X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/d7d7b7b91dd75cec636fc144da7e27eed860f971..45b915963e2e3721fc65c7c3f50f2f65f5c54d1b:/src/src/acl.c

diff --git a/src/src/acl.c b/src/src/acl.c
index f5949f04f..086fa68fd 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/acl.c,v 1.54 2006/02/07 11:19:00 ph10 Exp $ */
+/* $Cambridge: exim/src/src/acl.c,v 1.62 2006/06/28 16:00:23 ph10 Exp $ */
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
@@ -32,13 +32,17 @@ static uschar *verbs[] =
 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
 
 /* ACL condition and modifier codes - keep in step with the table that
-follows. */
+follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
+down. */
 
-enum { ACLC_ACL, ACLC_AUTHENTICATED,
+enum { ACLC_ACL,
+       ACLC_ADD_HEADER,
+       ACLC_AUTHENTICATED,
 #ifdef EXPERIMENTAL_BRIGHTMAIL
        ACLC_BMI_OPTIN,
 #endif
-ACLC_CONDITION, ACLC_CONTROL,
+       ACLC_CONDITION,
+       ACLC_CONTROL,
 #ifdef WITH_CONTENT_SCAN
        ACLC_DECODE,
 #endif
@@ -54,8 +58,14 @@ ACLC_CONDITION, ACLC_CONTROL,
        ACLC_DK_SENDERS,
        ACLC_DK_STATUS,
 #endif
-       ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
-       ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
+       ACLC_DNSLISTS,
+       ACLC_DOMAINS,
+       ACLC_ENCRYPTED,
+       ACLC_ENDPASS,
+       ACLC_HOSTS,
+       ACLC_LOCAL_PARTS,
+       ACLC_LOG_MESSAGE,
+       ACLC_LOGWRITE,
 #ifdef WITH_CONTENT_SCAN
        ACLC_MALWARE,
 #endif
@@ -68,7 +78,9 @@ ACLC_CONDITION, ACLC_CONTROL,
 #ifdef WITH_CONTENT_SCAN
        ACLC_REGEX,
 #endif
-       ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
+       ACLC_SENDER_DOMAINS,
+       ACLC_SENDERS,
+       ACLC_SET,
 #ifdef WITH_CONTENT_SCAN
        ACLC_SPAM,
 #endif
@@ -83,6 +95,7 @@ but always return TRUE. They are used for their side effects. */
 
 static uschar *conditions[] = {
   US"acl",
+  US"add_header",
   US"authenticated",
 #ifdef EXPERIMENTAL_BRIGHTMAIL
   US"bmi_optin",
@@ -132,19 +145,29 @@ static uschar *conditions[] = {
 that follows! */
 
 enum {
-#ifdef EXPERIMENTAL_BRIGHTMAIL
+  CONTROL_AUTH_UNADVERTISED,
+  #ifdef EXPERIMENTAL_BRIGHTMAIL
   CONTROL_BMI_RUN,
-#endif
-#ifdef EXPERIMENTAL_DOMAINKEYS
+  #endif
+  #ifdef EXPERIMENTAL_DOMAINKEYS
   CONTROL_DK_VERIFY,
-#endif
-  CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
-  CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
-  CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION, CONTROL_SUPPRESS_LOCAL_FIXUPS,
-#ifdef WITH_CONTENT_SCAN
+  #endif
+  CONTROL_ERROR,
+  CONTROL_CASEFUL_LOCAL_PART,
+  CONTROL_CASELOWER_LOCAL_PART,
+  CONTROL_ENFORCE_SYNC,
+  CONTROL_NO_ENFORCE_SYNC,
+  CONTROL_FREEZE,
+  CONTROL_QUEUE_ONLY,
+  CONTROL_SUBMISSION,
+  CONTROL_SUPPRESS_LOCAL_FIXUPS,
+  #ifdef WITH_CONTENT_SCAN
   CONTROL_NO_MBOX_UNSPOOL,
-#endif
-  CONTROL_FAKEDEFER, CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
+  #endif
+  CONTROL_FAKEDEFER,
+  CONTROL_FAKEREJECT,
+  CONTROL_NO_MULTILINE
+};
 
