1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2024 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Code for handling Access Control Lists (ACLs) */
16 /* Default callout timeout */
18 #define CALLOUT_TIMEOUT_DEFAULT 30
20 /* Default quota cache TTLs */
22 #define QUOTA_POS_DEFAULT (5*60)
23 #define QUOTA_NEG_DEFAULT (60*60)
26 /* ACL verb codes - keep in step with the table of verbs that follows */
28 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
33 static uschar *verbs[] = {
34 [ACL_ACCEPT] = US"accept",
35 [ACL_DEFER] = US"defer",
36 [ACL_DENY] = US"deny",
37 [ACL_DISCARD] = US"discard",
38 [ACL_DROP] = US"drop",
39 [ACL_REQUIRE] = US"require",
43 /* For each verb, the conditions for which "message" or "log_message" are used
44 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
45 "accept", the FAIL case is used only after "endpass", but that is selected in
48 static int msgcond[] = {
49 [ACL_ACCEPT] = BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
50 [ACL_DEFER] = BIT(OK),
52 [ACL_DISCARD] = BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
54 [ACL_REQUIRE] = BIT(FAIL) | BIT(FAIL_DROP),
60 /* ACL condition and modifier codes */
65 #ifdef EXPERIMENTAL_BRIGHTMAIL
71 #ifdef EXPERIMENTAL_DCC
74 #ifdef WITH_CONTENT_SCAN
92 ACLC_LOG_REJECT_TARGET,
94 #ifdef WITH_CONTENT_SCAN
98 #ifdef WITH_CONTENT_SCAN
104 #ifdef WITH_CONTENT_SCAN
112 #ifdef WITH_CONTENT_SCAN
123 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
124 "message", "log_message", "log_reject_target", "logwrite", "queue" and "set" are
125 modifiers that look like conditions but always return TRUE. They are used for
126 their side effects. Do not invent new modifier names that result in one name
127 being the prefix of another; the binary-search in the list will go wrong. */
129 typedef struct condition_def {
132 /* Flags for actions or checks to do during readconf for this condition */
134 #define ACD_EXP BIT(0) /* do expansion at outer level*/
135 #define ACD_MOD BIT(1) /* is a modifier */
136 #define ACD_LOAD BIT(2) /* supported by a dynamic-load module */
138 /* Bit map vector of which conditions and modifiers are not allowed at certain
139 times. For each condition and modifier, there's a bitmap of dis-allowed times.
140 For some, it is easier to specify the negation of a small number of allowed
143 #define FORBIDDEN(times) (times)
144 #define PERMITTED(times) ((unsigned) ~(times))
148 static condition_def conditions[] = {
149 [ACLC_ACL] = { US"acl", 0,
152 [ACLC_ADD_HEADER] = { US"add_header", ACD_EXP | ACD_MOD,
153 PERMITTED(ACL_BIT_MAIL | ACL_BIT_RCPT |
154 ACL_BIT_PREDATA | ACL_BIT_DATA |
158 ACL_BIT_MIME | ACL_BIT_NOTSMTP |
160 ACL_BIT_NOTSMTP_START),
163 [ACLC_AUTHENTICATED] = { US"authenticated", 0,
164 FORBIDDEN(ACL_BIT_NOTSMTP |
165 ACL_BIT_NOTSMTP_START |
166 ACL_BIT_CONNECT | ACL_BIT_HELO),
168 #ifdef EXPERIMENTAL_BRIGHTMAIL
169 [ACLC_BMI_OPTIN] = { US"bmi_optin", ACD_EXP | ACD_MOD,
170 FORBIDDEN(ACL_BIT_AUTH |
171 ACL_BIT_CONNECT | ACL_BIT_HELO |
172 ACL_BIT_DATA | ACL_BIT_MIME |
173 # ifndef DISABLE_PRDR
176 ACL_BIT_ETRN | ACL_BIT_EXPN |
178 ACL_BIT_MAIL | ACL_BIT_STARTTLS |
179 ACL_BIT_VRFY | ACL_BIT_PREDATA |
180 ACL_BIT_NOTSMTP_START),
183 [ACLC_CONDITION] = { US"condition", ACD_EXP,
185 [ACLC_CONTINUE] = { US"continue", ACD_EXP | ACD_MOD,
188 /* Certain types of control are always allowed, so we let it through
189 always and check in the control processing itself. */
190 [ACLC_CONTROL] = { US"control", ACD_EXP | ACD_MOD,
193 #ifdef EXPERIMENTAL_DCC
194 [ACLC_DCC] = { US"dcc", ACD_EXP,
195 PERMITTED(ACL_BIT_DATA |
196 # ifndef DISABLE_PRDR
202 #ifdef WITH_CONTENT_SCAN
203 [ACLC_DECODE] = { US"decode", ACD_EXP,
204 PERMITTED(ACL_BIT_MIME) },
207 [ACLC_DELAY] = { US"delay", ACD_EXP | ACD_MOD,
208 FORBIDDEN(ACL_BIT_NOTQUIT) },
210 [ACLC_DKIM_SIGNER] = { US"dkim_signers", ACD_EXP,
211 PERMITTED(ACL_BIT_DKIM) },
212 [ACLC_DKIM_STATUS] = { US"dkim_status", ACD_EXP,
213 PERMITTED(ACL_BIT_DKIM | ACL_BIT_DATA | ACL_BIT_MIME
214 # ifndef DISABLE_PRDR
221 [ACLC_DMARC_STATUS] = { US"dmarc_status", ACD_EXP,
222 PERMITTED(ACL_BIT_DATA) },
225 /* Explicit key lookups can be made in non-smtp ACLs so pass
226 always and check in the verify processing itself. */
227 [ACLC_DNSLISTS] = { US"dnslists", ACD_EXP,
230 [ACLC_DOMAINS] = { US"domains", 0,
231 PERMITTED(ACL_BIT_RCPT | ACL_BIT_VRFY
237 [ACLC_ENCRYPTED] = { US"encrypted", 0,
238 FORBIDDEN(ACL_BIT_NOTSMTP |
239 ACL_BIT_NOTSMTP_START | ACL_BIT_CONNECT)
242 [ACLC_ENDPASS] = { US"endpass", ACD_EXP | ACD_MOD,
245 [ACLC_HOSTS] = { US"hosts", 0,
246 FORBIDDEN(ACL_BIT_NOTSMTP |
247 ACL_BIT_NOTSMTP_START),
249 [ACLC_LOCAL_PARTS] = { US"local_parts", 0,
250 PERMITTED(ACL_BIT_RCPT | ACL_BIT_VRFY
257 [ACLC_LOG_MESSAGE] = { US"log_message", ACD_EXP | ACD_MOD,
259 [ACLC_LOG_REJECT_TARGET] = { US"log_reject_target", ACD_EXP | ACD_MOD,
261 [ACLC_LOGWRITE] = { US"logwrite", ACD_EXP | ACD_MOD,
264 #ifdef WITH_CONTENT_SCAN
265 [ACLC_MALWARE] = { US"malware", ACD_EXP,
266 PERMITTED(ACL_BIT_DATA |
267 # ifndef DISABLE_PRDR
274 [ACLC_MESSAGE] = { US"message", ACD_EXP | ACD_MOD,
276 #ifdef WITH_CONTENT_SCAN
277 [ACLC_MIME_REGEX] = { US"mime_regex", ACD_EXP,
278 PERMITTED(ACL_BIT_MIME) },
281 [ACLC_QUEUE] = { US"queue", ACD_EXP | ACD_MOD,
282 FORBIDDEN(ACL_BIT_NOTSMTP |
289 [ACLC_RATELIMIT] = { US"ratelimit", ACD_EXP,
291 [ACLC_RECIPIENTS] = { US"recipients", 0,
292 PERMITTED(ACL_BIT_RCPT) },
294 #ifdef WITH_CONTENT_SCAN
295 [ACLC_REGEX] = { US"regex", ACD_EXP,
296 PERMITTED(ACL_BIT_DATA |
297 # ifndef DISABLE_PRDR
305 [ACLC_REMOVE_HEADER] = { US"remove_header", ACD_EXP | ACD_MOD,
306 PERMITTED(ACL_BIT_MAIL|ACL_BIT_RCPT |
307 ACL_BIT_PREDATA | ACL_BIT_DATA |
311 ACL_BIT_MIME | ACL_BIT_NOTSMTP |
312 ACL_BIT_NOTSMTP_START),
314 [ACLC_SEEN] = { US"seen", ACD_EXP,
316 [ACLC_SENDER_DOMAINS] = { US"sender_domains", 0,
317 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
319 ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
320 ACL_BIT_ETRN | ACL_BIT_EXPN |
321 ACL_BIT_STARTTLS | ACL_BIT_VRFY),
323 [ACLC_SENDERS] = { US"senders", 0,
324 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
326 ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
327 ACL_BIT_ETRN | ACL_BIT_EXPN |
328 ACL_BIT_STARTTLS | ACL_BIT_VRFY),
331 [ACLC_SET] = { US"set", ACD_EXP | ACD_MOD,
334 #ifdef WITH_CONTENT_SCAN
335 [ACLC_SPAM] = { US"spam", ACD_EXP,
336 PERMITTED(ACL_BIT_DATA |
337 # ifndef DISABLE_PRDR
344 [ACLC_SPF] = { US"spf",
349 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
350 ACL_BIT_HELO | ACL_BIT_MAILAUTH |
351 ACL_BIT_ETRN | ACL_BIT_EXPN |
352 ACL_BIT_STARTTLS | ACL_BIT_VRFY |
353 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START),
355 [ACLC_SPF_GUESS] = { US"spf_guess",
360 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
361 ACL_BIT_HELO | ACL_BIT_MAILAUTH |
362 ACL_BIT_ETRN | ACL_BIT_EXPN |
363 ACL_BIT_STARTTLS | ACL_BIT_VRFY |
364 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START),
367 [ACLC_UDPSEND] = { US"udpsend", ACD_EXP | ACD_MOD,
370 /* Certain types of verify are always allowed, so we let it through
371 always and check in the verify function itself */
372 [ACLC_VERIFY] = { US"verify", ACD_EXP,
378 # include "macro_predef.h"
382 for (condition_def * c = conditions; c < conditions + nelem(conditions); c++)
384 uschar buf[64], * p, * s;
385 int n = sprintf(CS buf, "_ACL_%s_", c->flags & ACD_MOD ? "MOD" : "COND");
386 for (p = buf + n, s = c->name; *s; s++) *p++ = toupper(*s);
388 builtin_macro_create(buf);
396 # ifdef LOOKUP_MODULE_DIR
397 typedef struct condition_module {
398 const uschar * mod_name; /* module for the givien conditions */
399 misc_module_info * info; /* NULL when not loaded */
400 const int * conditions; /* array of ACLC_*, -1 terminated */
404 static int spf_condx[] = { ACLC_SPF, ACLC_SPF_GUESS, -1 };
407 static condition_module condition_modules[] = {
409 {.mod_name = US"spf", .conditions = spf_condx},
415 /* Return values from decode_control() */
418 CONTROL_AUTH_UNADVERTISED,
419 #ifdef EXPERIMENTAL_BRIGHTMAIL
422 CONTROL_CASEFUL_LOCAL_PART,
423 CONTROL_CASELOWER_LOCAL_PART,
424 CONTROL_CUTTHROUGH_DELIVERY,
430 CONTROL_DMARC_VERIFY,
431 CONTROL_DMARC_FORENSIC,
434 CONTROL_ENFORCE_SYNC,
435 CONTROL_ERROR, /* pseudo-value for decode errors */
440 CONTROL_NO_CALLOUT_FLUSH,
441 CONTROL_NO_DELAY_FLUSH,
442 CONTROL_NO_ENFORCE_SYNC,
443 #ifdef WITH_CONTENT_SCAN
444 CONTROL_NO_MBOX_UNSPOOL,
446 CONTROL_NO_MULTILINE,
447 CONTROL_NO_PIPELINING,
451 CONTROL_SUPPRESS_LOCAL_FIXUPS,
453 CONTROL_UTF8_DOWNCONVERT,
455 #ifndef DISABLE_WELLKNOWN
462 /* Structure listing various control arguments, with their characteristics.
463 For each control, there's a bitmap of dis-allowed times. For some, it is easier
464 to specify the negation of a small number of allowed times. */
466 typedef struct control_def {
468 BOOL has_option; /* Has /option(s) following */
469 unsigned forbids; /* bitmap of dis-allowed times */
472 static control_def controls_list[] = {
473 /* name has_option forbids */
474 [CONTROL_AUTH_UNADVERTISED] =
475 { US"allow_auth_unadvertised", FALSE,
477 ~(ACL_BIT_CONNECT | ACL_BIT_HELO)
479 #ifdef EXPERIMENTAL_BRIGHTMAIL
481 { US"bmi_run", FALSE, 0 },
483 [CONTROL_CASEFUL_LOCAL_PART] =
484 { US"caseful_local_part", FALSE, (unsigned) ~ACL_BIT_RCPT },
485 [CONTROL_CASELOWER_LOCAL_PART] =
486 { US"caselower_local_part", FALSE, (unsigned) ~ACL_BIT_RCPT },
487 [CONTROL_CUTTHROUGH_DELIVERY] =
488 { US"cutthrough_delivery", TRUE, 0 },
490 { US"debug", TRUE, 0 },
493 [CONTROL_DKIM_VERIFY] =
494 { US"dkim_disable_verify", FALSE,
495 ACL_BIT_DATA | ACL_BIT_NOTSMTP |
496 # ifndef DISABLE_PRDR
499 ACL_BIT_NOTSMTP_START
504 [CONTROL_DMARC_VERIFY] =
505 { US"dmarc_disable_verify", FALSE,
506 ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
508 [CONTROL_DMARC_FORENSIC] =
509 { US"dmarc_enable_forensic", FALSE,
510 ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
516 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START | ACL_BIT_NOTQUIT
518 [CONTROL_ENFORCE_SYNC] =
519 { US"enforce_sync", FALSE,
520 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
523 /* Pseudo-value for decode errors */
525 { US"error", FALSE, 0 },
527 [CONTROL_FAKEDEFER] =
528 { US"fakedefer", TRUE,
530 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
531 ACL_BIT_PREDATA | ACL_BIT_DATA |
537 [CONTROL_FAKEREJECT] =
538 { US"fakereject", TRUE,
540 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
541 ACL_BIT_PREDATA | ACL_BIT_DATA |
550 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
551 ACL_BIT_PREDATA | ACL_BIT_DATA |
552 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
553 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
556 [CONTROL_NO_CALLOUT_FLUSH] =
557 { US"no_callout_flush", FALSE,
558 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
560 [CONTROL_NO_DELAY_FLUSH] =
561 { US"no_delay_flush", FALSE,
562 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
565 [CONTROL_NO_ENFORCE_SYNC] =
566 { US"no_enforce_sync", FALSE,
567 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
569 #ifdef WITH_CONTENT_SCAN
570 [CONTROL_NO_MBOX_UNSPOOL] =
571 { US"no_mbox_unspool", FALSE,
573 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
574 ACL_BIT_PREDATA | ACL_BIT_DATA |
575 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
579 [CONTROL_NO_MULTILINE] =
580 { US"no_multiline_responses", FALSE,
581 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
583 [CONTROL_NO_PIPELINING] =
584 { US"no_pipelining", FALSE,
585 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
591 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
592 ACL_BIT_PREDATA | ACL_BIT_DATA |
593 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
594 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
597 [CONTROL_SUBMISSION] =
598 { US"submission", TRUE,
600 ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA)
602 [CONTROL_SUPPRESS_LOCAL_FIXUPS] =
603 { US"suppress_local_fixups", FALSE,
605 ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA |
606 ACL_BIT_NOTSMTP_START)
609 [CONTROL_UTF8_DOWNCONVERT] =
610 { US"utf8_downconvert", TRUE, (unsigned) ~(ACL_BIT_RCPT | ACL_BIT_VRFY)
613 #ifndef DISABLE_WELLKNOWN
614 [CONTROL_WELLKNOWN] =
615 { US"wellknown", TRUE, (unsigned) ~ACL_BIT_WELLKNOWN
620 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
621 caches its result in a tree to avoid repeated DNS queries. The result is an
622 integer code which is used as an index into the following tables of
623 explanatory strings and verification return codes. */
625 static tree_node *csa_cache = NULL;
627 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
628 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
630 /* The acl_verify_csa() return code is translated into an acl_verify() return
631 code using the following table. It is OK unless the client is definitely not
632 authorized. This is because CSA is supposed to be optional for sending sites,
633 so recipients should not be too strict about checking it - especially because
634 DNS problems are quite likely to occur. It's possible to use $csa_status in
635 further ACL conditions to distinguish ok, unknown, and defer if required, but
636 the aim is to make the usual configuration simple. */
638 static int csa_return_code[] = {
641 [CSA_DEFER_SRV] = OK,
642 [CSA_DEFER_ADDR] = OK,
643 [CSA_FAIL_EXPLICIT] = FAIL,
644 [CSA_FAIL_DOMAIN] = FAIL,
645 [CSA_FAIL_NOADDR] = FAIL,
646 [CSA_FAIL_MISMATCH] = FAIL
649 static uschar *csa_status_string[] = {
650 [CSA_UNKNOWN] = US"unknown",
652 [CSA_DEFER_SRV] = US"defer",
653 [CSA_DEFER_ADDR] = US"defer",
654 [CSA_FAIL_EXPLICIT] = US"fail",
655 [CSA_FAIL_DOMAIN] = US"fail",
656 [CSA_FAIL_NOADDR] = US"fail",
657 [CSA_FAIL_MISMATCH] = US"fail"
660 static uschar *csa_reason_string[] = {
661 [CSA_UNKNOWN] = US"unknown",
663 [CSA_DEFER_SRV] = US"deferred (SRV lookup failed)",
664 [CSA_DEFER_ADDR] = US"deferred (target address lookup failed)",
665 [CSA_FAIL_EXPLICIT] = US"failed (explicit authorization required)",
666 [CSA_FAIL_DOMAIN] = US"failed (host name not authorized)",
667 [CSA_FAIL_NOADDR] = US"failed (no authorized addresses)",
668 [CSA_FAIL_MISMATCH] = US"failed (client address mismatch)"
671 /* Options for the ratelimit condition. Note that there are two variants of
672 the per_rcpt option, depending on the ACL that is used to measure the rate.
