1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2024 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Code for handling Access Control Lists (ACLs) */
16 /* Default callout timeout */
18 #define CALLOUT_TIMEOUT_DEFAULT 30
20 /* Default quota cache TTLs */
22 #define QUOTA_POS_DEFAULT (5*60)
23 #define QUOTA_NEG_DEFAULT (60*60)
26 /* ACL verb codes - keep in step with the table of verbs that follows */
28 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
33 static uschar *verbs[] = {
34 [ACL_ACCEPT] = US"accept",
35 [ACL_DEFER] = US"defer",
36 [ACL_DENY] = US"deny",
37 [ACL_DISCARD] = US"discard",
38 [ACL_DROP] = US"drop",
39 [ACL_REQUIRE] = US"require",
43 /* For each verb, the conditions for which "message" or "log_message" are used
44 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
45 "accept", the FAIL case is used only after "endpass", but that is selected in
48 static int msgcond[] = {
49 [ACL_ACCEPT] = BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
50 [ACL_DEFER] = BIT(OK),
52 [ACL_DISCARD] = BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
54 [ACL_REQUIRE] = BIT(FAIL) | BIT(FAIL_DROP),
60 /* ACL condition and modifier codes */
65 #ifdef EXPERIMENTAL_BRIGHTMAIL
71 #ifdef EXPERIMENTAL_DCC
74 #ifdef WITH_CONTENT_SCAN
92 ACLC_LOG_REJECT_TARGET,
94 #ifdef WITH_CONTENT_SCAN
98 #ifdef WITH_CONTENT_SCAN
104 #ifdef WITH_CONTENT_SCAN
112 #ifdef WITH_CONTENT_SCAN
123 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
124 "message", "log_message", "log_reject_target", "logwrite", "queue" and "set" are
125 modifiers that look like conditions but always return TRUE. They are used for
126 their side effects. Do not invent new modifier names that result in one name
127 being the prefix of another; the binary-search in the list will go wrong. */
129 typedef struct condition_def {
132 /* Flags for actions or checks to do during readconf for this condition */
134 #define ACD_EXP BIT(0) /* do expansion at outer level*/
135 #define ACD_MOD BIT(1) /* is a modifier */
136 #define ACD_LOAD BIT(2) /* supported by a dynamic-load module */
138 /* Bit map vector of which conditions and modifiers are not allowed at certain
139 times. For each condition and modifier, there's a bitmap of dis-allowed times.
140 For some, it is easier to specify the negation of a small number of allowed
143 #define FORBIDDEN(times) (times)
144 #define PERMITTED(times) ((unsigned) ~(times))
148 static condition_def conditions[] = {
149 [ACLC_ACL] = { US"acl", 0,
152 [ACLC_ADD_HEADER] = { US"add_header", ACD_EXP | ACD_MOD,
153 PERMITTED(ACL_BIT_MAIL | ACL_BIT_RCPT |
154 ACL_BIT_PREDATA | ACL_BIT_DATA |
158 ACL_BIT_MIME | ACL_BIT_NOTSMTP |
160 ACL_BIT_NOTSMTP_START),
163 [ACLC_AUTHENTICATED] = { US"authenticated", 0,
164 FORBIDDEN(ACL_BIT_NOTSMTP |
165 ACL_BIT_NOTSMTP_START |
166 ACL_BIT_CONNECT | ACL_BIT_HELO),
168 #ifdef EXPERIMENTAL_BRIGHTMAIL
169 [ACLC_BMI_OPTIN] = { US"bmi_optin", ACD_EXP | ACD_MOD,
170 FORBIDDEN(ACL_BIT_AUTH |
171 ACL_BIT_CONNECT | ACL_BIT_HELO |
172 ACL_BIT_DATA | ACL_BIT_MIME |
173 # ifndef DISABLE_PRDR
176 ACL_BIT_ETRN | ACL_BIT_EXPN |
178 ACL_BIT_MAIL | ACL_BIT_STARTTLS |
179 ACL_BIT_VRFY | ACL_BIT_PREDATA |
180 ACL_BIT_NOTSMTP_START),
183 [ACLC_CONDITION] = { US"condition", ACD_EXP,
185 [ACLC_CONTINUE] = { US"continue", ACD_EXP | ACD_MOD,
188 /* Certain types of control are always allowed, so we let it through
189 always and check in the control processing itself. */
190 [ACLC_CONTROL] = { US"control", ACD_EXP | ACD_MOD,
193 #ifdef EXPERIMENTAL_DCC
194 [ACLC_DCC] = { US"dcc", ACD_EXP,
195 PERMITTED(ACL_BIT_DATA |
196 # ifndef DISABLE_PRDR
202 #ifdef WITH_CONTENT_SCAN
203 [ACLC_DECODE] = { US"decode", ACD_EXP,
204 PERMITTED(ACL_BIT_MIME) },
207 [ACLC_DELAY] = { US"delay", ACD_EXP | ACD_MOD,
208 FORBIDDEN(ACL_BIT_NOTQUIT) },
210 [ACLC_DKIM_SIGNER] = { US"dkim_signers",
215 PERMITTED(ACL_BIT_DKIM) },
216 [ACLC_DKIM_STATUS] = { US"dkim_status",
221 PERMITTED(ACL_BIT_DKIM | ACL_BIT_DATA | ACL_BIT_MIME
222 # ifndef DISABLE_PRDR
229 [ACLC_DMARC_STATUS] = { US"dmarc_status",
230 # if SUPPORT_DMARC==2
234 PERMITTED(ACL_BIT_DATA) },
237 /* Explicit key lookups can be made in non-smtp ACLs so pass
238 always and check in the verify processing itself. */
239 [ACLC_DNSLISTS] = { US"dnslists", ACD_EXP,
242 [ACLC_DOMAINS] = { US"domains", 0,
243 PERMITTED(ACL_BIT_RCPT | ACL_BIT_VRFY
249 [ACLC_ENCRYPTED] = { US"encrypted", 0,
250 FORBIDDEN(ACL_BIT_NOTSMTP |
251 ACL_BIT_NOTSMTP_START | ACL_BIT_CONNECT)
254 [ACLC_ENDPASS] = { US"endpass", ACD_EXP | ACD_MOD,
257 [ACLC_HOSTS] = { US"hosts", 0,
258 FORBIDDEN(ACL_BIT_NOTSMTP |
259 ACL_BIT_NOTSMTP_START),
261 [ACLC_LOCAL_PARTS] = { US"local_parts", 0,
262 PERMITTED(ACL_BIT_RCPT | ACL_BIT_VRFY
269 [ACLC_LOG_MESSAGE] = { US"log_message", ACD_EXP | ACD_MOD,
271 [ACLC_LOG_REJECT_TARGET] = { US"log_reject_target", ACD_EXP | ACD_MOD,
273 [ACLC_LOGWRITE] = { US"logwrite", ACD_EXP | ACD_MOD,
276 #ifdef WITH_CONTENT_SCAN
277 [ACLC_MALWARE] = { US"malware", ACD_EXP,
278 PERMITTED(ACL_BIT_DATA |
279 # ifndef DISABLE_PRDR
286 [ACLC_MESSAGE] = { US"message", ACD_EXP | ACD_MOD,
288 #ifdef WITH_CONTENT_SCAN
289 [ACLC_MIME_REGEX] = { US"mime_regex", ACD_EXP,
290 PERMITTED(ACL_BIT_MIME) },
293 [ACLC_QUEUE] = { US"queue", ACD_EXP | ACD_MOD,
294 FORBIDDEN(ACL_BIT_NOTSMTP |
301 [ACLC_RATELIMIT] = { US"ratelimit", ACD_EXP,
303 [ACLC_RECIPIENTS] = { US"recipients", 0,
304 PERMITTED(ACL_BIT_RCPT) },
306 #ifdef WITH_CONTENT_SCAN
307 [ACLC_REGEX] = { US"regex", ACD_EXP,
308 PERMITTED(ACL_BIT_DATA |
309 # ifndef DISABLE_PRDR
317 [ACLC_REMOVE_HEADER] = { US"remove_header", ACD_EXP | ACD_MOD,
318 PERMITTED(ACL_BIT_MAIL|ACL_BIT_RCPT |
319 ACL_BIT_PREDATA | ACL_BIT_DATA |
323 ACL_BIT_MIME | ACL_BIT_NOTSMTP |
324 ACL_BIT_NOTSMTP_START),
326 [ACLC_SEEN] = { US"seen", ACD_EXP,
328 [ACLC_SENDER_DOMAINS] = { US"sender_domains", 0,
329 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
331 ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
332 ACL_BIT_ETRN | ACL_BIT_EXPN |
333 ACL_BIT_STARTTLS | ACL_BIT_VRFY),
335 [ACLC_SENDERS] = { US"senders", 0,
336 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
338 ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
339 ACL_BIT_ETRN | ACL_BIT_EXPN |
340 ACL_BIT_STARTTLS | ACL_BIT_VRFY),
343 [ACLC_SET] = { US"set", ACD_EXP | ACD_MOD,
346 #ifdef WITH_CONTENT_SCAN
347 [ACLC_SPAM] = { US"spam", ACD_EXP,
348 PERMITTED(ACL_BIT_DATA |
349 # ifndef DISABLE_PRDR
356 [ACLC_SPF] = { US"spf",
361 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
362 ACL_BIT_HELO | ACL_BIT_MAILAUTH |
363 ACL_BIT_ETRN | ACL_BIT_EXPN |
364 ACL_BIT_STARTTLS | ACL_BIT_VRFY |
365 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START),
367 [ACLC_SPF_GUESS] = { US"spf_guess",
372 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
373 ACL_BIT_HELO | ACL_BIT_MAILAUTH |
374 ACL_BIT_ETRN | ACL_BIT_EXPN |
375 ACL_BIT_STARTTLS | ACL_BIT_VRFY |
376 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START),
379 [ACLC_UDPSEND] = { US"udpsend", ACD_EXP | ACD_MOD,
382 /* Certain types of verify are always allowed, so we let it through
383 always and check in the verify function itself */
384 [ACLC_VERIFY] = { US"verify", ACD_EXP,
390 # include "macro_predef.h"
394 for (condition_def * c = conditions; c < conditions + nelem(conditions); c++)
396 uschar buf[64], * p, * s;
397 int n = sprintf(CS buf, "_ACL_%s_", c->flags & ACD_MOD ? "MOD" : "COND");
398 for (p = buf + n, s = c->name; *s; s++) *p++ = toupper(*s);
400 builtin_macro_create(buf);
405 /******************************************************************************/
409 /* These tables support loading of dynamic modules triggered by an ACL
410 condition use, spotted during readconf. See acl_read(). */
412 # ifdef LOOKUP_MODULE_DIR
413 typedef struct condition_module {
414 const uschar * mod_name; /* module for the givien conditions */
415 misc_module_info * info; /* NULL when not loaded */
416 const int * conditions; /* array of ACLC_*, -1 terminated */
420 static int spf_condx[] = { ACLC_SPF, ACLC_SPF_GUESS, -1 };
423 static int dkim_condx[] = { ACLC_DKIM_SIGNER, ACLC_DKIM_STATUS, -1 };
425 # if SUPPORT_DMARC==2
426 static int dmarc_condx[] = { ACLC_DMARC_STATUS, -1 };
429 /* These are modules which can be loaded on seeing an ACL condition
430 during readconf, The "arc" module is handled by custom coding. */
432 static condition_module condition_modules[] = {
434 {.mod_name = US"spf", .conditions = spf_condx},
437 {.mod_name = US"dkim", .conditions = dkim_condx},
439 # if SUPPORT_DMARC==2
440 {.mod_name = US"dmarc", .conditions = dmarc_condx},
444 # endif /*LOOKUP_MODULE_DIR*/
446 /****************************/
448 /* Return values from decode_control() */
451 CONTROL_AUTH_UNADVERTISED,
452 #ifdef EXPERIMENTAL_BRIGHTMAIL
455 CONTROL_CASEFUL_LOCAL_PART,
456 CONTROL_CASELOWER_LOCAL_PART,
457 CONTROL_CUTTHROUGH_DELIVERY,
463 CONTROL_DMARC_VERIFY,
464 CONTROL_DMARC_FORENSIC,
467 CONTROL_ENFORCE_SYNC,
468 CONTROL_ERROR, /* pseudo-value for decode errors */
473 CONTROL_NO_CALLOUT_FLUSH,
474 CONTROL_NO_DELAY_FLUSH,
475 CONTROL_NO_ENFORCE_SYNC,
476 #ifdef WITH_CONTENT_SCAN
477 CONTROL_NO_MBOX_UNSPOOL,
479 CONTROL_NO_MULTILINE,
480 CONTROL_NO_PIPELINING,
484 CONTROL_SUPPRESS_LOCAL_FIXUPS,
486 CONTROL_UTF8_DOWNCONVERT,
488 #ifndef DISABLE_WELLKNOWN
495 /* Structure listing various control arguments, with their characteristics.
496 For each control, there's a bitmap of dis-allowed times. For some, it is easier
497 to specify the negation of a small number of allowed times. */
499 typedef struct control_def {
501 BOOL has_option; /* Has /option(s) following */
502 unsigned forbids; /* bitmap of dis-allowed times */
505 static control_def controls_list[] = {
506 /* name has_option forbids */
507 [CONTROL_AUTH_UNADVERTISED] =
508 { US"allow_auth_unadvertised", FALSE,
510 ~(ACL_BIT_CONNECT | ACL_BIT_HELO)
512 #ifdef EXPERIMENTAL_BRIGHTMAIL
514 { US"bmi_run", FALSE, 0 },
516 [CONTROL_CASEFUL_LOCAL_PART] =
517 { US"caseful_local_part", FALSE, (unsigned) ~ACL_BIT_RCPT },
518 [CONTROL_CASELOWER_LOCAL_PART] =
519 { US"caselower_local_part", FALSE, (unsigned) ~ACL_BIT_RCPT },
520 [CONTROL_CUTTHROUGH_DELIVERY] =
521 { US"cutthrough_delivery", TRUE, 0 },
523 { US"debug", TRUE, 0 },
526 [CONTROL_DKIM_VERIFY] =
527 { US"dkim_disable_verify", FALSE,
528 ACL_BIT_DATA | ACL_BIT_NOTSMTP |
529 # ifndef DISABLE_PRDR
532 ACL_BIT_NOTSMTP_START
537 [CONTROL_DMARC_VERIFY] =
538 { US"dmarc_disable_verify", FALSE,
539 ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
541 [CONTROL_DMARC_FORENSIC] =
542 { US"dmarc_enable_forensic", FALSE,
543 ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
549 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START | ACL_BIT_NOTQUIT
551 [CONTROL_ENFORCE_SYNC] =
552 { US"enforce_sync", FALSE,
553 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
556 /* Pseudo-value for decode errors */
558 { US"error", FALSE, 0 },
560 [CONTROL_FAKEDEFER] =
561 { US"fakedefer", TRUE,
563 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
564 ACL_BIT_PREDATA | ACL_BIT_DATA |
570 [CONTROL_FAKEREJECT] =
571 { US"fakereject", TRUE,
573 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
574 ACL_BIT_PREDATA | ACL_BIT_DATA |
583 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
584 ACL_BIT_PREDATA | ACL_BIT_DATA |
585 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
586 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
589 [CONTROL_NO_CALLOUT_FLUSH] =
590 { US"no_callout_flush", FALSE,
591 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
593 [CONTROL_NO_DELAY_FLUSH] =
594 { US"no_delay_flush", FALSE,
595 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
598 [CONTROL_NO_ENFORCE_SYNC] =
599 { US"no_enforce_sync", FALSE,
600 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
602 #ifdef WITH_CONTENT_SCAN
603 [CONTROL_NO_MBOX_UNSPOOL] =
604 { US"no_mbox_unspool", FALSE,
606 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
607 ACL_BIT_PREDATA | ACL_BIT_DATA |
608 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
612 [CONTROL_NO_MULTILINE] =
613 { US"no_multiline_responses", FALSE,
614 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
616 [CONTROL_NO_PIPELINING] =
617 { US"no_pipelining", FALSE,
618 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
624 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
625 ACL_BIT_PREDATA | ACL_BIT_DATA |
626 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
627 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
630 [CONTROL_SUBMISSION] =
631 { US"submission", TRUE,
633 ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA)
635 [CONTROL_SUPPRESS_LOCAL_FIXUPS] =
636 { US"suppress_local_fixups", FALSE,
638 ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA |
639 ACL_BIT_NOTSMTP_START)
642 [CONTROL_UTF8_DOWNCONVERT] =
643 { US"utf8_downconvert", TRUE, (unsigned) ~(ACL_BIT_RCPT | ACL_BIT_VRFY)
646 #ifndef DISABLE_WELLKNOWN
647 [CONTROL_WELLKNOWN] =
648 { US"wellknown", TRUE, (unsigned) ~ACL_BIT_WELLKNOWN
653 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
654 caches its result in a tree to avoid repeated DNS queries. The result is an
655 integer code which is used as an index into the following tables of
656 explanatory strings and verification return codes. */
658 static tree_node *csa_cache = NULL;
660 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
661 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
663 /* The acl_verify_csa() return code is translated into an acl_verify() return
664 code using the following table. It is OK unless the client is definitely not
665 authorized. This is because CSA is supposed to be optional for sending sites,
666 so recipients should not be too strict about checking it - especially because
667 DNS problems are quite likely to occur. It's possible to use $csa_status in
668 further ACL conditions to distinguish ok, unknown, and defer if required, but
669 the aim is to make the usual configuration simple. */
671 static int csa_return_code[] = {
674 [CSA_DEFER_SRV] = OK,
675 [CSA_DEFER_ADDR] = OK,
676 [CSA_FAIL_EXPLICIT] = FAIL,
677 [CSA_FAIL_DOMAIN] = FAIL,
678 [CSA_FAIL_NOADDR] = FAIL,
679 [CSA_FAIL_MISMATCH] = FAIL
682 static uschar *csa_status_string[] = {
683 [CSA_UNKNOWN] = US"unknown",
685 [CSA_DEFER_SRV] = US"defer",
686 [CSA_DEFER_ADDR] = US"defer",
687 [CSA_FAIL_EXPLICIT] = US"fail",
688 [CSA_FAIL_DOMAIN] = US"fail",
689 [CSA_FAIL_NOADDR] = US"fail",
690 [CSA_FAIL_MISMATCH] = US"fail"
693 static uschar *csa_reason_string[] = {
694 [CSA_UNKNOWN] = US"unknown",
696 [CSA_DEFER_SRV] = US"deferred (SRV lookup failed)",
697 [CSA_DEFER_ADDR] = US"deferred (target address lookup failed)",
698 [CSA_FAIL_EXPLICIT] = US"failed (explicit authorization required)",
699 [CSA_FAIL_DOMAIN] = US"failed (host name not authorized)",
700 [CSA_FAIL_NOADDR] = US"failed (no authorized addresses)",
701 [CSA_FAIL_MISMATCH] = US"failed (client address mismatch)"
704 /* Options for the ratelimit condition. Note that there are two variants of
705 the per_rcpt option, depending on the ACL that is used to measure the rate.