 /* ACL control names; keep in step with the table above! This list is used for
 turning ids into names. The actual list of recognized names is in the variable
@@ -152,20 +175,27 @@ control_def controls_list[] below. The fact that there are two lists is a mess
 and should be tidied up. */
 
 static uschar *controls[] = {
+  US"allow_auth_unadvertised",
   #ifdef EXPERIMENTAL_BRIGHTMAIL
   US"bmi_run",
   #endif
   #ifdef EXPERIMENTAL_DOMAINKEYS
   US"dk_verify",
   #endif
-  US"error", US"caseful_local_part",
-  US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
-  US"queue_only", US"submission", US"suppress_local_fixups",
+  US"error",
+  US"caseful_local_part",
+  US"caselower_local_part",
+  US"enforce_sync",
+  US"no_enforce_sync",
+  US"freeze",
+  US"queue_only",
+  US"submission",
+  US"suppress_local_fixups",
   #ifdef WITH_CONTENT_SCAN
   US"no_mbox_unspool",
   #endif
-
-  US"no_multiline"};
+  US"no_multiline"
+};
 
 /* Flags to indicate for which conditions /modifiers a string expansion is done
 at the outer level. In the other cases, expansion already occurs in the
@@ -173,6 +203,7 @@ checking functions. */
 
 static uschar cond_expand_at_top[] = {
   TRUE,    /* acl */
+  TRUE,    /* add_header */
   FALSE,   /* authenticated */
 #ifdef EXPERIMENTAL_BRIGHTMAIL
   TRUE,    /* bmi_optin */
@@ -230,6 +261,7 @@ static uschar cond_expand_at_top[] = {
 
 static uschar cond_modifiers[] = {
   FALSE,   /* acl */
+  TRUE,    /* add_header */
   FALSE,   /* authenticated */
 #ifdef EXPERIMENTAL_BRIGHTMAIL
   TRUE,    /* bmi_optin */
@@ -290,18 +322,26 @@ to specify the negation of a small number of allowed times. */
 static unsigned int cond_forbids[] = {
   0,                                               /* acl */
 
-  (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)|   /* authenticated */
-    (1<<ACL_WHERE_HELO),
+  (unsigned int)
+  ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|       /* add_header */
+    (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
+    (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
+    (1<<ACL_WHERE_NOTSMTP_START)),
 
-#ifdef EXPERIMENTAL_BRIGHTMAIL
+  (1<<ACL_WHERE_NOTSMTP)|                          /* authenticated */
+    (1<<ACL_WHERE_NOTSMTP_START)|
+    (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
+
+  #ifdef EXPERIMENTAL_BRIGHTMAIL
   (1<<ACL_WHERE_AUTH)|                             /* bmi_optin */
     (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
     (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
     (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
     (1<<ACL_WHERE_MAILAUTH)|
     (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
-    (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
-#endif
+    (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
+    (1<<ACL_WHERE_NOTSMTP_START),
+  #endif
 
   0,                                               /* condition */
 
@@ -310,26 +350,26 @@ static unsigned int cond_forbids[] = {
 
   0,                                               /* control */
 
-#ifdef WITH_CONTENT_SCAN
+  #ifdef WITH_CONTENT_SCAN
   (unsigned int)
   ~(1<<ACL_WHERE_MIME),                            /* decode */
-#endif
+  #endif
 
   0,                                               /* delay */
 
-#ifdef WITH_OLD_DEMIME
+  #ifdef WITH_OLD_DEMIME
   (unsigned int)
   ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)),   /* demime */
-#endif
+  #endif
 
-#ifdef EXPERIMENTAL_DOMAINKEYS
+  #ifdef EXPERIMENTAL_DOMAINKEYS
   (1<<ACL_WHERE_AUTH)|                             /* dk_domain_source */
     (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
     (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
     (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
     (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
     (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
-    (1<<ACL_WHERE_VRFY),
+    (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
 
   (1<<ACL_WHERE_AUTH)|                             /* dk_policy */
     (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
@@ -337,7 +377,7 @@ static unsigned int cond_forbids[] = {
     (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
     (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
     (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
-    (1<<ACL_WHERE_VRFY),
+    (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
 
   (1<<ACL_WHERE_AUTH)|                             /* dk_sender_domains */
     (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
@@ -345,7 +385,7 @@ static unsigned int cond_forbids[] = {
     (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
     (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
     (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
-    (1<<ACL_WHERE_VRFY),
+    (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
 
