1 /* $Cambridge: exim/src/src/acl.c,v 1.23 2005/03/09 14:36:54 tom Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the condition for which "message" is used */
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
34 /* ACL condition and modifier codes - keep in step with the table that
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
46 #ifdef WITH_OLD_DEMIME
49 #ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59 #ifdef WITH_CONTENT_SCAN
63 #ifdef WITH_CONTENT_SCAN
67 #ifdef WITH_CONTENT_SCAN
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71 #ifdef WITH_CONTENT_SCAN
74 #ifdef EXPERIMENTAL_SPF
79 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80 "log_message", "logwrite", and "set" are modifiers that look like conditions
81 but always return TRUE. They are used for their side effects. */
83 static uschar *conditions[] = { US"acl", US"authenticated",
84 #ifdef EXPERIMENTAL_BRIGHTMAIL
89 #ifdef WITH_CONTENT_SCAN
93 #ifdef WITH_OLD_DEMIME
96 #ifdef EXPERIMENTAL_DOMAINKEYS
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
104 US"dnslists", US"domains", US"encrypted",
105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
106 #ifdef WITH_CONTENT_SCAN
110 #ifdef WITH_CONTENT_SCAN
114 #ifdef WITH_CONTENT_SCAN
117 US"sender_domains", US"senders", US"set",
118 #ifdef WITH_CONTENT_SCAN
121 #ifdef EXPERIMENTAL_SPF
126 /* ACL control names */
128 static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
130 US"queue_only", US"submission", US"no_multiline"};
132 /* Flags to indicate for which conditions /modifiers a string expansion is done
133 at the outer level. In the other cases, expansion already occurs in the
134 checking functions. */
136 static uschar cond_expand_at_top[] = {
138 FALSE, /* authenticated */
139 #ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
142 TRUE, /* condition */
144 #ifdef WITH_CONTENT_SCAN
148 #ifdef WITH_OLD_DEMIME
151 #ifdef EXPERIMENTAL_DOMAINKEYS
152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
155 TRUE, /* dk_sender_local_parts */
156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
161 FALSE, /* encrypted */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
167 #ifdef WITH_CONTENT_SCAN
171 #ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
174 FALSE, /* recipients */
175 #ifdef WITH_CONTENT_SCAN
178 FALSE, /* sender_domains */
181 #ifdef WITH_CONTENT_SCAN
184 #ifdef EXPERIMENTAL_SPF
190 /* Flags to identify the modifiers */
192 static uschar cond_modifiers[] = {
194 FALSE, /* authenticated */
195 #ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
198 FALSE, /* condition */
200 #ifdef WITH_CONTENT_SCAN
204 #ifdef WITH_OLD_DEMIME
207 #ifdef EXPERIMENTAL_DOMAINKEYS
208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
211 FALSE, /* dk_sender_local_parts */
212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
215 FALSE, /* dnslists */
217 FALSE, /* encrypted */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
223 #ifdef WITH_CONTENT_SCAN
227 #ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
230 FALSE, /* recipients */
231 #ifdef WITH_CONTENT_SCAN
234 FALSE, /* sender_domains */
237 #ifdef WITH_CONTENT_SCAN
240 #ifdef EXPERIMENTAL_SPF
246 /* Bit map vector of which conditions are not allowed at certain times. For
247 each condition, there's a bitmap of dis-allowed times. */
249 static unsigned int cond_forbids[] = {
252 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
255 #ifdef EXPERIMENTAL_BRIGHTMAIL
256 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
257 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
258 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
259 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
260 (1<<ACL_WHERE_MAILAUTH)|
261 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
262 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
267 /* Certain types of control are always allowed, so we let it through
268 always and check in the control processing itself */
272 #ifdef WITH_CONTENT_SCAN
273 (1<<ACL_WHERE_AUTH)| /* decode */
274 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
275 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
276 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
277 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
278 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
279 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
284 #ifdef WITH_OLD_DEMIME
285 (1<<ACL_WHERE_AUTH)| /* demime */
286 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
287 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
288 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
289 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
290 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
291 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
294 #ifdef EXPERIMENTAL_DOMAINKEYS
295 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
296 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
297 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
298 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
299 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
300 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
303 (1<<ACL_WHERE_AUTH)| /* dk_policy */
304 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
305 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
306 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
307 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
308 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
311 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
312 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
313 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
314 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
315 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
316 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
319 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
320 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
321 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
322 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
323 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
324 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
327 (1<<ACL_WHERE_AUTH)| /* dk_senders */
328 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
329 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
330 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
331 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
332 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
335 (1<<ACL_WHERE_AUTH)| /* dk_status */
336 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
337 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
338 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
339 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
340 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
344 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
346 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
347 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
348 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
349 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
350 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
351 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
354 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
359 (1<<ACL_WHERE_NOTSMTP), /* hosts */
361 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
362 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
363 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
364 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
365 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
366 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
373 #ifdef WITH_CONTENT_SCAN
374 (1<<ACL_WHERE_AUTH)| /* malware */
375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
378 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
385 #ifdef WITH_CONTENT_SCAN
386 (1<<ACL_WHERE_AUTH)| /* mime_regex */
387 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
388 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
389 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
390 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
391 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
392 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
395 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
396 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
400 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
403 #ifdef WITH_CONTENT_SCAN
404 (1<<ACL_WHERE_AUTH)| /* regex */
405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
406 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
407 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
408 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
409 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
413 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
415 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
416 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
417 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
419 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
421 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
422 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
423 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
427 #ifdef WITH_CONTENT_SCAN
428 (1<<ACL_WHERE_AUTH)| /* spam */
429 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
430 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
431 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
432 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
433 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
434 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
437 #ifdef EXPERIMENTAL_SPF
438 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
440 (1<<ACL_WHERE_MAILAUTH)|
441 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
442 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
445 /* Certain types of verify are always allowed, so we let it through
446 always and check in the verify function itself */
452 /* Return values from decode_control() */
455 #ifdef EXPERIMENTAL_BRIGHTMAIL
458 #ifdef EXPERIMENTAL_DOMAINKEYS
461 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
462 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
463 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
464 #ifdef WITH_CONTENT_SCAN
465 CONTROL_NO_MBOX_UNSPOOL,
467 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
469 /* Bit map vector of which controls are not allowed at certain times. For
470 each control, there's a bitmap of dis-allowed times. For some, it is easier to
471 specify the negation of a small number of allowed times. */
473 static unsigned int control_forbids[] = {
474 #ifdef EXPERIMENTAL_BRIGHTMAIL
477 #ifdef EXPERIMENTAL_DOMAINKEYS
478 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
484 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
487 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
489 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
491 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
494 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
495 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
496 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
499 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
500 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
501 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
504 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
505 (1<<ACL_WHERE_PREDATA)),
507 #ifdef WITH_CONTENT_SCAN
509 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
510 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
511 (1<<ACL_WHERE_MIME)),
515 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
516 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
517 (1<<ACL_WHERE_MIME)),
519 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
522 /* Structure listing various control arguments, with their characteristics. */
524 typedef struct control_def {
526 int value; /* CONTROL_xxx value */
527 BOOL has_option; /* Has /option(s) following */
530 static control_def controls_list[] = {
531 #ifdef EXPERIMENTAL_BRIGHTMAIL
532 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
534 #ifdef EXPERIMENTAL_DOMAINKEYS
535 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
537 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
538 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
539 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
540 { US"freeze", CONTROL_FREEZE, FALSE},
541 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
542 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
543 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
544 #ifdef WITH_CONTENT_SCAN
545 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
547 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
548 { US"submission", CONTROL_SUBMISSION, TRUE}
551 /* Enable recursion between acl_check_internal() and acl_check_condition() */
553 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
557 /*************************************************
558 * Pick out name from list *
559 *************************************************/
561 /* Use a binary chop method
568 Returns: offset in list, or -1 if not found
572 acl_checkname(uschar *name, uschar **list, int end)
578 int mid = (start + end)/2;
579 int c = Ustrcmp(name, list[mid]);
580 if (c == 0) return mid;
581 if (c < 0) end = mid; else start = mid + 1;
588 /*************************************************
589 * Read and parse one ACL *
590 *************************************************/
592 /* This function is called both from readconf in order to parse the ACLs in the
593 configuration file, and also when an ACL is encountered dynamically (e.g. as
594 the result of an expansion). It is given a function to call in order to
595 retrieve the lines of the ACL. This function handles skipping comments and
596 blank lines (where relevant).
