1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2012 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Code for handling Access Control Lists (ACLs) */
13 /* Default callout timeout */
15 #define CALLOUT_TIMEOUT_DEFAULT 30
17 /* ACL verb codes - keep in step with the table of verbs that follows */
19 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
24 static uschar *verbs[] =
25 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 /* For each verb, the conditions for which "message" or "log_message" are used
29 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
30 "accept", the FAIL case is used only after "endpass", but that is selected in
33 static int msgcond[] = {
34 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
37 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
39 (1<<FAIL) | (1<<FAIL_DROP), /* require */
43 /* ACL condition and modifier codes - keep in step with the table that
44 follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
50 #ifdef EXPERIMENTAL_BRIGHTMAIL
56 #ifdef EXPERIMENTAL_DCC
59 #ifdef WITH_CONTENT_SCAN
63 #ifdef WITH_OLD_DEMIME
77 ACLC_LOG_REJECT_TARGET,
79 #ifdef WITH_CONTENT_SCAN
83 #ifdef WITH_CONTENT_SCAN
88 #ifdef WITH_CONTENT_SCAN
94 #ifdef WITH_CONTENT_SCAN
97 #ifdef EXPERIMENTAL_SPF
103 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
104 "message", "log_message", "log_reject_target", "logwrite", and "set" are
105 modifiers that look like conditions but always return TRUE. They are used for
106 their side effects. */
108 static uschar *conditions[] = {
112 #ifdef EXPERIMENTAL_BRIGHTMAIL
118 #ifdef EXPERIMENTAL_DCC
121 #ifdef WITH_CONTENT_SCAN
125 #ifdef WITH_OLD_DEMIME
139 US"log_reject_target",
141 #ifdef WITH_CONTENT_SCAN
145 #ifdef WITH_CONTENT_SCAN
150 #ifdef WITH_CONTENT_SCAN
153 US"sender_domains", US"senders", US"set",
154 #ifdef WITH_CONTENT_SCAN
157 #ifdef EXPERIMENTAL_SPF
164 /* Return values from decode_control(); keep in step with the table of names
168 CONTROL_AUTH_UNADVERTISED,
169 #ifdef EXPERIMENTAL_BRIGHTMAIL
178 CONTROL_CASEFUL_LOCAL_PART,
179 CONTROL_CASELOWER_LOCAL_PART,
180 CONTROL_ENFORCE_SYNC,
181 CONTROL_NO_ENFORCE_SYNC,
185 CONTROL_SUPPRESS_LOCAL_FIXUPS,
186 #ifdef WITH_CONTENT_SCAN
187 CONTROL_NO_MBOX_UNSPOOL,
191 CONTROL_NO_MULTILINE,
192 CONTROL_NO_PIPELINING,
193 CONTROL_NO_DELAY_FLUSH,
194 CONTROL_NO_CALLOUT_FLUSH
197 /* ACL control names; keep in step with the table above! This list is used for
198 turning ids into names. The actual list of recognized names is in the variable
199 control_def controls_list[] below. The fact that there are two lists is a mess
200 and should be tidied up. */
202 static uschar *controls[] = {
203 US"allow_auth_unadvertised",
204 #ifdef EXPERIMENTAL_BRIGHTMAIL
209 US"dkim_disable_verify",
213 US"caseful_local_part",
214 US"caselower_local_part",
220 US"suppress_local_fixups",
221 #ifdef WITH_CONTENT_SCAN
226 US"no_multiline_responses",
232 /* Flags to indicate for which conditions/modifiers a string expansion is done
233 at the outer level. In the other cases, expansion already occurs in the
234 checking functions. */
236 static uschar cond_expand_at_top[] = {
238 TRUE, /* add_header */
239 FALSE, /* authenticated */
240 #ifdef EXPERIMENTAL_BRIGHTMAIL
241 TRUE, /* bmi_optin */
243 TRUE, /* condition */
246 #ifdef EXPERIMENTAL_DCC
249 #ifdef WITH_CONTENT_SCAN
253 #ifdef WITH_OLD_DEMIME
257 TRUE, /* dkim_signers */
258 TRUE, /* dkim_status */
262 FALSE, /* encrypted */
265 FALSE, /* local_parts */
266 TRUE, /* log_message */
267 TRUE, /* log_reject_target */
269 #ifdef WITH_CONTENT_SCAN
273 #ifdef WITH_CONTENT_SCAN
274 TRUE, /* mime_regex */
276 TRUE, /* ratelimit */
277 FALSE, /* recipients */
278 #ifdef WITH_CONTENT_SCAN
281 FALSE, /* sender_domains */
284 #ifdef WITH_CONTENT_SCAN
287 #ifdef EXPERIMENTAL_SPF
289 TRUE, /* spf_guess */
294 /* Flags to identify the modifiers */
296 static uschar cond_modifiers[] = {
298 TRUE, /* add_header */
299 FALSE, /* authenticated */
300 #ifdef EXPERIMENTAL_BRIGHTMAIL
301 TRUE, /* bmi_optin */
303 FALSE, /* condition */
306 #ifdef EXPERIMENTAL_DCC
309 #ifdef WITH_CONTENT_SCAN
313 #ifdef WITH_OLD_DEMIME
317 FALSE, /* dkim_signers */
318 FALSE, /* dkim_status */
320 FALSE, /* dnslists */
322 FALSE, /* encrypted */
325 FALSE, /* local_parts */
326 TRUE, /* log_message */
327 TRUE, /* log_reject_target */
329 #ifdef WITH_CONTENT_SCAN
333 #ifdef WITH_CONTENT_SCAN
334 FALSE, /* mime_regex */
336 FALSE, /* ratelimit */
337 FALSE, /* recipients */
338 #ifdef WITH_CONTENT_SCAN
341 FALSE, /* sender_domains */
344 #ifdef WITH_CONTENT_SCAN
347 #ifdef EXPERIMENTAL_SPF
349 FALSE, /* spf_guess */
354 /* Bit map vector of which conditions and modifiers are not allowed at certain
355 times. For each condition and modifier, there's a bitmap of dis-allowed times.
356 For some, it is easier to specify the negation of a small number of allowed
359 static unsigned int cond_forbids[] = {
363 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
364 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
365 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
367 (1<<ACL_WHERE_NOTSMTP_START)),
369 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
370 (1<<ACL_WHERE_NOTSMTP_START)|
371 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
373 #ifdef EXPERIMENTAL_BRIGHTMAIL
374 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
378 (1<<ACL_WHERE_MAILAUTH)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
381 (1<<ACL_WHERE_NOTSMTP_START),
388 /* Certain types of control are always allowed, so we let it through
389 always and check in the control processing itself. */
393 #ifdef EXPERIMENTAL_DCC
395 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* dcc */
398 #ifdef WITH_CONTENT_SCAN
400 ~(1<<ACL_WHERE_MIME), /* decode */
403 (1<<ACL_WHERE_NOTQUIT), /* delay */
405 #ifdef WITH_OLD_DEMIME
407 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
412 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
415 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
418 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
419 (1<<ACL_WHERE_NOTSMTP_START),
422 ~(1<<ACL_WHERE_RCPT), /* domains */
424 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
425 (1<<ACL_WHERE_CONNECT)|
426 (1<<ACL_WHERE_NOTSMTP_START)|
431 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
432 (1<<ACL_WHERE_NOTSMTP_START),
435 ~(1<<ACL_WHERE_RCPT), /* local_parts */
439 0, /* log_reject_target */
443 #ifdef WITH_CONTENT_SCAN
445 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
450 #ifdef WITH_CONTENT_SCAN
452 ~(1<<ACL_WHERE_MIME), /* mime_regex */
458 ~(1<<ACL_WHERE_RCPT), /* recipients */
460 #ifdef WITH_CONTENT_SCAN
462 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
463 (1<<ACL_WHERE_MIME)),
466 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
468 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
469 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
470 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
472 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
474 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
475 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
476 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
480 #ifdef WITH_CONTENT_SCAN
482 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
485 #ifdef EXPERIMENTAL_SPF
486 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
488 (1<<ACL_WHERE_MAILAUTH)|
489 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
490 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
491 (1<<ACL_WHERE_NOTSMTP)|
492 (1<<ACL_WHERE_NOTSMTP_START),
494 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
496 (1<<ACL_WHERE_MAILAUTH)|
497 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
498 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
499 (1<<ACL_WHERE_NOTSMTP)|
500 (1<<ACL_WHERE_NOTSMTP_START),
503 /* Certain types of verify are always allowed, so we let it through
504 always and check in the verify function itself */
510 /* Bit map vector of which controls are not allowed at certain times. For
511 each control, there's a bitmap of dis-allowed times. For some, it is easier to
512 specify the negation of a small number of allowed times. */
514 static unsigned int control_forbids[] = {
516 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
518 #ifdef EXPERIMENTAL_BRIGHTMAIL
525 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
526 (1<<ACL_WHERE_NOTSMTP_START),
529 (1<<ACL_WHERE_NOTSMTP)|
530 (1<<ACL_WHERE_NOTSMTP_START)|
531 (1<<ACL_WHERE_NOTQUIT), /* dscp */
536 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
539 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
541 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
542 (1<<ACL_WHERE_NOTSMTP_START),
544 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
545 (1<<ACL_WHERE_NOTSMTP_START),
548 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
549 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
550 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
553 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
554 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
555 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
558 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
559 (1<<ACL_WHERE_PREDATA)),
562 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
563 (1<<ACL_WHERE_PREDATA)|
564 (1<<ACL_WHERE_NOTSMTP_START)),
566 #ifdef WITH_CONTENT_SCAN
568 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
569 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
570 (1<<ACL_WHERE_MIME)),
574 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
575 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
576 (1<<ACL_WHERE_MIME)),
579 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
580 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
581 (1<<ACL_WHERE_MIME)),
583 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
584 (1<<ACL_WHERE_NOTSMTP_START),
586 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
587 (1<<ACL_WHERE_NOTSMTP_START),
589 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
590 (1<<ACL_WHERE_NOTSMTP_START),
592 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
593 (1<<ACL_WHERE_NOTSMTP_START)
596 /* Structure listing various control arguments, with their characteristics. */
598 typedef struct control_def {
600 int value; /* CONTROL_xxx value */
601 BOOL has_option; /* Has /option(s) following */
604 static control_def controls_list[] = {
605 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
606 #ifdef EXPERIMENTAL_BRIGHTMAIL
607 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
609 { US"debug", CONTROL_DEBUG, TRUE },
611 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
613 { US"dscp", CONTROL_DSCP, TRUE },
614 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
615 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
616 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
617 { US"freeze", CONTROL_FREEZE, TRUE },
618 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
619 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
620 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
621 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
622 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
623 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
624 #ifdef WITH_CONTENT_SCAN
625 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
627 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
628 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
629 { US"submission", CONTROL_SUBMISSION, TRUE },
630 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
633 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
634 caches its result in a tree to avoid repeated DNS queries. The result is an
635 integer code which is used as an index into the following tables of
636 explanatory strings and verification return codes. */
638 static tree_node *csa_cache = NULL;
640 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
641 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
643 /* The acl_verify_csa() return code is translated into an acl_verify() return
644 code using the following table. It is OK unless the client is definitely not
645 authorized. This is because CSA is supposed to be optional for sending sites,
646 so recipients should not be too strict about checking it - especially because
647 DNS problems are quite likely to occur. It's possible to use $csa_status in
648 further ACL conditions to distinguish ok, unknown, and defer if required, but
649 the aim is to make the usual configuration simple. */
651 static int csa_return_code[] = {
653 FAIL, FAIL, FAIL, FAIL
656 static uschar *csa_status_string[] = {
657 US"unknown", US"ok", US"defer", US"defer",
658 US"fail", US"fail", US"fail", US"fail"
661 static uschar *csa_reason_string[] = {
664 US"deferred (SRV lookup failed)",
665 US"deferred (target address lookup failed)",
666 US"failed (explicit authorization required)",
667 US"failed (host name not authorized)",
668 US"failed (no authorized addresses)",
669 US"failed (client address mismatch)"
672 /* Options for the ratelimit condition. Note that there are two variants of
673 the per_rcpt option, depending on the ACL that is used to measure the rate.
