1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2023 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Code for handling Access Control Lists (ACLs) */
16 /* Default callout timeout */
18 #define CALLOUT_TIMEOUT_DEFAULT 30
20 /* Default quota cache TTLs */
22 #define QUOTA_POS_DEFAULT (5*60)
23 #define QUOTA_NEG_DEFAULT (60*60)
26 /* ACL verb codes - keep in step with the table of verbs that follows */
28 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
33 static uschar *verbs[] = {
34 [ACL_ACCEPT] = US"accept",
35 [ACL_DEFER] = US"defer",
36 [ACL_DENY] = US"deny",
37 [ACL_DISCARD] = US"discard",
38 [ACL_DROP] = US"drop",
39 [ACL_REQUIRE] = US"require",
43 /* For each verb, the conditions for which "message" or "log_message" are used
44 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
45 "accept", the FAIL case is used only after "endpass", but that is selected in
48 static int msgcond[] = {
49 [ACL_ACCEPT] = BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
50 [ACL_DEFER] = BIT(OK),
52 [ACL_DISCARD] = BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
54 [ACL_REQUIRE] = BIT(FAIL) | BIT(FAIL_DROP),
60 /* ACL condition and modifier codes - keep in step with the table that
67 #ifdef EXPERIMENTAL_BRIGHTMAIL
73 #ifdef EXPERIMENTAL_DCC
76 #ifdef WITH_CONTENT_SCAN
94 ACLC_LOG_REJECT_TARGET,
96 #ifdef WITH_CONTENT_SCAN
100 #ifdef WITH_CONTENT_SCAN
106 #ifdef WITH_CONTENT_SCAN
114 #ifdef WITH_CONTENT_SCAN
124 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
125 "message", "log_message", "log_reject_target", "logwrite", "queue" and "set" are
126 modifiers that look like conditions but always return TRUE. They are used for
127 their side effects. Do not invent new modifier names that result in one name
128 being the prefix of another; the binary-search in the list will go wrong. */
130 typedef struct condition_def {
133 /* Flag to indicate the condition/modifier has a string expansion done
134 at the outer level. In the other cases, expansion already occurs in the
135 checking functions. */
136 BOOL expand_at_top:1;
140 /* Bit map vector of which conditions and modifiers are not allowed at certain
141 times. For each condition and modifier, there's a bitmap of dis-allowed times.
142 For some, it is easier to specify the negation of a small number of allowed
148 static condition_def conditions[] = {
149 [ACLC_ACL] = { US"acl", FALSE, FALSE, 0 },
151 [ACLC_ADD_HEADER] = { US"add_header", TRUE, TRUE,
153 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
154 ACL_BIT_PREDATA | ACL_BIT_DATA |
158 ACL_BIT_MIME | ACL_BIT_NOTSMTP |
160 ACL_BIT_NOTSMTP_START),
163 [ACLC_AUTHENTICATED] = { US"authenticated", FALSE, FALSE,
164 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START |
165 ACL_BIT_CONNECT | ACL_BIT_HELO,
167 #ifdef EXPERIMENTAL_BRIGHTMAIL
168 [ACLC_BMI_OPTIN] = { US"bmi_optin", TRUE, TRUE,
170 ACL_BIT_CONNECT | ACL_BIT_HELO |
171 ACL_BIT_DATA | ACL_BIT_MIME |
172 # ifndef DISABLE_PRDR
175 ACL_BIT_ETRN | ACL_BIT_EXPN |
177 ACL_BIT_MAIL | ACL_BIT_STARTTLS |
178 ACL_BIT_VRFY | ACL_BIT_PREDATA |
179 ACL_BIT_NOTSMTP_START,
182 [ACLC_CONDITION] = { US"condition", TRUE, FALSE, 0 },
183 [ACLC_CONTINUE] = { US"continue", TRUE, TRUE, 0 },
185 /* Certain types of control are always allowed, so we let it through
186 always and check in the control processing itself. */
187 [ACLC_CONTROL] = { US"control", TRUE, TRUE, 0 },
189 #ifdef EXPERIMENTAL_DCC
190 [ACLC_DCC] = { US"dcc", TRUE, FALSE,
193 # ifndef DISABLE_PRDR
199 #ifdef WITH_CONTENT_SCAN
200 [ACLC_DECODE] = { US"decode", TRUE, FALSE, (unsigned int) ~ACL_BIT_MIME },
203 [ACLC_DELAY] = { US"delay", TRUE, TRUE, ACL_BIT_NOTQUIT },
205 [ACLC_DKIM_SIGNER] = { US"dkim_signers", TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM },
206 [ACLC_DKIM_STATUS] = { US"dkim_status", TRUE, FALSE,
208 ~(ACL_BIT_DKIM | ACL_BIT_DATA | ACL_BIT_MIME
209 # ifndef DISABLE_PRDR
216 [ACLC_DMARC_STATUS] = { US"dmarc_status", TRUE, FALSE, (unsigned int) ~ACL_BIT_DATA },
219 /* Explicit key lookups can be made in non-smtp ACLs so pass
220 always and check in the verify processing itself. */
221 [ACLC_DNSLISTS] = { US"dnslists", TRUE, FALSE, 0 },
223 [ACLC_DOMAINS] = { US"domains", FALSE, FALSE,
225 ~(ACL_BIT_RCPT | ACL_BIT_VRFY
231 [ACLC_ENCRYPTED] = { US"encrypted", FALSE, FALSE,
232 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START |
236 [ACLC_ENDPASS] = { US"endpass", TRUE, TRUE, 0 },
238 [ACLC_HOSTS] = { US"hosts", FALSE, FALSE,
239 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
241 [ACLC_LOCAL_PARTS] = { US"local_parts", FALSE, FALSE,
243 ~(ACL_BIT_RCPT | ACL_BIT_VRFY
250 [ACLC_LOG_MESSAGE] = { US"log_message", TRUE, TRUE, 0 },
251 [ACLC_LOG_REJECT_TARGET] = { US"log_reject_target", TRUE, TRUE, 0 },
252 [ACLC_LOGWRITE] = { US"logwrite", TRUE, TRUE, 0 },
254 #ifdef WITH_CONTENT_SCAN
255 [ACLC_MALWARE] = { US"malware", TRUE, FALSE,
258 # ifndef DISABLE_PRDR
265 [ACLC_MESSAGE] = { US"message", TRUE, TRUE, 0 },
266 #ifdef WITH_CONTENT_SCAN
267 [ACLC_MIME_REGEX] = { US"mime_regex", TRUE, FALSE, (unsigned int) ~ACL_BIT_MIME },
270 [ACLC_QUEUE] = { US"queue", TRUE, TRUE,
278 [ACLC_RATELIMIT] = { US"ratelimit", TRUE, FALSE, 0 },
279 [ACLC_RECIPIENTS] = { US"recipients", FALSE, FALSE, (unsigned int) ~ACL_BIT_RCPT },
281 #ifdef WITH_CONTENT_SCAN
282 [ACLC_REGEX] = { US"regex", TRUE, FALSE,
285 # ifndef DISABLE_PRDR
293 [ACLC_REMOVE_HEADER] = { US"remove_header", TRUE, TRUE,
295 ~(ACL_BIT_MAIL|ACL_BIT_RCPT |
296 ACL_BIT_PREDATA | ACL_BIT_DATA |
300 ACL_BIT_MIME | ACL_BIT_NOTSMTP |
301 ACL_BIT_NOTSMTP_START),
303 [ACLC_SEEN] = { US"seen", TRUE, FALSE, 0 },
304 [ACLC_SENDER_DOMAINS] = { US"sender_domains", FALSE, FALSE,
305 ACL_BIT_AUTH | ACL_BIT_CONNECT |
307 ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
308 ACL_BIT_ETRN | ACL_BIT_EXPN |
309 ACL_BIT_STARTTLS | ACL_BIT_VRFY,
311 [ACLC_SENDERS] = { US"senders", FALSE, FALSE,
312 ACL_BIT_AUTH | ACL_BIT_CONNECT |
314 ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
315 ACL_BIT_ETRN | ACL_BIT_EXPN |
316 ACL_BIT_STARTTLS | ACL_BIT_VRFY,
319 [ACLC_SET] = { US"set", TRUE, TRUE, 0 },
321 #ifdef WITH_CONTENT_SCAN
322 [ACLC_SPAM] = { US"spam", TRUE, FALSE,
323 (unsigned int) ~(ACL_BIT_DATA |
324 # ifndef DISABLE_PRDR
331 [ACLC_SPF] = { US"spf", TRUE, FALSE,
332 ACL_BIT_AUTH | ACL_BIT_CONNECT |
333 ACL_BIT_HELO | ACL_BIT_MAILAUTH |
334 ACL_BIT_ETRN | ACL_BIT_EXPN |
335 ACL_BIT_STARTTLS | ACL_BIT_VRFY |
336 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
338 [ACLC_SPF_GUESS] = { US"spf_guess", TRUE, FALSE,
339 ACL_BIT_AUTH | ACL_BIT_CONNECT |
340 ACL_BIT_HELO | ACL_BIT_MAILAUTH |
341 ACL_BIT_ETRN | ACL_BIT_EXPN |
342 ACL_BIT_STARTTLS | ACL_BIT_VRFY |
343 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
346 [ACLC_UDPSEND] = { US"udpsend", TRUE, TRUE, 0 },
348 /* Certain types of verify are always allowed, so we let it through
349 always and check in the verify function itself */
350 [ACLC_VERIFY] = { US"verify", TRUE, FALSE, 0 },
355 # include "macro_predef.h"
359 for (condition_def * c = conditions; c < conditions + nelem(conditions); c++)
361 uschar buf[64], * p, * s;
362 int n = sprintf(CS buf, "_ACL_%s_", c->is_modifier ? "MOD" : "COND");
363 for (p = buf + n, s = c->name; *s; s++) *p++ = toupper(*s);
365 builtin_macro_create(buf);
373 /* Return values from decode_control(); used as index so keep in step
374 with the controls_list table that follows! */
377 CONTROL_AUTH_UNADVERTISED,
378 #ifdef EXPERIMENTAL_BRIGHTMAIL
381 CONTROL_CASEFUL_LOCAL_PART,
382 CONTROL_CASELOWER_LOCAL_PART,
383 CONTROL_CUTTHROUGH_DELIVERY,
389 CONTROL_DMARC_VERIFY,
390 CONTROL_DMARC_FORENSIC,
393 CONTROL_ENFORCE_SYNC,
394 CONTROL_ERROR, /* pseudo-value for decode errors */
399 CONTROL_NO_CALLOUT_FLUSH,
400 CONTROL_NO_DELAY_FLUSH,
401 CONTROL_NO_ENFORCE_SYNC,
402 #ifdef WITH_CONTENT_SCAN
403 CONTROL_NO_MBOX_UNSPOOL,
405 CONTROL_NO_MULTILINE,
406 CONTROL_NO_PIPELINING,
410 CONTROL_SUPPRESS_LOCAL_FIXUPS,
412 CONTROL_UTF8_DOWNCONVERT,
418 /* Structure listing various control arguments, with their characteristics.
419 For each control, there's a bitmap of dis-allowed times. For some, it is easier
420 to specify the negation of a small number of allowed times. */
422 typedef struct control_def {
424 BOOL has_option; /* Has /option(s) following */
425 unsigned forbids; /* bitmap of dis-allowed times */
428 static control_def controls_list[] = {
429 /* name has_option forbids */
430 [CONTROL_AUTH_UNADVERTISED] =
431 { US"allow_auth_unadvertised", FALSE,
433 ~(ACL_BIT_CONNECT | ACL_BIT_HELO)
435 #ifdef EXPERIMENTAL_BRIGHTMAIL
437 { US"bmi_run", FALSE, 0 },
439 [CONTROL_CASEFUL_LOCAL_PART] =
440 { US"caseful_local_part", FALSE, (unsigned) ~ACL_BIT_RCPT },
441 [CONTROL_CASELOWER_LOCAL_PART] =
442 { US"caselower_local_part", FALSE, (unsigned) ~ACL_BIT_RCPT },
443 [CONTROL_CUTTHROUGH_DELIVERY] =
444 { US"cutthrough_delivery", TRUE, 0 },
446 { US"debug", TRUE, 0 },
449 [CONTROL_DKIM_VERIFY] =
450 { US"dkim_disable_verify", FALSE,
451 ACL_BIT_DATA | ACL_BIT_NOTSMTP |
452 # ifndef DISABLE_PRDR
455 ACL_BIT_NOTSMTP_START
460 [CONTROL_DMARC_VERIFY] =
461 { US"dmarc_disable_verify", FALSE,
462 ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
464 [CONTROL_DMARC_FORENSIC] =
465 { US"dmarc_enable_forensic", FALSE,
466 ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
472 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START | ACL_BIT_NOTQUIT
474 [CONTROL_ENFORCE_SYNC] =
475 { US"enforce_sync", FALSE,
476 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
479 /* Pseudo-value for decode errors */
481 { US"error", FALSE, 0 },
483 [CONTROL_FAKEDEFER] =
484 { US"fakedefer", TRUE,
486 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
487 ACL_BIT_PREDATA | ACL_BIT_DATA |
493 [CONTROL_FAKEREJECT] =
494 { US"fakereject", TRUE,
496 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
497 ACL_BIT_PREDATA | ACL_BIT_DATA |
506 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
507 ACL_BIT_PREDATA | ACL_BIT_DATA |
508 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
509 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
512 [CONTROL_NO_CALLOUT_FLUSH] =
513 { US"no_callout_flush", FALSE,
514 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
516 [CONTROL_NO_DELAY_FLUSH] =
517 { US"no_delay_flush", FALSE,
518 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
521 [CONTROL_NO_ENFORCE_SYNC] =
522 { US"no_enforce_sync", FALSE,
523 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
525 #ifdef WITH_CONTENT_SCAN
526 [CONTROL_NO_MBOX_UNSPOOL] =
527 { US"no_mbox_unspool", FALSE,
529 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
530 ACL_BIT_PREDATA | ACL_BIT_DATA |
531 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
535 [CONTROL_NO_MULTILINE] =
536 { US"no_multiline_responses", FALSE,
537 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
539 [CONTROL_NO_PIPELINING] =
540 { US"no_pipelining", FALSE,
541 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
547 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
548 ACL_BIT_PREDATA | ACL_BIT_DATA |
549 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
550 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
553 [CONTROL_SUBMISSION] =
554 { US"submission", TRUE,
556 ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA)
558 [CONTROL_SUPPRESS_LOCAL_FIXUPS] =
559 { US"suppress_local_fixups", FALSE,
561 ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA |
562 ACL_BIT_NOTSMTP_START)
565 [CONTROL_UTF8_DOWNCONVERT] =
566 { US"utf8_downconvert", TRUE, (unsigned) ~(ACL_BIT_RCPT | ACL_BIT_VRFY)
571 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
572 caches its result in a tree to avoid repeated DNS queries. The result is an
573 integer code which is used as an index into the following tables of
574 explanatory strings and verification return codes. */
576 static tree_node *csa_cache = NULL;
578 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
579 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
581 /* The acl_verify_csa() return code is translated into an acl_verify() return
582 code using the following table. It is OK unless the client is definitely not
583 authorized. This is because CSA is supposed to be optional for sending sites,
584 so recipients should not be too strict about checking it - especially because
585 DNS problems are quite likely to occur. It's possible to use $csa_status in
586 further ACL conditions to distinguish ok, unknown, and defer if required, but
587 the aim is to make the usual configuration simple. */
589 static int csa_return_code[] = {
592 [CSA_DEFER_SRV] = OK,
593 [CSA_DEFER_ADDR] = OK,
594 [CSA_FAIL_EXPLICIT] = FAIL,
595 [CSA_FAIL_DOMAIN] = FAIL,
596 [CSA_FAIL_NOADDR] = FAIL,
597 [CSA_FAIL_MISMATCH] = FAIL
600 static uschar *csa_status_string[] = {
601 [CSA_UNKNOWN] = US"unknown",
603 [CSA_DEFER_SRV] = US"defer",
604 [CSA_DEFER_ADDR] = US"defer",
605 [CSA_FAIL_EXPLICIT] = US"fail",
606 [CSA_FAIL_DOMAIN] = US"fail",
607 [CSA_FAIL_NOADDR] = US"fail",
608 [CSA_FAIL_MISMATCH] = US"fail"
611 static uschar *csa_reason_string[] = {
612 [CSA_UNKNOWN] = US"unknown",
614 [CSA_DEFER_SRV] = US"deferred (SRV lookup failed)",
615 [CSA_DEFER_ADDR] = US"deferred (target address lookup failed)",
616 [CSA_FAIL_EXPLICIT] = US"failed (explicit authorization required)",
617 [CSA_FAIL_DOMAIN] = US"failed (host name not authorized)",
618 [CSA_FAIL_NOADDR] = US"failed (no authorized addresses)",
619 [CSA_FAIL_MISMATCH] = US"failed (client address mismatch)"
622 /* Options for the ratelimit condition. Note that there are two variants of
623 the per_rcpt option, depending on the ACL that is used to measure the rate.
