1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2012 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Code for handling Access Control Lists (ACLs) */
13 /* Default callout timeout */
15 #define CALLOUT_TIMEOUT_DEFAULT 30
17 /* ACL verb codes - keep in step with the table of verbs that follows */
19 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
24 static uschar *verbs[] =
25 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 /* For each verb, the conditions for which "message" or "log_message" are used
29 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
30 "accept", the FAIL case is used only after "endpass", but that is selected in
33 static int msgcond[] = {
34 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
37 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
39 (1<<FAIL) | (1<<FAIL_DROP), /* require */
43 /* ACL condition and modifier codes - keep in step with the table that
44 follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
50 #ifdef EXPERIMENTAL_BRIGHTMAIL
56 #ifdef EXPERIMENTAL_DCC
59 #ifdef WITH_CONTENT_SCAN
63 #ifdef WITH_OLD_DEMIME
70 #ifdef EXPERIMENTAL_DMARC
80 ACLC_LOG_REJECT_TARGET,
82 #ifdef WITH_CONTENT_SCAN
86 #ifdef WITH_CONTENT_SCAN
91 #ifdef WITH_CONTENT_SCAN
98 #ifdef WITH_CONTENT_SCAN
101 #ifdef EXPERIMENTAL_SPF
107 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
108 "message", "log_message", "log_reject_target", "logwrite", and "set" are
109 modifiers that look like conditions but always return TRUE. They are used for
110 their side effects. */
112 static uschar *conditions[] = {
116 #ifdef EXPERIMENTAL_BRIGHTMAIL
122 #ifdef EXPERIMENTAL_DCC
125 #ifdef WITH_CONTENT_SCAN
129 #ifdef WITH_OLD_DEMIME
136 #ifdef EXPERIMENTAL_DMARC
146 US"log_reject_target",
148 #ifdef WITH_CONTENT_SCAN
152 #ifdef WITH_CONTENT_SCAN
157 #ifdef WITH_CONTENT_SCAN
161 US"sender_domains", US"senders", US"set",
162 #ifdef WITH_CONTENT_SCAN
165 #ifdef EXPERIMENTAL_SPF
172 /* Return values from decode_control(); keep in step with the table of names
176 CONTROL_AUTH_UNADVERTISED,
177 #ifdef EXPERIMENTAL_BRIGHTMAIL
184 #ifdef EXPERIMENTAL_DMARC
185 CONTROL_DMARC_VERIFY,
186 CONTROL_DMARC_FORENSIC,
190 CONTROL_CASEFUL_LOCAL_PART,
191 CONTROL_CASELOWER_LOCAL_PART,
192 CONTROL_CUTTHROUGH_DELIVERY,
193 CONTROL_ENFORCE_SYNC,
194 CONTROL_NO_ENFORCE_SYNC,
198 CONTROL_SUPPRESS_LOCAL_FIXUPS,
199 #ifdef WITH_CONTENT_SCAN
200 CONTROL_NO_MBOX_UNSPOOL,
204 CONTROL_NO_MULTILINE,
205 CONTROL_NO_PIPELINING,
206 CONTROL_NO_DELAY_FLUSH,
207 CONTROL_NO_CALLOUT_FLUSH
210 /* ACL control names; keep in step with the table above! This list is used for
211 turning ids into names. The actual list of recognized names is in the variable
212 control_def controls_list[] below. The fact that there are two lists is a mess
213 and should be tidied up. */
215 static uschar *controls[] = {
216 US"allow_auth_unadvertised",
217 #ifdef EXPERIMENTAL_BRIGHTMAIL
222 US"dkim_disable_verify",
224 #ifdef EXPERIMENTAL_DMARC
225 US"dmarc_disable_verify",
226 US"dmarc_enable_forensic",
230 US"caseful_local_part",
231 US"caselower_local_part",
232 US"cutthrough_delivery",
238 US"suppress_local_fixups",
239 #ifdef WITH_CONTENT_SCAN
244 US"no_multiline_responses",
250 /* Flags to indicate for which conditions/modifiers a string expansion is done
251 at the outer level. In the other cases, expansion already occurs in the
252 checking functions. */
254 static uschar cond_expand_at_top[] = {
256 TRUE, /* add_header */
257 FALSE, /* authenticated */
258 #ifdef EXPERIMENTAL_BRIGHTMAIL
259 TRUE, /* bmi_optin */
261 TRUE, /* condition */
264 #ifdef EXPERIMENTAL_DCC
267 #ifdef WITH_CONTENT_SCAN
271 #ifdef WITH_OLD_DEMIME
275 TRUE, /* dkim_signers */
276 TRUE, /* dkim_status */
278 #ifdef EXPERIMENTAL_DMARC
279 TRUE, /* dmarc_status */
283 FALSE, /* encrypted */
286 FALSE, /* local_parts */
287 TRUE, /* log_message */
288 TRUE, /* log_reject_target */
290 #ifdef WITH_CONTENT_SCAN
294 #ifdef WITH_CONTENT_SCAN
295 TRUE, /* mime_regex */
297 TRUE, /* ratelimit */
298 FALSE, /* recipients */
299 #ifdef WITH_CONTENT_SCAN
302 TRUE, /* remove_header */
303 FALSE, /* sender_domains */
306 #ifdef WITH_CONTENT_SCAN
309 #ifdef EXPERIMENTAL_SPF
311 TRUE, /* spf_guess */
316 /* Flags to identify the modifiers */
318 static uschar cond_modifiers[] = {
320 TRUE, /* add_header */
321 FALSE, /* authenticated */
322 #ifdef EXPERIMENTAL_BRIGHTMAIL
323 TRUE, /* bmi_optin */
325 FALSE, /* condition */
328 #ifdef EXPERIMENTAL_DCC
331 #ifdef WITH_CONTENT_SCAN
335 #ifdef WITH_OLD_DEMIME
339 FALSE, /* dkim_signers */
340 FALSE, /* dkim_status */
342 #ifdef EXPERIMENTAL_DMARC
343 FALSE, /* dmarc_status */
345 FALSE, /* dnslists */
347 FALSE, /* encrypted */
350 FALSE, /* local_parts */
351 TRUE, /* log_message */
352 TRUE, /* log_reject_target */
354 #ifdef WITH_CONTENT_SCAN
358 #ifdef WITH_CONTENT_SCAN
359 FALSE, /* mime_regex */
361 FALSE, /* ratelimit */
362 FALSE, /* recipients */
363 #ifdef WITH_CONTENT_SCAN
366 TRUE, /* remove_header */
367 FALSE, /* sender_domains */
370 #ifdef WITH_CONTENT_SCAN
373 #ifdef EXPERIMENTAL_SPF
375 FALSE, /* spf_guess */
380 /* Bit map vector of which conditions and modifiers are not allowed at certain
381 times. For each condition and modifier, there's a bitmap of dis-allowed times.
