X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/7353285c15cfdcab0567dc8a0d55ff4720a7a01c..80a47a2c9633437d4ceebd214cd44abfbd4f4543:/src/src/acl.c

diff --git a/src/src/acl.c b/src/src/acl.c
index bc374b461..a3e79b13d 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/acl.c,v 1.79 2007/08/29 13:58:25 ph10 Exp $ */
+/* $Cambridge: exim/src/src/acl.c,v 1.83 2009/06/10 07:34:04 tom Exp $ */
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
@@ -55,6 +55,9 @@ enum { ACLC_ACL,
        ACLC_CONDITION,
        ACLC_CONTINUE,
        ACLC_CONTROL,
+#ifdef EXPERIMENTAL_DCC
+       ACLC_DCC,
+#endif
 #ifdef WITH_CONTENT_SCAN
        ACLC_DECODE,
 #endif
@@ -62,13 +65,9 @@ enum { ACLC_ACL,
 #ifdef WITH_OLD_DEMIME
        ACLC_DEMIME,
 #endif
-#ifdef EXPERIMENTAL_DOMAINKEYS
-       ACLC_DK_DOMAIN_SOURCE,
-       ACLC_DK_POLICY,
-       ACLC_DK_SENDER_DOMAINS,
-       ACLC_DK_SENDER_LOCAL_PARTS,
-       ACLC_DK_SENDERS,
-       ACLC_DK_STATUS,
+#ifndef DISABLE_DKIM
+       ACLC_DKIM_SIGNER,
+       ACLC_DKIM_STATUS,
 #endif
        ACLC_DNSLISTS,
        ACLC_DOMAINS,
@@ -99,6 +98,7 @@ enum { ACLC_ACL,
 #endif
 #ifdef EXPERIMENTAL_SPF
        ACLC_SPF,
+       ACLC_SPF_GUESS,
 #endif
        ACLC_VERIFY };
 
@@ -117,6 +117,9 @@ static uschar *conditions[] = {
   US"condition",
   US"continue",
   US"control",
+#ifdef EXPERIMENTAL_DCC
+  US"dcc",
+#endif
 #ifdef WITH_CONTENT_SCAN
   US"decode",
 #endif
@@ -124,13 +127,9 @@ static uschar *conditions[] = {
 #ifdef WITH_OLD_DEMIME
   US"demime",
 #endif
-#ifdef EXPERIMENTAL_DOMAINKEYS
-  US"dk_domain_source",
-  US"dk_policy",
-  US"dk_sender_domains",
-  US"dk_sender_local_parts",
-  US"dk_senders",
-  US"dk_status",
+#ifndef DISABLE_DKIM
+  US"dkim_signers",
+  US"dkim_status",
 #endif
   US"dnslists",
   US"domains",
@@ -159,6 +158,7 @@ static uschar *conditions[] = {
 #endif
 #ifdef EXPERIMENTAL_SPF
   US"spf",
+  US"spf_guess",
 #endif
   US"verify" };
 
