1 /* $Cambridge: exim/src/src/acl.c,v 1.29 2005/05/10 10:19:11 ph10 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the condition for which "message" is used */
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
34 /* ACL condition and modifier codes - keep in step with the table that
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
46 #ifdef WITH_OLD_DEMIME
49 #ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59 #ifdef WITH_CONTENT_SCAN
63 #ifdef WITH_CONTENT_SCAN
67 #ifdef WITH_CONTENT_SCAN
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71 #ifdef WITH_CONTENT_SCAN
74 #ifdef EXPERIMENTAL_SPF
79 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80 "log_message", "logwrite", and "set" are modifiers that look like conditions
81 but always return TRUE. They are used for their side effects. */
83 static uschar *conditions[] = { US"acl", US"authenticated",
84 #ifdef EXPERIMENTAL_BRIGHTMAIL
89 #ifdef WITH_CONTENT_SCAN
93 #ifdef WITH_OLD_DEMIME
96 #ifdef EXPERIMENTAL_DOMAINKEYS
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
104 US"dnslists", US"domains", US"encrypted",
105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
106 #ifdef WITH_CONTENT_SCAN
110 #ifdef WITH_CONTENT_SCAN
114 #ifdef WITH_CONTENT_SCAN
117 US"sender_domains", US"senders", US"set",
118 #ifdef WITH_CONTENT_SCAN
121 #ifdef EXPERIMENTAL_SPF
126 /* ACL control names */
128 static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
130 US"queue_only", US"submission", US"no_multiline"};
132 /* Flags to indicate for which conditions /modifiers a string expansion is done
133 at the outer level. In the other cases, expansion already occurs in the
134 checking functions. */
136 static uschar cond_expand_at_top[] = {
138 FALSE, /* authenticated */
139 #ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
142 TRUE, /* condition */
144 #ifdef WITH_CONTENT_SCAN
148 #ifdef WITH_OLD_DEMIME
151 #ifdef EXPERIMENTAL_DOMAINKEYS
152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
155 TRUE, /* dk_sender_local_parts */
156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
161 FALSE, /* encrypted */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
167 #ifdef WITH_CONTENT_SCAN
171 #ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
174 FALSE, /* recipients */
175 #ifdef WITH_CONTENT_SCAN
178 FALSE, /* sender_domains */
181 #ifdef WITH_CONTENT_SCAN
184 #ifdef EXPERIMENTAL_SPF
190 /* Flags to identify the modifiers */
192 static uschar cond_modifiers[] = {
194 FALSE, /* authenticated */
195 #ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
198 FALSE, /* condition */
200 #ifdef WITH_CONTENT_SCAN
204 #ifdef WITH_OLD_DEMIME
207 #ifdef EXPERIMENTAL_DOMAINKEYS
208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
211 FALSE, /* dk_sender_local_parts */
212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
215 FALSE, /* dnslists */
217 FALSE, /* encrypted */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
223 #ifdef WITH_CONTENT_SCAN
227 #ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
230 FALSE, /* recipients */
231 #ifdef WITH_CONTENT_SCAN
234 FALSE, /* sender_domains */
237 #ifdef WITH_CONTENT_SCAN
240 #ifdef EXPERIMENTAL_SPF
246 /* Bit map vector of which conditions are not allowed at certain times. For
247 each condition, there's a bitmap of dis-allowed times. For some, it is easier
248 to specify the negation of a small number of allowed times. */
250 static unsigned int cond_forbids[] = {
253 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
256 #ifdef EXPERIMENTAL_BRIGHTMAIL
257 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
258 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
259 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
260 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
261 (1<<ACL_WHERE_MAILAUTH)|
262 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
263 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
268 /* Certain types of control are always allowed, so we let it through
269 always and check in the control processing itself. */
273 #ifdef WITH_CONTENT_SCAN
275 ~(1<<ACL_WHERE_MIME), /* decode */
280 #ifdef WITH_OLD_DEMIME
282 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
285 #ifdef EXPERIMENTAL_DOMAINKEYS
286 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
287 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
288 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
289 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
290 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
291 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
294 (1<<ACL_WHERE_AUTH)| /* dk_policy */
295 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
296 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
297 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
298 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
299 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
302 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
303 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
304 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
305 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
306 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
307 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
310 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
311 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
312 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
313 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
314 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
315 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
318 (1<<ACL_WHERE_AUTH)| /* dk_senders */
319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
326 (1<<ACL_WHERE_AUTH)| /* dk_status */
327 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
328 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
329 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
330 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
331 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
335 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
338 ~(1<<ACL_WHERE_RCPT), /* domains */
340 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
345 (1<<ACL_WHERE_NOTSMTP), /* hosts */
348 ~(1<<ACL_WHERE_RCPT), /* local_parts */
354 #ifdef WITH_CONTENT_SCAN
356 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
361 #ifdef WITH_CONTENT_SCAN
363 ~(1<<ACL_WHERE_MIME), /* mime_regex */
367 ~(1<<ACL_WHERE_RCPT), /* recipients */
369 #ifdef WITH_CONTENT_SCAN
371 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
372 (1<<ACL_WHERE_MIME)),
375 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
377 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
378 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
379 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
381 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
383 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
384 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
385 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
389 #ifdef WITH_CONTENT_SCAN
391 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
394 #ifdef EXPERIMENTAL_SPF
395 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
397 (1<<ACL_WHERE_MAILAUTH)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
402 /* Certain types of verify are always allowed, so we let it through
403 always and check in the verify function itself */
409 /* Return values from decode_control() */
412 #ifdef EXPERIMENTAL_BRIGHTMAIL
415 #ifdef EXPERIMENTAL_DOMAINKEYS
418 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
419 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
420 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
421 #ifdef WITH_CONTENT_SCAN
422 CONTROL_NO_MBOX_UNSPOOL,
424 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
426 /* Bit map vector of which controls are not allowed at certain times. For
427 each control, there's a bitmap of dis-allowed times. For some, it is easier to
428 specify the negation of a small number of allowed times. */
430 static unsigned int control_forbids[] = {
431 #ifdef EXPERIMENTAL_BRIGHTMAIL
434 #ifdef EXPERIMENTAL_DOMAINKEYS
435 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
441 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
444 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
446 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
448 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
451 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
452 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
453 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
456 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
457 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
458 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
461 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
462 (1<<ACL_WHERE_PREDATA)),
464 #ifdef WITH_CONTENT_SCAN
466 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
467 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
468 (1<<ACL_WHERE_MIME)),
472 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
473 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
474 (1<<ACL_WHERE_MIME)),
476 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
479 /* Structure listing various control arguments, with their characteristics. */
481 typedef struct control_def {
483 int value; /* CONTROL_xxx value */
484 BOOL has_option; /* Has /option(s) following */
487 static control_def controls_list[] = {
488 #ifdef EXPERIMENTAL_BRIGHTMAIL
489 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
491 #ifdef EXPERIMENTAL_DOMAINKEYS
492 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
494 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
495 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
496 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
497 { US"freeze", CONTROL_FREEZE, FALSE},
498 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
499 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
500 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
501 #ifdef WITH_CONTENT_SCAN
502 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
504 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
505 { US"submission", CONTROL_SUBMISSION, TRUE}
508 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
509 caches its result in a tree to avoid repeated DNS queries. The result is an
510 integer code which is used as an index into the following tables of
511 explanatory strings and verification return codes. */
513 static tree_node *csa_cache = NULL;
515 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
516 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
518 /* The acl_verify_csa() return code is translated into an acl_verify() return
519 code using the following table. It is OK unless the client is definitely not
520 authorized. This is because CSA is supposed to be optional for sending sites,
521 so recipients should not be too strict about checking it - especially because
522 DNS problems are quite likely to occur. It's possible to use $csa_status in
523 further ACL conditions to distinguish ok, unknown, and defer if required, but
524 the aim is to make the usual configuration simple. */
526 static int csa_return_code[] = {
528 FAIL, FAIL, FAIL, FAIL
531 static uschar *csa_status_string[] = {
532 US"unknown", US"ok", US"defer", US"defer",
533 US"fail", US"fail", US"fail", US"fail"
536 static uschar *csa_reason_string[] = {
539 US"deferred (SRV lookup failed)",
540 US"deferred (target address lookup failed)",
541 US"failed (explicit authorization required)",
542 US"failed (host name not authorized)",
543 US"failed (no authorized addresses)",
544 US"failed (client address mismatch)"
547 /* Enable recursion between acl_check_internal() and acl_check_condition() */
549 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
553 /*************************************************
554 * Pick out name from list *
555 *************************************************/
557 /* Use a binary chop method
564 Returns: offset in list, or -1 if not found
568 acl_checkname(uschar *name, uschar **list, int end)
574 int mid = (start + end)/2;
575 int c = Ustrcmp(name, list[mid]);
576 if (c == 0) return mid;
577 if (c < 0) end = mid; else start = mid + 1;
584 /*************************************************
585 * Read and parse one ACL *
586 *************************************************/
588 /* This function is called both from readconf in order to parse the ACLs in the
589 configuration file, and also when an ACL is encountered dynamically (e.g. as
590 the result of an expansion). It is given a function to call in order to
591 retrieve the lines of the ACL. This function handles skipping comments and
592 blank lines (where relevant).