674 However any ACL must be able to look up per_rcpt rates in /noupdate mode,
675 so the two variants must have the same internal representation as well as
676 the same configuration string. */
679 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
680 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
683 #define RATE_SET(var,new) \
684 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
686 static uschar *ratelimit_option_string[] = {
687 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
688 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
691 /* Enable recursion between acl_check_internal() and acl_check_condition() */
693 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
697 /*************************************************
698 * Pick out name from list *
699 *************************************************/
701 /* Use a binary chop method
708 Returns: offset in list, or -1 if not found
712 acl_checkname(uschar *name, uschar **list, int end)
718 int mid = (start + end)/2;
719 int c = Ustrcmp(name, list[mid]);
720 if (c == 0) return mid;
721 if (c < 0) end = mid; else start = mid + 1;
728 /*************************************************
729 * Read and parse one ACL *
730 *************************************************/
732 /* This function is called both from readconf in order to parse the ACLs in the
733 configuration file, and also when an ACL is encountered dynamically (e.g. as
734 the result of an expansion). It is given a function to call in order to
735 retrieve the lines of the ACL. This function handles skipping comments and
736 blank lines (where relevant).
739 func function to get next line of ACL
740 error where to put an error message
742 Returns: pointer to ACL, or NULL
743 NULL can be legal (empty ACL); in this case error will be NULL
747 acl_read(uschar *(*func)(void), uschar **error)
749 acl_block *yield = NULL;
750 acl_block **lastp = &yield;
751 acl_block *this = NULL;
752 acl_condition_block *cond;
753 acl_condition_block **condp = NULL;
758 while ((s = (*func)()) != NULL)
761 BOOL negated = FALSE;
762 uschar *saveline = s;
765 /* Conditions (but not verbs) are allowed to be negated by an initial
768 while (isspace(*s)) s++;
775 /* Read the name of a verb or a condition, or the start of a new ACL, which
776 can be started by a name, or by a macro definition. */
778 s = readconf_readname(name, sizeof(name), s);
779 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
781 /* If a verb is unrecognized, it may be another condition or modifier that
782 continues the previous verb. */
784 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
789 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
801 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
804 this = store_get(sizeof(acl_block));
806 lastp = &(this->next);
809 this->condition = NULL;
810 condp = &(this->condition);
811 if (*s == 0) continue; /* No condition on this line */
817 s = readconf_readname(name, sizeof(name), s); /* Condition name */
820 /* Handle a condition or modifier. */
822 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
825 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
830 /* The modifiers may not be negated */
832 if (negated && cond_modifiers[c])
834 *error = string_sprintf("ACL error: negation is not allowed with "
835 "\"%s\"", conditions[c]);
839 /* ENDPASS may occur only with ACCEPT or DISCARD. */
841 if (c == ACLC_ENDPASS &&
842 this->verb != ACL_ACCEPT &&
843 this->verb != ACL_DISCARD)
845 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
846 conditions[c], verbs[this->verb]);
850 cond = store_get(sizeof(acl_condition_block));
853 cond->u.negated = negated;
856 condp = &(cond->next);
858 /* The "set" modifier is different in that its argument is "name=value"
859 rather than just a value, and we can check the validity of the name, which
860 gives us a variable name to insert into the data block. The original ACL
861 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
862 extended to 20 of each type, but after that people successfully argued for
863 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
864 After that, we allow alphanumerics and underscores, but the first character
865 after c or m must be a digit or an underscore. This retains backwards
872 if (Ustrncmp(s, "acl_c", 5) != 0 &&
873 Ustrncmp(s, "acl_m", 5) != 0)
875 *error = string_sprintf("invalid variable name after \"set\" in ACL "
876 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
881 if (!isdigit(*endptr) && *endptr != '_')
883 *error = string_sprintf("invalid variable name after \"set\" in ACL "
884 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
889 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
891 if (!isalnum(*endptr) && *endptr != '_')
893 *error = string_sprintf("invalid character \"%c\" in variable name "
894 "in ACL modifier \"set %s\"", *endptr, s);
900 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
902 while (isspace(*s)) s++;
905 /* For "set", we are now positioned for the data. For the others, only
906 "endpass" has no data */
908 if (c != ACLC_ENDPASS)
912 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
913 cond_modifiers[c]? US"modifier" : US"condition");
916 while (isspace(*s)) s++;
917 cond->arg = string_copy(s);
926 /*************************************************
927 * Set up added header line(s) *
928 *************************************************/
930 /* This function is called by the add_header modifier, and also from acl_warn()
931 to implement the now-deprecated way of adding header lines using "message" on a
932 "warn" verb. The argument is treated as a sequence of header lines which are
933 added to a chain, provided there isn't an identical one already there.
935 Argument: string of header lines
940 setup_header(uschar *hstring)
943 int hlen = Ustrlen(hstring);
945 /* An empty string does nothing; otherwise add a final newline if necessary. */
947 if (hlen <= 0) return;
948 if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
950 /* Loop for multiple header lines, taking care about continuations */
952 for (p = q = hstring; *p != 0; )
955 int newtype = htype_add_bot;
956 header_line **hptr = &acl_added_headers;
958 /* Find next header line within the string */
962 q = Ustrchr(q, '\n');
963 if (*(++q) != ' ' && *q != '\t') break;
966 /* If the line starts with a colon, interpret the instruction for where to
967 add it. This temporarily sets up a new type. */
971 if (strncmpic(p, US":after_received:", 16) == 0)
973 newtype = htype_add_rec;
976 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
978 newtype = htype_add_rfc;
981 else if (strncmpic(p, US":at_start:", 10) == 0)
983 newtype = htype_add_top;
986 else if (strncmpic(p, US":at_end:", 8) == 0)
988 newtype = htype_add_bot;
991 while (*p == ' ' || *p == '\t') p++;
994 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
995 to the front of it. */
997 for (s = p; s < q - 1; s++)
999 if (*s == ':' || !isgraph(*s)) break;
1002 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
1005 /* See if this line has already been added */
1007 while (*hptr != NULL)
1009 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1010 hptr = &((*hptr)->next);
1013 /* Add if not previously present */
1017 header_line *h = store_get(sizeof(header_line));
1026 /* Advance for next header line within the string */
1035 /*************************************************
1037 *************************************************/
1039 /* This function is called when a WARN verb's conditions are true. It adds to
1040 the message's headers, and/or writes information to the log. In each case, this
1041 only happens once (per message for headers, per connection for log).
1043 ** NOTE: The header adding action using the "message" setting is historic, and
1044 its use is now deprecated. The new add_header modifier should be used instead.
1047 where ACL_WHERE_xxxx indicating which ACL this is
1048 user_message message for adding to headers
1049 log_message message for logging, if different
1055 acl_warn(int where, uschar *user_message, uschar *log_message)
1057 if (log_message != NULL && log_message != user_message)
1060 string_item *logged;
1062 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1063 string_printing(log_message));
1065 /* If a sender verification has failed, and the log message is "sender verify
1066 failed", add the failure message. */
1068 if (sender_verified_failed != NULL &&
1069 sender_verified_failed->message != NULL &&
1070 strcmpic(log_message, US"sender verify failed") == 0)
1071 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1073 /* Search previously logged warnings. They are kept in malloc
1074 store so they can be freed at the start of a new message. */
1076 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1077 if (Ustrcmp(logged->text, text) == 0) break;
1081 int length = Ustrlen(text) + 1;
1082 log_write(0, LOG_MAIN, "%s", text);
1083 logged = store_malloc(sizeof(string_item) + length);
1084 logged->text = (uschar *)logged + sizeof(string_item);
1085 memcpy(logged->text, text, length);
1086 logged->next = acl_warn_logged;
1087 acl_warn_logged = logged;
1091 /* If there's no user message, we are done. */
1093 if (user_message == NULL) return;
1095 /* If this isn't a message ACL, we can't do anything with a user message.
1098 if (where > ACL_WHERE_NOTSMTP)
1100 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1101 "found in a non-message (%s) ACL: cannot specify header lines here: "
1102 "message ignored", acl_wherenames[where]);
1106 /* The code for setting up header lines is now abstracted into a separate
1107 function so that it can be used for the add_header modifier as well. */
1109 setup_header(user_message);
1114 /*************************************************
1115 * Verify and check reverse DNS *
1116 *************************************************/
1118 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1119 address if this has not yet been done. The host_name_lookup() function checks
1120 that one of these names resolves to an address list that contains the client IP
1121 address, so we don't actually have to do the check here.
1124 user_msgptr pointer for user message
1125 log_msgptr pointer for log message
1127 Returns: OK verification condition succeeded
1128 FAIL verification failed
1129 DEFER there was a problem verifying
1133 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1137 user_msgptr = user_msgptr; /* stop compiler warning */
1139 /* Previous success */
1141 if (sender_host_name != NULL) return OK;
1143 /* Previous failure */
1145 if (host_lookup_failed)
1147 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1151 /* Need to do a lookup */
1154 debug_printf("looking up host name to force name/address consistency check\n");
1156 if ((rc = host_name_lookup()) != OK)
1158 *log_msgptr = (rc == DEFER)?