382 For some, it is easier to specify the negation of a small number of allowed
385 static unsigned int cond_forbids[] = {
389 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
390 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
391 #ifdef EXPERIMENTAL_PRDR
394 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
396 (1<<ACL_WHERE_NOTSMTP_START)),
398 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
399 (1<<ACL_WHERE_NOTSMTP_START)|
400 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
402 #ifdef EXPERIMENTAL_BRIGHTMAIL
403 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
404 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
405 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
406 #ifdef EXPERIMENTAL_PRDR
409 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
410 (1<<ACL_WHERE_MAILAUTH)|
411 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
412 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
413 (1<<ACL_WHERE_NOTSMTP_START),
420 /* Certain types of control are always allowed, so we let it through
421 always and check in the control processing itself. */
425 #ifdef EXPERIMENTAL_DCC
427 ~((1<<ACL_WHERE_DATA)| /* dcc */
428 #ifdef EXPERIMENTAL_PRDR
430 #endif /* EXPERIMENTAL_PRDR */
431 (1<<ACL_WHERE_NOTSMTP)),
434 #ifdef WITH_CONTENT_SCAN
436 ~(1<<ACL_WHERE_MIME), /* decode */
439 (1<<ACL_WHERE_NOTQUIT), /* delay */
441 #ifdef WITH_OLD_DEMIME
443 ~((1<<ACL_WHERE_DATA)| /* demime */
444 #ifdef EXPERIMENTAL_PRDR
446 #endif /* EXPERIMENTAL_PRDR */
447 (1<<ACL_WHERE_NOTSMTP)),
452 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
455 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
458 #ifdef EXPERIMENTAL_DMARC
460 ~(1<<ACL_WHERE_DATA), /* dmarc_status */
463 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
464 (1<<ACL_WHERE_NOTSMTP_START),
467 ~((1<<ACL_WHERE_RCPT) /* domains */
468 #ifdef EXPERIMENTAL_PRDR
473 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
474 (1<<ACL_WHERE_CONNECT)|
475 (1<<ACL_WHERE_NOTSMTP_START)|
480 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
481 (1<<ACL_WHERE_NOTSMTP_START),
484 ~((1<<ACL_WHERE_RCPT) /* local_parts */
485 #ifdef EXPERIMENTAL_PRDR
492 0, /* log_reject_target */
496 #ifdef WITH_CONTENT_SCAN
498 ~((1<<ACL_WHERE_DATA)| /* malware */
499 #ifdef EXPERIMENTAL_PRDR
501 #endif /* EXPERIMENTAL_PRDR */
502 (1<<ACL_WHERE_NOTSMTP)),
507 #ifdef WITH_CONTENT_SCAN
509 ~(1<<ACL_WHERE_MIME), /* mime_regex */
515 ~(1<<ACL_WHERE_RCPT), /* recipients */
517 #ifdef WITH_CONTENT_SCAN
519 ~((1<<ACL_WHERE_DATA)| /* regex */
520 #ifdef EXPERIMENTAL_PRDR
522 #endif /* EXPERIMENTAL_PRDR */
523 (1<<ACL_WHERE_NOTSMTP)|
524 (1<<ACL_WHERE_MIME)),
528 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* remove_header */
529 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
530 #ifdef EXPERIMENTAL_PRDR
533 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
534 (1<<ACL_WHERE_NOTSMTP_START)),
536 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
538 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
539 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
540 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
542 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
544 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
545 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
546 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
550 #ifdef WITH_CONTENT_SCAN
552 ~((1<<ACL_WHERE_DATA)| /* spam */
553 #ifdef EXPERIMENTAL_PRDR
555 #endif /* EXPERIMENTAL_PRDR */
556 (1<<ACL_WHERE_NOTSMTP)),
559 #ifdef EXPERIMENTAL_SPF
560 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
562 (1<<ACL_WHERE_MAILAUTH)|
563 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
564 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
565 (1<<ACL_WHERE_NOTSMTP)|
566 (1<<ACL_WHERE_NOTSMTP_START),
568 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
570 (1<<ACL_WHERE_MAILAUTH)|
571 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
572 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
573 (1<<ACL_WHERE_NOTSMTP)|
574 (1<<ACL_WHERE_NOTSMTP_START),
577 /* Certain types of verify are always allowed, so we let it through
578 always and check in the verify function itself */
584 /* Bit map vector of which controls are not allowed at certain times. For
585 each control, there's a bitmap of dis-allowed times. For some, it is easier to
586 specify the negation of a small number of allowed times. */
588 static unsigned int control_forbids[] = {
590 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
592 #ifdef EXPERIMENTAL_BRIGHTMAIL
599 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
600 #ifdef EXPERIMENTAL_PRDR
602 #endif /* EXPERIMENTAL_PRDR */
603 (1<<ACL_WHERE_NOTSMTP_START),
606 #ifdef EXPERIMENTAL_DMARC
607 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dmarc_disable_verify */
608 (1<<ACL_WHERE_NOTSMTP_START),
609 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dmarc_enable_forensic */
610 (1<<ACL_WHERE_NOTSMTP_START),
613 (1<<ACL_WHERE_NOTSMTP)|
614 (1<<ACL_WHERE_NOTSMTP_START)|
615 (1<<ACL_WHERE_NOTQUIT), /* dscp */
620 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
