1 /* $Cambridge: exim/src/src/acl.c,v 1.33 2005/05/23 15:28:38 fanf2 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the condition for which "message" is used */
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
34 /* ACL condition and modifier codes - keep in step with the table that
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
46 #ifdef WITH_OLD_DEMIME
49 #ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59 #ifdef WITH_CONTENT_SCAN
63 #ifdef WITH_CONTENT_SCAN
67 #ifdef WITH_CONTENT_SCAN
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71 #ifdef WITH_CONTENT_SCAN
74 #ifdef EXPERIMENTAL_SPF
79 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80 "log_message", "logwrite", and "set" are modifiers that look like conditions
81 but always return TRUE. They are used for their side effects. */
83 static uschar *conditions[] = { US"acl", US"authenticated",
84 #ifdef EXPERIMENTAL_BRIGHTMAIL
89 #ifdef WITH_CONTENT_SCAN
93 #ifdef WITH_OLD_DEMIME
96 #ifdef EXPERIMENTAL_DOMAINKEYS
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
104 US"dnslists", US"domains", US"encrypted",
105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
106 #ifdef WITH_CONTENT_SCAN
110 #ifdef WITH_CONTENT_SCAN
114 #ifdef WITH_CONTENT_SCAN
117 US"sender_domains", US"senders", US"set",
118 #ifdef WITH_CONTENT_SCAN
121 #ifdef EXPERIMENTAL_SPF
126 /* ACL control names */
128 static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
130 US"queue_only", US"submission", US"no_multiline"};
132 /* Flags to indicate for which conditions /modifiers a string expansion is done
133 at the outer level. In the other cases, expansion already occurs in the
134 checking functions. */
136 static uschar cond_expand_at_top[] = {
138 FALSE, /* authenticated */
139 #ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
142 TRUE, /* condition */
144 #ifdef WITH_CONTENT_SCAN
148 #ifdef WITH_OLD_DEMIME
151 #ifdef EXPERIMENTAL_DOMAINKEYS
152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
155 TRUE, /* dk_sender_local_parts */
156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
161 FALSE, /* encrypted */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
167 #ifdef WITH_CONTENT_SCAN
171 #ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
174 FALSE, /* recipients */
175 #ifdef WITH_CONTENT_SCAN
178 FALSE, /* sender_domains */
181 #ifdef WITH_CONTENT_SCAN
184 #ifdef EXPERIMENTAL_SPF
190 /* Flags to identify the modifiers */
192 static uschar cond_modifiers[] = {
194 FALSE, /* authenticated */
195 #ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
198 FALSE, /* condition */
200 #ifdef WITH_CONTENT_SCAN
204 #ifdef WITH_OLD_DEMIME
207 #ifdef EXPERIMENTAL_DOMAINKEYS
208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
211 FALSE, /* dk_sender_local_parts */
212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
215 FALSE, /* dnslists */
217 FALSE, /* encrypted */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
223 #ifdef WITH_CONTENT_SCAN
227 #ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
230 FALSE, /* recipients */
231 #ifdef WITH_CONTENT_SCAN
234 FALSE, /* sender_domains */
237 #ifdef WITH_CONTENT_SCAN
240 #ifdef EXPERIMENTAL_SPF
246 /* Bit map vector of which conditions are not allowed at certain times. For
247 each condition, there's a bitmap of dis-allowed times. For some, it is easier
248 to specify the negation of a small number of allowed times. */
250 static unsigned int cond_forbids[] = {
253 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
256 #ifdef EXPERIMENTAL_BRIGHTMAIL
257 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
258 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
259 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
260 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
261 (1<<ACL_WHERE_MAILAUTH)|
262 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
263 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
268 /* Certain types of control are always allowed, so we let it through
269 always and check in the control processing itself. */
273 #ifdef WITH_CONTENT_SCAN
275 ~(1<<ACL_WHERE_MIME), /* decode */
280 #ifdef WITH_OLD_DEMIME
282 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
285 #ifdef EXPERIMENTAL_DOMAINKEYS
286 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
287 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
288 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
289 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
290 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
291 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
294 (1<<ACL_WHERE_AUTH)| /* dk_policy */
295 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
296 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
297 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
298 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
299 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
302 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
303 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
304 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
305 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
306 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
307 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
310 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
311 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
312 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
313 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
314 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
315 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
318 (1<<ACL_WHERE_AUTH)| /* dk_senders */
319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
326 (1<<ACL_WHERE_AUTH)| /* dk_status */
327 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
328 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
329 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
330 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
331 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
335 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
338 ~(1<<ACL_WHERE_RCPT), /* domains */
340 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
345 (1<<ACL_WHERE_NOTSMTP), /* hosts */
348 ~(1<<ACL_WHERE_RCPT), /* local_parts */
354 #ifdef WITH_CONTENT_SCAN
356 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
361 #ifdef WITH_CONTENT_SCAN
363 ~(1<<ACL_WHERE_MIME), /* mime_regex */
367 ~(1<<ACL_WHERE_RCPT), /* recipients */
369 #ifdef WITH_CONTENT_SCAN
371 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
372 (1<<ACL_WHERE_MIME)),
375 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
377 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
378 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
379 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
381 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
383 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
384 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
385 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
389 #ifdef WITH_CONTENT_SCAN
391 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
394 #ifdef EXPERIMENTAL_SPF
395 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
397 (1<<ACL_WHERE_MAILAUTH)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
402 /* Certain types of verify are always allowed, so we let it through
403 always and check in the verify function itself */
409 /* Return values from decode_control() */
412 #ifdef EXPERIMENTAL_BRIGHTMAIL
415 #ifdef EXPERIMENTAL_DOMAINKEYS
418 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
419 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
420 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
421 #ifdef WITH_CONTENT_SCAN
422 CONTROL_NO_MBOX_UNSPOOL,
424 CONTROL_FAKEDEFER, CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
426 /* Bit map vector of which controls are not allowed at certain times. For
427 each control, there's a bitmap of dis-allowed times. For some, it is easier to
428 specify the negation of a small number of allowed times. */
430 static unsigned int control_forbids[] = {
431 #ifdef EXPERIMENTAL_BRIGHTMAIL
434 #ifdef EXPERIMENTAL_DOMAINKEYS
435 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
441 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
444 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
446 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
448 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
451 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
452 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
453 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
456 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
457 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
458 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
461 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
462 (1<<ACL_WHERE_PREDATA)),
464 #ifdef WITH_CONTENT_SCAN
466 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
467 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
468 (1<<ACL_WHERE_MIME)),
472 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
473 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
474 (1<<ACL_WHERE_MIME)),
477 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
478 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
479 (1<<ACL_WHERE_MIME)),
481 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
484 /* Structure listing various control arguments, with their characteristics. */
486 typedef struct control_def {
488 int value; /* CONTROL_xxx value */
489 BOOL has_option; /* Has /option(s) following */
492 static control_def controls_list[] = {
493 #ifdef EXPERIMENTAL_BRIGHTMAIL
494 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
496 #ifdef EXPERIMENTAL_DOMAINKEYS
497 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
499 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
500 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
501 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
502 { US"freeze", CONTROL_FREEZE, FALSE},
503 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
504 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
505 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
506 #ifdef WITH_CONTENT_SCAN
507 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
509 { US"fakedefer", CONTROL_FAKEDEFER, TRUE},
510 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
511 { US"submission", CONTROL_SUBMISSION, TRUE}
514 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
515 caches its result in a tree to avoid repeated DNS queries. The result is an
516 integer code which is used as an index into the following tables of
517 explanatory strings and verification return codes. */
519 static tree_node *csa_cache = NULL;
521 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
522 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
524 /* The acl_verify_csa() return code is translated into an acl_verify() return
525 code using the following table. It is OK unless the client is definitely not
526 authorized. This is because CSA is supposed to be optional for sending sites,
527 so recipients should not be too strict about checking it - especially because
528 DNS problems are quite likely to occur. It's possible to use $csa_status in
529 further ACL conditions to distinguish ok, unknown, and defer if required, but
530 the aim is to make the usual configuration simple. */
532 static int csa_return_code[] = {
534 FAIL, FAIL, FAIL, FAIL
537 static uschar *csa_status_string[] = {
538 US"unknown", US"ok", US"defer", US"defer",
539 US"fail", US"fail", US"fail", US"fail"
542 static uschar *csa_reason_string[] = {
545 US"deferred (SRV lookup failed)",
546 US"deferred (target address lookup failed)",
547 US"failed (explicit authorization required)",
548 US"failed (host name not authorized)",
549 US"failed (no authorized addresses)",
550 US"failed (client address mismatch)"
553 /* Enable recursion between acl_check_internal() and acl_check_condition() */
555 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
559 /*************************************************
560 * Pick out name from list *
561 *************************************************/
563 /* Use a binary chop method
570 Returns: offset in list, or -1 if not found
574 acl_checkname(uschar *name, uschar **list, int end)
580 int mid = (start + end)/2;
581 int c = Ustrcmp(name, list[mid]);
582 if (c == 0) return mid;
583 if (c < 0) end = mid; else start = mid + 1;
590 /*************************************************
591 * Read and parse one ACL *
592 *************************************************/
594 /* This function is called both from readconf in order to parse the ACLs in the
595 configuration file, and also when an ACL is encountered dynamically (e.g. as
596 the result of an expansion). It is given a function to call in order to
597 retrieve the lines of the ACL. This function handles skipping comments and
598 blank lines (where relevant).