1159 US"host lookup deferred for reverse lookup check"
1161 string_sprintf("host lookup failed for reverse lookup check%s",
1163 return rc; /* DEFER or FAIL */
1166 host_build_sender_fullhost();
1172 /*************************************************
1173 * Check client IP address matches CSA target *
1174 *************************************************/
1176 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1177 response for address records belonging to the CSA target hostname. The section
1178 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1179 If one of the addresses matches the client's IP address, then the client is
1180 authorized by CSA. If there are target IP addresses but none of them match
1181 then the client is using an unauthorized IP address. If there are no target IP
1182 addresses then the client cannot be using an authorized IP address. (This is
1183 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1186 dnsa the DNS answer block
1187 dnss a DNS scan block for us to use
1188 reset option specifing what portion to scan, as described above
1189 target the target hostname to use for matching RR names
1191 Returns: CSA_OK successfully authorized
1192 CSA_FAIL_MISMATCH addresses found but none matched
1193 CSA_FAIL_NOADDR no target addresses found
1197 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1203 BOOL target_found = FALSE;
1205 for (rr = dns_next_rr(dnsa, dnss, reset);
1207 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1209 /* Check this is an address RR for the target hostname. */
1213 && rr->type != T_AAAA
1220 if (strcmpic(target, rr->name) != 0) continue;
1222 target_found = TRUE;
1224 /* Turn the target address RR into a list of textual IP addresses and scan
1225 the list. There may be more than one if it is an A6 RR. */
1227 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1229 /* If the client IP address matches the target IP address, it's good! */
1231 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1233 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1237 /* If we found some target addresses but none of them matched, the client is
1238 using an unauthorized IP address, otherwise the target has no authorized IP
1241 if (target_found) return CSA_FAIL_MISMATCH;
1242 else return CSA_FAIL_NOADDR;
1247 /*************************************************
1248 * Verify Client SMTP Authorization *
1249 *************************************************/
1251 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1252 to find the CSA SRV record corresponding to the domain argument, or
1253 $sender_helo_name if no argument is provided. It then checks that the
1254 client is authorized, and that its IP address corresponds to the SRV
1255 target's address by calling acl_verify_csa_address() above. The address
1256 should have been returned in the DNS response's ADDITIONAL section, but if
1257 not we perform another DNS lookup to get it.
1260 domain pointer to optional parameter following verify = csa
1262 Returns: CSA_UNKNOWN no valid CSA record found
1263 CSA_OK successfully authorized
1264 CSA_FAIL_* client is definitely not authorized
1265 CSA_DEFER_* there was a DNS problem
1269 acl_verify_csa(uschar *domain)
1273 int priority, weight, port;
1280 /* Work out the domain we are using for the CSA lookup. The default is the
1281 client's HELO domain. If the client has not said HELO, use its IP address
1282 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1284 while (isspace(*domain) && *domain != '\0') ++domain;
1285 if (*domain == '\0') domain = sender_helo_name;
1286 if (domain == NULL) domain = sender_host_address;
1287 if (sender_host_address == NULL) return CSA_UNKNOWN;
1289 /* If we have an address literal, strip off the framing ready for turning it
1290 into a domain. The framing consists of matched square brackets possibly
1291 containing a keyword and a colon before the actual IP address. */
1293 if (domain[0] == '[')
1295 uschar *start = Ustrchr(domain, ':');
1296 if (start == NULL) start = domain;
1297 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1300 /* Turn domains that look like bare IP addresses into domains in the reverse
1301 DNS. This code also deals with address literals and $sender_host_address. It's
1302 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1303 address literals, but it's probably the most friendly thing to do. This is an
1304 extension to CSA, so we allow it to be turned off for proper conformance. */
1306 if (string_is_ip_address(domain, NULL) != 0)
1308 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1309 dns_build_reverse(domain, target);
1313 /* Find out if we've already done the CSA check for this domain. If we have,
1314 return the same result again. Otherwise build a new cached result structure
1315 for this domain. The name is filled in now, and the value is filled in when
1316 we return from this function. */
1318 t = tree_search(csa_cache, domain);
1319 if (t != NULL) return t->data.val;
1321 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1322 Ustrcpy(t->name, domain);
1323 (void)tree_insertnode(&csa_cache, t);
1325 /* Now we are ready to do the actual DNS lookup(s). */
1328 switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1330 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1333 return t->data.val = CSA_DEFER_SRV;
1335 /* If we found nothing, the client's authorization is unknown. */
1339 return t->data.val = CSA_UNKNOWN;
1341 /* We got something! Go on to look at the reply in more detail. */
1347 /* Scan the reply for well-formed CSA SRV records. */
1349 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1351 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1353 if (rr->type != T_SRV) continue;
1355 /* Extract the numerical SRV fields (p is incremented) */
1358 GETSHORT(priority, p);
1359 GETSHORT(weight, p);
1363 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1365 /* Check the CSA version number */
1367 if (priority != 1) continue;
1369 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1370 found by dns_special_lookup() is a parent of the one we asked for), we check
1371 the subdomain assertions in the port field. At the moment there's only one
1372 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1373 SRV records of their own. */
1375 if (found != domain)
1378 return t->data.val = CSA_FAIL_EXPLICIT;
1380 return t->data.val = CSA_UNKNOWN;
1383 /* This CSA SRV record refers directly to our domain, so we check the value
1384 in the weight field to work out the domain's authorization. 0 and 1 are
1385 unauthorized; 3 means the client is authorized but we can't check the IP
1386 address in order to authenticate it, so we treat it as unknown; values
1387 greater than 3 are undefined. */
1389 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1391 if (weight > 2) continue;
1393 /* Weight == 2, which means the domain is authorized. We must check that the
1394 client's IP address is listed as one of the SRV target addresses. Save the
1395 target hostname then break to scan the additional data for its addresses. */
1397 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1398 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1400 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1405 /* If we didn't break the loop then no appropriate records were found. */
1407 if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1409 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1410 A target of "." indicates there are no valid addresses, so the client cannot
1411 be authorized. (This is an odd configuration because weight=2 target=. is
1412 equivalent to weight=1, but we check for it in order to keep load off the
1413 root name servers.) Note that dn_expand() turns "." into "". */
1415 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1417 /* Scan the additional section of the CSA SRV reply for addresses belonging
1418 to the target. If the name server didn't return any additional data (e.g.
1419 because it does not fully support SRV records), we need to do another lookup
1420 to obtain the target addresses; otherwise we have a definitive result. */
1422 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1423 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1425 /* The DNS lookup type corresponds to the IP version used by the client. */
1428 if (Ustrchr(sender_host_address, ':') != NULL)
1431 #endif /* HAVE_IPV6 */
1435 #if HAVE_IPV6 && defined(SUPPORT_A6)
1439 switch (dns_lookup(&dnsa, target, type, NULL))
1441 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1444 return t->data.val = CSA_DEFER_ADDR;
1446 /* If the query succeeded, scan the addresses and return the result. */
1449 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1450 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1451 /* else fall through */
1453 /* If the target has no IP addresses, the client cannot have an authorized
1454 IP address. However, if the target site uses A6 records (not AAAA records)
1455 we have to do yet another lookup in order to check them. */
1460 #if HAVE_IPV6 && defined(SUPPORT_A6)
1461 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1464 return t->data.val = CSA_FAIL_NOADDR;
1470 /*************************************************
1471 * Handle verification (address & other) *
1472 *************************************************/
1474 enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1475 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
1480 unsigned where_allowed; /* bitmap */
1481 BOOL no_options; /* Never has /option(s) following */
1482 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1484 static verify_type_t verify_type_list[] = {
1485 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, TRUE, 0 },
1486 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1487 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1488 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1489 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1490 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1491 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1492 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1493 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1495 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
1499 enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1500 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1501 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1508 BOOL has_option; /* Has =option(s) following */
1509 BOOL timeval; /* Has a time value */
1511 static callout_opt_t callout_opt_list[] = {
1512 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1513 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1514 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1515 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1516 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1517 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1518 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1519 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1520 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1521 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1522 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1523 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1528 /* This function implements the "verify" condition. It is called when
1529 encountered in any ACL, because some tests are almost always permitted. Some
1530 just don't make sense, and always fail (for example, an attempt to test a host
1531 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1534 where where called from
1535 addr the recipient address that the ACL is handling, or NULL
1536 arg the argument of "verify"
1537 user_msgptr pointer for user message
1538 log_msgptr pointer for log message
1539 basic_errno where to put verify errno
1541 Returns: OK verification condition succeeded
1542 FAIL verification failed
1543 DEFER there was a problem verifying
1548 acl_verify(int where, address_item *addr, uschar *arg,
1549 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1553 int callout_overall = -1;
1554 int callout_connect = -1;
1555 int verify_options = 0;
1557 BOOL verify_header_sender = FALSE;
1558 BOOL defer_ok = FALSE;
1559 BOOL callout_defer_ok = FALSE;
1560 BOOL no_details = FALSE;
1561 BOOL success_on_redirect = FALSE;
1562 address_item *sender_vaddr = NULL;
1563 uschar *verify_sender_address = NULL;
1564 uschar *pm_mailfrom = NULL;
1565 uschar *se_mailfrom = NULL;
1567 /* Some of the verify items have slash-separated options; some do not. Diagnose
1568 an error if options are given for items that don't expect them.