706 However any ACL must be able to look up per_rcpt rates in /noupdate mode,
707 so the two variants must have the same internal representation as well as
708 the same configuration string. */
711 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
712 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
715 #define RATE_SET(var,new) \
716 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
718 static uschar *ratelimit_option_string[] = {
719 [RATE_PER_WHAT] = US"?",
720 [RATE_PER_CLASH] = US"!",
721 [RATE_PER_ADDR] = US"per_addr",
722 [RATE_PER_BYTE] = US"per_byte",
723 [RATE_PER_CMD] = US"per_cmd",
724 [RATE_PER_CONN] = US"per_conn",
725 [RATE_PER_MAIL] = US"per_mail",
726 [RATE_PER_RCPT] = US"per_rcpt",
727 [RATE_PER_ALLRCPTS] = US"per_rcpt"
730 /* Enable recursion between acl_check_internal() and acl_check_condition() */
732 static int acl_check_wargs(int, address_item *, const uschar *, uschar **,
735 static acl_block * acl_current = NULL;
738 /*************************************************
739 * Find control in list *
740 *************************************************/
742 /* The lists are always in order, so binary chop can be used.
745 name the control name to search for
746 ol the first entry in the control list
747 last one more than the offset of the last entry in the control list
749 Returns: index of a control entry, or -1 if not found
753 find_control(const uschar * name, control_def * ol, int last)
755 for (int first = 0; last > first; )
757 int middle = (first + last)/2;
758 uschar * s = ol[middle].name;
759 int c = Ustrncmp(name, s, Ustrlen(s));
760 if (c == 0) return middle;
761 else if (c > 0) first = middle + 1;
769 /*************************************************
770 * Pick out condition from list *
771 *************************************************/
773 /* Use a binary chop method
777 list list of conditions
780 Returns: offset in list, or -1 if not found
784 acl_checkcondition(uschar * name, condition_def * list, int end)
786 for (int start = 0; start < end; )
788 int mid = (start + end)/2;
789 int c = Ustrcmp(name, list[mid].name);
790 if (c == 0) return mid;
791 if (c < 0) end = mid;
792 else start = mid + 1;
798 /*************************************************
799 * Pick out name from list *
800 *************************************************/
802 /* Use a binary chop method
809 Returns: offset in list, or -1 if not found
813 acl_checkname(uschar *name, uschar **list, int end)
815 for (int start = 0; start < end; )
817 int mid = (start + end)/2;
818 int c = Ustrcmp(name, list[mid]);
819 if (c == 0) return mid;
820 if (c < 0) end = mid; else start = mid + 1;
828 acl_varname_to_cond(const uschar ** sp, acl_condition_block * cond, uschar ** error)
830 const uschar * s = *sp, * endptr;
833 if ( Ustrncmp(s, "dkim_verify_status", 18) == 0
834 || Ustrncmp(s, "dkim_verify_reason", 18) == 0)
837 if (isalnum(*endptr))
839 *error = string_sprintf("invalid variable name after \"set\" in ACL "
840 "modifier \"set %s\" "
841 "(only \"dkim_verify_status\" or \"dkim_verify_reason\" permitted)",
845 cond->u.varname = string_copyn(s, 18);
850 if (Ustrncmp(s, "acl_c", 5) != 0 && Ustrncmp(s, "acl_m", 5) != 0)
852 *error = string_sprintf("invalid variable name after \"set\" in ACL "
853 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
858 if (!isdigit(*endptr) && *endptr != '_')
860 *error = string_sprintf("invalid variable name after \"set\" in ACL "
861 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
866 for ( ; *endptr && *endptr != '=' && !isspace(*endptr); endptr++)
867 if (!isalnum(*endptr) && *endptr != '_')
869 *error = string_sprintf("invalid character \"%c\" in variable name "
870 "in ACL modifier \"set %s\"", *endptr, s);
874 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
877 Uskip_whitespace(&s);
884 acl_data_to_cond(const uschar * s, acl_condition_block * cond,
885 const uschar * name, BOOL taint, uschar ** error)
889 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
890 conditions[cond->type].flags & ACD_MOD ? US"modifier" : US"condition");
893 Uskip_whitespace(&s);
894 cond->arg = taint ? string_copy_taint(s, GET_TAINTED) : string_copy(s);
899 /*************************************************
900 * Read and parse one ACL *
901 *************************************************/
903 /* This function is called both from readconf in order to parse the ACLs in the
904 configuration file, and also when an ACL is encountered dynamically (e.g. as
905 the result of an expansion). It is given a function to call in order to
906 retrieve the lines of the ACL. This function handles skipping comments and
907 blank lines (where relevant).
910 func function to get next line of ACL
911 error where to put an error message
913 Returns: pointer to ACL, or NULL
914 NULL can be legal (empty ACL); in this case error will be NULL
918 acl_read(uschar *(*func)(void), uschar **error)
920 acl_block *yield = NULL;
921 acl_block **lastp = &yield;
922 acl_block *this = NULL;
923 acl_condition_block *cond;
924 acl_condition_block **condp = NULL;
929 while ((s = (*func)()))
932 BOOL negated = FALSE;
933 const uschar * saveline = s;
934 uschar name[EXIM_DRIVERNAME_MAX];
936 /* Conditions (but not verbs) are allowed to be negated by an initial
939 if (Uskip_whitespace(&s) == '!')
945 /* Read the name of a verb or a condition, or the start of a new ACL, which
946 can be started by a name, or by a macro definition. */
948 s = readconf_readname(name, sizeof(name), s);
949 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
951 /* If a verb is unrecognized, it may be another condition or modifier that
952 continues the previous verb. */
954 if ((v = acl_checkname(name, verbs, nelem(verbs))) < 0)
956 if (!this) /* not handling a verb right now */
958 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
970 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
973 *lastp = this = store_get(sizeof(acl_block), GET_UNTAINTED);
976 this->condition = NULL;
978 this->srcline = config_lineno; /* for debug output */
979 this->srcfile = config_filename; /**/
980 condp = &this->condition;
981 if (!*s) continue; /* No condition on this line */
987 s = readconf_readname(name, sizeof(name), s); /* Condition name */
990 /* Handle a condition or modifier. */
992 if ((c = acl_checkcondition(name, conditions, nelem(conditions))) < 0)
994 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
999 /* The modifiers may not be negated */
1001 if (negated && conditions[c].flags & ACD_MOD)
1003 *error = string_sprintf("ACL error: negation is not allowed with "
1004 "\"%s\"", conditions[c].name);
1008 /* ENDPASS may occur only with ACCEPT or DISCARD. */
1010 if (c == ACLC_ENDPASS &&
1011 this->verb != ACL_ACCEPT &&
1012 this->verb != ACL_DISCARD)
1014 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
1015 conditions[c].name, verbs[this->verb]);
1019 #ifdef LOOKUP_MODULE_DIR
1020 if (conditions[c].flags & ACD_LOAD)
1021 { /* a loadable module supports this condition */
1022 condition_module * cm;
1025 /* Over the list of modules we support, check the list of ACL conditions
1026 each supports. This assumes no duplicates. */
1028 for (cm = condition_modules;
1029 cm < condition_modules + nelem(condition_modules); cm++)
1030 for (const int * cond = cm->conditions; *cond != -1; cond++)
1031 if (*cond == c) goto found;
1034 if (cm >= condition_modules + nelem(condition_modules))
1035 { /* shouldn't happen */
1036 *error = string_sprintf("ACL error: failed to locate support for '%s'",
1037 conditions[c].name);
1040 if ( !cm->info /* module not loaded */
1041 && !(cm->info = misc_mod_find(cm->mod_name, &s)))
1043 *error = string_sprintf("ACL error: failed to find module for '%s': %s",
1044 conditions[c].name, s);
1048 # ifdef EXPERIMENTAL_ARC
1049 else if (c == ACLC_VERIFY) /* Special handling for verify=arc; */
1050 { /* not invented a more general method yet- flag in verify_type_list? */
1051 const uschar * t = s;
1053 if ( *t++ == '=' && Uskip_whitespace(&t) && Ustrncmp(t, "arc", 3) == 0
1054 && !misc_mod_find(US"arc", &e))
1056 *error = string_sprintf("ACL error: failed to find module for '%s': %s",
1057 conditions[c].name, e);
1062 #endif /*LOOKUP_MODULE_DIR*/
1064 cond = store_get(sizeof(acl_condition_block), GET_UNTAINTED);
1067 cond->u.negated = negated;
1070 condp = &cond->next;
1072 /* The "set" modifier is different in that its argument is "name=value"
1073 rather than just a value, and we can check the validity of the name, which
1074 gives us a variable name to insert into the data block. The original ACL
1075 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
1076 extended to 20 of each type, but after that people successfully argued for
1077 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
1078 After that, we allow alphanumerics and underscores, but the first character
1079 after c or m must be a digit or an underscore. This retains backwards
1083 if (!acl_varname_to_cond(&s, cond, error)) return NULL;
1085 /* For "set", we are now positioned for the data. For the others, only
1086 "endpass" has no data */
1088 if (c != ACLC_ENDPASS)
1089 if (!acl_data_to_cond(s, cond, name, FALSE, error)) return NULL;
1097 /*************************************************
1098 * Set up added header line(s) *
1099 *************************************************/
1101 /* This function is called by the add_header modifier, and also from acl_warn()
1102 to implement the now-deprecated way of adding header lines using "message" on a
1103 "warn" verb. The argument is treated as a sequence of header lines which are
1104 added to a chain, provided there isn't an identical one already there.
1106 Argument: string of header lines
1111 setup_header(const uschar *hstring)
1113 const uschar *p, *q;
1114 int hlen = Ustrlen(hstring);
1116 /* Ignore any leading newlines */
1117 while (*hstring == '\n') hstring++, hlen--;
1119 /* An empty string does nothing; ensure exactly one final newline. */
1120 if (hlen <= 0) return;
1121 if (hstring[--hlen] != '\n') /* no newline */
1122 q = string_sprintf("%s\n", hstring);
1123 else if (hstring[hlen-1] == '\n') /* double newline */
1125 uschar * s = string_copy(hstring);
1126 while(s[--hlen] == '\n')
1133 /* Loop for multiple header lines, taking care about continuations */
1135 for (p = q; *p; p = q)
1139 int newtype = htype_add_bot;
1140 header_line **hptr = &acl_added_headers;
1142 /* Find next header line within the string */
1146 q = Ustrchr(q, '\n'); /* we know there was a newline */
1147 if (*++q != ' ' && *q != '\t') break;
1150 /* If the line starts with a colon, interpret the instruction for where to
1151 add it. This temporarily sets up a new type. */
1155 if (strncmpic(p, US":after_received:", 16) == 0)
1157 newtype = htype_add_rec;
1160 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1162 newtype = htype_add_rfc;
1165 else if (strncmpic(p, US":at_start:", 10) == 0)
1167 newtype = htype_add_top;
1170 else if (strncmpic(p, US":at_end:", 8) == 0)
1172 newtype = htype_add_bot;
1175 while (*p == ' ' || *p == '\t') p++;
1178 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1179 to the front of it. */
1181 for (s = p; s < q - 1; s++)
1182 if (*s == ':' || !isgraph(*s)) break;
1184 hdr = string_sprintf("%s%.*s", *s == ':' ? "" : "X-ACL-Warn: ", (int) (q - p), p);
1185 hlen = Ustrlen(hdr);
1187 /* See if this line has already been added */
1191 if (Ustrncmp((*hptr)->text, hdr, hlen) == 0) break;
1192 hptr = &(*hptr)->next;
1195 /* Add if not previously present */
1199 /* The header_line struct itself is not tainted, though it points to
1200 possibly tainted data. */
1201 header_line * h = store_get(sizeof(header_line), GET_UNTAINTED);
1214 /*************************************************
1215 * List the added header lines *
1216 *************************************************/
1222 for (header_line * h = acl_added_headers; h; h = h->next)
1225 if (h->text[i-1] == '\n') i--;
1226 g = string_append_listele_n(g, '\n', h->text, i);
1229 return string_from_gstring(g);
1233 /*************************************************
1234 * Set up removed header line(s) *
1235 *************************************************/
1237 /* This function is called by the remove_header modifier. The argument is
1238 treated as a sequence of header names which are added to a colon separated
1239 list, provided there isn't an identical one already there.
1241 Argument: string of header names
1246 setup_remove_header(const uschar *hnames)
1249 acl_removed_headers = acl_removed_headers
1250 ? string_sprintf("%s : %s", acl_removed_headers, hnames)
1251 : string_copy(hnames);
1256 /*************************************************
1258 *************************************************/
1260 /* This function is called when a WARN verb's conditions are true. It adds to
1261 the message's headers, and/or writes information to the log. In each case, this
1262 only happens once (per message for headers, per connection for log).
1264 ** NOTE: The header adding action using the "message" setting is historic, and
1265 its use is now deprecated. The new add_header modifier should be used instead.
1268 where ACL_WHERE_xxxx indicating which ACL this is
1269 user_message message for adding to headers
1270 log_message message for logging, if different
1276 acl_warn(int where, uschar * user_message, uschar * log_message)
1278 if (log_message && log_message != user_message)
1281 string_item *logged;
1283 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1284 string_printing(log_message));
1286 /* If a sender verification has failed, and the log message is "sender verify
1287 failed", add the failure message. */
1289 if ( sender_verified_failed
1290 && sender_verified_failed->message
1291 && strcmpic(log_message, US"sender verify failed") == 0)
1292 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1294 /* Search previously logged warnings. They are kept in malloc
1295 store so they can be freed at the start of a new message. */
1297 for (logged = acl_warn_logged; logged; logged = logged->next)
1298 if (Ustrcmp(logged->text, text) == 0) break;
1302 int length = Ustrlen(text) + 1;
1303 log_write(0, LOG_MAIN, "%s", text);
1304 logged = store_malloc(sizeof(string_item) + length);
1305 logged->text = US logged + sizeof(string_item);
1306 memcpy(logged->text, text, length);
1307 logged->next = acl_warn_logged;
1308 acl_warn_logged = logged;
1312 /* If there's no user message, we are done. */
1314 if (!user_message) return;
1316 /* If this isn't a message ACL, we can't do anything with a user message.
1319 if (where > ACL_WHERE_NOTSMTP)
1321 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1322 "found in a non-message (%s) ACL: cannot specify header lines here: "
1323 "message ignored", acl_wherenames[where]);
1327 /* The code for setting up header lines is now abstracted into a separate
1328 function so that it can be used for the add_header modifier as well. */
1330 setup_header(user_message);
1335 /*************************************************
1336 * Verify and check reverse DNS *
1337 *************************************************/
1339 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1340 address if this has not yet been done. The host_name_lookup() function checks
1341 that one of these names resolves to an address list that contains the client IP
1342 address, so we don't actually have to do the check here.
