1 /* $Cambridge: exim/src/src/acl.c,v 1.26 2005/03/29 10:56:48 ph10 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Code for handling Access Control Lists (ACLs) */
15 /* Default callout timeout */
17 #define CALLOUT_TIMEOUT_DEFAULT 30
19 /* ACL verb codes - keep in step with the table of verbs that follows */
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
30 /* For each verb, the condition for which "message" is used */
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
34 /* ACL condition and modifier codes - keep in step with the table that
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
46 #ifdef WITH_OLD_DEMIME
49 #ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59 #ifdef WITH_CONTENT_SCAN
63 #ifdef WITH_CONTENT_SCAN
67 #ifdef WITH_CONTENT_SCAN
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71 #ifdef WITH_CONTENT_SCAN
74 #ifdef EXPERIMENTAL_SPF
79 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80 "log_message", "logwrite", and "set" are modifiers that look like conditions
81 but always return TRUE. They are used for their side effects. */
83 static uschar *conditions[] = { US"acl", US"authenticated",
84 #ifdef EXPERIMENTAL_BRIGHTMAIL
89 #ifdef WITH_CONTENT_SCAN
93 #ifdef WITH_OLD_DEMIME
96 #ifdef EXPERIMENTAL_DOMAINKEYS
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
104 US"dnslists", US"domains", US"encrypted",
105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
106 #ifdef WITH_CONTENT_SCAN
110 #ifdef WITH_CONTENT_SCAN
114 #ifdef WITH_CONTENT_SCAN
117 US"sender_domains", US"senders", US"set",
118 #ifdef WITH_CONTENT_SCAN
121 #ifdef EXPERIMENTAL_SPF
126 /* ACL control names */
128 static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
130 US"queue_only", US"submission", US"no_multiline"};
132 /* Flags to indicate for which conditions /modifiers a string expansion is done
133 at the outer level. In the other cases, expansion already occurs in the
134 checking functions. */
136 static uschar cond_expand_at_top[] = {
138 FALSE, /* authenticated */
139 #ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
142 TRUE, /* condition */
144 #ifdef WITH_CONTENT_SCAN
148 #ifdef WITH_OLD_DEMIME
151 #ifdef EXPERIMENTAL_DOMAINKEYS
152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
155 TRUE, /* dk_sender_local_parts */
156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
161 FALSE, /* encrypted */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
167 #ifdef WITH_CONTENT_SCAN
171 #ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
174 FALSE, /* recipients */
175 #ifdef WITH_CONTENT_SCAN
178 FALSE, /* sender_domains */
181 #ifdef WITH_CONTENT_SCAN
184 #ifdef EXPERIMENTAL_SPF
190 /* Flags to identify the modifiers */
192 static uschar cond_modifiers[] = {
194 FALSE, /* authenticated */
195 #ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
198 FALSE, /* condition */
200 #ifdef WITH_CONTENT_SCAN
204 #ifdef WITH_OLD_DEMIME
207 #ifdef EXPERIMENTAL_DOMAINKEYS
208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
211 FALSE, /* dk_sender_local_parts */
212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
215 FALSE, /* dnslists */
217 FALSE, /* encrypted */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
223 #ifdef WITH_CONTENT_SCAN
227 #ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
230 FALSE, /* recipients */
231 #ifdef WITH_CONTENT_SCAN
234 FALSE, /* sender_domains */
237 #ifdef WITH_CONTENT_SCAN
240 #ifdef EXPERIMENTAL_SPF
246 /* Bit map vector of which conditions are not allowed at certain times. For
247 each condition, there's a bitmap of dis-allowed times. For some, it is easier
248 to specify the negation of a small number of allowed times. */
250 static unsigned int cond_forbids[] = {
253 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
256 #ifdef EXPERIMENTAL_BRIGHTMAIL
257 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
258 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
259 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
260 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
261 (1<<ACL_WHERE_MAILAUTH)|
262 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
263 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
268 /* Certain types of control are always allowed, so we let it through
269 always and check in the control processing itself. */
273 #ifdef WITH_CONTENT_SCAN
275 ~(1<<ACL_WHERE_MIME), /* decode */
280 #ifdef WITH_OLD_DEMIME
282 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
285 #ifdef EXPERIMENTAL_DOMAINKEYS
286 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
287 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
288 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
289 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
290 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
291 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
294 (1<<ACL_WHERE_AUTH)| /* dk_policy */
295 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
296 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
297 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
298 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
299 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
302 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
303 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
304 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
305 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
306 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
307 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
310 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
311 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
312 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
313 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
314 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
315 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
318 (1<<ACL_WHERE_AUTH)| /* dk_senders */
319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
326 (1<<ACL_WHERE_AUTH)| /* dk_status */
327 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
328 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
329 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
330 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
331 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
335 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
338 ~(1<<ACL_WHERE_RCPT), /* domains */
340 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
345 (1<<ACL_WHERE_NOTSMTP), /* hosts */
348 ~(1<<ACL_WHERE_RCPT), /* local_parts */
354 #ifdef WITH_CONTENT_SCAN
356 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
361 #ifdef WITH_CONTENT_SCAN
363 ~(1<<ACL_WHERE_MIME), /* mime_regex */
367 ~(1<<ACL_WHERE_RCPT), /* recipients */
369 #ifdef WITH_CONTENT_SCAN
371 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
372 (1<<ACL_WHERE_MIME)),
375 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
377 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
378 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
379 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
381 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
383 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
384 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
385 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
389 #ifdef WITH_CONTENT_SCAN
391 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
394 #ifdef EXPERIMENTAL_SPF
395 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
397 (1<<ACL_WHERE_MAILAUTH)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
402 /* Certain types of verify are always allowed, so we let it through
403 always and check in the verify function itself */
409 /* Return values from decode_control() */
412 #ifdef EXPERIMENTAL_BRIGHTMAIL
415 #ifdef EXPERIMENTAL_DOMAINKEYS
418 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
419 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
420 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
421 #ifdef WITH_CONTENT_SCAN
422 CONTROL_NO_MBOX_UNSPOOL,
424 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
426 /* Bit map vector of which controls are not allowed at certain times. For
427 each control, there's a bitmap of dis-allowed times. For some, it is easier to
428 specify the negation of a small number of allowed times. */
430 static unsigned int control_forbids[] = {
431 #ifdef EXPERIMENTAL_BRIGHTMAIL
434 #ifdef EXPERIMENTAL_DOMAINKEYS
435 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
441 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
444 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
446 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
448 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
451 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
452 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
453 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
456 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
457 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
458 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
461 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
462 (1<<ACL_WHERE_PREDATA)),
464 #ifdef WITH_CONTENT_SCAN
466 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
467 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
468 (1<<ACL_WHERE_MIME)),
472 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
473 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
474 (1<<ACL_WHERE_MIME)),
476 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
479 /* Structure listing various control arguments, with their characteristics. */
481 typedef struct control_def {
483 int value; /* CONTROL_xxx value */
484 BOOL has_option; /* Has /option(s) following */
487 static control_def controls_list[] = {
488 #ifdef EXPERIMENTAL_BRIGHTMAIL
489 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
491 #ifdef EXPERIMENTAL_DOMAINKEYS
492 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
494 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
495 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
496 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
497 { US"freeze", CONTROL_FREEZE, FALSE},
498 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
499 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
500 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
501 #ifdef WITH_CONTENT_SCAN
502 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
504 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
505 { US"submission", CONTROL_SUBMISSION, TRUE}
508 /* Enable recursion between acl_check_internal() and acl_check_condition() */
510 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
514 /*************************************************
515 * Pick out name from list *
516 *************************************************/
518 /* Use a binary chop method
525 Returns: offset in list, or -1 if not found
529 acl_checkname(uschar *name, uschar **list, int end)
535 int mid = (start + end)/2;
536 int c = Ustrcmp(name, list[mid]);
537 if (c == 0) return mid;
538 if (c < 0) end = mid; else start = mid + 1;
545 /*************************************************
546 * Read and parse one ACL *
547 *************************************************/
549 /* This function is called both from readconf in order to parse the ACLs in the
550 configuration file, and also when an ACL is encountered dynamically (e.g. as
551 the result of an expansion). It is given a function to call in order to
552 retrieve the lines of the ACL. This function handles skipping comments and
553 blank lines (where relevant).