1571 uschar *slash = Ustrchr(arg, '/');
1573 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1576 if (ss == NULL) goto BAD_VERIFY;
1578 /* Handle name/address consistency verification in a separate function. */
1580 for (vp= verify_type_list;
1581 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1584 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1585 : strcmpic (ss, vp->name) == 0)
1587 if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1590 if (vp->no_options && slash != NULL)
1592 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1593 "(this verify item has no options)", arg);
1596 if (!(vp->where_allowed & (1<<where)))
1598 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1603 case VERIFY_REV_HOST_LKUP:
1604 if (sender_host_address == NULL) return OK;
1605 return acl_verify_reverse(user_msgptr, log_msgptr);
1608 /* TLS certificate verification is done at STARTTLS time; here we just
1609 test whether it was successful or not. (This is for optional verification; for
1610 mandatory verification, the connection doesn't last this long.) */
1612 if (tls_certificate_verified) return OK;
1613 *user_msgptr = US"no verified certificate";
1617 /* We can test the result of optional HELO verification that might have
1618 occurred earlier. If not, we can attempt the verification now. */
1620 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1621 return helo_verified? OK : FAIL;
1624 /* Do Client SMTP Authorization checks in a separate function, and turn the
1625 result code into user-friendly strings. */
1627 rc = acl_verify_csa(list);
1628 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1629 csa_reason_string[rc]);
1630 csa_status = csa_status_string[rc];
1631 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1632 return csa_return_code[rc];
1634 case VERIFY_HDR_SYNTAX:
1635 /* Check that all relevant header lines have the correct syntax. If there is
1636 a syntax error, we return details of the error to the sender if configured to
1637 send out full details. (But a "message" setting on the ACL can override, as
1640 rc = verify_check_headers(log_msgptr);
1641 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1642 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1645 case VERIFY_NOT_BLIND:
1646 /* Check that no recipient of this message is "blind", that is, every envelope
1647 recipient must be mentioned in either To: or Cc:. */
1649 rc = verify_check_notblind();
1652 *log_msgptr = string_sprintf("bcc recipient detected");
1653 if (smtp_return_error_details)
1654 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1658 /* The remaining verification tests check recipient and sender addresses,
1659 either from the envelope or from the header. There are a number of
1660 slash-separated options that are common to all of them. */
1662 case VERIFY_HDR_SNDR:
1663 verify_header_sender = TRUE;
1667 /* In the case of a sender, this can optionally be followed by an address to use
1668 in place of the actual sender (rare special-case requirement). */
1672 verify_sender_address = sender_address;
1675 while (isspace(*s)) s++;
1676 if (*s++ != '=') goto BAD_VERIFY;
1677 while (isspace(*s)) s++;
1678 verify_sender_address = string_copy(s);
1689 /* Remaining items are optional; they apply to sender and recipient
1690 verification, including "header sender" verification. */
1692 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1695 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1696 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1697 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1699 /* These two old options are left for backwards compatibility */
1701 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1703 callout_defer_ok = TRUE;
1704 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1707 else if (strcmpic(ss, US"check_postmaster") == 0)
1710 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1713 /* The callout option has a number of sub-options, comma separated */
1715 else if (strncmpic(ss, US"callout", 7) == 0)
1717 callout = CALLOUT_TIMEOUT_DEFAULT;
1721 while (isspace(*ss)) ss++;
1727 while (isspace(*ss)) ss++;
1729 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1733 double period = 1.0F;
1735 for (op= callout_opt_list; op->name; op++)
1736 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
1739 verify_options |= op->flag;
1742 opt += Ustrlen(op->name);
1743 while (isspace(*opt)) opt++;
1746 *log_msgptr = string_sprintf("'=' expected after "
1747 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
1750 while (isspace(*opt)) opt++;
1754 period = readconf_readtime(opt, 0, FALSE);
1757 *log_msgptr = string_sprintf("bad time value in ACL condition "
1758 "\"verify %s\"", arg);
1765 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1766 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1767 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1768 case CALLOUT_MAILFROM:
1769 if (!verify_header_sender)
1771 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1772 "callout option only for verify=header_sender (detected in ACL "
1773 "condition \"%s\")", arg);
1776 se_mailfrom = string_copy(opt);
1778 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1779 case CALLOUT_MAXWAIT: callout_overall = period; break;
1780 case CALLOUT_CONNECT: callout_connect = period; break;
1781 case CALLOUT_TIME: callout = period; break;
1787 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1788 "ACL condition \"%s\"", arg);
1794 /* Option not recognized */
1798 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1799 "condition \"verify %s\"", ss, arg);
1804 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1805 (vopt_callout_recipsender|vopt_callout_recippmaster))
1807 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1808 "for a recipient callout";
1812 /* Handle sender-in-header verification. Default the user message to the log
1813 message if giving out verification details. */
1815 if (verify_header_sender)
1818 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1819 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1823 *basic_errno = verrno;
1824 if (smtp_return_error_details)
1826 if (*user_msgptr == NULL && *log_msgptr != NULL)
1827 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1828 if (rc == DEFER) acl_temp_details = TRUE;
1833 /* Handle a sender address. The default is to verify *the* sender address, but
1834 optionally a different address can be given, for special requirements. If the
1835 address is empty, we are dealing with a bounce message that has no sender, so
1836 we cannot do any checking. If the real sender address gets rewritten during
1837 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1838 during message reception.
1840 A list of verified "sender" addresses is kept to try to avoid doing to much
1841 work repetitively when there are multiple recipients in a message and they all
1842 require sender verification. However, when callouts are involved, it gets too
1843 complicated because different recipients may require different callout options.
1844 Therefore, we always do a full sender verify when any kind of callout is
1845 specified. Caching elsewhere, for instance in the DNS resolver and in the
1846 callout handling, should ensure that this is not terribly inefficient. */
1848 else if (verify_sender_address != NULL)
1850 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1853 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1854 "sender verify callout";
1858 sender_vaddr = verify_checked_sender(verify_sender_address);
1859 if (sender_vaddr != NULL && /* Previously checked */
1860 callout <= 0) /* No callout needed this time */
1862 /* If the "routed" flag is set, it means that routing worked before, so
1863 this check can give OK (the saved return code value, if set, belongs to a
1864 callout that was done previously). If the "routed" flag is not set, routing
1865 must have failed, so we use the saved return code. */
1867 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1869 rc = sender_vaddr->special_action;
1870 *basic_errno = sender_vaddr->basic_errno;
1872 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1875 /* Do a new verification, and cache the result. The cache is used to avoid
1876 verifying the sender multiple times for multiple RCPTs when callouts are not
1877 specified (see comments above).
1879 The cache is also used on failure to give details in response to the first
1880 RCPT that gets bounced for this reason. However, this can be suppressed by
1881 the no_details option, which sets the flag that says "this detail has already
1882 been sent". The cache normally contains just one address, but there may be
1883 more in esoteric circumstances. */
1888 uschar *save_address_data = deliver_address_data;
1890 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1891 if (no_details) setflag(sender_vaddr, af_sverify_told);
1892 if (verify_sender_address[0] != 0)
1894 /* If this is the real sender address, save the unrewritten version
1895 for use later in receive. Otherwise, set a flag so that rewriting the
1896 sender in verify_address() does not update sender_address. */
1898 if (verify_sender_address == sender_address)
1899 sender_address_unrewritten = sender_address;
1901 verify_options |= vopt_fake_sender;
1903 if (success_on_redirect)
1904 verify_options |= vopt_success_on_redirect;
1906 /* The recipient, qualify, and expn options are never set in
1909 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1910 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1912 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1916 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1918 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1919 verify_sender_address, sender_vaddr->address);
1923 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1924 verify_sender_address);
1927 else *basic_errno = sender_vaddr->basic_errno;
1929 else rc = OK; /* Null sender */
1931 /* Cache the result code */
1933 if (routed) setflag(sender_vaddr, af_verify_routed);
1934 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1935 sender_vaddr->special_action = rc;
1936 sender_vaddr->next = sender_verified_list;
1937 sender_verified_list = sender_vaddr;
1939 /* Restore the recipient address data, which might have been clobbered by
1940 the sender verification. */
1942 deliver_address_data = save_address_data;
1945 /* Put the sender address_data value into $sender_address_data */
1947 sender_address_data = sender_vaddr->p.address_data;
1950 /* A recipient address just gets a straightforward verify; again we must handle
1951 the DEFER overrides. */
1957 if (success_on_redirect)
1958 verify_options |= vopt_success_on_redirect;
1960 /* We must use a copy of the address for verification, because it might
1964 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1965 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1966 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1968 *basic_errno = addr2.basic_errno;
1969 *log_msgptr = addr2.message;
1970 *user_msgptr = (addr2.user_message != NULL)?
1971 addr2.user_message : addr2.message;
1973 /* Allow details for temporary error if the address is so flagged. */
1974 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
1976 /* Make $address_data visible */
1977 deliver_address_data = addr2.p.address_data;
1980 /* We have a result from the relevant test. Handle defer overrides first. */
1982 if (rc == DEFER && (defer_ok ||
1983 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1985 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1986 defer_ok? "defer_ok" : "callout_defer_ok");
1990 /* If we've failed a sender, set up a recipient message, and point
1991 sender_verified_failed to the address item that actually failed. */
1993 if (rc != OK && verify_sender_address != NULL)
1997 *log_msgptr = *user_msgptr = US"Sender verify failed";
1999 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2001 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2005 *log_msgptr = US"Could not complete sender verify callout";
2006 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2010 sender_verified_failed = sender_vaddr;
2013 /* Verifying an address messes up the values of $domain and $local_part,
2014 so reset them before returning if this is a RCPT ACL. */
2018 deliver_domain = addr->domain;
2019 deliver_localpart = addr->local_part;
2023 /* Syntax errors in the verify argument come here. */
2026 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2027 "\"helo\", \"header_syntax\", \"header_sender\" or "
2028 "\"reverse_host_lookup\" at start of ACL condition "
2029 "\"verify %s\"", arg);
2036 /*************************************************
2037 * Check argument for control= modifier *
2038 *************************************************/
2040 /* Called from acl_check_condition() below
2043 arg the argument string for control=
2044 pptr set to point to the terminating character
2045 where which ACL we are in
2046 log_msgptr for error messages
2048 Returns: CONTROL_xxx value
2052 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2057 for (d = controls_list;
2058 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2061 len = Ustrlen(d->name);
2062 if (Ustrncmp(d->name, arg, len) == 0) break;
2065 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2066 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2068 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2069 return CONTROL_ERROR;
2079 /*************************************************
2080 * Return a ratelimit error *
2081 *************************************************/
2083 /* Called from acl_ratelimit() below
2086 log_msgptr for error messages
2087 format format string
2088 ... supplementary arguments
2089 ss ratelimit option name
2090 where ACL_WHERE_xxxx indicating which ACL this is
2096 ratelimit_error(uschar **log_msgptr, const char *format, ...)
2099 uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2100 va_start(ap, format);
2101 if (!string_vformat(buffer, sizeof(buffer), format, ap))
2102 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2103 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
2105 *log_msgptr = string_sprintf(
2106 "error in arguments to \"ratelimit\" condition: %s", buffer);
2113 /*************************************************
2114 * Handle rate limiting *
2115 *************************************************/
2117 /* Called by acl_check_condition() below to calculate the result
2118 of the ACL ratelimit condition.
