1 /* $Cambridge: exim/src/src/acl.c,v 1.56 2006/03/02 12:25:48 ph10 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2006 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the condition for which "message" is used */
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
34 /* ACL condition and modifier codes - keep in step with the table that
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
46 #ifdef WITH_OLD_DEMIME
49 #ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59 #ifdef WITH_CONTENT_SCAN
63 #ifdef WITH_CONTENT_SCAN
68 #ifdef WITH_CONTENT_SCAN
71 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
72 #ifdef WITH_CONTENT_SCAN
75 #ifdef EXPERIMENTAL_SPF
80 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
81 "log_message", "logwrite", and "set" are modifiers that look like conditions
82 but always return TRUE. They are used for their side effects. */
84 static uschar *conditions[] = {
87 #ifdef EXPERIMENTAL_BRIGHTMAIL
92 #ifdef WITH_CONTENT_SCAN
96 #ifdef WITH_OLD_DEMIME
99 #ifdef EXPERIMENTAL_DOMAINKEYS
100 US"dk_domain_source",
102 US"dk_sender_domains",
103 US"dk_sender_local_parts",
107 US"dnslists", US"domains", US"encrypted",
108 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
109 #ifdef WITH_CONTENT_SCAN
113 #ifdef WITH_CONTENT_SCAN
118 #ifdef WITH_CONTENT_SCAN
121 US"sender_domains", US"senders", US"set",
122 #ifdef WITH_CONTENT_SCAN
125 #ifdef EXPERIMENTAL_SPF
131 /* Return values from decode_control(); keep in step with the table of names
135 CONTROL_AUTH_UNADVERTISED,
136 #ifdef EXPERIMENTAL_BRIGHTMAIL
139 #ifdef EXPERIMENTAL_DOMAINKEYS
143 CONTROL_CASEFUL_LOCAL_PART,
144 CONTROL_CASELOWER_LOCAL_PART,
145 CONTROL_ENFORCE_SYNC,
146 CONTROL_NO_ENFORCE_SYNC,
150 CONTROL_SUPPRESS_LOCAL_FIXUPS,
151 #ifdef WITH_CONTENT_SCAN
152 CONTROL_NO_MBOX_UNSPOOL,
159 /* ACL control names; keep in step with the table above! This list is used for
160 turning ids into names. The actual list of recognized names is in the variable
161 control_def controls_list[] below. The fact that there are two lists is a mess
162 and should be tidied up. */
164 static uschar *controls[] = {
165 US"allow_auth_unadvertised",
166 #ifdef EXPERIMENTAL_BRIGHTMAIL
169 #ifdef EXPERIMENTAL_DOMAINKEYS
173 US"caseful_local_part",
174 US"caselower_local_part",
180 US"suppress_local_fixups",
181 #ifdef WITH_CONTENT_SCAN
187 /* Flags to indicate for which conditions /modifiers a string expansion is done
188 at the outer level. In the other cases, expansion already occurs in the
189 checking functions. */
191 static uschar cond_expand_at_top[] = {
193 FALSE, /* authenticated */
194 #ifdef EXPERIMENTAL_BRIGHTMAIL
195 TRUE, /* bmi_optin */
197 TRUE, /* condition */
199 #ifdef WITH_CONTENT_SCAN
203 #ifdef WITH_OLD_DEMIME
206 #ifdef EXPERIMENTAL_DOMAINKEYS
207 TRUE, /* dk_domain_source */
208 TRUE, /* dk_policy */
209 TRUE, /* dk_sender_domains */
210 TRUE, /* dk_sender_local_parts */
211 TRUE, /* dk_senders */
212 TRUE, /* dk_status */
216 FALSE, /* encrypted */
219 FALSE, /* local_parts */
220 TRUE, /* log_message */
222 #ifdef WITH_CONTENT_SCAN
226 #ifdef WITH_CONTENT_SCAN
227 TRUE, /* mime_regex */
229 TRUE, /* ratelimit */
230 FALSE, /* recipients */
231 #ifdef WITH_CONTENT_SCAN
234 FALSE, /* sender_domains */
237 #ifdef WITH_CONTENT_SCAN
240 #ifdef EXPERIMENTAL_SPF
246 /* Flags to identify the modifiers */
248 static uschar cond_modifiers[] = {
250 FALSE, /* authenticated */
251 #ifdef EXPERIMENTAL_BRIGHTMAIL
252 TRUE, /* bmi_optin */
254 FALSE, /* condition */
256 #ifdef WITH_CONTENT_SCAN
260 #ifdef WITH_OLD_DEMIME
263 #ifdef EXPERIMENTAL_DOMAINKEYS
264 FALSE, /* dk_domain_source */
265 FALSE, /* dk_policy */
266 FALSE, /* dk_sender_domains */
267 FALSE, /* dk_sender_local_parts */
268 FALSE, /* dk_senders */
269 FALSE, /* dk_status */
271 FALSE, /* dnslists */
273 FALSE, /* encrypted */
276 FALSE, /* local_parts */
277 TRUE, /* log_message */
279 #ifdef WITH_CONTENT_SCAN
283 #ifdef WITH_CONTENT_SCAN
284 FALSE, /* mime_regex */
286 FALSE, /* ratelimit */
287 FALSE, /* recipients */
288 #ifdef WITH_CONTENT_SCAN
291 FALSE, /* sender_domains */
294 #ifdef WITH_CONTENT_SCAN
297 #ifdef EXPERIMENTAL_SPF
303 /* Bit map vector of which conditions are not allowed at certain times. For
304 each condition, there's a bitmap of dis-allowed times. For some, it is easier
305 to specify the negation of a small number of allowed times. */
307 static unsigned int cond_forbids[] = {
310 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
313 #ifdef EXPERIMENTAL_BRIGHTMAIL
314 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
315 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
316 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
317 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
318 (1<<ACL_WHERE_MAILAUTH)|
319 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
320 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
325 /* Certain types of control are always allowed, so we let it through
326 always and check in the control processing itself. */
330 #ifdef WITH_CONTENT_SCAN
332 ~(1<<ACL_WHERE_MIME), /* decode */
337 #ifdef WITH_OLD_DEMIME
339 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
342 #ifdef EXPERIMENTAL_DOMAINKEYS
343 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
344 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
345 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
346 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
347 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
348 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
351 (1<<ACL_WHERE_AUTH)| /* dk_policy */
352 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
353 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
354 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
355 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
356 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
359 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
360 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
361 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
362 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
363 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
364 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
367 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
368 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
369 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
370 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
371 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
372 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
375 (1<<ACL_WHERE_AUTH)| /* dk_senders */
376 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
377 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
378 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
379 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
380 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
383 (1<<ACL_WHERE_AUTH)| /* dk_status */
384 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
385 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
386 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
387 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
388 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
392 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
395 ~(1<<ACL_WHERE_RCPT), /* domains */
397 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
402 (1<<ACL_WHERE_NOTSMTP), /* hosts */
405 ~(1<<ACL_WHERE_RCPT), /* local_parts */
411 #ifdef WITH_CONTENT_SCAN
413 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
418 #ifdef WITH_CONTENT_SCAN
420 ~(1<<ACL_WHERE_MIME), /* mime_regex */
426 ~(1<<ACL_WHERE_RCPT), /* recipients */
428 #ifdef WITH_CONTENT_SCAN
430 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
431 (1<<ACL_WHERE_MIME)),
434 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
436 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
437 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
438 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
440 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
442 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
443 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
444 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
448 #ifdef WITH_CONTENT_SCAN
450 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
453 #ifdef EXPERIMENTAL_SPF
454 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
456 (1<<ACL_WHERE_MAILAUTH)|
457 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
458 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
461 /* Certain types of verify are always allowed, so we let it through
462 always and check in the verify function itself */
468 /* Bit map vector of which controls are not allowed at certain times. For
469 each control, there's a bitmap of dis-allowed times. For some, it is easier to
470 specify the negation of a small number of allowed times. */
472 static unsigned int control_forbids[] = {
474 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
476 #ifdef EXPERIMENTAL_BRIGHTMAIL
480 #ifdef EXPERIMENTAL_DOMAINKEYS
481 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
487 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
490 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
492 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
494 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
497 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
498 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
499 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
502 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
503 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
504 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
507 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
508 (1<<ACL_WHERE_PREDATA)),
511 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
512 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_PREDATA)),
514 #ifdef WITH_CONTENT_SCAN
516 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
517 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
518 (1<<ACL_WHERE_MIME)),
522 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
523 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
524 (1<<ACL_WHERE_MIME)),
527 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
528 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
529 (1<<ACL_WHERE_MIME)),
531 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
534 /* Structure listing various control arguments, with their characteristics. */
536 typedef struct control_def {
538 int value; /* CONTROL_xxx value */
539 BOOL has_option; /* Has /option(s) following */
542 static control_def controls_list[] = {
543 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
544 #ifdef EXPERIMENTAL_BRIGHTMAIL
545 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
547 #ifdef EXPERIMENTAL_DOMAINKEYS
548 { US"dk_verify", CONTROL_DK_VERIFY, FALSE },
550 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
551 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
552 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
553 { US"freeze", CONTROL_FREEZE, TRUE },
554 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
555 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
556 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
557 #ifdef WITH_CONTENT_SCAN
558 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
560 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
561 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
562 { US"submission", CONTROL_SUBMISSION, TRUE },
563 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
566 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
567 caches its result in a tree to avoid repeated DNS queries. The result is an
568 integer code which is used as an index into the following tables of
569 explanatory strings and verification return codes. */
571 static tree_node *csa_cache = NULL;
573 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
574 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
576 /* The acl_verify_csa() return code is translated into an acl_verify() return
577 code using the following table. It is OK unless the client is definitely not
578 authorized. This is because CSA is supposed to be optional for sending sites,
579 so recipients should not be too strict about checking it - especially because
580 DNS problems are quite likely to occur. It's possible to use $csa_status in
581 further ACL conditions to distinguish ok, unknown, and defer if required, but
582 the aim is to make the usual configuration simple. */
584 static int csa_return_code[] = {
586 FAIL, FAIL, FAIL, FAIL
589 static uschar *csa_status_string[] = {
590 US"unknown", US"ok", US"defer", US"defer",
591 US"fail", US"fail", US"fail", US"fail"
594 static uschar *csa_reason_string[] = {
597 US"deferred (SRV lookup failed)",
598 US"deferred (target address lookup failed)",
599 US"failed (explicit authorization required)",
600 US"failed (host name not authorized)",
601 US"failed (no authorized addresses)",
602 US"failed (client address mismatch)"
605 /* Enable recursion between acl_check_internal() and acl_check_condition() */
607 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
611 /*************************************************
612 * Pick out name from list *
613 *************************************************/
615 /* Use a binary chop method
622 Returns: offset in list, or -1 if not found
626 acl_checkname(uschar *name, uschar **list, int end)
632 int mid = (start + end)/2;
633 int c = Ustrcmp(name, list[mid]);
634 if (c == 0) return mid;
635 if (c < 0) end = mid; else start = mid + 1;
642 /*************************************************
643 * Read and parse one ACL *
644 *************************************************/
646 /* This function is called both from readconf in order to parse the ACLs in the
647 configuration file, and also when an ACL is encountered dynamically (e.g. as
648 the result of an expansion). It is given a function to call in order to
649 retrieve the lines of the ACL. This function handles skipping comments and
650 blank lines (where relevant).