556 func function to get next line of ACL
557 error where to put an error message
559 Returns: pointer to ACL, or NULL
560 NULL can be legal (empty ACL); in this case error will be NULL
564 acl_read(uschar *(*func)(void), uschar **error)
566 acl_block *yield = NULL;
567 acl_block **lastp = &yield;
568 acl_block *this = NULL;
569 acl_condition_block *cond;
570 acl_condition_block **condp = NULL;
575 while ((s = (*func)()) != NULL)
578 BOOL negated = FALSE;
579 uschar *saveline = s;
582 /* Conditions (but not verbs) are allowed to be negated by an initial
585 while (isspace(*s)) s++;
592 /* Read the name of a verb or a condition, or the start of a new ACL */
594 s = readconf_readname(name, sizeof(name), s);
597 if (negated || name[0] == 0)
599 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
605 /* If a verb is unrecognized, it may be another condition or modifier that
606 continues the previous verb. */
608 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
613 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
624 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
627 this = store_get(sizeof(acl_block));
629 lastp = &(this->next);
632 this->condition = NULL;
633 condp = &(this->condition);
634 if (*s == 0) continue; /* No condition on this line */
640 s = readconf_readname(name, sizeof(name), s); /* Condition name */
643 /* Handle a condition or modifier. */
645 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
648 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
653 /* The modifiers may not be negated */
655 if (negated && cond_modifiers[c])
657 *error = string_sprintf("ACL error: negation is not allowed with "
658 "\"%s\"", conditions[c]);
662 /* ENDPASS may occur only with ACCEPT or DISCARD. */
664 if (c == ACLC_ENDPASS &&
665 this->verb != ACL_ACCEPT &&
666 this->verb != ACL_DISCARD)
668 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
669 conditions[c], verbs[this->verb]);
673 cond = store_get(sizeof(acl_condition_block));
676 cond->u.negated = negated;
679 condp = &(cond->next);
681 /* The "set" modifier is different in that its argument is "name=value"
682 rather than just a value, and we can check the validity of the name, which
683 gives us a variable number to insert into the data block. */
687 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
688 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
690 *error = string_sprintf("unrecognized name after \"set\" in ACL "
691 "modifier \"set %s\"", s);
695 cond->u.varnumber = s[5] - '0';
696 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
698 while (isspace(*s)) s++;
701 /* For "set", we are now positioned for the data. For the others, only
702 "endpass" has no data */
704 if (c != ACLC_ENDPASS)
708 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
709 cond_modifiers[c]? US"modifier" : US"condition");
712 while (isspace(*s)) s++;
713 cond->arg = string_copy(s);
722 /*************************************************
724 *************************************************/
726 /* This function is called when a WARN verb's conditions are true. It adds to
727 the message's headers, and/or writes information to the log. In each case, this
728 only happens once (per message for headers, per connection for log).
731 where ACL_WHERE_xxxx indicating which ACL this is
732 user_message message for adding to headers
733 log_message message for logging, if different
739 acl_warn(int where, uschar *user_message, uschar *log_message)
743 if (log_message != NULL && log_message != user_message)
748 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
749 string_printing(log_message));
751 /* If a sender verification has failed, and the log message is "sender verify
752 failed", add the failure message. */
754 if (sender_verified_failed != NULL &&
755 sender_verified_failed->message != NULL &&
756 strcmpic(log_message, US"sender verify failed") == 0)
757 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
759 /* Search previously logged warnings. They are kept in malloc store so they
760 can be freed at the start of a new message. */
762 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
763 if (Ustrcmp(logged->text, text) == 0) break;
767 int length = Ustrlen(text) + 1;
768 log_write(0, LOG_MAIN, "%s", text);
769 logged = store_malloc(sizeof(string_item) + length);
770 logged->text = (uschar *)logged + sizeof(string_item);
771 memcpy(logged->text, text, length);
772 logged->next = acl_warn_logged;
773 acl_warn_logged = logged;
777 /* If there's no user message, we are done. */
779 if (user_message == NULL) return;
781 /* If this isn't a message ACL, we can't do anything with a user message.
784 if (where > ACL_WHERE_NOTSMTP)
786 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
787 "found in a non-message (%s) ACL: cannot specify header lines here: "
788 "message ignored", acl_wherenames[where]);
792 /* Treat the user message as a sequence of one or more header lines. */
794 hlen = Ustrlen(user_message);
797 uschar *text, *p, *q;
799 /* Add a final newline if not present */
801 text = ((user_message)[hlen-1] == '\n')? user_message :
802 string_sprintf("%s\n", user_message);
804 /* Loop for multiple header lines, taking care about continuations */
806 for (p = q = text; *p != 0; )
809 int newtype = htype_add_bot;
810 header_line **hptr = &acl_warn_headers;
812 /* Find next header line within the string */
816 q = Ustrchr(q, '\n');
817 if (*(++q) != ' ' && *q != '\t') break;
820 /* If the line starts with a colon, interpret the instruction for where to
821 add it. This temporarily sets up a new type. */
825 if (strncmpic(p, US":after_received:", 16) == 0)
827 newtype = htype_add_rec;
830 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
832 newtype = htype_add_rfc;
835 else if (strncmpic(p, US":at_start:", 10) == 0)
837 newtype = htype_add_top;
840 else if (strncmpic(p, US":at_end:", 8) == 0)
842 newtype = htype_add_bot;
845 while (*p == ' ' || *p == '\t') p++;
848 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
849 to the front of it. */
851 for (s = p; s < q - 1; s++)
853 if (*s == ':' || !isgraph(*s)) break;
856 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
859 /* See if this line has already been added */
861 while (*hptr != NULL)
863 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
864 hptr = &((*hptr)->next);
867 /* Add if not previously present */
871 header_line *h = store_get(sizeof(header_line));
880 /* Advance for next header line within the string */
889 /*************************************************
890 * Verify and check reverse DNS *
891 *************************************************/
893 /* Called from acl_verify() below. We look up the host name(s) of the client IP
894 address if this has not yet been done. The host_name_lookup() function checks
895 that one of these names resolves to an address list that contains the client IP
896 address, so we don't actually have to do the check here.