2120 Note that the return value might be slightly unexpected: if the
2121 sender's rate is above the limit then the result is OK. This is
2122 similar to the dnslists condition, and is so that you can write
2123 ACL clauses like: defer ratelimit = 15 / 1h
2126 arg the option string for ratelimit=
2127 where ACL_WHERE_xxxx indicating which ACL this is
2128 log_msgptr for error messages
2130 Returns: OK - Sender's rate is above limit
2131 FAIL - Sender's rate is below limit
2132 DEFER - Problem opening ratelimit database
2133 ERROR - Syntax error in options.
2137 acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
2139 double limit, period, count;
2142 uschar *unique = NULL;
2144 BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2145 BOOL noupdate = FALSE, badacl = FALSE;
2146 int mode = RATE_PER_WHAT;
2148 tree_node **anchor, *t;
2149 open_db dbblock, *dbm;
2151 dbdata_ratelimit *dbd;
2152 dbdata_ratelimit_unique *dbdb;
2155 /* Parse the first two options and record their values in expansion
2156 variables. These variables allow the configuration to have informative
2157 error messages based on rate limits obtained from a table lookup. */
2159 /* First is the maximum number of messages per period / maximum burst
2160 size, which must be greater than or equal to zero. Zero is useful for
2161 rate measurement as opposed to rate limiting. */
2163 sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2164 if (sender_rate_limit == NULL)
2168 limit = Ustrtod(sender_rate_limit, &ss);
2169 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2170 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2171 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2173 if (limit < 0.0 || *ss != '\0')
2174 return ratelimit_error(log_msgptr,
2175 "\"%s\" is not a positive number", sender_rate_limit);
2177 /* Second is the rate measurement period / exponential smoothing time
2178 constant. This must be strictly greater than zero, because zero leads to
2179 run-time division errors. */
2181 sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2182 if (sender_rate_period == NULL) period = -1.0;
2183 else period = readconf_readtime(sender_rate_period, 0, FALSE);
2185 return ratelimit_error(log_msgptr,
2186 "\"%s\" is not a time value", sender_rate_period);
2188 /* By default we are counting one of something, but the per_rcpt,
2189 per_byte, and count options can change this. */
2193 /* Parse the other options. */
2195 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2198 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2199 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2200 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2201 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2202 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2203 else if (strcmpic(ss, US"per_conn") == 0)
2205 RATE_SET(mode, PER_CONN);
2206 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2209 else if (strcmpic(ss, US"per_mail") == 0)
2211 RATE_SET(mode, PER_MAIL);
2212 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2214 else if (strcmpic(ss, US"per_rcpt") == 0)
2216 /* If we are running in the RCPT ACL, then we'll count the recipients
2217 one by one, but if we are running when we have accumulated the whole
2218 list then we'll add them all in one batch. */
2219 if (where == ACL_WHERE_RCPT)
2220 RATE_SET(mode, PER_RCPT);
2221 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2222 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2223 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2224 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2226 else if (strcmpic(ss, US"per_byte") == 0)
2228 /* If we have not yet received the message data and there was no SIZE
2229 declaration on the MAIL comand, then it's safe to just use a value of
2230 zero and let the recorded rate decay as if nothing happened. */
2231 RATE_SET(mode, PER_MAIL);
2232 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2233 else count = message_size < 0 ? 0.0 : (double)message_size;
2235 else if (strcmpic(ss, US"per_addr") == 0)
2237 RATE_SET(mode, PER_RCPT);
2238 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
2239 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2241 else if (strncmpic(ss, US"count=", 6) == 0)
2244 count = Ustrtod(ss+6, &e);
2245 if (count < 0.0 || *e != '\0')
2246 return ratelimit_error(log_msgptr,
2247 "\"%s\" is not a positive number", ss);
2249 else if (strncmpic(ss, US"unique=", 7) == 0)
2250 unique = string_copy(ss + 7);
2251 else if (key == NULL)
2252 key = string_copy(ss);
2254 key = string_sprintf("%s/%s", key, ss);
2257 /* Sanity check. When the badacl flag is set the update mode must either
2258 be readonly (which is the default if it is omitted) or, for backwards
2259 compatibility, a combination of noupdate and strict or leaky. */
2261 if (mode == RATE_PER_CLASH)
2262 return ratelimit_error(log_msgptr, "conflicting per_* options");
2263 if (leaky + strict + readonly > 1)
2264 return ratelimit_error(log_msgptr, "conflicting update modes");
2265 if (badacl && (leaky || strict) && !noupdate)
2266 return ratelimit_error(log_msgptr,
2267 "\"%s\" must not have /leaky or /strict option in %s ACL",
2268 ratelimit_option_string[mode], acl_wherenames[where]);
2270 /* Set the default values of any unset options. In readonly mode we
2271 perform the rate computation without any increment so that its value
2272 decays to eventually allow over-limit senders through. */
2274 if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2275 if (badacl) readonly = TRUE;
2276 if (readonly) count = 0.0;
2277 if (!strict && !readonly) leaky = TRUE;
2278 if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
2280 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2281 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2282 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2283 are added to the key because they alter the meaning of the stored data. */
2286 key = (sender_host_address == NULL)? US"" : sender_host_address;
2288 key = string_sprintf("%s/%s/%s%s",
2290 ratelimit_option_string[mode],
2291 unique == NULL ? "" : "unique/",
2295 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
2297 /* See if we have already computed the rate by looking in the relevant tree.
2298 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2299 pool so that they survive across resets. In readonly mode we only remember the
2300 result for the rest of this command in case a later command changes it. After
2301 this bit of logic the code is independent of the per_* mode. */
2303 old_pool = store_pool;
2306 anchor = &ratelimiters_cmd;
2309 anchor = &ratelimiters_conn;
2310 store_pool = POOL_PERM;
2314 case RATE_PER_ALLRCPTS:
2315 anchor = &ratelimiters_mail;
2320 anchor = &ratelimiters_cmd;
2323 anchor = NULL; /* silence an "unused" complaint */
2324 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2325 "internal ACL error: unknown ratelimit mode %d", mode);
2329 t = tree_search(*anchor, key);
2333 /* The following few lines duplicate some of the code below. */
2334 rc = (dbd->rate < limit)? FAIL : OK;
2335 store_pool = old_pool;
2336 sender_rate = string_sprintf("%.1f", dbd->rate);
2338 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2342 /* We aren't using a pre-computed rate, so get a previously recorded rate
2343 from the database, which will be updated and written back if required. */
2345 dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2348 store_pool = old_pool;
2350 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2351 *log_msgptr = US"ratelimit database not available";
2354 dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2357 gettimeofday(&tv, NULL);
2361 /* Locate the basic ratelimit block inside the DB data. */
2362 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2365 /* Forget the old Bloom filter if it is too old, so that we count each
2366 repeating event once per period. We don't simply clear and re-use the old
2367 filter because we want its size to change if the limit changes. Note that
2368 we keep the dbd pointer for copying the rate into the new data block. */
2370 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2372 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2378 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2380 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2385 /* Allocate a new data block if the database lookup failed
2386 or the Bloom filter passed its age limit. */
2392 /* No Bloom filter. This basic ratelimit block is initialized below. */
2393 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2394 dbdb_size = sizeof(*dbd);
2395 dbdb = store_get(dbdb_size);
2400 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2402 /* See the long comment below for an explanation of the magic number 2.
2403 The filter has a minimum size in case the rate limit is very small;
2404 this is determined by the definition of dbdata_ratelimit_unique. */
2406 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2407 if (extra < 0) extra = 0;
2408 dbdb_size = sizeof(*dbdb) + extra;
2409 dbdb = store_get(dbdb_size);
2410 dbdb->bloom_epoch = tv.tv_sec;
2411 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2412 memset(dbdb->bloom, 0, dbdb->bloom_size);
2414 /* Preserve any basic ratelimit data (which is our longer-term memory)
2415 by copying it from the discarded block. */
2425 /* If we are counting unique events, find out if this event is new or not.
2426 If the client repeats the event during the current period then it should be
2427 counted. We skip this code in readonly mode for efficiency, because any
2428 changes to the filter will be discarded and because count is already set to
2431 if (unique != NULL && !readonly)
2433 /* We identify unique events using a Bloom filter. (You can find my
2434 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2435 With the per_addr option, an "event" is a recipient address, though the
2436 user can use the unique option to define their own events. We only count
2437 an event if we have not seen it before.
2439 We size the filter according to the rate limit, which (in leaky mode)
2440 is the limit on the population of the filter. We allow 16 bits of space
2441 per entry (see the construction code above) and we set (up to) 8 of them
2442 when inserting an element (see the loop below). The probability of a false
2443 positive (an event we have not seen before but which we fail to count) is
2447 allzero = exp(-numhash * pop / size)
2448 = exp(-0.5 * pop / limit)
2449 fpr = pow(1 - allzero, numhash)
2451 For senders at the limit the fpr is 0.06% or 1 in 1700
2452 and for senders at half the limit it is 0.0006% or 1 in 170000
2454 In strict mode the Bloom filter can fill up beyond the normal limit, in
2455 which case the false positive rate will rise. This means that the
2456 measured rate for very fast senders can bogusly drop off after a while.
2458 At twice the limit, the fpr is 2.5% or 1 in 40
2459 At four times the limit, it is 31% or 1 in 3.2
2461 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2462 decay below the limit, and if this is more than one then the Bloom filter
2463 will be discarded before the decay gets that far. The false positive rate
2464 at this threshold is 9.3% or 1 in 10.7. */
2467 unsigned n, hash, hinc;
2471 /* Instead of using eight independent hash values, we combine two values
2472 using the formula h1 + n * h2. This does not harm the Bloom filter's
2473 performance, and means the amount of hash we need is independent of the
2474 number of bits we set in the filter. */
2476 md5_start(&md5info);
2477 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2478 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2479 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2481 /* Scan the bits corresponding to this event. A zero bit means we have
2482 not seen it before. Ensure all bits are set to record this event. */
2484 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2487 for (n = 0; n < 8; n++, hash += hinc)
2489 int bit = 1 << (hash % 8);
2490 int byte = (hash / 8) % dbdb->bloom_size;
2491 if ((dbdb->bloom[byte] & bit) == 0)
2493 dbdb->bloom[byte] |= bit;
2498 /* If this event has occurred before, do not count it. */
2502 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2506 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2509 /* If there was no previous ratelimit data block for this key, initialize
2510 the new one, otherwise update the block from the database. The initial rate
2511 is what would be computed by the code below for an infinite interval. */
2515 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2517 dbd->time_stamp = tv.tv_sec;
2518 dbd->time_usec = tv.tv_usec;
2523 /* The smoothed rate is computed using an exponentially weighted moving
2524 average adjusted for variable sampling intervals. The standard EWMA for
2525 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2526 where f() is the measured value and f'() is the smoothed value.
2528 Old data decays out of the smoothed value exponentially, such that data n
2529 samples old is multiplied by a^n. The exponential decay time constant p
2530 is defined such that data p samples old is multiplied by 1/e, which means
2531 that a = exp(-1/p). We can maintain the same time constant for a variable
2532 sampling interval i by using a = exp(-i/p).
2534 The rate we are measuring is messages per period, suitable for directly
2535 comparing with the limit. The average rate between now and the previous
2536 message is period / interval, which we feed into the EWMA as the sample.
