X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/187bc588ac69994548471cc4a303e77fb0e957bc..5032d1cf500b102849d9a47867fbb7b34d871683:/src/src/acl.c

diff --git a/src/src/acl.c b/src/src/acl.c
index 42b9091c3..06c1c494c 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -397,7 +397,7 @@ static unsigned int cond_forbids[] = {
   (unsigned int)
   ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|       /* add_header */
     (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
-  #ifdef EXPERIMENTAL_PRDR
+  #ifndef DISABLE_PRDR
     (1<<ACL_WHERE_PRDR)|
   #endif
     (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
@@ -412,7 +412,7 @@ static unsigned int cond_forbids[] = {
   (1<<ACL_WHERE_AUTH)|                             /* bmi_optin */
     (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
     (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
-  #ifdef EXPERIMENTAL_PRDR
+  #ifndef DISABLE_PRDR
     (1<<ACL_WHERE_PRDR)|
   #endif
     (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
@@ -434,9 +434,9 @@ static unsigned int cond_forbids[] = {
   #ifdef EXPERIMENTAL_DCC
   (unsigned int)
   ~((1<<ACL_WHERE_DATA)|                           /* dcc */
-  #ifdef EXPERIMENTAL_PRDR
+  #ifndef DISABLE_PRDR
     (1<<ACL_WHERE_PRDR)|
-  #endif /* EXPERIMENTAL_PRDR */
+  #endif
     (1<<ACL_WHERE_NOTSMTP)),
   #endif
 
@@ -450,9 +450,9 @@ static unsigned int cond_forbids[] = {
   #ifdef WITH_OLD_DEMIME
   (unsigned int)
   ~((1<<ACL_WHERE_DATA)|                           /* demime */
-  #ifdef EXPERIMENTAL_PRDR
+  #ifndef DISABLE_PRDR
     (1<<ACL_WHERE_PRDR)|
-  #endif /* EXPERIMENTAL_PRDR */
+  #endif
     (1<<ACL_WHERE_NOTSMTP)),
   #endif
 
@@ -474,7 +474,7 @@ static unsigned int cond_forbids[] = {
 
   (unsigned int)
   ~((1<<ACL_WHERE_RCPT)                            /* domains */
-  #ifdef EXPERIMENTAL_PRDR
+  #ifndef DISABLE_PRDR
     |(1<<ACL_WHERE_PRDR)
   #endif
     ),
@@ -491,7 +491,7 @@ static unsigned int cond_forbids[] = {
 
   (unsigned int)
   ~((1<<ACL_WHERE_RCPT)                             /* local_parts */
-  #ifdef EXPERIMENTAL_PRDR
+  #ifndef DISABLE_PRDR
     |(1<<ACL_WHERE_PRDR)
   #endif
     ),
@@ -505,9 +505,9 @@ static unsigned int cond_forbids[] = {
   #ifdef WITH_CONTENT_SCAN
   (unsigned int)
   ~((1<<ACL_WHERE_DATA)|                           /* malware */
-  #ifdef EXPERIMENTAL_PRDR
+  #ifndef DISABLE_PRDR
     (1<<ACL_WHERE_PRDR)|
-  #endif /* EXPERIMENTAL_PRDR */
+  #endif
     (1<<ACL_WHERE_NOTSMTP)),
   #endif
 
@@ -526,9 +526,9 @@ static unsigned int cond_forbids[] = {
   #ifdef WITH_CONTENT_SCAN
   (unsigned int)
   ~((1<<ACL_WHERE_DATA)|                           /* regex */
-  #ifdef EXPERIMENTAL_PRDR
+  #ifndef DISABLE_PRDR
     (1<<ACL_WHERE_PRDR)|
-  #endif /* EXPERIMENTAL_PRDR */
+  #endif
     (1<<ACL_WHERE_NOTSMTP)|
     (1<<ACL_WHERE_MIME)),
   #endif
@@ -536,7 +536,7 @@ static unsigned int cond_forbids[] = {
   (unsigned int)
   ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|       /* remove_header */
     (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
-  #ifdef EXPERIMENTAL_PRDR
+  #ifndef DISABLE_PRDR
     (1<<ACL_WHERE_PRDR)|
   #endif
     (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
@@ -559,9 +559,9 @@ static unsigned int cond_forbids[] = {
   #ifdef WITH_CONTENT_SCAN
   (unsigned int)
   ~((1<<ACL_WHERE_DATA)|                           /* spam */
-  #ifdef EXPERIMENTAL_PRDR
+  #ifndef DISABLE_PRDR
     (1<<ACL_WHERE_PRDR)|
-  #endif /* EXPERIMENTAL_PRDR */
+  #endif
     (1<<ACL_WHERE_NOTSMTP)),
   #endif
 