624 However any ACL must be able to look up per_rcpt rates in /noupdate mode,
625 so the two variants must have the same internal representation as well as
626 the same configuration string. */
629 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
630 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
633 #define RATE_SET(var,new) \
634 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
636 static uschar *ratelimit_option_string[] = {
637 [RATE_PER_WHAT] = US"?",
638 [RATE_PER_CLASH] = US"!",
639 [RATE_PER_ADDR] = US"per_addr",
640 [RATE_PER_BYTE] = US"per_byte",
641 [RATE_PER_CMD] = US"per_cmd",
642 [RATE_PER_CONN] = US"per_conn",
643 [RATE_PER_MAIL] = US"per_mail",
644 [RATE_PER_RCPT] = US"per_rcpt",
645 [RATE_PER_ALLRCPTS] = US"per_rcpt"
648 /* Enable recursion between acl_check_internal() and acl_check_condition() */
650 static int acl_check_wargs(int, address_item *, const uschar *, uschar **,
653 static acl_block * acl_current = NULL;
656 /*************************************************
657 * Find control in list *
658 *************************************************/
660 /* The lists are always in order, so binary chop can be used.
663 name the control name to search for
664 ol the first entry in the control list
665 last one more than the offset of the last entry in the control list
667 Returns: index of a control entry, or -1 if not found
671 find_control(const uschar * name, control_def * ol, int last)
673 for (int first = 0; last > first; )
675 int middle = (first + last)/2;
676 uschar * s = ol[middle].name;
677 int c = Ustrncmp(name, s, Ustrlen(s));
678 if (c == 0) return middle;
679 else if (c > 0) first = middle + 1;
687 /*************************************************
688 * Pick out condition from list *
689 *************************************************/
691 /* Use a binary chop method
695 list list of conditions
698 Returns: offset in list, or -1 if not found
702 acl_checkcondition(uschar * name, condition_def * list, int end)
704 for (int start = 0; start < end; )
706 int mid = (start + end)/2;
707 int c = Ustrcmp(name, list[mid].name);
708 if (c == 0) return mid;
709 if (c < 0) end = mid;
710 else start = mid + 1;
716 /*************************************************
717 * Pick out name from list *
718 *************************************************/
720 /* Use a binary chop method
727 Returns: offset in list, or -1 if not found
731 acl_checkname(uschar *name, uschar **list, int end)
733 for (int start = 0; start < end; )
735 int mid = (start + end)/2;
736 int c = Ustrcmp(name, list[mid]);
737 if (c == 0) return mid;
738 if (c < 0) end = mid; else start = mid + 1;
746 acl_varname_to_cond(const uschar ** sp, acl_condition_block * cond, uschar ** error)
748 const uschar * s = *sp, * endptr;
751 if ( Ustrncmp(s, "dkim_verify_status", 18) == 0
752 || Ustrncmp(s, "dkim_verify_reason", 18) == 0)
755 if (isalnum(*endptr))
757 *error = string_sprintf("invalid variable name after \"set\" in ACL "
758 "modifier \"set %s\" "
759 "(only \"dkim_verify_status\" or \"dkim_verify_reason\" permitted)",
763 cond->u.varname = string_copyn(s, 18);
768 if (Ustrncmp(s, "acl_c", 5) != 0 && Ustrncmp(s, "acl_m", 5) != 0)
770 *error = string_sprintf("invalid variable name after \"set\" in ACL "
771 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
776 if (!isdigit(*endptr) && *endptr != '_')
778 *error = string_sprintf("invalid variable name after \"set\" in ACL "
779 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
784 for ( ; *endptr && *endptr != '=' && !isspace(*endptr); endptr++)
785 if (!isalnum(*endptr) && *endptr != '_')
787 *error = string_sprintf("invalid character \"%c\" in variable name "
788 "in ACL modifier \"set %s\"", *endptr, s);
792 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
795 Uskip_whitespace(&s);
802 acl_data_to_cond(const uschar * s, acl_condition_block * cond,
803 const uschar * name, uschar ** error)
807 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
808 conditions[cond->type].is_modifier ? US"modifier" : US"condition");
811 Uskip_whitespace(&s);
812 cond->arg = string_copy(s);
817 /*************************************************
818 * Read and parse one ACL *
819 *************************************************/
821 /* This function is called both from readconf in order to parse the ACLs in the
822 configuration file, and also when an ACL is encountered dynamically (e.g. as
823 the result of an expansion). It is given a function to call in order to
824 retrieve the lines of the ACL. This function handles skipping comments and
825 blank lines (where relevant).
828 func function to get next line of ACL
829 error where to put an error message
831 Returns: pointer to ACL, or NULL
832 NULL can be legal (empty ACL); in this case error will be NULL
836 acl_read(uschar *(*func)(void), uschar **error)
838 acl_block *yield = NULL;
839 acl_block **lastp = &yield;
840 acl_block *this = NULL;
841 acl_condition_block *cond;
842 acl_condition_block **condp = NULL;
847 while ((s = (*func)()))
850 BOOL negated = FALSE;
851 const uschar * saveline = s;
852 uschar name[EXIM_DRIVERNAME_MAX];
854 /* Conditions (but not verbs) are allowed to be negated by an initial
857 if (Uskip_whitespace(&s) == '!')
863 /* Read the name of a verb or a condition, or the start of a new ACL, which
864 can be started by a name, or by a macro definition. */
866 s = readconf_readname(name, sizeof(name), s);
867 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
869 /* If a verb is unrecognized, it may be another condition or modifier that
870 continues the previous verb. */
872 if ((v = acl_checkname(name, verbs, nelem(verbs))) < 0)
876 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
888 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
891 *lastp = this = store_get(sizeof(acl_block), GET_UNTAINTED);
894 this->condition = NULL;
896 this->srcline = config_lineno; /* for debug output */
897 this->srcfile = config_filename; /**/
898 condp = &this->condition;
899 if (!*s) continue; /* No condition on this line */
905 s = readconf_readname(name, sizeof(name), s); /* Condition name */
908 /* Handle a condition or modifier. */
910 if ((c = acl_checkcondition(name, conditions, nelem(conditions))) < 0)
912 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
917 /* The modifiers may not be negated */
919 if (negated && conditions[c].is_modifier)
921 *error = string_sprintf("ACL error: negation is not allowed with "
922 "\"%s\"", conditions[c].name);
926 /* ENDPASS may occur only with ACCEPT or DISCARD. */
928 if (c == ACLC_ENDPASS &&
929 this->verb != ACL_ACCEPT &&
930 this->verb != ACL_DISCARD)
932 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
933 conditions[c].name, verbs[this->verb]);
937 cond = store_get(sizeof(acl_condition_block), GET_UNTAINTED);
940 cond->u.negated = negated;
945 /* The "set" modifier is different in that its argument is "name=value"
946 rather than just a value, and we can check the validity of the name, which
947 gives us a variable name to insert into the data block. The original ACL
948 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
949 extended to 20 of each type, but after that people successfully argued for
950 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
951 After that, we allow alphanumerics and underscores, but the first character
952 after c or m must be a digit or an underscore. This retains backwards
956 if (!acl_varname_to_cond(&s, cond, error)) return NULL;
958 /* For "set", we are now positioned for the data. For the others, only
959 "endpass" has no data */
961 if (c != ACLC_ENDPASS)
962 if (!acl_data_to_cond(s, cond, name, error)) return NULL;
970 /*************************************************
971 * Set up added header line(s) *
972 *************************************************/
974 /* This function is called by the add_header modifier, and also from acl_warn()
975 to implement the now-deprecated way of adding header lines using "message" on a
976 "warn" verb. The argument is treated as a sequence of header lines which are
977 added to a chain, provided there isn't an identical one already there.
979 Argument: string of header lines
984 setup_header(const uschar *hstring)
987 int hlen = Ustrlen(hstring);
989 /* Ignore any leading newlines */
990 while (*hstring == '\n') hstring++, hlen--;
992 /* An empty string does nothing; ensure exactly one final newline. */
993 if (hlen <= 0) return;
994 if (hstring[--hlen] != '\n') /* no newline */
995 q = string_sprintf("%s\n", hstring);
996 else if (hstring[hlen-1] == '\n') /* double newline */
998 uschar * s = string_copy(hstring);
999 while(s[--hlen] == '\n')
1006 /* Loop for multiple header lines, taking care about continuations */
1008 for (p = q; *p; p = q)
1012 int newtype = htype_add_bot;
1013 header_line **hptr = &acl_added_headers;
1015 /* Find next header line within the string */
1019 q = Ustrchr(q, '\n'); /* we know there was a newline */
1020 if (*++q != ' ' && *q != '\t') break;
1023 /* If the line starts with a colon, interpret the instruction for where to
1024 add it. This temporarily sets up a new type. */
1028 if (strncmpic(p, US":after_received:", 16) == 0)
1030 newtype = htype_add_rec;
1033 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1035 newtype = htype_add_rfc;
1038 else if (strncmpic(p, US":at_start:", 10) == 0)
1040 newtype = htype_add_top;
1043 else if (strncmpic(p, US":at_end:", 8) == 0)
1045 newtype = htype_add_bot;
1048 while (*p == ' ' || *p == '\t') p++;
1051 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1052 to the front of it. */
1054 for (s = p; s < q - 1; s++)
1055 if (*s == ':' || !isgraph(*s)) break;
1057 hdr = string_sprintf("%s%.*s", *s == ':' ? "" : "X-ACL-Warn: ", (int) (q - p), p);
1058 hlen = Ustrlen(hdr);
1060 /* See if this line has already been added */
1064 if (Ustrncmp((*hptr)->text, hdr, hlen) == 0) break;
1065 hptr = &(*hptr)->next;
1068 /* Add if not previously present */
1072 /* The header_line struct itself is not tainted, though it points to
1073 possibly tainted data. */
1074 header_line * h = store_get(sizeof(header_line), GET_UNTAINTED);
1087 /*************************************************
1088 * List the added header lines *
1089 *************************************************/
1095 for (header_line * h = acl_added_headers; h; h = h->next)
1098 if (h->text[i-1] == '\n') i--;
1099 g = string_append_listele_n(g, '\n', h->text, i);
1102 return string_from_gstring(g);
1106 /*************************************************
1107 * Set up removed header line(s) *
1108 *************************************************/
1110 /* This function is called by the remove_header modifier. The argument is
1111 treated as a sequence of header names which are added to a colon separated
1112 list, provided there isn't an identical one already there.
1114 Argument: string of header names
1119 setup_remove_header(const uschar *hnames)
1122 acl_removed_headers = acl_removed_headers
1123 ? string_sprintf("%s : %s", acl_removed_headers, hnames)
1124 : string_copy(hnames);
1129 /*************************************************
1131 *************************************************/
1133 /* This function is called when a WARN verb's conditions are true. It adds to
1134 the message's headers, and/or writes information to the log. In each case, this
1135 only happens once (per message for headers, per connection for log).
1137 ** NOTE: The header adding action using the "message" setting is historic, and
1138 its use is now deprecated. The new add_header modifier should be used instead.
1141 where ACL_WHERE_xxxx indicating which ACL this is
1142 user_message message for adding to headers
1143 log_message message for logging, if different
1149 acl_warn(int where, uschar * user_message, uschar * log_message)
1151 if (log_message && log_message != user_message)
1154 string_item *logged;
1156 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1157 string_printing(log_message));
1159 /* If a sender verification has failed, and the log message is "sender verify
1160 failed", add the failure message. */
1162 if ( sender_verified_failed
1163 && sender_verified_failed->message
1164 && strcmpic(log_message, US"sender verify failed") == 0)
1165 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1167 /* Search previously logged warnings. They are kept in malloc
1168 store so they can be freed at the start of a new message. */
1170 for (logged = acl_warn_logged; logged; logged = logged->next)
1171 if (Ustrcmp(logged->text, text) == 0) break;
1175 int length = Ustrlen(text) + 1;
1176 log_write(0, LOG_MAIN, "%s", text);
1177 logged = store_malloc(sizeof(string_item) + length);
1178 logged->text = US logged + sizeof(string_item);
1179 memcpy(logged->text, text, length);
1180 logged->next = acl_warn_logged;
1181 acl_warn_logged = logged;
1185 /* If there's no user message, we are done. */
1187 if (!user_message) return;
1189 /* If this isn't a message ACL, we can't do anything with a user message.
1192 if (where > ACL_WHERE_NOTSMTP)
1194 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1195 "found in a non-message (%s) ACL: cannot specify header lines here: "
1196 "message ignored", acl_wherenames[where]);
1200 /* The code for setting up header lines is now abstracted into a separate
1201 function so that it can be used for the add_header modifier as well. */
1203 setup_header(user_message);
1208 /*************************************************
1209 * Verify and check reverse DNS *
1210 *************************************************/
1212 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1213 address if this has not yet been done. The host_name_lookup() function checks
1214 that one of these names resolves to an address list that contains the client IP
1215 address, so we don't actually have to do the check here.
1218 user_msgptr pointer for user message
1219 log_msgptr pointer for log message
1221 Returns: OK verification condition succeeded
1222 FAIL verification failed
1223 DEFER there was a problem verifying
1227 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1231 /* Previous success */
1233 if (sender_host_name) return OK;
1235 /* Previous failure */
1237 if (host_lookup_failed)
1239 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1243 /* Need to do a lookup */
1246 debug_printf_indent("looking up host name to force name/address consistency check\n");
1248 if ((rc = host_name_lookup()) != OK)
1250 *log_msgptr = rc == DEFER
1251 ? US"host lookup deferred for reverse lookup check"
1252 : string_sprintf("host lookup failed for reverse lookup check%s",
1254 return rc; /* DEFER or FAIL */
1257 host_build_sender_fullhost();
1263 /*************************************************
1264 * Check client IP address matches CSA target *
1265 *************************************************/
1267 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1268 response for address records belonging to the CSA target hostname. The section
1269 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1270 If one of the addresses matches the client's IP address, then the client is
1271 authorized by CSA. If there are target IP addresses but none of them match
1272 then the client is using an unauthorized IP address. If there are no target IP
1273 addresses then the client cannot be using an authorized IP address. (This is
1274 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1277 dnsa the DNS answer block
1278 dnss a DNS scan block for us to use
1279 reset option specifying what portion to scan, as described above
1280 target the target hostname to use for matching RR names
1282 Returns: CSA_OK successfully authorized
1283 CSA_FAIL_MISMATCH addresses found but none matched
1284 CSA_FAIL_NOADDR no target addresses found
1288 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1291 int rc = CSA_FAIL_NOADDR;
1293 for (dns_record * rr = dns_next_rr(dnsa, dnss, reset);
1295 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1297 /* Check this is an address RR for the target hostname. */
1301 && rr->type != T_AAAA
1305 if (strcmpic(target, rr->name) != 0) continue;
1307 rc = CSA_FAIL_MISMATCH;
1309 /* Turn the target address RR into a list of textual IP addresses and scan
1310 the list. There may be more than one if it is an A6 RR. */
1312 for (dns_address * da = dns_address_from_rr(dnsa, rr); da; da = da->next)
1314 /* If the client IP address matches the target IP address, it's good! */
1316 DEBUG(D_acl) debug_printf_indent("CSA target address is %s\n", da->address);
1318 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1322 /* If we found some target addresses but none of them matched, the client is
1323 using an unauthorized IP address, otherwise the target has no authorized IP
1331 /*************************************************
1332 * Verify Client SMTP Authorization *
1333 *************************************************/
1335 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1336 to find the CSA SRV record corresponding to the domain argument, or
1337 $sender_helo_name if no argument is provided. It then checks that the
1338 client is authorized, and that its IP address corresponds to the SRV
1339 target's address by calling acl_verify_csa_address() above. The address
1340 should have been returned in the DNS response's ADDITIONAL section, but if
1341 not we perform another DNS lookup to get it.