653 func function to get next line of ACL
654 error where to put an error message
656 Returns: pointer to ACL, or NULL
657 NULL can be legal (empty ACL); in this case error will be NULL
661 acl_read(uschar *(*func)(void), uschar **error)
663 acl_block *yield = NULL;
664 acl_block **lastp = &yield;
665 acl_block *this = NULL;
666 acl_condition_block *cond;
667 acl_condition_block **condp = NULL;
672 while ((s = (*func)()) != NULL)
675 BOOL negated = FALSE;
676 uschar *saveline = s;
679 /* Conditions (but not verbs) are allowed to be negated by an initial
682 while (isspace(*s)) s++;
689 /* Read the name of a verb or a condition, or the start of a new ACL, which
690 can be started by a name, or by a macro definition. */
692 s = readconf_readname(name, sizeof(name), s);
693 if (*s == ':' || isupper(name[0] && *s == '=')) return yield;
695 /* If a verb is unrecognized, it may be another condition or modifier that
696 continues the previous verb. */
698 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
703 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
714 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
717 this = store_get(sizeof(acl_block));
719 lastp = &(this->next);
722 this->condition = NULL;
723 condp = &(this->condition);
724 if (*s == 0) continue; /* No condition on this line */
730 s = readconf_readname(name, sizeof(name), s); /* Condition name */
733 /* Handle a condition or modifier. */
735 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
738 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
743 /* The modifiers may not be negated */
745 if (negated && cond_modifiers[c])
747 *error = string_sprintf("ACL error: negation is not allowed with "
748 "\"%s\"", conditions[c]);
752 /* ENDPASS may occur only with ACCEPT or DISCARD. */
754 if (c == ACLC_ENDPASS &&
755 this->verb != ACL_ACCEPT &&
756 this->verb != ACL_DISCARD)
758 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
759 conditions[c], verbs[this->verb]);
763 cond = store_get(sizeof(acl_condition_block));
766 cond->u.negated = negated;
769 condp = &(cond->next);
771 /* The "set" modifier is different in that its argument is "name=value"
772 rather than just a value, and we can check the validity of the name, which
773 gives us a variable number to insert into the data block. */
780 if (Ustrncmp(s, "acl_", 4) != 0) goto BAD_ACL_VAR;
786 else if (s[4] == 'm')
791 else goto BAD_ACL_VAR;
793 n = Ustrtoul(s + 5, &endptr, 10);
794 if ((*endptr != 0 && *endptr != '=' && !isspace(*endptr)) || n >= max)
797 *error = string_sprintf("syntax error or unrecognized name after "
798 "\"set\" in ACL modifier \"set %s\"", s);
802 cond->u.varnumber = n + offset;
804 while (isspace(*s)) s++;
807 /* For "set", we are now positioned for the data. For the others, only
808 "endpass" has no data */
810 if (c != ACLC_ENDPASS)
814 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
815 cond_modifiers[c]? US"modifier" : US"condition");
818 while (isspace(*s)) s++;
819 cond->arg = string_copy(s);
828 /*************************************************
830 *************************************************/
832 /* This function is called when a WARN verb's conditions are true. It adds to
833 the message's headers, and/or writes information to the log. In each case, this
834 only happens once (per message for headers, per connection for log).
837 where ACL_WHERE_xxxx indicating which ACL this is
838 user_message message for adding to headers
839 log_message message for logging, if different
845 acl_warn(int where, uschar *user_message, uschar *log_message)
849 if (log_message != NULL && log_message != user_message)
854 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
855 string_printing(log_message));
857 /* If a sender verification has failed, and the log message is "sender verify
858 failed", add the failure message. */
860 if (sender_verified_failed != NULL &&
861 sender_verified_failed->message != NULL &&
862 strcmpic(log_message, US"sender verify failed") == 0)
863 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
865 /* Search previously logged warnings. They are kept in malloc
866 store so they can be freed at the start of a new message. */
868 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
869 if (Ustrcmp(logged->text, text) == 0) break;
873 int length = Ustrlen(text) + 1;
874 log_write(0, LOG_MAIN, "%s", text);
875 logged = store_malloc(sizeof(string_item) + length);
876 logged->text = (uschar *)logged + sizeof(string_item);
877 memcpy(logged->text, text, length);
878 logged->next = acl_warn_logged;
879 acl_warn_logged = logged;
883 /* If there's no user message, we are done. */
885 if (user_message == NULL) return;
887 /* If this isn't a message ACL, we can't do anything with a user message.
890 if (where > ACL_WHERE_NOTSMTP)
892 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
893 "found in a non-message (%s) ACL: cannot specify header lines here: "
894 "message ignored", acl_wherenames[where]);
898 /* Treat the user message as a sequence of one or more header lines. */
900 hlen = Ustrlen(user_message);
903 uschar *text, *p, *q;
905 /* Add a final newline if not present */
907 text = ((user_message)[hlen-1] == '\n')? user_message :
908 string_sprintf("%s\n", user_message);
910 /* Loop for multiple header lines, taking care about continuations */
912 for (p = q = text; *p != 0; )
915 int newtype = htype_add_bot;
916 header_line **hptr = &acl_warn_headers;
918 /* Find next header line within the string */
922 q = Ustrchr(q, '\n');
923 if (*(++q) != ' ' && *q != '\t') break;
926 /* If the line starts with a colon, interpret the instruction for where to
927 add it. This temporarily sets up a new type. */
931 if (strncmpic(p, US":after_received:", 16) == 0)
933 newtype = htype_add_rec;
936 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
938 newtype = htype_add_rfc;
941 else if (strncmpic(p, US":at_start:", 10) == 0)
943 newtype = htype_add_top;
946 else if (strncmpic(p, US":at_end:", 8) == 0)
948 newtype = htype_add_bot;
951 while (*p == ' ' || *p == '\t') p++;
954 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
955 to the front of it. */
957 for (s = p; s < q - 1; s++)
959 if (*s == ':' || !isgraph(*s)) break;
962 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
965 /* See if this line has already been added */
967 while (*hptr != NULL)
969 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
970 hptr = &((*hptr)->next);
973 /* Add if not previously present */
977 header_line *h = store_get(sizeof(header_line));
986 /* Advance for next header line within the string */
995 /*************************************************
996 * Verify and check reverse DNS *
997 *************************************************/
999 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1000 address if this has not yet been done. The host_name_lookup() function checks
1001 that one of these names resolves to an address list that contains the client IP
1002 address, so we don't actually have to do the check here.
1005 user_msgptr pointer for user message
1006 log_msgptr pointer for log message
1008 Returns: OK verification condition succeeded
1009 FAIL verification failed
1010 DEFER there was a problem verifying
1014 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1018 user_msgptr = user_msgptr; /* stop compiler warning */
1020 /* Previous success */
1022 if (sender_host_name != NULL) return OK;
1024 /* Previous failure */
1026 if (host_lookup_failed)
1028 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1032 /* Need to do a lookup */
1035 debug_printf("looking up host name to force name/address consistency check\n");
1037 if ((rc = host_name_lookup()) != OK)
1039 *log_msgptr = (rc == DEFER)?
