1 /* $Cambridge: exim/src/src/acl.c,v 1.82.2.1 2009/02/24 15:57:55 tom Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2007 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the conditions for which "message" or "log_message" are used
31 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
32 "accept", the FAIL case is used only after "endpass", but that is selected in
35 static int msgcond[] = {
36 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
41 (1<<FAIL) | (1<<FAIL_DROP), /* require */
45 /* ACL condition and modifier codes - keep in step with the table that
46 follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
52 #ifdef EXPERIMENTAL_BRIGHTMAIL
58 #ifdef EXPERIMENTAL_DCC
61 #ifdef WITH_CONTENT_SCAN
65 #ifdef WITH_OLD_DEMIME
75 ACLC_LOG_REJECT_TARGET,
77 #ifdef WITH_CONTENT_SCAN
81 #ifdef WITH_CONTENT_SCAN
86 #ifdef WITH_CONTENT_SCAN
92 #ifdef WITH_CONTENT_SCAN
95 #ifdef EXPERIMENTAL_SPF
101 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
102 "message", "log_message", "log_reject_target", "logwrite", and "set" are
103 modifiers that look like conditions but always return TRUE. They are used for
104 their side effects. */
106 static uschar *conditions[] = {
110 #ifdef EXPERIMENTAL_BRIGHTMAIL
116 #ifdef EXPERIMENTAL_DCC
119 #ifdef WITH_CONTENT_SCAN
123 #ifdef WITH_OLD_DEMIME
133 US"log_reject_target",
135 #ifdef WITH_CONTENT_SCAN
139 #ifdef WITH_CONTENT_SCAN
144 #ifdef WITH_CONTENT_SCAN
147 US"sender_domains", US"senders", US"set",
148 #ifdef WITH_CONTENT_SCAN
151 #ifdef EXPERIMENTAL_SPF
158 /* Return values from decode_control(); keep in step with the table of names
162 CONTROL_AUTH_UNADVERTISED,
163 #ifdef EXPERIMENTAL_BRIGHTMAIL
170 CONTROL_CASEFUL_LOCAL_PART,
171 CONTROL_CASELOWER_LOCAL_PART,
172 CONTROL_ENFORCE_SYNC,
173 CONTROL_NO_ENFORCE_SYNC,
177 CONTROL_SUPPRESS_LOCAL_FIXUPS,
178 #ifdef WITH_CONTENT_SCAN
179 CONTROL_NO_MBOX_UNSPOOL,
183 CONTROL_NO_MULTILINE,
184 CONTROL_NO_PIPELINING,
185 CONTROL_NO_DELAY_FLUSH,
186 CONTROL_NO_CALLOUT_FLUSH
189 /* ACL control names; keep in step with the table above! This list is used for
190 turning ids into names. The actual list of recognized names is in the variable
191 control_def controls_list[] below. The fact that there are two lists is a mess
192 and should be tidied up. */
194 static uschar *controls[] = {
195 US"allow_auth_unadvertised",
196 #ifdef EXPERIMENTAL_BRIGHTMAIL
203 US"caseful_local_part",
204 US"caselower_local_part",
210 US"suppress_local_fixups",
211 #ifdef WITH_CONTENT_SCAN
216 US"no_multiline_responses",
222 /* Flags to indicate for which conditions/modifiers a string expansion is done
223 at the outer level. In the other cases, expansion already occurs in the
224 checking functions. */
226 static uschar cond_expand_at_top[] = {
228 TRUE, /* add_header */
229 FALSE, /* authenticated */
230 #ifdef EXPERIMENTAL_BRIGHTMAIL
231 TRUE, /* bmi_optin */
233 TRUE, /* condition */
236 #ifdef EXPERIMENTAL_DCC
239 #ifdef WITH_CONTENT_SCAN
243 #ifdef WITH_OLD_DEMIME
248 FALSE, /* encrypted */
251 FALSE, /* local_parts */
252 TRUE, /* log_message */
253 TRUE, /* log_reject_target */
255 #ifdef WITH_CONTENT_SCAN
259 #ifdef WITH_CONTENT_SCAN
260 TRUE, /* mime_regex */
262 TRUE, /* ratelimit */
263 FALSE, /* recipients */
264 #ifdef WITH_CONTENT_SCAN
267 FALSE, /* sender_domains */
270 #ifdef WITH_CONTENT_SCAN
273 #ifdef EXPERIMENTAL_SPF
275 TRUE, /* spf_guess */
280 /* Flags to identify the modifiers */
282 static uschar cond_modifiers[] = {
284 TRUE, /* add_header */
285 FALSE, /* authenticated */
286 #ifdef EXPERIMENTAL_BRIGHTMAIL
287 TRUE, /* bmi_optin */
289 FALSE, /* condition */
292 #ifdef EXPERIMENTAL_DCC
295 #ifdef WITH_CONTENT_SCAN
299 #ifdef WITH_OLD_DEMIME
302 FALSE, /* dnslists */
304 FALSE, /* encrypted */
307 FALSE, /* local_parts */
308 TRUE, /* log_message */
309 TRUE, /* log_reject_target */
311 #ifdef WITH_CONTENT_SCAN
315 #ifdef WITH_CONTENT_SCAN
316 FALSE, /* mime_regex */
318 FALSE, /* ratelimit */
319 FALSE, /* recipients */
320 #ifdef WITH_CONTENT_SCAN
323 FALSE, /* sender_domains */
326 #ifdef WITH_CONTENT_SCAN
329 #ifdef EXPERIMENTAL_SPF
331 FALSE, /* spf_guess */
336 /* Bit map vector of which conditions and modifiers are not allowed at certain
337 times. For each condition and modifier, there's a bitmap of dis-allowed times.
338 For some, it is easier to specify the negation of a small number of allowed
341 static unsigned int cond_forbids[] = {
345 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
346 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
347 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
348 (1<<ACL_WHERE_NOTSMTP_START)),
350 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
351 (1<<ACL_WHERE_NOTSMTP_START)|
352 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
354 #ifdef EXPERIMENTAL_BRIGHTMAIL
355 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
356 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
357 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
358 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
359 (1<<ACL_WHERE_MAILAUTH)|
360 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
361 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
362 (1<<ACL_WHERE_NOTSMTP_START),
369 /* Certain types of control are always allowed, so we let it through
370 always and check in the control processing itself. */
374 #ifdef EXPERIMENTAL_DCC
376 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* dcc */
379 #ifdef WITH_CONTENT_SCAN
381 ~(1<<ACL_WHERE_MIME), /* decode */
384 (1<<ACL_WHERE_NOTQUIT), /* delay */
386 #ifdef WITH_OLD_DEMIME
388 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
391 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
392 (1<<ACL_WHERE_NOTSMTP_START),
395 ~(1<<ACL_WHERE_RCPT), /* domains */
397 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
398 (1<<ACL_WHERE_CONNECT)|
399 (1<<ACL_WHERE_NOTSMTP_START)|
404 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
405 (1<<ACL_WHERE_NOTSMTP_START),
408 ~(1<<ACL_WHERE_RCPT), /* local_parts */
412 0, /* log_reject_target */
416 #ifdef WITH_CONTENT_SCAN
418 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
423 #ifdef WITH_CONTENT_SCAN
425 ~(1<<ACL_WHERE_MIME), /* mime_regex */
431 ~(1<<ACL_WHERE_RCPT), /* recipients */
433 #ifdef WITH_CONTENT_SCAN
435 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
436 (1<<ACL_WHERE_MIME)),
439 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
441 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
442 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
443 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
445 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
447 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
448 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
449 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
453 #ifdef WITH_CONTENT_SCAN
455 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
458 #ifdef EXPERIMENTAL_SPF
459 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
461 (1<<ACL_WHERE_MAILAUTH)|
462 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
463 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
464 (1<<ACL_WHERE_NOTSMTP)|
465 (1<<ACL_WHERE_NOTSMTP_START),
467 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
469 (1<<ACL_WHERE_MAILAUTH)|
470 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
471 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
472 (1<<ACL_WHERE_NOTSMTP)|
473 (1<<ACL_WHERE_NOTSMTP_START),
476 /* Certain types of verify are always allowed, so we let it through
477 always and check in the verify function itself */
483 /* Bit map vector of which controls are not allowed at certain times. For
484 each control, there's a bitmap of dis-allowed times. For some, it is easier to
485 specify the negation of a small number of allowed times. */
487 static unsigned int control_forbids[] = {
489 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
491 #ifdef EXPERIMENTAL_BRIGHTMAIL
496 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_verify */
497 (1<<ACL_WHERE_NOTSMTP_START),
503 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
506 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
508 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
509 (1<<ACL_WHERE_NOTSMTP_START),
511 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
512 (1<<ACL_WHERE_NOTSMTP_START),
515 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
516 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
517 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
520 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
521 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
522 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
525 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
526 (1<<ACL_WHERE_PREDATA)),
529 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
530 (1<<ACL_WHERE_PREDATA)|
531 (1<<ACL_WHERE_NOTSMTP_START)),
533 #ifdef WITH_CONTENT_SCAN
535 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
536 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
537 (1<<ACL_WHERE_MIME)),
541 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
542 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
543 (1<<ACL_WHERE_MIME)),
546 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
547 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
548 (1<<ACL_WHERE_MIME)),
550 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
551 (1<<ACL_WHERE_NOTSMTP_START),
553 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
554 (1<<ACL_WHERE_NOTSMTP_START),
556 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
557 (1<<ACL_WHERE_NOTSMTP_START),
559 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
560 (1<<ACL_WHERE_NOTSMTP_START)
563 /* Structure listing various control arguments, with their characteristics. */
565 typedef struct control_def {
567 int value; /* CONTROL_xxx value */
568 BOOL has_option; /* Has /option(s) following */
571 static control_def controls_list[] = {
572 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
573 #ifdef EXPERIMENTAL_BRIGHTMAIL
574 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
577 { US"dkim_verify", CONTROL_DKIM_VERIFY, FALSE },
579 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
580 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
581 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
582 { US"freeze", CONTROL_FREEZE, TRUE },
583 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
584 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
585 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
586 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
587 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
588 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
589 #ifdef WITH_CONTENT_SCAN
590 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
592 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
593 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
594 { US"submission", CONTROL_SUBMISSION, TRUE },
595 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
598 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
599 caches its result in a tree to avoid repeated DNS queries. The result is an
600 integer code which is used as an index into the following tables of
601 explanatory strings and verification return codes. */
603 static tree_node *csa_cache = NULL;
605 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
606 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
608 /* The acl_verify_csa() return code is translated into an acl_verify() return
609 code using the following table. It is OK unless the client is definitely not
610 authorized. This is because CSA is supposed to be optional for sending sites,
611 so recipients should not be too strict about checking it - especially because
612 DNS problems are quite likely to occur. It's possible to use $csa_status in
613 further ACL conditions to distinguish ok, unknown, and defer if required, but
614 the aim is to make the usual configuration simple. */
616 static int csa_return_code[] = {
618 FAIL, FAIL, FAIL, FAIL
621 static uschar *csa_status_string[] = {
622 US"unknown", US"ok", US"defer", US"defer",
623 US"fail", US"fail", US"fail", US"fail"
626 static uschar *csa_reason_string[] = {
629 US"deferred (SRV lookup failed)",
630 US"deferred (target address lookup failed)",
631 US"failed (explicit authorization required)",
632 US"failed (host name not authorized)",
633 US"failed (no authorized addresses)",
634 US"failed (client address mismatch)"
637 /* Enable recursion between acl_check_internal() and acl_check_condition() */
639 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
643 /*************************************************
644 * Pick out name from list *
645 *************************************************/
647 /* Use a binary chop method
654 Returns: offset in list, or -1 if not found
658 acl_checkname(uschar *name, uschar **list, int end)
664 int mid = (start + end)/2;
665 int c = Ustrcmp(name, list[mid]);
666 if (c == 0) return mid;
667 if (c < 0) end = mid; else start = mid + 1;
674 /*************************************************
675 * Read and parse one ACL *
676 *************************************************/
678 /* This function is called both from readconf in order to parse the ACLs in the
679 configuration file, and also when an ACL is encountered dynamically (e.g. as
680 the result of an expansion). It is given a function to call in order to
681 retrieve the lines of the ACL. This function handles skipping comments and
682 blank lines (where relevant).
