1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2024 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Code for handling Access Control Lists (ACLs) */
16 /* Default callout timeout */
18 #define CALLOUT_TIMEOUT_DEFAULT 30
20 /* Default quota cache TTLs */
22 #define QUOTA_POS_DEFAULT (5*60)
23 #define QUOTA_NEG_DEFAULT (60*60)
26 /* ACL verb codes - keep in step with the table of verbs that follows */
28 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
33 static uschar *verbs[] = {
34 [ACL_ACCEPT] = US"accept",
35 [ACL_DEFER] = US"defer",
36 [ACL_DENY] = US"deny",
37 [ACL_DISCARD] = US"discard",
38 [ACL_DROP] = US"drop",
39 [ACL_REQUIRE] = US"require",
43 /* For each verb, the conditions for which "message" or "log_message" are used
44 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
45 "accept", the FAIL case is used only after "endpass", but that is selected in
48 static int msgcond[] = {
49 [ACL_ACCEPT] = BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
50 [ACL_DEFER] = BIT(OK),
52 [ACL_DISCARD] = BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
54 [ACL_REQUIRE] = BIT(FAIL) | BIT(FAIL_DROP),
60 /* ACL condition and modifier codes */
66 #ifdef EXPERIMENTAL_BRIGHTMAIL
72 #ifdef EXPERIMENTAL_DCC
75 #ifdef WITH_CONTENT_SCAN
93 ACLC_LOG_REJECT_TARGET,
95 #ifdef WITH_CONTENT_SCAN
99 #ifdef WITH_CONTENT_SCAN
105 #ifdef WITH_CONTENT_SCAN
113 #ifdef WITH_CONTENT_SCAN
124 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
125 "message", "log_message", "log_reject_target", "logwrite", "queue" and "set" are
126 modifiers that look like conditions but always return TRUE. They are used for
127 their side effects. Do not invent new modifier names that result in one name
128 being the prefix of another; the binary-search in the list will go wrong. */
130 typedef struct condition_def {
133 /* Flags for actions or checks to do during readconf for this condition */
135 #define ACD_EXP BIT(0) /* do expansion at outer level*/
136 #define ACD_MOD BIT(1) /* is a modifier */
137 #define ACD_LOAD BIT(2) /* supported by a dynamic-load module */
139 /* Bit map vector of which conditions and modifiers are not allowed at certain
140 times. For each condition and modifier, there's a bitmap of dis-allowed times.
141 For some, it is easier to specify the negation of a small number of allowed
144 #define FORBIDDEN(times) (times)
145 #define PERMITTED(times) ((unsigned) ~(times))
149 static condition_def conditions[] = {
150 [ACLC_ACL] = { US"acl", 0,
153 [ACLC_ADD_HEADER] = { US"add_header", ACD_EXP | ACD_MOD,
154 PERMITTED(ACL_BIT_MAIL | ACL_BIT_RCPT |
155 ACL_BIT_PREDATA | ACL_BIT_DATA |
157 ACL_BIT_MIME | ACL_BIT_NOTSMTP |
159 ACL_BIT_NOTSMTP_START),
162 [ACLC_ATRN_DOMAINS] = { US"atrn_domains", ACD_EXP,
163 PERMITTED(ACL_BIT_ATRN)
166 [ACLC_AUTHENTICATED] = { US"authenticated", 0,
167 FORBIDDEN(ACL_BIT_NOTSMTP |
168 ACL_BIT_NOTSMTP_START |
169 ACL_BIT_CONNECT | ACL_BIT_HELO),
171 #ifdef EXPERIMENTAL_BRIGHTMAIL
172 [ACLC_BMI_OPTIN] = { US"bmi_optin", ACD_EXP | ACD_MOD,
173 FORBIDDEN(ACL_BIT_AUTH |
174 ACL_BIT_CONNECT | ACL_BIT_HELO |
175 ACL_BIT_DATA | ACL_BIT_MIME |
177 ACL_BIT_ETRN | ACL_BIT_EXPN |
179 ACL_BIT_MAIL | ACL_BIT_STARTTLS |
180 ACL_BIT_VRFY | ACL_BIT_PREDATA |
181 ACL_BIT_NOTSMTP_START),
184 [ACLC_CONDITION] = { US"condition", ACD_EXP,
186 [ACLC_CONTINUE] = { US"continue", ACD_EXP | ACD_MOD,
189 /* Certain types of control are always allowed, so we let it through
190 always and check in the control processing itself. */
191 [ACLC_CONTROL] = { US"control", ACD_EXP | ACD_MOD,
194 #ifdef EXPERIMENTAL_DCC
195 [ACLC_DCC] = { US"dcc", ACD_EXP,
196 PERMITTED(ACL_BIT_DATA |
201 #ifdef WITH_CONTENT_SCAN
202 [ACLC_DECODE] = { US"decode", ACD_EXP,
203 PERMITTED(ACL_BIT_MIME) },
206 [ACLC_DELAY] = { US"delay", ACD_EXP | ACD_MOD,
207 FORBIDDEN(ACL_BIT_NOTQUIT) },
209 [ACLC_DKIM_SIGNER] = { US"dkim_signers",
214 PERMITTED(ACL_BIT_DKIM) },
215 [ACLC_DKIM_STATUS] = { US"dkim_status",
220 PERMITTED(ACL_BIT_DKIM | ACL_BIT_DATA | ACL_BIT_MIME
226 [ACLC_DMARC_STATUS] = { US"dmarc_status",
227 # if SUPPORT_DMARC==2
231 PERMITTED(ACL_BIT_DATA) },
234 /* Explicit key lookups can be made in non-smtp ACLs so pass
235 always and check in the verify processing itself. */
236 [ACLC_DNSLISTS] = { US"dnslists", 0,
239 [ACLC_DOMAINS] = { US"domains", 0,
240 PERMITTED(ACL_BIT_RCPT | ACL_BIT_VRFY
244 [ACLC_ENCRYPTED] = { US"encrypted", 0,
245 FORBIDDEN(ACL_BIT_NOTSMTP |
246 ACL_BIT_NOTSMTP_START | ACL_BIT_CONNECT)
249 [ACLC_ENDPASS] = { US"endpass", ACD_EXP | ACD_MOD,
252 [ACLC_HOSTS] = { US"hosts", 0,
253 FORBIDDEN(ACL_BIT_NOTSMTP |
254 ACL_BIT_NOTSMTP_START),
256 [ACLC_LOCAL_PARTS] = { US"local_parts", 0,
257 PERMITTED(ACL_BIT_RCPT | ACL_BIT_VRFY
262 [ACLC_LOG_MESSAGE] = { US"log_message", ACD_EXP | ACD_MOD,
264 [ACLC_LOG_REJECT_TARGET] = { US"log_reject_target", ACD_EXP | ACD_MOD,
266 [ACLC_LOGWRITE] = { US"logwrite", ACD_EXP | ACD_MOD,
269 #ifdef WITH_CONTENT_SCAN
270 [ACLC_MALWARE] = { US"malware", ACD_EXP,
271 PERMITTED(ACL_BIT_DATA |
277 [ACLC_MESSAGE] = { US"message", ACD_EXP | ACD_MOD,
279 #ifdef WITH_CONTENT_SCAN
280 [ACLC_MIME_REGEX] = { US"mime_regex", ACD_EXP,
281 PERMITTED(ACL_BIT_MIME) },
284 [ACLC_QUEUE] = { US"queue", ACD_EXP | ACD_MOD,
285 FORBIDDEN(ACL_BIT_NOTSMTP |
290 [ACLC_RATELIMIT] = { US"ratelimit", ACD_EXP,
292 [ACLC_RECIPIENTS] = { US"recipients", 0,
293 PERMITTED(ACL_BIT_RCPT) },
295 #ifdef WITH_CONTENT_SCAN
296 [ACLC_REGEX] = { US"regex", ACD_EXP,
297 PERMITTED(ACL_BIT_DATA |
304 [ACLC_REMOVE_HEADER] = { US"remove_header", ACD_EXP | ACD_MOD,
305 PERMITTED(ACL_BIT_MAIL|ACL_BIT_RCPT |
306 ACL_BIT_PREDATA | ACL_BIT_DATA |
308 ACL_BIT_MIME | ACL_BIT_NOTSMTP |
309 ACL_BIT_NOTSMTP_START),
311 [ACLC_SEEN] = { US"seen", ACD_EXP,
313 [ACLC_SENDER_DOMAINS] = { US"sender_domains", 0,
314 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
316 ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
317 ACL_BIT_ETRN | ACL_BIT_EXPN |
318 ACL_BIT_STARTTLS | ACL_BIT_VRFY),
320 [ACLC_SENDERS] = { US"senders", 0,
321 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
323 ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
324 ACL_BIT_ETRN | ACL_BIT_EXPN |
325 ACL_BIT_STARTTLS | ACL_BIT_VRFY),
328 [ACLC_SET] = { US"set", ACD_EXP | ACD_MOD,
331 #ifdef WITH_CONTENT_SCAN
332 [ACLC_SPAM] = { US"spam", ACD_EXP,
333 PERMITTED(ACL_BIT_DATA |
339 [ACLC_SPF] = { US"spf",
344 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
345 ACL_BIT_HELO | ACL_BIT_MAILAUTH |
346 ACL_BIT_ETRN | ACL_BIT_EXPN |
347 ACL_BIT_STARTTLS | ACL_BIT_VRFY |
348 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START),
350 [ACLC_SPF_GUESS] = { US"spf_guess",
355 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
356 ACL_BIT_HELO | ACL_BIT_MAILAUTH |
357 ACL_BIT_ETRN | ACL_BIT_EXPN |
358 ACL_BIT_STARTTLS | ACL_BIT_VRFY |
359 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START),
362 [ACLC_UDPSEND] = { US"udpsend", ACD_EXP | ACD_MOD,
365 /* Certain types of verify are always allowed, so we let it through
366 always and check in the verify function itself */
367 [ACLC_VERIFY] = { US"verify", ACD_EXP,
373 # include "macro_predef.h"
377 for (condition_def * c = conditions; c < conditions + nelem(conditions); c++)
379 uschar buf[64], * p, * s;
380 int n = sprintf(CS buf, "_ACL_%s_", c->flags & ACD_MOD ? "MOD" : "COND");
381 for (p = buf + n, s = c->name; *s; s++) *p++ = toupper(*s);
383 builtin_macro_create(buf);
388 /******************************************************************************/
392 /* These tables support loading of dynamic modules triggered by an ACL
393 condition use, spotted during readconf. See acl_read(). */
395 # ifdef LOOKUP_MODULE_DIR
396 typedef struct condition_module {
397 const uschar * mod_name; /* module for the givien conditions */
398 misc_module_info * info; /* NULL when not loaded */
399 const int * conditions; /* array of ACLC_*, -1 terminated */
403 static int spf_condx[] = { ACLC_SPF, ACLC_SPF_GUESS, -1 };
406 static int dkim_condx[] = { ACLC_DKIM_SIGNER, ACLC_DKIM_STATUS, -1 };
408 # if SUPPORT_DMARC==2
409 static int dmarc_condx[] = { ACLC_DMARC_STATUS, -1 };
412 /* These are modules which can be loaded on seeing an ACL condition
413 during readconf, The "arc" module is handled by custom coding. */
415 static condition_module condition_modules[] = {
417 {.mod_name = US"spf", .conditions = spf_condx},
420 {.mod_name = US"dkim", .conditions = dkim_condx},
422 # if SUPPORT_DMARC==2
423 {.mod_name = US"dmarc", .conditions = dmarc_condx},
427 # endif /*LOOKUP_MODULE_DIR*/
429 /****************************/
431 /* Return values from decode_control() */
434 CONTROL_AUTH_UNADVERTISED,
435 #ifdef EXPERIMENTAL_BRIGHTMAIL
438 CONTROL_CASEFUL_LOCAL_PART,
439 CONTROL_CASELOWER_LOCAL_PART,
440 CONTROL_CUTTHROUGH_DELIVERY,
446 CONTROL_DMARC_VERIFY,
447 CONTROL_DMARC_FORENSIC,
450 CONTROL_ENFORCE_SYNC,
451 CONTROL_ERROR, /* pseudo-value for decode errors */
456 CONTROL_NO_CALLOUT_FLUSH,
457 CONTROL_NO_DELAY_FLUSH,
458 CONTROL_NO_ENFORCE_SYNC,
459 #ifdef WITH_CONTENT_SCAN
460 CONTROL_NO_MBOX_UNSPOOL,
462 CONTROL_NO_MULTILINE,
463 CONTROL_NO_PIPELINING,
467 CONTROL_SUPPRESS_LOCAL_FIXUPS,
469 CONTROL_UTF8_DOWNCONVERT,
471 #ifndef DISABLE_WELLKNOWN
478 /* Structure listing various control arguments, with their characteristics.
479 For each control, there's a bitmap of dis-allowed times. For some, it is easier
480 to specify the negation of a small number of allowed times. */
482 typedef struct control_def {
484 BOOL has_option; /* Has /option(s) following */
485 unsigned forbids; /* bitmap of dis-allowed times */
488 static control_def controls_list[] = {
489 /* name has_option forbids */
490 [CONTROL_AUTH_UNADVERTISED] =
491 { US"allow_auth_unadvertised", FALSE,
493 ~(ACL_BIT_CONNECT | ACL_BIT_HELO)
495 #ifdef EXPERIMENTAL_BRIGHTMAIL
497 { US"bmi_run", FALSE, 0 },
499 [CONTROL_CASEFUL_LOCAL_PART] =
500 { US"caseful_local_part", FALSE, (unsigned) ~ACL_BIT_RCPT },
501 [CONTROL_CASELOWER_LOCAL_PART] =
502 { US"caselower_local_part", FALSE, (unsigned) ~ACL_BIT_RCPT },
503 [CONTROL_CUTTHROUGH_DELIVERY] =
504 { US"cutthrough_delivery", TRUE, 0 },
506 { US"debug", TRUE, 0 },
509 [CONTROL_DKIM_VERIFY] =
510 { US"dkim_disable_verify", FALSE,
511 ACL_BIT_DATA | ACL_BIT_NOTSMTP |
513 ACL_BIT_NOTSMTP_START
518 [CONTROL_DMARC_VERIFY] =
519 { US"dmarc_disable_verify", FALSE,
520 ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
522 [CONTROL_DMARC_FORENSIC] =
523 { US"dmarc_enable_forensic", FALSE,
524 ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
530 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START | ACL_BIT_NOTQUIT
532 [CONTROL_ENFORCE_SYNC] =
533 { US"enforce_sync", FALSE,
534 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
537 /* Pseudo-value for decode errors */
539 { US"error", FALSE, 0 },
541 [CONTROL_FAKEDEFER] =
542 { US"fakedefer", TRUE,
544 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
545 ACL_BIT_PREDATA | ACL_BIT_DATA |
549 [CONTROL_FAKEREJECT] =
550 { US"fakereject", TRUE,
552 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
553 ACL_BIT_PREDATA | ACL_BIT_DATA |
560 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
561 ACL_BIT_PREDATA | ACL_BIT_DATA |
562 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
563 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
566 [CONTROL_NO_CALLOUT_FLUSH] =
567 { US"no_callout_flush", FALSE,
568 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
570 [CONTROL_NO_DELAY_FLUSH] =
571 { US"no_delay_flush", FALSE,
572 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
575 [CONTROL_NO_ENFORCE_SYNC] =
576 { US"no_enforce_sync", FALSE,
577 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
579 #ifdef WITH_CONTENT_SCAN
580 [CONTROL_NO_MBOX_UNSPOOL] =
581 { US"no_mbox_unspool", FALSE,
583 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
584 ACL_BIT_PREDATA | ACL_BIT_DATA |
585 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
589 [CONTROL_NO_MULTILINE] =
590 { US"no_multiline_responses", FALSE,
591 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
593 [CONTROL_NO_PIPELINING] =
594 { US"no_pipelining", FALSE,
595 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
601 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
602 ACL_BIT_PREDATA | ACL_BIT_DATA |
603 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
604 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
607 [CONTROL_SUBMISSION] =
608 { US"submission", TRUE,
610 ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA)
612 [CONTROL_SUPPRESS_LOCAL_FIXUPS] =
613 { US"suppress_local_fixups", FALSE,
615 ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA |
616 ACL_BIT_NOTSMTP_START)
619 [CONTROL_UTF8_DOWNCONVERT] =
620 { US"utf8_downconvert", TRUE, (unsigned) ~(ACL_BIT_RCPT | ACL_BIT_VRFY)
623 #ifndef DISABLE_WELLKNOWN
624 [CONTROL_WELLKNOWN] =
625 { US"wellknown", TRUE, (unsigned) ~ACL_BIT_WELLKNOWN
630 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
631 caches its result in a tree to avoid repeated DNS queries. The result is an
632 integer code which is used as an index into the following tables of
633 explanatory strings and verification return codes. */
635 static tree_node *csa_cache = NULL;
637 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
638 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
640 /* The acl_verify_csa() return code is translated into an acl_verify() return
641 code using the following table. It is OK unless the client is definitely not
642 authorized. This is because CSA is supposed to be optional for sending sites,
643 so recipients should not be too strict about checking it - especially because
644 DNS problems are quite likely to occur. It's possible to use $csa_status in
645 further ACL conditions to distinguish ok, unknown, and defer if required, but
646 the aim is to make the usual configuration simple. */
648 static int csa_return_code[] = {
651 [CSA_DEFER_SRV] = OK,
652 [CSA_DEFER_ADDR] = OK,
653 [CSA_FAIL_EXPLICIT] = FAIL,
654 [CSA_FAIL_DOMAIN] = FAIL,
655 [CSA_FAIL_NOADDR] = FAIL,
656 [CSA_FAIL_MISMATCH] = FAIL
659 static uschar *csa_status_string[] = {
660 [CSA_UNKNOWN] = US"unknown",
662 [CSA_DEFER_SRV] = US"defer",
663 [CSA_DEFER_ADDR] = US"defer",
664 [CSA_FAIL_EXPLICIT] = US"fail",
665 [CSA_FAIL_DOMAIN] = US"fail",
666 [CSA_FAIL_NOADDR] = US"fail",
667 [CSA_FAIL_MISMATCH] = US"fail"
670 static uschar *csa_reason_string[] = {
671 [CSA_UNKNOWN] = US"unknown",
673 [CSA_DEFER_SRV] = US"deferred (SRV lookup failed)",
674 [CSA_DEFER_ADDR] = US"deferred (target address lookup failed)",
675 [CSA_FAIL_EXPLICIT] = US"failed (explicit authorization required)",
676 [CSA_FAIL_DOMAIN] = US"failed (host name not authorized)",
677 [CSA_FAIL_NOADDR] = US"failed (no authorized addresses)",
678 [CSA_FAIL_MISMATCH] = US"failed (client address mismatch)"
681 /* Options for the ratelimit condition. Note that there are two variants of
682 the per_rcpt option, depending on the ACL that is used to measure the rate.