1344 domain pointer to optional parameter following verify = csa
1346 Returns: CSA_UNKNOWN no valid CSA record found
1347 CSA_OK successfully authorized
1348 CSA_FAIL_* client is definitely not authorized
1349 CSA_DEFER_* there was a DNS problem
1353 acl_verify_csa(const uschar *domain)
1356 const uschar *found;
1357 int priority, weight, port;
1361 int rc, type, yield;
1362 #define TARGET_SIZE 256
1363 uschar * target = store_get(TARGET_SIZE, GET_TAINTED);
1365 /* Work out the domain we are using for the CSA lookup. The default is the
1366 client's HELO domain. If the client has not said HELO, use its IP address
1367 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1369 while (isspace(*domain) && *domain != '\0') ++domain;
1370 if (*domain == '\0') domain = sender_helo_name;
1371 if (!domain) domain = sender_host_address;
1372 if (!sender_host_address) return CSA_UNKNOWN;
1374 /* If we have an address literal, strip off the framing ready for turning it
1375 into a domain. The framing consists of matched square brackets possibly
1376 containing a keyword and a colon before the actual IP address. */
1378 if (domain[0] == '[')
1380 const uschar *start = Ustrchr(domain, ':');
1381 if (start == NULL) start = domain;
1382 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1385 /* Turn domains that look like bare IP addresses into domains in the reverse
1386 DNS. This code also deals with address literals and $sender_host_address. It's
1387 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1388 address literals, but it's probably the most friendly thing to do. This is an
1389 extension to CSA, so we allow it to be turned off for proper conformance. */
1391 if (string_is_ip_address(domain, NULL) != 0)
1393 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1394 domain = dns_build_reverse(domain);
1397 /* Find out if we've already done the CSA check for this domain. If we have,
1398 return the same result again. Otherwise build a new cached result structure
1399 for this domain. The name is filled in now, and the value is filled in when
1400 we return from this function. */
1402 if ((t = tree_search(csa_cache, domain)))
1405 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain), domain);
1406 Ustrcpy(t->name, domain);
1407 (void)tree_insertnode(&csa_cache, t);
1409 /* Now we are ready to do the actual DNS lookup(s). */
1412 dnsa = store_get_dns_answer();
1413 switch (dns_special_lookup(dnsa, domain, T_CSA, &found))
1415 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1418 yield = CSA_DEFER_SRV;
1421 /* If we found nothing, the client's authorization is unknown. */
1425 yield = CSA_UNKNOWN;
1428 /* We got something! Go on to look at the reply in more detail. */
1434 /* Scan the reply for well-formed CSA SRV records. */
1436 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1438 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_SRV)
1440 const uschar * p = rr->data;
1442 /* Extract the numerical SRV fields (p is incremented) */
1444 if (rr_bad_size(rr, 3 * sizeof(uint16_t))) continue;
1445 GETSHORT(priority, p);
1446 GETSHORT(weight, p);
1450 debug_printf_indent("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1452 /* Check the CSA version number */
1454 if (priority != 1) continue;
1456 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1457 found by dns_special_lookup() is a parent of the one we asked for), we check
1458 the subdomain assertions in the port field. At the moment there's only one
1459 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1460 SRV records of their own. */
1462 if (Ustrcmp(found, domain) != 0)
1464 yield = port & 1 ? CSA_FAIL_EXPLICIT : CSA_UNKNOWN;
1468 /* This CSA SRV record refers directly to our domain, so we check the value
1469 in the weight field to work out the domain's authorization. 0 and 1 are
1470 unauthorized; 3 means the client is authorized but we can't check the IP
1471 address in order to authenticate it, so we treat it as unknown; values
1472 greater than 3 are undefined. */
1476 yield = CSA_FAIL_DOMAIN;
1480 if (weight > 2) continue;
1482 /* Weight == 2, which means the domain is authorized. We must check that the
1483 client's IP address is listed as one of the SRV target addresses. Save the
1484 target hostname then break to scan the additional data for its addresses. */
1486 (void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
1487 (DN_EXPAND_ARG4_TYPE)target, TARGET_SIZE);
1489 DEBUG(D_acl) debug_printf_indent("CSA target is %s\n", target);
1494 /* If we didn't break the loop then no appropriate records were found. */
1498 yield = CSA_UNKNOWN;
1502 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1503 A target of "." indicates there are no valid addresses, so the client cannot
1504 be authorized. (This is an odd configuration because weight=2 target=. is
1505 equivalent to weight=1, but we check for it in order to keep load off the
1506 root name servers.) Note that dn_expand() turns "." into "". */
1508 if (Ustrcmp(target, "") == 0)
1510 yield = CSA_FAIL_NOADDR;
1514 /* Scan the additional section of the CSA SRV reply for addresses belonging
1515 to the target. If the name server didn't return any additional data (e.g.
1516 because it does not fully support SRV records), we need to do another lookup
1517 to obtain the target addresses; otherwise we have a definitive result. */
1519 rc = acl_verify_csa_address(dnsa, &dnss, RESET_ADDITIONAL, target);
1520 if (rc != CSA_FAIL_NOADDR)
1526 /* The DNS lookup type corresponds to the IP version used by the client. */
1529 if (Ustrchr(sender_host_address, ':') != NULL)
1532 #endif /* HAVE_IPV6 */
1536 lookup_dnssec_authenticated = NULL;
1537 switch (dns_lookup(dnsa, target, type, NULL))
1539 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1542 yield = CSA_DEFER_ADDR;
1545 /* If the query succeeded, scan the addresses and return the result. */
1548 rc = acl_verify_csa_address(dnsa, &dnss, RESET_ANSWERS, target);
1549 if (rc != CSA_FAIL_NOADDR)
1554 /* else fall through */
1556 /* If the target has no IP addresses, the client cannot have an authorized
1557 IP address. However, if the target site uses A6 records (not AAAA records)
1558 we have to do yet another lookup in order to check them. */
1562 yield = CSA_FAIL_NOADDR;
1568 store_free_dns_answer(dnsa);
1569 return t->data.val = yield;
1574 /*************************************************
1575 * Handle verification (address & other) *
1576 *************************************************/
1578 enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1579 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT,
1580 VERIFY_HDR_NAMES_ASCII, VERIFY_ARC
1585 unsigned where_allowed; /* bitmap */
1586 BOOL no_options; /* Never has /option(s) following */
1587 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1589 static verify_type_t verify_type_list[] = {
1590 /* name value where no-opt opt-sep */
1591 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, (unsigned)~0, FALSE, 0 },
1592 { US"certificate", VERIFY_CERT, (unsigned)~0, TRUE, 0 },
1593 { US"helo", VERIFY_HELO, (unsigned)~0, TRUE, 0 },
1594 { US"csa", VERIFY_CSA, (unsigned)~0, FALSE, 0 },
1595 { US"header_syntax", VERIFY_HDR_SYNTAX, ACL_BITS_HAVEDATA, TRUE, 0 },
1596 { US"not_blind", VERIFY_NOT_BLIND, ACL_BITS_HAVEDATA, FALSE, 0 },
1597 { US"header_sender", VERIFY_HDR_SNDR, ACL_BITS_HAVEDATA, FALSE, 0 },
1598 { US"sender", VERIFY_SNDR, ACL_BIT_MAIL | ACL_BIT_RCPT
1599 | ACL_BIT_PREDATA | ACL_BIT_DATA | ACL_BIT_NOTSMTP,
1601 { US"recipient", VERIFY_RCPT, ACL_BIT_RCPT, FALSE, 0 },
1602 { US"header_names_ascii", VERIFY_HDR_NAMES_ASCII, ACL_BITS_HAVEDATA, TRUE, 0 },
1603 #ifdef EXPERIMENTAL_ARC
1604 { US"arc", VERIFY_ARC, ACL_BIT_DATA, FALSE , 0 },
1609 enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1610 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1611 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1612 CALLOUT_HOLD, CALLOUT_TIME /* TIME must be last */
1618 BOOL has_option; /* Has =option(s) following */
1619 BOOL timeval; /* Has a time value */
1621 static callout_opt_t callout_opt_list[] = {
1622 /* name value flag has-opt has-time */
1623 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1624 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1625 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1626 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1627 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1628 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1629 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1630 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1631 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1632 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1633 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1634 { US"hold", CALLOUT_HOLD, vopt_callout_hold, FALSE, FALSE },
1635 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1641 v_period(const uschar * s, const uschar * arg, uschar ** log_msgptr)
1644 if ((period = readconf_readtime(s, 0, FALSE)) < 0)
1646 *log_msgptr = string_sprintf("bad time value in ACL condition "
1647 "\"verify %s\"", arg);
1655 sender_helo_verified_internal(void)
1657 /* We can test the result of optional HELO verification that might have
1658 occurred earlier. If not, we can attempt the verification now. */
1660 if (!f.helo_verified && !f.helo_verify_failed) smtp_verify_helo();
1661 return f.helo_verified;
1665 sender_helo_verified_cond(void)
1667 return sender_helo_verified_internal() ? OK : FAIL;
1671 sender_helo_verified_boolstr(void)
1673 return sender_helo_verified_internal() ? US"yes" : US"no";
1678 /* This function implements the "verify" condition. It is called when
1679 encountered in any ACL, because some tests are almost always permitted. Some
1680 just don't make sense, and always fail (for example, an attempt to test a host
1681 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1684 where where called from
1685 addr the recipient address that the ACL is handling, or NULL
1686 arg the argument of "verify"
1687 user_msgptr pointer for user message
1688 log_msgptr pointer for log message
1689 basic_errno where to put verify errno
1691 Returns: OK verification condition succeeded
1692 FAIL verification failed
1693 DEFER there was a problem verifying
1698 acl_verify(int where, address_item *addr, const uschar *arg,
1699 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1703 int callout_overall = -1;
1704 int callout_connect = -1;
1705 int verify_options = 0;
1707 BOOL verify_header_sender = FALSE;
1708 BOOL defer_ok = FALSE;
1709 BOOL callout_defer_ok = FALSE;
1710 BOOL no_details = FALSE;
1711 BOOL success_on_redirect = FALSE;
1713 int quota_pos_cache = QUOTA_POS_DEFAULT, quota_neg_cache = QUOTA_NEG_DEFAULT;
1714 address_item * sender_vaddr = NULL;
1715 const uschar * verify_sender_address = NULL;
1716 uschar * pm_mailfrom = NULL;
1717 uschar * se_mailfrom = NULL;
1719 /* Some of the verify items have slash-separated options; some do not. Diagnose
1720 an error if options are given for items that don't expect them.
1723 uschar *slash = Ustrchr(arg, '/');
1724 const uschar *list = arg;
1725 uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
1728 if (!ss) goto BAD_VERIFY;
1730 /* Handle name/address consistency verification in a separate function. */
1732 for (vp = verify_type_list;
1733 CS vp < CS verify_type_list + sizeof(verify_type_list);
1736 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1737 : strcmpic (ss, vp->name) == 0)
1739 if (CS vp >= CS verify_type_list + sizeof(verify_type_list))
1742 if (vp->no_options && slash)
1744 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1745 "(this verify item has no options)", arg);
1748 if (!(vp->where_allowed & BIT(where)))
1750 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s",
1751 vp->name, acl_wherenames[where]);
1756 case VERIFY_REV_HOST_LKUP:
1757 if (!sender_host_address) return OK;
1758 if ((rc = acl_verify_reverse(user_msgptr, log_msgptr)) == DEFER)
1759 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1760 if (strcmpic(ss, US"defer_ok") == 0)
1765 /* TLS certificate verification is done at STARTTLS time; here we just
1766 test whether it was successful or not. (This is for optional verification; for
1767 mandatory verification, the connection doesn't last this long.) */
1769 if (tls_in.certificate_verified) return OK;
1770 *user_msgptr = US"no verified certificate";
1774 return sender_helo_verified_cond();
1777 /* Do Client SMTP Authorization checks in a separate function, and turn the
1778 result code into user-friendly strings. */
1780 rc = acl_verify_csa(list);
1781 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1782 csa_reason_string[rc]);
1783 csa_status = csa_status_string[rc];
1784 DEBUG(D_acl) debug_printf_indent("CSA result %s\n", csa_status);
1785 return csa_return_code[rc];
1787 #ifdef EXPERIMENTAL_ARC
1789 { /* Do Authenticated Received Chain checks in a separate function. */
1790 const uschar * condlist = CUS string_nextinlist(&list, &sep, NULL, 0);
1794 if (!(arc_state = acl_verify_arc())) return DEFER;
1795 DEBUG(D_acl) debug_printf_indent("ARC verify result %s %s%s%s\n", arc_state,
1796 arc_state_reason ? "(":"", arc_state_reason, arc_state_reason ? ")":"");
1798 if (!condlist) condlist = US"none:pass";
1799 while ((cond = string_nextinlist(&condlist, &csep, NULL, 0)))
1800 if (Ustrcmp(arc_state, cond) == 0) return OK;
1805 case VERIFY_HDR_SYNTAX:
1806 /* Check that all relevant header lines have the correct 5322-syntax. If there is
1807 a syntax error, we return details of the error to the sender if configured to
1808 send out full details. (But a "message" setting on the ACL can override, as
1811 rc = verify_check_headers(log_msgptr);
1812 if (rc != OK && *log_msgptr)
1813 if (smtp_return_error_details)
1814 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1816 acl_verify_message = *log_msgptr;
1819 case VERIFY_HDR_NAMES_ASCII:
1820 /* Check that all header names are true 7 bit strings
1821 See RFC 5322, 2.2. and RFC 6532, 3. */
1823 rc = verify_check_header_names_ascii(log_msgptr);
1824 if (rc != OK && smtp_return_error_details && *log_msgptr)
1825 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1828 case VERIFY_NOT_BLIND:
1829 /* Check that no recipient of this message is "blind", that is, every envelope
1830 recipient must be mentioned in either To: or Cc:. */
1832 BOOL case_sensitive = TRUE;
1834 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1835 if (strcmpic(ss, US"case_insensitive") == 0)
1836 case_sensitive = FALSE;
1839 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1840 "condition \"verify %s\"", ss, arg);
1844 if ((rc = verify_check_notblind(case_sensitive)) != OK)
1846 *log_msgptr = US"bcc recipient detected";
1847 if (smtp_return_error_details)
1848 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1853 /* The remaining verification tests check recipient and sender addresses,
1854 either from the envelope or from the header. There are a number of
1855 slash-separated options that are common to all of them. */
1857 case VERIFY_HDR_SNDR:
1858 verify_header_sender = TRUE;
1862 /* In the case of a sender, this can optionally be followed by an address to use
1863 in place of the actual sender (rare special-case requirement). */
1867 verify_sender_address = sender_address;
1870 while (isspace(*s)) s++;
1871 if (*s++ != '=') goto BAD_VERIFY;
1872 while (isspace(*s)) s++;
1873 verify_sender_address = string_copy(s);
1884 /* Remaining items are optional; they apply to sender and recipient
1885 verification, including "header sender" verification. */
1887 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1889 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1890 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1891 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1893 /* These two old options are left for backwards compatibility */
1895 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1897 callout_defer_ok = TRUE;
1898 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1901 else if (strcmpic(ss, US"check_postmaster") == 0)
1904 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1907 /* The callout option has a number of sub-options, comma separated */
1909 else if (strncmpic(ss, US"callout", 7) == 0)
1911 callout = CALLOUT_TIMEOUT_DEFAULT;
1914 while (isspace(*ss)) ss++;
1917 const uschar * sublist = ss;
1920 while (isspace(*sublist)) sublist++;
1921 for (uschar * opt; opt = string_nextinlist(&sublist, &optsep, NULL, 0); )
1924 double period = 1.0F;
1926 for (op= callout_opt_list; op->name; op++)
1927 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
1930 verify_options |= op->flag;
1933 opt += Ustrlen(op->name);
1934 while (isspace(*opt)) opt++;
1937 *log_msgptr = string_sprintf("'=' expected after "
1938 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
1941 while (isspace(*opt)) opt++;
1943 if (op->timeval && (period = v_period(opt, arg, log_msgptr)) < 0)
1948 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1949 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1950 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1951 case CALLOUT_MAILFROM:
1952 if (!verify_header_sender)
1954 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1955 "callout option only for verify=header_sender (detected in ACL "
1956 "condition \"%s\")", arg);
1959 se_mailfrom = string_copy(opt);
1961 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1962 case CALLOUT_MAXWAIT: callout_overall = period; break;
1963 case CALLOUT_CONNECT: callout_connect = period; break;
1964 case CALLOUT_TIME: callout = period; break;
1970 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1971 "ACL condition \"%s\"", arg);
1977 /* The quota option has sub-options, comma-separated */
1979 else if (strncmpic(ss, US"quota", 5) == 0)
1984 while (isspace(*ss)) ss++;
1987 const uschar * sublist = ss;
1991 while (isspace(*sublist)) sublist++;
1992 for (uschar * opt; opt = string_nextinlist(&sublist, &optsep, NULL, 0); )
1993 if (Ustrncmp(opt, "cachepos=", 9) == 0)
1994 if ((period = v_period(opt += 9, arg, log_msgptr)) < 0)
1997 quota_pos_cache = period;
1998 else if (Ustrncmp(opt, "cacheneg=", 9) == 0)
1999 if ((period = v_period(opt += 9, arg, log_msgptr)) < 0)
2002 quota_neg_cache = period;
2003 else if (Ustrcmp(opt, "no_cache") == 0)
2004 quota_pos_cache = quota_neg_cache = 0;
2009 /* Option not recognized */
2013 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
2014 "condition \"verify %s\"", ss, arg);
2019 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
2020 (vopt_callout_recipsender|vopt_callout_recippmaster))
2022 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
2023 "for a recipient callout";
2027 /* Handle quota verification */
2030 if (vp->value != VERIFY_RCPT)
2032 *log_msgptr = US"can only verify quota of recipient";
2036 if ((rc = verify_quota_call(addr->address,
2037 quota_pos_cache, quota_neg_cache, log_msgptr)) != OK)
2039 *basic_errno = errno;
2040 if (smtp_return_error_details)
2042 if (!*user_msgptr && *log_msgptr)
2043 *user_msgptr = string_sprintf("Rejected after %s: %s",
2044 smtp_names[smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)]],
2046 if (rc == DEFER) f.acl_temp_details = TRUE;
2053 /* Handle sender-in-header verification. Default the user message to the log
2054 message if giving out verification details. */
2056 if (verify_header_sender)
2060 if ((rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
2061 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
2064 *basic_errno = verrno;
2065 if (smtp_return_error_details)
2067 if (!*user_msgptr && *log_msgptr)
2068 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
2069 if (rc == DEFER) f.acl_temp_details = TRUE;
2074 /* Handle a sender address. The default is to verify *the* sender address, but
2075 optionally a different address can be given, for special requirements. If the
2076 address is empty, we are dealing with a bounce message that has no sender, so
2077 we cannot do any checking. If the real sender address gets rewritten during
2078 verification (e.g. DNS widening), set the flag to stop it being rewritten again
2079 during message reception.