685 func function to get next line of ACL
686 error where to put an error message
688 Returns: pointer to ACL, or NULL
689 NULL can be legal (empty ACL); in this case error will be NULL
693 acl_read(uschar *(*func)(void), uschar **error)
695 acl_block *yield = NULL;
696 acl_block **lastp = &yield;
697 acl_block *this = NULL;
698 acl_condition_block *cond;
699 acl_condition_block **condp = NULL;
704 while ((s = (*func)()) != NULL)
707 BOOL negated = FALSE;
708 uschar *saveline = s;
711 /* Conditions (but not verbs) are allowed to be negated by an initial
714 while (isspace(*s)) s++;
721 /* Read the name of a verb or a condition, or the start of a new ACL, which
722 can be started by a name, or by a macro definition. */
724 s = readconf_readname(name, sizeof(name), s);
725 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
727 /* If a verb is unrecognized, it may be another condition or modifier that
728 continues the previous verb. */
730 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
735 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
747 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
750 this = store_get(sizeof(acl_block));
752 lastp = &(this->next);
755 this->condition = NULL;
756 condp = &(this->condition);
757 if (*s == 0) continue; /* No condition on this line */
763 s = readconf_readname(name, sizeof(name), s); /* Condition name */
766 /* Handle a condition or modifier. */
768 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
771 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
776 /* The modifiers may not be negated */
778 if (negated && cond_modifiers[c])
780 *error = string_sprintf("ACL error: negation is not allowed with "
781 "\"%s\"", conditions[c]);
785 /* ENDPASS may occur only with ACCEPT or DISCARD. */
787 if (c == ACLC_ENDPASS &&
788 this->verb != ACL_ACCEPT &&
789 this->verb != ACL_DISCARD)
791 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
792 conditions[c], verbs[this->verb]);
796 cond = store_get(sizeof(acl_condition_block));
799 cond->u.negated = negated;
802 condp = &(cond->next);
804 /* The "set" modifier is different in that its argument is "name=value"
805 rather than just a value, and we can check the validity of the name, which
806 gives us a variable name to insert into the data block. The original ACL
807 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
808 extended to 20 of each type, but after that people successfully argued for
809 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
810 After that, we allow alphanumerics and underscores, but the first character
811 after c or m must be a digit or an underscore. This retains backwards
818 if (Ustrncmp(s, "acl_c", 5) != 0 &&
819 Ustrncmp(s, "acl_m", 5) != 0)
821 *error = string_sprintf("invalid variable name after \"set\" in ACL "
822 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
827 if (!isdigit(*endptr) && *endptr != '_')
829 *error = string_sprintf("invalid variable name after \"set\" in ACL "
830 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
835 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
837 if (!isalnum(*endptr) && *endptr != '_')
839 *error = string_sprintf("invalid character \"%c\" in variable name "
840 "in ACL modifier \"set %s\"", *endptr, s);
846 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
848 while (isspace(*s)) s++;
851 /* For "set", we are now positioned for the data. For the others, only
852 "endpass" has no data */
854 if (c != ACLC_ENDPASS)
858 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
859 cond_modifiers[c]? US"modifier" : US"condition");
862 while (isspace(*s)) s++;
863 cond->arg = string_copy(s);
872 /*************************************************
873 * Set up added header line(s) *
874 *************************************************/
876 /* This function is called by the add_header modifier, and also from acl_warn()
877 to implement the now-deprecated way of adding header lines using "message" on a
878 "warn" verb. The argument is treated as a sequence of header lines which are
879 added to a chain, provided there isn't an identical one already there.
881 Argument: string of header lines
886 setup_header(uschar *hstring)
889 int hlen = Ustrlen(hstring);
891 /* An empty string does nothing; otherwise add a final newline if necessary. */
893 if (hlen <= 0) return;
894 if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
896 /* Loop for multiple header lines, taking care about continuations */
898 for (p = q = hstring; *p != 0; )
901 int newtype = htype_add_bot;
902 header_line **hptr = &acl_added_headers;
904 /* Find next header line within the string */
908 q = Ustrchr(q, '\n');
909 if (*(++q) != ' ' && *q != '\t') break;
912 /* If the line starts with a colon, interpret the instruction for where to
913 add it. This temporarily sets up a new type. */
917 if (strncmpic(p, US":after_received:", 16) == 0)
919 newtype = htype_add_rec;
922 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
924 newtype = htype_add_rfc;
927 else if (strncmpic(p, US":at_start:", 10) == 0)
929 newtype = htype_add_top;
932 else if (strncmpic(p, US":at_end:", 8) == 0)
934 newtype = htype_add_bot;
937 while (*p == ' ' || *p == '\t') p++;
940 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
941 to the front of it. */
943 for (s = p; s < q - 1; s++)
945 if (*s == ':' || !isgraph(*s)) break;
948 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
951 /* See if this line has already been added */
953 while (*hptr != NULL)
955 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
956 hptr = &((*hptr)->next);
959 /* Add if not previously present */
963 header_line *h = store_get(sizeof(header_line));
972 /* Advance for next header line within the string */
981 /*************************************************
983 *************************************************/
985 /* This function is called when a WARN verb's conditions are true. It adds to
986 the message's headers, and/or writes information to the log. In each case, this
987 only happens once (per message for headers, per connection for log).
989 ** NOTE: The header adding action using the "message" setting is historic, and
990 its use is now deprecated. The new add_header modifier should be used instead.
993 where ACL_WHERE_xxxx indicating which ACL this is
994 user_message message for adding to headers
995 log_message message for logging, if different
1001 acl_warn(int where, uschar *user_message, uschar *log_message)
1003 if (log_message != NULL && log_message != user_message)
1006 string_item *logged;
1008 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1009 string_printing(log_message));
1011 /* If a sender verification has failed, and the log message is "sender verify
1012 failed", add the failure message. */
1014 if (sender_verified_failed != NULL &&
1015 sender_verified_failed->message != NULL &&
1016 strcmpic(log_message, US"sender verify failed") == 0)
1017 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1019 /* Search previously logged warnings. They are kept in malloc
1020 store so they can be freed at the start of a new message. */
1022 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1023 if (Ustrcmp(logged->text, text) == 0) break;
1027 int length = Ustrlen(text) + 1;
1028 log_write(0, LOG_MAIN, "%s", text);
1029 logged = store_malloc(sizeof(string_item) + length);
1030 logged->text = (uschar *)logged + sizeof(string_item);
1031 memcpy(logged->text, text, length);
1032 logged->next = acl_warn_logged;
1033 acl_warn_logged = logged;
1037 /* If there's no user message, we are done. */
1039 if (user_message == NULL) return;
1041 /* If this isn't a message ACL, we can't do anything with a user message.
