1 /* $Cambridge: exim/src/src/acl.c,v 1.13 2005/01/12 12:24:13 ph10 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the condition for which "message" is used */
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
34 /* ACL condition and modifier codes - keep in step with the table that
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
46 #ifdef WITH_OLD_DEMIME
49 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
50 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
51 #ifdef WITH_CONTENT_SCAN
55 #ifdef WITH_CONTENT_SCAN
59 #ifdef WITH_CONTENT_SCAN
62 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
63 #ifdef WITH_CONTENT_SCAN
66 #ifdef EXPERIMENTAL_SPF
71 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
72 "log_message", "logwrite", and "set" are modifiers that look like conditions
73 but always return TRUE. They are used for their side effects. */
75 static uschar *conditions[] = { US"acl", US"authenticated",
76 #ifdef EXPERIMENTAL_BRIGHTMAIL
81 #ifdef WITH_CONTENT_SCAN
85 #ifdef WITH_OLD_DEMIME
88 US"dnslists", US"domains", US"encrypted",
89 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
90 #ifdef WITH_CONTENT_SCAN
94 #ifdef WITH_CONTENT_SCAN
98 #ifdef WITH_CONTENT_SCAN
101 US"sender_domains", US"senders", US"set",
102 #ifdef WITH_CONTENT_SCAN
105 #ifdef EXPERIMENTAL_SPF
110 /* ACL control names */
112 static uschar *controls[] = { US"error", US"caseful_local_part",
113 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
114 US"queue_only", US"submission", US"no_multiline"};
116 /* Flags to indicate for which conditions /modifiers a string expansion is done
117 at the outer level. In the other cases, expansion already occurs in the
118 checking functions. */
120 static uschar cond_expand_at_top[] = {
122 FALSE, /* authenticated */
123 #ifdef EXPERIMENTAL_BRIGHTMAIL
124 TRUE, /* bmi_optin */
126 TRUE, /* condition */
128 #ifdef WITH_CONTENT_SCAN
132 #ifdef WITH_OLD_DEMIME
137 FALSE, /* encrypted */
140 FALSE, /* local_parts */
141 TRUE, /* log_message */
143 #ifdef WITH_CONTENT_SCAN
147 #ifdef WITH_CONTENT_SCAN
148 TRUE, /* mime_regex */
150 FALSE, /* recipients */
151 #ifdef WITH_CONTENT_SCAN
154 FALSE, /* sender_domains */
157 #ifdef WITH_CONTENT_SCAN
160 #ifdef EXPERIMENTAL_SPF
166 /* Flags to identify the modifiers */
168 static uschar cond_modifiers[] = {
170 FALSE, /* authenticated */
171 #ifdef EXPERIMENTAL_BRIGHTMAIL
172 TRUE, /* bmi_optin */
174 FALSE, /* condition */
176 #ifdef WITH_CONTENT_SCAN
180 #ifdef WITH_OLD_DEMIME
183 FALSE, /* dnslists */
185 FALSE, /* encrypted */
188 FALSE, /* local_parts */
189 TRUE, /* log_message */
191 #ifdef WITH_CONTENT_SCAN
195 #ifdef WITH_CONTENT_SCAN
196 FALSE, /* mime_regex */
198 FALSE, /* recipients */
199 #ifdef WITH_CONTENT_SCAN
202 FALSE, /* sender_domains */
205 #ifdef WITH_CONTENT_SCAN
208 #ifdef EXPERIMENTAL_SPF
214 /* Bit map vector of which conditions are not allowed at certain times. For
215 each condition, there's a bitmap of dis-allowed times. */
217 static unsigned int cond_forbids[] = {
219 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
222 #ifdef EXPERIMENTAL_BRIGHTMAIL
223 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
224 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
225 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
226 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
227 (1<<ACL_WHERE_MAILAUTH)|
228 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
229 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
234 /* Certain types of control are always allowed, so we let it through
235 always and check in the control processing itself */
239 #ifdef WITH_CONTENT_SCAN
240 (1<<ACL_WHERE_AUTH)| /* decode */
241 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
242 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
243 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
244 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
245 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
246 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
251 #ifdef WITH_OLD_DEMIME
252 (1<<ACL_WHERE_AUTH)| /* demime */
253 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
254 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
255 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
256 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
257 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
258 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
261 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
263 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
264 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
265 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
266 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
267 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
268 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
271 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
274 (1<<ACL_WHERE_NOTSMTP), /* hosts */
276 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
277 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
278 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
279 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
280 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
281 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
287 #ifdef WITH_CONTENT_SCAN
288 (1<<ACL_WHERE_AUTH)| /* malware */
289 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
290 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
291 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
292 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
293 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
294 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
299 #ifdef WITH_CONTENT_SCAN
300 (1<<ACL_WHERE_AUTH)| /* mime_regex */
301 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
302 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
303 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
304 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
305 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
306 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
309 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
310 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
311 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
312 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
313 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
314 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
317 #ifdef WITH_CONTENT_SCAN
318 (1<<ACL_WHERE_AUTH)| /* regex */
319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
324 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
327 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
329 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
330 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
331 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
333 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
335 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
336 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
337 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
341 #ifdef WITH_CONTENT_SCAN
342 (1<<ACL_WHERE_AUTH)| /* spam */
343 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
344 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
345 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
346 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
347 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
348 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
351 #ifdef EXPERIMENTAL_SPF
352 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
354 (1<<ACL_WHERE_MAILAUTH)|
355 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
356 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
359 /* Certain types of verify are always allowed, so we let it through
360 always and check in the verify function itself */
366 /* Return values from decode_control() */
369 #ifdef EXPERIMENTAL_BRIGHTMAIL
372 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
373 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
374 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
375 #ifdef WITH_CONTENT_SCAN
376 CONTROL_NO_MBOX_UNSPOOL,
378 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
380 /* Bit map vector of which controls are not allowed at certain times. For
381 each control, there's a bitmap of dis-allowed times. For some, it is easier to
382 specify the negation of a small number of allowed times. */
384 static unsigned int control_forbids[] = {
385 #ifdef EXPERIMENTAL_BRIGHTMAIL
389 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
390 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
391 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
392 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
394 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
395 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
396 (1<<ACL_WHERE_NOTSMTP)),
398 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
399 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
400 (1<<ACL_WHERE_NOTSMTP)),
402 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
403 (1<<ACL_WHERE_PREDATA)),
405 #ifdef WITH_CONTENT_SCAN
406 (1<<ACL_WHERE_NOTSMTP), /* no_mbox_unspool */
409 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
410 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)),
412 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
415 /* Structure listing various control arguments, with their characteristics. */
417 typedef struct control_def {
419 int value; /* CONTROL_xxx value */
420 BOOL has_option; /* Has /option(s) following */
423 static control_def controls_list[] = {
424 #ifdef EXPERIMENTAL_BRIGHTMAIL
425 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
427 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
428 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
429 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
430 { US"freeze", CONTROL_FREEZE, FALSE},
431 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
432 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
433 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
434 #ifdef WITH_CONTENT_SCAN
435 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
437 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
438 { US"submission", CONTROL_SUBMISSION, TRUE}
441 /* Enable recursion between acl_check_internal() and acl_check_condition() */
443 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
447 /*************************************************
448 * Pick out name from list *
449 *************************************************/
451 /* Use a binary chop method
458 Returns: offset in list, or -1 if not found
462 acl_checkname(uschar *name, uschar **list, int end)
468 int mid = (start + end)/2;
469 int c = Ustrcmp(name, list[mid]);
470 if (c == 0) return mid;
471 if (c < 0) end = mid; else start = mid + 1;
478 /*************************************************
479 * Read and parse one ACL *
480 *************************************************/
482 /* This function is called both from readconf in order to parse the ACLs in the
483 configuration file, and also when an ACL is encountered dynamically (e.g. as
484 the result of an expansion). It is given a function to call in order to
485 retrieve the lines of the ACL. This function handles skipping comments and
486 blank lines (where relevant).
