1 /* $Cambridge: exim/src/src/acl.c,v 1.64 2006/09/19 11:28:45 ph10 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2006 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the condition for which "message" is used */
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
34 /* ACL condition and modifier codes - keep in step with the table that
35 follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
41 #ifdef EXPERIMENTAL_BRIGHTMAIL
46 #ifdef WITH_CONTENT_SCAN
50 #ifdef WITH_OLD_DEMIME
53 #ifdef EXPERIMENTAL_DOMAINKEYS
54 ACLC_DK_DOMAIN_SOURCE,
56 ACLC_DK_SENDER_DOMAINS,
57 ACLC_DK_SENDER_LOCAL_PARTS,
69 #ifdef WITH_CONTENT_SCAN
73 #ifdef WITH_CONTENT_SCAN
78 #ifdef WITH_CONTENT_SCAN
84 #ifdef WITH_CONTENT_SCAN
87 #ifdef EXPERIMENTAL_SPF
92 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
93 "log_message", "logwrite", and "set" are modifiers that look like conditions
94 but always return TRUE. They are used for their side effects. */
96 static uschar *conditions[] = {
100 #ifdef EXPERIMENTAL_BRIGHTMAIL
105 #ifdef WITH_CONTENT_SCAN
109 #ifdef WITH_OLD_DEMIME
112 #ifdef EXPERIMENTAL_DOMAINKEYS
113 US"dk_domain_source",
115 US"dk_sender_domains",
116 US"dk_sender_local_parts",
120 US"dnslists", US"domains", US"encrypted",
121 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
122 #ifdef WITH_CONTENT_SCAN
126 #ifdef WITH_CONTENT_SCAN
131 #ifdef WITH_CONTENT_SCAN
134 US"sender_domains", US"senders", US"set",
135 #ifdef WITH_CONTENT_SCAN
138 #ifdef EXPERIMENTAL_SPF
144 /* Return values from decode_control(); keep in step with the table of names
148 CONTROL_AUTH_UNADVERTISED,
149 #ifdef EXPERIMENTAL_BRIGHTMAIL
152 #ifdef EXPERIMENTAL_DOMAINKEYS
156 CONTROL_CASEFUL_LOCAL_PART,
157 CONTROL_CASELOWER_LOCAL_PART,
158 CONTROL_ENFORCE_SYNC,
159 CONTROL_NO_ENFORCE_SYNC,
163 CONTROL_SUPPRESS_LOCAL_FIXUPS,
164 #ifdef WITH_CONTENT_SCAN
165 CONTROL_NO_MBOX_UNSPOOL,
172 /* ACL control names; keep in step with the table above! This list is used for
173 turning ids into names. The actual list of recognized names is in the variable
174 control_def controls_list[] below. The fact that there are two lists is a mess
175 and should be tidied up. */
177 static uschar *controls[] = {
178 US"allow_auth_unadvertised",
179 #ifdef EXPERIMENTAL_BRIGHTMAIL
182 #ifdef EXPERIMENTAL_DOMAINKEYS
186 US"caseful_local_part",
187 US"caselower_local_part",
193 US"suppress_local_fixups",
194 #ifdef WITH_CONTENT_SCAN
200 /* Flags to indicate for which conditions /modifiers a string expansion is done
201 at the outer level. In the other cases, expansion already occurs in the
202 checking functions. */
204 static uschar cond_expand_at_top[] = {
206 TRUE, /* add_header */
207 FALSE, /* authenticated */
208 #ifdef EXPERIMENTAL_BRIGHTMAIL
209 TRUE, /* bmi_optin */
211 TRUE, /* condition */
213 #ifdef WITH_CONTENT_SCAN
217 #ifdef WITH_OLD_DEMIME
220 #ifdef EXPERIMENTAL_DOMAINKEYS
221 TRUE, /* dk_domain_source */
222 TRUE, /* dk_policy */
223 TRUE, /* dk_sender_domains */
224 TRUE, /* dk_sender_local_parts */
225 TRUE, /* dk_senders */
226 TRUE, /* dk_status */
230 FALSE, /* encrypted */
233 FALSE, /* local_parts */
234 TRUE, /* log_message */
236 #ifdef WITH_CONTENT_SCAN
240 #ifdef WITH_CONTENT_SCAN
241 TRUE, /* mime_regex */
243 TRUE, /* ratelimit */
244 FALSE, /* recipients */
245 #ifdef WITH_CONTENT_SCAN
248 FALSE, /* sender_domains */
251 #ifdef WITH_CONTENT_SCAN
254 #ifdef EXPERIMENTAL_SPF
260 /* Flags to identify the modifiers */
262 static uschar cond_modifiers[] = {
264 TRUE, /* add_header */
265 FALSE, /* authenticated */
266 #ifdef EXPERIMENTAL_BRIGHTMAIL
267 TRUE, /* bmi_optin */
269 FALSE, /* condition */
271 #ifdef WITH_CONTENT_SCAN
275 #ifdef WITH_OLD_DEMIME
278 #ifdef EXPERIMENTAL_DOMAINKEYS
279 FALSE, /* dk_domain_source */
280 FALSE, /* dk_policy */
281 FALSE, /* dk_sender_domains */
282 FALSE, /* dk_sender_local_parts */
283 FALSE, /* dk_senders */
284 FALSE, /* dk_status */
286 FALSE, /* dnslists */
288 FALSE, /* encrypted */
291 FALSE, /* local_parts */
292 TRUE, /* log_message */
294 #ifdef WITH_CONTENT_SCAN
298 #ifdef WITH_CONTENT_SCAN
299 FALSE, /* mime_regex */
301 FALSE, /* ratelimit */
302 FALSE, /* recipients */
303 #ifdef WITH_CONTENT_SCAN
306 FALSE, /* sender_domains */
309 #ifdef WITH_CONTENT_SCAN
312 #ifdef EXPERIMENTAL_SPF
318 /* Bit map vector of which conditions are not allowed at certain times. For
319 each condition, there's a bitmap of dis-allowed times. For some, it is easier
320 to specify the negation of a small number of allowed times. */
322 static unsigned int cond_forbids[] = {
326 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
327 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
328 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
329 (1<<ACL_WHERE_NOTSMTP_START)),
331 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
332 (1<<ACL_WHERE_NOTSMTP_START)|
333 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
335 #ifdef EXPERIMENTAL_BRIGHTMAIL
336 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
337 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
338 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
339 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
340 (1<<ACL_WHERE_MAILAUTH)|
341 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
342 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
343 (1<<ACL_WHERE_NOTSMTP_START),
348 /* Certain types of control are always allowed, so we let it through
349 always and check in the control processing itself. */
353 #ifdef WITH_CONTENT_SCAN
355 ~(1<<ACL_WHERE_MIME), /* decode */
360 #ifdef WITH_OLD_DEMIME
362 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
365 #ifdef EXPERIMENTAL_DOMAINKEYS
366 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
367 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
368 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
369 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
370 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
371 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
372 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
374 (1<<ACL_WHERE_AUTH)| /* dk_policy */
375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
378 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
382 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
383 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
384 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
385 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
386 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
387 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
388 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
390 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
391 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
392 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
393 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
394 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
395 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
396 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
398 (1<<ACL_WHERE_AUTH)| /* dk_senders */
399 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
400 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
401 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
402 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
403 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
404 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
406 (1<<ACL_WHERE_AUTH)| /* dk_status */
407 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
408 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
409 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
410 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
411 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
412 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
415 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
416 (1<<ACL_WHERE_NOTSMTP_START),
419 ~(1<<ACL_WHERE_RCPT), /* domains */
421 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
422 (1<<ACL_WHERE_CONNECT)|
423 (1<<ACL_WHERE_NOTSMTP_START)|
428 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
429 (1<<ACL_WHERE_NOTSMTP_START),
432 ~(1<<ACL_WHERE_RCPT), /* local_parts */
438 #ifdef WITH_CONTENT_SCAN
440 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
445 #ifdef WITH_CONTENT_SCAN
447 ~(1<<ACL_WHERE_MIME), /* mime_regex */
453 ~(1<<ACL_WHERE_RCPT), /* recipients */
455 #ifdef WITH_CONTENT_SCAN
457 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
458 (1<<ACL_WHERE_MIME)),
461 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
463 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
464 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
465 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
467 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
469 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
470 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
471 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
475 #ifdef WITH_CONTENT_SCAN
477 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
480 #ifdef EXPERIMENTAL_SPF
481 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
483 (1<<ACL_WHERE_MAILAUTH)|
484 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
485 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
486 (1<<ACL_WHERE_NOTSMTP)|
487 (1<<ACL_WHERE_NOTSMTP_START),
490 /* Certain types of verify are always allowed, so we let it through
491 always and check in the verify function itself */
497 /* Bit map vector of which controls are not allowed at certain times. For
498 each control, there's a bitmap of dis-allowed times. For some, it is easier to
499 specify the negation of a small number of allowed times. */
501 static unsigned int control_forbids[] = {
503 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
505 #ifdef EXPERIMENTAL_BRIGHTMAIL
509 #ifdef EXPERIMENTAL_DOMAINKEYS
510 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dk_verify */
511 (1<<ACL_WHERE_NOTSMTP_START),
517 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
520 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
522 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
523 (1<<ACL_WHERE_NOTSMTP_START),
525 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
526 (1<<ACL_WHERE_NOTSMTP_START),
529 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
530 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
531 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
534 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
535 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
536 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
539 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
540 (1<<ACL_WHERE_PREDATA)),
543 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
544 (1<<ACL_WHERE_PREDATA)|
545 (1<<ACL_WHERE_NOTSMTP_START)),
547 #ifdef WITH_CONTENT_SCAN
549 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
550 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
551 (1<<ACL_WHERE_MIME)),
555 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
556 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
557 (1<<ACL_WHERE_MIME)),
560 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
561 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
562 (1<<ACL_WHERE_MIME)),
564 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
565 (1<<ACL_WHERE_NOTSMTP_START)
568 /* Structure listing various control arguments, with their characteristics. */
570 typedef struct control_def {
572 int value; /* CONTROL_xxx value */
573 BOOL has_option; /* Has /option(s) following */
576 static control_def controls_list[] = {
577 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
578 #ifdef EXPERIMENTAL_BRIGHTMAIL
579 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
581 #ifdef EXPERIMENTAL_DOMAINKEYS
582 { US"dk_verify", CONTROL_DK_VERIFY, FALSE },
584 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
585 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
586 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
587 { US"freeze", CONTROL_FREEZE, TRUE },
588 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
589 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
590 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
591 #ifdef WITH_CONTENT_SCAN
592 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
594 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
595 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
596 { US"submission", CONTROL_SUBMISSION, TRUE },
597 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
600 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
601 caches its result in a tree to avoid repeated DNS queries. The result is an
602 integer code which is used as an index into the following tables of
603 explanatory strings and verification return codes. */
605 static tree_node *csa_cache = NULL;
607 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
608 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
610 /* The acl_verify_csa() return code is translated into an acl_verify() return
611 code using the following table. It is OK unless the client is definitely not
612 authorized. This is because CSA is supposed to be optional for sending sites,
613 so recipients should not be too strict about checking it - especially because
614 DNS problems are quite likely to occur. It's possible to use $csa_status in
615 further ACL conditions to distinguish ok, unknown, and defer if required, but
616 the aim is to make the usual configuration simple. */
618 static int csa_return_code[] = {
620 FAIL, FAIL, FAIL, FAIL
623 static uschar *csa_status_string[] = {
624 US"unknown", US"ok", US"defer", US"defer",
625 US"fail", US"fail", US"fail", US"fail"
628 static uschar *csa_reason_string[] = {
631 US"deferred (SRV lookup failed)",
632 US"deferred (target address lookup failed)",
633 US"failed (explicit authorization required)",
634 US"failed (host name not authorized)",
635 US"failed (no authorized addresses)",
636 US"failed (client address mismatch)"
639 /* Enable recursion between acl_check_internal() and acl_check_condition() */
641 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
645 /*************************************************
646 * Pick out name from list *
647 *************************************************/
649 /* Use a binary chop method
656 Returns: offset in list, or -1 if not found
660 acl_checkname(uschar *name, uschar **list, int end)
666 int mid = (start + end)/2;
667 int c = Ustrcmp(name, list[mid]);
668 if (c == 0) return mid;
669 if (c < 0) end = mid; else start = mid + 1;
676 /*************************************************
677 * Read and parse one ACL *
678 *************************************************/
680 /* This function is called both from readconf in order to parse the ACLs in the
681 configuration file, and also when an ACL is encountered dynamically (e.g. as
682 the result of an expansion). It is given a function to call in order to
683 retrieve the lines of the ACL. This function handles skipping comments and
684 blank lines (where relevant).