595 func function to get next line of ACL
596 error where to put an error message
598 Returns: pointer to ACL, or NULL
599 NULL can be legal (empty ACL); in this case error will be NULL
603 acl_read(uschar *(*func)(void), uschar **error)
605 acl_block *yield = NULL;
606 acl_block **lastp = &yield;
607 acl_block *this = NULL;
608 acl_condition_block *cond;
609 acl_condition_block **condp = NULL;
614 while ((s = (*func)()) != NULL)
617 BOOL negated = FALSE;
618 uschar *saveline = s;
621 /* Conditions (but not verbs) are allowed to be negated by an initial
624 while (isspace(*s)) s++;
631 /* Read the name of a verb or a condition, or the start of a new ACL, which
632 can be started by a name, or by a macro definition. */
634 s = readconf_readname(name, sizeof(name), s);
635 if (*s == ':' || isupper(name[0] && *s == '=')) return yield;
637 /* If a verb is unrecognized, it may be another condition or modifier that
638 continues the previous verb. */
640 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
645 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
656 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
659 this = store_get(sizeof(acl_block));
661 lastp = &(this->next);
664 this->condition = NULL;
665 condp = &(this->condition);
666 if (*s == 0) continue; /* No condition on this line */
672 s = readconf_readname(name, sizeof(name), s); /* Condition name */
675 /* Handle a condition or modifier. */
677 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
680 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
685 /* The modifiers may not be negated */
687 if (negated && cond_modifiers[c])
689 *error = string_sprintf("ACL error: negation is not allowed with "
690 "\"%s\"", conditions[c]);
694 /* ENDPASS may occur only with ACCEPT or DISCARD. */
696 if (c == ACLC_ENDPASS &&
697 this->verb != ACL_ACCEPT &&
698 this->verb != ACL_DISCARD)
700 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
701 conditions[c], verbs[this->verb]);
705 cond = store_get(sizeof(acl_condition_block));
708 cond->u.negated = negated;
711 condp = &(cond->next);
713 /* The "set" modifier is different in that its argument is "name=value"
714 rather than just a value, and we can check the validity of the name, which
715 gives us a variable number to insert into the data block. */
719 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
720 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
722 *error = string_sprintf("unrecognized name after \"set\" in ACL "
723 "modifier \"set %s\"", s);
727 cond->u.varnumber = s[5] - '0';
728 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
730 while (isspace(*s)) s++;
733 /* For "set", we are now positioned for the data. For the others, only
734 "endpass" has no data */
736 if (c != ACLC_ENDPASS)
740 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
741 cond_modifiers[c]? US"modifier" : US"condition");
744 while (isspace(*s)) s++;
745 cond->arg = string_copy(s);
754 /*************************************************
756 *************************************************/
758 /* This function is called when a WARN verb's conditions are true. It adds to
759 the message's headers, and/or writes information to the log. In each case, this
760 only happens once (per message for headers, per connection for log).
763 where ACL_WHERE_xxxx indicating which ACL this is
764 user_message message for adding to headers
765 log_message message for logging, if different
771 acl_warn(int where, uschar *user_message, uschar *log_message)
775 if (log_message != NULL && log_message != user_message)
780 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
781 string_printing(log_message));
783 /* If a sender verification has failed, and the log message is "sender verify
784 failed", add the failure message. */
786 if (sender_verified_failed != NULL &&
787 sender_verified_failed->message != NULL &&
788 strcmpic(log_message, US"sender verify failed") == 0)
789 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
791 /* Search previously logged warnings. They are kept in malloc store so they
792 can be freed at the start of a new message. */
794 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
795 if (Ustrcmp(logged->text, text) == 0) break;
799 int length = Ustrlen(text) + 1;
800 log_write(0, LOG_MAIN, "%s", text);
801 logged = store_malloc(sizeof(string_item) + length);
802 logged->text = (uschar *)logged + sizeof(string_item);
803 memcpy(logged->text, text, length);
804 logged->next = acl_warn_logged;
805 acl_warn_logged = logged;
809 /* If there's no user message, we are done. */
811 if (user_message == NULL) return;
813 /* If this isn't a message ACL, we can't do anything with a user message.
816 if (where > ACL_WHERE_NOTSMTP)
818 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
819 "found in a non-message (%s) ACL: cannot specify header lines here: "
820 "message ignored", acl_wherenames[where]);
824 /* Treat the user message as a sequence of one or more header lines. */
826 hlen = Ustrlen(user_message);
829 uschar *text, *p, *q;
831 /* Add a final newline if not present */
833 text = ((user_message)[hlen-1] == '\n')? user_message :
834 string_sprintf("%s\n", user_message);
836 /* Loop for multiple header lines, taking care about continuations */
838 for (p = q = text; *p != 0; )
841 int newtype = htype_add_bot;
842 header_line **hptr = &acl_warn_headers;
844 /* Find next header line within the string */
848 q = Ustrchr(q, '\n');
849 if (*(++q) != ' ' && *q != '\t') break;
852 /* If the line starts with a colon, interpret the instruction for where to
853 add it. This temporarily sets up a new type. */
857 if (strncmpic(p, US":after_received:", 16) == 0)
859 newtype = htype_add_rec;
862 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
864 newtype = htype_add_rfc;
867 else if (strncmpic(p, US":at_start:", 10) == 0)
869 newtype = htype_add_top;
872 else if (strncmpic(p, US":at_end:", 8) == 0)
874 newtype = htype_add_bot;
877 while (*p == ' ' || *p == '\t') p++;
880 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
881 to the front of it. */
883 for (s = p; s < q - 1; s++)
885 if (*s == ':' || !isgraph(*s)) break;
888 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
891 /* See if this line has already been added */
893 while (*hptr != NULL)
895 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
896 hptr = &((*hptr)->next);
899 /* Add if not previously present */
903 header_line *h = store_get(sizeof(header_line));
912 /* Advance for next header line within the string */
921 /*************************************************
922 * Verify and check reverse DNS *
923 *************************************************/
925 /* Called from acl_verify() below. We look up the host name(s) of the client IP
926 address if this has not yet been done. The host_name_lookup() function checks
927 that one of these names resolves to an address list that contains the client IP
928 address, so we don't actually have to do the check here.