1345 user_msgptr pointer for user message
1346 log_msgptr pointer for log message
1348 Returns: OK verification condition succeeded
1349 FAIL verification failed
1350 DEFER there was a problem verifying
1354 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1358 /* Previous success */
1360 if (sender_host_name) return OK;
1362 /* Previous failure */
1364 if (host_lookup_failed)
1366 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1370 /* Need to do a lookup */
1373 debug_printf_indent("looking up host name to force name/address consistency check\n");
1375 if ((rc = host_name_lookup()) != OK)
1377 *log_msgptr = rc == DEFER
1378 ? US"host lookup deferred for reverse lookup check"
1379 : string_sprintf("host lookup failed for reverse lookup check%s",
1381 return rc; /* DEFER or FAIL */
1384 host_build_sender_fullhost();
1390 /*************************************************
1391 * Check client IP address matches CSA target *
1392 *************************************************/
1394 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1395 response for address records belonging to the CSA target hostname. The section
1396 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1397 If one of the addresses matches the client's IP address, then the client is
1398 authorized by CSA. If there are target IP addresses but none of them match
1399 then the client is using an unauthorized IP address. If there are no target IP
1400 addresses then the client cannot be using an authorized IP address. (This is
1401 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1404 dnsa the DNS answer block
1405 dnss a DNS scan block for us to use
1406 reset option specifying what portion to scan, as described above
1407 target the target hostname to use for matching RR names
1409 Returns: CSA_OK successfully authorized
1410 CSA_FAIL_MISMATCH addresses found but none matched
1411 CSA_FAIL_NOADDR no target addresses found
1415 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1418 int rc = CSA_FAIL_NOADDR;
1420 for (dns_record * rr = dns_next_rr(dnsa, dnss, reset);
1422 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1424 /* Check this is an address RR for the target hostname. */
1428 && rr->type != T_AAAA
1432 if (strcmpic(target, rr->name) != 0) continue;
1434 rc = CSA_FAIL_MISMATCH;
1436 /* Turn the target address RR into a list of textual IP addresses and scan
1437 the list. There may be more than one if it is an A6 RR. */
1439 for (dns_address * da = dns_address_from_rr(dnsa, rr); da; da = da->next)
1441 /* If the client IP address matches the target IP address, it's good! */
1443 DEBUG(D_acl) debug_printf_indent("CSA target address is %s\n", da->address);
1445 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1449 /* If we found some target addresses but none of them matched, the client is
1450 using an unauthorized IP address, otherwise the target has no authorized IP
1458 /*************************************************
1459 * Verify Client SMTP Authorization *
1460 *************************************************/
1462 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1463 to find the CSA SRV record corresponding to the domain argument, or
1464 $sender_helo_name if no argument is provided. It then checks that the
1465 client is authorized, and that its IP address corresponds to the SRV
1466 target's address by calling acl_verify_csa_address() above. The address
1467 should have been returned in the DNS response's ADDITIONAL section, but if
1468 not we perform another DNS lookup to get it.
1471 domain pointer to optional parameter following verify = csa
1473 Returns: CSA_UNKNOWN no valid CSA record found
1474 CSA_OK successfully authorized
1475 CSA_FAIL_* client is definitely not authorized
1476 CSA_DEFER_* there was a DNS problem
1480 acl_verify_csa(const uschar *domain)
1483 const uschar *found;
1484 int priority, weight, port;
1488 int rc, type, yield;
1489 #define TARGET_SIZE 256
1490 uschar * target = store_get(TARGET_SIZE, GET_TAINTED);
1492 /* Work out the domain we are using for the CSA lookup. The default is the
1493 client's HELO domain. If the client has not said HELO, use its IP address
1494 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1496 while (isspace(*domain) && *domain) ++domain;
1497 if (*domain == '\0') domain = sender_helo_name;
1498 if (!domain) domain = sender_host_address;
1499 if (!sender_host_address) return CSA_UNKNOWN;
1501 /* If we have an address literal, strip off the framing ready for turning it
1502 into a domain. The framing consists of matched square brackets possibly
1503 containing a keyword and a colon before the actual IP address. */
1505 if (domain[0] == '[')
1507 const uschar *start = Ustrchr(domain, ':');
1508 if (start == NULL) start = domain;
1509 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1512 /* Turn domains that look like bare IP addresses into domains in the reverse
1513 DNS. This code also deals with address literals and $sender_host_address. It's
1514 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1515 address literals, but it's probably the most friendly thing to do. This is an
1516 extension to CSA, so we allow it to be turned off for proper conformance. */
1518 if (string_is_ip_address(domain, NULL) != 0)
1520 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1521 domain = dns_build_reverse(domain);
1524 /* Find out if we've already done the CSA check for this domain. If we have,
1525 return the same result again. Otherwise build a new cached result structure
1526 for this domain. The name is filled in now, and the value is filled in when
1527 we return from this function. */
1529 if ((t = tree_search(csa_cache, domain)))
1532 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain), domain);
1533 Ustrcpy(t->name, domain);
1534 (void)tree_insertnode(&csa_cache, t);
1536 /* Now we are ready to do the actual DNS lookup(s). */
1539 dnsa = store_get_dns_answer();
1540 switch (dns_special_lookup(dnsa, domain, T_CSA, &found))
1542 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1545 yield = CSA_DEFER_SRV;
1548 /* If we found nothing, the client's authorization is unknown. */
1552 yield = CSA_UNKNOWN;
1555 /* We got something! Go on to look at the reply in more detail. */
1561 /* Scan the reply for well-formed CSA SRV records. */
1563 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1565 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_SRV)
1567 const uschar * p = rr->data;
1569 /* Extract the numerical SRV fields (p is incremented) */
1571 if (rr_bad_size(rr, 3 * sizeof(uint16_t))) continue;
1572 GETSHORT(priority, p);
1573 GETSHORT(weight, p);
1577 debug_printf_indent("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1579 /* Check the CSA version number */
1581 if (priority != 1) continue;
1583 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1584 found by dns_special_lookup() is a parent of the one we asked for), we check
1585 the subdomain assertions in the port field. At the moment there's only one
1586 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1587 SRV records of their own. */
1589 if (Ustrcmp(found, domain) != 0)
1591 yield = port & 1 ? CSA_FAIL_EXPLICIT : CSA_UNKNOWN;
1595 /* This CSA SRV record refers directly to our domain, so we check the value
1596 in the weight field to work out the domain's authorization. 0 and 1 are
1597 unauthorized; 3 means the client is authorized but we can't check the IP
1598 address in order to authenticate it, so we treat it as unknown; values
1599 greater than 3 are undefined. */
1603 yield = CSA_FAIL_DOMAIN;
1607 if (weight > 2) continue;
1609 /* Weight == 2, which means the domain is authorized. We must check that the
1610 client's IP address is listed as one of the SRV target addresses. Save the
1611 target hostname then break to scan the additional data for its addresses. */
1613 (void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
1614 (DN_EXPAND_ARG4_TYPE)target, TARGET_SIZE);
1616 DEBUG(D_acl) debug_printf_indent("CSA target is %s\n", target);
1621 /* If we didn't break the loop then no appropriate records were found. */
1625 yield = CSA_UNKNOWN;
1629 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1630 A target of "." indicates there are no valid addresses, so the client cannot
1631 be authorized. (This is an odd configuration because weight=2 target=. is
1632 equivalent to weight=1, but we check for it in order to keep load off the
1633 root name servers.) Note that dn_expand() turns "." into "". */
1635 if (Ustrcmp(target, "") == 0)
1637 yield = CSA_FAIL_NOADDR;
1641 /* Scan the additional section of the CSA SRV reply for addresses belonging
1642 to the target. If the name server didn't return any additional data (e.g.
1643 because it does not fully support SRV records), we need to do another lookup
1644 to obtain the target addresses; otherwise we have a definitive result. */
1646 rc = acl_verify_csa_address(dnsa, &dnss, RESET_ADDITIONAL, target);
1647 if (rc != CSA_FAIL_NOADDR)
1653 /* The DNS lookup type corresponds to the IP version used by the client. */
1656 if (Ustrchr(sender_host_address, ':') != NULL)
1659 #endif /* HAVE_IPV6 */
1663 lookup_dnssec_authenticated = NULL;
1664 switch (dns_lookup(dnsa, target, type, NULL))
1666 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1669 yield = CSA_DEFER_ADDR;
1672 /* If the query succeeded, scan the addresses and return the result. */
1675 rc = acl_verify_csa_address(dnsa, &dnss, RESET_ANSWERS, target);
1676 if (rc != CSA_FAIL_NOADDR)
1681 /* else fall through */
1683 /* If the target has no IP addresses, the client cannot have an authorized
1684 IP address. However, if the target site uses A6 records (not AAAA records)
1685 we have to do yet another lookup in order to check them. */
1689 yield = CSA_FAIL_NOADDR;
1695 store_free_dns_answer(dnsa);
1696 return t->data.val = yield;
1701 /*************************************************
1702 * Handle verification (address & other) *
1703 *************************************************/
1705 enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1706 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT,
1707 VERIFY_HDR_NAMES_ASCII, VERIFY_ARC
1712 unsigned where_allowed; /* bitmap */
1713 BOOL no_options; /* Never has /option(s) following */
1714 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1716 static verify_type_t verify_type_list[] = {
1717 /* name value where no-opt opt-sep */
1718 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, (unsigned)~0, FALSE, 0 },
1719 { US"certificate", VERIFY_CERT, (unsigned)~0, TRUE, 0 },
1720 { US"helo", VERIFY_HELO, (unsigned)~0, TRUE, 0 },
1721 { US"csa", VERIFY_CSA, (unsigned)~0, FALSE, 0 },
1722 { US"header_syntax", VERIFY_HDR_SYNTAX, ACL_BITS_HAVEDATA, TRUE, 0 },
1723 { US"not_blind", VERIFY_NOT_BLIND, ACL_BITS_HAVEDATA, FALSE, 0 },
1724 { US"header_sender", VERIFY_HDR_SNDR, ACL_BITS_HAVEDATA, FALSE, 0 },
1725 { US"sender", VERIFY_SNDR, ACL_BIT_MAIL | ACL_BIT_RCPT
1726 | ACL_BIT_PREDATA | ACL_BIT_DATA | ACL_BIT_NOTSMTP,
1728 { US"recipient", VERIFY_RCPT, ACL_BIT_RCPT, FALSE, 0 },
1729 { US"header_names_ascii", VERIFY_HDR_NAMES_ASCII, ACL_BITS_HAVEDATA, TRUE, 0 },
1730 #ifdef EXPERIMENTAL_ARC
1731 { US"arc", VERIFY_ARC, ACL_BIT_DATA, FALSE , 0 },
1736 enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1737 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1738 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1739 CALLOUT_HOLD, CALLOUT_TIME /* TIME must be last */
1745 BOOL has_option; /* Has =option(s) following */
1746 BOOL timeval; /* Has a time value */
1748 static callout_opt_t callout_opt_list[] = {
1749 /* name value flag has-opt has-time */
1750 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1751 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1752 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1753 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1754 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1755 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1756 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1757 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1758 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1759 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1760 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1761 { US"hold", CALLOUT_HOLD, vopt_callout_hold, FALSE, FALSE },
1762 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1768 v_period(const uschar * s, const uschar * arg, uschar ** log_msgptr)
1771 if ((period = readconf_readtime(s, 0, FALSE)) < 0)
1773 *log_msgptr = string_sprintf("bad time value in ACL condition "
1774 "\"verify %s\"", arg);
1782 sender_helo_verified_internal(void)
1784 /* We can test the result of optional HELO verification that might have
1785 occurred earlier. If not, we can attempt the verification now. */
1787 if (!f.helo_verified && !f.helo_verify_failed) smtp_verify_helo();
1788 return f.helo_verified;
1792 sender_helo_verified_cond(void)
1794 return sender_helo_verified_internal() ? OK : FAIL;
1798 sender_helo_verified_boolstr(void)
1800 return sender_helo_verified_internal() ? US"yes" : US"no";
1805 /* This function implements the "verify" condition. It is called when
1806 encountered in any ACL, because some tests are almost always permitted. Some
1807 just don't make sense, and always fail (for example, an attempt to test a host
1808 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1811 where where called from
1812 addr the recipient address that the ACL is handling, or NULL
1813 arg the argument of "verify"
1814 user_msgptr pointer for user message
1815 log_msgptr pointer for log message
1816 basic_errno where to put verify errno
1818 Returns: OK verification condition succeeded
1819 FAIL verification failed
1820 DEFER there was a problem verifying
1825 acl_verify(int where, address_item *addr, const uschar *arg,
1826 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1830 int callout_overall = -1;
1831 int callout_connect = -1;
1832 int verify_options = 0;
1834 BOOL verify_header_sender = FALSE;
1835 BOOL defer_ok = FALSE;
1836 BOOL callout_defer_ok = FALSE;
1837 BOOL no_details = FALSE;
1838 BOOL success_on_redirect = FALSE;
1840 int quota_pos_cache = QUOTA_POS_DEFAULT, quota_neg_cache = QUOTA_NEG_DEFAULT;
1841 address_item * sender_vaddr = NULL;
1842 const uschar * verify_sender_address = NULL;
1843 uschar * pm_mailfrom = NULL;
1844 uschar * se_mailfrom = NULL;
1846 /* Some of the verify items have slash-separated options; some do not. Diagnose
1847 an error if options are given for items that don't expect them.