687 func function to get next line of ACL
688 error where to put an error message
690 Returns: pointer to ACL, or NULL
691 NULL can be legal (empty ACL); in this case error will be NULL
695 acl_read(uschar *(*func)(void), uschar **error)
697 acl_block *yield = NULL;
698 acl_block **lastp = &yield;
699 acl_block *this = NULL;
700 acl_condition_block *cond;
701 acl_condition_block **condp = NULL;
706 while ((s = (*func)()) != NULL)
709 BOOL negated = FALSE;
710 uschar *saveline = s;
713 /* Conditions (but not verbs) are allowed to be negated by an initial
716 while (isspace(*s)) s++;
723 /* Read the name of a verb or a condition, or the start of a new ACL, which
724 can be started by a name, or by a macro definition. */
726 s = readconf_readname(name, sizeof(name), s);
727 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
729 /* If a verb is unrecognized, it may be another condition or modifier that
730 continues the previous verb. */
732 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
737 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
749 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
752 this = store_get(sizeof(acl_block));
754 lastp = &(this->next);
757 this->condition = NULL;
758 condp = &(this->condition);
759 if (*s == 0) continue; /* No condition on this line */
765 s = readconf_readname(name, sizeof(name), s); /* Condition name */
768 /* Handle a condition or modifier. */
770 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
773 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
778 /* The modifiers may not be negated */
780 if (negated && cond_modifiers[c])
782 *error = string_sprintf("ACL error: negation is not allowed with "
783 "\"%s\"", conditions[c]);
787 /* ENDPASS may occur only with ACCEPT or DISCARD. */
789 if (c == ACLC_ENDPASS &&
790 this->verb != ACL_ACCEPT &&
791 this->verb != ACL_DISCARD)
793 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
794 conditions[c], verbs[this->verb]);
798 cond = store_get(sizeof(acl_condition_block));
801 cond->u.negated = negated;
804 condp = &(cond->next);
806 /* The "set" modifier is different in that its argument is "name=value"
807 rather than just a value, and we can check the validity of the name, which
808 gives us a variable name to insert into the data block. The original ACL
809 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
810 extended to 20 of each type, but after that people successfully argued for
811 arbitrary names. For compatibility, however, the names must still start with
812 acl_c or acl_m. After that, we allow alphanumerics and underscores. */
818 if (Ustrncmp(s, "acl_c", 5) != 0 &&
819 Ustrncmp(s, "acl_m", 5) != 0)
821 *error = string_sprintf("invalid variable name after \"set\" in ACL "
822 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
827 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
829 if (!isalnum(*endptr) && *endptr != '_')
831 *error = string_sprintf("invalid character \"%c\" in variable name "
832 "in ACL modifier \"set %s\"", *endptr, s);
840 *error = string_sprintf("invalid variable name after \"set\" in ACL "
841 "modifier \"set %s\" (must be at least 6 characters)", s);
845 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
847 while (isspace(*s)) s++;
850 /* For "set", we are now positioned for the data. For the others, only
851 "endpass" has no data */
853 if (c != ACLC_ENDPASS)
857 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
858 cond_modifiers[c]? US"modifier" : US"condition");
861 while (isspace(*s)) s++;
862 cond->arg = string_copy(s);
871 /*************************************************
872 * Set up added header line(s) *
873 *************************************************/
875 /* This function is called by the add_header modifier, and also from acl_warn()
876 to implement the now-deprecated way of adding header lines using "message" on a
877 "warn" verb. The argument is treated as a sequence of header lines which are
878 added to a chain, provided there isn't an identical one already there.
880 Argument: string of header lines
885 setup_header(uschar *hstring)
888 int hlen = Ustrlen(hstring);
890 /* An empty string does nothing; otherwise add a final newline if necessary. */
892 if (hlen <= 0) return;
893 if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
895 /* Loop for multiple header lines, taking care about continuations */
897 for (p = q = hstring; *p != 0; )
900 int newtype = htype_add_bot;
901 header_line **hptr = &acl_added_headers;
903 /* Find next header line within the string */
907 q = Ustrchr(q, '\n');
908 if (*(++q) != ' ' && *q != '\t') break;
911 /* If the line starts with a colon, interpret the instruction for where to
912 add it. This temporarily sets up a new type. */
916 if (strncmpic(p, US":after_received:", 16) == 0)
918 newtype = htype_add_rec;
921 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
923 newtype = htype_add_rfc;
926 else if (strncmpic(p, US":at_start:", 10) == 0)
928 newtype = htype_add_top;
931 else if (strncmpic(p, US":at_end:", 8) == 0)
933 newtype = htype_add_bot;
936 while (*p == ' ' || *p == '\t') p++;
939 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
940 to the front of it. */
942 for (s = p; s < q - 1; s++)
944 if (*s == ':' || !isgraph(*s)) break;
947 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
950 /* See if this line has already been added */
952 while (*hptr != NULL)
954 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
955 hptr = &((*hptr)->next);
958 /* Add if not previously present */
962 header_line *h = store_get(sizeof(header_line));
971 /* Advance for next header line within the string */
980 /*************************************************
982 *************************************************/
984 /* This function is called when a WARN verb's conditions are true. It adds to
985 the message's headers, and/or writes information to the log. In each case, this
986 only happens once (per message for headers, per connection for log).
988 ** NOTE: The header adding action using the "message" setting is historic, and
989 its use is now deprecated. The new add_header modifier should be used instead.
992 where ACL_WHERE_xxxx indicating which ACL this is
993 user_message message for adding to headers
994 log_message message for logging, if different
1000 acl_warn(int where, uschar *user_message, uschar *log_message)
1002 if (log_message != NULL && log_message != user_message)
1005 string_item *logged;
1007 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1008 string_printing(log_message));
1010 /* If a sender verification has failed, and the log message is "sender verify
1011 failed", add the failure message. */
1013 if (sender_verified_failed != NULL &&
1014 sender_verified_failed->message != NULL &&
1015 strcmpic(log_message, US"sender verify failed") == 0)
1016 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1018 /* Search previously logged warnings. They are kept in malloc
1019 store so they can be freed at the start of a new message. */
1021 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1022 if (Ustrcmp(logged->text, text) == 0) break;
1026 int length = Ustrlen(text) + 1;
1027 log_write(0, LOG_MAIN, "%s", text);
1028 logged = store_malloc(sizeof(string_item) + length);
1029 logged->text = (uschar *)logged + sizeof(string_item);
1030 memcpy(logged->text, text, length);
1031 logged->next = acl_warn_logged;
1032 acl_warn_logged = logged;
1036 /* If there's no user message, we are done. */
1038 if (user_message == NULL) return;
1040 /* If this isn't a message ACL, we can't do anything with a user message.
1043 if (where > ACL_WHERE_NOTSMTP)
1045 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1046 "found in a non-message (%s) ACL: cannot specify header lines here: "
1047 "message ignored", acl_wherenames[where]);
1051 /* The code for setting up header lines is now abstracted into a separate
1052 function so that it can be used for the add_header modifier as well. */
1054 setup_header(user_message);
1059 /*************************************************
1060 * Verify and check reverse DNS *
1061 *************************************************/
1063 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1064 address if this has not yet been done. The host_name_lookup() function checks
1065 that one of these names resolves to an address list that contains the client IP
1066 address, so we don't actually have to do the check here.