2538 It turns out that the number of messages required for the smoothed rate
2539 to reach the limit when they are sent in a burst is equal to the limit.
2540 This can be seen by analysing the value of the smoothed rate after N
2541 messages sent at even intervals. Let k = (1 - a) * p/i
2543 rate_1 = (1 - a) * p/i + a * rate_0
2545 rate_2 = k + a * rate_1
2546 = k + a * k + a^2 * rate_0
2547 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2548 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2549 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2550 = rate_0 * a^N + p/i * (1 - a^N)
2552 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2554 rate_N = p/i + (rate_0 - p/i) * a^N
2555 a^N = (rate_N - p/i) / (rate_0 - p/i)
2556 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2557 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2559 Numerical analysis of the above equation, setting the computed rate to
2560 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2561 rates, p/i, the number of messages N = limit. So limit serves as both the
2562 maximum rate measured in messages per period, and the maximum number of
2563 messages that can be sent in a fast burst. */
2565 double this_time = (double)tv.tv_sec
2566 + (double)tv.tv_usec / 1000000.0;
2567 double prev_time = (double)dbd->time_stamp
2568 + (double)dbd->time_usec / 1000000.0;
2570 /* We must avoid division by zero, and deal gracefully with the clock going
2571 backwards. If we blunder ahead when time is in reverse then the computed
2572 rate will be bogus. To be safe we clamp interval to a very small number. */
2574 double interval = this_time - prev_time <= 0.0 ? 1e-9
2575 : this_time - prev_time;
2577 double i_over_p = interval / period;
2578 double a = exp(-i_over_p);
2580 /* Combine the instantaneous rate (period / interval) with the previous rate
2581 using the smoothing factor a. In order to measure sized events, multiply the
2582 instantaneous rate by the count of bytes or recipients etc. */
2584 dbd->time_stamp = tv.tv_sec;
2585 dbd->time_usec = tv.tv_usec;
2586 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2588 /* When events are very widely spaced the computed rate tends towards zero.
2589 Although this is accurate it turns out not to be useful for our purposes,
2590 especially when the first event after a long silence is the start of a spam
2591 run. A more useful model is that the rate for an isolated event should be the
2592 size of the event per the period size, ignoring the lack of events outside
2593 the current period and regardless of where the event falls in the period. So,
2594 if the interval was so long that the calculated rate is unhelpfully small, we
2595 re-intialize the rate. In the absence of higher-rate bursts, the condition
2596 below is true if the interval is greater than the period. */
2598 if (dbd->rate < count) dbd->rate = count;
2601 /* Clients sending at the limit are considered to be over the limit.
2602 This matters for edge cases such as a limit of zero, when the client
2603 should be completely blocked. */
2605 rc = (dbd->rate < limit)? FAIL : OK;
2607 /* Update the state if the rate is low or if we are being strict. If we
2608 are in leaky mode and the sender's rate is too high, we do not update
2609 the recorded rate in order to avoid an over-aggressive sender's retry
2610 rate preventing them from getting any email through. If readonly is set,
2611 neither leaky nor strict are set, so we do not do any updates. */
2613 if ((rc == FAIL && leaky) || strict)
2615 dbfn_write(dbm, key, dbdb, dbdb_size);
2616 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2620 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
2621 readonly? "readonly mode" : "over the limit, but leaky");
2626 /* Store the result in the tree for future reference. */
2628 t = store_get(sizeof(tree_node) + Ustrlen(key));
2630 Ustrcpy(t->name, key);
2631 (void)tree_insertnode(anchor, t);
2633 /* We create the formatted version of the sender's rate very late in
2634 order to ensure that it is done using the correct storage pool. */
2636 store_pool = old_pool;
2637 sender_rate = string_sprintf("%.1f", dbd->rate);
2640 debug_printf("ratelimit computed rate %s\n", sender_rate);
2647 /*************************************************
2648 * Handle conditions/modifiers on an ACL item *
2649 *************************************************/
2651 /* Called from acl_check() below.
2655 cb ACL condition block - if NULL, result is OK
2656 where where called from
2657 addr the address being checked for RCPT, or NULL
2658 level the nesting level
2659 epp pointer to pass back TRUE if "endpass" encountered
2660 (applies only to "accept" and "discard")
2661 user_msgptr user message pointer
2662 log_msgptr log message pointer
2663 basic_errno pointer to where to put verify error
2665 Returns: OK - all conditions are met
2666 DISCARD - an "acl" condition returned DISCARD - only allowed
2667 for "accept" or "discard" verbs
2668 FAIL - at least one condition fails
2669 FAIL_DROP - an "acl" condition returned FAIL_DROP
2670 DEFER - can't tell at the moment (typically, lookup defer,
2671 but can be temporary callout problem)
2672 ERROR - ERROR from nested ACL or expansion failure or other
2677 acl_check_condition(int verb, acl_condition_block *cb, int where,
2678 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2679 uschar **log_msgptr, int *basic_errno)
2681 uschar *user_message = NULL;
2682 uschar *log_message = NULL;
2683 uschar *debug_tag = NULL;
2684 uschar *debug_opts = NULL;
2687 #ifdef WITH_CONTENT_SCAN
2691 for (; cb != NULL; cb = cb->next)
2696 /* The message and log_message items set up messages to be used in
2697 case of rejection. They are expanded later. */
2699 if (cb->type == ACLC_MESSAGE)
2701 user_message = cb->arg;
2705 if (cb->type == ACLC_LOG_MESSAGE)
2707 log_message = cb->arg;
2711 /* The endpass "condition" just sets a flag to show it occurred. This is
2712 checked at compile time to be on an "accept" or "discard" item. */
2714 if (cb->type == ACLC_ENDPASS)
2720 /* For other conditions and modifiers, the argument is expanded now for some
2721 of them, but not for all, because expansion happens down in some lower level
2722 checking functions in some cases. */
2724 if (cond_expand_at_top[cb->type])
2726 arg = expand_string(cb->arg);
2729 if (expand_string_forcedfail) continue;
2730 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2731 cb->arg, expand_string_message);
2732 return search_find_defer? DEFER : ERROR;
2737 /* Show condition, and expanded condition if it's different */
2742 debug_printf("check %s%s %n",
2743 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2744 conditions[cb->type], &lhswidth);
2746 if (cb->type == ACLC_SET)
2748 debug_printf("acl_%s ", cb->u.varname);
2749 lhswidth += 5 + Ustrlen(cb->u.varname);
2752 debug_printf("= %s\n", cb->arg);
2755 debug_printf("%.*s= %s\n", lhswidth,
2759 /* Check that this condition makes sense at this time */
2761 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2763 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2764 cond_modifiers[cb->type]? "use" : "test",
2765 conditions[cb->type], acl_wherenames[where]);
2769 /* Run the appropriate test for each condition, or take the appropriate
2770 action for the remaining modifiers. */
2774 case ACLC_ADD_HEADER:
2778 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2782 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2783 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2785 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2786 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2792 case ACLC_AUTHENTICATED:
2793 rc = (sender_host_authenticated == NULL)? FAIL :
2794 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2798 #ifdef EXPERIMENTAL_BRIGHTMAIL
2799 case ACLC_BMI_OPTIN:
2801 int old_pool = store_pool;
2802 store_pool = POOL_PERM;
2803 bmi_current_optin = string_copy(arg);
2804 store_pool = old_pool;
2809 case ACLC_CONDITION:
2810 /* The true/false parsing here should be kept in sync with that used in
2811 expand.c when dealing with ECOND_BOOL so that we don't have too many
2812 different definitions of what can be a boolean. */
2813 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2814 rc = (Uatoi(arg) == 0)? FAIL : OK;
2816 rc = (strcmpic(arg, US"no") == 0 ||
2817 strcmpic(arg, US"false") == 0)? FAIL :
2818 (strcmpic(arg, US"yes") == 0 ||
2819 strcmpic(arg, US"true") == 0)? OK : DEFER;
2821 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2824 case ACLC_CONTINUE: /* Always succeeds */
2828 control_type = decode_control(arg, &p, where, log_msgptr);
2830 /* Check if this control makes sense at this time */
2832 if ((control_forbids[control_type] & (1 << where)) != 0)
2834 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2835 controls[control_type], acl_wherenames[where]);
2839 switch(control_type)
2841 case CONTROL_AUTH_UNADVERTISED:
2842 allow_auth_unadvertised = TRUE;
2845 #ifdef EXPERIMENTAL_BRIGHTMAIL
2846 case CONTROL_BMI_RUN:
2851 #ifndef DISABLE_DKIM
2852 case CONTROL_DKIM_VERIFY:
2853 dkim_disable_verify = TRUE;
2860 int fd, af, level, optname, value;
2861 /* If we are acting on stdin, the setsockopt may fail if stdin is not
2862 a socket; we can accept that, we'll just debug-log failures anyway. */
2863 fd = fileno(smtp_in);
2864 af = ip_get_address_family(fd);
2868 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
2872 if (dscp_lookup(p+1, af, &level, &optname, &value))
2874 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
2876 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
2877 p+1, strerror(errno));
2881 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
2886 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
2892 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2900 case CONTROL_CASEFUL_LOCAL_PART:
2901 deliver_localpart = addr->cc_local_part;
2904 case CONTROL_CASELOWER_LOCAL_PART:
2905 deliver_localpart = addr->lc_local_part;
2908 case CONTROL_ENFORCE_SYNC:
2909 smtp_enforce_sync = TRUE;
2912 case CONTROL_NO_ENFORCE_SYNC:
2913 smtp_enforce_sync = FALSE;
2916 #ifdef WITH_CONTENT_SCAN
2917 case CONTROL_NO_MBOX_UNSPOOL:
2918 no_mbox_unspool = TRUE;
2922 case CONTROL_NO_MULTILINE:
2923 no_multiline_responses = TRUE;
2926 case CONTROL_NO_PIPELINING:
2927 pipelining_enable = FALSE;
2930 case CONTROL_NO_DELAY_FLUSH:
2931 disable_delay_flush = TRUE;
2934 case CONTROL_NO_CALLOUT_FLUSH:
2935 disable_callout_flush = TRUE;
2938 case CONTROL_FAKEDEFER:
2939 case CONTROL_FAKEREJECT:
2940 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
2944 while (*pp != 0) pp++;
2945 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
2950 /* Explicitly reset to default string */
2951 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
2955 case CONTROL_FREEZE:
2956 deliver_freeze = TRUE;
2957 deliver_frozen_at = time(NULL);
2958 freeze_tell = freeze_tell_config; /* Reset to configured value */
2959 if (Ustrncmp(p, "/no_tell", 8) == 0)
2966 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2971 case CONTROL_QUEUE_ONLY:
2972 queue_only_policy = TRUE;
2975 case CONTROL_SUBMISSION:
2976 originator_name = US"";
2977 submission_mode = TRUE;
2980 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2983 active_local_sender_retain = TRUE;
2984 active_local_from_check = FALSE;
2986 else if (Ustrncmp(p, "/domain=", 8) == 0)
2989 while (*pp != 0 && *pp != '/') pp++;
2990 submission_domain = string_copyn(p+8, pp-p-8);
2993 /* The name= option must be last, because it swallows the rest of
2995 else if (Ustrncmp(p, "/name=", 6) == 0)
2998 while (*pp != 0) pp++;
2999 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
3000 big_buffer, big_buffer_size));
3007 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3015 if (Ustrncmp(p, "/tag=", 5) == 0)
3018 while (*pp != '\0' && *pp != '/') pp++;
3019 debug_tag = string_copyn(p+5, pp-p-5);
3022 else if (Ustrncmp(p, "/opts=", 6) == 0)
3025 while (*pp != '\0' && *pp != '/') pp++;
3026 debug_opts = string_copyn(p+6, pp-p-6);
3030 debug_logging_activate(debug_tag, debug_opts);
3033 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3034 suppress_local_fixups = TRUE;
3039 #ifdef EXPERIMENTAL_DCC
3042 /* Seperate the regular expression and any optional parameters. */
3043 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3044 /* Run the dcc backend. */
3045 rc = dcc_process(&ss);
3046 /* Modify return code based upon the existance of options. */
3047 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3049 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3051 /* FAIL so that the message is passed to the next ACL */
3059 #ifdef WITH_CONTENT_SCAN
3061 rc = mime_decode(&arg);
3067 int delay = readconf_readtime(arg, 0, FALSE);
3070 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3071 "modifier: \"%s\" is not a time value", arg);
3076 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3081 debug_printf("delay skipped in -bh checking mode\n");
3084 /* It appears to be impossible to detect that a TCP/IP connection has
3085 gone away without reading from it. This means that we cannot shorten
3086 the delay below if the client goes away, because we cannot discover
3087 that the client has closed its end of the connection. (The connection
3088 is actually in a half-closed state, waiting for the server to close its
3089 end.) It would be nice to be able to detect this state, so that the
3090 Exim process is not held up unnecessarily. However, it seems that we
3091 can't. The poll() function does not do the right thing, and in any case
3092 it is not always available.