601 func function to get next line of ACL
602 error where to put an error message
604 Returns: pointer to ACL, or NULL
605 NULL can be legal (empty ACL); in this case error will be NULL
609 acl_read(uschar *(*func)(void), uschar **error)
611 acl_block *yield = NULL;
612 acl_block **lastp = &yield;
613 acl_block *this = NULL;
614 acl_condition_block *cond;
615 acl_condition_block **condp = NULL;
620 while ((s = (*func)()) != NULL)
623 BOOL negated = FALSE;
624 uschar *saveline = s;
627 /* Conditions (but not verbs) are allowed to be negated by an initial
630 while (isspace(*s)) s++;
637 /* Read the name of a verb or a condition, or the start of a new ACL, which
638 can be started by a name, or by a macro definition. */
640 s = readconf_readname(name, sizeof(name), s);
641 if (*s == ':' || isupper(name[0] && *s == '=')) return yield;
643 /* If a verb is unrecognized, it may be another condition or modifier that
644 continues the previous verb. */
646 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
651 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
662 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
665 this = store_get(sizeof(acl_block));
667 lastp = &(this->next);
670 this->condition = NULL;
671 condp = &(this->condition);
672 if (*s == 0) continue; /* No condition on this line */
678 s = readconf_readname(name, sizeof(name), s); /* Condition name */
681 /* Handle a condition or modifier. */
683 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
686 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
691 /* The modifiers may not be negated */
693 if (negated && cond_modifiers[c])
695 *error = string_sprintf("ACL error: negation is not allowed with "
696 "\"%s\"", conditions[c]);
700 /* ENDPASS may occur only with ACCEPT or DISCARD. */
702 if (c == ACLC_ENDPASS &&
703 this->verb != ACL_ACCEPT &&
704 this->verb != ACL_DISCARD)
706 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
707 conditions[c], verbs[this->verb]);
711 cond = store_get(sizeof(acl_condition_block));
714 cond->u.negated = negated;
717 condp = &(cond->next);
719 /* The "set" modifier is different in that its argument is "name=value"
720 rather than just a value, and we can check the validity of the name, which
721 gives us a variable number to insert into the data block. */
725 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
726 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
728 *error = string_sprintf("unrecognized name after \"set\" in ACL "
729 "modifier \"set %s\"", s);
733 cond->u.varnumber = s[5] - '0';
734 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
736 while (isspace(*s)) s++;
739 /* For "set", we are now positioned for the data. For the others, only
740 "endpass" has no data */
742 if (c != ACLC_ENDPASS)
746 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
747 cond_modifiers[c]? US"modifier" : US"condition");
750 while (isspace(*s)) s++;
751 cond->arg = string_copy(s);
760 /*************************************************
762 *************************************************/
764 /* This function is called when a WARN verb's conditions are true. It adds to
765 the message's headers, and/or writes information to the log. In each case, this
766 only happens once (per message for headers, per connection for log).
769 where ACL_WHERE_xxxx indicating which ACL this is
770 user_message message for adding to headers
771 log_message message for logging, if different
777 acl_warn(int where, uschar *user_message, uschar *log_message)
781 if (log_message != NULL && log_message != user_message)
786 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
787 string_printing(log_message));
789 /* If a sender verification has failed, and the log message is "sender verify
790 failed", add the failure message. */
792 if (sender_verified_failed != NULL &&
793 sender_verified_failed->message != NULL &&
794 strcmpic(log_message, US"sender verify failed") == 0)
795 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
797 /* Search previously logged warnings. They are kept in malloc
798 store so they can be freed at the start of a new message. */
800 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
801 if (Ustrcmp(logged->text, text) == 0) break;
805 int length = Ustrlen(text) + 1;
806 log_write(0, LOG_MAIN, "%s", text);
807 logged = store_malloc(sizeof(string_item) + length);
808 logged->text = (uschar *)logged + sizeof(string_item);
809 memcpy(logged->text, text, length);
810 logged->next = acl_warn_logged;
811 acl_warn_logged = logged;
815 /* If there's no user message, we are done. */
817 if (user_message == NULL) return;
819 /* If this isn't a message ACL, we can't do anything with a user message.
822 if (where > ACL_WHERE_NOTSMTP)
824 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
825 "found in a non-message (%s) ACL: cannot specify header lines here: "
826 "message ignored", acl_wherenames[where]);
830 /* Treat the user message as a sequence of one or more header lines. */
832 hlen = Ustrlen(user_message);
835 uschar *text, *p, *q;
837 /* Add a final newline if not present */
839 text = ((user_message)[hlen-1] == '\n')? user_message :
840 string_sprintf("%s\n", user_message);
842 /* Loop for multiple header lines, taking care about continuations */
844 for (p = q = text; *p != 0; )
847 int newtype = htype_add_bot;
848 header_line **hptr = &acl_warn_headers;
850 /* Find next header line within the string */
854 q = Ustrchr(q, '\n');
855 if (*(++q) != ' ' && *q != '\t') break;
858 /* If the line starts with a colon, interpret the instruction for where to
859 add it. This temporarily sets up a new type. */
863 if (strncmpic(p, US":after_received:", 16) == 0)
865 newtype = htype_add_rec;
868 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
870 newtype = htype_add_rfc;
873 else if (strncmpic(p, US":at_start:", 10) == 0)
875 newtype = htype_add_top;
878 else if (strncmpic(p, US":at_end:", 8) == 0)
880 newtype = htype_add_bot;
883 while (*p == ' ' || *p == '\t') p++;
886 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
887 to the front of it. */
889 for (s = p; s < q - 1; s++)
891 if (*s == ':' || !isgraph(*s)) break;
894 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
897 /* See if this line has already been added */
899 while (*hptr != NULL)
901 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
902 hptr = &((*hptr)->next);
905 /* Add if not previously present */
909 header_line *h = store_get(sizeof(header_line));
918 /* Advance for next header line within the string */
927 /*************************************************
928 * Verify and check reverse DNS *
929 *************************************************/
931 /* Called from acl_verify() below. We look up the host name(s) of the client IP
932 address if this has not yet been done. The host_name_lookup() function checks
933 that one of these names resolves to an address list that contains the client IP
934 address, so we don't actually have to do the check here.
937 user_msgptr pointer for user message
938 log_msgptr pointer for log message
940 Returns: OK verification condition succeeded
941 FAIL verification failed
942 DEFER there was a problem verifying
946 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
950 user_msgptr = user_msgptr; /* stop compiler warning */
952 /* Previous success */
954 if (sender_host_name != NULL) return OK;
956 /* Previous failure */
958 if (host_lookup_failed)
960 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
964 /* Need to do a lookup */
967 debug_printf("looking up host name to force name/address consistency check\n");
969 if ((rc = host_name_lookup()) != OK)
971 *log_msgptr = (rc == DEFER)?
