1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Code for handling Access Control Lists (ACLs) */
14 /* Default callout timeout */
16 #define CALLOUT_TIMEOUT_DEFAULT 30
18 /* Default quota cache TTLs */
20 #define QUOTA_POS_DEFAULT (5*60)
21 #define QUOTA_NEG_DEFAULT (60*60)
24 /* ACL verb codes - keep in step with the table of verbs that follows */
26 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
31 static uschar *verbs[] = {
32 [ACL_ACCEPT] = US"accept",
33 [ACL_DEFER] = US"defer",
34 [ACL_DENY] = US"deny",
35 [ACL_DISCARD] = US"discard",
36 [ACL_DROP] = US"drop",
37 [ACL_REQUIRE] = US"require",
41 /* For each verb, the conditions for which "message" or "log_message" are used
42 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
43 "accept", the FAIL case is used only after "endpass", but that is selected in
46 static int msgcond[] = {
47 [ACL_ACCEPT] = BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
48 [ACL_DEFER] = BIT(OK),
50 [ACL_DISCARD] = BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
52 [ACL_REQUIRE] = BIT(FAIL) | BIT(FAIL_DROP),
56 /* ACL condition and modifier codes - keep in step with the table that
63 #ifdef EXPERIMENTAL_BRIGHTMAIL
69 #ifdef EXPERIMENTAL_DCC
72 #ifdef WITH_CONTENT_SCAN
90 ACLC_LOG_REJECT_TARGET,
92 #ifdef WITH_CONTENT_SCAN
96 #ifdef WITH_CONTENT_SCAN
102 #ifdef WITH_CONTENT_SCAN
110 #ifdef WITH_CONTENT_SCAN
120 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
121 "message", "log_message", "log_reject_target", "logwrite", "queue" and "set" are
122 modifiers that look like conditions but always return TRUE. They are used for
123 their side effects. Do not invent new modifier names that result in one name
124 being the prefix of another; the binary-search in the list will go wrong. */
126 typedef struct condition_def {
129 /* Flag to indicate the condition/modifier has a string expansion done
130 at the outer level. In the other cases, expansion already occurs in the
131 checking functions. */
132 BOOL expand_at_top:1;
136 /* Bit map vector of which conditions and modifiers are not allowed at certain
137 times. For each condition and modifier, there's a bitmap of dis-allowed times.
138 For some, it is easier to specify the negation of a small number of allowed
144 static condition_def conditions[] = {
145 [ACLC_ACL] = { US"acl", FALSE, FALSE, 0 },
147 [ACLC_ADD_HEADER] = { US"add_header", TRUE, TRUE,
149 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
150 ACL_BIT_PREDATA | ACL_BIT_DATA |
154 ACL_BIT_MIME | ACL_BIT_NOTSMTP |
156 ACL_BIT_NOTSMTP_START),
159 [ACLC_AUTHENTICATED] = { US"authenticated", FALSE, FALSE,
160 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START |
161 ACL_BIT_CONNECT | ACL_BIT_HELO,
163 #ifdef EXPERIMENTAL_BRIGHTMAIL
164 [ACLC_BMI_OPTIN] = { US"bmi_optin", TRUE, TRUE,
166 ACL_BIT_CONNECT | ACL_BIT_HELO |
167 ACL_BIT_DATA | ACL_BIT_MIME |
168 # ifndef DISABLE_PRDR
171 ACL_BIT_ETRN | ACL_BIT_EXPN |
173 ACL_BIT_MAIL | ACL_BIT_STARTTLS |
174 ACL_BIT_VRFY | ACL_BIT_PREDATA |
175 ACL_BIT_NOTSMTP_START,
178 [ACLC_CONDITION] = { US"condition", TRUE, FALSE, 0 },
179 [ACLC_CONTINUE] = { US"continue", TRUE, TRUE, 0 },
181 /* Certain types of control are always allowed, so we let it through
182 always and check in the control processing itself. */
183 [ACLC_CONTROL] = { US"control", TRUE, TRUE, 0 },
185 #ifdef EXPERIMENTAL_DCC
186 [ACLC_DCC] = { US"dcc", TRUE, FALSE,
189 # ifndef DISABLE_PRDR
195 #ifdef WITH_CONTENT_SCAN
196 [ACLC_DECODE] = { US"decode", TRUE, FALSE, (unsigned int) ~ACL_BIT_MIME },
199 [ACLC_DELAY] = { US"delay", TRUE, TRUE, ACL_BIT_NOTQUIT },
201 [ACLC_DKIM_SIGNER] = { US"dkim_signers", TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM },
202 [ACLC_DKIM_STATUS] = { US"dkim_status", TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM },
205 [ACLC_DMARC_STATUS] = { US"dmarc_status", TRUE, FALSE, (unsigned int) ~ACL_BIT_DATA },
208 /* Explicit key lookups can be made in non-smtp ACLs so pass
209 always and check in the verify processing itself. */
210 [ACLC_DNSLISTS] = { US"dnslists", TRUE, FALSE, 0 },
212 [ACLC_DOMAINS] = { US"domains", FALSE, FALSE,
214 ~(ACL_BIT_RCPT | ACL_BIT_VRFY
220 [ACLC_ENCRYPTED] = { US"encrypted", FALSE, FALSE,
221 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START |
225 [ACLC_ENDPASS] = { US"endpass", TRUE, TRUE, 0 },
227 [ACLC_HOSTS] = { US"hosts", FALSE, FALSE,
228 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
230 [ACLC_LOCAL_PARTS] = { US"local_parts", FALSE, FALSE,
232 ~(ACL_BIT_RCPT | ACL_BIT_VRFY
239 [ACLC_LOG_MESSAGE] = { US"log_message", TRUE, TRUE, 0 },
240 [ACLC_LOG_REJECT_TARGET] = { US"log_reject_target", TRUE, TRUE, 0 },
241 [ACLC_LOGWRITE] = { US"logwrite", TRUE, TRUE, 0 },
243 #ifdef WITH_CONTENT_SCAN
244 [ACLC_MALWARE] = { US"malware", TRUE, FALSE,
247 # ifndef DISABLE_PRDR
254 [ACLC_MESSAGE] = { US"message", TRUE, TRUE, 0 },
255 #ifdef WITH_CONTENT_SCAN
256 [ACLC_MIME_REGEX] = { US"mime_regex", TRUE, FALSE, (unsigned int) ~ACL_BIT_MIME },
259 [ACLC_QUEUE] = { US"queue", TRUE, TRUE,
267 [ACLC_RATELIMIT] = { US"ratelimit", TRUE, FALSE, 0 },
268 [ACLC_RECIPIENTS] = { US"recipients", FALSE, FALSE, (unsigned int) ~ACL_BIT_RCPT },
270 #ifdef WITH_CONTENT_SCAN
271 [ACLC_REGEX] = { US"regex", TRUE, FALSE,
274 # ifndef DISABLE_PRDR
282 [ACLC_REMOVE_HEADER] = { US"remove_header", TRUE, TRUE,
284 ~(ACL_BIT_MAIL|ACL_BIT_RCPT |
285 ACL_BIT_PREDATA | ACL_BIT_DATA |
289 ACL_BIT_MIME | ACL_BIT_NOTSMTP |
290 ACL_BIT_NOTSMTP_START),
292 [ACLC_SEEN] = { US"seen", TRUE, FALSE, 0 },
293 [ACLC_SENDER_DOMAINS] = { US"sender_domains", FALSE, FALSE,
294 ACL_BIT_AUTH | ACL_BIT_CONNECT |
296 ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
297 ACL_BIT_ETRN | ACL_BIT_EXPN |
298 ACL_BIT_STARTTLS | ACL_BIT_VRFY,
300 [ACLC_SENDERS] = { US"senders", FALSE, FALSE,
301 ACL_BIT_AUTH | ACL_BIT_CONNECT |
303 ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
304 ACL_BIT_ETRN | ACL_BIT_EXPN |
305 ACL_BIT_STARTTLS | ACL_BIT_VRFY,
308 [ACLC_SET] = { US"set", TRUE, TRUE, 0 },
310 #ifdef WITH_CONTENT_SCAN
311 [ACLC_SPAM] = { US"spam", TRUE, FALSE,
312 (unsigned int) ~(ACL_BIT_DATA |
313 # ifndef DISABLE_PRDR
320 [ACLC_SPF] = { US"spf", TRUE, FALSE,
321 ACL_BIT_AUTH | ACL_BIT_CONNECT |
322 ACL_BIT_HELO | ACL_BIT_MAILAUTH |
323 ACL_BIT_ETRN | ACL_BIT_EXPN |
324 ACL_BIT_STARTTLS | ACL_BIT_VRFY |
325 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
327 [ACLC_SPF_GUESS] = { US"spf_guess", TRUE, FALSE,
328 ACL_BIT_AUTH | ACL_BIT_CONNECT |
329 ACL_BIT_HELO | ACL_BIT_MAILAUTH |
330 ACL_BIT_ETRN | ACL_BIT_EXPN |
331 ACL_BIT_STARTTLS | ACL_BIT_VRFY |
332 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
335 [ACLC_UDPSEND] = { US"udpsend", TRUE, TRUE, 0 },
337 /* Certain types of verify are always allowed, so we let it through
338 always and check in the verify function itself */
339 [ACLC_VERIFY] = { US"verify", TRUE, FALSE, 0 },
344 /* Return values from decode_control(); used as index so keep in step
345 with the controls_list table that follows! */
348 CONTROL_AUTH_UNADVERTISED,
349 #ifdef EXPERIMENTAL_BRIGHTMAIL
352 CONTROL_CASEFUL_LOCAL_PART,
353 CONTROL_CASELOWER_LOCAL_PART,
354 CONTROL_CUTTHROUGH_DELIVERY,
360 CONTROL_DMARC_VERIFY,
361 CONTROL_DMARC_FORENSIC,
364 CONTROL_ENFORCE_SYNC,
365 CONTROL_ERROR, /* pseudo-value for decode errors */
370 CONTROL_NO_CALLOUT_FLUSH,
371 CONTROL_NO_DELAY_FLUSH,
372 CONTROL_NO_ENFORCE_SYNC,
373 #ifdef WITH_CONTENT_SCAN
374 CONTROL_NO_MBOX_UNSPOOL,
376 CONTROL_NO_MULTILINE,
377 CONTROL_NO_PIPELINING,
381 CONTROL_SUPPRESS_LOCAL_FIXUPS,
383 CONTROL_UTF8_DOWNCONVERT,
389 /* Structure listing various control arguments, with their characteristics.
390 For each control, there's a bitmap of dis-allowed times. For some, it is easier
391 to specify the negation of a small number of allowed times. */
393 typedef struct control_def {
395 BOOL has_option; /* Has /option(s) following */
396 unsigned forbids; /* bitmap of dis-allowed times */
399 static control_def controls_list[] = {
400 /* name has_option forbids */
401 [CONTROL_AUTH_UNADVERTISED] =
402 { US"allow_auth_unadvertised", FALSE,
404 ~(ACL_BIT_CONNECT | ACL_BIT_HELO)
406 #ifdef EXPERIMENTAL_BRIGHTMAIL
408 { US"bmi_run", FALSE, 0 },
410 [CONTROL_CASEFUL_LOCAL_PART] =
411 { US"caseful_local_part", FALSE, (unsigned) ~ACL_BIT_RCPT },
412 [CONTROL_CASELOWER_LOCAL_PART] =
413 { US"caselower_local_part", FALSE, (unsigned) ~ACL_BIT_RCPT },
414 [CONTROL_CUTTHROUGH_DELIVERY] =
415 { US"cutthrough_delivery", TRUE, 0 },
417 { US"debug", TRUE, 0 },
420 [CONTROL_DKIM_VERIFY] =
421 { US"dkim_disable_verify", FALSE,
422 ACL_BIT_DATA | ACL_BIT_NOTSMTP |
423 # ifndef DISABLE_PRDR
426 ACL_BIT_NOTSMTP_START
431 [CONTROL_DMARC_VERIFY] =
432 { US"dmarc_disable_verify", FALSE,
433 ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
435 [CONTROL_DMARC_FORENSIC] =
436 { US"dmarc_enable_forensic", FALSE,
437 ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
443 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START | ACL_BIT_NOTQUIT
445 [CONTROL_ENFORCE_SYNC] =
446 { US"enforce_sync", FALSE,
447 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
450 /* Pseudo-value for decode errors */
452 { US"error", FALSE, 0 },
454 [CONTROL_FAKEDEFER] =
455 { US"fakedefer", TRUE,
457 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
458 ACL_BIT_PREDATA | ACL_BIT_DATA |
464 [CONTROL_FAKEREJECT] =
465 { US"fakereject", TRUE,
467 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
468 ACL_BIT_PREDATA | ACL_BIT_DATA |
477 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
478 ACL_BIT_PREDATA | ACL_BIT_DATA |
479 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
480 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
483 [CONTROL_NO_CALLOUT_FLUSH] =
484 { US"no_callout_flush", FALSE,
485 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
487 [CONTROL_NO_DELAY_FLUSH] =
488 { US"no_delay_flush", FALSE,
489 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
492 [CONTROL_NO_ENFORCE_SYNC] =
493 { US"no_enforce_sync", FALSE,
494 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
496 #ifdef WITH_CONTENT_SCAN
497 [CONTROL_NO_MBOX_UNSPOOL] =
498 { US"no_mbox_unspool", FALSE,
500 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
501 ACL_BIT_PREDATA | ACL_BIT_DATA |
502 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
506 [CONTROL_NO_MULTILINE] =
507 { US"no_multiline_responses", FALSE,
508 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
510 [CONTROL_NO_PIPELINING] =
511 { US"no_pipelining", FALSE,
512 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
518 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
519 ACL_BIT_PREDATA | ACL_BIT_DATA |
520 // ACL_BIT_PRDR| /* Not allow one user to freeze for all */
521 ACL_BIT_NOTSMTP | ACL_BIT_MIME)
524 [CONTROL_SUBMISSION] =
525 { US"submission", TRUE,
527 ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA)
529 [CONTROL_SUPPRESS_LOCAL_FIXUPS] =
530 { US"suppress_local_fixups", FALSE,
532 ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA |
533 ACL_BIT_NOTSMTP_START)
536 [CONTROL_UTF8_DOWNCONVERT] =
537 { US"utf8_downconvert", TRUE, (unsigned) ~(ACL_BIT_RCPT | ACL_BIT_VRFY)
542 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
543 caches its result in a tree to avoid repeated DNS queries. The result is an
544 integer code which is used as an index into the following tables of
545 explanatory strings and verification return codes. */
547 static tree_node *csa_cache = NULL;
549 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
550 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
552 /* The acl_verify_csa() return code is translated into an acl_verify() return
553 code using the following table. It is OK unless the client is definitely not
554 authorized. This is because CSA is supposed to be optional for sending sites,
555 so recipients should not be too strict about checking it - especially because
556 DNS problems are quite likely to occur. It's possible to use $csa_status in
557 further ACL conditions to distinguish ok, unknown, and defer if required, but
558 the aim is to make the usual configuration simple. */
560 static int csa_return_code[] = {
563 [CSA_DEFER_SRV] = OK,
564 [CSA_DEFER_ADDR] = OK,
565 [CSA_FAIL_EXPLICIT] = FAIL,
566 [CSA_FAIL_DOMAIN] = FAIL,
567 [CSA_FAIL_NOADDR] = FAIL,
568 [CSA_FAIL_MISMATCH] = FAIL
571 static uschar *csa_status_string[] = {
572 [CSA_UNKNOWN] = US"unknown",
574 [CSA_DEFER_SRV] = US"defer",
575 [CSA_DEFER_ADDR] = US"defer",
576 [CSA_FAIL_EXPLICIT] = US"fail",
577 [CSA_FAIL_DOMAIN] = US"fail",
578 [CSA_FAIL_NOADDR] = US"fail",
579 [CSA_FAIL_MISMATCH] = US"fail"
582 static uschar *csa_reason_string[] = {
583 [CSA_UNKNOWN] = US"unknown",
585 [CSA_DEFER_SRV] = US"deferred (SRV lookup failed)",
586 [CSA_DEFER_ADDR] = US"deferred (target address lookup failed)",
587 [CSA_FAIL_EXPLICIT] = US"failed (explicit authorization required)",
588 [CSA_FAIL_DOMAIN] = US"failed (host name not authorized)",
589 [CSA_FAIL_NOADDR] = US"failed (no authorized addresses)",
590 [CSA_FAIL_MISMATCH] = US"failed (client address mismatch)"
593 /* Options for the ratelimit condition. Note that there are two variants of
594 the per_rcpt option, depending on the ACL that is used to measure the rate.