489 func function to get next line of ACL
490 error where to put an error message
492 Returns: pointer to ACL, or NULL
493 NULL can be legal (empty ACL); in this case error will be NULL
497 acl_read(uschar *(*func)(void), uschar **error)
499 acl_block *yield = NULL;
500 acl_block **lastp = &yield;
501 acl_block *this = NULL;
502 acl_condition_block *cond;
503 acl_condition_block **condp = NULL;
508 while ((s = (*func)()) != NULL)
511 BOOL negated = FALSE;
512 uschar *saveline = s;
515 /* Conditions (but not verbs) are allowed to be negated by an initial
518 while (isspace(*s)) s++;
525 /* Read the name of a verb or a condition, or the start of a new ACL */
527 s = readconf_readname(name, sizeof(name), s);
530 if (negated || name[0] == 0)
532 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
538 /* If a verb is unrecognized, it may be another condition or modifier that
539 continues the previous verb. */
541 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
546 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
557 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
560 this = store_get(sizeof(acl_block));
562 lastp = &(this->next);
565 this->condition = NULL;
566 condp = &(this->condition);
567 if (*s == 0) continue; /* No condition on this line */
573 s = readconf_readname(name, sizeof(name), s); /* Condition name */
576 /* Handle a condition or modifier. */
578 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
581 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
586 /* The modifiers may not be negated */
588 if (negated && cond_modifiers[c])
590 *error = string_sprintf("ACL error: negation is not allowed with "
591 "\"%s\"", conditions[c]);
595 /* ENDPASS may occur only with ACCEPT or DISCARD. */
597 if (c == ACLC_ENDPASS &&
598 this->verb != ACL_ACCEPT &&
599 this->verb != ACL_DISCARD)
601 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
602 conditions[c], verbs[this->verb]);
606 cond = store_get(sizeof(acl_condition_block));
609 cond->u.negated = negated;
612 condp = &(cond->next);
614 /* The "set" modifier is different in that its argument is "name=value"
615 rather than just a value, and we can check the validity of the name, which
616 gives us a variable number to insert into the data block. */
620 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
621 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
623 *error = string_sprintf("unrecognized name after \"set\" in ACL "
624 "modifier \"set %s\"", s);
628 cond->u.varnumber = s[5] - '0';
629 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
631 while (isspace(*s)) s++;
634 /* For "set", we are now positioned for the data. For the others, only
635 "endpass" has no data */
637 if (c != ACLC_ENDPASS)
641 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
642 cond_modifiers[c]? US"modifier" : US"condition");
645 while (isspace(*s)) s++;
646 cond->arg = string_copy(s);
655 /*************************************************
657 *************************************************/
659 /* This function is called when a WARN verb's conditions are true. It adds to
660 the message's headers, and/or writes information to the log. In each case, this
661 only happens once (per message for headers, per connection for log).
664 where ACL_WHERE_xxxx indicating which ACL this is
665 user_message message for adding to headers
666 log_message message for logging, if different
672 acl_warn(int where, uschar *user_message, uschar *log_message)
676 if (log_message != NULL && log_message != user_message)
681 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
682 string_printing(log_message));
684 /* If a sender verification has failed, and the log message is "sender verify
685 failed", add the failure message. */
687 if (sender_verified_failed != NULL &&
688 sender_verified_failed->message != NULL &&
689 strcmpic(log_message, US"sender verify failed") == 0)
690 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
692 /* Search previously logged warnings. They are kept in malloc store so they
693 can be freed at the start of a new message. */
695 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
696 if (Ustrcmp(logged->text, text) == 0) break;
700 int length = Ustrlen(text) + 1;
701 log_write(0, LOG_MAIN, "%s", text);
702 logged = store_malloc(sizeof(string_item) + length);
703 logged->text = (uschar *)logged + sizeof(string_item);
704 memcpy(logged->text, text, length);
705 logged->next = acl_warn_logged;
706 acl_warn_logged = logged;
710 /* If there's no user message, we are done. */
712 if (user_message == NULL) return;
714 /* If this isn't a message ACL, we can't do anything with a user message.