623 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
626 0, /* cutthrough_delivery */
628 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
629 (1<<ACL_WHERE_NOTSMTP_START),
631 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
632 (1<<ACL_WHERE_NOTSMTP_START),
635 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
636 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
637 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
638 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
641 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
642 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
643 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
644 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
647 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
648 (1<<ACL_WHERE_PREDATA)),
651 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
652 (1<<ACL_WHERE_PREDATA)|
653 (1<<ACL_WHERE_NOTSMTP_START)),
655 #ifdef WITH_CONTENT_SCAN
657 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
658 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
659 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
660 (1<<ACL_WHERE_MIME)),
664 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
665 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
666 #ifdef EXPERIMENTAL_PRDR
668 #endif /* EXPERIMENTAL_PRDR */
669 (1<<ACL_WHERE_MIME)),
672 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
673 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
674 #ifdef EXPERIMENTAL_PRDR
676 #endif /* EXPERIMENTAL_PRDR */
677 (1<<ACL_WHERE_MIME)),
679 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
680 (1<<ACL_WHERE_NOTSMTP_START),
682 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
683 (1<<ACL_WHERE_NOTSMTP_START),
685 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
686 (1<<ACL_WHERE_NOTSMTP_START),
688 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
689 (1<<ACL_WHERE_NOTSMTP_START)
692 /* Structure listing various control arguments, with their characteristics. */
694 typedef struct control_def {
696 int value; /* CONTROL_xxx value */
697 BOOL has_option; /* Has /option(s) following */
700 static control_def controls_list[] = {
701 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
702 #ifdef EXPERIMENTAL_BRIGHTMAIL
703 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
705 { US"debug", CONTROL_DEBUG, TRUE },
707 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
709 #ifdef EXPERIMENTAL_DMARC
710 { US"dmarc_disable_verify", CONTROL_DMARC_VERIFY, FALSE },
711 { US"dmarc_enable_forensic", CONTROL_DMARC_FORENSIC, FALSE },
713 { US"dscp", CONTROL_DSCP, TRUE },
714 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
715 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
716 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
717 { US"freeze", CONTROL_FREEZE, TRUE },
718 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
719 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
720 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
721 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
722 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
723 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
724 #ifdef WITH_CONTENT_SCAN
725 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
727 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
728 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
729 { US"submission", CONTROL_SUBMISSION, TRUE },
730 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE },
731 { US"cutthrough_delivery", CONTROL_CUTTHROUGH_DELIVERY, FALSE }
734 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
735 caches its result in a tree to avoid repeated DNS queries. The result is an
736 integer code which is used as an index into the following tables of
737 explanatory strings and verification return codes. */
739 static tree_node *csa_cache = NULL;
741 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
742 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
744 /* The acl_verify_csa() return code is translated into an acl_verify() return
745 code using the following table. It is OK unless the client is definitely not
746 authorized. This is because CSA is supposed to be optional for sending sites,
747 so recipients should not be too strict about checking it - especially because
748 DNS problems are quite likely to occur. It's possible to use $csa_status in
749 further ACL conditions to distinguish ok, unknown, and defer if required, but
750 the aim is to make the usual configuration simple. */
752 static int csa_return_code[] = {
754 FAIL, FAIL, FAIL, FAIL
757 static uschar *csa_status_string[] = {
758 US"unknown", US"ok", US"defer", US"defer",
759 US"fail", US"fail", US"fail", US"fail"
762 static uschar *csa_reason_string[] = {
765 US"deferred (SRV lookup failed)",
766 US"deferred (target address lookup failed)",
767 US"failed (explicit authorization required)",
768 US"failed (host name not authorized)",
769 US"failed (no authorized addresses)",
770 US"failed (client address mismatch)"
773 /* Options for the ratelimit condition. Note that there are two variants of
774 the per_rcpt option, depending on the ACL that is used to measure the rate.