2081 A list of verified "sender" addresses is kept to try to avoid doing to much
2082 work repetitively when there are multiple recipients in a message and they all
2083 require sender verification. However, when callouts are involved, it gets too
2084 complicated because different recipients may require different callout options.
2085 Therefore, we always do a full sender verify when any kind of callout is
2086 specified. Caching elsewhere, for instance in the DNS resolver and in the
2087 callout handling, should ensure that this is not terribly inefficient. */
2089 else if (verify_sender_address)
2091 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)))
2093 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
2094 "sender verify callout";
2098 sender_vaddr = verify_checked_sender(verify_sender_address);
2099 if ( sender_vaddr /* Previously checked */
2100 && callout <= 0) /* No callout needed this time */
2102 /* If the "routed" flag is set, it means that routing worked before, so
2103 this check can give OK (the saved return code value, if set, belongs to a
2104 callout that was done previously). If the "routed" flag is not set, routing
2105 must have failed, so we use the saved return code. */
2107 if (testflag(sender_vaddr, af_verify_routed))
2111 rc = sender_vaddr->special_action;
2112 *basic_errno = sender_vaddr->basic_errno;
2114 HDEBUG(D_acl) debug_printf_indent("using cached sender verify result\n");
2117 /* Do a new verification, and cache the result. The cache is used to avoid
2118 verifying the sender multiple times for multiple RCPTs when callouts are not
2119 specified (see comments above).
2121 The cache is also used on failure to give details in response to the first
2122 RCPT that gets bounced for this reason. However, this can be suppressed by
2123 the no_details option, which sets the flag that says "this detail has already
2124 been sent". The cache normally contains just one address, but there may be
2125 more in esoteric circumstances. */
2130 uschar *save_address_data = deliver_address_data;
2132 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
2134 if ((sender_vaddr->prop.utf8_msg = message_smtputf8))
2136 sender_vaddr->prop.utf8_downcvt = message_utf8_downconvert == 1;
2137 sender_vaddr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
2140 if (no_details) setflag(sender_vaddr, af_sverify_told);
2141 if (verify_sender_address[0] != 0)
2143 /* If this is the real sender address, save the unrewritten version
2144 for use later in receive. Otherwise, set a flag so that rewriting the
2145 sender in verify_address() does not update sender_address. */
2147 if (verify_sender_address == sender_address)
2148 sender_address_unrewritten = sender_address;
2150 verify_options |= vopt_fake_sender;
2152 if (success_on_redirect)
2153 verify_options |= vopt_success_on_redirect;
2155 /* The recipient, qualify, and expn options are never set in
2158 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
2159 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
2161 HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
2164 *basic_errno = sender_vaddr->basic_errno;
2167 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2168 debug_printf_indent("sender %s verified ok as %s\n",
2169 verify_sender_address, sender_vaddr->address);
2171 debug_printf_indent("sender %s verified ok\n",
2172 verify_sender_address);
2175 rc = OK; /* Null sender */
2177 /* Cache the result code */
2179 if (routed) setflag(sender_vaddr, af_verify_routed);
2180 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2181 sender_vaddr->special_action = rc;
2182 sender_vaddr->next = sender_verified_list;
2183 sender_verified_list = sender_vaddr;
2185 /* Restore the recipient address data, which might have been clobbered by
2186 the sender verification. */
2188 deliver_address_data = save_address_data;
2191 /* Put the sender address_data value into $sender_address_data */
2193 sender_address_data = sender_vaddr->prop.address_data;
2196 /* A recipient address just gets a straightforward verify; again we must handle
2197 the DEFER overrides. */
2203 if (success_on_redirect)
2204 verify_options |= vopt_success_on_redirect;
2206 /* We must use a copy of the address for verification, because it might
2210 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
2211 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
2212 HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
2214 *basic_errno = addr2.basic_errno;
2215 *log_msgptr = addr2.message;
2216 *user_msgptr = addr2.user_message ? addr2.user_message : addr2.message;
2218 /* Allow details for temporary error if the address is so flagged. */
2219 if (testflag((&addr2), af_pass_message)) f.acl_temp_details = TRUE;
2221 /* Make $address_data visible */
2222 deliver_address_data = addr2.prop.address_data;
2225 /* We have a result from the relevant test. Handle defer overrides first. */
2229 || callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER
2232 HDEBUG(D_acl) debug_printf_indent("verify defer overridden by %s\n",
2233 defer_ok? "defer_ok" : "callout_defer_ok");
2237 /* If we've failed a sender, set up a recipient message, and point
2238 sender_verified_failed to the address item that actually failed. */
2240 if (rc != OK && verify_sender_address)
2243 *log_msgptr = *user_msgptr = US"Sender verify failed";
2244 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2245 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2248 *log_msgptr = US"Could not complete sender verify callout";
2249 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2253 sender_verified_failed = sender_vaddr;
2256 /* Verifying an address messes up the values of $domain and $local_part,
2257 so reset them before returning if this is a RCPT ACL. */
2261 deliver_domain = addr->domain;
2262 deliver_localpart = addr->local_part;
2266 /* Syntax errors in the verify argument come here. */
2269 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2270 "\"helo\", \"header_syntax\", \"header_sender\", \"header_names_ascii\" "
2271 "or \"reverse_host_lookup\" at start of ACL condition "
2272 "\"verify %s\"", arg);
2279 /*************************************************
2280 * Check argument for control= modifier *
2281 *************************************************/
2283 /* Called from acl_check_condition() below.
2284 To handle the case "queue_only" we accept an _ in the
2285 initial / option-switch position.
2288 arg the argument string for control=
2289 pptr set to point to the terminating character
2290 where which ACL we are in
2291 log_msgptr for error messages
2293 Returns: CONTROL_xxx value
2297 decode_control(const uschar *arg, const uschar **pptr, int where, uschar **log_msgptr)
2303 if ( (idx = find_control(arg, controls_list, nelem(controls_list))) < 0
2304 || ( (c = arg[len = Ustrlen((d = controls_list+idx)->name)]) != 0
2305 && (!d->has_option || c != '/' && c != '_')
2308 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2309 return CONTROL_ERROR;
2319 /*************************************************
2320 * Return a ratelimit error *
2321 *************************************************/
2323 /* Called from acl_ratelimit() below
2326 log_msgptr for error messages
2327 format format string
2328 ... supplementary arguments
2334 ratelimit_error(uschar **log_msgptr, const char *format, ...)
2338 string_cat(NULL, US"error in arguments to \"ratelimit\" condition: ");
2340 va_start(ap, format);
2341 g = string_vformat(g, SVFMT_EXTEND|SVFMT_REBUFFER, format, ap);
2344 gstring_release_unused(g);
2345 *log_msgptr = string_from_gstring(g);
2352 /*************************************************
2353 * Handle rate limiting *
2354 *************************************************/
2356 /* Called by acl_check_condition() below to calculate the result
2357 of the ACL ratelimit condition.
2359 Note that the return value might be slightly unexpected: if the
2360 sender's rate is above the limit then the result is OK. This is
2361 similar to the dnslists condition, and is so that you can write
2362 ACL clauses like: defer ratelimit = 15 / 1h
2365 arg the option string for ratelimit=
2366 where ACL_WHERE_xxxx indicating which ACL this is
2367 log_msgptr for error messages
2369 Returns: OK - Sender's rate is above limit
2370 FAIL - Sender's rate is below limit
2371 DEFER - Problem opening ratelimit database
2372 ERROR - Syntax error in options.
2376 acl_ratelimit(const uschar *arg, int where, uschar **log_msgptr)
2378 double limit, period, count;
2381 uschar *unique = NULL;
2383 BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2384 BOOL noupdate = FALSE, badacl = FALSE;
2385 int mode = RATE_PER_WHAT;
2387 tree_node **anchor, *t;
2388 open_db dbblock, *dbm;
2390 dbdata_ratelimit *dbd;
2391 dbdata_ratelimit_unique *dbdb;
2394 /* Parse the first two options and record their values in expansion
2395 variables. These variables allow the configuration to have informative
2396 error messages based on rate limits obtained from a table lookup. */
2398 /* First is the maximum number of messages per period / maximum burst
2399 size, which must be greater than or equal to zero. Zero is useful for
2400 rate measurement as opposed to rate limiting. */
2402 if (!(sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0)))
2403 return ratelimit_error(log_msgptr, "sender rate limit not set");
2405 limit = Ustrtod(sender_rate_limit, &ss);
2406 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2407 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2408 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2410 if (limit < 0.0 || *ss != '\0')
2411 return ratelimit_error(log_msgptr,
2412 "\"%s\" is not a positive number", sender_rate_limit);
2414 /* Second is the rate measurement period / exponential smoothing time
2415 constant. This must be strictly greater than zero, because zero leads to
2416 run-time division errors. */
2418 period = !(sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0))
2419 ? -1.0 : readconf_readtime(sender_rate_period, 0, FALSE);
2421 return ratelimit_error(log_msgptr,
2422 "\"%s\" is not a time value", sender_rate_period);
2424 /* By default we are counting one of something, but the per_rcpt,
2425 per_byte, and count options can change this. */
2429 /* Parse the other options. */
2431 while ((ss = string_nextinlist(&arg, &sep, NULL, 0)))
2433 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2434 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2435 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2436 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2437 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2438 else if (strcmpic(ss, US"per_conn") == 0)
2440 RATE_SET(mode, PER_CONN);
2441 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2444 else if (strcmpic(ss, US"per_mail") == 0)
2446 RATE_SET(mode, PER_MAIL);
2447 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2449 else if (strcmpic(ss, US"per_rcpt") == 0)
2451 /* If we are running in the RCPT ACL, then we'll count the recipients
2452 one by one, but if we are running when we have accumulated the whole
2453 list then we'll add them all in one batch. */
2454 if (where == ACL_WHERE_RCPT)
2455 RATE_SET(mode, PER_RCPT);
2456 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2457 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2458 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2459 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2461 else if (strcmpic(ss, US"per_byte") == 0)
2463 /* If we have not yet received the message data and there was no SIZE
2464 declaration on the MAIL command, then it's safe to just use a value of
2465 zero and let the recorded rate decay as if nothing happened. */
2466 RATE_SET(mode, PER_MAIL);
2467 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2468 else count = message_size < 0 ? 0.0 : (double)message_size;
2470 else if (strcmpic(ss, US"per_addr") == 0)
2472 RATE_SET(mode, PER_RCPT);
2473 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
2474 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2476 else if (strncmpic(ss, US"count=", 6) == 0)
2479 count = Ustrtod(ss+6, &e);
2480 if (count < 0.0 || *e != '\0')
2481 return ratelimit_error(log_msgptr, "\"%s\" is not a positive number", ss);
2483 else if (strncmpic(ss, US"unique=", 7) == 0)
2484 unique = string_copy(ss + 7);
2486 key = string_copy(ss);
2488 key = string_sprintf("%s/%s", key, ss);
2491 /* Sanity check. When the badacl flag is set the update mode must either
2492 be readonly (which is the default if it is omitted) or, for backwards
2493 compatibility, a combination of noupdate and strict or leaky. */
2495 if (mode == RATE_PER_CLASH)
2496 return ratelimit_error(log_msgptr, "conflicting per_* options");
2497 if (leaky + strict + readonly > 1)
2498 return ratelimit_error(log_msgptr, "conflicting update modes");
2499 if (badacl && (leaky || strict) && !noupdate)
2500 return ratelimit_error(log_msgptr,
2501 "\"%s\" must not have /leaky or /strict option, or cannot be used in %s ACL",
2502 ratelimit_option_string[mode], acl_wherenames[where]);
2504 /* Set the default values of any unset options. In readonly mode we
2505 perform the rate computation without any increment so that its value
2506 decays to eventually allow over-limit senders through. */
2508 if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2509 if (badacl) readonly = TRUE;
2510 if (readonly) count = 0.0;
2511 if (!strict && !readonly) leaky = TRUE;
2512 if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
2514 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2515 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2516 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2517 are added to the key because they alter the meaning of the stored data. */
2520 key = !sender_host_address ? US"" : sender_host_address;
2522 key = string_sprintf("%s/%s/%s%s",
2524 ratelimit_option_string[mode],
2525 unique == NULL ? "" : "unique/",
2529 debug_printf_indent("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
2531 /* See if we have already computed the rate by looking in the relevant tree.