899 user_msgptr pointer for user message
900 log_msgptr pointer for log message
902 Returns: OK verification condition succeeded
903 FAIL verification failed
904 DEFER there was a problem verifying
908 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
912 user_msgptr = user_msgptr; /* stop compiler warning */
914 /* Previous success */
916 if (sender_host_name != NULL) return OK;
918 /* Previous failure */
920 if (host_lookup_failed)
922 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
926 /* Need to do a lookup */
929 debug_printf("looking up host name to force name/address consistency check\n");
931 if ((rc = host_name_lookup()) != OK)
933 *log_msgptr = (rc == DEFER)?
934 US"host lookup deferred for reverse lookup check"
936 string_sprintf("host lookup failed for reverse lookup check%s",
938 return rc; /* DEFER or FAIL */
941 host_build_sender_fullhost();
947 /*************************************************
948 * Handle verification (address & other) *
949 *************************************************/
951 /* This function implements the "verify" condition. It is called when
952 encountered in any ACL, because some tests are almost always permitted. Some
953 just don't make sense, and always fail (for example, an attempt to test a host
954 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
957 where where called from
958 addr the recipient address that the ACL is handling, or NULL
959 arg the argument of "verify"
960 user_msgptr pointer for user message
961 log_msgptr pointer for log message
962 basic_errno where to put verify errno
964 Returns: OK verification condition succeeded
965 FAIL verification failed
966 DEFER there was a problem verifying
971 acl_verify(int where, address_item *addr, uschar *arg,
972 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
976 int callout_overall = -1;
977 int callout_connect = -1;
978 int verify_options = 0;
980 BOOL verify_header_sender = FALSE;
981 BOOL defer_ok = FALSE;
982 BOOL callout_defer_ok = FALSE;
983 BOOL no_details = FALSE;
984 address_item *sender_vaddr = NULL;
985 uschar *verify_sender_address = NULL;
986 uschar *pm_mailfrom = NULL;
987 uschar *se_mailfrom = NULL;
989 /* Some of the verify items have slash-separated options; some do not. Diagnose
990 an error if options are given for items that don't expect them. This code has
991 now got very message. Refactoring to use a table would be a good idea one day.
994 uschar *slash = Ustrchr(arg, '/');
996 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
998 if (ss == NULL) goto BAD_VERIFY;
1000 /* Handle name/address consistency verification in a separate function. */
1002 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1004 if (slash != NULL) goto NO_OPTIONS;
1005 if (sender_host_address == NULL) return OK;
1006 return acl_verify_reverse(user_msgptr, log_msgptr);
1009 /* TLS certificate verification is done at STARTTLS time; here we just
1010 test whether it was successful or not. (This is for optional verification; for
1011 mandatory verification, the connection doesn't last this long.) */
1013 if (strcmpic(ss, US"certificate") == 0)
1015 if (slash != NULL) goto NO_OPTIONS;
1016 if (tls_certificate_verified) return OK;
1017 *user_msgptr = US"no verified certificate";
1021 /* We can test the result of optional HELO verification */
1023 if (strcmpic(ss, US"helo") == 0)
1025 if (slash != NULL) goto NO_OPTIONS;
1026 return helo_verified? OK : FAIL;
1029 /* Check that all relevant header lines have the correct syntax. If there is
1030 a syntax error, we return details of the error to the sender if configured to
1031 send out full details. (But a "message" setting on the ACL can override, as
1034 if (strcmpic(ss, US"header_syntax") == 0)
1036 if (slash != NULL) goto NO_OPTIONS;
1037 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1039 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1040 "(only possible in ACL for DATA)", acl_wherenames[where]);
1043 rc = verify_check_headers(log_msgptr);
1044 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1045 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1050 /* The remaining verification tests check recipient and sender addresses,
1051 either from the envelope or from the header. There are a number of
1052 slash-separated options that are common to all of them. */
1055 /* Check that there is at least one verifiable sender address in the relevant
1056 header lines. This can be followed by callout and defer options, just like
1057 sender and recipient. */
1059 if (strcmpic(ss, US"header_sender") == 0)
1061 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1063 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1064 "(only possible in ACL for DATA)", acl_wherenames[where]);
1067 verify_header_sender = TRUE;
1070 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1071 In the case of a sender, this can optionally be followed by an address to use
1072 in place of the actual sender (rare special-case requirement). */
1074 else if (strncmpic(ss, US"sender", 6) == 0)
1077 if (where > ACL_WHERE_NOTSMTP)
1079 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1080 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1081 acl_wherenames[where]);
1085 verify_sender_address = sender_address;
1088 while (isspace(*s)) s++;
1089 if (*s++ != '=') goto BAD_VERIFY;
1090 while (isspace(*s)) s++;
1091 verify_sender_address = string_copy(s);
1096 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1099 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1100 "(only possible for RCPT)", acl_wherenames[where]);
1105 /* Remaining items are optional; they apply to sender and recipient
1106 verification, including "header sender" verification. */
1108 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1111 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1112 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1114 /* These two old options are left for backwards compatibility */
1116 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1118 callout_defer_ok = TRUE;
1119 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1122 else if (strcmpic(ss, US"check_postmaster") == 0)
1125 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1128 /* The callout option has a number of sub-options, comma separated */
1130 else if (strncmpic(ss, US"callout", 7) == 0)
1132 callout = CALLOUT_TIMEOUT_DEFAULT;
1136 while (isspace(*ss)) ss++;
1142 while (isspace(*ss)) ss++;
1144 /* This callout option handling code has become a mess as new options
1145 have been added in an ad hoc manner. It should be tidied up into some
1146 kind of table-driven thing. */
1148 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1151 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1152 else if (strcmpic(opt, US"no_cache") == 0)
1153 verify_options |= vopt_callout_no_cache;
1154 else if (strcmpic(opt, US"random") == 0)
1155 verify_options |= vopt_callout_random;
1156 else if (strcmpic(opt, US"use_sender") == 0)
1157 verify_options |= vopt_callout_recipsender;
1158 else if (strcmpic(opt, US"use_postmaster") == 0)
1159 verify_options |= vopt_callout_recippmaster;
1160 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1162 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1164 if (!verify_header_sender)