@@ -171,8 +171,8 @@ enum {
   #ifdef EXPERIMENTAL_BRIGHTMAIL
   CONTROL_BMI_RUN,
   #endif
-  #ifdef EXPERIMENTAL_DOMAINKEYS
-  CONTROL_DK_VERIFY,
+  #ifndef DISABLE_DKIM
+  CONTROL_DKIM_VERIFY,
   #endif
   CONTROL_ERROR,
   CONTROL_CASEFUL_LOCAL_PART,
@@ -204,8 +204,8 @@ static uschar *controls[] = {
   #ifdef EXPERIMENTAL_BRIGHTMAIL
   US"bmi_run",
   #endif
-  #ifdef EXPERIMENTAL_DOMAINKEYS
-  US"dk_verify",
+  #ifndef DISABLE_DKIM
+  US"dkim_disable_verify",
   #endif
   US"error",
   US"caseful_local_part",
@@ -241,6 +241,9 @@ static uschar cond_expand_at_top[] = {
   TRUE,    /* condition */
   TRUE,    /* continue */
   TRUE,    /* control */
+#ifdef EXPERIMENTAL_DCC
+  TRUE,    /* dcc */
+#endif
 #ifdef WITH_CONTENT_SCAN
   TRUE,    /* decode */
 #endif
@@ -248,13 +251,9 @@ static uschar cond_expand_at_top[] = {
 #ifdef WITH_OLD_DEMIME
   TRUE,    /* demime */
 #endif
-#ifdef EXPERIMENTAL_DOMAINKEYS
-  TRUE,    /* dk_domain_source */
-  TRUE,    /* dk_policy */
-  TRUE,    /* dk_sender_domains */
-  TRUE,    /* dk_sender_local_parts */
-  TRUE,    /* dk_senders */
-  TRUE,    /* dk_status */
+#ifndef DISABLE_DKIM
+  TRUE,    /* dkim_signers */
+  TRUE,    /* dkim_status */
 #endif
   TRUE,    /* dnslists */
   FALSE,   /* domains */
@@ -285,6 +284,7 @@ static uschar cond_expand_at_top[] = {
 #endif
 #ifdef EXPERIMENTAL_SPF
   TRUE,    /* spf */
+  TRUE,    /* spf_guess */
 #endif
   TRUE     /* verify */
 };
@@ -301,6 +301,9 @@ static uschar cond_modifiers[] = {
   FALSE,   /* condition */
   TRUE,    /* continue */
   TRUE,    /* control */
+#ifdef EXPERIMENTAL_DCC
+  FALSE,   /* dcc */
+#endif
 #ifdef WITH_CONTENT_SCAN
   FALSE,   /* decode */
 #endif
@@ -308,13 +311,9 @@ static uschar cond_modifiers[] = {
 #ifdef WITH_OLD_DEMIME
   FALSE,   /* demime */
 #endif
-#ifdef EXPERIMENTAL_DOMAINKEYS
-  FALSE,   /* dk_domain_source */
-  FALSE,   /* dk_policy */
-  FALSE,   /* dk_sender_domains */
-  FALSE,   /* dk_sender_local_parts */
-  FALSE,   /* dk_senders */
-  FALSE,   /* dk_status */
+#ifndef DISABLE_DKIM
+  FALSE,   /* dkim_signers */
+  FALSE,   /* dkim_status */
 #endif
   FALSE,   /* dnslists */
   FALSE,   /* domains */
@@ -345,6 +344,7 @@ static uschar cond_modifiers[] = {
 #endif
 #ifdef EXPERIMENTAL_SPF
   FALSE,   /* spf */
+  FALSE,   /* spf_guess */
 #endif
   FALSE    /* verify */
 };
@@ -387,6 +387,11 @@ static unsigned int cond_forbids[] = {
 
   0,                                               /* control */
 
+  #ifdef EXPERIMENTAL_DCC
+  (unsigned int)
+  ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)),   /* dcc */
+  #endif
+
   #ifdef WITH_CONTENT_SCAN
   (unsigned int)
   ~(1<<ACL_WHERE_MIME),                            /* decode */
@@ -399,54 +404,12 @@ static unsigned int cond_forbids[] = {
   ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)),   /* demime */
   #endif
 
-  #ifdef EXPERIMENTAL_DOMAINKEYS
-  (1<<ACL_WHERE_AUTH)|                             /* dk_domain_source */
-    (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
-    (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
-    (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
-    (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
-    (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
-    (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
-
-  (1<<ACL_WHERE_AUTH)|                             /* dk_policy */
-    (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
-    (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
-    (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
-    (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
-    (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
-    (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
-
-  (1<<ACL_WHERE_AUTH)|                             /* dk_sender_domains */
-    (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
-    (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
-    (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
-    (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
-    (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
-    (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
-
-  (1<<ACL_WHERE_AUTH)|                             /* dk_sender_local_parts */
-    (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
-    (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
-    (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
-    (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
-    (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
-    (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
-
-  (1<<ACL_WHERE_AUTH)|                             /* dk_senders */
-    (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
-    (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
-    (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
-    (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
-    (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
-    (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
+  #ifndef DISABLE_DKIM
+  (unsigned int)
+  ~(1<<ACL_WHERE_DKIM),                            /* dkim_signers */
 