599 func function to get next line of ACL
600 error where to put an error message
602 Returns: pointer to ACL, or NULL
603 NULL can be legal (empty ACL); in this case error will be NULL
607 acl_read(uschar *(*func)(void), uschar **error)
609 acl_block *yield = NULL;
610 acl_block **lastp = &yield;
611 acl_block *this = NULL;
612 acl_condition_block *cond;
613 acl_condition_block **condp = NULL;
618 while ((s = (*func)()) != NULL)
621 BOOL negated = FALSE;
622 uschar *saveline = s;
625 /* Conditions (but not verbs) are allowed to be negated by an initial
628 while (isspace(*s)) s++;
635 /* Read the name of a verb or a condition, or the start of a new ACL */
637 s = readconf_readname(name, sizeof(name), s);
640 if (negated || name[0] == 0)
642 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
648 /* If a verb is unrecognized, it may be another condition or modifier that
649 continues the previous verb. */
651 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
656 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
667 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
670 this = store_get(sizeof(acl_block));
672 lastp = &(this->next);
675 this->condition = NULL;
676 condp = &(this->condition);
677 if (*s == 0) continue; /* No condition on this line */
683 s = readconf_readname(name, sizeof(name), s); /* Condition name */
686 /* Handle a condition or modifier. */
688 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
691 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
696 /* The modifiers may not be negated */
698 if (negated && cond_modifiers[c])
700 *error = string_sprintf("ACL error: negation is not allowed with "
701 "\"%s\"", conditions[c]);
705 /* ENDPASS may occur only with ACCEPT or DISCARD. */
707 if (c == ACLC_ENDPASS &&
708 this->verb != ACL_ACCEPT &&
709 this->verb != ACL_DISCARD)
711 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
712 conditions[c], verbs[this->verb]);
716 cond = store_get(sizeof(acl_condition_block));
719 cond->u.negated = negated;
722 condp = &(cond->next);
724 /* The "set" modifier is different in that its argument is "name=value"
725 rather than just a value, and we can check the validity of the name, which
726 gives us a variable number to insert into the data block. */
730 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
731 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
733 *error = string_sprintf("unrecognized name after \"set\" in ACL "
734 "modifier \"set %s\"", s);
738 cond->u.varnumber = s[5] - '0';
739 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
741 while (isspace(*s)) s++;
744 /* For "set", we are now positioned for the data. For the others, only
745 "endpass" has no data */
747 if (c != ACLC_ENDPASS)
751 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
752 cond_modifiers[c]? US"modifier" : US"condition");
755 while (isspace(*s)) s++;
756 cond->arg = string_copy(s);
765 /*************************************************
767 *************************************************/
769 /* This function is called when a WARN verb's conditions are true. It adds to
770 the message's headers, and/or writes information to the log. In each case, this
771 only happens once (per message for headers, per connection for log).
774 where ACL_WHERE_xxxx indicating which ACL this is
775 user_message message for adding to headers
776 log_message message for logging, if different
782 acl_warn(int where, uschar *user_message, uschar *log_message)
786 if (log_message != NULL && log_message != user_message)
791 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
792 string_printing(log_message));
794 /* If a sender verification has failed, and the log message is "sender verify
795 failed", add the failure message. */
797 if (sender_verified_failed != NULL &&
798 sender_verified_failed->message != NULL &&
799 strcmpic(log_message, US"sender verify failed") == 0)
800 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
802 /* Search previously logged warnings. They are kept in malloc store so they
803 can be freed at the start of a new message. */
805 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
806 if (Ustrcmp(logged->text, text) == 0) break;
810 int length = Ustrlen(text) + 1;
811 log_write(0, LOG_MAIN, "%s", text);
812 logged = store_malloc(sizeof(string_item) + length);
813 logged->text = (uschar *)logged + sizeof(string_item);
814 memcpy(logged->text, text, length);
815 logged->next = acl_warn_logged;
816 acl_warn_logged = logged;
820 /* If there's no user message, we are done. */
822 if (user_message == NULL) return;
824 /* If this isn't a message ACL, we can't do anything with a user message.