1850 uschar *slash = Ustrchr(arg, '/');
1851 const uschar *list = arg;
1852 uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
1855 if (!ss) goto BAD_VERIFY;
1857 /* Handle name/address consistency verification in a separate function. */
1859 for (vp = verify_type_list;
1860 CS vp < CS verify_type_list + sizeof(verify_type_list);
1863 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1864 : strcmpic (ss, vp->name) == 0)
1866 if (CS vp >= CS verify_type_list + sizeof(verify_type_list))
1869 if (vp->no_options && slash)
1871 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1872 "(this verify item has no options)", arg);
1875 if (!(vp->where_allowed & BIT(where)))
1877 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s",
1878 vp->name, acl_wherenames[where]);
1883 case VERIFY_REV_HOST_LKUP:
1884 if (!sender_host_address) return OK;
1885 if ((rc = acl_verify_reverse(user_msgptr, log_msgptr)) == DEFER)
1886 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1887 if (strcmpic(ss, US"defer_ok") == 0)
1892 /* TLS certificate verification is done at STARTTLS time; here we just
1893 test whether it was successful or not. (This is for optional verification; for
1894 mandatory verification, the connection doesn't last this long.) */
1896 if (tls_in.certificate_verified) return OK;
1897 *user_msgptr = US"no verified certificate";
1901 return sender_helo_verified_cond();
1904 /* Do Client SMTP Authorization checks in a separate function, and turn the
1905 result code into user-friendly strings. */
1907 rc = acl_verify_csa(list);
1908 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1909 csa_reason_string[rc]);
1910 csa_status = csa_status_string[rc];
1911 DEBUG(D_acl) debug_printf_indent("CSA result %s\n", csa_status);
1912 return csa_return_code[rc];
1914 #ifdef EXPERIMENTAL_ARC
1917 const misc_module_info * mi = misc_mod_findonly(US"arc");
1918 typedef int (*fn_t)(const uschar *);
1919 if (mi) return (((fn_t *) mi->functions)[ARC_VERIFY])
1920 (CUS string_nextinlist(&list, &sep, NULL, 0));
1924 case VERIFY_HDR_SYNTAX:
1925 /* Check that all relevant header lines have the correct 5322-syntax. If there is
1926 a syntax error, we return details of the error to the sender if configured to
1927 send out full details. (But a "message" setting on the ACL can override, as
1930 rc = verify_check_headers(log_msgptr);
1931 if (rc != OK && *log_msgptr)
1932 if (smtp_return_error_details)
1933 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1935 acl_verify_message = *log_msgptr;
1938 case VERIFY_HDR_NAMES_ASCII:
1939 /* Check that all header names are true 7 bit strings
1940 See RFC 5322, 2.2. and RFC 6532, 3. */
1942 rc = verify_check_header_names_ascii(log_msgptr);
1943 if (rc != OK && smtp_return_error_details && *log_msgptr)
1944 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1947 case VERIFY_NOT_BLIND:
1948 /* Check that no recipient of this message is "blind", that is, every envelope
1949 recipient must be mentioned in either To: or Cc:. */
1951 BOOL case_sensitive = TRUE;
1953 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1954 if (strcmpic(ss, US"case_insensitive") == 0)
1955 case_sensitive = FALSE;
1958 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1959 "condition \"verify %s\"", ss, arg);
1963 if ((rc = verify_check_notblind(case_sensitive)) != OK)
1965 *log_msgptr = US"bcc recipient detected";
1966 if (smtp_return_error_details)
1967 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1972 /* The remaining verification tests check recipient and sender addresses,
1973 either from the envelope or from the header. There are a number of
1974 slash-separated options that are common to all of them. */
1976 case VERIFY_HDR_SNDR:
1977 verify_header_sender = TRUE;
1981 /* In the case of a sender, this can optionally be followed by an address to use
1982 in place of the actual sender (rare special-case requirement). */
1986 verify_sender_address = sender_address;
1989 if (Uskip_whitespace(&s) != '=')
1992 Uskip_whitespace(&s);
1993 verify_sender_address = string_copy(s);
2004 /* Remaining items are optional; they apply to sender and recipient
2005 verification, including "header sender" verification. */
2007 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
2009 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
2010 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
2011 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
2013 /* These two old options are left for backwards compatibility */
2015 else if (strcmpic(ss, US"callout_defer_ok") == 0)
2017 callout_defer_ok = TRUE;
2018 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
2021 else if (strcmpic(ss, US"check_postmaster") == 0)
2024 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
2027 /* The callout option has a number of sub-options, comma separated */
2029 else if (strncmpic(ss, US"callout", 7) == 0)
2031 callout = CALLOUT_TIMEOUT_DEFAULT;
2034 Uskip_whitespace(&ss);
2037 const uschar * sublist = ss;
2040 Uskip_whitespace(&sublist);
2041 for (uschar * opt; opt = string_nextinlist(&sublist, &optsep, NULL, 0); )
2044 double period = 1.0F;
2046 for (op= callout_opt_list; op->name; op++)
2047 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
2050 verify_options |= op->flag;
2053 opt += Ustrlen(op->name);
2054 Uskip_whitespace(&opt);
2057 *log_msgptr = string_sprintf("'=' expected after "
2058 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
2061 Uskip_whitespace(&opt);
2063 if (op->timeval && (period = v_period(opt, arg, log_msgptr)) < 0)
2068 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
2069 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
2070 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
2071 case CALLOUT_MAILFROM:
2072 if (!verify_header_sender)
2074 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
2075 "callout option only for verify=header_sender (detected in ACL "
2076 "condition \"%s\")", arg);
2079 se_mailfrom = string_copy(opt);
2081 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
2082 case CALLOUT_MAXWAIT: callout_overall = period; break;
2083 case CALLOUT_CONNECT: callout_connect = period; break;
2084 case CALLOUT_TIME: callout = period; break;
2090 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
2091 "ACL condition \"%s\"", arg);
2097 /* The quota option has sub-options, comma-separated */
2099 else if (strncmpic(ss, US"quota", 5) == 0)
2104 Uskip_whitespace(&ss);
2107 const uschar * sublist = ss;
2111 Uskip_whitespace(&sublist);
2112 for (uschar * opt; opt = string_nextinlist(&sublist, &optsep, NULL, 0); )
2113 if (Ustrncmp(opt, "cachepos=", 9) == 0)
2114 if ((period = v_period(opt += 9, arg, log_msgptr)) < 0)
2117 quota_pos_cache = period;
2118 else if (Ustrncmp(opt, "cacheneg=", 9) == 0)
2119 if ((period = v_period(opt += 9, arg, log_msgptr)) < 0)
2122 quota_neg_cache = period;
2123 else if (Ustrcmp(opt, "no_cache") == 0)
2124 quota_pos_cache = quota_neg_cache = 0;
2129 /* Option not recognized */
2133 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
2134 "condition \"verify %s\"", ss, arg);
2139 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
2140 (vopt_callout_recipsender|vopt_callout_recippmaster))
2142 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
2143 "for a recipient callout";
2147 /* Handle quota verification */
2150 if (vp->value != VERIFY_RCPT)
2152 *log_msgptr = US"can only verify quota of recipient";
2156 if ((rc = verify_quota_call(addr->address,
2157 quota_pos_cache, quota_neg_cache, log_msgptr)) != OK)
2159 *basic_errno = errno;
2160 if (smtp_return_error_details)
2162 if (!*user_msgptr && *log_msgptr)
2163 *user_msgptr = string_sprintf("Rejected after %s: %s",
2164 smtp_names[smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)]],
2166 if (rc == DEFER) f.acl_temp_details = TRUE;
2173 /* Handle sender-in-header verification. Default the user message to the log
2174 message if giving out verification details. */
2176 if (verify_header_sender)
2180 if ((rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
2181 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
2184 *basic_errno = verrno;
2185 if (smtp_return_error_details)
2187 if (!*user_msgptr && *log_msgptr)
2188 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
2189 if (rc == DEFER) f.acl_temp_details = TRUE;
2194 /* Handle a sender address. The default is to verify *the* sender address, but
2195 optionally a different address can be given, for special requirements. If the
2196 address is empty, we are dealing with a bounce message that has no sender, so
2197 we cannot do any checking. If the real sender address gets rewritten during
2198 verification (e.g. DNS widening), set the flag to stop it being rewritten again
2199 during message reception.
2201 A list of verified "sender" addresses is kept to try to avoid doing to much
2202 work repetitively when there are multiple recipients in a message and they all
2203 require sender verification. However, when callouts are involved, it gets too
2204 complicated because different recipients may require different callout options.
2205 Therefore, we always do a full sender verify when any kind of callout is
2206 specified. Caching elsewhere, for instance in the DNS resolver and in the
2207 callout handling, should ensure that this is not terribly inefficient. */
2209 else if (verify_sender_address)
2211 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)))
2213 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
2214 "sender verify callout";
2218 sender_vaddr = verify_checked_sender(verify_sender_address);
2219 if ( sender_vaddr /* Previously checked */
2220 && callout <= 0) /* No callout needed this time */
2222 /* If the "routed" flag is set, it means that routing worked before, so
2223 this check can give OK (the saved return code value, if set, belongs to a
2224 callout that was done previously). If the "routed" flag is not set, routing
2225 must have failed, so we use the saved return code. */
2227 if (testflag(sender_vaddr, af_verify_routed))
2231 rc = sender_vaddr->special_action;
2232 *basic_errno = sender_vaddr->basic_errno;
2234 HDEBUG(D_acl) debug_printf_indent("using cached sender verify result\n");
2237 /* Do a new verification, and cache the result. The cache is used to avoid
2238 verifying the sender multiple times for multiple RCPTs when callouts are not
2239 specified (see comments above).
2241 The cache is also used on failure to give details in response to the first
2242 RCPT that gets bounced for this reason. However, this can be suppressed by
2243 the no_details option, which sets the flag that says "this detail has already
2244 been sent". The cache normally contains just one address, but there may be
2245 more in esoteric circumstances. */
2250 uschar *save_address_data = deliver_address_data;
2252 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
2254 if ((sender_vaddr->prop.utf8_msg = message_smtputf8))
2256 sender_vaddr->prop.utf8_downcvt = message_utf8_downconvert == 1;
2257 sender_vaddr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
2260 if (no_details) setflag(sender_vaddr, af_sverify_told);
2261 if (verify_sender_address[0] != 0)
2263 /* If this is the real sender address, save the unrewritten version
2264 for use later in receive. Otherwise, set a flag so that rewriting the
2265 sender in verify_address() does not update sender_address. */
2267 if (verify_sender_address == sender_address)
2268 sender_address_unrewritten = sender_address;
2270 verify_options |= vopt_fake_sender;
2272 if (success_on_redirect)
2273 verify_options |= vopt_success_on_redirect;
2275 /* The recipient, qualify, and expn options are never set in
2278 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
2279 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
2281 HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
2284 *basic_errno = sender_vaddr->basic_errno;
2287 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2288 debug_printf_indent("sender %s verified ok as %s\n",
2289 verify_sender_address, sender_vaddr->address);
2291 debug_printf_indent("sender %s verified ok\n",
2292 verify_sender_address);
2295 rc = OK; /* Null sender */
2297 /* Cache the result code */
2299 if (routed) setflag(sender_vaddr, af_verify_routed);
2300 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2301 sender_vaddr->special_action = rc;
2302 sender_vaddr->next = sender_verified_list;
2303 sender_verified_list = sender_vaddr;
2305 /* Restore the recipient address data, which might have been clobbered by
2306 the sender verification. */
2308 deliver_address_data = save_address_data;
2311 /* Put the sender address_data value into $sender_address_data */
2313 sender_address_data = sender_vaddr->prop.address_data;
2316 /* A recipient address just gets a straightforward verify; again we must handle
2317 the DEFER overrides. */
2323 if (success_on_redirect)
2324 verify_options |= vopt_success_on_redirect;
2326 /* We must use a copy of the address for verification, because it might
2330 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
2331 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
2332 HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
2334 *basic_errno = addr2.basic_errno;
2335 *log_msgptr = addr2.message;
2336 *user_msgptr = addr2.user_message ? addr2.user_message : addr2.message;
2338 /* Allow details for temporary error if the address is so flagged. */
2339 if (testflag((&addr2), af_pass_message)) f.acl_temp_details = TRUE;
2341 /* Make $address_data visible */
2342 deliver_address_data = addr2.prop.address_data;
2345 /* We have a result from the relevant test. Handle defer overrides first. */
2349 || callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER
2352 HDEBUG(D_acl) debug_printf_indent("verify defer overridden by %s\n",
2353 defer_ok? "defer_ok" : "callout_defer_ok");
2357 /* If we've failed a sender, set up a recipient message, and point
2358 sender_verified_failed to the address item that actually failed. */
2360 if (rc != OK && verify_sender_address)
2363 *log_msgptr = *user_msgptr = US"Sender verify failed";
2364 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2365 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2368 *log_msgptr = US"Could not complete sender verify callout";
2369 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2373 sender_verified_failed = sender_vaddr;
2376 /* Verifying an address messes up the values of $domain and $local_part,
2377 so reset them before returning if this is a RCPT ACL. */
2381 deliver_domain = addr->domain;
2382 deliver_localpart = addr->local_part;
2386 /* Syntax errors in the verify argument come here. */
2389 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2390 "\"helo\", \"header_syntax\", \"header_sender\", \"header_names_ascii\" "
2391 "or \"reverse_host_lookup\" at start of ACL condition "
2392 "\"verify %s\"", arg);
2399 /*************************************************
2400 * Check argument for control= modifier *
2401 *************************************************/
2403 /* Called from acl_check_condition() below.
2404 To handle the case "queue_only" we accept an _ in the
2405 initial / option-switch position.
2408 arg the argument string for control=
2409 pptr set to point to the terminating character
2410 where which ACL we are in
2411 log_msgptr for error messages
2413 Returns: CONTROL_xxx value
2417 decode_control(const uschar *arg, const uschar **pptr, int where, uschar **log_msgptr)
2423 if ( (idx = find_control(arg, controls_list, nelem(controls_list))) < 0
2424 || ( (c = arg[len = Ustrlen((d = controls_list+idx)->name)]) != 0
2425 && (!d->has_option || c != '/' && c != '_')
2428 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2429 return CONTROL_ERROR;
2439 /*************************************************
2440 * Return a ratelimit error *
2441 *************************************************/
2443 /* Called from acl_ratelimit() below
2446 log_msgptr for error messages
2447 format format string
2448 ... supplementary arguments
2454 ratelimit_error(uschar **log_msgptr, const char *format, ...)
2458 string_cat(NULL, US"error in arguments to \"ratelimit\" condition: ");
2460 va_start(ap, format);
2461 g = string_vformat(g, SVFMT_EXTEND|SVFMT_REBUFFER, format, ap);
2464 gstring_release_unused(g);
2465 *log_msgptr = string_from_gstring(g);
2472 /*************************************************
2473 * Handle rate limiting *
2474 *************************************************/
2476 /* Called by acl_check_condition() below to calculate the result
2477 of the ACL ratelimit condition.
2479 Note that the return value might be slightly unexpected: if the
2480 sender's rate is above the limit then the result is OK. This is
2481 similar to the dnslists condition, and is so that you can write
2482 ACL clauses like: defer ratelimit = 15 / 1h
2485 arg the option string for ratelimit=
2486 where ACL_WHERE_xxxx indicating which ACL this is
2487 log_msgptr for error messages
2489 Returns: OK - Sender's rate is above limit
2490 FAIL - Sender's rate is below limit
2491 DEFER - Problem opening ratelimit database
2492 ERROR - Syntax error in options.
2496 acl_ratelimit(const uschar *arg, int where, uschar **log_msgptr)
2498 double limit, period, count;
2501 uschar *unique = NULL;
2503 BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2504 BOOL noupdate = FALSE, badacl = FALSE;
2505 int mode = RATE_PER_WHAT;
2507 tree_node **anchor, *t;
2508 open_db dbblock, *dbm;
2510 dbdata_ratelimit *dbd;
2511 dbdata_ratelimit_unique *dbdb;
2514 /* Parse the first two options and record their values in expansion
2515 variables. These variables allow the configuration to have informative
2516 error messages based on rate limits obtained from a table lookup. */
2518 /* First is the maximum number of messages per period / maximum burst
2519 size, which must be greater than or equal to zero. Zero is useful for
2520 rate measurement as opposed to rate limiting. */
2522 if (!(sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0)))
2523 return ratelimit_error(log_msgptr, "sender rate limit not set");
2525 limit = Ustrtod(sender_rate_limit, &ss);
2526 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2527 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2528 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2530 if (limit < 0.0 || *ss != '\0')
2531 return ratelimit_error(log_msgptr,
2532 "\"%s\" is not a positive number", sender_rate_limit);
2534 /* Second is the rate measurement period / exponential smoothing time
2535 constant. This must be strictly greater than zero, because zero leads to
2536 run-time division errors. */
2538 period = !(sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0))
2539 ? -1.0 : readconf_readtime(sender_rate_period, 0, FALSE);
2541 return ratelimit_error(log_msgptr,
2542 "\"%s\" is not a time value", sender_rate_period);
2544 /* By default we are counting one of something, but the per_rcpt,
2545 per_byte, and count options can change this. */
2549 /* Parse the other options. */
2551 while ((ss = string_nextinlist(&arg, &sep, NULL, 0)))
2553 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2554 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2555 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2556 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2557 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2558 else if (strcmpic(ss, US"per_conn") == 0)
2560 RATE_SET(mode, PER_CONN);
2561 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2564 else if (strcmpic(ss, US"per_mail") == 0)
2566 RATE_SET(mode, PER_MAIL);
2567 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2569 else if (strcmpic(ss, US"per_rcpt") == 0)
2571 /* If we are running in the RCPT ACL, then we'll count the recipients
2572 one by one, but if we are running when we have accumulated the whole
2573 list then we'll add them all in one batch. */
2574 if (where == ACL_WHERE_RCPT)
2575 RATE_SET(mode, PER_RCPT);
2576 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2577 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2578 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2579 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2581 else if (strcmpic(ss, US"per_byte") == 0)
2583 /* If we have not yet received the message data and there was no SIZE
2584 declaration on the MAIL command, then it's safe to just use a value of
2585 zero and let the recorded rate decay as if nothing happened. */
2586 RATE_SET(mode, PER_MAIL);
2587 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2588 else count = message_size < 0 ? 0.0 : (double)message_size;
2590 else if (strcmpic(ss, US"per_addr") == 0)
2592 RATE_SET(mode, PER_RCPT);
2593 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
2594 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2596 else if (strncmpic(ss, US"count=", 6) == 0)
2599 count = Ustrtod(ss+6, &e);
2600 if (count < 0.0 || *e != '\0')
2601 return ratelimit_error(log_msgptr, "\"%s\" is not a positive number", ss);
2603 else if (strncmpic(ss, US"unique=", 7) == 0)
2604 unique = string_copy(ss + 7);
2606 key = string_copy(ss);
2608 key = string_sprintf("%s/%s", key, ss);
2611 /* Sanity check. When the badacl flag is set the update mode must either
2612 be readonly (which is the default if it is omitted) or, for backwards
2613 compatibility, a combination of noupdate and strict or leaky. */
2615 if (mode == RATE_PER_CLASH)
2616 return ratelimit_error(log_msgptr, "conflicting per_* options");
2617 if (leaky + strict + readonly > 1)
2618 return ratelimit_error(log_msgptr, "conflicting update modes");
2619 if (badacl && (leaky || strict) && !noupdate)
2620 return ratelimit_error(log_msgptr,
2621 "\"%s\" must not have /leaky or /strict option, or cannot be used in %s ACL",
2622 ratelimit_option_string[mode], acl_wherenames[where]);
2624 /* Set the default values of any unset options. In readonly mode we
2625 perform the rate computation without any increment so that its value
2626 decays to eventually allow over-limit senders through. */
2628 if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2629 if (badacl) readonly = TRUE;
2630 if (readonly) count = 0.0;
2631 if (!strict && !readonly) leaky = TRUE;
2632 if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
2634 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2635 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2636 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2637 are added to the key because they alter the meaning of the stored data. */
2640 key = !sender_host_address ? US"" : sender_host_address;
2642 key = string_sprintf("%s/%s/%s%s",
2644 ratelimit_option_string[mode],
2645 unique == NULL ? "" : "unique/",
2649 debug_printf_indent("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
2651 /* See if we have already computed the rate by looking in the relevant tree.