-  (1<<ACL_WHERE_AUTH)|                             /* dk_status */
-    (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
-    (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
-    (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
-    (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
-    (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
-    (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
+  (unsigned int)
+  ~(1<<ACL_WHERE_DKIM),                            /* dkim_status */
   #endif
 
   (1<<ACL_WHERE_NOTSMTP)|                          /* dnslists */
@@ -524,6 +487,14 @@ static unsigned int cond_forbids[] = {
     (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
     (1<<ACL_WHERE_NOTSMTP)|
     (1<<ACL_WHERE_NOTSMTP_START),
+
+  (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)|      /* spf_guess */
+    (1<<ACL_WHERE_HELO)|
+    (1<<ACL_WHERE_MAILAUTH)|
+    (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
+    (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
+    (1<<ACL_WHERE_NOTSMTP)|
+    (1<<ACL_WHERE_NOTSMTP_START),
   #endif
 
   /* Certain types of verify are always allowed, so we let it through
@@ -545,8 +516,8 @@ static unsigned int control_forbids[] = {
   0,                                               /* bmi_run */
   #endif
 
-  #ifdef EXPERIMENTAL_DOMAINKEYS
-  (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)|      /* dk_verify */
+  #ifndef DISABLE_DKIM
+  (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)|      /* dkim_disable_verify */
     (1<<ACL_WHERE_NOTSMTP_START),
   #endif
 
@@ -626,8 +597,8 @@ static control_def controls_list[] = {
 #ifdef EXPERIMENTAL_BRIGHTMAIL
   { US"bmi_run",                 CONTROL_BMI_RUN, FALSE },
 #endif
-#ifdef EXPERIMENTAL_DOMAINKEYS
-  { US"dk_verify",               CONTROL_DK_VERIFY, FALSE },
+#ifndef DISABLE_DKIM
+  { US"dkim_disable_verify",     CONTROL_DKIM_VERIFY, FALSE },
 #endif
   { US"caseful_local_part",      CONTROL_CASEFUL_LOCAL_PART, FALSE },
   { US"caselower_local_part",    CONTROL_CASELOWER_LOCAL_PART, FALSE },
@@ -2607,9 +2578,9 @@ for (; cb != NULL; cb = cb->next)
       break;
       #endif
 
-      #ifdef EXPERIMENTAL_DOMAINKEYS
-      case CONTROL_DK_VERIFY:
-      dk_do_verify = 1;
+      #ifndef DISABLE_DKIM
+      case CONTROL_DKIM_VERIFY:
+      dkim_disable_verify = TRUE;
       break;
       #endif
 
@@ -2734,6 +2705,26 @@ for (; cb != NULL; cb = cb->next)
       }
     break;
 
+    #ifdef EXPERIMENTAL_DCC
+    case ACLC_DCC:
+      {
+      /* Seperate the regular expression and any optional parameters. */
+      uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
+      /* Run the dcc backend. */
+      rc = dcc_process(&ss);
+      /* Modify return code based upon the existance of options. */
+      while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
+            != NULL) {
+        if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
+          {
+          /* FAIL so that the message is passed to the next ACL */
+          rc = FAIL;
+          }
+        }
+      }
+    break;
+    #endif
+
     #ifdef WITH_CONTENT_SCAN
     case ACLC_DECODE:
     rc = mime_decode(&arg);
@@ -2793,95 +2784,27 @@ for (; cb != NULL; cb = cb->next)
     break;
     #endif
 
-    #ifdef EXPERIMENTAL_DOMAINKEYS
-    case ACLC_DK_DOMAIN_SOURCE:
-    if (dk_verify_block == NULL) { rc = FAIL; break; };
-    /* check header source of domain against given string */
-    switch (dk_verify_block->address_source) {
-      case DK_EXIM_ADDRESS_FROM_FROM:
-        rc = match_isinlist(US"from", &arg, 0, NULL,
-                            NULL, MCL_STRING, TRUE, NULL);
-      break;
-      case DK_EXIM_ADDRESS_FROM_SENDER:
-        rc = match_isinlist(US"sender", &arg, 0, NULL,
-                            NULL, MCL_STRING, TRUE, NULL);
-      break;
-      case DK_EXIM_ADDRESS_NONE:
-        rc = match_isinlist(US"none", &arg, 0, NULL,
-                            NULL, MCL_STRING, TRUE, NULL);
-      break;
+    #ifndef DISABLE_DKIM
+    case ACLC_DKIM_SIGNER:
+    if (dkim_signing_domain != NULL)
+      {
+      rc = match_isinlist(dkim_signing_domain,
+                          &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
+      if (rc == FAIL)
+        {
+        rc = match_isinlist(dkim_exim_expand_query(DKIM_IDENTITY),
+                            &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
+        }
+      }
+    else
+      {
+       rc = FAIL;
       }
     break;
 