827 if (where > ACL_WHERE_NOTSMTP)
829 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
830 "found in a non-message (%s) ACL: cannot specify header lines here: "
831 "message ignored", acl_wherenames[where]);
835 /* Treat the user message as a sequence of one or more header lines. */
837 hlen = Ustrlen(user_message);
840 uschar *text, *p, *q;
842 /* Add a final newline if not present */
844 text = ((user_message)[hlen-1] == '\n')? user_message :
845 string_sprintf("%s\n", user_message);
847 /* Loop for multiple header lines, taking care about continuations */
849 for (p = q = text; *p != 0; )
852 int newtype = htype_add_bot;
853 header_line **hptr = &acl_warn_headers;
855 /* Find next header line within the string */
859 q = Ustrchr(q, '\n');
860 if (*(++q) != ' ' && *q != '\t') break;
863 /* If the line starts with a colon, interpret the instruction for where to
864 add it. This temporarily sets up a new type. */
868 if (strncmpic(p, US":after_received:", 16) == 0)
870 newtype = htype_add_rec;
873 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
875 newtype = htype_add_rfc;
878 else if (strncmpic(p, US":at_start:", 10) == 0)
880 newtype = htype_add_top;
883 else if (strncmpic(p, US":at_end:", 8) == 0)
885 newtype = htype_add_bot;
888 while (*p == ' ' || *p == '\t') p++;
891 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
892 to the front of it. */
894 for (s = p; s < q - 1; s++)
896 if (*s == ':' || !isgraph(*s)) break;
899 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
902 /* See if this line has already been added */
904 while (*hptr != NULL)
906 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
907 hptr = &((*hptr)->next);
910 /* Add if not previously present */
914 header_line *h = store_get(sizeof(header_line));
923 /* Advance for next header line within the string */
932 /*************************************************
933 * Verify and check reverse DNS *
934 *************************************************/
936 /* Called from acl_verify() below. We look up the host name(s) of the client IP
937 address if this has not yet been done. The host_name_lookup() function checks
938 that one of these names resolves to an address list that contains the client IP
939 address, so we don't actually have to do the check here.
942 user_msgptr pointer for user message
943 log_msgptr pointer for log message
945 Returns: OK verification condition succeeded
946 FAIL verification failed
947 DEFER there was a problem verifying
951 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
955 user_msgptr = user_msgptr; /* stop compiler warning */
957 /* Previous success */
959 if (sender_host_name != NULL) return OK;
961 /* Previous failure */
963 if (host_lookup_failed)
965 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
969 /* Need to do a lookup */
972 debug_printf("looking up host name to force name/address consistency check\n");
974 if ((rc = host_name_lookup()) != OK)
976 *log_msgptr = (rc == DEFER)?
977 US"host lookup deferred for reverse lookup check"
979 string_sprintf("host lookup failed for reverse lookup check%s",
981 return rc; /* DEFER or FAIL */
984 host_build_sender_fullhost();
990 /*************************************************
991 * Handle verification (address & other) *
992 *************************************************/
994 /* This function implements the "verify" condition. It is called when
995 encountered in any ACL, because some tests are almost always permitted. Some
996 just don't make sense, and always fail (for example, an attempt to test a host
997 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1000 where where called from
1001 addr the recipient address that the ACL is handling, or NULL
1002 arg the argument of "verify"
1003 user_msgptr pointer for user message
1004 log_msgptr pointer for log message
1005 basic_errno where to put verify errno
1007 Returns: OK verification condition succeeded
1008 FAIL verification failed
1009 DEFER there was a problem verifying
1014 acl_verify(int where, address_item *addr, uschar *arg,
1015 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1019 int callout_overall = -1;
1020 int callout_connect = -1;
1021 int verify_options = 0;
1023 BOOL verify_header_sender = FALSE;
1024 BOOL defer_ok = FALSE;
1025 BOOL callout_defer_ok = FALSE;
1026 BOOL no_details = FALSE;
1027 address_item *sender_vaddr = NULL;
1028 uschar *verify_sender_address = NULL;
1029 uschar *pm_mailfrom = NULL;
1030 uschar *se_mailfrom = NULL;
1032 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1034 if (ss == NULL) goto BAD_VERIFY;
1036 /* Handle name/address consistency verification in a separate function. */
1038 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1040 if (sender_host_address == NULL) return OK;
1041 return acl_verify_reverse(user_msgptr, log_msgptr);
1044 /* TLS certificate verification is done at STARTTLS time; here we just
1045 test whether it was successful or not. (This is for optional verification; for
1046 mandatory verification, the connection doesn't last this long.) */
1048 if (strcmpic(ss, US"certificate") == 0)
1050 if (tls_certificate_verified) return OK;
1051 *user_msgptr = US"no verified certificate";
1055 /* We can test the result of optional HELO verification */
1057 if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
1059 /* Handle header verification options - permitted only after DATA or a non-SMTP
1062 if (strncmpic(ss, US"header_", 7) == 0)
1064 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1066 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1067 "(only possible in ACL for DATA)", acl_wherenames[where]);
1071 /* Check that all relevant header lines have the correct syntax. If there is
1072 a syntax error, we return details of the error to the sender if configured to
1073 send out full details. (But a "message" setting on the ACL can override, as
1076 if (strcmpic(ss+7, US"syntax") == 0)
1078 int rc = verify_check_headers(log_msgptr);
1079 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1080 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1084 /* Check that there is at least one verifiable sender address in the relevant
1085 header lines. This can be followed by callout and defer options, just like
1086 sender and recipient. */
1088 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
1090 /* Unknown verify argument starting with "header_" */
1092 else goto BAD_VERIFY;
1095 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1096 In the case of a sender, this can optionally be followed by an address to use
1097 in place of the actual sender (rare special-case requirement). */
1099 else if (strncmpic(ss, US"sender", 6) == 0)
1102 if (where > ACL_WHERE_NOTSMTP)
1104 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1105 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1106 acl_wherenames[where]);
1110 verify_sender_address = sender_address;
1113 while (isspace(*s)) s++;
1114 if (*s++ != '=') goto BAD_VERIFY;
1115 while (isspace(*s)) s++;
1116 verify_sender_address = string_copy(s);
1121 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1124 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1125 "(only possible for RCPT)", acl_wherenames[where]);
1130 /* Remaining items are optional */
1132 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1135 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1136 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1138 /* These two old options are left for backwards compatibility */
1140 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1142 callout_defer_ok = TRUE;
1143 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1146 else if (strcmpic(ss, US"check_postmaster") == 0)
1149 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1152 /* The callout option has a number of sub-options, comma separated */
1154 else if (strncmpic(ss, US"callout", 7) == 0)
1156 callout = CALLOUT_TIMEOUT_DEFAULT;
1160 while (isspace(*ss)) ss++;
1166 while (isspace(*ss)) ss++;