683 However any ACL must be able to look up per_rcpt rates in /noupdate mode,
684 so the two variants must have the same internal representation as well as
685 the same configuration string. */
688 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
689 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
692 #define RATE_SET(var,new) \
693 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
695 static uschar *ratelimit_option_string[] = {
696 [RATE_PER_WHAT] = US"?",
697 [RATE_PER_CLASH] = US"!",
698 [RATE_PER_ADDR] = US"per_addr",
699 [RATE_PER_BYTE] = US"per_byte",
700 [RATE_PER_CMD] = US"per_cmd",
701 [RATE_PER_CONN] = US"per_conn",
702 [RATE_PER_MAIL] = US"per_mail",
703 [RATE_PER_RCPT] = US"per_rcpt",
704 [RATE_PER_ALLRCPTS] = US"per_rcpt"
707 /* Enable recursion between acl_check_internal() and acl_check_condition() */
709 static int acl_check_wargs(int, address_item *, const uschar *, uschar **,
712 static acl_block * acl_current = NULL;
715 /*************************************************
716 * Find control in list *
717 *************************************************/
719 /* The lists are always in order, so binary chop can be used.
722 name the control name to search for
723 ol the first entry in the control list
724 last one more than the offset of the last entry in the control list
726 Returns: index of a control entry, or -1 if not found
730 find_control(const uschar * name, control_def * ol, int last)
732 for (int first = 0; last > first; )
734 int middle = (first + last)/2;
735 uschar * s = ol[middle].name;
736 int c = Ustrncmp(name, s, Ustrlen(s));
737 if (c == 0) return middle;
738 else if (c > 0) first = middle + 1;
746 /*************************************************
747 * Pick out condition from list *
748 *************************************************/
750 /* Use a binary chop method
754 list list of conditions
757 Returns: offset in list, or -1 if not found
761 acl_findcondition(uschar * name, condition_def * list, int end)
763 for (int start = 0; start < end; )
765 int mid = (start + end)/2;
766 int c = Ustrcmp(name, list[mid].name);
767 if (c == 0) return mid;
768 if (c < 0) end = mid;
769 else start = mid + 1;
775 /*************************************************
776 * Pick out name from list *
777 *************************************************/
779 /* Use a binary chop method
786 Returns: offset in list, or -1 if not found
790 acl_checkname(uschar *name, uschar **list, int end)
792 for (int start = 0; start < end; )
794 int mid = (start + end)/2;
795 int c = Ustrcmp(name, list[mid]);
796 if (c == 0) return mid;
797 if (c < 0) end = mid; else start = mid + 1;
805 acl_varname_to_cond(const uschar ** sp, acl_condition_block * cond, uschar ** error)
807 const uschar * s = *sp, * endptr;
810 if ( Ustrncmp(s, "dkim_verify_status", 18) == 0
811 || Ustrncmp(s, "dkim_verify_reason", 18) == 0)
814 if (isalnum(*endptr))
816 *error = string_sprintf("invalid variable name after \"set\" in ACL "
817 "modifier \"set %s\" "
818 "(only \"dkim_verify_status\" or \"dkim_verify_reason\" permitted)",
822 cond->u.varname = string_copyn(s, 18);
827 if (Ustrncmp(s, "acl_c", 5) != 0 && Ustrncmp(s, "acl_m", 5) != 0)
829 *error = string_sprintf("invalid variable name after \"set\" in ACL "
830 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
835 if (!isdigit(*endptr) && *endptr != '_')
837 *error = string_sprintf("invalid variable name after \"set\" in ACL "
838 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
843 for ( ; *endptr && *endptr != '=' && !isspace(*endptr); endptr++)
844 if (!isalnum(*endptr) && *endptr != '_')
846 *error = string_sprintf("invalid character \"%c\" in variable name "
847 "in ACL modifier \"set %s\"", *endptr, s);
851 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
854 Uskip_whitespace(&s);
861 acl_data_to_cond(const uschar * s, acl_condition_block * cond,
862 const uschar * name, BOOL taint, uschar ** error)
866 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
867 conditions[cond->type].flags & ACD_MOD ? US"modifier" : US"condition");
870 Uskip_whitespace(&s);
871 cond->arg = taint ? string_copy_taint(s, GET_TAINTED) : string_copy(s);
876 /*************************************************
877 * Read and parse one ACL *
878 *************************************************/
880 /* This function is called both from readconf in order to parse the ACLs in the
881 configuration file, and also when an ACL is encountered dynamically (e.g. as
882 the result of an expansion). It is given a function to call in order to
883 retrieve the lines of the ACL. This function handles skipping comments and
884 blank lines (where relevant).
887 func function to get next line of ACL
888 error where to put an error message
890 Returns: pointer to ACL, or NULL
891 NULL can be legal (empty ACL); in this case error will be NULL
895 acl_read(uschar *(*func)(void), uschar **error)
897 acl_block *yield = NULL;
898 acl_block **lastp = &yield;
899 acl_block *this = NULL;
900 acl_condition_block *cond;
901 acl_condition_block **condp = NULL;
906 while ((s = (*func)()))
909 BOOL negated = FALSE;
910 const uschar * saveline = s;
911 uschar name[EXIM_DRIVERNAME_MAX];
913 /* Conditions (but not verbs) are allowed to be negated by an initial
916 if (Uskip_whitespace(&s) == '!')
922 /* Read the name of a verb or a condition, or the start of a new ACL, which
923 can be started by a name, or by a macro definition. */
925 s = readconf_readname(name, sizeof(name), s);
926 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
928 /* If a verb is unrecognized, it may be another condition or modifier that
929 continues the previous verb. */
931 if ((v = acl_checkname(name, verbs, nelem(verbs))) < 0)
933 if (!this) /* not handling a verb right now */
935 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
947 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
950 *lastp = this = store_get(sizeof(acl_block), GET_UNTAINTED);
953 this->condition = NULL;
955 this->srcline = config_lineno; /* for debug output */
956 this->srcfile = config_filename; /**/
957 condp = &this->condition;
958 if (!*s) continue; /* No condition on this line */
964 s = readconf_readname(name, sizeof(name), s); /* Condition name */
967 /* Handle a condition or modifier. */
969 if ((c = acl_findcondition(name, conditions, nelem(conditions))) < 0)
971 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
976 /* The modifiers may not be negated */
978 if (negated && conditions[c].flags & ACD_MOD)
980 *error = string_sprintf("ACL error: negation is not allowed with "
981 "\"%s\"", conditions[c].name);
985 /* ENDPASS may occur only with ACCEPT or DISCARD. */
987 if (c == ACLC_ENDPASS &&
988 this->verb != ACL_ACCEPT &&
989 this->verb != ACL_DISCARD)
991 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
992 conditions[c].name, verbs[this->verb]);
996 #ifdef LOOKUP_MODULE_DIR
997 if (conditions[c].flags & ACD_LOAD)
998 { /* a loadable module supports this condition */
999 condition_module * cm;
1002 /* Over the list of modules we support, check the list of ACL conditions
1003 each supports. This assumes no duplicates. */
1005 for (cm = condition_modules;
1006 cm < condition_modules + nelem(condition_modules); cm++)
1007 for (const int * cond = cm->conditions; *cond != -1; cond++)
1008 if (*cond == c) goto found;
1011 if (cm >= condition_modules + nelem(condition_modules))
1012 { /* shouldn't happen */
1013 *error = string_sprintf("ACL error: failed to locate support for '%s'",
1014 conditions[c].name);
1017 if ( !cm->info /* module not loaded */
1018 && !(cm->info = misc_mod_find(cm->mod_name, &t)))
1020 *error = string_sprintf("ACL error: failed to find module for '%s': %s",
1021 conditions[c].name, t);
1025 # ifdef EXPERIMENTAL_ARC
1026 else if (c == ACLC_VERIFY) /* Special handling for verify=arc; */
1027 { /* not invented a more general method yet- flag in verify_type_list? */
1028 const uschar * t = s;
1030 if ( *t++ == '=' && Uskip_whitespace(&t) && Ustrncmp(t, "arc", 3) == 0
1031 && !misc_mod_find(US"arc", &e))
1033 *error = string_sprintf("ACL error: failed to find module for '%s': %s",
1034 conditions[c].name, e);
1039 #endif /*LOOKUP_MODULE_DIR*/
1041 cond = store_get(sizeof(acl_condition_block), GET_UNTAINTED);
1044 cond->u.negated = negated;
1047 condp = &cond->next;
1049 /* The "set" modifier is different in that its argument is "name=value"
1050 rather than just a value, and we can check the validity of the name, which
1051 gives us a variable name to insert into the data block. The original ACL
1052 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
1053 extended to 20 of each type, but after that people successfully argued for
1054 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
1055 After that, we allow alphanumerics and underscores, but the first character
1056 after c or m must be a digit or an underscore. This retains backwards
1060 if (!acl_varname_to_cond(&s, cond, error)) return NULL;
1062 /* For "set", we are now positioned for the data. For the others, only
1063 "endpass" has no data */
1065 if (c != ACLC_ENDPASS)
1066 if (!acl_data_to_cond(s, cond, name, FALSE, error)) return NULL;
1074 /*************************************************
1075 * Set up added header line(s) *
1076 *************************************************/
1078 /* This function is called by the add_header modifier, and also from acl_warn()
1079 to implement the now-deprecated way of adding header lines using "message" on a
1080 "warn" verb. The argument is treated as a sequence of header lines which are
1081 added to a chain, provided there isn't an identical one already there.
1083 Argument: string of header lines
1088 setup_header(const uschar *hstring)
1090 const uschar *p, *q;
1091 int hlen = Ustrlen(hstring);
1093 /* Ignore any leading newlines */
1094 while (*hstring == '\n') hstring++, hlen--;
1096 /* An empty string does nothing; ensure exactly one final newline. */
1097 if (hlen <= 0) return;
1098 if (hstring[--hlen] != '\n') /* no newline */
1099 q = string_sprintf("%s\n", hstring);
1100 else if (hstring[hlen-1] == '\n') /* double newline */
1102 uschar * s = string_copy(hstring);
1103 while(s[--hlen] == '\n')
1110 /* Loop for multiple header lines, taking care about continuations */
1112 for (p = q; *p; p = q)
1116 int newtype = htype_add_bot;
1117 header_line **hptr = &acl_added_headers;
1119 /* Find next header line within the string */
1123 q = Ustrchr(q, '\n'); /* we know there was a newline */
1124 if (*++q != ' ' && *q != '\t') break;
1127 /* If the line starts with a colon, interpret the instruction for where to
1128 add it. This temporarily sets up a new type. */
1132 if (strncmpic(p, US":after_received:", 16) == 0)
1134 newtype = htype_add_rec;
1137 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1139 newtype = htype_add_rfc;
1142 else if (strncmpic(p, US":at_start:", 10) == 0)
1144 newtype = htype_add_top;
1147 else if (strncmpic(p, US":at_end:", 8) == 0)
1149 newtype = htype_add_bot;
1152 while (*p == ' ' || *p == '\t') p++;
1155 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1156 to the front of it. */
1158 for (s = p; s < q - 1; s++)
1159 if (*s == ':' || !isgraph(*s)) break;
1161 hdr = string_sprintf("%s%.*s", *s == ':' ? "" : "X-ACL-Warn: ", (int) (q - p), p);
1162 hlen = Ustrlen(hdr);
1164 /* See if this line has already been added */
1168 if (Ustrncmp((*hptr)->text, hdr, hlen) == 0) break;
1169 hptr = &(*hptr)->next;
1172 /* Add if not previously present */
1176 /* The header_line struct itself is not tainted, though it points to
1177 possibly tainted data. */
1178 header_line * h = store_get(sizeof(header_line), GET_UNTAINTED);
1191 /*************************************************
1192 * List the added header lines *
1193 *************************************************/
1199 for (header_line * h = acl_added_headers; h; h = h->next)
1202 if (h->text[i-1] == '\n') i--;
1203 g = string_append_listele_n(g, '\n', h->text, i);
1206 return string_from_gstring(g);
1210 /*************************************************
1211 * Set up removed header line(s) *
1212 *************************************************/
1214 /* This function is called by the remove_header modifier. The argument is
1215 treated as a sequence of header names which are added to a colon separated
1216 list, provided there isn't an identical one already there.
1218 Argument: string of header names
1223 setup_remove_header(const uschar *hnames)
1226 acl_removed_headers = acl_removed_headers
1227 ? string_sprintf("%s : %s", acl_removed_headers, hnames)
1228 : string_copy(hnames);
1233 /*************************************************
1235 *************************************************/
1237 /* This function is called when a WARN verb's conditions are true. It adds to
1238 the message's headers, and/or writes information to the log. In each case, this
1239 only happens once (per message for headers, per connection for log).
1241 ** NOTE: The header adding action using the "message" setting is historic, and
1242 its use is now deprecated. The new add_header modifier should be used instead.
1245 where ACL_WHERE_xxxx indicating which ACL this is
1246 user_message message for adding to headers
1247 log_message message for logging, if different
1253 acl_warn(int where, uschar * user_message, uschar * log_message)
1255 if (log_message && log_message != user_message)
1258 string_item *logged;
1260 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1261 string_printing(log_message));
1263 /* If a sender verification has failed, and the log message is "sender verify
1264 failed", add the failure message. */
1266 if ( sender_verified_failed
1267 && sender_verified_failed->message
1268 && strcmpic(log_message, US"sender verify failed") == 0)
1269 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1271 /* Search previously logged warnings. They are kept in malloc
1272 store so they can be freed at the start of a new message. */
1274 for (logged = acl_warn_logged; logged; logged = logged->next)
1275 if (Ustrcmp(logged->text, text) == 0) break;
1279 int length = Ustrlen(text) + 1;
1280 log_write(0, LOG_MAIN, "%s", text);
1281 logged = store_malloc(sizeof(string_item) + length);
1282 logged->text = US logged + sizeof(string_item);
1283 memcpy(logged->text, text, length);
1284 logged->next = acl_warn_logged;
1285 acl_warn_logged = logged;
1289 /* If there's no user message, we are done. */
1291 if (!user_message) return;
1293 /* If this isn't a message ACL, we can't do anything with a user message.
1296 if (where > ACL_WHERE_NOTSMTP)
1298 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1299 "found in a non-message (%s) ACL: cannot specify header lines here: "
1300 "message ignored", acl_wherenames[where]);
1304 /* The code for setting up header lines is now abstracted into a separate
1305 function so that it can be used for the add_header modifier as well. */
1307 setup_header(user_message);
1312 /*************************************************
1313 * Verify and check reverse DNS *
1314 *************************************************/
1316 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1317 address if this has not yet been done. The host_name_lookup() function checks
1318 that one of these names resolves to an address list that contains the client IP
1319 address, so we don't actually have to do the check here.