1069 user_msgptr pointer for user message
1070 log_msgptr pointer for log message
1072 Returns: OK verification condition succeeded
1073 FAIL verification failed
1074 DEFER there was a problem verifying
1078 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1082 user_msgptr = user_msgptr; /* stop compiler warning */
1084 /* Previous success */
1086 if (sender_host_name != NULL) return OK;
1088 /* Previous failure */
1090 if (host_lookup_failed)
1092 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1096 /* Need to do a lookup */
1099 debug_printf("looking up host name to force name/address consistency check\n");
1101 if ((rc = host_name_lookup()) != OK)
1103 *log_msgptr = (rc == DEFER)?
1104 US"host lookup deferred for reverse lookup check"
1106 string_sprintf("host lookup failed for reverse lookup check%s",
1108 return rc; /* DEFER or FAIL */
1111 host_build_sender_fullhost();
1117 /*************************************************
1118 * Check client IP address matches CSA target *
1119 *************************************************/
1121 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1122 response for address records belonging to the CSA target hostname. The section
1123 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1124 If one of the addresses matches the client's IP address, then the client is
1125 authorized by CSA. If there are target IP addresses but none of them match
1126 then the client is using an unauthorized IP address. If there are no target IP
1127 addresses then the client cannot be using an authorized IP address. (This is
1128 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1131 dnsa the DNS answer block
1132 dnss a DNS scan block for us to use
1133 reset option specifing what portion to scan, as described above
1134 target the target hostname to use for matching RR names
1136 Returns: CSA_OK successfully authorized
1137 CSA_FAIL_MISMATCH addresses found but none matched
1138 CSA_FAIL_NOADDR no target addresses found
1142 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1148 BOOL target_found = FALSE;
1150 for (rr = dns_next_rr(dnsa, dnss, reset);
1152 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1154 /* Check this is an address RR for the target hostname. */
1158 && rr->type != T_AAAA
1165 if (strcmpic(target, rr->name) != 0) continue;
1167 target_found = TRUE;
1169 /* Turn the target address RR into a list of textual IP addresses and scan
1170 the list. There may be more than one if it is an A6 RR. */
1172 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1174 /* If the client IP address matches the target IP address, it's good! */
1176 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1178 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1182 /* If we found some target addresses but none of them matched, the client is
1183 using an unauthorized IP address, otherwise the target has no authorized IP
1186 if (target_found) return CSA_FAIL_MISMATCH;
1187 else return CSA_FAIL_NOADDR;
1192 /*************************************************
1193 * Verify Client SMTP Authorization *
1194 *************************************************/
1196 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1197 to find the CSA SRV record corresponding to the domain argument, or
1198 $sender_helo_name if no argument is provided. It then checks that the
1199 client is authorized, and that its IP address corresponds to the SRV
1200 target's address by calling acl_verify_csa_address() above. The address
1201 should have been returned in the DNS response's ADDITIONAL section, but if
1202 not we perform another DNS lookup to get it.
1205 domain pointer to optional parameter following verify = csa
1207 Returns: CSA_UNKNOWN no valid CSA record found
1208 CSA_OK successfully authorized
1209 CSA_FAIL_* client is definitely not authorized
1210 CSA_DEFER_* there was a DNS problem
1214 acl_verify_csa(uschar *domain)
1218 int priority, weight, port;
1225 /* Work out the domain we are using for the CSA lookup. The default is the
1226 client's HELO domain. If the client has not said HELO, use its IP address
1227 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1229 while (isspace(*domain) && *domain != '\0') ++domain;
1230 if (*domain == '\0') domain = sender_helo_name;
1231 if (domain == NULL) domain = sender_host_address;
1232 if (sender_host_address == NULL) return CSA_UNKNOWN;
1234 /* If we have an address literal, strip off the framing ready for turning it
1235 into a domain. The framing consists of matched square brackets possibly
1236 containing a keyword and a colon before the actual IP address. */
1238 if (domain[0] == '[')
1240 uschar *start = Ustrchr(domain, ':');
1241 if (start == NULL) start = domain;
1242 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1245 /* Turn domains that look like bare IP addresses into domains in the reverse
1246 DNS. This code also deals with address literals and $sender_host_address. It's
1247 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1248 address literals, but it's probably the most friendly thing to do. This is an
1249 extension to CSA, so we allow it to be turned off for proper conformance. */
1251 if (string_is_ip_address(domain, NULL) != 0)
1253 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1254 dns_build_reverse(domain, target);
1258 /* Find out if we've already done the CSA check for this domain. If we have,
1259 return the same result again. Otherwise build a new cached result structure
1260 for this domain. The name is filled in now, and the value is filled in when
1261 we return from this function. */
1263 t = tree_search(csa_cache, domain);
1264 if (t != NULL) return t->data.val;
1266 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1267 Ustrcpy(t->name, domain);
1268 (void)tree_insertnode(&csa_cache, t);
1270 /* Now we are ready to do the actual DNS lookup(s). */
1273 switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1275 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1278 return t->data.val = CSA_DEFER_SRV;
1280 /* If we found nothing, the client's authorization is unknown. */
1284 return t->data.val = CSA_UNKNOWN;
1286 /* We got something! Go on to look at the reply in more detail. */
1292 /* Scan the reply for well-formed CSA SRV records. */
1294 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1296 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1298 if (rr->type != T_SRV) continue;
1300 /* Extract the numerical SRV fields (p is incremented) */
1303 GETSHORT(priority, p);
1304 GETSHORT(weight, p);
1308 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1310 /* Check the CSA version number */
1312 if (priority != 1) continue;
1314 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1315 found by dns_special_lookup() is a parent of the one we asked for), we check
1316 the subdomain assertions in the port field. At the moment there's only one
1317 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1318 SRV records of their own. */
1320 if (found != domain)
1323 return t->data.val = CSA_FAIL_EXPLICIT;
1325 return t->data.val = CSA_UNKNOWN;
1328 /* This CSA SRV record refers directly to our domain, so we check the value
1329 in the weight field to work out the domain's authorization. 0 and 1 are
1330 unauthorized; 3 means the client is authorized but we can't check the IP
1331 address in order to authenticate it, so we treat it as unknown; values
1332 greater than 3 are undefined. */
1334 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1336 if (weight > 2) continue;
1338 /* Weight == 2, which means the domain is authorized. We must check that the
1339 client's IP address is listed as one of the SRV target addresses. Save the
1340 target hostname then break to scan the additional data for its addresses. */
1342 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1343 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1345 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1350 /* If we didn't break the loop then no appropriate records were found. */
1352 if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1354 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1355 A target of "." indicates there are no valid addresses, so the client cannot
1356 be authorized. (This is an odd configuration because weight=2 target=. is
1357 equivalent to weight=1, but we check for it in order to keep load off the
1358 root name servers.) Note that dn_expand() turns "." into "". */
1360 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1362 /* Scan the additional section of the CSA SRV reply for addresses belonging
1363 to the target. If the name server didn't return any additional data (e.g.
1364 because it does not fully support SRV records), we need to do another lookup
1365 to obtain the target addresses; otherwise we have a definitive result. */
1367 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1368 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1370 /* The DNS lookup type corresponds to the IP version used by the client. */
1373 if (Ustrchr(sender_host_address, ':') != NULL)
1376 #endif /* HAVE_IPV6 */
1380 #if HAVE_IPV6 && defined(SUPPORT_A6)
1384 switch (dns_lookup(&dnsa, target, type, NULL))
1386 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1389 return t->data.val = CSA_DEFER_ADDR;
1391 /* If the query succeeded, scan the addresses and return the result. */
1394 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1395 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1396 /* else fall through */
1398 /* If the target has no IP addresses, the client cannot have an authorized
1399 IP address. However, if the target site uses A6 records (not AAAA records)
1400 we have to do yet another lookup in order to check them. */
1405 #if HAVE_IPV6 && defined(SUPPORT_A6)
1406 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1409 return t->data.val = CSA_FAIL_NOADDR;
1415 /*************************************************
1416 * Handle verification (address & other) *
1417 *************************************************/
1419 /* This function implements the "verify" condition. It is called when
1420 encountered in any ACL, because some tests are almost always permitted. Some
1421 just don't make sense, and always fail (for example, an attempt to test a host
1422 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1425 where where called from
1426 addr the recipient address that the ACL is handling, or NULL
1427 arg the argument of "verify"
1428 user_msgptr pointer for user message
1429 log_msgptr pointer for log message
1430 basic_errno where to put verify errno
1432 Returns: OK verification condition succeeded
1433 FAIL verification failed
1434 DEFER there was a problem verifying
1439 acl_verify(int where, address_item *addr, uschar *arg,
1440 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1444 int callout_overall = -1;
1445 int callout_connect = -1;
1446 int verify_options = 0;
1448 BOOL verify_header_sender = FALSE;
1449 BOOL defer_ok = FALSE;
1450 BOOL callout_defer_ok = FALSE;
1451 BOOL no_details = FALSE;
1452 BOOL success_on_redirect = FALSE;
1453 address_item *sender_vaddr = NULL;
1454 uschar *verify_sender_address = NULL;
1455 uschar *pm_mailfrom = NULL;
1456 uschar *se_mailfrom = NULL;
1458 /* Some of the verify items have slash-separated options; some do not. Diagnose
1459 an error if options are given for items that don't expect them. This code has
1460 now got very message. Refactoring to use a table would be a good idea one day.