931 user_msgptr pointer for user message
932 log_msgptr pointer for log message
934 Returns: OK verification condition succeeded
935 FAIL verification failed
936 DEFER there was a problem verifying
940 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
944 user_msgptr = user_msgptr; /* stop compiler warning */
946 /* Previous success */
948 if (sender_host_name != NULL) return OK;
950 /* Previous failure */
952 if (host_lookup_failed)
954 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
958 /* Need to do a lookup */
961 debug_printf("looking up host name to force name/address consistency check\n");
963 if ((rc = host_name_lookup()) != OK)
965 *log_msgptr = (rc == DEFER)?
966 US"host lookup deferred for reverse lookup check"
968 string_sprintf("host lookup failed for reverse lookup check%s",
970 return rc; /* DEFER or FAIL */
973 host_build_sender_fullhost();
979 /*************************************************
980 * Check client IP address matches CSA target *
981 *************************************************/
983 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
984 response for address records belonging to the CSA target hostname. The section
985 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
986 If one of the addresses matches the client's IP address, then the client is
987 authorized by CSA. If there are target IP addresses but none of them match
988 then the client is using an unauthorized IP address. If there are no target IP
989 addresses then the client cannot be using an authorized IP address. (This is
990 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
993 dnsa the DNS answer block
994 dnss a DNS scan block for us to use
995 reset option specifing what portion to scan, as described above
996 target the target hostname to use for matching RR names
998 Returns: CSA_OK successfully authorized
999 CSA_FAIL_MISMATCH addresses found but none matched
1000 CSA_FAIL_NOADDR no target addresses found
1004 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1010 BOOL target_found = FALSE;
1012 for (rr = dns_next_rr(dnsa, dnss, reset);
1014 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1016 /* Check this is an address RR for the target hostname. */
1020 && rr->type != T_AAAA
1027 if (strcmpic(target, rr->name) != 0) continue;
1029 target_found = TRUE;
1031 /* Turn the target address RR into a list of textual IP addresses and scan
1032 the list. There may be more than one if it is an A6 RR. */
1034 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1036 /* If the client IP address matches the target IP address, it's good! */
1038 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1040 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1044 /* If we found some target addresses but none of them matched, the client is
1045 using an unauthorized IP address, otherwise the target has no authorized IP
1048 if (target_found) return CSA_FAIL_MISMATCH;
1049 else return CSA_FAIL_NOADDR;
1054 /*************************************************
1055 * Verify Client SMTP Authorization *
1056 *************************************************/
1058 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1059 to find the CSA SRV record corresponding to the domain argument, or
1060 $sender_helo_name if no argument is provided. It then checks that the
1061 client is authorized, and that its IP address corresponds to the SRV
1062 target's address by calling acl_verify_csa_address() above. The address
1063 should have been returned in the DNS response's ADDITIONAL section, but if
1064 not we perform another DNS lookup to get it.
1067 domain pointer to optional parameter following verify = csa
1069 Returns: CSA_UNKNOWN no valid CSA record found
1070 CSA_OK successfully authorized
1071 CSA_FAIL_* client is definitely not authorized
1072 CSA_DEFER_* there was a DNS problem
1076 acl_verify_csa(uschar *domain)
1080 int priority, weight, port;
1087 /* Work out the domain we are using for the CSA lookup. The default is the
1088 client's HELO domain. If the client has not said HELO, use its IP address
1089 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1091 while (isspace(*domain) && *domain != '\0') ++domain;
1092 if (*domain == '\0') domain = sender_helo_name;
1093 if (domain == NULL) domain = sender_host_address;
1094 if (sender_host_address == NULL) return CSA_UNKNOWN;
1096 /* If we have an address literal, strip off the framing ready for turning it
1097 into a domain. The framing consists of matched square brackets possibly
1098 containing a keyword and a colon before the actual IP address. */
1100 if (domain[0] == '[')
1102 uschar *start = Ustrchr(domain, ':');
1103 if (start == NULL) start = domain;
1104 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1107 /* Turn domains that look like bare IP addresses into domains in the reverse
1108 DNS. This code also deals with address literals and $sender_host_address. It's
1109 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1110 address literals, but it's probably the most friendly thing to do. This is an
1111 extension to CSA, so we allow it to be turned off for proper conformance. */
1113 if (string_is_ip_address(domain, NULL))
1115 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1116 dns_build_reverse(domain, target);
1120 /* Find out if we've already done the CSA check for this domain. If we have,
1121 return the same result again. Otherwise build a new cached result structure
1122 for this domain. The name is filled in now, and the value is filled in when
1123 we return from this function. */
1125 t = tree_search(csa_cache, domain);
1126 if (t != NULL) return t->data.val;
1128 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1129 Ustrcpy(t->name, domain);
1130 (void)tree_insertnode(&csa_cache, t);
1132 /* Now we are ready to do the actual DNS lookup(s). */
1134 switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1136 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1139 return t->data.val = CSA_DEFER_SRV;
1141 /* If we found nothing, the client's authorization is unknown. */
1145 return t->data.val = CSA_UNKNOWN;
1147 /* We got something! Go on to look at the reply in more detail. */
1153 /* Scan the reply for well-formed CSA SRV records. */
1155 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1157 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1159 if (rr->type != T_SRV) continue;
1161 /* Extract the numerical SRV fields (p is incremented) */
1164 GETSHORT(priority, p);
1165 GETSHORT(weight, p);
1169 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1171 /* Check the CSA version number */
1173 if (priority != 1) continue;
1175 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1176 found by dns_special_lookup() is a parent of the one we asked for), we check
1177 the subdomain assertions in the port field. At the moment there's only one
1178 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1179 SRV records of their own. */
1181 if (found != domain)
1184 return t->data.val = CSA_FAIL_EXPLICIT;
1186 return t->data.val = CSA_UNKNOWN;
1189 /* This CSA SRV record refers directly to our domain, so we check the value
1190 in the weight field to work out the domain's authorization. 0 and 1 are
1191 unauthorized; 3 means the client is authorized but we can't check the IP
1192 address in order to authenticate it, so we treat it as unknown; values
1193 greater than 3 are undefined. */
1195 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1197 if (weight > 2) continue;
1199 /* Weight == 2, which means the domain is authorized. We must check that the
1200 client's IP address is listed as one of the SRV target addresses. Save the
1201 target hostname then break to scan the additional data for its addresses. */
1203 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1204 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1206 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1211 /* If we didn't break the loop then no appropriate records were found. */
1213 if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1215 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1216 A target of "." indicates there are no valid addresses, so the client cannot
1217 be authorized. (This is an odd configuration because weight=2 target=. is
1218 equivalent to weight=1, but we check for it in order to keep load off the
1219 root name servers.) Note that dn_expand() turns "." into "". */
1221 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1223 /* Scan the additional section of the CSA SRV reply for addresses belonging
1224 to the target. If the name server didn't return any additional data (e.g.
1225 because it does not fully support SRV records), we need to do another lookup
1226 to obtain the target addresses; otherwise we have a definitive result. */
1228 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1229 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1231 /* The DNS lookup type corresponds to the IP version used by the client. */
1234 if (Ustrchr(sender_host_address, ':') != NULL)
1237 #endif /* HAVE_IPV6 */
1241 #if HAVE_IPV6 && defined(SUPPORT_A6)
1245 switch (dns_lookup(&dnsa, target, type, NULL))
1247 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1250 return t->data.val = CSA_DEFER_ADDR;
1252 /* If the query succeeded, scan the addresses and return the result. */
1255 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1256 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1257 /* else fall through */
1259 /* If the target has no IP addresses, the client cannot have an authorized
1260 IP address. However, if the target site uses A6 records (not AAAA records)
1261 we have to do yet another lookup in order to check them. */
1266 #if HAVE_IPV6 && defined(SUPPORT_A6)
1267 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1270 return t->data.val = CSA_FAIL_NOADDR;
1276 /*************************************************
1277 * Handle verification (address & other) *
1278 *************************************************/
1280 /* This function implements the "verify" condition. It is called when
1281 encountered in any ACL, because some tests are almost always permitted. Some
1282 just don't make sense, and always fail (for example, an attempt to test a host
1283 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1286 where where called from
1287 addr the recipient address that the ACL is handling, or NULL
1288 arg the argument of "verify"
1289 user_msgptr pointer for user message
1290 log_msgptr pointer for log message
1291 basic_errno where to put verify errno
1293 Returns: OK verification condition succeeded
1294 FAIL verification failed
1295 DEFER there was a problem verifying
1300 acl_verify(int where, address_item *addr, uschar *arg,
1301 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1305 int callout_overall = -1;
1306 int callout_connect = -1;
1307 int verify_options = 0;
1309 BOOL verify_header_sender = FALSE;
1310 BOOL defer_ok = FALSE;
1311 BOOL callout_defer_ok = FALSE;
1312 BOOL no_details = FALSE;
1313 address_item *sender_vaddr = NULL;
1314 uschar *verify_sender_address = NULL;
1315 uschar *pm_mailfrom = NULL;
1316 uschar *se_mailfrom = NULL;
1318 /* Some of the verify items have slash-separated options; some do not. Diagnose
1319 an error if options are given for items that don't expect them. This code has
1320 now got very message. Refactoring to use a table would be a good idea one day.