1166 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1167 "callout option only for verify=header_sender (detected in ACL "
1168 "condition \"%s\")", arg);
1172 while (isspace(*opt)) opt++;
1175 *log_msgptr = string_sprintf("'=' expected after "
1176 "\"mailfrom\" in ACL condition \"%s\"", arg);
1179 while (isspace(*opt)) opt++;
1180 se_mailfrom = string_copy(opt);
1183 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1186 while (isspace(*opt)) opt++;
1189 *log_msgptr = string_sprintf("'=' expected after "
1190 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1193 while (isspace(*opt)) opt++;
1194 pm_mailfrom = string_copy(opt);
1197 else if (strncmpic(opt, US"maxwait", 7) == 0)
1200 while (isspace(*opt)) opt++;
1203 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1204 "ACL condition \"%s\"", arg);
1207 while (isspace(*opt)) opt++;
1208 callout_overall = readconf_readtime(opt, 0, FALSE);
1209 if (callout_overall < 0)
1211 *log_msgptr = string_sprintf("bad time value in ACL condition "
1212 "\"verify %s\"", arg);
1216 else if (strncmpic(opt, US"connect", 7) == 0)
1219 while (isspace(*opt)) opt++;
1222 *log_msgptr = string_sprintf("'=' expected after "
1223 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1226 while (isspace(*opt)) opt++;
1227 callout_connect = readconf_readtime(opt, 0, FALSE);
1228 if (callout_connect < 0)
1230 *log_msgptr = string_sprintf("bad time value in ACL condition "
1231 "\"verify %s\"", arg);
1235 else /* Plain time is callout connect/command timeout */
1237 callout = readconf_readtime(opt, 0, FALSE);
1240 *log_msgptr = string_sprintf("bad time value in ACL condition "
1241 "\"verify %s\"", arg);
1249 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1250 "ACL condition \"%s\"", arg);
1256 /* Option not recognized */
1260 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1261 "condition \"verify %s\"", ss, arg);
1266 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1267 (vopt_callout_recipsender|vopt_callout_recippmaster))
1269 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1270 "for a recipient callout";
1274 /* Handle sender-in-header verification. Default the user message to the log
1275 message if giving out verification details. */
1277 if (verify_header_sender)
1280 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1281 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1285 *basic_errno = verrno;
1286 if (smtp_return_error_details)
1288 if (*user_msgptr == NULL && *log_msgptr != NULL)
1289 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1290 if (rc == DEFER) acl_temp_details = TRUE;
1295 /* Handle a sender address. The default is to verify *the* sender address, but
1296 optionally a different address can be given, for special requirements. If the
1297 address is empty, we are dealing with a bounce message that has no sender, so
1298 we cannot do any checking. If the real sender address gets rewritten during
1299 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1300 during message reception.
1302 A list of verified "sender" addresses is kept to try to avoid doing to much
1303 work repetitively when there are multiple recipients in a message and they all
1304 require sender verification. However, when callouts are involved, it gets too
1305 complicated because different recipients may require different callout options.
1306 Therefore, we always do a full sender verify when any kind of callout is
1307 specified. Caching elsewhere, for instance in the DNS resolver and in the
1308 callout handling, should ensure that this is not terribly inefficient. */
1310 else if (verify_sender_address != NULL)
1312 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1315 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1316 "sender verify callout";
1320 sender_vaddr = verify_checked_sender(verify_sender_address);
1321 if (sender_vaddr != NULL && /* Previously checked */
1322 callout <= 0) /* No callout needed this time */
1324 /* If the "routed" flag is set, it means that routing worked before, so
1325 this check can give OK (the saved return code value, if set, belongs to a
1326 callout that was done previously). If the "routed" flag is not set, routing
1327 must have failed, so we use the saved return code. */
1329 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1331 rc = sender_vaddr->special_action;
1332 *basic_errno = sender_vaddr->basic_errno;
1334 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1337 /* Do a new verification, and cache the result. The cache is used to avoid
1338 verifying the sender multiple times for multiple RCPTs when callouts are not
1339 specified (see comments above).
1341 The cache is also used on failure to give details in response to the first
1342 RCPT that gets bounced for this reason. However, this can be suppressed by
1343 the no_details option, which sets the flag that says "this detail has already
1344 been sent". The cache normally contains just one address, but there may be
1345 more in esoteric circumstances. */
1350 uschar *save_address_data = deliver_address_data;
1352 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1353 if (no_details) setflag(sender_vaddr, af_sverify_told);
1354 if (verify_sender_address[0] != 0)
1356 /* If this is the real sender address, save the unrewritten version
1357 for use later in receive. Otherwise, set a flag so that rewriting the
1358 sender in verify_address() does not update sender_address. */
1360 if (verify_sender_address == sender_address)
1361 sender_address_unrewritten = sender_address;
1363 verify_options |= vopt_fake_sender;
1365 /* The recipient, qualify, and expn options are never set in
1368 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1369 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1371 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1375 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1377 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1378 verify_sender_address, sender_vaddr->address);
1382 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1383 verify_sender_address);
1386 else *basic_errno = sender_vaddr->basic_errno;
1388 else rc = OK; /* Null sender */
1390 /* Cache the result code */
1392 if (routed) setflag(sender_vaddr, af_verify_routed);
1393 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1394 sender_vaddr->special_action = rc;
1395 sender_vaddr->next = sender_verified_list;
1396 sender_verified_list = sender_vaddr;
1398 /* Restore the recipient address data, which might have been clobbered by
1399 the sender verification. */
1401 deliver_address_data = save_address_data;
1404 /* Put the sender address_data value into $sender_address_data */
1406 sender_address_data = sender_vaddr->p.address_data;
1409 /* A recipient address just gets a straightforward verify; again we must handle
1410 the DEFER overrides. */
1416 /* We must use a copy of the address for verification, because it might
1420 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1421 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1422 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1424 *log_msgptr = addr2.message;
1425 *user_msgptr = (addr2.user_message != NULL)?