673 However any ACL must be able to look up per_rcpt rates in /noupdate mode,
674 so the two variants must have the same internal representation as well as
675 the same configuration string. */
678 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
679 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
682 #define RATE_SET(var,new) \
683 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
685 static uschar *ratelimit_option_string[] = {
686 [RATE_PER_WHAT] = US"?",
687 [RATE_PER_CLASH] = US"!",
688 [RATE_PER_ADDR] = US"per_addr",
689 [RATE_PER_BYTE] = US"per_byte",
690 [RATE_PER_CMD] = US"per_cmd",
691 [RATE_PER_CONN] = US"per_conn",
692 [RATE_PER_MAIL] = US"per_mail",
693 [RATE_PER_RCPT] = US"per_rcpt",
694 [RATE_PER_ALLRCPTS] = US"per_rcpt"
697 /* Enable recursion between acl_check_internal() and acl_check_condition() */
699 static int acl_check_wargs(int, address_item *, const uschar *, uschar **,
702 static acl_block * acl_current = NULL;
705 /*************************************************
706 * Find control in list *
707 *************************************************/
709 /* The lists are always in order, so binary chop can be used.
712 name the control name to search for
713 ol the first entry in the control list
714 last one more than the offset of the last entry in the control list
716 Returns: index of a control entry, or -1 if not found
720 find_control(const uschar * name, control_def * ol, int last)
722 for (int first = 0; last > first; )
724 int middle = (first + last)/2;
725 uschar * s = ol[middle].name;
726 int c = Ustrncmp(name, s, Ustrlen(s));
727 if (c == 0) return middle;
728 else if (c > 0) first = middle + 1;
736 /*************************************************
737 * Pick out condition from list *
738 *************************************************/
740 /* Use a binary chop method
744 list list of conditions
747 Returns: offset in list, or -1 if not found
751 acl_checkcondition(uschar * name, condition_def * list, int end)
753 for (int start = 0; start < end; )
755 int mid = (start + end)/2;
756 int c = Ustrcmp(name, list[mid].name);
757 if (c == 0) return mid;
758 if (c < 0) end = mid;
759 else start = mid + 1;
765 /*************************************************
766 * Pick out name from list *
767 *************************************************/
769 /* Use a binary chop method
776 Returns: offset in list, or -1 if not found
780 acl_checkname(uschar *name, uschar **list, int end)
782 for (int start = 0; start < end; )
784 int mid = (start + end)/2;
785 int c = Ustrcmp(name, list[mid]);
786 if (c == 0) return mid;
787 if (c < 0) end = mid; else start = mid + 1;
795 acl_varname_to_cond(const uschar ** sp, acl_condition_block * cond, uschar ** error)
797 const uschar * s = *sp, * endptr;
800 if ( Ustrncmp(s, "dkim_verify_status", 18) == 0
801 || Ustrncmp(s, "dkim_verify_reason", 18) == 0)
804 if (isalnum(*endptr))
806 *error = string_sprintf("invalid variable name after \"set\" in ACL "
807 "modifier \"set %s\" "
808 "(only \"dkim_verify_status\" or \"dkim_verify_reason\" permitted)",
812 cond->u.varname = string_copyn(s, 18);
817 if (Ustrncmp(s, "acl_c", 5) != 0 && Ustrncmp(s, "acl_m", 5) != 0)
819 *error = string_sprintf("invalid variable name after \"set\" in ACL "
820 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
825 if (!isdigit(*endptr) && *endptr != '_')
827 *error = string_sprintf("invalid variable name after \"set\" in ACL "
828 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
833 for ( ; *endptr && *endptr != '=' && !isspace(*endptr); endptr++)
834 if (!isalnum(*endptr) && *endptr != '_')
836 *error = string_sprintf("invalid character \"%c\" in variable name "
837 "in ACL modifier \"set %s\"", *endptr, s);
841 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
844 Uskip_whitespace(&s);
851 acl_data_to_cond(const uschar * s, acl_condition_block * cond,
852 const uschar * name, BOOL taint, uschar ** error)
856 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
857 conditions[cond->type].flags & ACD_MOD ? US"modifier" : US"condition");
860 Uskip_whitespace(&s);
861 cond->arg = taint ? string_copy_taint(s, GET_TAINTED) : string_copy(s);
866 /*************************************************
867 * Read and parse one ACL *
868 *************************************************/
870 /* This function is called both from readconf in order to parse the ACLs in the
871 configuration file, and also when an ACL is encountered dynamically (e.g. as
872 the result of an expansion). It is given a function to call in order to
873 retrieve the lines of the ACL. This function handles skipping comments and
874 blank lines (where relevant).
877 func function to get next line of ACL
878 error where to put an error message
880 Returns: pointer to ACL, or NULL
881 NULL can be legal (empty ACL); in this case error will be NULL
885 acl_read(uschar *(*func)(void), uschar **error)
887 acl_block *yield = NULL;
888 acl_block **lastp = &yield;
889 acl_block *this = NULL;
890 acl_condition_block *cond;
891 acl_condition_block **condp = NULL;
896 while ((s = (*func)()))
899 BOOL negated = FALSE;
900 const uschar * saveline = s;
901 uschar name[EXIM_DRIVERNAME_MAX];
903 /* Conditions (but not verbs) are allowed to be negated by an initial
906 if (Uskip_whitespace(&s) == '!')
912 /* Read the name of a verb or a condition, or the start of a new ACL, which
913 can be started by a name, or by a macro definition. */
915 s = readconf_readname(name, sizeof(name), s);
916 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
918 /* If a verb is unrecognized, it may be another condition or modifier that
919 continues the previous verb. */
921 if ((v = acl_checkname(name, verbs, nelem(verbs))) < 0)
925 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
937 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
940 *lastp = this = store_get(sizeof(acl_block), GET_UNTAINTED);
943 this->condition = NULL;
945 this->srcline = config_lineno; /* for debug output */
946 this->srcfile = config_filename; /**/
947 condp = &this->condition;
948 if (!*s) continue; /* No condition on this line */
954 s = readconf_readname(name, sizeof(name), s); /* Condition name */
957 /* Handle a condition or modifier. */
959 if ((c = acl_checkcondition(name, conditions, nelem(conditions))) < 0)
961 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
966 /* The modifiers may not be negated */
968 if (negated && conditions[c].flags & ACD_MOD)
970 *error = string_sprintf("ACL error: negation is not allowed with "
971 "\"%s\"", conditions[c].name);
975 /* ENDPASS may occur only with ACCEPT or DISCARD. */
977 if (c == ACLC_ENDPASS &&
978 this->verb != ACL_ACCEPT &&
979 this->verb != ACL_DISCARD)
981 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
982 conditions[c].name, verbs[this->verb]);
986 #ifdef LOOKUP_MODULE_DIR
987 if (conditions[c].flags & ACD_LOAD)
988 { /* a loadable module supports this condition */
989 condition_module * cm;
992 for (cm = condition_modules;
993 cm < condition_modules + nelem(condition_modules); cm++)
994 for (const int * cond = cm->conditions; *cond != -1; cond++)
995 if (*cond == c) goto found;
998 if (cm >= condition_modules + nelem(condition_modules))
999 { /* shouldn't happen */
1000 *error = string_sprintf("ACL error: failed to locate support for '%s'",
1001 conditions[c].name);
1004 if ( !cm->info /* module not loaded */
1005 && !(cm->info = misc_mod_find(cm->mod_name, &s)))
1007 *error = string_sprintf("ACL error: failed to find module for '%s': %s",
1008 conditions[c].name, s);
1014 cond = store_get(sizeof(acl_condition_block), GET_UNTAINTED);
1017 cond->u.negated = negated;
1020 condp = &cond->next;
1022 /* The "set" modifier is different in that its argument is "name=value"
1023 rather than just a value, and we can check the validity of the name, which
1024 gives us a variable name to insert into the data block. The original ACL
1025 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
1026 extended to 20 of each type, but after that people successfully argued for
1027 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
1028 After that, we allow alphanumerics and underscores, but the first character
1029 after c or m must be a digit or an underscore. This retains backwards
1033 if (!acl_varname_to_cond(&s, cond, error)) return NULL;
1035 /* For "set", we are now positioned for the data. For the others, only
1036 "endpass" has no data */
1038 if (c != ACLC_ENDPASS)
1039 if (!acl_data_to_cond(s, cond, name, FALSE, error)) return NULL;
1047 /*************************************************
1048 * Set up added header line(s) *
1049 *************************************************/
1051 /* This function is called by the add_header modifier, and also from acl_warn()
1052 to implement the now-deprecated way of adding header lines using "message" on a
1053 "warn" verb. The argument is treated as a sequence of header lines which are
1054 added to a chain, provided there isn't an identical one already there.
1056 Argument: string of header lines
1061 setup_header(const uschar *hstring)
1063 const uschar *p, *q;
1064 int hlen = Ustrlen(hstring);
1066 /* Ignore any leading newlines */
1067 while (*hstring == '\n') hstring++, hlen--;
1069 /* An empty string does nothing; ensure exactly one final newline. */
1070 if (hlen <= 0) return;
1071 if (hstring[--hlen] != '\n') /* no newline */
1072 q = string_sprintf("%s\n", hstring);
1073 else if (hstring[hlen-1] == '\n') /* double newline */
1075 uschar * s = string_copy(hstring);
1076 while(s[--hlen] == '\n')
1083 /* Loop for multiple header lines, taking care about continuations */
1085 for (p = q; *p; p = q)
1089 int newtype = htype_add_bot;
1090 header_line **hptr = &acl_added_headers;
1092 /* Find next header line within the string */
1096 q = Ustrchr(q, '\n'); /* we know there was a newline */
1097 if (*++q != ' ' && *q != '\t') break;
1100 /* If the line starts with a colon, interpret the instruction for where to
1101 add it. This temporarily sets up a new type. */
1105 if (strncmpic(p, US":after_received:", 16) == 0)
1107 newtype = htype_add_rec;
1110 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1112 newtype = htype_add_rfc;
1115 else if (strncmpic(p, US":at_start:", 10) == 0)
1117 newtype = htype_add_top;
1120 else if (strncmpic(p, US":at_end:", 8) == 0)
1122 newtype = htype_add_bot;
1125 while (*p == ' ' || *p == '\t') p++;
1128 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1129 to the front of it. */
1131 for (s = p; s < q - 1; s++)
1132 if (*s == ':' || !isgraph(*s)) break;
1134 hdr = string_sprintf("%s%.*s", *s == ':' ? "" : "X-ACL-Warn: ", (int) (q - p), p);
1135 hlen = Ustrlen(hdr);
1137 /* See if this line has already been added */
1141 if (Ustrncmp((*hptr)->text, hdr, hlen) == 0) break;
1142 hptr = &(*hptr)->next;
1145 /* Add if not previously present */
1149 /* The header_line struct itself is not tainted, though it points to
1150 possibly tainted data. */
1151 header_line * h = store_get(sizeof(header_line), GET_UNTAINTED);
1164 /*************************************************
1165 * List the added header lines *
1166 *************************************************/
1172 for (header_line * h = acl_added_headers; h; h = h->next)
1175 if (h->text[i-1] == '\n') i--;
1176 g = string_append_listele_n(g, '\n', h->text, i);
1179 return string_from_gstring(g);
1183 /*************************************************
1184 * Set up removed header line(s) *
1185 *************************************************/
1187 /* This function is called by the remove_header modifier. The argument is
1188 treated as a sequence of header names which are added to a colon separated
1189 list, provided there isn't an identical one already there.
1191 Argument: string of header names
1196 setup_remove_header(const uschar *hnames)
1199 acl_removed_headers = acl_removed_headers
1200 ? string_sprintf("%s : %s", acl_removed_headers, hnames)
1201 : string_copy(hnames);
1206 /*************************************************
1208 *************************************************/
1210 /* This function is called when a WARN verb's conditions are true. It adds to
1211 the message's headers, and/or writes information to the log. In each case, this
1212 only happens once (per message for headers, per connection for log).
1214 ** NOTE: The header adding action using the "message" setting is historic, and
1215 its use is now deprecated. The new add_header modifier should be used instead.
1218 where ACL_WHERE_xxxx indicating which ACL this is
1219 user_message message for adding to headers
1220 log_message message for logging, if different
1226 acl_warn(int where, uschar * user_message, uschar * log_message)
1228 if (log_message && log_message != user_message)
1231 string_item *logged;
1233 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1234 string_printing(log_message));
1236 /* If a sender verification has failed, and the log message is "sender verify
1237 failed", add the failure message. */
1239 if ( sender_verified_failed
1240 && sender_verified_failed->message
1241 && strcmpic(log_message, US"sender verify failed") == 0)
1242 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1244 /* Search previously logged warnings. They are kept in malloc
1245 store so they can be freed at the start of a new message. */
1247 for (logged = acl_warn_logged; logged; logged = logged->next)
1248 if (Ustrcmp(logged->text, text) == 0) break;
1252 int length = Ustrlen(text) + 1;
1253 log_write(0, LOG_MAIN, "%s", text);
1254 logged = store_malloc(sizeof(string_item) + length);
1255 logged->text = US logged + sizeof(string_item);
1256 memcpy(logged->text, text, length);
1257 logged->next = acl_warn_logged;
1258 acl_warn_logged = logged;
1262 /* If there's no user message, we are done. */
1264 if (!user_message) return;
1266 /* If this isn't a message ACL, we can't do anything with a user message.
1269 if (where > ACL_WHERE_NOTSMTP)
1271 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1272 "found in a non-message (%s) ACL: cannot specify header lines here: "
1273 "message ignored", acl_wherenames[where]);
1277 /* The code for setting up header lines is now abstracted into a separate
1278 function so that it can be used for the add_header modifier as well. */
1280 setup_header(user_message);
1285 /*************************************************
1286 * Verify and check reverse DNS *
1287 *************************************************/
1289 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1290 address if this has not yet been done. The host_name_lookup() function checks
1291 that one of these names resolves to an address list that contains the client IP
1292 address, so we don't actually have to do the check here.