595 However any ACL must be able to look up per_rcpt rates in /noupdate mode,
596 so the two variants must have the same internal representation as well as
597 the same configuration string. */
600 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
601 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
604 #define RATE_SET(var,new) \
605 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
607 static uschar *ratelimit_option_string[] = {
608 [RATE_PER_WHAT] = US"?",
609 [RATE_PER_CLASH] = US"!",
610 [RATE_PER_ADDR] = US"per_addr",
611 [RATE_PER_BYTE] = US"per_byte",
612 [RATE_PER_CMD] = US"per_cmd",
613 [RATE_PER_CONN] = US"per_conn",
614 [RATE_PER_MAIL] = US"per_mail",
615 [RATE_PER_RCPT] = US"per_rcpt",
616 [RATE_PER_ALLRCPTS] = US"per_rcpt"
619 /* Enable recursion between acl_check_internal() and acl_check_condition() */
621 static int acl_check_wargs(int, address_item *, const uschar *, uschar **,
625 /*************************************************
626 * Find control in list *
627 *************************************************/
629 /* The lists are always in order, so binary chop can be used.
632 name the control name to search for
633 ol the first entry in the control list
634 last one more than the offset of the last entry in the control list
636 Returns: index of a control entry, or -1 if not found
640 find_control(const uschar * name, control_def * ol, int last)
642 for (int first = 0; last > first; )
644 int middle = (first + last)/2;
645 uschar * s = ol[middle].name;
646 int c = Ustrncmp(name, s, Ustrlen(s));
647 if (c == 0) return middle;
648 else if (c > 0) first = middle + 1;
656 /*************************************************
657 * Pick out condition from list *
658 *************************************************/
660 /* Use a binary chop method
664 list list of conditions
667 Returns: offset in list, or -1 if not found
671 acl_checkcondition(uschar * name, condition_def * list, int end)
673 for (int start = 0; start < end; )
675 int mid = (start + end)/2;
676 int c = Ustrcmp(name, list[mid].name);
677 if (c == 0) return mid;
678 if (c < 0) end = mid;
679 else start = mid + 1;
685 /*************************************************
686 * Pick out name from list *
687 *************************************************/
689 /* Use a binary chop method
696 Returns: offset in list, or -1 if not found
700 acl_checkname(uschar *name, uschar **list, int end)
702 for (int start = 0; start < end; )
704 int mid = (start + end)/2;
705 int c = Ustrcmp(name, list[mid]);
706 if (c == 0) return mid;
707 if (c < 0) end = mid; else start = mid + 1;
714 /*************************************************
715 * Read and parse one ACL *
716 *************************************************/
718 /* This function is called both from readconf in order to parse the ACLs in the
719 configuration file, and also when an ACL is encountered dynamically (e.g. as
720 the result of an expansion). It is given a function to call in order to
721 retrieve the lines of the ACL. This function handles skipping comments and
722 blank lines (where relevant).
725 func function to get next line of ACL
726 error where to put an error message
728 Returns: pointer to ACL, or NULL
729 NULL can be legal (empty ACL); in this case error will be NULL
733 acl_read(uschar *(*func)(void), uschar **error)
735 acl_block *yield = NULL;
736 acl_block **lastp = &yield;
737 acl_block *this = NULL;
738 acl_condition_block *cond;
739 acl_condition_block **condp = NULL;
744 while ((s = (*func)()))
747 BOOL negated = FALSE;
748 uschar *saveline = s;
749 uschar name[EXIM_DRIVERNAME_MAX];
751 /* Conditions (but not verbs) are allowed to be negated by an initial
754 if (Uskip_whitespace(&s) == '!')
760 /* Read the name of a verb or a condition, or the start of a new ACL, which
761 can be started by a name, or by a macro definition. */
763 s = readconf_readname(name, sizeof(name), s);
764 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
766 /* If a verb is unrecognized, it may be another condition or modifier that
767 continues the previous verb. */
769 if ((v = acl_checkname(name, verbs, nelem(verbs))) < 0)
773 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
785 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
788 this = store_get(sizeof(acl_block), FALSE);
790 lastp = &(this->next);
792 this->condition = NULL;
794 this->srcline = config_lineno; /* for debug output */
795 this->srcfile = config_filename; /**/
796 condp = &(this->condition);
797 if (*s == 0) continue; /* No condition on this line */
803 s = readconf_readname(name, sizeof(name), s); /* Condition name */
806 /* Handle a condition or modifier. */
808 if ((c = acl_checkcondition(name, conditions, nelem(conditions))) < 0)
810 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
815 /* The modifiers may not be negated */
817 if (negated && conditions[c].is_modifier)
819 *error = string_sprintf("ACL error: negation is not allowed with "
820 "\"%s\"", conditions[c].name);
824 /* ENDPASS may occur only with ACCEPT or DISCARD. */
826 if (c == ACLC_ENDPASS &&
827 this->verb != ACL_ACCEPT &&
828 this->verb != ACL_DISCARD)
830 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
831 conditions[c].name, verbs[this->verb]);
835 cond = store_get(sizeof(acl_condition_block), FALSE);
838 cond->u.negated = negated;
841 condp = &(cond->next);
843 /* The "set" modifier is different in that its argument is "name=value"
844 rather than just a value, and we can check the validity of the name, which
845 gives us a variable name to insert into the data block. The original ACL
846 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
847 extended to 20 of each type, but after that people successfully argued for
848 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
849 After that, we allow alphanumerics and underscores, but the first character
850 after c or m must be a digit or an underscore. This retains backwards
855 if ( Ustrncmp(s, "dkim_verify_status", 18) == 0
856 || Ustrncmp(s, "dkim_verify_reason", 18) == 0)
858 uschar * endptr = s+18;
860 if (isalnum(*endptr))
862 *error = string_sprintf("invalid variable name after \"set\" in ACL "
863 "modifier \"set %s\" "
864 "(only \"dkim_verify_status\" or \"dkim_verify_reason\" permitted)",
868 cond->u.varname = string_copyn(s, 18);
870 Uskip_whitespace(&s);
877 if (Ustrncmp(s, "acl_c", 5) != 0 && Ustrncmp(s, "acl_m", 5) != 0)
879 *error = string_sprintf("invalid variable name after \"set\" in ACL "
880 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
885 if (!isdigit(*endptr) && *endptr != '_')
887 *error = string_sprintf("invalid variable name after \"set\" in ACL "
888 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
893 while (*endptr && *endptr != '=' && !isspace(*endptr))
895 if (!isalnum(*endptr) && *endptr != '_')
897 *error = string_sprintf("invalid character \"%c\" in variable name "
898 "in ACL modifier \"set %s\"", *endptr, s);
904 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
906 Uskip_whitespace(&s);
909 /* For "set", we are now positioned for the data. For the others, only
910 "endpass" has no data */
912 if (c != ACLC_ENDPASS)
916 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
917 conditions[c].is_modifier ? US"modifier" : US"condition");
920 Uskip_whitespace(&s);
921 cond->arg = string_copy(s);
930 /*************************************************
931 * Set up added header line(s) *
932 *************************************************/
934 /* This function is called by the add_header modifier, and also from acl_warn()
935 to implement the now-deprecated way of adding header lines using "message" on a
936 "warn" verb. The argument is treated as a sequence of header lines which are
937 added to a chain, provided there isn't an identical one already there.
939 Argument: string of header lines
944 setup_header(const uschar *hstring)
947 int hlen = Ustrlen(hstring);
949 /* Ignore any leading newlines */
950 while (*hstring == '\n') hstring++, hlen--;
952 /* An empty string does nothing; ensure exactly one final newline. */
953 if (hlen <= 0) return;
954 if (hstring[--hlen] != '\n') /* no newline */
955 q = string_sprintf("%s\n", hstring);
956 else if (hstring[hlen-1] == '\n') /* double newline */
958 uschar * s = string_copy(hstring);
959 while(s[--hlen] == '\n')
966 /* Loop for multiple header lines, taking care about continuations */
968 for (p = q; *p; p = q)
972 int newtype = htype_add_bot;
973 header_line **hptr = &acl_added_headers;
975 /* Find next header line within the string */
979 q = Ustrchr(q, '\n'); /* we know there was a newline */
980 if (*++q != ' ' && *q != '\t') break;
983 /* If the line starts with a colon, interpret the instruction for where to
984 add it. This temporarily sets up a new type. */
988 if (strncmpic(p, US":after_received:", 16) == 0)
990 newtype = htype_add_rec;
993 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
995 newtype = htype_add_rfc;
998 else if (strncmpic(p, US":at_start:", 10) == 0)
1000 newtype = htype_add_top;
1003 else if (strncmpic(p, US":at_end:", 8) == 0)
1005 newtype = htype_add_bot;
1008 while (*p == ' ' || *p == '\t') p++;
1011 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1012 to the front of it. */
1014 for (s = p; s < q - 1; s++)
1015 if (*s == ':' || !isgraph(*s)) break;
1017 hdr = string_sprintf("%s%.*s", *s == ':' ? "" : "X-ACL-Warn: ", (int) (q - p), p);
1018 hlen = Ustrlen(hdr);
1020 /* See if this line has already been added */
1024 if (Ustrncmp((*hptr)->text, hdr, hlen) == 0) break;
1025 hptr = &(*hptr)->next;
1028 /* Add if not previously present */
1032 /* The header_line struct itself is not tainted, though it points to
1033 possibly tainted data. */
1034 header_line * h = store_get(sizeof(header_line), FALSE);
1047 /*************************************************
1048 * List the added header lines *
1049 *************************************************/
1055 for (header_line * h = acl_added_headers; h; h = h->next)
1058 if (h->text[i-1] == '\n') i--;
1059 g = string_append_listele_n(g, '\n', h->text, i);
1062 return g ? g->s : NULL;
1066 /*************************************************
1067 * Set up removed header line(s) *
1068 *************************************************/
1070 /* This function is called by the remove_header modifier. The argument is
1071 treated as a sequence of header names which are added to a colon separated
1072 list, provided there isn't an identical one already there.
1074 Argument: string of header names
1079 setup_remove_header(const uschar *hnames)
1082 acl_removed_headers = acl_removed_headers
1083 ? string_sprintf("%s : %s", acl_removed_headers, hnames)
1084 : string_copy(hnames);
1089 /*************************************************
1091 *************************************************/
1093 /* This function is called when a WARN verb's conditions are true. It adds to
1094 the message's headers, and/or writes information to the log. In each case, this
1095 only happens once (per message for headers, per connection for log).
1097 ** NOTE: The header adding action using the "message" setting is historic, and
1098 its use is now deprecated. The new add_header modifier should be used instead.
1101 where ACL_WHERE_xxxx indicating which ACL this is
1102 user_message message for adding to headers
1103 log_message message for logging, if different
1109 acl_warn(int where, uschar *user_message, uschar *log_message)
1111 if (log_message != NULL && log_message != user_message)
1114 string_item *logged;
1116 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1117 string_printing(log_message));
1119 /* If a sender verification has failed, and the log message is "sender verify
1120 failed", add the failure message. */
1122 if (sender_verified_failed != NULL &&
1123 sender_verified_failed->message != NULL &&
1124 strcmpic(log_message, US"sender verify failed") == 0)
1125 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1127 /* Search previously logged warnings. They are kept in malloc
1128 store so they can be freed at the start of a new message. */
1130 for (logged = acl_warn_logged; logged; logged = logged->next)
1131 if (Ustrcmp(logged->text, text) == 0) break;
1135 int length = Ustrlen(text) + 1;
1136 log_write(0, LOG_MAIN, "%s", text);
1137 logged = store_malloc(sizeof(string_item) + length);
1138 logged->text = US logged + sizeof(string_item);
1139 memcpy(logged->text, text, length);
1140 logged->next = acl_warn_logged;
1141 acl_warn_logged = logged;
1145 /* If there's no user message, we are done. */
1147 if (!user_message) return;
1149 /* If this isn't a message ACL, we can't do anything with a user message.
1152 if (where > ACL_WHERE_NOTSMTP)
1154 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1155 "found in a non-message (%s) ACL: cannot specify header lines here: "
1156 "message ignored", acl_wherenames[where]);
1160 /* The code for setting up header lines is now abstracted into a separate
1161 function so that it can be used for the add_header modifier as well. */
1163 setup_header(user_message);
1168 /*************************************************
1169 * Verify and check reverse DNS *
1170 *************************************************/
1172 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1173 address if this has not yet been done. The host_name_lookup() function checks
1174 that one of these names resolves to an address list that contains the client IP
1175 address, so we don't actually have to do the check here.
1178 user_msgptr pointer for user message
1179 log_msgptr pointer for log message
1181 Returns: OK verification condition succeeded
1182 FAIL verification failed
1183 DEFER there was a problem verifying
1187 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1191 /* Previous success */
1193 if (sender_host_name != NULL) return OK;
1195 /* Previous failure */
1197 if (host_lookup_failed)
1199 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1203 /* Need to do a lookup */
1206 debug_printf_indent("looking up host name to force name/address consistency check\n");
1208 if ((rc = host_name_lookup()) != OK)
1210 *log_msgptr = rc == DEFER
1211 ? US"host lookup deferred for reverse lookup check"
1212 : string_sprintf("host lookup failed for reverse lookup check%s",
1214 return rc; /* DEFER or FAIL */
1217 host_build_sender_fullhost();
1223 /*************************************************
1224 * Check client IP address matches CSA target *
1225 *************************************************/
1227 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1228 response for address records belonging to the CSA target hostname. The section
1229 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1230 If one of the addresses matches the client's IP address, then the client is
1231 authorized by CSA. If there are target IP addresses but none of them match
1232 then the client is using an unauthorized IP address. If there are no target IP
1233 addresses then the client cannot be using an authorized IP address. (This is
1234 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1237 dnsa the DNS answer block
1238 dnss a DNS scan block for us to use
1239 reset option specifying what portion to scan, as described above
1240 target the target hostname to use for matching RR names
1242 Returns: CSA_OK successfully authorized
1243 CSA_FAIL_MISMATCH addresses found but none matched
1244 CSA_FAIL_NOADDR no target addresses found
1248 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1251 int rc = CSA_FAIL_NOADDR;
1253 for (dns_record * rr = dns_next_rr(dnsa, dnss, reset);
1255 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1257 /* Check this is an address RR for the target hostname. */
1261 && rr->type != T_AAAA
1265 if (strcmpic(target, rr->name) != 0) continue;
1267 rc = CSA_FAIL_MISMATCH;
1269 /* Turn the target address RR into a list of textual IP addresses and scan
1270 the list. There may be more than one if it is an A6 RR. */
1272 for (dns_address * da = dns_address_from_rr(dnsa, rr); da; da = da->next)
1274 /* If the client IP address matches the target IP address, it's good! */
1276 DEBUG(D_acl) debug_printf_indent("CSA target address is %s\n", da->address);
1278 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1282 /* If we found some target addresses but none of them matched, the client is
1283 using an unauthorized IP address, otherwise the target has no authorized IP
1291 /*************************************************
1292 * Verify Client SMTP Authorization *
1293 *************************************************/
1295 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1296 to find the CSA SRV record corresponding to the domain argument, or
1297 $sender_helo_name if no argument is provided. It then checks that the
1298 client is authorized, and that its IP address corresponds to the SRV
1299 target's address by calling acl_verify_csa_address() above. The address
1300 should have been returned in the DNS response's ADDITIONAL section, but if
1301 not we perform another DNS lookup to get it.