1168 /* This callout option handling code has become a mess as new options
1169 have been added in an ad hoc manner. It should be tidied up into some
1170 kind of table-driven thing. */
1172 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1175 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1176 else if (strcmpic(opt, US"no_cache") == 0)
1177 verify_options |= vopt_callout_no_cache;
1178 else if (strcmpic(opt, US"random") == 0)
1179 verify_options |= vopt_callout_random;
1180 else if (strcmpic(opt, US"use_sender") == 0)
1181 verify_options |= vopt_callout_recipsender;
1182 else if (strcmpic(opt, US"use_postmaster") == 0)
1183 verify_options |= vopt_callout_recippmaster;
1184 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1186 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1188 if (!verify_header_sender)
1190 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1191 "callout option only for verify=header_sender (detected in ACL "
1192 "condition \"%s\")", arg);
1196 while (isspace(*opt)) opt++;
1199 *log_msgptr = string_sprintf("'=' expected after "
1200 "\"mailfrom\" in ACL condition \"%s\"", arg);
1203 while (isspace(*opt)) opt++;
1204 se_mailfrom = string_copy(opt);
1207 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1210 while (isspace(*opt)) opt++;
1213 *log_msgptr = string_sprintf("'=' expected after "
1214 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1217 while (isspace(*opt)) opt++;
1218 pm_mailfrom = string_copy(opt);
1221 else if (strncmpic(opt, US"maxwait", 7) == 0)
1224 while (isspace(*opt)) opt++;
1227 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1228 "ACL condition \"%s\"", arg);
1231 while (isspace(*opt)) opt++;
1232 callout_overall = readconf_readtime(opt, 0, FALSE);
1233 if (callout_overall < 0)
1235 *log_msgptr = string_sprintf("bad time value in ACL condition "
1236 "\"verify %s\"", arg);
1240 else if (strncmpic(opt, US"connect", 7) == 0)
1243 while (isspace(*opt)) opt++;
1246 *log_msgptr = string_sprintf("'=' expected after "
1247 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1250 while (isspace(*opt)) opt++;
1251 callout_connect = readconf_readtime(opt, 0, FALSE);
1252 if (callout_connect < 0)
1254 *log_msgptr = string_sprintf("bad time value in ACL condition "
1255 "\"verify %s\"", arg);
1259 else /* Plain time is callout connect/command timeout */
1261 callout = readconf_readtime(opt, 0, FALSE);
1264 *log_msgptr = string_sprintf("bad time value in ACL condition "
1265 "\"verify %s\"", arg);
1273 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1274 "ACL condition \"%s\"", arg);
1280 /* Option not recognized */
1284 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1285 "condition \"verify %s\"", ss, arg);
1290 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1291 (vopt_callout_recipsender|vopt_callout_recippmaster))
1293 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1294 "for a recipient callout";
1298 /* Handle sender-in-header verification. Default the user message to the log
1299 message if giving out verification details. */
1301 if (verify_header_sender)
1304 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1305 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1309 *basic_errno = verrno;
1310 if (smtp_return_error_details)
1312 if (*user_msgptr == NULL && *log_msgptr != NULL)
1313 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1314 if (rc == DEFER) acl_temp_details = TRUE;
1319 /* Handle a sender address. The default is to verify *the* sender address, but
1320 optionally a different address can be given, for special requirements. If the
1321 address is empty, we are dealing with a bounce message that has no sender, so
1322 we cannot do any checking. If the real sender address gets rewritten during
1323 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1324 during message reception.
1326 A list of verified "sender" addresses is kept to try to avoid doing to much
1327 work repetitively when there are multiple recipients in a message and they all
1328 require sender verification. However, when callouts are involved, it gets too
1329 complicated because different recipients may require different callout options.
1330 Therefore, we always do a full sender verify when any kind of callout is
1331 specified. Caching elsewhere, for instance in the DNS resolver and in the
1332 callout handling, should ensure that this is not terribly inefficient. */
1334 else if (verify_sender_address != NULL)
1336 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1339 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1340 "sender verify callout";
1344 sender_vaddr = verify_checked_sender(verify_sender_address);
1345 if (sender_vaddr != NULL && /* Previously checked */
1346 callout <= 0) /* No callout needed this time */
1348 /* If the "routed" flag is set, it means that routing worked before, so
1349 this check can give OK (the saved return code value, if set, belongs to a
1350 callout that was done previously). If the "routed" flag is not set, routing
1351 must have failed, so we use the saved return code. */
1353 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1355 rc = sender_vaddr->special_action;
1356 *basic_errno = sender_vaddr->basic_errno;
1358 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1361 /* Do a new verification, and cache the result. The cache is used to avoid
1362 verifying the sender multiple times for multiple RCPTs when callouts are not
1363 specified (see comments above).
1365 The cache is also used on failure to give details in response to the first
1366 RCPT that gets bounced for this reason. However, this can be suppressed by
1367 the no_details option, which sets the flag that says "this detail has already
1368 been sent". The cache normally contains just one address, but there may be
1369 more in esoteric circumstances. */
1374 uschar *save_address_data = deliver_address_data;
1376 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1377 if (no_details) setflag(sender_vaddr, af_sverify_told);
1378 if (verify_sender_address[0] != 0)
1380 /* If this is the real sender address, save the unrewritten version
1381 for use later in receive. Otherwise, set a flag so that rewriting the
1382 sender in verify_address() does not update sender_address. */
1384 if (verify_sender_address == sender_address)
1385 sender_address_unrewritten = sender_address;
1387 verify_options |= vopt_fake_sender;
1389 /* The recipient, qualify, and expn options are never set in
1392 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1393 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1395 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1399 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1401 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1402 verify_sender_address, sender_vaddr->address);
1406 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1407 verify_sender_address);
1410 else *basic_errno = sender_vaddr->basic_errno;
1412 else rc = OK; /* Null sender */
1414 /* Cache the result code */
1416 if (routed) setflag(sender_vaddr, af_verify_routed);
1417 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1418 sender_vaddr->special_action = rc;
1419 sender_vaddr->next = sender_verified_list;
1420 sender_verified_list = sender_vaddr;
1422 /* Restore the recipient address data, which might have been clobbered by
1423 the sender verification. */
1425 deliver_address_data = save_address_data;
1428 /* Put the sender address_data value into $sender_address_data */
1430 sender_address_data = sender_vaddr->p.address_data;
1433 /* A recipient address just gets a straightforward verify; again we must handle
1434 the DEFER overrides. */
1440 /* We must use a copy of the address for verification, because it might
1444 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1445 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1446 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1448 *log_msgptr = addr2.message;
1449 *user_msgptr = (addr2.user_message != NULL)?