1322 user_msgptr pointer for user message
1323 log_msgptr pointer for log message
1325 Returns: OK verification condition succeeded
1326 FAIL verification failed
1327 DEFER there was a problem verifying
1331 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1335 /* Previous success */
1337 if (sender_host_name) return OK;
1339 /* Previous failure */
1341 if (host_lookup_failed)
1343 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1347 /* Need to do a lookup */
1350 debug_printf_indent("looking up host name to force name/address consistency check\n");
1352 if ((rc = host_name_lookup()) != OK)
1354 *log_msgptr = rc == DEFER
1355 ? US"host lookup deferred for reverse lookup check"
1356 : string_sprintf("host lookup failed for reverse lookup check%s",
1358 return rc; /* DEFER or FAIL */
1361 host_build_sender_fullhost();
1367 /*************************************************
1368 * Check client IP address matches CSA target *
1369 *************************************************/
1371 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1372 response for address records belonging to the CSA target hostname. The section
1373 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1374 If one of the addresses matches the client's IP address, then the client is
1375 authorized by CSA. If there are target IP addresses but none of them match
1376 then the client is using an unauthorized IP address. If there are no target IP
1377 addresses then the client cannot be using an authorized IP address. (This is
1378 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1381 dnsa the DNS answer block
1382 dnss a DNS scan block for us to use
1383 reset option specifying what portion to scan, as described above
1384 target the target hostname to use for matching RR names
1386 Returns: CSA_OK successfully authorized
1387 CSA_FAIL_MISMATCH addresses found but none matched
1388 CSA_FAIL_NOADDR no target addresses found
1392 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1395 int rc = CSA_FAIL_NOADDR;
1397 for (dns_record * rr = dns_next_rr(dnsa, dnss, reset);
1399 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1401 /* Check this is an address RR for the target hostname. */
1405 && rr->type != T_AAAA
1409 if (strcmpic(target, rr->name) != 0) continue;
1411 rc = CSA_FAIL_MISMATCH;
1413 /* Turn the target address RR into a list of textual IP addresses and scan
1414 the list. There may be more than one if it is an A6 RR. */
1416 for (dns_address * da = dns_address_from_rr(dnsa, rr); da; da = da->next)
1418 /* If the client IP address matches the target IP address, it's good! */
1420 DEBUG(D_acl) debug_printf_indent("CSA target address is %s\n", da->address);
1422 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1426 /* If we found some target addresses but none of them matched, the client is
1427 using an unauthorized IP address, otherwise the target has no authorized IP
1435 /*************************************************
1436 * Verify Client SMTP Authorization *
1437 *************************************************/
1439 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1440 to find the CSA SRV record corresponding to the domain argument, or
1441 $sender_helo_name if no argument is provided. It then checks that the
1442 client is authorized, and that its IP address corresponds to the SRV
1443 target's address by calling acl_verify_csa_address() above. The address
1444 should have been returned in the DNS response's ADDITIONAL section, but if
1445 not we perform another DNS lookup to get it.
1448 domain pointer to optional parameter following verify = csa
1450 Returns: CSA_UNKNOWN no valid CSA record found
1451 CSA_OK successfully authorized
1452 CSA_FAIL_* client is definitely not authorized
1453 CSA_DEFER_* there was a DNS problem
1457 acl_verify_csa(const uschar *domain)
1460 const uschar *found;
1461 int priority, weight, port;
1465 int rc, type, yield;
1466 #define TARGET_SIZE 256
1467 uschar * target = store_get(TARGET_SIZE, GET_TAINTED);
1469 /* Work out the domain we are using for the CSA lookup. The default is the
1470 client's HELO domain. If the client has not said HELO, use its IP address
1471 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1473 while (isspace(*domain) && *domain) ++domain;
1474 if (*domain == '\0') domain = sender_helo_name;
1475 if (!domain) domain = sender_host_address;
1476 if (!sender_host_address) return CSA_UNKNOWN;
1478 /* If we have an address literal, strip off the framing ready for turning it
1479 into a domain. The framing consists of matched square brackets possibly
1480 containing a keyword and a colon before the actual IP address. */
1482 if (domain[0] == '[')
1484 const uschar *start = Ustrchr(domain, ':');
1485 if (start == NULL) start = domain;
1486 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1489 /* Turn domains that look like bare IP addresses into domains in the reverse
1490 DNS. This code also deals with address literals and $sender_host_address. It's
1491 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1492 address literals, but it's probably the most friendly thing to do. This is an
1493 extension to CSA, so we allow it to be turned off for proper conformance. */
1495 if (string_is_ip_address(domain, NULL) != 0)
1497 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1498 domain = dns_build_reverse(domain);
1501 /* Find out if we've already done the CSA check for this domain. If we have,
1502 return the same result again. Otherwise build a new cached result structure
1503 for this domain. The name is filled in now, and the value is filled in when
1504 we return from this function. */
1506 if ((t = tree_search(csa_cache, domain)))
1509 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain), domain);
1510 Ustrcpy(t->name, domain);
1511 (void)tree_insertnode(&csa_cache, t);
1513 /* Now we are ready to do the actual DNS lookup(s). */
1516 dnsa = store_get_dns_answer();
1517 switch (dns_special_lookup(dnsa, domain, T_CSA, &found))
1519 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1522 yield = CSA_DEFER_SRV;
1525 /* If we found nothing, the client's authorization is unknown. */
1529 yield = CSA_UNKNOWN;
1532 /* We got something! Go on to look at the reply in more detail. */
1538 /* Scan the reply for well-formed CSA SRV records. */
1540 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1542 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_SRV)
1544 const uschar * p = rr->data;
1546 /* Extract the numerical SRV fields (p is incremented) */
1548 if (rr_bad_size(rr, 3 * sizeof(uint16_t))) continue;
1549 GETSHORT(priority, p);
1550 GETSHORT(weight, p);
1554 debug_printf_indent("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1556 /* Check the CSA version number */
1558 if (priority != 1) continue;
1560 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1561 found by dns_special_lookup() is a parent of the one we asked for), we check
1562 the subdomain assertions in the port field. At the moment there's only one
1563 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1564 SRV records of their own. */
1566 if (Ustrcmp(found, domain) != 0)
1568 yield = port & 1 ? CSA_FAIL_EXPLICIT : CSA_UNKNOWN;
1572 /* This CSA SRV record refers directly to our domain, so we check the value
1573 in the weight field to work out the domain's authorization. 0 and 1 are
1574 unauthorized; 3 means the client is authorized but we can't check the IP
1575 address in order to authenticate it, so we treat it as unknown; values
1576 greater than 3 are undefined. */
1580 yield = CSA_FAIL_DOMAIN;
1584 if (weight > 2) continue;
1586 /* Weight == 2, which means the domain is authorized. We must check that the
1587 client's IP address is listed as one of the SRV target addresses. Save the
1588 target hostname then break to scan the additional data for its addresses. */
1590 (void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
1591 (DN_EXPAND_ARG4_TYPE)target, TARGET_SIZE);
1593 DEBUG(D_acl) debug_printf_indent("CSA target is %s\n", target);
1598 /* If we didn't break the loop then no appropriate records were found. */
1602 yield = CSA_UNKNOWN;
1606 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1607 A target of "." indicates there are no valid addresses, so the client cannot
1608 be authorized. (This is an odd configuration because weight=2 target=. is
1609 equivalent to weight=1, but we check for it in order to keep load off the
1610 root name servers.) Note that dn_expand() turns "." into "". */
1612 if (Ustrcmp(target, "") == 0)
1614 yield = CSA_FAIL_NOADDR;
1618 /* Scan the additional section of the CSA SRV reply for addresses belonging
1619 to the target. If the name server didn't return any additional data (e.g.
1620 because it does not fully support SRV records), we need to do another lookup
1621 to obtain the target addresses; otherwise we have a definitive result. */
1623 rc = acl_verify_csa_address(dnsa, &dnss, RESET_ADDITIONAL, target);
1624 if (rc != CSA_FAIL_NOADDR)
1630 /* The DNS lookup type corresponds to the IP version used by the client. */
1633 if (Ustrchr(sender_host_address, ':') != NULL)
1636 #endif /* HAVE_IPV6 */
1640 lookup_dnssec_authenticated = NULL;
1641 switch (dns_lookup(dnsa, target, type, NULL))
1643 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1646 yield = CSA_DEFER_ADDR;
1649 /* If the query succeeded, scan the addresses and return the result. */
1652 rc = acl_verify_csa_address(dnsa, &dnss, RESET_ANSWERS, target);
1653 if (rc != CSA_FAIL_NOADDR)
1658 /* else fall through */
1660 /* If the target has no IP addresses, the client cannot have an authorized
1661 IP address. However, if the target site uses A6 records (not AAAA records)
1662 we have to do yet another lookup in order to check them. */
1666 yield = CSA_FAIL_NOADDR;
1672 store_free_dns_answer(dnsa);
1673 return t->data.val = yield;
1678 /*************************************************
1679 * Handle verification (address & other) *
1680 *************************************************/
1682 enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1683 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT,
1684 VERIFY_HDR_NAMES_ASCII, VERIFY_ARC
1689 unsigned where_allowed; /* bitmap */
1690 BOOL no_options; /* Never has /option(s) following */
1691 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1693 static verify_type_t verify_type_list[] = {
1694 /* name value where no-opt opt-sep */
1695 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, (unsigned)~0, FALSE, 0 },
1696 { US"certificate", VERIFY_CERT, (unsigned)~0, TRUE, 0 },
1697 { US"helo", VERIFY_HELO, (unsigned)~0, TRUE, 0 },
1698 { US"csa", VERIFY_CSA, (unsigned)~0, FALSE, 0 },
1699 { US"header_syntax", VERIFY_HDR_SYNTAX, ACL_BITS_HAVEDATA, TRUE, 0 },
1700 { US"not_blind", VERIFY_NOT_BLIND, ACL_BITS_HAVEDATA, FALSE, 0 },
1701 { US"header_sender", VERIFY_HDR_SNDR, ACL_BITS_HAVEDATA, FALSE, 0 },
1702 { US"sender", VERIFY_SNDR, ACL_BIT_MAIL | ACL_BIT_RCPT
1703 | ACL_BIT_PREDATA | ACL_BIT_DATA | ACL_BIT_NOTSMTP,
1705 { US"recipient", VERIFY_RCPT, ACL_BIT_RCPT, FALSE, 0 },
1706 { US"header_names_ascii", VERIFY_HDR_NAMES_ASCII, ACL_BITS_HAVEDATA, TRUE, 0 },
1707 #ifdef EXPERIMENTAL_ARC
1708 { US"arc", VERIFY_ARC, ACL_BIT_DATA, FALSE , 0 },
1713 enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1714 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1715 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1716 CALLOUT_HOLD, CALLOUT_TIME /* TIME must be last */
1722 BOOL has_option; /* Has =option(s) following */
1723 BOOL timeval; /* Has a time value */
1725 static callout_opt_t callout_opt_list[] = {
1726 /* name value flag has-opt has-time */
1727 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1728 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1729 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1730 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1731 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1732 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1733 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1734 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1735 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1736 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1737 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1738 { US"hold", CALLOUT_HOLD, vopt_callout_hold, FALSE, FALSE },
1739 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1745 v_period(const uschar * s, const uschar * arg, uschar ** log_msgptr)
1748 if ((period = readconf_readtime(s, 0, FALSE)) < 0)
1750 *log_msgptr = string_sprintf("bad time value in ACL condition "
1751 "\"verify %s\"", arg);
1759 sender_helo_verified_internal(void)
1761 /* We can test the result of optional HELO verification that might have
1762 occurred earlier. If not, we can attempt the verification now. */
1764 if (!f.helo_verified && !f.helo_verify_failed) smtp_verify_helo();
1765 return f.helo_verified;
1769 sender_helo_verified_cond(void)
1771 return sender_helo_verified_internal() ? OK : FAIL;
1775 sender_helo_verified_boolstr(void)
1777 return sender_helo_verified_internal() ? US"yes" : US"no";
1782 /* This function implements the "verify" condition. It is called when
1783 encountered in any ACL, because some tests are almost always permitted. Some
1784 just don't make sense, and always fail (for example, an attempt to test a host
1785 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1788 where where called from
1789 addr the recipient address that the ACL is handling, or NULL
1790 arg the argument of "verify"
1791 user_msgptr pointer for user message
1792 log_msgptr pointer for log message
1793 basic_errno where to put verify errno
1795 Returns: OK verification condition succeeded
1796 FAIL verification failed
1797 DEFER there was a problem verifying
1802 acl_verify(int where, address_item *addr, const uschar *arg,
1803 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1807 int callout_overall = -1;
1808 int callout_connect = -1;
1809 int verify_options = 0;
1811 BOOL verify_header_sender = FALSE;
1812 BOOL defer_ok = FALSE;
1813 BOOL callout_defer_ok = FALSE;
1814 BOOL no_details = FALSE;
1815 BOOL success_on_redirect = FALSE;
1817 int quota_pos_cache = QUOTA_POS_DEFAULT, quota_neg_cache = QUOTA_NEG_DEFAULT;
1818 address_item * sender_vaddr = NULL;
1819 const uschar * verify_sender_address = NULL;
1820 uschar * pm_mailfrom = NULL;
1821 uschar * se_mailfrom = NULL;
1823 /* Some of the verify items have slash-separated options; some do not. Diagnose
1824 an error if options are given for items that don't expect them.
1827 uschar *slash = Ustrchr(arg, '/');
1828 const uschar *list = arg;
1829 uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
1832 if (!ss) goto BAD_VERIFY;
1834 /* Handle name/address consistency verification in a separate function. */
1836 for (vp = verify_type_list;
1837 CS vp < CS verify_type_list + sizeof(verify_type_list);
1840 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1841 : strcmpic (ss, vp->name) == 0)
1843 if (CS vp >= CS verify_type_list + sizeof(verify_type_list))
1846 if (vp->no_options && slash)
1848 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1849 "(this verify item has no options)", arg);
1852 if (!(vp->where_allowed & BIT(where)))
1854 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s",
1855 vp->name, acl_wherenames[where]);
1860 case VERIFY_REV_HOST_LKUP:
1861 if (!sender_host_address) return OK;
1862 if ((rc = acl_verify_reverse(user_msgptr, log_msgptr)) == DEFER)
1863 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1864 if (strcmpic(ss, US"defer_ok") == 0)
1869 /* TLS certificate verification is done at STARTTLS time; here we just
1870 test whether it was successful or not. (This is for optional verification; for
1871 mandatory verification, the connection doesn't last this long.) */
1873 if (tls_in.certificate_verified) return OK;
1874 *user_msgptr = US"no verified certificate";
1878 return sender_helo_verified_cond();
1881 /* Do Client SMTP Authorization checks in a separate function, and turn the
1882 result code into user-friendly strings. */
1884 rc = acl_verify_csa(list);
1885 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1886 csa_reason_string[rc]);
1887 csa_status = csa_status_string[rc];
1888 DEBUG(D_acl) debug_printf_indent("CSA result %s\n", csa_status);
1889 return csa_return_code[rc];
1891 #ifdef EXPERIMENTAL_ARC
1894 const misc_module_info * mi = misc_mod_findonly(US"arc");
1895 typedef int (*fn_t)(const uschar *);
1896 if (mi) return (((fn_t *) mi->functions)[ARC_VERIFY])
1897 (CUS string_nextinlist(&list, &sep, NULL, 0));
1901 case VERIFY_HDR_SYNTAX:
1902 /* Check that all relevant header lines have the correct 5322-syntax. If there is
1903 a syntax error, we return details of the error to the sender if configured to
1904 send out full details. (But a "message" setting on the ACL can override, as
1907 rc = verify_check_headers(log_msgptr);
1908 if (rc != OK && *log_msgptr)
1909 if (smtp_return_error_details)
1910 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1912 acl_verify_message = *log_msgptr;
1915 case VERIFY_HDR_NAMES_ASCII:
1916 /* Check that all header names are true 7 bit strings
1917 See RFC 5322, 2.2. and RFC 6532, 3. */
1919 rc = verify_check_header_names_ascii(log_msgptr);
1920 if (rc != OK && smtp_return_error_details && *log_msgptr)
1921 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1924 case VERIFY_NOT_BLIND:
1925 /* Check that no recipient of this message is "blind", that is, every envelope
1926 recipient must be mentioned in either To: or Cc:. */
1928 BOOL case_sensitive = TRUE;
1930 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1931 if (strcmpic(ss, US"case_insensitive") == 0)
1932 case_sensitive = FALSE;
1935 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1936 "condition \"verify %s\"", ss, arg);
1940 if ((rc = verify_check_notblind(case_sensitive)) != OK)
1942 *log_msgptr = US"bcc recipient detected";
1943 if (smtp_return_error_details)
1944 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1949 /* The remaining verification tests check recipient and sender addresses,
1950 either from the envelope or from the header. There are a number of
1951 slash-separated options that are common to all of them. */
1953 case VERIFY_HDR_SNDR:
1954 verify_header_sender = TRUE;
1958 /* In the case of a sender, this can optionally be followed by an address to use
1959 in place of the actual sender (rare special-case requirement). */
1963 verify_sender_address = sender_address;
1966 if (Uskip_whitespace(&s) != '=')
1969 Uskip_whitespace(&s);
1970 verify_sender_address = string_copy(s);
1981 /* Remaining items are optional; they apply to sender and recipient
1982 verification, including "header sender" verification. */
1984 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1986 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1987 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1988 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1990 /* These two old options are left for backwards compatibility */
1992 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1994 callout_defer_ok = TRUE;
1995 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1998 else if (strcmpic(ss, US"check_postmaster") == 0)
2001 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
2004 /* The callout option has a number of sub-options, comma separated */
2006 else if (strncmpic(ss, US"callout", 7) == 0)
2008 callout = CALLOUT_TIMEOUT_DEFAULT;
2011 Uskip_whitespace(&ss);
2014 const uschar * sublist = ss;
2017 Uskip_whitespace(&sublist);
2018 for (uschar * opt; opt = string_nextinlist(&sublist, &optsep, NULL, 0); )
2021 double period = 1.0F;
2023 for (op= callout_opt_list; op->name; op++)
2024 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
2027 verify_options |= op->flag;
2030 opt += Ustrlen(op->name);
2031 Uskip_whitespace(&opt);
2034 *log_msgptr = string_sprintf("'=' expected after "
2035 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
2038 Uskip_whitespace(&opt);
2040 if (op->timeval && (period = v_period(opt, arg, log_msgptr)) < 0)
2045 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
2046 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
2047 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
2048 case CALLOUT_MAILFROM:
2049 if (!verify_header_sender)
2051 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
2052 "callout option only for verify=header_sender (detected in ACL "
2053 "condition \"%s\")", arg);
2056 se_mailfrom = string_copy(opt);
2058 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
2059 case CALLOUT_MAXWAIT: callout_overall = period; break;
2060 case CALLOUT_CONNECT: callout_connect = period; break;
2061 case CALLOUT_TIME: callout = period; break;
2067 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
2068 "ACL condition \"%s\"", arg);
2074 /* The quota option has sub-options, comma-separated */
2076 else if (strncmpic(ss, US"quota", 5) == 0)
2081 Uskip_whitespace(&ss);
2084 const uschar * sublist = ss;
2088 Uskip_whitespace(&sublist);
2089 for (uschar * opt; opt = string_nextinlist(&sublist, &optsep, NULL, 0); )
2090 if (Ustrncmp(opt, "cachepos=", 9) == 0)
2091 if ((period = v_period(opt += 9, arg, log_msgptr)) < 0)
2094 quota_pos_cache = period;
2095 else if (Ustrncmp(opt, "cacheneg=", 9) == 0)
2096 if ((period = v_period(opt += 9, arg, log_msgptr)) < 0)
2099 quota_neg_cache = period;
2100 else if (Ustrcmp(opt, "no_cache") == 0)
2101 quota_pos_cache = quota_neg_cache = 0;
2106 /* Option not recognized */
2110 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
2111 "condition \"verify %s\"", ss, arg);
2116 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
2117 (vopt_callout_recipsender|vopt_callout_recippmaster))
2119 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
2120 "for a recipient callout";
2124 /* Handle quota verification */
2127 if (vp->value != VERIFY_RCPT)
2129 *log_msgptr = US"can only verify quota of recipient";
2133 if ((rc = verify_quota_call(addr->address,
2134 quota_pos_cache, quota_neg_cache, log_msgptr)) != OK)
2136 *basic_errno = errno;
2137 if (smtp_return_error_details)
2139 if (!*user_msgptr && *log_msgptr)
2140 *user_msgptr = string_sprintf("Rejected after %s: %s",
2141 smtp_names[smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)]],
2143 if (rc == DEFER) f.acl_temp_details = TRUE;
2150 /* Handle sender-in-header verification. Default the user message to the log
2151 message if giving out verification details. */
2153 if (verify_header_sender)
2157 if ((rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
2158 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
2161 *basic_errno = verrno;
2162 if (smtp_return_error_details)
2164 if (!*user_msgptr && *log_msgptr)
2165 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
2166 if (rc == DEFER) f.acl_temp_details = TRUE;
2171 /* Handle a sender address. The default is to verify *the* sender address, but
2172 optionally a different address can be given, for special requirements. If the
2173 address is empty, we are dealing with a bounce message that has no sender, so
2174 we cannot do any checking. If the real sender address gets rewritten during
2175 verification (e.g. DNS widening), set the flag to stop it being rewritten again
2176 during message reception.