1304 domain pointer to optional parameter following verify = csa
1306 Returns: CSA_UNKNOWN no valid CSA record found
1307 CSA_OK successfully authorized
1308 CSA_FAIL_* client is definitely not authorized
1309 CSA_DEFER_* there was a DNS problem
1313 acl_verify_csa(const uschar *domain)
1316 const uschar *found;
1317 int priority, weight, port;
1321 int rc, type, yield;
1322 #define TARGET_SIZE 256
1323 uschar * target = store_get(TARGET_SIZE, TRUE);
1325 /* Work out the domain we are using for the CSA lookup. The default is the
1326 client's HELO domain. If the client has not said HELO, use its IP address
1327 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1329 while (isspace(*domain) && *domain != '\0') ++domain;
1330 if (*domain == '\0') domain = sender_helo_name;
1331 if (!domain) domain = sender_host_address;
1332 if (!sender_host_address) return CSA_UNKNOWN;
1334 /* If we have an address literal, strip off the framing ready for turning it
1335 into a domain. The framing consists of matched square brackets possibly
1336 containing a keyword and a colon before the actual IP address. */
1338 if (domain[0] == '[')
1340 const uschar *start = Ustrchr(domain, ':');
1341 if (start == NULL) start = domain;
1342 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1345 /* Turn domains that look like bare IP addresses into domains in the reverse
1346 DNS. This code also deals with address literals and $sender_host_address. It's
1347 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1348 address literals, but it's probably the most friendly thing to do. This is an
1349 extension to CSA, so we allow it to be turned off for proper conformance. */
1351 if (string_is_ip_address(domain, NULL) != 0)
1353 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1354 domain = dns_build_reverse(domain);
1357 /* Find out if we've already done the CSA check for this domain. If we have,
1358 return the same result again. Otherwise build a new cached result structure
1359 for this domain. The name is filled in now, and the value is filled in when
1360 we return from this function. */
1362 if ((t = tree_search(csa_cache, domain)))
1365 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain), is_tainted(domain));
1366 Ustrcpy(t->name, domain);
1367 (void)tree_insertnode(&csa_cache, t);
1369 /* Now we are ready to do the actual DNS lookup(s). */
1372 dnsa = store_get_dns_answer();
1373 switch (dns_special_lookup(dnsa, domain, T_CSA, &found))
1375 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1378 yield = CSA_DEFER_SRV;
1381 /* If we found nothing, the client's authorization is unknown. */
1385 yield = CSA_UNKNOWN;
1388 /* We got something! Go on to look at the reply in more detail. */
1394 /* Scan the reply for well-formed CSA SRV records. */
1396 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1398 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_SRV)
1400 const uschar * p = rr->data;
1402 /* Extract the numerical SRV fields (p is incremented) */
1404 GETSHORT(priority, p);
1405 GETSHORT(weight, p);
1409 debug_printf_indent("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1411 /* Check the CSA version number */
1413 if (priority != 1) continue;
1415 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1416 found by dns_special_lookup() is a parent of the one we asked for), we check
1417 the subdomain assertions in the port field. At the moment there's only one
1418 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1419 SRV records of their own. */
1421 if (Ustrcmp(found, domain) != 0)
1423 yield = port & 1 ? CSA_FAIL_EXPLICIT : CSA_UNKNOWN;
1427 /* This CSA SRV record refers directly to our domain, so we check the value
1428 in the weight field to work out the domain's authorization. 0 and 1 are
1429 unauthorized; 3 means the client is authorized but we can't check the IP
1430 address in order to authenticate it, so we treat it as unknown; values
1431 greater than 3 are undefined. */
1435 yield = CSA_FAIL_DOMAIN;
1439 if (weight > 2) continue;
1441 /* Weight == 2, which means the domain is authorized. We must check that the
1442 client's IP address is listed as one of the SRV target addresses. Save the
1443 target hostname then break to scan the additional data for its addresses. */
1445 (void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
1446 (DN_EXPAND_ARG4_TYPE)target, TARGET_SIZE);
1448 DEBUG(D_acl) debug_printf_indent("CSA target is %s\n", target);
1453 /* If we didn't break the loop then no appropriate records were found. */
1457 yield = CSA_UNKNOWN;
1461 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1462 A target of "." indicates there are no valid addresses, so the client cannot
1463 be authorized. (This is an odd configuration because weight=2 target=. is
1464 equivalent to weight=1, but we check for it in order to keep load off the
1465 root name servers.) Note that dn_expand() turns "." into "". */
1467 if (Ustrcmp(target, "") == 0)
1469 yield = CSA_FAIL_NOADDR;
1473 /* Scan the additional section of the CSA SRV reply for addresses belonging
1474 to the target. If the name server didn't return any additional data (e.g.
1475 because it does not fully support SRV records), we need to do another lookup
1476 to obtain the target addresses; otherwise we have a definitive result. */
1478 rc = acl_verify_csa_address(dnsa, &dnss, RESET_ADDITIONAL, target);
1479 if (rc != CSA_FAIL_NOADDR)
1485 /* The DNS lookup type corresponds to the IP version used by the client. */
1488 if (Ustrchr(sender_host_address, ':') != NULL)
1491 #endif /* HAVE_IPV6 */
1495 lookup_dnssec_authenticated = NULL;
1496 switch (dns_lookup(dnsa, target, type, NULL))
1498 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1501 yield = CSA_DEFER_ADDR;
1504 /* If the query succeeded, scan the addresses and return the result. */
1507 rc = acl_verify_csa_address(dnsa, &dnss, RESET_ANSWERS, target);
1508 if (rc != CSA_FAIL_NOADDR)
1513 /* else fall through */
1515 /* If the target has no IP addresses, the client cannot have an authorized
1516 IP address. However, if the target site uses A6 records (not AAAA records)
1517 we have to do yet another lookup in order to check them. */
1521 yield = CSA_FAIL_NOADDR;
1527 store_free_dns_answer(dnsa);
1528 return t->data.val = yield;
1533 /*************************************************
1534 * Handle verification (address & other) *
1535 *************************************************/
1537 enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1538 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT,
1539 VERIFY_HDR_NAMES_ASCII, VERIFY_ARC
1544 unsigned where_allowed; /* bitmap */
1545 BOOL no_options; /* Never has /option(s) following */
1546 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1548 static verify_type_t verify_type_list[] = {
1549 /* name value where no-opt opt-sep */
1550 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, (unsigned)~0, FALSE, 0 },
1551 { US"certificate", VERIFY_CERT, (unsigned)~0, TRUE, 0 },
1552 { US"helo", VERIFY_HELO, (unsigned)~0, TRUE, 0 },
1553 { US"csa", VERIFY_CSA, (unsigned)~0, FALSE, 0 },
1554 { US"header_syntax", VERIFY_HDR_SYNTAX, ACL_BITS_HAVEDATA, TRUE, 0 },
1555 { US"not_blind", VERIFY_NOT_BLIND, ACL_BITS_HAVEDATA, FALSE, 0 },
1556 { US"header_sender", VERIFY_HDR_SNDR, ACL_BITS_HAVEDATA, FALSE, 0 },
1557 { US"sender", VERIFY_SNDR, ACL_BIT_MAIL | ACL_BIT_RCPT
1558 | ACL_BIT_PREDATA | ACL_BIT_DATA | ACL_BIT_NOTSMTP,
1560 { US"recipient", VERIFY_RCPT, ACL_BIT_RCPT, FALSE, 0 },
1561 { US"header_names_ascii", VERIFY_HDR_NAMES_ASCII, ACL_BITS_HAVEDATA, TRUE, 0 },
1562 #ifdef EXPERIMENTAL_ARC
1563 { US"arc", VERIFY_ARC, ACL_BIT_DATA, FALSE , 0 },
1568 enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1569 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1570 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1571 CALLOUT_HOLD, CALLOUT_TIME /* TIME must be last */
1577 BOOL has_option; /* Has =option(s) following */
1578 BOOL timeval; /* Has a time value */
1580 static callout_opt_t callout_opt_list[] = {
1581 /* name value flag has-opt has-time */
1582 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1583 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1584 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1585 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1586 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1587 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1588 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1589 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1590 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1591 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1592 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1593 { US"hold", CALLOUT_HOLD, vopt_callout_hold, FALSE, FALSE },
1594 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1600 v_period(const uschar * s, const uschar * arg, uschar ** log_msgptr)
1603 if ((period = readconf_readtime(s, 0, FALSE)) < 0)
1605 *log_msgptr = string_sprintf("bad time value in ACL condition "
1606 "\"verify %s\"", arg);
1613 /* This function implements the "verify" condition. It is called when
1614 encountered in any ACL, because some tests are almost always permitted. Some
1615 just don't make sense, and always fail (for example, an attempt to test a host
1616 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1619 where where called from
1620 addr the recipient address that the ACL is handling, or NULL
1621 arg the argument of "verify"
1622 user_msgptr pointer for user message
1623 log_msgptr pointer for log message
1624 basic_errno where to put verify errno
1626 Returns: OK verification condition succeeded
1627 FAIL verification failed
1628 DEFER there was a problem verifying
1633 acl_verify(int where, address_item *addr, const uschar *arg,
1634 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1638 int callout_overall = -1;
1639 int callout_connect = -1;
1640 int verify_options = 0;
1642 BOOL verify_header_sender = FALSE;
1643 BOOL defer_ok = FALSE;
1644 BOOL callout_defer_ok = FALSE;
1645 BOOL no_details = FALSE;
1646 BOOL success_on_redirect = FALSE;
1648 int quota_pos_cache = QUOTA_POS_DEFAULT, quota_neg_cache = QUOTA_NEG_DEFAULT;
1649 address_item *sender_vaddr = NULL;
1650 uschar *verify_sender_address = NULL;
1651 uschar *pm_mailfrom = NULL;
1652 uschar *se_mailfrom = NULL;
1654 /* Some of the verify items have slash-separated options; some do not. Diagnose
1655 an error if options are given for items that don't expect them.
1658 uschar *slash = Ustrchr(arg, '/');
1659 const uschar *list = arg;
1660 uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
1663 if (!ss) goto BAD_VERIFY;
1665 /* Handle name/address consistency verification in a separate function. */
1667 for (vp = verify_type_list;
1668 CS vp < CS verify_type_list + sizeof(verify_type_list);
1671 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1672 : strcmpic (ss, vp->name) == 0)
1674 if (CS vp >= CS verify_type_list + sizeof(verify_type_list))
1677 if (vp->no_options && slash)
1679 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1680 "(this verify item has no options)", arg);
1683 if (!(vp->where_allowed & BIT(where)))
1685 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s",
1686 vp->name, acl_wherenames[where]);
1691 case VERIFY_REV_HOST_LKUP:
1692 if (!sender_host_address) return OK;
1693 if ((rc = acl_verify_reverse(user_msgptr, log_msgptr)) == DEFER)
1694 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1695 if (strcmpic(ss, US"defer_ok") == 0)
1700 /* TLS certificate verification is done at STARTTLS time; here we just
1701 test whether it was successful or not. (This is for optional verification; for
1702 mandatory verification, the connection doesn't last this long.) */
1704 if (tls_in.certificate_verified) return OK;
1705 *user_msgptr = US"no verified certificate";
1709 /* We can test the result of optional HELO verification that might have
1710 occurred earlier. If not, we can attempt the verification now. */
1712 if (!f.helo_verified && !f.helo_verify_failed) smtp_verify_helo();
1713 return f.helo_verified ? OK : FAIL;
1716 /* Do Client SMTP Authorization checks in a separate function, and turn the
1717 result code into user-friendly strings. */
1719 rc = acl_verify_csa(list);
1720 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1721 csa_reason_string[rc]);
1722 csa_status = csa_status_string[rc];
1723 DEBUG(D_acl) debug_printf_indent("CSA result %s\n", csa_status);
1724 return csa_return_code[rc];
1726 #ifdef EXPERIMENTAL_ARC
1728 { /* Do Authenticated Received Chain checks in a separate function. */
1729 const uschar * condlist = CUS string_nextinlist(&list, &sep, NULL, 0);
1733 if (!(arc_state = acl_verify_arc())) return DEFER;
1734 DEBUG(D_acl) debug_printf_indent("ARC verify result %s %s%s%s\n", arc_state,
1735 arc_state_reason ? "(":"", arc_state_reason, arc_state_reason ? ")":"");
1737 if (!condlist) condlist = US"none:pass";
1738 while ((cond = string_nextinlist(&condlist, &csep, NULL, 0)))
1739 if (Ustrcmp(arc_state, cond) == 0) return OK;
1744 case VERIFY_HDR_SYNTAX:
1745 /* Check that all relevant header lines have the correct 5322-syntax. If there is
1746 a syntax error, we return details of the error to the sender if configured to
1747 send out full details. (But a "message" setting on the ACL can override, as
1750 rc = verify_check_headers(log_msgptr);
1751 if (rc != OK && *log_msgptr)
1752 if (smtp_return_error_details)
1753 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1755 acl_verify_message = *log_msgptr;
1758 case VERIFY_HDR_NAMES_ASCII:
1759 /* Check that all header names are true 7 bit strings
1760 See RFC 5322, 2.2. and RFC 6532, 3. */
1762 rc = verify_check_header_names_ascii(log_msgptr);
1763 if (rc != OK && smtp_return_error_details && *log_msgptr)
1764 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1767 case VERIFY_NOT_BLIND:
1768 /* Check that no recipient of this message is "blind", that is, every envelope
1769 recipient must be mentioned in either To: or Cc:. */
1771 BOOL case_sensitive = TRUE;
1773 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1774 if (strcmpic(ss, US"case_insensitive") == 0)
1775 case_sensitive = FALSE;
1778 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1779 "condition \"verify %s\"", ss, arg);
1783 if ((rc = verify_check_notblind(case_sensitive)) != OK)
1785 *log_msgptr = US"bcc recipient detected";
1786 if (smtp_return_error_details)
1787 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1792 /* The remaining verification tests check recipient and sender addresses,
1793 either from the envelope or from the header. There are a number of
1794 slash-separated options that are common to all of them. */
1796 case VERIFY_HDR_SNDR:
1797 verify_header_sender = TRUE;
1801 /* In the case of a sender, this can optionally be followed by an address to use
1802 in place of the actual sender (rare special-case requirement). */
1806 verify_sender_address = sender_address;
1809 while (isspace(*s)) s++;
1810 if (*s++ != '=') goto BAD_VERIFY;
1811 while (isspace(*s)) s++;
1812 verify_sender_address = string_copy(s);
1823 /* Remaining items are optional; they apply to sender and recipient
1824 verification, including "header sender" verification. */
1826 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
1828 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1829 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1830 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1832 /* These two old options are left for backwards compatibility */
1834 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1836 callout_defer_ok = TRUE;
1837 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1840 else if (strcmpic(ss, US"check_postmaster") == 0)
1843 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1846 /* The callout option has a number of sub-options, comma separated */
1848 else if (strncmpic(ss, US"callout", 7) == 0)
1850 callout = CALLOUT_TIMEOUT_DEFAULT;
1853 while (isspace(*ss)) ss++;
1856 const uschar * sublist = ss;
1859 while (isspace(*sublist)) sublist++;
1860 for (uschar * opt; opt = string_nextinlist(&sublist, &optsep, NULL, 0); )
1863 double period = 1.0F;
1865 for (op= callout_opt_list; op->name; op++)
1866 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
1869 verify_options |= op->flag;
1872 opt += Ustrlen(op->name);
1873 while (isspace(*opt)) opt++;
1876 *log_msgptr = string_sprintf("'=' expected after "
1877 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
1880 while (isspace(*opt)) opt++;
1882 if (op->timeval && (period = v_period(opt, arg, log_msgptr)) < 0)
1887 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1888 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1889 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1890 case CALLOUT_MAILFROM:
1891 if (!verify_header_sender)
1893 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1894 "callout option only for verify=header_sender (detected in ACL "
1895 "condition \"%s\")", arg);
1898 se_mailfrom = string_copy(opt);
1900 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1901 case CALLOUT_MAXWAIT: callout_overall = period; break;
1902 case CALLOUT_CONNECT: callout_connect = period; break;
1903 case CALLOUT_TIME: callout = period; break;
1909 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1910 "ACL condition \"%s\"", arg);
1916 /* The quota option has sub-options, comma-separated */
1918 else if (strncmpic(ss, US"quota", 5) == 0)
1923 while (isspace(*ss)) ss++;
1926 const uschar * sublist = ss;
1930 while (isspace(*sublist)) sublist++;
1931 for (uschar * opt; opt = string_nextinlist(&sublist, &optsep, NULL, 0); )
1932 if (Ustrncmp(opt, "cachepos=", 9) == 0)
1933 if ((period = v_period(opt += 9, arg, log_msgptr)) < 0)
1936 quota_pos_cache = period;
1937 else if (Ustrncmp(opt, "cacheneg=", 9) == 0)
1938 if ((period = v_period(opt += 9, arg, log_msgptr)) < 0)
1941 quota_neg_cache = period;
1942 else if (Ustrcmp(opt, "no_cache") == 0)
1943 quota_pos_cache = quota_neg_cache = 0;
1948 /* Option not recognized */
1952 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1953 "condition \"verify %s\"", ss, arg);
1958 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1959 (vopt_callout_recipsender|vopt_callout_recippmaster))
1961 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1962 "for a recipient callout";
1966 /* Handle quota verification */
1969 if (vp->value != VERIFY_RCPT)
1971 *log_msgptr = US"can only verify quota of recipient";
1975 if ((rc = verify_quota_call(addr->address,
1976 quota_pos_cache, quota_neg_cache, log_msgptr)) != OK)
1978 *basic_errno = errno;
1979 if (smtp_return_error_details)
1981 if (!*user_msgptr && *log_msgptr)
1982 *user_msgptr = string_sprintf("Rejected after %s: %s",
1983 smtp_names[smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)]],
1985 if (rc == DEFER) f.acl_temp_details = TRUE;
1992 /* Handle sender-in-header verification. Default the user message to the log
1993 message if giving out verification details. */
1995 if (verify_header_sender)
1999 if ((rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
2000 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
2003 *basic_errno = verrno;
2004 if (smtp_return_error_details)
2006 if (!*user_msgptr && *log_msgptr)
2007 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
2008 if (rc == DEFER) f.acl_temp_details = TRUE;
2013 /* Handle a sender address. The default is to verify *the* sender address, but
2014 optionally a different address can be given, for special requirements. If the
2015 address is empty, we are dealing with a bounce message that has no sender, so
2016 we cannot do any checking. If the real sender address gets rewritten during
2017 verification (e.g. DNS widening), set the flag to stop it being rewritten again
2018 during message reception.