1426 addr2.user_message : addr2.message;
1427 *basic_errno = addr2.basic_errno;
1429 /* Make $address_data visible */
1430 deliver_address_data = addr2.p.address_data;
1433 /* We have a result from the relevant test. Handle defer overrides first. */
1435 if (rc == DEFER && (defer_ok ||
1436 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1438 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1439 defer_ok? "defer_ok" : "callout_defer_ok");
1443 /* If we've failed a sender, set up a recipient message, and point
1444 sender_verified_failed to the address item that actually failed. */
1446 if (rc != OK && verify_sender_address != NULL)
1450 *log_msgptr = *user_msgptr = US"Sender verify failed";
1452 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1454 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1458 *log_msgptr = US"Could not complete sender verify callout";
1459 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1463 sender_verified_failed = sender_vaddr;
1466 /* Verifying an address messes up the values of $domain and $local_part,
1467 so reset them before returning if this is a RCPT ACL. */
1471 deliver_domain = addr->domain;
1472 deliver_localpart = addr->local_part;
1476 /* Syntax errors in the verify argument come here. */
1479 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1480 "\"helo\", \"header_syntax\", \"header_sender\" or "
1481 "\"reverse_host_lookup\" at start of ACL condition "
1482 "\"verify %s\"", arg);
1485 /* Options supplied when not allowed come here */
1488 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1489 "(this verify item has no options)", arg);
1496 /*************************************************
1497 * Check argument for control= modifier *
1498 *************************************************/
1500 /* Called from acl_check_condition() below
1503 arg the argument string for control=
1504 pptr set to point to the terminating character
1505 where which ACL we are in
1506 log_msgptr for error messages
1508 Returns: CONTROL_xxx value
1512 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1517 for (d = controls_list;
1518 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1521 len = Ustrlen(d->name);
1522 if (Ustrncmp(d->name, arg, len) == 0) break;
1525 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1526 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1528 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1529 return CONTROL_ERROR;
1538 /*************************************************
1539 * Handle conditions/modifiers on an ACL item *
1540 *************************************************/
1542 /* Called from acl_check() below.
1546 cb ACL condition block - if NULL, result is OK
1547 where where called from
1548 addr the address being checked for RCPT, or NULL
1549 level the nesting level
1550 epp pointer to pass back TRUE if "endpass" encountered
1551 (applies only to "accept" and "discard")
1552 user_msgptr user message pointer
1553 log_msgptr log message pointer
1554 basic_errno pointer to where to put verify error
1556 Returns: OK - all conditions are met
1557 DISCARD - an "acl" condition returned DISCARD - only allowed
1558 for "accept" or "discard" verbs
1559 FAIL - at least one condition fails
1560 FAIL_DROP - an "acl" condition returned FAIL_DROP
1561 DEFER - can't tell at the moment (typically, lookup defer,
1562 but can be temporary callout problem)
1563 ERROR - ERROR from nested ACL or expansion failure or other
1568 acl_check_condition(int verb, acl_condition_block *cb, int where,
1569 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1570 uschar **log_msgptr, int *basic_errno)
1572 uschar *user_message = NULL;
1573 uschar *log_message = NULL;
1576 #ifdef WITH_CONTENT_SCAN
1580 for (; cb != NULL; cb = cb->next)
1585 /* The message and log_message items set up messages to be used in
1586 case of rejection. They are expanded later. */
1588 if (cb->type == ACLC_MESSAGE)
1590 user_message = cb->arg;
1594 if (cb->type == ACLC_LOG_MESSAGE)
1596 log_message = cb->arg;
1600 /* The endpass "condition" just sets a flag to show it occurred. This is
1601 checked at compile time to be on an "accept" or "discard" item. */
1603 if (cb->type == ACLC_ENDPASS)
1609 /* For other conditions and modifiers, the argument is expanded now for some
1610 of them, but not for all, because expansion happens down in some lower level
1611 checking functions in some cases. */
1613 if (cond_expand_at_top[cb->type])
1615 arg = expand_string(cb->arg);
1618 if (expand_string_forcedfail) continue;
1619 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1620 cb->arg, expand_string_message);
1621 return search_find_defer? DEFER : ERROR;
1626 /* Show condition, and expanded condition if it's different */
1631 debug_printf("check %s%s %n",
1632 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1633 conditions[cb->type], &lhswidth);
1635 if (cb->type == ACLC_SET)
1637 int n = cb->u.varnumber;
1638 int t = (n < ACL_C_MAX)? 'c' : 'm';
1639 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1640 debug_printf("acl_%c%d ", t, n);
1644 debug_printf("= %s\n", cb->arg);
1647 debug_printf("%.*s= %s\n", lhswidth,
1651 /* Check that this condition makes sense at this time */
1653 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1655 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1656 cond_modifiers[cb->type]? "use" : "test",
1657 conditions[cb->type], acl_wherenames[where]);
1661 /* Run the appropriate test for each condition, or take the appropriate
1662 action for the remaining modifiers. */
1666 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1670 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1671 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1673 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1674 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1680 case ACLC_AUTHENTICATED:
1681 rc = (sender_host_authenticated == NULL)? FAIL :
1682 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1686 #ifdef EXPERIMENTAL_BRIGHTMAIL
1687 case ACLC_BMI_OPTIN:
1689 int old_pool = store_pool;
1690 store_pool = POOL_PERM;
1691 bmi_current_optin = string_copy(arg);
1692 store_pool = old_pool;
1697 case ACLC_CONDITION:
1698 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1699 rc = (Uatoi(arg) == 0)? FAIL : OK;
1701 rc = (strcmpic(arg, US"no") == 0 ||
1702 strcmpic(arg, US"false") == 0)? FAIL :
1703 (strcmpic(arg, US"yes") == 0 ||
1704 strcmpic(arg, US"true") == 0)? OK : DEFER;
1706 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1710 control_type = decode_control(arg, &p, where, log_msgptr);
1712 /* Check if this control makes sense at this time */
1714 if ((control_forbids[control_type] & (1 << where)) != 0)
1716 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1717 controls[control_type], acl_wherenames[where]);
1721 switch(control_type)
1723 #ifdef EXPERIMENTAL_BRIGHTMAIL
1724 case CONTROL_BMI_RUN:
1728 #ifdef EXPERIMENTAL_DOMAINKEYS
1729 case CONTROL_DK_VERIFY:
1736 case CONTROL_CASEFUL_LOCAL_PART:
1737 deliver_localpart = addr->cc_local_part;
1740 case CONTROL_CASELOWER_LOCAL_PART:
1741 deliver_localpart = addr->lc_local_part;
1744 case CONTROL_ENFORCE_SYNC:
1745 smtp_enforce_sync = TRUE;
1748 case CONTROL_NO_ENFORCE_SYNC:
1749 smtp_enforce_sync = FALSE;
1752 #ifdef WITH_CONTENT_SCAN
1753 case CONTROL_NO_MBOX_UNSPOOL:
1754 no_mbox_unspool = TRUE;
1758 case CONTROL_NO_MULTILINE:
1759 no_multiline_responses = TRUE;
1762 case CONTROL_FAKEREJECT:
1767 while (*pp != 0) pp++;
1768 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1773 /* Explicitly reset to default string */
1774 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
1778 case CONTROL_FREEZE:
1779 deliver_freeze = TRUE;
1780 deliver_frozen_at = time(NULL);
1783 case CONTROL_QUEUE_ONLY:
1784 queue_only_policy = TRUE;
1787 case CONTROL_SUBMISSION:
1788 submission_mode = TRUE;
1791 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1794 active_local_sender_retain = TRUE;
1795 active_local_from_check = FALSE;
1797 else if (Ustrncmp(p, "/domain=", 8) == 0)
1800 while (*pp != 0 && *pp != '/') pp++;
1801 submission_domain = string_copyn(p+8, pp-p);