1463 uschar *slash = Ustrchr(arg, '/');
1465 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1467 if (ss == NULL) goto BAD_VERIFY;
1469 /* Handle name/address consistency verification in a separate function. */
1471 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1473 if (slash != NULL) goto NO_OPTIONS;
1474 if (sender_host_address == NULL) return OK;
1475 return acl_verify_reverse(user_msgptr, log_msgptr);
1478 /* TLS certificate verification is done at STARTTLS time; here we just
1479 test whether it was successful or not. (This is for optional verification; for
1480 mandatory verification, the connection doesn't last this long.) */
1482 if (strcmpic(ss, US"certificate") == 0)
1484 if (slash != NULL) goto NO_OPTIONS;
1485 if (tls_certificate_verified) return OK;
1486 *user_msgptr = US"no verified certificate";
1490 /* We can test the result of optional HELO verification that might have
1491 occurred earlier. If not, we can attempt the verification now. */
1493 if (strcmpic(ss, US"helo") == 0)
1495 if (slash != NULL) goto NO_OPTIONS;
1496 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1497 return helo_verified? OK : FAIL;
1500 /* Do Client SMTP Authorization checks in a separate function, and turn the
1501 result code into user-friendly strings. */
1503 if (strcmpic(ss, US"csa") == 0)
1505 rc = acl_verify_csa(list);
1506 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1507 csa_reason_string[rc]);
1508 csa_status = csa_status_string[rc];
1509 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1510 return csa_return_code[rc];
1513 /* Check that all relevant header lines have the correct syntax. If there is
1514 a syntax error, we return details of the error to the sender if configured to
1515 send out full details. (But a "message" setting on the ACL can override, as
1518 if (strcmpic(ss, US"header_syntax") == 0)
1520 if (slash != NULL) goto NO_OPTIONS;
1521 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1522 rc = verify_check_headers(log_msgptr);
1523 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1524 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1528 /* Check that no recipient of this message is "blind", that is, every envelope
1529 recipient must be mentioned in either To: or Cc:. */
1531 if (strcmpic(ss, US"not_blind") == 0)
1533 if (slash != NULL) goto NO_OPTIONS;
1534 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1535 rc = verify_check_notblind();
1538 *log_msgptr = string_sprintf("bcc recipient detected");
1539 if (smtp_return_error_details)
1540 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1545 /* The remaining verification tests check recipient and sender addresses,
1546 either from the envelope or from the header. There are a number of
1547 slash-separated options that are common to all of them. */
1550 /* Check that there is at least one verifiable sender address in the relevant
1551 header lines. This can be followed by callout and defer options, just like
1552 sender and recipient. */
1554 if (strcmpic(ss, US"header_sender") == 0)
1556 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1557 verify_header_sender = TRUE;
1560 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1561 In the case of a sender, this can optionally be followed by an address to use
1562 in place of the actual sender (rare special-case requirement). */
1564 else if (strncmpic(ss, US"sender", 6) == 0)
1567 if (where > ACL_WHERE_NOTSMTP)
1569 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1570 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1571 acl_wherenames[where]);
1575 verify_sender_address = sender_address;
1578 while (isspace(*s)) s++;
1579 if (*s++ != '=') goto BAD_VERIFY;
1580 while (isspace(*s)) s++;
1581 verify_sender_address = string_copy(s);
1586 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1589 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1590 "(only possible for RCPT)", acl_wherenames[where]);
1595 /* Remaining items are optional; they apply to sender and recipient
1596 verification, including "header sender" verification. */
1598 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1601 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1602 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1603 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1605 /* These two old options are left for backwards compatibility */
1607 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1609 callout_defer_ok = TRUE;
1610 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1613 else if (strcmpic(ss, US"check_postmaster") == 0)
1616 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1619 /* The callout option has a number of sub-options, comma separated */
1621 else if (strncmpic(ss, US"callout", 7) == 0)
1623 callout = CALLOUT_TIMEOUT_DEFAULT;
1627 while (isspace(*ss)) ss++;
1633 while (isspace(*ss)) ss++;
1635 /* This callout option handling code has become a mess as new options
1636 have been added in an ad hoc manner. It should be tidied up into some
1637 kind of table-driven thing. */
1639 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1642 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1643 else if (strcmpic(opt, US"no_cache") == 0)
1644 verify_options |= vopt_callout_no_cache;
1645 else if (strcmpic(opt, US"random") == 0)
1646 verify_options |= vopt_callout_random;
1647 else if (strcmpic(opt, US"use_sender") == 0)
1648 verify_options |= vopt_callout_recipsender;
1649 else if (strcmpic(opt, US"use_postmaster") == 0)
1650 verify_options |= vopt_callout_recippmaster;
1651 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1652 else if (strcmpic(opt, US"fullpostmaster") == 0)
1655 verify_options |= vopt_callout_fullpm;
1658 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1660 if (!verify_header_sender)
1662 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1663 "callout option only for verify=header_sender (detected in ACL "
1664 "condition \"%s\")", arg);
1668 while (isspace(*opt)) opt++;
1671 *log_msgptr = string_sprintf("'=' expected after "
1672 "\"mailfrom\" in ACL condition \"%s\"", arg);
1675 while (isspace(*opt)) opt++;
1676 se_mailfrom = string_copy(opt);
1679 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1682 while (isspace(*opt)) opt++;
1685 *log_msgptr = string_sprintf("'=' expected after "
1686 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1689 while (isspace(*opt)) opt++;
1690 pm_mailfrom = string_copy(opt);
1693 else if (strncmpic(opt, US"maxwait", 7) == 0)
1696 while (isspace(*opt)) opt++;
1699 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1700 "ACL condition \"%s\"", arg);
1703 while (isspace(*opt)) opt++;
1704 callout_overall = readconf_readtime(opt, 0, FALSE);
1705 if (callout_overall < 0)
1707 *log_msgptr = string_sprintf("bad time value in ACL condition "
1708 "\"verify %s\"", arg);
1712 else if (strncmpic(opt, US"connect", 7) == 0)
1715 while (isspace(*opt)) opt++;
1718 *log_msgptr = string_sprintf("'=' expected after "
1719 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1722 while (isspace(*opt)) opt++;
1723 callout_connect = readconf_readtime(opt, 0, FALSE);
1724 if (callout_connect < 0)
1726 *log_msgptr = string_sprintf("bad time value in ACL condition "
1727 "\"verify %s\"", arg);
1731 else /* Plain time is callout connect/command timeout */
1733 callout = readconf_readtime(opt, 0, FALSE);
1736 *log_msgptr = string_sprintf("bad time value in ACL condition "
1737 "\"verify %s\"", arg);
1745 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1746 "ACL condition \"%s\"", arg);
1752 /* Option not recognized */
1756 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1757 "condition \"verify %s\"", ss, arg);
1762 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1763 (vopt_callout_recipsender|vopt_callout_recippmaster))
1765 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1766 "for a recipient callout";
1770 /* Handle sender-in-header verification. Default the user message to the log
1771 message if giving out verification details. */
1773 if (verify_header_sender)
1776 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1777 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1781 *basic_errno = verrno;
1782 if (smtp_return_error_details)
1784 if (*user_msgptr == NULL && *log_msgptr != NULL)
1785 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1786 if (rc == DEFER) acl_temp_details = TRUE;
1791 /* Handle a sender address. The default is to verify *the* sender address, but
1792 optionally a different address can be given, for special requirements. If the
1793 address is empty, we are dealing with a bounce message that has no sender, so
1794 we cannot do any checking. If the real sender address gets rewritten during
1795 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1796 during message reception.
1798 A list of verified "sender" addresses is kept to try to avoid doing to much
1799 work repetitively when there are multiple recipients in a message and they all
1800 require sender verification. However, when callouts are involved, it gets too
1801 complicated because different recipients may require different callout options.
1802 Therefore, we always do a full sender verify when any kind of callout is
1803 specified. Caching elsewhere, for instance in the DNS resolver and in the
1804 callout handling, should ensure that this is not terribly inefficient. */
1806 else if (verify_sender_address != NULL)
1808 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1811 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1812 "sender verify callout";
1816 sender_vaddr = verify_checked_sender(verify_sender_address);
1817 if (sender_vaddr != NULL && /* Previously checked */
1818 callout <= 0) /* No callout needed this time */
1820 /* If the "routed" flag is set, it means that routing worked before, so
1821 this check can give OK (the saved return code value, if set, belongs to a
1822 callout that was done previously). If the "routed" flag is not set, routing
1823 must have failed, so we use the saved return code. */
1825 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1827 rc = sender_vaddr->special_action;
1828 *basic_errno = sender_vaddr->basic_errno;
1830 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1833 /* Do a new verification, and cache the result. The cache is used to avoid
1834 verifying the sender multiple times for multiple RCPTs when callouts are not
1835 specified (see comments above).
1837 The cache is also used on failure to give details in response to the first
1838 RCPT that gets bounced for this reason. However, this can be suppressed by
1839 the no_details option, which sets the flag that says "this detail has already
1840 been sent". The cache normally contains just one address, but there may be
1841 more in esoteric circumstances. */
1846 uschar *save_address_data = deliver_address_data;
1848 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1849 if (no_details) setflag(sender_vaddr, af_sverify_told);
1850 if (verify_sender_address[0] != 0)
1852 /* If this is the real sender address, save the unrewritten version
1853 for use later in receive. Otherwise, set a flag so that rewriting the
1854 sender in verify_address() does not update sender_address. */
1856 if (verify_sender_address == sender_address)
1857 sender_address_unrewritten = sender_address;
1859 verify_options |= vopt_fake_sender;
1861 if (success_on_redirect)
1862 verify_options |= vopt_success_on_redirect;
1864 /* The recipient, qualify, and expn options are never set in
1867 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1868 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1870 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1874 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1876 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1877 verify_sender_address, sender_vaddr->address);
1881 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1882 verify_sender_address);
1885 else *basic_errno = sender_vaddr->basic_errno;
1887 else rc = OK; /* Null sender */
1889 /* Cache the result code */
1891 if (routed) setflag(sender_vaddr, af_verify_routed);
1892 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1893 sender_vaddr->special_action = rc;
1894 sender_vaddr->next = sender_verified_list;
1895 sender_verified_list = sender_vaddr;
1897 /* Restore the recipient address data, which might have been clobbered by
1898 the sender verification. */
1900 deliver_address_data = save_address_data;
1903 /* Put the sender address_data value into $sender_address_data */
1905 sender_address_data = sender_vaddr->p.address_data;
1908 /* A recipient address just gets a straightforward verify; again we must handle
1909 the DEFER overrides. */
1915 if (success_on_redirect)
1916 verify_options |= vopt_success_on_redirect;
1918 /* We must use a copy of the address for verification, because it might
1922 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1923 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1924 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1926 *log_msgptr = addr2.message;
1927 *user_msgptr = (addr2.user_message != NULL)?