@@ -608,9 +608,9 @@ static unsigned int control_forbids[] = {
 
   #ifndef DISABLE_DKIM
   (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)|      /* dkim_disable_verify */
-  #ifdef EXPERIMENTAL_PRDR
+  #ifndef DISABLE_PRDR
     (1<<ACL_WHERE_PRDR)|
-  #endif /* EXPERIMENTAL_PRDR */
+  #endif
     (1<<ACL_WHERE_NOTSMTP_START),
   #endif
 
@@ -674,17 +674,17 @@ static unsigned int control_forbids[] = {
   (unsigned int)
   ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|       /* fakedefer */
     (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
-  #ifdef EXPERIMENTAL_PRDR
+  #ifndef DISABLE_PRDR
     (1<<ACL_WHERE_PRDR)|
-  #endif /* EXPERIMENTAL_PRDR */
+  #endif
     (1<<ACL_WHERE_MIME)),
 
   (unsigned int)
   ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|       /* fakereject */
     (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
-  #ifdef EXPERIMENTAL_PRDR
+  #ifndef DISABLE_PRDR
     (1<<ACL_WHERE_PRDR)|
-  #endif /* EXPERIMENTAL_PRDR */
+  #endif
     (1<<ACL_WHERE_MIME)),
 
   (1<<ACL_WHERE_NOTSMTP)|                          /* no_multiline */
@@ -1550,7 +1550,7 @@ for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
   assertion: legitimate SMTP clients are all explicitly authorized with CSA
   SRV records of their own. */
 
-  if (found != domain)
+  if (Ustrcmp(found, domain) != 0)
     {
     if (port & 1)
       return t->data.val = CSA_FAIL_EXPLICIT;
@@ -2352,7 +2352,10 @@ rate measurement as opposed to rate limiting. */
 
 sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
 if (sender_rate_limit == NULL)
+  {
   limit = -1.0;
+  ss = NULL;	/* compiler quietening */
+  }
 else
   {
   limit = Ustrtod(sender_rate_limit, &ss);
@@ -2979,7 +2982,7 @@ uschar *debug_opts = NULL;
 uschar *p = NULL;
 int rc = OK;
 #ifdef WITH_CONTENT_SCAN
-int sep = '/';
+int sep = -'/';
 #endif
 
 for (; cb != NULL; cb = cb->next)
@@ -3351,19 +3354,27 @@ for (; cb != NULL; cb = cb->next)
       break;
 
       case CONTROL_CUTTHROUGH_DELIVERY:
-      if (deliver_freeze)
-        *log_msgptr = US"frozen";
-      else if (queue_only_policy)
-        *log_msgptr = US"queue-only";
-      else if (fake_response == FAIL)
-        *log_msgptr = US"fakereject";
+      if (prdr_requested)
+	/* Too hard to think about for now.  We might in future cutthrough
+	the case where both sides handle prdr and this-node prdr acl
+	is "accept" */
+        *log_msgptr = string_sprintf(US"PRDR on %s reception\n", arg);
       else
 	{
-	cutthrough_delivery = TRUE;
-	break;
+	if (deliver_freeze)
+	  *log_msgptr = US"frozen";
+	else if (queue_only_policy)
+	  *log_msgptr = US"queue-only";
+	else if (fake_response == FAIL)
+	  *log_msgptr = US"fakereject";
+	else
+	  {
+	  if (rcpt_count == 1) cutthrough.delivery = TRUE;
+	  break;
+	  }
+	*log_msgptr = string_sprintf("\"control=%s\" on %s item",
+				      arg, *log_msgptr);
 	}
-      *log_msgptr = string_sprintf("\"control=%s\" on %s item",
-				    arg, *log_msgptr);
       return ERROR;
       }
     break;
@@ -3580,21 +3591,28 @@ for (; cb != NULL; cb = cb->next)
     break;
 