2532 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2533 pool so that they survive across resets. In readonly mode we only remember the
2534 result for the rest of this command in case a later command changes it. After
2535 this bit of logic the code is independent of the per_* mode. */
2537 old_pool = store_pool;
2540 anchor = &ratelimiters_cmd;
2544 anchor = &ratelimiters_conn;
2545 store_pool = POOL_PERM;
2549 case RATE_PER_ALLRCPTS:
2550 anchor = &ratelimiters_mail;
2555 anchor = &ratelimiters_cmd;
2558 anchor = NULL; /* silence an "unused" complaint */
2559 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2560 "internal ACL error: unknown ratelimit mode %d", mode);
2565 if ((t = tree_search(*anchor, key)))
2568 /* The following few lines duplicate some of the code below. */
2569 rc = (dbd->rate < limit)? FAIL : OK;
2570 store_pool = old_pool;
2571 sender_rate = string_sprintf("%.1f", dbd->rate);
2573 debug_printf_indent("ratelimit found pre-computed rate %s\n", sender_rate);
2577 /* We aren't using a pre-computed rate, so get a previously recorded rate
2578 from the database, which will be updated and written back if required. */
2580 if (!(dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE, TRUE)))
2582 store_pool = old_pool;
2584 HDEBUG(D_acl) debug_printf_indent("ratelimit database not available\n");
2585 *log_msgptr = US"ratelimit database not available";
2588 dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2591 gettimeofday(&tv, NULL);
2595 /* Locate the basic ratelimit block inside the DB data. */
2596 HDEBUG(D_acl) debug_printf_indent("ratelimit found key in database\n");
2599 /* Forget the old Bloom filter if it is too old, so that we count each
2600 repeating event once per period. We don't simply clear and re-use the old
2601 filter because we want its size to change if the limit changes. Note that
2602 we keep the dbd pointer for copying the rate into the new data block. */
2604 if(unique && tv.tv_sec > dbdb->bloom_epoch + period)
2606 HDEBUG(D_acl) debug_printf_indent("ratelimit discarding old Bloom filter\n");
2612 if(unique && dbdb_size < sizeof(*dbdb))
2614 HDEBUG(D_acl) debug_printf_indent("ratelimit discarding undersize Bloom filter\n");
2619 /* Allocate a new data block if the database lookup failed
2620 or the Bloom filter passed its age limit. */
2626 /* No Bloom filter. This basic ratelimit block is initialized below. */
2627 HDEBUG(D_acl) debug_printf_indent("ratelimit creating new rate data block\n");
2628 dbdb_size = sizeof(*dbd);
2629 dbdb = store_get(dbdb_size, GET_UNTAINTED);
2634 HDEBUG(D_acl) debug_printf_indent("ratelimit creating new Bloom filter\n");
2636 /* See the long comment below for an explanation of the magic number 2.
2637 The filter has a minimum size in case the rate limit is very small;
2638 this is determined by the definition of dbdata_ratelimit_unique. */
2640 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2641 if (extra < 0) extra = 0;
2642 dbdb_size = sizeof(*dbdb) + extra;
2643 dbdb = store_get(dbdb_size, GET_UNTAINTED);
2644 dbdb->bloom_epoch = tv.tv_sec;
2645 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2646 memset(dbdb->bloom, 0, dbdb->bloom_size);
2648 /* Preserve any basic ratelimit data (which is our longer-term memory)
2649 by copying it from the discarded block. */
2659 /* If we are counting unique events, find out if this event is new or not.
2660 If the client repeats the event during the current period then it should be
2661 counted. We skip this code in readonly mode for efficiency, because any
2662 changes to the filter will be discarded and because count is already set to
2665 if (unique && !readonly)
2667 /* We identify unique events using a Bloom filter. (You can find my
2668 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2669 With the per_addr option, an "event" is a recipient address, though the
2670 user can use the unique option to define their own events. We only count
2671 an event if we have not seen it before.
2673 We size the filter according to the rate limit, which (in leaky mode)
2674 is the limit on the population of the filter. We allow 16 bits of space
2675 per entry (see the construction code above) and we set (up to) 8 of them
2676 when inserting an element (see the loop below). The probability of a false
2677 positive (an event we have not seen before but which we fail to count) is
2681 allzero = exp(-numhash * pop / size)
2682 = exp(-0.5 * pop / limit)
2683 fpr = pow(1 - allzero, numhash)
2685 For senders at the limit the fpr is 0.06% or 1 in 1700
2686 and for senders at half the limit it is 0.0006% or 1 in 170000
2688 In strict mode the Bloom filter can fill up beyond the normal limit, in
2689 which case the false positive rate will rise. This means that the
2690 measured rate for very fast senders can bogusly drop off after a while.
2692 At twice the limit, the fpr is 2.5% or 1 in 40
2693 At four times the limit, it is 31% or 1 in 3.2
2695 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2696 decay below the limit, and if this is more than one then the Bloom filter
2697 will be discarded before the decay gets that far. The false positive rate
2698 at this threshold is 9.3% or 1 in 10.7. */
2701 unsigned n, hash, hinc;
2705 /* Instead of using eight independent hash values, we combine two values
2706 using the formula h1 + n * h2. This does not harm the Bloom filter's
2707 performance, and means the amount of hash we need is independent of the
2708 number of bits we set in the filter. */
2710 md5_start(&md5info);
2711 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2712 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2713 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2715 /* Scan the bits corresponding to this event. A zero bit means we have
2716 not seen it before. Ensure all bits are set to record this event. */
2718 HDEBUG(D_acl) debug_printf_indent("ratelimit checking uniqueness of %s\n", unique);
2721 for (n = 0; n < 8; n++, hash += hinc)
2723 int bit = 1 << (hash % 8);
2724 int byte = (hash / 8) % dbdb->bloom_size;
2725 if ((dbdb->bloom[byte] & bit) == 0)
2727 dbdb->bloom[byte] |= bit;
2732 /* If this event has occurred before, do not count it. */
2736 HDEBUG(D_acl) debug_printf_indent("ratelimit event found in Bloom filter\n");
2740 HDEBUG(D_acl) debug_printf_indent("ratelimit event added to Bloom filter\n");
2743 /* If there was no previous ratelimit data block for this key, initialize
2744 the new one, otherwise update the block from the database. The initial rate
2745 is what would be computed by the code below for an infinite interval. */
2749 HDEBUG(D_acl) debug_printf_indent("ratelimit initializing new key's rate data\n");
2751 dbd->time_stamp = tv.tv_sec;
2752 dbd->time_usec = tv.tv_usec;
2757 /* The smoothed rate is computed using an exponentially weighted moving
2758 average adjusted for variable sampling intervals. The standard EWMA for
2759 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2760 where f() is the measured value and f'() is the smoothed value.
2762 Old data decays out of the smoothed value exponentially, such that data n
2763 samples old is multiplied by a^n. The exponential decay time constant p
2764 is defined such that data p samples old is multiplied by 1/e, which means
2765 that a = exp(-1/p). We can maintain the same time constant for a variable
2766 sampling interval i by using a = exp(-i/p).
2768 The rate we are measuring is messages per period, suitable for directly
2769 comparing with the limit. The average rate between now and the previous
2770 message is period / interval, which we feed into the EWMA as the sample.
2772 It turns out that the number of messages required for the smoothed rate
2773 to reach the limit when they are sent in a burst is equal to the limit.
2774 This can be seen by analysing the value of the smoothed rate after N
2775 messages sent at even intervals. Let k = (1 - a) * p/i
2777 rate_1 = (1 - a) * p/i + a * rate_0
2779 rate_2 = k + a * rate_1
2780 = k + a * k + a^2 * rate_0
2781 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2782 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2783 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2784 = rate_0 * a^N + p/i * (1 - a^N)
2786 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2788 rate_N = p/i + (rate_0 - p/i) * a^N
2789 a^N = (rate_N - p/i) / (rate_0 - p/i)
2790 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2791 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2793 Numerical analysis of the above equation, setting the computed rate to
2794 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2795 rates, p/i, the number of messages N = limit. So limit serves as both the
2796 maximum rate measured in messages per period, and the maximum number of
2797 messages that can be sent in a fast burst. */
2799 double this_time = (double)tv.tv_sec
2800 + (double)tv.tv_usec / 1000000.0;
2801 double prev_time = (double)dbd->time_stamp
2802 + (double)dbd->time_usec / 1000000.0;
2804 /* We must avoid division by zero, and deal gracefully with the clock going
2805 backwards. If we blunder ahead when time is in reverse then the computed
2806 rate will be bogus. To be safe we clamp interval to a very small number. */
2808 double interval = this_time - prev_time <= 0.0 ? 1e-9
2809 : this_time - prev_time;
2811 double i_over_p = interval / period;
2812 double a = exp(-i_over_p);
2814 /* Combine the instantaneous rate (period / interval) with the previous rate
2815 using the smoothing factor a. In order to measure sized events, multiply the
2816 instantaneous rate by the count of bytes or recipients etc. */
2818 dbd->time_stamp = tv.tv_sec;
2819 dbd->time_usec = tv.tv_usec;
2820 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2822 /* When events are very widely spaced the computed rate tends towards zero.
2823 Although this is accurate it turns out not to be useful for our purposes,
2824 especially when the first event after a long silence is the start of a spam
2825 run. A more useful model is that the rate for an isolated event should be the
2826 size of the event per the period size, ignoring the lack of events outside
2827 the current period and regardless of where the event falls in the period. So,
2828 if the interval was so long that the calculated rate is unhelpfully small, we
2829 re-initialize the rate. In the absence of higher-rate bursts, the condition
2830 below is true if the interval is greater than the period. */
2832 if (dbd->rate < count) dbd->rate = count;
2835 /* Clients sending at the limit are considered to be over the limit.
2836 This matters for edge cases such as a limit of zero, when the client
2837 should be completely blocked. */
2839 rc = dbd->rate < limit ? FAIL : OK;
2841 /* Update the state if the rate is low or if we are being strict. If we
2842 are in leaky mode and the sender's rate is too high, we do not update
2843 the recorded rate in order to avoid an over-aggressive sender's retry
2844 rate preventing them from getting any email through. If readonly is set,
2845 neither leaky nor strict are set, so we do not do any updates. */
2847 if ((rc == FAIL && leaky) || strict)
2849 dbfn_write(dbm, key, dbdb, dbdb_size);
2850 HDEBUG(D_acl) debug_printf_indent("ratelimit db updated\n");
2854 HDEBUG(D_acl) debug_printf_indent("ratelimit db not updated: %s\n",
2855 readonly? "readonly mode" : "over the limit, but leaky");
2860 /* Store the result in the tree for future reference. Take the taint status
2861 from the key for consistency even though it's unlikely we'll ever expand this. */
2863 t = store_get(sizeof(tree_node) + Ustrlen(key), key);
2865 Ustrcpy(t->name, key);
2866 (void)tree_insertnode(anchor, t);
2868 /* We create the formatted version of the sender's rate very late in
2869 order to ensure that it is done using the correct storage pool. */
2871 store_pool = old_pool;
2872 sender_rate = string_sprintf("%.1f", dbd->rate);
2875 debug_printf_indent("ratelimit computed rate %s\n", sender_rate);
2882 /*************************************************
2883 * Handle a check for previously-seen *
2884 *************************************************/
2887 ACL clauses like: seen = -5m / key=$foo / readonly
2889 Return is true for condition-true - but the semantics
2890 depend heavily on the actual use-case.
2892 Negative times test for seen-before, positive for seen-more-recently-than
2893 (the given interval before current time).
2895 All are subject to history not having been cleaned from the DB.
2897 Default for seen-before is to create if not present, and to
2898 update if older than 10d (with the seen-test time).
2899 Default for seen-since is to always create or update.
2902 key=value. Default key is $sender_host_address
2905 refresh=<interval>: update an existing DB entry older than given
2906 amount. Default refresh lacking this option is 10d.
2907 The update sets the record timestamp to the seen-test time.
2909 XXX do we need separate nocreate, noupdate controls?
2912 arg the option string for seen=
2913 where ACL_WHERE_xxxx indicating which ACL this is
2914 log_msgptr for error messages
2916 Returns: OK - Condition is true
2917 FAIL - Condition is false
2918 DEFER - Problem opening history database
2919 ERROR - Syntax error in options
2923 acl_seen(const uschar * arg, int where, uschar ** log_msgptr)
2925 enum { SEEN_DEFAULT, SEEN_READONLY, SEEN_WRITE };
2927 const uschar * list = arg;
2928 int slash = '/', interval, mode = SEEN_DEFAULT, yield = FAIL;
2930 int refresh = 10 * 24 * 60 * 60; /* 10 days */
2931 const uschar * ele, * key = sender_host_address;
2932 open_db dbblock, * dbm;
2936 /* Parse the first element, the time-relation. */
2938 if (!(ele = string_nextinlist(&list, &slash, NULL, 0)))
2940 if ((before = *ele == '-'))
2942 if ((interval = readconf_readtime(ele, 0, FALSE)) < 0)
2945 /* Remaining elements are options */
2947 while ((ele = string_nextinlist(&list, &slash, NULL, 0)))
2948 if (Ustrncmp(ele, "key=", 4) == 0)
2950 else if (Ustrcmp(ele, "readonly") == 0)
2951 mode = SEEN_READONLY;
2952 else if (Ustrcmp(ele, "write") == 0)
2954 else if (Ustrncmp(ele, "refresh=", 8) == 0)
2956 if ((refresh = readconf_readtime(ele + 8, 0, FALSE)) < 0)
2962 if (!(dbm = dbfn_open(US"seen", O_RDWR, &dbblock, TRUE, TRUE)))
2964 HDEBUG(D_acl) debug_printf_indent("database for 'seen' not available\n");
2965 *log_msgptr = US"database for 'seen' not available";
2969 dbd = dbfn_read_with_length(dbm, key, NULL);
2971 if (dbd) /* an existing record */
2973 time_t diff = now - dbd->time_stamp; /* time since the record was written */
2975 if (before ? diff >= interval : diff < interval)
2978 if (mode == SEEN_READONLY)
2979 { HDEBUG(D_acl) debug_printf_indent("seen db not written (readonly)\n"); }
2980 else if (mode == SEEN_WRITE || !before)
2982 dbd->time_stamp = now;
2983 dbfn_write(dbm, key, dbd, sizeof(*dbd));
2984 HDEBUG(D_acl) debug_printf_indent("seen db written (update)\n");
2986 else if (diff >= refresh)
2988 dbd->time_stamp = now - interval;
2989 dbfn_write(dbm, key, dbd, sizeof(*dbd));
2990 HDEBUG(D_acl) debug_printf_indent("seen db written (refresh)\n");
2994 { /* No record found, yield always FAIL */
2995 if (mode != SEEN_READONLY)
2997 dbdata_seen d = {.time_stamp = now};
2998 dbfn_write(dbm, key, &d, sizeof(*dbd));
2999 HDEBUG(D_acl) debug_printf_indent("seen db written (create)\n");
3002 HDEBUG(D_acl) debug_printf_indent("seen db not written (readonly)\n");
3010 *log_msgptr = string_sprintf("failed to parse '%s'", arg);
3013 *log_msgptr = string_sprintf("unrecognised option '%s' in '%s'", ele, arg);
3019 /*************************************************
3020 * The udpsend ACL modifier *
3021 *************************************************/
3023 /* Called by acl_check_condition() below.