1808 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1815 #ifdef WITH_CONTENT_SCAN
1817 rc = mime_decode(&arg);
1823 int delay = readconf_readtime(arg, 0, FALSE);
1826 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1827 "modifier: \"%s\" is not a time value", arg);
1832 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1837 debug_printf("delay skipped in -bh checking mode\n");
1841 while (delay > 0) delay = sleep(delay);
1847 #ifdef WITH_OLD_DEMIME
1853 #ifdef EXPERIMENTAL_DOMAINKEYS
1854 case ACLC_DK_DOMAIN_SOURCE:
1855 if (dk_verify_block == NULL) { rc = FAIL; break; };
1856 /* check header source of domain against given string */
1857 switch (dk_verify_block->address_source) {
1858 case DK_EXIM_ADDRESS_FROM_FROM:
1859 rc = match_isinlist(US"from", &arg, 0, NULL,
1860 NULL, MCL_STRING, TRUE, NULL);
1862 case DK_EXIM_ADDRESS_FROM_SENDER:
1863 rc = match_isinlist(US"sender", &arg, 0, NULL,
1864 NULL, MCL_STRING, TRUE, NULL);
1866 case DK_EXIM_ADDRESS_NONE:
1867 rc = match_isinlist(US"none", &arg, 0, NULL,
1868 NULL, MCL_STRING, TRUE, NULL);
1872 case ACLC_DK_POLICY:
1873 if (dk_verify_block == NULL) { rc = FAIL; break; };
1874 /* check policy against given string, default FAIL */
1876 if (dk_verify_block->signsall)
1877 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1878 NULL, MCL_STRING, TRUE, NULL);
1879 if (dk_verify_block->testing)
1880 rc = match_isinlist(US"testing", &arg, 0, NULL,
1881 NULL, MCL_STRING, TRUE, NULL);
1883 case ACLC_DK_SENDER_DOMAINS:
1884 if (dk_verify_block == NULL) { rc = FAIL; break; };
1885 if (dk_verify_block->domain != NULL)
1886 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1887 NULL, MCL_DOMAIN, TRUE, NULL);
1890 case ACLC_DK_SENDER_LOCAL_PARTS:
1891 if (dk_verify_block == NULL) { rc = FAIL; break; };
1892 if (dk_verify_block->local_part != NULL)
1893 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1894 NULL, MCL_LOCALPART, TRUE, NULL);
1897 case ACLC_DK_SENDERS:
1898 if (dk_verify_block == NULL) { rc = FAIL; break; };
1899 if (dk_verify_block->address != NULL)
1900 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1903 case ACLC_DK_STATUS:
1904 if (dk_verify_block == NULL) { rc = FAIL; break; };
1905 if (dk_verify_block->result > 0) {
1906 switch(dk_verify_block->result) {
1907 case DK_EXIM_RESULT_BAD_FORMAT:
1908 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1909 NULL, MCL_STRING, TRUE, NULL);
1911 case DK_EXIM_RESULT_NO_KEY:
1912 rc = match_isinlist(US"no key", &arg, 0, NULL,
1913 NULL, MCL_STRING, TRUE, NULL);
1915 case DK_EXIM_RESULT_NO_SIGNATURE:
1916 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1917 NULL, MCL_STRING, TRUE, NULL);
1919 case DK_EXIM_RESULT_REVOKED:
1920 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1921 NULL, MCL_STRING, TRUE, NULL);
1923 case DK_EXIM_RESULT_NON_PARTICIPANT:
1924 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1925 NULL, MCL_STRING, TRUE, NULL);
1927 case DK_EXIM_RESULT_GOOD:
1928 rc = match_isinlist(US"good", &arg, 0, NULL,
1929 NULL, MCL_STRING, TRUE, NULL);
1931 case DK_EXIM_RESULT_BAD:
1932 rc = match_isinlist(US"bad", &arg, 0, NULL,
1933 NULL, MCL_STRING, TRUE, NULL);
1941 rc = verify_check_dnsbl(&arg);
1945 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1946 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1949 /* The value in tls_cipher is the full cipher name, for example,
1950 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1951 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1952 what may in practice come out of the SSL library - which at the time of
1953 writing is poorly documented. */
1955 case ACLC_ENCRYPTED:
1956 if (tls_cipher == NULL) rc = FAIL; else
1958 uschar *endcipher = NULL;
1959 uschar *cipher = Ustrchr(tls_cipher, ':');
1960 if (cipher == NULL) cipher = tls_cipher; else
1962 endcipher = Ustrchr(++cipher, ':');
1963 if (endcipher != NULL) *endcipher = 0;
1965 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1966 if (endcipher != NULL) *endcipher = ':';
1970 /* Use verify_check_this_host() instead of verify_check_host() so that
1971 we can pass over &host_data to catch any looked up data. Once it has been
1972 set, it retains its value so that it's still there if another ACL verb
1973 comes through here and uses the cache. However, we must put it into
1974 permanent store in case it is also expected to be used in a subsequent
1975 message in the same SMTP connection. */
1978 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1979 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1980 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1983 case ACLC_LOCAL_PARTS:
1984 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1985 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1986 &deliver_localpart_data);
1998 if (Ustrncmp(s, "main", 4) == 0)
1999 { logbits |= LOG_MAIN; s += 4; }
2000 else if (Ustrncmp(s, "panic", 5) == 0)
2001 { logbits |= LOG_PANIC; s += 5; }
2002 else if (Ustrncmp(s, "reject", 6) == 0)
2003 { logbits |= LOG_REJECT; s += 6; }
2006 logbits = LOG_MAIN|LOG_PANIC;
2007 s = string_sprintf(":unknown log name in \"%s\" in "
2008 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2014 while (isspace(*s)) s++;
2015 if (logbits == 0) logbits = LOG_MAIN;
2016 log_write(0, logbits, "%s", string_printing(s));
2020 #ifdef WITH_CONTENT_SCAN
2023 /* Seperate the regular expression and any optional parameters. */
2024 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2025 /* Run the malware backend. */
2027 /* Modify return code based upon the existance of options. */
2028 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2030 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2032 /* FAIL so that the message is passed to the next ACL */
2039 case ACLC_MIME_REGEX:
2040 rc = mime_regex(&arg);
2044 case ACLC_RECIPIENTS:
2045 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2049 #ifdef WITH_CONTENT_SCAN
2055 case ACLC_SENDER_DOMAINS:
2058 sdomain = Ustrrchr(sender_address, '@');
2059 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2060 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2061 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2066 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2067 sender_address_cache, -1, 0, &sender_data);
2070 /* Connection variables must persist forever */
2074 int old_pool = store_pool;
2075 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2076 acl_var[cb->u.varnumber] = string_copy(arg);
2077 store_pool = old_pool;
2081 #ifdef WITH_CONTENT_SCAN
2084 /* Seperate the regular expression and any optional parameters. */
2085 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2086 /* Run the spam backend. */
2088 /* Modify return code based upon the existance of options. */
2089 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2091 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2093 /* FAIL so that the message is passed to the next ACL */
2101 #ifdef EXPERIMENTAL_SPF
2103 rc = spf_process(&arg, sender_address);
2107 /* If the verb is WARN, discard any user message from verification, because
2108 such messages are SMTP responses, not header additions. The latter come
2109 only from explicit "message" modifiers. */
2112 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2113 if (verb == ACL_WARN) *user_msgptr = NULL;
2117 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2118 "condition %d", cb->type);
2122 /* If a condition was negated, invert OK/FAIL. */
2124 if (!cond_modifiers[cb->type] && cb->u.negated)
2126 if (rc == OK) rc = FAIL;
2127 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2130 if (rc != OK) break; /* Conditions loop */
2134 /* If the result is the one for which "message" and/or "log_message" are used,
2135 handle the values of these options. Most verbs have but a single return for
2136 which the messages are relevant, but for "discard", it's useful to have the log
2137 message both when it succeeds and when it fails. Also, for an "accept" that
2138 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2139 and "warn" are permitted in that ACL, we don't need to test the verb.