1295 user_msgptr pointer for user message
1296 log_msgptr pointer for log message
1298 Returns: OK verification condition succeeded
1299 FAIL verification failed
1300 DEFER there was a problem verifying
1304 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1308 /* Previous success */
1310 if (sender_host_name) return OK;
1312 /* Previous failure */
1314 if (host_lookup_failed)
1316 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1320 /* Need to do a lookup */
1323 debug_printf_indent("looking up host name to force name/address consistency check\n");
1325 if ((rc = host_name_lookup()) != OK)
1327 *log_msgptr = rc == DEFER
1328 ? US"host lookup deferred for reverse lookup check"
1329 : string_sprintf("host lookup failed for reverse lookup check%s",
1331 return rc; /* DEFER or FAIL */
1334 host_build_sender_fullhost();
1340 /*************************************************
1341 * Check client IP address matches CSA target *
1342 *************************************************/
1344 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1345 response for address records belonging to the CSA target hostname. The section
1346 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1347 If one of the addresses matches the client's IP address, then the client is
1348 authorized by CSA. If there are target IP addresses but none of them match
1349 then the client is using an unauthorized IP address. If there are no target IP
1350 addresses then the client cannot be using an authorized IP address. (This is
1351 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1354 dnsa the DNS answer block
1355 dnss a DNS scan block for us to use
1356 reset option specifying what portion to scan, as described above
1357 target the target hostname to use for matching RR names
1359 Returns: CSA_OK successfully authorized
1360 CSA_FAIL_MISMATCH addresses found but none matched
1361 CSA_FAIL_NOADDR no target addresses found
1365 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1368 int rc = CSA_FAIL_NOADDR;
1370 for (dns_record * rr = dns_next_rr(dnsa, dnss, reset);
1372 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1374 /* Check this is an address RR for the target hostname. */
1378 && rr->type != T_AAAA
1382 if (strcmpic(target, rr->name) != 0) continue;
1384 rc = CSA_FAIL_MISMATCH;
1386 /* Turn the target address RR into a list of textual IP addresses and scan
1387 the list. There may be more than one if it is an A6 RR. */
1389 for (dns_address * da = dns_address_from_rr(dnsa, rr); da; da = da->next)
1391 /* If the client IP address matches the target IP address, it's good! */
1393 DEBUG(D_acl) debug_printf_indent("CSA target address is %s\n", da->address);
1395 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1399 /* If we found some target addresses but none of them matched, the client is
1400 using an unauthorized IP address, otherwise the target has no authorized IP
1408 /*************************************************
1409 * Verify Client SMTP Authorization *
1410 *************************************************/
1412 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1413 to find the CSA SRV record corresponding to the domain argument, or
1414 $sender_helo_name if no argument is provided. It then checks that the
1415 client is authorized, and that its IP address corresponds to the SRV
1416 target's address by calling acl_verify_csa_address() above. The address
1417 should have been returned in the DNS response's ADDITIONAL section, but if
1418 not we perform another DNS lookup to get it.
1421 domain pointer to optional parameter following verify = csa
1423 Returns: CSA_UNKNOWN no valid CSA record found
1424 CSA_OK successfully authorized
1425 CSA_FAIL_* client is definitely not authorized
1426 CSA_DEFER_* there was a DNS problem
1430 acl_verify_csa(const uschar *domain)
1433 const uschar *found;
1434 int priority, weight, port;
1438 int rc, type, yield;
1439 #define TARGET_SIZE 256
1440 uschar * target = store_get(TARGET_SIZE, GET_TAINTED);
1442 /* Work out the domain we are using for the CSA lookup. The default is the
1443 client's HELO domain. If the client has not said HELO, use its IP address
1444 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1446 while (isspace(*domain) && *domain) ++domain;
1447 if (*domain == '\0') domain = sender_helo_name;
1448 if (!domain) domain = sender_host_address;
1449 if (!sender_host_address) return CSA_UNKNOWN;
1451 /* If we have an address literal, strip off the framing ready for turning it
1452 into a domain. The framing consists of matched square brackets possibly
1453 containing a keyword and a colon before the actual IP address. */
1455 if (domain[0] == '[')
1457 const uschar *start = Ustrchr(domain, ':');
1458 if (start == NULL) start = domain;
1459 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1462 /* Turn domains that look like bare IP addresses into domains in the reverse
1463 DNS. This code also deals with address literals and $sender_host_address. It's
1464 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1465 address literals, but it's probably the most friendly thing to do. This is an
1466 extension to CSA, so we allow it to be turned off for proper conformance. */
1468 if (string_is_ip_address(domain, NULL) != 0)
1470 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1471 domain = dns_build_reverse(domain);
1474 /* Find out if we've already done the CSA check for this domain. If we have,
1475 return the same result again. Otherwise build a new cached result structure
1476 for this domain. The name is filled in now, and the value is filled in when
1477 we return from this function. */
1479 if ((t = tree_search(csa_cache, domain)))
1482 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain), domain);
1483 Ustrcpy(t->name, domain);
1484 (void)tree_insertnode(&csa_cache, t);
1486 /* Now we are ready to do the actual DNS lookup(s). */
1489 dnsa = store_get_dns_answer();
1490 switch (dns_special_lookup(dnsa, domain, T_CSA, &found))
1492 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1495 yield = CSA_DEFER_SRV;
1498 /* If we found nothing, the client's authorization is unknown. */
1502 yield = CSA_UNKNOWN;
1505 /* We got something! Go on to look at the reply in more detail. */
1511 /* Scan the reply for well-formed CSA SRV records. */
1513 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1515 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_SRV)
1517 const uschar * p = rr->data;
1519 /* Extract the numerical SRV fields (p is incremented) */
1521 if (rr_bad_size(rr, 3 * sizeof(uint16_t))) continue;
1522 GETSHORT(priority, p);
1523 GETSHORT(weight, p);
1527 debug_printf_indent("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1529 /* Check the CSA version number */
1531 if (priority != 1) continue;
1533 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1534 found by dns_special_lookup() is a parent of the one we asked for), we check
1535 the subdomain assertions in the port field. At the moment there's only one
1536 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1537 SRV records of their own. */
1539 if (Ustrcmp(found, domain) != 0)
1541 yield = port & 1 ? CSA_FAIL_EXPLICIT : CSA_UNKNOWN;
1545 /* This CSA SRV record refers directly to our domain, so we check the value
1546 in the weight field to work out the domain's authorization. 0 and 1 are
1547 unauthorized; 3 means the client is authorized but we can't check the IP
1548 address in order to authenticate it, so we treat it as unknown; values
1549 greater than 3 are undefined. */
1553 yield = CSA_FAIL_DOMAIN;
1557 if (weight > 2) continue;
1559 /* Weight == 2, which means the domain is authorized. We must check that the
1560 client's IP address is listed as one of the SRV target addresses. Save the
1561 target hostname then break to scan the additional data for its addresses. */
1563 (void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
1564 (DN_EXPAND_ARG4_TYPE)target, TARGET_SIZE);
1566 DEBUG(D_acl) debug_printf_indent("CSA target is %s\n", target);
1571 /* If we didn't break the loop then no appropriate records were found. */
1575 yield = CSA_UNKNOWN;
1579 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1580 A target of "." indicates there are no valid addresses, so the client cannot
1581 be authorized. (This is an odd configuration because weight=2 target=. is
1582 equivalent to weight=1, but we check for it in order to keep load off the
1583 root name servers.) Note that dn_expand() turns "." into "". */
1585 if (Ustrcmp(target, "") == 0)
1587 yield = CSA_FAIL_NOADDR;
1591 /* Scan the additional section of the CSA SRV reply for addresses belonging
1592 to the target. If the name server didn't return any additional data (e.g.
1593 because it does not fully support SRV records), we need to do another lookup
1594 to obtain the target addresses; otherwise we have a definitive result. */
1596 rc = acl_verify_csa_address(dnsa, &dnss, RESET_ADDITIONAL, target);
1597 if (rc != CSA_FAIL_NOADDR)
1603 /* The DNS lookup type corresponds to the IP version used by the client. */
1606 if (Ustrchr(sender_host_address, ':') != NULL)
1609 #endif /* HAVE_IPV6 */
1613 lookup_dnssec_authenticated = NULL;
1614 switch (dns_lookup(dnsa, target, type, NULL))
1616 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1619 yield = CSA_DEFER_ADDR;
1622 /* If the query succeeded, scan the addresses and return the result. */
1625 rc = acl_verify_csa_address(dnsa, &dnss, RESET_ANSWERS, target);
1626 if (rc != CSA_FAIL_NOADDR)
1631 /* else fall through */
1633 /* If the target has no IP addresses, the client cannot have an authorized
1634 IP address. However, if the target site uses A6 records (not AAAA records)
1635 we have to do yet another lookup in order to check them. */
1639 yield = CSA_FAIL_NOADDR;
1645 store_free_dns_answer(dnsa);
1646 return t->data.val = yield;
1651 /*************************************************
1652 * Handle verification (address & other) *
1653 *************************************************/
1655 enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1656 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT,
1657 VERIFY_HDR_NAMES_ASCII, VERIFY_ARC
1662 unsigned where_allowed; /* bitmap */
1663 BOOL no_options; /* Never has /option(s) following */
1664 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1666 static verify_type_t verify_type_list[] = {
1667 /* name value where no-opt opt-sep */
1668 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, (unsigned)~0, FALSE, 0 },
1669 { US"certificate", VERIFY_CERT, (unsigned)~0, TRUE, 0 },
1670 { US"helo", VERIFY_HELO, (unsigned)~0, TRUE, 0 },
1671 { US"csa", VERIFY_CSA, (unsigned)~0, FALSE, 0 },
1672 { US"header_syntax", VERIFY_HDR_SYNTAX, ACL_BITS_HAVEDATA, TRUE, 0 },
1673 { US"not_blind", VERIFY_NOT_BLIND, ACL_BITS_HAVEDATA, FALSE, 0 },
1674 { US"header_sender", VERIFY_HDR_SNDR, ACL_BITS_HAVEDATA, FALSE, 0 },
1675 { US"sender", VERIFY_SNDR, ACL_BIT_MAIL | ACL_BIT_RCPT
1676 | ACL_BIT_PREDATA | ACL_BIT_DATA | ACL_BIT_NOTSMTP,
1678 { US"recipient", VERIFY_RCPT, ACL_BIT_RCPT, FALSE, 0 },
1679 { US"header_names_ascii", VERIFY_HDR_NAMES_ASCII, ACL_BITS_HAVEDATA, TRUE, 0 },
1680 #ifdef EXPERIMENTAL_ARC
1681 { US"arc", VERIFY_ARC, ACL_BIT_DATA, FALSE , 0 },
1686 enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1687 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1688 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1689 CALLOUT_HOLD, CALLOUT_TIME /* TIME must be last */
1695 BOOL has_option; /* Has =option(s) following */
1696 BOOL timeval; /* Has a time value */
1698 static callout_opt_t callout_opt_list[] = {
1699 /* name value flag has-opt has-time */
1700 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1701 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1702 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1703 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1704 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1705 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1706 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1707 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1708 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1709 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1710 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1711 { US"hold", CALLOUT_HOLD, vopt_callout_hold, FALSE, FALSE },
1712 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1718 v_period(const uschar * s, const uschar * arg, uschar ** log_msgptr)
1721 if ((period = readconf_readtime(s, 0, FALSE)) < 0)
1723 *log_msgptr = string_sprintf("bad time value in ACL condition "
1724 "\"verify %s\"", arg);
1732 sender_helo_verified_internal(void)
1734 /* We can test the result of optional HELO verification that might have
1735 occurred earlier. If not, we can attempt the verification now. */
1737 if (!f.helo_verified && !f.helo_verify_failed) smtp_verify_helo();
1738 return f.helo_verified;
1742 sender_helo_verified_cond(void)
1744 return sender_helo_verified_internal() ? OK : FAIL;
1748 sender_helo_verified_boolstr(void)
1750 return sender_helo_verified_internal() ? US"yes" : US"no";
1755 /* This function implements the "verify" condition. It is called when
1756 encountered in any ACL, because some tests are almost always permitted. Some
1757 just don't make sense, and always fail (for example, an attempt to test a host
1758 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1761 where where called from
1762 addr the recipient address that the ACL is handling, or NULL
1763 arg the argument of "verify"
1764 user_msgptr pointer for user message
1765 log_msgptr pointer for log message
1766 basic_errno where to put verify errno
1768 Returns: OK verification condition succeeded
1769 FAIL verification failed
1770 DEFER there was a problem verifying
1775 acl_verify(int where, address_item *addr, const uschar *arg,
1776 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1780 int callout_overall = -1;
1781 int callout_connect = -1;
1782 int verify_options = 0;
1784 BOOL verify_header_sender = FALSE;
1785 BOOL defer_ok = FALSE;
1786 BOOL callout_defer_ok = FALSE;
1787 BOOL no_details = FALSE;
1788 BOOL success_on_redirect = FALSE;
1790 int quota_pos_cache = QUOTA_POS_DEFAULT, quota_neg_cache = QUOTA_NEG_DEFAULT;
1791 address_item * sender_vaddr = NULL;
1792 const uschar * verify_sender_address = NULL;
1793 uschar * pm_mailfrom = NULL;
1794 uschar * se_mailfrom = NULL;
1796 /* Some of the verify items have slash-separated options; some do not. Diagnose
1797 an error if options are given for items that don't expect them.
1800 uschar *slash = Ustrchr(arg, '/');
1801 const uschar *list = arg;
1802 uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
1805 if (!ss) goto BAD_VERIFY;
1807 /* Handle name/address consistency verification in a separate function. */
1809 for (vp = verify_type_list;
1810 CS vp < CS verify_type_list + sizeof(verify_type_list);
1813 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1814 : strcmpic (ss, vp->name) == 0)
1816 if (CS vp >= CS verify_type_list + sizeof(verify_type_list))
1819 if (vp->no_options && slash)
1821 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1822 "(this verify item has no options)", arg);
1825 if (!(vp->where_allowed & BIT(where)))
1827 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s",
1828 vp->name, acl_wherenames[where]);
1833 case VERIFY_REV_HOST_LKUP:
1834 if (!sender_host_address) return OK;
1835 if ((rc = acl_verify_reverse(user_msgptr, log_msgptr)) == DEFER)
1836 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1837 if (strcmpic(ss, US"defer_ok") == 0)
1842 /* TLS certificate verification is done at STARTTLS time; here we just
1843 test whether it was successful or not. (This is for optional verification; for
1844 mandatory verification, the connection doesn't last this long.) */
1846 if (tls_in.certificate_verified) return OK;
1847 *user_msgptr = US"no verified certificate";
1851 return sender_helo_verified_cond();
1854 /* Do Client SMTP Authorization checks in a separate function, and turn the
1855 result code into user-friendly strings. */
1857 rc = acl_verify_csa(list);
1858 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1859 csa_reason_string[rc]);
1860 csa_status = csa_status_string[rc];
1861 DEBUG(D_acl) debug_printf_indent("CSA result %s\n", csa_status);
1862 return csa_return_code[rc];
1864 #ifdef EXPERIMENTAL_ARC
1866 { /* Do Authenticated Received Chain checks in a separate function. */
1867 const uschar * condlist = CUS string_nextinlist(&list, &sep, NULL, 0);
1871 if (!(arc_state = acl_verify_arc())) return DEFER;
1872 DEBUG(D_acl) debug_printf_indent("ARC verify result %s %s%s%s\n", arc_state,
1873 arc_state_reason ? "(":"", arc_state_reason, arc_state_reason ? ")":"");
1875 if (!condlist) condlist = US"none:pass";
1876 while ((cond = string_nextinlist(&condlist, &csep, NULL, 0)))
1877 if (Ustrcmp(arc_state, cond) == 0) return OK;
1882 case VERIFY_HDR_SYNTAX:
1883 /* Check that all relevant header lines have the correct 5322-syntax. If there is
1884 a syntax error, we return details of the error to the sender if configured to
1885 send out full details. (But a "message" setting on the ACL can override, as
1888 rc = verify_check_headers(log_msgptr);
1889 if (rc != OK && *log_msgptr)
1890 if (smtp_return_error_details)
1891 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1893 acl_verify_message = *log_msgptr;
1896 case VERIFY_HDR_NAMES_ASCII:
1897 /* Check that all header names are true 7 bit strings
1898 See RFC 5322, 2.2. and RFC 6532, 3. */
1900 rc = verify_check_header_names_ascii(log_msgptr);
1901 if (rc != OK && smtp_return_error_details && *log_msgptr)
1902 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1905 case VERIFY_NOT_BLIND:
1906 /* Check that no recipient of this message is "blind", that is, every envelope
1907 recipient must be mentioned in either To: or Cc:. */
1909 BOOL case_sensitive = TRUE;
1911 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1912 if (strcmpic(ss, US"case_insensitive") == 0)
1913 case_sensitive = FALSE;
1916 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1917 "condition \"verify %s\"", ss, arg);
1921 if ((rc = verify_check_notblind(case_sensitive)) != OK)
1923 *log_msgptr = US"bcc recipient detected";
1924 if (smtp_return_error_details)
1925 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1930 /* The remaining verification tests check recipient and sender addresses,
1931 either from the envelope or from the header. There are a number of
1932 slash-separated options that are common to all of them. */
1934 case VERIFY_HDR_SNDR:
1935 verify_header_sender = TRUE;
1939 /* In the case of a sender, this can optionally be followed by an address to use
1940 in place of the actual sender (rare special-case requirement). */
1944 verify_sender_address = sender_address;
1947 if (Uskip_whitespace(&s) != '=')
1950 Uskip_whitespace(&s);
1951 verify_sender_address = string_copy(s);
1962 /* Remaining items are optional; they apply to sender and recipient
1963 verification, including "header sender" verification. */
1965 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1967 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1968 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1969 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1971 /* These two old options are left for backwards compatibility */
1973 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1975 callout_defer_ok = TRUE;
1976 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1979 else if (strcmpic(ss, US"check_postmaster") == 0)
1982 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1985 /* The callout option has a number of sub-options, comma separated */
1987 else if (strncmpic(ss, US"callout", 7) == 0)
1989 callout = CALLOUT_TIMEOUT_DEFAULT;
1992 Uskip_whitespace(&ss);
1995 const uschar * sublist = ss;
1998 Uskip_whitespace(&sublist);
1999 for (uschar * opt; opt = string_nextinlist(&sublist, &optsep, NULL, 0); )
2002 double period = 1.0F;
2004 for (op= callout_opt_list; op->name; op++)
2005 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
2008 verify_options |= op->flag;
2011 opt += Ustrlen(op->name);
2012 Uskip_whitespace(&opt);
2015 *log_msgptr = string_sprintf("'=' expected after "
2016 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
2019 Uskip_whitespace(&opt);
2021 if (op->timeval && (period = v_period(opt, arg, log_msgptr)) < 0)
2026 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
2027 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
2028 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
2029 case CALLOUT_MAILFROM:
2030 if (!verify_header_sender)
2032 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
2033 "callout option only for verify=header_sender (detected in ACL "
2034 "condition \"%s\")", arg);
2037 se_mailfrom = string_copy(opt);
2039 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
2040 case CALLOUT_MAXWAIT: callout_overall = period; break;
2041 case CALLOUT_CONNECT: callout_connect = period; break;
2042 case CALLOUT_TIME: callout = period; break;
2048 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
2049 "ACL condition \"%s\"", arg);
2055 /* The quota option has sub-options, comma-separated */
2057 else if (strncmpic(ss, US"quota", 5) == 0)
2062 Uskip_whitespace(&ss);
2065 const uschar * sublist = ss;
2069 Uskip_whitespace(&sublist);
2070 for (uschar * opt; opt = string_nextinlist(&sublist, &optsep, NULL, 0); )
2071 if (Ustrncmp(opt, "cachepos=", 9) == 0)
2072 if ((period = v_period(opt += 9, arg, log_msgptr)) < 0)
2075 quota_pos_cache = period;
2076 else if (Ustrncmp(opt, "cacheneg=", 9) == 0)
2077 if ((period = v_period(opt += 9, arg, log_msgptr)) < 0)
2080 quota_neg_cache = period;
2081 else if (Ustrcmp(opt, "no_cache") == 0)
2082 quota_pos_cache = quota_neg_cache = 0;
2087 /* Option not recognized */
2091 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
2092 "condition \"verify %s\"", ss, arg);
2097 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
2098 (vopt_callout_recipsender|vopt_callout_recippmaster))
2100 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
2101 "for a recipient callout";
2105 /* Handle quota verification */
2108 if (vp->value != VERIFY_RCPT)
2110 *log_msgptr = US"can only verify quota of recipient";
2114 if ((rc = verify_quota_call(addr->address,
2115 quota_pos_cache, quota_neg_cache, log_msgptr)) != OK)
2117 *basic_errno = errno;
2118 if (smtp_return_error_details)
2120 if (!*user_msgptr && *log_msgptr)
2121 *user_msgptr = string_sprintf("Rejected after %s: %s",
2122 smtp_names[smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)]],
2124 if (rc == DEFER) f.acl_temp_details = TRUE;
2131 /* Handle sender-in-header verification. Default the user message to the log
2132 message if giving out verification details. */
2134 if (verify_header_sender)
2138 if ((rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
2139 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
2142 *basic_errno = verrno;
2143 if (smtp_return_error_details)
2145 if (!*user_msgptr && *log_msgptr)
2146 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
2147 if (rc == DEFER) f.acl_temp_details = TRUE;
2152 /* Handle a sender address. The default is to verify *the* sender address, but
2153 optionally a different address can be given, for special requirements. If the
2154 address is empty, we are dealing with a bounce message that has no sender, so
2155 we cannot do any checking. If the real sender address gets rewritten during
2156 verification (e.g. DNS widening), set the flag to stop it being rewritten again
2157 during message reception.