2652 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2653 pool so that they survive across resets. In readonly mode we only remember the
2654 result for the rest of this command in case a later command changes it. After
2655 this bit of logic the code is independent of the per_* mode. */
2657 old_pool = store_pool;
2660 anchor = &ratelimiters_cmd;
2664 anchor = &ratelimiters_conn;
2665 store_pool = POOL_PERM;
2669 case RATE_PER_ALLRCPTS:
2670 anchor = &ratelimiters_mail;
2675 anchor = &ratelimiters_cmd;
2678 anchor = NULL; /* silence an "unused" complaint */
2679 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2680 "internal ACL error: unknown ratelimit mode %d", mode);
2685 if ((t = tree_search(*anchor, key)))
2688 /* The following few lines duplicate some of the code below. */
2689 rc = (dbd->rate < limit)? FAIL : OK;
2690 store_pool = old_pool;
2691 sender_rate = string_sprintf("%.1f", dbd->rate);
2693 debug_printf_indent("ratelimit found pre-computed rate %s\n", sender_rate);
2697 /* We aren't using a pre-computed rate, so get a previously recorded rate
2698 from the database, which will be updated and written back if required. */
2700 if (!(dbm = dbfn_open(US"ratelimit", O_RDWR|O_CREAT, &dbblock, TRUE, TRUE)))
2702 store_pool = old_pool;
2704 HDEBUG(D_acl) debug_printf_indent("ratelimit database not available\n");
2705 *log_msgptr = US"ratelimit database not available";
2708 dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2711 gettimeofday(&tv, NULL);
2715 /* Locate the basic ratelimit block inside the DB data. */
2716 HDEBUG(D_acl) debug_printf_indent("ratelimit found key in database\n");
2719 /* Forget the old Bloom filter if it is too old, so that we count each
2720 repeating event once per period. We don't simply clear and re-use the old
2721 filter because we want its size to change if the limit changes. Note that
2722 we keep the dbd pointer for copying the rate into the new data block. */
2724 if(unique && tv.tv_sec > dbdb->bloom_epoch + period)
2726 HDEBUG(D_acl) debug_printf_indent("ratelimit discarding old Bloom filter\n");
2732 if(unique && dbdb_size < sizeof(*dbdb))
2734 HDEBUG(D_acl) debug_printf_indent("ratelimit discarding undersize Bloom filter\n");
2739 /* Allocate a new data block if the database lookup failed
2740 or the Bloom filter passed its age limit. */
2746 /* No Bloom filter. This basic ratelimit block is initialized below. */
2747 HDEBUG(D_acl) debug_printf_indent("ratelimit creating new rate data block\n");
2748 dbdb_size = sizeof(*dbd);
2749 dbdb = store_get(dbdb_size, GET_UNTAINTED);
2754 HDEBUG(D_acl) debug_printf_indent("ratelimit creating new Bloom filter\n");
2756 /* See the long comment below for an explanation of the magic number 2.
2757 The filter has a minimum size in case the rate limit is very small;
2758 this is determined by the definition of dbdata_ratelimit_unique. */
2760 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2761 if (extra < 0) extra = 0;
2762 dbdb_size = sizeof(*dbdb) + extra;
2763 dbdb = store_get(dbdb_size, GET_UNTAINTED);
2764 dbdb->bloom_epoch = tv.tv_sec;
2765 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2766 memset(dbdb->bloom, 0, dbdb->bloom_size);
2768 /* Preserve any basic ratelimit data (which is our longer-term memory)
2769 by copying it from the discarded block. */
2779 /* If we are counting unique events, find out if this event is new or not.
2780 If the client repeats the event during the current period then it should be
2781 counted. We skip this code in readonly mode for efficiency, because any
2782 changes to the filter will be discarded and because count is already set to
2785 if (unique && !readonly)
2787 /* We identify unique events using a Bloom filter. (You can find my
2788 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2789 With the per_addr option, an "event" is a recipient address, though the
2790 user can use the unique option to define their own events. We only count
2791 an event if we have not seen it before.
2793 We size the filter according to the rate limit, which (in leaky mode)
2794 is the limit on the population of the filter. We allow 16 bits of space
2795 per entry (see the construction code above) and we set (up to) 8 of them
2796 when inserting an element (see the loop below). The probability of a false
2797 positive (an event we have not seen before but which we fail to count) is
2801 allzero = exp(-numhash * pop / size)
2802 = exp(-0.5 * pop / limit)
2803 fpr = pow(1 - allzero, numhash)
2805 For senders at the limit the fpr is 0.06% or 1 in 1700
2806 and for senders at half the limit it is 0.0006% or 1 in 170000
2808 In strict mode the Bloom filter can fill up beyond the normal limit, in
2809 which case the false positive rate will rise. This means that the
2810 measured rate for very fast senders can bogusly drop off after a while.
2812 At twice the limit, the fpr is 2.5% or 1 in 40
2813 At four times the limit, it is 31% or 1 in 3.2
2815 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2816 decay below the limit, and if this is more than one then the Bloom filter
2817 will be discarded before the decay gets that far. The false positive rate
2818 at this threshold is 9.3% or 1 in 10.7. */
2821 unsigned n, hash, hinc;
2825 /* Instead of using eight independent hash values, we combine two values
2826 using the formula h1 + n * h2. This does not harm the Bloom filter's
2827 performance, and means the amount of hash we need is independent of the
2828 number of bits we set in the filter. */
2830 md5_start(&md5info);
2831 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2832 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2833 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2835 /* Scan the bits corresponding to this event. A zero bit means we have
2836 not seen it before. Ensure all bits are set to record this event. */
2838 HDEBUG(D_acl) debug_printf_indent("ratelimit checking uniqueness of %s\n", unique);
2841 for (n = 0; n < 8; n++, hash += hinc)
2843 int bit = 1 << (hash % 8);
2844 int byte = (hash / 8) % dbdb->bloom_size;
2845 if ((dbdb->bloom[byte] & bit) == 0)
2847 dbdb->bloom[byte] |= bit;
2852 /* If this event has occurred before, do not count it. */
2856 HDEBUG(D_acl) debug_printf_indent("ratelimit event found in Bloom filter\n");
2860 HDEBUG(D_acl) debug_printf_indent("ratelimit event added to Bloom filter\n");
2863 /* If there was no previous ratelimit data block for this key, initialize
2864 the new one, otherwise update the block from the database. The initial rate
2865 is what would be computed by the code below for an infinite interval. */
2869 HDEBUG(D_acl) debug_printf_indent("ratelimit initializing new key's rate data\n");
2871 dbd->time_stamp = tv.tv_sec;
2872 dbd->time_usec = tv.tv_usec;
2877 /* The smoothed rate is computed using an exponentially weighted moving
2878 average adjusted for variable sampling intervals. The standard EWMA for
2879 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2880 where f() is the measured value and f'() is the smoothed value.
2882 Old data decays out of the smoothed value exponentially, such that data n
2883 samples old is multiplied by a^n. The exponential decay time constant p
2884 is defined such that data p samples old is multiplied by 1/e, which means
2885 that a = exp(-1/p). We can maintain the same time constant for a variable
2886 sampling interval i by using a = exp(-i/p).
2888 The rate we are measuring is messages per period, suitable for directly
2889 comparing with the limit. The average rate between now and the previous
2890 message is period / interval, which we feed into the EWMA as the sample.
2892 It turns out that the number of messages required for the smoothed rate
2893 to reach the limit when they are sent in a burst is equal to the limit.
2894 This can be seen by analysing the value of the smoothed rate after N
2895 messages sent at even intervals. Let k = (1 - a) * p/i
2897 rate_1 = (1 - a) * p/i + a * rate_0
2899 rate_2 = k + a * rate_1
2900 = k + a * k + a^2 * rate_0
2901 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2902 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2903 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2904 = rate_0 * a^N + p/i * (1 - a^N)
2906 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2908 rate_N = p/i + (rate_0 - p/i) * a^N
2909 a^N = (rate_N - p/i) / (rate_0 - p/i)
2910 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2911 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2913 Numerical analysis of the above equation, setting the computed rate to
2914 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2915 rates, p/i, the number of messages N = limit. So limit serves as both the
2916 maximum rate measured in messages per period, and the maximum number of
2917 messages that can be sent in a fast burst. */
2919 double this_time = (double)tv.tv_sec
2920 + (double)tv.tv_usec / 1000000.0;
2921 double prev_time = (double)dbd->time_stamp
2922 + (double)dbd->time_usec / 1000000.0;
2924 /* We must avoid division by zero, and deal gracefully with the clock going
2925 backwards. If we blunder ahead when time is in reverse then the computed
2926 rate will be bogus. To be safe we clamp interval to a very small number. */
2928 double interval = this_time - prev_time <= 0.0 ? 1e-9
2929 : this_time - prev_time;
2931 double i_over_p = interval / period;
2932 double a = exp(-i_over_p);
2934 /* Combine the instantaneous rate (period / interval) with the previous rate
2935 using the smoothing factor a. In order to measure sized events, multiply the
2936 instantaneous rate by the count of bytes or recipients etc. */
2938 dbd->time_stamp = tv.tv_sec;
2939 dbd->time_usec = tv.tv_usec;
2940 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2942 /* When events are very widely spaced the computed rate tends towards zero.
2943 Although this is accurate it turns out not to be useful for our purposes,
2944 especially when the first event after a long silence is the start of a spam
2945 run. A more useful model is that the rate for an isolated event should be the
2946 size of the event per the period size, ignoring the lack of events outside
2947 the current period and regardless of where the event falls in the period. So,
2948 if the interval was so long that the calculated rate is unhelpfully small, we
2949 re-initialize the rate. In the absence of higher-rate bursts, the condition
2950 below is true if the interval is greater than the period. */
2952 if (dbd->rate < count) dbd->rate = count;
2955 /* Clients sending at the limit are considered to be over the limit.
2956 This matters for edge cases such as a limit of zero, when the client
2957 should be completely blocked. */
2959 rc = dbd->rate < limit ? FAIL : OK;
2961 /* Update the state if the rate is low or if we are being strict. If we
2962 are in leaky mode and the sender's rate is too high, we do not update
2963 the recorded rate in order to avoid an over-aggressive sender's retry
2964 rate preventing them from getting any email through. If readonly is set,
2965 neither leaky nor strict are set, so we do not do any updates. */
2967 if ((rc == FAIL && leaky) || strict)
2969 dbfn_write(dbm, key, dbdb, dbdb_size);
2970 HDEBUG(D_acl) debug_printf_indent("ratelimit db updated\n");
2974 HDEBUG(D_acl) debug_printf_indent("ratelimit db not updated: %s\n",
2975 readonly? "readonly mode" : "over the limit, but leaky");
2980 /* Store the result in the tree for future reference. Take the taint status
2981 from the key for consistency even though it's unlikely we'll ever expand this. */
2983 t = store_get(sizeof(tree_node) + Ustrlen(key), key);
2985 Ustrcpy(t->name, key);
2986 (void)tree_insertnode(anchor, t);
2988 /* We create the formatted version of the sender's rate very late in
2989 order to ensure that it is done using the correct storage pool. */
2991 store_pool = old_pool;
2992 sender_rate = string_sprintf("%.1f", dbd->rate);
2995 debug_printf_indent("ratelimit computed rate %s\n", sender_rate);
3002 /*************************************************
3003 * Handle a check for previously-seen *
3004 *************************************************/
3007 ACL clauses like: seen = -5m / key=$foo / readonly
3009 Return is true for condition-true - but the semantics
3010 depend heavily on the actual use-case.
3012 Negative times test for seen-before, positive for seen-more-recently-than
3013 (the given interval before current time).
3015 All are subject to history not having been cleaned from the DB.
3017 Default for seen-before is to create if not present, and to
3018 update if older than 10d (with the seen-test time).
3019 Default for seen-since is to always create or update.
3022 key=value. Default key is $sender_host_address
3025 refresh=<interval>: update an existing DB entry older than given
3026 amount. Default refresh lacking this option is 10d.
3027 The update sets the record timestamp to the seen-test time.
3029 XXX do we need separate nocreate, noupdate controls?
3032 arg the option string for seen=
3033 where ACL_WHERE_xxxx indicating which ACL this is
3034 log_msgptr for error messages
3036 Returns: OK - Condition is true
3037 FAIL - Condition is false
3038 DEFER - Problem opening history database
3039 ERROR - Syntax error in options
3043 acl_seen(const uschar * arg, int where, uschar ** log_msgptr)
3045 enum { SEEN_DEFAULT, SEEN_READONLY, SEEN_WRITE };
3047 const uschar * list = arg;
3048 int slash = '/', interval, mode = SEEN_DEFAULT, yield = FAIL;
3050 int refresh = 10 * 24 * 60 * 60; /* 10 days */
3051 const uschar * ele, * key = sender_host_address;
3052 open_db dbblock, * dbm;
3056 /* Parse the first element, the time-relation. */
3058 if (!(ele = string_nextinlist(&list, &slash, NULL, 0)))
3060 if ((before = *ele == '-'))
3062 if ((interval = readconf_readtime(ele, 0, FALSE)) < 0)
3065 /* Remaining elements are options */
3067 while ((ele = string_nextinlist(&list, &slash, NULL, 0)))
3068 if (Ustrncmp(ele, "key=", 4) == 0)
3070 else if (Ustrcmp(ele, "readonly") == 0)
3071 mode = SEEN_READONLY;
3072 else if (Ustrcmp(ele, "write") == 0)
3074 else if (Ustrncmp(ele, "refresh=", 8) == 0)
3076 if ((refresh = readconf_readtime(ele + 8, 0, FALSE)) < 0)
3082 if (!(dbm = dbfn_open(US"seen", O_RDWR|O_CREAT, &dbblock, TRUE, TRUE)))
3084 HDEBUG(D_acl) debug_printf_indent("database for 'seen' not available\n");
3085 *log_msgptr = US"database for 'seen' not available";
3089 dbd = dbfn_read_with_length(dbm, key, NULL);
3091 if (dbd) /* an existing record */
3093 time_t diff = now - dbd->time_stamp; /* time since the record was written */
3095 if (before ? diff >= interval : diff < interval)
3098 if (mode == SEEN_READONLY)
3099 { HDEBUG(D_acl) debug_printf_indent("seen db not written (readonly)\n"); }
3100 else if (mode == SEEN_WRITE || !before)
3102 dbd->time_stamp = now;
3103 dbfn_write(dbm, key, dbd, sizeof(*dbd));
3104 HDEBUG(D_acl) debug_printf_indent("seen db written (update)\n");
3106 else if (diff >= refresh)
3108 dbd->time_stamp = now - interval;
3109 dbfn_write(dbm, key, dbd, sizeof(*dbd));
3110 HDEBUG(D_acl) debug_printf_indent("seen db written (refresh)\n");
3114 { /* No record found, yield always FAIL */
3115 if (mode != SEEN_READONLY)
3117 dbdata_seen d = {.time_stamp = now};
3118 dbfn_write(dbm, key, &d, sizeof(*dbd));
3119 HDEBUG(D_acl) debug_printf_indent("seen db written (create)\n");
3122 HDEBUG(D_acl) debug_printf_indent("seen db not written (readonly)\n");
3130 *log_msgptr = string_sprintf("failed to parse '%s'", arg);
3133 *log_msgptr = string_sprintf("unrecognised option '%s' in '%s'", ele, arg);
3139 /*************************************************
3140 * The udpsend ACL modifier *
3141 *************************************************/
3143 /* Called by acl_check_condition() below.
3146 arg the option string for udpsend=
3147 log_msgptr for error messages
3149 Returns: OK - Completed.
3150 DEFER - Problem with DNS lookup.
3151 ERROR - Syntax error in options.
3155 acl_udpsend(const uschar *arg, uschar **log_msgptr)
3167 hostname = string_nextinlist(&arg, &sep, NULL, 0);
3168 portstr = string_nextinlist(&arg, &sep, NULL, 0);
3172 *log_msgptr = US"missing destination host in \"udpsend\" modifier";
3177 *log_msgptr = US"missing destination port in \"udpsend\" modifier";
3182 *log_msgptr = US"missing datagram payload in \"udpsend\" modifier";
3185 portnum = Ustrtol(portstr, &portend, 10);
3186 if (*portend != '\0')
3188 *log_msgptr = US"bad destination port in \"udpsend\" modifier";
3192 /* Make a single-item host list. */
3193 h = store_get(sizeof(host_item), GET_UNTAINTED);
3194 memset(h, 0, sizeof(host_item));
3199 if (string_is_ip_address(hostname, NULL))
3200 h->address = hostname, r = HOST_FOUND;
3202 r = host_find_byname(h, NULL, 0, NULL, FALSE);
3203 if (r == HOST_FIND_FAILED || r == HOST_FIND_AGAIN)
3205 *log_msgptr = US"DNS lookup failed in \"udpsend\" modifier";
3210 debug_printf_indent("udpsend [%s]:%d %s\n", h->address, portnum, arg);
3212 /*XXX this could better use sendto */
3213 r = s = ip_connectedsocket(SOCK_DGRAM, h->address, portnum, portnum,
3214 1, NULL, &errstr, NULL);
3215 if (r < 0) goto defer;
3217 r = send(s, arg, len, 0);
3220 errstr = US strerror(errno);
3228 string_sprintf("\"udpsend\" truncated from %d to %d octets", len, r);
3233 debug_printf_indent("udpsend %d bytes\n", r);
3238 *log_msgptr = string_sprintf("\"udpsend\" failed: %s", errstr);
3244 #ifndef DISABLE_WELLKNOWN
3245 /*************************************************
3246 * The "wellknown" ACL modifier *
3247 *************************************************/
3249 /* Called by acl_check_condition() below.