2141 These modifiers act in different ways:
2143 "message" is a user message that will be included in an SMTP response. Unless
2144 it is empty, it overrides any previously set user message.
2146 "log_message" is a non-user message, and it adds to any existing non-user
2147 message that is already set.
2149 If there isn't a log message set, we make it the same as the user message. */
2151 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2152 (verb == ACL_DISCARD && rc == OK) ||
2153 (where == ACL_WHERE_QUIT))
2157 /* If the verb is "warn", messages generated by conditions (verification or
2158 nested ACLs) are discarded. Only messages specified at this level are used.
2159 However, the value of an existing message is available in $acl_verify_message
2160 during expansions. */
2162 uschar *old_user_msgptr = *user_msgptr;
2163 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2165 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2167 if (user_message != NULL)
2169 acl_verify_message = old_user_msgptr;
2170 expmessage = expand_string(user_message);
2171 if (expmessage == NULL)
2173 if (!expand_string_forcedfail)
2174 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2175 user_message, expand_string_message);
2177 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2180 if (log_message != NULL)
2182 acl_verify_message = old_log_msgptr;
2183 expmessage = expand_string(log_message);
2184 if (expmessage == NULL)
2186 if (!expand_string_forcedfail)
2187 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2188 log_message, expand_string_message);
2190 else if (expmessage[0] != 0)
2192 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2193 string_sprintf("%s: %s", expmessage, *log_msgptr);
2197 /* If no log message, default it to the user message */
2199 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2202 acl_verify_message = NULL;
2210 /*************************************************
2211 * Get line from a literal ACL *
2212 *************************************************/
2214 /* This function is passed to acl_read() in order to extract individual lines
2215 of a literal ACL, which we access via static pointers. We can destroy the
2216 contents because this is called only once (the compiled ACL is remembered).
2218 This code is intended to treat the data in the same way as lines in the main
2219 Exim configuration file. That is:
2221 . Leading spaces are ignored.
2223 . A \ at the end of a line is a continuation - trailing spaces after the \
2224 are permitted (this is because I don't believe in making invisible things
2225 significant). Leading spaces on the continued part of a line are ignored.
2227 . Physical lines starting (significantly) with # are totally ignored, and
2228 may appear within a sequence of backslash-continued lines.
2230 . Blank lines are ignored, but will end a sequence of continuations.
2233 Returns: a pointer to the next line
2237 static uschar *acl_text; /* Current pointer in the text */
2238 static uschar *acl_text_end; /* Points one past the terminating '0' */
2246 /* This loop handles leading blank lines and comments. */
2250 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2251 if (*acl_text == 0) return NULL; /* No more data */
2252 yield = acl_text; /* Potential data line */
2254 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2256 /* If we hit the end before a newline, we have the whole logical line. If
2257 it's a comment, there's no more data to be given. Otherwise, yield it. */
2259 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2261 /* After reaching a newline, end this loop if the physical line does not
2262 start with '#'. If it does, it's a comment, and the loop continues. */
2264 if (*yield != '#') break;
2267 /* This loop handles continuations. We know we have some real data, ending in
2268 newline. See if there is a continuation marker at the end (ignoring trailing
2269 white space). We know that *yield is not white space, so no need to test for
2270 cont > yield in the backwards scanning loop. */
2275 for (cont = acl_text - 1; isspace(*cont); cont--);
2277 /* If no continuation follows, we are done. Mark the end of the line and
2286 /* We have encountered a continuation. Skip over whitespace at the start of
2287 the next line, and indeed the whole of the next line or lines if they are
2292 while (*(++acl_text) == ' ' || *acl_text == '\t');
2293 if (*acl_text != '#') break;
2294 while (*(++acl_text) != 0 && *acl_text != '\n');
2297 /* We have the start of a continuation line. Move all the rest of the data
2298 to join onto the previous line, and then find its end. If the end is not a
2299 newline, we are done. Otherwise loop to look for another continuation. */
2301 memmove(cont, acl_text, acl_text_end - acl_text);
2302 acl_text_end -= acl_text - cont;
2304 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2305 if (*acl_text == 0) return yield;
2308 /* Control does not reach here */
2315 /*************************************************
2316 * Check access using an ACL *
2317 *************************************************/
2319 /* This function is called from address_check. It may recurse via
2320 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2321 passed as a string which is expanded. A forced failure implies no access check
2322 is required. If the result is a single word, it is taken as the name of an ACL
2323 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2324 text, complete with newlines, and parsed as such. In both cases, the ACL check
2325 is then run. This function uses an auxiliary function for acl_read() to call
2326 for reading individual lines of a literal ACL. This is acl_getline(), which
2327 appears immediately above.