1044 if (where > ACL_WHERE_NOTSMTP)
1046 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1047 "found in a non-message (%s) ACL: cannot specify header lines here: "
1048 "message ignored", acl_wherenames[where]);
1052 /* The code for setting up header lines is now abstracted into a separate
1053 function so that it can be used for the add_header modifier as well. */
1055 setup_header(user_message);
1060 /*************************************************
1061 * Verify and check reverse DNS *
1062 *************************************************/
1064 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1065 address if this has not yet been done. The host_name_lookup() function checks
1066 that one of these names resolves to an address list that contains the client IP
1067 address, so we don't actually have to do the check here.
1070 user_msgptr pointer for user message
1071 log_msgptr pointer for log message
1073 Returns: OK verification condition succeeded
1074 FAIL verification failed
1075 DEFER there was a problem verifying
1079 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1083 user_msgptr = user_msgptr; /* stop compiler warning */
1085 /* Previous success */
1087 if (sender_host_name != NULL) return OK;
1089 /* Previous failure */
1091 if (host_lookup_failed)
1093 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1097 /* Need to do a lookup */
1100 debug_printf("looking up host name to force name/address consistency check\n");
1102 if ((rc = host_name_lookup()) != OK)
1104 *log_msgptr = (rc == DEFER)?
1105 US"host lookup deferred for reverse lookup check"
1107 string_sprintf("host lookup failed for reverse lookup check%s",
1109 return rc; /* DEFER or FAIL */
1112 host_build_sender_fullhost();
1118 /*************************************************
1119 * Check client IP address matches CSA target *
1120 *************************************************/
1122 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1123 response for address records belonging to the CSA target hostname. The section
1124 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1125 If one of the addresses matches the client's IP address, then the client is
1126 authorized by CSA. If there are target IP addresses but none of them match
1127 then the client is using an unauthorized IP address. If there are no target IP
1128 addresses then the client cannot be using an authorized IP address. (This is
1129 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1132 dnsa the DNS answer block
1133 dnss a DNS scan block for us to use
1134 reset option specifing what portion to scan, as described above
1135 target the target hostname to use for matching RR names
1137 Returns: CSA_OK successfully authorized
1138 CSA_FAIL_MISMATCH addresses found but none matched
1139 CSA_FAIL_NOADDR no target addresses found
1143 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1149 BOOL target_found = FALSE;
1151 for (rr = dns_next_rr(dnsa, dnss, reset);
1153 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1155 /* Check this is an address RR for the target hostname. */
1159 && rr->type != T_AAAA
1166 if (strcmpic(target, rr->name) != 0) continue;
1168 target_found = TRUE;
1170 /* Turn the target address RR into a list of textual IP addresses and scan
1171 the list. There may be more than one if it is an A6 RR. */
1173 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1175 /* If the client IP address matches the target IP address, it's good! */
1177 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1179 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1183 /* If we found some target addresses but none of them matched, the client is
1184 using an unauthorized IP address, otherwise the target has no authorized IP
1187 if (target_found) return CSA_FAIL_MISMATCH;
1188 else return CSA_FAIL_NOADDR;
1193 /*************************************************
1194 * Verify Client SMTP Authorization *
1195 *************************************************/
1197 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1198 to find the CSA SRV record corresponding to the domain argument, or
1199 $sender_helo_name if no argument is provided. It then checks that the
1200 client is authorized, and that its IP address corresponds to the SRV
1201 target's address by calling acl_verify_csa_address() above. The address
1202 should have been returned in the DNS response's ADDITIONAL section, but if
1203 not we perform another DNS lookup to get it.
1206 domain pointer to optional parameter following verify = csa
1208 Returns: CSA_UNKNOWN no valid CSA record found
1209 CSA_OK successfully authorized
1210 CSA_FAIL_* client is definitely not authorized
1211 CSA_DEFER_* there was a DNS problem
1215 acl_verify_csa(uschar *domain)
1219 int priority, weight, port;
1226 /* Work out the domain we are using for the CSA lookup. The default is the
1227 client's HELO domain. If the client has not said HELO, use its IP address
1228 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1230 while (isspace(*domain) && *domain != '\0') ++domain;
1231 if (*domain == '\0') domain = sender_helo_name;
1232 if (domain == NULL) domain = sender_host_address;
1233 if (sender_host_address == NULL) return CSA_UNKNOWN;
1235 /* If we have an address literal, strip off the framing ready for turning it
1236 into a domain. The framing consists of matched square brackets possibly
1237 containing a keyword and a colon before the actual IP address. */
1239 if (domain[0] == '[')
1241 uschar *start = Ustrchr(domain, ':');
1242 if (start == NULL) start = domain;
1243 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1246 /* Turn domains that look like bare IP addresses into domains in the reverse
1247 DNS. This code also deals with address literals and $sender_host_address. It's
1248 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1249 address literals, but it's probably the most friendly thing to do. This is an
1250 extension to CSA, so we allow it to be turned off for proper conformance. */
1252 if (string_is_ip_address(domain, NULL) != 0)
1254 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1255 dns_build_reverse(domain, target);
1259 /* Find out if we've already done the CSA check for this domain. If we have,
1260 return the same result again. Otherwise build a new cached result structure
1261 for this domain. The name is filled in now, and the value is filled in when
1262 we return from this function. */
1264 t = tree_search(csa_cache, domain);
1265 if (t != NULL) return t->data.val;
1267 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1268 Ustrcpy(t->name, domain);
1269 (void)tree_insertnode(&csa_cache, t);
1271 /* Now we are ready to do the actual DNS lookup(s). */
1274 switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1276 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1279 return t->data.val = CSA_DEFER_SRV;
1281 /* If we found nothing, the client's authorization is unknown. */
1285 return t->data.val = CSA_UNKNOWN;
1287 /* We got something! Go on to look at the reply in more detail. */
1293 /* Scan the reply for well-formed CSA SRV records. */
1295 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1297 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1299 if (rr->type != T_SRV) continue;
1301 /* Extract the numerical SRV fields (p is incremented) */
1304 GETSHORT(priority, p);
1305 GETSHORT(weight, p);
1309 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1311 /* Check the CSA version number */
1313 if (priority != 1) continue;
1315 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1316 found by dns_special_lookup() is a parent of the one we asked for), we check
1317 the subdomain assertions in the port field. At the moment there's only one
1318 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1319 SRV records of their own. */
1321 if (found != domain)
1324 return t->data.val = CSA_FAIL_EXPLICIT;
1326 return t->data.val = CSA_UNKNOWN;
1329 /* This CSA SRV record refers directly to our domain, so we check the value
1330 in the weight field to work out the domain's authorization. 0 and 1 are
1331 unauthorized; 3 means the client is authorized but we can't check the IP
1332 address in order to authenticate it, so we treat it as unknown; values
1333 greater than 3 are undefined. */
1335 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1337 if (weight > 2) continue;
1339 /* Weight == 2, which means the domain is authorized. We must check that the
1340 client's IP address is listed as one of the SRV target addresses. Save the
1341 target hostname then break to scan the additional data for its addresses. */
1343 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1344 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1346 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1351 /* If we didn't break the loop then no appropriate records were found. */
1353 if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1355 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1356 A target of "." indicates there are no valid addresses, so the client cannot
1357 be authorized. (This is an odd configuration because weight=2 target=. is
1358 equivalent to weight=1, but we check for it in order to keep load off the
1359 root name servers.) Note that dn_expand() turns "." into "". */
1361 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1363 /* Scan the additional section of the CSA SRV reply for addresses belonging
1364 to the target. If the name server didn't return any additional data (e.g.
1365 because it does not fully support SRV records), we need to do another lookup
1366 to obtain the target addresses; otherwise we have a definitive result. */
1368 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1369 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1371 /* The DNS lookup type corresponds to the IP version used by the client. */
1374 if (Ustrchr(sender_host_address, ':') != NULL)
1377 #endif /* HAVE_IPV6 */
1381 #if HAVE_IPV6 && defined(SUPPORT_A6)
1385 switch (dns_lookup(&dnsa, target, type, NULL))
1387 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1390 return t->data.val = CSA_DEFER_ADDR;
1392 /* If the query succeeded, scan the addresses and return the result. */
1395 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1396 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1397 /* else fall through */
1399 /* If the target has no IP addresses, the client cannot have an authorized
1400 IP address. However, if the target site uses A6 records (not AAAA records)
1401 we have to do yet another lookup in order to check them. */
1406 #if HAVE_IPV6 && defined(SUPPORT_A6)
1407 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1410 return t->data.val = CSA_FAIL_NOADDR;
1416 /*************************************************
1417 * Handle verification (address & other) *
1418 *************************************************/
1420 /* This function implements the "verify" condition. It is called when
1421 encountered in any ACL, because some tests are almost always permitted. Some
1422 just don't make sense, and always fail (for example, an attempt to test a host
1423 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1426 where where called from
1427 addr the recipient address that the ACL is handling, or NULL
1428 arg the argument of "verify"
1429 user_msgptr pointer for user message
1430 log_msgptr pointer for log message
1431 basic_errno where to put verify errno
1433 Returns: OK verification condition succeeded
1434 FAIL verification failed
1435 DEFER there was a problem verifying
1440 acl_verify(int where, address_item *addr, uschar *arg,
1441 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1445 int callout_overall = -1;
1446 int callout_connect = -1;
1447 int verify_options = 0;
1449 BOOL verify_header_sender = FALSE;
1450 BOOL defer_ok = FALSE;
1451 BOOL callout_defer_ok = FALSE;
1452 BOOL no_details = FALSE;
1453 BOOL success_on_redirect = FALSE;
1454 address_item *sender_vaddr = NULL;
1455 uschar *verify_sender_address = NULL;
1456 uschar *pm_mailfrom = NULL;
1457 uschar *se_mailfrom = NULL;
1459 /* Some of the verify items have slash-separated options; some do not. Diagnose
1460 an error if options are given for items that don't expect them. This code has
1461 now got very message. Refactoring to use a table would be a good idea one day.