717 if (where > ACL_WHERE_NOTSMTP)
719 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
720 "found in a non-message (%s) ACL: cannot specify header lines here: "
721 "message ignored", acl_wherenames[where]);
725 /* Treat the user message as a sequence of one or more header lines. */
727 hlen = Ustrlen(user_message);
730 uschar *text, *p, *q;
732 /* Add a final newline if not present */
734 text = ((user_message)[hlen-1] == '\n')? user_message :
735 string_sprintf("%s\n", user_message);
737 /* Loop for multiple header lines, taking care about continuations */
739 for (p = q = text; *p != 0; )
742 int newtype = htype_add_bot;
743 header_line **hptr = &acl_warn_headers;
745 /* Find next header line within the string */
749 q = Ustrchr(q, '\n');
750 if (*(++q) != ' ' && *q != '\t') break;
753 /* If the line starts with a colon, interpret the instruction for where to
754 add it. This temporarily sets up a new type. */
758 if (strncmpic(p, US":after_received:", 16) == 0)
760 newtype = htype_add_rec;
763 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
765 newtype = htype_add_rfc;
768 else if (strncmpic(p, US":at_start:", 10) == 0)
770 newtype = htype_add_top;
773 else if (strncmpic(p, US":at_end:", 8) == 0)
775 newtype = htype_add_bot;
778 while (*p == ' ' || *p == '\t') p++;
781 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
782 to the front of it. */
784 for (s = p; s < q - 1; s++)
786 if (*s == ':' || !isgraph(*s)) break;
789 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
792 /* See if this line has already been added */
794 while (*hptr != NULL)
796 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
797 hptr = &((*hptr)->next);
800 /* Add if not previously present */
804 header_line *h = store_get(sizeof(header_line));
813 /* Advance for next header line within the string */
822 /*************************************************
823 * Verify and check reverse DNS *
824 *************************************************/
826 /* Called from acl_verify() below. We look up the host name(s) of the client IP
827 address if this has not yet been done. The host_name_lookup() function checks
828 that one of these names resolves to an address list that contains the client IP
829 address, so we don't actually have to do the check here.
832 user_msgptr pointer for user message
833 log_msgptr pointer for log message
835 Returns: OK verification condition succeeded
836 FAIL verification failed
837 DEFER there was a problem verifying
841 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
845 user_msgptr = user_msgptr; /* stop compiler warning */
847 /* Previous success */
849 if (sender_host_name != NULL) return OK;
851 /* Previous failure */
853 if (host_lookup_failed)
855 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
859 /* Need to do a lookup */
862 debug_printf("looking up host name to force name/address consistency check\n");
864 if ((rc = host_name_lookup()) != OK)
866 *log_msgptr = (rc == DEFER)?
867 US"host lookup deferred for reverse lookup check"
869 string_sprintf("host lookup failed for reverse lookup check%s",
871 return rc; /* DEFER or FAIL */
874 host_build_sender_fullhost();
880 /*************************************************
881 * Handle verification (address & other) *
882 *************************************************/
884 /* This function implements the "verify" condition. It is called when
885 encountered in any ACL, because some tests are almost always permitted. Some
886 just don't make sense, and always fail (for example, an attempt to test a host
887 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
890 where where called from
891 addr the recipient address that the ACL is handling, or NULL
892 arg the argument of "verify"
893 user_msgptr pointer for user message
894 log_msgptr pointer for log message
895 basic_errno where to put verify errno
897 Returns: OK verification condition succeeded
898 FAIL verification failed
899 DEFER there was a problem verifying
904 acl_verify(int where, address_item *addr, uschar *arg,
905 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
909 int callout_overall = -1;
910 int callout_connect = -1;
911 int verify_options = 0;
913 BOOL verify_header_sender = FALSE;
914 BOOL defer_ok = FALSE;
915 BOOL callout_defer_ok = FALSE;
916 BOOL no_details = FALSE;
917 address_item *sender_vaddr = NULL;
918 uschar *verify_sender_address = NULL;
919 uschar *pm_mailfrom = NULL;
920 uschar *se_mailfrom = NULL;
922 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
924 if (ss == NULL) goto BAD_VERIFY;
926 /* Handle name/address consistency verification in a separate function. */
928 if (strcmpic(ss, US"reverse_host_lookup") == 0)
930 if (sender_host_address == NULL) return OK;
931 return acl_verify_reverse(user_msgptr, log_msgptr);
934 /* TLS certificate verification is done at STARTTLS time; here we just
935 test whether it was successful or not. (This is for optional verification; for
936 mandatory verification, the connection doesn't last this long.) */
938 if (strcmpic(ss, US"certificate") == 0)
940 if (tls_certificate_verified) return OK;
941 *user_msgptr = US"no verified certificate";
945 /* We can test the result of optional HELO verification */
947 if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
949 /* Handle header verification options - permitted only after DATA or a non-SMTP
952 if (strncmpic(ss, US"header_", 7) == 0)
954 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
956 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
957 "(only possible in ACL for DATA)", acl_wherenames[where]);
961 /* Check that all relevant header lines have the correct syntax. If there is
962 a syntax error, we return details of the error to the sender if configured to
963 send out full details. (But a "message" setting on the ACL can override, as
966 if (strcmpic(ss+7, US"syntax") == 0)
968 int rc = verify_check_headers(log_msgptr);
969 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
970 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
974 /* Check that there is at least one verifiable sender address in the relevant
975 header lines. This can be followed by callout and defer options, just like
976 sender and recipient. */
978 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
980 /* Unknown verify argument starting with "header_" */
982 else goto BAD_VERIFY;
985 /* Otherwise, first item in verify argument must be "sender" or "recipient".