1323 uschar *slash = Ustrchr(arg, '/');
1325 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1327 if (ss == NULL) goto BAD_VERIFY;
1329 /* Handle name/address consistency verification in a separate function. */
1331 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1333 if (slash != NULL) goto NO_OPTIONS;
1334 if (sender_host_address == NULL) return OK;
1335 return acl_verify_reverse(user_msgptr, log_msgptr);
1338 /* TLS certificate verification is done at STARTTLS time; here we just
1339 test whether it was successful or not. (This is for optional verification; for
1340 mandatory verification, the connection doesn't last this long.) */
1342 if (strcmpic(ss, US"certificate") == 0)
1344 if (slash != NULL) goto NO_OPTIONS;
1345 if (tls_certificate_verified) return OK;
1346 *user_msgptr = US"no verified certificate";
1350 /* We can test the result of optional HELO verification */
1352 if (strcmpic(ss, US"helo") == 0)
1354 if (slash != NULL) goto NO_OPTIONS;
1355 return helo_verified? OK : FAIL;
1358 /* Do Client SMTP Authorization checks in a separate function, and turn the
1359 result code into user-friendly strings. */
1361 if (strcmpic(ss, US"csa") == 0)
1363 rc = acl_verify_csa(list);
1364 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1365 csa_reason_string[rc]);
1366 csa_status = csa_status_string[rc];
1367 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1368 return csa_return_code[rc];
1371 /* Check that all relevant header lines have the correct syntax. If there is
1372 a syntax error, we return details of the error to the sender if configured to
1373 send out full details. (But a "message" setting on the ACL can override, as
1376 if (strcmpic(ss, US"header_syntax") == 0)
1378 if (slash != NULL) goto NO_OPTIONS;
1379 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1381 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1382 "(only possible in ACL for DATA)", acl_wherenames[where]);
1385 rc = verify_check_headers(log_msgptr);
1386 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1387 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1392 /* The remaining verification tests check recipient and sender addresses,
1393 either from the envelope or from the header. There are a number of
1394 slash-separated options that are common to all of them. */
1397 /* Check that there is at least one verifiable sender address in the relevant
1398 header lines. This can be followed by callout and defer options, just like
1399 sender and recipient. */
1401 if (strcmpic(ss, US"header_sender") == 0)
1403 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1405 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1406 "(only possible in ACL for DATA)", acl_wherenames[where]);
1409 verify_header_sender = TRUE;
1412 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1413 In the case of a sender, this can optionally be followed by an address to use
1414 in place of the actual sender (rare special-case requirement). */
1416 else if (strncmpic(ss, US"sender", 6) == 0)
1419 if (where > ACL_WHERE_NOTSMTP)
1421 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1422 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1423 acl_wherenames[where]);
1427 verify_sender_address = sender_address;
1430 while (isspace(*s)) s++;
1431 if (*s++ != '=') goto BAD_VERIFY;
1432 while (isspace(*s)) s++;
1433 verify_sender_address = string_copy(s);
1438 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1441 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1442 "(only possible for RCPT)", acl_wherenames[where]);
1447 /* Remaining items are optional; they apply to sender and recipient
1448 verification, including "header sender" verification. */
1450 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1453 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1454 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1456 /* These two old options are left for backwards compatibility */
1458 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1460 callout_defer_ok = TRUE;
1461 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1464 else if (strcmpic(ss, US"check_postmaster") == 0)
1467 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1470 /* The callout option has a number of sub-options, comma separated */
1472 else if (strncmpic(ss, US"callout", 7) == 0)
1474 callout = CALLOUT_TIMEOUT_DEFAULT;
1478 while (isspace(*ss)) ss++;
1484 while (isspace(*ss)) ss++;
1486 /* This callout option handling code has become a mess as new options
1487 have been added in an ad hoc manner. It should be tidied up into some
1488 kind of table-driven thing. */
1490 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1493 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1494 else if (strcmpic(opt, US"no_cache") == 0)
1495 verify_options |= vopt_callout_no_cache;
1496 else if (strcmpic(opt, US"random") == 0)
1497 verify_options |= vopt_callout_random;
1498 else if (strcmpic(opt, US"use_sender") == 0)
1499 verify_options |= vopt_callout_recipsender;
1500 else if (strcmpic(opt, US"use_postmaster") == 0)
1501 verify_options |= vopt_callout_recippmaster;
1502 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1504 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1506 if (!verify_header_sender)
1508 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1509 "callout option only for verify=header_sender (detected in ACL "
1510 "condition \"%s\")", arg);
1514 while (isspace(*opt)) opt++;
1517 *log_msgptr = string_sprintf("'=' expected after "
1518 "\"mailfrom\" in ACL condition \"%s\"", arg);
1521 while (isspace(*opt)) opt++;
1522 se_mailfrom = string_copy(opt);
1525 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1528 while (isspace(*opt)) opt++;
1531 *log_msgptr = string_sprintf("'=' expected after "
1532 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1535 while (isspace(*opt)) opt++;
1536 pm_mailfrom = string_copy(opt);
1539 else if (strncmpic(opt, US"maxwait", 7) == 0)
1542 while (isspace(*opt)) opt++;
1545 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1546 "ACL condition \"%s\"", arg);
1549 while (isspace(*opt)) opt++;
1550 callout_overall = readconf_readtime(opt, 0, FALSE);
1551 if (callout_overall < 0)
1553 *log_msgptr = string_sprintf("bad time value in ACL condition "
1554 "\"verify %s\"", arg);
1558 else if (strncmpic(opt, US"connect", 7) == 0)
1561 while (isspace(*opt)) opt++;
1564 *log_msgptr = string_sprintf("'=' expected after "
1565 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1568 while (isspace(*opt)) opt++;
1569 callout_connect = readconf_readtime(opt, 0, FALSE);
1570 if (callout_connect < 0)
1572 *log_msgptr = string_sprintf("bad time value in ACL condition "
1573 "\"verify %s\"", arg);
1577 else /* Plain time is callout connect/command timeout */
1579 callout = readconf_readtime(opt, 0, FALSE);
1582 *log_msgptr = string_sprintf("bad time value in ACL condition "
1583 "\"verify %s\"", arg);
1591 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1592 "ACL condition \"%s\"", arg);
1598 /* Option not recognized */
1602 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1603 "condition \"verify %s\"", ss, arg);
1608 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1609 (vopt_callout_recipsender|vopt_callout_recippmaster))
1611 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1612 "for a recipient callout";
1616 /* Handle sender-in-header verification. Default the user message to the log
1617 message if giving out verification details. */
1619 if (verify_header_sender)
1622 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1623 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1627 *basic_errno = verrno;
1628 if (smtp_return_error_details)
1630 if (*user_msgptr == NULL && *log_msgptr != NULL)
1631 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1632 if (rc == DEFER) acl_temp_details = TRUE;
1637 /* Handle a sender address. The default is to verify *the* sender address, but
1638 optionally a different address can be given, for special requirements. If the
1639 address is empty, we are dealing with a bounce message that has no sender, so
1640 we cannot do any checking. If the real sender address gets rewritten during
1641 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1642 during message reception.