775 However any ACL must be able to look up per_rcpt rates in /noupdate mode,
776 so the two variants must have the same internal representation as well as
777 the same configuration string. */
780 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
781 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
784 #define RATE_SET(var,new) \
785 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
787 static uschar *ratelimit_option_string[] = {
788 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
789 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
792 /* Enable recursion between acl_check_internal() and acl_check_condition() */
794 static int acl_check_wargs(int, address_item *, uschar *, int, uschar **,
798 /*************************************************
799 * Pick out name from list *
800 *************************************************/
802 /* Use a binary chop method
809 Returns: offset in list, or -1 if not found
813 acl_checkname(uschar *name, uschar **list, int end)
819 int mid = (start + end)/2;
820 int c = Ustrcmp(name, list[mid]);
821 if (c == 0) return mid;
822 if (c < 0) end = mid; else start = mid + 1;
829 /*************************************************
830 * Read and parse one ACL *
831 *************************************************/
833 /* This function is called both from readconf in order to parse the ACLs in the
834 configuration file, and also when an ACL is encountered dynamically (e.g. as
835 the result of an expansion). It is given a function to call in order to
836 retrieve the lines of the ACL. This function handles skipping comments and
837 blank lines (where relevant).
840 func function to get next line of ACL
841 error where to put an error message
843 Returns: pointer to ACL, or NULL
844 NULL can be legal (empty ACL); in this case error will be NULL
848 acl_read(uschar *(*func)(void), uschar **error)
850 acl_block *yield = NULL;
851 acl_block **lastp = &yield;
852 acl_block *this = NULL;
853 acl_condition_block *cond;
854 acl_condition_block **condp = NULL;
859 while ((s = (*func)()) != NULL)
862 BOOL negated = FALSE;
863 uschar *saveline = s;
866 /* Conditions (but not verbs) are allowed to be negated by an initial
869 while (isspace(*s)) s++;
876 /* Read the name of a verb or a condition, or the start of a new ACL, which
877 can be started by a name, or by a macro definition. */
879 s = readconf_readname(name, sizeof(name), s);
880 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
882 /* If a verb is unrecognized, it may be another condition or modifier that
883 continues the previous verb. */
885 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
890 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
902 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
905 this = store_get(sizeof(acl_block));
907 lastp = &(this->next);
910 this->condition = NULL;
911 condp = &(this->condition);
912 if (*s == 0) continue; /* No condition on this line */
918 s = readconf_readname(name, sizeof(name), s); /* Condition name */
921 /* Handle a condition or modifier. */
923 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
926 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
931 /* The modifiers may not be negated */
933 if (negated && cond_modifiers[c])
935 *error = string_sprintf("ACL error: negation is not allowed with "
936 "\"%s\"", conditions[c]);
940 /* ENDPASS may occur only with ACCEPT or DISCARD. */
942 if (c == ACLC_ENDPASS &&
943 this->verb != ACL_ACCEPT &&
944 this->verb != ACL_DISCARD)
946 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
947 conditions[c], verbs[this->verb]);
951 cond = store_get(sizeof(acl_condition_block));
954 cond->u.negated = negated;
957 condp = &(cond->next);
959 /* The "set" modifier is different in that its argument is "name=value"
960 rather than just a value, and we can check the validity of the name, which
961 gives us a variable name to insert into the data block. The original ACL
962 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
963 extended to 20 of each type, but after that people successfully argued for
964 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
965 After that, we allow alphanumerics and underscores, but the first character
966 after c or m must be a digit or an underscore. This retains backwards
973 if (Ustrncmp(s, "acl_c", 5) != 0 &&
974 Ustrncmp(s, "acl_m", 5) != 0)
976 *error = string_sprintf("invalid variable name after \"set\" in ACL "
977 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
982 if (!isdigit(*endptr) && *endptr != '_')
984 *error = string_sprintf("invalid variable name after \"set\" in ACL "
985 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
990 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
992 if (!isalnum(*endptr) && *endptr != '_')
994 *error = string_sprintf("invalid character \"%c\" in variable name "
995 "in ACL modifier \"set %s\"", *endptr, s);
1001 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
1003 while (isspace(*s)) s++;
1006 /* For "set", we are now positioned for the data. For the others, only
1007 "endpass" has no data */
1009 if (c != ACLC_ENDPASS)
1013 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
1014 cond_modifiers[c]? US"modifier" : US"condition");
1017 while (isspace(*s)) s++;
1018 cond->arg = string_copy(s);
1027 /*************************************************
1028 * Set up added header line(s) *
1029 *************************************************/
1031 /* This function is called by the add_header modifier, and also from acl_warn()
1032 to implement the now-deprecated way of adding header lines using "message" on a
1033 "warn" verb. The argument is treated as a sequence of header lines which are
1034 added to a chain, provided there isn't an identical one already there.
