
2329 sender_verified_failed to the address item that actually failed. */
2331 if (rc != OK && verify_sender_address)
2334 *log_msgptr = *user_msgptr = US"Sender verify failed";
2335 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2336 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2339 *log_msgptr = US"Could not complete sender verify callout";
2340 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2344 sender_verified_failed = sender_vaddr;
2347 /* Verifying an address messes up the values of $domain and $local_part,
2348 so reset them before returning if this is a RCPT ACL. */
2352 deliver_domain = addr->domain;
2353 deliver_localpart = addr->local_part;
2357 /* Syntax errors in the verify argument come here. */
2360 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2361 "\"helo\", \"header_syntax\", \"header_sender\", \"header_names_ascii\" "
2362 "or \"reverse_host_lookup\" at start of ACL condition "
2363 "\"verify %s\"", arg);
2370 /*************************************************
2371 * Check argument for control= modifier *
2372 *************************************************/
2374 /* Called from acl_check_condition() below.
2375 To handle the case "queue_only" we accept an _ in the
2376 initial / option-switch position.
2379 arg the argument string for control=
2380 pptr set to point to the terminating character
2381 where which ACL we are in
2382 log_msgptr for error messages
2384 Returns: CONTROL_xxx value
2388 decode_control(const uschar *arg, const uschar **pptr, int where, uschar **log_msgptr)
2394 if ( (idx = find_control(arg, controls_list, nelem(controls_list))) < 0
2395 || ( (c = arg[len = Ustrlen((d = controls_list+idx)->name)]) != 0
2396 && (!d->has_option || c != '/' && c != '_')
2399 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2400 return CONTROL_ERROR;
2410 /*************************************************
2411 * Return a ratelimit error *
2412 *************************************************/
2414 /* Called from acl_ratelimit() below
2417 log_msgptr for error messages
2418 format format string
2419 ... supplementary arguments
2425 ratelimit_error(uschar **log_msgptr, const char *format, ...)
2429 string_cat(NULL, US"error in arguments to \"ratelimit\" condition: ");
2431 va_start(ap, format);
2432 g = string_vformat(g, SVFMT_EXTEND|SVFMT_REBUFFER, format, ap);
2435 gstring_release_unused(g);
2436 *log_msgptr = string_from_gstring(g);
2443 /*************************************************
2444 * Handle rate limiting *
2445 *************************************************/
2447 /* Called by acl_check_condition() below to calculate the result
2448 of the ACL ratelimit condition.
2450 Note that the return value might be slightly unexpected: if the
2451 sender's rate is above the limit then the result is OK. This is
2452 similar to the dnslists condition, and is so that you can write
2453 ACL clauses like: defer ratelimit = 15 / 1h
2456 arg the option string for ratelimit=
2457 where ACL_WHERE_xxxx indicating which ACL this is
2458 log_msgptr for error messages
2460 Returns: OK - Sender's rate is above limit
2461 FAIL - Sender's rate is below limit
2462 DEFER - Problem opening ratelimit database
2463 ERROR - Syntax error in options.
2467 acl_ratelimit(const uschar *arg, int where, uschar **log_msgptr)
2469 double limit, period, count;
2472 uschar *unique = NULL;
2474 BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2475 BOOL noupdate = FALSE, badacl = FALSE;
2476 int mode = RATE_PER_WHAT;
2478 tree_node **anchor, *t;
2479 open_db dbblock, *dbm;
2481 dbdata_ratelimit *dbd;
2482 dbdata_ratelimit_unique *dbdb;
2485 /* Parse the first two options and record their values in expansion
2486 variables. These variables allow the configuration to have informative
2487 error messages based on rate limits obtained from a table lookup. */
2489 /* First is the maximum number of messages per period / maximum burst
2490 size, which must be greater than or equal to zero. Zero is useful for
2491 rate measurement as opposed to rate limiting. */
2493 if (!(sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0)))
2494 return ratelimit_error(log_msgptr, "sender rate limit not set");
2496 limit = Ustrtod(sender_rate_limit, &ss);
2497 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2498 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2499 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2501 if (limit < 0.0 || *ss != '\0')
2502 return ratelimit_error(log_msgptr,
2503 "\"%s\" is not a positive number", sender_rate_limit);
2505 /* Second is the rate measurement period / exponential smoothing time
2506 constant. This must be strictly greater than zero, because zero leads to
2507 run-time division errors. */
2509 period = !(sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0))
2510 ? -1.0 : readconf_readtime(sender_rate_period, 0, FALSE);
2512 return ratelimit_error(log_msgptr,
2513 "\"%s\" is not a time value", sender_rate_period);
2515 /* By default we are counting one of something, but the per_rcpt,
2516 per_byte, and count options can change this. */
2520 /* Parse the other options. */
2522 while ((ss = string_nextinlist(&arg, &sep, NULL, 0)))
2524 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2525 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2526 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2527 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2528 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2529 else if (strcmpic(ss, US"per_conn") == 0)
2531 RATE_SET(mode, PER_CONN);
2532 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2535 else if (strcmpic(ss, US"per_mail") == 0)
2537 RATE_SET(mode, PER_MAIL);
2538 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2540 else if (strcmpic(ss, US"per_rcpt") == 0)
2542 /* If we are running in the RCPT ACL, then we'll count the recipients
2543 one by one, but if we are running when we have accumulated the whole
2544 list then we'll add them all in one batch. */
2545 if (where == ACL_WHERE_RCPT)
2546 RATE_SET(mode, PER_RCPT);
2547 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2548 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2549 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2550 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2552 else if (strcmpic(ss, US"per_byte") == 0)
2554 /* If we have not yet received the message data and there was no SIZE
2555 declaration on the MAIL command, then it's safe to just use a value of
2556 zero and let the recorded rate decay as if nothing happened. */
2557 RATE_SET(mode, PER_MAIL);
2558 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2559 else count = message_size < 0 ? 0.0 : (double)message_size;
2561 else if (strcmpic(ss, US"per_addr") == 0)
2563 RATE_SET(mode, PER_RCPT);
2564 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
2565 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2567 else if (strncmpic(ss, US"count=", 6) == 0)
2570 count = Ustrtod(ss+6, &e);
2571 if (count < 0.0 || *e != '\0')
2572 return ratelimit_error(log_msgptr, "\"%s\" is not a positive number", ss);
2574 else if (strncmpic(ss, US"unique=", 7) == 0)
2575 unique = string_copy(ss + 7);
2577 key = string_copy(ss);
2579 key = string_sprintf("%s/%s", key, ss);
2582 /* Sanity check. When the badacl flag is set the update mode must either
2583 be readonly (which is the default if it is omitted) or, for backwards
2584 compatibility, a combination of noupdate and strict or leaky. */
2586 if (mode == RATE_PER_CLASH)
2587 return ratelimit_error(log_msgptr, "conflicting per_* options");
2588 if (leaky + strict + readonly > 1)
2589 return ratelimit_error(log_msgptr, "conflicting update modes");
2590 if (badacl && (leaky || strict) && !noupdate)
2591 return ratelimit_error(log_msgptr,
2592 "\"%s\" must not have /leaky or /strict option, or cannot be used in %s ACL",
2593 ratelimit_option_string[mode], acl_wherenames[where]);
2595 /* Set the default values of any unset options. In readonly mode we
2596 perform the rate computation without any increment so that its value
2597 decays to eventually allow over-limit senders through. */
2599 if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2600 if (badacl) readonly = TRUE;
2601 if (readonly) count = 0.0;
2602 if (!strict && !readonly) leaky = TRUE;
2603 if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
2605 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2606 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2607 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2608 are added to the key because they alter the meaning of the stored data. */
2611 key = !sender_host_address ? US"" : sender_host_address;
2613 key = string_sprintf("%s/%s/%s%s",
2615 ratelimit_option_string[mode],
2616 unique == NULL ? "" : "unique/",
2620 debug_printf_indent("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
2622 /* See if we have already computed the rate by looking in the relevant tree.
2623 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2624 pool so that they survive across resets. In readonly mode we only remember the
2625 result for the rest of this command in case a later command changes it. After
2626 this bit of logic the code is independent of the per_* mode. */
2628 old_pool = store_pool;
2631 anchor = &ratelimiters_cmd;
2635 anchor = &ratelimiters_conn;
2636 store_pool = POOL_PERM;
2640 case RATE_PER_ALLRCPTS:
2641 anchor = &ratelimiters_mail;
2646 anchor = &ratelimiters_cmd;
2649 anchor = NULL; /* silence an "unused" complaint */
2650 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2651 "internal ACL error: unknown ratelimit mode %d", mode);
2656 if ((t = tree_search(*anchor, key)))
2659 /* The following few lines duplicate some of the code below. */
2660 rc = (dbd->rate < limit)? FAIL : OK;
2661 store_pool = old_pool;
2662 sender_rate = string_sprintf("%.1f", dbd->rate);
2664 debug_printf_indent("ratelimit found pre-computed rate %s\n", sender_rate);
2668 /* We aren't using a pre-computed rate, so get a previously recorded rate
2669 from the database, which will be updated and written back if required. */
2671 if (!(dbm = dbfn_open(US"ratelimit", O_RDWR|O_CREAT, &dbblock, TRUE, TRUE)))
2673 store_pool = old_pool;
2675 HDEBUG(D_acl) debug_printf_indent("ratelimit database not available\n");
2676 *log_msgptr = US"ratelimit database not available";
2679 dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2682 gettimeofday(&tv, NULL);
2686 /* Locate the basic ratelimit block inside the DB data. */
2687 HDEBUG(D_acl) debug_printf_indent("ratelimit found key in database\n");
2690 /* Forget the old Bloom filter if it is too old, so that we count each
2691 repeating event once per period. We don't simply clear and re-use the old
2692 filter because we want its size to change if the limit changes. Note that
2693 we keep the dbd pointer for copying the rate into the new data block. */
2695 if(unique && tv.tv_sec > dbdb->bloom_epoch + period)
2697 HDEBUG(D_acl) debug_printf_indent("ratelimit discarding old Bloom filter\n");
2703 if(unique && dbdb_size < sizeof(*dbdb))
2705 HDEBUG(D_acl) debug_printf_indent("ratelimit discarding undersize Bloom filter\n");
2710 /* Allocate a new data block if the database lookup failed
2711 or the Bloom filter passed its age limit. */
2717 /* No Bloom filter. This basic ratelimit block is initialized below. */
2718 HDEBUG(D_acl) debug_printf_indent("ratelimit creating new rate data block\n");
2719 dbdb_size = sizeof(*dbd);
2720 dbdb = store_get(dbdb_size, GET_UNTAINTED);
2725 HDEBUG(D_acl) debug_printf_indent("ratelimit creating new Bloom filter\n");
2727 /* See the long comment below for an explanation of the magic number 2.