972 US"host lookup deferred for reverse lookup check"
974 string_sprintf("host lookup failed for reverse lookup check%s",
976 return rc; /* DEFER or FAIL */
979 host_build_sender_fullhost();
985 /*************************************************
986 * Check client IP address matches CSA target *
987 *************************************************/
989 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
990 response for address records belonging to the CSA target hostname. The section
991 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
992 If one of the addresses matches the client's IP address, then the client is
993 authorized by CSA. If there are target IP addresses but none of them match
994 then the client is using an unauthorized IP address. If there are no target IP
995 addresses then the client cannot be using an authorized IP address. (This is
996 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
999 dnsa the DNS answer block
1000 dnss a DNS scan block for us to use
1001 reset option specifing what portion to scan, as described above
1002 target the target hostname to use for matching RR names
1004 Returns: CSA_OK successfully authorized
1005 CSA_FAIL_MISMATCH addresses found but none matched
1006 CSA_FAIL_NOADDR no target addresses found
1010 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1016 BOOL target_found = FALSE;
1018 for (rr = dns_next_rr(dnsa, dnss, reset);
1020 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1022 /* Check this is an address RR for the target hostname. */
1026 && rr->type != T_AAAA
1033 if (strcmpic(target, rr->name) != 0) continue;
1035 target_found = TRUE;
1037 /* Turn the target address RR into a list of textual IP addresses and scan
1038 the list. There may be more than one if it is an A6 RR. */
1040 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1042 /* If the client IP address matches the target IP address, it's good! */
1044 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1046 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1050 /* If we found some target addresses but none of them matched, the client is
1051 using an unauthorized IP address, otherwise the target has no authorized IP
1054 if (target_found) return CSA_FAIL_MISMATCH;
1055 else return CSA_FAIL_NOADDR;
1060 /*************************************************
1061 * Verify Client SMTP Authorization *
1062 *************************************************/
1064 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1065 to find the CSA SRV record corresponding to the domain argument, or
1066 $sender_helo_name if no argument is provided. It then checks that the
1067 client is authorized, and that its IP address corresponds to the SRV
1068 target's address by calling acl_verify_csa_address() above. The address
1069 should have been returned in the DNS response's ADDITIONAL section, but if
1070 not we perform another DNS lookup to get it.
1073 domain pointer to optional parameter following verify = csa
1075 Returns: CSA_UNKNOWN no valid CSA record found
1076 CSA_OK successfully authorized
1077 CSA_FAIL_* client is definitely not authorized
1078 CSA_DEFER_* there was a DNS problem
1082 acl_verify_csa(uschar *domain)
1086 int priority, weight, port;
1093 /* Work out the domain we are using for the CSA lookup. The default is the
1094 client's HELO domain. If the client has not said HELO, use its IP address
1095 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1097 while (isspace(*domain) && *domain != '\0') ++domain;
1098 if (*domain == '\0') domain = sender_helo_name;
1099 if (domain == NULL) domain = sender_host_address;
1100 if (sender_host_address == NULL) return CSA_UNKNOWN;
1102 /* If we have an address literal, strip off the framing ready for turning it
1103 into a domain. The framing consists of matched square brackets possibly
1104 containing a keyword and a colon before the actual IP address. */
1106 if (domain[0] == '[')
1108 uschar *start = Ustrchr(domain, ':');
1109 if (start == NULL) start = domain;
1110 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1113 /* Turn domains that look like bare IP addresses into domains in the reverse
1114 DNS. This code also deals with address literals and $sender_host_address. It's
1115 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1116 address literals, but it's probably the most friendly thing to do. This is an
1117 extension to CSA, so we allow it to be turned off for proper conformance. */
1119 if (string_is_ip_address(domain, NULL))
1121 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1122 dns_build_reverse(domain, target);
1126 /* Find out if we've already done the CSA check for this domain. If we have,
1127 return the same result again. Otherwise build a new cached result structure
1128 for this domain. The name is filled in now, and the value is filled in when
1129 we return from this function. */
1131 t = tree_search(csa_cache, domain);
1132 if (t != NULL) return t->data.val;
1134 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1135 Ustrcpy(t->name, domain);
1136 (void)tree_insertnode(&csa_cache, t);
1138 /* Now we are ready to do the actual DNS lookup(s). */
1140 switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1142 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1145 return t->data.val = CSA_DEFER_SRV;
1147 /* If we found nothing, the client's authorization is unknown. */
1151 return t->data.val = CSA_UNKNOWN;
1153 /* We got something! Go on to look at the reply in more detail. */
1159 /* Scan the reply for well-formed CSA SRV records. */
1161 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1163 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1165 if (rr->type != T_SRV) continue;
1167 /* Extract the numerical SRV fields (p is incremented) */
1170 GETSHORT(priority, p);
1171 GETSHORT(weight, p);
1175 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1177 /* Check the CSA version number */
1179 if (priority != 1) continue;
1181 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1182 found by dns_special_lookup() is a parent of the one we asked for), we check
1183 the subdomain assertions in the port field. At the moment there's only one
1184 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1185 SRV records of their own. */
1187 if (found != domain)
1190 return t->data.val = CSA_FAIL_EXPLICIT;
1192 return t->data.val = CSA_UNKNOWN;
1195 /* This CSA SRV record refers directly to our domain, so we check the value
1196 in the weight field to work out the domain's authorization. 0 and 1 are
1197 unauthorized; 3 means the client is authorized but we can't check the IP
1198 address in order to authenticate it, so we treat it as unknown; values
1199 greater than 3 are undefined. */
1201 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1203 if (weight > 2) continue;
1205 /* Weight == 2, which means the domain is authorized. We must check that the
1206 client's IP address is listed as one of the SRV target addresses. Save the
1207 target hostname then break to scan the additional data for its addresses. */
1209 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1210 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1212 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1217 /* If we didn't break the loop then no appropriate records were found. */
1219 if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1221 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1222 A target of "." indicates there are no valid addresses, so the client cannot
1223 be authorized. (This is an odd configuration because weight=2 target=. is
1224 equivalent to weight=1, but we check for it in order to keep load off the
1225 root name servers.) Note that dn_expand() turns "." into "". */
1227 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1229 /* Scan the additional section of the CSA SRV reply for addresses belonging
1230 to the target. If the name server didn't return any additional data (e.g.
1231 because it does not fully support SRV records), we need to do another lookup
1232 to obtain the target addresses; otherwise we have a definitive result. */
1234 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1235 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1237 /* The DNS lookup type corresponds to the IP version used by the client. */
1240 if (Ustrchr(sender_host_address, ':') != NULL)
1243 #endif /* HAVE_IPV6 */
1247 #if HAVE_IPV6 && defined(SUPPORT_A6)
1251 switch (dns_lookup(&dnsa, target, type, NULL))
1253 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1256 return t->data.val = CSA_DEFER_ADDR;
1258 /* If the query succeeded, scan the addresses and return the result. */
1261 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1262 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1263 /* else fall through */
1265 /* If the target has no IP addresses, the client cannot have an authorized
1266 IP address. However, if the target site uses A6 records (not AAAA records)
1267 we have to do yet another lookup in order to check them. */
1272 #if HAVE_IPV6 && defined(SUPPORT_A6)
1273 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1276 return t->data.val = CSA_FAIL_NOADDR;
1282 /*************************************************
1283 * Handle verification (address & other) *
1284 *************************************************/
1286 /* This function implements the "verify" condition. It is called when
1287 encountered in any ACL, because some tests are almost always permitted. Some
1288 just don't make sense, and always fail (for example, an attempt to test a host
1289 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1292 where where called from
1293 addr the recipient address that the ACL is handling, or NULL
1294 arg the argument of "verify"
1295 user_msgptr pointer for user message
1296 log_msgptr pointer for log message
1297 basic_errno where to put verify errno
1299 Returns: OK verification condition succeeded
1300 FAIL verification failed
1301 DEFER there was a problem verifying
1306 acl_verify(int where, address_item *addr, uschar *arg,
1307 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1311 int callout_overall = -1;
1312 int callout_connect = -1;
1313 int verify_options = 0;
1315 BOOL verify_header_sender = FALSE;
1316 BOOL defer_ok = FALSE;
1317 BOOL callout_defer_ok = FALSE;
1318 BOOL no_details = FALSE;
1319 address_item *sender_vaddr = NULL;
1320 uschar *verify_sender_address = NULL;
1321 uschar *pm_mailfrom = NULL;
1322 uschar *se_mailfrom = NULL;
1324 /* Some of the verify items have slash-separated options; some do not. Diagnose
1325 an error if options are given for items that don't expect them. This code has
1326 now got very message. Refactoring to use a table would be a good idea one day.