986 In the case of a sender, this can optionally be followed by an address to use
987 in place of the actual sender (rare special-case requirement). */
989 else if (strncmpic(ss, US"sender", 6) == 0)
992 if (where > ACL_WHERE_NOTSMTP)
994 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
995 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
996 acl_wherenames[where]);
1000 verify_sender_address = sender_address;
1003 while (isspace(*s)) s++;
1004 if (*s++ != '=') goto BAD_VERIFY;
1005 while (isspace(*s)) s++;
1006 verify_sender_address = string_copy(s);
1011 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1014 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1015 "(only possible for RCPT)", acl_wherenames[where]);
1020 /* Remaining items are optional */
1022 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1025 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1026 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1028 /* These two old options are left for backwards compatibility */
1030 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1032 callout_defer_ok = TRUE;
1033 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1036 else if (strcmpic(ss, US"check_postmaster") == 0)
1039 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1042 /* The callout option has a number of sub-options, comma separated */
1044 else if (strncmpic(ss, US"callout", 7) == 0)
1046 callout = CALLOUT_TIMEOUT_DEFAULT;
1050 while (isspace(*ss)) ss++;
1056 while (isspace(*ss)) ss++;
1058 /* This callout option handling code has become a mess as new options
1059 have been added in an ad hoc manner. It should be tidied up into some
1060 kind of table-driven thing. */
1062 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1065 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1066 else if (strcmpic(opt, US"no_cache") == 0)
1067 verify_options |= vopt_callout_no_cache;
1068 else if (strcmpic(opt, US"random") == 0)
1069 verify_options |= vopt_callout_random;
1070 else if (strcmpic(opt, US"use_sender") == 0)
1071 verify_options |= vopt_callout_recipsender;
1072 else if (strcmpic(opt, US"use_postmaster") == 0)
1073 verify_options |= vopt_callout_recippmaster;
1074 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1076 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1078 if (!verify_header_sender)
1080 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1081 "callout option only for verify=header_sender (detected in ACL "
1082 "condition \"%s\")", arg);
1086 while (isspace(*opt)) opt++;
1089 *log_msgptr = string_sprintf("'=' expected after "
1090 "\"mailfrom\" in ACL condition \"%s\"", arg);
1093 while (isspace(*opt)) opt++;
1094 se_mailfrom = string_copy(opt);
1097 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1100 while (isspace(*opt)) opt++;
1103 *log_msgptr = string_sprintf("'=' expected after "
1104 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1107 while (isspace(*opt)) opt++;
1108 pm_mailfrom = string_copy(opt);
1111 else if (strncmpic(opt, US"maxwait", 7) == 0)
1114 while (isspace(*opt)) opt++;
1117 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1118 "ACL condition \"%s\"", arg);
1121 while (isspace(*opt)) opt++;
1122 callout_overall = readconf_readtime(opt, 0, FALSE);
1123 if (callout_overall < 0)
1125 *log_msgptr = string_sprintf("bad time value in ACL condition "
1126 "\"verify %s\"", arg);
1130 else if (strncmpic(opt, US"connect", 7) == 0)
1133 while (isspace(*opt)) opt++;
1136 *log_msgptr = string_sprintf("'=' expected after "
1137 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1140 while (isspace(*opt)) opt++;
1141 callout_connect = readconf_readtime(opt, 0, FALSE);
1142 if (callout_connect < 0)
1144 *log_msgptr = string_sprintf("bad time value in ACL condition "
1145 "\"verify %s\"", arg);
1149 else /* Plain time is callout connect/command timeout */
1151 callout = readconf_readtime(opt, 0, FALSE);
1154 *log_msgptr = string_sprintf("bad time value in ACL condition "
1155 "\"verify %s\"", arg);
1163 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1164 "ACL condition \"%s\"", arg);
1170 /* Option not recognized */
1174 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1175 "condition \"verify %s\"", ss, arg);
1180 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1181 (vopt_callout_recipsender|vopt_callout_recippmaster))
1183 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1184 "for a recipient callout";
1188 /* Handle sender-in-header verification. Default the user message to the log
1189 message if giving out verification details. */
1191 if (verify_header_sender)
1193 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1194 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options);
1195 if (smtp_return_error_details)
1197 if (*user_msgptr == NULL && *log_msgptr != NULL)
1198 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1199 if (rc == DEFER) acl_temp_details = TRUE;
1203 /* Handle a sender address. The default is to verify *the* sender address, but
1204 optionally a different address can be given, for special requirements. If the
1205 address is empty, we are dealing with a bounce message that has no sender, so
1206 we cannot do any checking. If the real sender address gets rewritten during
1207 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1208 during message reception.
1210 A list of verified "sender" addresses is kept to try to avoid doing to much
1211 work repetitively when there are multiple recipients in a message and they all
1212 require sender verification. However, when callouts are involved, it gets too
1213 complicated because different recipients may require different callout options.
1214 Therefore, we always do a full sender verify when any kind of callout is
1215 specified. Caching elsewhere, for instance in the DNS resolver and in the
1216 callout handling, should ensure that this is not terribly inefficient. */
1218 else if (verify_sender_address != NULL)
1220 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1223 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1224 "sender verify callout";
1228 sender_vaddr = verify_checked_sender(verify_sender_address);
1229 if (sender_vaddr != NULL && /* Previously checked */
1230 callout <= 0) /* No callout needed this time */
1232 /* If the "routed" flag is set, it means that routing worked before, so
1233 this check can give OK (the saved return code value, if set, belongs to a
1234 callout that was done previously). If the "routed" flag is not set, routing
1235 must have failed, so we use the saved return code. */
1237 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1239 rc = sender_vaddr->special_action;
1240 *basic_errno = sender_vaddr->basic_errno;
1242 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1245 /* Do a new verification, and cache the result. The cache is used to avoid
1246 verifying the sender multiple times for multiple RCPTs when callouts are not
1247 specified (see comments above).