1040 US"host lookup deferred for reverse lookup check"
1042 string_sprintf("host lookup failed for reverse lookup check%s",
1044 return rc; /* DEFER or FAIL */
1047 host_build_sender_fullhost();
1053 /*************************************************
1054 * Check client IP address matches CSA target *
1055 *************************************************/
1057 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1058 response for address records belonging to the CSA target hostname. The section
1059 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1060 If one of the addresses matches the client's IP address, then the client is
1061 authorized by CSA. If there are target IP addresses but none of them match
1062 then the client is using an unauthorized IP address. If there are no target IP
1063 addresses then the client cannot be using an authorized IP address. (This is
1064 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1067 dnsa the DNS answer block
1068 dnss a DNS scan block for us to use
1069 reset option specifing what portion to scan, as described above
1070 target the target hostname to use for matching RR names
1072 Returns: CSA_OK successfully authorized
1073 CSA_FAIL_MISMATCH addresses found but none matched
1074 CSA_FAIL_NOADDR no target addresses found
1078 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1084 BOOL target_found = FALSE;
1086 for (rr = dns_next_rr(dnsa, dnss, reset);
1088 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1090 /* Check this is an address RR for the target hostname. */
1094 && rr->type != T_AAAA
1101 if (strcmpic(target, rr->name) != 0) continue;
1103 target_found = TRUE;
1105 /* Turn the target address RR into a list of textual IP addresses and scan
1106 the list. There may be more than one if it is an A6 RR. */
1108 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1110 /* If the client IP address matches the target IP address, it's good! */
1112 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1114 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1118 /* If we found some target addresses but none of them matched, the client is
1119 using an unauthorized IP address, otherwise the target has no authorized IP
1122 if (target_found) return CSA_FAIL_MISMATCH;
1123 else return CSA_FAIL_NOADDR;
1128 /*************************************************
1129 * Verify Client SMTP Authorization *
1130 *************************************************/
1132 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1133 to find the CSA SRV record corresponding to the domain argument, or
1134 $sender_helo_name if no argument is provided. It then checks that the
1135 client is authorized, and that its IP address corresponds to the SRV
1136 target's address by calling acl_verify_csa_address() above. The address
1137 should have been returned in the DNS response's ADDITIONAL section, but if
1138 not we perform another DNS lookup to get it.
1141 domain pointer to optional parameter following verify = csa
1143 Returns: CSA_UNKNOWN no valid CSA record found
1144 CSA_OK successfully authorized
1145 CSA_FAIL_* client is definitely not authorized
1146 CSA_DEFER_* there was a DNS problem
1150 acl_verify_csa(uschar *domain)
1154 int priority, weight, port;
1161 /* Work out the domain we are using for the CSA lookup. The default is the
1162 client's HELO domain. If the client has not said HELO, use its IP address
1163 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1165 while (isspace(*domain) && *domain != '\0') ++domain;
1166 if (*domain == '\0') domain = sender_helo_name;
1167 if (domain == NULL) domain = sender_host_address;
1168 if (sender_host_address == NULL) return CSA_UNKNOWN;
1170 /* If we have an address literal, strip off the framing ready for turning it
1171 into a domain. The framing consists of matched square brackets possibly
1172 containing a keyword and a colon before the actual IP address. */
1174 if (domain[0] == '[')
1176 uschar *start = Ustrchr(domain, ':');
1177 if (start == NULL) start = domain;
1178 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1181 /* Turn domains that look like bare IP addresses into domains in the reverse
1182 DNS. This code also deals with address literals and $sender_host_address. It's
1183 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1184 address literals, but it's probably the most friendly thing to do. This is an
1185 extension to CSA, so we allow it to be turned off for proper conformance. */
1187 if (string_is_ip_address(domain, NULL) != 0)
1189 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1190 dns_build_reverse(domain, target);
1194 /* Find out if we've already done the CSA check for this domain. If we have,
1195 return the same result again. Otherwise build a new cached result structure
1196 for this domain. The name is filled in now, and the value is filled in when
1197 we return from this function. */
1199 t = tree_search(csa_cache, domain);
1200 if (t != NULL) return t->data.val;
1202 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1203 Ustrcpy(t->name, domain);
1204 (void)tree_insertnode(&csa_cache, t);
1206 /* Now we are ready to do the actual DNS lookup(s). */
1209 switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1211 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1214 return t->data.val = CSA_DEFER_SRV;
1216 /* If we found nothing, the client's authorization is unknown. */
1220 return t->data.val = CSA_UNKNOWN;
1222 /* We got something! Go on to look at the reply in more detail. */
1228 /* Scan the reply for well-formed CSA SRV records. */
1230 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1232 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1234 if (rr->type != T_SRV) continue;
1236 /* Extract the numerical SRV fields (p is incremented) */
1239 GETSHORT(priority, p);
1240 GETSHORT(weight, p);
1244 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1246 /* Check the CSA version number */
1248 if (priority != 1) continue;
1250 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1251 found by dns_special_lookup() is a parent of the one we asked for), we check
1252 the subdomain assertions in the port field. At the moment there's only one
1253 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1254 SRV records of their own. */
1256 if (found != domain)
1259 return t->data.val = CSA_FAIL_EXPLICIT;
1261 return t->data.val = CSA_UNKNOWN;
1264 /* This CSA SRV record refers directly to our domain, so we check the value
1265 in the weight field to work out the domain's authorization. 0 and 1 are
1266 unauthorized; 3 means the client is authorized but we can't check the IP
1267 address in order to authenticate it, so we treat it as unknown; values
1268 greater than 3 are undefined. */
1270 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1272 if (weight > 2) continue;
1274 /* Weight == 2, which means the domain is authorized. We must check that the
1275 client's IP address is listed as one of the SRV target addresses. Save the
1276 target hostname then break to scan the additional data for its addresses. */
1278 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1279 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1281 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1286 /* If we didn't break the loop then no appropriate records were found. */
1288 if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1290 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1291 A target of "." indicates there are no valid addresses, so the client cannot
1292 be authorized. (This is an odd configuration because weight=2 target=. is
1293 equivalent to weight=1, but we check for it in order to keep load off the
1294 root name servers.) Note that dn_expand() turns "." into "". */
1296 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1298 /* Scan the additional section of the CSA SRV reply for addresses belonging
1299 to the target. If the name server didn't return any additional data (e.g.
1300 because it does not fully support SRV records), we need to do another lookup
1301 to obtain the target addresses; otherwise we have a definitive result. */
1303 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1304 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1306 /* The DNS lookup type corresponds to the IP version used by the client. */
1309 if (Ustrchr(sender_host_address, ':') != NULL)
1312 #endif /* HAVE_IPV6 */
1316 #if HAVE_IPV6 && defined(SUPPORT_A6)
1320 switch (dns_lookup(&dnsa, target, type, NULL))
1322 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1325 return t->data.val = CSA_DEFER_ADDR;
1327 /* If the query succeeded, scan the addresses and return the result. */
1330 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1331 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1332 /* else fall through */
1334 /* If the target has no IP addresses, the client cannot have an authorized
1335 IP address. However, if the target site uses A6 records (not AAAA records)
1336 we have to do yet another lookup in order to check them. */
1341 #if HAVE_IPV6 && defined(SUPPORT_A6)
1342 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1345 return t->data.val = CSA_FAIL_NOADDR;
1351 /*************************************************
1352 * Handle verification (address & other) *
1353 *************************************************/
1355 /* This function implements the "verify" condition. It is called when
1356 encountered in any ACL, because some tests are almost always permitted. Some
1357 just don't make sense, and always fail (for example, an attempt to test a host
1358 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1361 where where called from
1362 addr the recipient address that the ACL is handling, or NULL
1363 arg the argument of "verify"
1364 user_msgptr pointer for user message
1365 log_msgptr pointer for log message
1366 basic_errno where to put verify errno
1368 Returns: OK verification condition succeeded
1369 FAIL verification failed
1370 DEFER there was a problem verifying
1375 acl_verify(int where, address_item *addr, uschar *arg,
1376 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1380 int callout_overall = -1;
1381 int callout_connect = -1;
1382 int verify_options = 0;
1384 BOOL verify_header_sender = FALSE;
1385 BOOL defer_ok = FALSE;
1386 BOOL callout_defer_ok = FALSE;
1387 BOOL no_details = FALSE;
1388 BOOL success_on_redirect = FALSE;
1389 address_item *sender_vaddr = NULL;
1390 uschar *verify_sender_address = NULL;
1391 uschar *pm_mailfrom = NULL;
1392 uschar *se_mailfrom = NULL;
1394 /* Some of the verify items have slash-separated options; some do not. Diagnose
1395 an error if options are given for items that don't expect them. This code has
1396 now got very message. Refactoring to use a table would be a good idea one day.