3251 Retrieve the given file and encode content as xtext.
3252 Prefix with a summary line giving the length of plaintext.
3253 Leave a global pointer to the whole, for output by
3254 the smtp verb handler code (smtp_in.c).
3257 arg the option string for wellknown=
3258 log_msgptr for error messages
3264 wellknown_process(const uschar * arg, uschar ** log_msgptr)
3266 struct stat statbuf;
3270 wellknown_response = NULL;
3271 if (f.no_multiline_responses) return FAIL;
3273 /* Check for file existence */
3275 if (!*arg) return FAIL;
3276 if (Ustat(arg, &statbuf) != 0)
3277 { *log_msgptr = US"stat"; goto fail; }
3279 /*XXX perhaps refuse to serve a group- or world-writeable file? */
3281 if (!(rf = Ufopen(arg, "r")))
3282 { *log_msgptr = US"open"; goto fail; }
3284 /* Set up summary line for output */
3286 g = string_fmt_append(NULL, "SIZE=%lu\n", (long) statbuf.st_size);
3289 for (int n = 0, ch; (ch = fgetc(rf)) != EOF; )
3291 /* Xtext-encode, adding output linebreaks for input linebreaks
3292 or when the line gets long enough */
3295 { g = string_fmt_append(g, "+%02X", ch); n = LINE_LIM; }
3296 else if (ch < 33 || ch > 126 || ch == '+' || ch == '=')
3297 { g = string_fmt_append(g, "+%02X", ch); n += 3; }
3299 { g = string_fmt_append(g, "%c", ch); n++; }
3302 { g = string_catn(g, US"\n", 1); n = 0; }
3306 gstring_release_unused(g);
3307 wellknown_response = string_from_gstring(g);
3311 *log_msgptr = string_sprintf("wellknown: failed to %s file \"%s\": %s",
3312 *log_msgptr, arg, strerror(errno));
3318 /*************************************************
3319 * Handle conditions/modifiers on an ACL item *
3320 *************************************************/
3322 /* Called from acl_check() below.
3326 cb ACL condition block - if NULL, result is OK
3327 where where called from
3328 addr the address being checked for RCPT, or NULL
3329 level the nesting level
3330 epp pointer to pass back TRUE if "endpass" encountered
3331 (applies only to "accept" and "discard")
3332 user_msgptr user message pointer
3333 log_msgptr log message pointer
3334 basic_errno pointer to where to put verify error
3336 Returns: OK - all conditions are met
3337 DISCARD - an "acl" condition returned DISCARD - only allowed
3338 for "accept" or "discard" verbs
3339 FAIL - at least one condition fails
3340 FAIL_DROP - an "acl" condition returned FAIL_DROP
3341 DEFER - can't tell at the moment (typically, lookup defer,
3342 but can be temporary callout problem)
3343 ERROR - ERROR from nested ACL or expansion failure or other
3348 acl_check_condition(int verb, acl_condition_block *cb, int where,
3349 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
3350 uschar **log_msgptr, int *basic_errno)
3352 uschar * user_message = NULL;
3353 uschar * log_message = NULL;
3356 for (; cb; cb = cb->next)
3360 BOOL textonly = FALSE;
3362 /* The message and log_message items set up messages to be used in
3363 case of rejection. They are expanded later. */
3365 if (cb->type == ACLC_MESSAGE)
3367 HDEBUG(D_acl) debug_printf_indent(" message: %s\n", cb->arg);
3368 user_message = cb->arg;
3372 if (cb->type == ACLC_LOG_MESSAGE)
3374 HDEBUG(D_acl) debug_printf_indent("l_message: %s\n", cb->arg);
3375 log_message = cb->arg;
3379 /* The endpass "condition" just sets a flag to show it occurred. This is
3380 checked at compile time to be on an "accept" or "discard" item. */
3382 if (cb->type == ACLC_ENDPASS)
3388 /* For other conditions and modifiers, the argument is expanded now for some
3389 of them, but not for all, because expansion happens down in some lower level
3390 checking functions in some cases. */
3392 if (!(conditions[cb->type].flags & ACD_EXP))
3395 else if (!(arg = expand_string_2(cb->arg, &textonly)))
3397 if (f.expand_string_forcedfail) continue;
3398 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
3399 cb->arg, expand_string_message);
3400 return f.search_find_defer ? DEFER : ERROR;
3403 /* Show condition, and expanded condition if it's different */
3408 debug_printf_indent("check %s%s %n",
3409 (!(conditions[cb->type].flags & ACD_MOD) && cb->u.negated) ? "!":"",
3410 conditions[cb->type].name, &lhswidth);
3412 if (cb->type == ACLC_SET)
3414 #ifndef DISABLE_DKIM
3415 if ( Ustrcmp(cb->u.varname, "dkim_verify_status") == 0
3416 || Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
3418 debug_printf("%s ", cb->u.varname);
3424 debug_printf("acl_%s ", cb->u.varname);
3425 lhswidth += 5 + Ustrlen(cb->u.varname);
3429 debug_printf("= %s\n", cb->arg);
3432 debug_printf("%.*s= %s\n", lhswidth,
3436 /* Check that this condition makes sense at this time */
3438 if ((conditions[cb->type].forbids & (1 << where)) != 0)
3440 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
3441 conditions[cb->type].flags & ACD_MOD ? "use" : "test",
3442 conditions[cb->type].name, acl_wherenames[where]);
3446 /* Run the appropriate test for each condition, or take the appropriate
3447 action for the remaining modifiers. */
3451 case ACLC_ADD_HEADER:
3455 /* A nested ACL that returns "discard" makes sense only for an "accept" or
3459 rc = acl_check_wargs(where, addr, arg, user_msgptr, log_msgptr);
3460 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
3462 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
3463 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
3469 case ACLC_AUTHENTICATED:
3470 rc = sender_host_authenticated ? match_isinlist(sender_host_authenticated,
3471 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL) : FAIL;
3474 #ifdef EXPERIMENTAL_BRIGHTMAIL
3475 case ACLC_BMI_OPTIN:
3477 int old_pool = store_pool;
3478 store_pool = POOL_PERM;
3479 bmi_current_optin = string_copy(arg);
3480 store_pool = old_pool;
3485 case ACLC_CONDITION:
3486 /* The true/false parsing here should be kept in sync with that used in
3487 expand.c when dealing with ECOND_BOOL so that we don't have too many
3488 different definitions of what can be a boolean. */
3490 ? Ustrspn(arg+1, "0123456789") == Ustrlen(arg+1) /* Negative number */
3491 : Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
3492 rc = (Uatoi(arg) == 0)? FAIL : OK;
3494 rc = (strcmpic(arg, US"no") == 0 ||
3495 strcmpic(arg, US"false") == 0)? FAIL :
3496 (strcmpic(arg, US"yes") == 0 ||
3497 strcmpic(arg, US"true") == 0)? OK : DEFER;
3499 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
3502 case ACLC_CONTINUE: /* Always succeeds */
3507 const uschar * p = NULL;
3508 control_type = decode_control(arg, &p, where, log_msgptr);
3510 /* Check if this control makes sense at this time */
3512 if (controls_list[control_type].forbids & (1 << where))
3514 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
3515 controls_list[control_type].name, acl_wherenames[where]);
3519 /*XXX ought to sort these, just for sanity */
3520 switch(control_type)
3522 case CONTROL_AUTH_UNADVERTISED:
3523 f.allow_auth_unadvertised = TRUE;
3526 #ifdef EXPERIMENTAL_BRIGHTMAIL
3527 case CONTROL_BMI_RUN:
3532 #ifndef DISABLE_DKIM
3533 case CONTROL_DKIM_VERIFY:
3534 f.dkim_disable_verify = TRUE;
3535 # ifdef SUPPORT_DMARC
3536 /* Since DKIM was blocked, skip DMARC too */
3537 f.dmarc_disable_verify = TRUE;
3538 f.dmarc_enable_forensic = FALSE;
3543 #ifdef SUPPORT_DMARC
3544 case CONTROL_DMARC_VERIFY:
3545 f.dmarc_disable_verify = TRUE;
3548 case CONTROL_DMARC_FORENSIC:
3549 f.dmarc_enable_forensic = TRUE;
3556 int fd, af, level, optname, value;
3557 /* If we are acting on stdin, the setsockopt may fail if stdin is not
3558 a socket; we can accept that, we'll just debug-log failures anyway. */
3559 fd = fileno(smtp_in);
3560 if ((af = ip_get_address_family(fd)) < 0)
3563 debug_printf_indent("smtp input is probably not a socket [%s], not setting DSCP\n",
3567 if (dscp_lookup(p+1, af, &level, &optname, &value))
3568 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3570 HDEBUG(D_acl) debug_printf_indent("failed to set input DSCP[%s]: %s\n",
3571 p+1, strerror(errno));
3575 HDEBUG(D_acl) debug_printf_indent("set input DSCP to \"%s\"\n", p+1);
3579 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3585 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3593 case CONTROL_CASEFUL_LOCAL_PART:
3594 deliver_localpart = addr->cc_local_part;
3597 case CONTROL_CASELOWER_LOCAL_PART:
3598 deliver_localpart = addr->lc_local_part;
3601 case CONTROL_ENFORCE_SYNC:
3602 smtp_enforce_sync = TRUE;
3605 case CONTROL_NO_ENFORCE_SYNC:
3606 smtp_enforce_sync = FALSE;
3609 #ifdef WITH_CONTENT_SCAN
3610 case CONTROL_NO_MBOX_UNSPOOL:
3611 f.no_mbox_unspool = TRUE;
3615 case CONTROL_NO_MULTILINE:
3616 f.no_multiline_responses = TRUE;
3619 case CONTROL_NO_PIPELINING:
3620 f.pipelining_enable = FALSE;
3623 case CONTROL_NO_DELAY_FLUSH:
3624 f.disable_delay_flush = TRUE;
3627 case CONTROL_NO_CALLOUT_FLUSH:
3628 f.disable_callout_flush = TRUE;
3631 case CONTROL_FAKEREJECT:
3632 cancel_cutthrough_connection(TRUE, US"fakereject");
3633 case CONTROL_FAKEDEFER:
3634 fake_response = control_type == CONTROL_FAKEDEFER ? DEFER : FAIL;
3637 const uschar *pp = p + 1;
3639 /* The entire control= line was expanded at top so no need to expand
3640 the part after the / */
3641 fake_response_text = string_copyn(p+1, pp-p-1);
3644 else /* Explicitly reset to default string */
3645 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
3648 case CONTROL_FREEZE:
3649 f.deliver_freeze = TRUE;
3650 deliver_frozen_at = time(NULL);
3651 freeze_tell = freeze_tell_config; /* Reset to configured value */
3652 if (Ustrncmp(p, "/no_tell", 8) == 0)
3659 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3662 cancel_cutthrough_connection(TRUE, US"item frozen");
3666 f.queue_only_policy = TRUE;
3667 if (Ustrcmp(p, "_only") == 0)
3669 else while (*p == '/')
3670 if (Ustrncmp(p, "/only", 5) == 0)
3671 { p += 5; f.queue_smtp = FALSE; }
3672 else if (Ustrncmp(p, "/first_pass_route", 17) == 0)
3673 { p += 17; f.queue_smtp = TRUE; }
3676 cancel_cutthrough_connection(TRUE, US"queueing forced");
3679 case CONTROL_SUBMISSION:
3680 originator_name = US"";
3681 f.submission_mode = TRUE;
3684 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3687 f.active_local_sender_retain = TRUE;
3688 f.active_local_from_check = FALSE;
3690 else if (Ustrncmp(p, "/domain=", 8) == 0)
3692 const uschar *pp = p + 8;
3693 while (*pp && *pp != '/') pp++;
3694 submission_domain = string_copyn(p+8, pp-p-8);
3697 /* The name= option must be last, because it swallows the rest of
3699 else if (Ustrncmp(p, "/name=", 6) == 0)
3701 const uschar *pp = p + 6;
3703 submission_name = parse_fix_phrase(p+6, pp-p-6);
3710 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3717 uschar * debug_tag = NULL, * debug_opts = NULL;
3718 BOOL kill = FALSE, stop = FALSE;
3722 const uschar * pp = p+1;
3723 if (Ustrncmp(pp, "tag=", 4) == 0)
3725 for (pp += 4; *pp && *pp != '/';) pp++;
3726 debug_tag = string_copyn(p+5, pp-p-5);
3728 else if (Ustrncmp(pp, "opts=", 5) == 0)
3730 for (pp += 5; *pp && *pp != '/';) pp++;
3731 debug_opts = string_copyn(p+6, pp-p-6);
3733 else if (Ustrncmp(pp, "kill", 4) == 0)
3738 else if (Ustrncmp(pp, "stop", 4) == 0)
3743 else if (Ustrncmp(pp, "pretrigger=", 11) == 0)
3744 debug_pretrigger_setup(pp+11);
3745 else if (Ustrncmp(pp, "trigger=", 8) == 0)
3747 if (Ustrncmp(pp += 8, "now", 3) == 0)
3750 debug_trigger_fire();
3752 else if (Ustrncmp(pp, "paniclog", 8) == 0)
3755 dtrigger_selector |= BIT(DTi_panictrigger);
3758 while (*pp && *pp != '/') pp++;
3763 debug_logging_stop(TRUE);
3765 debug_logging_stop(FALSE);
3766 else if (debug_tag || debug_opts)
3767 debug_logging_activate(debug_tag, debug_opts);
3771 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3772 f.suppress_local_fixups = TRUE;
3775 case CONTROL_CUTTHROUGH_DELIVERY:
3777 uschar * ignored = NULL;
3778 #ifndef DISABLE_PRDR
3783 /* Too hard to think about for now. We might in future cutthrough
3784 the case where both sides handle prdr and this-node prdr acl
3786 ignored = US"PRDR active";
3787 else if (f.deliver_freeze)
3788 ignored = US"frozen";
3789 else if (f.queue_only_policy)
3790 ignored = US"queue-only";
3791 else if (fake_response == FAIL)
3792 ignored = US"fakereject";
3793 else if (rcpt_count != 1)
3794 ignored = US"nonfirst rcpt";
3795 else if (cutthrough.delivery)
3796 ignored = US"repeated";
3797 else if (cutthrough.callout_hold_only)
3800 debug_printf_indent(" cutthrough request upgrades callout hold\n");
3801 cutthrough.callout_hold_only = FALSE;
3802 cutthrough.delivery = TRUE; /* control accepted */
3806 cutthrough.delivery = TRUE; /* control accepted */
3809 const uschar * pp = p+1;
3810 if (Ustrncmp(pp, "defer=", 6) == 0)
3813 if (Ustrncmp(pp, "pass", 4) == 0) cutthrough.defer_pass = TRUE;
3814 /* else if (Ustrncmp(pp, "spool") == 0) ; default */
3817 while (*pp && *pp != '/') pp++;
3822 DEBUG(D_acl) if (ignored)
3823 debug_printf(" cutthrough request ignored on %s item\n", ignored);
3828 case CONTROL_UTF8_DOWNCONVERT:
3833 message_utf8_downconvert = 1;
3834 addr->prop.utf8_downcvt = TRUE;
3835 addr->prop.utf8_downcvt_maybe = FALSE;
3841 message_utf8_downconvert = 0;
3842 addr->prop.utf8_downcvt = FALSE;
3843 addr->prop.utf8_downcvt_maybe = FALSE;
3847 if (p[1] == '-' && p[2] == '1')
3849 message_utf8_downconvert = -1;
3850 addr->prop.utf8_downcvt = FALSE;
3851 addr->prop.utf8_downcvt_maybe = TRUE;
3855 *log_msgptr = US"bad option value for control=utf8_downconvert";
3859 message_utf8_downconvert = 1;
3860 addr->prop.utf8_downcvt = TRUE;
3861 addr->prop.utf8_downcvt_maybe = FALSE;
3867 #ifndef DISABLE_WELLKNOWN
3868 case CONTROL_WELLKNOWN:
3869 rc = *p == '/' ? wellknown_process(p+1, log_msgptr) : FAIL;
3876 #ifdef EXPERIMENTAL_DCC
3879 /* Separate the regular expression and any optional parameters. */
3880 const uschar * list = arg;
3882 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
3883 /* Run the dcc backend. */
3884 rc = dcc_process(&ss);
3885 /* Modify return code based upon the existence of options. */
3886 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
3887 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3888 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
3893 #ifdef WITH_CONTENT_SCAN
3895 rc = mime_decode(&arg);
3901 int delay = readconf_readtime(arg, 0, FALSE);
3904 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3905 "modifier: \"%s\" is not a time value", arg);
3910 HDEBUG(D_acl) debug_printf_indent("delay modifier requests %d-second delay\n",
3915 debug_printf_indent("delay skipped in -bh checking mode\n");
3918 /* NOTE 1: Remember that we may be
3919 dealing with stdin/stdout here, in addition to TCP/IP connections.
3920 Also, delays may be specified for non-SMTP input, where smtp_out and
3921 smtp_in will be NULL. Whatever is done must work in all cases.