2159 A list of verified "sender" addresses is kept to try to avoid doing to much
2160 work repetitively when there are multiple recipients in a message and they all
2161 require sender verification. However, when callouts are involved, it gets too
2162 complicated because different recipients may require different callout options.
2163 Therefore, we always do a full sender verify when any kind of callout is
2164 specified. Caching elsewhere, for instance in the DNS resolver and in the
2165 callout handling, should ensure that this is not terribly inefficient. */
2167 else if (verify_sender_address)
2169 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)))
2171 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
2172 "sender verify callout";
2176 sender_vaddr = verify_checked_sender(verify_sender_address);
2177 if ( sender_vaddr /* Previously checked */
2178 && callout <= 0) /* No callout needed this time */
2180 /* If the "routed" flag is set, it means that routing worked before, so
2181 this check can give OK (the saved return code value, if set, belongs to a
2182 callout that was done previously). If the "routed" flag is not set, routing
2183 must have failed, so we use the saved return code. */
2185 if (testflag(sender_vaddr, af_verify_routed))
2189 rc = sender_vaddr->special_action;
2190 *basic_errno = sender_vaddr->basic_errno;
2192 HDEBUG(D_acl) debug_printf_indent("using cached sender verify result\n");
2195 /* Do a new verification, and cache the result. The cache is used to avoid
2196 verifying the sender multiple times for multiple RCPTs when callouts are not
2197 specified (see comments above).
2199 The cache is also used on failure to give details in response to the first
2200 RCPT that gets bounced for this reason. However, this can be suppressed by
2201 the no_details option, which sets the flag that says "this detail has already
2202 been sent". The cache normally contains just one address, but there may be
2203 more in esoteric circumstances. */
2208 uschar *save_address_data = deliver_address_data;
2210 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
2212 if ((sender_vaddr->prop.utf8_msg = message_smtputf8))
2214 sender_vaddr->prop.utf8_downcvt = message_utf8_downconvert == 1;
2215 sender_vaddr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
2218 if (no_details) setflag(sender_vaddr, af_sverify_told);
2219 if (verify_sender_address[0] != 0)
2221 /* If this is the real sender address, save the unrewritten version
2222 for use later in receive. Otherwise, set a flag so that rewriting the
2223 sender in verify_address() does not update sender_address. */
2225 if (verify_sender_address == sender_address)
2226 sender_address_unrewritten = sender_address;
2228 verify_options |= vopt_fake_sender;
2230 if (success_on_redirect)
2231 verify_options |= vopt_success_on_redirect;
2233 /* The recipient, qualify, and expn options are never set in
2236 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
2237 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
2239 HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
2242 *basic_errno = sender_vaddr->basic_errno;
2245 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2246 debug_printf_indent("sender %s verified ok as %s\n",
2247 verify_sender_address, sender_vaddr->address);
2249 debug_printf_indent("sender %s verified ok\n",
2250 verify_sender_address);
2253 rc = OK; /* Null sender */
2255 /* Cache the result code */
2257 if (routed) setflag(sender_vaddr, af_verify_routed);
2258 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2259 sender_vaddr->special_action = rc;
2260 sender_vaddr->next = sender_verified_list;
2261 sender_verified_list = sender_vaddr;
2263 /* Restore the recipient address data, which might have been clobbered by
2264 the sender verification. */
2266 deliver_address_data = save_address_data;
2269 /* Put the sender address_data value into $sender_address_data */
2271 sender_address_data = sender_vaddr->prop.address_data;
2274 /* A recipient address just gets a straightforward verify; again we must handle
2275 the DEFER overrides. */
2281 if (success_on_redirect)
2282 verify_options |= vopt_success_on_redirect;
2284 /* We must use a copy of the address for verification, because it might
2288 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
2289 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
2290 HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
2292 *basic_errno = addr2.basic_errno;
2293 *log_msgptr = addr2.message;
2294 *user_msgptr = addr2.user_message ? addr2.user_message : addr2.message;
2296 /* Allow details for temporary error if the address is so flagged. */
2297 if (testflag((&addr2), af_pass_message)) f.acl_temp_details = TRUE;
2299 /* Make $address_data visible */
2300 deliver_address_data = addr2.prop.address_data;
2303 /* We have a result from the relevant test. Handle defer overrides first. */
2307 || callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER
2310 HDEBUG(D_acl) debug_printf_indent("verify defer overridden by %s\n",
2311 defer_ok? "defer_ok" : "callout_defer_ok");
2315 /* If we've failed a sender, set up a recipient message, and point
2316 sender_verified_failed to the address item that actually failed. */
2318 if (rc != OK && verify_sender_address)
2321 *log_msgptr = *user_msgptr = US"Sender verify failed";
2322 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2323 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2326 *log_msgptr = US"Could not complete sender verify callout";
2327 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2331 sender_verified_failed = sender_vaddr;
2334 /* Verifying an address messes up the values of $domain and $local_part,
2335 so reset them before returning if this is a RCPT ACL. */
2339 deliver_domain = addr->domain;
2340 deliver_localpart = addr->local_part;
2344 /* Syntax errors in the verify argument come here. */
2347 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2348 "\"helo\", \"header_syntax\", \"header_sender\", \"header_names_ascii\" "
2349 "or \"reverse_host_lookup\" at start of ACL condition "
2350 "\"verify %s\"", arg);
2357 /*************************************************
2358 * Check argument for control= modifier *
2359 *************************************************/
2361 /* Called from acl_check_condition() below.
2362 To handle the case "queue_only" we accept an _ in the
2363 initial / option-switch position.
2366 arg the argument string for control=
2367 pptr set to point to the terminating character
2368 where which ACL we are in
2369 log_msgptr for error messages
2371 Returns: CONTROL_xxx value
2375 decode_control(const uschar *arg, const uschar **pptr, int where, uschar **log_msgptr)
2381 if ( (idx = find_control(arg, controls_list, nelem(controls_list))) < 0
2382 || ( (c = arg[len = Ustrlen((d = controls_list+idx)->name)]) != 0
2383 && (!d->has_option || c != '/' && c != '_')
2386 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2387 return CONTROL_ERROR;
2397 /*************************************************
2398 * Return a ratelimit error *
2399 *************************************************/
2401 /* Called from acl_ratelimit() below
2404 log_msgptr for error messages
2405 format format string
2406 ... supplementary arguments
2412 ratelimit_error(uschar **log_msgptr, const char *format, ...)
2416 string_cat(NULL, US"error in arguments to \"ratelimit\" condition: ");
2418 va_start(ap, format);
2419 g = string_vformat(g, SVFMT_EXTEND|SVFMT_REBUFFER, format, ap);
2422 gstring_release_unused(g);
2423 *log_msgptr = string_from_gstring(g);
2430 /*************************************************
2431 * Handle rate limiting *
2432 *************************************************/
2434 /* Called by acl_check_condition() below to calculate the result
2435 of the ACL ratelimit condition.
2437 Note that the return value might be slightly unexpected: if the
2438 sender's rate is above the limit then the result is OK. This is
2439 similar to the dnslists condition, and is so that you can write
2440 ACL clauses like: defer ratelimit = 15 / 1h
2443 arg the option string for ratelimit=
2444 where ACL_WHERE_xxxx indicating which ACL this is
2445 log_msgptr for error messages
2447 Returns: OK - Sender's rate is above limit
2448 FAIL - Sender's rate is below limit
2449 DEFER - Problem opening ratelimit database
2450 ERROR - Syntax error in options.
2454 acl_ratelimit(const uschar *arg, int where, uschar **log_msgptr)
2456 double limit, period, count;
2459 uschar *unique = NULL;
2461 BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2462 BOOL noupdate = FALSE, badacl = FALSE;
2463 int mode = RATE_PER_WHAT;
2465 tree_node **anchor, *t;
2466 open_db dbblock, *dbm;
2468 dbdata_ratelimit *dbd;
2469 dbdata_ratelimit_unique *dbdb;
2472 /* Parse the first two options and record their values in expansion
2473 variables. These variables allow the configuration to have informative
2474 error messages based on rate limits obtained from a table lookup. */
2476 /* First is the maximum number of messages per period / maximum burst
2477 size, which must be greater than or equal to zero. Zero is useful for
2478 rate measurement as opposed to rate limiting. */
2480 if (!(sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0)))
2481 return ratelimit_error(log_msgptr, "sender rate limit not set");
2483 limit = Ustrtod(sender_rate_limit, &ss);
2484 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2485 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2486 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2488 if (limit < 0.0 || *ss != '\0')
2489 return ratelimit_error(log_msgptr,
2490 "\"%s\" is not a positive number", sender_rate_limit);
2492 /* Second is the rate measurement period / exponential smoothing time
2493 constant. This must be strictly greater than zero, because zero leads to
2494 run-time division errors. */
2496 period = !(sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0))
2497 ? -1.0 : readconf_readtime(sender_rate_period, 0, FALSE);
2499 return ratelimit_error(log_msgptr,
2500 "\"%s\" is not a time value", sender_rate_period);
2502 /* By default we are counting one of something, but the per_rcpt,
2503 per_byte, and count options can change this. */
2507 /* Parse the other options. */
2509 while ((ss = string_nextinlist(&arg, &sep, NULL, 0)))
2511 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2512 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2513 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2514 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2515 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2516 else if (strcmpic(ss, US"per_conn") == 0)
2518 RATE_SET(mode, PER_CONN);
2519 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2522 else if (strcmpic(ss, US"per_mail") == 0)
2524 RATE_SET(mode, PER_MAIL);
2525 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2527 else if (strcmpic(ss, US"per_rcpt") == 0)
2529 /* If we are running in the RCPT ACL, then we'll count the recipients
2530 one by one, but if we are running when we have accumulated the whole
2531 list then we'll add them all in one batch. */
2532 if (where == ACL_WHERE_RCPT)
2533 RATE_SET(mode, PER_RCPT);
2534 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2535 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2536 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2537 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2539 else if (strcmpic(ss, US"per_byte") == 0)
2541 /* If we have not yet received the message data and there was no SIZE
2542 declaration on the MAIL command, then it's safe to just use a value of
2543 zero and let the recorded rate decay as if nothing happened. */
2544 RATE_SET(mode, PER_MAIL);
2545 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2546 else count = message_size < 0 ? 0.0 : (double)message_size;
2548 else if (strcmpic(ss, US"per_addr") == 0)
2550 RATE_SET(mode, PER_RCPT);
2551 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
2552 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2554 else if (strncmpic(ss, US"count=", 6) == 0)
2557 count = Ustrtod(ss+6, &e);
2558 if (count < 0.0 || *e != '\0')
2559 return ratelimit_error(log_msgptr, "\"%s\" is not a positive number", ss);
2561 else if (strncmpic(ss, US"unique=", 7) == 0)
2562 unique = string_copy(ss + 7);
2564 key = string_copy(ss);
2566 key = string_sprintf("%s/%s", key, ss);
2569 /* Sanity check. When the badacl flag is set the update mode must either
2570 be readonly (which is the default if it is omitted) or, for backwards
2571 compatibility, a combination of noupdate and strict or leaky. */
2573 if (mode == RATE_PER_CLASH)
2574 return ratelimit_error(log_msgptr, "conflicting per_* options");
2575 if (leaky + strict + readonly > 1)
2576 return ratelimit_error(log_msgptr, "conflicting update modes");
2577 if (badacl && (leaky || strict) && !noupdate)
2578 return ratelimit_error(log_msgptr,
2579 "\"%s\" must not have /leaky or /strict option, or cannot be used in %s ACL",
2580 ratelimit_option_string[mode], acl_wherenames[where]);
2582 /* Set the default values of any unset options. In readonly mode we
2583 perform the rate computation without any increment so that its value
2584 decays to eventually allow over-limit senders through. */
2586 if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2587 if (badacl) readonly = TRUE;
2588 if (readonly) count = 0.0;
2589 if (!strict && !readonly) leaky = TRUE;
2590 if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
2592 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2593 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2594 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2595 are added to the key because they alter the meaning of the stored data. */
2598 key = !sender_host_address ? US"" : sender_host_address;
2600 key = string_sprintf("%s/%s/%s%s",
2602 ratelimit_option_string[mode],
2603 unique == NULL ? "" : "unique/",
2607 debug_printf_indent("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
2609 /* See if we have already computed the rate by looking in the relevant tree.