1464 uschar *slash = Ustrchr(arg, '/');
1466 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1468 if (ss == NULL) goto BAD_VERIFY;
1470 /* Handle name/address consistency verification in a separate function. */
1472 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1474 if (slash != NULL) goto NO_OPTIONS;
1475 if (sender_host_address == NULL) return OK;
1476 return acl_verify_reverse(user_msgptr, log_msgptr);
1479 /* TLS certificate verification is done at STARTTLS time; here we just
1480 test whether it was successful or not. (This is for optional verification; for
1481 mandatory verification, the connection doesn't last this long.) */
1483 if (strcmpic(ss, US"certificate") == 0)
1485 if (slash != NULL) goto NO_OPTIONS;
1486 if (tls_certificate_verified) return OK;
1487 *user_msgptr = US"no verified certificate";
1491 /* We can test the result of optional HELO verification that might have
1492 occurred earlier. If not, we can attempt the verification now. */
1494 if (strcmpic(ss, US"helo") == 0)
1496 if (slash != NULL) goto NO_OPTIONS;
1497 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1498 return helo_verified? OK : FAIL;
1501 /* Do Client SMTP Authorization checks in a separate function, and turn the
1502 result code into user-friendly strings. */
1504 if (strcmpic(ss, US"csa") == 0)
1506 rc = acl_verify_csa(list);
1507 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1508 csa_reason_string[rc]);
1509 csa_status = csa_status_string[rc];
1510 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1511 return csa_return_code[rc];
1514 /* Check that all relevant header lines have the correct syntax. If there is
1515 a syntax error, we return details of the error to the sender if configured to
1516 send out full details. (But a "message" setting on the ACL can override, as
1519 if (strcmpic(ss, US"header_syntax") == 0)
1521 if (slash != NULL) goto NO_OPTIONS;
1522 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1523 rc = verify_check_headers(log_msgptr);
1524 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1525 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1529 /* Check that no recipient of this message is "blind", that is, every envelope
1530 recipient must be mentioned in either To: or Cc:. */
1532 if (strcmpic(ss, US"not_blind") == 0)
1534 if (slash != NULL) goto NO_OPTIONS;
1535 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1536 rc = verify_check_notblind();
1539 *log_msgptr = string_sprintf("bcc recipient detected");
1540 if (smtp_return_error_details)
1541 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1546 /* The remaining verification tests check recipient and sender addresses,
1547 either from the envelope or from the header. There are a number of
1548 slash-separated options that are common to all of them. */
1551 /* Check that there is at least one verifiable sender address in the relevant
1552 header lines. This can be followed by callout and defer options, just like
1553 sender and recipient. */
1555 if (strcmpic(ss, US"header_sender") == 0)
1557 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1558 verify_header_sender = TRUE;
1561 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1562 In the case of a sender, this can optionally be followed by an address to use
1563 in place of the actual sender (rare special-case requirement). */
1565 else if (strncmpic(ss, US"sender", 6) == 0)
1568 if (where > ACL_WHERE_NOTSMTP)
1570 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1571 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1572 acl_wherenames[where]);
1576 verify_sender_address = sender_address;
1579 while (isspace(*s)) s++;
1580 if (*s++ != '=') goto BAD_VERIFY;
1581 while (isspace(*s)) s++;
1582 verify_sender_address = string_copy(s);
1587 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1590 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1591 "(only possible for RCPT)", acl_wherenames[where]);
1596 /* Remaining items are optional; they apply to sender and recipient
1597 verification, including "header sender" verification. */
1599 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1602 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1603 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1604 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1606 /* These two old options are left for backwards compatibility */
1608 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1610 callout_defer_ok = TRUE;
1611 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1614 else if (strcmpic(ss, US"check_postmaster") == 0)
1617 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1620 /* The callout option has a number of sub-options, comma separated */
1622 else if (strncmpic(ss, US"callout", 7) == 0)
1624 callout = CALLOUT_TIMEOUT_DEFAULT;
1628 while (isspace(*ss)) ss++;
1634 while (isspace(*ss)) ss++;
1636 /* This callout option handling code has become a mess as new options
1637 have been added in an ad hoc manner. It should be tidied up into some
1638 kind of table-driven thing. */
1640 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1643 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1644 else if (strcmpic(opt, US"no_cache") == 0)
1645 verify_options |= vopt_callout_no_cache;
1646 else if (strcmpic(opt, US"random") == 0)
1647 verify_options |= vopt_callout_random;
1648 else if (strcmpic(opt, US"use_sender") == 0)
1649 verify_options |= vopt_callout_recipsender;
1650 else if (strcmpic(opt, US"use_postmaster") == 0)
1651 verify_options |= vopt_callout_recippmaster;
1652 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1653 else if (strcmpic(opt, US"fullpostmaster") == 0)
1656 verify_options |= vopt_callout_fullpm;
1659 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1661 if (!verify_header_sender)
1663 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1664 "callout option only for verify=header_sender (detected in ACL "
1665 "condition \"%s\")", arg);
1669 while (isspace(*opt)) opt++;
1672 *log_msgptr = string_sprintf("'=' expected after "
1673 "\"mailfrom\" in ACL condition \"%s\"", arg);
1676 while (isspace(*opt)) opt++;
1677 se_mailfrom = string_copy(opt);
1680 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1683 while (isspace(*opt)) opt++;
1686 *log_msgptr = string_sprintf("'=' expected after "
1687 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1690 while (isspace(*opt)) opt++;
1691 pm_mailfrom = string_copy(opt);
1694 else if (strncmpic(opt, US"maxwait", 7) == 0)
1697 while (isspace(*opt)) opt++;
1700 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1701 "ACL condition \"%s\"", arg);
1704 while (isspace(*opt)) opt++;
1705 callout_overall = readconf_readtime(opt, 0, FALSE);
1706 if (callout_overall < 0)
1708 *log_msgptr = string_sprintf("bad time value in ACL condition "
1709 "\"verify %s\"", arg);
1713 else if (strncmpic(opt, US"connect", 7) == 0)
1716 while (isspace(*opt)) opt++;
1719 *log_msgptr = string_sprintf("'=' expected after "
1720 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1723 while (isspace(*opt)) opt++;
1724 callout_connect = readconf_readtime(opt, 0, FALSE);
1725 if (callout_connect < 0)
1727 *log_msgptr = string_sprintf("bad time value in ACL condition "
1728 "\"verify %s\"", arg);
1732 else /* Plain time is callout connect/command timeout */
1734 callout = readconf_readtime(opt, 0, FALSE);
1737 *log_msgptr = string_sprintf("bad time value in ACL condition "
1738 "\"verify %s\"", arg);
1746 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1747 "ACL condition \"%s\"", arg);
1753 /* Option not recognized */
1757 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1758 "condition \"verify %s\"", ss, arg);
1763 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1764 (vopt_callout_recipsender|vopt_callout_recippmaster))
1766 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1767 "for a recipient callout";
1771 /* Handle sender-in-header verification. Default the user message to the log
1772 message if giving out verification details. */
1774 if (verify_header_sender)
1777 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1778 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1782 *basic_errno = verrno;
1783 if (smtp_return_error_details)
1785 if (*user_msgptr == NULL && *log_msgptr != NULL)
1786 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1787 if (rc == DEFER) acl_temp_details = TRUE;
1792 /* Handle a sender address. The default is to verify *the* sender address, but
1793 optionally a different address can be given, for special requirements. If the
1794 address is empty, we are dealing with a bounce message that has no sender, so
1795 we cannot do any checking. If the real sender address gets rewritten during
1796 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1797 during message reception.
1799 A list of verified "sender" addresses is kept to try to avoid doing to much
1800 work repetitively when there are multiple recipients in a message and they all
1801 require sender verification. However, when callouts are involved, it gets too
1802 complicated because different recipients may require different callout options.
1803 Therefore, we always do a full sender verify when any kind of callout is
1804 specified. Caching elsewhere, for instance in the DNS resolver and in the
1805 callout handling, should ensure that this is not terribly inefficient. */
1807 else if (verify_sender_address != NULL)
1809 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1812 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1813 "sender verify callout";
1817 sender_vaddr = verify_checked_sender(verify_sender_address);
1818 if (sender_vaddr != NULL && /* Previously checked */
1819 callout <= 0) /* No callout needed this time */
1821 /* If the "routed" flag is set, it means that routing worked before, so
1822 this check can give OK (the saved return code value, if set, belongs to a
1823 callout that was done previously). If the "routed" flag is not set, routing
1824 must have failed, so we use the saved return code. */
1826 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1828 rc = sender_vaddr->special_action;
1829 *basic_errno = sender_vaddr->basic_errno;
1831 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1834 /* Do a new verification, and cache the result. The cache is used to avoid
1835 verifying the sender multiple times for multiple RCPTs when callouts are not
1836 specified (see comments above).