3026 arg the option string for udpsend=
3027 log_msgptr for error messages
3029 Returns: OK - Completed.
3030 DEFER - Problem with DNS lookup.
3031 ERROR - Syntax error in options.
3035 acl_udpsend(const uschar *arg, uschar **log_msgptr)
3047 hostname = string_nextinlist(&arg, &sep, NULL, 0);
3048 portstr = string_nextinlist(&arg, &sep, NULL, 0);
3052 *log_msgptr = US"missing destination host in \"udpsend\" modifier";
3057 *log_msgptr = US"missing destination port in \"udpsend\" modifier";
3062 *log_msgptr = US"missing datagram payload in \"udpsend\" modifier";
3065 portnum = Ustrtol(portstr, &portend, 10);
3066 if (*portend != '\0')
3068 *log_msgptr = US"bad destination port in \"udpsend\" modifier";
3072 /* Make a single-item host list. */
3073 h = store_get(sizeof(host_item), GET_UNTAINTED);
3074 memset(h, 0, sizeof(host_item));
3079 if (string_is_ip_address(hostname, NULL))
3080 h->address = hostname, r = HOST_FOUND;
3082 r = host_find_byname(h, NULL, 0, NULL, FALSE);
3083 if (r == HOST_FIND_FAILED || r == HOST_FIND_AGAIN)
3085 *log_msgptr = US"DNS lookup failed in \"udpsend\" modifier";
3090 debug_printf_indent("udpsend [%s]:%d %s\n", h->address, portnum, arg);
3092 /*XXX this could better use sendto */
3093 r = s = ip_connectedsocket(SOCK_DGRAM, h->address, portnum, portnum,
3094 1, NULL, &errstr, NULL);
3095 if (r < 0) goto defer;
3097 r = send(s, arg, len, 0);
3100 errstr = US strerror(errno);
3108 string_sprintf("\"udpsend\" truncated from %d to %d octets", len, r);
3113 debug_printf_indent("udpsend %d bytes\n", r);
3118 *log_msgptr = string_sprintf("\"udpsend\" failed: %s", errstr);
3124 /*************************************************
3125 * Handle conditions/modifiers on an ACL item *
3126 *************************************************/
3128 /* Called from acl_check() below.
3132 cb ACL condition block - if NULL, result is OK
3133 where where called from
3134 addr the address being checked for RCPT, or NULL
3135 level the nesting level
3136 epp pointer to pass back TRUE if "endpass" encountered
3137 (applies only to "accept" and "discard")
3138 user_msgptr user message pointer
3139 log_msgptr log message pointer
3140 basic_errno pointer to where to put verify error
3142 Returns: OK - all conditions are met
3143 DISCARD - an "acl" condition returned DISCARD - only allowed
3144 for "accept" or "discard" verbs
3145 FAIL - at least one condition fails
3146 FAIL_DROP - an "acl" condition returned FAIL_DROP
3147 DEFER - can't tell at the moment (typically, lookup defer,
3148 but can be temporary callout problem)
3149 ERROR - ERROR from nested ACL or expansion failure or other
3154 acl_check_condition(int verb, acl_condition_block *cb, int where,
3155 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
3156 uschar **log_msgptr, int *basic_errno)
3158 uschar * user_message = NULL;
3159 uschar * log_message = NULL;
3162 for (; cb; cb = cb->next)
3166 BOOL textonly = FALSE;
3168 /* The message and log_message items set up messages to be used in
3169 case of rejection. They are expanded later. */
3171 if (cb->type == ACLC_MESSAGE)
3173 HDEBUG(D_acl) debug_printf_indent(" message: %s\n", cb->arg);
3174 user_message = cb->arg;
3178 if (cb->type == ACLC_LOG_MESSAGE)
3180 HDEBUG(D_acl) debug_printf_indent("l_message: %s\n", cb->arg);
3181 log_message = cb->arg;
3185 /* The endpass "condition" just sets a flag to show it occurred. This is
3186 checked at compile time to be on an "accept" or "discard" item. */
3188 if (cb->type == ACLC_ENDPASS)
3194 /* For other conditions and modifiers, the argument is expanded now for some
3195 of them, but not for all, because expansion happens down in some lower level
3196 checking functions in some cases. */
3198 if (!conditions[cb->type].expand_at_top)
3201 else if (!(arg = expand_string_2(cb->arg, &textonly)))
3203 if (f.expand_string_forcedfail) continue;
3204 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
3205 cb->arg, expand_string_message);
3206 return f.search_find_defer ? DEFER : ERROR;
3209 /* Show condition, and expanded condition if it's different */
3214 debug_printf_indent("check %s%s %n",
3215 (!conditions[cb->type].is_modifier && cb->u.negated)? "!":"",
3216 conditions[cb->type].name, &lhswidth);
3218 if (cb->type == ACLC_SET)
3220 #ifndef DISABLE_DKIM
3221 if ( Ustrcmp(cb->u.varname, "dkim_verify_status") == 0
3222 || Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
3224 debug_printf("%s ", cb->u.varname);
3230 debug_printf("acl_%s ", cb->u.varname);
3231 lhswidth += 5 + Ustrlen(cb->u.varname);
3235 debug_printf("= %s\n", cb->arg);
3238 debug_printf("%.*s= %s\n", lhswidth,
3242 /* Check that this condition makes sense at this time */
3244 if ((conditions[cb->type].forbids & (1 << where)) != 0)
3246 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
3247 conditions[cb->type].is_modifier ? "use" : "test",
3248 conditions[cb->type].name, acl_wherenames[where]);
3252 /* Run the appropriate test for each condition, or take the appropriate
3253 action for the remaining modifiers. */
3257 case ACLC_ADD_HEADER:
3261 /* A nested ACL that returns "discard" makes sense only for an "accept" or
3265 rc = acl_check_wargs(where, addr, arg, user_msgptr, log_msgptr);
3266 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
3268 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
3269 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
3275 case ACLC_AUTHENTICATED:
3276 rc = sender_host_authenticated ? match_isinlist(sender_host_authenticated,
3277 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL) : FAIL;
3280 #ifdef EXPERIMENTAL_BRIGHTMAIL
3281 case ACLC_BMI_OPTIN:
3283 int old_pool = store_pool;
3284 store_pool = POOL_PERM;
3285 bmi_current_optin = string_copy(arg);
3286 store_pool = old_pool;
3291 case ACLC_CONDITION:
3292 /* The true/false parsing here should be kept in sync with that used in
3293 expand.c when dealing with ECOND_BOOL so that we don't have too many
3294 different definitions of what can be a boolean. */
3296 ? Ustrspn(arg+1, "0123456789") == Ustrlen(arg+1) /* Negative number */
3297 : Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
3298 rc = (Uatoi(arg) == 0)? FAIL : OK;
3300 rc = (strcmpic(arg, US"no") == 0 ||
3301 strcmpic(arg, US"false") == 0)? FAIL :
3302 (strcmpic(arg, US"yes") == 0 ||
3303 strcmpic(arg, US"true") == 0)? OK : DEFER;
3305 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
3308 case ACLC_CONTINUE: /* Always succeeds */
3313 const uschar *p = NULL;
3314 control_type = decode_control(arg, &p, where, log_msgptr);
3316 /* Check if this control makes sense at this time */
3318 if (controls_list[control_type].forbids & (1 << where))
3320 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
3321 controls_list[control_type].name, acl_wherenames[where]);
3325 switch(control_type)
3327 case CONTROL_AUTH_UNADVERTISED:
3328 f.allow_auth_unadvertised = TRUE;
3331 #ifdef EXPERIMENTAL_BRIGHTMAIL
3332 case CONTROL_BMI_RUN:
3337 #ifndef DISABLE_DKIM
3338 case CONTROL_DKIM_VERIFY:
3339 f.dkim_disable_verify = TRUE;
3340 # ifdef SUPPORT_DMARC
3341 /* Since DKIM was blocked, skip DMARC too */
3342 f.dmarc_disable_verify = TRUE;
3343 f.dmarc_enable_forensic = FALSE;
3348 #ifdef SUPPORT_DMARC
3349 case CONTROL_DMARC_VERIFY:
3350 f.dmarc_disable_verify = TRUE;
3353 case CONTROL_DMARC_FORENSIC:
3354 f.dmarc_enable_forensic = TRUE;
3361 int fd, af, level, optname, value;
3362 /* If we are acting on stdin, the setsockopt may fail if stdin is not
3363 a socket; we can accept that, we'll just debug-log failures anyway. */
3364 fd = fileno(smtp_in);
3365 if ((af = ip_get_address_family(fd)) < 0)
3368 debug_printf_indent("smtp input is probably not a socket [%s], not setting DSCP\n",
3372 if (dscp_lookup(p+1, af, &level, &optname, &value))
3373 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3375 HDEBUG(D_acl) debug_printf_indent("failed to set input DSCP[%s]: %s\n",
3376 p+1, strerror(errno));
3380 HDEBUG(D_acl) debug_printf_indent("set input DSCP to \"%s\"\n", p+1);
3384 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3390 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3398 case CONTROL_CASEFUL_LOCAL_PART:
3399 deliver_localpart = addr->cc_local_part;
3402 case CONTROL_CASELOWER_LOCAL_PART:
3403 deliver_localpart = addr->lc_local_part;
3406 case CONTROL_ENFORCE_SYNC:
3407 smtp_enforce_sync = TRUE;
3410 case CONTROL_NO_ENFORCE_SYNC:
3411 smtp_enforce_sync = FALSE;
3414 #ifdef WITH_CONTENT_SCAN
3415 case CONTROL_NO_MBOX_UNSPOOL:
3416 f.no_mbox_unspool = TRUE;
3420 case CONTROL_NO_MULTILINE:
3421 f.no_multiline_responses = TRUE;
3424 case CONTROL_NO_PIPELINING:
3425 f.pipelining_enable = FALSE;
3428 case CONTROL_NO_DELAY_FLUSH:
3429 f.disable_delay_flush = TRUE;
3432 case CONTROL_NO_CALLOUT_FLUSH:
3433 f.disable_callout_flush = TRUE;
3436 case CONTROL_FAKEREJECT:
3437 cancel_cutthrough_connection(TRUE, US"fakereject");
3438 case CONTROL_FAKEDEFER:
3439 fake_response = control_type == CONTROL_FAKEDEFER ? DEFER : FAIL;
3442 const uschar *pp = p + 1;
3444 /* The entire control= line was expanded at top so no need to expand
3445 the part after the / */
3446 fake_response_text = string_copyn(p+1, pp-p-1);
3449 else /* Explicitly reset to default string */
3450 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
3453 case CONTROL_FREEZE:
3454 f.deliver_freeze = TRUE;
3455 deliver_frozen_at = time(NULL);
3456 freeze_tell = freeze_tell_config; /* Reset to configured value */
3457 if (Ustrncmp(p, "/no_tell", 8) == 0)
3464 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3467 cancel_cutthrough_connection(TRUE, US"item frozen");
3471 f.queue_only_policy = TRUE;
3472 if (Ustrcmp(p, "_only") == 0)
3474 else while (*p == '/')
3475 if (Ustrncmp(p, "/only", 5) == 0)
3476 { p += 5; f.queue_smtp = FALSE; }
3477 else if (Ustrncmp(p, "/first_pass_route", 17) == 0)
3478 { p += 17; f.queue_smtp = TRUE; }
3481 cancel_cutthrough_connection(TRUE, US"queueing forced");
3484 case CONTROL_SUBMISSION:
3485 originator_name = US"";
3486 f.submission_mode = TRUE;
3489 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3492 f.active_local_sender_retain = TRUE;
3493 f.active_local_from_check = FALSE;
3495 else if (Ustrncmp(p, "/domain=", 8) == 0)
3497 const uschar *pp = p + 8;
3498 while (*pp && *pp != '/') pp++;
3499 submission_domain = string_copyn(p+8, pp-p-8);
3502 /* The name= option must be last, because it swallows the rest of
3504 else if (Ustrncmp(p, "/name=", 6) == 0)
3506 const uschar *pp = p + 6;
3508 submission_name = parse_fix_phrase(p+6, pp-p-6);
3515 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3522 uschar * debug_tag = NULL, * debug_opts = NULL;
3523 BOOL kill = FALSE, stop = FALSE;
3527 const uschar * pp = p+1;
3528 if (Ustrncmp(pp, "tag=", 4) == 0)
3530 for (pp += 4; *pp && *pp != '/';) pp++;
3531 debug_tag = string_copyn(p+5, pp-p-5);
3533 else if (Ustrncmp(pp, "opts=", 5) == 0)
3535 for (pp += 5; *pp && *pp != '/';) pp++;
3536 debug_opts = string_copyn(p+6, pp-p-6);
3538 else if (Ustrncmp(pp, "kill", 4) == 0)
3543 else if (Ustrncmp(pp, "stop", 4) == 0)
3548 else if (Ustrncmp(pp, "pretrigger=", 11) == 0)
3549 debug_pretrigger_setup(pp+11);
3550 else if (Ustrncmp(pp, "trigger=", 8) == 0)
3552 if (Ustrncmp(pp += 8, "now", 3) == 0)
3555 debug_trigger_fire();
3557 else if (Ustrncmp(pp, "paniclog", 8) == 0)
3560 dtrigger_selector |= BIT(DTi_panictrigger);
3563 while (*pp && *pp != '/') pp++;
3568 debug_logging_stop(TRUE);
3570 debug_logging_stop(FALSE);
3571 else if (debug_tag || debug_opts)
3572 debug_logging_activate(debug_tag, debug_opts);
3576 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3577 f.suppress_local_fixups = TRUE;
3580 case CONTROL_CUTTHROUGH_DELIVERY:
3582 uschar * ignored = NULL;
3583 #ifndef DISABLE_PRDR
3588 /* Too hard to think about for now. We might in future cutthrough
3589 the case where both sides handle prdr and this-node prdr acl
3591 ignored = US"PRDR active";
3592 else if (f.deliver_freeze)
3593 ignored = US"frozen";
3594 else if (f.queue_only_policy)
3595 ignored = US"queue-only";
3596 else if (fake_response == FAIL)
3597 ignored = US"fakereject";
3598 else if (rcpt_count != 1)
3599 ignored = US"nonfirst rcpt";
3600 else if (cutthrough.delivery)
3601 ignored = US"repeated";
3602 else if (cutthrough.callout_hold_only)
3605 debug_printf_indent(" cutthrough request upgrades callout hold\n");
3606 cutthrough.callout_hold_only = FALSE;
3607 cutthrough.delivery = TRUE; /* control accepted */
3611 cutthrough.delivery = TRUE; /* control accepted */
3614 const uschar * pp = p+1;
3615 if (Ustrncmp(pp, "defer=", 6) == 0)
3618 if (Ustrncmp(pp, "pass", 4) == 0) cutthrough.defer_pass = TRUE;
3619 /* else if (Ustrncmp(pp, "spool") == 0) ; default */
3622 while (*pp && *pp != '/') pp++;
3627 DEBUG(D_acl) if (ignored)
3628 debug_printf(" cutthrough request ignored on %s item\n", ignored);
3633 case CONTROL_UTF8_DOWNCONVERT:
3638 message_utf8_downconvert = 1;
3639 addr->prop.utf8_downcvt = TRUE;
3640 addr->prop.utf8_downcvt_maybe = FALSE;
3646 message_utf8_downconvert = 0;
3647 addr->prop.utf8_downcvt = FALSE;
3648 addr->prop.utf8_downcvt_maybe = FALSE;
3652 if (p[1] == '-' && p[2] == '1')
3654 message_utf8_downconvert = -1;
3655 addr->prop.utf8_downcvt = FALSE;
3656 addr->prop.utf8_downcvt_maybe = TRUE;
3660 *log_msgptr = US"bad option value for control=utf8_downconvert";
3664 message_utf8_downconvert = 1;
3665 addr->prop.utf8_downcvt = TRUE;
3666 addr->prop.utf8_downcvt_maybe = FALSE;
3676 #ifdef EXPERIMENTAL_DCC
3679 /* Separate the regular expression and any optional parameters. */
3680 const uschar * list = arg;
3682 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
3683 /* Run the dcc backend. */
3684 rc = dcc_process(&ss);
3685 /* Modify return code based upon the existence of options. */
3686 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
3687 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3688 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
3693 #ifdef WITH_CONTENT_SCAN
3695 rc = mime_decode(&arg);
3701 int delay = readconf_readtime(arg, 0, FALSE);
3704 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3705 "modifier: \"%s\" is not a time value", arg);
3710 HDEBUG(D_acl) debug_printf_indent("delay modifier requests %d-second delay\n",
3715 debug_printf_indent("delay skipped in -bh checking mode\n");
3718 /* NOTE 1: Remember that we may be
3719 dealing with stdin/stdout here, in addition to TCP/IP connections.