2610 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2611 pool so that they survive across resets. In readonly mode we only remember the
2612 result for the rest of this command in case a later command changes it. After
2613 this bit of logic the code is independent of the per_* mode. */
2615 old_pool = store_pool;
2618 anchor = &ratelimiters_cmd;
2622 anchor = &ratelimiters_conn;
2623 store_pool = POOL_PERM;
2627 case RATE_PER_ALLRCPTS:
2628 anchor = &ratelimiters_mail;
2633 anchor = &ratelimiters_cmd;
2636 anchor = NULL; /* silence an "unused" complaint */
2637 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2638 "internal ACL error: unknown ratelimit mode %d", mode);
2643 if ((t = tree_search(*anchor, key)))
2646 /* The following few lines duplicate some of the code below. */
2647 rc = (dbd->rate < limit)? FAIL : OK;
2648 store_pool = old_pool;
2649 sender_rate = string_sprintf("%.1f", dbd->rate);
2651 debug_printf_indent("ratelimit found pre-computed rate %s\n", sender_rate);
2655 /* We aren't using a pre-computed rate, so get a previously recorded rate
2656 from the database, which will be updated and written back if required. */
2658 if (!(dbm = dbfn_open(US"ratelimit", O_RDWR|O_CREAT, &dbblock, TRUE, TRUE)))
2660 store_pool = old_pool;
2662 HDEBUG(D_acl) debug_printf_indent("ratelimit database not available\n");
2663 *log_msgptr = US"ratelimit database not available";
2666 dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2669 gettimeofday(&tv, NULL);
2673 /* Locate the basic ratelimit block inside the DB data. */
2674 HDEBUG(D_acl) debug_printf_indent("ratelimit found key in database\n");
2677 /* Forget the old Bloom filter if it is too old, so that we count each
2678 repeating event once per period. We don't simply clear and re-use the old
2679 filter because we want its size to change if the limit changes. Note that
2680 we keep the dbd pointer for copying the rate into the new data block. */
2682 if(unique && tv.tv_sec > dbdb->bloom_epoch + period)
2684 HDEBUG(D_acl) debug_printf_indent("ratelimit discarding old Bloom filter\n");
2690 if(unique && dbdb_size < sizeof(*dbdb))
2692 HDEBUG(D_acl) debug_printf_indent("ratelimit discarding undersize Bloom filter\n");
2697 /* Allocate a new data block if the database lookup failed
2698 or the Bloom filter passed its age limit. */
2704 /* No Bloom filter. This basic ratelimit block is initialized below. */
2705 HDEBUG(D_acl) debug_printf_indent("ratelimit creating new rate data block\n");
2706 dbdb_size = sizeof(*dbd);
2707 dbdb = store_get(dbdb_size, GET_UNTAINTED);
2712 HDEBUG(D_acl) debug_printf_indent("ratelimit creating new Bloom filter\n");
2714 /* See the long comment below for an explanation of the magic number 2.
2715 The filter has a minimum size in case the rate limit is very small;
2716 this is determined by the definition of dbdata_ratelimit_unique. */
2718 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2719 if (extra < 0) extra = 0;
2720 dbdb_size = sizeof(*dbdb) + extra;
2721 dbdb = store_get(dbdb_size, GET_UNTAINTED);
2722 dbdb->bloom_epoch = tv.tv_sec;
2723 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2724 memset(dbdb->bloom, 0, dbdb->bloom_size);
2726 /* Preserve any basic ratelimit data (which is our longer-term memory)
2727 by copying it from the discarded block. */
2737 /* If we are counting unique events, find out if this event is new or not.
2738 If the client repeats the event during the current period then it should be
2739 counted. We skip this code in readonly mode for efficiency, because any
2740 changes to the filter will be discarded and because count is already set to
2743 if (unique && !readonly)
2745 /* We identify unique events using a Bloom filter. (You can find my
2746 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2747 With the per_addr option, an "event" is a recipient address, though the
2748 user can use the unique option to define their own events. We only count
2749 an event if we have not seen it before.
2751 We size the filter according to the rate limit, which (in leaky mode)
2752 is the limit on the population of the filter. We allow 16 bits of space
2753 per entry (see the construction code above) and we set (up to) 8 of them
2754 when inserting an element (see the loop below). The probability of a false
2755 positive (an event we have not seen before but which we fail to count) is
2759 allzero = exp(-numhash * pop / size)
2760 = exp(-0.5 * pop / limit)
2761 fpr = pow(1 - allzero, numhash)
2763 For senders at the limit the fpr is 0.06% or 1 in 1700
2764 and for senders at half the limit it is 0.0006% or 1 in 170000
2766 In strict mode the Bloom filter can fill up beyond the normal limit, in
2767 which case the false positive rate will rise. This means that the
2768 measured rate for very fast senders can bogusly drop off after a while.
2770 At twice the limit, the fpr is 2.5% or 1 in 40
2771 At four times the limit, it is 31% or 1 in 3.2
2773 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2774 decay below the limit, and if this is more than one then the Bloom filter
2775 will be discarded before the decay gets that far. The false positive rate
2776 at this threshold is 9.3% or 1 in 10.7. */
2779 unsigned n, hash, hinc;
2783 /* Instead of using eight independent hash values, we combine two values
2784 using the formula h1 + n * h2. This does not harm the Bloom filter's
2785 performance, and means the amount of hash we need is independent of the
2786 number of bits we set in the filter. */
2788 md5_start(&md5info);
2789 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2790 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2791 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2793 /* Scan the bits corresponding to this event. A zero bit means we have
2794 not seen it before. Ensure all bits are set to record this event. */
2796 HDEBUG(D_acl) debug_printf_indent("ratelimit checking uniqueness of %s\n", unique);
2799 for (n = 0; n < 8; n++, hash += hinc)
2801 int bit = 1 << (hash % 8);
2802 int byte = (hash / 8) % dbdb->bloom_size;
2803 if ((dbdb->bloom[byte] & bit) == 0)
2805 dbdb->bloom[byte] |= bit;
2810 /* If this event has occurred before, do not count it. */
2814 HDEBUG(D_acl) debug_printf_indent("ratelimit event found in Bloom filter\n");
2818 HDEBUG(D_acl) debug_printf_indent("ratelimit event added to Bloom filter\n");
2821 /* If there was no previous ratelimit data block for this key, initialize
2822 the new one, otherwise update the block from the database. The initial rate
2823 is what would be computed by the code below for an infinite interval. */
2827 HDEBUG(D_acl) debug_printf_indent("ratelimit initializing new key's rate data\n");
2829 dbd->time_stamp = tv.tv_sec;
2830 dbd->time_usec = tv.tv_usec;
2835 /* The smoothed rate is computed using an exponentially weighted moving
2836 average adjusted for variable sampling intervals. The standard EWMA for
2837 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2838 where f() is the measured value and f'() is the smoothed value.
2840 Old data decays out of the smoothed value exponentially, such that data n
2841 samples old is multiplied by a^n. The exponential decay time constant p
2842 is defined such that data p samples old is multiplied by 1/e, which means
2843 that a = exp(-1/p). We can maintain the same time constant for a variable
2844 sampling interval i by using a = exp(-i/p).
2846 The rate we are measuring is messages per period, suitable for directly
2847 comparing with the limit. The average rate between now and the previous
2848 message is period / interval, which we feed into the EWMA as the sample.
2850 It turns out that the number of messages required for the smoothed rate
2851 to reach the limit when they are sent in a burst is equal to the limit.
2852 This can be seen by analysing the value of the smoothed rate after N
2853 messages sent at even intervals. Let k = (1 - a) * p/i
2855 rate_1 = (1 - a) * p/i + a * rate_0
2857 rate_2 = k + a * rate_1
2858 = k + a * k + a^2 * rate_0
2859 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2860 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2861 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2862 = rate_0 * a^N + p/i * (1 - a^N)
2864 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2866 rate_N = p/i + (rate_0 - p/i) * a^N
2867 a^N = (rate_N - p/i) / (rate_0 - p/i)
2868 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2869 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2871 Numerical analysis of the above equation, setting the computed rate to
2872 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2873 rates, p/i, the number of messages N = limit. So limit serves as both the
2874 maximum rate measured in messages per period, and the maximum number of
2875 messages that can be sent in a fast burst. */
2877 double this_time = (double)tv.tv_sec
2878 + (double)tv.tv_usec / 1000000.0;
2879 double prev_time = (double)dbd->time_stamp
2880 + (double)dbd->time_usec / 1000000.0;
2882 /* We must avoid division by zero, and deal gracefully with the clock going
2883 backwards. If we blunder ahead when time is in reverse then the computed
2884 rate will be bogus. To be safe we clamp interval to a very small number. */
2886 double interval = this_time - prev_time <= 0.0 ? 1e-9
2887 : this_time - prev_time;
2889 double i_over_p = interval / period;
2890 double a = exp(-i_over_p);
2892 /* Combine the instantaneous rate (period / interval) with the previous rate
2893 using the smoothing factor a. In order to measure sized events, multiply the
2894 instantaneous rate by the count of bytes or recipients etc. */
2896 dbd->time_stamp = tv.tv_sec;
2897 dbd->time_usec = tv.tv_usec;
2898 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2900 /* When events are very widely spaced the computed rate tends towards zero.
2901 Although this is accurate it turns out not to be useful for our purposes,
2902 especially when the first event after a long silence is the start of a spam
2903 run. A more useful model is that the rate for an isolated event should be the
2904 size of the event per the period size, ignoring the lack of events outside
2905 the current period and regardless of where the event falls in the period. So,
2906 if the interval was so long that the calculated rate is unhelpfully small, we
2907 re-initialize the rate. In the absence of higher-rate bursts, the condition
2908 below is true if the interval is greater than the period. */
2910 if (dbd->rate < count) dbd->rate = count;
2913 /* Clients sending at the limit are considered to be over the limit.
2914 This matters for edge cases such as a limit of zero, when the client
2915 should be completely blocked. */
2917 rc = dbd->rate < limit ? FAIL : OK;
2919 /* Update the state if the rate is low or if we are being strict. If we
2920 are in leaky mode and the sender's rate is too high, we do not update
2921 the recorded rate in order to avoid an over-aggressive sender's retry
2922 rate preventing them from getting any email through. If readonly is set,
2923 neither leaky nor strict are set, so we do not do any updates. */
2925 if ((rc == FAIL && leaky) || strict)
2927 dbfn_write(dbm, key, dbdb, dbdb_size);
2928 HDEBUG(D_acl) debug_printf_indent("ratelimit db updated\n");
2932 HDEBUG(D_acl) debug_printf_indent("ratelimit db not updated: %s\n",
2933 readonly? "readonly mode" : "over the limit, but leaky");
2938 /* Store the result in the tree for future reference. Take the taint status
2939 from the key for consistency even though it's unlikely we'll ever expand this. */
2941 t = store_get(sizeof(tree_node) + Ustrlen(key), key);
2943 Ustrcpy(t->name, key);
2944 (void)tree_insertnode(anchor, t);
2946 /* We create the formatted version of the sender's rate very late in
2947 order to ensure that it is done using the correct storage pool. */
2949 store_pool = old_pool;
2950 sender_rate = string_sprintf("%.1f", dbd->rate);
2953 debug_printf_indent("ratelimit computed rate %s\n", sender_rate);
2960 /*************************************************
2961 * Handle a check for previously-seen *
2962 *************************************************/
2965 ACL clauses like: seen = -5m / key=$foo / readonly
2967 Return is true for condition-true - but the semantics
2968 depend heavily on the actual use-case.
2970 Negative times test for seen-before, positive for seen-more-recently-than
2971 (the given interval before current time).
2973 All are subject to history not having been cleaned from the DB.
2975 Default for seen-before is to create if not present, and to
2976 update if older than 10d (with the seen-test time).
2977 Default for seen-since is to always create or update.
2980 key=value. Default key is $sender_host_address
2983 refresh=<interval>: update an existing DB entry older than given
2984 amount. Default refresh lacking this option is 10d.
2985 The update sets the record timestamp to the seen-test time.
2987 XXX do we need separate nocreate, noupdate controls?
2990 arg the option string for seen=
2991 where ACL_WHERE_xxxx indicating which ACL this is
2992 log_msgptr for error messages
2994 Returns: OK - Condition is true
2995 FAIL - Condition is false
2996 DEFER - Problem opening history database
2997 ERROR - Syntax error in options
3001 acl_seen(const uschar * arg, int where, uschar ** log_msgptr)
3003 enum { SEEN_DEFAULT, SEEN_READONLY, SEEN_WRITE };
3005 const uschar * list = arg;
3006 int slash = '/', interval, mode = SEEN_DEFAULT, yield = FAIL;
3008 int refresh = 10 * 24 * 60 * 60; /* 10 days */
3009 const uschar * ele, * key = sender_host_address;
3010 open_db dbblock, * dbm;
3014 /* Parse the first element, the time-relation. */
3016 if (!(ele = string_nextinlist(&list, &slash, NULL, 0)))
3018 if ((before = *ele == '-'))
3020 if ((interval = readconf_readtime(ele, 0, FALSE)) < 0)
3023 /* Remaining elements are options */
3025 while ((ele = string_nextinlist(&list, &slash, NULL, 0)))
3026 if (Ustrncmp(ele, "key=", 4) == 0)
3028 else if (Ustrcmp(ele, "readonly") == 0)
3029 mode = SEEN_READONLY;
3030 else if (Ustrcmp(ele, "write") == 0)
3032 else if (Ustrncmp(ele, "refresh=", 8) == 0)
3034 if ((refresh = readconf_readtime(ele + 8, 0, FALSE)) < 0)
3040 if (!(dbm = dbfn_open(US"seen", O_RDWR|O_CREAT, &dbblock, TRUE, TRUE)))
3042 HDEBUG(D_acl) debug_printf_indent("database for 'seen' not available\n");
3043 *log_msgptr = US"database for 'seen' not available";
3047 dbd = dbfn_read_with_length(dbm, key, NULL);
3049 if (dbd) /* an existing record */
3051 time_t diff = now - dbd->time_stamp; /* time since the record was written */
3053 if (before ? diff >= interval : diff < interval)
3056 if (mode == SEEN_READONLY)
3057 { HDEBUG(D_acl) debug_printf_indent("seen db not written (readonly)\n"); }
3058 else if (mode == SEEN_WRITE || !before)
3060 dbd->time_stamp = now;
3061 dbfn_write(dbm, key, dbd, sizeof(*dbd));
3062 HDEBUG(D_acl) debug_printf_indent("seen db written (update)\n");
3064 else if (diff >= refresh)
3066 dbd->time_stamp = now - interval;
3067 dbfn_write(dbm, key, dbd, sizeof(*dbd));
3068 HDEBUG(D_acl) debug_printf_indent("seen db written (refresh)\n");
3072 { /* No record found, yield always FAIL */
3073 if (mode != SEEN_READONLY)
3075 dbdata_seen d = {.time_stamp = now};
3076 dbfn_write(dbm, key, &d, sizeof(*dbd));
3077 HDEBUG(D_acl) debug_printf_indent("seen db written (create)\n");
3080 HDEBUG(D_acl) debug_printf_indent("seen db not written (readonly)\n");
3088 *log_msgptr = string_sprintf("failed to parse '%s'", arg);
3091 *log_msgptr = string_sprintf("unrecognised option '%s' in '%s'", ele, arg);
3097 /*************************************************
3098 * The udpsend ACL modifier *
3099 *************************************************/
3101 /* Called by acl_check_condition() below.
3104 arg the option string for udpsend=
3105 log_msgptr for error messages
3107 Returns: OK - Completed.
3108 DEFER - Problem with DNS lookup.
3109 ERROR - Syntax error in options.
3113 acl_udpsend(const uschar *arg, uschar **log_msgptr)
3125 hostname = string_nextinlist(&arg, &sep, NULL, 0);
3126 portstr = string_nextinlist(&arg, &sep, NULL, 0);
3130 *log_msgptr = US"missing destination host in \"udpsend\" modifier";
3135 *log_msgptr = US"missing destination port in \"udpsend\" modifier";
3140 *log_msgptr = US"missing datagram payload in \"udpsend\" modifier";
3143 portnum = Ustrtol(portstr, &portend, 10);
3144 if (*portend != '\0')
3146 *log_msgptr = US"bad destination port in \"udpsend\" modifier";
3150 /* Make a single-item host list. */
3151 h = store_get(sizeof(host_item), GET_UNTAINTED);
3152 memset(h, 0, sizeof(host_item));
3157 if (string_is_ip_address(hostname, NULL))
3158 h->address = hostname, r = HOST_FOUND;
3160 r = host_find_byname(h, NULL, 0, NULL, FALSE);
3161 if (r == HOST_FIND_FAILED || r == HOST_FIND_AGAIN)
3163 *log_msgptr = US"DNS lookup failed in \"udpsend\" modifier";
3168 debug_printf_indent("udpsend [%s]:%d %s\n", h->address, portnum, arg);
3170 /*XXX this could better use sendto */
3171 r = s = ip_connectedsocket(SOCK_DGRAM, h->address, portnum, portnum,
3172 1, NULL, &errstr, NULL);
3173 if (r < 0) goto defer;
3175 r = send(s, arg, len, 0);
3178 errstr = US strerror(errno);
3186 string_sprintf("\"udpsend\" truncated from %d to %d octets", len, r);
3191 debug_printf_indent("udpsend %d bytes\n", r);
3196 *log_msgptr = string_sprintf("\"udpsend\" failed: %s", errstr);
3202 #ifndef DISABLE_WELLKNOWN
3203 /*************************************************
3204 * The "wellknown" ACL modifier *
3205 *************************************************/
3207 /* Called by acl_check_condition() below.