-    case ACLC_DK_POLICY:
-    if (dk_verify_block == NULL) { rc = FAIL; break; };
-    /* check policy against given string, default FAIL */
-    rc = FAIL;
-    if (dk_verify_block->signsall)
-      rc = match_isinlist(US"signsall", &arg, 0, NULL,
-                          NULL, MCL_STRING, TRUE, NULL);
-    if (dk_verify_block->testing)
-      rc = match_isinlist(US"testing", &arg, 0, NULL,
-                          NULL, MCL_STRING, TRUE, NULL);
-    break;
-
-    case ACLC_DK_SENDER_DOMAINS:
-    if (dk_verify_block == NULL) { rc = FAIL; break; };
-    if (dk_verify_block->domain != NULL)
-      rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
-                          NULL, MCL_DOMAIN, TRUE, NULL);
-    else rc = FAIL;
-    break;
-
-    case ACLC_DK_SENDER_LOCAL_PARTS:
-    if (dk_verify_block == NULL) { rc = FAIL; break; };
-    if (dk_verify_block->local_part != NULL)
-      rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
-                          NULL, MCL_LOCALPART, TRUE, NULL);
-    else rc = FAIL;
-    break;
-
-    case ACLC_DK_SENDERS:
-    if (dk_verify_block == NULL) { rc = FAIL; break; };
-    if (dk_verify_block->address != NULL)
-      rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
-    else rc = FAIL;
-    break;
-
-    case ACLC_DK_STATUS:
-    if (dk_verify_block == NULL) { rc = FAIL; break; };
-    if (dk_verify_block->result > 0) {
-      switch(dk_verify_block->result) {
-        case DK_EXIM_RESULT_BAD_FORMAT:
-          rc = match_isinlist(US"bad format", &arg, 0, NULL,
-                              NULL, MCL_STRING, TRUE, NULL);
-        break;
-        case DK_EXIM_RESULT_NO_KEY:
-          rc = match_isinlist(US"no key", &arg, 0, NULL,
-                              NULL, MCL_STRING, TRUE, NULL);
-        break;
-        case DK_EXIM_RESULT_NO_SIGNATURE:
-          rc = match_isinlist(US"no signature", &arg, 0, NULL,
-                              NULL, MCL_STRING, TRUE, NULL);
-        break;
-        case DK_EXIM_RESULT_REVOKED:
-          rc = match_isinlist(US"revoked", &arg, 0, NULL,
-                              NULL, MCL_STRING, TRUE, NULL);
-        break;
-        case DK_EXIM_RESULT_NON_PARTICIPANT:
-          rc = match_isinlist(US"non-participant", &arg, 0, NULL,
-                              NULL, MCL_STRING, TRUE, NULL);
-        break;
-        case DK_EXIM_RESULT_GOOD:
-          rc = match_isinlist(US"good", &arg, 0, NULL,
-                              NULL, MCL_STRING, TRUE, NULL);
-        break;
-        case DK_EXIM_RESULT_BAD:
-          rc = match_isinlist(US"bad", &arg, 0, NULL,
-                              NULL, MCL_STRING, TRUE, NULL);
-        break;
-        }
-      }
+    case ACLC_DKIM_STATUS:
+    rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
+                        &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
     break;
     #endif
 
@@ -3077,7 +3000,10 @@ for (; cb != NULL; cb = cb->next)
 
     #ifdef EXPERIMENTAL_SPF
     case ACLC_SPF:
-      rc = spf_process(&arg, sender_address);
+      rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
+    break;
+    case ACLC_SPF_GUESS:
+      rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
     break;
     #endif