1399 uschar *slash = Ustrchr(arg, '/');
1401 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1403 if (ss == NULL) goto BAD_VERIFY;
1405 /* Handle name/address consistency verification in a separate function. */
1407 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1409 if (slash != NULL) goto NO_OPTIONS;
1410 if (sender_host_address == NULL) return OK;
1411 return acl_verify_reverse(user_msgptr, log_msgptr);
1414 /* TLS certificate verification is done at STARTTLS time; here we just
1415 test whether it was successful or not. (This is for optional verification; for
1416 mandatory verification, the connection doesn't last this long.) */
1418 if (strcmpic(ss, US"certificate") == 0)
1420 if (slash != NULL) goto NO_OPTIONS;
1421 if (tls_certificate_verified) return OK;
1422 *user_msgptr = US"no verified certificate";
1426 /* We can test the result of optional HELO verification that might have
1427 occurred earlier. If not, we can attempt the verification now. */
1429 if (strcmpic(ss, US"helo") == 0)
1431 if (slash != NULL) goto NO_OPTIONS;
1432 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1433 return helo_verified? OK : FAIL;
1436 /* Do Client SMTP Authorization checks in a separate function, and turn the
1437 result code into user-friendly strings. */
1439 if (strcmpic(ss, US"csa") == 0)
1441 rc = acl_verify_csa(list);
1442 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1443 csa_reason_string[rc]);
1444 csa_status = csa_status_string[rc];
1445 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1446 return csa_return_code[rc];
1449 /* Check that all relevant header lines have the correct syntax. If there is
1450 a syntax error, we return details of the error to the sender if configured to
1451 send out full details. (But a "message" setting on the ACL can override, as
1454 if (strcmpic(ss, US"header_syntax") == 0)
1456 if (slash != NULL) goto NO_OPTIONS;
1457 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1458 rc = verify_check_headers(log_msgptr);
1459 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1460 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1464 /* Check that no recipient of this message is "blind", that is, every envelope
1465 recipient must be mentioned in either To: or Cc:. */
1467 if (strcmpic(ss, US"not_blind") == 0)
1469 if (slash != NULL) goto NO_OPTIONS;
1470 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1471 rc = verify_check_notblind();
1474 *log_msgptr = string_sprintf("bcc recipient detected");
1475 if (smtp_return_error_details)
1476 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1481 /* The remaining verification tests check recipient and sender addresses,
1482 either from the envelope or from the header. There are a number of
1483 slash-separated options that are common to all of them. */
1486 /* Check that there is at least one verifiable sender address in the relevant
1487 header lines. This can be followed by callout and defer options, just like
1488 sender and recipient. */
1490 if (strcmpic(ss, US"header_sender") == 0)
1492 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1493 verify_header_sender = TRUE;
1496 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1497 In the case of a sender, this can optionally be followed by an address to use
1498 in place of the actual sender (rare special-case requirement). */
1500 else if (strncmpic(ss, US"sender", 6) == 0)
1503 if (where > ACL_WHERE_NOTSMTP)
1505 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1506 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1507 acl_wherenames[where]);
1511 verify_sender_address = sender_address;
1514 while (isspace(*s)) s++;
1515 if (*s++ != '=') goto BAD_VERIFY;
1516 while (isspace(*s)) s++;
1517 verify_sender_address = string_copy(s);
1522 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1525 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1526 "(only possible for RCPT)", acl_wherenames[where]);
1531 /* Remaining items are optional; they apply to sender and recipient
1532 verification, including "header sender" verification. */
1534 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1537 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1538 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1539 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1541 /* These two old options are left for backwards compatibility */
1543 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1545 callout_defer_ok = TRUE;
1546 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1549 else if (strcmpic(ss, US"check_postmaster") == 0)
1552 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1555 /* The callout option has a number of sub-options, comma separated */
1557 else if (strncmpic(ss, US"callout", 7) == 0)
1559 callout = CALLOUT_TIMEOUT_DEFAULT;
1563 while (isspace(*ss)) ss++;
1569 while (isspace(*ss)) ss++;
1571 /* This callout option handling code has become a mess as new options
1572 have been added in an ad hoc manner. It should be tidied up into some
1573 kind of table-driven thing. */
1575 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1578 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1579 else if (strcmpic(opt, US"no_cache") == 0)
1580 verify_options |= vopt_callout_no_cache;
1581 else if (strcmpic(opt, US"random") == 0)
1582 verify_options |= vopt_callout_random;
1583 else if (strcmpic(opt, US"use_sender") == 0)
1584 verify_options |= vopt_callout_recipsender;
1585 else if (strcmpic(opt, US"use_postmaster") == 0)
1586 verify_options |= vopt_callout_recippmaster;
1587 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1588 else if (strcmpic(opt, US"fullpostmaster") == 0)
1591 verify_options |= vopt_callout_fullpm;
1594 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1596 if (!verify_header_sender)
1598 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1599 "callout option only for verify=header_sender (detected in ACL "
1600 "condition \"%s\")", arg);
1604 while (isspace(*opt)) opt++;
1607 *log_msgptr = string_sprintf("'=' expected after "
1608 "\"mailfrom\" in ACL condition \"%s\"", arg);
1611 while (isspace(*opt)) opt++;
1612 se_mailfrom = string_copy(opt);
1615 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1618 while (isspace(*opt)) opt++;
1621 *log_msgptr = string_sprintf("'=' expected after "
1622 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1625 while (isspace(*opt)) opt++;
1626 pm_mailfrom = string_copy(opt);
1629 else if (strncmpic(opt, US"maxwait", 7) == 0)
1632 while (isspace(*opt)) opt++;
1635 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1636 "ACL condition \"%s\"", arg);
1639 while (isspace(*opt)) opt++;
1640 callout_overall = readconf_readtime(opt, 0, FALSE);
1641 if (callout_overall < 0)
1643 *log_msgptr = string_sprintf("bad time value in ACL condition "
1644 "\"verify %s\"", arg);
1648 else if (strncmpic(opt, US"connect", 7) == 0)
1651 while (isspace(*opt)) opt++;
1654 *log_msgptr = string_sprintf("'=' expected after "
1655 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1658 while (isspace(*opt)) opt++;
1659 callout_connect = readconf_readtime(opt, 0, FALSE);
1660 if (callout_connect < 0)
1662 *log_msgptr = string_sprintf("bad time value in ACL condition "
1663 "\"verify %s\"", arg);
1667 else /* Plain time is callout connect/command timeout */
1669 callout = readconf_readtime(opt, 0, FALSE);
1672 *log_msgptr = string_sprintf("bad time value in ACL condition "
1673 "\"verify %s\"", arg);
1681 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1682 "ACL condition \"%s\"", arg);
1688 /* Option not recognized */
1692 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1693 "condition \"verify %s\"", ss, arg);
1698 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1699 (vopt_callout_recipsender|vopt_callout_recippmaster))
1701 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1702 "for a recipient callout";
1706 /* Handle sender-in-header verification. Default the user message to the log
1707 message if giving out verification details. */
1709 if (verify_header_sender)
1712 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1713 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1717 *basic_errno = verrno;
1718 if (smtp_return_error_details)
1720 if (*user_msgptr == NULL && *log_msgptr != NULL)
1721 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1722 if (rc == DEFER) acl_temp_details = TRUE;
1727 /* Handle a sender address. The default is to verify *the* sender address, but
1728 optionally a different address can be given, for special requirements. If the
1729 address is empty, we are dealing with a bounce message that has no sender, so
1730 we cannot do any checking. If the real sender address gets rewritten during
1731 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1732 during message reception.
1734 A list of verified "sender" addresses is kept to try to avoid doing to much
1735 work repetitively when there are multiple recipients in a message and they all
1736 require sender verification. However, when callouts are involved, it gets too
1737 complicated because different recipients may require different callout options.
1738 Therefore, we always do a full sender verify when any kind of callout is
1739 specified. Caching elsewhere, for instance in the DNS resolver and in the
1740 callout handling, should ensure that this is not terribly inefficient. */
1742 else if (verify_sender_address != NULL)
1744 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1747 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1748 "sender verify callout";
1752 sender_vaddr = verify_checked_sender(verify_sender_address);
1753 if (sender_vaddr != NULL && /* Previously checked */
1754 callout <= 0) /* No callout needed this time */
1756 /* If the "routed" flag is set, it means that routing worked before, so
1757 this check can give OK (the saved return code value, if set, belongs to a
1758 callout that was done previously). If the "routed" flag is not set, routing
1759 must have failed, so we use the saved return code. */
1761 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1763 rc = sender_vaddr->special_action;
1764 *basic_errno = sender_vaddr->basic_errno;
1766 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1769 /* Do a new verification, and cache the result. The cache is used to avoid
1770 verifying the sender multiple times for multiple RCPTs when callouts are not
1771 specified (see comments above).
1773 The cache is also used on failure to give details in response to the first
1774 RCPT that gets bounced for this reason. However, this can be suppressed by
1775 the no_details option, which sets the flag that says "this detail has already
1776 been sent". The cache normally contains just one address, but there may be
1777 more in esoteric circumstances. */
1782 uschar *save_address_data = deliver_address_data;
1784 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1785 if (no_details) setflag(sender_vaddr, af_sverify_told);
1786 if (verify_sender_address[0] != 0)
1788 /* If this is the real sender address, save the unrewritten version
1789 for use later in receive. Otherwise, set a flag so that rewriting the
1790 sender in verify_address() does not update sender_address. */
1792 if (verify_sender_address == sender_address)
1793 sender_address_unrewritten = sender_address;
1795 verify_options |= vopt_fake_sender;
1797 if (success_on_redirect)
1798 verify_options |= vopt_success_on_redirect;
1800 /* The recipient, qualify, and expn options are never set in
1803 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1804 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1806 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1810 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1812 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1813 verify_sender_address, sender_vaddr->address);
1817 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1818 verify_sender_address);
1821 else *basic_errno = sender_vaddr->basic_errno;
1823 else rc = OK; /* Null sender */
1825 /* Cache the result code */
1827 if (routed) setflag(sender_vaddr, af_verify_routed);
1828 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1829 sender_vaddr->special_action = rc;
1830 sender_vaddr->next = sender_verified_list;
1831 sender_verified_list = sender_vaddr;
1833 /* Restore the recipient address data, which might have been clobbered by
1834 the sender verification. */
1836 deliver_address_data = save_address_data;
1839 /* Put the sender address_data value into $sender_address_data */
1841 sender_address_data = sender_vaddr->p.address_data;
1844 /* A recipient address just gets a straightforward verify; again we must handle
1845 the DEFER overrides. */
1851 if (success_on_redirect)
1852 verify_options |= vopt_success_on_redirect;
1854 /* We must use a copy of the address for verification, because it might
1858 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1859 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1860 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1862 *log_msgptr = addr2.message;
1863 *user_msgptr = (addr2.user_message != NULL)?