3209 Retrieve the given file and encode content as xtext.
3210 Prefix with a summary line giving the length of plaintext.
3211 Leave a global pointer to the whole, for output by
3212 the smtp verb handler code (smtp_in.c).
3215 arg the option string for wellknown=
3216 log_msgptr for error messages
3222 wellknown_process(const uschar * arg, uschar ** log_msgptr)
3224 struct stat statbuf;
3228 wellknown_response = NULL;
3229 if (f.no_multiline_responses) return FAIL;
3231 /* Check for file existence */
3233 if (!*arg) return FAIL;
3234 if (Ustat(arg, &statbuf) != 0)
3235 { *log_msgptr = US"stat"; goto fail; }
3237 /*XXX perhaps refuse to serve a group- or world-writeable file? */
3239 if (!(rf = Ufopen(arg, "r")))
3240 { *log_msgptr = US"open"; goto fail; }
3242 /* Set up summary line for output */
3244 g = string_fmt_append(NULL, "SIZE=%lu\n", (long) statbuf.st_size);
3247 for (int n = 0, ch; (ch = fgetc(rf)) != EOF; )
3249 /* Xtext-encode, adding output linebreaks for input linebreaks
3250 or when the line gets long enough */
3253 { g = string_fmt_append(g, "+%02X", ch); n = LINE_LIM; }
3254 else if (ch < 33 || ch > 126 || ch == '+' || ch == '=')
3255 { g = string_fmt_append(g, "+%02X", ch); n += 3; }
3257 { g = string_fmt_append(g, "%c", ch); n++; }
3260 { g = string_catn(g, US"\n", 1); n = 0; }
3264 gstring_release_unused(g);
3265 wellknown_response = string_from_gstring(g);
3269 *log_msgptr = string_sprintf("wellknown: failed to %s file \"%s\": %s",
3270 *log_msgptr, arg, strerror(errno));
3276 /*************************************************
3277 * Handle conditions/modifiers on an ACL item *
3278 *************************************************/
3280 /* Called from acl_check() below.
3284 cb ACL condition block - if NULL, result is OK
3285 where where called from
3286 addr the address being checked for RCPT, or NULL
3287 level the nesting level
3288 epp pointer to pass back TRUE if "endpass" encountered
3289 (applies only to "accept" and "discard")
3290 user_msgptr user message pointer
3291 log_msgptr log message pointer
3292 basic_errno pointer to where to put verify error
3294 Returns: OK - all conditions are met
3295 DISCARD - an "acl" condition returned DISCARD - only allowed
3296 for "accept" or "discard" verbs
3297 FAIL - at least one condition fails
3298 FAIL_DROP - an "acl" condition returned FAIL_DROP
3299 DEFER - can't tell at the moment (typically, lookup defer,
3300 but can be temporary callout problem)
3301 ERROR - ERROR from nested ACL or expansion failure or other
3306 acl_check_condition(int verb, acl_condition_block *cb, int where,
3307 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
3308 uschar **log_msgptr, int *basic_errno)
3310 uschar * user_message = NULL;
3311 uschar * log_message = NULL;
3314 for (; cb; cb = cb->next)
3318 BOOL textonly = FALSE;
3320 /* The message and log_message items set up messages to be used in
3321 case of rejection. They are expanded later. */
3323 if (cb->type == ACLC_MESSAGE)
3325 HDEBUG(D_acl) debug_printf_indent(" message: %s\n", cb->arg);
3326 user_message = cb->arg;
3330 if (cb->type == ACLC_LOG_MESSAGE)
3332 HDEBUG(D_acl) debug_printf_indent("l_message: %s\n", cb->arg);
3333 log_message = cb->arg;
3337 /* The endpass "condition" just sets a flag to show it occurred. This is
3338 checked at compile time to be on an "accept" or "discard" item. */
3340 if (cb->type == ACLC_ENDPASS)
3346 /* For other conditions and modifiers, the argument is expanded now for some
3347 of them, but not for all, because expansion happens down in some lower level
3348 checking functions in some cases. */
3350 if (!(conditions[cb->type].flags & ACD_EXP))
3353 else if (!(arg = expand_string_2(cb->arg, &textonly)))
3355 if (f.expand_string_forcedfail) continue;
3356 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
3357 cb->arg, expand_string_message);
3358 return f.search_find_defer ? DEFER : ERROR;
3361 /* Show condition, and expanded condition if it's different */
3366 debug_printf_indent("check %s%s %n",
3367 (!(conditions[cb->type].flags & ACD_MOD) && cb->u.negated) ? "!":"",
3368 conditions[cb->type].name, &lhswidth);
3370 if (cb->type == ACLC_SET)
3372 #ifndef DISABLE_DKIM
3373 if ( Ustrcmp(cb->u.varname, "dkim_verify_status") == 0
3374 || Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
3376 debug_printf("%s ", cb->u.varname);
3382 debug_printf("acl_%s ", cb->u.varname);
3383 lhswidth += 5 + Ustrlen(cb->u.varname);
3387 debug_printf("= %s\n", cb->arg);
3390 debug_printf("%.*s= %s\n", lhswidth,
3394 /* Check that this condition makes sense at this time */
3396 if ((conditions[cb->type].forbids & (1 << where)) != 0)
3398 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
3399 conditions[cb->type].flags & ACD_MOD ? "use" : "test",
3400 conditions[cb->type].name, acl_wherenames[where]);
3404 /* Run the appropriate test for each condition, or take the appropriate
3405 action for the remaining modifiers. */
3409 case ACLC_ADD_HEADER:
3413 /* A nested ACL that returns "discard" makes sense only for an "accept" or
3417 rc = acl_check_wargs(where, addr, arg, user_msgptr, log_msgptr);
3418 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
3420 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
3421 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
3427 case ACLC_AUTHENTICATED:
3428 rc = sender_host_authenticated ? match_isinlist(sender_host_authenticated,
3429 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL) : FAIL;
3432 #ifdef EXPERIMENTAL_BRIGHTMAIL
3433 case ACLC_BMI_OPTIN:
3435 int old_pool = store_pool;
3436 store_pool = POOL_PERM;
3437 bmi_current_optin = string_copy(arg);
3438 store_pool = old_pool;
3443 case ACLC_CONDITION:
3444 /* The true/false parsing here should be kept in sync with that used in
3445 expand.c when dealing with ECOND_BOOL so that we don't have too many
3446 different definitions of what can be a boolean. */
3448 ? Ustrspn(arg+1, "0123456789") == Ustrlen(arg+1) /* Negative number */
3449 : Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
3450 rc = (Uatoi(arg) == 0)? FAIL : OK;
3452 rc = (strcmpic(arg, US"no") == 0 ||
3453 strcmpic(arg, US"false") == 0)? FAIL :
3454 (strcmpic(arg, US"yes") == 0 ||
3455 strcmpic(arg, US"true") == 0)? OK : DEFER;
3457 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
3460 case ACLC_CONTINUE: /* Always succeeds */
3465 const uschar * p = NULL;
3466 control_type = decode_control(arg, &p, where, log_msgptr);
3468 /* Check if this control makes sense at this time */
3470 if (controls_list[control_type].forbids & (1 << where))
3472 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
3473 controls_list[control_type].name, acl_wherenames[where]);
3477 /*XXX ought to sort these, just for sanity */
3478 switch(control_type)
3480 case CONTROL_AUTH_UNADVERTISED:
3481 f.allow_auth_unadvertised = TRUE;
3484 #ifdef EXPERIMENTAL_BRIGHTMAIL
3485 case CONTROL_BMI_RUN:
3490 #ifndef DISABLE_DKIM
3491 case CONTROL_DKIM_VERIFY:
3492 f.dkim_disable_verify = TRUE;
3493 # ifdef SUPPORT_DMARC
3494 /* Since DKIM was blocked, skip DMARC too */
3495 f.dmarc_disable_verify = TRUE;
3496 f.dmarc_enable_forensic = FALSE;
3501 #ifdef SUPPORT_DMARC
3502 case CONTROL_DMARC_VERIFY:
3503 f.dmarc_disable_verify = TRUE;
3506 case CONTROL_DMARC_FORENSIC:
3507 f.dmarc_enable_forensic = TRUE;
3514 int fd, af, level, optname, value;
3515 /* If we are acting on stdin, the setsockopt may fail if stdin is not
3516 a socket; we can accept that, we'll just debug-log failures anyway. */
3517 fd = fileno(smtp_in);
3518 if ((af = ip_get_address_family(fd)) < 0)
3521 debug_printf_indent("smtp input is probably not a socket [%s], not setting DSCP\n",
3525 if (dscp_lookup(p+1, af, &level, &optname, &value))
3526 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3528 HDEBUG(D_acl) debug_printf_indent("failed to set input DSCP[%s]: %s\n",
3529 p+1, strerror(errno));
3533 HDEBUG(D_acl) debug_printf_indent("set input DSCP to \"%s\"\n", p+1);
3537 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3543 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3551 case CONTROL_CASEFUL_LOCAL_PART:
3552 deliver_localpart = addr->cc_local_part;
3555 case CONTROL_CASELOWER_LOCAL_PART:
3556 deliver_localpart = addr->lc_local_part;
3559 case CONTROL_ENFORCE_SYNC:
3560 smtp_enforce_sync = TRUE;
3563 case CONTROL_NO_ENFORCE_SYNC:
3564 smtp_enforce_sync = FALSE;
3567 #ifdef WITH_CONTENT_SCAN
3568 case CONTROL_NO_MBOX_UNSPOOL:
3569 f.no_mbox_unspool = TRUE;
3573 case CONTROL_NO_MULTILINE:
3574 f.no_multiline_responses = TRUE;
3577 case CONTROL_NO_PIPELINING:
3578 f.pipelining_enable = FALSE;
3581 case CONTROL_NO_DELAY_FLUSH:
3582 f.disable_delay_flush = TRUE;
3585 case CONTROL_NO_CALLOUT_FLUSH:
3586 f.disable_callout_flush = TRUE;
3589 case CONTROL_FAKEREJECT:
3590 cancel_cutthrough_connection(TRUE, US"fakereject");
3591 case CONTROL_FAKEDEFER:
3592 fake_response = control_type == CONTROL_FAKEDEFER ? DEFER : FAIL;
3595 const uschar *pp = p + 1;
3597 /* The entire control= line was expanded at top so no need to expand
3598 the part after the / */
3599 fake_response_text = string_copyn(p+1, pp-p-1);
3602 else /* Explicitly reset to default string */
3603 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
3606 case CONTROL_FREEZE:
3607 f.deliver_freeze = TRUE;
3608 deliver_frozen_at = time(NULL);
3609 freeze_tell = freeze_tell_config; /* Reset to configured value */
3610 if (Ustrncmp(p, "/no_tell", 8) == 0)
3617 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3620 cancel_cutthrough_connection(TRUE, US"item frozen");
3624 f.queue_only_policy = TRUE;
3625 if (Ustrcmp(p, "_only") == 0)
3627 else while (*p == '/')
3628 if (Ustrncmp(p, "/only", 5) == 0)
3629 { p += 5; f.queue_smtp = FALSE; }
3630 else if (Ustrncmp(p, "/first_pass_route", 17) == 0)
3631 { p += 17; f.queue_smtp = TRUE; }
3634 cancel_cutthrough_connection(TRUE, US"queueing forced");
3637 case CONTROL_SUBMISSION:
3638 originator_name = US"";
3639 f.submission_mode = TRUE;
3642 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3645 f.active_local_sender_retain = TRUE;
3646 f.active_local_from_check = FALSE;
3648 else if (Ustrncmp(p, "/domain=", 8) == 0)
3650 const uschar *pp = p + 8;
3651 while (*pp && *pp != '/') pp++;
3652 submission_domain = string_copyn(p+8, pp-p-8);
3655 /* The name= option must be last, because it swallows the rest of
3657 else if (Ustrncmp(p, "/name=", 6) == 0)
3659 const uschar *pp = p + 6;
3661 submission_name = parse_fix_phrase(p+6, pp-p-6);
3668 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3675 uschar * debug_tag = NULL, * debug_opts = NULL;
3676 BOOL kill = FALSE, stop = FALSE;
3680 const uschar * pp = p+1;
3681 if (Ustrncmp(pp, "tag=", 4) == 0)
3683 for (pp += 4; *pp && *pp != '/';) pp++;
3684 debug_tag = string_copyn(p+5, pp-p-5);
3686 else if (Ustrncmp(pp, "opts=", 5) == 0)
3688 for (pp += 5; *pp && *pp != '/';) pp++;
3689 debug_opts = string_copyn(p+6, pp-p-6);
3691 else if (Ustrncmp(pp, "kill", 4) == 0)
3696 else if (Ustrncmp(pp, "stop", 4) == 0)
3701 else if (Ustrncmp(pp, "pretrigger=", 11) == 0)
3702 debug_pretrigger_setup(pp+11);
3703 else if (Ustrncmp(pp, "trigger=", 8) == 0)
3705 if (Ustrncmp(pp += 8, "now", 3) == 0)
3708 debug_trigger_fire();
3710 else if (Ustrncmp(pp, "paniclog", 8) == 0)
3713 dtrigger_selector |= BIT(DTi_panictrigger);
3716 while (*pp && *pp != '/') pp++;
3721 debug_logging_stop(TRUE);
3723 debug_logging_stop(FALSE);
3724 else if (debug_tag || debug_opts)
3725 debug_logging_activate(debug_tag, debug_opts);
3729 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3730 f.suppress_local_fixups = TRUE;
3733 case CONTROL_CUTTHROUGH_DELIVERY:
3735 uschar * ignored = NULL;
3736 #ifndef DISABLE_PRDR
3741 /* Too hard to think about for now. We might in future cutthrough
3742 the case where both sides handle prdr and this-node prdr acl
3744 ignored = US"PRDR active";
3745 else if (f.deliver_freeze)
3746 ignored = US"frozen";
3747 else if (f.queue_only_policy)
3748 ignored = US"queue-only";
3749 else if (fake_response == FAIL)
3750 ignored = US"fakereject";
3751 else if (rcpt_count != 1)
3752 ignored = US"nonfirst rcpt";
3753 else if (cutthrough.delivery)
3754 ignored = US"repeated";
3755 else if (cutthrough.callout_hold_only)
3758 debug_printf_indent(" cutthrough request upgrades callout hold\n");
3759 cutthrough.callout_hold_only = FALSE;
3760 cutthrough.delivery = TRUE; /* control accepted */
3764 cutthrough.delivery = TRUE; /* control accepted */
3767 const uschar * pp = p+1;
3768 if (Ustrncmp(pp, "defer=", 6) == 0)
3771 if (Ustrncmp(pp, "pass", 4) == 0) cutthrough.defer_pass = TRUE;
3772 /* else if (Ustrncmp(pp, "spool") == 0) ; default */
3775 while (*pp && *pp != '/') pp++;
3780 DEBUG(D_acl) if (ignored)
3781 debug_printf(" cutthrough request ignored on %s item\n", ignored);
3786 case CONTROL_UTF8_DOWNCONVERT:
3791 message_utf8_downconvert = 1;
3792 addr->prop.utf8_downcvt = TRUE;
3793 addr->prop.utf8_downcvt_maybe = FALSE;
3799 message_utf8_downconvert = 0;
3800 addr->prop.utf8_downcvt = FALSE;
3801 addr->prop.utf8_downcvt_maybe = FALSE;
3805 if (p[1] == '-' && p[2] == '1')
3807 message_utf8_downconvert = -1;
3808 addr->prop.utf8_downcvt = FALSE;
3809 addr->prop.utf8_downcvt_maybe = TRUE;
3813 *log_msgptr = US"bad option value for control=utf8_downconvert";
3817 message_utf8_downconvert = 1;
3818 addr->prop.utf8_downcvt = TRUE;
3819 addr->prop.utf8_downcvt_maybe = FALSE;
3825 #ifndef DISABLE_WELLKNOWN
3826 case CONTROL_WELLKNOWN:
3827 rc = *p == '/' ? wellknown_process(p+1, log_msgptr) : FAIL;
3834 #ifdef EXPERIMENTAL_DCC
3837 /* Separate the regular expression and any optional parameters. */
3838 const uschar * list = arg;
3840 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
3841 /* Run the dcc backend. */
3842 rc = dcc_process(&ss);
3843 /* Modify return code based upon the existence of options. */
3844 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
3845 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3846 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
3851 #ifdef WITH_CONTENT_SCAN
3853 rc = mime_decode(&arg);
3859 int delay = readconf_readtime(arg, 0, FALSE);
3862 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3863 "modifier: \"%s\" is not a time value", arg);
3868 HDEBUG(D_acl) debug_printf_indent("delay modifier requests %d-second delay\n",
3873 debug_printf_indent("delay skipped in -bh checking mode\n");
3876 /* NOTE 1: Remember that we may be
3877 dealing with stdin/stdout here, in addition to TCP/IP connections.