2728 The filter has a minimum size in case the rate limit is very small;
2729 this is determined by the definition of dbdata_ratelimit_unique. */
2731 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2732 if (extra < 0) extra = 0;
2733 dbdb_size = sizeof(*dbdb) + extra;
2734 dbdb = store_get(dbdb_size, GET_UNTAINTED);
2735 dbdb->bloom_epoch = tv.tv_sec;
2736 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2737 memset(dbdb->bloom, 0, dbdb->bloom_size);
2739 /* Preserve any basic ratelimit data (which is our longer-term memory)
2740 by copying it from the discarded block. */
2750 /* If we are counting unique events, find out if this event is new or not.
2751 If the client repeats the event during the current period then it should be
2752 counted. We skip this code in readonly mode for efficiency, because any
2753 changes to the filter will be discarded and because count is already set to
2756 if (unique && !readonly)
2758 /* We identify unique events using a Bloom filter. (You can find my
2759 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2760 With the per_addr option, an "event" is a recipient address, though the
2761 user can use the unique option to define their own events. We only count
2762 an event if we have not seen it before.
2764 We size the filter according to the rate limit, which (in leaky mode)
2765 is the limit on the population of the filter. We allow 16 bits of space
2766 per entry (see the construction code above) and we set (up to) 8 of them
2767 when inserting an element (see the loop below). The probability of a false
2768 positive (an event we have not seen before but which we fail to count) is
2772 allzero = exp(-numhash * pop / size)
2773 = exp(-0.5 * pop / limit)
2774 fpr = pow(1 - allzero, numhash)
2776 For senders at the limit the fpr is 0.06% or 1 in 1700
2777 and for senders at half the limit it is 0.0006% or 1 in 170000
2779 In strict mode the Bloom filter can fill up beyond the normal limit, in
2780 which case the false positive rate will rise. This means that the
2781 measured rate for very fast senders can bogusly drop off after a while.
2783 At twice the limit, the fpr is 2.5% or 1 in 40
2784 At four times the limit, it is 31% or 1 in 3.2
2786 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2787 decay below the limit, and if this is more than one then the Bloom filter
2788 will be discarded before the decay gets that far. The false positive rate
2789 at this threshold is 9.3% or 1 in 10.7. */
2792 unsigned n, hash, hinc;
2796 /* Instead of using eight independent hash values, we combine two values
2797 using the formula h1 + n * h2. This does not harm the Bloom filter's
2798 performance, and means the amount of hash we need is independent of the
2799 number of bits we set in the filter. */
2801 md5_start(&md5info);
2802 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2803 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2804 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2806 /* Scan the bits corresponding to this event. A zero bit means we have
2807 not seen it before. Ensure all bits are set to record this event. */
2809 HDEBUG(D_acl) debug_printf_indent("ratelimit checking uniqueness of %s\n", unique);
2812 for (n = 0; n < 8; n++, hash += hinc)
2814 int bit = 1 << (hash % 8);
2815 int byte = (hash / 8) % dbdb->bloom_size;
2816 if ((dbdb->bloom[byte] & bit) == 0)
2818 dbdb->bloom[byte] |= bit;
2823 /* If this event has occurred before, do not count it. */
2827 HDEBUG(D_acl) debug_printf_indent("ratelimit event found in Bloom filter\n");
2831 HDEBUG(D_acl) debug_printf_indent("ratelimit event added to Bloom filter\n");
2834 /* If there was no previous ratelimit data block for this key, initialize
2835 the new one, otherwise update the block from the database. The initial rate
2836 is what would be computed by the code below for an infinite interval. */
2840 HDEBUG(D_acl) debug_printf_indent("ratelimit initializing new key's rate data\n");
2842 dbd->time_stamp = tv.tv_sec;
2843 dbd->time_usec = tv.tv_usec;
2848 /* The smoothed rate is computed using an exponentially weighted moving
2849 average adjusted for variable sampling intervals. The standard EWMA for
2850 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2851 where f() is the measured value and f'() is the smoothed value.
2853 Old data decays out of the smoothed value exponentially, such that data n
2854 samples old is multiplied by a^n. The exponential decay time constant p
2855 is defined such that data p samples old is multiplied by 1/e, which means
2856 that a = exp(-1/p). We can maintain the same time constant for a variable
2857 sampling interval i by using a = exp(-i/p).
2859 The rate we are measuring is messages per period, suitable for directly
2860 comparing with the limit. The average rate between now and the previous
2861 message is period / interval, which we feed into the EWMA as the sample.
2863 It turns out that the number of messages required for the smoothed rate
2864 to reach the limit when they are sent in a burst is equal to the limit.
2865 This can be seen by analysing the value of the smoothed rate after N
2866 messages sent at even intervals. Let k = (1 - a) * p/i
2868 rate_1 = (1 - a) * p/i + a * rate_0
2870 rate_2 = k + a * rate_1
2871 = k + a * k + a^2 * rate_0
2872 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2873 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2874 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2875 = rate_0 * a^N + p/i * (1 - a^N)
2877 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2879 rate_N = p/i + (rate_0 - p/i) * a^N
2880 a^N = (rate_N - p/i) / (rate_0 - p/i)
2881 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2882 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2884 Numerical analysis of the above equation, setting the computed rate to
2885 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2886 rates, p/i, the number of messages N = limit. So limit serves as both the
2887 maximum rate measured in messages per period, and the maximum number of
2888 messages that can be sent in a fast burst. */
2890 double this_time = (double)tv.tv_sec
2891 + (double)tv.tv_usec / 1000000.0;
2892 double prev_time = (double)dbd->time_stamp
2893 + (double)dbd->time_usec / 1000000.0;
2895 /* We must avoid division by zero, and deal gracefully with the clock going
2896 backwards. If we blunder ahead when time is in reverse then the computed
2897 rate will be bogus. To be safe we clamp interval to a very small number. */
2899 double interval = this_time - prev_time <= 0.0 ? 1e-9
2900 : this_time - prev_time;
2902 double i_over_p = interval / period;
2903 double a = exp(-i_over_p);
2905 /* Combine the instantaneous rate (period / interval) with the previous rate
2906 using the smoothing factor a. In order to measure sized events, multiply the
2907 instantaneous rate by the count of bytes or recipients etc. */
2909 dbd->time_stamp = tv.tv_sec;
2910 dbd->time_usec = tv.tv_usec;
2911 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2913 /* When events are very widely spaced the computed rate tends towards zero.
2914 Although this is accurate it turns out not to be useful for our purposes,
2915 especially when the first event after a long silence is the start of a spam
2916 run. A more useful model is that the rate for an isolated event should be the
2917 size of the event per the period size, ignoring the lack of events outside
2918 the current period and regardless of where the event falls in the period. So,
2919 if the interval was so long that the calculated rate is unhelpfully small, we
2920 re-initialize the rate. In the absence of higher-rate bursts, the condition
2921 below is true if the interval is greater than the period. */
2923 if (dbd->rate < count) dbd->rate = count;
2926 /* Clients sending at the limit are considered to be over the limit.
2927 This matters for edge cases such as a limit of zero, when the client
2928 should be completely blocked. */
2930 rc = dbd->rate < limit ? FAIL : OK;
2932 /* Update the state if the rate is low or if we are being strict. If we
2933 are in leaky mode and the sender's rate is too high, we do not update
2934 the recorded rate in order to avoid an over-aggressive sender's retry
2935 rate preventing them from getting any email through. If readonly is set,
2936 neither leaky nor strict are set, so we do not do any updates. */
2938 if ((rc == FAIL && leaky) || strict)
2940 dbfn_write(dbm, key, dbdb, dbdb_size);
2941 HDEBUG(D_acl) debug_printf_indent("ratelimit db updated\n");
2945 HDEBUG(D_acl) debug_printf_indent("ratelimit db not updated: %s\n",
2946 readonly? "readonly mode" : "over the limit, but leaky");
2951 /* Store the result in the tree for future reference. Take the taint status
2952 from the key for consistency even though it's unlikely we'll ever expand this. */
2954 t = store_get(sizeof(tree_node) + Ustrlen(key), key);
2956 Ustrcpy(t->name, key);
2957 (void)tree_insertnode(anchor, t);
2959 /* We create the formatted version of the sender's rate very late in
2960 order to ensure that it is done using the correct storage pool. */
2962 store_pool = old_pool;
2963 sender_rate = string_sprintf("%.1f", dbd->rate);
2966 debug_printf_indent("ratelimit computed rate %s\n", sender_rate);
2973 /*************************************************
2974 * Handle a check for previously-seen *
2975 *************************************************/
2978 ACL clauses like: seen = -5m / key=$foo / readonly
2980 Return is true for condition-true - but the semantics
2981 depend heavily on the actual use-case.