1864 addr2.user_message : addr2.message;
1865 *basic_errno = addr2.basic_errno;
1867 /* Make $address_data visible */
1868 deliver_address_data = addr2.p.address_data;
1871 /* We have a result from the relevant test. Handle defer overrides first. */
1873 if (rc == DEFER && (defer_ok ||
1874 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1876 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1877 defer_ok? "defer_ok" : "callout_defer_ok");
1881 /* If we've failed a sender, set up a recipient message, and point
1882 sender_verified_failed to the address item that actually failed. */
1884 if (rc != OK && verify_sender_address != NULL)
1888 *log_msgptr = *user_msgptr = US"Sender verify failed";
1890 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1892 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1896 *log_msgptr = US"Could not complete sender verify callout";
1897 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1901 sender_verified_failed = sender_vaddr;
1904 /* Verifying an address messes up the values of $domain and $local_part,
1905 so reset them before returning if this is a RCPT ACL. */
1909 deliver_domain = addr->domain;
1910 deliver_localpart = addr->local_part;
1914 /* Syntax errors in the verify argument come here. */
1917 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1918 "\"helo\", \"header_syntax\", \"header_sender\" or "
1919 "\"reverse_host_lookup\" at start of ACL condition "
1920 "\"verify %s\"", arg);
1923 /* Options supplied when not allowed come here */
1926 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1927 "(this verify item has no options)", arg);
1930 /* Calls in the wrong ACL come here */
1933 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1934 "(only possible in ACL for DATA)", acl_wherenames[where]);
1941 /*************************************************
1942 * Check argument for control= modifier *
1943 *************************************************/
1945 /* Called from acl_check_condition() below
1948 arg the argument string for control=
1949 pptr set to point to the terminating character
1950 where which ACL we are in
1951 log_msgptr for error messages
1953 Returns: CONTROL_xxx value
1957 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1962 for (d = controls_list;
1963 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1966 len = Ustrlen(d->name);
1967 if (Ustrncmp(d->name, arg, len) == 0) break;
1970 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1971 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1973 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1974 return CONTROL_ERROR;
1983 /*************************************************
1984 * Handle rate limiting *
1985 *************************************************/
1987 /* Called by acl_check_condition() below to calculate the result
1988 of the ACL ratelimit condition.
1990 Note that the return value might be slightly unexpected: if the
1991 sender's rate is above the limit then the result is OK. This is
1992 similar to the dnslists condition, and is so that you can write
1993 ACL clauses like: defer ratelimit = 15 / 1h
1996 arg the option string for ratelimit=
1997 log_msgptr for error messages
1999 Returns: OK - Sender's rate is above limit
2000 FAIL - Sender's rate is below limit
2001 DEFER - Problem opening ratelimit database
2002 ERROR - Syntax error in options.
2006 acl_ratelimit(uschar *arg, uschar **log_msgptr)
2008 double limit, period;
2011 BOOL have_key = FALSE, leaky = FALSE, strict = FALSE;
2012 BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2014 tree_node **anchor, *t;
2015 open_db dbblock, *dbm;
2016 dbdata_ratelimit *dbd;
2019 /* Parse the first two options and record their values in expansion
2020 variables. These variables allow the configuration to have informative
2021 error messages based on rate limits obtained from a table lookup. */
2023 /* First is the maximum number of messages per period and maximum burst
2024 size, which must be greater than or equal to zero. Zero is useful for
2025 rate measurement as opposed to rate limiting. */
2027 sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2028 if (sender_rate_limit == NULL)
2032 limit = Ustrtod(sender_rate_limit, &ss);
2033 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2034 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2035 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2037 if (limit < 0.0 || *ss != 0)
2039 *log_msgptr = string_sprintf("syntax error in argument for "
2040 "\"ratelimit\" condition: \"%s\" is not a positive number",
2045 /* We use the rest of the argument list following the limit as the
2046 lookup key, because it doesn't make sense to use the same stored data
2047 if the period or options are different. */
2051 /* Second is the rate measurement period and exponential smoothing time
2052 constant. This must be strictly greater than zero, because zero leads to
2053 run-time division errors. */
2055 sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2056 if (sender_rate_period == NULL) period = -1.0;
2057 else period = readconf_readtime(sender_rate_period, 0, FALSE);
2060 *log_msgptr = string_sprintf("syntax error in argument for "
2061 "\"ratelimit\" condition: \"%s\" is not a time value",
2062 sender_rate_period);
2066 /* Parse the other options. Should we check if the per_* options are being
2067 used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2069 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2072 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2073 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2074 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
2075 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2076 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2077 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
2078 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
2079 else have_key = TRUE;
2081 if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2083 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2087 /* Default option values */
2088 if (!strict) leaky = TRUE;
2089 if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2091 /* If there is no explicit key, use the sender_host_address. If there is no
2092 sender_host_address (e.g. -bs or acl_not_smtp) then we simply omit it. */
2094 if (!have_key && sender_host_address != NULL)
2095 key = string_sprintf("%s / %s", key, sender_host_address);
2097 HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2098 limit, period, key);
2100 /* See if we have already computed the rate by looking in the relevant tree. For
2101 per-connection rate limiting, store tree nodes and dbdata in the permanent pool
2102 so that they survive across resets. */
2105 old_pool = store_pool;
2109 anchor = &ratelimiters_conn;
2110 store_pool = POOL_PERM;
2112 else if (per_mail || per_byte)
2113 anchor = &ratelimiters_mail;
2115 anchor = &ratelimiters_cmd;
2117 if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2120 /* The following few lines duplicate some of the code below. */
2121 if (dbd->rate < limit) rc = FAIL;
2123 store_pool = old_pool;
2124 sender_rate = string_sprintf("%.1f", dbd->rate);
2126 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2130 /* We aren't using a pre-computed rate, so get a previously recorded
2131 rate from the database, update it, and write it back. If there's no
2132 previous rate for this key, create one. */
2134 dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2137 store_pool = old_pool;
2139 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2140 *log_msgptr = US"ratelimit database not available";
2143 dbd = dbfn_read(dbm, key);
2145 gettimeofday(&tv, NULL);
2149 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2150 dbd = store_get(sizeof(dbdata_ratelimit));
2151 dbd->time_stamp = tv.tv_sec;
2152 dbd->time_usec = tv.tv_usec;
2157 /* The smoothed rate is computed using an exponentially weighted moving
2158 average adjusted for variable sampling intervals. The standard EWMA for
2159 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2160 where f() is the measured value and f'() is the smoothed value.
2162 Old data decays out of the smoothed value exponentially, such that data n
2163 samples old is multiplied by a^n. The exponential decay time constant p
2164 is defined such that data p samples old is multiplied by 1/e, which means
2165 that a = exp(-1/p). We can maintain the same time constant for a variable
2166 sampling interval i by using a = exp(-i/p).
2168 The rate we are measuring is messages per period, suitable for directly
2169 comparing with the limit. The average rate between now and the previous
2170 message is period / interval, which we feed into the EWMA as the sample.
2172 It turns out that the number of messages required for the smoothed rate
2173 to reach the limit when they are sent in a burst is equal to the limit.
2174 This can be seen by analysing the value of the smoothed rate after N
2175 messages sent at even intervals. Let k = (1 - a) * p/i
2177 rate_1 = (1 - a) * p/i + a * rate_0
2179 rate_2 = k + a * rate_1
2180 = k + a * k + a^2 * rate_0
2181 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2182 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2183 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2184 = rate_0 * a^N + p/i * (1 - a^N)
2186 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2188 rate_N = p/i + (rate_0 - p/i) * a^N
2189 a^N = (rate_N - p/i) / (rate_0 - p/i)
2190 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2191 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2193 Numerical analysis of the above equation, setting the computed rate to
2194 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2195 rates, p/i, the number of messages N = limit. So limit serves as both the
2196 maximum rate measured in messages per period, and the maximum number of
2197 messages that can be sent in a fast burst. */
2199 double this_time = (double)tv.tv_sec
2200 + (double)tv.tv_usec / 1000000.0;
2201 double prev_time = (double)dbd->time_stamp
2202 + (double)dbd->time_usec / 1000000.0;
2204 /* We must avoid division by zero, and deal gracefully with the clock going
2205 backwards. If we blunder ahead when time is in reverse then the computed
2206 rate will be bogus. To be safe we clamp interval to a very small number. */
2208 double interval = this_time - prev_time <= 0.0 ? 1e-9
2209 : this_time - prev_time;
2211 double i_over_p = interval / period;
2212 double a = exp(-i_over_p);
2214 dbd->time_stamp = tv.tv_sec;
2215 dbd->time_usec = tv.tv_usec;
2217 /* If we are measuring the rate in bytes per period, multiply the
2218 measured rate by the message size. If we don't know the message size
2219 then it's safe to just use a value of zero and let the recorded rate
2220 decay as if nothing happened. */
2223 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2224 * (1 - a) / i_over_p + a * dbd->rate;
2226 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2229 /* Clients sending at the limit are considered to be over the limit. This
2230 matters for edge cases such the first message sent by a client (which gets
2231 the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2232 be completely blocked). */
2234 if (dbd->rate < limit) rc = FAIL;
2237 /* Update the state if the rate is low or if we are being strict. If we
2238 are in leaky mode and the sender's rate is too high, we do not update
2239 the recorded rate in order to avoid an over-aggressive sender's retry
2240 rate preventing them from getting any email through. */
2242 if (rc == FAIL || !leaky)
2243 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
2246 /* Store the result in the tree for future reference, if necessary. */
2250 t = store_get(sizeof(tree_node) + Ustrlen(key));
2252 Ustrcpy(t->name, key);
2253 (void)tree_insertnode(anchor, t);
2256 /* We create the formatted version of the sender's rate very late in
2257 order to ensure that it is done using the correct storage pool. */
2259 store_pool = old_pool;
2260 sender_rate = string_sprintf("%.1f", dbd->rate);
2263 debug_printf("ratelimit computed rate %s\n", sender_rate);
2270 /*************************************************
2271 * Handle conditions/modifiers on an ACL item *
2272 *************************************************/
2274 /* Called from acl_check() below.