3878 Also, delays may be specified for non-SMTP input, where smtp_out and
3879 smtp_in will be NULL. Whatever is done must work in all cases.
3881 NOTE 2: The added feature of flushing the output before a delay must
3882 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3887 if (smtp_out && !f.disable_delay_flush)
3890 #if !defined(NO_POLL_H) && defined (POLLRDHUP)
3896 p.fd = fileno(smtp_out);
3897 p.events = POLLRDHUP;
3900 if (poll(&p, n, delay*1000) > 0)
3901 HDEBUG(D_acl) debug_printf_indent("delay cancelled by peer close\n");
3904 /* Lacking POLLRDHUP it appears to be impossible to detect that a
3905 TCP/IP connection has gone away without reading from it. This means
3906 that we cannot shorten the delay below if the client goes away,
3907 because we cannot discover that the client has closed its end of the
3908 connection. (The connection is actually in a half-closed state,
3909 waiting for the server to close its end.) It would be nice to be able
3910 to detect this state, so that the Exim process is not held up
3911 unnecessarily. However, it seems that we can't. The poll() function
3912 does not do the right thing, and in any case it is not always
3915 while (delay > 0) delay = sleep(delay);
3922 #ifndef DISABLE_DKIM
3923 case ACLC_DKIM_SIGNER:
3924 if (dkim_cur_signer)
3925 rc = match_isinlist(dkim_cur_signer,
3926 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3931 case ACLC_DKIM_STATUS:
3932 { /* return good for any match */
3933 const uschar * s = dkim_verify_status ? dkim_verify_status : US"none";
3935 for (uschar * ss; ss = string_nextinlist(&s, &sep, NULL, 0); )
3936 if ( (rc = match_isinlist(ss, &arg,
3937 0, NULL, NULL, MCL_STRING, TRUE, NULL))
3943 #ifdef SUPPORT_DMARC
3944 case ACLC_DMARC_STATUS:
3945 if (!f.dmarc_has_been_checked)
3947 f.dmarc_has_been_checked = TRUE;
3949 /* used long way of dmarc_exim_expand_query() in case we need more
3950 view into the process in the future. */
3951 rc = match_isinlist(dmarc_exim_expand_query(DMARC_VERIFY_STATUS),
3952 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3957 rc = verify_check_dnsbl(where, &arg, log_msgptr);
3961 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3962 addr->domain_cache, MCL_DOMAIN, TRUE, CUSS &deliver_domain_data);
3965 /* The value in tls_cipher is the full cipher name, for example,
3966 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3967 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3968 what may in practice come out of the SSL library - which at the time of
3969 writing is poorly documented. */
3971 case ACLC_ENCRYPTED:
3972 if (!tls_in.cipher) rc = FAIL;
3975 uschar *endcipher = NULL;
3976 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3977 if (!cipher) cipher = tls_in.cipher; else
3979 endcipher = Ustrchr(++cipher, ':');
3980 if (endcipher) *endcipher = 0;
3982 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3983 if (endcipher) *endcipher = ':';
3987 /* Use verify_check_this_host() instead of verify_check_host() so that
3988 we can pass over &host_data to catch any looked up data. Once it has been
3989 set, it retains its value so that it's still there if another ACL verb
3990 comes through here and uses the cache. However, we must put it into
3991 permanent store in case it is also expected to be used in a subsequent
3992 message in the same SMTP connection. */
3995 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3996 sender_host_address ? sender_host_address : US"", CUSS &host_data);
3997 if (rc == DEFER) *log_msgptr = search_error_message;
3998 if (host_data) host_data = string_copy_perm(host_data, TRUE);
4001 case ACLC_LOCAL_PARTS:
4002 rc = match_isinlist(addr->cc_local_part, &arg, 0,
4003 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
4004 CUSS &deliver_localpart_data);
4007 case ACLC_LOG_REJECT_TARGET:
4009 int logbits = 0, sep = 0;
4010 const uschar * s = arg;
4012 for (uschar * ss; ss = string_nextinlist(&s, &sep, NULL, 0); )
4014 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
4015 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
4016 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
4019 logbits |= LOG_MAIN|LOG_REJECT;
4020 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
4021 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
4024 log_reject_target = logbits;
4031 const uschar *s = arg;
4037 if (Ustrncmp(s, "main", 4) == 0)
4038 { logbits |= LOG_MAIN; s += 4; }
4039 else if (Ustrncmp(s, "panic", 5) == 0)
4040 { logbits |= LOG_PANIC; s += 5; }
4041 else if (Ustrncmp(s, "reject", 6) == 0)
4042 { logbits |= LOG_REJECT; s += 6; }
4045 logbits = LOG_MAIN|LOG_PANIC;
4046 s = string_sprintf(":unknown log name in \"%s\" in "
4047 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
4053 Uskip_whitespace(&s);
4055 if (logbits == 0) logbits = LOG_MAIN;
4056 log_write(0, logbits, "%s", string_printing(s));
4060 #ifdef WITH_CONTENT_SCAN
4061 case ACLC_MALWARE: /* Run the malware backend. */
4063 /* Separate the regular expression and any optional parameters. */
4064 const uschar * list = arg;
4065 BOOL defer_ok = FALSE;
4066 int timeout = 0, sep = -'/';
4067 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
4069 for (uschar * opt; opt = string_nextinlist(&list, &sep, NULL, 0); )
4070 if (strcmpic(opt, US"defer_ok") == 0)
4072 else if ( strncmpic(opt, US"tmo=", 4) == 0
4073 && (timeout = readconf_readtime(opt+4, '\0', FALSE)) < 0
4076 *log_msgptr = string_sprintf("bad timeout value in '%s'", opt);
4080 rc = malware(ss, textonly, timeout);
4081 if (rc == DEFER && defer_ok)
4082 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
4086 case ACLC_MIME_REGEX:
4087 rc = mime_regex(&arg, textonly);
4092 if (is_tainted(arg))
4094 *log_msgptr = string_sprintf("Tainted name '%s' for queue not permitted",
4098 if (Ustrchr(arg, '/'))
4100 *log_msgptr = string_sprintf(
4101 "Directory separator not permitted in queue name: '%s'", arg);
4104 queue_name = string_copy_perm(arg, FALSE);
4107 case ACLC_RATELIMIT:
4108 rc = acl_ratelimit(arg, where, log_msgptr);
4111 case ACLC_RECIPIENTS:
4112 rc = match_address_list(CUS addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
4113 CUSS &recipient_data);
4116 #ifdef WITH_CONTENT_SCAN
4118 rc = regex(&arg, textonly);
4122 case ACLC_REMOVE_HEADER:
4123 setup_remove_header(arg);
4127 rc = acl_seen(arg, where, log_msgptr);
4130 case ACLC_SENDER_DOMAINS:
4133 sdomain = Ustrrchr(sender_address, '@');
4134 sdomain = sdomain ? sdomain + 1 : US"";
4135 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
4136 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
4141 rc = match_address_list(CUS sender_address, TRUE, TRUE, &arg,
4142 sender_address_cache, -1, 0, CUSS &sender_data);
4145 /* Connection variables must persist forever; message variables not */
4149 int old_pool = store_pool;
4150 if ( cb->u.varname[0] != 'm'
4151 #ifndef DISABLE_EVENT
4152 || event_name /* An event is being delivered */
4155 store_pool = POOL_PERM;
4156 #ifndef DISABLE_DKIM /* Overwriteable dkim result variables */
4157 if (Ustrcmp(cb->u.varname, "dkim_verify_status") == 0)
4158 dkim_verify_status = string_copy(arg);
4159 else if (Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
4160 dkim_verify_reason = string_copy(arg);
4163 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
4164 store_pool = old_pool;
4168 #ifdef WITH_CONTENT_SCAN
4171 /* Separate the regular expression and any optional parameters. */
4172 const uschar * list = arg;
4174 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
4176 rc = spam(CUSS &ss);
4177 /* Modify return code based upon the existence of options. */
4178 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
4179 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
4180 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
4187 case ACLC_SPF_GUESS:
4188 /* Hardwire the offset of the function in the module functions table
4189 for now. Work out a more general mech later. */
4191 misc_module_info * mi = misc_mod_find(US"spf", &log_message);
4192 typedef int (*fn_t)(const uschar **, const uschar *, int);
4196 { rc = DEFER; break; } /* shouldn't happen */
4198 fn = ((fn_t *) mi->functions)[1];
4200 rc = fn(&arg, sender_address,
4201 cb->type == ACLC_SPF ? SPF_PROCESS_NORMAL : SPF_PROCESS_GUESS);
4207 rc = acl_udpsend(arg, log_msgptr);
4210 /* If the verb is WARN, discard any user message from verification, because
4211 such messages are SMTP responses, not header additions. The latter come
4212 only from explicit "message" modifiers. However, put the user message into
4213 $acl_verify_message so it can be used in subsequent conditions or modifiers
4214 (until something changes it). */
4217 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
4219 acl_verify_message = *user_msgptr;
4220 if (verb == ACL_WARN) *user_msgptr = NULL;
4224 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
4225 "condition %d", cb->type);
4229 /* If a condition was negated, invert OK/FAIL. */
4231 if (!(conditions[cb->type].flags & ACD_MOD) && cb->u.negated)
4232 if (rc == OK) rc = FAIL;
4233 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
4235 if (rc != OK) break; /* Conditions loop */
4239 /* If the result is the one for which "message" and/or "log_message" are used,
4240 handle the values of these modifiers. If there isn't a log message set, we make
4241 it the same as the user message.
4243 "message" is a user message that will be included in an SMTP response. Unless
4244 it is empty, it overrides any previously set user message.
4246 "log_message" is a non-user message, and it adds to any existing non-user
4247 message that is already set.
4249 Most verbs have but a single return for which the messages are relevant, but
4250 for "discard", it's useful to have the log message both when it succeeds and
4251 when it fails. For "accept", the message is used in the OK case if there is no
4252 "endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
4255 if (*epp && rc == OK) user_message = NULL;
4257 if ((BIT(rc) & msgcond[verb]) != 0)
4260 uschar *old_user_msgptr = *user_msgptr;
4261 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
4263 /* If the verb is "warn", messages generated by conditions (verification or
4264 nested ACLs) are always discarded. This also happens for acceptance verbs
4265 when they actually do accept. Only messages specified at this level are used.
4266 However, the value of an existing message is available in $acl_verify_message
4267 during expansions. */
4269 if (verb == ACL_WARN ||
4270 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
4271 *log_msgptr = *user_msgptr = NULL;
4275 acl_verify_message = old_user_msgptr;
4276 expmessage = expand_string(user_message);
4279 if (!f.expand_string_forcedfail)
4280 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
4281 user_message, expand_string_message);
4283 else if (expmessage[0] != 0) *user_msgptr = expmessage;
4288 acl_verify_message = old_log_msgptr;
4289 expmessage = expand_string(log_message);
4292 if (!f.expand_string_forcedfail)
4293 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
4294 log_message, expand_string_message);
4296 else if (expmessage[0] != 0)
4298 *log_msgptr = (*log_msgptr == NULL)? expmessage :
4299 string_sprintf("%s: %s", expmessage, *log_msgptr);
4303 /* If no log message, default it to the user message */
4305 if (!*log_msgptr) *log_msgptr = *user_msgptr;
4308 acl_verify_message = NULL;
4316 /*************************************************
4317 * Get line from a literal ACL *
4318 *************************************************/
4320 /* This function is passed to acl_read() in order to extract individual lines
4321 of a literal ACL, which we access via static pointers. We can destroy the
4322 contents because this is called only once (the compiled ACL is remembered).
4324 This code is intended to treat the data in the same way as lines in the main
4325 Exim configuration file. That is:
4327 . Leading spaces are ignored.
4329 . A \ at the end of a line is a continuation - trailing spaces after the \
4330 are permitted (this is because I don't believe in making invisible things
4331 significant). Leading spaces on the continued part of a line are ignored.
4333 . Physical lines starting (significantly) with # are totally ignored, and
4334 may appear within a sequence of backslash-continued lines.
4336 . Blank lines are ignored, but will end a sequence of continuations.
4339 Returns: a pointer to the next line
4343 static uschar *acl_text; /* Current pointer in the text */
4344 static uschar *acl_text_end; /* Points one past the terminating '0' */
4352 /* This loop handles leading blank lines and comments. */
4356 Uskip_whitespace(&acl_text); /* Leading spaces/empty lines */
4357 if (!*acl_text) return NULL; /* No more data */
4358 yield = acl_text; /* Potential data line */
4360 while (*acl_text && *acl_text != '\n') acl_text++;
4362 /* If we hit the end before a newline, we have the whole logical line. If
4363 it's a comment, there's no more data to be given. Otherwise, yield it. */
4365 if (!*acl_text) return *yield == '#' ? NULL : yield;
4367 /* After reaching a newline, end this loop if the physical line does not
4368 start with '#'. If it does, it's a comment, and the loop continues. */
4370 if (*yield != '#') break;
4373 /* This loop handles continuations. We know we have some real data, ending in
4374 newline. See if there is a continuation marker at the end (ignoring trailing
4375 white space). We know that *yield is not white space, so no need to test for
4376 cont > yield in the backwards scanning loop. */
4381 for (cont = acl_text - 1; isspace(*cont); cont--);
4383 /* If no continuation follows, we are done. Mark the end of the line and
4392 /* We have encountered a continuation. Skip over whitespace at the start of
4393 the next line, and indeed the whole of the next line or lines if they are
4398 while (*(++acl_text) == ' ' || *acl_text == '\t');
4399 if (*acl_text != '#') break;
4400 while (*(++acl_text) != 0 && *acl_text != '\n');
4403 /* We have the start of a continuation line. Move all the rest of the data
4404 to join onto the previous line, and then find its end. If the end is not a
4405 newline, we are done. Otherwise loop to look for another continuation. */
4407 memmove(cont, acl_text, acl_text_end - acl_text);
4408 acl_text_end -= acl_text - cont;
4410 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
4411 if (*acl_text == 0) return yield;
4414 /* Control does not reach here */
4421 /************************************************/
4422 /* For error messages, a string describing the config location
4423 associated with current processing. NULL if not in an ACL. */
4426 acl_current_verb(void)
4428 if (acl_current) return string_sprintf(" (ACL %s, %s %d)",
4429 verbs[acl_current->verb], acl_current->srcfile, acl_current->srcline);
4433 /*************************************************
4434 * Check access using an ACL *
4435 *************************************************/
4437 /* This function is called from address_check. It may recurse via
4438 acl_check_condition() - hence the use of a level to stop looping. The ACL is
4439 passed as a string which is expanded. A forced failure implies no access check
4440 is required. If the result is a single word, it is taken as the name of an ACL
4441 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
4442 text, complete with newlines, and parsed as such. In both cases, the ACL check
4443 is then run. This function uses an auxiliary function for acl_read() to call
4444 for reading individual lines of a literal ACL. This is acl_getline(), which
4445 appears immediately above.
4448 where where called from
4449 addr address item when called from RCPT; otherwise NULL
4450 s the input string; NULL is the same as an empty ACL => DENY
4451 user_msgptr where to put a user error (for SMTP response)
4452 log_msgptr where to put a logging message (not for SMTP response)
4454 Returns: OK access is granted
4455 DISCARD access is apparently granted...
4456 FAIL access is denied
4457 FAIL_DROP access is denied; drop the connection
4458 DEFER can't tell at the moment
4463 acl_check_internal(int where, address_item *addr, uschar *s,
4464 uschar **user_msgptr, uschar **log_msgptr)
4467 acl_block *acl = NULL;
4468 uschar *acl_name = US"inline ACL";
4471 /* Catch configuration loops */
4475 *log_msgptr = US"ACL nested too deep: possible loop";
4481 HDEBUG(D_acl) debug_printf_indent("ACL is NULL: implicit DENY\n");
4485 /* At top level, we expand the incoming string. At lower levels, it has already
4486 been expanded as part of condition processing. */
4490 else if (!(ss = expand_string(s)))
4492 if (f.expand_string_forcedfail) return OK;
4493 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
4494 expand_string_message);
4498 Uskip_whitespace(&ss);
4500 /* If we can't find a named ACL, the default is to parse it as an inline one.