   (1<<ACL_WHERE_AUTH)|                             /* dk_sender_local_parts */
     (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
@@ -353,7 +393,7 @@ static unsigned int cond_forbids[] = {
     (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
     (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
     (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
-    (1<<ACL_WHERE_VRFY),
+    (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
 
   (1<<ACL_WHERE_AUTH)|                             /* dk_senders */
     (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
@@ -361,7 +401,7 @@ static unsigned int cond_forbids[] = {
     (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
     (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
     (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
-    (1<<ACL_WHERE_VRFY),
+    (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
 
   (1<<ACL_WHERE_AUTH)|                             /* dk_status */
     (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
@@ -369,20 +409,24 @@ static unsigned int cond_forbids[] = {
     (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
     (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
     (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
-    (1<<ACL_WHERE_VRFY),
-#endif
+    (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
+  #endif
 
-  (1<<ACL_WHERE_NOTSMTP),                          /* dnslists */
+  (1<<ACL_WHERE_NOTSMTP)|                          /* dnslists */
+    (1<<ACL_WHERE_NOTSMTP_START),
 
   (unsigned int)
   ~(1<<ACL_WHERE_RCPT),                            /* domains */
 
-  (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)|   /* encrypted */
+  (1<<ACL_WHERE_NOTSMTP)|                          /* encrypted */
+    (1<<ACL_WHERE_CONNECT)|
+    (1<<ACL_WHERE_NOTSMTP_START)|
     (1<<ACL_WHERE_HELO),
 
   0,                                               /* endpass */
 
-  (1<<ACL_WHERE_NOTSMTP),                          /* hosts */
+  (1<<ACL_WHERE_NOTSMTP)|                          /* hosts */
+    (1<<ACL_WHERE_NOTSMTP_START),
 
   (unsigned int)
   ~(1<<ACL_WHERE_RCPT),                            /* local_parts */
@@ -391,28 +435,28 @@ static unsigned int cond_forbids[] = {
 
   0,                                               /* logwrite */
 
-#ifdef WITH_CONTENT_SCAN
+  #ifdef WITH_CONTENT_SCAN
   (unsigned int)
   ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)),   /* malware */
-#endif
+  #endif
 
   0,                                               /* message */
 
-#ifdef WITH_CONTENT_SCAN
+  #ifdef WITH_CONTENT_SCAN
   (unsigned int)
   ~(1<<ACL_WHERE_MIME),                            /* mime_regex */
-#endif
+  #endif
 
   0,                                               /* ratelimit */
 
   (unsigned int)
   ~(1<<ACL_WHERE_RCPT),                            /* recipients */
 
-#ifdef WITH_CONTENT_SCAN
+  #ifdef WITH_CONTENT_SCAN
   (unsigned int)
   ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)|    /* regex */
     (1<<ACL_WHERE_MIME)),
-#endif
+  #endif
 
   (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)|      /* sender_domains */
     (1<<ACL_WHERE_HELO)|
@@ -428,18 +472,20 @@ static unsigned int cond_forbids[] = {
 
   0,                                               /* set */
 
-#ifdef WITH_CONTENT_SCAN
+  #ifdef WITH_CONTENT_SCAN
   (unsigned int)
   ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)),   /* spam */
-#endif
+  #endif
 
-#ifdef EXPERIMENTAL_SPF
+  #ifdef EXPERIMENTAL_SPF
   (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)|      /* spf */
     (1<<ACL_WHERE_HELO)|
     (1<<ACL_WHERE_MAILAUTH)|
     (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
-    (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
-#endif
+    (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
+    (1<<ACL_WHERE_NOTSMTP)|
+    (1<<ACL_WHERE_NOTSMTP_START),
+  #endif
 
   /* Certain types of verify are always allowed, so we let it through
   always and check in the verify function itself */
@@ -453,12 +499,17 @@ each control, there's a bitmap of dis-allowed times. For some, it is easier to
 specify the negation of a small number of allowed times. */
 
 static unsigned int control_forbids[] = {
-#ifdef EXPERIMENTAL_BRIGHTMAIL
+  (unsigned int)
+  ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)),   /* allow_auth_unadvertised */
+
+  #ifdef EXPERIMENTAL_BRIGHTMAIL
   0,                                               /* bmi_run */
-#endif
-#ifdef EXPERIMENTAL_DOMAINKEYS
-  (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),      /* dk_verify */
-#endif
+  #endif
+
+  #ifdef EXPERIMENTAL_DOMAINKEYS
+  (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)|      /* dk_verify */
+    (1<<ACL_WHERE_NOTSMTP_START),
+  #endif
 