1928 addr2.user_message : addr2.message;
1929 *basic_errno = addr2.basic_errno;
1931 /* Make $address_data visible */
1932 deliver_address_data = addr2.p.address_data;
1935 /* We have a result from the relevant test. Handle defer overrides first. */
1937 if (rc == DEFER && (defer_ok ||
1938 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1940 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1941 defer_ok? "defer_ok" : "callout_defer_ok");
1945 /* If we've failed a sender, set up a recipient message, and point
1946 sender_verified_failed to the address item that actually failed. */
1948 if (rc != OK && verify_sender_address != NULL)
1952 *log_msgptr = *user_msgptr = US"Sender verify failed";
1954 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1956 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1960 *log_msgptr = US"Could not complete sender verify callout";
1961 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1965 sender_verified_failed = sender_vaddr;
1968 /* Verifying an address messes up the values of $domain and $local_part,
1969 so reset them before returning if this is a RCPT ACL. */
1973 deliver_domain = addr->domain;
1974 deliver_localpart = addr->local_part;
1978 /* Syntax errors in the verify argument come here. */
1981 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1982 "\"helo\", \"header_syntax\", \"header_sender\" or "
1983 "\"reverse_host_lookup\" at start of ACL condition "
1984 "\"verify %s\"", arg);
1987 /* Options supplied when not allowed come here */
1990 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1991 "(this verify item has no options)", arg);
1994 /* Calls in the wrong ACL come here */
1997 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1998 "(only possible in ACL for DATA)", acl_wherenames[where]);
2005 /*************************************************
2006 * Check argument for control= modifier *
2007 *************************************************/
2009 /* Called from acl_check_condition() below
2012 arg the argument string for control=
2013 pptr set to point to the terminating character
2014 where which ACL we are in
2015 log_msgptr for error messages
2017 Returns: CONTROL_xxx value
2021 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2026 for (d = controls_list;
2027 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2030 len = Ustrlen(d->name);
2031 if (Ustrncmp(d->name, arg, len) == 0) break;
2034 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2035 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2037 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2038 return CONTROL_ERROR;
2047 /*************************************************
2048 * Handle rate limiting *
2049 *************************************************/
2051 /* Called by acl_check_condition() below to calculate the result
2052 of the ACL ratelimit condition.
2054 Note that the return value might be slightly unexpected: if the
2055 sender's rate is above the limit then the result is OK. This is
2056 similar to the dnslists condition, and is so that you can write
2057 ACL clauses like: defer ratelimit = 15 / 1h
2060 arg the option string for ratelimit=
2061 where ACL_WHERE_xxxx indicating which ACL this is
2062 log_msgptr for error messages
2064 Returns: OK - Sender's rate is above limit
2065 FAIL - Sender's rate is below limit
2066 DEFER - Problem opening ratelimit database
2067 ERROR - Syntax error in options.
2071 acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
2073 double limit, period;
2076 BOOL have_key = FALSE, leaky = FALSE, strict = FALSE;
2077 BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2079 tree_node **anchor, *t;
2080 open_db dbblock, *dbm;
2081 dbdata_ratelimit *dbd;
2084 /* Parse the first two options and record their values in expansion
2085 variables. These variables allow the configuration to have informative
2086 error messages based on rate limits obtained from a table lookup. */
2088 /* First is the maximum number of messages per period and maximum burst
2089 size, which must be greater than or equal to zero. Zero is useful for
2090 rate measurement as opposed to rate limiting. */
2092 sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2093 if (sender_rate_limit == NULL)
2097 limit = Ustrtod(sender_rate_limit, &ss);
2098 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2099 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2100 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2102 if (limit < 0.0 || *ss != 0)
2104 *log_msgptr = string_sprintf("syntax error in argument for "
2105 "\"ratelimit\" condition: \"%s\" is not a positive number",
2110 /* We use the rest of the argument list following the limit as the
2111 lookup key, because it doesn't make sense to use the same stored data
2112 if the period or options are different. */
2116 /* Second is the rate measurement period and exponential smoothing time
2117 constant. This must be strictly greater than zero, because zero leads to
2118 run-time division errors. */
2120 sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2121 if (sender_rate_period == NULL) period = -1.0;
2122 else period = readconf_readtime(sender_rate_period, 0, FALSE);
2125 *log_msgptr = string_sprintf("syntax error in argument for "
2126 "\"ratelimit\" condition: \"%s\" is not a time value",
2127 sender_rate_period);
2131 /* Parse the other options. Should we check if the per_* options are being
2132 used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2134 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2137 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2138 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2139 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
2140 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2141 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2142 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
2143 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
2144 else have_key = TRUE;
2146 if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2148 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2152 /* Default option values */
2153 if (!strict) leaky = TRUE;
2154 if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2156 /* If there is no explicit key, use the sender_host_address. If there is no
2157 sender_host_address (e.g. -bs or acl_not_smtp) then we simply omit it. */
2159 if (!have_key && sender_host_address != NULL)
2160 key = string_sprintf("%s / %s", key, sender_host_address);
2162 HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2163 limit, period, key);
2165 /* See if we have already computed the rate by looking in the relevant tree. For
2166 per-connection rate limiting, store tree nodes and dbdata in the permanent pool
2167 so that they survive across resets. */
2170 old_pool = store_pool;
2174 anchor = &ratelimiters_conn;
2175 store_pool = POOL_PERM;
2177 else if (per_mail || per_byte)
2178 anchor = &ratelimiters_mail;
2180 anchor = &ratelimiters_cmd;
2182 if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2185 /* The following few lines duplicate some of the code below. */
2186 if (dbd->rate < limit) rc = FAIL;
2188 store_pool = old_pool;
2189 sender_rate = string_sprintf("%.1f", dbd->rate);
2191 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2195 /* We aren't using a pre-computed rate, so get a previously recorded
2196 rate from the database, update it, and write it back. If there's no
2197 previous rate for this key, create one. */
2199 dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2202 store_pool = old_pool;
2204 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2205 *log_msgptr = US"ratelimit database not available";
2208 dbd = dbfn_read(dbm, key);
2210 gettimeofday(&tv, NULL);
2214 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2215 dbd = store_get(sizeof(dbdata_ratelimit));
2216 dbd->time_stamp = tv.tv_sec;
2217 dbd->time_usec = tv.tv_usec;
2222 /* The smoothed rate is computed using an exponentially weighted moving
2223 average adjusted for variable sampling intervals. The standard EWMA for
2224 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2225 where f() is the measured value and f'() is the smoothed value.
2227 Old data decays out of the smoothed value exponentially, such that data n
2228 samples old is multiplied by a^n. The exponential decay time constant p
2229 is defined such that data p samples old is multiplied by 1/e, which means
2230 that a = exp(-1/p). We can maintain the same time constant for a variable
2231 sampling interval i by using a = exp(-i/p).
2233 The rate we are measuring is messages per period, suitable for directly
2234 comparing with the limit. The average rate between now and the previous
2235 message is period / interval, which we feed into the EWMA as the sample.
2237 It turns out that the number of messages required for the smoothed rate
2238 to reach the limit when they are sent in a burst is equal to the limit.
2239 This can be seen by analysing the value of the smoothed rate after N
2240 messages sent at even intervals. Let k = (1 - a) * p/i
2242 rate_1 = (1 - a) * p/i + a * rate_0
2244 rate_2 = k + a * rate_1
2245 = k + a * k + a^2 * rate_0
2246 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2247 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2248 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2249 = rate_0 * a^N + p/i * (1 - a^N)
2251 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2253 rate_N = p/i + (rate_0 - p/i) * a^N
2254 a^N = (rate_N - p/i) / (rate_0 - p/i)
2255 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2256 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2258 Numerical analysis of the above equation, setting the computed rate to
2259 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2260 rates, p/i, the number of messages N = limit. So limit serves as both the
2261 maximum rate measured in messages per period, and the maximum number of
2262 messages that can be sent in a fast burst. */
2264 double this_time = (double)tv.tv_sec
2265 + (double)tv.tv_usec / 1000000.0;
2266 double prev_time = (double)dbd->time_stamp
2267 + (double)dbd->time_usec / 1000000.0;
2269 /* We must avoid division by zero, and deal gracefully with the clock going
2270 backwards. If we blunder ahead when time is in reverse then the computed
2271 rate will be bogus. To be safe we clamp interval to a very small number. */
2273 double interval = this_time - prev_time <= 0.0 ? 1e-9
2274 : this_time - prev_time;
2276 double i_over_p = interval / period;
2277 double a = exp(-i_over_p);
2279 dbd->time_stamp = tv.tv_sec;
2280 dbd->time_usec = tv.tv_usec;
2282 /* If we are measuring the rate in bytes per period, multiply the
2283 measured rate by the message size. If we don't know the message size
2284 then it's safe to just use a value of zero and let the recorded rate
2285 decay as if nothing happened. */
2288 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2289 * (1 - a) / i_over_p + a * dbd->rate;
2290 else if (per_cmd && where == ACL_WHERE_NOTSMTP)
2291 dbd->rate = (double)recipients_count
2292 * (1 - a) / i_over_p + a * dbd->rate;
2294 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2297 /* Clients sending at the limit are considered to be over the limit. This
2298 matters for edge cases such the first message sent by a client (which gets
2299 the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2300 be completely blocked). */
2302 if (dbd->rate < limit) rc = FAIL;
2305 /* Update the state if the rate is low or if we are being strict. If we
2306 are in leaky mode and the sender's rate is too high, we do not update
2307 the recorded rate in order to avoid an over-aggressive sender's retry
2308 rate preventing them from getting any email through. */
2310 if (rc == FAIL || !leaky)
2311 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
2314 /* Store the result in the tree for future reference, if necessary. */
2318 t = store_get(sizeof(tree_node) + Ustrlen(key));
2320 Ustrcpy(t->name, key);
2321 (void)tree_insertnode(anchor, t);
2324 /* We create the formatted version of the sender's rate very late in
2325 order to ensure that it is done using the correct storage pool. */
2327 store_pool = old_pool;
2328 sender_rate = string_sprintf("%.1f", dbd->rate);
2331 debug_printf("ratelimit computed rate %s\n", sender_rate);
2338 /*************************************************
2339 * Handle conditions/modifiers on an ACL item *
2340 *************************************************/
2342 /* Called from acl_check() below.