1450 addr2.user_message : addr2.message;
1451 *basic_errno = addr2.basic_errno;
1453 /* Make $address_data visible */
1454 deliver_address_data = addr2.p.address_data;
1457 /* We have a result from the relevant test. Handle defer overrides first. */
1459 if (rc == DEFER && (defer_ok ||
1460 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1462 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1463 defer_ok? "defer_ok" : "callout_defer_ok");
1467 /* If we've failed a sender, set up a recipient message, and point
1468 sender_verified_failed to the address item that actually failed. */
1470 if (rc != OK && verify_sender_address != NULL)
1474 *log_msgptr = *user_msgptr = US"Sender verify failed";
1476 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1478 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1482 *log_msgptr = US"Could not complete sender verify callout";
1483 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1487 sender_verified_failed = sender_vaddr;
1490 /* Verifying an address messes up the values of $domain and $local_part,
1491 so reset them before returning if this is a RCPT ACL. */
1495 deliver_domain = addr->domain;
1496 deliver_localpart = addr->local_part;
1500 /* Syntax errors in the verify argument come here. */
1503 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1504 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1505 "\"verify %s\"", arg);
1512 /*************************************************
1513 * Check argument for control= modifier *
1514 *************************************************/
1516 /* Called from acl_check_condition() below
1519 arg the argument string for control=
1520 pptr set to point to the terminating character
1521 where which ACL we are in
1522 log_msgptr for error messages
1524 Returns: CONTROL_xxx value
1528 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1533 for (d = controls_list;
1534 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1537 len = Ustrlen(d->name);
1538 if (Ustrncmp(d->name, arg, len) == 0) break;
1541 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1542 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1544 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1545 return CONTROL_ERROR;
1554 /*************************************************
1555 * Handle conditions/modifiers on an ACL item *
1556 *************************************************/
1558 /* Called from acl_check() below.
1562 cb ACL condition block - if NULL, result is OK
1563 where where called from
1564 addr the address being checked for RCPT, or NULL
1565 level the nesting level
1566 epp pointer to pass back TRUE if "endpass" encountered
1567 (applies only to "accept" and "discard")
1568 user_msgptr user message pointer
1569 log_msgptr log message pointer
1570 basic_errno pointer to where to put verify error
1572 Returns: OK - all conditions are met
1573 DISCARD - an "acl" condition returned DISCARD - only allowed
1574 for "accept" or "discard" verbs
1575 FAIL - at least one condition fails
1576 FAIL_DROP - an "acl" condition returned FAIL_DROP
1577 DEFER - can't tell at the moment (typically, lookup defer,
1578 but can be temporary callout problem)
1579 ERROR - ERROR from nested ACL or expansion failure or other
1584 acl_check_condition(int verb, acl_condition_block *cb, int where,
1585 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1586 uschar **log_msgptr, int *basic_errno)
1588 uschar *user_message = NULL;
1589 uschar *log_message = NULL;
1592 #ifdef WITH_CONTENT_SCAN
1596 for (; cb != NULL; cb = cb->next)
1601 /* The message and log_message items set up messages to be used in
1602 case of rejection. They are expanded later. */
1604 if (cb->type == ACLC_MESSAGE)
1606 user_message = cb->arg;
1610 if (cb->type == ACLC_LOG_MESSAGE)
1612 log_message = cb->arg;
1616 /* The endpass "condition" just sets a flag to show it occurred. This is
1617 checked at compile time to be on an "accept" or "discard" item. */
1619 if (cb->type == ACLC_ENDPASS)
1625 /* For other conditions and modifiers, the argument is expanded now for some
1626 of them, but not for all, because expansion happens down in some lower level
1627 checking functions in some cases. */
1629 if (cond_expand_at_top[cb->type])
1631 arg = expand_string(cb->arg);
1634 if (expand_string_forcedfail) continue;
1635 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1636 cb->arg, expand_string_message);
1637 return search_find_defer? DEFER : ERROR;
1642 /* Show condition, and expanded condition if it's different */
1647 debug_printf("check %s%s %n",
1648 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1649 conditions[cb->type], &lhswidth);
1651 if (cb->type == ACLC_SET)
1653 int n = cb->u.varnumber;
1654 int t = (n < ACL_C_MAX)? 'c' : 'm';
1655 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1656 debug_printf("acl_%c%d ", t, n);
1660 debug_printf("= %s\n", cb->arg);
1663 debug_printf("%.*s= %s\n", lhswidth,
1667 /* Check that this condition makes sense at this time */
1669 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1671 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1672 cond_modifiers[cb->type]? "use" : "test",
1673 conditions[cb->type], acl_wherenames[where]);
1677 /* Run the appropriate test for each condition, or take the appropriate
1678 action for the remaining modifiers. */
1682 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1686 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1687 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1689 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1690 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1696 case ACLC_AUTHENTICATED:
1697 rc = (sender_host_authenticated == NULL)? FAIL :
1698 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1702 #ifdef EXPERIMENTAL_BRIGHTMAIL
1703 case ACLC_BMI_OPTIN:
1705 int old_pool = store_pool;
1706 store_pool = POOL_PERM;
1707 bmi_current_optin = string_copy(arg);
1708 store_pool = old_pool;
1713 case ACLC_CONDITION:
1714 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1715 rc = (Uatoi(arg) == 0)? FAIL : OK;
1717 rc = (strcmpic(arg, US"no") == 0 ||
1718 strcmpic(arg, US"false") == 0)? FAIL :
1719 (strcmpic(arg, US"yes") == 0 ||
1720 strcmpic(arg, US"true") == 0)? OK : DEFER;
1722 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1726 control_type = decode_control(arg, &p, where, log_msgptr);
1728 /* Check if this control makes sense at this time */
1730 if ((control_forbids[control_type] & (1 << where)) != 0)
1732 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1733 controls[control_type], acl_wherenames[where]);
1737 switch(control_type)
1739 #ifdef EXPERIMENTAL_BRIGHTMAIL
1740 case CONTROL_BMI_RUN:
1744 #ifdef EXPERIMENTAL_DOMAINKEYS
1745 case CONTROL_DK_VERIFY:
1752 case CONTROL_CASEFUL_LOCAL_PART:
1753 deliver_localpart = addr->cc_local_part;
1756 case CONTROL_CASELOWER_LOCAL_PART:
1757 deliver_localpart = addr->lc_local_part;
1760 case CONTROL_ENFORCE_SYNC:
1761 smtp_enforce_sync = TRUE;
1764 case CONTROL_NO_ENFORCE_SYNC:
1765 smtp_enforce_sync = FALSE;
1768 #ifdef WITH_CONTENT_SCAN
1769 case CONTROL_NO_MBOX_UNSPOOL:
1770 no_mbox_unspool = TRUE;
1774 case CONTROL_NO_MULTILINE:
1775 no_multiline_responses = TRUE;
1778 case CONTROL_FAKEREJECT:
1783 while (*pp != 0) pp++;
1784 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1789 /* Explicitly reset to default string */
1790 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
1794 case CONTROL_FREEZE:
1795 deliver_freeze = TRUE;
1796 deliver_frozen_at = time(NULL);
1799 case CONTROL_QUEUE_ONLY:
1800 queue_only_policy = TRUE;
1803 case CONTROL_SUBMISSION:
1804 submission_mode = TRUE;
1807 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1810 active_local_sender_retain = TRUE;
1811 active_local_from_check = FALSE;
1813 else if (Ustrncmp(p, "/domain=", 8) == 0)
1816 while (*pp != 0 && *pp != '/') pp++;
1817 submission_domain = string_copyn(p+8, pp-p);
1824 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1831 #ifdef WITH_CONTENT_SCAN