1644 A list of verified "sender" addresses is kept to try to avoid doing to much
1645 work repetitively when there are multiple recipients in a message and they all
1646 require sender verification. However, when callouts are involved, it gets too
1647 complicated because different recipients may require different callout options.
1648 Therefore, we always do a full sender verify when any kind of callout is
1649 specified. Caching elsewhere, for instance in the DNS resolver and in the
1650 callout handling, should ensure that this is not terribly inefficient. */
1652 else if (verify_sender_address != NULL)
1654 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1657 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1658 "sender verify callout";
1662 sender_vaddr = verify_checked_sender(verify_sender_address);
1663 if (sender_vaddr != NULL && /* Previously checked */
1664 callout <= 0) /* No callout needed this time */
1666 /* If the "routed" flag is set, it means that routing worked before, so
1667 this check can give OK (the saved return code value, if set, belongs to a
1668 callout that was done previously). If the "routed" flag is not set, routing
1669 must have failed, so we use the saved return code. */
1671 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1673 rc = sender_vaddr->special_action;
1674 *basic_errno = sender_vaddr->basic_errno;
1676 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1679 /* Do a new verification, and cache the result. The cache is used to avoid
1680 verifying the sender multiple times for multiple RCPTs when callouts are not
1681 specified (see comments above).
1683 The cache is also used on failure to give details in response to the first
1684 RCPT that gets bounced for this reason. However, this can be suppressed by
1685 the no_details option, which sets the flag that says "this detail has already
1686 been sent". The cache normally contains just one address, but there may be
1687 more in esoteric circumstances. */
1692 uschar *save_address_data = deliver_address_data;
1694 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1695 if (no_details) setflag(sender_vaddr, af_sverify_told);
1696 if (verify_sender_address[0] != 0)
1698 /* If this is the real sender address, save the unrewritten version
1699 for use later in receive. Otherwise, set a flag so that rewriting the
1700 sender in verify_address() does not update sender_address. */
1702 if (verify_sender_address == sender_address)
1703 sender_address_unrewritten = sender_address;
1705 verify_options |= vopt_fake_sender;
1707 /* The recipient, qualify, and expn options are never set in
1710 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1711 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1713 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1717 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1719 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1720 verify_sender_address, sender_vaddr->address);
1724 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1725 verify_sender_address);
1728 else *basic_errno = sender_vaddr->basic_errno;
1730 else rc = OK; /* Null sender */
1732 /* Cache the result code */
1734 if (routed) setflag(sender_vaddr, af_verify_routed);
1735 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1736 sender_vaddr->special_action = rc;
1737 sender_vaddr->next = sender_verified_list;
1738 sender_verified_list = sender_vaddr;
1740 /* Restore the recipient address data, which might have been clobbered by
1741 the sender verification. */
1743 deliver_address_data = save_address_data;
1746 /* Put the sender address_data value into $sender_address_data */
1748 sender_address_data = sender_vaddr->p.address_data;
1751 /* A recipient address just gets a straightforward verify; again we must handle
1752 the DEFER overrides. */
1758 /* We must use a copy of the address for verification, because it might
1762 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1763 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1764 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1766 *log_msgptr = addr2.message;
1767 *user_msgptr = (addr2.user_message != NULL)?
1768 addr2.user_message : addr2.message;
1769 *basic_errno = addr2.basic_errno;
1771 /* Make $address_data visible */
1772 deliver_address_data = addr2.p.address_data;
1775 /* We have a result from the relevant test. Handle defer overrides first. */
1777 if (rc == DEFER && (defer_ok ||
1778 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1780 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1781 defer_ok? "defer_ok" : "callout_defer_ok");
1785 /* If we've failed a sender, set up a recipient message, and point
1786 sender_verified_failed to the address item that actually failed. */
1788 if (rc != OK && verify_sender_address != NULL)
1792 *log_msgptr = *user_msgptr = US"Sender verify failed";
1794 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1796 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1800 *log_msgptr = US"Could not complete sender verify callout";
1801 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1805 sender_verified_failed = sender_vaddr;
1808 /* Verifying an address messes up the values of $domain and $local_part,
1809 so reset them before returning if this is a RCPT ACL. */
1813 deliver_domain = addr->domain;
1814 deliver_localpart = addr->local_part;
1818 /* Syntax errors in the verify argument come here. */
1821 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1822 "\"helo\", \"header_syntax\", \"header_sender\" or "
1823 "\"reverse_host_lookup\" at start of ACL condition "
1824 "\"verify %s\"", arg);
1827 /* Options supplied when not allowed come here */
1830 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1831 "(this verify item has no options)", arg);
1838 /*************************************************
1839 * Check argument for control= modifier *
1840 *************************************************/
1842 /* Called from acl_check_condition() below
1845 arg the argument string for control=
1846 pptr set to point to the terminating character
1847 where which ACL we are in
1848 log_msgptr for error messages
1850 Returns: CONTROL_xxx value
1854 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1859 for (d = controls_list;
1860 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1863 len = Ustrlen(d->name);
1864 if (Ustrncmp(d->name, arg, len) == 0) break;
1867 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1868 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1870 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1871 return CONTROL_ERROR;
1880 /*************************************************
1881 * Handle conditions/modifiers on an ACL item *
1882 *************************************************/
1884 /* Called from acl_check() below.