2330 where where called from
2331 addr address item when called from RCPT; otherwise NULL
2332 s the input string; NULL is the same as an empty ACL => DENY
2333 level the nesting level
2334 user_msgptr where to put a user error (for SMTP response)
2335 log_msgptr where to put a logging message (not for SMTP response)
2337 Returns: OK access is granted
2338 DISCARD access is apparently granted...
2339 FAIL access is denied
2340 FAIL_DROP access is denied; drop the connection
2341 DEFER can't tell at the moment
2346 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2347 uschar **user_msgptr, uschar **log_msgptr)
2350 acl_block *acl = NULL;
2351 uschar *acl_name = US"inline ACL";
2354 /* Catch configuration loops */
2358 *log_msgptr = US"ACL nested too deep: possible loop";
2364 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2368 /* At top level, we expand the incoming string. At lower levels, it has already
2369 been expanded as part of condition processing. */
2373 ss = expand_string(s);
2376 if (expand_string_forcedfail) return OK;
2377 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2378 expand_string_message);
2384 while (isspace(*ss))ss++;
2386 /* If we can't find a named ACL, the default is to parse it as an inline one.
2387 (Unless it begins with a slash; non-existent files give rise to an error.) */
2391 /* Handle the case of a string that does not contain any spaces. Look for a
2392 named ACL among those read from the configuration, or a previously read file.
2393 It is possible that the pointer to the ACL is NULL if the configuration
2394 contains a name with no data. If not found, and the text begins with '/',
2395 read an ACL from a file, and save it so it can be re-used. */
2397 if (Ustrchr(ss, ' ') == NULL)
2399 tree_node *t = tree_search(acl_anchor, ss);
2402 acl = (acl_block *)(t->data.ptr);
2405 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2408 acl_name = string_sprintf("ACL \"%s\"", ss);
2409 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2412 else if (*ss == '/')
2414 struct stat statbuf;
2415 fd = Uopen(ss, O_RDONLY, 0);
2418 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2423 if (fstat(fd, &statbuf) != 0)
2425 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2430 acl_text = store_get(statbuf.st_size + 1);
2431 acl_text_end = acl_text + statbuf.st_size + 1;
2433 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2435 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2436 ss, strerror(errno));
2439 acl_text[statbuf.st_size] = 0;
2442 acl_name = string_sprintf("ACL \"%s\"", ss);
2443 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2447 /* Parse an ACL that is still in text form. If it came from a file, remember it
2448 in the ACL tree, having read it into the POOL_PERM store pool so that it
2449 persists between multiple messages. */
2453 int old_pool = store_pool;
2454 if (fd >= 0) store_pool = POOL_PERM;
2455 acl = acl_read(acl_getline, log_msgptr);
2456 store_pool = old_pool;
2457 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2460 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2461 Ustrcpy(t->name, ss);
2463 (void)tree_insertnode(&acl_anchor, t);
2467 /* Now we have an ACL to use. It's possible it may be NULL. */
2472 int basic_errno = 0;
2473 BOOL endpass_seen = FALSE;
2475 *log_msgptr = *user_msgptr = NULL;
2476 acl_temp_details = FALSE;
2478 if (where == ACL_WHERE_QUIT &&
2479 acl->verb != ACL_ACCEPT &&
2480 acl->verb != ACL_WARN)
2482 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2487 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2489 /* Clear out any search error message from a previous check before testing
2492 search_error_message = NULL;
2493 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2494 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2496 /* Handle special returns: DEFER causes a return except on a WARN verb;
2497 ERROR always causes a return. */
2502 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2503 if (basic_errno != ERRNO_CALLOUTDEFER)
2505 if (search_error_message != NULL && *search_error_message != 0)
2506 *log_msgptr = search_error_message;
2507 if (smtp_return_error_details) acl_temp_details = TRUE;
2511 acl_temp_details = TRUE;
2513 if (acl->verb != ACL_WARN) return DEFER;
2516 default: /* Paranoia */
2518 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2522 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2527 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2530 /* DISCARD and DROP can happen only from a nested ACL condition, and
2531 DISCARD can happen only for an "accept" or "discard" verb. */
2534 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2539 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2544 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2545 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2546 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2551 if (cond == OK || cond == DISCARD) return cond;
2554 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2562 acl_temp_details = TRUE;
2568 if (cond == OK) return FAIL;
2572 if (cond == OK || cond == DISCARD) return DISCARD;
2575 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2581 if (cond == OK) return FAIL_DROP;
2585 if (cond != OK) return cond;
2590 acl_warn(where, *user_msgptr, *log_msgptr);
2591 else if (cond == DEFER)
2592 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2593 "condition test deferred: %s",
2594 (*log_msgptr == NULL)? US"" : *log_msgptr));
2595 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2599 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2604 /* Pass to the next ACL item */
2609 /* We have reached the end of the ACL. This is an implicit DENY. */
2611 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2616 /*************************************************
2617 * Check access using an ACL *
2618 *************************************************/
2620 /* This is the external interface for ACL checks. It sets up an address and the
2621 expansions for $domain and $local_part when called after RCPT, then calls
2622 acl_check_internal() to do the actual work.
2625 where ACL_WHERE_xxxx indicating where called from
2626 data_string RCPT address, or SMTP command argument, or NULL
2627 s the input string; NULL is the same as an empty ACL => DENY
2628 user_msgptr where to put a user error (for SMTP response)
2629 log_msgptr where to put a logging message (not for SMTP response)
2631 Returns: OK access is granted by an ACCEPT verb
2632 DISCARD access is granted by a DISCARD verb
2633 FAIL access is denied
2634 FAIL_DROP access is denied; drop the connection
2635 DEFER can't tell at the moment
2640 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2641 uschar **log_msgptr)
2647 *user_msgptr = *log_msgptr = NULL;
2648 sender_verified_failed = NULL;
2650 if (where == ACL_WHERE_RCPT)
2652 adb = address_defaults;
2654 addr->address = data_string;
2655 if (deliver_split_address(addr) == DEFER)
2657 *log_msgptr = US"defer in percent_hack_domains check";
2660 deliver_domain = addr->domain;
2661 deliver_localpart = addr->local_part;
2666 smtp_command_argument = data_string;
2669 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2671 smtp_command_argument = deliver_domain =
2672 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2674 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2675 ACL, which is really in the middle of an SMTP command. */
2679 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2681 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2682 "ACL", acl_wherenames[where]);
2688 /* A DROP response is not permitted from MAILAUTH */
2690 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2692 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2693 "ACL", acl_wherenames[where]);
2697 /* Before giving an error response, take a look at the length of any user
2698 message, and split it up into multiple lines if possible. */
2700 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2702 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2708 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2709 if (*ss == 0) break;
2716 while (--t > s + 35)
2720 if (t[-1] == ':') { tt = t; break; }
2721 if (tt == NULL) tt = t;
2725 if (tt == NULL) /* Can't split behind - try ahead */
2730 if (*t == ' ' || *t == '\n')
2736 if (tt == NULL) break; /* Can't find anywhere to split */