1329 uschar *slash = Ustrchr(arg, '/');
1331 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1333 if (ss == NULL) goto BAD_VERIFY;
1335 /* Handle name/address consistency verification in a separate function. */
1337 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1339 if (slash != NULL) goto NO_OPTIONS;
1340 if (sender_host_address == NULL) return OK;
1341 return acl_verify_reverse(user_msgptr, log_msgptr);
1344 /* TLS certificate verification is done at STARTTLS time; here we just
1345 test whether it was successful or not. (This is for optional verification; for
1346 mandatory verification, the connection doesn't last this long.) */
1348 if (strcmpic(ss, US"certificate") == 0)
1350 if (slash != NULL) goto NO_OPTIONS;
1351 if (tls_certificate_verified) return OK;
1352 *user_msgptr = US"no verified certificate";
1356 /* We can test the result of optional HELO verification */
1358 if (strcmpic(ss, US"helo") == 0)
1360 if (slash != NULL) goto NO_OPTIONS;
1361 return helo_verified? OK : FAIL;
1364 /* Do Client SMTP Authorization checks in a separate function, and turn the
1365 result code into user-friendly strings. */
1367 if (strcmpic(ss, US"csa") == 0)
1369 rc = acl_verify_csa(list);
1370 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1371 csa_reason_string[rc]);
1372 csa_status = csa_status_string[rc];
1373 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1374 return csa_return_code[rc];
1377 /* Check that all relevant header lines have the correct syntax. If there is
1378 a syntax error, we return details of the error to the sender if configured to
1379 send out full details. (But a "message" setting on the ACL can override, as
1382 if (strcmpic(ss, US"header_syntax") == 0)
1384 if (slash != NULL) goto NO_OPTIONS;
1385 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1387 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1388 "(only possible in ACL for DATA)", acl_wherenames[where]);
1391 rc = verify_check_headers(log_msgptr);
1392 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1393 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1398 /* The remaining verification tests check recipient and sender addresses,
1399 either from the envelope or from the header. There are a number of
1400 slash-separated options that are common to all of them. */
1403 /* Check that there is at least one verifiable sender address in the relevant
1404 header lines. This can be followed by callout and defer options, just like
1405 sender and recipient. */
1407 if (strcmpic(ss, US"header_sender") == 0)
1409 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1411 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1412 "(only possible in ACL for DATA)", acl_wherenames[where]);
1415 verify_header_sender = TRUE;
1418 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1419 In the case of a sender, this can optionally be followed by an address to use
1420 in place of the actual sender (rare special-case requirement). */
1422 else if (strncmpic(ss, US"sender", 6) == 0)
1425 if (where > ACL_WHERE_NOTSMTP)
1427 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1428 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1429 acl_wherenames[where]);
1433 verify_sender_address = sender_address;
1436 while (isspace(*s)) s++;
1437 if (*s++ != '=') goto BAD_VERIFY;
1438 while (isspace(*s)) s++;
1439 verify_sender_address = string_copy(s);
1444 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1447 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1448 "(only possible for RCPT)", acl_wherenames[where]);
1453 /* Remaining items are optional; they apply to sender and recipient
1454 verification, including "header sender" verification. */
1456 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1459 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1460 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1462 /* These two old options are left for backwards compatibility */
1464 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1466 callout_defer_ok = TRUE;
1467 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1470 else if (strcmpic(ss, US"check_postmaster") == 0)
1473 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1476 /* The callout option has a number of sub-options, comma separated */
1478 else if (strncmpic(ss, US"callout", 7) == 0)
1480 callout = CALLOUT_TIMEOUT_DEFAULT;
1484 while (isspace(*ss)) ss++;
1490 while (isspace(*ss)) ss++;
1492 /* This callout option handling code has become a mess as new options
1493 have been added in an ad hoc manner. It should be tidied up into some
1494 kind of table-driven thing. */
1496 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1499 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1500 else if (strcmpic(opt, US"no_cache") == 0)
1501 verify_options |= vopt_callout_no_cache;
1502 else if (strcmpic(opt, US"random") == 0)
1503 verify_options |= vopt_callout_random;
1504 else if (strcmpic(opt, US"use_sender") == 0)
1505 verify_options |= vopt_callout_recipsender;
1506 else if (strcmpic(opt, US"use_postmaster") == 0)
1507 verify_options |= vopt_callout_recippmaster;
1508 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1510 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1512 if (!verify_header_sender)
1514 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1515 "callout option only for verify=header_sender (detected in ACL "
1516 "condition \"%s\")", arg);
1520 while (isspace(*opt)) opt++;
1523 *log_msgptr = string_sprintf("'=' expected after "
1524 "\"mailfrom\" in ACL condition \"%s\"", arg);
1527 while (isspace(*opt)) opt++;
1528 se_mailfrom = string_copy(opt);
1531 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1534 while (isspace(*opt)) opt++;
1537 *log_msgptr = string_sprintf("'=' expected after "
1538 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1541 while (isspace(*opt)) opt++;
1542 pm_mailfrom = string_copy(opt);
1545 else if (strncmpic(opt, US"maxwait", 7) == 0)
1548 while (isspace(*opt)) opt++;
1551 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1552 "ACL condition \"%s\"", arg);
1555 while (isspace(*opt)) opt++;
1556 callout_overall = readconf_readtime(opt, 0, FALSE);
1557 if (callout_overall < 0)
1559 *log_msgptr = string_sprintf("bad time value in ACL condition "
1560 "\"verify %s\"", arg);
1564 else if (strncmpic(opt, US"connect", 7) == 0)
1567 while (isspace(*opt)) opt++;
1570 *log_msgptr = string_sprintf("'=' expected after "
1571 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1574 while (isspace(*opt)) opt++;
1575 callout_connect = readconf_readtime(opt, 0, FALSE);
1576 if (callout_connect < 0)
1578 *log_msgptr = string_sprintf("bad time value in ACL condition "
1579 "\"verify %s\"", arg);
1583 else /* Plain time is callout connect/command timeout */
1585 callout = readconf_readtime(opt, 0, FALSE);
1588 *log_msgptr = string_sprintf("bad time value in ACL condition "
1589 "\"verify %s\"", arg);
1597 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1598 "ACL condition \"%s\"", arg);
1604 /* Option not recognized */
1608 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1609 "condition \"verify %s\"", ss, arg);
1614 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1615 (vopt_callout_recipsender|vopt_callout_recippmaster))
1617 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1618 "for a recipient callout";
1622 /* Handle sender-in-header verification. Default the user message to the log
1623 message if giving out verification details. */
1625 if (verify_header_sender)
1628 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1629 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1633 *basic_errno = verrno;
1634 if (smtp_return_error_details)
1636 if (*user_msgptr == NULL && *log_msgptr != NULL)
1637 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1638 if (rc == DEFER) acl_temp_details = TRUE;
1643 /* Handle a sender address. The default is to verify *the* sender address, but
1644 optionally a different address can be given, for special requirements. If the
1645 address is empty, we are dealing with a bounce message that has no sender, so
1646 we cannot do any checking. If the real sender address gets rewritten during
1647 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1648 during message reception.