2178 A list of verified "sender" addresses is kept to try to avoid doing to much
2179 work repetitively when there are multiple recipients in a message and they all
2180 require sender verification. However, when callouts are involved, it gets too
2181 complicated because different recipients may require different callout options.
2182 Therefore, we always do a full sender verify when any kind of callout is
2183 specified. Caching elsewhere, for instance in the DNS resolver and in the
2184 callout handling, should ensure that this is not terribly inefficient. */
2186 else if (verify_sender_address)
2188 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)))
2190 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
2191 "sender verify callout";
2195 sender_vaddr = verify_checked_sender(verify_sender_address);
2196 if ( sender_vaddr /* Previously checked */
2197 && callout <= 0) /* No callout needed this time */
2199 /* If the "routed" flag is set, it means that routing worked before, so
2200 this check can give OK (the saved return code value, if set, belongs to a
2201 callout that was done previously). If the "routed" flag is not set, routing
2202 must have failed, so we use the saved return code. */
2204 if (testflag(sender_vaddr, af_verify_routed))
2208 rc = sender_vaddr->special_action;
2209 *basic_errno = sender_vaddr->basic_errno;
2211 HDEBUG(D_acl) debug_printf_indent("using cached sender verify result\n");
2214 /* Do a new verification, and cache the result. The cache is used to avoid
2215 verifying the sender multiple times for multiple RCPTs when callouts are not
2216 specified (see comments above).
2218 The cache is also used on failure to give details in response to the first
2219 RCPT that gets bounced for this reason. However, this can be suppressed by
2220 the no_details option, which sets the flag that says "this detail has already
2221 been sent". The cache normally contains just one address, but there may be
2222 more in esoteric circumstances. */
2227 uschar *save_address_data = deliver_address_data;
2229 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
2231 if ((sender_vaddr->prop.utf8_msg = message_smtputf8))
2233 sender_vaddr->prop.utf8_downcvt = message_utf8_downconvert == 1;
2234 sender_vaddr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
2237 if (no_details) setflag(sender_vaddr, af_sverify_told);
2238 if (verify_sender_address[0] != 0)
2240 /* If this is the real sender address, save the unrewritten version
2241 for use later in receive. Otherwise, set a flag so that rewriting the
2242 sender in verify_address() does not update sender_address. */
2244 if (verify_sender_address == sender_address)
2245 sender_address_unrewritten = sender_address;
2247 verify_options |= vopt_fake_sender;
2249 if (success_on_redirect)
2250 verify_options |= vopt_success_on_redirect;
2252 /* The recipient, qualify, and expn options are never set in
2255 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
2256 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
2258 HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
2261 *basic_errno = sender_vaddr->basic_errno;
2264 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2265 debug_printf_indent("sender %s verified ok as %s\n",
2266 verify_sender_address, sender_vaddr->address);
2268 debug_printf_indent("sender %s verified ok\n",
2269 verify_sender_address);
2272 rc = OK; /* Null sender */
2274 /* Cache the result code */
2276 if (routed) setflag(sender_vaddr, af_verify_routed);
2277 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2278 sender_vaddr->special_action = rc;
2279 sender_vaddr->next = sender_verified_list;
2280 sender_verified_list = sender_vaddr;
2282 /* Restore the recipient address data, which might have been clobbered by
2283 the sender verification. */
2285 deliver_address_data = save_address_data;
2288 /* Put the sender address_data value into $sender_address_data */
2290 sender_address_data = sender_vaddr->prop.address_data;
2293 /* A recipient address just gets a straightforward verify; again we must handle
2294 the DEFER overrides. */
2300 if (success_on_redirect)
2301 verify_options |= vopt_success_on_redirect;
2303 /* We must use a copy of the address for verification, because it might
2307 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
2308 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
2309 HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
2311 *basic_errno = addr2.basic_errno;
2312 *log_msgptr = addr2.message;
2313 *user_msgptr = addr2.user_message ? addr2.user_message : addr2.message;
2315 /* Allow details for temporary error if the address is so flagged. */
2316 if (testflag((&addr2), af_pass_message)) f.acl_temp_details = TRUE;
2318 /* Make $address_data visible */
2319 deliver_address_data = addr2.prop.address_data;
2322 /* We have a result from the relevant test. Handle defer overrides first. */
2326 || callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER
2329 HDEBUG(D_acl) debug_printf_indent("verify defer overridden by %s\n",
2330 defer_ok? "defer_ok" : "callout_defer_ok");
2334 /* If we've failed a sender, set up a recipient message, and point
2335 sender_verified_failed to the address item that actually failed. */
2337 if (rc != OK && verify_sender_address)
2340 *log_msgptr = *user_msgptr = US"Sender verify failed";
2341 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2342 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2345 *log_msgptr = US"Could not complete sender verify callout";
2346 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2350 sender_verified_failed = sender_vaddr;
2353 /* Verifying an address messes up the values of $domain and $local_part,
2354 so reset them before returning if this is a RCPT ACL. */
2358 deliver_domain = addr->domain;
2359 deliver_localpart = addr->local_part;
2363 /* Syntax errors in the verify argument come here. */
2366 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2367 "\"helo\", \"header_syntax\", \"header_sender\", \"header_names_ascii\" "
2368 "or \"reverse_host_lookup\" at start of ACL condition "
2369 "\"verify %s\"", arg);
2376 /*************************************************
2377 * Check argument for control= modifier *
2378 *************************************************/
2380 /* Called from acl_check_condition() below.
2381 To handle the case "queue_only" we accept an _ in the
2382 initial / option-switch position.
2385 arg the argument string for control=
2386 pptr set to point to the terminating character
2387 where which ACL we are in
2388 log_msgptr for error messages
2390 Returns: CONTROL_xxx value
2394 decode_control(const uschar *arg, const uschar **pptr, int where, uschar **log_msgptr)
2400 if ( (idx = find_control(arg, controls_list, nelem(controls_list))) < 0
2401 || ( (c = arg[len = Ustrlen((d = controls_list+idx)->name)]) != 0
2402 && (!d->has_option || c != '/' && c != '_')
2405 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2406 return CONTROL_ERROR;
2416 /*************************************************
2417 * Return a ratelimit error *
2418 *************************************************/
2420 /* Called from acl_ratelimit() below
2423 log_msgptr for error messages
2424 format format string
2425 ... supplementary arguments
2431 ratelimit_error(uschar **log_msgptr, const char *format, ...)
2435 string_cat(NULL, US"error in arguments to \"ratelimit\" condition: ");
2437 va_start(ap, format);
2438 g = string_vformat(g, SVFMT_EXTEND|SVFMT_REBUFFER, format, ap);
2441 gstring_release_unused(g);
2442 *log_msgptr = string_from_gstring(g);
2449 /*************************************************
2450 * Handle rate limiting *
2451 *************************************************/
2453 /* Called by acl_check_condition() below to calculate the result
2454 of the ACL ratelimit condition.
2456 Note that the return value might be slightly unexpected: if the
2457 sender's rate is above the limit then the result is OK. This is
2458 similar to the dnslists condition, and is so that you can write
2459 ACL clauses like: defer ratelimit = 15 / 1h
2462 arg the option string for ratelimit=
2463 where ACL_WHERE_xxxx indicating which ACL this is
2464 log_msgptr for error messages
2466 Returns: OK - Sender's rate is above limit
2467 FAIL - Sender's rate is below limit
2468 DEFER - Problem opening ratelimit database
2469 ERROR - Syntax error in options.
2473 acl_ratelimit(const uschar *arg, int where, uschar **log_msgptr)
2475 double limit, period, count;
2478 uschar *unique = NULL;
2480 BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2481 BOOL noupdate = FALSE, badacl = FALSE;
2482 int mode = RATE_PER_WHAT;
2484 tree_node ** anchor = NULL, * t;
2485 open_db dbblock, *dbm;
2487 dbdata_ratelimit *dbd;
2488 dbdata_ratelimit_unique *dbdb;
2491 /* Parse the first two options and record their values in expansion
2492 variables. These variables allow the configuration to have informative
2493 error messages based on rate limits obtained from a table lookup. */
2495 /* First is the maximum number of messages per period / maximum burst
2496 size, which must be greater than or equal to zero. Zero is useful for
2497 rate measurement as opposed to rate limiting. */
2499 if (!(sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0)))
2500 return ratelimit_error(log_msgptr, "sender rate limit not set");
2502 limit = Ustrtod(sender_rate_limit, &ss);
2503 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2504 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2505 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2507 if (limit < 0.0 || *ss != '\0')
2508 return ratelimit_error(log_msgptr,
2509 "\"%s\" is not a positive number", sender_rate_limit);
2511 /* Second is the rate measurement period / exponential smoothing time
2512 constant. This must be strictly greater than zero, because zero leads to
2513 run-time division errors. */
2515 period = !(sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0))
2516 ? -1.0 : readconf_readtime(sender_rate_period, 0, FALSE);
2518 return ratelimit_error(log_msgptr,
2519 "\"%s\" is not a time value", sender_rate_period);
2521 /* By default we are counting one of something, but the per_rcpt,
2522 per_byte, and count options can change this. */
2526 /* Parse the other options. */
2528 while ((ss = string_nextinlist(&arg, &sep, NULL, 0)))
2530 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2531 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2532 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2533 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2534 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2535 else if (strcmpic(ss, US"per_conn") == 0)
2537 RATE_SET(mode, PER_CONN);
2538 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2541 else if (strcmpic(ss, US"per_mail") == 0)
2543 RATE_SET(mode, PER_MAIL);
2544 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2546 else if (strcmpic(ss, US"per_rcpt") == 0)
2548 /* If we are running in the RCPT ACL, then we'll count the recipients
2549 one by one, but if we are running when we have accumulated the whole
2550 list then we'll add them all in one batch. */
2551 if (where == ACL_WHERE_RCPT)
2552 RATE_SET(mode, PER_RCPT);
2553 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2554 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2555 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2556 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2558 else if (strcmpic(ss, US"per_byte") == 0)
2560 /* If we have not yet received the message data and there was no SIZE
2561 declaration on the MAIL command, then it's safe to just use a value of
2562 zero and let the recorded rate decay as if nothing happened. */
2563 RATE_SET(mode, PER_MAIL);
2564 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2565 else count = message_size < 0 ? 0.0 : (double)message_size;
2567 else if (strcmpic(ss, US"per_addr") == 0)
2569 RATE_SET(mode, PER_RCPT);
2570 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
2571 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2573 else if (strncmpic(ss, US"count=", 6) == 0)
2576 count = Ustrtod(ss+6, &e);
2577 if (count < 0.0 || *e != '\0')
2578 return ratelimit_error(log_msgptr, "\"%s\" is not a positive number", ss);
2580 else if (strncmpic(ss, US"unique=", 7) == 0)
2581 unique = string_copy(ss + 7);
2583 key = string_copy(ss);
2585 key = string_sprintf("%s/%s", key, ss);
2588 /* Sanity check. When the badacl flag is set the update mode must either
2589 be readonly (which is the default if it is omitted) or, for backwards
2590 compatibility, a combination of noupdate and strict or leaky. */
2592 if (mode == RATE_PER_CLASH)
2593 return ratelimit_error(log_msgptr, "conflicting per_* options");
2594 if (leaky + strict + readonly > 1)
2595 return ratelimit_error(log_msgptr, "conflicting update modes");
2596 if (badacl && (leaky || strict) && !noupdate)
2597 return ratelimit_error(log_msgptr,
2598 "\"%s\" must not have /leaky or /strict option, or cannot be used in %s ACL",
2599 ratelimit_option_string[mode], acl_wherenames[where]);
2601 /* Set the default values of any unset options. In readonly mode we
2602 perform the rate computation without any increment so that its value
2603 decays to eventually allow over-limit senders through. */
2605 if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2606 if (badacl) readonly = TRUE;
2607 if (readonly) count = 0.0;
2608 if (!strict && !readonly) leaky = TRUE;
2609 if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
2611 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2612 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2613 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2614 are added to the key because they alter the meaning of the stored data. */
2617 key = !sender_host_address ? US"" : sender_host_address;
2619 key = string_sprintf("%s/%s/%s%s",
2621 ratelimit_option_string[mode],
2622 unique == NULL ? "" : "unique/",
2626 debug_printf_indent("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
2628 /* See if we have already computed the rate by looking in the relevant tree.