1838 The cache is also used on failure to give details in response to the first
1839 RCPT that gets bounced for this reason. However, this can be suppressed by
1840 the no_details option, which sets the flag that says "this detail has already
1841 been sent". The cache normally contains just one address, but there may be
1842 more in esoteric circumstances. */
1847 uschar *save_address_data = deliver_address_data;
1849 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1850 if (no_details) setflag(sender_vaddr, af_sverify_told);
1851 if (verify_sender_address[0] != 0)
1853 /* If this is the real sender address, save the unrewritten version
1854 for use later in receive. Otherwise, set a flag so that rewriting the
1855 sender in verify_address() does not update sender_address. */
1857 if (verify_sender_address == sender_address)
1858 sender_address_unrewritten = sender_address;
1860 verify_options |= vopt_fake_sender;
1862 if (success_on_redirect)
1863 verify_options |= vopt_success_on_redirect;
1865 /* The recipient, qualify, and expn options are never set in
1868 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1869 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1871 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1875 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1877 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1878 verify_sender_address, sender_vaddr->address);
1882 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1883 verify_sender_address);
1886 else *basic_errno = sender_vaddr->basic_errno;
1888 else rc = OK; /* Null sender */
1890 /* Cache the result code */
1892 if (routed) setflag(sender_vaddr, af_verify_routed);
1893 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1894 sender_vaddr->special_action = rc;
1895 sender_vaddr->next = sender_verified_list;
1896 sender_verified_list = sender_vaddr;
1898 /* Restore the recipient address data, which might have been clobbered by
1899 the sender verification. */
1901 deliver_address_data = save_address_data;
1904 /* Put the sender address_data value into $sender_address_data */
1906 sender_address_data = sender_vaddr->p.address_data;
1909 /* A recipient address just gets a straightforward verify; again we must handle
1910 the DEFER overrides. */
1916 if (success_on_redirect)
1917 verify_options |= vopt_success_on_redirect;
1919 /* We must use a copy of the address for verification, because it might
1923 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1924 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1925 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1927 *basic_errno = addr2.basic_errno;
1928 *log_msgptr = addr2.message;
1929 *user_msgptr = (addr2.user_message != NULL)?
1930 addr2.user_message : addr2.message;
1932 /* Allow details for temporary error if the address is so flagged. */
1933 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
1935 /* Make $address_data visible */
1936 deliver_address_data = addr2.p.address_data;
1939 /* We have a result from the relevant test. Handle defer overrides first. */
1941 if (rc == DEFER && (defer_ok ||
1942 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1944 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1945 defer_ok? "defer_ok" : "callout_defer_ok");
1949 /* If we've failed a sender, set up a recipient message, and point
1950 sender_verified_failed to the address item that actually failed. */
1952 if (rc != OK && verify_sender_address != NULL)
1956 *log_msgptr = *user_msgptr = US"Sender verify failed";
1958 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1960 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1964 *log_msgptr = US"Could not complete sender verify callout";
1965 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1969 sender_verified_failed = sender_vaddr;
1972 /* Verifying an address messes up the values of $domain and $local_part,
1973 so reset them before returning if this is a RCPT ACL. */
1977 deliver_domain = addr->domain;
1978 deliver_localpart = addr->local_part;
1982 /* Syntax errors in the verify argument come here. */
1985 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1986 "\"helo\", \"header_syntax\", \"header_sender\" or "
1987 "\"reverse_host_lookup\" at start of ACL condition "
1988 "\"verify %s\"", arg);
1991 /* Options supplied when not allowed come here */
1994 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1995 "(this verify item has no options)", arg);
1998 /* Calls in the wrong ACL come here */
2001 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
2002 "(only possible in ACL for DATA)", acl_wherenames[where]);
2009 /*************************************************
2010 * Check argument for control= modifier *
2011 *************************************************/
2013 /* Called from acl_check_condition() below
2016 arg the argument string for control=
2017 pptr set to point to the terminating character
2018 where which ACL we are in
2019 log_msgptr for error messages
2021 Returns: CONTROL_xxx value
2025 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2030 for (d = controls_list;
2031 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2034 len = Ustrlen(d->name);
2035 if (Ustrncmp(d->name, arg, len) == 0) break;
2038 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2039 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2041 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2042 return CONTROL_ERROR;
2051 /*************************************************
2052 * Handle rate limiting *
2053 *************************************************/
2055 /* Called by acl_check_condition() below to calculate the result
2056 of the ACL ratelimit condition.
2058 Note that the return value might be slightly unexpected: if the
2059 sender's rate is above the limit then the result is OK. This is
2060 similar to the dnslists condition, and is so that you can write
2061 ACL clauses like: defer ratelimit = 15 / 1h
2064 arg the option string for ratelimit=
2065 where ACL_WHERE_xxxx indicating which ACL this is
2066 log_msgptr for error messages
2068 Returns: OK - Sender's rate is above limit
2069 FAIL - Sender's rate is below limit
2070 DEFER - Problem opening ratelimit database
2071 ERROR - Syntax error in options.
2075 acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
2077 double limit, period;
2081 BOOL leaky = FALSE, strict = FALSE, noupdate = FALSE;
2082 BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2084 tree_node **anchor, *t;
2085 open_db dbblock, *dbm;
2086 dbdata_ratelimit *dbd;
2089 /* Parse the first two options and record their values in expansion
2090 variables. These variables allow the configuration to have informative
2091 error messages based on rate limits obtained from a table lookup. */
2093 /* First is the maximum number of messages per period and maximum burst
2094 size, which must be greater than or equal to zero. Zero is useful for
2095 rate measurement as opposed to rate limiting. */
2097 sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2098 if (sender_rate_limit == NULL)
2102 limit = Ustrtod(sender_rate_limit, &ss);
2103 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2104 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2105 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2107 if (limit < 0.0 || *ss != 0)
2109 *log_msgptr = string_sprintf("syntax error in argument for "
2110 "\"ratelimit\" condition: \"%s\" is not a positive number",
2115 /* Second is the rate measurement period and exponential smoothing time
2116 constant. This must be strictly greater than zero, because zero leads to
2117 run-time division errors. */
2119 sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2120 if (sender_rate_period == NULL) period = -1.0;
2121 else period = readconf_readtime(sender_rate_period, 0, FALSE);
2124 *log_msgptr = string_sprintf("syntax error in argument for "
2125 "\"ratelimit\" condition: \"%s\" is not a time value",
2126 sender_rate_period);
2130 /* Parse the other options. Should we check if the per_* options are being
2131 used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2133 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2136 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2137 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2138 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2139 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
2140 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2141 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
2142 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2143 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
2144 else key = string_sprintf("%s", ss);
2147 if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2149 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2153 /* Default option values */
2155 if (!strict) leaky = TRUE;
2156 if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2158 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2159 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2160 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2161 are added to the key because they alter the meaning of the stored data. */
2164 key = (sender_host_address == NULL)? US"" : sender_host_address;
2166 key = string_sprintf("%s/%s/%s/%s",
2168 per_byte? US"per_byte" :
2169 per_cmd? US"per_cmd" :
2170 per_mail? US"per_mail" : US"per_conn",
2171 strict? US"strict" : US"leaky",
2174 HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2175 limit, period, key);
2177 /* See if we have already computed the rate by looking in the relevant tree.
2178 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2179 pool so that they survive across resets. */
2182 old_pool = store_pool;
2186 anchor = &ratelimiters_conn;
2187 store_pool = POOL_PERM;
2189 else if (per_mail || per_byte)
2190 anchor = &ratelimiters_mail;
2192 anchor = &ratelimiters_cmd;
2194 if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2197 /* The following few lines duplicate some of the code below. */
2198 rc = (dbd->rate < limit)? FAIL : OK;
2199 store_pool = old_pool;
2200 sender_rate = string_sprintf("%.1f", dbd->rate);
2202 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2206 /* We aren't using a pre-computed rate, so get a previously recorded
2207 rate from the database, update it, and write it back when required. If there's
2208 no previous rate for this key, create one. */
2210 dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2213 store_pool = old_pool;
2215 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2216 *log_msgptr = US"ratelimit database not available";
2219 dbd = dbfn_read(dbm, key);
2221 gettimeofday(&tv, NULL);
2225 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2226 dbd = store_get(sizeof(dbdata_ratelimit));
2227 dbd->time_stamp = tv.tv_sec;
2228 dbd->time_usec = tv.tv_usec;
2233 /* The smoothed rate is computed using an exponentially weighted moving
2234 average adjusted for variable sampling intervals. The standard EWMA for
2235 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2236 where f() is the measured value and f'() is the smoothed value.
2238 Old data decays out of the smoothed value exponentially, such that data n
2239 samples old is multiplied by a^n. The exponential decay time constant p
2240 is defined such that data p samples old is multiplied by 1/e, which means
2241 that a = exp(-1/p). We can maintain the same time constant for a variable
2242 sampling interval i by using a = exp(-i/p).
2244 The rate we are measuring is messages per period, suitable for directly
2245 comparing with the limit. The average rate between now and the previous
2246 message is period / interval, which we feed into the EWMA as the sample.
2248 It turns out that the number of messages required for the smoothed rate
2249 to reach the limit when they are sent in a burst is equal to the limit.