1249 The cache is also used on failure to give details in response to the first
1250 RCPT that gets bounced for this reason. However, this can be suppressed by
1251 the no_details option, which sets the flag that says "this detail has already
1252 been sent". The cache normally contains just one address, but there may be
1253 more in esoteric circumstances. */
1258 uschar *save_address_data = deliver_address_data;
1260 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1261 if (no_details) setflag(sender_vaddr, af_sverify_told);
1262 if (verify_sender_address[0] != 0)
1264 /* If this is the real sender address, save the unrewritten version
1265 for use later in receive. Otherwise, set a flag so that rewriting the
1266 sender in verify_address() does not update sender_address. */
1268 if (verify_sender_address == sender_address)
1269 sender_address_unrewritten = sender_address;
1271 verify_options |= vopt_fake_sender;
1273 /* The recipient, qualify, and expn options are never set in
1276 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1277 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1279 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1283 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1285 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1286 verify_sender_address, sender_vaddr->address);
1290 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1291 verify_sender_address);
1294 else *basic_errno = sender_vaddr->basic_errno;
1296 else rc = OK; /* Null sender */
1298 /* Cache the result code */
1300 if (routed) setflag(sender_vaddr, af_verify_routed);
1301 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1302 sender_vaddr->special_action = rc;
1303 sender_vaddr->next = sender_verified_list;
1304 sender_verified_list = sender_vaddr;
1306 /* Restore the recipient address data, which might have been clobbered by
1307 the sender verification. */
1309 deliver_address_data = save_address_data;
1312 /* Put the sender address_data value into $sender_address_data */
1314 sender_address_data = sender_vaddr->p.address_data;
1317 /* A recipient address just gets a straightforward verify; again we must handle
1318 the DEFER overrides. */
1324 /* We must use a copy of the address for verification, because it might
1328 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1329 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1330 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1331 *log_msgptr = addr2.message;
1332 *user_msgptr = addr2.user_message;
1333 *basic_errno = addr2.basic_errno;
1335 /* Make $address_data visible */
1336 deliver_address_data = addr2.p.address_data;
1339 /* We have a result from the relevant test. Handle defer overrides first. */
1341 if (rc == DEFER && (defer_ok ||
1342 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1344 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1345 defer_ok? "defer_ok" : "callout_defer_ok");
1349 /* If we've failed a sender, set up a recipient message, and point
1350 sender_verified_failed to the address item that actually failed. */
1352 if (rc != OK && verify_sender_address != NULL)
1356 *log_msgptr = *user_msgptr = US"Sender verify failed";
1358 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1360 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1364 *log_msgptr = US"Could not complete sender verify callout";
1365 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1369 sender_verified_failed = sender_vaddr;
1372 /* Verifying an address messes up the values of $domain and $local_part,
1373 so reset them before returning if this is a RCPT ACL. */
1377 deliver_domain = addr->domain;
1378 deliver_localpart = addr->local_part;
1382 /* Syntax errors in the verify argument come here. */
1385 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1386 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1387 "\"verify %s\"", arg);
1394 /*************************************************
1395 * Check argument for control= modifier *
1396 *************************************************/
1398 /* Called from acl_check_condition() below
1401 arg the argument string for control=
1402 pptr set to point to the terminating character
1403 where which ACL we are in
1404 log_msgptr for error messages
1406 Returns: CONTROL_xxx value
1410 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1415 for (d = controls_list;
1416 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1419 len = Ustrlen(d->name);
1420 if (Ustrncmp(d->name, arg, len) == 0) break;
1423 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1424 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1426 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1427 return CONTROL_ERROR;
1436 /*************************************************
1437 * Handle conditions/modifiers on an ACL item *
1438 *************************************************/
1440 /* Called from acl_check() below.
1444 cb ACL condition block - if NULL, result is OK
1445 where where called from
1446 addr the address being checked for RCPT, or NULL
1447 level the nesting level
1448 epp pointer to pass back TRUE if "endpass" encountered
1449 (applies only to "accept" and "discard")
1450 user_msgptr user message pointer
1451 log_msgptr log message pointer
1452 basic_errno pointer to where to put verify error
1454 Returns: OK - all conditions are met
1455 DISCARD - an "acl" condition returned DISCARD - only allowed
1456 for "accept" or "discard" verbs
1457 FAIL - at least one condition fails
1458 FAIL_DROP - an "acl" condition returned FAIL_DROP
1459 DEFER - can't tell at the moment (typically, lookup defer,
1460 but can be temporary callout problem)
1461 ERROR - ERROR from nested ACL or expansion failure or other
1466 acl_check_condition(int verb, acl_condition_block *cb, int where,
1467 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1468 uschar **log_msgptr, int *basic_errno)
1470 uschar *user_message = NULL;
1471 uschar *log_message = NULL;
1474 #ifdef WITH_CONTENT_SCAN
1478 for (; cb != NULL; cb = cb->next)
1483 /* The message and log_message items set up messages to be used in
1484 case of rejection. They are expanded later. */
1486 if (cb->type == ACLC_MESSAGE)
1488 user_message = cb->arg;
1492 if (cb->type == ACLC_LOG_MESSAGE)
1494 log_message = cb->arg;
1498 /* The endpass "condition" just sets a flag to show it occurred. This is
1499 checked at compile time to be on an "accept" or "discard" item. */
1501 if (cb->type == ACLC_ENDPASS)
1507 /* For other conditions and modifiers, the argument is expanded now for some
1508 of them, but not for all, because expansion happens down in some lower level
1509 checking functions in some cases. */
1511 if (cond_expand_at_top[cb->type])
1513 arg = expand_string(cb->arg);
1516 if (expand_string_forcedfail) continue;
1517 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1518 cb->arg, expand_string_message);
1519 return search_find_defer? DEFER : ERROR;
1524 /* Show condition, and expanded condition if it's different */
1529 debug_printf("check %s%s %n",
1530 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1531 conditions[cb->type], &lhswidth);
1533 if (cb->type == ACLC_SET)
1535 int n = cb->u.varnumber;
1536 int t = (n < ACL_C_MAX)? 'c' : 'm';
1537 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1538 debug_printf("acl_%c%d ", t, n);
1542 debug_printf("= %s\n", cb->arg);
1545 debug_printf("%.*s= %s\n", lhswidth,
1549 /* Check that this condition makes sense at this time */
1551 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1553 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1554 cond_modifiers[cb->type]? "use" : "test",
1555 conditions[cb->type], acl_wherenames[where]);
1559 /* Run the appropriate test for each condition, or take the appropriate
1560 action for the remaining modifiers. */