1650 A list of verified "sender" addresses is kept to try to avoid doing to much
1651 work repetitively when there are multiple recipients in a message and they all
1652 require sender verification. However, when callouts are involved, it gets too
1653 complicated because different recipients may require different callout options.
1654 Therefore, we always do a full sender verify when any kind of callout is
1655 specified. Caching elsewhere, for instance in the DNS resolver and in the
1656 callout handling, should ensure that this is not terribly inefficient. */
1658 else if (verify_sender_address != NULL)
1660 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1663 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1664 "sender verify callout";
1668 sender_vaddr = verify_checked_sender(verify_sender_address);
1669 if (sender_vaddr != NULL && /* Previously checked */
1670 callout <= 0) /* No callout needed this time */
1672 /* If the "routed" flag is set, it means that routing worked before, so
1673 this check can give OK (the saved return code value, if set, belongs to a
1674 callout that was done previously). If the "routed" flag is not set, routing
1675 must have failed, so we use the saved return code. */
1677 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1679 rc = sender_vaddr->special_action;
1680 *basic_errno = sender_vaddr->basic_errno;
1682 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1685 /* Do a new verification, and cache the result. The cache is used to avoid
1686 verifying the sender multiple times for multiple RCPTs when callouts are not
1687 specified (see comments above).
1689 The cache is also used on failure to give details in response to the first
1690 RCPT that gets bounced for this reason. However, this can be suppressed by
1691 the no_details option, which sets the flag that says "this detail has already
1692 been sent". The cache normally contains just one address, but there may be
1693 more in esoteric circumstances. */
1698 uschar *save_address_data = deliver_address_data;
1700 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1701 if (no_details) setflag(sender_vaddr, af_sverify_told);
1702 if (verify_sender_address[0] != 0)
1704 /* If this is the real sender address, save the unrewritten version
1705 for use later in receive. Otherwise, set a flag so that rewriting the
1706 sender in verify_address() does not update sender_address. */
1708 if (verify_sender_address == sender_address)
1709 sender_address_unrewritten = sender_address;
1711 verify_options |= vopt_fake_sender;
1713 /* The recipient, qualify, and expn options are never set in
1716 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1717 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1719 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1723 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1725 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1726 verify_sender_address, sender_vaddr->address);
1730 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1731 verify_sender_address);
1734 else *basic_errno = sender_vaddr->basic_errno;
1736 else rc = OK; /* Null sender */
1738 /* Cache the result code */
1740 if (routed) setflag(sender_vaddr, af_verify_routed);
1741 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1742 sender_vaddr->special_action = rc;
1743 sender_vaddr->next = sender_verified_list;
1744 sender_verified_list = sender_vaddr;
1746 /* Restore the recipient address data, which might have been clobbered by
1747 the sender verification. */
1749 deliver_address_data = save_address_data;
1752 /* Put the sender address_data value into $sender_address_data */
1754 sender_address_data = sender_vaddr->p.address_data;
1757 /* A recipient address just gets a straightforward verify; again we must handle
1758 the DEFER overrides. */
1764 /* We must use a copy of the address for verification, because it might
1768 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1769 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1770 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1772 *log_msgptr = addr2.message;
1773 *user_msgptr = (addr2.user_message != NULL)?
1774 addr2.user_message : addr2.message;
1775 *basic_errno = addr2.basic_errno;
1777 /* Make $address_data visible */
1778 deliver_address_data = addr2.p.address_data;
1781 /* We have a result from the relevant test. Handle defer overrides first. */
1783 if (rc == DEFER && (defer_ok ||
1784 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1786 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1787 defer_ok? "defer_ok" : "callout_defer_ok");
1791 /* If we've failed a sender, set up a recipient message, and point
1792 sender_verified_failed to the address item that actually failed. */
1794 if (rc != OK && verify_sender_address != NULL)
1798 *log_msgptr = *user_msgptr = US"Sender verify failed";
1800 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1802 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1806 *log_msgptr = US"Could not complete sender verify callout";
1807 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1811 sender_verified_failed = sender_vaddr;
1814 /* Verifying an address messes up the values of $domain and $local_part,
1815 so reset them before returning if this is a RCPT ACL. */
1819 deliver_domain = addr->domain;
1820 deliver_localpart = addr->local_part;
1824 /* Syntax errors in the verify argument come here. */
1827 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1828 "\"helo\", \"header_syntax\", \"header_sender\" or "
1829 "\"reverse_host_lookup\" at start of ACL condition "
1830 "\"verify %s\"", arg);
1833 /* Options supplied when not allowed come here */
1836 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1837 "(this verify item has no options)", arg);
1844 /*************************************************
1845 * Check argument for control= modifier *
1846 *************************************************/
1848 /* Called from acl_check_condition() below
1851 arg the argument string for control=
1852 pptr set to point to the terminating character
1853 where which ACL we are in
1854 log_msgptr for error messages
1856 Returns: CONTROL_xxx value
1860 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1865 for (d = controls_list;
1866 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1869 len = Ustrlen(d->name);
1870 if (Ustrncmp(d->name, arg, len) == 0) break;
1873 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1874 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1876 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1877 return CONTROL_ERROR;
1886 /*************************************************
1887 * Handle conditions/modifiers on an ACL item *
1888 *************************************************/
1890 /* Called from acl_check() below.
1894 cb ACL condition block - if NULL, result is OK
1895 where where called from
1896 addr the address being checked for RCPT, or NULL
1897 level the nesting level
1898 epp pointer to pass back TRUE if "endpass" encountered
1899 (applies only to "accept" and "discard")
1900 user_msgptr user message pointer
1901 log_msgptr log message pointer
1902 basic_errno pointer to where to put verify error
1904 Returns: OK - all conditions are met
1905 DISCARD - an "acl" condition returned DISCARD - only allowed
1906 for "accept" or "discard" verbs
1907 FAIL - at least one condition fails
1908 FAIL_DROP - an "acl" condition returned FAIL_DROP
1909 DEFER - can't tell at the moment (typically, lookup defer,
1910 but can be temporary callout problem)
1911 ERROR - ERROR from nested ACL or expansion failure or other
1916 acl_check_condition(int verb, acl_condition_block *cb, int where,
1917 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1918 uschar **log_msgptr, int *basic_errno)
1920 uschar *user_message = NULL;
1921 uschar *log_message = NULL;
1924 #ifdef WITH_CONTENT_SCAN
1928 for (; cb != NULL; cb = cb->next)
1933 /* The message and log_message items set up messages to be used in
1934 case of rejection. They are expanded later. */
1936 if (cb->type == ACLC_MESSAGE)
1938 user_message = cb->arg;
1942 if (cb->type == ACLC_LOG_MESSAGE)
1944 log_message = cb->arg;
1948 /* The endpass "condition" just sets a flag to show it occurred. This is
1949 checked at compile time to be on an "accept" or "discard" item. */
1951 if (cb->type == ACLC_ENDPASS)
1957 /* For other conditions and modifiers, the argument is expanded now for some
1958 of them, but not for all, because expansion happens down in some lower level
1959 checking functions in some cases. */
1961 if (cond_expand_at_top[cb->type])
1963 arg = expand_string(cb->arg);
1966 if (expand_string_forcedfail) continue;
1967 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1968 cb->arg, expand_string_message);
1969 return search_find_defer? DEFER : ERROR;
1974 /* Show condition, and expanded condition if it's different */
1979 debug_printf("check %s%s %n",
1980 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1981 conditions[cb->type], &lhswidth);
1983 if (cb->type == ACLC_SET)
1985 int n = cb->u.varnumber;
1986 int t = (n < ACL_C_MAX)? 'c' : 'm';