3720 Also, delays may be specified for non-SMTP input, where smtp_out and
3721 smtp_in will be NULL. Whatever is done must work in all cases.
3723 NOTE 2: The added feature of flushing the output before a delay must
3724 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3729 if (smtp_out && !f.disable_delay_flush)
3732 #if !defined(NO_POLL_H) && defined (POLLRDHUP)
3738 p.fd = fileno(smtp_out);
3739 p.events = POLLRDHUP;
3742 if (poll(&p, n, delay*1000) > 0)
3743 HDEBUG(D_acl) debug_printf_indent("delay cancelled by peer close\n");
3746 /* Lacking POLLRDHUP it appears to be impossible to detect that a
3747 TCP/IP connection has gone away without reading from it. This means
3748 that we cannot shorten the delay below if the client goes away,
3749 because we cannot discover that the client has closed its end of the
3750 connection. (The connection is actually in a half-closed state,
3751 waiting for the server to close its end.) It would be nice to be able
3752 to detect this state, so that the Exim process is not held up
3753 unnecessarily. However, it seems that we can't. The poll() function
3754 does not do the right thing, and in any case it is not always
3757 while (delay > 0) delay = sleep(delay);
3764 #ifndef DISABLE_DKIM
3765 case ACLC_DKIM_SIGNER:
3766 if (dkim_cur_signer)
3767 rc = match_isinlist(dkim_cur_signer,
3768 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3773 case ACLC_DKIM_STATUS:
3774 { /* return good for any match */
3775 const uschar * s = dkim_verify_status ? dkim_verify_status : US"none";
3777 for (uschar * ss; ss = string_nextinlist(&s, &sep, NULL, 0); )
3778 if ( (rc = match_isinlist(ss, &arg,
3779 0, NULL, NULL, MCL_STRING, TRUE, NULL))
3785 #ifdef SUPPORT_DMARC
3786 case ACLC_DMARC_STATUS:
3787 if (!f.dmarc_has_been_checked)
3789 f.dmarc_has_been_checked = TRUE;
3791 /* used long way of dmarc_exim_expand_query() in case we need more
3792 view into the process in the future. */
3793 rc = match_isinlist(dmarc_exim_expand_query(DMARC_VERIFY_STATUS),
3794 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3799 rc = verify_check_dnsbl(where, &arg, log_msgptr);
3803 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3804 addr->domain_cache, MCL_DOMAIN, TRUE, CUSS &deliver_domain_data);
3807 /* The value in tls_cipher is the full cipher name, for example,
3808 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3809 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3810 what may in practice come out of the SSL library - which at the time of
3811 writing is poorly documented. */
3813 case ACLC_ENCRYPTED:
3814 if (!tls_in.cipher) rc = FAIL;
3817 uschar *endcipher = NULL;
3818 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3819 if (!cipher) cipher = tls_in.cipher; else
3821 endcipher = Ustrchr(++cipher, ':');
3822 if (endcipher) *endcipher = 0;
3824 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3825 if (endcipher) *endcipher = ':';
3829 /* Use verify_check_this_host() instead of verify_check_host() so that
3830 we can pass over &host_data to catch any looked up data. Once it has been
3831 set, it retains its value so that it's still there if another ACL verb
3832 comes through here and uses the cache. However, we must put it into
3833 permanent store in case it is also expected to be used in a subsequent
3834 message in the same SMTP connection. */
3837 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3838 sender_host_address ? sender_host_address : US"", CUSS &host_data);
3839 if (rc == DEFER) *log_msgptr = search_error_message;
3840 if (host_data) host_data = string_copy_perm(host_data, TRUE);
3843 case ACLC_LOCAL_PARTS:
3844 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3845 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3846 CUSS &deliver_localpart_data);
3849 case ACLC_LOG_REJECT_TARGET:
3851 int logbits = 0, sep = 0;
3852 const uschar * s = arg;
3854 for (uschar * ss; ss = string_nextinlist(&s, &sep, NULL, 0); )
3856 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3857 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3858 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3861 logbits |= LOG_MAIN|LOG_REJECT;
3862 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3863 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3866 log_reject_target = logbits;
3873 const uschar *s = arg;
3879 if (Ustrncmp(s, "main", 4) == 0)
3880 { logbits |= LOG_MAIN; s += 4; }
3881 else if (Ustrncmp(s, "panic", 5) == 0)
3882 { logbits |= LOG_PANIC; s += 5; }
3883 else if (Ustrncmp(s, "reject", 6) == 0)
3884 { logbits |= LOG_REJECT; s += 6; }
3887 logbits = LOG_MAIN|LOG_PANIC;
3888 s = string_sprintf(":unknown log name in \"%s\" in "
3889 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3895 while (isspace(*s)) s++;
3897 if (logbits == 0) logbits = LOG_MAIN;
3898 log_write(0, logbits, "%s", string_printing(s));
3902 #ifdef WITH_CONTENT_SCAN
3903 case ACLC_MALWARE: /* Run the malware backend. */
3905 /* Separate the regular expression and any optional parameters. */
3906 const uschar * list = arg;
3907 BOOL defer_ok = FALSE;
3908 int timeout = 0, sep = -'/';
3909 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
3911 for (uschar * opt; opt = string_nextinlist(&list, &sep, NULL, 0); )
3912 if (strcmpic(opt, US"defer_ok") == 0)
3914 else if ( strncmpic(opt, US"tmo=", 4) == 0
3915 && (timeout = readconf_readtime(opt+4, '\0', FALSE)) < 0
3918 *log_msgptr = string_sprintf("bad timeout value in '%s'", opt);
3922 rc = malware(ss, textonly, timeout);
3923 if (rc == DEFER && defer_ok)
3924 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
3928 case ACLC_MIME_REGEX:
3929 rc = mime_regex(&arg, textonly);
3934 if (is_tainted(arg))
3936 *log_msgptr = string_sprintf("Tainted name '%s' for queue not permitted",
3940 if (Ustrchr(arg, '/'))
3942 *log_msgptr = string_sprintf(
3943 "Directory separator not permitted in queue name: '%s'", arg);
3946 queue_name = string_copy_perm(arg, FALSE);
3949 case ACLC_RATELIMIT:
3950 rc = acl_ratelimit(arg, where, log_msgptr);
3953 case ACLC_RECIPIENTS:
3954 rc = match_address_list(CUS addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3955 CUSS &recipient_data);
3958 #ifdef WITH_CONTENT_SCAN
3960 rc = regex(&arg, textonly);
3964 case ACLC_REMOVE_HEADER:
3965 setup_remove_header(arg);
3969 rc = acl_seen(arg, where, log_msgptr);
3972 case ACLC_SENDER_DOMAINS:
3975 sdomain = Ustrrchr(sender_address, '@');
3976 sdomain = sdomain ? sdomain + 1 : US"";
3977 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3978 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3983 rc = match_address_list(CUS sender_address, TRUE, TRUE, &arg,
3984 sender_address_cache, -1, 0, CUSS &sender_data);
3987 /* Connection variables must persist forever; message variables not */
3991 int old_pool = store_pool;
3992 if ( cb->u.varname[0] != 'm'
3993 #ifndef DISABLE_EVENT
3994 || event_name /* An event is being delivered */
3997 store_pool = POOL_PERM;
3998 #ifndef DISABLE_DKIM /* Overwriteable dkim result variables */
3999 if (Ustrcmp(cb->u.varname, "dkim_verify_status") == 0)
4000 dkim_verify_status = string_copy(arg);
4001 else if (Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
4002 dkim_verify_reason = string_copy(arg);
4005 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
4006 store_pool = old_pool;
4010 #ifdef WITH_CONTENT_SCAN
4013 /* Separate the regular expression and any optional parameters. */
4014 const uschar * list = arg;
4016 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
4018 rc = spam(CUSS &ss);
4019 /* Modify return code based upon the existence of options. */
4020 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
4021 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
4022 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
4029 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
4032 case ACLC_SPF_GUESS:
4033 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
4038 rc = acl_udpsend(arg, log_msgptr);
4041 /* If the verb is WARN, discard any user message from verification, because
4042 such messages are SMTP responses, not header additions. The latter come
4043 only from explicit "message" modifiers. However, put the user message into
4044 $acl_verify_message so it can be used in subsequent conditions or modifiers
4045 (until something changes it). */
4048 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
4050 acl_verify_message = *user_msgptr;
4051 if (verb == ACL_WARN) *user_msgptr = NULL;
4055 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
4056 "condition %d", cb->type);
4060 /* If a condition was negated, invert OK/FAIL. */
4062 if (!conditions[cb->type].is_modifier && cb->u.negated)
4063 if (rc == OK) rc = FAIL;
4064 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
4066 if (rc != OK) break; /* Conditions loop */
4070 /* If the result is the one for which "message" and/or "log_message" are used,
4071 handle the values of these modifiers. If there isn't a log message set, we make
4072 it the same as the user message.
4074 "message" is a user message that will be included in an SMTP response. Unless
4075 it is empty, it overrides any previously set user message.
4077 "log_message" is a non-user message, and it adds to any existing non-user
4078 message that is already set.
4080 Most verbs have but a single return for which the messages are relevant, but
4081 for "discard", it's useful to have the log message both when it succeeds and
4082 when it fails. For "accept", the message is used in the OK case if there is no
4083 "endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
4086 if (*epp && rc == OK) user_message = NULL;
4088 if ((BIT(rc) & msgcond[verb]) != 0)
4091 uschar *old_user_msgptr = *user_msgptr;
4092 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
4094 /* If the verb is "warn", messages generated by conditions (verification or
4095 nested ACLs) are always discarded. This also happens for acceptance verbs
4096 when they actually do accept. Only messages specified at this level are used.
4097 However, the value of an existing message is available in $acl_verify_message
4098 during expansions. */
4100 if (verb == ACL_WARN ||
4101 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
4102 *log_msgptr = *user_msgptr = NULL;
4106 acl_verify_message = old_user_msgptr;
4107 expmessage = expand_string(user_message);
4110 if (!f.expand_string_forcedfail)
4111 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
4112 user_message, expand_string_message);
4114 else if (expmessage[0] != 0) *user_msgptr = expmessage;
4119 acl_verify_message = old_log_msgptr;
4120 expmessage = expand_string(log_message);
4123 if (!f.expand_string_forcedfail)
4124 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
4125 log_message, expand_string_message);
4127 else if (expmessage[0] != 0)
4129 *log_msgptr = (*log_msgptr == NULL)? expmessage :
4130 string_sprintf("%s: %s", expmessage, *log_msgptr);
4134 /* If no log message, default it to the user message */
4136 if (!*log_msgptr) *log_msgptr = *user_msgptr;
4139 acl_verify_message = NULL;
4147 /*************************************************
4148 * Get line from a literal ACL *
4149 *************************************************/
4151 /* This function is passed to acl_read() in order to extract individual lines
4152 of a literal ACL, which we access via static pointers. We can destroy the
4153 contents because this is called only once (the compiled ACL is remembered).
4155 This code is intended to treat the data in the same way as lines in the main
4156 Exim configuration file. That is:
4158 . Leading spaces are ignored.
4160 . A \ at the end of a line is a continuation - trailing spaces after the \
4161 are permitted (this is because I don't believe in making invisible things
4162 significant). Leading spaces on the continued part of a line are ignored.
4164 . Physical lines starting (significantly) with # are totally ignored, and
4165 may appear within a sequence of backslash-continued lines.
4167 . Blank lines are ignored, but will end a sequence of continuations.
4170 Returns: a pointer to the next line
4174 static uschar *acl_text; /* Current pointer in the text */
4175 static uschar *acl_text_end; /* Points one past the terminating '0' */
4183 /* This loop handles leading blank lines and comments. */
4187 Uskip_whitespace(&acl_text); /* Leading spaces/empty lines */
4188 if (!*acl_text) return NULL; /* No more data */
4189 yield = acl_text; /* Potential data line */
4191 while (*acl_text && *acl_text != '\n') acl_text++;
4193 /* If we hit the end before a newline, we have the whole logical line. If
4194 it's a comment, there's no more data to be given. Otherwise, yield it. */
4196 if (!*acl_text) return *yield == '#' ? NULL : yield;
4198 /* After reaching a newline, end this loop if the physical line does not
4199 start with '#'. If it does, it's a comment, and the loop continues. */
4201 if (*yield != '#') break;
4204 /* This loop handles continuations. We know we have some real data, ending in
4205 newline. See if there is a continuation marker at the end (ignoring trailing
4206 white space). We know that *yield is not white space, so no need to test for
4207 cont > yield in the backwards scanning loop. */
4212 for (cont = acl_text - 1; isspace(*cont); cont--);
4214 /* If no continuation follows, we are done. Mark the end of the line and
4223 /* We have encountered a continuation. Skip over whitespace at the start of
4224 the next line, and indeed the whole of the next line or lines if they are
4229 while (*(++acl_text) == ' ' || *acl_text == '\t');
4230 if (*acl_text != '#') break;
4231 while (*(++acl_text) != 0 && *acl_text != '\n');
4234 /* We have the start of a continuation line. Move all the rest of the data
4235 to join onto the previous line, and then find its end. If the end is not a
4236 newline, we are done. Otherwise loop to look for another continuation. */
4238 memmove(cont, acl_text, acl_text_end - acl_text);
4239 acl_text_end -= acl_text - cont;
4241 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
4242 if (*acl_text == 0) return yield;
4245 /* Control does not reach here */
4252 /************************************************/
4253 /* For error messages, a string describing the config location
4254 associated with current processing. NULL if not in an ACL. */
4257 acl_current_verb(void)
4259 if (acl_current) return string_sprintf(" (ACL %s, %s %d)",
4260 verbs[acl_current->verb], acl_current->srcfile, acl_current->srcline);
4264 /*************************************************
4265 * Check access using an ACL *
4266 *************************************************/
4268 /* This function is called from address_check. It may recurse via
4269 acl_check_condition() - hence the use of a level to stop looping. The ACL is
4270 passed as a string which is expanded. A forced failure implies no access check
4271 is required. If the result is a single word, it is taken as the name of an ACL
4272 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
4273 text, complete with newlines, and parsed as such. In both cases, the ACL check
4274 is then run. This function uses an auxiliary function for acl_read() to call
4275 for reading individual lines of a literal ACL. This is acl_getline(), which
4276 appears immediately above.
4279 where where called from
4280 addr address item when called from RCPT; otherwise NULL
4281 s the input string; NULL is the same as an empty ACL => DENY
4282 user_msgptr where to put a user error (for SMTP response)
4283 log_msgptr where to put a logging message (not for SMTP response)
4285 Returns: OK access is granted
4286 DISCARD access is apparently granted...
4287 FAIL access is denied
4288 FAIL_DROP access is denied; drop the connection
4289 DEFER can't tell at the moment
4294 acl_check_internal(int where, address_item *addr, uschar *s,
4295 uschar **user_msgptr, uschar **log_msgptr)
4298 acl_block *acl = NULL;
4299 uschar *acl_name = US"inline ACL";
4302 /* Catch configuration loops */
4306 *log_msgptr = US"ACL nested too deep: possible loop";
4312 HDEBUG(D_acl) debug_printf_indent("ACL is NULL: implicit DENY\n");
4316 /* At top level, we expand the incoming string. At lower levels, it has already
4317 been expanded as part of condition processing. */
4321 if (!(ss = expand_string(s)))
4323 if (f.expand_string_forcedfail) return OK;
4324 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
4325 expand_string_message);
4331 while (isspace(*ss)) ss++;
4333 /* If we can't find a named ACL, the default is to parse it as an inline one.
4334 (Unless it begins with a slash; non-existent files give rise to an error.) */
4338 if (is_tainted(acl_text) && !f.running_in_test_harness)
4340 log_write(0, LOG_MAIN|LOG_PANIC,
4341 "attempt to use tainted ACL text \"%s\"", acl_text);
4342 /* Avoid leaking info to an attacker */
4343 *log_msgptr = US"internal configuration error";
4347 /* Handle the case of a string that does not contain any spaces. Look for a
4348 named ACL among those read from the configuration, or a previously read file.