   0,                                               /* error */
 
@@ -468,9 +519,11 @@ static unsigned int control_forbids[] = {
   (unsigned int)
   ~(1<<ACL_WHERE_RCPT),                            /* caselower_local_part */
 
-  (1<<ACL_WHERE_NOTSMTP),                          /* enforce_sync */
+  (1<<ACL_WHERE_NOTSMTP)|                          /* enforce_sync */
+    (1<<ACL_WHERE_NOTSMTP_START),
 
-  (1<<ACL_WHERE_NOTSMTP),                          /* no_enforce_sync */
+  (1<<ACL_WHERE_NOTSMTP)|                          /* no_enforce_sync */
+    (1<<ACL_WHERE_NOTSMTP_START),
 
   (unsigned int)
   ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|       /* freeze */
@@ -488,14 +541,15 @@ static unsigned int control_forbids[] = {
 
   (unsigned int)
   ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|       /* suppress_local_fixups */
-    (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_PREDATA)),
+    (1<<ACL_WHERE_PREDATA)|
+    (1<<ACL_WHERE_NOTSMTP_START)),
 
-#ifdef WITH_CONTENT_SCAN
+  #ifdef WITH_CONTENT_SCAN
   (unsigned int)
   ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|       /* no_mbox_unspool */
     (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
     (1<<ACL_WHERE_MIME)),
-#endif
+  #endif
 
   (unsigned int)
   ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|       /* fakedefer */
@@ -507,7 +561,8 @@ static unsigned int control_forbids[] = {
     (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
     (1<<ACL_WHERE_MIME)),
 
-  (1<<ACL_WHERE_NOTSMTP)                           /* no_multiline */
+  (1<<ACL_WHERE_NOTSMTP)|                          /* no_multiline */
+    (1<<ACL_WHERE_NOTSMTP_START)
 };
 
 /* Structure listing various control arguments, with their characteristics. */
@@ -519,26 +574,27 @@ typedef struct control_def {
 } control_def;
 
 static control_def controls_list[] = {
+  { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
 #ifdef EXPERIMENTAL_BRIGHTMAIL
-  { US"bmi_run",                CONTROL_BMI_RUN, FALSE },
+  { US"bmi_run",                 CONTROL_BMI_RUN, FALSE },
 #endif
 #ifdef EXPERIMENTAL_DOMAINKEYS
-  { US"dk_verify",              CONTROL_DK_VERIFY, FALSE },
-#endif
-  { US"caseful_local_part",     CONTROL_CASEFUL_LOCAL_PART, FALSE },
-  { US"caselower_local_part",   CONTROL_CASELOWER_LOCAL_PART, FALSE },
-  { US"enforce_sync",           CONTROL_ENFORCE_SYNC, FALSE },
-  { US"freeze",                 CONTROL_FREEZE, FALSE },
-  { US"no_enforce_sync",        CONTROL_NO_ENFORCE_SYNC, FALSE },
-  { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
-  { US"queue_only",             CONTROL_QUEUE_ONLY, FALSE },
+  { US"dk_verify",               CONTROL_DK_VERIFY, FALSE },
+#endif
+  { US"caseful_local_part",      CONTROL_CASEFUL_LOCAL_PART, FALSE },
+  { US"caselower_local_part",    CONTROL_CASELOWER_LOCAL_PART, FALSE },
+  { US"enforce_sync",            CONTROL_ENFORCE_SYNC, FALSE },
+  { US"freeze",                  CONTROL_FREEZE, TRUE },
+  { US"no_enforce_sync",         CONTROL_NO_ENFORCE_SYNC, FALSE },
+  { US"no_multiline_responses",  CONTROL_NO_MULTILINE, FALSE },
+  { US"queue_only",              CONTROL_QUEUE_ONLY, FALSE },
 #ifdef WITH_CONTENT_SCAN
-  { US"no_mbox_unspool",        CONTROL_NO_MBOX_UNSPOOL, FALSE },
+  { US"no_mbox_unspool",         CONTROL_NO_MBOX_UNSPOOL, FALSE },
 #endif
-  { US"fakedefer",              CONTROL_FAKEDEFER, TRUE },
-  { US"fakereject",             CONTROL_FAKEREJECT, TRUE },
-  { US"submission",             CONTROL_SUBMISSION, TRUE },
-  { US"suppress_local_fixups",  CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
+  { US"fakedefer",               CONTROL_FAKEDEFER, TRUE },
+  { US"fakereject",              CONTROL_FAKEREJECT, TRUE },
+  { US"submission",              CONTROL_SUBMISSION, TRUE },
+  { US"suppress_local_fixups",   CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
   };
 