2629 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2630 pool so that they survive across resets. In readonly mode we only remember the
2631 result for the rest of this command in case a later command changes it. After
2632 this bit of logic the code is independent of the per_* mode. */
2634 old_pool = store_pool;
2637 anchor = &ratelimiters_cmd;
2641 anchor = &ratelimiters_conn;
2642 store_pool = POOL_PERM;
2646 case RATE_PER_ALLRCPTS:
2647 anchor = &ratelimiters_mail;
2652 anchor = &ratelimiters_cmd;
2655 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2656 "internal ACL error: unknown ratelimit mode %d", mode);
2661 if ((t = tree_search(*anchor, key)))
2664 /* The following few lines duplicate some of the code below. */
2665 rc = (dbd->rate < limit)? FAIL : OK;
2666 store_pool = old_pool;
2667 sender_rate = string_sprintf("%.1f", dbd->rate);
2669 debug_printf_indent("ratelimit found pre-computed rate %s\n", sender_rate);
2673 /* We aren't using a pre-computed rate, so get a previously recorded rate
2674 from the database, which will be updated and written back if required. */
2676 if (!(dbm = dbfn_open(US"ratelimit", O_RDWR|O_CREAT, &dbblock, TRUE, TRUE)))
2678 store_pool = old_pool;
2680 HDEBUG(D_acl) debug_printf_indent("ratelimit database not available\n");
2681 *log_msgptr = US"ratelimit database not available";
2684 dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2687 gettimeofday(&tv, NULL);
2691 /* Locate the basic ratelimit block inside the DB data. */
2692 HDEBUG(D_acl) debug_printf_indent("ratelimit found key in database\n");
2695 /* Forget the old Bloom filter if it is too old, so that we count each
2696 repeating event once per period. We don't simply clear and re-use the old
2697 filter because we want its size to change if the limit changes. Note that
2698 we keep the dbd pointer for copying the rate into the new data block. */
2700 if(unique && tv.tv_sec > dbdb->bloom_epoch + period)
2702 HDEBUG(D_acl) debug_printf_indent("ratelimit discarding old Bloom filter\n");
2708 if(unique && dbdb_size < sizeof(*dbdb))
2710 HDEBUG(D_acl) debug_printf_indent("ratelimit discarding undersize Bloom filter\n");
2715 /* Allocate a new data block if the database lookup failed
2716 or the Bloom filter passed its age limit. */
2722 /* No Bloom filter. This basic ratelimit block is initialized below. */
2723 HDEBUG(D_acl) debug_printf_indent("ratelimit creating new rate data block\n");
2724 dbdb_size = sizeof(*dbd);
2725 dbdb = store_get(dbdb_size, GET_UNTAINTED);
2730 HDEBUG(D_acl) debug_printf_indent("ratelimit creating new Bloom filter\n");
2732 /* See the long comment below for an explanation of the magic number 2.
2733 The filter has a minimum size in case the rate limit is very small;
2734 this is determined by the definition of dbdata_ratelimit_unique. */
2736 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2737 if (extra < 0) extra = 0;
2738 dbdb_size = sizeof(*dbdb) + extra;
2739 dbdb = store_get(dbdb_size, GET_UNTAINTED);
2740 dbdb->bloom_epoch = tv.tv_sec;
2741 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2742 memset(dbdb->bloom, 0, dbdb->bloom_size);
2744 /* Preserve any basic ratelimit data (which is our longer-term memory)
2745 by copying it from the discarded block. */
2755 /* If we are counting unique events, find out if this event is new or not.
2756 If the client repeats the event during the current period then it should be
2757 counted. We skip this code in readonly mode for efficiency, because any
2758 changes to the filter will be discarded and because count is already set to
2761 if (unique && !readonly)
2763 /* We identify unique events using a Bloom filter. (You can find my
2764 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2765 With the per_addr option, an "event" is a recipient address, though the
2766 user can use the unique option to define their own events. We only count
2767 an event if we have not seen it before.
2769 We size the filter according to the rate limit, which (in leaky mode)
2770 is the limit on the population of the filter. We allow 16 bits of space
2771 per entry (see the construction code above) and we set (up to) 8 of them
2772 when inserting an element (see the loop below). The probability of a false
2773 positive (an event we have not seen before but which we fail to count) is
2777 allzero = exp(-numhash * pop / size)
2778 = exp(-0.5 * pop / limit)
2779 fpr = pow(1 - allzero, numhash)
2781 For senders at the limit the fpr is 0.06% or 1 in 1700
2782 and for senders at half the limit it is 0.0006% or 1 in 170000
2784 In strict mode the Bloom filter can fill up beyond the normal limit, in
2785 which case the false positive rate will rise. This means that the
2786 measured rate for very fast senders can bogusly drop off after a while.
2788 At twice the limit, the fpr is 2.5% or 1 in 40
2789 At four times the limit, it is 31% or 1 in 3.2
2791 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2792 decay below the limit, and if this is more than one then the Bloom filter
2793 will be discarded before the decay gets that far. The false positive rate
2794 at this threshold is 9.3% or 1 in 10.7. */
2797 unsigned n, hash, hinc;
2801 /* Instead of using eight independent hash values, we combine two values
2802 using the formula h1 + n * h2. This does not harm the Bloom filter's
2803 performance, and means the amount of hash we need is independent of the
2804 number of bits we set in the filter. */
2806 md5_start(&md5info);
2807 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2808 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2809 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2811 /* Scan the bits corresponding to this event. A zero bit means we have
2812 not seen it before. Ensure all bits are set to record this event. */
2814 HDEBUG(D_acl) debug_printf_indent("ratelimit checking uniqueness of %s\n", unique);
2817 for (n = 0; n < 8; n++, hash += hinc)
2819 int bit = 1 << (hash % 8);
2820 int byte = (hash / 8) % dbdb->bloom_size;
2821 if ((dbdb->bloom[byte] & bit) == 0)
2823 dbdb->bloom[byte] |= bit;
2828 /* If this event has occurred before, do not count it. */
2832 HDEBUG(D_acl) debug_printf_indent("ratelimit event found in Bloom filter\n");
2836 HDEBUG(D_acl) debug_printf_indent("ratelimit event added to Bloom filter\n");
2839 /* If there was no previous ratelimit data block for this key, initialize
2840 the new one, otherwise update the block from the database. The initial rate
2841 is what would be computed by the code below for an infinite interval. */
2845 HDEBUG(D_acl) debug_printf_indent("ratelimit initializing new key's rate data\n");
2847 dbd->time_stamp = tv.tv_sec;
2848 dbd->time_usec = tv.tv_usec;
2853 /* The smoothed rate is computed using an exponentially weighted moving
2854 average adjusted for variable sampling intervals. The standard EWMA for
2855 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2856 where f() is the measured value and f'() is the smoothed value.
2858 Old data decays out of the smoothed value exponentially, such that data n
2859 samples old is multiplied by a^n. The exponential decay time constant p
2860 is defined such that data p samples old is multiplied by 1/e, which means
2861 that a = exp(-1/p). We can maintain the same time constant for a variable
2862 sampling interval i by using a = exp(-i/p).
2864 The rate we are measuring is messages per period, suitable for directly
2865 comparing with the limit. The average rate between now and the previous
2866 message is period / interval, which we feed into the EWMA as the sample.
2868 It turns out that the number of messages required for the smoothed rate
2869 to reach the limit when they are sent in a burst is equal to the limit.
2870 This can be seen by analysing the value of the smoothed rate after N
2871 messages sent at even intervals. Let k = (1 - a) * p/i
2873 rate_1 = (1 - a) * p/i + a * rate_0
2875 rate_2 = k + a * rate_1
2876 = k + a * k + a^2 * rate_0
2877 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2878 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2879 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2880 = rate_0 * a^N + p/i * (1 - a^N)
2882 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2884 rate_N = p/i + (rate_0 - p/i) * a^N
2885 a^N = (rate_N - p/i) / (rate_0 - p/i)
2886 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2887 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2889 Numerical analysis of the above equation, setting the computed rate to
2890 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2891 rates, p/i, the number of messages N = limit. So limit serves as both the
2892 maximum rate measured in messages per period, and the maximum number of
2893 messages that can be sent in a fast burst. */
2895 double this_time = (double)tv.tv_sec
2896 + (double)tv.tv_usec / 1000000.0;
2897 double prev_time = (double)dbd->time_stamp
2898 + (double)dbd->time_usec / 1000000.0;
2900 /* We must avoid division by zero, and deal gracefully with the clock going
2901 backwards. If we blunder ahead when time is in reverse then the computed
2902 rate will be bogus. To be safe we clamp interval to a very small number. */
2904 double interval = this_time - prev_time <= 0.0 ? 1e-9
2905 : this_time - prev_time;
2907 double i_over_p = interval / period;
2908 double a = exp(-i_over_p);
2910 /* Combine the instantaneous rate (period / interval) with the previous rate
2911 using the smoothing factor a. In order to measure sized events, multiply the
2912 instantaneous rate by the count of bytes or recipients etc. */
2914 dbd->time_stamp = tv.tv_sec;
2915 dbd->time_usec = tv.tv_usec;
2916 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2918 /* When events are very widely spaced the computed rate tends towards zero.
2919 Although this is accurate it turns out not to be useful for our purposes,
2920 especially when the first event after a long silence is the start of a spam
2921 run. A more useful model is that the rate for an isolated event should be the
2922 size of the event per the period size, ignoring the lack of events outside
2923 the current period and regardless of where the event falls in the period. So,
2924 if the interval was so long that the calculated rate is unhelpfully small, we
2925 re-initialize the rate. In the absence of higher-rate bursts, the condition
2926 below is true if the interval is greater than the period. */
2928 if (dbd->rate < count) dbd->rate = count;
2931 /* Clients sending at the limit are considered to be over the limit.
2932 This matters for edge cases such as a limit of zero, when the client
2933 should be completely blocked. */
2935 rc = dbd->rate < limit ? FAIL : OK;
2937 /* Update the state if the rate is low or if we are being strict. If we
2938 are in leaky mode and the sender's rate is too high, we do not update
2939 the recorded rate in order to avoid an over-aggressive sender's retry
2940 rate preventing them from getting any email through. If readonly is set,
2941 neither leaky nor strict are set, so we do not do any updates. */
2943 if ((rc == FAIL && leaky) || strict)
2945 dbfn_write(dbm, key, dbdb, dbdb_size);
2946 HDEBUG(D_acl) debug_printf_indent("ratelimit db updated\n");
2950 HDEBUG(D_acl) debug_printf_indent("ratelimit db not updated: %s\n",
2951 readonly? "readonly mode" : "over the limit, but leaky");
2956 /* Store the result in the tree for future reference. Take the taint status
2957 from the key for consistency even though it's unlikely we'll ever expand this. */
2959 t = store_get(sizeof(tree_node) + Ustrlen(key), key);
2961 Ustrcpy(t->name, key);
2962 (void)tree_insertnode(anchor, t);
2964 /* We create the formatted version of the sender's rate very late in
2965 order to ensure that it is done using the correct storage pool. */
2967 store_pool = old_pool;
2968 sender_rate = string_sprintf("%.1f", dbd->rate);
2971 debug_printf_indent("ratelimit computed rate %s\n", sender_rate);
2978 /*************************************************
2979 * Handle a check for previously-seen *
2980 *************************************************/
2983 ACL clauses like: seen = -5m / key=$foo / readonly
2985 Return is true for condition-true - but the semantics
2986 depend heavily on the actual use-case.
2988 Negative times test for seen-before, positive for seen-more-recently-than
2989 (the given interval before current time).
2991 All are subject to history not having been cleaned from the DB.
2993 Default for seen-before is to create if not present, and to
2994 update if older than 10d (with the seen-test time).
2995 Default for seen-since is to always create or update.
2998 key=value. Default key is $sender_host_address
3001 refresh=<interval>: update an existing DB entry older than given
3002 amount. Default refresh lacking this option is 10d.
3003 The update sets the record timestamp to the seen-test time.
3005 XXX do we need separate nocreate, noupdate controls?
3008 arg the option string for seen=
3009 where ACL_WHERE_xxxx indicating which ACL this is
3010 log_msgptr for error messages
3012 Returns: OK - Condition is true
3013 FAIL - Condition is false
3014 DEFER - Problem opening history database
3015 ERROR - Syntax error in options
3019 acl_seen(const uschar * arg, int where, uschar ** log_msgptr)
3021 enum { SEEN_DEFAULT, SEEN_READONLY, SEEN_WRITE };
3023 const uschar * list = arg;
3024 int slash = '/', interval, mode = SEEN_DEFAULT, yield = FAIL;
3026 int refresh = 10 * 24 * 60 * 60; /* 10 days */
3027 const uschar * ele, * key = sender_host_address;
3028 open_db dbblock, * dbm;
3032 /* Parse the first element, the time-relation. */
3034 if (!(ele = string_nextinlist(&list, &slash, NULL, 0)))
3036 if ((before = *ele == '-'))
3038 if ((interval = readconf_readtime(ele, 0, FALSE)) < 0)
3041 /* Remaining elements are options */
3043 while ((ele = string_nextinlist(&list, &slash, NULL, 0)))
3044 if (Ustrncmp(ele, "key=", 4) == 0)
3046 else if (Ustrcmp(ele, "readonly") == 0)
3047 mode = SEEN_READONLY;
3048 else if (Ustrcmp(ele, "write") == 0)
3050 else if (Ustrncmp(ele, "refresh=", 8) == 0)
3052 if ((refresh = readconf_readtime(ele + 8, 0, FALSE)) < 0)
3058 if (!(dbm = dbfn_open(US"seen", O_RDWR|O_CREAT, &dbblock, TRUE, TRUE)))
3060 HDEBUG(D_acl) debug_printf_indent("database for 'seen' not available\n");
3061 *log_msgptr = US"database for 'seen' not available";
3065 dbd = dbfn_read_with_length(dbm, key, NULL);
3067 if (dbd) /* an existing record */
3069 time_t diff = now - dbd->time_stamp; /* time since the record was written */
3071 if (before ? diff >= interval : diff < interval)
3074 if (mode == SEEN_READONLY)
3075 { HDEBUG(D_acl) debug_printf_indent("seen db not written (readonly)\n"); }
3076 else if (mode == SEEN_WRITE || !before)
3078 dbd->time_stamp = now;
3079 dbfn_write(dbm, key, dbd, sizeof(*dbd));
3080 HDEBUG(D_acl) debug_printf_indent("seen db written (update)\n");
3082 else if (diff >= refresh)
3084 dbd->time_stamp = now - interval;
3085 dbfn_write(dbm, key, dbd, sizeof(*dbd));
3086 HDEBUG(D_acl) debug_printf_indent("seen db written (refresh)\n");
3090 { /* No record found, yield always FAIL */
3091 if (mode != SEEN_READONLY)
3093 dbdata_seen d = {.time_stamp = now};
3094 dbfn_write(dbm, key, &d, sizeof(*dbd));
3095 HDEBUG(D_acl) debug_printf_indent("seen db written (create)\n");
3098 HDEBUG(D_acl) debug_printf_indent("seen db not written (readonly)\n");
3106 *log_msgptr = string_sprintf("failed to parse '%s'", arg);
3109 *log_msgptr = string_sprintf("unrecognised option '%s' in '%s'", ele, arg);
3115 /*************************************************
3116 * The udpsend ACL modifier *
3117 *************************************************/
3119 /* Called by acl_check_condition() below.
3122 arg the option string for udpsend=
3123 log_msgptr for error messages
3125 Returns: OK - Completed.
3126 DEFER - Problem with DNS lookup.
3127 ERROR - Syntax error in options.
3131 acl_udpsend(const uschar *arg, uschar **log_msgptr)
3143 hostname = string_nextinlist(&arg, &sep, NULL, 0);
3144 portstr = string_nextinlist(&arg, &sep, NULL, 0);
3148 *log_msgptr = US"missing destination host in \"udpsend\" modifier";
3153 *log_msgptr = US"missing destination port in \"udpsend\" modifier";
3158 *log_msgptr = US"missing datagram payload in \"udpsend\" modifier";
3161 portnum = Ustrtol(portstr, &portend, 10);
3162 if (*portend != '\0')
3164 *log_msgptr = US"bad destination port in \"udpsend\" modifier";
3168 /* Make a single-item host list. */
3169 h = store_get(sizeof(host_item), GET_UNTAINTED);
3170 memset(h, 0, sizeof(host_item));
3175 if (string_is_ip_address(hostname, NULL))
3176 h->address = hostname, r = HOST_FOUND;
3178 r = host_find_byname(h, NULL, 0, NULL, FALSE);
3179 if (r == HOST_FIND_FAILED || r == HOST_FIND_AGAIN)
3181 *log_msgptr = US"DNS lookup failed in \"udpsend\" modifier";
3186 debug_printf_indent("udpsend [%s]:%d %s\n", h->address, portnum, arg);
3188 /*XXX this could better use sendto */
3189 r = s = ip_connectedsocket(SOCK_DGRAM, h->address, portnum, portnum,
3190 1, NULL, &errstr, NULL);
3191 if (r < 0) goto defer;
3193 r = send(s, arg, len, 0);
3196 errstr = US strerror(errno);
3204 string_sprintf("\"udpsend\" truncated from %d to %d octets", len, r);
3209 debug_printf_indent("udpsend %d bytes\n", r);
3214 *log_msgptr = string_sprintf("\"udpsend\" failed: %s", errstr);
3220 #ifndef DISABLE_WELLKNOWN
3221 /*************************************************
3222 * The "wellknown" ACL modifier *
3223 *************************************************/
3225 /* Called by acl_check_condition() below.
3227 Retrieve the given file and encode content as xtext.
3228 Prefix with a summary line giving the length of plaintext.
3229 Leave a global pointer to the whole, for output by
3230 the smtp verb handler code (smtp_in.c).