1987 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1988 debug_printf("acl_%c%d ", t, n);
1992 debug_printf("= %s\n", cb->arg);
1995 debug_printf("%.*s= %s\n", lhswidth,
1999 /* Check that this condition makes sense at this time */
2001 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2003 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2004 cond_modifiers[cb->type]? "use" : "test",
2005 conditions[cb->type], acl_wherenames[where]);
2009 /* Run the appropriate test for each condition, or take the appropriate
2010 action for the remaining modifiers. */
2014 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2018 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2019 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2021 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2022 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2028 case ACLC_AUTHENTICATED:
2029 rc = (sender_host_authenticated == NULL)? FAIL :
2030 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2034 #ifdef EXPERIMENTAL_BRIGHTMAIL
2035 case ACLC_BMI_OPTIN:
2037 int old_pool = store_pool;
2038 store_pool = POOL_PERM;
2039 bmi_current_optin = string_copy(arg);
2040 store_pool = old_pool;
2045 case ACLC_CONDITION:
2046 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2047 rc = (Uatoi(arg) == 0)? FAIL : OK;
2049 rc = (strcmpic(arg, US"no") == 0 ||
2050 strcmpic(arg, US"false") == 0)? FAIL :
2051 (strcmpic(arg, US"yes") == 0 ||
2052 strcmpic(arg, US"true") == 0)? OK : DEFER;
2054 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2058 control_type = decode_control(arg, &p, where, log_msgptr);
2060 /* Check if this control makes sense at this time */
2062 if ((control_forbids[control_type] & (1 << where)) != 0)
2064 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2065 controls[control_type], acl_wherenames[where]);
2069 switch(control_type)
2071 #ifdef EXPERIMENTAL_BRIGHTMAIL
2072 case CONTROL_BMI_RUN:
2076 #ifdef EXPERIMENTAL_DOMAINKEYS
2077 case CONTROL_DK_VERIFY:
2084 case CONTROL_CASEFUL_LOCAL_PART:
2085 deliver_localpart = addr->cc_local_part;
2088 case CONTROL_CASELOWER_LOCAL_PART:
2089 deliver_localpart = addr->lc_local_part;
2092 case CONTROL_ENFORCE_SYNC:
2093 smtp_enforce_sync = TRUE;
2096 case CONTROL_NO_ENFORCE_SYNC:
2097 smtp_enforce_sync = FALSE;
2100 #ifdef WITH_CONTENT_SCAN
2101 case CONTROL_NO_MBOX_UNSPOOL:
2102 no_mbox_unspool = TRUE;
2106 case CONTROL_NO_MULTILINE:
2107 no_multiline_responses = TRUE;
2110 case CONTROL_FAKEDEFER:
2111 case CONTROL_FAKEREJECT:
2112 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
2116 while (*pp != 0) pp++;
2117 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
2122 /* Explicitly reset to default string */
2123 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
2127 case CONTROL_FREEZE:
2128 deliver_freeze = TRUE;
2129 deliver_frozen_at = time(NULL);
2132 case CONTROL_QUEUE_ONLY:
2133 queue_only_policy = TRUE;
2136 case CONTROL_SUBMISSION:
2137 originator_name = US"";
2138 submission_mode = TRUE;
2141 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2144 active_local_sender_retain = TRUE;
2145 active_local_from_check = FALSE;
2147 else if (Ustrncmp(p, "/domain=", 8) == 0)
2150 while (*pp != 0 && *pp != '/') pp++;
2151 submission_domain = string_copyn(p+8, pp-p-8);
2154 else if (Ustrncmp(p, "/name=", 6) == 0)
2157 while (*pp != 0 && *pp != '/') pp++;
2158 originator_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
2159 big_buffer, big_buffer_size));
2166 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2173 #ifdef WITH_CONTENT_SCAN
2175 rc = mime_decode(&arg);
2181 int delay = readconf_readtime(arg, 0, FALSE);
2184 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2185 "modifier: \"%s\" is not a time value", arg);
2190 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2195 debug_printf("delay skipped in -bh checking mode\n");
2198 /* It appears to be impossible to detect that a TCP/IP connection has
2199 gone away without reading from it. This means that we cannot shorten
2200 the delay below if the client goes away, because we cannot discover
2201 that the client has closed its end of the connection. (The connection
2202 is actually in a half-closed state, waiting for the server to close its
2203 end.) It would be nice to be able to detect this state, so that the
2204 Exim process is not held up unnecessarily. However, it seems that we
2205 can't. The poll() function does not do the right thing, and in any case
2206 it is not always available.
2208 NOTE: If ever this state of affairs changes, remember that we may be
2209 dealing with stdin/stdout here, in addition to TCP/IP connections.
2210 Whatever is done must work in both cases. To detected the stdin/stdout
2211 case, check for smtp_in or smtp_out being NULL. */
2215 while (delay > 0) delay = sleep(delay);
2221 #ifdef WITH_OLD_DEMIME
2227 #ifdef EXPERIMENTAL_DOMAINKEYS
2228 case ACLC_DK_DOMAIN_SOURCE:
2229 if (dk_verify_block == NULL) { rc = FAIL; break; };
2230 /* check header source of domain against given string */
2231 switch (dk_verify_block->address_source) {
2232 case DK_EXIM_ADDRESS_FROM_FROM:
2233 rc = match_isinlist(US"from", &arg, 0, NULL,
2234 NULL, MCL_STRING, TRUE, NULL);
2236 case DK_EXIM_ADDRESS_FROM_SENDER:
2237 rc = match_isinlist(US"sender", &arg, 0, NULL,
2238 NULL, MCL_STRING, TRUE, NULL);
2240 case DK_EXIM_ADDRESS_NONE:
2241 rc = match_isinlist(US"none", &arg, 0, NULL,
2242 NULL, MCL_STRING, TRUE, NULL);
2246 case ACLC_DK_POLICY:
2247 if (dk_verify_block == NULL) { rc = FAIL; break; };
2248 /* check policy against given string, default FAIL */
2250 if (dk_verify_block->signsall)
2251 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2252 NULL, MCL_STRING, TRUE, NULL);
2253 if (dk_verify_block->testing)
2254 rc = match_isinlist(US"testing", &arg, 0, NULL,
2255 NULL, MCL_STRING, TRUE, NULL);
2257 case ACLC_DK_SENDER_DOMAINS:
2258 if (dk_verify_block == NULL) { rc = FAIL; break; };
2259 if (dk_verify_block->domain != NULL)
2260 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2261 NULL, MCL_DOMAIN, TRUE, NULL);
2264 case ACLC_DK_SENDER_LOCAL_PARTS:
2265 if (dk_verify_block == NULL) { rc = FAIL; break; };
2266 if (dk_verify_block->local_part != NULL)
2267 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2268 NULL, MCL_LOCALPART, TRUE, NULL);
2271 case ACLC_DK_SENDERS:
2272 if (dk_verify_block == NULL) { rc = FAIL; break; };
2273 if (dk_verify_block->address != NULL)
2274 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2277 case ACLC_DK_STATUS:
2278 if (dk_verify_block == NULL) { rc = FAIL; break; };
2279 if (dk_verify_block->result > 0) {
2280 switch(dk_verify_block->result) {
2281 case DK_EXIM_RESULT_BAD_FORMAT:
2282 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2283 NULL, MCL_STRING, TRUE, NULL);
2285 case DK_EXIM_RESULT_NO_KEY:
2286 rc = match_isinlist(US"no key", &arg, 0, NULL,
2287 NULL, MCL_STRING, TRUE, NULL);
2289 case DK_EXIM_RESULT_NO_SIGNATURE:
2290 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2291 NULL, MCL_STRING, TRUE, NULL);
2293 case DK_EXIM_RESULT_REVOKED:
2294 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2295 NULL, MCL_STRING, TRUE, NULL);
2297 case DK_EXIM_RESULT_NON_PARTICIPANT:
2298 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2299 NULL, MCL_STRING, TRUE, NULL);
2301 case DK_EXIM_RESULT_GOOD:
2302 rc = match_isinlist(US"good", &arg, 0, NULL,
2303 NULL, MCL_STRING, TRUE, NULL);
2305 case DK_EXIM_RESULT_BAD:
2306 rc = match_isinlist(US"bad", &arg, 0, NULL,
2307 NULL, MCL_STRING, TRUE, NULL);
2315 rc = verify_check_dnsbl(&arg);
2319 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2320 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2323 /* The value in tls_cipher is the full cipher name, for example,
2324 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2325 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2326 what may in practice come out of the SSL library - which at the time of
2327 writing is poorly documented. */
2329 case ACLC_ENCRYPTED:
2330 if (tls_cipher == NULL) rc = FAIL; else
2332 uschar *endcipher = NULL;
2333 uschar *cipher = Ustrchr(tls_cipher, ':');
2334 if (cipher == NULL) cipher = tls_cipher; else
2336 endcipher = Ustrchr(++cipher, ':');
2337 if (endcipher != NULL) *endcipher = 0;
2339 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2340 if (endcipher != NULL) *endcipher = ':';
2344 /* Use verify_check_this_host() instead of verify_check_host() so that
2345 we can pass over &host_data to catch any looked up data. Once it has been
2346 set, it retains its value so that it's still there if another ACL verb
2347 comes through here and uses the cache. However, we must put it into
2348 permanent store in case it is also expected to be used in a subsequent
2349 message in the same SMTP connection. */
2352 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2353 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2354 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2357 case ACLC_LOCAL_PARTS:
2358 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2359 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2360 &deliver_localpart_data);
2372 if (Ustrncmp(s, "main", 4) == 0)
2373 { logbits |= LOG_MAIN; s += 4; }