 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
@@ -668,7 +724,7 @@ while ((s = (*func)()) != NULL)
   can be started by a name, or by a macro definition. */
 
   s = readconf_readname(name, sizeof(name), s);
-  if (*s == ':' || isupper(name[0] && *s == '=')) return yield;
+  if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
 
   /* If a verb is unrecognized, it may be another condition or modifier that
   continues the previous verb. */
@@ -678,7 +734,8 @@ while ((s = (*func)()) != NULL)
     {
     if (this == NULL)
       {
-      *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
+      *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
+        saveline);
       return NULL;
       }
     }
@@ -803,6 +860,115 @@ return yield;
 
 
 
+/*************************************************
+*         Set up added header line(s)            *
+*************************************************/
+
+/* This function is called by the add_header modifier, and also from acl_warn()
+to implement the now-deprecated way of adding header lines using "message" on a
+"warn" verb. The argument is treated as a sequence of header lines which are
+added to a chain, provided there isn't an identical one already there.
+
+Argument:   string of header lines
+Returns:    nothing
+*/
+
+static void
+setup_header(uschar *hstring)
+{
+uschar *p, *q;
+int hlen = Ustrlen(hstring);
+
+/* An empty string does nothing; otherwise add a final newline if necessary. */
+
+if (hlen <= 0) return;
+if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
+
+/* Loop for multiple header lines, taking care about continuations */
+
+for (p = q = hstring; *p != 0; )
+  {
+  uschar *s;
+  int newtype = htype_add_bot;
+  header_line **hptr = &acl_added_headers;
+
+  /* Find next header line within the string */
+
+  for (;;)
+    {
+    q = Ustrchr(q, '\n');
+    if (*(++q) != ' ' && *q != '\t') break;
+    }
+
+  /* If the line starts with a colon, interpret the instruction for where to
+  add it. This temporarily sets up a new type. */
+
+  if (*p == ':')
+    {
+    if (strncmpic(p, US":after_received:", 16) == 0)
+      {
+      newtype = htype_add_rec;
+      p += 16;
+      }
+    else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
+      {
+      newtype = htype_add_rfc;
+      p += 14;
+      }
+    else if (strncmpic(p, US":at_start:", 10) == 0)
+      {
+      newtype = htype_add_top;
+      p += 10;
+      }
+    else if (strncmpic(p, US":at_end:", 8) == 0)
+      {
+      newtype = htype_add_bot;
+      p += 8;
+      }
+    while (*p == ' ' || *p == '\t') p++;
+    }
+
+  /* See if this line starts with a header name, and if not, add X-ACL-Warn:
+  to the front of it. */
+
+  for (s = p; s < q - 1; s++)
+    {
+    if (*s == ':' || !isgraph(*s)) break;
+    }
+
+  s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
+  hlen = Ustrlen(s);
+
+  /* See if this line has already been added */
+
+  while (*hptr != NULL)
+    {
+    if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
+    hptr = &((*hptr)->next);
+    }
+
+  /* Add if not previously present */
+
+  if (*hptr == NULL)
+    {
+    header_line *h = store_get(sizeof(header_line));
+    h->text = s;
+    h->next = NULL;
+    h->type = newtype;
+    h->slen = hlen;
+    *hptr = h;
+    hptr = &(h->next);
+    }
+
+  /* Advance for next header line within the string */
+
+  p = q;
+  }
+}
+
+
+
+
 /*************************************************
 *               Handle warnings                  *
 *************************************************/
@@ -811,6 +977,9 @@ return yield;
 the message's headers, and/or writes information to the log. In each case, this
 only happens once (per message for headers, per connection for log).
 
