* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Code for handling Access Control Lists (ACLs) */
(unsigned int)
~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
#endif
(1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
(1<<ACL_WHERE_AUTH)| /* bmi_optin */
(1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
#endif
(1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
#ifdef EXPERIMENTAL_DCC
(unsigned int)
~((1<<ACL_WHERE_DATA)| /* dcc */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_NOTSMTP)),
#endif
#ifdef WITH_OLD_DEMIME
(unsigned int)
~((1<<ACL_WHERE_DATA)| /* demime */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_NOTSMTP)),
#endif
(unsigned int)
~((1<<ACL_WHERE_RCPT) /* domains */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
|(1<<ACL_WHERE_PRDR)
#endif
),
(unsigned int)
~((1<<ACL_WHERE_RCPT) /* local_parts */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
|(1<<ACL_WHERE_PRDR)
#endif
),
#ifdef WITH_CONTENT_SCAN
(unsigned int)
~((1<<ACL_WHERE_DATA)| /* malware */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_NOTSMTP)),
#endif
#ifdef WITH_CONTENT_SCAN
(unsigned int)
~((1<<ACL_WHERE_DATA)| /* regex */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_NOTSMTP)|
(1<<ACL_WHERE_MIME)),
#endif
(unsigned int)
~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* remove_header */
(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
#endif
(1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
#ifdef WITH_CONTENT_SCAN
(unsigned int)
~((1<<ACL_WHERE_DATA)| /* spam */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_NOTSMTP)),
#endif
#ifndef DISABLE_DKIM
(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_NOTSMTP_START),
#endif
(unsigned int)
~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_MIME)),
(unsigned int)
~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_MIME)),
(1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
DNS_LOOKUP_AGAIN:
#endif
+lookup_dnssec_authenticated = NULL;
switch (dns_lookup(&dnsa, target, type, NULL))
{
/* If something bad happened (most commonly DNS_AGAIN), defer. */
*************************************************/
enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
- VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
+ VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT,
+ VERIFY_HDR_NAMES_ASCII
};
typedef struct {
uschar * name;
{ US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
|(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
FALSE, 6 },
- { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
+ { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 },
+ { US"header_names_ascii", VERIFY_HDR_NAMES_ASCII, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 }
};
*user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
return rc;
+ case VERIFY_HDR_NAMES_ASCII:
+ /* Check that all header names are true 7 bit strings
+ See RFC 5322, 2.2. and RFC 6532, 3. */
+
+ rc = verify_check_header_names_ascii(log_msgptr);
+ if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
+ *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
+ return rc;
+
case VERIFY_NOT_BLIND:
/* Check that no recipient of this message is "blind", that is, every envelope
recipient must be mentioned in either To: or Cc:. */
BAD_VERIFY:
*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
- "\"helo\", \"header_syntax\", \"header_sender\" or "
- "\"reverse_host_lookup\" at start of ACL condition "
+ "\"helo\", \"header_syntax\", \"header_sender\", \"header_names_ascii\" "
+ "or \"reverse_host_lookup\" at start of ACL condition "
"\"verify %s\"", arg);
return ERROR;
}
uschar *portend;
host_item *h;
int portnum;
-int host_af;
int len;
int r, s;
+uschar * errstr;
hostname = string_nextinlist(&arg, &sep, NULL, 0);
portstr = string_nextinlist(&arg, &sep, NULL, 0);
HDEBUG(D_acl)
debug_printf("udpsend [%s]:%d %s\n", h->address, portnum, arg);
-host_af = (Ustrchr(h->address, ':') == NULL)? AF_INET:AF_INET6;
-r = s = ip_socket(SOCK_DGRAM, host_af);
-if (r < 0) goto defer;