2020 A list of verified "sender" addresses is kept to try to avoid doing to much
2021 work repetitively when there are multiple recipients in a message and they all
2022 require sender verification. However, when callouts are involved, it gets too
2023 complicated because different recipients may require different callout options.
2024 Therefore, we always do a full sender verify when any kind of callout is
2025 specified. Caching elsewhere, for instance in the DNS resolver and in the
2026 callout handling, should ensure that this is not terribly inefficient. */
2028 else if (verify_sender_address)
2030 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)))
2032 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
2033 "sender verify callout";
2037 sender_vaddr = verify_checked_sender(verify_sender_address);
2038 if ( sender_vaddr /* Previously checked */
2039 && callout <= 0) /* No callout needed this time */
2041 /* If the "routed" flag is set, it means that routing worked before, so
2042 this check can give OK (the saved return code value, if set, belongs to a
2043 callout that was done previously). If the "routed" flag is not set, routing
2044 must have failed, so we use the saved return code. */
2046 if (testflag(sender_vaddr, af_verify_routed))
2050 rc = sender_vaddr->special_action;
2051 *basic_errno = sender_vaddr->basic_errno;
2053 HDEBUG(D_acl) debug_printf_indent("using cached sender verify result\n");
2056 /* Do a new verification, and cache the result. The cache is used to avoid
2057 verifying the sender multiple times for multiple RCPTs when callouts are not
2058 specified (see comments above).
2060 The cache is also used on failure to give details in response to the first
2061 RCPT that gets bounced for this reason. However, this can be suppressed by
2062 the no_details option, which sets the flag that says "this detail has already
2063 been sent". The cache normally contains just one address, but there may be
2064 more in esoteric circumstances. */
2069 uschar *save_address_data = deliver_address_data;
2071 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
2073 if ((sender_vaddr->prop.utf8_msg = message_smtputf8))
2075 sender_vaddr->prop.utf8_downcvt = message_utf8_downconvert == 1;
2076 sender_vaddr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
2079 if (no_details) setflag(sender_vaddr, af_sverify_told);
2080 if (verify_sender_address[0] != 0)
2082 /* If this is the real sender address, save the unrewritten version
2083 for use later in receive. Otherwise, set a flag so that rewriting the
2084 sender in verify_address() does not update sender_address. */
2086 if (verify_sender_address == sender_address)
2087 sender_address_unrewritten = sender_address;
2089 verify_options |= vopt_fake_sender;
2091 if (success_on_redirect)
2092 verify_options |= vopt_success_on_redirect;
2094 /* The recipient, qualify, and expn options are never set in
2097 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
2098 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
2100 HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
2103 *basic_errno = sender_vaddr->basic_errno;
2106 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2107 debug_printf_indent("sender %s verified ok as %s\n",
2108 verify_sender_address, sender_vaddr->address);
2110 debug_printf_indent("sender %s verified ok\n",
2111 verify_sender_address);
2114 rc = OK; /* Null sender */
2116 /* Cache the result code */
2118 if (routed) setflag(sender_vaddr, af_verify_routed);
2119 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2120 sender_vaddr->special_action = rc;
2121 sender_vaddr->next = sender_verified_list;
2122 sender_verified_list = sender_vaddr;
2124 /* Restore the recipient address data, which might have been clobbered by
2125 the sender verification. */
2127 deliver_address_data = save_address_data;
2130 /* Put the sender address_data value into $sender_address_data */
2132 sender_address_data = sender_vaddr->prop.address_data;
2135 /* A recipient address just gets a straightforward verify; again we must handle
2136 the DEFER overrides. */
2142 if (success_on_redirect)
2143 verify_options |= vopt_success_on_redirect;
2145 /* We must use a copy of the address for verification, because it might
2149 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
2150 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
2151 HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
2153 *basic_errno = addr2.basic_errno;
2154 *log_msgptr = addr2.message;
2155 *user_msgptr = addr2.user_message ? addr2.user_message : addr2.message;
2157 /* Allow details for temporary error if the address is so flagged. */
2158 if (testflag((&addr2), af_pass_message)) f.acl_temp_details = TRUE;
2160 /* Make $address_data visible */
2161 deliver_address_data = addr2.prop.address_data;
2164 /* We have a result from the relevant test. Handle defer overrides first. */
2168 || callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER
2171 HDEBUG(D_acl) debug_printf_indent("verify defer overridden by %s\n",
2172 defer_ok? "defer_ok" : "callout_defer_ok");
2176 /* If we've failed a sender, set up a recipient message, and point
2177 sender_verified_failed to the address item that actually failed. */
2179 if (rc != OK && verify_sender_address)
2182 *log_msgptr = *user_msgptr = US"Sender verify failed";
2183 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2184 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2187 *log_msgptr = US"Could not complete sender verify callout";
2188 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2192 sender_verified_failed = sender_vaddr;
2195 /* Verifying an address messes up the values of $domain and $local_part,
2196 so reset them before returning if this is a RCPT ACL. */
2200 deliver_domain = addr->domain;
2201 deliver_localpart = addr->local_part;
2205 /* Syntax errors in the verify argument come here. */
2208 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2209 "\"helo\", \"header_syntax\", \"header_sender\", \"header_names_ascii\" "
2210 "or \"reverse_host_lookup\" at start of ACL condition "
2211 "\"verify %s\"", arg);
2218 /*************************************************
2219 * Check argument for control= modifier *
2220 *************************************************/
2222 /* Called from acl_check_condition() below.
2223 To handle the case "queue_only" we accept an _ in the
2224 initial / option-switch position.
2227 arg the argument string for control=
2228 pptr set to point to the terminating character
2229 where which ACL we are in
2230 log_msgptr for error messages
2232 Returns: CONTROL_xxx value
2236 decode_control(const uschar *arg, const uschar **pptr, int where, uschar **log_msgptr)
2242 if ( (idx = find_control(arg, controls_list, nelem(controls_list))) < 0
2243 || ( (c = arg[len = Ustrlen((d = controls_list+idx)->name)]) != 0
2244 && (!d->has_option || c != '/' && c != '_')
2247 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2248 return CONTROL_ERROR;
2258 /*************************************************
2259 * Return a ratelimit error *
2260 *************************************************/
2262 /* Called from acl_ratelimit() below
2265 log_msgptr for error messages
2266 format format string
2267 ... supplementary arguments
2273 ratelimit_error(uschar **log_msgptr, const char *format, ...)
2277 string_cat(NULL, US"error in arguments to \"ratelimit\" condition: ");
2279 va_start(ap, format);
2280 g = string_vformat(g, SVFMT_EXTEND|SVFMT_REBUFFER, format, ap);
2283 gstring_release_unused(g);
2284 *log_msgptr = string_from_gstring(g);
2291 /*************************************************
2292 * Handle rate limiting *
2293 *************************************************/
2295 /* Called by acl_check_condition() below to calculate the result
2296 of the ACL ratelimit condition.
2298 Note that the return value might be slightly unexpected: if the
2299 sender's rate is above the limit then the result is OK. This is
2300 similar to the dnslists condition, and is so that you can write
2301 ACL clauses like: defer ratelimit = 15 / 1h
2304 arg the option string for ratelimit=
2305 where ACL_WHERE_xxxx indicating which ACL this is
2306 log_msgptr for error messages
2308 Returns: OK - Sender's rate is above limit
2309 FAIL - Sender's rate is below limit
2310 DEFER - Problem opening ratelimit database
2311 ERROR - Syntax error in options.
2315 acl_ratelimit(const uschar *arg, int where, uschar **log_msgptr)
2317 double limit, period, count;
2320 uschar *unique = NULL;
2322 BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2323 BOOL noupdate = FALSE, badacl = FALSE;
2324 int mode = RATE_PER_WHAT;
2326 tree_node **anchor, *t;
2327 open_db dbblock, *dbm;
2329 dbdata_ratelimit *dbd;
2330 dbdata_ratelimit_unique *dbdb;
2333 /* Parse the first two options and record their values in expansion
2334 variables. These variables allow the configuration to have informative
2335 error messages based on rate limits obtained from a table lookup. */
2337 /* First is the maximum number of messages per period / maximum burst
2338 size, which must be greater than or equal to zero. Zero is useful for
2339 rate measurement as opposed to rate limiting. */
2341 if (!(sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0)))
2342 return ratelimit_error(log_msgptr, "sender rate limit not set");
2344 limit = Ustrtod(sender_rate_limit, &ss);
2345 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2346 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2347 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2349 if (limit < 0.0 || *ss != '\0')
2350 return ratelimit_error(log_msgptr,
2351 "\"%s\" is not a positive number", sender_rate_limit);
2353 /* Second is the rate measurement period / exponential smoothing time
2354 constant. This must be strictly greater than zero, because zero leads to
2355 run-time division errors. */
2357 period = !(sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0))
2358 ? -1.0 : readconf_readtime(sender_rate_period, 0, FALSE);
2360 return ratelimit_error(log_msgptr,
2361 "\"%s\" is not a time value", sender_rate_period);
2363 /* By default we are counting one of something, but the per_rcpt,
2364 per_byte, and count options can change this. */
2368 /* Parse the other options. */
2370 while ((ss = string_nextinlist(&arg, &sep, NULL, 0)))
2372 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2373 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2374 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2375 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2376 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2377 else if (strcmpic(ss, US"per_conn") == 0)
2379 RATE_SET(mode, PER_CONN);
2380 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2383 else if (strcmpic(ss, US"per_mail") == 0)
2385 RATE_SET(mode, PER_MAIL);
2386 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2388 else if (strcmpic(ss, US"per_rcpt") == 0)
2390 /* If we are running in the RCPT ACL, then we'll count the recipients
2391 one by one, but if we are running when we have accumulated the whole
2392 list then we'll add them all in one batch. */
2393 if (where == ACL_WHERE_RCPT)
2394 RATE_SET(mode, PER_RCPT);
2395 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2396 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2397 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2398 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2400 else if (strcmpic(ss, US"per_byte") == 0)
2402 /* If we have not yet received the message data and there was no SIZE
2403 declaration on the MAIL command, then it's safe to just use a value of
2404 zero and let the recorded rate decay as if nothing happened. */
2405 RATE_SET(mode, PER_MAIL);
2406 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2407 else count = message_size < 0 ? 0.0 : (double)message_size;
2409 else if (strcmpic(ss, US"per_addr") == 0)
2411 RATE_SET(mode, PER_RCPT);
2412 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
2413 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2415 else if (strncmpic(ss, US"count=", 6) == 0)
2418 count = Ustrtod(ss+6, &e);
2419 if (count < 0.0 || *e != '\0')
2420 return ratelimit_error(log_msgptr, "\"%s\" is not a positive number", ss);
2422 else if (strncmpic(ss, US"unique=", 7) == 0)
2423 unique = string_copy(ss + 7);
2425 key = string_copy(ss);
2427 key = string_sprintf("%s/%s", key, ss);
2430 /* Sanity check. When the badacl flag is set the update mode must either
2431 be readonly (which is the default if it is omitted) or, for backwards
2432 compatibility, a combination of noupdate and strict or leaky. */
2434 if (mode == RATE_PER_CLASH)
2435 return ratelimit_error(log_msgptr, "conflicting per_* options");
2436 if (leaky + strict + readonly > 1)
2437 return ratelimit_error(log_msgptr, "conflicting update modes");
2438 if (badacl && (leaky || strict) && !noupdate)
2439 return ratelimit_error(log_msgptr,
2440 "\"%s\" must not have /leaky or /strict option, or cannot be used in %s ACL",
2441 ratelimit_option_string[mode], acl_wherenames[where]);
2443 /* Set the default values of any unset options. In readonly mode we
2444 perform the rate computation without any increment so that its value
2445 decays to eventually allow over-limit senders through. */
2447 if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2448 if (badacl) readonly = TRUE;
2449 if (readonly) count = 0.0;
2450 if (!strict && !readonly) leaky = TRUE;
2451 if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
2453 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2454 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2455 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2456 are added to the key because they alter the meaning of the stored data. */
2459 key = !sender_host_address ? US"" : sender_host_address;
2461 key = string_sprintf("%s/%s/%s%s",
2463 ratelimit_option_string[mode],
2464 unique == NULL ? "" : "unique/",
2468 debug_printf_indent("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
2470 /* See if we have already computed the rate by looking in the relevant tree.