+** NOTE: The header adding action using the "message" setting is historic, and
+its use is now deprecated. The new add_header modifier should be used instead.
+
 Arguments:
   where          ACL_WHERE_xxxx indicating which ACL this is
   user_message   message for adding to headers
@@ -822,8 +991,6 @@ Returns:         nothing
 static void
 acl_warn(int where, uschar *user_message, uschar *log_message)
 {
-int hlen;
-
 if (log_message != NULL && log_message != user_message)
   {
   uschar *text;
@@ -873,99 +1040,10 @@ if (where > ACL_WHERE_NOTSMTP)
   return;
   }
 
-/* Treat the user message as a sequence of one or more header lines. */
-
-hlen = Ustrlen(user_message);
-if (hlen > 0)
-  {
-  uschar *text, *p, *q;
-
-  /* Add a final newline if not present */
-
-  text = ((user_message)[hlen-1] == '\n')? user_message :
-    string_sprintf("%s\n", user_message);
-
-  /* Loop for multiple header lines, taking care about continuations */
-
-  for (p = q = text; *p != 0; )
-    {
-    uschar *s;
-    int newtype = htype_add_bot;
-    header_line **hptr = &acl_warn_headers;
-
-    /* Find next header line within the string */
-
-    for (;;)
-      {
-      q = Ustrchr(q, '\n');
-      if (*(++q) != ' ' && *q != '\t') break;
-      }
-
-    /* If the line starts with a colon, interpret the instruction for where to
-    add it. This temporarily sets up a new type. */
-
-    if (*p == ':')
-      {
-      if (strncmpic(p, US":after_received:", 16) == 0)
-        {
-        newtype = htype_add_rec;
-        p += 16;
-        }
-      else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
-        {
-        newtype = htype_add_rfc;
-        p += 14;
-        }
-      else if (strncmpic(p, US":at_start:", 10) == 0)
-        {
-        newtype = htype_add_top;
-        p += 10;
-        }
-      else if (strncmpic(p, US":at_end:", 8) == 0)
-        {
-        newtype = htype_add_bot;
-        p += 8;
-        }
-      while (*p == ' ' || *p == '\t') p++;
-      }
-
-    /* See if this line starts with a header name, and if not, add X-ACL-Warn:
-    to the front of it. */
-
-    for (s = p; s < q - 1; s++)
-      {
-      if (*s == ':' || !isgraph(*s)) break;
-      }
-
-    s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
-    hlen = Ustrlen(s);
-
-    /* See if this line has already been added */
-
-    while (*hptr != NULL)
-      {
-      if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
-      hptr = &((*hptr)->next);
-      }
-
-    /* Add if not previously present */
-
-    if (*hptr == NULL)
-      {
-      header_line *h = store_get(sizeof(header_line));
-      h->text = s;
-      h->next = NULL;
-      h->type = newtype;
-      h->slen = hlen;
-      *hptr = h;
-      hptr = &(h->next);
-      }
+/* The code for setting up header lines is now abstracted into a separate
+function so that it can be used for the add_header modifier as well. */
 
-    /* Advance for next header line within the string */
-
-    p = q;
-    }
-  }
+setup_header(user_message);
 }
 
 
@@ -1972,6 +2050,7 @@ ACL clauses like: defer ratelimit = 15 / 1h
 
 Arguments:
   arg         the option string for ratelimit=
+  where       ACL_WHERE_xxxx indicating which ACL this is
   log_msgptr  for error messages
 
 Returns:       OK        - Sender's rate is above limit
@@ -1981,7 +2060,7 @@ Returns:       OK        - Sender's rate is above limit
 */
 
 static int
-acl_ratelimit(uschar *arg, uschar **log_msgptr)
+acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
 {
 double limit, period;
 uschar *ss, *key;
@@ -2200,6 +2279,9 @@ else
   if (per_byte)
     dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
               * (1 - a) / i_over_p + a * dbd->rate;
+  else if (per_cmd && where == ACL_WHERE_NOTSMTP)
+    dbd->rate = (double)recipients_count
+              * (1 - a) / i_over_p + a * dbd->rate;
   else
     dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
   }
@@ -2373,6 +2455,10 @@ for (; cb != NULL; cb = cb->next)
 
   switch(cb->type)
     {
+    case ACLC_ADD_HEADER:
+    setup_header(arg);
+    break;
+
     /* A nested ACL that returns "discard" makes sense only for an "accept" or
     "discard" verb. */
 