2250 This can be seen by analysing the value of the smoothed rate after N
2251 messages sent at even intervals. Let k = (1 - a) * p/i
2253 rate_1 = (1 - a) * p/i + a * rate_0
2255 rate_2 = k + a * rate_1
2256 = k + a * k + a^2 * rate_0
2257 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2258 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2259 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2260 = rate_0 * a^N + p/i * (1 - a^N)
2262 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2264 rate_N = p/i + (rate_0 - p/i) * a^N
2265 a^N = (rate_N - p/i) / (rate_0 - p/i)
2266 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2267 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2269 Numerical analysis of the above equation, setting the computed rate to
2270 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2271 rates, p/i, the number of messages N = limit. So limit serves as both the
2272 maximum rate measured in messages per period, and the maximum number of
2273 messages that can be sent in a fast burst. */
2275 double this_time = (double)tv.tv_sec
2276 + (double)tv.tv_usec / 1000000.0;
2277 double prev_time = (double)dbd->time_stamp
2278 + (double)dbd->time_usec / 1000000.0;
2280 /* We must avoid division by zero, and deal gracefully with the clock going
2281 backwards. If we blunder ahead when time is in reverse then the computed
2282 rate will be bogus. To be safe we clamp interval to a very small number. */
2284 double interval = this_time - prev_time <= 0.0 ? 1e-9
2285 : this_time - prev_time;
2287 double i_over_p = interval / period;
2288 double a = exp(-i_over_p);
2290 dbd->time_stamp = tv.tv_sec;
2291 dbd->time_usec = tv.tv_usec;
2293 /* If we are measuring the rate in bytes per period, multiply the
2294 measured rate by the message size. If we don't know the message size
2295 then it's safe to just use a value of zero and let the recorded rate
2296 decay as if nothing happened. */
2299 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2300 * (1 - a) / i_over_p + a * dbd->rate;
2301 else if (per_cmd && where == ACL_WHERE_NOTSMTP)
2302 dbd->rate = (double)recipients_count
2303 * (1 - a) / i_over_p + a * dbd->rate;
2305 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2308 /* Clients sending at the limit are considered to be over the limit. This
2309 matters for edge cases such the first message sent by a client (which gets
2310 the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2311 be completely blocked). */
2313 rc = (dbd->rate < limit)? FAIL : OK;
2315 /* Update the state if the rate is low or if we are being strict. If we
2316 are in leaky mode and the sender's rate is too high, we do not update
2317 the recorded rate in order to avoid an over-aggressive sender's retry
2318 rate preventing them from getting any email through. If noupdate is set,
2319 do not do any updates. */
2321 if ((rc == FAIL || !leaky) && !noupdate)
2323 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
2324 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2328 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
2329 noupdate? "noupdate set" : "over the limit, but leaky");
2334 /* Store the result in the tree for future reference, if necessary. */
2336 if (anchor != NULL && !noupdate)
2338 t = store_get(sizeof(tree_node) + Ustrlen(key));
2340 Ustrcpy(t->name, key);
2341 (void)tree_insertnode(anchor, t);
2344 /* We create the formatted version of the sender's rate very late in
2345 order to ensure that it is done using the correct storage pool. */
2347 store_pool = old_pool;
2348 sender_rate = string_sprintf("%.1f", dbd->rate);
2351 debug_printf("ratelimit computed rate %s\n", sender_rate);
2358 /*************************************************
2359 * Handle conditions/modifiers on an ACL item *
2360 *************************************************/
2362 /* Called from acl_check() below.
2366 cb ACL condition block - if NULL, result is OK
2367 where where called from
2368 addr the address being checked for RCPT, or NULL
2369 level the nesting level
2370 epp pointer to pass back TRUE if "endpass" encountered
2371 (applies only to "accept" and "discard")
2372 user_msgptr user message pointer
2373 log_msgptr log message pointer
2374 basic_errno pointer to where to put verify error
2376 Returns: OK - all conditions are met
2377 DISCARD - an "acl" condition returned DISCARD - only allowed
2378 for "accept" or "discard" verbs
2379 FAIL - at least one condition fails
2380 FAIL_DROP - an "acl" condition returned FAIL_DROP
2381 DEFER - can't tell at the moment (typically, lookup defer,
2382 but can be temporary callout problem)
2383 ERROR - ERROR from nested ACL or expansion failure or other
2388 acl_check_condition(int verb, acl_condition_block *cb, int where,
2389 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2390 uschar **log_msgptr, int *basic_errno)
2392 uschar *user_message = NULL;
2393 uschar *log_message = NULL;
2396 #ifdef WITH_CONTENT_SCAN
2400 for (; cb != NULL; cb = cb->next)
2405 /* The message and log_message items set up messages to be used in
2406 case of rejection. They are expanded later. */
2408 if (cb->type == ACLC_MESSAGE)
2410 user_message = cb->arg;
2414 if (cb->type == ACLC_LOG_MESSAGE)
2416 log_message = cb->arg;
2420 /* The endpass "condition" just sets a flag to show it occurred. This is
2421 checked at compile time to be on an "accept" or "discard" item. */
2423 if (cb->type == ACLC_ENDPASS)
2429 /* For other conditions and modifiers, the argument is expanded now for some
2430 of them, but not for all, because expansion happens down in some lower level
2431 checking functions in some cases. */
2433 if (cond_expand_at_top[cb->type])
2435 arg = expand_string(cb->arg);
2438 if (expand_string_forcedfail) continue;
2439 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2440 cb->arg, expand_string_message);
2441 return search_find_defer? DEFER : ERROR;
2446 /* Show condition, and expanded condition if it's different */
2451 debug_printf("check %s%s %n",
2452 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2453 conditions[cb->type], &lhswidth);
2455 if (cb->type == ACLC_SET)
2457 debug_printf("acl_%s ", cb->u.varname);
2458 lhswidth += 5 + Ustrlen(cb->u.varname);
2461 debug_printf("= %s\n", cb->arg);
2464 debug_printf("%.*s= %s\n", lhswidth,
2468 /* Check that this condition makes sense at this time */
2470 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2472 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2473 cond_modifiers[cb->type]? "use" : "test",
2474 conditions[cb->type], acl_wherenames[where]);
2478 /* Run the appropriate test for each condition, or take the appropriate
2479 action for the remaining modifiers. */
2483 case ACLC_ADD_HEADER:
2487 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2491 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2492 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2494 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2495 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2501 case ACLC_AUTHENTICATED:
2502 rc = (sender_host_authenticated == NULL)? FAIL :
2503 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2507 #ifdef EXPERIMENTAL_BRIGHTMAIL
2508 case ACLC_BMI_OPTIN:
2510 int old_pool = store_pool;
2511 store_pool = POOL_PERM;
2512 bmi_current_optin = string_copy(arg);
2513 store_pool = old_pool;
2518 case ACLC_CONDITION:
2519 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2520 rc = (Uatoi(arg) == 0)? FAIL : OK;
2522 rc = (strcmpic(arg, US"no") == 0 ||
2523 strcmpic(arg, US"false") == 0)? FAIL :
2524 (strcmpic(arg, US"yes") == 0 ||
2525 strcmpic(arg, US"true") == 0)? OK : DEFER;
2527 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2530 case ACLC_CONTINUE: /* Always succeeds */
2534 control_type = decode_control(arg, &p, where, log_msgptr);
2536 /* Check if this control makes sense at this time */
2538 if ((control_forbids[control_type] & (1 << where)) != 0)
2540 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2541 controls[control_type], acl_wherenames[where]);
2545 switch(control_type)
2547 case CONTROL_AUTH_UNADVERTISED:
2548 allow_auth_unadvertised = TRUE;
2551 #ifdef EXPERIMENTAL_BRIGHTMAIL
2552 case CONTROL_BMI_RUN:
2557 #ifndef DISABLE_DKIM
2558 case CONTROL_DKIM_VERIFY:
2566 case CONTROL_CASEFUL_LOCAL_PART:
2567 deliver_localpart = addr->cc_local_part;
2570 case CONTROL_CASELOWER_LOCAL_PART:
2571 deliver_localpart = addr->lc_local_part;
2574 case CONTROL_ENFORCE_SYNC:
2575 smtp_enforce_sync = TRUE;
2578 case CONTROL_NO_ENFORCE_SYNC:
2579 smtp_enforce_sync = FALSE;
2582 #ifdef WITH_CONTENT_SCAN
2583 case CONTROL_NO_MBOX_UNSPOOL:
2584 no_mbox_unspool = TRUE;
2588 case CONTROL_NO_MULTILINE:
2589 no_multiline_responses = TRUE;
2592 case CONTROL_NO_PIPELINING:
2593 pipelining_enable = FALSE;
2596 case CONTROL_NO_DELAY_FLUSH:
2597 disable_delay_flush = TRUE;
2600 case CONTROL_NO_CALLOUT_FLUSH:
2601 disable_callout_flush = TRUE;
2604 case CONTROL_FAKEDEFER:
2605 case CONTROL_FAKEREJECT:
2606 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
2610 while (*pp != 0) pp++;
2611 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
2616 /* Explicitly reset to default string */
2617 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
2621 case CONTROL_FREEZE:
2622 deliver_freeze = TRUE;
2623 deliver_frozen_at = time(NULL);
2624 freeze_tell = freeze_tell_config; /* Reset to configured value */
2625 if (Ustrncmp(p, "/no_tell", 8) == 0)
2632 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2637 case CONTROL_QUEUE_ONLY:
2638 queue_only_policy = TRUE;
2641 case CONTROL_SUBMISSION:
2642 originator_name = US"";
2643 submission_mode = TRUE;
2646 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2649 active_local_sender_retain = TRUE;
2650 active_local_from_check = FALSE;
2652 else if (Ustrncmp(p, "/domain=", 8) == 0)
2655 while (*pp != 0 && *pp != '/') pp++;
2656 submission_domain = string_copyn(p+8, pp-p-8);
2659 /* The name= option must be last, because it swallows the rest of
2661 else if (Ustrncmp(p, "/name=", 6) == 0)
2664 while (*pp != 0) pp++;
2665 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
2666 big_buffer, big_buffer_size));
2673 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2678 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2679 suppress_local_fixups = TRUE;
2684 #ifdef EXPERIMENTAL_DCC
2687 /* Seperate the regular expression and any optional parameters. */
2688 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2689 /* Run the dcc backend. */
2690 rc = dcc_process(&ss);
2691 /* Modify return code based upon the existance of options. */
2692 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2694 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2696 /* FAIL so that the message is passed to the next ACL */
2704 #ifdef WITH_CONTENT_SCAN
2706 rc = mime_decode(&arg);
2712 int delay = readconf_readtime(arg, 0, FALSE);
2715 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2716 "modifier: \"%s\" is not a time value", arg);
2721 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2726 debug_printf("delay skipped in -bh checking mode\n");
2729 /* It appears to be impossible to detect that a TCP/IP connection has
2730 gone away without reading from it. This means that we cannot shorten
2731 the delay below if the client goes away, because we cannot discover
2732 that the client has closed its end of the connection. (The connection
2733 is actually in a half-closed state, waiting for the server to close its
2734 end.) It would be nice to be able to detect this state, so that the
2735 Exim process is not held up unnecessarily. However, it seems that we
2736 can't. The poll() function does not do the right thing, and in any case
2737 it is not always available.