2983 Negative times test for seen-before, positive for seen-more-recently-than
2984 (the given interval before current time).
2986 All are subject to history not having been cleaned from the DB.
2988 Default for seen-before is to create if not present, and to
2989 update if older than 10d (with the seen-test time).
2990 Default for seen-since is to always create or update.
2993 key=value. Default key is $sender_host_address
2996 refresh=<interval>: update an existing DB entry older than given
2997 amount. Default refresh lacking this option is 10d.
2998 The update sets the record timestamp to the seen-test time.
3000 XXX do we need separate nocreate, noupdate controls?
3003 arg the option string for seen=
3004 where ACL_WHERE_xxxx indicating which ACL this is
3005 log_msgptr for error messages
3007 Returns: OK - Condition is true
3008 FAIL - Condition is false
3009 DEFER - Problem opening history database
3010 ERROR - Syntax error in options
3014 acl_seen(const uschar * arg, int where, uschar ** log_msgptr)
3016 enum { SEEN_DEFAULT, SEEN_READONLY, SEEN_WRITE };
3018 const uschar * list = arg;
3019 int slash = '/', interval, mode = SEEN_DEFAULT, yield = FAIL;
3021 int refresh = 10 * 24 * 60 * 60; /* 10 days */
3022 const uschar * ele, * key = sender_host_address;
3023 open_db dbblock, * dbm;
3027 /* Parse the first element, the time-relation. */
3029 if (!(ele = string_nextinlist(&list, &slash, NULL, 0)))
3031 if ((before = *ele == '-'))
3033 if ((interval = readconf_readtime(ele, 0, FALSE)) < 0)
3036 /* Remaining elements are options */
3038 while ((ele = string_nextinlist(&list, &slash, NULL, 0)))
3039 if (Ustrncmp(ele, "key=", 4) == 0)
3041 else if (Ustrcmp(ele, "readonly") == 0)
3042 mode = SEEN_READONLY;
3043 else if (Ustrcmp(ele, "write") == 0)
3045 else if (Ustrncmp(ele, "refresh=", 8) == 0)
3047 if ((refresh = readconf_readtime(ele + 8, 0, FALSE)) < 0)
3053 if (!(dbm = dbfn_open(US"seen", O_RDWR|O_CREAT, &dbblock, TRUE, TRUE)))
3055 HDEBUG(D_acl) debug_printf_indent("database for 'seen' not available\n");
3056 *log_msgptr = US"database for 'seen' not available";
3060 dbd = dbfn_read_with_length(dbm, key, NULL);
3062 if (dbd) /* an existing record */
3064 time_t diff = now - dbd->time_stamp; /* time since the record was written */
3066 if (before ? diff >= interval : diff < interval)
3069 if (mode == SEEN_READONLY)
3070 { HDEBUG(D_acl) debug_printf_indent("seen db not written (readonly)\n"); }
3071 else if (mode == SEEN_WRITE || !before)
3073 dbd->time_stamp = now;
3074 dbfn_write(dbm, key, dbd, sizeof(*dbd));
3075 HDEBUG(D_acl) debug_printf_indent("seen db written (update)\n");
3077 else if (diff >= refresh)
3079 dbd->time_stamp = now - interval;
3080 dbfn_write(dbm, key, dbd, sizeof(*dbd));
3081 HDEBUG(D_acl) debug_printf_indent("seen db written (refresh)\n");
3085 { /* No record found, yield always FAIL */
3086 if (mode != SEEN_READONLY)
3088 dbdata_seen d = {.time_stamp = now};
3089 dbfn_write(dbm, key, &d, sizeof(*dbd));
3090 HDEBUG(D_acl) debug_printf_indent("seen db written (create)\n");
3093 HDEBUG(D_acl) debug_printf_indent("seen db not written (readonly)\n");
3101 *log_msgptr = string_sprintf("failed to parse '%s'", arg);
3104 *log_msgptr = string_sprintf("unrecognised option '%s' in '%s'", ele, arg);
3110 /*************************************************
3111 * The udpsend ACL modifier *
3112 *************************************************/
3114 /* Called by acl_check_condition() below.
3117 arg the option string for udpsend=
3118 log_msgptr for error messages
3120 Returns: OK - Completed.
3121 DEFER - Problem with DNS lookup.
3122 ERROR - Syntax error in options.
3126 acl_udpsend(const uschar *arg, uschar **log_msgptr)
3138 hostname = string_nextinlist(&arg, &sep, NULL, 0);
3139 portstr = string_nextinlist(&arg, &sep, NULL, 0);
3143 *log_msgptr = US"missing destination host in \"udpsend\" modifier";
3148 *log_msgptr = US"missing destination port in \"udpsend\" modifier";
3153 *log_msgptr = US"missing datagram payload in \"udpsend\" modifier";
3156 portnum = Ustrtol(portstr, &portend, 10);
3157 if (*portend != '\0')
3159 *log_msgptr = US"bad destination port in \"udpsend\" modifier";
3163 /* Make a single-item host list. */
3164 h = store_get(sizeof(host_item), GET_UNTAINTED);
3165 memset(h, 0, sizeof(host_item));
3170 if (string_is_ip_address(hostname, NULL))
3171 h->address = hostname, r = HOST_FOUND;
3173 r = host_find_byname(h, NULL, 0, NULL, FALSE);
3174 if (r == HOST_FIND_FAILED || r == HOST_FIND_AGAIN)
3176 *log_msgptr = US"DNS lookup failed in \"udpsend\" modifier";
3181 debug_printf_indent("udpsend [%s]:%d %s\n", h->address, portnum, arg);
3183 /*XXX this could better use sendto */
3184 r = s = ip_connectedsocket(SOCK_DGRAM, h->address, portnum, portnum,
3185 1, NULL, &errstr, NULL);
3186 if (r < 0) goto defer;
3188 r = send(s, arg, len, 0);
3191 errstr = US strerror(errno);
3199 string_sprintf("\"udpsend\" truncated from %d to %d octets", len, r);
3204 debug_printf_indent("udpsend %d bytes\n", r);
3209 *log_msgptr = string_sprintf("\"udpsend\" failed: %s", errstr);
3215 #ifndef DISABLE_WELLKNOWN
3216 /*************************************************
3217 * The "wellknown" ACL modifier *
3218 *************************************************/
3220 /* Called by acl_check_condition() below.
3222 Retrieve the given file and encode content as xtext.
3223 Prefix with a summary line giving the length of plaintext.
3224 Leave a global pointer to the whole, for output by
3225 the smtp verb handler code (smtp_in.c).
3228 arg the option string for wellknown=
3229 log_msgptr for error messages
3235 wellknown_process(const uschar * arg, uschar ** log_msgptr)
3237 struct stat statbuf;
3241 wellknown_response = NULL;
3242 if (f.no_multiline_responses) return FAIL;
3244 /* Check for file existence */
3246 if (!*arg) return FAIL;
3247 if (Ustat(arg, &statbuf) != 0)
3248 { *log_msgptr = US"stat"; goto fail; }
3250 /*XXX perhaps refuse to serve a group- or world-writeable file? */
3252 if (!(rf = Ufopen(arg, "r")))
3253 { *log_msgptr = US"open"; goto fail; }
3255 /* Set up summary line for output */
3257 g = string_fmt_append(NULL, "SIZE=%lu\n", (long) statbuf.st_size);
3260 for (int n = 0, ch; (ch = fgetc(rf)) != EOF; )
3262 /* Xtext-encode, adding output linebreaks for input linebreaks
3263 or when the line gets long enough */
3266 { g = string_fmt_append(g, "+%02X", ch); n = LINE_LIM; }
3267 else if (ch < 33 || ch > 126 || ch == '+' || ch == '=')
3268 { g = string_fmt_append(g, "+%02X", ch); n += 3; }
3270 { g = string_fmt_append(g, "%c", ch); n++; }
3273 { g = string_catn(g, US"\n", 1); n = 0; }
3277 gstring_release_unused(g);
3278 wellknown_response = string_from_gstring(g);
3282 *log_msgptr = string_sprintf("wellknown: failed to %s file \"%s\": %s",
3283 *log_msgptr, arg, strerror(errno));
3289 /*************************************************
3290 * Handle conditions/modifiers on an ACL item *
3291 *************************************************/
3293 /* Called from acl_check() below.