2346 cb ACL condition block - if NULL, result is OK
2347 where where called from
2348 addr the address being checked for RCPT, or NULL
2349 level the nesting level
2350 epp pointer to pass back TRUE if "endpass" encountered
2351 (applies only to "accept" and "discard")
2352 user_msgptr user message pointer
2353 log_msgptr log message pointer
2354 basic_errno pointer to where to put verify error
2356 Returns: OK - all conditions are met
2357 DISCARD - an "acl" condition returned DISCARD - only allowed
2358 for "accept" or "discard" verbs
2359 FAIL - at least one condition fails
2360 FAIL_DROP - an "acl" condition returned FAIL_DROP
2361 DEFER - can't tell at the moment (typically, lookup defer,
2362 but can be temporary callout problem)
2363 ERROR - ERROR from nested ACL or expansion failure or other
2368 acl_check_condition(int verb, acl_condition_block *cb, int where,
2369 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2370 uschar **log_msgptr, int *basic_errno)
2372 uschar *user_message = NULL;
2373 uschar *log_message = NULL;
2376 #ifdef WITH_CONTENT_SCAN
2380 for (; cb != NULL; cb = cb->next)
2385 /* The message and log_message items set up messages to be used in
2386 case of rejection. They are expanded later. */
2388 if (cb->type == ACLC_MESSAGE)
2390 user_message = cb->arg;
2394 if (cb->type == ACLC_LOG_MESSAGE)
2396 log_message = cb->arg;
2400 /* The endpass "condition" just sets a flag to show it occurred. This is
2401 checked at compile time to be on an "accept" or "discard" item. */
2403 if (cb->type == ACLC_ENDPASS)
2409 /* For other conditions and modifiers, the argument is expanded now for some
2410 of them, but not for all, because expansion happens down in some lower level
2411 checking functions in some cases. */
2413 if (cond_expand_at_top[cb->type])
2415 arg = expand_string(cb->arg);
2418 if (expand_string_forcedfail) continue;
2419 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2420 cb->arg, expand_string_message);
2421 return search_find_defer? DEFER : ERROR;
2426 /* Show condition, and expanded condition if it's different */
2431 debug_printf("check %s%s %n",
2432 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2433 conditions[cb->type], &lhswidth);
2435 if (cb->type == ACLC_SET)
2437 debug_printf("acl_%s ", cb->u.varname);
2438 lhswidth += 5 + Ustrlen(cb->u.varname);
2441 debug_printf("= %s\n", cb->arg);
2444 debug_printf("%.*s= %s\n", lhswidth,
2448 /* Check that this condition makes sense at this time */
2450 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2452 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2453 cond_modifiers[cb->type]? "use" : "test",
2454 conditions[cb->type], acl_wherenames[where]);
2458 /* Run the appropriate test for each condition, or take the appropriate
2459 action for the remaining modifiers. */
2463 case ACLC_ADD_HEADER:
2467 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2471 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2472 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2474 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2475 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2481 case ACLC_AUTHENTICATED:
2482 rc = (sender_host_authenticated == NULL)? FAIL :
2483 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2487 #ifdef EXPERIMENTAL_BRIGHTMAIL
2488 case ACLC_BMI_OPTIN:
2490 int old_pool = store_pool;
2491 store_pool = POOL_PERM;
2492 bmi_current_optin = string_copy(arg);
2493 store_pool = old_pool;
2498 case ACLC_CONDITION:
2499 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2500 rc = (Uatoi(arg) == 0)? FAIL : OK;
2502 rc = (strcmpic(arg, US"no") == 0 ||
2503 strcmpic(arg, US"false") == 0)? FAIL :
2504 (strcmpic(arg, US"yes") == 0 ||
2505 strcmpic(arg, US"true") == 0)? OK : DEFER;
2507 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2511 control_type = decode_control(arg, &p, where, log_msgptr);
2513 /* Check if this control makes sense at this time */
2515 if ((control_forbids[control_type] & (1 << where)) != 0)
2517 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2518 controls[control_type], acl_wherenames[where]);
2522 switch(control_type)
2524 case CONTROL_AUTH_UNADVERTISED:
2525 allow_auth_unadvertised = TRUE;
2528 #ifdef EXPERIMENTAL_BRIGHTMAIL
2529 case CONTROL_BMI_RUN:
2534 #ifdef EXPERIMENTAL_DOMAINKEYS
2535 case CONTROL_DK_VERIFY:
2543 case CONTROL_CASEFUL_LOCAL_PART:
2544 deliver_localpart = addr->cc_local_part;
2547 case CONTROL_CASELOWER_LOCAL_PART:
2548 deliver_localpart = addr->lc_local_part;
2551 case CONTROL_ENFORCE_SYNC:
2552 smtp_enforce_sync = TRUE;
2555 case CONTROL_NO_ENFORCE_SYNC:
2556 smtp_enforce_sync = FALSE;
2559 #ifdef WITH_CONTENT_SCAN
2560 case CONTROL_NO_MBOX_UNSPOOL:
2561 no_mbox_unspool = TRUE;
2565 case CONTROL_NO_MULTILINE:
2566 no_multiline_responses = TRUE;
2569 case CONTROL_FAKEDEFER:
2570 case CONTROL_FAKEREJECT:
2571 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
2575 while (*pp != 0) pp++;
2576 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
2581 /* Explicitly reset to default string */
2582 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
2586 case CONTROL_FREEZE:
2587 deliver_freeze = TRUE;
2588 deliver_frozen_at = time(NULL);
2589 freeze_tell = freeze_tell_config; /* Reset to configured value */
2590 if (Ustrncmp(p, "/no_tell", 8) == 0)
2597 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2602 case CONTROL_QUEUE_ONLY:
2603 queue_only_policy = TRUE;
2606 case CONTROL_SUBMISSION:
2607 originator_name = US"";
2608 submission_mode = TRUE;
2611 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2614 active_local_sender_retain = TRUE;
2615 active_local_from_check = FALSE;
2617 else if (Ustrncmp(p, "/domain=", 8) == 0)
2620 while (*pp != 0 && *pp != '/') pp++;
2621 submission_domain = string_copyn(p+8, pp-p-8);
2624 /* The name= option must be last, because it swallows the rest of
2626 else if (Ustrncmp(p, "/name=", 6) == 0)
2629 while (*pp != 0) pp++;
2630 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
2631 big_buffer, big_buffer_size));
2638 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2643 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2644 suppress_local_fixups = TRUE;
2649 #ifdef WITH_CONTENT_SCAN
2651 rc = mime_decode(&arg);
2657 int delay = readconf_readtime(arg, 0, FALSE);
2660 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2661 "modifier: \"%s\" is not a time value", arg);
2666 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2671 debug_printf("delay skipped in -bh checking mode\n");
2674 /* It appears to be impossible to detect that a TCP/IP connection has
2675 gone away without reading from it. This means that we cannot shorten
2676 the delay below if the client goes away, because we cannot discover
2677 that the client has closed its end of the connection. (The connection
2678 is actually in a half-closed state, waiting for the server to close its
2679 end.) It would be nice to be able to detect this state, so that the
2680 Exim process is not held up unnecessarily. However, it seems that we
2681 can't. The poll() function does not do the right thing, and in any case
2682 it is not always available.
2684 NOTE: If ever this state of affairs changes, remember that we may be
2685 dealing with stdin/stdout here, in addition to TCP/IP connections.