2739 NOTE 1: If ever this state of affairs changes, remember that we may be
2740 dealing with stdin/stdout here, in addition to TCP/IP connections.
2741 Also, delays may be specified for non-SMTP input, where smtp_out and
2742 smtp_in will be NULL. Whatever is done must work in all cases.
2744 NOTE 2: The added feature of flushing the output before a delay must
2745 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
2750 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
2751 while (delay > 0) delay = sleep(delay);
2757 #ifdef WITH_OLD_DEMIME
2764 rc = verify_check_dnsbl(&arg);
2768 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2769 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2772 /* The value in tls_cipher is the full cipher name, for example,
2773 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2774 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2775 what may in practice come out of the SSL library - which at the time of
2776 writing is poorly documented. */
2778 case ACLC_ENCRYPTED:
2779 if (tls_cipher == NULL) rc = FAIL; else
2781 uschar *endcipher = NULL;
2782 uschar *cipher = Ustrchr(tls_cipher, ':');
2783 if (cipher == NULL) cipher = tls_cipher; else
2785 endcipher = Ustrchr(++cipher, ':');
2786 if (endcipher != NULL) *endcipher = 0;
2788 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2789 if (endcipher != NULL) *endcipher = ':';
2793 /* Use verify_check_this_host() instead of verify_check_host() so that
2794 we can pass over &host_data to catch any looked up data. Once it has been
2795 set, it retains its value so that it's still there if another ACL verb
2796 comes through here and uses the cache. However, we must put it into
2797 permanent store in case it is also expected to be used in a subsequent
2798 message in the same SMTP connection. */
2801 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2802 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2803 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2806 case ACLC_LOCAL_PARTS:
2807 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2808 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2809 &deliver_localpart_data);
2812 case ACLC_LOG_REJECT_TARGET:
2818 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
2821 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
2822 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
2823 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
2826 logbits |= LOG_MAIN|LOG_REJECT;
2827 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
2828 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
2831 log_reject_target = logbits;
2844 if (Ustrncmp(s, "main", 4) == 0)
2845 { logbits |= LOG_MAIN; s += 4; }
2846 else if (Ustrncmp(s, "panic", 5) == 0)
2847 { logbits |= LOG_PANIC; s += 5; }
2848 else if (Ustrncmp(s, "reject", 6) == 0)
2849 { logbits |= LOG_REJECT; s += 6; }
2852 logbits = LOG_MAIN|LOG_PANIC;
2853 s = string_sprintf(":unknown log name in \"%s\" in "
2854 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2860 while (isspace(*s)) s++;
2863 if (logbits == 0) logbits = LOG_MAIN;
2864 log_write(0, logbits, "%s", string_printing(s));
2868 #ifdef WITH_CONTENT_SCAN
2871 /* Separate the regular expression and any optional parameters. */
2872 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2873 /* Run the malware backend. */
2875 /* Modify return code based upon the existance of options. */
2876 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2878 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2880 /* FAIL so that the message is passed to the next ACL */
2887 case ACLC_MIME_REGEX:
2888 rc = mime_regex(&arg);
2892 case ACLC_RATELIMIT:
2893 rc = acl_ratelimit(arg, where, log_msgptr);
2896 case ACLC_RECIPIENTS:
2897 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2901 #ifdef WITH_CONTENT_SCAN
2907 case ACLC_SENDER_DOMAINS:
2910 sdomain = Ustrrchr(sender_address, '@');
2911 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2912 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2913 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2918 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2919 sender_address_cache, -1, 0, &sender_data);
2922 /* Connection variables must persist forever */
2926 int old_pool = store_pool;
2927 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
2928 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
2929 store_pool = old_pool;
2933 #ifdef WITH_CONTENT_SCAN
2936 /* Seperate the regular expression and any optional parameters. */
2937 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2938 /* Run the spam backend. */
2940 /* Modify return code based upon the existance of options. */
2941 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2943 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2945 /* FAIL so that the message is passed to the next ACL */
2953 #ifdef EXPERIMENTAL_SPF
2955 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
2957 case ACLC_SPF_GUESS:
2958 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
2962 /* If the verb is WARN, discard any user message from verification, because
2963 such messages are SMTP responses, not header additions. The latter come
2964 only from explicit "message" modifiers. However, put the user message into
2965 $acl_verify_message so it can be used in subsequent conditions or modifiers
2966 (until something changes it). */
2969 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2970 acl_verify_message = *user_msgptr;
2971 if (verb == ACL_WARN) *user_msgptr = NULL;
2975 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2976 "condition %d", cb->type);
2980 /* If a condition was negated, invert OK/FAIL. */
2982 if (!cond_modifiers[cb->type] && cb->u.negated)
2984 if (rc == OK) rc = FAIL;
2985 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2988 if (rc != OK) break; /* Conditions loop */
2992 /* If the result is the one for which "message" and/or "log_message" are used,
2993 handle the values of these modifiers. If there isn't a log message set, we make
2994 it the same as the user message.
2996 "message" is a user message that will be included in an SMTP response. Unless
2997 it is empty, it overrides any previously set user message.
2999 "log_message" is a non-user message, and it adds to any existing non-user
3000 message that is already set.
3002 Most verbs have but a single return for which the messages are relevant, but
3003 for "discard", it's useful to have the log message both when it succeeds and
3004 when it fails. For "accept", the message is used in the OK case if there is no
3005 "endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3008 if (*epp && rc == OK) user_message = NULL;
3010 if (((1<<rc) & msgcond[verb]) != 0)
3013 uschar *old_user_msgptr = *user_msgptr;
3014 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
3016 /* If the verb is "warn", messages generated by conditions (verification or
3017 nested ACLs) are always discarded. This also happens for acceptance verbs
3018 when they actually do accept. Only messages specified at this level are used.
3019 However, the value of an existing message is available in $acl_verify_message
3020 during expansions. */
3022 if (verb == ACL_WARN ||
3023 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3024 *log_msgptr = *user_msgptr = NULL;
3026 if (user_message != NULL)
3028 acl_verify_message = old_user_msgptr;
3029 expmessage = expand_string(user_message);
3030 if (expmessage == NULL)
3032 if (!expand_string_forcedfail)
3033 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3034 user_message, expand_string_message);
3036 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3039 if (log_message != NULL)
3041 acl_verify_message = old_log_msgptr;
3042 expmessage = expand_string(log_message);
3043 if (expmessage == NULL)
3045 if (!expand_string_forcedfail)
3046 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3047 log_message, expand_string_message);
3049 else if (expmessage[0] != 0)
3051 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3052 string_sprintf("%s: %s", expmessage, *log_msgptr);
3056 /* If no log message, default it to the user message */
3058 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3061 acl_verify_message = NULL;
3069 /*************************************************
3070 * Get line from a literal ACL *
3071 *************************************************/
3073 /* This function is passed to acl_read() in order to extract individual lines
3074 of a literal ACL, which we access via static pointers. We can destroy the
3075 contents because this is called only once (the compiled ACL is remembered).
3077 This code is intended to treat the data in the same way as lines in the main
3078 Exim configuration file. That is:
3080 . Leading spaces are ignored.
3082 . A \ at the end of a line is a continuation - trailing spaces after the \
3083 are permitted (this is because I don't believe in making invisible things
3084 significant). Leading spaces on the continued part of a line are ignored.
3086 . Physical lines starting (significantly) with # are totally ignored, and
3087 may appear within a sequence of backslash-continued lines.
3089 . Blank lines are ignored, but will end a sequence of continuations.