1036 Argument: string of header lines
1041 setup_header(uschar *hstring)
1044 int hlen = Ustrlen(hstring);
1046 /* Ignore any leading newlines */
1047 while (*hstring == '\n') hstring++, hlen--;
1049 /* An empty string does nothing; ensure exactly one final newline. */
1050 if (hlen <= 0) return;
1051 if (hstring[--hlen] != '\n') hstring = string_sprintf("%s\n", hstring);
1052 else while(hstring[--hlen] == '\n') hstring[hlen+1] = '\0';
1054 /* Loop for multiple header lines, taking care about continuations */
1056 for (p = q = hstring; *p != 0; )
1059 int newtype = htype_add_bot;
1060 header_line **hptr = &acl_added_headers;
1062 /* Find next header line within the string */
1066 q = Ustrchr(q, '\n');
1067 if (*(++q) != ' ' && *q != '\t') break;
1070 /* If the line starts with a colon, interpret the instruction for where to
1071 add it. This temporarily sets up a new type. */
1075 if (strncmpic(p, US":after_received:", 16) == 0)
1077 newtype = htype_add_rec;
1080 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1082 newtype = htype_add_rfc;
1085 else if (strncmpic(p, US":at_start:", 10) == 0)
1087 newtype = htype_add_top;
1090 else if (strncmpic(p, US":at_end:", 8) == 0)
1092 newtype = htype_add_bot;
1095 while (*p == ' ' || *p == '\t') p++;
1098 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1099 to the front of it. */
1101 for (s = p; s < q - 1; s++)
1103 if (*s == ':' || !isgraph(*s)) break;
1106 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
1109 /* See if this line has already been added */
1111 while (*hptr != NULL)
1113 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1114 hptr = &((*hptr)->next);
1117 /* Add if not previously present */
1121 header_line *h = store_get(sizeof(header_line));
1130 /* Advance for next header line within the string */
1138 /*************************************************
1139 * List the added header lines *
1140 *************************************************/
1144 uschar * ret = NULL;
1145 header_line * h = acl_added_headers;
1151 if (!h) return NULL;
1156 while ((cp = Ustrchr(s, '\n')) != NULL)
1158 if (cp[1] == '\0') break;
1160 /* contains embedded newline; needs doubling */
1161 ret = string_cat(ret, &size, &ptr, s, cp-s+1);
1162 ret = string_cat(ret, &size, &ptr, US"\n", 1);
1165 /* last bit of header */
1167 ret = string_cat(ret, &size, &ptr, s, cp-s+1); /* newline-sep list */
1169 while((h = h->next));
1171 ret[ptr-1] = '\0'; /* overwrite last newline */
1176 /*************************************************
1177 * Set up removed header line(s) *
1178 *************************************************/
1180 /* This function is called by the remove_header modifier. The argument is
1181 treated as a sequence of header names which are added to a colon separated
1182 list, provided there isn't an identical one already there.
1184 Argument: string of header names
1189 setup_remove_header(uschar *hnames)
1193 if (acl_removed_headers == NULL)
1194 acl_removed_headers = hnames;
1196 acl_removed_headers = string_sprintf("%s : %s", acl_removed_headers, hnames);
1202 /*************************************************
1204 *************************************************/
1206 /* This function is called when a WARN verb's conditions are true. It adds to
1207 the message's headers, and/or writes information to the log. In each case, this
1208 only happens once (per message for headers, per connection for log).
1210 ** NOTE: The header adding action using the "message" setting is historic, and
1211 its use is now deprecated. The new add_header modifier should be used instead.
1214 where ACL_WHERE_xxxx indicating which ACL this is
1215 user_message message for adding to headers
1216 log_message message for logging, if different
1222 acl_warn(int where, uschar *user_message, uschar *log_message)
1224 if (log_message != NULL && log_message != user_message)
1227 string_item *logged;
1229 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1230 string_printing(log_message));
1232 /* If a sender verification has failed, and the log message is "sender verify
1233 failed", add the failure message. */
1235 if (sender_verified_failed != NULL &&
1236 sender_verified_failed->message != NULL &&
1237 strcmpic(log_message, US"sender verify failed") == 0)
1238 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1240 /* Search previously logged warnings. They are kept in malloc
1241 store so they can be freed at the start of a new message. */
1243 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1244 if (Ustrcmp(logged->text, text) == 0) break;
1248 int length = Ustrlen(text) + 1;
1249 log_write(0, LOG_MAIN, "%s", text);
1250 logged = store_malloc(sizeof(string_item) + length);
1251 logged->text = (uschar *)logged + sizeof(string_item);
1252 memcpy(logged->text, text, length);
1253 logged->next = acl_warn_logged;
1254 acl_warn_logged = logged;
1258 /* If there's no user message, we are done. */
1260 if (user_message == NULL) return;
1262 /* If this isn't a message ACL, we can't do anything with a user message.
1265 if (where > ACL_WHERE_NOTSMTP)
1267 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1268 "found in a non-message (%s) ACL: cannot specify header lines here: "
1269 "message ignored", acl_wherenames[where]);
1273 /* The code for setting up header lines is now abstracted into a separate
1274 function so that it can be used for the add_header modifier as well. */
1276 setup_header(user_message);
1281 /*************************************************
1282 * Verify and check reverse DNS *
1283 *************************************************/
1285 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1286 address if this has not yet been done. The host_name_lookup() function checks
1287 that one of these names resolves to an address list that contains the client IP
1288 address, so we don't actually have to do the check here.
1291 user_msgptr pointer for user message
1292 log_msgptr pointer for log message
1294 Returns: OK verification condition succeeded
1295 FAIL verification failed
1296 DEFER there was a problem verifying
1300 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1304 user_msgptr = user_msgptr; /* stop compiler warning */
1306 /* Previous success */
1308 if (sender_host_name != NULL) return OK;
1310 /* Previous failure */
1312 if (host_lookup_failed)
1314 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1318 /* Need to do a lookup */
1321 debug_printf("looking up host name to force name/address consistency check\n");
1323 if ((rc = host_name_lookup()) != OK)
1325 *log_msgptr = (rc == DEFER)?