2686 Whatever is done must work in both cases. To detected the stdin/stdout
2687 case, check for smtp_in or smtp_out being NULL. */
2691 while (delay > 0) delay = sleep(delay);
2697 #ifdef WITH_OLD_DEMIME
2703 #ifdef EXPERIMENTAL_DOMAINKEYS
2704 case ACLC_DK_DOMAIN_SOURCE:
2705 if (dk_verify_block == NULL) { rc = FAIL; break; };
2706 /* check header source of domain against given string */
2707 switch (dk_verify_block->address_source) {
2708 case DK_EXIM_ADDRESS_FROM_FROM:
2709 rc = match_isinlist(US"from", &arg, 0, NULL,
2710 NULL, MCL_STRING, TRUE, NULL);
2712 case DK_EXIM_ADDRESS_FROM_SENDER:
2713 rc = match_isinlist(US"sender", &arg, 0, NULL,
2714 NULL, MCL_STRING, TRUE, NULL);
2716 case DK_EXIM_ADDRESS_NONE:
2717 rc = match_isinlist(US"none", &arg, 0, NULL,
2718 NULL, MCL_STRING, TRUE, NULL);
2723 case ACLC_DK_POLICY:
2724 if (dk_verify_block == NULL) { rc = FAIL; break; };
2725 /* check policy against given string, default FAIL */
2727 if (dk_verify_block->signsall)
2728 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2729 NULL, MCL_STRING, TRUE, NULL);
2730 if (dk_verify_block->testing)
2731 rc = match_isinlist(US"testing", &arg, 0, NULL,
2732 NULL, MCL_STRING, TRUE, NULL);
2735 case ACLC_DK_SENDER_DOMAINS:
2736 if (dk_verify_block == NULL) { rc = FAIL; break; };
2737 if (dk_verify_block->domain != NULL)
2738 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2739 NULL, MCL_DOMAIN, TRUE, NULL);
2743 case ACLC_DK_SENDER_LOCAL_PARTS:
2744 if (dk_verify_block == NULL) { rc = FAIL; break; };
2745 if (dk_verify_block->local_part != NULL)
2746 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2747 NULL, MCL_LOCALPART, TRUE, NULL);
2751 case ACLC_DK_SENDERS:
2752 if (dk_verify_block == NULL) { rc = FAIL; break; };
2753 if (dk_verify_block->address != NULL)
2754 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2758 case ACLC_DK_STATUS:
2759 if (dk_verify_block == NULL) { rc = FAIL; break; };
2760 if (dk_verify_block->result > 0) {
2761 switch(dk_verify_block->result) {
2762 case DK_EXIM_RESULT_BAD_FORMAT:
2763 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2764 NULL, MCL_STRING, TRUE, NULL);
2766 case DK_EXIM_RESULT_NO_KEY:
2767 rc = match_isinlist(US"no key", &arg, 0, NULL,
2768 NULL, MCL_STRING, TRUE, NULL);
2770 case DK_EXIM_RESULT_NO_SIGNATURE:
2771 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2772 NULL, MCL_STRING, TRUE, NULL);
2774 case DK_EXIM_RESULT_REVOKED:
2775 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2776 NULL, MCL_STRING, TRUE, NULL);
2778 case DK_EXIM_RESULT_NON_PARTICIPANT:
2779 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2780 NULL, MCL_STRING, TRUE, NULL);
2782 case DK_EXIM_RESULT_GOOD:
2783 rc = match_isinlist(US"good", &arg, 0, NULL,
2784 NULL, MCL_STRING, TRUE, NULL);
2786 case DK_EXIM_RESULT_BAD:
2787 rc = match_isinlist(US"bad", &arg, 0, NULL,
2788 NULL, MCL_STRING, TRUE, NULL);
2796 rc = verify_check_dnsbl(&arg);
2800 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2801 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2804 /* The value in tls_cipher is the full cipher name, for example,
2805 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2806 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2807 what may in practice come out of the SSL library - which at the time of
2808 writing is poorly documented. */
2810 case ACLC_ENCRYPTED:
2811 if (tls_cipher == NULL) rc = FAIL; else
2813 uschar *endcipher = NULL;
2814 uschar *cipher = Ustrchr(tls_cipher, ':');
2815 if (cipher == NULL) cipher = tls_cipher; else
2817 endcipher = Ustrchr(++cipher, ':');
2818 if (endcipher != NULL) *endcipher = 0;
2820 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2821 if (endcipher != NULL) *endcipher = ':';
2825 /* Use verify_check_this_host() instead of verify_check_host() so that
2826 we can pass over &host_data to catch any looked up data. Once it has been
2827 set, it retains its value so that it's still there if another ACL verb
2828 comes through here and uses the cache. However, we must put it into
2829 permanent store in case it is also expected to be used in a subsequent
2830 message in the same SMTP connection. */
2833 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2834 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2835 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2838 case ACLC_LOCAL_PARTS:
2839 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2840 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2841 &deliver_localpart_data);
2853 if (Ustrncmp(s, "main", 4) == 0)
2854 { logbits |= LOG_MAIN; s += 4; }
2855 else if (Ustrncmp(s, "panic", 5) == 0)
2856 { logbits |= LOG_PANIC; s += 5; }
2857 else if (Ustrncmp(s, "reject", 6) == 0)
2858 { logbits |= LOG_REJECT; s += 6; }
2861 logbits = LOG_MAIN|LOG_PANIC;
2862 s = string_sprintf(":unknown log name in \"%s\" in "
2863 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2869 while (isspace(*s)) s++;
2870 if (logbits == 0) logbits = LOG_MAIN;
2871 log_write(0, logbits, "%s", string_printing(s));
2875 #ifdef WITH_CONTENT_SCAN
2878 /* Seperate the regular expression and any optional parameters. */
2879 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2880 /* Run the malware backend. */
2882 /* Modify return code based upon the existance of options. */
2883 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2885 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2887 /* FAIL so that the message is passed to the next ACL */
2894 case ACLC_MIME_REGEX:
2895 rc = mime_regex(&arg);
2899 case ACLC_RATELIMIT:
2900 rc = acl_ratelimit(arg, where, log_msgptr);
2903 case ACLC_RECIPIENTS:
2904 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2908 #ifdef WITH_CONTENT_SCAN
2914 case ACLC_SENDER_DOMAINS:
2917 sdomain = Ustrrchr(sender_address, '@');
2918 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2919 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2920 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2925 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2926 sender_address_cache, -1, 0, &sender_data);
2929 /* Connection variables must persist forever */
2933 int old_pool = store_pool;
2934 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
2935 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
2936 store_pool = old_pool;
2940 #ifdef WITH_CONTENT_SCAN
2943 /* Seperate the regular expression and any optional parameters. */
2944 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2945 /* Run the spam backend. */
2947 /* Modify return code based upon the existance of options. */
2948 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2950 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2952 /* FAIL so that the message is passed to the next ACL */
2960 #ifdef EXPERIMENTAL_SPF
2962 rc = spf_process(&arg, sender_address);
2966 /* If the verb is WARN, discard any user message from verification, because
2967 such messages are SMTP responses, not header additions. The latter come
2968 only from explicit "message" modifiers. However, put the user message into
2969 $acl_verify_message so it can be used in subsequent conditions or modifiers
2970 (until something changes it). */
2973 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2974 acl_verify_message = *user_msgptr;
2975 if (verb == ACL_WARN) *user_msgptr = NULL;
2979 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2980 "condition %d", cb->type);
2984 /* If a condition was negated, invert OK/FAIL. */
2986 if (!cond_modifiers[cb->type] && cb->u.negated)
2988 if (rc == OK) rc = FAIL;
2989 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2992 if (rc != OK) break; /* Conditions loop */
2996 /* If the result is the one for which "message" and/or "log_message" are used,
2997 handle the values of these options. Most verbs have but a single return for
2998 which the messages are relevant, but for "discard", it's useful to have the log
2999 message both when it succeeds and when it fails. Also, for an "accept" that
3000 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
3001 and "warn" are permitted in that ACL, we don't need to test the verb.
3003 These modifiers act in different ways:
3005 "message" is a user message that will be included in an SMTP response. Unless
3006 it is empty, it overrides any previously set user message.
3008 "log_message" is a non-user message, and it adds to any existing non-user
3009 message that is already set.
3011 If there isn't a log message set, we make it the same as the user message. */
3013 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
3014 (verb == ACL_DISCARD && rc == OK) ||
3015 (where == ACL_WHERE_QUIT))
3019 /* If the verb is "warn", messages generated by conditions (verification or
3020 nested ACLs) are discarded. Only messages specified at this level are used.
3021 However, the value of an existing message is available in $acl_verify_message
3022 during expansions. */
3024 uschar *old_user_msgptr = *user_msgptr;
3025 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
3027 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
3029 if (user_message != NULL)
3031 acl_verify_message = old_user_msgptr;
3032 expmessage = expand_string(user_message);
3033 if (expmessage == NULL)
3035 if (!expand_string_forcedfail)
3036 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3037 user_message, expand_string_message);
3039 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3042 if (log_message != NULL)
3044 acl_verify_message = old_log_msgptr;
3045 expmessage = expand_string(log_message);
3046 if (expmessage == NULL)
3048 if (!expand_string_forcedfail)
3049 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3050 log_message, expand_string_message);
3052 else if (expmessage[0] != 0)
3054 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3055 string_sprintf("%s: %s", expmessage, *log_msgptr);
3059 /* If no log message, default it to the user message */
3061 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3064 acl_verify_message = NULL;
3072 /*************************************************
3073 * Get line from a literal ACL *
3074 *************************************************/
3076 /* This function is passed to acl_read() in order to extract individual lines
3077 of a literal ACL, which we access via static pointers. We can destroy the
3078 contents because this is called only once (the compiled ACL is remembered).
3080 This code is intended to treat the data in the same way as lines in the main
3081 Exim configuration file. That is:
3083 . Leading spaces are ignored.
3085 . A \ at the end of a line is a continuation - trailing spaces after the \
3086 are permitted (this is because I don't believe in making invisible things
3087 significant). Leading spaces on the continued part of a line are ignored.
3089 . Physical lines starting (significantly) with # are totally ignored, and
3090 may appear within a sequence of backslash-continued lines.
3092 . Blank lines are ignored, but will end a sequence of continuations.