4349 It is possible that the pointer to the ACL is NULL if the configuration
4350 contains a name with no data. If not found, and the text begins with '/',
4351 read an ACL from a file, and save it so it can be re-used. */
4353 if (Ustrchr(ss, ' ') == NULL)
4355 tree_node * t = tree_search(acl_anchor, ss);
4358 if (!(acl = (acl_block *)(t->data.ptr)))
4360 HDEBUG(D_acl) debug_printf_indent("ACL \"%s\" is empty: implicit DENY\n", ss);
4363 acl_name = string_sprintf("ACL \"%s\"", ss);
4364 HDEBUG(D_acl) debug_printf_indent("using ACL \"%s\"\n", ss);
4367 else if (*ss == '/')
4369 struct stat statbuf;
4370 if ((fd = Uopen(ss, O_RDONLY, 0)) < 0)
4372 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
4376 if (fstat(fd, &statbuf) != 0)
4378 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
4383 /* If the string being used as a filename is tainted, so is the file content */
4384 acl_text = store_get(statbuf.st_size + 1, ss);
4385 acl_text_end = acl_text + statbuf.st_size + 1;
4387 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
4389 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
4390 ss, strerror(errno));
4393 acl_text[statbuf.st_size] = 0;
4396 acl_name = string_sprintf("ACL \"%s\"", ss);
4397 HDEBUG(D_acl) debug_printf_indent("read ACL from file %s\n", ss);
4401 /* Parse an ACL that is still in text form. If it came from a file, remember it
4402 in the ACL tree, having read it into the POOL_PERM store pool so that it
4403 persists between multiple messages. */
4407 int old_pool = store_pool;
4408 if (fd >= 0) store_pool = POOL_PERM;
4409 acl = acl_read(acl_getline, log_msgptr);
4410 store_pool = old_pool;
4411 if (!acl && *log_msgptr) return ERROR;
4414 tree_node * t = store_get_perm(sizeof(tree_node) + Ustrlen(ss), ss);
4415 Ustrcpy(t->name, ss);
4417 (void)tree_insertnode(&acl_anchor, t);
4421 /* Now we have an ACL to use. It's possible it may be NULL. */
4423 while ((acl_current = acl))
4426 int basic_errno = 0;
4427 BOOL endpass_seen = FALSE;
4428 BOOL acl_quit_check = acl_level == 0
4429 && (where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT);
4431 *log_msgptr = *user_msgptr = NULL;
4432 f.acl_temp_details = FALSE;
4434 HDEBUG(D_acl) debug_printf_indent("processing \"%s\" (%s %d)\n",
4435 verbs[acl->verb], acl->srcfile, acl->srcline);
4437 /* Clear out any search error message from a previous check before testing
4440 search_error_message = NULL;
4441 cond = acl_check_condition(acl->verb, acl->condition, where, addr, acl_level,
4442 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
4444 /* Handle special returns: DEFER causes a return except on a WARN verb;
4445 ERROR always causes a return. */
4450 HDEBUG(D_acl) debug_printf_indent("%s: condition test deferred in %s\n",
4451 verbs[acl->verb], acl_name);
4452 if (basic_errno != ERRNO_CALLOUTDEFER)
4454 if (search_error_message != NULL && *search_error_message != 0)
4455 *log_msgptr = search_error_message;
4456 if (smtp_return_error_details) f.acl_temp_details = TRUE;
4459 f.acl_temp_details = TRUE;
4460 if (acl->verb != ACL_WARN) return DEFER;
4463 default: /* Paranoia */
4465 HDEBUG(D_acl) debug_printf_indent("%s: condition test error in %s\n",
4466 verbs[acl->verb], acl_name);
4470 HDEBUG(D_acl) debug_printf_indent("%s: condition test succeeded in %s\n",
4471 verbs[acl->verb], acl_name);
4475 HDEBUG(D_acl) debug_printf_indent("%s: condition test failed in %s\n",
4476 verbs[acl->verb], acl_name);
4479 /* DISCARD and DROP can happen only from a nested ACL condition, and
4480 DISCARD can happen only for an "accept" or "discard" verb. */
4483 HDEBUG(D_acl) debug_printf_indent("%s: condition test yielded \"discard\" in %s\n",
4484 verbs[acl->verb], acl_name);
4488 HDEBUG(D_acl) debug_printf_indent("%s: condition test yielded \"drop\" in %s\n",
4489 verbs[acl->verb], acl_name);
4493 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
4494 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
4495 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
4500 if (cond == OK || cond == DISCARD)
4502 HDEBUG(D_acl) debug_printf_indent("end of %s: ACCEPT\n", acl_name);
4507 HDEBUG(D_acl) debug_printf_indent("accept: endpass encountered - denying access\n");
4515 HDEBUG(D_acl) debug_printf_indent("end of %s: DEFER\n", acl_name);
4516 if (acl_quit_check) goto badquit;
4517 f.acl_temp_details = TRUE;
4525 HDEBUG(D_acl) debug_printf_indent("end of %s: DENY\n", acl_name);
4526 if (acl_quit_check) goto badquit;
4532 if (cond == OK || cond == DISCARD)
4534 HDEBUG(D_acl) debug_printf_indent("end of %s: DISCARD\n", acl_name);
4535 if (acl_quit_check) goto badquit;
4541 debug_printf_indent("discard: endpass encountered - denying access\n");
4549 HDEBUG(D_acl) debug_printf_indent("end of %s: DROP\n", acl_name);
4550 if (acl_quit_check) goto badquit;
4558 HDEBUG(D_acl) debug_printf_indent("end of %s: not OK\n", acl_name);
4559 if (acl_quit_check) goto badquit;
4566 acl_warn(where, *user_msgptr, *log_msgptr);
4567 else if (cond == DEFER && LOGGING(acl_warn_skipped))
4568 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
4569 "condition test deferred%s%s", host_and_ident(TRUE),
4570 *log_msgptr ? US": " : US"",
4571 *log_msgptr ? *log_msgptr : US"");
4572 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
4576 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
4581 /* Pass to the next ACL item */
4586 /* We have reached the end of the ACL. This is an implicit DENY. */
4588 HDEBUG(D_acl) debug_printf_indent("end of %s: implicit DENY\n", acl_name);
4592 *log_msgptr = string_sprintf("QUIT or not-QUIT toplevel ACL may not fail "
4593 "('%s' verb used incorrectly)", verbs[acl->verb]);
4600 /* Same args as acl_check_internal() above, but the string s is
4601 the name of an ACL followed optionally by up to 9 space-separated arguments.
4602 The name and args are separately expanded. Args go into $acl_arg globals. */
4604 acl_check_wargs(int where, address_item *addr, const uschar *s,
4605 uschar **user_msgptr, uschar **log_msgptr)
4608 uschar * tmp_arg[9]; /* must match acl_arg[] */
4609 uschar * sav_arg[9]; /* must match acl_arg[] */
4615 if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
4618 for (i = 0; i < 9; i++)
4620 while (*s && isspace(*s)) s++;
4622 if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
4629 sav_narg = acl_narg;
4631 for (i = 0; i < acl_narg; i++)
4633 sav_arg[i] = acl_arg[i];
4634 acl_arg[i] = tmp_arg[i];
4638 sav_arg[i] = acl_arg[i];
4639 acl_arg[i++] = NULL;
4643 ret = acl_check_internal(where, addr, name, user_msgptr, log_msgptr);
4646 acl_narg = sav_narg;
4647 for (i = 0; i < 9; i++) acl_arg[i] = sav_arg[i];
4651 if (f.expand_string_forcedfail) return ERROR;
4652 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
4653 tmp, expand_string_message);
4654 return f.search_find_defer ? DEFER : ERROR;
4659 /*************************************************
4660 * Check access using an ACL *
4661 *************************************************/
4663 /* Alternate interface for ACL, used by expansions */
4665 acl_eval(int where, uschar *s, uschar **user_msgptr, uschar **log_msgptr)
4668 address_item *addr = NULL;
4671 *user_msgptr = *log_msgptr = NULL;
4672 sender_verified_failed = NULL;
4673 ratelimiters_cmd = NULL;
4674 log_reject_target = LOG_MAIN|LOG_REJECT;
4676 if (where == ACL_WHERE_RCPT)
4678 adb = address_defaults;
4680 addr->address = expand_string(US"$local_part@$domain");
4681 addr->domain = deliver_domain;
4682 addr->local_part = deliver_localpart;
4683 addr->cc_local_part = deliver_localpart;
4684 addr->lc_local_part = deliver_localpart;
4688 rc = acl_check_internal(where, addr, s, user_msgptr, log_msgptr);
4695 /* This is the external interface for ACL checks. It sets up an address and the
4696 expansions for $domain and $local_part when called after RCPT, then calls
4697 acl_check_internal() to do the actual work.
4700 where ACL_WHERE_xxxx indicating where called from
4701 recipient RCPT address for RCPT check, else NULL
4702 s the input string; NULL is the same as an empty ACL => DENY
4703 user_msgptr where to put a user error (for SMTP response)
4704 log_msgptr where to put a logging message (not for SMTP response)
4706 Returns: OK access is granted by an ACCEPT verb
4707 DISCARD access is granted by a DISCARD verb
4708 FAIL access is denied
4709 FAIL_DROP access is denied; drop the connection
4710 DEFER can't tell at the moment
4713 int acl_where = ACL_WHERE_UNKNOWN;
4716 acl_check(int where, const uschar * recipient, uschar * s,
4717 uschar ** user_msgptr, uschar ** log_msgptr)
4721 address_item *addr = NULL;
4723 *user_msgptr = *log_msgptr = NULL;
4724 sender_verified_failed = NULL;
4725 ratelimiters_cmd = NULL;
4726 log_reject_target = LOG_MAIN|LOG_REJECT;
4728 #ifndef DISABLE_PRDR
4729 if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY || where==ACL_WHERE_PRDR)
4731 if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY)
4734 adb = address_defaults;
4736 addr->address = recipient;
4737 if (deliver_split_address(addr) == DEFER)
4739 *log_msgptr = US"defer in percent_hack_domains check";
4743 if ((addr->prop.utf8_msg = message_smtputf8))
4745 addr->prop.utf8_downcvt = message_utf8_downconvert == 1;
4746 addr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
4749 deliver_domain = addr->domain;
4750 deliver_localpart = addr->local_part;
4755 rc = acl_check_internal(where, addr, s, user_msgptr, log_msgptr);
4757 acl_where = ACL_WHERE_UNKNOWN;
4759 /* Cutthrough - if requested,
4760 and WHERE_RCPT and not yet opened conn as result of recipient-verify,
4761 and rcpt acl returned accept,
4762 and first recipient (cancel on any subsequents)
4763 open one now and run it up to RCPT acceptance.
4764 A failed verify should cancel cutthrough request,
4765 and will pass the fail to the originator.
4766 Initial implementation: dual-write to spool.
4767 Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
4769 Cease cutthrough copy on rxd final dot; do not send one.
4771 On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
4773 On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
4774 perm-rejected, reflect that to the original sender - and dump the spooled copy.
4775 If temp-reject, close the conn (and keep the spooled copy).
4776 If conn-failure, no action (and keep the spooled copy).
4780 case ACL_WHERE_RCPT:
4781 #ifndef DISABLE_PRDR
4782 case ACL_WHERE_PRDR:
4785 if (f.host_checking_callout) /* -bhc mode */
4786 cancel_cutthrough_connection(TRUE, US"host-checking mode");
4789 && cutthrough.delivery
4790 && rcpt_count > cutthrough.nrcpt
4793 if ((rc = open_cutthrough_connection(addr)) == DEFER)
4794 if (cutthrough.defer_pass)
4796 uschar * s = addr->message;
4797 /* Horrid kludge to recover target's SMTP message */
4799 do --s; while (!isdigit(*s));
4800 if (*--s && isdigit(*s) && *--s && isdigit(*s)) *user_msgptr = s;
4801 f.acl_temp_details = TRUE;
4805 HDEBUG(D_acl) debug_printf_indent("cutthrough defer; will spool\n");
4809 else HDEBUG(D_acl) if (cutthrough.delivery)
4810 if (rcpt_count <= cutthrough.nrcpt)
4811 debug_printf_indent("ignore cutthrough request; nonfirst message\n");
4813 debug_printf_indent("ignore cutthrough request; ACL did not accept\n");
4816 case ACL_WHERE_PREDATA:
4818 cutthrough_predata();
4820 cancel_cutthrough_connection(TRUE, US"predata acl not ok");
4823 case ACL_WHERE_QUIT:
4824 case ACL_WHERE_NOTQUIT:
4825 /* Drop cutthrough conns, and drop heldopen verify conns if
4826 the previous was not DATA */
4829 smtp_connection_had[SMTP_HBUFF_PREV(SMTP_HBUFF_PREV(smtp_ch_index))];
4830 BOOL dropverify = !(prev == SCH_DATA || prev == SCH_BDAT);
4832 cancel_cutthrough_connection(dropverify, US"quit or conndrop");
4840 deliver_domain = deliver_localpart = deliver_address_data =
4841 deliver_domain_data = sender_address_data = NULL;
4843 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
4844 ACL, which is really in the middle of an SMTP command. */
4848 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
4850 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
4851 "ACL", acl_wherenames[where]);
4857 /* A DROP response is not permitted from MAILAUTH */
4859 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
4861 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
4862 "ACL", acl_wherenames[where]);
4866 /* Before giving a response, take a look at the length of any user message, and
4867 split it up into multiple lines if possible. */
4869 *user_msgptr = string_split_message(*user_msgptr);
4870 if (fake_response != OK)
4871 fake_response_text = string_split_message(fake_response_text);
4877 /*************************************************
4878 * Create ACL variable *
4879 *************************************************/
4881 /* Create an ACL variable or reuse an existing one. ACL variables are in a
4882 binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
4885 name pointer to the variable's name, starting with c or m
4887 Returns the pointer to variable's tree node
4891 acl_var_create(uschar * name)
4893 tree_node * node, ** root = name[0] == 'c' ? &acl_var_c : &acl_var_m;
4894 if (!(node = tree_search(*root, name)))
4896 node = store_get(sizeof(tree_node) + Ustrlen(name), name);
4897 Ustrcpy(node->name, name);
4898 (void)tree_insertnode(root, node);
4900 node->data.ptr = NULL;
4906 /*************************************************
4907 * Write an ACL variable in spool format *
4908 *************************************************/
4910 /* This function is used as a callback for tree_walk when writing variables to
4911 the spool file. To retain spool file compatibility, what is written is -aclc or
4912 -aclm followed by the rest of the name and the data length, space separated,
4913 then the value itself, starting on a new line, and terminated by an additional
4914 newline. When we had only numbered ACL variables, the first line might look
4915 like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
4919 name of the variable
4920 value of the variable
4921 ctx FILE pointer (as a void pointer)
4927 acl_var_write(uschar * name, uschar * value, void * ctx)
4929 FILE * f = (FILE *)ctx;
4931 if (is_tainted(value))
4933 int q = quoter_for_address(value);
4935 if (is_real_quoter(q)) fprintf(f, "(%s)", lookup_list[q]->name);
4937 fprintf(f, "acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
4944 acl_standalone_setvar(const uschar * s)
4946 acl_condition_block * cond = store_get(sizeof(acl_condition_block), GET_UNTAINTED);
4947 uschar * errstr = NULL, * log_msg = NULL;
4952 cond->type = ACLC_SET;
4953 if (!acl_varname_to_cond(&s, cond, &errstr)) return errstr;
4954 if (!acl_data_to_cond(s, cond, US"'-be'", &errstr)) return errstr;
4956 if (acl_check_condition(ACL_WARN, cond, ACL_WHERE_UNKNOWN,
4957 NULL, 0, &endpass_seen, &errstr, &log_msg, &e) != OK)
4958 return string_sprintf("oops: %s", errstr);
4959 return string_sprintf("variable %s set", cond->u.varname);
4963 #endif /* !MACRO_PREDEF */