3297 cb ACL condition block - if NULL, result is OK
3298 where where called from
3299 addr the address being checked for RCPT, or NULL
3300 level the nesting level
3301 epp pointer to pass back TRUE if "endpass" encountered
3302 (applies only to "accept" and "discard")
3303 user_msgptr user message pointer
3304 log_msgptr log message pointer
3305 basic_errno pointer to where to put verify error
3307 Returns: OK - all conditions are met
3308 DISCARD - an "acl" condition returned DISCARD - only allowed
3309 for "accept" or "discard" verbs
3310 FAIL - at least one condition fails
3311 FAIL_DROP - an "acl" condition returned FAIL_DROP
3312 DEFER - can't tell at the moment (typically, lookup defer,
3313 but can be temporary callout problem)
3314 ERROR - ERROR from nested ACL or expansion failure or other
3319 acl_check_condition(int verb, acl_condition_block *cb, int where,
3320 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
3321 uschar **log_msgptr, int *basic_errno)
3323 uschar * user_message = NULL;
3324 uschar * log_message = NULL;
3327 for (; cb; cb = cb->next)
3331 BOOL textonly = FALSE;
3333 /* The message and log_message items set up messages to be used in
3334 case of rejection. They are expanded later. */
3336 if (cb->type == ACLC_MESSAGE)
3338 HDEBUG(D_acl) debug_printf_indent(" message: %s\n", cb->arg);
3339 user_message = cb->arg;
3343 if (cb->type == ACLC_LOG_MESSAGE)
3345 HDEBUG(D_acl) debug_printf_indent("l_message: %s\n", cb->arg);
3346 log_message = cb->arg;
3350 /* The endpass "condition" just sets a flag to show it occurred. This is
3351 checked at compile time to be on an "accept" or "discard" item. */
3353 if (cb->type == ACLC_ENDPASS)
3359 /* For other conditions and modifiers, the argument is expanded now for some
3360 of them, but not for all, because expansion happens down in some lower level
3361 checking functions in some cases. */
3363 if (!(conditions[cb->type].flags & ACD_EXP))
3366 else if (!(arg = expand_string_2(cb->arg, &textonly)))
3368 if (f.expand_string_forcedfail) continue;
3369 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
3370 cb->arg, expand_string_message);
3371 return f.search_find_defer ? DEFER : ERROR;
3374 /* Show condition, and expanded condition if it's different */
3379 debug_printf_indent("check %s%s %n",
3380 (!(conditions[cb->type].flags & ACD_MOD) && cb->u.negated) ? "!":"",
3381 conditions[cb->type].name, &lhswidth);
3383 if (cb->type == ACLC_SET)
3385 #ifndef DISABLE_DKIM
3386 if ( Ustrcmp(cb->u.varname, "dkim_verify_status") == 0
3387 || Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
3389 debug_printf("%s ", cb->u.varname);
3395 debug_printf("acl_%s ", cb->u.varname);
3396 lhswidth += 5 + Ustrlen(cb->u.varname);
3400 debug_printf("= %s\n", cb->arg);
3403 debug_printf("%.*s= %s\n", lhswidth,
3407 /* Check that this condition makes sense at this time */
3409 if ((conditions[cb->type].forbids & (1 << where)) != 0)
3411 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
3412 conditions[cb->type].flags & ACD_MOD ? "use" : "test",
3413 conditions[cb->type].name, acl_wherenames[where]);
3417 /* Run the appropriate test for each condition, or take the appropriate
3418 action for the remaining modifiers. */
3422 case ACLC_ADD_HEADER:
3426 /* A nested ACL that returns "discard" makes sense only for an "accept" or
3430 rc = acl_check_wargs(where, addr, arg, user_msgptr, log_msgptr);
3431 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
3433 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
3434 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
3440 case ACLC_AUTHENTICATED:
3441 rc = sender_host_authenticated ? match_isinlist(sender_host_authenticated,
3442 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL) : FAIL;
3445 #ifdef EXPERIMENTAL_BRIGHTMAIL
3446 case ACLC_BMI_OPTIN:
3448 int old_pool = store_pool;
3449 store_pool = POOL_PERM;
3450 bmi_current_optin = string_copy(arg);
3451 store_pool = old_pool;
3456 case ACLC_CONDITION:
3457 /* The true/false parsing here should be kept in sync with that used in
3458 expand.c when dealing with ECOND_BOOL so that we don't have too many
3459 different definitions of what can be a boolean. */
3461 ? Ustrspn(arg+1, "0123456789") == Ustrlen(arg+1) /* Negative number */
3462 : Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
3463 rc = (Uatoi(arg) == 0)? FAIL : OK;
3465 rc = (strcmpic(arg, US"no") == 0 ||
3466 strcmpic(arg, US"false") == 0)? FAIL :
3467 (strcmpic(arg, US"yes") == 0 ||
3468 strcmpic(arg, US"true") == 0)? OK : DEFER;
3470 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
3473 case ACLC_CONTINUE: /* Always succeeds */
3478 const uschar * p = NULL;
3479 control_type = decode_control(arg, &p, where, log_msgptr);
3481 /* Check if this control makes sense at this time */
3483 if (controls_list[control_type].forbids & (1 << where))
3485 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
3486 controls_list[control_type].name, acl_wherenames[where]);
3490 /*XXX ought to sort these, just for sanity */
3491 switch(control_type)
3493 case CONTROL_AUTH_UNADVERTISED:
3494 f.allow_auth_unadvertised = TRUE;
3497 #ifdef EXPERIMENTAL_BRIGHTMAIL
3498 case CONTROL_BMI_RUN:
3503 #ifndef DISABLE_DKIM
3504 case CONTROL_DKIM_VERIFY:
3505 f.dkim_disable_verify = TRUE;
3506 # ifdef SUPPORT_DMARC
3507 /* Since DKIM was blocked, skip DMARC too */
3508 f.dmarc_disable_verify = TRUE;
3509 f.dmarc_enable_forensic = FALSE;
3514 #ifdef SUPPORT_DMARC
3515 case CONTROL_DMARC_VERIFY:
3516 f.dmarc_disable_verify = TRUE;
3519 case CONTROL_DMARC_FORENSIC:
3520 f.dmarc_enable_forensic = TRUE;
3527 int fd, af, level, optname, value;
3528 /* If we are acting on stdin, the setsockopt may fail if stdin is not
3529 a socket; we can accept that, we'll just debug-log failures anyway. */
3530 fd = fileno(smtp_in);
3531 if ((af = ip_get_address_family(fd)) < 0)
3534 debug_printf_indent("smtp input is probably not a socket [%s], not setting DSCP\n",
3538 if (dscp_lookup(p+1, af, &level, &optname, &value))
3539 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3541 HDEBUG(D_acl) debug_printf_indent("failed to set input DSCP[%s]: %s\n",
3542 p+1, strerror(errno));
3546 HDEBUG(D_acl) debug_printf_indent("set input DSCP to \"%s\"\n", p+1);
3550 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3556 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3564 case CONTROL_CASEFUL_LOCAL_PART:
3565 deliver_localpart = addr->cc_local_part;
3568 case CONTROL_CASELOWER_LOCAL_PART:
3569 deliver_localpart = addr->lc_local_part;
3572 case CONTROL_ENFORCE_SYNC:
3573 smtp_enforce_sync = TRUE;
3576 case CONTROL_NO_ENFORCE_SYNC:
3577 smtp_enforce_sync = FALSE;
3580 #ifdef WITH_CONTENT_SCAN
3581 case CONTROL_NO_MBOX_UNSPOOL:
3582 f.no_mbox_unspool = TRUE;
3586 case CONTROL_NO_MULTILINE:
3587 f.no_multiline_responses = TRUE;
3590 case CONTROL_NO_PIPELINING:
3591 f.pipelining_enable = FALSE;
3594 case CONTROL_NO_DELAY_FLUSH:
3595 f.disable_delay_flush = TRUE;
3598 case CONTROL_NO_CALLOUT_FLUSH:
3599 f.disable_callout_flush = TRUE;
3602 case CONTROL_FAKEREJECT:
3603 cancel_cutthrough_connection(TRUE, US"fakereject");
3604 case CONTROL_FAKEDEFER:
3605 fake_response = control_type == CONTROL_FAKEDEFER ? DEFER : FAIL;
3608 const uschar *pp = p + 1;
3610 /* The entire control= line was expanded at top so no need to expand
3611 the part after the / */
3612 fake_response_text = string_copyn(p+1, pp-p-1);
3615 else /* Explicitly reset to default string */
3616 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
3619 case CONTROL_FREEZE:
3620 f.deliver_freeze = TRUE;
3621 deliver_frozen_at = time(NULL);
3622 freeze_tell = freeze_tell_config; /* Reset to configured value */
3623 if (Ustrncmp(p, "/no_tell", 8) == 0)
3630 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3633 cancel_cutthrough_connection(TRUE, US"item frozen");
3637 f.queue_only_policy = TRUE;
3638 if (Ustrcmp(p, "_only") == 0)
3640 else while (*p == '/')
3641 if (Ustrncmp(p, "/only", 5) == 0)
3642 { p += 5; f.queue_smtp = FALSE; }
3643 else if (Ustrncmp(p, "/first_pass_route", 17) == 0)
3644 { p += 17; f.queue_smtp = TRUE; }
3647 cancel_cutthrough_connection(TRUE, US"queueing forced");
3650 case CONTROL_SUBMISSION:
3651 originator_name = US"";
3652 f.submission_mode = TRUE;
3655 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3658 f.active_local_sender_retain = TRUE;
3659 f.active_local_from_check = FALSE;
3661 else if (Ustrncmp(p, "/domain=", 8) == 0)
3663 const uschar *pp = p + 8;
3664 while (*pp && *pp != '/') pp++;
3665 submission_domain = string_copyn(p+8, pp-p-8);
3668 /* The name= option must be last, because it swallows the rest of
3670 else if (Ustrncmp(p, "/name=", 6) == 0)
3672 const uschar *pp = p + 6;
3674 submission_name = parse_fix_phrase(p+6, pp-p-6);
3681 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3688 uschar * debug_tag = NULL, * debug_opts = NULL;
3689 BOOL kill = FALSE, stop = FALSE;
3693 const uschar * pp = p+1;
3694 if (Ustrncmp(pp, "tag=", 4) == 0)
3696 for (pp += 4; *pp && *pp != '/';) pp++;
3697 debug_tag = string_copyn(p+5, pp-p-5);
3699 else if (Ustrncmp(pp, "opts=", 5) == 0)
3701 for (pp += 5; *pp && *pp != '/';) pp++;
3702 debug_opts = string_copyn(p+6, pp-p-6);
3704 else if (Ustrncmp(pp, "kill", 4) == 0)
3709 else if (Ustrncmp(pp, "stop", 4) == 0)
3714 else if (Ustrncmp(pp, "pretrigger=", 11) == 0)
3715 debug_pretrigger_setup(pp+11);
3716 else if (Ustrncmp(pp, "trigger=", 8) == 0)
3718 if (Ustrncmp(pp += 8, "now", 3) == 0)
3721 debug_trigger_fire();
3723 else if (Ustrncmp(pp, "paniclog", 8) == 0)
3726 dtrigger_selector |= BIT(DTi_panictrigger);
3729 while (*pp && *pp != '/') pp++;
3734 debug_logging_stop(TRUE);
3736 debug_logging_stop(FALSE);
3737 else if (debug_tag || debug_opts)