3095 Returns: a pointer to the next line
3099 static uschar *acl_text; /* Current pointer in the text */
3100 static uschar *acl_text_end; /* Points one past the terminating '0' */
3108 /* This loop handles leading blank lines and comments. */
3112 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3113 if (*acl_text == 0) return NULL; /* No more data */
3114 yield = acl_text; /* Potential data line */
3116 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3118 /* If we hit the end before a newline, we have the whole logical line. If
3119 it's a comment, there's no more data to be given. Otherwise, yield it. */
3121 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3123 /* After reaching a newline, end this loop if the physical line does not
3124 start with '#'. If it does, it's a comment, and the loop continues. */
3126 if (*yield != '#') break;
3129 /* This loop handles continuations. We know we have some real data, ending in
3130 newline. See if there is a continuation marker at the end (ignoring trailing
3131 white space). We know that *yield is not white space, so no need to test for
3132 cont > yield in the backwards scanning loop. */
3137 for (cont = acl_text - 1; isspace(*cont); cont--);
3139 /* If no continuation follows, we are done. Mark the end of the line and
3148 /* We have encountered a continuation. Skip over whitespace at the start of
3149 the next line, and indeed the whole of the next line or lines if they are
3154 while (*(++acl_text) == ' ' || *acl_text == '\t');
3155 if (*acl_text != '#') break;
3156 while (*(++acl_text) != 0 && *acl_text != '\n');
3159 /* We have the start of a continuation line. Move all the rest of the data
3160 to join onto the previous line, and then find its end. If the end is not a
3161 newline, we are done. Otherwise loop to look for another continuation. */
3163 memmove(cont, acl_text, acl_text_end - acl_text);
3164 acl_text_end -= acl_text - cont;
3166 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3167 if (*acl_text == 0) return yield;
3170 /* Control does not reach here */
3177 /*************************************************
3178 * Check access using an ACL *
3179 *************************************************/
3181 /* This function is called from address_check. It may recurse via
3182 acl_check_condition() - hence the use of a level to stop looping. The ACL is
3183 passed as a string which is expanded. A forced failure implies no access check
3184 is required. If the result is a single word, it is taken as the name of an ACL
3185 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3186 text, complete with newlines, and parsed as such. In both cases, the ACL check
3187 is then run. This function uses an auxiliary function for acl_read() to call
3188 for reading individual lines of a literal ACL. This is acl_getline(), which
3189 appears immediately above.
3192 where where called from
3193 addr address item when called from RCPT; otherwise NULL
3194 s the input string; NULL is the same as an empty ACL => DENY
3195 level the nesting level
3196 user_msgptr where to put a user error (for SMTP response)
3197 log_msgptr where to put a logging message (not for SMTP response)
3199 Returns: OK access is granted
3200 DISCARD access is apparently granted...
3201 FAIL access is denied
3202 FAIL_DROP access is denied; drop the connection
3203 DEFER can't tell at the moment
3208 acl_check_internal(int where, address_item *addr, uschar *s, int level,
3209 uschar **user_msgptr, uschar **log_msgptr)
3212 acl_block *acl = NULL;
3213 uschar *acl_name = US"inline ACL";
3216 /* Catch configuration loops */
3220 *log_msgptr = US"ACL nested too deep: possible loop";
3226 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3230 /* At top level, we expand the incoming string. At lower levels, it has already
3231 been expanded as part of condition processing. */
3235 ss = expand_string(s);
3238 if (expand_string_forcedfail) return OK;
3239 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3240 expand_string_message);
3246 while (isspace(*ss))ss++;
3248 /* If we can't find a named ACL, the default is to parse it as an inline one.
3249 (Unless it begins with a slash; non-existent files give rise to an error.) */
3253 /* Handle the case of a string that does not contain any spaces. Look for a
3254 named ACL among those read from the configuration, or a previously read file.
3255 It is possible that the pointer to the ACL is NULL if the configuration
3256 contains a name with no data. If not found, and the text begins with '/',
3257 read an ACL from a file, and save it so it can be re-used. */
3259 if (Ustrchr(ss, ' ') == NULL)
3261 tree_node *t = tree_search(acl_anchor, ss);
3264 acl = (acl_block *)(t->data.ptr);
3267 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3270 acl_name = string_sprintf("ACL \"%s\"", ss);
3271 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3274 else if (*ss == '/')
3276 struct stat statbuf;
3277 fd = Uopen(ss, O_RDONLY, 0);
3280 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3285 if (fstat(fd, &statbuf) != 0)
3287 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3292 acl_text = store_get(statbuf.st_size + 1);
3293 acl_text_end = acl_text + statbuf.st_size + 1;
3295 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3297 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3298 ss, strerror(errno));
3301 acl_text[statbuf.st_size] = 0;
3304 acl_name = string_sprintf("ACL \"%s\"", ss);
3305 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3309 /* Parse an ACL that is still in text form. If it came from a file, remember it
3310 in the ACL tree, having read it into the POOL_PERM store pool so that it
3311 persists between multiple messages. */
3315 int old_pool = store_pool;
3316 if (fd >= 0) store_pool = POOL_PERM;
3317 acl = acl_read(acl_getline, log_msgptr);
3318 store_pool = old_pool;
3319 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3322 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3323 Ustrcpy(t->name, ss);
3325 (void)tree_insertnode(&acl_anchor, t);
3329 /* Now we have an ACL to use. It's possible it may be NULL. */
3334 int basic_errno = 0;
3335 BOOL endpass_seen = FALSE;
3337 *log_msgptr = *user_msgptr = NULL;
3338 acl_temp_details = FALSE;
3340 if (where == ACL_WHERE_QUIT &&
3341 acl->verb != ACL_ACCEPT &&
3342 acl->verb != ACL_WARN)
3344 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
3349 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3351 /* Clear out any search error message from a previous check before testing
3354 search_error_message = NULL;
3355 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3356 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3358 /* Handle special returns: DEFER causes a return except on a WARN verb;
3359 ERROR always causes a return. */
3364 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3365 if (basic_errno != ERRNO_CALLOUTDEFER)
3367 if (search_error_message != NULL && *search_error_message != 0)
3368 *log_msgptr = search_error_message;
3369 if (smtp_return_error_details) acl_temp_details = TRUE;
3373 acl_temp_details = TRUE;
3375 if (acl->verb != ACL_WARN) return DEFER;
3378 default: /* Paranoia */
3380 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3384 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3389 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3392 /* DISCARD and DROP can happen only from a nested ACL condition, and
3393 DISCARD can happen only for an "accept" or "discard" verb. */
3396 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3401 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3406 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3407 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3408 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3413 if (cond == OK || cond == DISCARD) return cond;
3416 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3424 acl_temp_details = TRUE;
3430 if (cond == OK) return FAIL;
3434 if (cond == OK || cond == DISCARD) return DISCARD;
3437 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3443 if (cond == OK) return FAIL_DROP;
3447 if (cond != OK) return cond;
3452 acl_warn(where, *user_msgptr, *log_msgptr);
3453 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
3454 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3455 "condition test deferred%s%s", host_and_ident(TRUE),
3456 (*log_msgptr == NULL)? US"" : US": ",
3457 (*log_msgptr == NULL)? US"" : *log_msgptr);
3458 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3462 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3467 /* Pass to the next ACL item */
3472 /* We have reached the end of the ACL. This is an implicit DENY. */
3474 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3479 /*************************************************
3480 * Check access using an ACL *
3481 *************************************************/
3483 /* This is the external interface for ACL checks. It sets up an address and the
3484 expansions for $domain and $local_part when called after RCPT, then calls
3485 acl_check_internal() to do the actual work.
3488 where ACL_WHERE_xxxx indicating where called from
3489 recipient RCPT address for RCPT check, else NULL
3490 s the input string; NULL is the same as an empty ACL => DENY
3491 user_msgptr where to put a user error (for SMTP response)
3492 log_msgptr where to put a logging message (not for SMTP response)
3494 Returns: OK access is granted by an ACCEPT verb
3495 DISCARD access is granted by a DISCARD verb
3496 FAIL access is denied
3497 FAIL_DROP access is denied; drop the connection
3498 DEFER can't tell at the moment
3503 acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
3504 uschar **log_msgptr)
3508 address_item *addr = NULL;
3510 *user_msgptr = *log_msgptr = NULL;
3511 sender_verified_failed = NULL;
3512 ratelimiters_cmd = NULL;
3514 if (where == ACL_WHERE_RCPT)
3516 adb = address_defaults;
3518 addr->address = recipient;
3519 if (deliver_split_address(addr) == DEFER)
3521 *log_msgptr = US"defer in percent_hack_domains check";
3524 deliver_domain = addr->domain;
3525 deliver_localpart = addr->local_part;
3528 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3530 deliver_domain = deliver_localpart = deliver_address_data =
3531 sender_address_data = NULL;
3533 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3534 ACL, which is really in the middle of an SMTP command. */
3538 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3540 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3541 "ACL", acl_wherenames[where]);
3547 /* A DROP response is not permitted from MAILAUTH */
3549 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3551 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3552 "ACL", acl_wherenames[where]);
3556 /* Before giving an error response, take a look at the length of any user
3557 message, and split it up into multiple lines if possible. */
3559 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
3561 uschar *s = *user_msgptr = string_copy(*user_msgptr);
3567 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
3568 if (*ss == 0) break;
3575 while (--t > s + 35)
3579 if (t[-1] == ':') { tt = t; break; }
3580 if (tt == NULL) tt = t;
3584 if (tt == NULL) /* Can't split behind - try ahead */
3589 if (*t == ' ' || *t == '\n')
3595 if (tt == NULL) break; /* Can't find anywhere to split */
3607 /*************************************************
3608 * Create ACL variable *
3609 *************************************************/
3611 /* Create an ACL variable or reuse an existing one. ACL variables are in a
3612 binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3615 name pointer to the variable's name, starting with c or m
3617 Returns the pointer to variable's tree node
3621 acl_var_create(uschar *name)
3623 tree_node *node, **root;
3624 root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3625 node = tree_search(*root, name);
3628 node = store_get(sizeof(tree_node) + Ustrlen(name));
3629 Ustrcpy(node->name, name);
3630 (void)tree_insertnode(root, node);
3632 node->data.ptr = NULL;
3638 /*************************************************
3639 * Write an ACL variable in spool format *
3640 *************************************************/
3642 /* This function is used as a callback for tree_walk when writing variables to
3643 the spool file. To retain spool file compatibility, what is written is -aclc or
3644 -aclm followed by the rest of the name and the data length, space separated,
3645 then the value itself, starting on a new line, and terminated by an additional
3646 newline. When we had only numbered ACL variables, the first line might look
3647 like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3651 name of the variable
3652 value of the variable
3653 ctx FILE pointer (as a void pointer)
3659 acl_var_write(uschar *name, uschar *value, void *ctx)
3661 FILE *f = (FILE *)ctx;
3662 fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);