4501 (Unless it begins with a slash; non-existent files give rise to an error.) */
4505 if (is_tainted(acl_text) && !f.running_in_test_harness)
4507 log_write(0, LOG_MAIN|LOG_PANIC,
4508 "attempt to use tainted ACL text \"%s\"", acl_text);
4509 /* Avoid leaking info to an attacker */
4510 *log_msgptr = US"internal configuration error";
4514 /* Handle the case of a string that does not contain any spaces. Look for a
4515 named ACL among those read from the configuration, or a previously read file.
4516 It is possible that the pointer to the ACL is NULL if the configuration
4517 contains a name with no data. If not found, and the text begins with '/',
4518 read an ACL from a file, and save it so it can be re-used. */
4520 if (Ustrchr(ss, ' ') == NULL)
4522 tree_node * t = tree_search(acl_anchor, ss);
4525 if (!(acl = (acl_block *)(t->data.ptr)))
4527 HDEBUG(D_acl) debug_printf_indent("ACL \"%s\" is empty: implicit DENY\n", ss);
4530 acl_name = string_sprintf("ACL \"%s\"", ss);
4531 HDEBUG(D_acl) debug_printf_indent("using ACL \"%s\"\n", ss);
4534 else if (*ss == '/')
4536 struct stat statbuf;
4537 if ((fd = Uopen(ss, O_RDONLY, 0)) < 0)
4539 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
4543 if (fstat(fd, &statbuf) != 0)
4545 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
4550 /* If the string being used as a filename is tainted, so is the file content */
4551 acl_text = store_get(statbuf.st_size + 1, ss);
4552 acl_text_end = acl_text + statbuf.st_size + 1;
4554 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
4556 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
4557 ss, strerror(errno));
4560 acl_text[statbuf.st_size] = 0;
4563 acl_name = string_sprintf("ACL \"%s\"", ss);
4564 HDEBUG(D_acl) debug_printf_indent("read ACL from file %s\n", ss);
4568 /* Parse an ACL that is still in text form. If it came from a file, remember it
4569 in the ACL tree, having read it into the POOL_PERM store pool so that it
4570 persists between multiple messages. */
4574 int old_pool = store_pool;
4575 if (fd >= 0) store_pool = POOL_PERM;
4576 acl = acl_read(acl_getline, log_msgptr);
4577 store_pool = old_pool;
4578 if (!acl && *log_msgptr) return ERROR;
4581 tree_node * t = store_get_perm(sizeof(tree_node) + Ustrlen(ss), ss);
4582 Ustrcpy(t->name, ss);
4584 (void)tree_insertnode(&acl_anchor, t);
4588 /* Now we have an ACL to use. It's possible it may be NULL. */
4590 while ((acl_current = acl))
4593 int basic_errno = 0;
4594 BOOL endpass_seen = FALSE;
4595 BOOL acl_quit_check = acl_level == 0
4596 && (where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT);
4598 *log_msgptr = *user_msgptr = NULL;
4599 f.acl_temp_details = FALSE;
4601 HDEBUG(D_acl) debug_printf_indent("processing \"%s\" (%s %d)\n",
4602 verbs[acl->verb], acl->srcfile, acl->srcline);
4604 /* Clear out any search error message from a previous check before testing
4607 search_error_message = NULL;
4608 cond = acl_check_condition(acl->verb, acl->condition, where, addr, acl_level,
4609 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
4611 /* Handle special returns: DEFER causes a return except on a WARN verb;
4612 ERROR always causes a return. */
4617 HDEBUG(D_acl) debug_printf_indent("%s: condition test deferred in %s\n",
4618 verbs[acl->verb], acl_name);
4619 if (basic_errno != ERRNO_CALLOUTDEFER)
4621 if (search_error_message && *search_error_message)
4622 *log_msgptr = search_error_message;
4623 if (smtp_return_error_details) f.acl_temp_details = TRUE;
4626 f.acl_temp_details = TRUE;
4627 if (acl->verb != ACL_WARN) return DEFER;
4630 default: /* Paranoia */
4632 HDEBUG(D_acl) debug_printf_indent("%s: condition test error in %s\n",
4633 verbs[acl->verb], acl_name);
4637 HDEBUG(D_acl) debug_printf_indent("%s: condition test succeeded in %s\n",
4638 verbs[acl->verb], acl_name);
4642 HDEBUG(D_acl) debug_printf_indent("%s: condition test failed in %s\n",
4643 verbs[acl->verb], acl_name);
4646 /* DISCARD and DROP can happen only from a nested ACL condition, and
4647 DISCARD can happen only for an "accept" or "discard" verb. */
4650 HDEBUG(D_acl) debug_printf_indent("%s: condition test yielded \"discard\" in %s\n",
4651 verbs[acl->verb], acl_name);
4655 HDEBUG(D_acl) debug_printf_indent("%s: condition test yielded \"drop\" in %s\n",
4656 verbs[acl->verb], acl_name);
4660 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
4661 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
4662 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
4667 if (cond == OK || cond == DISCARD)
4669 HDEBUG(D_acl) debug_printf_indent("end of %s: ACCEPT\n", acl_name);
4674 HDEBUG(D_acl) debug_printf_indent("accept: endpass encountered - denying access\n");
4682 HDEBUG(D_acl) debug_printf_indent("end of %s: DEFER\n", acl_name);
4683 if (acl_quit_check) goto badquit;
4684 f.acl_temp_details = TRUE;
4692 HDEBUG(D_acl) debug_printf_indent("end of %s: DENY\n", acl_name);
4693 if (acl_quit_check) goto badquit;
4699 if (cond == OK || cond == DISCARD)
4701 HDEBUG(D_acl) debug_printf_indent("end of %s: DISCARD\n", acl_name);
4702 if (acl_quit_check) goto badquit;
4708 debug_printf_indent("discard: endpass encountered - denying access\n");
4716 HDEBUG(D_acl) debug_printf_indent("end of %s: DROP\n", acl_name);
4717 if (acl_quit_check) goto badquit;
4725 HDEBUG(D_acl) debug_printf_indent("end of %s: not OK\n", acl_name);
4726 if (acl_quit_check) goto badquit;
4733 acl_warn(where, *user_msgptr, *log_msgptr);
4734 else if (cond == DEFER && LOGGING(acl_warn_skipped))
4735 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
4736 "condition test deferred%s%s", host_and_ident(TRUE),
4737 *log_msgptr ? US": " : US"",
4738 *log_msgptr ? *log_msgptr : US"");
4739 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
4743 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
4748 /* Pass to the next ACL item */
4753 /* We have reached the end of the ACL. This is an implicit DENY. */
4755 HDEBUG(D_acl) debug_printf_indent("end of %s: implicit DENY\n", acl_name);
4759 *log_msgptr = string_sprintf("QUIT or not-QUIT toplevel ACL may not fail "
4760 "('%s' verb used incorrectly)", verbs[acl->verb]);
4767 /* Same args as acl_check_internal() above, but the string s is
4768 the name of an ACL followed optionally by up to 9 space-separated arguments.
4769 The name and args are separately expanded. Args go into $acl_arg globals. */
4771 acl_check_wargs(int where, address_item *addr, const uschar *s,
4772 uschar **user_msgptr, uschar **log_msgptr)
4775 uschar * tmp_arg[9]; /* must match acl_arg[] */
4776 uschar * sav_arg[9]; /* must match acl_arg[] */
4782 if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
4785 for (i = 0; i < 9; i++)
4787 if (!Uskip_whitespace(&s))
4789 if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
4796 sav_narg = acl_narg;
4798 for (i = 0; i < acl_narg; i++)
4800 sav_arg[i] = acl_arg[i];
4801 acl_arg[i] = tmp_arg[i];
4805 sav_arg[i] = acl_arg[i];
4806 acl_arg[i++] = NULL;
4810 ret = acl_check_internal(where, addr, name, user_msgptr, log_msgptr);
4813 acl_narg = sav_narg;
4814 for (i = 0; i < 9; i++) acl_arg[i] = sav_arg[i];
4818 if (f.expand_string_forcedfail) return ERROR;
4819 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
4820 tmp, expand_string_message);
4821 return f.search_find_defer ? DEFER : ERROR;
4826 /*************************************************
4827 * Check access using an ACL *
4828 *************************************************/
4830 /* Alternate interface for ACL, used by expansions */
4832 acl_eval(int where, uschar *s, uschar **user_msgptr, uschar **log_msgptr)
4835 address_item *addr = NULL;
4838 *user_msgptr = *log_msgptr = NULL;
4839 sender_verified_failed = NULL;
4840 ratelimiters_cmd = NULL;
4841 log_reject_target = LOG_MAIN|LOG_REJECT;
4843 if (where == ACL_WHERE_RCPT)
4845 adb = address_defaults;
4847 addr->address = expand_string(US"$local_part@$domain");
4848 addr->domain = deliver_domain;
4849 addr->local_part = deliver_localpart;
4850 addr->cc_local_part = deliver_localpart;
4851 addr->lc_local_part = deliver_localpart;
4855 rc = acl_check_internal(where, addr, s, user_msgptr, log_msgptr);
4862 /* This is the external interface for ACL checks. It sets up an address and the
4863 expansions for $domain and $local_part when called after RCPT, then calls
4864 acl_check_internal() to do the actual work.
4867 where ACL_WHERE_xxxx indicating where called from
4868 recipient RCPT address for RCPT check, else NULL
4869 s the input string; NULL is the same as an empty ACL => DENY
4870 user_msgptr where to put a user error (for SMTP response)
4871 log_msgptr where to put a logging message (not for SMTP response)
4873 Returns: OK access is granted by an ACCEPT verb
4874 DISCARD access is granted by a DISCARD verb
4875 FAIL access is denied
4876 FAIL_DROP access is denied; drop the connection
4877 DEFER can't tell at the moment
4880 int acl_where = ACL_WHERE_UNKNOWN;
4883 acl_check(int where, const uschar * recipient, uschar * s,
4884 uschar ** user_msgptr, uschar ** log_msgptr)
4888 address_item *addr = NULL;
4890 *user_msgptr = *log_msgptr = NULL;
4891 sender_verified_failed = NULL;
4892 ratelimiters_cmd = NULL;
4893 log_reject_target = LOG_MAIN|LOG_REJECT;
4895 #ifndef DISABLE_PRDR
4896 if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY || where==ACL_WHERE_PRDR)
4898 if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY)
4901 adb = address_defaults;
4903 addr->address = recipient;
4904 if (deliver_split_address(addr) == DEFER)
4906 *log_msgptr = US"defer in percent_hack_domains check";
4910 if ((addr->prop.utf8_msg = message_smtputf8))
4912 addr->prop.utf8_downcvt = message_utf8_downconvert == 1;
4913 addr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
4916 deliver_domain = addr->domain;
4917 deliver_localpart = addr->local_part;
4922 rc = acl_check_internal(where, addr, s, user_msgptr, log_msgptr);
4924 acl_where = ACL_WHERE_UNKNOWN;
4926 /* Cutthrough - if requested,
4927 and WHERE_RCPT and not yet opened conn as result of recipient-verify,
4928 and rcpt acl returned accept,
4929 and first recipient (cancel on any subsequents)
4930 open one now and run it up to RCPT acceptance.
4931 A failed verify should cancel cutthrough request,
4932 and will pass the fail to the originator.
4933 Initial implementation: dual-write to spool.
4934 Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
4936 Cease cutthrough copy on rxd final dot; do not send one.
4938 On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
4940 On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
4941 perm-rejected, reflect that to the original sender - and dump the spooled copy.
4942 If temp-reject, close the conn (and keep the spooled copy).
4943 If conn-failure, no action (and keep the spooled copy).
4947 case ACL_WHERE_RCPT:
4948 #ifndef DISABLE_PRDR
4949 case ACL_WHERE_PRDR:
4952 if (f.host_checking_callout) /* -bhc mode */
4953 cancel_cutthrough_connection(TRUE, US"host-checking mode");
4956 && cutthrough.delivery
4957 && rcpt_count > cutthrough.nrcpt
4960 if ((rc = open_cutthrough_connection(addr)) == DEFER)
4961 if (cutthrough.defer_pass)
4963 uschar * s = addr->message;
4964 /* Horrid kludge to recover target's SMTP message */
4966 do --s; while (!isdigit(*s));
4967 if (*--s && isdigit(*s) && *--s && isdigit(*s)) *user_msgptr = s;
4968 f.acl_temp_details = TRUE;
4972 HDEBUG(D_acl) debug_printf_indent("cutthrough defer; will spool\n");
4976 else HDEBUG(D_acl) if (cutthrough.delivery)
4977 if (rcpt_count <= cutthrough.nrcpt)
4978 debug_printf_indent("ignore cutthrough request; nonfirst message\n");
4980 debug_printf_indent("ignore cutthrough request; ACL did not accept\n");
4983 case ACL_WHERE_PREDATA:
4985 cutthrough_predata();
4987 cancel_cutthrough_connection(TRUE, US"predata acl not ok");
4990 case ACL_WHERE_QUIT:
4991 case ACL_WHERE_NOTQUIT:
4992 /* Drop cutthrough conns, and drop heldopen verify conns if
4993 the previous was not DATA */
4996 smtp_connection_had[SMTP_HBUFF_PREV(SMTP_HBUFF_PREV(smtp_ch_index))];
4997 BOOL dropverify = !(prev == SCH_DATA || prev == SCH_BDAT);
4999 cancel_cutthrough_connection(dropverify, US"quit or conndrop");
5007 deliver_domain = deliver_localpart = deliver_address_data =
5008 deliver_domain_data = sender_address_data = NULL;
5010 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
5011 ACL, which is really in the middle of an SMTP command. */
5015 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
5017 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
5018 "ACL", acl_wherenames[where]);
5024 /* A DROP response is not permitted from MAILAUTH */
5026 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
5028 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
5029 "ACL", acl_wherenames[where]);
5033 /* Before giving a response, take a look at the length of any user message, and
5034 split it up into multiple lines if possible. */
5036 *user_msgptr = string_split_message(*user_msgptr);
5037 if (fake_response != OK)
5038 fake_response_text = string_split_message(fake_response_text);
5044 /*************************************************
5045 * Create ACL variable *
5046 *************************************************/
5048 /* Create an ACL variable or reuse an existing one. ACL variables are in a
5049 binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
5052 name pointer to the variable's name, starting with c or m
5054 Returns the pointer to variable's tree node
5058 acl_var_create(uschar * name)
5060 tree_node * node, ** root = name[0] == 'c' ? &acl_var_c : &acl_var_m;
5061 if (!(node = tree_search(*root, name)))
5063 node = store_get(sizeof(tree_node) + Ustrlen(name), name);
5064 Ustrcpy(node->name, name);
5065 (void)tree_insertnode(root, node);
5067 node->data.ptr = NULL;
5073 /*************************************************
5074 * Write an ACL variable in spool format *
5075 *************************************************/
5077 /* This function is used as a callback for tree_walk when writing variables to
5078 the spool file. To retain spool file compatibility, what is written is -aclc or
5079 -aclm followed by the rest of the name and the data length, space separated,
5080 then the value itself, starting on a new line, and terminated by an additional
5081 newline. When we had only numbered ACL variables, the first line might look
5082 like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
5086 name of the variable
5087 value of the variable
5088 ctx FILE pointer (as a void pointer)
5094 acl_var_write(uschar * name, uschar * value, void * ctx)
5096 FILE * f = (FILE *)ctx;
5098 if (is_tainted(value))
5100 const uschar * quoter_name;
5102 (void) quoter_for_address(value, "er_name);
5104 fprintf(f, "(%s)", quoter_name);
5106 fprintf(f, "acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
5113 acl_standalone_setvar(const uschar * s, BOOL taint)
5115 acl_condition_block * cond = store_get(sizeof(acl_condition_block), GET_UNTAINTED);
5116 uschar * errstr = NULL, * log_msg = NULL;
5121 cond->type = ACLC_SET;
5122 if (!acl_varname_to_cond(&s, cond, &errstr)) return errstr;
5123 if (!acl_data_to_cond(s, cond, US"'-be'", taint, &errstr)) return errstr;
5125 if (acl_check_condition(ACL_WARN, cond, ACL_WHERE_UNKNOWN,
5126 NULL, 0, &endpass_seen, &errstr, &log_msg, &e) != OK)
5127 return string_sprintf("oops: %s", errstr);
5128 return string_sprintf("variable %s set", cond->u.varname);
5132 #endif /* !MACRO_PREDEF */