3738 debug_logging_activate(debug_tag, debug_opts);
3742 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3743 f.suppress_local_fixups = TRUE;
3746 case CONTROL_CUTTHROUGH_DELIVERY:
3748 uschar * ignored = NULL;
3749 #ifndef DISABLE_PRDR
3754 /* Too hard to think about for now. We might in future cutthrough
3755 the case where both sides handle prdr and this-node prdr acl
3757 ignored = US"PRDR active";
3758 else if (f.deliver_freeze)
3759 ignored = US"frozen";
3760 else if (f.queue_only_policy)
3761 ignored = US"queue-only";
3762 else if (fake_response == FAIL)
3763 ignored = US"fakereject";
3764 else if (rcpt_count != 1)
3765 ignored = US"nonfirst rcpt";
3766 else if (cutthrough.delivery)
3767 ignored = US"repeated";
3768 else if (cutthrough.callout_hold_only)
3771 debug_printf_indent(" cutthrough request upgrades callout hold\n");
3772 cutthrough.callout_hold_only = FALSE;
3773 cutthrough.delivery = TRUE; /* control accepted */
3777 cutthrough.delivery = TRUE; /* control accepted */
3780 const uschar * pp = p+1;
3781 if (Ustrncmp(pp, "defer=", 6) == 0)
3784 if (Ustrncmp(pp, "pass", 4) == 0) cutthrough.defer_pass = TRUE;
3785 /* else if (Ustrncmp(pp, "spool") == 0) ; default */
3788 while (*pp && *pp != '/') pp++;
3793 DEBUG(D_acl) if (ignored)
3794 debug_printf(" cutthrough request ignored on %s item\n", ignored);
3799 case CONTROL_UTF8_DOWNCONVERT:
3804 message_utf8_downconvert = 1;
3805 addr->prop.utf8_downcvt = TRUE;
3806 addr->prop.utf8_downcvt_maybe = FALSE;
3812 message_utf8_downconvert = 0;
3813 addr->prop.utf8_downcvt = FALSE;
3814 addr->prop.utf8_downcvt_maybe = FALSE;
3818 if (p[1] == '-' && p[2] == '1')
3820 message_utf8_downconvert = -1;
3821 addr->prop.utf8_downcvt = FALSE;
3822 addr->prop.utf8_downcvt_maybe = TRUE;
3826 *log_msgptr = US"bad option value for control=utf8_downconvert";
3830 message_utf8_downconvert = 1;
3831 addr->prop.utf8_downcvt = TRUE;
3832 addr->prop.utf8_downcvt_maybe = FALSE;
3838 #ifndef DISABLE_WELLKNOWN
3839 case CONTROL_WELLKNOWN:
3840 rc = *p == '/' ? wellknown_process(p+1, log_msgptr) : FAIL;
3847 #ifdef EXPERIMENTAL_DCC
3850 /* Separate the regular expression and any optional parameters. */
3851 const uschar * list = arg;
3853 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
3854 /* Run the dcc backend. */
3855 rc = dcc_process(&ss);
3856 /* Modify return code based upon the existence of options. */
3857 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
3858 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3859 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
3864 #ifdef WITH_CONTENT_SCAN
3866 rc = mime_decode(&arg);
3872 int delay = readconf_readtime(arg, 0, FALSE);
3875 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3876 "modifier: \"%s\" is not a time value", arg);
3881 HDEBUG(D_acl) debug_printf_indent("delay modifier requests %d-second delay\n",
3886 debug_printf_indent("delay skipped in -bh checking mode\n");
3889 /* NOTE 1: Remember that we may be
3890 dealing with stdin/stdout here, in addition to TCP/IP connections.
3891 Also, delays may be specified for non-SMTP input, where smtp_out and
3892 smtp_in will be NULL. Whatever is done must work in all cases.
3894 NOTE 2: The added feature of flushing the output before a delay must
3895 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3900 if (smtp_out && !f.disable_delay_flush)
3903 #if !defined(NO_POLL_H) && defined (POLLRDHUP)
3909 p.fd = fileno(smtp_out);
3910 p.events = POLLRDHUP;
3913 if (poll(&p, n, delay*1000) > 0)
3914 HDEBUG(D_acl) debug_printf_indent("delay cancelled by peer close\n");
3917 /* Lacking POLLRDHUP it appears to be impossible to detect that a
3918 TCP/IP connection has gone away without reading from it. This means
3919 that we cannot shorten the delay below if the client goes away,
3920 because we cannot discover that the client has closed its end of the
3921 connection. (The connection is actually in a half-closed state,
3922 waiting for the server to close its end.) It would be nice to be able
3923 to detect this state, so that the Exim process is not held up
3924 unnecessarily. However, it seems that we can't. The poll() function
3925 does not do the right thing, and in any case it is not always
3928 while (delay > 0) delay = sleep(delay);
3935 #ifndef DISABLE_DKIM
3936 case ACLC_DKIM_SIGNER:
3937 case ACLC_DKIM_STATUS:
3938 /* See comment on ACLC_SPF wrt. coding issues */
3940 misc_module_info * mi = misc_mod_find(US"dkim", &log_message);
3941 typedef int (*fn_t)(const uschar *);
3943 ? (((fn_t *) mi->functions)
3944 [cb->type == ACLC_DKIM_SIGNER
3945 ? DKIM_SIGNER_ISINLIST
3946 : DKIM_STATUS_LISTMATCH]) (arg)
3952 #ifdef SUPPORT_DMARC
3953 case ACLC_DMARC_STATUS:
3954 /* See comment on ACLC_SPF wrt. coding issues */
3956 misc_module_info * mi = misc_mod_find(US"dmarc", &log_message);
3957 typedef uschar * (*efn_t)(int);
3958 uschar * expanded_query;
3961 { rc = DEFER; break; } /* shouldn't happen */
3963 if (!f.dmarc_has_been_checked)
3965 typedef int (*pfn_t)(void);
3966 (void) (((pfn_t *) mi->functions)[DMARC_PROCESS]) ();
3967 f.dmarc_has_been_checked = TRUE;
3970 /* used long way of dmarc_exim_expand_query() in case we need more
3971 view into the process in the future. */
3973 /*XXX is this call used with any other arg? */
3974 expanded_query = (((efn_t *) mi->functions)[DMARC_EXPAND_QUERY])
3975 (DMARC_VERIFY_STATUS);
3976 rc = match_isinlist(expanded_query,
3977 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3983 rc = verify_check_dnsbl(where, &arg, log_msgptr);
3987 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3988 addr->domain_cache, MCL_DOMAIN, TRUE, CUSS &deliver_domain_data);
3991 /* The value in tls_cipher is the full cipher name, for example,
3992 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3993 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3994 what may in practice come out of the SSL library - which at the time of
3995 writing is poorly documented. */
3997 case ACLC_ENCRYPTED:
3998 if (!tls_in.cipher) rc = FAIL;
4001 uschar *endcipher = NULL;
4002 uschar *cipher = Ustrchr(tls_in.cipher, ':');
4003 if (!cipher) cipher = tls_in.cipher; else
4005 endcipher = Ustrchr(++cipher, ':');
4006 if (endcipher) *endcipher = 0;
4008 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
4009 if (endcipher) *endcipher = ':';
4013 /* Use verify_check_this_host() instead of verify_check_host() so that
4014 we can pass over &host_data to catch any looked up data. Once it has been
4015 set, it retains its value so that it's still there if another ACL verb
4016 comes through here and uses the cache. However, we must put it into
4017 permanent store in case it is also expected to be used in a subsequent
4018 message in the same SMTP connection. */
4021 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
4022 sender_host_address ? sender_host_address : US"", CUSS &host_data);
4023 if (rc == DEFER) *log_msgptr = search_error_message;
4024 if (host_data) host_data = string_copy_perm(host_data, TRUE);
4027 case ACLC_LOCAL_PARTS:
4028 rc = match_isinlist(addr->cc_local_part, &arg, 0,
4029 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
4030 CUSS &deliver_localpart_data);
4033 case ACLC_LOG_REJECT_TARGET:
4035 int logbits = 0, sep = 0;
4036 const uschar * s = arg;
4038 for (uschar * ss; ss = string_nextinlist(&s, &sep, NULL, 0); )
4040 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
4041 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
4042 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
4045 logbits |= LOG_MAIN|LOG_REJECT;
4046 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
4047 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
4050 log_reject_target = logbits;
4057 const uschar *s = arg;
4063 if (Ustrncmp(s, "main", 4) == 0)
4064 { logbits |= LOG_MAIN; s += 4; }
4065 else if (Ustrncmp(s, "panic", 5) == 0)
4066 { logbits |= LOG_PANIC; s += 5; }
4067 else if (Ustrncmp(s, "reject", 6) == 0)
4068 { logbits |= LOG_REJECT; s += 6; }
4071 logbits = LOG_MAIN|LOG_PANIC;
4072 s = string_sprintf(":unknown log name in \"%s\" in "
4073 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
4079 Uskip_whitespace(&s);
4081 if (logbits == 0) logbits = LOG_MAIN;
4082 log_write(0, logbits, "%s", string_printing(s));
4086 #ifdef WITH_CONTENT_SCAN
4087 case ACLC_MALWARE: /* Run the malware backend. */
4089 /* Separate the regular expression and any optional parameters. */
4090 const uschar * list = arg;
4091 BOOL defer_ok = FALSE;
4092 int timeout = 0, sep = -'/';
4093 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
4095 for (uschar * opt; opt = string_nextinlist(&list, &sep, NULL, 0); )
4096 if (strcmpic(opt, US"defer_ok") == 0)
4098 else if ( strncmpic(opt, US"tmo=", 4) == 0
4099 && (timeout = readconf_readtime(opt+4, '\0', FALSE)) < 0
4102 *log_msgptr = string_sprintf("bad timeout value in '%s'", opt);
4106 rc = malware(ss, textonly, timeout);
4107 if (rc == DEFER && defer_ok)
4108 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
4112 case ACLC_MIME_REGEX:
4113 rc = mime_regex(&arg, textonly);
4118 if (is_tainted(arg))
4120 *log_msgptr = string_sprintf("Tainted name '%s' for queue not permitted",
4124 if (Ustrchr(arg, '/'))
4126 *log_msgptr = string_sprintf(
4127 "Directory separator not permitted in queue name: '%s'", arg);
4130 queue_name = string_copy_perm(arg, FALSE);
4133 case ACLC_RATELIMIT:
4134 rc = acl_ratelimit(arg, where, log_msgptr);
4137 case ACLC_RECIPIENTS:
4138 rc = match_address_list(CUS addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
4139 CUSS &recipient_data);
4142 #ifdef WITH_CONTENT_SCAN
4144 rc = regex(&arg, textonly);
4148 case ACLC_REMOVE_HEADER:
4149 setup_remove_header(arg);
4153 rc = acl_seen(arg, where, log_msgptr);
4156 case ACLC_SENDER_DOMAINS:
4159 sdomain = Ustrrchr(sender_address, '@');
4160 sdomain = sdomain ? sdomain + 1 : US"";
4161 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
4162 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
4167 rc = match_address_list(CUS sender_address, TRUE, TRUE, &arg,
4168 sender_address_cache, -1, 0, CUSS &sender_data);
4171 /* Connection variables must persist forever; message variables not */
4175 int old_pool = store_pool;
4176 if ( cb->u.varname[0] != 'm'
4177 #ifndef DISABLE_EVENT
4178 || event_name /* An event is being delivered */
4181 store_pool = POOL_PERM;
4183 #ifndef DISABLE_DKIM /* Overwriteable dkim result variables */
4184 if ( Ustrcmp(cb->u.varname, "dkim_verify_status") == 0
4185 || Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0
4188 misc_module_info * mi = misc_mod_findonly(US"dkim");
4189 typedef void (*fn_t)(const uschar *, void *);
4192 (((fn_t *) mi->functions)[DKIM_SETVAR])
4193 (cb->u.varname, string_copy(arg));
4197 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
4198 store_pool = old_pool;
4202 #ifdef WITH_CONTENT_SCAN
4205 /* Separate the regular expression and any optional parameters. */
4206 const uschar * list = arg;
4208 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
4210 rc = spam(CUSS &ss);
4211 /* Modify return code based upon the existence of options. */
4212 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
4213 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
4214 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
4221 case ACLC_SPF_GUESS:
4222 /* We have hardwired function-call numbers, and also prototypes for the
4223 functions. We could do a function name table search or (simpler)
4224 a module include file with defines for the numbers
4225 but I can't see how to deal with prototypes. Is a K&R non-prototyped
4226 function still usable with today's compilers (but we would lose on
4227 type-checking)? We could macroize the typedef, and even the function
4228 table access - but it obscures how it works rather. */
4230 misc_module_info * mi = misc_mod_find(US"spf", &log_message);
4231 typedef int (*fn_t)(const uschar **, const uschar *, int);
4235 { rc = DEFER; break; } /* shouldn't happen */
4237 fn = ((fn_t *) mi->functions)[SPF_PROCESS];
4239 rc = fn(&arg, sender_address,
4240 cb->type == ACLC_SPF ? SPF_PROCESS_NORMAL : SPF_PROCESS_GUESS);
4246 rc = acl_udpsend(arg, log_msgptr);
4249 /* If the verb is WARN, discard any user message from verification, because
4250 such messages are SMTP responses, not header additions. The latter come
4251 only from explicit "message" modifiers. However, put the user message into
4252 $acl_verify_message so it can be used in subsequent conditions or modifiers
4253 (until something changes it). */
4256 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
4258 acl_verify_message = *user_msgptr;
4259 if (verb == ACL_WARN) *user_msgptr = NULL;
4263 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
4264 "condition %d", cb->type);
4268 /* If a condition was negated, invert OK/FAIL. */
4270 if (!(conditions[cb->type].flags & ACD_MOD) && cb->u.negated)
4271 if (rc == OK) rc = FAIL;
4272 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
4274 if (rc != OK) break; /* Conditions loop */
4278 /* If the result is the one for which "message" and/or "log_message" are used,
4279 handle the values of these modifiers. If there isn't a log message set, we make
4280 it the same as the user message.
4282 "message" is a user message that will be included in an SMTP response. Unless
4283 it is empty, it overrides any previously set user message.
4285 "log_message" is a non-user message, and it adds to any existing non-user
4286 message that is already set.
4288 Most verbs have but a single return for which the messages are relevant, but
4289 for "discard", it's useful to have the log message both when it succeeds and
4290 when it fails. For "accept", the message is used in the OK case if there is no
4291 "endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
4294 if (*epp && rc == OK) user_message = NULL;
4296 if ((BIT(rc) & msgcond[verb]) != 0)
4299 uschar *old_user_msgptr = *user_msgptr;
4300 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
4302 /* If the verb is "warn", messages generated by conditions (verification or
4303 nested ACLs) are always discarded. This also happens for acceptance verbs
4304 when they actually do accept. Only messages specified at this level are used.
4305 However, the value of an existing message is available in $acl_verify_message
4306 during expansions. */
4308 if (verb == ACL_WARN ||
4309 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
4310 *log_msgptr = *user_msgptr = NULL;
4314 acl_verify_message = old_user_msgptr;
4315 expmessage = expand_string(user_message);
4318 if (!f.expand_string_forcedfail)
4319 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
4320 user_message, expand_string_message);
4322 else if (expmessage[0] != 0) *user_msgptr = expmessage;
4327 acl_verify_message = old_log_msgptr;
4328 expmessage = expand_string(log_message);
4331 if (!f.expand_string_forcedfail)
4332 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
4333 log_message, expand_string_message);
4335 else if (expmessage[0] != 0)
4337 *log_msgptr = (*log_msgptr == NULL)? expmessage :
4338 string_sprintf("%s: %s", expmessage, *log_msgptr);
4342 /* If no log message, default it to the user message */
4344 if (!*log_msgptr) *log_msgptr = *user_msgptr;
4347 acl_verify_message = NULL;
4355 /*************************************************
4356 * Get line from a literal ACL *
4357 *************************************************/
4359 /* This function is passed to acl_read() in order to extract individual lines
4360 of a literal ACL, which we access via static pointers. We can destroy the
4361 contents because this is called only once (the compiled ACL is remembered).
4363 This code is intended to treat the data in the same way as lines in the main
4364 Exim configuration file. That is:
4366 . Leading spaces are ignored.
4368 . A \ at the end of a line is a continuation - trailing spaces after the \
4369 are permitted (this is because I don't believe in making invisible things
4370 significant). Leading spaces on the continued part of a line are ignored.
4372 . Physical lines starting (significantly) with # are totally ignored, and
4373 may appear within a sequence of backslash-continued lines.
4375 . Blank lines are ignored, but will end a sequence of continuations.
4378 Returns: a pointer to the next line
4382 static uschar *acl_text; /* Current pointer in the text */
4383 static uschar *acl_text_end; /* Points one past the terminating '0' */
4391 /* This loop handles leading blank lines and comments. */
4395 Uskip_whitespace(&acl_text); /* Leading spaces/empty lines */
4396 if (!*acl_text) return NULL; /* No more data */
4397 yield = acl_text; /* Potential data line */
4399 while (*acl_text && *acl_text != '\n') acl_text++;
4401 /* If we hit the end before a newline, we have the whole logical line. If
4402 it's a comment, there's no more data to be given. Otherwise, yield it. */
4404 if (!*acl_text) return *yield == '#' ? NULL : yield;
4406 /* After reaching a newline, end this loop if the physical line does not
4407 start with '#'. If it does, it's a comment, and the loop continues. */
4409 if (*yield != '#') break;
4412 /* This loop handles continuations. We know we have some real data, ending in
4413 newline. See if there is a continuation marker at the end (ignoring trailing
4414 white space). We know that *yield is not white space, so no need to test for
4415 cont > yield in the backwards scanning loop. */
4420 for (cont = acl_text - 1; isspace(*cont); cont--);
4422 /* If no continuation follows, we are done. Mark the end of the line and
4431 /* We have encountered a continuation. Skip over whitespace at the start of
4432 the next line, and indeed the whole of the next line or lines if they are
4437 while (*(++acl_text) == ' ' || *acl_text == '\t');
4438 if (*acl_text != '#') break;
4439 while (*(++acl_text) != 0 && *acl_text != '\n');
4442 /* We have the start of a continuation line. Move all the rest of the data
4443 to join onto the previous line, and then find its end. If the end is not a
4444 newline, we are done. Otherwise loop to look for another continuation. */
4446 memmove(cont, acl_text, acl_text_end - acl_text);
4447 acl_text_end -= acl_text - cont;
4449 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
4450 if (*acl_text == 0) return yield;
4453 /* Control does not reach here */
4460 /************************************************/
4461 /* For error messages, a string describing the config location
4462 associated with current processing. NULL if not in an ACL. */
4465 acl_current_verb(void)
4467 if (acl_current) return string_sprintf(" (ACL %s, %s %d)",
4468 verbs[acl_current->verb], acl_current->srcfile, acl_current->srcline);
4472 /*************************************************
4473 * Check access using an ACL *
4474 *************************************************/
4476 /* This function is called from address_check. It may recurse via
4477 acl_check_condition() - hence the use of a level to stop looping. The ACL is
4478 passed as a string which is expanded. A forced failure implies no access check
4479 is required. If the result is a single word, it is taken as the name of an ACL
4480 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
4481 text, complete with newlines, and parsed as such. In both cases, the ACL check
4482 is then run. This function uses an auxiliary function for acl_read() to call
4483 for reading individual lines of a literal ACL. This is acl_getline(), which
4484 appears immediately above.