1888 cb ACL condition block - if NULL, result is OK
1889 where where called from
1890 addr the address being checked for RCPT, or NULL
1891 level the nesting level
1892 epp pointer to pass back TRUE if "endpass" encountered
1893 (applies only to "accept" and "discard")
1894 user_msgptr user message pointer
1895 log_msgptr log message pointer
1896 basic_errno pointer to where to put verify error
1898 Returns: OK - all conditions are met
1899 DISCARD - an "acl" condition returned DISCARD - only allowed
1900 for "accept" or "discard" verbs
1901 FAIL - at least one condition fails
1902 FAIL_DROP - an "acl" condition returned FAIL_DROP
1903 DEFER - can't tell at the moment (typically, lookup defer,
1904 but can be temporary callout problem)
1905 ERROR - ERROR from nested ACL or expansion failure or other
1910 acl_check_condition(int verb, acl_condition_block *cb, int where,
1911 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1912 uschar **log_msgptr, int *basic_errno)
1914 uschar *user_message = NULL;
1915 uschar *log_message = NULL;
1918 #ifdef WITH_CONTENT_SCAN
1922 for (; cb != NULL; cb = cb->next)
1927 /* The message and log_message items set up messages to be used in
1928 case of rejection. They are expanded later. */
1930 if (cb->type == ACLC_MESSAGE)
1932 user_message = cb->arg;
1936 if (cb->type == ACLC_LOG_MESSAGE)
1938 log_message = cb->arg;
1942 /* The endpass "condition" just sets a flag to show it occurred. This is
1943 checked at compile time to be on an "accept" or "discard" item. */
1945 if (cb->type == ACLC_ENDPASS)
1951 /* For other conditions and modifiers, the argument is expanded now for some
1952 of them, but not for all, because expansion happens down in some lower level
1953 checking functions in some cases. */
1955 if (cond_expand_at_top[cb->type])
1957 arg = expand_string(cb->arg);
1960 if (expand_string_forcedfail) continue;
1961 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1962 cb->arg, expand_string_message);
1963 return search_find_defer? DEFER : ERROR;
1968 /* Show condition, and expanded condition if it's different */
1973 debug_printf("check %s%s %n",
1974 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1975 conditions[cb->type], &lhswidth);
1977 if (cb->type == ACLC_SET)
1979 int n = cb->u.varnumber;
1980 int t = (n < ACL_C_MAX)? 'c' : 'm';
1981 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1982 debug_printf("acl_%c%d ", t, n);
1986 debug_printf("= %s\n", cb->arg);
1989 debug_printf("%.*s= %s\n", lhswidth,
1993 /* Check that this condition makes sense at this time */
1995 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1997 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1998 cond_modifiers[cb->type]? "use" : "test",
1999 conditions[cb->type], acl_wherenames[where]);
2003 /* Run the appropriate test for each condition, or take the appropriate
2004 action for the remaining modifiers. */
2008 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2012 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2013 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2015 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2016 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2022 case ACLC_AUTHENTICATED:
2023 rc = (sender_host_authenticated == NULL)? FAIL :
2024 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2028 #ifdef EXPERIMENTAL_BRIGHTMAIL
2029 case ACLC_BMI_OPTIN:
2031 int old_pool = store_pool;
2032 store_pool = POOL_PERM;
2033 bmi_current_optin = string_copy(arg);
2034 store_pool = old_pool;
2039 case ACLC_CONDITION:
2040 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2041 rc = (Uatoi(arg) == 0)? FAIL : OK;
2043 rc = (strcmpic(arg, US"no") == 0 ||
2044 strcmpic(arg, US"false") == 0)? FAIL :
2045 (strcmpic(arg, US"yes") == 0 ||
2046 strcmpic(arg, US"true") == 0)? OK : DEFER;
2048 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2052 control_type = decode_control(arg, &p, where, log_msgptr);
2054 /* Check if this control makes sense at this time */
2056 if ((control_forbids[control_type] & (1 << where)) != 0)
2058 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2059 controls[control_type], acl_wherenames[where]);
2063 switch(control_type)
2065 #ifdef EXPERIMENTAL_BRIGHTMAIL
2066 case CONTROL_BMI_RUN:
2070 #ifdef EXPERIMENTAL_DOMAINKEYS
2071 case CONTROL_DK_VERIFY:
2078 case CONTROL_CASEFUL_LOCAL_PART:
2079 deliver_localpart = addr->cc_local_part;
2082 case CONTROL_CASELOWER_LOCAL_PART:
2083 deliver_localpart = addr->lc_local_part;
2086 case CONTROL_ENFORCE_SYNC:
2087 smtp_enforce_sync = TRUE;
2090 case CONTROL_NO_ENFORCE_SYNC:
2091 smtp_enforce_sync = FALSE;
2094 #ifdef WITH_CONTENT_SCAN
2095 case CONTROL_NO_MBOX_UNSPOOL:
2096 no_mbox_unspool = TRUE;
2100 case CONTROL_NO_MULTILINE:
2101 no_multiline_responses = TRUE;
2104 case CONTROL_FAKEREJECT:
2109 while (*pp != 0) pp++;
2110 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
2115 /* Explicitly reset to default string */
2116 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
2120 case CONTROL_FREEZE:
2121 deliver_freeze = TRUE;
2122 deliver_frozen_at = time(NULL);
2125 case CONTROL_QUEUE_ONLY:
2126 queue_only_policy = TRUE;
2129 case CONTROL_SUBMISSION:
2130 submission_mode = TRUE;
2133 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2136 active_local_sender_retain = TRUE;
2137 active_local_from_check = FALSE;
2139 else if (Ustrncmp(p, "/domain=", 8) == 0)
2142 while (*pp != 0 && *pp != '/') pp++;
2143 submission_domain = string_copyn(p+8, pp-p);
2150 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2157 #ifdef WITH_CONTENT_SCAN
2159 rc = mime_decode(&arg);
2165 int delay = readconf_readtime(arg, 0, FALSE);
2168 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2169 "modifier: \"%s\" is not a time value", arg);
2174 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2179 debug_printf("delay skipped in -bh checking mode\n");
2183 while (delay > 0) delay = sleep(delay);
2189 #ifdef WITH_OLD_DEMIME
2195 #ifdef EXPERIMENTAL_DOMAINKEYS
2196 case ACLC_DK_DOMAIN_SOURCE:
2197 if (dk_verify_block == NULL) { rc = FAIL; break; };
2198 /* check header source of domain against given string */
2199 switch (dk_verify_block->address_source) {
2200 case DK_EXIM_ADDRESS_FROM_FROM:
2201 rc = match_isinlist(US"from", &arg, 0, NULL,
2202 NULL, MCL_STRING, TRUE, NULL);
2204 case DK_EXIM_ADDRESS_FROM_SENDER:
2205 rc = match_isinlist(US"sender", &arg, 0, NULL,
2206 NULL, MCL_STRING, TRUE, NULL);
2208 case DK_EXIM_ADDRESS_NONE:
2209 rc = match_isinlist(US"none", &arg, 0, NULL,
2210 NULL, MCL_STRING, TRUE, NULL);
2214 case ACLC_DK_POLICY:
2215 if (dk_verify_block == NULL) { rc = FAIL; break; };
2216 /* check policy against given string, default FAIL */
2218 if (dk_verify_block->signsall)
2219 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2220 NULL, MCL_STRING, TRUE, NULL);
2221 if (dk_verify_block->testing)
2222 rc = match_isinlist(US"testing", &arg, 0, NULL,
2223 NULL, MCL_STRING, TRUE, NULL);
2225 case ACLC_DK_SENDER_DOMAINS:
2226 if (dk_verify_block == NULL) { rc = FAIL; break; };
2227 if (dk_verify_block->domain != NULL)
2228 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2229 NULL, MCL_DOMAIN, TRUE, NULL);
2232 case ACLC_DK_SENDER_LOCAL_PARTS:
2233 if (dk_verify_block == NULL) { rc = FAIL; break; };
2234 if (dk_verify_block->local_part != NULL)
2235 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2236 NULL, MCL_LOCALPART, TRUE, NULL);
2239 case ACLC_DK_SENDERS:
2240 if (dk_verify_block == NULL) { rc = FAIL; break; };
2241 if (dk_verify_block->address != NULL)
2242 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2245 case ACLC_DK_STATUS:
2246 if (dk_verify_block == NULL) { rc = FAIL; break; };
2247 if (dk_verify_block->result > 0) {
2248 switch(dk_verify_block->result) {
2249 case DK_EXIM_RESULT_BAD_FORMAT:
2250 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2251 NULL, MCL_STRING, TRUE, NULL);
2253 case DK_EXIM_RESULT_NO_KEY:
2254 rc = match_isinlist(US"no key", &arg, 0, NULL,
2255 NULL, MCL_STRING, TRUE, NULL);
2257 case DK_EXIM_RESULT_NO_SIGNATURE:
2258 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2259 NULL, MCL_STRING, TRUE, NULL);
2261 case DK_EXIM_RESULT_REVOKED:
2262 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2263 NULL, MCL_STRING, TRUE, NULL);
2265 case DK_EXIM_RESULT_NON_PARTICIPANT:
2266 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2267 NULL, MCL_STRING, TRUE, NULL);
2269 case DK_EXIM_RESULT_GOOD:
2270 rc = match_isinlist(US"good", &arg, 0, NULL,
2271 NULL, MCL_STRING, TRUE, NULL);
2273 case DK_EXIM_RESULT_BAD:
2274 rc = match_isinlist(US"bad", &arg, 0, NULL,
2275 NULL, MCL_STRING, TRUE, NULL);
2283 rc = verify_check_dnsbl(&arg);
2287 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2288 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2291 /* The value in tls_cipher is the full cipher name, for example,
2292 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2293 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2294 what may in practice come out of the SSL library - which at the time of
2295 writing is poorly documented. */
2297 case ACLC_ENCRYPTED:
2298 if (tls_cipher == NULL) rc = FAIL; else
2300 uschar *endcipher = NULL;
2301 uschar *cipher = Ustrchr(tls_cipher, ':');
2302 if (cipher == NULL) cipher = tls_cipher; else
2304 endcipher = Ustrchr(++cipher, ':');
2305 if (endcipher != NULL) *endcipher = 0;
2307 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2308 if (endcipher != NULL) *endcipher = ':';
2312 /* Use verify_check_this_host() instead of verify_check_host() so that
2313 we can pass over &host_data to catch any looked up data. Once it has been
2314 set, it retains its value so that it's still there if another ACL verb