-r = ip_connect(s, host_af, h->address, portnum, 1);
+r = s = ip_connectedsocket(SOCK_DGRAM, h->address, portnum, portnum,
+ 1, NULL, &errstr);
if (r < 0) goto defer;
len = Ustrlen(arg);
-r = send(s, arg, len, MSG_NOSIGNAL);
-if (r < 0) goto defer;
+r = send(s, arg, len, 0);
+if (r < 0)
+ {
+ errstr = US strerror(errno);
+ close(s);
+ goto defer;
+ }
+close(s);
if (r < len)
{
*log_msgptr =
return OK;
defer:
-*log_msgptr = string_sprintf("\"udpsend\" failed: %s", strerror(errno));
+*log_msgptr = string_sprintf("\"udpsend\" failed: %s", errstr);
return DEFER;
}
if (cb->type == ACLC_MESSAGE)
{
+ HDEBUG(D_acl) debug_printf(" message: %s\n", cb->arg);
user_message = cb->arg;
continue;
}
if (cb->type == ACLC_LOG_MESSAGE)
{
+ HDEBUG(D_acl) debug_printf("l_message: %s\n", cb->arg);
log_message = cb->arg;
continue;
}
/* The true/false parsing here should be kept in sync with that used in
expand.c when dealing with ECOND_BOOL so that we don't have too many
different definitions of what can be a boolean. */
- if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
+ if (*arg == '-'
+ ? Ustrspn(arg+1, "0123456789") == Ustrlen(arg+1) /* Negative number */
+ : Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
rc = (Uatoi(arg) == 0)? FAIL : OK;
else
rc = (strcmpic(arg, US"no") == 0 ||
disable_callout_flush = TRUE;
break;
- case CONTROL_FAKEDEFER:
case CONTROL_FAKEREJECT:
+ cancel_cutthrough_connection("fakereject");
+ case CONTROL_FAKEDEFER:
fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
if (*p == '/')
{
*log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
return ERROR;
}
+ cancel_cutthrough_connection("item frozen");
break;
case CONTROL_QUEUE_ONLY:
queue_only_policy = TRUE;
+ cancel_cutthrough_connection("queueing forced");
break;
case CONTROL_SUBMISSION:
case CONTROL_CUTTHROUGH_DELIVERY:
if (deliver_freeze)
- {
- *log_msgptr = string_sprintf("\"control=%s\" on frozen item", arg);
- return ERROR;
- }
- if (queue_only_policy)
- {
- *log_msgptr = string_sprintf("\"control=%s\" on queue-only item", arg);
- return ERROR;
- }
- cutthrough_delivery = TRUE;
- break;
+ *log_msgptr = US"frozen";
+ else if (queue_only_policy)
+ *log_msgptr = US"queue-only";
+ else if (fake_response == FAIL)
+ *log_msgptr = US"fakereject";
+ else
+ {
+ cutthrough_delivery = TRUE;
+ break;
+ }
+ *log_msgptr = string_sprintf("\"control=%s\" on %s item",
+ arg, *log_msgptr);
+ return ERROR;
}
break;
switch(acl->verb)
{
case ACL_ACCEPT:
- if (cond == OK || cond == DISCARD) return cond;
+ if (cond == OK || cond == DISCARD)
+ {
+ HDEBUG(D_acl) debug_printf("end of %s: ACCEPT\n", acl_name);
+ return cond;
+ }
if (endpass_seen)
{
HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
case ACL_DEFER:
if (cond == OK)
{
+ HDEBUG(D_acl) debug_printf("end of %s: DEFER\n", acl_name);
acl_temp_details = TRUE;
return DEFER;
}
break;
case ACL_DENY:
- if (cond == OK) return FAIL;
+ if (cond == OK)
+ {
+ HDEBUG(D_acl) debug_printf("end of %s: DENY\n", acl_name);
+ return FAIL;
+ }
break;
case ACL_DISCARD:
- if (cond == OK || cond == DISCARD) return DISCARD;
+ if (cond == OK || cond == DISCARD)
+ {
+ HDEBUG(D_acl) debug_printf("end of %s: DISCARD\n", acl_name);
+ return DISCARD;
+ }
if (endpass_seen)
{
HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
break;
case ACL_DROP:
- if (cond == OK) return FAIL_DROP;
+ if (cond == OK)
+ {
+ HDEBUG(D_acl) debug_printf("end of %s: DROP\n", acl_name);
+ return FAIL_DROP;
+ }
break;
case ACL_REQUIRE:
- if (cond != OK) return cond;
+ if (cond != OK)
+ {
+ HDEBUG(D_acl) debug_printf("end of %s: not OK\n", acl_name);
+ return cond;
+ }
break;
case ACL_WARN:
ratelimiters_cmd = NULL;
log_reject_target = LOG_MAIN|LOG_REJECT;
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
if (where == ACL_WHERE_RCPT || where == ACL_WHERE_PRDR )
#else
if (where == ACL_WHERE_RCPT )
switch (where)
{
case ACL_WHERE_RCPT:
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
case ACL_WHERE_PRDR:
#endif
if( rcpt_count > 1 )
fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
}
+/* vi: aw ai sw=2
+*/
/* End of acl.c */