2278 cb ACL condition block - if NULL, result is OK
2279 where where called from
2280 addr the address being checked for RCPT, or NULL
2281 level the nesting level
2282 epp pointer to pass back TRUE if "endpass" encountered
2283 (applies only to "accept" and "discard")
2284 user_msgptr user message pointer
2285 log_msgptr log message pointer
2286 basic_errno pointer to where to put verify error
2288 Returns: OK - all conditions are met
2289 DISCARD - an "acl" condition returned DISCARD - only allowed
2290 for "accept" or "discard" verbs
2291 FAIL - at least one condition fails
2292 FAIL_DROP - an "acl" condition returned FAIL_DROP
2293 DEFER - can't tell at the moment (typically, lookup defer,
2294 but can be temporary callout problem)
2295 ERROR - ERROR from nested ACL or expansion failure or other
2300 acl_check_condition(int verb, acl_condition_block *cb, int where,
2301 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2302 uschar **log_msgptr, int *basic_errno)
2304 uschar *user_message = NULL;
2305 uschar *log_message = NULL;
2308 #ifdef WITH_CONTENT_SCAN
2312 for (; cb != NULL; cb = cb->next)
2317 /* The message and log_message items set up messages to be used in
2318 case of rejection. They are expanded later. */
2320 if (cb->type == ACLC_MESSAGE)
2322 user_message = cb->arg;
2326 if (cb->type == ACLC_LOG_MESSAGE)
2328 log_message = cb->arg;
2332 /* The endpass "condition" just sets a flag to show it occurred. This is
2333 checked at compile time to be on an "accept" or "discard" item. */
2335 if (cb->type == ACLC_ENDPASS)
2341 /* For other conditions and modifiers, the argument is expanded now for some
2342 of them, but not for all, because expansion happens down in some lower level
2343 checking functions in some cases. */
2345 if (cond_expand_at_top[cb->type])
2347 arg = expand_string(cb->arg);
2350 if (expand_string_forcedfail) continue;
2351 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2352 cb->arg, expand_string_message);
2353 return search_find_defer? DEFER : ERROR;
2358 /* Show condition, and expanded condition if it's different */
2363 debug_printf("check %s%s %n",
2364 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2365 conditions[cb->type], &lhswidth);
2367 if (cb->type == ACLC_SET)
2369 int n = cb->u.varnumber;
2370 int t = (n < ACL_CVARS)? 'c' : 'm';
2371 if (n >= ACL_CVARS) n -= ACL_CVARS;
2372 debug_printf("acl_%c%d ", t, n);
2376 debug_printf("= %s\n", cb->arg);
2379 debug_printf("%.*s= %s\n", lhswidth,
2383 /* Check that this condition makes sense at this time */
2385 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2387 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2388 cond_modifiers[cb->type]? "use" : "test",
2389 conditions[cb->type], acl_wherenames[where]);
2393 /* Run the appropriate test for each condition, or take the appropriate
2394 action for the remaining modifiers. */
2398 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2402 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2403 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2405 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2406 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2412 case ACLC_AUTHENTICATED:
2413 rc = (sender_host_authenticated == NULL)? FAIL :
2414 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2418 #ifdef EXPERIMENTAL_BRIGHTMAIL
2419 case ACLC_BMI_OPTIN:
2421 int old_pool = store_pool;
2422 store_pool = POOL_PERM;
2423 bmi_current_optin = string_copy(arg);
2424 store_pool = old_pool;
2429 case ACLC_CONDITION:
2430 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2431 rc = (Uatoi(arg) == 0)? FAIL : OK;
2433 rc = (strcmpic(arg, US"no") == 0 ||
2434 strcmpic(arg, US"false") == 0)? FAIL :
2435 (strcmpic(arg, US"yes") == 0 ||
2436 strcmpic(arg, US"true") == 0)? OK : DEFER;
2438 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2442 control_type = decode_control(arg, &p, where, log_msgptr);
2444 /* Check if this control makes sense at this time */
2446 if ((control_forbids[control_type] & (1 << where)) != 0)
2448 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2449 controls[control_type], acl_wherenames[where]);
2453 switch(control_type)
2455 case CONTROL_AUTH_UNADVERTISED:
2456 allow_auth_unadvertised = TRUE;
2459 #ifdef EXPERIMENTAL_BRIGHTMAIL
2460 case CONTROL_BMI_RUN:
2465 #ifdef EXPERIMENTAL_DOMAINKEYS
2466 case CONTROL_DK_VERIFY:
2474 case CONTROL_CASEFUL_LOCAL_PART:
2475 deliver_localpart = addr->cc_local_part;
2478 case CONTROL_CASELOWER_LOCAL_PART:
2479 deliver_localpart = addr->lc_local_part;
2482 case CONTROL_ENFORCE_SYNC:
2483 smtp_enforce_sync = TRUE;
2486 case CONTROL_NO_ENFORCE_SYNC:
2487 smtp_enforce_sync = FALSE;
2490 #ifdef WITH_CONTENT_SCAN
2491 case CONTROL_NO_MBOX_UNSPOOL:
2492 no_mbox_unspool = TRUE;
2496 case CONTROL_NO_MULTILINE:
2497 no_multiline_responses = TRUE;
2500 case CONTROL_FAKEDEFER:
2501 case CONTROL_FAKEREJECT:
2502 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
2506 while (*pp != 0) pp++;
2507 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
2512 /* Explicitly reset to default string */
2513 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
2517 case CONTROL_FREEZE:
2518 deliver_freeze = TRUE;
2519 deliver_frozen_at = time(NULL);
2520 freeze_tell = freeze_tell_config; /* Reset to configured value */
2521 if (Ustrncmp(p, "/no_tell", 8) == 0)
2528 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2533 case CONTROL_QUEUE_ONLY:
2534 queue_only_policy = TRUE;
2537 case CONTROL_SUBMISSION:
2538 originator_name = US"";
2539 submission_mode = TRUE;
2542 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2545 active_local_sender_retain = TRUE;
2546 active_local_from_check = FALSE;
2548 else if (Ustrncmp(p, "/domain=", 8) == 0)
2551 while (*pp != 0 && *pp != '/') pp++;
2552 submission_domain = string_copyn(p+8, pp-p-8);
2555 /* The name= option must be last, because it swallows the rest of
2557 else if (Ustrncmp(p, "/name=", 6) == 0)
2560 while (*pp != 0) pp++;
2561 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
2562 big_buffer, big_buffer_size));
2569 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2574 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2575 suppress_local_fixups = TRUE;
2580 #ifdef WITH_CONTENT_SCAN
2582 rc = mime_decode(&arg);
2588 int delay = readconf_readtime(arg, 0, FALSE);
2591 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2592 "modifier: \"%s\" is not a time value", arg);
2597 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2602 debug_printf("delay skipped in -bh checking mode\n");
2605 /* It appears to be impossible to detect that a TCP/IP connection has
2606 gone away without reading from it. This means that we cannot shorten
2607 the delay below if the client goes away, because we cannot discover
2608 that the client has closed its end of the connection. (The connection
2609 is actually in a half-closed state, waiting for the server to close its
2610 end.) It would be nice to be able to detect this state, so that the
2611 Exim process is not held up unnecessarily. However, it seems that we
2612 can't. The poll() function does not do the right thing, and in any case
2613 it is not always available.
2615 NOTE: If ever this state of affairs changes, remember that we may be
2616 dealing with stdin/stdout here, in addition to TCP/IP connections.