2471 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2472 pool so that they survive across resets. In readonly mode we only remember the
2473 result for the rest of this command in case a later command changes it. After
2474 this bit of logic the code is independent of the per_* mode. */
2476 old_pool = store_pool;
2479 anchor = &ratelimiters_cmd;
2483 anchor = &ratelimiters_conn;
2484 store_pool = POOL_PERM;
2488 case RATE_PER_ALLRCPTS:
2489 anchor = &ratelimiters_mail;
2494 anchor = &ratelimiters_cmd;
2497 anchor = NULL; /* silence an "unused" complaint */
2498 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2499 "internal ACL error: unknown ratelimit mode %d", mode);
2503 if ((t = tree_search(*anchor, key)))
2506 /* The following few lines duplicate some of the code below. */
2507 rc = (dbd->rate < limit)? FAIL : OK;
2508 store_pool = old_pool;
2509 sender_rate = string_sprintf("%.1f", dbd->rate);
2511 debug_printf_indent("ratelimit found pre-computed rate %s\n", sender_rate);
2515 /* We aren't using a pre-computed rate, so get a previously recorded rate
2516 from the database, which will be updated and written back if required. */
2518 if (!(dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE, TRUE)))
2520 store_pool = old_pool;
2522 HDEBUG(D_acl) debug_printf_indent("ratelimit database not available\n");
2523 *log_msgptr = US"ratelimit database not available";
2526 dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2529 gettimeofday(&tv, NULL);
2533 /* Locate the basic ratelimit block inside the DB data. */
2534 HDEBUG(D_acl) debug_printf_indent("ratelimit found key in database\n");
2537 /* Forget the old Bloom filter if it is too old, so that we count each
2538 repeating event once per period. We don't simply clear and re-use the old
2539 filter because we want its size to change if the limit changes. Note that
2540 we keep the dbd pointer for copying the rate into the new data block. */
2542 if(unique && tv.tv_sec > dbdb->bloom_epoch + period)
2544 HDEBUG(D_acl) debug_printf_indent("ratelimit discarding old Bloom filter\n");
2550 if(unique && dbdb_size < sizeof(*dbdb))
2552 HDEBUG(D_acl) debug_printf_indent("ratelimit discarding undersize Bloom filter\n");
2557 /* Allocate a new data block if the database lookup failed
2558 or the Bloom filter passed its age limit. */
2564 /* No Bloom filter. This basic ratelimit block is initialized below. */
2565 HDEBUG(D_acl) debug_printf_indent("ratelimit creating new rate data block\n");
2566 dbdb_size = sizeof(*dbd);
2567 dbdb = store_get(dbdb_size, FALSE); /* not tainted */
2572 HDEBUG(D_acl) debug_printf_indent("ratelimit creating new Bloom filter\n");
2574 /* See the long comment below for an explanation of the magic number 2.
2575 The filter has a minimum size in case the rate limit is very small;
2576 this is determined by the definition of dbdata_ratelimit_unique. */
2578 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2579 if (extra < 0) extra = 0;
2580 dbdb_size = sizeof(*dbdb) + extra;
2581 dbdb = store_get(dbdb_size, FALSE); /* not tainted */
2582 dbdb->bloom_epoch = tv.tv_sec;
2583 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2584 memset(dbdb->bloom, 0, dbdb->bloom_size);
2586 /* Preserve any basic ratelimit data (which is our longer-term memory)
2587 by copying it from the discarded block. */
2597 /* If we are counting unique events, find out if this event is new or not.
2598 If the client repeats the event during the current period then it should be
2599 counted. We skip this code in readonly mode for efficiency, because any
2600 changes to the filter will be discarded and because count is already set to
2603 if (unique && !readonly)
2605 /* We identify unique events using a Bloom filter. (You can find my
2606 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2607 With the per_addr option, an "event" is a recipient address, though the
2608 user can use the unique option to define their own events. We only count
2609 an event if we have not seen it before.
2611 We size the filter according to the rate limit, which (in leaky mode)
2612 is the limit on the population of the filter. We allow 16 bits of space
2613 per entry (see the construction code above) and we set (up to) 8 of them
2614 when inserting an element (see the loop below). The probability of a false
2615 positive (an event we have not seen before but which we fail to count) is
2619 allzero = exp(-numhash * pop / size)
2620 = exp(-0.5 * pop / limit)
2621 fpr = pow(1 - allzero, numhash)
2623 For senders at the limit the fpr is 0.06% or 1 in 1700
2624 and for senders at half the limit it is 0.0006% or 1 in 170000
2626 In strict mode the Bloom filter can fill up beyond the normal limit, in
2627 which case the false positive rate will rise. This means that the
2628 measured rate for very fast senders can bogusly drop off after a while.
2630 At twice the limit, the fpr is 2.5% or 1 in 40
2631 At four times the limit, it is 31% or 1 in 3.2
2633 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2634 decay below the limit, and if this is more than one then the Bloom filter
2635 will be discarded before the decay gets that far. The false positive rate
2636 at this threshold is 9.3% or 1 in 10.7. */
2639 unsigned n, hash, hinc;
2643 /* Instead of using eight independent hash values, we combine two values
2644 using the formula h1 + n * h2. This does not harm the Bloom filter's
2645 performance, and means the amount of hash we need is independent of the
2646 number of bits we set in the filter. */
2648 md5_start(&md5info);
2649 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2650 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2651 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2653 /* Scan the bits corresponding to this event. A zero bit means we have
2654 not seen it before. Ensure all bits are set to record this event. */
2656 HDEBUG(D_acl) debug_printf_indent("ratelimit checking uniqueness of %s\n", unique);
2659 for (n = 0; n < 8; n++, hash += hinc)
2661 int bit = 1 << (hash % 8);
2662 int byte = (hash / 8) % dbdb->bloom_size;
2663 if ((dbdb->bloom[byte] & bit) == 0)
2665 dbdb->bloom[byte] |= bit;
2670 /* If this event has occurred before, do not count it. */
2674 HDEBUG(D_acl) debug_printf_indent("ratelimit event found in Bloom filter\n");
2678 HDEBUG(D_acl) debug_printf_indent("ratelimit event added to Bloom filter\n");
2681 /* If there was no previous ratelimit data block for this key, initialize
2682 the new one, otherwise update the block from the database. The initial rate
2683 is what would be computed by the code below for an infinite interval. */
2687 HDEBUG(D_acl) debug_printf_indent("ratelimit initializing new key's rate data\n");
2689 dbd->time_stamp = tv.tv_sec;
2690 dbd->time_usec = tv.tv_usec;
2695 /* The smoothed rate is computed using an exponentially weighted moving
2696 average adjusted for variable sampling intervals. The standard EWMA for
2697 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2698 where f() is the measured value and f'() is the smoothed value.
2700 Old data decays out of the smoothed value exponentially, such that data n
2701 samples old is multiplied by a^n. The exponential decay time constant p
2702 is defined such that data p samples old is multiplied by 1/e, which means
2703 that a = exp(-1/p). We can maintain the same time constant for a variable
2704 sampling interval i by using a = exp(-i/p).
2706 The rate we are measuring is messages per period, suitable for directly
2707 comparing with the limit. The average rate between now and the previous
2708 message is period / interval, which we feed into the EWMA as the sample.
2710 It turns out that the number of messages required for the smoothed rate
2711 to reach the limit when they are sent in a burst is equal to the limit.
2712 This can be seen by analysing the value of the smoothed rate after N
2713 messages sent at even intervals. Let k = (1 - a) * p/i
2715 rate_1 = (1 - a) * p/i + a * rate_0
2717 rate_2 = k + a * rate_1
2718 = k + a * k + a^2 * rate_0
2719 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2720 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2721 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2722 = rate_0 * a^N + p/i * (1 - a^N)
2724 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2726 rate_N = p/i + (rate_0 - p/i) * a^N
2727 a^N = (rate_N - p/i) / (rate_0 - p/i)
2728 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2729 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2731 Numerical analysis of the above equation, setting the computed rate to
2732 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2733 rates, p/i, the number of messages N = limit. So limit serves as both the
2734 maximum rate measured in messages per period, and the maximum number of
2735 messages that can be sent in a fast burst. */
2737 double this_time = (double)tv.tv_sec
2738 + (double)tv.tv_usec / 1000000.0;
2739 double prev_time = (double)dbd->time_stamp
2740 + (double)dbd->time_usec / 1000000.0;
2742 /* We must avoid division by zero, and deal gracefully with the clock going
2743 backwards. If we blunder ahead when time is in reverse then the computed
2744 rate will be bogus. To be safe we clamp interval to a very small number. */
2746 double interval = this_time - prev_time <= 0.0 ? 1e-9
2747 : this_time - prev_time;
2749 double i_over_p = interval / period;
2750 double a = exp(-i_over_p);
2752 /* Combine the instantaneous rate (period / interval) with the previous rate
2753 using the smoothing factor a. In order to measure sized events, multiply the
2754 instantaneous rate by the count of bytes or recipients etc. */
2756 dbd->time_stamp = tv.tv_sec;
2757 dbd->time_usec = tv.tv_usec;
2758 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2760 /* When events are very widely spaced the computed rate tends towards zero.
2761 Although this is accurate it turns out not to be useful for our purposes,
2762 especially when the first event after a long silence is the start of a spam
2763 run. A more useful model is that the rate for an isolated event should be the
2764 size of the event per the period size, ignoring the lack of events outside
2765 the current period and regardless of where the event falls in the period. So,
2766 if the interval was so long that the calculated rate is unhelpfully small, we
2767 re-initialize the rate. In the absence of higher-rate bursts, the condition
2768 below is true if the interval is greater than the period. */
2770 if (dbd->rate < count) dbd->rate = count;
2773 /* Clients sending at the limit are considered to be over the limit.
2774 This matters for edge cases such as a limit of zero, when the client
2775 should be completely blocked. */
2777 rc = dbd->rate < limit ? FAIL : OK;
2779 /* Update the state if the rate is low or if we are being strict. If we
2780 are in leaky mode and the sender's rate is too high, we do not update
2781 the recorded rate in order to avoid an over-aggressive sender's retry
2782 rate preventing them from getting any email through. If readonly is set,
2783 neither leaky nor strict are set, so we do not do any updates. */
2785 if ((rc == FAIL && leaky) || strict)
2787 dbfn_write(dbm, key, dbdb, dbdb_size);
2788 HDEBUG(D_acl) debug_printf_indent("ratelimit db updated\n");
2792 HDEBUG(D_acl) debug_printf_indent("ratelimit db not updated: %s\n",
2793 readonly? "readonly mode" : "over the limit, but leaky");
2798 /* Store the result in the tree for future reference. Take the taint status
2799 from the key for consistency even though it's unlikely we'll ever expand this. */
2801 t = store_get(sizeof(tree_node) + Ustrlen(key), is_tainted(key));
2803 Ustrcpy(t->name, key);
2804 (void)tree_insertnode(anchor, t);
2806 /* We create the formatted version of the sender's rate very late in
2807 order to ensure that it is done using the correct storage pool. */
2809 store_pool = old_pool;
2810 sender_rate = string_sprintf("%.1f", dbd->rate);
2813 debug_printf_indent("ratelimit computed rate %s\n", sender_rate);
2820 /*************************************************
2821 * Handle a check for previously-seen *
2822 *************************************************/
2825 ACL clauses like: seen = -5m / key=$foo / readonly
2827 Return is true for condition-true - but the semantics
2828 depend heavily on the actual use-case.
2830 Negative times test for seen-before, positive for seen-more-recently-than
2831 (the given interval before current time).
2833 All are subject to history not having been cleaned from the DB.
2835 Default for seen-before is to create if not present, and to
2836 update if older than 10d (with the seen-test time).
2837 Default for seen-since is to always create or update.
2840 key=value. Default key is $sender_host_address
2843 refresh=<interval>: update an existing DB entry older than given
2844 amount. Default refresh lacking this option is 10d.
2845 The update sets the record timestamp to the seen-test time.
2847 XXX do we need separate nocreate, noupdate controls?
2850 arg the option string for seen=
2851 where ACL_WHERE_xxxx indicating which ACL this is
2852 log_msgptr for error messages
2854 Returns: OK - Condition is true
2855 FAIL - Condition is false
2856 DEFER - Problem opening history database
2857 ERROR - Syntax error in options
2861 acl_seen(const uschar * arg, int where, uschar ** log_msgptr)
2863 enum { SEEN_DEFAULT, SEEN_READONLY, SEEN_WRITE };
2865 const uschar * list = arg;
2866 int slash = '/', equal = '=', interval, mode = SEEN_DEFAULT, yield = FAIL;
2868 int refresh = 10 * 24 * 60 * 60; /* 10 days */
2869 const uschar * ele, * key = sender_host_address;
2870 open_db dbblock, * dbm;
2874 /* Parse the first element, the time-relation. */
2876 if (!(ele = string_nextinlist(&list, &slash, NULL, 0)))
2878 if ((before = *ele == '-'))
2880 if ((interval = readconf_readtime(ele, 0, FALSE)) < 0)
2883 /* Remaining elements are options */
2885 while ((ele = string_nextinlist(&list, &slash, NULL, 0)))
2886 if (Ustrncmp(ele, "key=", 4) == 0)
2888 else if (Ustrcmp(ele, "readonly") == 0)
2889 mode = SEEN_READONLY;
2890 else if (Ustrcmp(ele, "write") == 0)
2892 else if (Ustrncmp(ele, "refresh=", 8) == 0)
2894 if ((refresh = readconf_readtime(ele + 8, 0, FALSE)) < 0)
2900 if (!(dbm = dbfn_open(US"seen", O_RDWR, &dbblock, TRUE, TRUE)))
2902 HDEBUG(D_acl) debug_printf_indent("database for 'seen' not available\n");
2903 *log_msgptr = US"database for 'seen' not available";
2907 dbd = dbfn_read_with_length(dbm, key, NULL);
2909 if (dbd) /* an existing record */
2911 time_t diff = now - dbd->time_stamp; /* time since the record was written */
2913 if (before ? diff >= interval : diff < interval)
2916 if (mode == SEEN_READONLY)
2917 { HDEBUG(D_acl) debug_printf_indent("seen db not written (readonly)\n"); }
2918 else if (mode == SEEN_WRITE || !before)
2920 dbd->time_stamp = now;
2921 dbfn_write(dbm, key, dbd, sizeof(*dbd));
2922 HDEBUG(D_acl) debug_printf_indent("seen db written (update)\n");
2924 else if (diff >= refresh)
2926 dbd->time_stamp = now - interval;
2927 dbfn_write(dbm, key, dbd, sizeof(*dbd));
2928 HDEBUG(D_acl) debug_printf_indent("seen db written (refresh)\n");
2932 { /* No record found, yield always FAIL */
2933 if (mode != SEEN_READONLY)
2935 dbdata_seen d = {.time_stamp = now};
2936 dbfn_write(dbm, key, &d, sizeof(*dbd));
2937 HDEBUG(D_acl) debug_printf_indent("seen db written (create)\n");
2940 HDEBUG(D_acl) debug_printf_indent("seen db not written (readonly)\n");
2948 *log_msgptr = string_sprintf("failed to parse '%s'", arg);
2951 *log_msgptr = string_sprintf("unrecognised option '%s' in '%s'", ele, arg);
2957 /*************************************************
2958 * The udpsend ACL modifier *
2959 *************************************************/
2961 /* Called by acl_check_condition() below.