3923 NOTE 2: The added feature of flushing the output before a delay must
3924 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3929 if (smtp_out && !f.disable_delay_flush)
3932 #if !defined(NO_POLL_H) && defined (POLLRDHUP)
3938 p.fd = fileno(smtp_out);
3939 p.events = POLLRDHUP;
3942 if (poll(&p, n, delay*1000) > 0)
3943 HDEBUG(D_acl) debug_printf_indent("delay cancelled by peer close\n");
3946 /* Lacking POLLRDHUP it appears to be impossible to detect that a
3947 TCP/IP connection has gone away without reading from it. This means
3948 that we cannot shorten the delay below if the client goes away,
3949 because we cannot discover that the client has closed its end of the
3950 connection. (The connection is actually in a half-closed state,
3951 waiting for the server to close its end.) It would be nice to be able
3952 to detect this state, so that the Exim process is not held up
3953 unnecessarily. However, it seems that we can't. The poll() function
3954 does not do the right thing, and in any case it is not always
3957 while (delay > 0) delay = sleep(delay);
3964 #ifndef DISABLE_DKIM
3965 case ACLC_DKIM_SIGNER:
3966 case ACLC_DKIM_STATUS:
3967 /* See comment on ACLC_SPF wrt. coding issues */
3969 misc_module_info * mi = misc_mod_find(US"dkim", &log_message);
3970 typedef int (*fn_t)(const uschar *);
3972 ? (((fn_t *) mi->functions)
3973 [cb->type == ACLC_DKIM_SIGNER
3974 ? DKIM_SIGNER_ISINLIST
3975 : DKIM_STATUS_LISTMATCH]) (arg)
3981 #ifdef SUPPORT_DMARC
3982 case ACLC_DMARC_STATUS:
3983 /* See comment on ACLC_SPF wrt. coding issues */
3985 misc_module_info * mi = misc_mod_find(US"dmarc", &log_message);
3986 typedef uschar * (*efn_t)(int);
3987 uschar * expanded_query;
3990 { rc = DEFER; break; } /* shouldn't happen */
3992 if (!f.dmarc_has_been_checked)
3994 typedef int (*pfn_t)(void);
3995 (void) (((pfn_t *) mi->functions)[DMARC_PROCESS]) ();
3996 f.dmarc_has_been_checked = TRUE;
3999 /* used long way of dmarc_exim_expand_query() in case we need more
4000 view into the process in the future. */
4002 /*XXX is this call used with any other arg? */
4003 expanded_query = (((efn_t *) mi->functions)[DMARC_EXPAND_QUERY])
4004 (DMARC_VERIFY_STATUS);
4005 rc = match_isinlist(expanded_query,
4006 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
4012 rc = verify_check_dnsbl(where, &arg, log_msgptr);
4016 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
4017 addr->domain_cache, MCL_DOMAIN, TRUE, CUSS &deliver_domain_data);
4020 /* The value in tls_cipher is the full cipher name, for example,
4021 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
4022 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
4023 what may in practice come out of the SSL library - which at the time of
4024 writing is poorly documented. */
4026 case ACLC_ENCRYPTED:
4027 if (!tls_in.cipher) rc = FAIL;
4030 uschar *endcipher = NULL;
4031 uschar *cipher = Ustrchr(tls_in.cipher, ':');
4032 if (!cipher) cipher = tls_in.cipher; else
4034 endcipher = Ustrchr(++cipher, ':');
4035 if (endcipher) *endcipher = 0;
4037 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
4038 if (endcipher) *endcipher = ':';
4042 /* Use verify_check_this_host() instead of verify_check_host() so that
4043 we can pass over &host_data to catch any looked up data. Once it has been
4044 set, it retains its value so that it's still there if another ACL verb
4045 comes through here and uses the cache. However, we must put it into
4046 permanent store in case it is also expected to be used in a subsequent
4047 message in the same SMTP connection. */
4050 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
4051 sender_host_address ? sender_host_address : US"", CUSS &host_data);
4052 if (rc == DEFER) *log_msgptr = search_error_message;
4053 if (host_data) host_data = string_copy_perm(host_data, TRUE);
4056 case ACLC_LOCAL_PARTS:
4057 rc = match_isinlist(addr->cc_local_part, &arg, 0,
4058 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
4059 CUSS &deliver_localpart_data);
4062 case ACLC_LOG_REJECT_TARGET:
4064 int logbits = 0, sep = 0;
4065 const uschar * s = arg;
4067 for (uschar * ss; ss = string_nextinlist(&s, &sep, NULL, 0); )
4069 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
4070 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
4071 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
4074 logbits |= LOG_MAIN|LOG_REJECT;
4075 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
4076 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
4079 log_reject_target = logbits;
4086 const uschar *s = arg;
4092 if (Ustrncmp(s, "main", 4) == 0)
4093 { logbits |= LOG_MAIN; s += 4; }
4094 else if (Ustrncmp(s, "panic", 5) == 0)
4095 { logbits |= LOG_PANIC; s += 5; }
4096 else if (Ustrncmp(s, "reject", 6) == 0)
4097 { logbits |= LOG_REJECT; s += 6; }
4100 logbits = LOG_MAIN|LOG_PANIC;
4101 s = string_sprintf(":unknown log name in \"%s\" in "
4102 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
4108 Uskip_whitespace(&s);
4110 if (logbits == 0) logbits = LOG_MAIN;
4111 log_write(0, logbits, "%s", string_printing(s));
4115 #ifdef WITH_CONTENT_SCAN
4116 case ACLC_MALWARE: /* Run the malware backend. */
4118 /* Separate the regular expression and any optional parameters. */
4119 const uschar * list = arg;
4120 BOOL defer_ok = FALSE;
4121 int timeout = 0, sep = -'/';
4122 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
4124 for (uschar * opt; opt = string_nextinlist(&list, &sep, NULL, 0); )
4125 if (strcmpic(opt, US"defer_ok") == 0)
4127 else if ( strncmpic(opt, US"tmo=", 4) == 0
4128 && (timeout = readconf_readtime(opt+4, '\0', FALSE)) < 0
4131 *log_msgptr = string_sprintf("bad timeout value in '%s'", opt);
4135 rc = malware(ss, textonly, timeout);
4136 if (rc == DEFER && defer_ok)
4137 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
4141 case ACLC_MIME_REGEX:
4142 rc = mime_regex(&arg, textonly);
4147 if (is_tainted(arg))
4149 *log_msgptr = string_sprintf("Tainted name '%s' for queue not permitted",
4153 if (Ustrchr(arg, '/'))
4155 *log_msgptr = string_sprintf(
4156 "Directory separator not permitted in queue name: '%s'", arg);
4159 queue_name = string_copy_perm(arg, FALSE);
4162 case ACLC_RATELIMIT:
4163 rc = acl_ratelimit(arg, where, log_msgptr);
4166 case ACLC_RECIPIENTS:
4167 rc = match_address_list(CUS addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
4168 CUSS &recipient_data);
4171 #ifdef WITH_CONTENT_SCAN
4173 rc = regex(&arg, textonly);
4177 case ACLC_REMOVE_HEADER:
4178 setup_remove_header(arg);
4182 rc = acl_seen(arg, where, log_msgptr);
4185 case ACLC_SENDER_DOMAINS:
4188 sdomain = Ustrrchr(sender_address, '@');
4189 sdomain = sdomain ? sdomain + 1 : US"";
4190 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
4191 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
4196 rc = match_address_list(CUS sender_address, TRUE, TRUE, &arg,
4197 sender_address_cache, -1, 0, CUSS &sender_data);
4200 /* Connection variables must persist forever; message variables not */
4204 int old_pool = store_pool;
4205 if ( cb->u.varname[0] != 'm'
4206 #ifndef DISABLE_EVENT
4207 || event_name /* An event is being delivered */
4210 store_pool = POOL_PERM;
4212 #ifndef DISABLE_DKIM /* Overwriteable dkim result variables */
4213 if ( Ustrcmp(cb->u.varname, "dkim_verify_status") == 0
4214 || Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0
4217 misc_module_info * mi = misc_mod_findonly(US"dkim");
4218 typedef void (*fn_t)(const uschar *, void *);
4221 (((fn_t *) mi->functions)[DKIM_SETVAR])
4222 (cb->u.varname, string_copy(arg));
4226 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
4227 store_pool = old_pool;
4231 #ifdef WITH_CONTENT_SCAN
4234 /* Separate the regular expression and any optional parameters. */
4235 const uschar * list = arg;
4237 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
4239 rc = spam(CUSS &ss);
4240 /* Modify return code based upon the existence of options. */
4241 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
4242 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
4243 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
4250 case ACLC_SPF_GUESS:
4251 /* We have hardwired function-call numbers, and also prototypes for the
4252 functions. We could do a function name table search or (simpler)
4253 a module include file with defines for the numbers
4254 but I can't see how to deal with prototypes. Is a K&R non-prototyped
4255 function still usable with today's compilers (but we would lose on
4256 type-checking)? We could macroize the typedef, and even the function
4257 table access - but it obscures how it works rather. */
4259 misc_module_info * mi = misc_mod_find(US"spf", &log_message);
4260 typedef int (*fn_t)(const uschar **, const uschar *, int);
4264 { rc = DEFER; break; } /* shouldn't happen */
4266 fn = ((fn_t *) mi->functions)[SPF_PROCESS];
4268 rc = fn(&arg, sender_address,
4269 cb->type == ACLC_SPF ? SPF_PROCESS_NORMAL : SPF_PROCESS_GUESS);
4275 rc = acl_udpsend(arg, log_msgptr);
4278 /* If the verb is WARN, discard any user message from verification, because
4279 such messages are SMTP responses, not header additions. The latter come
4280 only from explicit "message" modifiers. However, put the user message into
4281 $acl_verify_message so it can be used in subsequent conditions or modifiers
4282 (until something changes it). */
4285 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
4287 acl_verify_message = *user_msgptr;
4288 if (verb == ACL_WARN) *user_msgptr = NULL;
4292 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
4293 "condition %d", cb->type);
4297 /* If a condition was negated, invert OK/FAIL. */
4299 if (!(conditions[cb->type].flags & ACD_MOD) && cb->u.negated)
4300 if (rc == OK) rc = FAIL;
4301 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
4303 if (rc != OK) break; /* Conditions loop */
4307 /* If the result is the one for which "message" and/or "log_message" are used,
4308 handle the values of these modifiers. If there isn't a log message set, we make
4309 it the same as the user message.
4311 "message" is a user message that will be included in an SMTP response. Unless
4312 it is empty, it overrides any previously set user message.
4314 "log_message" is a non-user message, and it adds to any existing non-user
4315 message that is already set.
4317 Most verbs have but a single return for which the messages are relevant, but
4318 for "discard", it's useful to have the log message both when it succeeds and
4319 when it fails. For "accept", the message is used in the OK case if there is no
4320 "endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
4323 if (*epp && rc == OK) user_message = NULL;
4325 if ((BIT(rc) & msgcond[verb]) != 0)
4328 uschar *old_user_msgptr = *user_msgptr;
4329 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
4331 /* If the verb is "warn", messages generated by conditions (verification or
4332 nested ACLs) are always discarded. This also happens for acceptance verbs
4333 when they actually do accept. Only messages specified at this level are used.
4334 However, the value of an existing message is available in $acl_verify_message
4335 during expansions. */
4337 if (verb == ACL_WARN ||
4338 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
4339 *log_msgptr = *user_msgptr = NULL;
4343 acl_verify_message = old_user_msgptr;
4344 expmessage = expand_string(user_message);
4347 if (!f.expand_string_forcedfail)
4348 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
4349 user_message, expand_string_message);
4351 else if (expmessage[0] != 0) *user_msgptr = expmessage;
4356 acl_verify_message = old_log_msgptr;
4357 expmessage = expand_string(log_message);
4360 if (!f.expand_string_forcedfail)
4361 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
4362 log_message, expand_string_message);
4364 else if (expmessage[0] != 0)
4366 *log_msgptr = (*log_msgptr == NULL)? expmessage :
4367 string_sprintf("%s: %s", expmessage, *log_msgptr);
4371 /* If no log message, default it to the user message */
4373 if (!*log_msgptr) *log_msgptr = *user_msgptr;
4376 acl_verify_message = NULL;
4384 /*************************************************
4385 * Get line from a literal ACL *
4386 *************************************************/
4388 /* This function is passed to acl_read() in order to extract individual lines
4389 of a literal ACL, which we access via static pointers. We can destroy the
4390 contents because this is called only once (the compiled ACL is remembered).
4392 This code is intended to treat the data in the same way as lines in the main
4393 Exim configuration file. That is:
4395 . Leading spaces are ignored.
4397 . A \ at the end of a line is a continuation - trailing spaces after the \
4398 are permitted (this is because I don't believe in making invisible things
4399 significant). Leading spaces on the continued part of a line are ignored.
4401 . Physical lines starting (significantly) with # are totally ignored, and
4402 may appear within a sequence of backslash-continued lines.
4404 . Blank lines are ignored, but will end a sequence of continuations.
4407 Returns: a pointer to the next line
4411 static uschar *acl_text; /* Current pointer in the text */
4412 static uschar *acl_text_end; /* Points one past the terminating '0' */
4420 /* This loop handles leading blank lines and comments. */
4424 Uskip_whitespace(&acl_text); /* Leading spaces/empty lines */
4425 if (!*acl_text) return NULL; /* No more data */
4426 yield = acl_text; /* Potential data line */
4428 while (*acl_text && *acl_text != '\n') acl_text++;
4430 /* If we hit the end before a newline, we have the whole logical line. If
4431 it's a comment, there's no more data to be given. Otherwise, yield it. */
4433 if (!*acl_text) return *yield == '#' ? NULL : yield;
4435 /* After reaching a newline, end this loop if the physical line does not
4436 start with '#'. If it does, it's a comment, and the loop continues. */
4438 if (*yield != '#') break;
4441 /* This loop handles continuations. We know we have some real data, ending in
4442 newline. See if there is a continuation marker at the end (ignoring trailing
4443 white space). We know that *yield is not white space, so no need to test for
4444 cont > yield in the backwards scanning loop. */
4449 for (cont = acl_text - 1; isspace(*cont); cont--);
4451 /* If no continuation follows, we are done. Mark the end of the line and
4460 /* We have encountered a continuation. Skip over whitespace at the start of
4461 the next line, and indeed the whole of the next line or lines if they are
4466 while (*(++acl_text) == ' ' || *acl_text == '\t');
4467 if (*acl_text != '#') break;
4468 while (*(++acl_text) != 0 && *acl_text != '\n');
4471 /* We have the start of a continuation line. Move all the rest of the data
4472 to join onto the previous line, and then find its end. If the end is not a
4473 newline, we are done. Otherwise loop to look for another continuation. */
4475 memmove(cont, acl_text, acl_text_end - acl_text);
4476 acl_text_end -= acl_text - cont;
4478 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
4479 if (*acl_text == 0) return yield;
4482 /* Control does not reach here */
4489 /************************************************/
4490 /* For error messages, a string describing the config location
4491 associated with current processing. NULL if not in an ACL. */
4494 acl_current_verb(void)
4496 if (acl_current) return string_sprintf(" (ACL %s, %s %d)",
4497 verbs[acl_current->verb], acl_current->srcfile, acl_current->srcline);
4501 /*************************************************
4502 * Check access using an ACL *
4503 *************************************************/
4505 /* This function is called from address_check. It may recurse via
4506 acl_check_condition() - hence the use of a level to stop looping. The ACL is
4507 passed as a string which is expanded. A forced failure implies no access check
4508 is required. If the result is a single word, it is taken as the name of an ACL
4509 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
4510 text, complete with newlines, and parsed as such. In both cases, the ACL check
4511 is then run. This function uses an auxiliary function for acl_read() to call
4512 for reading individual lines of a literal ACL. This is acl_getline(), which
4513 appears immediately above.
4516 where where called from
4517 addr address item when called from RCPT; otherwise NULL
4518 s the input string; NULL is the same as an empty ACL => DENY
4519 user_msgptr where to put a user error (for SMTP response)
4520 log_msgptr where to put a logging message (not for SMTP response)
4522 Returns: OK access is granted
4523 DISCARD access is apparently granted...
4524 FAIL access is denied
4525 FAIL_DROP access is denied; drop the connection
4526 DEFER can't tell at the moment
4531 acl_check_internal(int where, address_item *addr, uschar *s,
4532 uschar **user_msgptr, uschar **log_msgptr)
4535 acl_block *acl = NULL;
4536 uschar *acl_name = US"inline ACL";
4539 /* Catch configuration loops */
4543 *log_msgptr = US"ACL nested too deep: possible loop";
4549 HDEBUG(D_acl) debug_printf_indent("ACL is NULL: implicit DENY\n");
4553 /* At top level, we expand the incoming string. At lower levels, it has already
4554 been expanded as part of condition processing. */
4558 else if (!(ss = expand_string(s)))
4560 if (f.expand_string_forcedfail) return OK;
4561 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
4562 expand_string_message);
4566 Uskip_whitespace(&ss);
4568 /* If we can't find a named ACL, the default is to parse it as an inline one.