3094 NOTE 1: If ever this state of affairs changes, remember that we may be
3095 dealing with stdin/stdout here, in addition to TCP/IP connections.
3096 Also, delays may be specified for non-SMTP input, where smtp_out and
3097 smtp_in will be NULL. Whatever is done must work in all cases.
3099 NOTE 2: The added feature of flushing the output before a delay must
3100 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3105 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
3106 while (delay > 0) delay = sleep(delay);
3112 #ifdef WITH_OLD_DEMIME
3118 #ifndef DISABLE_DKIM
3119 case ACLC_DKIM_SIGNER:
3120 if (dkim_cur_signer != NULL)
3121 rc = match_isinlist(dkim_cur_signer,
3122 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3127 case ACLC_DKIM_STATUS:
3128 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3129 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3134 rc = verify_check_dnsbl(&arg);
3138 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3139 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3142 /* The value in tls_cipher is the full cipher name, for example,
3143 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3144 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3145 what may in practice come out of the SSL library - which at the time of
3146 writing is poorly documented. */
3148 case ACLC_ENCRYPTED:
3149 if (tls_cipher == NULL) rc = FAIL; else
3151 uschar *endcipher = NULL;
3152 uschar *cipher = Ustrchr(tls_cipher, ':');
3153 if (cipher == NULL) cipher = tls_cipher; else
3155 endcipher = Ustrchr(++cipher, ':');
3156 if (endcipher != NULL) *endcipher = 0;
3158 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3159 if (endcipher != NULL) *endcipher = ':';
3163 /* Use verify_check_this_host() instead of verify_check_host() so that
3164 we can pass over &host_data to catch any looked up data. Once it has been
3165 set, it retains its value so that it's still there if another ACL verb
3166 comes through here and uses the cache. However, we must put it into
3167 permanent store in case it is also expected to be used in a subsequent
3168 message in the same SMTP connection. */
3171 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3172 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3173 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3176 case ACLC_LOCAL_PARTS:
3177 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3178 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3179 &deliver_localpart_data);
3182 case ACLC_LOG_REJECT_TARGET:
3188 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3191 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3192 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3193 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3196 logbits |= LOG_MAIN|LOG_REJECT;
3197 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3198 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3201 log_reject_target = logbits;
3214 if (Ustrncmp(s, "main", 4) == 0)
3215 { logbits |= LOG_MAIN; s += 4; }
3216 else if (Ustrncmp(s, "panic", 5) == 0)
3217 { logbits |= LOG_PANIC; s += 5; }
3218 else if (Ustrncmp(s, "reject", 6) == 0)
3219 { logbits |= LOG_REJECT; s += 6; }
3222 logbits = LOG_MAIN|LOG_PANIC;
3223 s = string_sprintf(":unknown log name in \"%s\" in "
3224 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3230 while (isspace(*s)) s++;
3233 if (logbits == 0) logbits = LOG_MAIN;
3234 log_write(0, logbits, "%s", string_printing(s));
3238 #ifdef WITH_CONTENT_SCAN
3241 /* Separate the regular expression and any optional parameters. */
3242 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3243 /* Run the malware backend. */
3245 /* Modify return code based upon the existance of options. */
3246 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3248 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3250 /* FAIL so that the message is passed to the next ACL */
3257 case ACLC_MIME_REGEX:
3258 rc = mime_regex(&arg);
3262 case ACLC_RATELIMIT:
3263 rc = acl_ratelimit(arg, where, log_msgptr);
3266 case ACLC_RECIPIENTS:
3267 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3271 #ifdef WITH_CONTENT_SCAN
3277 case ACLC_SENDER_DOMAINS:
3280 sdomain = Ustrrchr(sender_address, '@');
3281 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3282 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3283 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3288 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3289 sender_address_cache, -1, 0, &sender_data);
3292 /* Connection variables must persist forever */
3296 int old_pool = store_pool;
3297 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3298 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
3299 store_pool = old_pool;
3303 #ifdef WITH_CONTENT_SCAN
3306 /* Seperate the regular expression and any optional parameters. */
3307 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3308 /* Run the spam backend. */
3310 /* Modify return code based upon the existance of options. */
3311 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3313 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3315 /* FAIL so that the message is passed to the next ACL */
3323 #ifdef EXPERIMENTAL_SPF
3325 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3327 case ACLC_SPF_GUESS:
3328 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
3332 /* If the verb is WARN, discard any user message from verification, because
3333 such messages are SMTP responses, not header additions. The latter come
3334 only from explicit "message" modifiers. However, put the user message into
3335 $acl_verify_message so it can be used in subsequent conditions or modifiers
3336 (until something changes it). */
3339 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
3340 acl_verify_message = *user_msgptr;
3341 if (verb == ACL_WARN) *user_msgptr = NULL;
3345 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3346 "condition %d", cb->type);
3350 /* If a condition was negated, invert OK/FAIL. */
3352 if (!cond_modifiers[cb->type] && cb->u.negated)
3354 if (rc == OK) rc = FAIL;
3355 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3358 if (rc != OK) break; /* Conditions loop */
3362 /* If the result is the one for which "message" and/or "log_message" are used,
3363 handle the values of these modifiers. If there isn't a log message set, we make
3364 it the same as the user message.
3366 "message" is a user message that will be included in an SMTP response. Unless
3367 it is empty, it overrides any previously set user message.
3369 "log_message" is a non-user message, and it adds to any existing non-user
3370 message that is already set.
3372 Most verbs have but a single return for which the messages are relevant, but
3373 for "discard", it's useful to have the log message both when it succeeds and
3374 when it fails. For "accept", the message is used in the OK case if there is no
3375 "endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3378 if (*epp && rc == OK) user_message = NULL;
3380 if (((1<<rc) & msgcond[verb]) != 0)
3383 uschar *old_user_msgptr = *user_msgptr;
3384 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
3386 /* If the verb is "warn", messages generated by conditions (verification or
3387 nested ACLs) are always discarded. This also happens for acceptance verbs
3388 when they actually do accept. Only messages specified at this level are used.
3389 However, the value of an existing message is available in $acl_verify_message
3390 during expansions. */
3392 if (verb == ACL_WARN ||
3393 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3394 *log_msgptr = *user_msgptr = NULL;
3396 if (user_message != NULL)
3398 acl_verify_message = old_user_msgptr;
3399 expmessage = expand_string(user_message);
3400 if (expmessage == NULL)
3402 if (!expand_string_forcedfail)
3403 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3404 user_message, expand_string_message);
3406 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3409 if (log_message != NULL)
3411 acl_verify_message = old_log_msgptr;
3412 expmessage = expand_string(log_message);
3413 if (expmessage == NULL)
3415 if (!expand_string_forcedfail)
3416 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3417 log_message, expand_string_message);
3419 else if (expmessage[0] != 0)
3421 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3422 string_sprintf("%s: %s", expmessage, *log_msgptr);
3426 /* If no log message, default it to the user message */
3428 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3431 acl_verify_message = NULL;
3439 /*************************************************
3440 * Get line from a literal ACL *
3441 *************************************************/
3443 /* This function is passed to acl_read() in order to extract individual lines
3444 of a literal ACL, which we access via static pointers. We can destroy the
3445 contents because this is called only once (the compiled ACL is remembered).
3447 This code is intended to treat the data in the same way as lines in the main
3448 Exim configuration file. That is:
3450 . Leading spaces are ignored.
3452 . A \ at the end of a line is a continuation - trailing spaces after the \
3453 are permitted (this is because I don't believe in making invisible things
3454 significant). Leading spaces on the continued part of a line are ignored.
3456 . Physical lines starting (significantly) with # are totally ignored, and
3457 may appear within a sequence of backslash-continued lines.
3459 . Blank lines are ignored, but will end a sequence of continuations.