3233 arg the option string for wellknown=
3234 log_msgptr for error messages
3240 wellknown_process(const uschar * arg, uschar ** log_msgptr)
3242 struct stat statbuf;
3246 wellknown_response = NULL;
3247 if (f.no_multiline_responses) return FAIL;
3249 /* Check for file existence */
3251 if (!*arg) return FAIL;
3252 if (Ustat(arg, &statbuf) != 0)
3253 { *log_msgptr = US"stat"; goto fail; }
3255 /*XXX perhaps refuse to serve a group- or world-writeable file? */
3257 if (!(rf = Ufopen(arg, "r")))
3258 { *log_msgptr = US"open"; goto fail; }
3260 /* Set up summary line for output */
3262 g = string_fmt_append(NULL, "SIZE=%lu\n", (long) statbuf.st_size);
3265 for (int n = 0, ch; (ch = fgetc(rf)) != EOF; )
3267 /* Xtext-encode, adding output linebreaks for input linebreaks
3268 or when the line gets long enough */
3271 { g = string_fmt_append(g, "+%02X", ch); n = LINE_LIM; }
3272 else if (ch < 33 || ch > 126 || ch == '+' || ch == '=')
3273 { g = string_fmt_append(g, "+%02X", ch); n += 3; }
3275 { g = string_fmt_append(g, "%c", ch); n++; }
3278 { g = string_catn(g, US"\n", 1); n = 0; }
3282 gstring_release_unused(g);
3283 wellknown_response = string_from_gstring(g);
3287 *log_msgptr = string_sprintf("wellknown: failed to %s file \"%s\": %s",
3288 *log_msgptr, arg, strerror(errno));
3294 /*************************************************
3295 * Handle conditions/modifiers on an ACL item *
3296 *************************************************/
3298 /* Called from acl_check() below.
3302 cb ACL condition block - if NULL, result is OK
3303 where where called from
3304 addr the address being checked for RCPT, or NULL
3305 level the nesting level
3306 epp pointer to pass back TRUE if "endpass" encountered
3307 (applies only to "accept" and "discard")
3308 user_msgptr user message pointer
3309 log_msgptr log message pointer
3310 basic_errno pointer to where to put verify error
3312 Returns: OK - all conditions are met
3313 DISCARD - an "acl" condition returned DISCARD - only allowed
3314 for "accept" or "discard" verbs
3315 FAIL - at least one condition fails
3316 FAIL_DROP - an "acl" condition returned FAIL_DROP
3317 DEFER - can't tell at the moment (typically, lookup defer,
3318 but can be temporary callout problem)
3319 ERROR - ERROR from nested ACL or expansion failure or other
3324 acl_check_condition(int verb, acl_condition_block * cb, int where,
3325 address_item * addr, int level, BOOL * epp, uschar ** user_msgptr,
3326 uschar ** log_msgptr, int * basic_errno)
3328 uschar * user_message = NULL, * log_message = NULL;
3331 for (; cb; cb = cb->next)
3335 BOOL textonly = FALSE;
3339 /* The message and log_message items set up messages to be used in
3340 case of rejection. They are expanded later. */
3343 HDEBUG(D_acl) debug_printf_indent(" message: %s\n", cb->arg);
3344 user_message = cb->arg; continue;
3346 case ACLC_LOG_MESSAGE:
3347 HDEBUG(D_acl) debug_printf_indent("l_message: %s\n", cb->arg);
3348 log_message = cb->arg; continue;
3350 /* The endpass "condition" just sets a flag to show it occurred. This is
3351 checked at compile time to be on an "accept" or "discard" item. */
3354 *epp = TRUE; continue;
3357 /* For other conditions and modifiers, the argument is expanded now for some
3358 of them, but not for all, because expansion happens down in some lower level
3359 checking functions in some cases. */
3361 if (!(conditions[cb->type].flags & ACD_EXP))
3364 else if (!(arg = expand_string_2(cb->arg, &textonly)))
3366 if (f.expand_string_forcedfail) continue;
3367 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
3368 cb->arg, expand_string_message);
3369 return f.search_find_defer ? DEFER : ERROR;
3372 /* Show condition, and expanded condition if it's different */
3377 debug_printf_indent("check %s%s %n",
3378 (!(conditions[cb->type].flags & ACD_MOD) && cb->u.negated) ? "!":"",
3379 conditions[cb->type].name, &lhswidth);
3381 if (cb->type == ACLC_SET)
3383 #ifndef DISABLE_DKIM
3384 if ( Ustrcmp(cb->u.varname, "dkim_verify_status") == 0
3385 || Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
3387 debug_printf("%s ", cb->u.varname);
3393 debug_printf("acl_%s ", cb->u.varname);
3394 lhswidth += 5 + Ustrlen(cb->u.varname);
3398 debug_printf("= %s\n", cb->arg);
3401 debug_printf("%.*s= %s\n", lhswidth,
3405 /* Check that this condition makes sense at this time */
3407 if ((conditions[cb->type].forbids & (1 << where)) != 0)
3409 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
3410 conditions[cb->type].flags & ACD_MOD ? "use" : "test",
3411 conditions[cb->type].name, acl_wherenames[where]);
3415 /* Run the appropriate test for each condition, or take the appropriate
3416 action for the remaining modifiers. */
3420 /* A nested ACL that returns "discard" makes sense only for an "accept" or
3424 rc = acl_check_wargs(where, addr, arg, user_msgptr, log_msgptr);
3425 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
3427 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
3428 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
3434 case ACLC_ADD_HEADER:
3438 case ACLC_ATRN_DOMAINS:
3439 if (is_tainted(arg))
3441 log_write(0, LOG_MAIN|LOG_PANIC,
3442 "attempt to used tainted value '%s' for atrn_domains%#s",
3445 ? string_sprintf(" (%s %d)", config_filename, config_lineno)
3447 *log_msgptr = US"internal configuration error";
3450 atrn_domains = string_copy(arg);
3452 rc = spool_has_one_undelivered_dom(arg);
3456 case ACLC_AUTHENTICATED:
3457 rc = sender_host_authenticated ? match_isinlist(sender_host_authenticated,
3458 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL) : FAIL;
3461 #ifdef EXPERIMENTAL_BRIGHTMAIL
3462 case ACLC_BMI_OPTIN:
3464 int old_pool = store_pool;
3465 store_pool = POOL_PERM;
3466 bmi_current_optin = string_copy(arg);
3467 store_pool = old_pool;
3472 case ACLC_CONDITION:
3473 /* The true/false parsing here should be kept in sync with that used in
3474 expand.c when dealing with ECOND_BOOL so that we don't have too many
3475 different definitions of what can be a boolean. */
3477 ? Ustrspn(arg+1, "0123456789") == Ustrlen(arg+1) /* Negative number */
3478 : Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
3479 rc = (Uatoi(arg) == 0)? FAIL : OK;
3481 rc = (strcmpic(arg, US"no") == 0 ||
3482 strcmpic(arg, US"false") == 0)? FAIL :
3483 (strcmpic(arg, US"yes") == 0 ||
3484 strcmpic(arg, US"true") == 0)? OK : DEFER;
3486 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
3489 case ACLC_CONTINUE: /* Always succeeds */
3494 const uschar * p = NULL;
3495 control_type = decode_control(arg, &p, where, log_msgptr);
3497 /* Check if this control makes sense at this time */
3499 if (controls_list[control_type].forbids & (1 << where))
3501 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
3502 controls_list[control_type].name, acl_wherenames[where]);
3506 /*XXX ought to sort these, just for sanity */
3507 switch(control_type)
3509 case CONTROL_AUTH_UNADVERTISED:
3510 f.allow_auth_unadvertised = TRUE;
3513 #ifdef EXPERIMENTAL_BRIGHTMAIL
3514 case CONTROL_BMI_RUN:
3519 #ifndef DISABLE_DKIM
3520 case CONTROL_DKIM_VERIFY:
3521 f.dkim_disable_verify = TRUE;
3522 # ifdef SUPPORT_DMARC
3523 /* Since DKIM was blocked, skip DMARC too */
3524 f.dmarc_disable_verify = TRUE;
3525 f.dmarc_enable_forensic = FALSE;
3530 #ifdef SUPPORT_DMARC
3531 case CONTROL_DMARC_VERIFY:
3532 f.dmarc_disable_verify = TRUE;
3535 case CONTROL_DMARC_FORENSIC:
3536 f.dmarc_enable_forensic = TRUE;
3543 int fd, af, level, optname, value;
3544 /* If we are acting on stdin, the setsockopt may fail if stdin is not
3545 a socket; we can accept that, we'll just debug-log failures anyway. */
3546 fd = fileno(smtp_in);
3547 if ((af = ip_get_address_family(fd)) < 0)
3550 debug_printf_indent("smtp input is probably not a socket [%s], not setting DSCP\n",
3554 if (dscp_lookup(p+1, af, &level, &optname, &value))
3555 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3557 HDEBUG(D_acl) debug_printf_indent("failed to set input DSCP[%s]: %s\n",
3558 p+1, strerror(errno));
3562 HDEBUG(D_acl) debug_printf_indent("set input DSCP to \"%s\"\n", p+1);
3566 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3572 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3580 case CONTROL_CASEFUL_LOCAL_PART:
3581 deliver_localpart = addr->cc_local_part;
3584 case CONTROL_CASELOWER_LOCAL_PART:
3585 deliver_localpart = addr->lc_local_part;
3588 case CONTROL_ENFORCE_SYNC:
3589 smtp_enforce_sync = TRUE;
3592 case CONTROL_NO_ENFORCE_SYNC:
3593 smtp_enforce_sync = FALSE;
3596 #ifdef WITH_CONTENT_SCAN
3597 case CONTROL_NO_MBOX_UNSPOOL:
3598 f.no_mbox_unspool = TRUE;
3602 case CONTROL_NO_MULTILINE:
3603 f.no_multiline_responses = TRUE;
3606 case CONTROL_NO_PIPELINING:
3607 f.pipelining_enable = FALSE;
3610 case CONTROL_NO_DELAY_FLUSH:
3611 f.disable_delay_flush = TRUE;
3614 case CONTROL_NO_CALLOUT_FLUSH:
3615 f.disable_callout_flush = TRUE;
3618 case CONTROL_FAKEREJECT:
3619 cancel_cutthrough_connection(TRUE, US"fakereject");
3620 case CONTROL_FAKEDEFER:
3621 fake_response = control_type == CONTROL_FAKEDEFER ? DEFER : FAIL;
3624 const uschar *pp = p + 1;
3626 /* The entire control= line was expanded at top so no need to expand
3627 the part after the / */
3628 fake_response_text = string_copyn(p+1, pp-p-1);
3631 else /* Explicitly reset to default string */
3632 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
3635 case CONTROL_FREEZE:
3636 f.deliver_freeze = TRUE;
3637 deliver_frozen_at = time(NULL);
3638 freeze_tell = freeze_tell_config; /* Reset to configured value */
3639 if (Ustrncmp(p, "/no_tell", 8) == 0)
3646 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3649 cancel_cutthrough_connection(TRUE, US"item frozen");
3653 f.queue_only_policy = TRUE;
3654 if (Ustrcmp(p, "_only") == 0)
3656 else while (*p == '/')
3657 if (Ustrncmp(p, "/only", 5) == 0)
3658 { p += 5; f.queue_smtp = FALSE; }
3659 else if (Ustrncmp(p, "/first_pass_route", 17) == 0)
3660 { p += 17; f.queue_smtp = TRUE; }
3663 cancel_cutthrough_connection(TRUE, US"queueing forced");
3666 case CONTROL_SUBMISSION:
3667 originator_name = US"";
3668 f.submission_mode = TRUE;
3671 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3674 f.active_local_sender_retain = TRUE;
3675 f.active_local_from_check = FALSE;
3677 else if (Ustrncmp(p, "/domain=", 8) == 0)
3679 const uschar *pp = p + 8;
3680 while (*pp && *pp != '/') pp++;
3681 submission_domain = string_copyn(p+8, pp-p-8);
3684 /* The name= option must be last, because it swallows the rest of
3686 else if (Ustrncmp(p, "/name=", 6) == 0)
3688 const uschar *pp = p + 6;
3690 submission_name = parse_fix_phrase(p+6, pp-p-6);
3697 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3704 uschar * debug_tag = NULL, * debug_opts = NULL;
3705 BOOL kill = FALSE, stop = FALSE;
3709 const uschar * pp = p+1;
3710 if (Ustrncmp(pp, "tag=", 4) == 0)
3712 for (pp += 4; *pp && *pp != '/';) pp++;
3713 debug_tag = string_copyn(p+5, pp-p-5);
3715 else if (Ustrncmp(pp, "opts=", 5) == 0)
3717 for (pp += 5; *pp && *pp != '/';) pp++;
3718 debug_opts = string_copyn(p+6, pp-p-6);
3720 else if (Ustrncmp(pp, "kill", 4) == 0)
3725 else if (Ustrncmp(pp, "stop", 4) == 0)
3730 else if (Ustrncmp(pp, "pretrigger=", 11) == 0)
3731 debug_pretrigger_setup(pp+11);
3732 else if (Ustrncmp(pp, "trigger=", 8) == 0)
3734 if (Ustrncmp(pp += 8, "now", 3) == 0)
3737 debug_trigger_fire();
3739 else if (Ustrncmp(pp, "paniclog", 8) == 0)
3742 dtrigger_selector |= BIT(DTi_panictrigger);
3745 while (*pp && *pp != '/') pp++;
3750 debug_logging_stop(TRUE);
3752 debug_logging_stop(FALSE);
3753 else if (debug_tag || debug_opts)
3754 debug_logging_activate(debug_tag, debug_opts);
3758 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3759 f.suppress_local_fixups = TRUE;
3762 case CONTROL_CUTTHROUGH_DELIVERY:
3764 uschar * ignored = NULL;
3765 #ifndef DISABLE_PRDR
3770 /* Too hard to think about for now. We might in future cutthrough
3771 the case where both sides handle prdr and this-node prdr acl
3773 ignored = US"PRDR active";
3774 else if (f.deliver_freeze)
3775 ignored = US"frozen";
3776 else if (f.queue_only_policy)
3777 ignored = US"queue-only";
3778 else if (fake_response == FAIL)
3779 ignored = US"fakereject";
3780 else if (rcpt_count != 1)
3781 ignored = US"nonfirst rcpt";
3782 else if (cutthrough.delivery)
3783 ignored = US"repeated";
3784 else if (cutthrough.callout_hold_only)
3787 debug_printf_indent(" cutthrough request upgrades callout hold\n");
3788 cutthrough.callout_hold_only = FALSE;
3789 cutthrough.delivery = TRUE; /* control accepted */
3793 cutthrough.delivery = TRUE; /* control accepted */
3796 const uschar * pp = p+1;
3797 if (Ustrncmp(pp, "defer=", 6) == 0)
3800 if (Ustrncmp(pp, "pass", 4) == 0) cutthrough.defer_pass = TRUE;
3801 /* else if (Ustrncmp(pp, "spool") == 0) ; default */
3804 while (*pp && *pp != '/') pp++;
3809 DEBUG(D_acl) if (ignored)
3810 debug_printf(" cutthrough request ignored on %s item\n", ignored);
3815 case CONTROL_UTF8_DOWNCONVERT:
3820 message_utf8_downconvert = 1;
3821 addr->prop.utf8_downcvt = TRUE;
3822 addr->prop.utf8_downcvt_maybe = FALSE;
3828 message_utf8_downconvert = 0;
3829 addr->prop.utf8_downcvt = FALSE;
3830 addr->prop.utf8_downcvt_maybe = FALSE;
3834 if (p[1] == '-' && p[2] == '1')
3836 message_utf8_downconvert = -1;
3837 addr->prop.utf8_downcvt = FALSE;
3838 addr->prop.utf8_downcvt_maybe = TRUE;
3842 *log_msgptr = US"bad option value for control=utf8_downconvert";
3846 message_utf8_downconvert = 1;
3847 addr->prop.utf8_downcvt = TRUE;
3848 addr->prop.utf8_downcvt_maybe = FALSE;
3854 #ifndef DISABLE_WELLKNOWN
3855 case CONTROL_WELLKNOWN:
3856 rc = *p == '/' ? wellknown_process(p+1, log_msgptr) : FAIL;
3863 #ifdef EXPERIMENTAL_DCC
3866 /* Separate the regular expression and any optional parameters. */
3867 const uschar * list = arg;
3869 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
3870 /* Run the dcc backend. */
3871 rc = dcc_process(&ss);
3872 /* Modify return code based upon the existence of options. */
3873 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
3874 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3875 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
3880 #ifdef WITH_CONTENT_SCAN
3882 rc = mime_decode(&arg);
3888 int delay = readconf_readtime(arg, 0, FALSE);
3891 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3892 "modifier: \"%s\" is not a time value", arg);
3897 HDEBUG(D_acl) debug_printf_indent("delay modifier requests %d-second delay\n",
3902 debug_printf_indent("delay skipped in -bh checking mode\n");
3905 /* NOTE 1: Remember that we may be
3906 dealing with stdin/stdout here, in addition to TCP/IP connections.
3907 Also, delays may be specified for non-SMTP input, where smtp_out and
3908 smtp_in will be NULL. Whatever is done must work in all cases.