1833 rc = mime_decode(&arg);
1839 int delay = readconf_readtime(arg, 0, FALSE);
1842 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1843 "modifier: \"%s\" is not a time value", arg);
1848 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1853 debug_printf("delay skipped in -bh checking mode\n");
1857 while (delay > 0) delay = sleep(delay);
1863 #ifdef WITH_OLD_DEMIME
1869 #ifdef EXPERIMENTAL_DOMAINKEYS
1870 case ACLC_DK_DOMAIN_SOURCE:
1871 if (dk_verify_block == NULL) { rc = FAIL; break; };
1872 /* check header source of domain against given string */
1873 switch (dk_verify_block->address_source) {
1874 case DK_EXIM_ADDRESS_FROM_FROM:
1875 rc = match_isinlist(US"from", &arg, 0, NULL,
1876 NULL, MCL_STRING, TRUE, NULL);
1878 case DK_EXIM_ADDRESS_FROM_SENDER:
1879 rc = match_isinlist(US"sender", &arg, 0, NULL,
1880 NULL, MCL_STRING, TRUE, NULL);
1882 case DK_EXIM_ADDRESS_NONE:
1883 rc = match_isinlist(US"none", &arg, 0, NULL,
1884 NULL, MCL_STRING, TRUE, NULL);
1888 case ACLC_DK_POLICY:
1889 if (dk_verify_block == NULL) { rc = FAIL; break; };
1890 /* check policy against given string, default FAIL */
1892 if (dk_verify_block->signsall)
1893 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1894 NULL, MCL_STRING, TRUE, NULL);
1895 if (dk_verify_block->testing)
1896 rc = match_isinlist(US"testing", &arg, 0, NULL,
1897 NULL, MCL_STRING, TRUE, NULL);
1899 case ACLC_DK_SENDER_DOMAINS:
1900 if (dk_verify_block == NULL) { rc = FAIL; break; };
1901 if (dk_verify_block->domain != NULL)
1902 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1903 NULL, MCL_DOMAIN, TRUE, NULL);
1906 case ACLC_DK_SENDER_LOCAL_PARTS:
1907 if (dk_verify_block == NULL) { rc = FAIL; break; };
1908 if (dk_verify_block->local_part != NULL)
1909 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1910 NULL, MCL_LOCALPART, TRUE, NULL);
1913 case ACLC_DK_SENDERS:
1914 if (dk_verify_block == NULL) { rc = FAIL; break; };
1915 if (dk_verify_block->address != NULL)
1916 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1919 case ACLC_DK_STATUS:
1920 if (dk_verify_block == NULL) { rc = FAIL; break; };
1921 if (dk_verify_block->result > 0) {
1922 switch(dk_verify_block->result) {
1923 case DK_EXIM_RESULT_BAD_FORMAT:
1924 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1925 NULL, MCL_STRING, TRUE, NULL);
1927 case DK_EXIM_RESULT_NO_KEY:
1928 rc = match_isinlist(US"no key", &arg, 0, NULL,
1929 NULL, MCL_STRING, TRUE, NULL);
1931 case DK_EXIM_RESULT_NO_SIGNATURE:
1932 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1933 NULL, MCL_STRING, TRUE, NULL);
1935 case DK_EXIM_RESULT_REVOKED:
1936 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1937 NULL, MCL_STRING, TRUE, NULL);
1939 case DK_EXIM_RESULT_NON_PARTICIPANT:
1940 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1941 NULL, MCL_STRING, TRUE, NULL);
1943 case DK_EXIM_RESULT_GOOD:
1944 rc = match_isinlist(US"good", &arg, 0, NULL,
1945 NULL, MCL_STRING, TRUE, NULL);
1947 case DK_EXIM_RESULT_BAD:
1948 rc = match_isinlist(US"bad", &arg, 0, NULL,
1949 NULL, MCL_STRING, TRUE, NULL);
1957 rc = verify_check_dnsbl(&arg);
1961 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1962 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1965 /* The value in tls_cipher is the full cipher name, for example,
1966 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1967 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1968 what may in practice come out of the SSL library - which at the time of
1969 writing is poorly documented. */
1971 case ACLC_ENCRYPTED:
1972 if (tls_cipher == NULL) rc = FAIL; else
1974 uschar *endcipher = NULL;
1975 uschar *cipher = Ustrchr(tls_cipher, ':');
1976 if (cipher == NULL) cipher = tls_cipher; else
1978 endcipher = Ustrchr(++cipher, ':');
1979 if (endcipher != NULL) *endcipher = 0;
1981 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1982 if (endcipher != NULL) *endcipher = ':';
1986 /* Use verify_check_this_host() instead of verify_check_host() so that
1987 we can pass over &host_data to catch any looked up data. Once it has been
1988 set, it retains its value so that it's still there if another ACL verb
1989 comes through here and uses the cache. However, we must put it into
1990 permanent store in case it is also expected to be used in a subsequent
1991 message in the same SMTP connection. */
1994 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1995 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1996 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1999 case ACLC_LOCAL_PARTS:
2000 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2001 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2002 &deliver_localpart_data);
2014 if (Ustrncmp(s, "main", 4) == 0)
2015 { logbits |= LOG_MAIN; s += 4; }
2016 else if (Ustrncmp(s, "panic", 5) == 0)
2017 { logbits |= LOG_PANIC; s += 5; }
2018 else if (Ustrncmp(s, "reject", 6) == 0)
2019 { logbits |= LOG_REJECT; s += 6; }
2022 logbits = LOG_MAIN|LOG_PANIC;
2023 s = string_sprintf(":unknown log name in \"%s\" in "
2024 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2030 while (isspace(*s)) s++;
2031 if (logbits == 0) logbits = LOG_MAIN;
2032 log_write(0, logbits, "%s", string_printing(s));
2036 #ifdef WITH_CONTENT_SCAN
2039 /* Seperate the regular expression and any optional parameters. */
2040 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2041 /* Run the malware backend. */
2043 /* Modify return code based upon the existance of options. */
2044 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2046 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2048 /* FAIL so that the message is passed to the next ACL */
2055 case ACLC_MIME_REGEX:
2056 rc = mime_regex(&arg);
2060 case ACLC_RECIPIENTS:
2061 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2065 #ifdef WITH_CONTENT_SCAN
2071 case ACLC_SENDER_DOMAINS:
2074 sdomain = Ustrrchr(sender_address, '@');
2075 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2076 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2077 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2082 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2083 sender_address_cache, -1, 0, &sender_data);
2086 /* Connection variables must persist forever */
2090 int old_pool = store_pool;
2091 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2092 acl_var[cb->u.varnumber] = string_copy(arg);
2093 store_pool = old_pool;
2097 #ifdef WITH_CONTENT_SCAN
2100 /* Seperate the regular expression and any optional parameters. */
2101 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2102 /* Run the spam backend. */
2104 /* Modify return code based upon the existance of options. */
2105 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2107 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2109 /* FAIL so that the message is passed to the next ACL */
2117 #ifdef EXPERIMENTAL_SPF
2119 rc = spf_process(&arg, sender_address);
2123 /* If the verb is WARN, discard any user message from verification, because
2124 such messages are SMTP responses, not header additions. The latter come
2125 only from explicit "message" modifiers. */
2128 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2129 if (verb == ACL_WARN) *user_msgptr = NULL;
2133 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2134 "condition %d", cb->type);
2138 /* If a condition was negated, invert OK/FAIL. */
2140 if (!cond_modifiers[cb->type] && cb->u.negated)
2142 if (rc == OK) rc = FAIL;
2143 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2146 if (rc != OK) break; /* Conditions loop */
2150 /* If the result is the one for which "message" and/or "log_message" are used,
2151 handle the values of these options. Most verbs have but a single return for
2152 which the messages are relevant, but for "discard", it's useful to have the log
2153 message both when it succeeds and when it fails. Also, for an "accept" that
2154 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2155 and "warn" are permitted in that ACL, we don't need to test the verb.