2315 comes through here and uses the cache. However, we must put it into
2316 permanent store in case it is also expected to be used in a subsequent
2317 message in the same SMTP connection. */
2320 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2321 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2322 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2325 case ACLC_LOCAL_PARTS:
2326 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2327 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2328 &deliver_localpart_data);
2340 if (Ustrncmp(s, "main", 4) == 0)
2341 { logbits |= LOG_MAIN; s += 4; }
2342 else if (Ustrncmp(s, "panic", 5) == 0)
2343 { logbits |= LOG_PANIC; s += 5; }
2344 else if (Ustrncmp(s, "reject", 6) == 0)
2345 { logbits |= LOG_REJECT; s += 6; }
2348 logbits = LOG_MAIN|LOG_PANIC;
2349 s = string_sprintf(":unknown log name in \"%s\" in "
2350 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2356 while (isspace(*s)) s++;
2357 if (logbits == 0) logbits = LOG_MAIN;
2358 log_write(0, logbits, "%s", string_printing(s));
2362 #ifdef WITH_CONTENT_SCAN
2365 /* Seperate the regular expression and any optional parameters. */
2366 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2367 /* Run the malware backend. */
2369 /* Modify return code based upon the existance of options. */
2370 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2372 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2374 /* FAIL so that the message is passed to the next ACL */
2381 case ACLC_MIME_REGEX:
2382 rc = mime_regex(&arg);
2386 case ACLC_RECIPIENTS:
2387 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2391 #ifdef WITH_CONTENT_SCAN
2397 case ACLC_SENDER_DOMAINS:
2400 sdomain = Ustrrchr(sender_address, '@');
2401 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2402 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2403 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2408 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2409 sender_address_cache, -1, 0, &sender_data);
2412 /* Connection variables must persist forever */
2416 int old_pool = store_pool;
2417 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2418 acl_var[cb->u.varnumber] = string_copy(arg);
2419 store_pool = old_pool;
2423 #ifdef WITH_CONTENT_SCAN
2426 /* Seperate the regular expression and any optional parameters. */
2427 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2428 /* Run the spam backend. */
2430 /* Modify return code based upon the existance of options. */
2431 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2433 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2435 /* FAIL so that the message is passed to the next ACL */
2443 #ifdef EXPERIMENTAL_SPF
2445 rc = spf_process(&arg, sender_address);
2449 /* If the verb is WARN, discard any user message from verification, because
2450 such messages are SMTP responses, not header additions. The latter come
2451 only from explicit "message" modifiers. However, put the user message into
2452 $acl_verify_message so it can be used in subsequent conditions or modifiers
2453 (until something changes it). */
2456 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2457 acl_verify_message = *user_msgptr;
2458 if (verb == ACL_WARN) *user_msgptr = NULL;
2462 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2463 "condition %d", cb->type);
2467 /* If a condition was negated, invert OK/FAIL. */
2469 if (!cond_modifiers[cb->type] && cb->u.negated)
2471 if (rc == OK) rc = FAIL;
2472 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2475 if (rc != OK) break; /* Conditions loop */
2479 /* If the result is the one for which "message" and/or "log_message" are used,
2480 handle the values of these options. Most verbs have but a single return for
2481 which the messages are relevant, but for "discard", it's useful to have the log
2482 message both when it succeeds and when it fails. Also, for an "accept" that
2483 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2484 and "warn" are permitted in that ACL, we don't need to test the verb.
2486 These modifiers act in different ways:
2488 "message" is a user message that will be included in an SMTP response. Unless
2489 it is empty, it overrides any previously set user message.
2491 "log_message" is a non-user message, and it adds to any existing non-user
2492 message that is already set.
2494 If there isn't a log message set, we make it the same as the user message. */
2496 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2497 (verb == ACL_DISCARD && rc == OK) ||
2498 (where == ACL_WHERE_QUIT))
2502 /* If the verb is "warn", messages generated by conditions (verification or
2503 nested ACLs) are discarded. Only messages specified at this level are used.
2504 However, the value of an existing message is available in $acl_verify_message
2505 during expansions. */
2507 uschar *old_user_msgptr = *user_msgptr;
2508 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2510 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2512 if (user_message != NULL)
2514 acl_verify_message = old_user_msgptr;
2515 expmessage = expand_string(user_message);
2516 if (expmessage == NULL)
2518 if (!expand_string_forcedfail)
2519 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2520 user_message, expand_string_message);
2522 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2525 if (log_message != NULL)
2527 acl_verify_message = old_log_msgptr;
2528 expmessage = expand_string(log_message);
2529 if (expmessage == NULL)
2531 if (!expand_string_forcedfail)
2532 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2533 log_message, expand_string_message);
2535 else if (expmessage[0] != 0)
2537 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2538 string_sprintf("%s: %s", expmessage, *log_msgptr);
2542 /* If no log message, default it to the user message */
2544 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2547 acl_verify_message = NULL;
2555 /*************************************************
2556 * Get line from a literal ACL *
2557 *************************************************/
2559 /* This function is passed to acl_read() in order to extract individual lines
2560 of a literal ACL, which we access via static pointers. We can destroy the
2561 contents because this is called only once (the compiled ACL is remembered).
2563 This code is intended to treat the data in the same way as lines in the main
2564 Exim configuration file. That is:
2566 . Leading spaces are ignored.
2568 . A \ at the end of a line is a continuation - trailing spaces after the \
2569 are permitted (this is because I don't believe in making invisible things
2570 significant). Leading spaces on the continued part of a line are ignored.
2572 . Physical lines starting (significantly) with # are totally ignored, and
2573 may appear within a sequence of backslash-continued lines.
2575 . Blank lines are ignored, but will end a sequence of continuations.
2578 Returns: a pointer to the next line
2582 static uschar *acl_text; /* Current pointer in the text */
2583 static uschar *acl_text_end; /* Points one past the terminating '0' */
2591 /* This loop handles leading blank lines and comments. */
2595 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2596 if (*acl_text == 0) return NULL; /* No more data */
2597 yield = acl_text; /* Potential data line */
2599 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2601 /* If we hit the end before a newline, we have the whole logical line. If
2602 it's a comment, there's no more data to be given. Otherwise, yield it. */
2604 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2606 /* After reaching a newline, end this loop if the physical line does not
2607 start with '#'. If it does, it's a comment, and the loop continues. */
2609 if (*yield != '#') break;
2612 /* This loop handles continuations. We know we have some real data, ending in
2613 newline. See if there is a continuation marker at the end (ignoring trailing
2614 white space). We know that *yield is not white space, so no need to test for
2615 cont > yield in the backwards scanning loop. */
2620 for (cont = acl_text - 1; isspace(*cont); cont--);
2622 /* If no continuation follows, we are done. Mark the end of the line and
2631 /* We have encountered a continuation. Skip over whitespace at the start of
2632 the next line, and indeed the whole of the next line or lines if they are
2637 while (*(++acl_text) == ' ' || *acl_text == '\t');
2638 if (*acl_text != '#') break;
2639 while (*(++acl_text) != 0 && *acl_text != '\n');
2642 /* We have the start of a continuation line. Move all the rest of the data
2643 to join onto the previous line, and then find its end. If the end is not a
2644 newline, we are done. Otherwise loop to look for another continuation. */
2646 memmove(cont, acl_text, acl_text_end - acl_text);
2647 acl_text_end -= acl_text - cont;
2649 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2650 if (*acl_text == 0) return yield;
2653 /* Control does not reach here */
2660 /*************************************************
2661 * Check access using an ACL *
2662 *************************************************/
2664 /* This function is called from address_check. It may recurse via
2665 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2666 passed as a string which is expanded. A forced failure implies no access check
2667 is required. If the result is a single word, it is taken as the name of an ACL
2668 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2669 text, complete with newlines, and parsed as such. In both cases, the ACL check
2670 is then run. This function uses an auxiliary function for acl_read() to call
2671 for reading individual lines of a literal ACL. This is acl_getline(), which
2672 appears immediately above.