     #ifdef WITH_CONTENT_SCAN
-    case ACLC_MALWARE:
+    case ACLC_MALWARE:			/* Run the malware backend. */
       {
       /* Separate the regular expression and any optional parameters. */
       uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
-      /* Run the malware backend. */
-      rc = malware(&ss);
-      /* Modify return code based upon the existance of options. */
-      while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
-            != NULL) {
-        if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
-          {
-          /* FAIL so that the message is passed to the next ACL */
-          rc = FAIL;
-          }
-        }
+      uschar *opt;
+      BOOL defer_ok = FALSE;
+      int timeout = 0;
+
+      while ((opt = string_nextinlist(&arg, &sep, NULL, 0)))
+        if (strcmpic(opt, US"defer_ok") == 0)
+	  defer_ok = TRUE;
+	else if (  strncmpic(opt, US"tmo=", 4) == 0
+		&& (timeout = readconf_readtime(opt+4, '\0', FALSE)) < 0
+		)
+	  {
+	  *log_msgptr = string_sprintf("bad timeout value in '%s'", opt);
+	  return ERROR;
+	  }
+
+      rc = malware(ss, timeout);
+      if (rc == DEFER && defer_ok)
+	rc = FAIL;	/* FAIL so that the message is passed to the next ACL */
       }
     break;
 
@@ -4129,7 +4147,11 @@ while (acl != NULL)
   switch(acl->verb)
     {
     case ACL_ACCEPT:
-    if (cond == OK || cond == DISCARD) return cond;
+    if (cond == OK || cond == DISCARD)
+      {
+      HDEBUG(D_acl) debug_printf("end of %s: ACCEPT\n", acl_name);
+      return cond;
+      }
     if (endpass_seen)
       {
       HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
@@ -4140,17 +4162,26 @@ while (acl != NULL)
     case ACL_DEFER:
     if (cond == OK)
       {
+      HDEBUG(D_acl) debug_printf("end of %s: DEFER\n", acl_name);
       acl_temp_details = TRUE;
       return DEFER;
       }
     break;
 
     case ACL_DENY:
-    if (cond == OK) return FAIL;
+    if (cond == OK)
+      {
+      HDEBUG(D_acl) debug_printf("end of %s: DENY\n", acl_name);
+      return FAIL;
+      }
     break;
 
     case ACL_DISCARD:
-    if (cond == OK || cond == DISCARD) return DISCARD;
+    if (cond == OK || cond == DISCARD)
+      {
+      HDEBUG(D_acl) debug_printf("end of %s: DISCARD\n", acl_name);
+      return DISCARD;
+      }
     if (endpass_seen)
       {
       HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
@@ -4159,11 +4190,19 @@ while (acl != NULL)
     break;
 
     case ACL_DROP:
-    if (cond == OK) return FAIL_DROP;
+    if (cond == OK)
+      {
+      HDEBUG(D_acl) debug_printf("end of %s: DROP\n", acl_name);
+      return FAIL_DROP;
+      }
     break;
 
     case ACL_REQUIRE:
-    if (cond != OK) return cond;
+    if (cond != OK)
+      {
+      HDEBUG(D_acl) debug_printf("end of %s: not OK\n", acl_name);
+      return cond;
+      }
     break;
 
     case ACL_WARN:
@@ -4319,10 +4358,10 @@ sender_verified_failed = NULL;
 ratelimiters_cmd = NULL;
 log_reject_target = LOG_MAIN|LOG_REJECT;
 
-#ifdef EXPERIMENTAL_PRDR
-if (where == ACL_WHERE_RCPT || where == ACL_WHERE_PRDR )
+#ifndef DISABLE_PRDR
+if (where == ACL_WHERE_RCPT || where == ACL_WHERE_PRDR)
 #else
-if (where == ACL_WHERE_RCPT )
+if (where == ACL_WHERE_RCPT)
 #endif
   {
   adb = address_defaults;
@@ -4363,12 +4402,10 @@ If conn-failure, no action (and keep the spooled copy).
 switch (where)
 {
 case ACL_WHERE_RCPT:
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
 case ACL_WHERE_PRDR:
 #endif
-  if( rcpt_count > 1 )
-    cancel_cutthrough_connection("more than one recipient");
-  else if (rc == OK  &&  cutthrough_delivery  &&  cutthrough_fd < 0)
+  if (rc == OK  &&  cutthrough.delivery  && rcpt_count > cutthrough.nrcpt)
     open_cutthrough_connection(addr);
   break;