3092 Returns: a pointer to the next line
3096 static uschar *acl_text; /* Current pointer in the text */
3097 static uschar *acl_text_end; /* Points one past the terminating '0' */
3105 /* This loop handles leading blank lines and comments. */
3109 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3110 if (*acl_text == 0) return NULL; /* No more data */
3111 yield = acl_text; /* Potential data line */
3113 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3115 /* If we hit the end before a newline, we have the whole logical line. If
3116 it's a comment, there's no more data to be given. Otherwise, yield it. */
3118 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3120 /* After reaching a newline, end this loop if the physical line does not
3121 start with '#'. If it does, it's a comment, and the loop continues. */
3123 if (*yield != '#') break;
3126 /* This loop handles continuations. We know we have some real data, ending in
3127 newline. See if there is a continuation marker at the end (ignoring trailing
3128 white space). We know that *yield is not white space, so no need to test for
3129 cont > yield in the backwards scanning loop. */
3134 for (cont = acl_text - 1; isspace(*cont); cont--);
3136 /* If no continuation follows, we are done. Mark the end of the line and
3145 /* We have encountered a continuation. Skip over whitespace at the start of
3146 the next line, and indeed the whole of the next line or lines if they are
3151 while (*(++acl_text) == ' ' || *acl_text == '\t');
3152 if (*acl_text != '#') break;
3153 while (*(++acl_text) != 0 && *acl_text != '\n');
3156 /* We have the start of a continuation line. Move all the rest of the data
3157 to join onto the previous line, and then find its end. If the end is not a
3158 newline, we are done. Otherwise loop to look for another continuation. */
3160 memmove(cont, acl_text, acl_text_end - acl_text);
3161 acl_text_end -= acl_text - cont;
3163 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3164 if (*acl_text == 0) return yield;
3167 /* Control does not reach here */
3174 /*************************************************
3175 * Check access using an ACL *
3176 *************************************************/
3178 /* This function is called from address_check. It may recurse via
3179 acl_check_condition() - hence the use of a level to stop looping. The ACL is
3180 passed as a string which is expanded. A forced failure implies no access check
3181 is required. If the result is a single word, it is taken as the name of an ACL
3182 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3183 text, complete with newlines, and parsed as such. In both cases, the ACL check
3184 is then run. This function uses an auxiliary function for acl_read() to call
3185 for reading individual lines of a literal ACL. This is acl_getline(), which
3186 appears immediately above.
3189 where where called from
3190 addr address item when called from RCPT; otherwise NULL
3191 s the input string; NULL is the same as an empty ACL => DENY
3192 level the nesting level
3193 user_msgptr where to put a user error (for SMTP response)
3194 log_msgptr where to put a logging message (not for SMTP response)
3196 Returns: OK access is granted
3197 DISCARD access is apparently granted...
3198 FAIL access is denied
3199 FAIL_DROP access is denied; drop the connection
3200 DEFER can't tell at the moment
3205 acl_check_internal(int where, address_item *addr, uschar *s, int level,
3206 uschar **user_msgptr, uschar **log_msgptr)
3209 acl_block *acl = NULL;
3210 uschar *acl_name = US"inline ACL";
3213 /* Catch configuration loops */
3217 *log_msgptr = US"ACL nested too deep: possible loop";
3223 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3227 /* At top level, we expand the incoming string. At lower levels, it has already
3228 been expanded as part of condition processing. */
3232 ss = expand_string(s);
3235 if (expand_string_forcedfail) return OK;
3236 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3237 expand_string_message);
3243 while (isspace(*ss))ss++;
3245 /* If we can't find a named ACL, the default is to parse it as an inline one.
3246 (Unless it begins with a slash; non-existent files give rise to an error.) */
3250 /* Handle the case of a string that does not contain any spaces. Look for a
3251 named ACL among those read from the configuration, or a previously read file.
3252 It is possible that the pointer to the ACL is NULL if the configuration
3253 contains a name with no data. If not found, and the text begins with '/',
3254 read an ACL from a file, and save it so it can be re-used. */
3256 if (Ustrchr(ss, ' ') == NULL)
3258 tree_node *t = tree_search(acl_anchor, ss);
3261 acl = (acl_block *)(t->data.ptr);
3264 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3267 acl_name = string_sprintf("ACL \"%s\"", ss);
3268 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3271 else if (*ss == '/')
3273 struct stat statbuf;
3274 fd = Uopen(ss, O_RDONLY, 0);
3277 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3282 if (fstat(fd, &statbuf) != 0)
3284 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3289 acl_text = store_get(statbuf.st_size + 1);
3290 acl_text_end = acl_text + statbuf.st_size + 1;
3292 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3294 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3295 ss, strerror(errno));
3298 acl_text[statbuf.st_size] = 0;
3301 acl_name = string_sprintf("ACL \"%s\"", ss);
3302 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3306 /* Parse an ACL that is still in text form. If it came from a file, remember it
3307 in the ACL tree, having read it into the POOL_PERM store pool so that it
3308 persists between multiple messages. */
3312 int old_pool = store_pool;
3313 if (fd >= 0) store_pool = POOL_PERM;
3314 acl = acl_read(acl_getline, log_msgptr);
3315 store_pool = old_pool;
3316 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3319 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3320 Ustrcpy(t->name, ss);
3322 (void)tree_insertnode(&acl_anchor, t);
3326 /* Now we have an ACL to use. It's possible it may be NULL. */
3331 int basic_errno = 0;
3332 BOOL endpass_seen = FALSE;
3334 *log_msgptr = *user_msgptr = NULL;
3335 acl_temp_details = FALSE;
3337 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
3338 acl->verb != ACL_ACCEPT &&
3339 acl->verb != ACL_WARN)
3341 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
3346 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3348 /* Clear out any search error message from a previous check before testing
3351 search_error_message = NULL;
3352 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3353 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3355 /* Handle special returns: DEFER causes a return except on a WARN verb;
3356 ERROR always causes a return. */
3361 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3362 if (basic_errno != ERRNO_CALLOUTDEFER)
3364 if (search_error_message != NULL && *search_error_message != 0)
3365 *log_msgptr = search_error_message;
3366 if (smtp_return_error_details) acl_temp_details = TRUE;
3370 acl_temp_details = TRUE;
3372 if (acl->verb != ACL_WARN) return DEFER;
3375 default: /* Paranoia */
3377 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3381 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3386 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3389 /* DISCARD and DROP can happen only from a nested ACL condition, and
3390 DISCARD can happen only for an "accept" or "discard" verb. */
3393 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3398 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3403 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3404 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3405 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3410 if (cond == OK || cond == DISCARD) return cond;
3413 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3421 acl_temp_details = TRUE;
3427 if (cond == OK) return FAIL;
3431 if (cond == OK || cond == DISCARD) return DISCARD;
3434 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3440 if (cond == OK) return FAIL_DROP;
3444 if (cond != OK) return cond;
3449 acl_warn(where, *user_msgptr, *log_msgptr);
3450 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
3451 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3452 "condition test deferred%s%s", host_and_ident(TRUE),
3453 (*log_msgptr == NULL)? US"" : US": ",
3454 (*log_msgptr == NULL)? US"" : *log_msgptr);
3455 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3459 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3464 /* Pass to the next ACL item */
3469 /* We have reached the end of the ACL. This is an implicit DENY. */
3471 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3476 /*************************************************
3477 * Check access using an ACL *
3478 *************************************************/
3480 /* This is the external interface for ACL checks. It sets up an address and the
3481 expansions for $domain and $local_part when called after RCPT, then calls
3482 acl_check_internal() to do the actual work.
3485 where ACL_WHERE_xxxx indicating where called from
3486 recipient RCPT address for RCPT check, else NULL
3487 s the input string; NULL is the same as an empty ACL => DENY
3488 user_msgptr where to put a user error (for SMTP response)
3489 log_msgptr where to put a logging message (not for SMTP response)
3491 Returns: OK access is granted by an ACCEPT verb
3492 DISCARD access is granted by a DISCARD verb
3493 FAIL access is denied
3494 FAIL_DROP access is denied; drop the connection
3495 DEFER can't tell at the moment
3500 acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
3501 uschar **log_msgptr)
3505 address_item *addr = NULL;
3507 *user_msgptr = *log_msgptr = NULL;
3508 sender_verified_failed = NULL;
3509 ratelimiters_cmd = NULL;
3510 log_reject_target = LOG_MAIN|LOG_REJECT;
3512 if (where == ACL_WHERE_RCPT)
3514 adb = address_defaults;
3516 addr->address = recipient;
3517 if (deliver_split_address(addr) == DEFER)
3519 *log_msgptr = US"defer in percent_hack_domains check";
3522 deliver_domain = addr->domain;
3523 deliver_localpart = addr->local_part;
3526 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3528 deliver_domain = deliver_localpart = deliver_address_data =
3529 sender_address_data = NULL;
3531 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3532 ACL, which is really in the middle of an SMTP command. */
3536 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3538 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3539 "ACL", acl_wherenames[where]);
3545 /* A DROP response is not permitted from MAILAUTH */
3547 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3549 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3550 "ACL", acl_wherenames[where]);
3554 /* Before giving a response, take a look at the length of any user message, and
3555 split it up into multiple lines if possible. */
3557 *user_msgptr = string_split_message(*user_msgptr);
3558 if (fake_response != OK)
3559 fake_response_text = string_split_message(fake_response_text);
3566 /*************************************************
3567 * Create ACL variable *
3568 *************************************************/
3570 /* Create an ACL variable or reuse an existing one. ACL variables are in a
3571 binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3574 name pointer to the variable's name, starting with c or m
3576 Returns the pointer to variable's tree node
3580 acl_var_create(uschar *name)
3582 tree_node *node, **root;
3583 root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3584 node = tree_search(*root, name);
3587 node = store_get(sizeof(tree_node) + Ustrlen(name));
3588 Ustrcpy(node->name, name);
3589 (void)tree_insertnode(root, node);
3591 node->data.ptr = NULL;
3597 /*************************************************
3598 * Write an ACL variable in spool format *
3599 *************************************************/
3601 /* This function is used as a callback for tree_walk when writing variables to
3602 the spool file. To retain spool file compatibility, what is written is -aclc or
3603 -aclm followed by the rest of the name and the data length, space separated,
3604 then the value itself, starting on a new line, and terminated by an additional
3605 newline. When we had only numbered ACL variables, the first line might look
3606 like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3610 name of the variable
3611 value of the variable
3612 ctx FILE pointer (as a void pointer)
3618 acl_var_write(uschar *name, uschar *value, void *ctx)
3620 FILE *f = (FILE *)ctx;
3621 fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);