3910 NOTE 2: The added feature of flushing the output before a delay must
3911 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3916 if (smtp_out && !f.disable_delay_flush)
3919 #if !defined(NO_POLL_H) && defined (POLLRDHUP)
3925 p.fd = fileno(smtp_out);
3926 p.events = POLLRDHUP;
3929 if (poll(&p, n, delay*1000) > 0)
3930 HDEBUG(D_acl) debug_printf_indent("delay cancelled by peer close\n");
3933 /* Lacking POLLRDHUP it appears to be impossible to detect that a
3934 TCP/IP connection has gone away without reading from it. This means
3935 that we cannot shorten the delay below if the client goes away,
3936 because we cannot discover that the client has closed its end of the
3937 connection. (The connection is actually in a half-closed state,
3938 waiting for the server to close its end.) It would be nice to be able
3939 to detect this state, so that the Exim process is not held up
3940 unnecessarily. However, it seems that we can't. The poll() function
3941 does not do the right thing, and in any case it is not always
3944 while (delay > 0) delay = sleep(delay);
3951 #ifndef DISABLE_DKIM
3952 case ACLC_DKIM_SIGNER:
3953 case ACLC_DKIM_STATUS:
3954 /* See comment on ACLC_SPF wrt. coding issues */
3956 misc_module_info * mi = misc_mod_find(US"dkim", &log_message);
3957 typedef int (*fn_t)(const uschar *);
3959 ? (((fn_t *) mi->functions)
3960 [cb->type == ACLC_DKIM_SIGNER
3961 ? DKIM_SIGNER_ISINLIST
3962 : DKIM_STATUS_LISTMATCH]) (arg)
3968 #ifdef SUPPORT_DMARC
3969 case ACLC_DMARC_STATUS:
3970 /* See comment on ACLC_SPF wrt. coding issues */
3972 misc_module_info * mi = misc_mod_find(US"dmarc", &log_message);
3973 typedef uschar * (*efn_t)(int);
3974 uschar * expanded_query;
3977 { rc = DEFER; break; } /* shouldn't happen */
3979 if (!f.dmarc_has_been_checked)
3981 typedef int (*pfn_t)(void);
3982 (void) (((pfn_t *) mi->functions)[DMARC_PROCESS]) ();
3983 f.dmarc_has_been_checked = TRUE;
3986 /* used long way of dmarc_exim_expand_query() in case we need more
3987 view into the process in the future. */
3989 /*XXX is this call used with any other arg? */
3990 expanded_query = (((efn_t *) mi->functions)[DMARC_EXPAND_QUERY])
3991 (DMARC_VERIFY_STATUS);
3992 rc = match_isinlist(expanded_query,
3993 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3999 rc = verify_check_dnsbl(where, arg, log_msgptr);
4003 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
4004 addr->domain_cache, MCL_DOMAIN, TRUE, CUSS &deliver_domain_data);
4007 /* The value in tls_cipher is the full cipher name, for example,
4008 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
4009 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
4010 what may in practice come out of the SSL library - which at the time of
4011 writing is poorly documented. */
4013 case ACLC_ENCRYPTED:
4014 if (!tls_in.cipher) rc = FAIL;
4017 uschar *endcipher = NULL;
4018 uschar *cipher = Ustrchr(tls_in.cipher, ':');
4019 if (!cipher) cipher = tls_in.cipher; else
4021 endcipher = Ustrchr(++cipher, ':');
4022 if (endcipher) *endcipher = 0;
4024 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
4025 if (endcipher) *endcipher = ':';
4029 /* Use verify_check_this_host() instead of verify_check_host() so that
4030 we can pass over &host_data to catch any looked up data. Once it has been
4031 set, it retains its value so that it's still there if another ACL verb
4032 comes through here and uses the cache. However, we must put it into
4033 permanent store in case it is also expected to be used in a subsequent
4034 message in the same SMTP connection. */
4037 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
4038 sender_host_address ? sender_host_address : US"", CUSS &host_data);
4039 if (rc == DEFER) *log_msgptr = search_error_message;
4040 if (host_data) host_data = string_copy_perm(host_data, TRUE);
4043 case ACLC_LOCAL_PARTS:
4044 rc = match_isinlist(addr->cc_local_part, &arg, 0,
4045 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
4046 CUSS &deliver_localpart_data);
4049 case ACLC_LOG_REJECT_TARGET:
4051 int logbits = 0, sep = 0;
4052 const uschar * s = arg;
4054 for (uschar * ss; ss = string_nextinlist(&s, &sep, NULL, 0); )
4056 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
4057 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
4058 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
4061 logbits |= LOG_MAIN|LOG_REJECT;
4062 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
4063 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
4066 log_reject_target = logbits;
4073 const uschar *s = arg;
4079 if (Ustrncmp(s, "main", 4) == 0)
4080 { logbits |= LOG_MAIN; s += 4; }
4081 else if (Ustrncmp(s, "panic", 5) == 0)
4082 { logbits |= LOG_PANIC; s += 5; }
4083 else if (Ustrncmp(s, "reject", 6) == 0)
4084 { logbits |= LOG_REJECT; s += 6; }
4087 logbits = LOG_MAIN|LOG_PANIC;
4088 s = string_sprintf(":unknown log name in \"%s\" in "
4089 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
4095 Uskip_whitespace(&s);
4097 if (logbits == 0) logbits = LOG_MAIN;
4098 log_write(0, logbits, "%s", string_printing(s));
4102 #ifdef WITH_CONTENT_SCAN
4103 case ACLC_MALWARE: /* Run the malware backend. */
4105 /* Separate the regular expression and any optional parameters. */
4106 const uschar * list = arg;
4107 BOOL defer_ok = FALSE;
4108 int timeout = 0, sep = -'/';
4109 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
4111 for (uschar * opt; opt = string_nextinlist(&list, &sep, NULL, 0); )
4112 if (strcmpic(opt, US"defer_ok") == 0)
4114 else if ( strncmpic(opt, US"tmo=", 4) == 0
4115 && (timeout = readconf_readtime(opt+4, '\0', FALSE)) < 0
4118 *log_msgptr = string_sprintf("bad timeout value in '%s'", opt);
4122 rc = malware(ss, textonly, timeout);
4123 if (rc == DEFER && defer_ok)
4124 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
4128 case ACLC_MIME_REGEX:
4129 rc = mime_regex(&arg, textonly);
4134 if (is_tainted(arg))
4136 *log_msgptr = string_sprintf("Tainted name '%s' for queue not permitted",
4140 if (Ustrchr(arg, '/'))
4142 *log_msgptr = string_sprintf(
4143 "Directory separator not permitted in queue name: '%s'", arg);
4146 queue_name = string_copy_perm(arg, FALSE);
4149 case ACLC_RATELIMIT:
4150 rc = acl_ratelimit(arg, where, log_msgptr);
4153 case ACLC_RECIPIENTS:
4154 rc = match_address_list(CUS addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
4155 CUSS &recipient_data);
4158 #ifdef WITH_CONTENT_SCAN
4160 rc = regex(&arg, textonly);
4164 case ACLC_REMOVE_HEADER:
4165 setup_remove_header(arg);
4169 rc = acl_seen(arg, where, log_msgptr);
4172 case ACLC_SENDER_DOMAINS:
4175 sdomain = Ustrrchr(sender_address, '@');
4176 sdomain = sdomain ? sdomain + 1 : US"";
4177 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
4178 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
4183 rc = match_address_list(CUS sender_address, TRUE, TRUE, &arg,
4184 sender_address_cache, -1, 0, CUSS &sender_data);
4187 /* Connection variables must persist forever; message variables not */
4191 int old_pool = store_pool;
4192 if ( cb->u.varname[0] != 'm'
4193 #ifndef DISABLE_EVENT
4194 || event_name /* An event is being delivered */
4197 store_pool = POOL_PERM;
4199 #ifndef DISABLE_DKIM /* Overwriteable dkim result variables */
4200 if ( Ustrcmp(cb->u.varname, "dkim_verify_status") == 0
4201 || Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0
4204 misc_module_info * mi = misc_mod_findonly(US"dkim");
4205 typedef void (*fn_t)(const uschar *, void *);
4208 (((fn_t *) mi->functions)[DKIM_SETVAR])
4209 (cb->u.varname, string_copy(arg));
4213 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
4214 store_pool = old_pool;
4218 #ifdef WITH_CONTENT_SCAN
4221 /* Separate the regular expression and any optional parameters. */
4222 const uschar * list = arg;
4224 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
4226 rc = spam(CUSS &ss);
4227 /* Modify return code based upon the existence of options. */
4228 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
4229 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
4230 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
4237 case ACLC_SPF_GUESS:
4238 /* We have hardwired function-call numbers, and also prototypes for the
4239 functions. We could do a function name table search or (simpler)
4240 a module include file with defines for the numbers
4241 but I can't see how to deal with prototypes. Is a K&R non-prototyped
4242 function still usable with today's compilers (but we would lose on
4243 type-checking)? We could macroize the typedef, and even the function
4244 table access - but it obscures how it works rather. */
4246 misc_module_info * mi = misc_mod_find(US"spf", &log_message);
4247 typedef int (*fn_t)(const uschar **, const uschar *, int);
4251 { rc = DEFER; break; } /* shouldn't happen */
4253 fn = ((fn_t *) mi->functions)[SPF_PROCESS];
4255 rc = fn(&arg, sender_address,
4256 cb->type == ACLC_SPF ? SPF_PROCESS_NORMAL : SPF_PROCESS_GUESS);
4262 rc = acl_udpsend(arg, log_msgptr);
4265 /* If the verb is WARN, discard any user message from verification, because
4266 such messages are SMTP responses, not header additions. The latter come
4267 only from explicit "message" modifiers. However, put the user message into
4268 $acl_verify_message so it can be used in subsequent conditions or modifiers
4269 (until something changes it). */
4272 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
4274 acl_verify_message = *user_msgptr;
4275 if (verb == ACL_WARN) *user_msgptr = NULL;
4279 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
4280 "condition %d", cb->type);
4284 /* If a condition was negated, invert OK/FAIL. */
4286 if (!(conditions[cb->type].flags & ACD_MOD) && cb->u.negated)
4287 if (rc == OK) rc = FAIL;
4288 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
4290 if (rc != OK) break; /* Conditions loop */
4294 /* If the result is the one for which "message" and/or "log_message" are used,
4295 handle the values of these modifiers. If there isn't a log message set, we make
4296 it the same as the user message.
4298 "message" is a user message that will be included in an SMTP response. Unless
4299 it is empty, it overrides any previously set user message.
4301 "log_message" is a non-user message, and it adds to any existing non-user
4302 message that is already set.
4304 Most verbs have but a single return for which the messages are relevant, but
4305 for "discard", it's useful to have the log message both when it succeeds and
4306 when it fails. For "accept", the message is used in the OK case if there is no
4307 "endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
4310 if (*epp && rc == OK) user_message = NULL;
4312 if ((BIT(rc) & msgcond[verb]) != 0)
4315 uschar *old_user_msgptr = *user_msgptr;
4316 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
4318 /* If the verb is "warn", messages generated by conditions (verification or
4319 nested ACLs) are always discarded. This also happens for acceptance verbs
4320 when they actually do accept. Only messages specified at this level are used.
4321 However, the value of an existing message is available in $acl_verify_message
4322 during expansions. */
4324 if (verb == ACL_WARN ||
4325 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
4326 *log_msgptr = *user_msgptr = NULL;
4330 acl_verify_message = old_user_msgptr;
4331 expmessage = expand_string(user_message);
4334 if (!f.expand_string_forcedfail)
4335 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
4336 user_message, expand_string_message);
4338 else if (expmessage[0] != 0) *user_msgptr = expmessage;
4343 acl_verify_message = old_log_msgptr;
4344 expmessage = expand_string(log_message);
4347 if (!f.expand_string_forcedfail)
4348 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
4349 log_message, expand_string_message);
4351 else if (expmessage[0] != 0)
4353 *log_msgptr = (*log_msgptr == NULL)? expmessage :
4354 string_sprintf("%s: %s", expmessage, *log_msgptr);
4358 /* If no log message, default it to the user message */
4360 if (!*log_msgptr) *log_msgptr = *user_msgptr;
4363 acl_verify_message = NULL;
4371 /*************************************************
4372 * Get line from a literal ACL *
4373 *************************************************/
4375 /* This function is passed to acl_read() in order to extract individual lines
4376 of a literal ACL, which we access via static pointers. We can destroy the
4377 contents because this is called only once (the compiled ACL is remembered).
4379 This code is intended to treat the data in the same way as lines in the main
4380 Exim configuration file. That is:
4382 . Leading spaces are ignored.
4384 . A \ at the end of a line is a continuation - trailing spaces after the \
4385 are permitted (this is because I don't believe in making invisible things
4386 significant). Leading spaces on the continued part of a line are ignored.
4388 . Physical lines starting (significantly) with # are totally ignored, and
4389 may appear within a sequence of backslash-continued lines.
4391 . Blank lines are ignored, but will end a sequence of continuations.
4394 Returns: a pointer to the next line
4398 static uschar *acl_text; /* Current pointer in the text */
4399 static uschar *acl_text_end; /* Points one past the terminating '0' */
4407 /* This loop handles leading blank lines and comments. */
4411 Uskip_whitespace(&acl_text); /* Leading spaces/empty lines */
4412 if (!*acl_text) return NULL; /* No more data */
4413 yield = acl_text; /* Potential data line */
4415 while (*acl_text && *acl_text != '\n') acl_text++;
4417 /* If we hit the end before a newline, we have the whole logical line. If
4418 it's a comment, there's no more data to be given. Otherwise, yield it. */
4420 if (!*acl_text) return *yield == '#' ? NULL : yield;
4422 /* After reaching a newline, end this loop if the physical line does not
4423 start with '#'. If it does, it's a comment, and the loop continues. */
4425 if (*yield != '#') break;
4428 /* This loop handles continuations. We know we have some real data, ending in
4429 newline. See if there is a continuation marker at the end (ignoring trailing
4430 white space). We know that *yield is not white space, so no need to test for
4431 cont > yield in the backwards scanning loop. */
4436 for (cont = acl_text - 1; isspace(*cont); cont--);
4438 /* If no continuation follows, we are done. Mark the end of the line and
4447 /* We have encountered a continuation. Skip over whitespace at the start of
4448 the next line, and indeed the whole of the next line or lines if they are
4453 while (*(++acl_text) == ' ' || *acl_text == '\t');
4454 if (*acl_text != '#') break;
4455 while (*(++acl_text) != 0 && *acl_text != '\n');
4458 /* We have the start of a continuation line. Move all the rest of the data
4459 to join onto the previous line, and then find its end. If the end is not a
4460 newline, we are done. Otherwise loop to look for another continuation. */
4462 memmove(cont, acl_text, acl_text_end - acl_text);
4463 acl_text_end -= acl_text - cont;
4465 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
4466 if (*acl_text == 0) return yield;
4469 /* Control does not reach here */
4476 /************************************************/
4477 /* For error messages, a string describing the config location
4478 associated with current processing. NULL if not in an ACL. */
4481 acl_current_verb(void)
4483 if (acl_current) return string_sprintf(" (ACL %s, %s %d)",
4484 verbs[acl_current->verb], acl_current->srcfile, acl_current->srcline);
4488 /*************************************************
4489 * Check access using an ACL *
4490 *************************************************/
4492 /* This function is called from address_check. It may recurse via
4493 acl_check_condition() - hence the use of a level to stop looping. The ACL is
4494 passed as a string which is expanded. A forced failure implies no access check
4495 is required. If the result is a single word, it is taken as the name of an ACL
4496 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
4497 text, complete with newlines, and parsed as such. In both cases, the ACL check
4498 is then run. This function uses an auxiliary function for acl_read() to call
4499 for reading individual lines of a literal ACL. This is acl_getline(), which
4500 appears immediately above.
4503 where where called from
4504 addr address item when called from RCPT; otherwise NULL
4505 s the input string; NULL is the same as an empty ACL => DENY
4506 user_msgptr where to put a user error (for SMTP response)
4507 log_msgptr where to put a logging message (not for SMTP response)
4509 Returns: OK access is granted
4510 DISCARD access is apparently granted...
4511 FAIL access is denied
4512 FAIL_DROP access is denied; drop the connection
4513 DEFER can't tell at the moment
4518 acl_check_internal(int where, address_item *addr, uschar *s,
4519 uschar **user_msgptr, uschar **log_msgptr)
4522 acl_block *acl = NULL;
4523 uschar *acl_name = US"inline ACL";
4526 /* Catch configuration loops */
4530 *log_msgptr = US"ACL nested too deep: possible loop";
4536 HDEBUG(D_acl) debug_printf_indent("ACL is NULL: implicit DENY\n");
4540 /* At top level, we expand the incoming string. At lower levels, it has already
4541 been expanded as part of condition processing. */
4545 else if (!(ss = expand_string(s)))
4547 if (f.expand_string_forcedfail) return OK;
4548 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
4549 expand_string_message);
4553 Uskip_whitespace(&ss);
4555 /* If we can't find a named ACL, the default is to parse it as an inline one.