2617 Whatever is done must work in both cases. To detected the stdin/stdout
2618 case, check for smtp_in or smtp_out being NULL. */
2622 while (delay > 0) delay = sleep(delay);
2628 #ifdef WITH_OLD_DEMIME
2634 #ifdef EXPERIMENTAL_DOMAINKEYS
2635 case ACLC_DK_DOMAIN_SOURCE:
2636 if (dk_verify_block == NULL) { rc = FAIL; break; };
2637 /* check header source of domain against given string */
2638 switch (dk_verify_block->address_source) {
2639 case DK_EXIM_ADDRESS_FROM_FROM:
2640 rc = match_isinlist(US"from", &arg, 0, NULL,
2641 NULL, MCL_STRING, TRUE, NULL);
2643 case DK_EXIM_ADDRESS_FROM_SENDER:
2644 rc = match_isinlist(US"sender", &arg, 0, NULL,
2645 NULL, MCL_STRING, TRUE, NULL);
2647 case DK_EXIM_ADDRESS_NONE:
2648 rc = match_isinlist(US"none", &arg, 0, NULL,
2649 NULL, MCL_STRING, TRUE, NULL);
2653 case ACLC_DK_POLICY:
2654 if (dk_verify_block == NULL) { rc = FAIL; break; };
2655 /* check policy against given string, default FAIL */
2657 if (dk_verify_block->signsall)
2658 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2659 NULL, MCL_STRING, TRUE, NULL);
2660 if (dk_verify_block->testing)
2661 rc = match_isinlist(US"testing", &arg, 0, NULL,
2662 NULL, MCL_STRING, TRUE, NULL);
2664 case ACLC_DK_SENDER_DOMAINS:
2665 if (dk_verify_block == NULL) { rc = FAIL; break; };
2666 if (dk_verify_block->domain != NULL)
2667 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2668 NULL, MCL_DOMAIN, TRUE, NULL);
2671 case ACLC_DK_SENDER_LOCAL_PARTS:
2672 if (dk_verify_block == NULL) { rc = FAIL; break; };
2673 if (dk_verify_block->local_part != NULL)
2674 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2675 NULL, MCL_LOCALPART, TRUE, NULL);
2678 case ACLC_DK_SENDERS:
2679 if (dk_verify_block == NULL) { rc = FAIL; break; };
2680 if (dk_verify_block->address != NULL)
2681 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2684 case ACLC_DK_STATUS:
2685 if (dk_verify_block == NULL) { rc = FAIL; break; };
2686 if (dk_verify_block->result > 0) {
2687 switch(dk_verify_block->result) {
2688 case DK_EXIM_RESULT_BAD_FORMAT:
2689 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2690 NULL, MCL_STRING, TRUE, NULL);
2692 case DK_EXIM_RESULT_NO_KEY:
2693 rc = match_isinlist(US"no key", &arg, 0, NULL,
2694 NULL, MCL_STRING, TRUE, NULL);
2696 case DK_EXIM_RESULT_NO_SIGNATURE:
2697 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2698 NULL, MCL_STRING, TRUE, NULL);
2700 case DK_EXIM_RESULT_REVOKED:
2701 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2702 NULL, MCL_STRING, TRUE, NULL);
2704 case DK_EXIM_RESULT_NON_PARTICIPANT:
2705 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2706 NULL, MCL_STRING, TRUE, NULL);
2708 case DK_EXIM_RESULT_GOOD:
2709 rc = match_isinlist(US"good", &arg, 0, NULL,
2710 NULL, MCL_STRING, TRUE, NULL);
2712 case DK_EXIM_RESULT_BAD:
2713 rc = match_isinlist(US"bad", &arg, 0, NULL,
2714 NULL, MCL_STRING, TRUE, NULL);
2722 rc = verify_check_dnsbl(&arg);
2726 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2727 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2730 /* The value in tls_cipher is the full cipher name, for example,
2731 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2732 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2733 what may in practice come out of the SSL library - which at the time of
2734 writing is poorly documented. */
2736 case ACLC_ENCRYPTED:
2737 if (tls_cipher == NULL) rc = FAIL; else
2739 uschar *endcipher = NULL;
2740 uschar *cipher = Ustrchr(tls_cipher, ':');
2741 if (cipher == NULL) cipher = tls_cipher; else
2743 endcipher = Ustrchr(++cipher, ':');
2744 if (endcipher != NULL) *endcipher = 0;
2746 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2747 if (endcipher != NULL) *endcipher = ':';
2751 /* Use verify_check_this_host() instead of verify_check_host() so that
2752 we can pass over &host_data to catch any looked up data. Once it has been
2753 set, it retains its value so that it's still there if another ACL verb
2754 comes through here and uses the cache. However, we must put it into
2755 permanent store in case it is also expected to be used in a subsequent
2756 message in the same SMTP connection. */
2759 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2760 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2761 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2764 case ACLC_LOCAL_PARTS:
2765 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2766 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2767 &deliver_localpart_data);
2779 if (Ustrncmp(s, "main", 4) == 0)
2780 { logbits |= LOG_MAIN; s += 4; }
2781 else if (Ustrncmp(s, "panic", 5) == 0)
2782 { logbits |= LOG_PANIC; s += 5; }
2783 else if (Ustrncmp(s, "reject", 6) == 0)
2784 { logbits |= LOG_REJECT; s += 6; }
2787 logbits = LOG_MAIN|LOG_PANIC;
2788 s = string_sprintf(":unknown log name in \"%s\" in "
2789 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2795 while (isspace(*s)) s++;
2796 if (logbits == 0) logbits = LOG_MAIN;
2797 log_write(0, logbits, "%s", string_printing(s));
2801 #ifdef WITH_CONTENT_SCAN
2804 /* Seperate the regular expression and any optional parameters. */
2805 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2806 /* Run the malware backend. */
2808 /* Modify return code based upon the existance of options. */
2809 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2811 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2813 /* FAIL so that the message is passed to the next ACL */
2820 case ACLC_MIME_REGEX:
2821 rc = mime_regex(&arg);
2825 case ACLC_RATELIMIT:
2826 rc = acl_ratelimit(arg, log_msgptr);
2829 case ACLC_RECIPIENTS:
2830 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2834 #ifdef WITH_CONTENT_SCAN
2840 case ACLC_SENDER_DOMAINS:
2843 sdomain = Ustrrchr(sender_address, '@');
2844 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2845 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2846 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2851 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2852 sender_address_cache, -1, 0, &sender_data);
2855 /* Connection variables must persist forever */
2859 int old_pool = store_pool;
2860 if (cb->u.varnumber < ACL_CVARS) store_pool = POOL_PERM;
2861 acl_var[cb->u.varnumber] = string_copy(arg);
2862 store_pool = old_pool;
2866 #ifdef WITH_CONTENT_SCAN
2869 /* Seperate the regular expression and any optional parameters. */
2870 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2871 /* Run the spam backend. */
2873 /* Modify return code based upon the existance of options. */
2874 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2876 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2878 /* FAIL so that the message is passed to the next ACL */
2886 #ifdef EXPERIMENTAL_SPF
2888 rc = spf_process(&arg, sender_address);
2892 /* If the verb is WARN, discard any user message from verification, because
2893 such messages are SMTP responses, not header additions. The latter come
2894 only from explicit "message" modifiers. However, put the user message into
2895 $acl_verify_message so it can be used in subsequent conditions or modifiers
2896 (until something changes it). */
2899 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2900 acl_verify_message = *user_msgptr;
2901 if (verb == ACL_WARN) *user_msgptr = NULL;
2905 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2906 "condition %d", cb->type);
2910 /* If a condition was negated, invert OK/FAIL. */
2912 if (!cond_modifiers[cb->type] && cb->u.negated)
2914 if (rc == OK) rc = FAIL;
2915 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2918 if (rc != OK) break; /* Conditions loop */
2922 /* If the result is the one for which "message" and/or "log_message" are used,
2923 handle the values of these options. Most verbs have but a single return for
2924 which the messages are relevant, but for "discard", it's useful to have the log
2925 message both when it succeeds and when it fails. Also, for an "accept" that
2926 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2927 and "warn" are permitted in that ACL, we don't need to test the verb.
2929 These modifiers act in different ways:
2931 "message" is a user message that will be included in an SMTP response. Unless
2932 it is empty, it overrides any previously set user message.
2934 "log_message" is a non-user message, and it adds to any existing non-user
2935 message that is already set.
2937 If there isn't a log message set, we make it the same as the user message. */
2939 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2940 (verb == ACL_DISCARD && rc == OK) ||
2941 (where == ACL_WHERE_QUIT))
2945 /* If the verb is "warn", messages generated by conditions (verification or
2946 nested ACLs) are discarded. Only messages specified at this level are used.
2947 However, the value of an existing message is available in $acl_verify_message
2948 during expansions. */
2950 uschar *old_user_msgptr = *user_msgptr;
2951 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2953 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2955 if (user_message != NULL)
2957 acl_verify_message = old_user_msgptr;
2958 expmessage = expand_string(user_message);
2959 if (expmessage == NULL)
2961 if (!expand_string_forcedfail)
2962 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2963 user_message, expand_string_message);
2965 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2968 if (log_message != NULL)
2970 acl_verify_message = old_log_msgptr;
2971 expmessage = expand_string(log_message);
2972 if (expmessage == NULL)
2974 if (!expand_string_forcedfail)
2975 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2976 log_message, expand_string_message);
2978 else if (expmessage[0] != 0)
2980 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2981 string_sprintf("%s: %s", expmessage, *log_msgptr);
2985 /* If no log message, default it to the user message */
2987 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2990 acl_verify_message = NULL;
2998 /*************************************************
2999 * Get line from a literal ACL *
3000 *************************************************/
3002 /* This function is passed to acl_read() in order to extract individual lines
3003 of a literal ACL, which we access via static pointers. We can destroy the
3004 contents because this is called only once (the compiled ACL is remembered).
3006 This code is intended to treat the data in the same way as lines in the main
3007 Exim configuration file. That is:
3009 . Leading spaces are ignored.
3011 . A \ at the end of a line is a continuation - trailing spaces after the \
3012 are permitted (this is because I don't believe in making invisible things
3013 significant). Leading spaces on the continued part of a line are ignored.
3015 . Physical lines starting (significantly) with # are totally ignored, and
3016 may appear within a sequence of backslash-continued lines.
3018 . Blank lines are ignored, but will end a sequence of continuations.