1564 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1568 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1569 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1571 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1572 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1578 case ACLC_AUTHENTICATED:
1579 rc = (sender_host_authenticated == NULL)? FAIL :
1580 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1584 #ifdef EXPERIMENTAL_BRIGHTMAIL
1585 case ACLC_BMI_OPTIN:
1587 int old_pool = store_pool;
1588 store_pool = POOL_PERM;
1589 bmi_current_optin = string_copy(arg);
1590 store_pool = old_pool;
1595 case ACLC_CONDITION:
1596 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1597 rc = (Uatoi(arg) == 0)? FAIL : OK;
1599 rc = (strcmpic(arg, US"no") == 0 ||
1600 strcmpic(arg, US"false") == 0)? FAIL :
1601 (strcmpic(arg, US"yes") == 0 ||
1602 strcmpic(arg, US"true") == 0)? OK : DEFER;
1604 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1608 control_type = decode_control(arg, &p, where, log_msgptr);
1610 /* Check if this control makes sense at this time */
1612 if ((control_forbids[control_type] & (1 << where)) != 0)
1614 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1615 controls[control_type], acl_wherenames[where]);
1619 switch(control_type)
1621 #ifdef EXPERIMENTAL_BRIGHTMAIL
1622 case CONTROL_BMI_RUN:
1630 case CONTROL_CASEFUL_LOCAL_PART:
1631 deliver_localpart = addr->cc_local_part;
1634 case CONTROL_CASELOWER_LOCAL_PART:
1635 deliver_localpart = addr->lc_local_part;
1638 case CONTROL_ENFORCE_SYNC:
1639 smtp_enforce_sync = TRUE;
1642 case CONTROL_NO_ENFORCE_SYNC:
1643 smtp_enforce_sync = FALSE;
1646 #ifdef WITH_CONTENT_SCAN
1647 case CONTROL_NO_MBOX_UNSPOOL:
1648 no_mbox_unspool = TRUE;
1652 case CONTROL_NO_MULTILINE:
1653 no_multiline_responses = TRUE;
1656 case CONTROL_FAKEREJECT:
1661 while (*pp != 0) pp++;
1662 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1667 /* Explicitly reset to default string */
1668 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legit message, it may still be delivered to the target recipient(s).";
1672 case CONTROL_FREEZE:
1673 deliver_freeze = TRUE;
1674 deliver_frozen_at = time(NULL);
1677 case CONTROL_QUEUE_ONLY:
1678 queue_only_policy = TRUE;
1681 case CONTROL_SUBMISSION:
1682 submission_mode = TRUE;
1685 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1688 active_local_sender_retain = TRUE;
1689 active_local_from_check = FALSE;
1691 else if (Ustrncmp(p, "/domain=", 8) == 0)
1694 while (*pp != 0 && *pp != '/') pp++;
1695 submission_domain = string_copyn(p+8, pp-p);
1702 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1709 #ifdef WITH_CONTENT_SCAN
1711 rc = mime_decode(&arg);
1717 int delay = readconf_readtime(arg, 0, FALSE);
1720 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1721 "modifier: \"%s\" is not a time value", arg);
1726 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1731 debug_printf("delay skipped in -bh checking mode\n");
1735 while (delay > 0) delay = sleep(delay);
1741 #ifdef WITH_OLD_DEMIME
1748 rc = verify_check_dnsbl(&arg);
1752 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1753 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1756 /* The value in tls_cipher is the full cipher name, for example,
1757 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1758 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1759 what may in practice come out of the SSL library - which at the time of
1760 writing is poorly documented. */
1762 case ACLC_ENCRYPTED:
1763 if (tls_cipher == NULL) rc = FAIL; else
1765 uschar *endcipher = NULL;
1766 uschar *cipher = Ustrchr(tls_cipher, ':');
1767 if (cipher == NULL) cipher = tls_cipher; else
1769 endcipher = Ustrchr(++cipher, ':');
1770 if (endcipher != NULL) *endcipher = 0;
1772 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1773 if (endcipher != NULL) *endcipher = ':';
1777 /* Use verify_check_this_host() instead of verify_check_host() so that
1778 we can pass over &host_data to catch any looked up data. Once it has been
1779 set, it retains its value so that it's still there if another ACL verb
1780 comes through here and uses the cache. However, we must put it into
1781 permanent store in case it is also expected to be used in a subsequent
1782 message in the same SMTP connection. */
1785 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1786 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1787 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1790 case ACLC_LOCAL_PARTS:
1791 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1792 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1793 &deliver_localpart_data);
1805 if (Ustrncmp(s, "main", 4) == 0)
1806 { logbits |= LOG_MAIN; s += 4; }
1807 else if (Ustrncmp(s, "panic", 5) == 0)
1808 { logbits |= LOG_PANIC; s += 5; }
1809 else if (Ustrncmp(s, "reject", 6) == 0)
1810 { logbits |= LOG_REJECT; s += 6; }
1813 logbits = LOG_MAIN|LOG_PANIC;
1814 s = string_sprintf(":unknown log name in \"%s\" in "
1815 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
1821 while (isspace(*s)) s++;
1822 if (logbits == 0) logbits = LOG_MAIN;
1823 log_write(0, logbits, "%s", string_printing(s));
1827 #ifdef WITH_CONTENT_SCAN
1830 /* Seperate the regular expression and any optional parameters. */
1831 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1832 /* Run the malware backend. */
1834 /* Modify return code based upon the existance of options. */
1835 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1837 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1839 /* FAIL so that the message is passed to the next ACL */
1846 case ACLC_MIME_REGEX:
1847 rc = mime_regex(&arg);
1851 case ACLC_RECIPIENTS:
1852 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
1856 #ifdef WITH_CONTENT_SCAN
1862 case ACLC_SENDER_DOMAINS:
1865 sdomain = Ustrrchr(sender_address, '@');
1866 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
1867 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
1868 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
1873 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
1874 sender_address_cache, -1, 0, &sender_data);
1877 /* Connection variables must persist forever */
1881 int old_pool = store_pool;
1882 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
1883 acl_var[cb->u.varnumber] = string_copy(arg);
1884 store_pool = old_pool;
1888 #ifdef WITH_CONTENT_SCAN
1891 /* Seperate the regular expression and any optional parameters. */
1892 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1893 /* Run the spam backend. */
1895 /* Modify return code based upon the existance of options. */
1896 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1898 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1900 /* FAIL so that the message is passed to the next ACL */
1908 #ifdef EXPERIMENTAL_SPF
1910 rc = spf_process(&arg, sender_address);
1914 /* If the verb is WARN, discard any user message from verification, because
1915 such messages are SMTP responses, not header additions. The latter come
1916 only from explicit "message" modifiers. */
1919 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
1920 if (verb == ACL_WARN) *user_msgptr = NULL;
1924 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
1925 "condition %d", cb->type);
1929 /* If a condition was negated, invert OK/FAIL. */
1931 if (!cond_modifiers[cb->type] && cb->u.negated)
1933 if (rc == OK) rc = FAIL;
1934 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
1937 if (rc != OK) break; /* Conditions loop */
1941 /* If the result is the one for which "message" and/or "log_message" are used,
1942 handle the values of these options. Most verbs have but a single return for
1943 which the messages are relevant, but for "discard", it's useful to have the log
1944 message both when it succeeds and when it fails. Also, for an "accept" that
1945 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
1946 and "warn" are permitted in that ACL, we don't need to test the verb.