1326 US"host lookup deferred for reverse lookup check"
1328 string_sprintf("host lookup failed for reverse lookup check%s",
1330 return rc; /* DEFER or FAIL */
1333 host_build_sender_fullhost();
1339 /*************************************************
1340 * Check client IP address matches CSA target *
1341 *************************************************/
1343 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1344 response for address records belonging to the CSA target hostname. The section
1345 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1346 If one of the addresses matches the client's IP address, then the client is
1347 authorized by CSA. If there are target IP addresses but none of them match
1348 then the client is using an unauthorized IP address. If there are no target IP
1349 addresses then the client cannot be using an authorized IP address. (This is
1350 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1353 dnsa the DNS answer block
1354 dnss a DNS scan block for us to use
1355 reset option specifing what portion to scan, as described above
1356 target the target hostname to use for matching RR names
1358 Returns: CSA_OK successfully authorized
1359 CSA_FAIL_MISMATCH addresses found but none matched
1360 CSA_FAIL_NOADDR no target addresses found
1364 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1370 BOOL target_found = FALSE;
1372 for (rr = dns_next_rr(dnsa, dnss, reset);
1374 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1376 /* Check this is an address RR for the target hostname. */
1380 && rr->type != T_AAAA
1387 if (strcmpic(target, rr->name) != 0) continue;
1389 target_found = TRUE;
1391 /* Turn the target address RR into a list of textual IP addresses and scan
1392 the list. There may be more than one if it is an A6 RR. */
1394 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1396 /* If the client IP address matches the target IP address, it's good! */
1398 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1400 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1404 /* If we found some target addresses but none of them matched, the client is
1405 using an unauthorized IP address, otherwise the target has no authorized IP
1408 if (target_found) return CSA_FAIL_MISMATCH;
1409 else return CSA_FAIL_NOADDR;
1414 /*************************************************
1415 * Verify Client SMTP Authorization *
1416 *************************************************/
1418 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1419 to find the CSA SRV record corresponding to the domain argument, or
1420 $sender_helo_name if no argument is provided. It then checks that the
1421 client is authorized, and that its IP address corresponds to the SRV
1422 target's address by calling acl_verify_csa_address() above. The address
1423 should have been returned in the DNS response's ADDITIONAL section, but if
1424 not we perform another DNS lookup to get it.
1427 domain pointer to optional parameter following verify = csa
1429 Returns: CSA_UNKNOWN no valid CSA record found
1430 CSA_OK successfully authorized
1431 CSA_FAIL_* client is definitely not authorized
1432 CSA_DEFER_* there was a DNS problem
1436 acl_verify_csa(uschar *domain)
1440 int priority, weight, port;
1447 /* Work out the domain we are using for the CSA lookup. The default is the
1448 client's HELO domain. If the client has not said HELO, use its IP address
1449 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1451 while (isspace(*domain) && *domain != '\0') ++domain;
1452 if (*domain == '\0') domain = sender_helo_name;
1453 if (domain == NULL) domain = sender_host_address;
1454 if (sender_host_address == NULL) return CSA_UNKNOWN;
1456 /* If we have an address literal, strip off the framing ready for turning it
1457 into a domain. The framing consists of matched square brackets possibly
1458 containing a keyword and a colon before the actual IP address. */
1460 if (domain[0] == '[')
1462 uschar *start = Ustrchr(domain, ':');
1463 if (start == NULL) start = domain;
1464 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1467 /* Turn domains that look like bare IP addresses into domains in the reverse
1468 DNS. This code also deals with address literals and $sender_host_address. It's
1469 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1470 address literals, but it's probably the most friendly thing to do. This is an
1471 extension to CSA, so we allow it to be turned off for proper conformance. */
1473 if (string_is_ip_address(domain, NULL) != 0)
1475 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1476 dns_build_reverse(domain, target);
1480 /* Find out if we've already done the CSA check for this domain. If we have,
1481 return the same result again. Otherwise build a new cached result structure
1482 for this domain. The name is filled in now, and the value is filled in when
1483 we return from this function. */
1485 t = tree_search(csa_cache, domain);
1486 if (t != NULL) return t->data.val;
1488 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1489 Ustrcpy(t->name, domain);
1490 (void)tree_insertnode(&csa_cache, t);
1492 /* Now we are ready to do the actual DNS lookup(s). */
1495 switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1497 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1500 return t->data.val = CSA_DEFER_SRV;
1502 /* If we found nothing, the client's authorization is unknown. */
1506 return t->data.val = CSA_UNKNOWN;
1508 /* We got something! Go on to look at the reply in more detail. */
1514 /* Scan the reply for well-formed CSA SRV records. */
1516 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1518 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1520 if (rr->type != T_SRV) continue;
1522 /* Extract the numerical SRV fields (p is incremented) */
1525 GETSHORT(priority, p);
1526 GETSHORT(weight, p);
1530 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1532 /* Check the CSA version number */
1534 if (priority != 1) continue;
1536 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1537 found by dns_special_lookup() is a parent of the one we asked for), we check
1538 the subdomain assertions in the port field. At the moment there's only one
1539 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1540 SRV records of their own. */
1542 if (found != domain)
1545 return t->data.val = CSA_FAIL_EXPLICIT;
1547 return t->data.val = CSA_UNKNOWN;
1550 /* This CSA SRV record refers directly to our domain, so we check the value
1551 in the weight field to work out the domain's authorization. 0 and 1 are
1552 unauthorized; 3 means the client is authorized but we can't check the IP
1553 address in order to authenticate it, so we treat it as unknown; values
1554 greater than 3 are undefined. */
1556 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1558 if (weight > 2) continue;
1560 /* Weight == 2, which means the domain is authorized. We must check that the
1561 client's IP address is listed as one of the SRV target addresses. Save the
1562 target hostname then break to scan the additional data for its addresses. */
1564 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1565 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1567 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1572 /* If we didn't break the loop then no appropriate records were found. */
1574 if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1576 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1577 A target of "." indicates there are no valid addresses, so the client cannot
1578 be authorized. (This is an odd configuration because weight=2 target=. is
1579 equivalent to weight=1, but we check for it in order to keep load off the
1580 root name servers.) Note that dn_expand() turns "." into "". */
1582 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1584 /* Scan the additional section of the CSA SRV reply for addresses belonging
1585 to the target. If the name server didn't return any additional data (e.g.