2964 arg the option string for udpsend=
2965 log_msgptr for error messages
2967 Returns: OK - Completed.
2968 DEFER - Problem with DNS lookup.
2969 ERROR - Syntax error in options.
2973 acl_udpsend(const uschar *arg, uschar **log_msgptr)
2985 hostname = string_nextinlist(&arg, &sep, NULL, 0);
2986 portstr = string_nextinlist(&arg, &sep, NULL, 0);
2990 *log_msgptr = US"missing destination host in \"udpsend\" modifier";
2995 *log_msgptr = US"missing destination port in \"udpsend\" modifier";
3000 *log_msgptr = US"missing datagram payload in \"udpsend\" modifier";
3003 portnum = Ustrtol(portstr, &portend, 10);
3004 if (*portend != '\0')
3006 *log_msgptr = US"bad destination port in \"udpsend\" modifier";
3010 /* Make a single-item host list. */
3011 h = store_get(sizeof(host_item), FALSE);
3012 memset(h, 0, sizeof(host_item));
3017 if (string_is_ip_address(hostname, NULL))
3018 h->address = hostname, r = HOST_FOUND;
3020 r = host_find_byname(h, NULL, 0, NULL, FALSE);
3021 if (r == HOST_FIND_FAILED || r == HOST_FIND_AGAIN)
3023 *log_msgptr = US"DNS lookup failed in \"udpsend\" modifier";
3028 debug_printf_indent("udpsend [%s]:%d %s\n", h->address, portnum, arg);
3030 /*XXX this could better use sendto */
3031 r = s = ip_connectedsocket(SOCK_DGRAM, h->address, portnum, portnum,
3032 1, NULL, &errstr, NULL);
3033 if (r < 0) goto defer;
3035 r = send(s, arg, len, 0);
3038 errstr = US strerror(errno);
3046 string_sprintf("\"udpsend\" truncated from %d to %d octets", len, r);
3051 debug_printf_indent("udpsend %d bytes\n", r);
3056 *log_msgptr = string_sprintf("\"udpsend\" failed: %s", errstr);
3062 /*************************************************
3063 * Handle conditions/modifiers on an ACL item *
3064 *************************************************/
3066 /* Called from acl_check() below.
3070 cb ACL condition block - if NULL, result is OK
3071 where where called from
3072 addr the address being checked for RCPT, or NULL
3073 level the nesting level
3074 epp pointer to pass back TRUE if "endpass" encountered
3075 (applies only to "accept" and "discard")
3076 user_msgptr user message pointer
3077 log_msgptr log message pointer
3078 basic_errno pointer to where to put verify error
3080 Returns: OK - all conditions are met
3081 DISCARD - an "acl" condition returned DISCARD - only allowed
3082 for "accept" or "discard" verbs
3083 FAIL - at least one condition fails
3084 FAIL_DROP - an "acl" condition returned FAIL_DROP
3085 DEFER - can't tell at the moment (typically, lookup defer,
3086 but can be temporary callout problem)
3087 ERROR - ERROR from nested ACL or expansion failure or other
3092 acl_check_condition(int verb, acl_condition_block *cb, int where,
3093 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
3094 uschar **log_msgptr, int *basic_errno)
3096 uschar *user_message = NULL;
3097 uschar *log_message = NULL;
3099 #ifdef WITH_CONTENT_SCAN
3103 for (; cb; cb = cb->next)
3108 /* The message and log_message items set up messages to be used in
3109 case of rejection. They are expanded later. */
3111 if (cb->type == ACLC_MESSAGE)
3113 HDEBUG(D_acl) debug_printf_indent(" message: %s\n", cb->arg);
3114 user_message = cb->arg;
3118 if (cb->type == ACLC_LOG_MESSAGE)
3120 HDEBUG(D_acl) debug_printf_indent("l_message: %s\n", cb->arg);
3121 log_message = cb->arg;
3125 /* The endpass "condition" just sets a flag to show it occurred. This is
3126 checked at compile time to be on an "accept" or "discard" item. */
3128 if (cb->type == ACLC_ENDPASS)
3134 /* For other conditions and modifiers, the argument is expanded now for some
3135 of them, but not for all, because expansion happens down in some lower level
3136 checking functions in some cases. */
3138 if (!conditions[cb->type].expand_at_top)
3140 else if (!(arg = expand_string(cb->arg)))
3142 if (f.expand_string_forcedfail) continue;
3143 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
3144 cb->arg, expand_string_message);
3145 return f.search_find_defer ? DEFER : ERROR;
3148 /* Show condition, and expanded condition if it's different */
3153 debug_printf_indent("check %s%s %n",
3154 (!conditions[cb->type].is_modifier && cb->u.negated)? "!":"",
3155 conditions[cb->type].name, &lhswidth);
3157 if (cb->type == ACLC_SET)
3159 #ifndef DISABLE_DKIM
3160 if ( Ustrcmp(cb->u.varname, "dkim_verify_status") == 0
3161 || Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
3163 debug_printf("%s ", cb->u.varname);
3169 debug_printf("acl_%s ", cb->u.varname);
3170 lhswidth += 5 + Ustrlen(cb->u.varname);
3174 debug_printf("= %s\n", cb->arg);
3177 debug_printf("%.*s= %s\n", lhswidth,
3181 /* Check that this condition makes sense at this time */
3183 if ((conditions[cb->type].forbids & (1 << where)) != 0)
3185 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
3186 conditions[cb->type].is_modifier ? "use" : "test",
3187 conditions[cb->type].name, acl_wherenames[where]);
3191 /* Run the appropriate test for each condition, or take the appropriate
3192 action for the remaining modifiers. */
3196 case ACLC_ADD_HEADER:
3200 /* A nested ACL that returns "discard" makes sense only for an "accept" or
3204 rc = acl_check_wargs(where, addr, arg, user_msgptr, log_msgptr);
3205 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
3207 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
3208 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
3214 case ACLC_AUTHENTICATED:
3215 rc = sender_host_authenticated ? match_isinlist(sender_host_authenticated,
3216 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL) : FAIL;
3219 #ifdef EXPERIMENTAL_BRIGHTMAIL
3220 case ACLC_BMI_OPTIN:
3222 int old_pool = store_pool;
3223 store_pool = POOL_PERM;
3224 bmi_current_optin = string_copy(arg);
3225 store_pool = old_pool;
3230 case ACLC_CONDITION:
3231 /* The true/false parsing here should be kept in sync with that used in
3232 expand.c when dealing with ECOND_BOOL so that we don't have too many
3233 different definitions of what can be a boolean. */
3235 ? Ustrspn(arg+1, "0123456789") == Ustrlen(arg+1) /* Negative number */
3236 : Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
3237 rc = (Uatoi(arg) == 0)? FAIL : OK;
3239 rc = (strcmpic(arg, US"no") == 0 ||
3240 strcmpic(arg, US"false") == 0)? FAIL :
3241 (strcmpic(arg, US"yes") == 0 ||
3242 strcmpic(arg, US"true") == 0)? OK : DEFER;
3244 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
3247 case ACLC_CONTINUE: /* Always succeeds */
3252 const uschar *p = NULL;
3253 control_type = decode_control(arg, &p, where, log_msgptr);
3255 /* Check if this control makes sense at this time */
3257 if (controls_list[control_type].forbids & (1 << where))
3259 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
3260 controls_list[control_type].name, acl_wherenames[where]);
3264 switch(control_type)
3266 case CONTROL_AUTH_UNADVERTISED:
3267 f.allow_auth_unadvertised = TRUE;
3270 #ifdef EXPERIMENTAL_BRIGHTMAIL
3271 case CONTROL_BMI_RUN:
3276 #ifndef DISABLE_DKIM
3277 case CONTROL_DKIM_VERIFY:
3278 f.dkim_disable_verify = TRUE;
3279 # ifdef SUPPORT_DMARC
3280 /* Since DKIM was blocked, skip DMARC too */
3281 f.dmarc_disable_verify = TRUE;
3282 f.dmarc_enable_forensic = FALSE;
3287 #ifdef SUPPORT_DMARC
3288 case CONTROL_DMARC_VERIFY:
3289 f.dmarc_disable_verify = TRUE;
3292 case CONTROL_DMARC_FORENSIC:
3293 f.dmarc_enable_forensic = TRUE;
3300 int fd, af, level, optname, value;
3301 /* If we are acting on stdin, the setsockopt may fail if stdin is not
3302 a socket; we can accept that, we'll just debug-log failures anyway. */
3303 fd = fileno(smtp_in);
3304 if ((af = ip_get_address_family(fd)) < 0)
3307 debug_printf_indent("smtp input is probably not a socket [%s], not setting DSCP\n",
3311 if (dscp_lookup(p+1, af, &level, &optname, &value))
3312 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3314 HDEBUG(D_acl) debug_printf_indent("failed to set input DSCP[%s]: %s\n",
3315 p+1, strerror(errno));
3319 HDEBUG(D_acl) debug_printf_indent("set input DSCP to \"%s\"\n", p+1);
3323 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3329 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3337 case CONTROL_CASEFUL_LOCAL_PART:
3338 deliver_localpart = addr->cc_local_part;
3341 case CONTROL_CASELOWER_LOCAL_PART:
3342 deliver_localpart = addr->lc_local_part;
3345 case CONTROL_ENFORCE_SYNC:
3346 smtp_enforce_sync = TRUE;
3349 case CONTROL_NO_ENFORCE_SYNC:
3350 smtp_enforce_sync = FALSE;
3353 #ifdef WITH_CONTENT_SCAN
3354 case CONTROL_NO_MBOX_UNSPOOL:
3355 f.no_mbox_unspool = TRUE;
3359 case CONTROL_NO_MULTILINE:
3360 f.no_multiline_responses = TRUE;
3363 case CONTROL_NO_PIPELINING:
3364 f.pipelining_enable = FALSE;
3367 case CONTROL_NO_DELAY_FLUSH:
3368 f.disable_delay_flush = TRUE;
3371 case CONTROL_NO_CALLOUT_FLUSH:
3372 f.disable_callout_flush = TRUE;
3375 case CONTROL_FAKEREJECT:
3376 cancel_cutthrough_connection(TRUE, US"fakereject");
3377 case CONTROL_FAKEDEFER:
3378 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
3381 const uschar *pp = p + 1;
3383 /* The entire control= line was expanded at top so no need to expand
3384 the part after the / */
3385 fake_response_text = string_copyn(p+1, pp-p-1);
3388 else /* Explicitly reset to default string */
3389 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
3392 case CONTROL_FREEZE:
3393 f.deliver_freeze = TRUE;
3394 deliver_frozen_at = time(NULL);
3395 freeze_tell = freeze_tell_config; /* Reset to configured value */
3396 if (Ustrncmp(p, "/no_tell", 8) == 0)
3403 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3406 cancel_cutthrough_connection(TRUE, US"item frozen");
3410 f.queue_only_policy = TRUE;
3411 if (Ustrcmp(p, "_only") == 0)
3413 else while (*p == '/')
3414 if (Ustrncmp(p, "/only", 5) == 0)
3415 { p += 5; f.queue_smtp = FALSE; }
3416 else if (Ustrncmp(p, "/first_pass_route", 17) == 0)
3417 { p += 17; f.queue_smtp = TRUE; }
3420 cancel_cutthrough_connection(TRUE, US"queueing forced");
3423 case CONTROL_SUBMISSION:
3424 originator_name = US"";
3425 f.submission_mode = TRUE;
3428 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3431 f.active_local_sender_retain = TRUE;
3432 f.active_local_from_check = FALSE;
3434 else if (Ustrncmp(p, "/domain=", 8) == 0)
3436 const uschar *pp = p + 8;
3437 while (*pp && *pp != '/') pp++;
3438 submission_domain = string_copyn(p+8, pp-p-8);
3441 /* The name= option must be last, because it swallows the rest of
3443 else if (Ustrncmp(p, "/name=", 6) == 0)
3445 const uschar *pp = p + 6;
3447 submission_name = parse_fix_phrase(p+6, pp-p-6);
3454 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3461 uschar * debug_tag = NULL;
3462 uschar * debug_opts = NULL;
3467 const uschar * pp = p+1;
3468 if (Ustrncmp(pp, "tag=", 4) == 0)
3470 for (pp += 4; *pp && *pp != '/';) pp++;
3471 debug_tag = string_copyn(p+5, pp-p-5);
3473 else if (Ustrncmp(pp, "opts=", 5) == 0)
3475 for (pp += 5; *pp && *pp != '/';) pp++;
3476 debug_opts = string_copyn(p+6, pp-p-6);
3478 else if (Ustrncmp(pp, "kill", 4) == 0)
3480 for (pp += 4; *pp && *pp != '/';) pp++;
3484 while (*pp && *pp != '/') pp++;
3489 debug_logging_stop();
3491 debug_logging_activate(debug_tag, debug_opts);
3495 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3496 f.suppress_local_fixups = TRUE;
3499 case CONTROL_CUTTHROUGH_DELIVERY:
3501 uschar * ignored = NULL;
3502 #ifndef DISABLE_PRDR
3507 /* Too hard to think about for now. We might in future cutthrough
3508 the case where both sides handle prdr and this-node prdr acl
3510 ignored = US"PRDR active";
3511 else if (f.deliver_freeze)
3512 ignored = US"frozen";
3513 else if (f.queue_only_policy)
3514 ignored = US"queue-only";
3515 else if (fake_response == FAIL)
3516 ignored = US"fakereject";
3517 else if (rcpt_count != 1)
3518 ignored = US"nonfirst rcpt";
3519 else if (cutthrough.delivery)
3520 ignored = US"repeated";
3521 else if (cutthrough.callout_hold_only)
3524 debug_printf_indent(" cutthrough request upgrades callout hold\n");
3525 cutthrough.callout_hold_only = FALSE;
3526 cutthrough.delivery = TRUE; /* control accepted */
3530 cutthrough.delivery = TRUE; /* control accepted */
3533 const uschar * pp = p+1;
3534 if (Ustrncmp(pp, "defer=", 6) == 0)
3537 if (Ustrncmp(pp, "pass", 4) == 0) cutthrough.defer_pass = TRUE;
3538 /* else if (Ustrncmp(pp, "spool") == 0) ; default */
3541 while (*pp && *pp != '/') pp++;
3546 DEBUG(D_acl) if (ignored)
3547 debug_printf(" cutthrough request ignored on %s item\n", ignored);
3552 case CONTROL_UTF8_DOWNCONVERT:
3557 message_utf8_downconvert = 1;
3558 addr->prop.utf8_downcvt = TRUE;
3559 addr->prop.utf8_downcvt_maybe = FALSE;
3565 message_utf8_downconvert = 0;
3566 addr->prop.utf8_downcvt = FALSE;
3567 addr->prop.utf8_downcvt_maybe = FALSE;
3571 if (p[1] == '-' && p[2] == '1')
3573 message_utf8_downconvert = -1;
3574 addr->prop.utf8_downcvt = FALSE;
3575 addr->prop.utf8_downcvt_maybe = TRUE;
3579 *log_msgptr = US"bad option value for control=utf8_downconvert";
3583 message_utf8_downconvert = 1;
3584 addr->prop.utf8_downcvt = TRUE;
3585 addr->prop.utf8_downcvt_maybe = FALSE;
3595 #ifdef EXPERIMENTAL_DCC
3598 /* Separate the regular expression and any optional parameters. */
3599 const uschar * list = arg;
3600 uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
3601 /* Run the dcc backend. */
3602 rc = dcc_process(&ss);
3603 /* Modify return code based upon the existence of options. */
3604 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
3605 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3606 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
3611 #ifdef WITH_CONTENT_SCAN
3613 rc = mime_decode(&arg);
3619 int delay = readconf_readtime(arg, 0, FALSE);
3622 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3623 "modifier: \"%s\" is not a time value", arg);
3628 HDEBUG(D_acl) debug_printf_indent("delay modifier requests %d-second delay\n",
3633 debug_printf_indent("delay skipped in -bh checking mode\n");
3636 /* NOTE 1: Remember that we may be
3637 dealing with stdin/stdout here, in addition to TCP/IP connections.