1948 These modifiers act in different ways:
1950 "message" is a user message that will be included in an SMTP response. Unless
1951 it is empty, it overrides any previously set user message.
1953 "log_message" is a non-user message, and it adds to any existing non-user
1954 message that is already set.
1956 If there isn't a log message set, we make it the same as the user message. */
1958 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
1959 (verb == ACL_DISCARD && rc == OK) ||
1960 (where == ACL_WHERE_QUIT))
1964 /* If the verb is "warn", messages generated by conditions (verification or
1965 nested ACLs) are discarded. Only messages specified at this level are used.
1966 However, the value of an existing message is available in $acl_verify_message
1967 during expansions. */
1969 uschar *old_user_msgptr = *user_msgptr;
1970 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
1972 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
1974 if (user_message != NULL)
1976 acl_verify_message = old_user_msgptr;
1977 expmessage = expand_string(user_message);
1978 if (expmessage == NULL)
1980 if (!expand_string_forcedfail)
1981 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1982 user_message, expand_string_message);
1984 else if (expmessage[0] != 0) *user_msgptr = expmessage;
1987 if (log_message != NULL)
1989 acl_verify_message = old_log_msgptr;
1990 expmessage = expand_string(log_message);
1991 if (expmessage == NULL)
1993 if (!expand_string_forcedfail)
1994 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1995 log_message, expand_string_message);
1997 else if (expmessage[0] != 0)
1999 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2000 string_sprintf("%s: %s", expmessage, *log_msgptr);
2004 /* If no log message, default it to the user message */
2006 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2009 acl_verify_message = NULL;
2017 /*************************************************
2018 * Get line from a literal ACL *
2019 *************************************************/
2021 /* This function is passed to acl_read() in order to extract individual lines
2022 of a literal ACL, which we access via static pointers. We can destroy the
2023 contents because this is called only once (the compiled ACL is remembered).
2025 This code is intended to treat the data in the same way as lines in the main
2026 Exim configuration file. That is:
2028 . Leading spaces are ignored.
2030 . A \ at the end of a line is a continuation - trailing spaces after the \
2031 are permitted (this is because I don't believe in making invisible things
2032 significant). Leading spaces on the continued part of a line are ignored.
2034 . Physical lines starting (significantly) with # are totally ignored, and
2035 may appear within a sequence of backslash-continued lines.
2037 . Blank lines are ignored, but will end a sequence of continuations.
2040 Returns: a pointer to the next line
2044 static uschar *acl_text; /* Current pointer in the text */
2045 static uschar *acl_text_end; /* Points one past the terminating '0' */
2053 /* This loop handles leading blank lines and comments. */
2057 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2058 if (*acl_text == 0) return NULL; /* No more data */
2059 yield = acl_text; /* Potential data line */
2061 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2063 /* If we hit the end before a newline, we have the whole logical line. If
2064 it's a comment, there's no more data to be given. Otherwise, yield it. */
2066 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2068 /* After reaching a newline, end this loop if the physical line does not
2069 start with '#'. If it does, it's a comment, and the loop continues. */
2071 if (*yield != '#') break;
2074 /* This loop handles continuations. We know we have some real data, ending in
2075 newline. See if there is a continuation marker at the end (ignoring trailing
2076 white space). We know that *yield is not white space, so no need to test for
2077 cont > yield in the backwards scanning loop. */
2082 for (cont = acl_text - 1; isspace(*cont); cont--);
2084 /* If no continuation follows, we are done. Mark the end of the line and
2093 /* We have encountered a continuation. Skip over whitespace at the start of
2094 the next line, and indeed the whole of the next line or lines if they are
2099 while (*(++acl_text) == ' ' || *acl_text == '\t');
2100 if (*acl_text != '#') break;
2101 while (*(++acl_text) != 0 && *acl_text != '\n');
2104 /* We have the start of a continuation line. Move all the rest of the data
2105 to join onto the previous line, and then find its end. If the end is not a
2106 newline, we are done. Otherwise loop to look for another continuation. */
2108 memmove(cont, acl_text, acl_text_end - acl_text);
2109 acl_text_end -= acl_text - cont;
2111 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2112 if (*acl_text == 0) return yield;
2115 /* Control does not reach here */
2122 /*************************************************
2123 * Check access using an ACL *
2124 *************************************************/
2126 /* This function is called from address_check. It may recurse via
2127 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2128 passed as a string which is expanded. A forced failure implies no access check
2129 is required. If the result is a single word, it is taken as the name of an ACL
2130 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2131 text, complete with newlines, and parsed as such. In both cases, the ACL check
2132 is then run. This function uses an auxiliary function for acl_read() to call
2133 for reading individual lines of a literal ACL. This is acl_getline(), which
2134 appears immediately above.
2137 where where called from
2138 addr address item when called from RCPT; otherwise NULL
2139 s the input string; NULL is the same as an empty ACL => DENY
2140 level the nesting level
2141 user_msgptr where to put a user error (for SMTP response)
2142 log_msgptr where to put a logging message (not for SMTP response)
2144 Returns: OK access is granted
2145 DISCARD access is apparently granted...
2146 FAIL access is denied
2147 FAIL_DROP access is denied; drop the connection
2148 DEFER can't tell at the moment
2153 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2154 uschar **user_msgptr, uschar **log_msgptr)
2157 acl_block *acl = NULL;
2158 uschar *acl_name = US"inline ACL";
2161 /* Catch configuration loops */
2165 *log_msgptr = US"ACL nested too deep: possible loop";
2171 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2175 /* At top level, we expand the incoming string. At lower levels, it has already
2176 been expanded as part of condition processing. */
2180 ss = expand_string(s);
2183 if (expand_string_forcedfail) return OK;
2184 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2185 expand_string_message);
2191 while (isspace(*ss))ss++;
2193 /* If we can't find a named ACL, the default is to parse it as an inline one.