@@ -2393,7 +2479,7 @@ for (; cb != NULL; cb = cb->next)
         TRUE, NULL);
     break;
 
-#ifdef EXPERIMENTAL_BRIGHTMAIL
+    #ifdef EXPERIMENTAL_BRIGHTMAIL
     case ACLC_BMI_OPTIN:
       {
       int old_pool = store_pool;
@@ -2402,7 +2488,7 @@ for (; cb != NULL; cb = cb->next)
       store_pool = old_pool;
       }
     break;
-#endif
+    #endif
 
     case ACLC_CONDITION:
     if (Ustrspn(arg, "0123456789") == Ustrlen(arg))     /* Digits, or empty */
@@ -2430,16 +2516,22 @@ for (; cb != NULL; cb = cb->next)
 
     switch(control_type)
       {
-#ifdef EXPERIMENTAL_BRIGHTMAIL
+      case CONTROL_AUTH_UNADVERTISED:
+      allow_auth_unadvertised = TRUE;
+      break;
+
+      #ifdef EXPERIMENTAL_BRIGHTMAIL
       case CONTROL_BMI_RUN:
       bmi_run = 1;
       break;
-#endif
-#ifdef EXPERIMENTAL_DOMAINKEYS
+      #endif
+
+      #ifdef EXPERIMENTAL_DOMAINKEYS
       case CONTROL_DK_VERIFY:
       dk_do_verify = 1;
       break;
-#endif
+      #endif
+
       case CONTROL_ERROR:
       return ERROR;
 
@@ -2459,11 +2551,11 @@ for (; cb != NULL; cb = cb->next)
       smtp_enforce_sync = FALSE;
       break;
 
-#ifdef WITH_CONTENT_SCAN
+      #ifdef WITH_CONTENT_SCAN
       case CONTROL_NO_MBOX_UNSPOOL:
       no_mbox_unspool = TRUE;
       break;
-#endif
+      #endif
 
       case CONTROL_NO_MULTILINE:
       no_multiline_responses = TRUE;
@@ -2489,6 +2581,17 @@ for (; cb != NULL; cb = cb->next)
       case CONTROL_FREEZE:
       deliver_freeze = TRUE;
       deliver_frozen_at = time(NULL);
+      freeze_tell = freeze_tell_config;       /* Reset to configured value */
+      if (Ustrncmp(p, "/no_tell", 8) == 0)
+        {
+        p += 8;
+        freeze_tell = NULL;
+        }
+      if (*p != 0)
+        {
+        *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
+        return ERROR;
+        }
       break;
 
       case CONTROL_QUEUE_ONLY:
@@ -2538,11 +2641,11 @@ for (; cb != NULL; cb = cb->next)
       }
     break;
 
-#ifdef WITH_CONTENT_SCAN
+    #ifdef WITH_CONTENT_SCAN
     case ACLC_DECODE:
     rc = mime_decode(&arg);
     break;
-#endif
+    #endif
 
     case ACLC_DELAY:
       {
@@ -2586,14 +2689,14 @@ for (; cb != NULL; cb = cb->next)
       }
     break;
 
-#ifdef WITH_OLD_DEMIME
+    #ifdef WITH_OLD_DEMIME
     case ACLC_DEMIME:
       rc = demime(&arg);
     break;
-#endif
+    #endif
 