1586 because it does not fully support SRV records), we need to do another lookup
1587 to obtain the target addresses; otherwise we have a definitive result. */
1589 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1590 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1592 /* The DNS lookup type corresponds to the IP version used by the client. */
1595 if (Ustrchr(sender_host_address, ':') != NULL)
1598 #endif /* HAVE_IPV6 */
1602 #if HAVE_IPV6 && defined(SUPPORT_A6)
1606 switch (dns_lookup(&dnsa, target, type, NULL))
1608 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1611 return t->data.val = CSA_DEFER_ADDR;
1613 /* If the query succeeded, scan the addresses and return the result. */
1616 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1617 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1618 /* else fall through */
1620 /* If the target has no IP addresses, the client cannot have an authorized
1621 IP address. However, if the target site uses A6 records (not AAAA records)
1622 we have to do yet another lookup in order to check them. */
1627 #if HAVE_IPV6 && defined(SUPPORT_A6)
1628 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1631 return t->data.val = CSA_FAIL_NOADDR;
1637 /*************************************************
1638 * Handle verification (address & other) *
1639 *************************************************/
1641 enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1642 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
1647 unsigned where_allowed; /* bitmap */
1648 BOOL no_options; /* Never has /option(s) following */
1649 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1651 static verify_type_t verify_type_list[] = {
1652 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, TRUE, 0 },
1653 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1654 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1655 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1656 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1657 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1658 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1659 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1660 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1662 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
1666 enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1667 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1668 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1675 BOOL has_option; /* Has =option(s) following */
1676 BOOL timeval; /* Has a time value */
1678 static callout_opt_t callout_opt_list[] = {
1679 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1680 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1681 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1682 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1683 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1684 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1685 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1686 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1687 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1688 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1689 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1690 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1695 /* This function implements the "verify" condition. It is called when
1696 encountered in any ACL, because some tests are almost always permitted. Some
1697 just don't make sense, and always fail (for example, an attempt to test a host
1698 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1701 where where called from
1702 addr the recipient address that the ACL is handling, or NULL
1703 arg the argument of "verify"
1704 user_msgptr pointer for user message
1705 log_msgptr pointer for log message
1706 basic_errno where to put verify errno
1708 Returns: OK verification condition succeeded
1709 FAIL verification failed
1710 DEFER there was a problem verifying
1715 acl_verify(int where, address_item *addr, uschar *arg,
1716 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1720 int callout_overall = -1;
1721 int callout_connect = -1;
1722 int verify_options = 0;
1724 BOOL verify_header_sender = FALSE;
1725 BOOL defer_ok = FALSE;
1726 BOOL callout_defer_ok = FALSE;
1727 BOOL no_details = FALSE;
1728 BOOL success_on_redirect = FALSE;
1729 address_item *sender_vaddr = NULL;
1730 uschar *verify_sender_address = NULL;
1731 uschar *pm_mailfrom = NULL;
1732 uschar *se_mailfrom = NULL;
1734 /* Some of the verify items have slash-separated options; some do not. Diagnose
1735 an error if options are given for items that don't expect them.