2374 else if (Ustrncmp(s, "panic", 5) == 0)
2375 { logbits |= LOG_PANIC; s += 5; }
2376 else if (Ustrncmp(s, "reject", 6) == 0)
2377 { logbits |= LOG_REJECT; s += 6; }
2380 logbits = LOG_MAIN|LOG_PANIC;
2381 s = string_sprintf(":unknown log name in \"%s\" in "
2382 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2388 while (isspace(*s)) s++;
2389 if (logbits == 0) logbits = LOG_MAIN;
2390 log_write(0, logbits, "%s", string_printing(s));
2394 #ifdef WITH_CONTENT_SCAN
2397 /* Seperate the regular expression and any optional parameters. */
2398 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2399 /* Run the malware backend. */
2401 /* Modify return code based upon the existance of options. */
2402 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2404 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2406 /* FAIL so that the message is passed to the next ACL */
2413 case ACLC_MIME_REGEX:
2414 rc = mime_regex(&arg);
2418 case ACLC_RECIPIENTS:
2419 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2423 #ifdef WITH_CONTENT_SCAN
2429 case ACLC_SENDER_DOMAINS:
2432 sdomain = Ustrrchr(sender_address, '@');
2433 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2434 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2435 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2440 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2441 sender_address_cache, -1, 0, &sender_data);
2444 /* Connection variables must persist forever */
2448 int old_pool = store_pool;
2449 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2450 acl_var[cb->u.varnumber] = string_copy(arg);
2451 store_pool = old_pool;
2455 #ifdef WITH_CONTENT_SCAN
2458 /* Seperate the regular expression and any optional parameters. */
2459 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2460 /* Run the spam backend. */
2462 /* Modify return code based upon the existance of options. */
2463 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2465 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2467 /* FAIL so that the message is passed to the next ACL */
2475 #ifdef EXPERIMENTAL_SPF
2477 rc = spf_process(&arg, sender_address);
2481 /* If the verb is WARN, discard any user message from verification, because
2482 such messages are SMTP responses, not header additions. The latter come
2483 only from explicit "message" modifiers. However, put the user message into
2484 $acl_verify_message so it can be used in subsequent conditions or modifiers
2485 (until something changes it). */
2488 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2489 acl_verify_message = *user_msgptr;
2490 if (verb == ACL_WARN) *user_msgptr = NULL;
2494 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2495 "condition %d", cb->type);
2499 /* If a condition was negated, invert OK/FAIL. */
2501 if (!cond_modifiers[cb->type] && cb->u.negated)
2503 if (rc == OK) rc = FAIL;
2504 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2507 if (rc != OK) break; /* Conditions loop */
2511 /* If the result is the one for which "message" and/or "log_message" are used,
2512 handle the values of these options. Most verbs have but a single return for
2513 which the messages are relevant, but for "discard", it's useful to have the log
2514 message both when it succeeds and when it fails. Also, for an "accept" that
2515 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2516 and "warn" are permitted in that ACL, we don't need to test the verb.
2518 These modifiers act in different ways:
2520 "message" is a user message that will be included in an SMTP response. Unless
2521 it is empty, it overrides any previously set user message.
2523 "log_message" is a non-user message, and it adds to any existing non-user
2524 message that is already set.
2526 If there isn't a log message set, we make it the same as the user message. */
2528 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2529 (verb == ACL_DISCARD && rc == OK) ||
2530 (where == ACL_WHERE_QUIT))
2534 /* If the verb is "warn", messages generated by conditions (verification or
2535 nested ACLs) are discarded. Only messages specified at this level are used.
2536 However, the value of an existing message is available in $acl_verify_message
2537 during expansions. */
2539 uschar *old_user_msgptr = *user_msgptr;
2540 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2542 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2544 if (user_message != NULL)
2546 acl_verify_message = old_user_msgptr;
2547 expmessage = expand_string(user_message);
2548 if (expmessage == NULL)
2550 if (!expand_string_forcedfail)
2551 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2552 user_message, expand_string_message);
2554 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2557 if (log_message != NULL)
2559 acl_verify_message = old_log_msgptr;
2560 expmessage = expand_string(log_message);
2561 if (expmessage == NULL)
2563 if (!expand_string_forcedfail)
2564 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2565 log_message, expand_string_message);
2567 else if (expmessage[0] != 0)
2569 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2570 string_sprintf("%s: %s", expmessage, *log_msgptr);
2574 /* If no log message, default it to the user message */
2576 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2579 acl_verify_message = NULL;
2587 /*************************************************
2588 * Get line from a literal ACL *
2589 *************************************************/
2591 /* This function is passed to acl_read() in order to extract individual lines
2592 of a literal ACL, which we access via static pointers. We can destroy the
2593 contents because this is called only once (the compiled ACL is remembered).
2595 This code is intended to treat the data in the same way as lines in the main
2596 Exim configuration file. That is:
2598 . Leading spaces are ignored.
2600 . A \ at the end of a line is a continuation - trailing spaces after the \
2601 are permitted (this is because I don't believe in making invisible things
2602 significant). Leading spaces on the continued part of a line are ignored.
2604 . Physical lines starting (significantly) with # are totally ignored, and
2605 may appear within a sequence of backslash-continued lines.
2607 . Blank lines are ignored, but will end a sequence of continuations.
2610 Returns: a pointer to the next line
2614 static uschar *acl_text; /* Current pointer in the text */
2615 static uschar *acl_text_end; /* Points one past the terminating '0' */
2623 /* This loop handles leading blank lines and comments. */
2627 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2628 if (*acl_text == 0) return NULL; /* No more data */
2629 yield = acl_text; /* Potential data line */
2631 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2633 /* If we hit the end before a newline, we have the whole logical line. If
2634 it's a comment, there's no more data to be given. Otherwise, yield it. */
2636 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2638 /* After reaching a newline, end this loop if the physical line does not
2639 start with '#'. If it does, it's a comment, and the loop continues. */
2641 if (*yield != '#') break;
2644 /* This loop handles continuations. We know we have some real data, ending in
2645 newline. See if there is a continuation marker at the end (ignoring trailing
2646 white space). We know that *yield is not white space, so no need to test for
2647 cont > yield in the backwards scanning loop. */
2652 for (cont = acl_text - 1; isspace(*cont); cont--);
2654 /* If no continuation follows, we are done. Mark the end of the line and
2663 /* We have encountered a continuation. Skip over whitespace at the start of
2664 the next line, and indeed the whole of the next line or lines if they are
2669 while (*(++acl_text) == ' ' || *acl_text == '\t');
2670 if (*acl_text != '#') break;
2671 while (*(++acl_text) != 0 && *acl_text != '\n');
2674 /* We have the start of a continuation line. Move all the rest of the data
2675 to join onto the previous line, and then find its end. If the end is not a
2676 newline, we are done. Otherwise loop to look for another continuation. */
2678 memmove(cont, acl_text, acl_text_end - acl_text);
2679 acl_text_end -= acl_text - cont;
2681 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2682 if (*acl_text == 0) return yield;
2685 /* Control does not reach here */
2692 /*************************************************
2693 * Check access using an ACL *
2694 *************************************************/
2696 /* This function is called from address_check. It may recurse via
2697 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2698 passed as a string which is expanded. A forced failure implies no access check
2699 is required. If the result is a single word, it is taken as the name of an ACL
2700 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2701 text, complete with newlines, and parsed as such. In both cases, the ACL check
2702 is then run. This function uses an auxiliary function for acl_read() to call
2703 for reading individual lines of a literal ACL. This is acl_getline(), which
2704 appears immediately above.