4569 (Unless it begins with a slash; non-existent files give rise to an error.) */
4573 if (is_tainted(acl_text) && !f.running_in_test_harness)
4575 log_write(0, LOG_MAIN|LOG_PANIC,
4576 "attempt to use tainted ACL text \"%s\"", acl_text);
4577 /* Avoid leaking info to an attacker */
4578 *log_msgptr = US"internal configuration error";
4582 /* Handle the case of a string that does not contain any spaces. Look for a
4583 named ACL among those read from the configuration, or a previously read file.
4584 It is possible that the pointer to the ACL is NULL if the configuration
4585 contains a name with no data. If not found, and the text begins with '/',
4586 read an ACL from a file, and save it so it can be re-used. */
4588 if (Ustrchr(ss, ' ') == NULL)
4590 tree_node * t = tree_search(acl_anchor, ss);
4593 if (!(acl = (acl_block *)(t->data.ptr)))
4595 HDEBUG(D_acl) debug_printf_indent("ACL \"%s\" is empty: implicit DENY\n", ss);
4598 acl_name = string_sprintf("ACL %s", ss);
4599 HDEBUG(D_acl) debug_printf_indent("using ACL \"%s\"\n", ss);
4602 else if (*ss == '/')
4604 struct stat statbuf;
4605 if ((fd = Uopen(ss, O_RDONLY, 0)) < 0)
4607 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
4611 if (fstat(fd, &statbuf) != 0)
4613 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
4618 /* If the string being used as a filename is tainted, so is the file content */
4619 acl_text = store_get(statbuf.st_size + 1, ss);
4620 acl_text_end = acl_text + statbuf.st_size + 1;
4622 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
4624 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
4625 ss, strerror(errno));
4628 acl_text[statbuf.st_size] = 0;
4631 acl_name = string_sprintf("ACL %s", ss);
4632 HDEBUG(D_acl) debug_printf_indent("read ACL from file %s\n", ss);
4636 /* Parse an ACL that is still in text form. If it came from a file, remember it
4637 in the ACL tree, having read it into the POOL_PERM store pool so that it
4638 persists between multiple messages. */
4642 int old_pool = store_pool;
4643 if (fd >= 0) store_pool = POOL_PERM;
4644 acl = acl_read(acl_getline, log_msgptr);
4645 store_pool = old_pool;
4646 if (!acl && *log_msgptr) return ERROR;
4649 tree_node * t = store_get_perm(sizeof(tree_node) + Ustrlen(ss), ss);
4650 Ustrcpy(t->name, ss);
4652 (void)tree_insertnode(&acl_anchor, t);
4656 /* Now we have an ACL to use. It's possible it may be NULL. */
4658 while ((acl_current = acl))
4661 int basic_errno = 0;
4662 BOOL endpass_seen = FALSE;
4663 BOOL acl_quit_check = acl_level == 0
4664 && (where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT);
4666 *log_msgptr = *user_msgptr = NULL;
4667 f.acl_temp_details = FALSE;
4669 config_filename = acl->srcfile;
4670 config_lineno = acl->srcline;
4674 debug_printf_indent("processing %s \"%s\"", acl_name, verbs[acl->verb]);
4675 if (config_lineno) debug_printf(" (%s %d)", config_filename, config_lineno);
4679 /* Clear out any search error message from a previous check before testing
4682 search_error_message = NULL;
4683 cond = acl_check_condition(acl->verb, acl->condition, where, addr, acl_level,
4684 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
4686 /* Handle special returns: DEFER causes a return except on a WARN verb;
4687 ERROR always causes a return. */
4692 HDEBUG(D_acl) debug_printf_indent("%s: condition test deferred in %s\n",
4693 verbs[acl->verb], acl_name);
4694 if (basic_errno != ERRNO_CALLOUTDEFER)
4696 if (search_error_message && *search_error_message)
4697 *log_msgptr = search_error_message;
4698 if (smtp_return_error_details) f.acl_temp_details = TRUE;
4701 f.acl_temp_details = TRUE;
4702 if (acl->verb != ACL_WARN) return DEFER;
4705 default: /* Paranoia */
4707 HDEBUG(D_acl) debug_printf_indent("%s: condition test error in %s\n",
4708 verbs[acl->verb], acl_name);
4712 HDEBUG(D_acl) debug_printf_indent("%s: condition test succeeded in %s\n",
4713 verbs[acl->verb], acl_name);
4717 HDEBUG(D_acl) debug_printf_indent("%s: condition test failed in %s\n",
4718 verbs[acl->verb], acl_name);
4721 /* DISCARD and DROP can happen only from a nested ACL condition, and
4722 DISCARD can happen only for an "accept" or "discard" verb. */
4725 HDEBUG(D_acl) debug_printf_indent("%s: condition test yielded \"discard\" in %s\n",
4726 verbs[acl->verb], acl_name);
4730 HDEBUG(D_acl) debug_printf_indent("%s: condition test yielded \"drop\" in %s\n",
4731 verbs[acl->verb], acl_name);
4735 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
4736 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
4737 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
4742 if (cond == OK || cond == DISCARD)
4744 HDEBUG(D_acl) debug_printf_indent("end of %s: ACCEPT\n", acl_name);
4749 HDEBUG(D_acl) debug_printf_indent("accept: endpass encountered - denying access\n");
4757 HDEBUG(D_acl) debug_printf_indent("end of %s: DEFER\n", acl_name);
4758 if (acl_quit_check) goto badquit;
4759 f.acl_temp_details = TRUE;
4767 HDEBUG(D_acl) debug_printf_indent("end of %s: DENY\n", acl_name);
4768 if (acl_quit_check) goto badquit;
4774 if (cond == OK || cond == DISCARD)
4776 HDEBUG(D_acl) debug_printf_indent("end of %s: DISCARD\n", acl_name);
4777 if (acl_quit_check) goto badquit;
4783 debug_printf_indent("discard: endpass encountered - denying access\n");
4791 HDEBUG(D_acl) debug_printf_indent("end of %s: DROP\n", acl_name);
4792 if (acl_quit_check) goto badquit;
4800 HDEBUG(D_acl) debug_printf_indent("end of %s: not OK\n", acl_name);
4801 if (acl_quit_check) goto badquit;
4808 acl_warn(where, *user_msgptr, *log_msgptr);
4809 else if (cond == DEFER && LOGGING(acl_warn_skipped))
4810 if (config_lineno > 0)
4811 log_write(0, LOG_MAIN,
4812 "%s Warning: ACL 'warn' statement skipped (in %s at line %d of %s):"
4813 " condition test deferred%s%s",
4814 host_and_ident(TRUE), acl_name, config_lineno, config_filename,
4815 *log_msgptr ? US": " : US"", *log_msgptr ? *log_msgptr : US"");
4817 log_write(0, LOG_MAIN,
4818 "%s Warning: ACL 'warn' statement skipped (in %s):"
4819 " condition test deferred%s%s",
4820 host_and_ident(TRUE), acl_name,
4821 *log_msgptr ? US": " : US"", *log_msgptr ? *log_msgptr : US"");
4822 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
4826 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
4831 /* Pass to the next ACL item */
4836 /* We have reached the end of the ACL. This is an implicit DENY. */
4838 HDEBUG(D_acl) debug_printf_indent("end of %s: implicit DENY\n", acl_name);
4842 *log_msgptr = string_sprintf("QUIT or not-QUIT toplevel ACL may not fail "
4843 "('%s' verb used incorrectly)", verbs[acl->verb]);
4850 /* Same args as acl_check_internal() above, but the string s is
4851 the name of an ACL followed optionally by up to 9 space-separated arguments.
4852 The name and args are separately expanded. Args go into $acl_arg globals. */
4854 acl_check_wargs(int where, address_item *addr, const uschar *s,
4855 uschar **user_msgptr, uschar **log_msgptr)
4858 uschar * tmp_arg[9]; /* must match acl_arg[] */
4859 uschar * sav_arg[9]; /* must match acl_arg[] */
4865 if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
4868 for (i = 0; i < 9; i++)
4870 if (!Uskip_whitespace(&s))
4872 if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
4879 sav_narg = acl_narg;
4881 for (i = 0; i < acl_narg; i++)
4883 sav_arg[i] = acl_arg[i];
4884 acl_arg[i] = tmp_arg[i];
4888 sav_arg[i] = acl_arg[i];
4889 acl_arg[i++] = NULL;
4893 ret = acl_check_internal(where, addr, name, user_msgptr, log_msgptr);
4897 acl_narg = sav_narg;
4898 for (i = 0; i < 9; i++) acl_arg[i] = sav_arg[i];
4902 if (f.expand_string_forcedfail) return ERROR;
4903 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
4904 tmp, expand_string_message);
4905 return f.search_find_defer ? DEFER : ERROR;
4910 /*************************************************
4911 * Check access using an ACL *
4912 *************************************************/
4914 /* Alternate interface for ACL, used by expansions */
4916 acl_eval(int where, uschar *s, uschar **user_msgptr, uschar **log_msgptr)
4919 address_item *addr = NULL;
4922 *user_msgptr = *log_msgptr = NULL;
4923 sender_verified_failed = NULL;
4924 ratelimiters_cmd = NULL;
4925 log_reject_target = LOG_MAIN|LOG_REJECT;
4927 if (where == ACL_WHERE_RCPT)
4929 adb = address_defaults;
4931 addr->address = expand_string(US"$local_part@$domain");
4932 addr->domain = deliver_domain;
4933 addr->local_part = deliver_localpart;
4934 addr->cc_local_part = deliver_localpart;
4935 addr->lc_local_part = deliver_localpart;
4939 rc = acl_check_internal(where, addr, s, user_msgptr, log_msgptr);
4947 /* This is the external interface for ACL checks. It sets up an address and the
4948 expansions for $domain and $local_part when called after RCPT, then calls
4949 acl_check_internal() to do the actual work.
4952 where ACL_WHERE_xxxx indicating where called from
4953 recipient RCPT address for RCPT check, else NULL
4954 s the input string; NULL is the same as an empty ACL => DENY
4955 user_msgptr where to put a user error (for SMTP response)
4956 log_msgptr where to put a logging message (not for SMTP response)
4958 Returns: OK access is granted by an ACCEPT verb
4959 DISCARD access is granted by a DISCARD verb
4960 FAIL access is denied
4961 FAIL_DROP access is denied; drop the connection
4962 DEFER can't tell at the moment
4967 acl_check(int where, const uschar * recipient, uschar * s,
4968 uschar ** user_msgptr, uschar ** log_msgptr)
4972 address_item *addr = NULL;
4974 *user_msgptr = *log_msgptr = NULL;
4975 sender_verified_failed = NULL;
4976 ratelimiters_cmd = NULL;
4977 log_reject_target = LOG_MAIN|LOG_REJECT;
4979 #ifndef DISABLE_PRDR
4980 if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY || where==ACL_WHERE_PRDR)
4982 if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY)
4985 adb = address_defaults;
4987 addr->address = recipient;
4988 if (deliver_split_address(addr) == DEFER)
4990 *log_msgptr = US"defer in percent_hack_domains check";
4994 if ((addr->prop.utf8_msg = message_smtputf8))
4996 addr->prop.utf8_downcvt = message_utf8_downconvert == 1;
4997 addr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
5000 deliver_domain = addr->domain;
5001 deliver_localpart = addr->local_part;
5006 rc = acl_check_internal(where, addr, s, user_msgptr, log_msgptr);
5008 acl_where = ACL_WHERE_UNKNOWN;
5011 /* Cutthrough - if requested,
5012 and WHERE_RCPT and not yet opened conn as result of recipient-verify,
5013 and rcpt acl returned accept,
5014 and first recipient (cancel on any subsequents)
5015 open one now and run it up to RCPT acceptance.
5016 A failed verify should cancel cutthrough request,
5017 and will pass the fail to the originator.
5018 Initial implementation: dual-write to spool.
5019 Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
5021 Cease cutthrough copy on rxd final dot; do not send one.
5023 On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
5025 On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
5026 perm-rejected, reflect that to the original sender - and dump the spooled copy.
5027 If temp-reject, close the conn (and keep the spooled copy).
5028 If conn-failure, no action (and keep the spooled copy).
5032 case ACL_WHERE_RCPT:
5033 #ifndef DISABLE_PRDR
5034 case ACL_WHERE_PRDR:
5037 if (f.host_checking_callout) /* -bhc mode */
5038 cancel_cutthrough_connection(TRUE, US"host-checking mode");
5041 && cutthrough.delivery
5042 && rcpt_count > cutthrough.nrcpt
5045 if ((rc = open_cutthrough_connection(addr)) == DEFER)
5046 if (cutthrough.defer_pass)
5048 uschar * s = addr->message;
5049 /* Horrid kludge to recover target's SMTP message */
5051 do --s; while (!isdigit(*s));
5052 if (*--s && isdigit(*s) && *--s && isdigit(*s)) *user_msgptr = s;
5053 f.acl_temp_details = TRUE;
5057 HDEBUG(D_acl) debug_printf_indent("cutthrough defer; will spool\n");
5061 else HDEBUG(D_acl) if (cutthrough.delivery)
5062 if (rcpt_count <= cutthrough.nrcpt)
5063 debug_printf_indent("ignore cutthrough request; nonfirst message\n");
5065 debug_printf_indent("ignore cutthrough request; ACL did not accept\n");
5068 case ACL_WHERE_PREDATA:
5070 cutthrough_predata();
5072 cancel_cutthrough_connection(TRUE, US"predata acl not ok");
5075 case ACL_WHERE_QUIT:
5076 case ACL_WHERE_NOTQUIT:
5077 /* Drop cutthrough conns, and drop heldopen verify conns if
5078 the previous was not DATA */
5081 smtp_connection_had[SMTP_HBUFF_PREV(SMTP_HBUFF_PREV(smtp_ch_index))];
5082 BOOL dropverify = !(prev == SCH_DATA || prev == SCH_BDAT);
5084 cancel_cutthrough_connection(dropverify, US"quit or conndrop");
5092 deliver_domain = deliver_localpart = deliver_address_data =
5093 deliver_domain_data = sender_address_data = NULL;
5095 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
5096 ACL, which is really in the middle of an SMTP command. */
5100 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
5102 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
5103 "ACL", acl_wherenames[where]);
5109 /* A DROP response is not permitted from MAILAUTH */
5111 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
5113 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
5114 "ACL", acl_wherenames[where]);
5118 /* Before giving a response, take a look at the length of any user message, and
5119 split it up into multiple lines if possible. */
5121 *user_msgptr = string_split_message(*user_msgptr);
5122 if (fake_response != OK)
5123 fake_response_text = string_split_message(fake_response_text);
5129 /*************************************************
5130 * Create ACL variable *
5131 *************************************************/
5133 /* Create an ACL variable or reuse an existing one. ACL variables are in a
5134 binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
5137 name pointer to the variable's name, starting with c or m
5139 Returns the pointer to variable's tree node
5143 acl_var_create(uschar * name)
5145 tree_node * node, ** root = name[0] == 'c' ? &acl_var_c : &acl_var_m;
5146 if (!(node = tree_search(*root, name)))
5148 node = store_get(sizeof(tree_node) + Ustrlen(name), name);
5149 Ustrcpy(node->name, name);
5150 (void)tree_insertnode(root, node);
5152 node->data.ptr = NULL;
5158 /*************************************************
5159 * Write an ACL variable in spool format *
5160 *************************************************/
5162 /* This function is used as a callback for tree_walk when writing variables to
5163 the spool file. To retain spool file compatibility, what is written is -aclc or
5164 -aclm followed by the rest of the name and the data length, space separated,
5165 then the value itself, starting on a new line, and terminated by an additional
5166 newline. When we had only numbered ACL variables, the first line might look
5167 like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
5171 name of the variable
5172 value of the variable
5173 ctx FILE pointer (as a void pointer)
5179 acl_var_write(uschar * name, uschar * value, void * ctx)
5181 FILE * f = (FILE *)ctx;
5183 if (is_tainted(value))
5185 const uschar * quoter_name;
5187 (void) quoter_for_address(value, "er_name);
5189 fprintf(f, "(%s)", quoter_name);
5191 fprintf(f, "acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
5198 acl_standalone_setvar(const uschar * s, BOOL taint)
5200 acl_condition_block * cond = store_get(sizeof(acl_condition_block), GET_UNTAINTED);
5201 uschar * errstr = NULL, * log_msg = NULL;
5206 cond->type = ACLC_SET;
5207 if (!acl_varname_to_cond(&s, cond, &errstr)) return errstr;
5208 if (!acl_data_to_cond(s, cond, US"'-be'", taint, &errstr)) return errstr;
5210 if (acl_check_condition(ACL_WARN, cond, ACL_WHERE_UNKNOWN,
5211 NULL, 0, &endpass_seen, &errstr, &log_msg, &e) != OK)
5212 return string_sprintf("oops: %s", errstr);
5213 return string_sprintf("variable %s set", cond->u.varname);
5217 #endif /* !MACRO_PREDEF */