2194 (Unless it begins with a slash; non-existent files give rise to an error.) */
2198 /* Handle the case of a string that does not contain any spaces. Look for a
2199 named ACL among those read from the configuration, or a previously read file.
2200 It is possible that the pointer to the ACL is NULL if the configuration
2201 contains a name with no data. If not found, and the text begins with '/',
2202 read an ACL from a file, and save it so it can be re-used. */
2204 if (Ustrchr(ss, ' ') == NULL)
2206 tree_node *t = tree_search(acl_anchor, ss);
2209 acl = (acl_block *)(t->data.ptr);
2212 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2215 acl_name = string_sprintf("ACL \"%s\"", ss);
2216 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2219 else if (*ss == '/')
2221 struct stat statbuf;
2222 fd = Uopen(ss, O_RDONLY, 0);
2225 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2230 if (fstat(fd, &statbuf) != 0)
2232 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2237 acl_text = store_get(statbuf.st_size + 1);
2238 acl_text_end = acl_text + statbuf.st_size + 1;
2240 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2242 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2243 ss, strerror(errno));
2246 acl_text[statbuf.st_size] = 0;
2249 acl_name = string_sprintf("ACL \"%s\"", ss);
2250 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2254 /* Parse an ACL that is still in text form. If it came from a file, remember it
2255 in the ACL tree, having read it into the POOL_PERM store pool so that it
2256 persists between multiple messages. */
2260 int old_pool = store_pool;
2261 if (fd >= 0) store_pool = POOL_PERM;
2262 acl = acl_read(acl_getline, log_msgptr);
2263 store_pool = old_pool;
2264 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2267 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2268 Ustrcpy(t->name, ss);
2270 (void)tree_insertnode(&acl_anchor, t);
2274 /* Now we have an ACL to use. It's possible it may be NULL. */
2279 int basic_errno = 0;
2280 BOOL endpass_seen = FALSE;
2282 *log_msgptr = *user_msgptr = NULL;
2283 acl_temp_details = FALSE;
2285 if (where == ACL_WHERE_QUIT &&
2286 acl->verb != ACL_ACCEPT &&
2287 acl->verb != ACL_WARN)
2289 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2294 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2296 /* Clear out any search error message from a previous check before testing
2299 search_error_message = NULL;
2300 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2301 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2303 /* Handle special returns: DEFER causes a return except on a WARN verb;
2304 ERROR always causes a return. */
2309 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2310 if (basic_errno != ERRNO_CALLOUTDEFER)
2312 if (search_error_message != NULL && *search_error_message != 0)
2313 *log_msgptr = search_error_message;
2314 if (smtp_return_error_details) acl_temp_details = TRUE;
2318 acl_temp_details = TRUE;
2320 if (acl->verb != ACL_WARN) return DEFER;
2323 default: /* Paranoia */
2325 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2329 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2334 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2337 /* DISCARD and DROP can happen only from a nested ACL condition, and
2338 DISCARD can happen only for an "accept" or "discard" verb. */
2341 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2346 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2351 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2352 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2353 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2358 if (cond == OK || cond == DISCARD) return cond;
2361 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2369 acl_temp_details = TRUE;
2375 if (cond == OK) return FAIL;
2379 if (cond == OK || cond == DISCARD) return DISCARD;
2382 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2388 if (cond == OK) return FAIL_DROP;
2392 if (cond != OK) return cond;
2397 acl_warn(where, *user_msgptr, *log_msgptr);
2398 else if (cond == DEFER)
2399 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2400 "condition test deferred: %s",
2401 (*log_msgptr == NULL)? US"" : *log_msgptr));
2402 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2406 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2411 /* Pass to the next ACL item */
2416 /* We have reached the end of the ACL. This is an implicit DENY. */
2418 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2423 /*************************************************
2424 * Check access using an ACL *
2425 *************************************************/
2427 /* This is the external interface for ACL checks. It sets up an address and the
2428 expansions for $domain and $local_part when called after RCPT, then calls
2429 acl_check_internal() to do the actual work.
2432 where ACL_WHERE_xxxx indicating where called from
2433 data_string RCPT address, or SMTP command argument, or NULL
2434 s the input string; NULL is the same as an empty ACL => DENY
2435 user_msgptr where to put a user error (for SMTP response)
2436 log_msgptr where to put a logging message (not for SMTP response)
2438 Returns: OK access is granted by an ACCEPT verb
2439 DISCARD access is granted by a DISCARD verb
2440 FAIL access is denied
2441 FAIL_DROP access is denied; drop the connection
2442 DEFER can't tell at the moment
2447 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2448 uschar **log_msgptr)
2454 *user_msgptr = *log_msgptr = NULL;
2455 sender_verified_failed = NULL;
2457 if (where == ACL_WHERE_RCPT)
2459 adb = address_defaults;
2461 addr->address = data_string;
2462 if (deliver_split_address(addr) == DEFER)
2464 *log_msgptr = US"defer in percent_hack_domains check";
2467 deliver_domain = addr->domain;
2468 deliver_localpart = addr->local_part;
2473 smtp_command_argument = data_string;
2476 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2478 smtp_command_argument = deliver_domain =
2479 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2481 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2482 ACL, which is really in the middle of an SMTP command. */
2486 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2488 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2489 "ACL", acl_wherenames[where]);
2495 /* A DROP response is not permitted from MAILAUTH */
2497 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2499 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2500 "ACL", acl_wherenames[where]);
2504 /* Before giving an error response, take a look at the length of any user
2505 message, and split it up into multiple lines if possible. */
2507 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2509 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2515 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2516 if (*ss == 0) break;
2523 while (--t > s + 35)
2527 if (t[-1] == ':') { tt = t; break; }
2528 if (tt == NULL) tt = t;
2532 if (tt == NULL) /* Can't split behind - try ahead */
2537 if (*t == ' ' || *t == '\n')
2543 if (tt == NULL) break; /* Can't find anywhere to split */