4487 where where called from
4488 addr address item when called from RCPT; otherwise NULL
4489 s the input string; NULL is the same as an empty ACL => DENY
4490 user_msgptr where to put a user error (for SMTP response)
4491 log_msgptr where to put a logging message (not for SMTP response)
4493 Returns: OK access is granted
4494 DISCARD access is apparently granted...
4495 FAIL access is denied
4496 FAIL_DROP access is denied; drop the connection
4497 DEFER can't tell at the moment
4502 acl_check_internal(int where, address_item *addr, uschar *s,
4503 uschar **user_msgptr, uschar **log_msgptr)
4506 acl_block *acl = NULL;
4507 uschar *acl_name = US"inline ACL";
4510 /* Catch configuration loops */
4514 *log_msgptr = US"ACL nested too deep: possible loop";
4520 HDEBUG(D_acl) debug_printf_indent("ACL is NULL: implicit DENY\n");
4524 /* At top level, we expand the incoming string. At lower levels, it has already
4525 been expanded as part of condition processing. */
4529 else if (!(ss = expand_string(s)))
4531 if (f.expand_string_forcedfail) return OK;
4532 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
4533 expand_string_message);
4537 Uskip_whitespace(&ss);
4539 /* If we can't find a named ACL, the default is to parse it as an inline one.
4540 (Unless it begins with a slash; non-existent files give rise to an error.) */
4544 if (is_tainted(acl_text) && !f.running_in_test_harness)
4546 log_write(0, LOG_MAIN|LOG_PANIC,
4547 "attempt to use tainted ACL text \"%s\"", acl_text);
4548 /* Avoid leaking info to an attacker */
4549 *log_msgptr = US"internal configuration error";
4553 /* Handle the case of a string that does not contain any spaces. Look for a
4554 named ACL among those read from the configuration, or a previously read file.
4555 It is possible that the pointer to the ACL is NULL if the configuration
4556 contains a name with no data. If not found, and the text begins with '/',
4557 read an ACL from a file, and save it so it can be re-used. */
4559 if (Ustrchr(ss, ' ') == NULL)
4561 tree_node * t = tree_search(acl_anchor, ss);
4564 if (!(acl = (acl_block *)(t->data.ptr)))
4566 HDEBUG(D_acl) debug_printf_indent("ACL \"%s\" is empty: implicit DENY\n", ss);
4569 acl_name = string_sprintf("ACL \"%s\"", ss);
4570 HDEBUG(D_acl) debug_printf_indent("using ACL \"%s\"\n", ss);
4573 else if (*ss == '/')
4575 struct stat statbuf;
4576 if ((fd = Uopen(ss, O_RDONLY, 0)) < 0)
4578 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
4582 if (fstat(fd, &statbuf) != 0)
4584 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
4589 /* If the string being used as a filename is tainted, so is the file content */
4590 acl_text = store_get(statbuf.st_size + 1, ss);
4591 acl_text_end = acl_text + statbuf.st_size + 1;
4593 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
4595 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
4596 ss, strerror(errno));
4599 acl_text[statbuf.st_size] = 0;
4602 acl_name = string_sprintf("ACL \"%s\"", ss);
4603 HDEBUG(D_acl) debug_printf_indent("read ACL from file %s\n", ss);
4607 /* Parse an ACL that is still in text form. If it came from a file, remember it
4608 in the ACL tree, having read it into the POOL_PERM store pool so that it
4609 persists between multiple messages. */
4613 int old_pool = store_pool;
4614 if (fd >= 0) store_pool = POOL_PERM;
4615 acl = acl_read(acl_getline, log_msgptr);
4616 store_pool = old_pool;
4617 if (!acl && *log_msgptr) return ERROR;
4620 tree_node * t = store_get_perm(sizeof(tree_node) + Ustrlen(ss), ss);
4621 Ustrcpy(t->name, ss);
4623 (void)tree_insertnode(&acl_anchor, t);
4627 /* Now we have an ACL to use. It's possible it may be NULL. */
4629 while ((acl_current = acl))
4632 int basic_errno = 0;
4633 BOOL endpass_seen = FALSE;
4634 BOOL acl_quit_check = acl_level == 0
4635 && (where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT);
4637 *log_msgptr = *user_msgptr = NULL;
4638 f.acl_temp_details = FALSE;
4640 HDEBUG(D_acl) debug_printf_indent("processing \"%s\" (%s %d)\n",
4641 verbs[acl->verb], acl->srcfile, acl->srcline);
4643 /* Clear out any search error message from a previous check before testing
4646 search_error_message = NULL;
4647 cond = acl_check_condition(acl->verb, acl->condition, where, addr, acl_level,
4648 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
4650 /* Handle special returns: DEFER causes a return except on a WARN verb;
4651 ERROR always causes a return. */
4656 HDEBUG(D_acl) debug_printf_indent("%s: condition test deferred in %s\n",
4657 verbs[acl->verb], acl_name);
4658 if (basic_errno != ERRNO_CALLOUTDEFER)
4660 if (search_error_message && *search_error_message)
4661 *log_msgptr = search_error_message;
4662 if (smtp_return_error_details) f.acl_temp_details = TRUE;
4665 f.acl_temp_details = TRUE;
4666 if (acl->verb != ACL_WARN) return DEFER;
4669 default: /* Paranoia */
4671 HDEBUG(D_acl) debug_printf_indent("%s: condition test error in %s\n",
4672 verbs[acl->verb], acl_name);
4676 HDEBUG(D_acl) debug_printf_indent("%s: condition test succeeded in %s\n",
4677 verbs[acl->verb], acl_name);
4681 HDEBUG(D_acl) debug_printf_indent("%s: condition test failed in %s\n",
4682 verbs[acl->verb], acl_name);
4685 /* DISCARD and DROP can happen only from a nested ACL condition, and
4686 DISCARD can happen only for an "accept" or "discard" verb. */
4689 HDEBUG(D_acl) debug_printf_indent("%s: condition test yielded \"discard\" in %s\n",
4690 verbs[acl->verb], acl_name);
4694 HDEBUG(D_acl) debug_printf_indent("%s: condition test yielded \"drop\" in %s\n",
4695 verbs[acl->verb], acl_name);
4699 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
4700 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
4701 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
4706 if (cond == OK || cond == DISCARD)
4708 HDEBUG(D_acl) debug_printf_indent("end of %s: ACCEPT\n", acl_name);
4713 HDEBUG(D_acl) debug_printf_indent("accept: endpass encountered - denying access\n");
4721 HDEBUG(D_acl) debug_printf_indent("end of %s: DEFER\n", acl_name);
4722 if (acl_quit_check) goto badquit;
4723 f.acl_temp_details = TRUE;
4731 HDEBUG(D_acl) debug_printf_indent("end of %s: DENY\n", acl_name);
4732 if (acl_quit_check) goto badquit;
4738 if (cond == OK || cond == DISCARD)
4740 HDEBUG(D_acl) debug_printf_indent("end of %s: DISCARD\n", acl_name);
4741 if (acl_quit_check) goto badquit;
4747 debug_printf_indent("discard: endpass encountered - denying access\n");
4755 HDEBUG(D_acl) debug_printf_indent("end of %s: DROP\n", acl_name);
4756 if (acl_quit_check) goto badquit;
4764 HDEBUG(D_acl) debug_printf_indent("end of %s: not OK\n", acl_name);
4765 if (acl_quit_check) goto badquit;
4772 acl_warn(where, *user_msgptr, *log_msgptr);
4773 else if (cond == DEFER && LOGGING(acl_warn_skipped))
4774 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
4775 "condition test deferred%s%s", host_and_ident(TRUE),
4776 *log_msgptr ? US": " : US"",
4777 *log_msgptr ? *log_msgptr : US"");
4778 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
4782 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
4787 /* Pass to the next ACL item */
4792 /* We have reached the end of the ACL. This is an implicit DENY. */
4794 HDEBUG(D_acl) debug_printf_indent("end of %s: implicit DENY\n", acl_name);
4798 *log_msgptr = string_sprintf("QUIT or not-QUIT toplevel ACL may not fail "
4799 "('%s' verb used incorrectly)", verbs[acl->verb]);
4806 /* Same args as acl_check_internal() above, but the string s is
4807 the name of an ACL followed optionally by up to 9 space-separated arguments.