3462 Returns: a pointer to the next line
3466 static uschar *acl_text; /* Current pointer in the text */
3467 static uschar *acl_text_end; /* Points one past the terminating '0' */
3475 /* This loop handles leading blank lines and comments. */
3479 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3480 if (*acl_text == 0) return NULL; /* No more data */
3481 yield = acl_text; /* Potential data line */
3483 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3485 /* If we hit the end before a newline, we have the whole logical line. If
3486 it's a comment, there's no more data to be given. Otherwise, yield it. */
3488 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3490 /* After reaching a newline, end this loop if the physical line does not
3491 start with '#'. If it does, it's a comment, and the loop continues. */
3493 if (*yield != '#') break;
3496 /* This loop handles continuations. We know we have some real data, ending in
3497 newline. See if there is a continuation marker at the end (ignoring trailing
3498 white space). We know that *yield is not white space, so no need to test for
3499 cont > yield in the backwards scanning loop. */
3504 for (cont = acl_text - 1; isspace(*cont); cont--);
3506 /* If no continuation follows, we are done. Mark the end of the line and
3515 /* We have encountered a continuation. Skip over whitespace at the start of
3516 the next line, and indeed the whole of the next line or lines if they are
3521 while (*(++acl_text) == ' ' || *acl_text == '\t');
3522 if (*acl_text != '#') break;
3523 while (*(++acl_text) != 0 && *acl_text != '\n');
3526 /* We have the start of a continuation line. Move all the rest of the data
3527 to join onto the previous line, and then find its end. If the end is not a
3528 newline, we are done. Otherwise loop to look for another continuation. */
3530 memmove(cont, acl_text, acl_text_end - acl_text);
3531 acl_text_end -= acl_text - cont;
3533 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3534 if (*acl_text == 0) return yield;
3537 /* Control does not reach here */
3544 /*************************************************
3545 * Check access using an ACL *
3546 *************************************************/
3548 /* This function is called from address_check. It may recurse via
3549 acl_check_condition() - hence the use of a level to stop looping. The ACL is
3550 passed as a string which is expanded. A forced failure implies no access check
3551 is required. If the result is a single word, it is taken as the name of an ACL
3552 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3553 text, complete with newlines, and parsed as such. In both cases, the ACL check
3554 is then run. This function uses an auxiliary function for acl_read() to call
3555 for reading individual lines of a literal ACL. This is acl_getline(), which
3556 appears immediately above.
3559 where where called from
3560 addr address item when called from RCPT; otherwise NULL
3561 s the input string; NULL is the same as an empty ACL => DENY
3562 level the nesting level
3563 user_msgptr where to put a user error (for SMTP response)
3564 log_msgptr where to put a logging message (not for SMTP response)
3566 Returns: OK access is granted
3567 DISCARD access is apparently granted...
3568 FAIL access is denied
3569 FAIL_DROP access is denied; drop the connection
3570 DEFER can't tell at the moment
3575 acl_check_internal(int where, address_item *addr, uschar *s, int level,
3576 uschar **user_msgptr, uschar **log_msgptr)
3579 acl_block *acl = NULL;
3580 uschar *acl_name = US"inline ACL";
3583 /* Catch configuration loops */
3587 *log_msgptr = US"ACL nested too deep: possible loop";
3593 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3597 /* At top level, we expand the incoming string. At lower levels, it has already
3598 been expanded as part of condition processing. */
3602 ss = expand_string(s);
3605 if (expand_string_forcedfail) return OK;
3606 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3607 expand_string_message);
3613 while (isspace(*ss))ss++;
3615 /* If we can't find a named ACL, the default is to parse it as an inline one.
3616 (Unless it begins with a slash; non-existent files give rise to an error.) */
3620 /* Handle the case of a string that does not contain any spaces. Look for a
3621 named ACL among those read from the configuration, or a previously read file.
3622 It is possible that the pointer to the ACL is NULL if the configuration
3623 contains a name with no data. If not found, and the text begins with '/',
3624 read an ACL from a file, and save it so it can be re-used. */
3626 if (Ustrchr(ss, ' ') == NULL)
3628 tree_node *t = tree_search(acl_anchor, ss);
3631 acl = (acl_block *)(t->data.ptr);
3634 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3637 acl_name = string_sprintf("ACL \"%s\"", ss);
3638 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3641 else if (*ss == '/')
3643 struct stat statbuf;
3644 fd = Uopen(ss, O_RDONLY, 0);
3647 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3652 if (fstat(fd, &statbuf) != 0)
3654 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3659 acl_text = store_get(statbuf.st_size + 1);
3660 acl_text_end = acl_text + statbuf.st_size + 1;
3662 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3664 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3665 ss, strerror(errno));
3668 acl_text[statbuf.st_size] = 0;
3671 acl_name = string_sprintf("ACL \"%s\"", ss);
3672 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3676 /* Parse an ACL that is still in text form. If it came from a file, remember it
3677 in the ACL tree, having read it into the POOL_PERM store pool so that it
3678 persists between multiple messages. */
3682 int old_pool = store_pool;
3683 if (fd >= 0) store_pool = POOL_PERM;
3684 acl = acl_read(acl_getline, log_msgptr);
3685 store_pool = old_pool;
3686 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3689 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3690 Ustrcpy(t->name, ss);
3692 (void)tree_insertnode(&acl_anchor, t);
3696 /* Now we have an ACL to use. It's possible it may be NULL. */
3701 int basic_errno = 0;
3702 BOOL endpass_seen = FALSE;
3704 *log_msgptr = *user_msgptr = NULL;
3705 acl_temp_details = FALSE;
3707 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
3708 acl->verb != ACL_ACCEPT &&
3709 acl->verb != ACL_WARN)
3711 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
3716 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3718 /* Clear out any search error message from a previous check before testing
3721 search_error_message = NULL;
3722 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3723 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3725 /* Handle special returns: DEFER causes a return except on a WARN verb;
3726 ERROR always causes a return. */
3731 HDEBUG(D_acl) debug_printf("%s: condition test deferred in %s\n", verbs[acl->verb], acl_name);
3732 if (basic_errno != ERRNO_CALLOUTDEFER)
3734 if (search_error_message != NULL && *search_error_message != 0)
3735 *log_msgptr = search_error_message;
3736 if (smtp_return_error_details) acl_temp_details = TRUE;
3740 acl_temp_details = TRUE;
3742 if (acl->verb != ACL_WARN) return DEFER;
3745 default: /* Paranoia */
3747 HDEBUG(D_acl) debug_printf("%s: condition test error in %s\n", verbs[acl->verb], acl_name);
3751 HDEBUG(D_acl) debug_printf("%s: condition test succeeded in %s\n",
3752 verbs[acl->verb], acl_name);
3756 HDEBUG(D_acl) debug_printf("%s: condition test failed in %s\n", verbs[acl->verb], acl_name);
3759 /* DISCARD and DROP can happen only from a nested ACL condition, and
3760 DISCARD can happen only for an "accept" or "discard" verb. */
3763 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\" in %s\n",
3764 verbs[acl->verb], acl_name);
3768 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\" in %s\n",
3769 verbs[acl->verb], acl_name);
3773 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3774 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3775 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3780 if (cond == OK || cond == DISCARD) return cond;
3783 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3791 acl_temp_details = TRUE;
3797 if (cond == OK) return FAIL;
3801 if (cond == OK || cond == DISCARD) return DISCARD;
3804 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3810 if (cond == OK) return FAIL_DROP;
3814 if (cond != OK) return cond;
3819 acl_warn(where, *user_msgptr, *log_msgptr);
3820 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
3821 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3822 "condition test deferred%s%s", host_and_ident(TRUE),
3823 (*log_msgptr == NULL)? US"" : US": ",
3824 (*log_msgptr == NULL)? US"" : *log_msgptr);
3825 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3829 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3834 /* Pass to the next ACL item */
3839 /* We have reached the end of the ACL. This is an implicit DENY. */
3841 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3846 /*************************************************
3847 * Check access using an ACL *
3848 *************************************************/
3850 /* This is the external interface for ACL checks. It sets up an address and the
3851 expansions for $domain and $local_part when called after RCPT, then calls
3852 acl_check_internal() to do the actual work.
3855 where ACL_WHERE_xxxx indicating where called from
3856 recipient RCPT address for RCPT check, else NULL
3857 s the input string; NULL is the same as an empty ACL => DENY
3858 user_msgptr where to put a user error (for SMTP response)
3859 log_msgptr where to put a logging message (not for SMTP response)
3861 Returns: OK access is granted by an ACCEPT verb
3862 DISCARD access is granted by a DISCARD verb
3863 FAIL access is denied
3864 FAIL_DROP access is denied; drop the connection
3865 DEFER can't tell at the moment
3870 acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
3871 uschar **log_msgptr)
3875 address_item *addr = NULL;
3877 *user_msgptr = *log_msgptr = NULL;
3878 sender_verified_failed = NULL;
3879 ratelimiters_cmd = NULL;
3880 log_reject_target = LOG_MAIN|LOG_REJECT;
3882 if (where == ACL_WHERE_RCPT)
3884 adb = address_defaults;
3886 addr->address = recipient;
3887 if (deliver_split_address(addr) == DEFER)
3889 *log_msgptr = US"defer in percent_hack_domains check";
3892 deliver_domain = addr->domain;
3893 deliver_localpart = addr->local_part;
3896 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3898 deliver_domain = deliver_localpart = deliver_address_data =
3899 sender_address_data = NULL;
3901 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3902 ACL, which is really in the middle of an SMTP command. */
3906 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3908 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3909 "ACL", acl_wherenames[where]);
3915 /* A DROP response is not permitted from MAILAUTH */
3917 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3919 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3920 "ACL", acl_wherenames[where]);
3924 /* Before giving a response, take a look at the length of any user message, and
3925 split it up into multiple lines if possible. */
3927 *user_msgptr = string_split_message(*user_msgptr);
3928 if (fake_response != OK)
3929 fake_response_text = string_split_message(fake_response_text);
3936 /*************************************************
3937 * Create ACL variable *
3938 *************************************************/
3940 /* Create an ACL variable or reuse an existing one. ACL variables are in a
3941 binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3944 name pointer to the variable's name, starting with c or m
3946 Returns the pointer to variable's tree node
3950 acl_var_create(uschar *name)
3952 tree_node *node, **root;
3953 root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3954 node = tree_search(*root, name);
3957 node = store_get(sizeof(tree_node) + Ustrlen(name));
3958 Ustrcpy(node->name, name);
3959 (void)tree_insertnode(root, node);
3961 node->data.ptr = NULL;
3967 /*************************************************
3968 * Write an ACL variable in spool format *
3969 *************************************************/
3971 /* This function is used as a callback for tree_walk when writing variables to
3972 the spool file. To retain spool file compatibility, what is written is -aclc or
3973 -aclm followed by the rest of the name and the data length, space separated,
3974 then the value itself, starting on a new line, and terminated by an additional
3975 newline. When we had only numbered ACL variables, the first line might look
3976 like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3980 name of the variable
3981 value of the variable
3982 ctx FILE pointer (as a void pointer)
3988 acl_var_write(uschar *name, uschar *value, void *ctx)
3990 FILE *f = (FILE *)ctx;
3991 fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);