-#ifdef EXPERIMENTAL_DOMAINKEYS
-  case ACLC_DK_DOMAIN_SOURCE:
+    #ifdef EXPERIMENTAL_DOMAINKEYS
+    case ACLC_DK_DOMAIN_SOURCE:
     if (dk_verify_block == NULL) { rc = FAIL; break; };
     /* check header source of domain against given string */
     switch (dk_verify_block->address_source) {
@@ -2609,9 +2712,10 @@ for (; cb != NULL; cb = cb->next)
         rc = match_isinlist(US"none", &arg, 0, NULL,
                             NULL, MCL_STRING, TRUE, NULL);
       break;
-    }
-  break;
-  case ACLC_DK_POLICY:
+      }
+    break;
+
+    case ACLC_DK_POLICY:
     if (dk_verify_block == NULL) { rc = FAIL; break; };
     /* check policy against given string, default FAIL */
     rc = FAIL;
@@ -2621,28 +2725,32 @@ for (; cb != NULL; cb = cb->next)
     if (dk_verify_block->testing)
       rc = match_isinlist(US"testing", &arg, 0, NULL,
                           NULL, MCL_STRING, TRUE, NULL);
-  break;
-  case ACLC_DK_SENDER_DOMAINS:
+    break;
+
+    case ACLC_DK_SENDER_DOMAINS:
     if (dk_verify_block == NULL) { rc = FAIL; break; };
     if (dk_verify_block->domain != NULL)
       rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
                           NULL, MCL_DOMAIN, TRUE, NULL);
     else rc = FAIL;
-  break;
-  case ACLC_DK_SENDER_LOCAL_PARTS:
+    break;
+
+    case ACLC_DK_SENDER_LOCAL_PARTS:
     if (dk_verify_block == NULL) { rc = FAIL; break; };
     if (dk_verify_block->local_part != NULL)
       rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
                           NULL, MCL_LOCALPART, TRUE, NULL);
     else rc = FAIL;
-  break;
-  case ACLC_DK_SENDERS:
+    break;
+
+    case ACLC_DK_SENDERS:
     if (dk_verify_block == NULL) { rc = FAIL; break; };
     if (dk_verify_block->address != NULL)
       rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
     else rc = FAIL;
-  break;
-  case ACLC_DK_STATUS:
+    break;
+
+    case ACLC_DK_STATUS:
     if (dk_verify_block == NULL) { rc = FAIL; break; };
     if (dk_verify_block->result > 0) {
       switch(dk_verify_block->result) {
@@ -2674,10 +2782,10 @@ for (; cb != NULL; cb = cb->next)
           rc = match_isinlist(US"bad", &arg, 0, NULL,
                               NULL, MCL_STRING, TRUE, NULL);
         break;
+        }
       }
-    }
-  break;
-#endif
+    break;
+    #endif
 
     case ACLC_DNSLISTS:
     rc = verify_check_dnsbl(&arg);
@@ -2759,7 +2867,7 @@ for (; cb != NULL; cb = cb->next)
       }
     break;
 
-#ifdef WITH_CONTENT_SCAN
+    #ifdef WITH_CONTENT_SCAN
     case ACLC_MALWARE:
       {
       /* Seperate the regular expression and any optional parameters. */
@@ -2779,12 +2887,12 @@ for (; cb != NULL; cb = cb->next)
     break;
 
     case ACLC_MIME_REGEX:
-      rc = mime_regex(&arg);
+    rc = mime_regex(&arg);
     break;
-#endif
+    #endif
 
     case ACLC_RATELIMIT:
-      rc = acl_ratelimit(arg, log_msgptr);
+    rc = acl_ratelimit(arg, where, log_msgptr);
     break;
 
     case ACLC_RECIPIENTS:
@@ -2792,11 +2900,11 @@ for (; cb != NULL; cb = cb->next)
       &recipient_data);
     break;
 
-#ifdef WITH_CONTENT_SCAN
-   case ACLC_REGEX:
-      rc = regex(&arg);
+    #ifdef WITH_CONTENT_SCAN
+    case ACLC_REGEX:
+    rc = regex(&arg);
     break;
-#endif
+    #endif
 
     case ACLC_SENDER_DOMAINS:
       {
@@ -2824,7 +2932,7 @@ for (; cb != NULL; cb = cb->next)
       }
     break;
 
-#ifdef WITH_CONTENT_SCAN
+    #ifdef WITH_CONTENT_SCAN
     case ACLC_SPAM:
       {
       /* Seperate the regular expression and any optional parameters. */
@@ -2842,13 +2950,13 @@ for (; cb != NULL; cb = cb->next)
         }
       }
     break;
-#endif
+    #endif
 
-#ifdef EXPERIMENTAL_SPF
+    #ifdef EXPERIMENTAL_SPF
     case ACLC_SPF:
       rc = spf_process(&arg, sender_address);
     break;
-#endif
+    #endif
 
     /* If the verb is WARN, discard any user message from verification, because
     such messages are SMTP responses, not header additions. The latter come