4808 The name and args are separately expanded. Args go into $acl_arg globals. */
4810 acl_check_wargs(int where, address_item *addr, const uschar *s,
4811 uschar **user_msgptr, uschar **log_msgptr)
4814 uschar * tmp_arg[9]; /* must match acl_arg[] */
4815 uschar * sav_arg[9]; /* must match acl_arg[] */
4821 if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
4824 for (i = 0; i < 9; i++)
4826 if (!Uskip_whitespace(&s))
4828 if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
4835 sav_narg = acl_narg;
4837 for (i = 0; i < acl_narg; i++)
4839 sav_arg[i] = acl_arg[i];
4840 acl_arg[i] = tmp_arg[i];
4844 sav_arg[i] = acl_arg[i];
4845 acl_arg[i++] = NULL;
4849 ret = acl_check_internal(where, addr, name, user_msgptr, log_msgptr);
4852 acl_narg = sav_narg;
4853 for (i = 0; i < 9; i++) acl_arg[i] = sav_arg[i];
4857 if (f.expand_string_forcedfail) return ERROR;
4858 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
4859 tmp, expand_string_message);
4860 return f.search_find_defer ? DEFER : ERROR;
4865 /*************************************************
4866 * Check access using an ACL *
4867 *************************************************/
4869 /* Alternate interface for ACL, used by expansions */
4871 acl_eval(int where, uschar *s, uschar **user_msgptr, uschar **log_msgptr)
4874 address_item *addr = NULL;
4877 *user_msgptr = *log_msgptr = NULL;
4878 sender_verified_failed = NULL;
4879 ratelimiters_cmd = NULL;
4880 log_reject_target = LOG_MAIN|LOG_REJECT;
4882 if (where == ACL_WHERE_RCPT)
4884 adb = address_defaults;
4886 addr->address = expand_string(US"$local_part@$domain");
4887 addr->domain = deliver_domain;
4888 addr->local_part = deliver_localpart;
4889 addr->cc_local_part = deliver_localpart;
4890 addr->lc_local_part = deliver_localpart;
4894 rc = acl_check_internal(where, addr, s, user_msgptr, log_msgptr);
4901 /* This is the external interface for ACL checks. It sets up an address and the
4902 expansions for $domain and $local_part when called after RCPT, then calls
4903 acl_check_internal() to do the actual work.
4906 where ACL_WHERE_xxxx indicating where called from
4907 recipient RCPT address for RCPT check, else NULL
4908 s the input string; NULL is the same as an empty ACL => DENY
4909 user_msgptr where to put a user error (for SMTP response)
4910 log_msgptr where to put a logging message (not for SMTP response)
4912 Returns: OK access is granted by an ACCEPT verb
4913 DISCARD access is granted by a DISCARD verb
4914 FAIL access is denied
4915 FAIL_DROP access is denied; drop the connection
4916 DEFER can't tell at the moment
4919 int acl_where = ACL_WHERE_UNKNOWN;
4922 acl_check(int where, const uschar * recipient, uschar * s,
4923 uschar ** user_msgptr, uschar ** log_msgptr)
4927 address_item *addr = NULL;
4929 *user_msgptr = *log_msgptr = NULL;
4930 sender_verified_failed = NULL;
4931 ratelimiters_cmd = NULL;
4932 log_reject_target = LOG_MAIN|LOG_REJECT;
4934 #ifndef DISABLE_PRDR
4935 if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY || where==ACL_WHERE_PRDR)
4937 if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY)
4940 adb = address_defaults;
4942 addr->address = recipient;
4943 if (deliver_split_address(addr) == DEFER)
4945 *log_msgptr = US"defer in percent_hack_domains check";
4949 if ((addr->prop.utf8_msg = message_smtputf8))
4951 addr->prop.utf8_downcvt = message_utf8_downconvert == 1;
4952 addr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
4955 deliver_domain = addr->domain;
4956 deliver_localpart = addr->local_part;
4961 rc = acl_check_internal(where, addr, s, user_msgptr, log_msgptr);
4963 acl_where = ACL_WHERE_UNKNOWN;
4965 /* Cutthrough - if requested,
4966 and WHERE_RCPT and not yet opened conn as result of recipient-verify,
4967 and rcpt acl returned accept,
4968 and first recipient (cancel on any subsequents)
4969 open one now and run it up to RCPT acceptance.
4970 A failed verify should cancel cutthrough request,
4971 and will pass the fail to the originator.
4972 Initial implementation: dual-write to spool.
4973 Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
4975 Cease cutthrough copy on rxd final dot; do not send one.
4977 On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
4979 On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
4980 perm-rejected, reflect that to the original sender - and dump the spooled copy.
4981 If temp-reject, close the conn (and keep the spooled copy).
4982 If conn-failure, no action (and keep the spooled copy).
4986 case ACL_WHERE_RCPT:
4987 #ifndef DISABLE_PRDR
4988 case ACL_WHERE_PRDR:
4991 if (f.host_checking_callout) /* -bhc mode */
4992 cancel_cutthrough_connection(TRUE, US"host-checking mode");
4995 && cutthrough.delivery
4996 && rcpt_count > cutthrough.nrcpt
4999 if ((rc = open_cutthrough_connection(addr)) == DEFER)
5000 if (cutthrough.defer_pass)
5002 uschar * s = addr->message;
5003 /* Horrid kludge to recover target's SMTP message */
5005 do --s; while (!isdigit(*s));
5006 if (*--s && isdigit(*s) && *--s && isdigit(*s)) *user_msgptr = s;
5007 f.acl_temp_details = TRUE;
5011 HDEBUG(D_acl) debug_printf_indent("cutthrough defer; will spool\n");
5015 else HDEBUG(D_acl) if (cutthrough.delivery)
5016 if (rcpt_count <= cutthrough.nrcpt)
5017 debug_printf_indent("ignore cutthrough request; nonfirst message\n");
5019 debug_printf_indent("ignore cutthrough request; ACL did not accept\n");
5022 case ACL_WHERE_PREDATA:
5024 cutthrough_predata();
5026 cancel_cutthrough_connection(TRUE, US"predata acl not ok");
5029 case ACL_WHERE_QUIT:
5030 case ACL_WHERE_NOTQUIT:
5031 /* Drop cutthrough conns, and drop heldopen verify conns if
5032 the previous was not DATA */
5035 smtp_connection_had[SMTP_HBUFF_PREV(SMTP_HBUFF_PREV(smtp_ch_index))];
5036 BOOL dropverify = !(prev == SCH_DATA || prev == SCH_BDAT);
5038 cancel_cutthrough_connection(dropverify, US"quit or conndrop");
5046 deliver_domain = deliver_localpart = deliver_address_data =
5047 deliver_domain_data = sender_address_data = NULL;
5049 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
5050 ACL, which is really in the middle of an SMTP command. */
5054 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
5056 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
5057 "ACL", acl_wherenames[where]);
5063 /* A DROP response is not permitted from MAILAUTH */
5065 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
5067 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
5068 "ACL", acl_wherenames[where]);
5072 /* Before giving a response, take a look at the length of any user message, and
5073 split it up into multiple lines if possible. */
5075 *user_msgptr = string_split_message(*user_msgptr);
5076 if (fake_response != OK)
5077 fake_response_text = string_split_message(fake_response_text);
5083 /*************************************************
5084 * Create ACL variable *
5085 *************************************************/
5087 /* Create an ACL variable or reuse an existing one. ACL variables are in a
5088 binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
5091 name pointer to the variable's name, starting with c or m
5093 Returns the pointer to variable's tree node
5097 acl_var_create(uschar * name)
5099 tree_node * node, ** root = name[0] == 'c' ? &acl_var_c : &acl_var_m;
5100 if (!(node = tree_search(*root, name)))
5102 node = store_get(sizeof(tree_node) + Ustrlen(name), name);
5103 Ustrcpy(node->name, name);
5104 (void)tree_insertnode(root, node);
5106 node->data.ptr = NULL;
5112 /*************************************************
5113 * Write an ACL variable in spool format *
5114 *************************************************/
5116 /* This function is used as a callback for tree_walk when writing variables to
5117 the spool file. To retain spool file compatibility, what is written is -aclc or
5118 -aclm followed by the rest of the name and the data length, space separated,
5119 then the value itself, starting on a new line, and terminated by an additional
5120 newline. When we had only numbered ACL variables, the first line might look
5121 like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
5125 name of the variable
5126 value of the variable
5127 ctx FILE pointer (as a void pointer)
5133 acl_var_write(uschar * name, uschar * value, void * ctx)
5135 FILE * f = (FILE *)ctx;
5137 if (is_tainted(value))
5139 const uschar * quoter_name;
5141 (void) quoter_for_address(value, "er_name);
5143 fprintf(f, "(%s)", quoter_name);
5145 fprintf(f, "acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
5152 acl_standalone_setvar(const uschar * s, BOOL taint)
5154 acl_condition_block * cond = store_get(sizeof(acl_condition_block), GET_UNTAINTED);
5155 uschar * errstr = NULL, * log_msg = NULL;
5160 cond->type = ACLC_SET;
5161 if (!acl_varname_to_cond(&s, cond, &errstr)) return errstr;
5162 if (!acl_data_to_cond(s, cond, US"'-be'", taint, &errstr)) return errstr;
5164 if (acl_check_condition(ACL_WARN, cond, ACL_WHERE_UNKNOWN,
5165 NULL, 0, &endpass_seen, &errstr, &log_msg, &e) != OK)
5166 return string_sprintf("oops: %s", errstr);
5167 return string_sprintf("variable %s set", cond->u.varname);
5171 #endif /* !MACRO_PREDEF */