4556 (Unless it begins with a slash; non-existent files give rise to an error.) */
4560 if (is_tainted(acl_text) && !f.running_in_test_harness)
4562 log_write(0, LOG_MAIN|LOG_PANIC,
4563 "attempt to use tainted ACL text \"%s\"", acl_text);
4564 /* Avoid leaking info to an attacker */
4565 *log_msgptr = US"internal configuration error";
4569 /* Handle the case of a string that does not contain any spaces. Look for a
4570 named ACL among those read from the configuration, or a previously read file.
4571 It is possible that the pointer to the ACL is NULL if the configuration
4572 contains a name with no data. If not found, and the text begins with '/',
4573 read an ACL from a file, and save it so it can be re-used. */
4575 if (Ustrchr(ss, ' ') == NULL)
4577 tree_node * t = tree_search(acl_anchor, ss);
4580 if (!(acl = (acl_block *)(t->data.ptr)))
4582 HDEBUG(D_acl) debug_printf_indent("ACL \"%s\" is empty: implicit DENY\n", ss);
4585 acl_name = string_sprintf("ACL %s", ss);
4586 HDEBUG(D_acl) debug_printf_indent("using ACL \"%s\"\n", ss);
4589 else if (*ss == '/')
4591 struct stat statbuf;
4592 if ((fd = Uopen(ss, O_RDONLY, 0)) < 0)
4594 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
4598 if (fstat(fd, &statbuf) != 0)
4600 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
4605 /* If the string being used as a filename is tainted, so is the file content */
4606 acl_text = store_get(statbuf.st_size + 1, ss);
4607 acl_text_end = acl_text + statbuf.st_size + 1;
4609 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
4611 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
4612 ss, strerror(errno));
4615 acl_text[statbuf.st_size] = 0;
4618 acl_name = string_sprintf("ACL %s", ss);
4619 HDEBUG(D_acl) debug_printf_indent("read ACL from file %s\n", ss);
4623 /* Parse an ACL that is still in text form. If it came from a file, remember it
4624 in the ACL tree, having read it into the POOL_PERM store pool so that it
4625 persists between multiple messages. */
4629 int old_pool = store_pool;
4630 if (fd >= 0) store_pool = POOL_PERM;
4631 acl = acl_read(acl_getline, log_msgptr);
4632 store_pool = old_pool;
4633 if (!acl && *log_msgptr) return ERROR;
4636 tree_node * t = store_get_perm(sizeof(tree_node) + Ustrlen(ss), ss);
4637 Ustrcpy(t->name, ss);
4639 (void)tree_insertnode(&acl_anchor, t);
4643 /* Now we have an ACL to use. It's possible it may be NULL. */
4645 while ((acl_current = acl))
4648 int basic_errno = 0;
4649 BOOL endpass_seen = FALSE;
4650 BOOL acl_quit_check = acl_level == 0
4651 && (where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT);
4653 *log_msgptr = *user_msgptr = NULL;
4654 f.acl_temp_details = FALSE;
4656 config_filename = acl->srcfile;
4657 config_lineno = acl->srcline;
4661 debug_printf_indent("processing %s \"%s\"", acl_name, verbs[acl->verb]);
4662 if (config_lineno) debug_printf(" (%s %d)", config_filename, config_lineno);
4666 /* Clear out any search error message from a previous check before testing
4669 search_error_message = NULL;
4670 cond = acl_check_condition(acl->verb, acl->condition, where, addr, acl_level,
4671 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
4673 /* Handle special returns: DEFER causes a return except on a WARN verb;
4674 ERROR always causes a return. */
4679 HDEBUG(D_acl) debug_printf_indent("%s: condition test deferred in %s\n",
4680 verbs[acl->verb], acl_name);
4681 if (basic_errno != ERRNO_CALLOUTDEFER)
4683 if (search_error_message && *search_error_message)
4684 *log_msgptr = search_error_message;
4685 if (smtp_return_error_details) f.acl_temp_details = TRUE;
4688 f.acl_temp_details = TRUE;
4689 if (acl->verb != ACL_WARN) return DEFER;
4692 default: /* Paranoia */
4694 HDEBUG(D_acl) debug_printf_indent("%s: condition test error in %s\n",
4695 verbs[acl->verb], acl_name);
4699 HDEBUG(D_acl) debug_printf_indent("%s: condition test succeeded in %s\n",
4700 verbs[acl->verb], acl_name);
4704 HDEBUG(D_acl) debug_printf_indent("%s: condition test failed in %s\n",
4705 verbs[acl->verb], acl_name);
4708 /* DISCARD and DROP can happen only from a nested ACL condition, and
4709 DISCARD can happen only for an "accept" or "discard" verb. */
4712 HDEBUG(D_acl) debug_printf_indent("%s: condition test yielded \"discard\" in %s\n",
4713 verbs[acl->verb], acl_name);
4717 HDEBUG(D_acl) debug_printf_indent("%s: condition test yielded \"drop\" in %s\n",
4718 verbs[acl->verb], acl_name);
4722 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
4723 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
4724 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
4729 if (cond == OK || cond == DISCARD)
4731 HDEBUG(D_acl) debug_printf_indent("end of %s: ACCEPT\n", acl_name);
4736 HDEBUG(D_acl) debug_printf_indent("accept: endpass encountered - denying access\n");
4744 HDEBUG(D_acl) debug_printf_indent("end of %s: DEFER\n", acl_name);
4745 if (acl_quit_check) goto badquit;
4746 f.acl_temp_details = TRUE;
4754 HDEBUG(D_acl) debug_printf_indent("end of %s: DENY\n", acl_name);
4755 if (acl_quit_check) goto badquit;
4761 if (cond == OK || cond == DISCARD)
4763 HDEBUG(D_acl) debug_printf_indent("end of %s: DISCARD\n", acl_name);
4764 if (acl_quit_check) goto badquit;
4770 debug_printf_indent("discard: endpass encountered - denying access\n");
4778 HDEBUG(D_acl) debug_printf_indent("end of %s: DROP\n", acl_name);
4779 if (acl_quit_check) goto badquit;
4787 HDEBUG(D_acl) debug_printf_indent("end of %s: not OK\n", acl_name);
4788 if (acl_quit_check) goto badquit;
4795 acl_warn(where, *user_msgptr, *log_msgptr);
4796 else if (cond == DEFER && LOGGING(acl_warn_skipped))
4797 if (config_lineno > 0)
4798 log_write(0, LOG_MAIN,
4799 "%s Warning: ACL 'warn' statement skipped (in %s at line %d of %s):"
4800 " condition test deferred%s%s",
4801 host_and_ident(TRUE), acl_name, config_lineno, config_filename,
4802 *log_msgptr ? US": " : US"", *log_msgptr ? *log_msgptr : US"");
4804 log_write(0, LOG_MAIN,
4805 "%s Warning: ACL 'warn' statement skipped (in %s):"
4806 " condition test deferred%s%s",
4807 host_and_ident(TRUE), acl_name,
4808 *log_msgptr ? US": " : US"", *log_msgptr ? *log_msgptr : US"");
4809 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
4813 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
4818 /* Pass to the next ACL item */
4823 /* We have reached the end of the ACL. This is an implicit DENY. */
4825 HDEBUG(D_acl) debug_printf_indent("end of %s: implicit DENY\n", acl_name);
4829 *log_msgptr = string_sprintf("QUIT or not-QUIT toplevel ACL may not fail "
4830 "('%s' verb used incorrectly)", verbs[acl->verb]);
4837 /* Same args as acl_check_internal() above, but the string s is
4838 the name of an ACL followed optionally by up to 9 space-separated arguments.
4839 The name and args are separately expanded. Args go into $acl_arg globals. */
4841 acl_check_wargs(int where, address_item *addr, const uschar *s,
4842 uschar **user_msgptr, uschar **log_msgptr)
4845 uschar * tmp_arg[9]; /* must match acl_arg[] */
4846 uschar * sav_arg[9]; /* must match acl_arg[] */
4852 if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
4855 for (i = 0; i < 9; i++)
4857 if (!Uskip_whitespace(&s))
4859 if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
4866 sav_narg = acl_narg;
4868 for (i = 0; i < acl_narg; i++)
4870 sav_arg[i] = acl_arg[i];
4871 acl_arg[i] = tmp_arg[i];
4875 sav_arg[i] = acl_arg[i];
4876 acl_arg[i++] = NULL;
4880 ret = acl_check_internal(where, addr, name, user_msgptr, log_msgptr);
4884 acl_narg = sav_narg;
4885 for (i = 0; i < 9; i++) acl_arg[i] = sav_arg[i];
4889 if (f.expand_string_forcedfail) return ERROR;
4890 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
4891 tmp, expand_string_message);
4892 return f.search_find_defer ? DEFER : ERROR;
4897 /*************************************************
4898 * Check access using an ACL *
4899 *************************************************/
4901 /* Alternate interface for ACL, used by expansions */
4903 acl_eval(int where, uschar *s, uschar **user_msgptr, uschar **log_msgptr)
4906 address_item *addr = NULL;
4909 *user_msgptr = *log_msgptr = NULL;
4910 sender_verified_failed = NULL;
4911 ratelimiters_cmd = NULL;
4912 log_reject_target = LOG_MAIN|LOG_REJECT;
4914 if (where == ACL_WHERE_RCPT)
4916 adb = address_defaults;
4918 addr->address = expand_string(US"$local_part@$domain");
4919 addr->domain = deliver_domain;
4920 addr->local_part = deliver_localpart;
4921 addr->cc_local_part = deliver_localpart;
4922 addr->lc_local_part = deliver_localpart;
4926 rc = acl_check_internal(where, addr, s, user_msgptr, log_msgptr);
4934 /* This is the external interface for ACL checks. It sets up an address and the
4935 expansions for $domain and $local_part when called after RCPT, then calls
4936 acl_check_internal() to do the actual work.
4939 where ACL_WHERE_xxxx indicating where called from
4940 recipient RCPT address for RCPT check, else NULL
4941 s the input string; NULL is the same as an empty ACL => DENY
4942 user_msgptr where to put a user error (for SMTP response)
4943 log_msgptr where to put a logging message (not for SMTP response)
4945 Returns: OK access is granted by an ACCEPT verb
4946 DISCARD access is granted by a DISCARD verb
4947 FAIL access is denied
4948 FAIL_DROP access is denied; drop the connection
4949 DEFER can't tell at the moment
4954 acl_check(int where, const uschar * recipient, uschar * s,
4955 uschar ** user_msgptr, uschar ** log_msgptr)
4959 address_item *addr = NULL;
4961 *user_msgptr = *log_msgptr = NULL;
4962 sender_verified_failed = NULL;
4963 ratelimiters_cmd = NULL;
4964 log_reject_target = LOG_MAIN|LOG_REJECT;
4966 #ifndef DISABLE_PRDR
4967 if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY || where==ACL_WHERE_PRDR)
4969 if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY)
4972 adb = address_defaults;
4974 addr->address = recipient;
4975 if (deliver_split_address(addr) == DEFER)
4977 *log_msgptr = US"defer in percent_hack_domains check";
4981 if ((addr->prop.utf8_msg = message_smtputf8))
4983 addr->prop.utf8_downcvt = message_utf8_downconvert == 1;
4984 addr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
4987 deliver_domain = addr->domain;
4988 deliver_localpart = addr->local_part;
4993 rc = acl_check_internal(where, addr, s, user_msgptr, log_msgptr);
4995 acl_where = ACL_WHERE_UNKNOWN;
4998 /* Cutthrough - if requested,
4999 and WHERE_RCPT and not yet opened conn as result of recipient-verify,
5000 and rcpt acl returned accept,
5001 and first recipient (cancel on any subsequents)
5002 open one now and run it up to RCPT acceptance.
5003 A failed verify should cancel cutthrough request,
5004 and will pass the fail to the originator.
5005 Initial implementation: dual-write to spool.
5006 Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
5008 Cease cutthrough copy on rxd final dot; do not send one.
5010 On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
5012 On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
5013 perm-rejected, reflect that to the original sender - and dump the spooled copy.
5014 If temp-reject, close the conn (and keep the spooled copy).
5015 If conn-failure, no action (and keep the spooled copy).
5019 case ACL_WHERE_RCPT:
5020 #ifndef DISABLE_PRDR
5021 case ACL_WHERE_PRDR:
5024 if (f.host_checking_callout) /* -bhc mode */
5025 cancel_cutthrough_connection(TRUE, US"host-checking mode");
5028 && cutthrough.delivery
5029 && rcpt_count > cutthrough.nrcpt
5032 if ((rc = open_cutthrough_connection(addr)) == DEFER)
5033 if (cutthrough.defer_pass)
5035 uschar * s = addr->message;
5036 /* Horrid kludge to recover target's SMTP message */
5038 do --s; while (!isdigit(*s));
5039 if (*--s && isdigit(*s) && *--s && isdigit(*s)) *user_msgptr = s;
5040 f.acl_temp_details = TRUE;
5044 HDEBUG(D_acl) debug_printf_indent("cutthrough defer; will spool\n");
5048 else HDEBUG(D_acl) if (cutthrough.delivery)
5049 if (rcpt_count <= cutthrough.nrcpt)
5050 debug_printf_indent("ignore cutthrough request; nonfirst message\n");
5052 debug_printf_indent("ignore cutthrough request; ACL did not accept\n");
5055 case ACL_WHERE_PREDATA:
5057 cutthrough_predata();
5059 cancel_cutthrough_connection(TRUE, US"predata acl not ok");
5062 case ACL_WHERE_QUIT:
5063 case ACL_WHERE_NOTQUIT:
5064 /* Drop cutthrough conns, and drop heldopen verify conns if
5065 the previous was not DATA */
5068 smtp_connection_had[SMTP_HBUFF_PREV(SMTP_HBUFF_PREV(smtp_ch_index))];
5069 BOOL dropverify = !(prev == SCH_DATA || prev == SCH_BDAT);
5071 cancel_cutthrough_connection(dropverify, US"quit or conndrop");
5079 deliver_domain = deliver_localpart = deliver_address_data =
5080 deliver_domain_data = sender_address_data = NULL;
5082 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
5083 ACL, which is really in the middle of an SMTP command. */
5087 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
5089 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
5090 "ACL", acl_wherenames[where]);
5096 /* A DROP response is not permitted from MAILAUTH */
5098 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
5100 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
5101 "ACL", acl_wherenames[where]);
5105 /* Before giving a response, take a look at the length of any user message, and
5106 split it up into multiple lines if possible. */
5108 *user_msgptr = string_split_message(*user_msgptr);
5109 if (fake_response != OK)
5110 fake_response_text = string_split_message(fake_response_text);
5116 /*************************************************
5117 * Create ACL variable *
5118 *************************************************/
5120 /* Create an ACL variable or reuse an existing one. ACL variables are in a
5121 binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
5124 name pointer to the variable's name, starting with c or m
5126 Returns the pointer to variable's tree node
5130 acl_var_create(uschar * name)
5132 tree_node * node, ** root = name[0] == 'c' ? &acl_var_c : &acl_var_m;
5133 if (!(node = tree_search(*root, name)))
5135 node = store_get(sizeof(tree_node) + Ustrlen(name), name);
5136 Ustrcpy(node->name, name);
5137 (void)tree_insertnode(root, node);
5139 node->data.ptr = NULL;
5145 /*************************************************
5146 * Write an ACL variable in spool format *
5147 *************************************************/
5149 /* This function is used as a callback for tree_walk when writing variables to
5150 the spool file. To retain spool file compatibility, what is written is -aclc or
5151 -aclm followed by the rest of the name and the data length, space separated,
5152 then the value itself, starting on a new line, and terminated by an additional
5153 newline. When we had only numbered ACL variables, the first line might look
5154 like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
5158 name of the variable
5159 value of the variable
5160 ctx FILE pointer (as a void pointer)
5166 acl_var_write(uschar * name, uschar * value, void * ctx)
5168 FILE * f = (FILE *)ctx;
5170 if (is_tainted(value))
5172 const uschar * quoter_name;
5174 (void) quoter_for_address(value, "er_name);
5176 fprintf(f, "(%s)", quoter_name);
5178 fprintf(f, "acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
5185 acl_standalone_setvar(const uschar * s, BOOL taint)
5187 acl_condition_block * cond = store_get(sizeof(acl_condition_block), GET_UNTAINTED);
5188 uschar * errstr = NULL, * log_msg = NULL;
5189 BOOL endpass_seen = FALSE;
5193 cond->type = ACLC_SET;
5194 if (!acl_varname_to_cond(&s, cond, &errstr)) return errstr;
5195 if (!acl_data_to_cond(s, cond, US"'-be'", taint, &errstr)) return errstr;
5197 if (acl_check_condition(ACL_WARN, cond, ACL_WHERE_UNKNOWN,
5198 NULL, 0, &endpass_seen, &errstr, &log_msg, &e) != OK)
5199 return string_sprintf("oops: %s", errstr);
5200 return string_sprintf("variable %s set", cond->u.varname);
5204 #endif /* !MACRO_PREDEF */
git://git.exim.org / exim.git / blob