2157 These modifiers act in different ways:
2159 "message" is a user message that will be included in an SMTP response. Unless
2160 it is empty, it overrides any previously set user message.
2162 "log_message" is a non-user message, and it adds to any existing non-user
2163 message that is already set.
2165 If there isn't a log message set, we make it the same as the user message. */
2167 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2168 (verb == ACL_DISCARD && rc == OK) ||
2169 (where == ACL_WHERE_QUIT))
2173 /* If the verb is "warn", messages generated by conditions (verification or
2174 nested ACLs) are discarded. Only messages specified at this level are used.
2175 However, the value of an existing message is available in $acl_verify_message
2176 during expansions. */
2178 uschar *old_user_msgptr = *user_msgptr;
2179 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2181 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2183 if (user_message != NULL)
2185 acl_verify_message = old_user_msgptr;
2186 expmessage = expand_string(user_message);
2187 if (expmessage == NULL)
2189 if (!expand_string_forcedfail)
2190 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2191 user_message, expand_string_message);
2193 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2196 if (log_message != NULL)
2198 acl_verify_message = old_log_msgptr;
2199 expmessage = expand_string(log_message);
2200 if (expmessage == NULL)
2202 if (!expand_string_forcedfail)
2203 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2204 log_message, expand_string_message);
2206 else if (expmessage[0] != 0)
2208 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2209 string_sprintf("%s: %s", expmessage, *log_msgptr);
2213 /* If no log message, default it to the user message */
2215 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2218 acl_verify_message = NULL;
2226 /*************************************************
2227 * Get line from a literal ACL *
2228 *************************************************/
2230 /* This function is passed to acl_read() in order to extract individual lines
2231 of a literal ACL, which we access via static pointers. We can destroy the
2232 contents because this is called only once (the compiled ACL is remembered).
2234 This code is intended to treat the data in the same way as lines in the main
2235 Exim configuration file. That is:
2237 . Leading spaces are ignored.
2239 . A \ at the end of a line is a continuation - trailing spaces after the \
2240 are permitted (this is because I don't believe in making invisible things
2241 significant). Leading spaces on the continued part of a line are ignored.
2243 . Physical lines starting (significantly) with # are totally ignored, and
2244 may appear within a sequence of backslash-continued lines.
2246 . Blank lines are ignored, but will end a sequence of continuations.
2249 Returns: a pointer to the next line
2253 static uschar *acl_text; /* Current pointer in the text */
2254 static uschar *acl_text_end; /* Points one past the terminating '0' */
2262 /* This loop handles leading blank lines and comments. */
2266 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2267 if (*acl_text == 0) return NULL; /* No more data */
2268 yield = acl_text; /* Potential data line */
2270 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2272 /* If we hit the end before a newline, we have the whole logical line. If
2273 it's a comment, there's no more data to be given. Otherwise, yield it. */
2275 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2277 /* After reaching a newline, end this loop if the physical line does not
2278 start with '#'. If it does, it's a comment, and the loop continues. */
2280 if (*yield != '#') break;
2283 /* This loop handles continuations. We know we have some real data, ending in
2284 newline. See if there is a continuation marker at the end (ignoring trailing
2285 white space). We know that *yield is not white space, so no need to test for
2286 cont > yield in the backwards scanning loop. */
2291 for (cont = acl_text - 1; isspace(*cont); cont--);
2293 /* If no continuation follows, we are done. Mark the end of the line and
2302 /* We have encountered a continuation. Skip over whitespace at the start of
2303 the next line, and indeed the whole of the next line or lines if they are
2308 while (*(++acl_text) == ' ' || *acl_text == '\t');
2309 if (*acl_text != '#') break;
2310 while (*(++acl_text) != 0 && *acl_text != '\n');
2313 /* We have the start of a continuation line. Move all the rest of the data
2314 to join onto the previous line, and then find its end. If the end is not a
2315 newline, we are done. Otherwise loop to look for another continuation. */
2317 memmove(cont, acl_text, acl_text_end - acl_text);
2318 acl_text_end -= acl_text - cont;
2320 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2321 if (*acl_text == 0) return yield;
2324 /* Control does not reach here */
2331 /*************************************************
2332 * Check access using an ACL *
2333 *************************************************/
2335 /* This function is called from address_check. It may recurse via
2336 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2337 passed as a string which is expanded. A forced failure implies no access check
2338 is required. If the result is a single word, it is taken as the name of an ACL
2339 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2340 text, complete with newlines, and parsed as such. In both cases, the ACL check
2341 is then run. This function uses an auxiliary function for acl_read() to call
2342 for reading individual lines of a literal ACL. This is acl_getline(), which
2343 appears immediately above.