3638 Also, delays may be specified for non-SMTP input, where smtp_out and
3639 smtp_in will be NULL. Whatever is done must work in all cases.
3641 NOTE 2: The added feature of flushing the output before a delay must
3642 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3647 if (smtp_out && !f.disable_delay_flush)
3650 #if !defined(NO_POLL_H) && defined (POLLRDHUP)
3656 p.fd = fileno(smtp_out);
3657 p.events = POLLRDHUP;
3660 if (poll(&p, n, delay*1000) > 0)
3661 HDEBUG(D_acl) debug_printf_indent("delay cancelled by peer close\n");
3664 /* Lacking POLLRDHUP it appears to be impossible to detect that a
3665 TCP/IP connection has gone away without reading from it. This means
3666 that we cannot shorten the delay below if the client goes away,
3667 because we cannot discover that the client has closed its end of the
3668 connection. (The connection is actually in a half-closed state,
3669 waiting for the server to close its end.) It would be nice to be able
3670 to detect this state, so that the Exim process is not held up
3671 unnecessarily. However, it seems that we can't. The poll() function
3672 does not do the right thing, and in any case it is not always
3675 while (delay > 0) delay = sleep(delay);
3682 #ifndef DISABLE_DKIM
3683 case ACLC_DKIM_SIGNER:
3684 if (dkim_cur_signer)
3685 rc = match_isinlist(dkim_cur_signer,
3686 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3691 case ACLC_DKIM_STATUS:
3692 rc = match_isinlist(dkim_verify_status,
3693 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3697 #ifdef SUPPORT_DMARC
3698 case ACLC_DMARC_STATUS:
3699 if (!f.dmarc_has_been_checked)
3701 f.dmarc_has_been_checked = TRUE;
3702 /* used long way of dmarc_exim_expand_query() in case we need more
3703 * view into the process in the future. */
3704 rc = match_isinlist(dmarc_exim_expand_query(DMARC_VERIFY_STATUS),
3705 &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3710 rc = verify_check_dnsbl(where, &arg, log_msgptr);
3714 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3715 addr->domain_cache, MCL_DOMAIN, TRUE, CUSS &deliver_domain_data);
3718 /* The value in tls_cipher is the full cipher name, for example,
3719 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3720 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3721 what may in practice come out of the SSL library - which at the time of
3722 writing is poorly documented. */
3724 case ACLC_ENCRYPTED:
3725 if (tls_in.cipher == NULL) rc = FAIL; else
3727 uschar *endcipher = NULL;
3728 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3729 if (!cipher) cipher = tls_in.cipher; else
3731 endcipher = Ustrchr(++cipher, ':');
3732 if (endcipher) *endcipher = 0;
3734 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3735 if (endcipher) *endcipher = ':';
3739 /* Use verify_check_this_host() instead of verify_check_host() so that
3740 we can pass over &host_data to catch any looked up data. Once it has been
3741 set, it retains its value so that it's still there if another ACL verb
3742 comes through here and uses the cache. However, we must put it into
3743 permanent store in case it is also expected to be used in a subsequent
3744 message in the same SMTP connection. */
3747 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3748 sender_host_address ? sender_host_address : US"", CUSS &host_data);
3749 if (rc == DEFER) *log_msgptr = search_error_message;
3750 if (host_data) host_data = string_copy_perm(host_data, TRUE);
3753 case ACLC_LOCAL_PARTS:
3754 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3755 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3756 CUSS &deliver_localpart_data);
3759 case ACLC_LOG_REJECT_TARGET:
3763 const uschar *s = arg;
3765 while ((ss = string_nextinlist(&s, &sep, NULL, 0)))
3767 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3768 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3769 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3772 logbits |= LOG_MAIN|LOG_REJECT;
3773 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3774 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3777 log_reject_target = logbits;
3784 const uschar *s = arg;
3790 if (Ustrncmp(s, "main", 4) == 0)
3791 { logbits |= LOG_MAIN; s += 4; }
3792 else if (Ustrncmp(s, "panic", 5) == 0)
3793 { logbits |= LOG_PANIC; s += 5; }
3794 else if (Ustrncmp(s, "reject", 6) == 0)
3795 { logbits |= LOG_REJECT; s += 6; }
3798 logbits = LOG_MAIN|LOG_PANIC;
3799 s = string_sprintf(":unknown log name in \"%s\" in "
3800 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3806 while (isspace(*s)) s++;
3808 if (logbits == 0) logbits = LOG_MAIN;
3809 log_write(0, logbits, "%s", string_printing(s));
3813 #ifdef WITH_CONTENT_SCAN
3814 case ACLC_MALWARE: /* Run the malware backend. */
3816 /* Separate the regular expression and any optional parameters. */
3817 const uschar * list = arg;
3818 uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
3820 BOOL defer_ok = FALSE;
3823 while ((opt = string_nextinlist(&list, &sep, NULL, 0)))
3824 if (strcmpic(opt, US"defer_ok") == 0)
3826 else if ( strncmpic(opt, US"tmo=", 4) == 0
3827 && (timeout = readconf_readtime(opt+4, '\0', FALSE)) < 0
3830 *log_msgptr = string_sprintf("bad timeout value in '%s'", opt);
3834 rc = malware(ss, timeout);
3835 if (rc == DEFER && defer_ok)
3836 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
3840 case ACLC_MIME_REGEX:
3841 rc = mime_regex(&arg);
3848 if ((m = is_tainted2(arg, 0, "Tainted name '%s' for queue not permitted", arg)))
3853 if (Ustrchr(arg, '/'))
3855 *log_msgptr = string_sprintf(
3856 "Directory separator not permitted in queue name: '%s'", arg);
3859 queue_name = string_copy_perm(arg, FALSE);
3863 case ACLC_RATELIMIT:
3864 rc = acl_ratelimit(arg, where, log_msgptr);
3867 case ACLC_RECIPIENTS:
3868 rc = match_address_list(CUS addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3869 CUSS &recipient_data);
3872 #ifdef WITH_CONTENT_SCAN
3878 case ACLC_REMOVE_HEADER:
3879 setup_remove_header(arg);
3883 rc = acl_seen(arg, where, log_msgptr);
3886 case ACLC_SENDER_DOMAINS:
3889 sdomain = Ustrrchr(sender_address, '@');
3890 sdomain = sdomain ? sdomain + 1 : US"";
3891 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3892 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3897 rc = match_address_list(CUS sender_address, TRUE, TRUE, &arg,
3898 sender_address_cache, -1, 0, CUSS &sender_data);
3901 /* Connection variables must persist forever; message variables not */
3905 int old_pool = store_pool;
3906 if ( cb->u.varname[0] != 'm'
3907 #ifndef DISABLE_EVENT
3908 || event_name /* An event is being delivered */
3911 store_pool = POOL_PERM;
3912 #ifndef DISABLE_DKIM /* Overwriteable dkim result variables */
3913 if (Ustrcmp(cb->u.varname, "dkim_verify_status") == 0)
3914 dkim_verify_status = string_copy(arg);
3915 else if (Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
3916 dkim_verify_reason = string_copy(arg);
3919 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
3920 store_pool = old_pool;
3924 #ifdef WITH_CONTENT_SCAN
3927 /* Separate the regular expression and any optional parameters. */
3928 const uschar * list = arg;
3929 uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
3931 rc = spam(CUSS &ss);
3932 /* Modify return code based upon the existence of options. */
3933 while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
3934 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3935 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
3942 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3944 case ACLC_SPF_GUESS:
3945 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
3950 rc = acl_udpsend(arg, log_msgptr);
3953 /* If the verb is WARN, discard any user message from verification, because
3954 such messages are SMTP responses, not header additions. The latter come
3955 only from explicit "message" modifiers. However, put the user message into
3956 $acl_verify_message so it can be used in subsequent conditions or modifiers
3957 (until something changes it). */
3960 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
3962 acl_verify_message = *user_msgptr;
3963 if (verb == ACL_WARN) *user_msgptr = NULL;
3967 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3968 "condition %d", cb->type);
3972 /* If a condition was negated, invert OK/FAIL. */
3974 if (!conditions[cb->type].is_modifier && cb->u.negated)
3975 if (rc == OK) rc = FAIL;
3976 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3978 if (rc != OK) break; /* Conditions loop */
3982 /* If the result is the one for which "message" and/or "log_message" are used,
3983 handle the values of these modifiers. If there isn't a log message set, we make
3984 it the same as the user message.
3986 "message" is a user message that will be included in an SMTP response. Unless
3987 it is empty, it overrides any previously set user message.
3989 "log_message" is a non-user message, and it adds to any existing non-user
3990 message that is already set.
3992 Most verbs have but a single return for which the messages are relevant, but
3993 for "discard", it's useful to have the log message both when it succeeds and
3994 when it fails. For "accept", the message is used in the OK case if there is no
3995 "endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3998 if (*epp && rc == OK) user_message = NULL;
4000 if ((BIT(rc) & msgcond[verb]) != 0)
4003 uschar *old_user_msgptr = *user_msgptr;
4004 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
4006 /* If the verb is "warn", messages generated by conditions (verification or
4007 nested ACLs) are always discarded. This also happens for acceptance verbs
4008 when they actually do accept. Only messages specified at this level are used.
4009 However, the value of an existing message is available in $acl_verify_message
4010 during expansions. */
4012 if (verb == ACL_WARN ||
4013 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
4014 *log_msgptr = *user_msgptr = NULL;
4018 acl_verify_message = old_user_msgptr;
4019 expmessage = expand_string(user_message);
4022 if (!f.expand_string_forcedfail)
4023 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
4024 user_message, expand_string_message);
4026 else if (expmessage[0] != 0) *user_msgptr = expmessage;
4031 acl_verify_message = old_log_msgptr;
4032 expmessage = expand_string(log_message);
4035 if (!f.expand_string_forcedfail)
4036 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
4037 log_message, expand_string_message);
4039 else if (expmessage[0] != 0)
4041 *log_msgptr = (*log_msgptr == NULL)? expmessage :
4042 string_sprintf("%s: %s", expmessage, *log_msgptr);
4046 /* If no log message, default it to the user message */
4048 if (!*log_msgptr) *log_msgptr = *user_msgptr;
4051 acl_verify_message = NULL;
4059 /*************************************************
4060 * Get line from a literal ACL *
4061 *************************************************/
4063 /* This function is passed to acl_read() in order to extract individual lines
4064 of a literal ACL, which we access via static pointers. We can destroy the
4065 contents because this is called only once (the compiled ACL is remembered).
4067 This code is intended to treat the data in the same way as lines in the main
4068 Exim configuration file. That is:
4070 . Leading spaces are ignored.
4072 . A \ at the end of a line is a continuation - trailing spaces after the \
4073 are permitted (this is because I don't believe in making invisible things
4074 significant). Leading spaces on the continued part of a line are ignored.
4076 . Physical lines starting (significantly) with # are totally ignored, and
4077 may appear within a sequence of backslash-continued lines.
4079 . Blank lines are ignored, but will end a sequence of continuations.
4082 Returns: a pointer to the next line
4086 static uschar *acl_text; /* Current pointer in the text */
4087 static uschar *acl_text_end; /* Points one past the terminating '0' */
4095 /* This loop handles leading blank lines and comments. */
4099 Uskip_whitespace(&acl_text); /* Leading spaces/empty lines */
4100 if (!*acl_text) return NULL; /* No more data */
4101 yield = acl_text; /* Potential data line */
4103 while (*acl_text && *acl_text != '\n') acl_text++;
4105 /* If we hit the end before a newline, we have the whole logical line. If
4106 it's a comment, there's no more data to be given. Otherwise, yield it. */
4108 if (!*acl_text) return *yield == '#' ? NULL : yield;
4110 /* After reaching a newline, end this loop if the physical line does not
4111 start with '#'. If it does, it's a comment, and the loop continues. */
4113 if (*yield != '#') break;
4116 /* This loop handles continuations. We know we have some real data, ending in
4117 newline. See if there is a continuation marker at the end (ignoring trailing
4118 white space). We know that *yield is not white space, so no need to test for
4119 cont > yield in the backwards scanning loop. */
4124 for (cont = acl_text - 1; isspace(*cont); cont--);
4126 /* If no continuation follows, we are done. Mark the end of the line and
4135 /* We have encountered a continuation. Skip over whitespace at the start of
4136 the next line, and indeed the whole of the next line or lines if they are
4141 while (*(++acl_text) == ' ' || *acl_text == '\t');
4142 if (*acl_text != '#') break;
4143 while (*(++acl_text) != 0 && *acl_text != '\n');
4146 /* We have the start of a continuation line. Move all the rest of the data
4147 to join onto the previous line, and then find its end. If the end is not a
4148 newline, we are done. Otherwise loop to look for another continuation. */
4150 memmove(cont, acl_text, acl_text_end - acl_text);
4151 acl_text_end -= acl_text - cont;
4153 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
4154 if (*acl_text == 0) return yield;
4157 /* Control does not reach here */
4164 /*************************************************
4165 * Check access using an ACL *
4166 *************************************************/
4168 /* This function is called from address_check. It may recurse via
4169 acl_check_condition() - hence the use of a level to stop looping. The ACL is
4170 passed as a string which is expanded. A forced failure implies no access check
4171 is required. If the result is a single word, it is taken as the name of an ACL
4172 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
4173 text, complete with newlines, and parsed as such. In both cases, the ACL check
4174 is then run. This function uses an auxiliary function for acl_read() to call
4175 for reading individual lines of a literal ACL. This is acl_getline(), which
4176 appears immediately above.
4179 where where called from
4180 addr address item when called from RCPT; otherwise NULL
4181 s the input string; NULL is the same as an empty ACL => DENY
4182 user_msgptr where to put a user error (for SMTP response)
4183 log_msgptr where to put a logging message (not for SMTP response)
4185 Returns: OK access is granted
4186 DISCARD access is apparently granted...
4187 FAIL access is denied
4188 FAIL_DROP access is denied; drop the connection
4189 DEFER can't tell at the moment
4194 acl_check_internal(int where, address_item *addr, uschar *s,
4195 uschar **user_msgptr, uschar **log_msgptr)
4198 acl_block *acl = NULL;
4199 uschar *acl_name = US"inline ACL";
4202 /* Catch configuration loops */
4206 *log_msgptr = US"ACL nested too deep: possible loop";
4212 HDEBUG(D_acl) debug_printf_indent("ACL is NULL: implicit DENY\n");
4216 /* At top level, we expand the incoming string. At lower levels, it has already
4217 been expanded as part of condition processing. */
4221 if (!(ss = expand_string(s)))
4223 if (f.expand_string_forcedfail) return OK;
4224 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
4225 expand_string_message);
4231 while (isspace(*ss)) ss++;
4233 /* If we can't find a named ACL, the default is to parse it as an inline one.