3021 Returns: a pointer to the next line
3025 static uschar *acl_text; /* Current pointer in the text */
3026 static uschar *acl_text_end; /* Points one past the terminating '0' */
3034 /* This loop handles leading blank lines and comments. */
3038 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3039 if (*acl_text == 0) return NULL; /* No more data */
3040 yield = acl_text; /* Potential data line */
3042 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3044 /* If we hit the end before a newline, we have the whole logical line. If
3045 it's a comment, there's no more data to be given. Otherwise, yield it. */
3047 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3049 /* After reaching a newline, end this loop if the physical line does not
3050 start with '#'. If it does, it's a comment, and the loop continues. */
3052 if (*yield != '#') break;
3055 /* This loop handles continuations. We know we have some real data, ending in
3056 newline. See if there is a continuation marker at the end (ignoring trailing
3057 white space). We know that *yield is not white space, so no need to test for
3058 cont > yield in the backwards scanning loop. */
3063 for (cont = acl_text - 1; isspace(*cont); cont--);
3065 /* If no continuation follows, we are done. Mark the end of the line and
3074 /* We have encountered a continuation. Skip over whitespace at the start of
3075 the next line, and indeed the whole of the next line or lines if they are
3080 while (*(++acl_text) == ' ' || *acl_text == '\t');
3081 if (*acl_text != '#') break;
3082 while (*(++acl_text) != 0 && *acl_text != '\n');
3085 /* We have the start of a continuation line. Move all the rest of the data
3086 to join onto the previous line, and then find its end. If the end is not a
3087 newline, we are done. Otherwise loop to look for another continuation. */
3089 memmove(cont, acl_text, acl_text_end - acl_text);
3090 acl_text_end -= acl_text - cont;
3092 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3093 if (*acl_text == 0) return yield;
3096 /* Control does not reach here */
3103 /*************************************************
3104 * Check access using an ACL *
3105 *************************************************/
3107 /* This function is called from address_check. It may recurse via
3108 acl_check_condition() - hence the use of a level to stop looping. The ACL is
3109 passed as a string which is expanded. A forced failure implies no access check
3110 is required. If the result is a single word, it is taken as the name of an ACL
3111 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3112 text, complete with newlines, and parsed as such. In both cases, the ACL check
3113 is then run. This function uses an auxiliary function for acl_read() to call
3114 for reading individual lines of a literal ACL. This is acl_getline(), which
3115 appears immediately above.
3118 where where called from
3119 addr address item when called from RCPT; otherwise NULL
3120 s the input string; NULL is the same as an empty ACL => DENY
3121 level the nesting level
3122 user_msgptr where to put a user error (for SMTP response)
3123 log_msgptr where to put a logging message (not for SMTP response)
3125 Returns: OK access is granted
3126 DISCARD access is apparently granted...
3127 FAIL access is denied
3128 FAIL_DROP access is denied; drop the connection
3129 DEFER can't tell at the moment
3134 acl_check_internal(int where, address_item *addr, uschar *s, int level,
3135 uschar **user_msgptr, uschar **log_msgptr)
3138 acl_block *acl = NULL;
3139 uschar *acl_name = US"inline ACL";
3142 /* Catch configuration loops */
3146 *log_msgptr = US"ACL nested too deep: possible loop";
3152 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3156 /* At top level, we expand the incoming string. At lower levels, it has already
3157 been expanded as part of condition processing. */
3161 ss = expand_string(s);
3164 if (expand_string_forcedfail) return OK;
3165 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3166 expand_string_message);
3172 while (isspace(*ss))ss++;
3174 /* If we can't find a named ACL, the default is to parse it as an inline one.
3175 (Unless it begins with a slash; non-existent files give rise to an error.) */
3179 /* Handle the case of a string that does not contain any spaces. Look for a
3180 named ACL among those read from the configuration, or a previously read file.
3181 It is possible that the pointer to the ACL is NULL if the configuration
3182 contains a name with no data. If not found, and the text begins with '/',
3183 read an ACL from a file, and save it so it can be re-used. */
3185 if (Ustrchr(ss, ' ') == NULL)
3187 tree_node *t = tree_search(acl_anchor, ss);
3190 acl = (acl_block *)(t->data.ptr);
3193 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3196 acl_name = string_sprintf("ACL \"%s\"", ss);
3197 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3200 else if (*ss == '/')
3202 struct stat statbuf;
3203 fd = Uopen(ss, O_RDONLY, 0);
3206 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3211 if (fstat(fd, &statbuf) != 0)
3213 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3218 acl_text = store_get(statbuf.st_size + 1);
3219 acl_text_end = acl_text + statbuf.st_size + 1;
3221 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3223 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3224 ss, strerror(errno));
3227 acl_text[statbuf.st_size] = 0;
3230 acl_name = string_sprintf("ACL \"%s\"", ss);
3231 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3235 /* Parse an ACL that is still in text form. If it came from a file, remember it
3236 in the ACL tree, having read it into the POOL_PERM store pool so that it
3237 persists between multiple messages. */
3241 int old_pool = store_pool;
3242 if (fd >= 0) store_pool = POOL_PERM;
3243 acl = acl_read(acl_getline, log_msgptr);
3244 store_pool = old_pool;
3245 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3248 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3249 Ustrcpy(t->name, ss);
3251 (void)tree_insertnode(&acl_anchor, t);
3255 /* Now we have an ACL to use. It's possible it may be NULL. */
3260 int basic_errno = 0;
3261 BOOL endpass_seen = FALSE;
3263 *log_msgptr = *user_msgptr = NULL;
3264 acl_temp_details = FALSE;
3266 if (where == ACL_WHERE_QUIT &&
3267 acl->verb != ACL_ACCEPT &&
3268 acl->verb != ACL_WARN)
3270 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
3275 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3277 /* Clear out any search error message from a previous check before testing
3280 search_error_message = NULL;
3281 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3282 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3284 /* Handle special returns: DEFER causes a return except on a WARN verb;
3285 ERROR always causes a return. */
3290 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3291 if (basic_errno != ERRNO_CALLOUTDEFER)
3293 if (search_error_message != NULL && *search_error_message != 0)
3294 *log_msgptr = search_error_message;
3295 if (smtp_return_error_details) acl_temp_details = TRUE;
3299 acl_temp_details = TRUE;
3301 if (acl->verb != ACL_WARN) return DEFER;
3304 default: /* Paranoia */
3306 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3310 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3315 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3318 /* DISCARD and DROP can happen only from a nested ACL condition, and
3319 DISCARD can happen only for an "accept" or "discard" verb. */
3322 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3327 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3332 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3333 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3334 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3339 if (cond == OK || cond == DISCARD) return cond;
3342 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3350 acl_temp_details = TRUE;
3356 if (cond == OK) return FAIL;
3360 if (cond == OK || cond == DISCARD) return DISCARD;
3363 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3369 if (cond == OK) return FAIL_DROP;
3373 if (cond != OK) return cond;
3378 acl_warn(where, *user_msgptr, *log_msgptr);
3379 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
3380 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3381 "condition test deferred%s%s", host_and_ident(TRUE),
3382 (*log_msgptr == NULL)? US"" : US": ",
3383 (*log_msgptr == NULL)? US"" : *log_msgptr);
3384 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3388 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3393 /* Pass to the next ACL item */
3398 /* We have reached the end of the ACL. This is an implicit DENY. */
3400 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3405 /*************************************************
3406 * Check access using an ACL *
3407 *************************************************/
3409 /* This is the external interface for ACL checks. It sets up an address and the
3410 expansions for $domain and $local_part when called after RCPT, then calls
3411 acl_check_internal() to do the actual work.
3414 where ACL_WHERE_xxxx indicating where called from
3415 recipient RCPT address for RCPT check, else NULL
3416 s the input string; NULL is the same as an empty ACL => DENY
3417 user_msgptr where to put a user error (for SMTP response)
3418 log_msgptr where to put a logging message (not for SMTP response)
3420 Returns: OK access is granted by an ACCEPT verb
3421 DISCARD access is granted by a DISCARD verb
3422 FAIL access is denied
3423 FAIL_DROP access is denied; drop the connection
3424 DEFER can't tell at the moment
3429 acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
3430 uschar **log_msgptr)
3434 address_item *addr = NULL;
3436 *user_msgptr = *log_msgptr = NULL;
3437 sender_verified_failed = NULL;
3438 ratelimiters_cmd = NULL;
3440 if (where == ACL_WHERE_RCPT)
3442 adb = address_defaults;
3444 addr->address = recipient;
3445 if (deliver_split_address(addr) == DEFER)
3447 *log_msgptr = US"defer in percent_hack_domains check";
3450 deliver_domain = addr->domain;
3451 deliver_localpart = addr->local_part;
3454 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3456 deliver_domain = deliver_localpart = deliver_address_data =
3457 sender_address_data = NULL;
3459 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3460 ACL, which is really in the middle of an SMTP command. */
3464 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3466 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3467 "ACL", acl_wherenames[where]);
3473 /* A DROP response is not permitted from MAILAUTH */
3475 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3477 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3478 "ACL", acl_wherenames[where]);
3482 /* Before giving an error response, take a look at the length of any user
3483 message, and split it up into multiple lines if possible. */
3485 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
3487 uschar *s = *user_msgptr = string_copy(*user_msgptr);
3493 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
3494 if (*ss == 0) break;
3501 while (--t > s + 35)
3505 if (t[-1] == ':') { tt = t; break; }
3506 if (tt == NULL) tt = t;
3510 if (tt == NULL) /* Can't split behind - try ahead */
3515 if (*t == ' ' || *t == '\n')
3521 if (tt == NULL) break; /* Can't find anywhere to split */
git://git.exim.org / exim.git / blob