2346 where where called from
2347 addr address item when called from RCPT; otherwise NULL
2348 s the input string; NULL is the same as an empty ACL => DENY
2349 level the nesting level
2350 user_msgptr where to put a user error (for SMTP response)
2351 log_msgptr where to put a logging message (not for SMTP response)
2353 Returns: OK access is granted
2354 DISCARD access is apparently granted...
2355 FAIL access is denied
2356 FAIL_DROP access is denied; drop the connection
2357 DEFER can't tell at the moment
2362 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2363 uschar **user_msgptr, uschar **log_msgptr)
2366 acl_block *acl = NULL;
2367 uschar *acl_name = US"inline ACL";
2370 /* Catch configuration loops */
2374 *log_msgptr = US"ACL nested too deep: possible loop";
2380 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2384 /* At top level, we expand the incoming string. At lower levels, it has already
2385 been expanded as part of condition processing. */
2389 ss = expand_string(s);
2392 if (expand_string_forcedfail) return OK;
2393 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2394 expand_string_message);
2400 while (isspace(*ss))ss++;
2402 /* If we can't find a named ACL, the default is to parse it as an inline one.
2403 (Unless it begins with a slash; non-existent files give rise to an error.) */
2407 /* Handle the case of a string that does not contain any spaces. Look for a
2408 named ACL among those read from the configuration, or a previously read file.
2409 It is possible that the pointer to the ACL is NULL if the configuration
2410 contains a name with no data. If not found, and the text begins with '/',
2411 read an ACL from a file, and save it so it can be re-used. */
2413 if (Ustrchr(ss, ' ') == NULL)
2415 tree_node *t = tree_search(acl_anchor, ss);
2418 acl = (acl_block *)(t->data.ptr);
2421 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2424 acl_name = string_sprintf("ACL \"%s\"", ss);
2425 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2428 else if (*ss == '/')
2430 struct stat statbuf;
2431 fd = Uopen(ss, O_RDONLY, 0);
2434 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2439 if (fstat(fd, &statbuf) != 0)
2441 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2446 acl_text = store_get(statbuf.st_size + 1);
2447 acl_text_end = acl_text + statbuf.st_size + 1;
2449 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2451 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2452 ss, strerror(errno));
2455 acl_text[statbuf.st_size] = 0;
2458 acl_name = string_sprintf("ACL \"%s\"", ss);
2459 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2463 /* Parse an ACL that is still in text form. If it came from a file, remember it
2464 in the ACL tree, having read it into the POOL_PERM store pool so that it
2465 persists between multiple messages. */
2469 int old_pool = store_pool;
2470 if (fd >= 0) store_pool = POOL_PERM;
2471 acl = acl_read(acl_getline, log_msgptr);
2472 store_pool = old_pool;
2473 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2476 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2477 Ustrcpy(t->name, ss);
2479 (void)tree_insertnode(&acl_anchor, t);
2483 /* Now we have an ACL to use. It's possible it may be NULL. */
2488 int basic_errno = 0;
2489 BOOL endpass_seen = FALSE;
2491 *log_msgptr = *user_msgptr = NULL;
2492 acl_temp_details = FALSE;
2494 if (where == ACL_WHERE_QUIT &&
2495 acl->verb != ACL_ACCEPT &&
2496 acl->verb != ACL_WARN)
2498 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2503 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2505 /* Clear out any search error message from a previous check before testing
2508 search_error_message = NULL;
2509 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2510 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2512 /* Handle special returns: DEFER causes a return except on a WARN verb;
2513 ERROR always causes a return. */
2518 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2519 if (basic_errno != ERRNO_CALLOUTDEFER)
2521 if (search_error_message != NULL && *search_error_message != 0)
2522 *log_msgptr = search_error_message;
2523 if (smtp_return_error_details) acl_temp_details = TRUE;
2527 acl_temp_details = TRUE;
2529 if (acl->verb != ACL_WARN) return DEFER;
2532 default: /* Paranoia */
2534 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2538 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2543 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2546 /* DISCARD and DROP can happen only from a nested ACL condition, and
2547 DISCARD can happen only for an "accept" or "discard" verb. */
2550 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2555 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2560 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2561 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2562 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2567 if (cond == OK || cond == DISCARD) return cond;
2570 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2578 acl_temp_details = TRUE;
2584 if (cond == OK) return FAIL;
2588 if (cond == OK || cond == DISCARD) return DISCARD;
2591 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2597 if (cond == OK) return FAIL_DROP;
2601 if (cond != OK) return cond;
2606 acl_warn(where, *user_msgptr, *log_msgptr);
2607 else if (cond == DEFER)
2608 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2609 "condition test deferred: %s",
2610 (*log_msgptr == NULL)? US"" : *log_msgptr));
2611 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2615 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2620 /* Pass to the next ACL item */
2625 /* We have reached the end of the ACL. This is an implicit DENY. */
2627 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2632 /*************************************************
2633 * Check access using an ACL *
2634 *************************************************/
2636 /* This is the external interface for ACL checks. It sets up an address and the
2637 expansions for $domain and $local_part when called after RCPT, then calls
2638 acl_check_internal() to do the actual work.
2641 where ACL_WHERE_xxxx indicating where called from
2642 data_string RCPT address, or SMTP command argument, or NULL
2643 s the input string; NULL is the same as an empty ACL => DENY
2644 user_msgptr where to put a user error (for SMTP response)
2645 log_msgptr where to put a logging message (not for SMTP response)
2647 Returns: OK access is granted by an ACCEPT verb
2648 DISCARD access is granted by a DISCARD verb
2649 FAIL access is denied
2650 FAIL_DROP access is denied; drop the connection
2651 DEFER can't tell at the moment
2656 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2657 uschar **log_msgptr)
2663 *user_msgptr = *log_msgptr = NULL;
2664 sender_verified_failed = NULL;
2666 if (where == ACL_WHERE_RCPT)
2668 adb = address_defaults;
2670 addr->address = data_string;
2671 if (deliver_split_address(addr) == DEFER)
2673 *log_msgptr = US"defer in percent_hack_domains check";
2676 deliver_domain = addr->domain;
2677 deliver_localpart = addr->local_part;
2682 smtp_command_argument = data_string;
2685 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2687 smtp_command_argument = deliver_domain =
2688 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2690 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2691 ACL, which is really in the middle of an SMTP command. */
2695 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2697 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2698 "ACL", acl_wherenames[where]);
2704 /* A DROP response is not permitted from MAILAUTH */
2706 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2708 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2709 "ACL", acl_wherenames[where]);
2713 /* Before giving an error response, take a look at the length of any user
2714 message, and split it up into multiple lines if possible. */
2716 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2718 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2724 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2725 if (*ss == 0) break;
2732 while (--t > s + 35)
2736 if (t[-1] == ':') { tt = t; break; }
2737 if (tt == NULL) tt = t;
2741 if (tt == NULL) /* Can't split behind - try ahead */
2746 if (*t == ' ' || *t == '\n')
2752 if (tt == NULL) break; /* Can't find anywhere to split */