4234 (Unless it begins with a slash; non-existent files give rise to an error.) */
4238 if ( !f.running_in_test_harness
4239 && is_tainted2(acl_text, LOG_MAIN|LOG_PANIC,
4240 "Tainted ACL text \"%s\"", acl_text))
4242 /* Avoid leaking info to an attacker */
4243 *log_msgptr = US"internal configuration error";
4247 /* Handle the case of a string that does not contain any spaces. Look for a
4248 named ACL among those read from the configuration, or a previously read file.
4249 It is possible that the pointer to the ACL is NULL if the configuration
4250 contains a name with no data. If not found, and the text begins with '/',
4251 read an ACL from a file, and save it so it can be re-used. */
4253 if (Ustrchr(ss, ' ') == NULL)
4255 tree_node * t = tree_search(acl_anchor, ss);
4258 if (!(acl = (acl_block *)(t->data.ptr)))
4260 HDEBUG(D_acl) debug_printf_indent("ACL \"%s\" is empty: implicit DENY\n", ss);
4263 acl_name = string_sprintf("ACL \"%s\"", ss);
4264 HDEBUG(D_acl) debug_printf_indent("using ACL \"%s\"\n", ss);
4267 else if (*ss == '/')
4269 struct stat statbuf;
4270 if (is_tainted2(ss, LOG_MAIN|LOG_PANIC, "Tainted ACL file name '%s'", ss))
4272 /* Avoid leaking info to an attacker */
4273 *log_msgptr = US"internal configuration error";
4276 if ((fd = Uopen(ss, O_RDONLY, 0)) < 0)
4278 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
4282 if (fstat(fd, &statbuf) != 0)
4284 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
4289 /* If the string being used as a filename is tainted, so is the file content */
4290 acl_text = store_get(statbuf.st_size + 1, is_tainted(ss));
4291 acl_text_end = acl_text + statbuf.st_size + 1;
4293 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
4295 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
4296 ss, strerror(errno));
4299 acl_text[statbuf.st_size] = 0;
4302 acl_name = string_sprintf("ACL \"%s\"", ss);
4303 HDEBUG(D_acl) debug_printf_indent("read ACL from file %s\n", ss);
4307 /* Parse an ACL that is still in text form. If it came from a file, remember it
4308 in the ACL tree, having read it into the POOL_PERM store pool so that it
4309 persists between multiple messages. */
4313 int old_pool = store_pool;
4314 if (fd >= 0) store_pool = POOL_PERM;
4315 acl = acl_read(acl_getline, log_msgptr);
4316 store_pool = old_pool;
4317 if (!acl && *log_msgptr) return ERROR;
4320 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss), is_tainted(ss));
4321 Ustrcpy(t->name, ss);
4323 (void)tree_insertnode(&acl_anchor, t);
4327 /* Now we have an ACL to use. It's possible it may be NULL. */
4332 int basic_errno = 0;
4333 BOOL endpass_seen = FALSE;
4334 BOOL acl_quit_check = acl_level == 0
4335 && (where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT);
4337 *log_msgptr = *user_msgptr = NULL;
4338 f.acl_temp_details = FALSE;
4340 HDEBUG(D_acl) debug_printf_indent("processing \"%s\" (%s %d)\n",
4341 verbs[acl->verb], acl->srcfile, acl->srcline);
4343 /* Clear out any search error message from a previous check before testing
4346 search_error_message = NULL;
4347 cond = acl_check_condition(acl->verb, acl->condition, where, addr, acl_level,
4348 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
4350 /* Handle special returns: DEFER causes a return except on a WARN verb;
4351 ERROR always causes a return. */
4356 HDEBUG(D_acl) debug_printf_indent("%s: condition test deferred in %s\n",
4357 verbs[acl->verb], acl_name);
4358 if (basic_errno != ERRNO_CALLOUTDEFER)
4360 if (search_error_message != NULL && *search_error_message != 0)
4361 *log_msgptr = search_error_message;
4362 if (smtp_return_error_details) f.acl_temp_details = TRUE;
4365 f.acl_temp_details = TRUE;
4366 if (acl->verb != ACL_WARN) return DEFER;
4369 default: /* Paranoia */
4371 HDEBUG(D_acl) debug_printf_indent("%s: condition test error in %s\n",
4372 verbs[acl->verb], acl_name);
4376 HDEBUG(D_acl) debug_printf_indent("%s: condition test succeeded in %s\n",
4377 verbs[acl->verb], acl_name);
4381 HDEBUG(D_acl) debug_printf_indent("%s: condition test failed in %s\n",
4382 verbs[acl->verb], acl_name);
4385 /* DISCARD and DROP can happen only from a nested ACL condition, and
4386 DISCARD can happen only for an "accept" or "discard" verb. */
4389 HDEBUG(D_acl) debug_printf_indent("%s: condition test yielded \"discard\" in %s\n",
4390 verbs[acl->verb], acl_name);
4394 HDEBUG(D_acl) debug_printf_indent("%s: condition test yielded \"drop\" in %s\n",
4395 verbs[acl->verb], acl_name);
4399 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
4400 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
4401 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
4406 if (cond == OK || cond == DISCARD)
4408 HDEBUG(D_acl) debug_printf_indent("end of %s: ACCEPT\n", acl_name);
4413 HDEBUG(D_acl) debug_printf_indent("accept: endpass encountered - denying access\n");
4421 HDEBUG(D_acl) debug_printf_indent("end of %s: DEFER\n", acl_name);
4422 if (acl_quit_check) goto badquit;
4423 f.acl_temp_details = TRUE;
4431 HDEBUG(D_acl) debug_printf_indent("end of %s: DENY\n", acl_name);
4432 if (acl_quit_check) goto badquit;
4438 if (cond == OK || cond == DISCARD)
4440 HDEBUG(D_acl) debug_printf_indent("end of %s: DISCARD\n", acl_name);
4441 if (acl_quit_check) goto badquit;
4447 debug_printf_indent("discard: endpass encountered - denying access\n");
4455 HDEBUG(D_acl) debug_printf_indent("end of %s: DROP\n", acl_name);
4456 if (acl_quit_check) goto badquit;
4464 HDEBUG(D_acl) debug_printf_indent("end of %s: not OK\n", acl_name);
4465 if (acl_quit_check) goto badquit;
4472 acl_warn(where, *user_msgptr, *log_msgptr);
4473 else if (cond == DEFER && LOGGING(acl_warn_skipped))
4474 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
4475 "condition test deferred%s%s", host_and_ident(TRUE),
4476 (*log_msgptr == NULL)? US"" : US": ",
4477 (*log_msgptr == NULL)? US"" : *log_msgptr);
4478 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
4482 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
4487 /* Pass to the next ACL item */
4492 /* We have reached the end of the ACL. This is an implicit DENY. */
4494 HDEBUG(D_acl) debug_printf_indent("end of %s: implicit DENY\n", acl_name);
4498 *log_msgptr = string_sprintf("QUIT or not-QUIT toplevel ACL may not fail "
4499 "('%s' verb used incorrectly)", verbs[acl->verb]);
4506 /* Same args as acl_check_internal() above, but the string s is
4507 the name of an ACL followed optionally by up to 9 space-separated arguments.
4508 The name and args are separately expanded. Args go into $acl_arg globals. */
4510 acl_check_wargs(int where, address_item *addr, const uschar *s,
4511 uschar **user_msgptr, uschar **log_msgptr)
4514 uschar * tmp_arg[9]; /* must match acl_arg[] */
4515 uschar * sav_arg[9]; /* must match acl_arg[] */
4521 if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
4524 for (i = 0; i < 9; i++)
4526 while (*s && isspace(*s)) s++;
4528 if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
4535 sav_narg = acl_narg;
4537 for (i = 0; i < acl_narg; i++)
4539 sav_arg[i] = acl_arg[i];
4540 acl_arg[i] = tmp_arg[i];
4544 sav_arg[i] = acl_arg[i];
4545 acl_arg[i++] = NULL;
4549 ret = acl_check_internal(where, addr, name, user_msgptr, log_msgptr);
4552 acl_narg = sav_narg;
4553 for (i = 0; i < 9; i++) acl_arg[i] = sav_arg[i];
4557 if (f.expand_string_forcedfail) return ERROR;
4558 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
4559 tmp, expand_string_message);
4560 return f.search_find_defer ? DEFER : ERROR;
4565 /*************************************************
4566 * Check access using an ACL *
4567 *************************************************/
4569 /* Alternate interface for ACL, used by expansions */
4571 acl_eval(int where, uschar *s, uschar **user_msgptr, uschar **log_msgptr)
4574 address_item *addr = NULL;
4577 *user_msgptr = *log_msgptr = NULL;
4578 sender_verified_failed = NULL;
4579 ratelimiters_cmd = NULL;
4580 log_reject_target = LOG_MAIN|LOG_REJECT;
4582 if (where == ACL_WHERE_RCPT)
4584 adb = address_defaults;
4586 addr->address = expand_string(US"$local_part@$domain");
4587 addr->domain = deliver_domain;
4588 addr->local_part = deliver_localpart;
4589 addr->cc_local_part = deliver_localpart;
4590 addr->lc_local_part = deliver_localpart;
4594 rc = acl_check_internal(where, addr, s, user_msgptr, log_msgptr);
4601 /* This is the external interface for ACL checks. It sets up an address and the
4602 expansions for $domain and $local_part when called after RCPT, then calls
4603 acl_check_internal() to do the actual work.
4606 where ACL_WHERE_xxxx indicating where called from
4607 recipient RCPT address for RCPT check, else NULL
4608 s the input string; NULL is the same as an empty ACL => DENY
4609 user_msgptr where to put a user error (for SMTP response)
4610 log_msgptr where to put a logging message (not for SMTP response)
4612 Returns: OK access is granted by an ACCEPT verb
4613 DISCARD access is granted by a DISCARD verb
4614 FAIL access is denied
4615 FAIL_DROP access is denied; drop the connection
4616 DEFER can't tell at the moment
4619 int acl_where = ACL_WHERE_UNKNOWN;
4622 acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
4623 uschar **log_msgptr)
4627 address_item *addr = NULL;
4629 *user_msgptr = *log_msgptr = NULL;
4630 sender_verified_failed = NULL;
4631 ratelimiters_cmd = NULL;
4632 log_reject_target = LOG_MAIN|LOG_REJECT;
4634 #ifndef DISABLE_PRDR
4635 if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY || where==ACL_WHERE_PRDR)
4637 if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY)
4640 adb = address_defaults;
4642 addr->address = recipient;
4643 if (deliver_split_address(addr) == DEFER)
4645 *log_msgptr = US"defer in percent_hack_domains check";
4649 if ((addr->prop.utf8_msg = message_smtputf8))
4651 addr->prop.utf8_downcvt = message_utf8_downconvert == 1;
4652 addr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
4655 deliver_domain = addr->domain;
4656 deliver_localpart = addr->local_part;
4661 rc = acl_check_internal(where, addr, s, user_msgptr, log_msgptr);
4663 acl_where = ACL_WHERE_UNKNOWN;
4665 /* Cutthrough - if requested,
4666 and WHERE_RCPT and not yet opened conn as result of recipient-verify,
4667 and rcpt acl returned accept,
4668 and first recipient (cancel on any subsequents)
4669 open one now and run it up to RCPT acceptance.
4670 A failed verify should cancel cutthrough request,
4671 and will pass the fail to the originator.
4672 Initial implementation: dual-write to spool.
4673 Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
4675 Cease cutthrough copy on rxd final dot; do not send one.
4677 On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
4679 On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
4680 perm-rejected, reflect that to the original sender - and dump the spooled copy.
4681 If temp-reject, close the conn (and keep the spooled copy).
4682 If conn-failure, no action (and keep the spooled copy).
4686 case ACL_WHERE_RCPT:
4687 #ifndef DISABLE_PRDR
4688 case ACL_WHERE_PRDR:
4691 if (f.host_checking_callout) /* -bhc mode */
4692 cancel_cutthrough_connection(TRUE, US"host-checking mode");
4695 && cutthrough.delivery
4696 && rcpt_count > cutthrough.nrcpt
4699 if ((rc = open_cutthrough_connection(addr)) == DEFER)
4700 if (cutthrough.defer_pass)
4702 uschar * s = addr->message;
4703 /* Horrid kludge to recover target's SMTP message */
4705 do --s; while (!isdigit(*s));
4706 if (*--s && isdigit(*s) && *--s && isdigit(*s)) *user_msgptr = s;
4707 f.acl_temp_details = TRUE;
4711 HDEBUG(D_acl) debug_printf_indent("cutthrough defer; will spool\n");
4715 else HDEBUG(D_acl) if (cutthrough.delivery)
4716 if (rcpt_count <= cutthrough.nrcpt)
4717 debug_printf_indent("ignore cutthrough request; nonfirst message\n");
4719 debug_printf_indent("ignore cutthrough request; ACL did not accept\n");
4722 case ACL_WHERE_PREDATA:
4724 cutthrough_predata();
4726 cancel_cutthrough_connection(TRUE, US"predata acl not ok");
4729 case ACL_WHERE_QUIT:
4730 case ACL_WHERE_NOTQUIT:
4731 /* Drop cutthrough conns, and drop heldopen verify conns if
4732 the previous was not DATA */
4735 smtp_connection_had[SMTP_HBUFF_PREV(SMTP_HBUFF_PREV(smtp_ch_index))];
4736 BOOL dropverify = !(prev == SCH_DATA || prev == SCH_BDAT);
4738 cancel_cutthrough_connection(dropverify, US"quit or conndrop");
4746 deliver_domain = deliver_localpart = deliver_address_data =
4747 deliver_domain_data = sender_address_data = NULL;
4749 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
4750 ACL, which is really in the middle of an SMTP command. */
4754 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
4756 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
4757 "ACL", acl_wherenames[where]);
4763 /* A DROP response is not permitted from MAILAUTH */
4765 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
4767 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
4768 "ACL", acl_wherenames[where]);
4772 /* Before giving a response, take a look at the length of any user message, and
4773 split it up into multiple lines if possible. */
4775 *user_msgptr = string_split_message(*user_msgptr);
4776 if (fake_response != OK)
4777 fake_response_text = string_split_message(fake_response_text);
4783 /*************************************************
4784 * Create ACL variable *
4785 *************************************************/
4787 /* Create an ACL variable or reuse an existing one. ACL variables are in a
4788 binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
4791 name pointer to the variable's name, starting with c or m
4793 Returns the pointer to variable's tree node
4797 acl_var_create(uschar * name)
4799 tree_node * node, ** root = name[0] == 'c' ? &acl_var_c : &acl_var_m;
4800 if (!(node = tree_search(*root, name)))
4802 node = store_get(sizeof(tree_node) + Ustrlen(name), is_tainted(name));
4803 Ustrcpy(node->name, name);
4804 (void)tree_insertnode(root, node);
4806 node->data.ptr = NULL;
4812 /*************************************************
4813 * Write an ACL variable in spool format *
4814 *************************************************/
4816 /* This function is used as a callback for tree_walk when writing variables to
4817 the spool file. To retain spool file compatibility, what is written is -aclc or
4818 -aclm followed by the rest of the name and the data length, space separated,
4819 then the value itself, starting on a new line, and terminated by an additional
4820 newline. When we had only numbered ACL variables, the first line might look
4821 like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
4825 name of the variable
4826 value of the variable
4827 ctx FILE pointer (as a void pointer)
4833 acl_var_write(uschar *name, uschar *value, void *ctx)
4835 FILE *f = (FILE *)ctx;
4836 if (is_tainted(value)) putc('-', f);
4837 fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);