2675 where where called from
2676 addr address item when called from RCPT; otherwise NULL
2677 s the input string; NULL is the same as an empty ACL => DENY
2678 level the nesting level
2679 user_msgptr where to put a user error (for SMTP response)
2680 log_msgptr where to put a logging message (not for SMTP response)
2682 Returns: OK access is granted
2683 DISCARD access is apparently granted...
2684 FAIL access is denied
2685 FAIL_DROP access is denied; drop the connection
2686 DEFER can't tell at the moment
2691 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2692 uschar **user_msgptr, uschar **log_msgptr)
2695 acl_block *acl = NULL;
2696 uschar *acl_name = US"inline ACL";
2699 /* Catch configuration loops */
2703 *log_msgptr = US"ACL nested too deep: possible loop";
2709 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2713 /* At top level, we expand the incoming string. At lower levels, it has already
2714 been expanded as part of condition processing. */
2718 ss = expand_string(s);
2721 if (expand_string_forcedfail) return OK;
2722 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2723 expand_string_message);
2729 while (isspace(*ss))ss++;
2731 /* If we can't find a named ACL, the default is to parse it as an inline one.
2732 (Unless it begins with a slash; non-existent files give rise to an error.) */
2736 /* Handle the case of a string that does not contain any spaces. Look for a
2737 named ACL among those read from the configuration, or a previously read file.
2738 It is possible that the pointer to the ACL is NULL if the configuration
2739 contains a name with no data. If not found, and the text begins with '/',
2740 read an ACL from a file, and save it so it can be re-used. */
2742 if (Ustrchr(ss, ' ') == NULL)
2744 tree_node *t = tree_search(acl_anchor, ss);
2747 acl = (acl_block *)(t->data.ptr);
2750 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2753 acl_name = string_sprintf("ACL \"%s\"", ss);
2754 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2757 else if (*ss == '/')
2759 struct stat statbuf;
2760 fd = Uopen(ss, O_RDONLY, 0);
2763 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2768 if (fstat(fd, &statbuf) != 0)
2770 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2775 acl_text = store_get(statbuf.st_size + 1);
2776 acl_text_end = acl_text + statbuf.st_size + 1;
2778 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2780 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2781 ss, strerror(errno));
2784 acl_text[statbuf.st_size] = 0;
2787 acl_name = string_sprintf("ACL \"%s\"", ss);
2788 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2792 /* Parse an ACL that is still in text form. If it came from a file, remember it
2793 in the ACL tree, having read it into the POOL_PERM store pool so that it
2794 persists between multiple messages. */
2798 int old_pool = store_pool;
2799 if (fd >= 0) store_pool = POOL_PERM;
2800 acl = acl_read(acl_getline, log_msgptr);
2801 store_pool = old_pool;
2802 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2805 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2806 Ustrcpy(t->name, ss);
2808 (void)tree_insertnode(&acl_anchor, t);
2812 /* Now we have an ACL to use. It's possible it may be NULL. */
2817 int basic_errno = 0;
2818 BOOL endpass_seen = FALSE;
2820 *log_msgptr = *user_msgptr = NULL;
2821 acl_temp_details = FALSE;
2823 if (where == ACL_WHERE_QUIT &&
2824 acl->verb != ACL_ACCEPT &&
2825 acl->verb != ACL_WARN)
2827 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2832 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2834 /* Clear out any search error message from a previous check before testing
2837 search_error_message = NULL;
2838 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2839 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2841 /* Handle special returns: DEFER causes a return except on a WARN verb;
2842 ERROR always causes a return. */
2847 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2848 if (basic_errno != ERRNO_CALLOUTDEFER)
2850 if (search_error_message != NULL && *search_error_message != 0)
2851 *log_msgptr = search_error_message;
2852 if (smtp_return_error_details) acl_temp_details = TRUE;
2856 acl_temp_details = TRUE;
2858 if (acl->verb != ACL_WARN) return DEFER;
2861 default: /* Paranoia */
2863 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2867 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2872 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2875 /* DISCARD and DROP can happen only from a nested ACL condition, and
2876 DISCARD can happen only for an "accept" or "discard" verb. */
2879 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2884 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2889 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2890 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2891 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2896 if (cond == OK || cond == DISCARD) return cond;
2899 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2907 acl_temp_details = TRUE;
2913 if (cond == OK) return FAIL;
2917 if (cond == OK || cond == DISCARD) return DISCARD;
2920 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2926 if (cond == OK) return FAIL_DROP;
2930 if (cond != OK) return cond;
2935 acl_warn(where, *user_msgptr, *log_msgptr);
2936 else if (cond == DEFER)
2937 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2938 "condition test deferred: %s",
2939 (*log_msgptr == NULL)? US"" : *log_msgptr));
2940 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2944 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2949 /* Pass to the next ACL item */
2954 /* We have reached the end of the ACL. This is an implicit DENY. */
2956 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2961 /*************************************************
2962 * Check access using an ACL *
2963 *************************************************/
2965 /* This is the external interface for ACL checks. It sets up an address and the
2966 expansions for $domain and $local_part when called after RCPT, then calls
2967 acl_check_internal() to do the actual work.
2970 where ACL_WHERE_xxxx indicating where called from
2971 data_string RCPT address, or SMTP command argument, or NULL
2972 s the input string; NULL is the same as an empty ACL => DENY
2973 user_msgptr where to put a user error (for SMTP response)
2974 log_msgptr where to put a logging message (not for SMTP response)
2976 Returns: OK access is granted by an ACCEPT verb
2977 DISCARD access is granted by a DISCARD verb
2978 FAIL access is denied
2979 FAIL_DROP access is denied; drop the connection
2980 DEFER can't tell at the moment
2985 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2986 uschar **log_msgptr)
2992 *user_msgptr = *log_msgptr = NULL;
2993 sender_verified_failed = NULL;
2995 if (where == ACL_WHERE_RCPT)
2997 adb = address_defaults;
2999 addr->address = data_string;
3000 if (deliver_split_address(addr) == DEFER)
3002 *log_msgptr = US"defer in percent_hack_domains check";
3005 deliver_domain = addr->domain;
3006 deliver_localpart = addr->local_part;
3011 smtp_command_argument = data_string;
3014 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3016 smtp_command_argument = deliver_domain =
3017 deliver_localpart = deliver_address_data = sender_address_data = NULL;
3019 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3020 ACL, which is really in the middle of an SMTP command. */
3024 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3026 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3027 "ACL", acl_wherenames[where]);
3033 /* A DROP response is not permitted from MAILAUTH */
3035 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3037 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3038 "ACL", acl_wherenames[where]);
3042 /* Before giving an error response, take a look at the length of any user
3043 message, and split it up into multiple lines if possible. */
3045 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
3047 uschar *s = *user_msgptr = string_copy(*user_msgptr);
3053 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
3054 if (*ss == 0) break;
3061 while (--t > s + 35)
3065 if (t[-1] == ':') { tt = t; break; }
3066 if (tt == NULL) tt = t;
3070 if (tt == NULL) /* Can't split behind - try ahead */
3075 if (*t == ' ' || *t == '\n')
3081 if (tt == NULL) break; /* Can't find anywhere to split */