2707 where where called from
2708 addr address item when called from RCPT; otherwise NULL
2709 s the input string; NULL is the same as an empty ACL => DENY
2710 level the nesting level
2711 user_msgptr where to put a user error (for SMTP response)
2712 log_msgptr where to put a logging message (not for SMTP response)
2714 Returns: OK access is granted
2715 DISCARD access is apparently granted...
2716 FAIL access is denied
2717 FAIL_DROP access is denied; drop the connection
2718 DEFER can't tell at the moment
2723 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2724 uschar **user_msgptr, uschar **log_msgptr)
2727 acl_block *acl = NULL;
2728 uschar *acl_name = US"inline ACL";
2731 /* Catch configuration loops */
2735 *log_msgptr = US"ACL nested too deep: possible loop";
2741 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2745 /* At top level, we expand the incoming string. At lower levels, it has already
2746 been expanded as part of condition processing. */
2750 ss = expand_string(s);
2753 if (expand_string_forcedfail) return OK;
2754 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2755 expand_string_message);
2761 while (isspace(*ss))ss++;
2763 /* If we can't find a named ACL, the default is to parse it as an inline one.
2764 (Unless it begins with a slash; non-existent files give rise to an error.) */
2768 /* Handle the case of a string that does not contain any spaces. Look for a
2769 named ACL among those read from the configuration, or a previously read file.
2770 It is possible that the pointer to the ACL is NULL if the configuration
2771 contains a name with no data. If not found, and the text begins with '/',
2772 read an ACL from a file, and save it so it can be re-used. */
2774 if (Ustrchr(ss, ' ') == NULL)
2776 tree_node *t = tree_search(acl_anchor, ss);
2779 acl = (acl_block *)(t->data.ptr);
2782 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2785 acl_name = string_sprintf("ACL \"%s\"", ss);
2786 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2789 else if (*ss == '/')
2791 struct stat statbuf;
2792 fd = Uopen(ss, O_RDONLY, 0);
2795 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2800 if (fstat(fd, &statbuf) != 0)
2802 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2807 acl_text = store_get(statbuf.st_size + 1);
2808 acl_text_end = acl_text + statbuf.st_size + 1;
2810 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2812 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2813 ss, strerror(errno));
2816 acl_text[statbuf.st_size] = 0;
2819 acl_name = string_sprintf("ACL \"%s\"", ss);
2820 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2824 /* Parse an ACL that is still in text form. If it came from a file, remember it
2825 in the ACL tree, having read it into the POOL_PERM store pool so that it
2826 persists between multiple messages. */
2830 int old_pool = store_pool;
2831 if (fd >= 0) store_pool = POOL_PERM;
2832 acl = acl_read(acl_getline, log_msgptr);
2833 store_pool = old_pool;
2834 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2837 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2838 Ustrcpy(t->name, ss);
2840 (void)tree_insertnode(&acl_anchor, t);
2844 /* Now we have an ACL to use. It's possible it may be NULL. */
2849 int basic_errno = 0;
2850 BOOL endpass_seen = FALSE;
2852 *log_msgptr = *user_msgptr = NULL;
2853 acl_temp_details = FALSE;
2855 if (where == ACL_WHERE_QUIT &&
2856 acl->verb != ACL_ACCEPT &&
2857 acl->verb != ACL_WARN)
2859 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2864 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2866 /* Clear out any search error message from a previous check before testing
2869 search_error_message = NULL;
2870 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2871 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2873 /* Handle special returns: DEFER causes a return except on a WARN verb;
2874 ERROR always causes a return. */
2879 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2880 if (basic_errno != ERRNO_CALLOUTDEFER)
2882 if (search_error_message != NULL && *search_error_message != 0)
2883 *log_msgptr = search_error_message;
2884 if (smtp_return_error_details) acl_temp_details = TRUE;
2888 acl_temp_details = TRUE;
2890 if (acl->verb != ACL_WARN) return DEFER;
2893 default: /* Paranoia */
2895 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2899 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2904 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2907 /* DISCARD and DROP can happen only from a nested ACL condition, and
2908 DISCARD can happen only for an "accept" or "discard" verb. */
2911 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2916 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2921 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2922 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2923 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2928 if (cond == OK || cond == DISCARD) return cond;
2931 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2939 acl_temp_details = TRUE;
2945 if (cond == OK) return FAIL;
2949 if (cond == OK || cond == DISCARD) return DISCARD;
2952 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2958 if (cond == OK) return FAIL_DROP;
2962 if (cond != OK) return cond;
2967 acl_warn(where, *user_msgptr, *log_msgptr);
2968 else if (cond == DEFER)
2969 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
2970 "condition test deferred%s%s", host_and_ident(TRUE),
2971 (*log_msgptr == NULL)? US"" : US": ",
2972 (*log_msgptr == NULL)? US"" : *log_msgptr);
2973 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2977 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2982 /* Pass to the next ACL item */
2987 /* We have reached the end of the ACL. This is an implicit DENY. */
2989 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2994 /*************************************************
2995 * Check access using an ACL *
2996 *************************************************/
2998 /* This is the external interface for ACL checks. It sets up an address and the
2999 expansions for $domain and $local_part when called after RCPT, then calls
3000 acl_check_internal() to do the actual work.
3003 where ACL_WHERE_xxxx indicating where called from
3004 data_string RCPT address, or SMTP command argument, or NULL
3005 s the input string; NULL is the same as an empty ACL => DENY
3006 user_msgptr where to put a user error (for SMTP response)
3007 log_msgptr where to put a logging message (not for SMTP response)
3009 Returns: OK access is granted by an ACCEPT verb
3010 DISCARD access is granted by a DISCARD verb
3011 FAIL access is denied
3012 FAIL_DROP access is denied; drop the connection
3013 DEFER can't tell at the moment
3018 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
3019 uschar **log_msgptr)
3025 *user_msgptr = *log_msgptr = NULL;
3026 sender_verified_failed = NULL;
3028 if (where == ACL_WHERE_RCPT)
3030 adb = address_defaults;
3032 addr->address = data_string;
3033 if (deliver_split_address(addr) == DEFER)
3035 *log_msgptr = US"defer in percent_hack_domains check";
3038 deliver_domain = addr->domain;
3039 deliver_localpart = addr->local_part;
3044 smtp_command_argument = data_string;
3047 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3049 smtp_command_argument = deliver_domain =
3050 deliver_localpart = deliver_address_data = sender_address_data = NULL;
3052 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3053 ACL, which is really in the middle of an SMTP command. */
3057 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3059 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3060 "ACL", acl_wherenames[where]);
3066 /* A DROP response is not permitted from MAILAUTH */
3068 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3070 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3071 "ACL", acl_wherenames[where]);
3075 /* Before giving an error response, take a look at the length of any user
3076 message, and split it up into multiple lines if possible. */
3078 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
3080 uschar *s = *user_msgptr = string_copy(*user_msgptr);
3086 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
3087 if (*ss == 0) break;
3094 while (--t > s + 35)
3098 if (t[-1] == ':') { tt = t; break; }
3099 if (tt == NULL) tt = t;
3103 if (tt == NULL) /* Can't split behind - try ahead */
3108 if (*t == ' ' || *t == '\n')
3114 if (tt == NULL) break; /* Can't find anywhere to split */