1738 uschar *slash = Ustrchr(arg, '/');
1740 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1743 if (ss == NULL) goto BAD_VERIFY;
1745 /* Handle name/address consistency verification in a separate function. */
1747 for (vp= verify_type_list;
1748 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1751 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1752 : strcmpic (ss, vp->name) == 0)
1754 if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1757 if (vp->no_options && slash != NULL)
1759 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1760 "(this verify item has no options)", arg);
1763 if (!(vp->where_allowed & (1<<where)))
1765 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1770 case VERIFY_REV_HOST_LKUP:
1771 if (sender_host_address == NULL) return OK;
1772 return acl_verify_reverse(user_msgptr, log_msgptr);
1775 /* TLS certificate verification is done at STARTTLS time; here we just
1776 test whether it was successful or not. (This is for optional verification; for
1777 mandatory verification, the connection doesn't last this long.) */
1779 if (tls_in.certificate_verified) return OK;
1780 *user_msgptr = US"no verified certificate";
1784 /* We can test the result of optional HELO verification that might have
1785 occurred earlier. If not, we can attempt the verification now. */
1787 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1788 return helo_verified? OK : FAIL;
1791 /* Do Client SMTP Authorization checks in a separate function, and turn the
1792 result code into user-friendly strings. */
1794 rc = acl_verify_csa(list);
1795 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1796 csa_reason_string[rc]);
1797 csa_status = csa_status_string[rc];
1798 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1799 return csa_return_code[rc];
1801 case VERIFY_HDR_SYNTAX:
1802 /* Check that all relevant header lines have the correct syntax. If there is
1803 a syntax error, we return details of the error to the sender if configured to
1804 send out full details. (But a "message" setting on the ACL can override, as
1807 rc = verify_check_headers(log_msgptr);
1808 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1809 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1812 case VERIFY_NOT_BLIND:
1813 /* Check that no recipient of this message is "blind", that is, every envelope
1814 recipient must be mentioned in either To: or Cc:. */
1816 rc = verify_check_notblind();
1819 *log_msgptr = string_sprintf("bcc recipient detected");
1820 if (smtp_return_error_details)
1821 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1825 /* The remaining verification tests check recipient and sender addresses,
1826 either from the envelope or from the header. There are a number of
1827 slash-separated options that are common to all of them. */
1829 case VERIFY_HDR_SNDR:
1830 verify_header_sender = TRUE;
1834 /* In the case of a sender, this can optionally be followed by an address to use
1835 in place of the actual sender (rare special-case requirement). */
1839 verify_sender_address = sender_address;
1842 while (isspace(*s)) s++;
1843 if (*s++ != '=') goto BAD_VERIFY;
1844 while (isspace(*s)) s++;
1845 verify_sender_address = string_copy(s);
1856 /* Remaining items are optional; they apply to sender and recipient
1857 verification, including "header sender" verification. */
1859 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1862 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1863 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1864 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1866 /* These two old options are left for backwards compatibility */
1868 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1870 callout_defer_ok = TRUE;
1871 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1874 else if (strcmpic(ss, US"check_postmaster") == 0)
1877 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1880 /* The callout option has a number of sub-options, comma separated */
1882 else if (strncmpic(ss, US"callout", 7) == 0)
1884 callout = CALLOUT_TIMEOUT_DEFAULT;
1888 while (isspace(*ss)) ss++;
1894 while (isspace(*ss)) ss++;
1896 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1900 double period = 1.0F;
1902 for (op= callout_opt_list; op->name; op++)
1903 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
1906 verify_options |= op->flag;
1909 opt += Ustrlen(op->name);
1910 while (isspace(*opt)) opt++;
1913 *log_msgptr = string_sprintf("'=' expected after "
1914 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
1917 while (isspace(*opt)) opt++;
1921 period = readconf_readtime(opt, 0, FALSE);
1924 *log_msgptr = string_sprintf("bad time value in ACL condition "
1925 "\"verify %s\"", arg);
1932 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1933 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1934 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1935 case CALLOUT_MAILFROM:
1936 if (!verify_header_sender)
1938 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1939 "callout option only for verify=header_sender (detected in ACL "
1940 "condition \"%s\")", arg);
1943 se_mailfrom = string_copy(opt);
1945 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1946 case CALLOUT_MAXWAIT: callout_overall = period; break;
1947 case CALLOUT_CONNECT: callout_connect = period; break;
1948 case CALLOUT_TIME: callout = period; break;
1954 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1955 "ACL condition \"%s\"", arg);
1961 /* Option not recognized */
1965 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1966 "condition \"verify %s\"", ss, arg);
1971 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1972 (vopt_callout_recipsender|vopt_callout_recippmaster))
1974 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1975 "for a recipient callout";
1979 /* Handle sender-in-header verification. Default the user message to the log
1980 message if giving out verification details. */
1982 if (verify_header_sender)
1985 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1986 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1990 *basic_errno = verrno;
1991 if (smtp_return_error_details)
1993 if (*user_msgptr == NULL && *log_msgptr != NULL)
1994 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1995 if (rc == DEFER) acl_temp_details = TRUE;
2000 /* Handle a sender address. The default is to verify *the* sender address, but
2001 optionally a different address can be given, for special requirements. If the
2002 address is empty, we are dealing with a bounce message that has no sender, so
2003 we cannot do any checking. If the real sender address gets rewritten during
2004 verification (e.g. DNS widening), set the flag to stop it being rewritten again
2005 during message reception.
2007 A list of verified "sender" addresses is kept to try to avoid doing to much
2008 work repetitively when there are multiple recipients in a message and they all
2009 require sender verification. However, when callouts are involved, it gets too
2010 complicated because different recipients may require different callout options.
2011 Therefore, we always do a full sender verify when any kind of callout is
2012 specified. Caching elsewhere, for instance in the DNS resolver and in the
2013 callout handling, should ensure that this is not terribly inefficient. */
2015 else if (verify_sender_address != NULL)
2017 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
2020 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
2021 "sender verify callout";
2025 sender_vaddr = verify_checked_sender(verify_sender_address);
2026 if (sender_vaddr != NULL && /* Previously checked */
2027 callout <= 0) /* No callout needed this time */
2029 /* If the "routed" flag is set, it means that routing worked before, so
2030 this check can give OK (the saved return code value, if set, belongs to a
2031 callout that was done previously). If the "routed" flag is not set, routing
2032 must have failed, so we use the saved return code. */
2034 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
2036 rc = sender_vaddr->special_action;
2037 *basic_errno = sender_vaddr->basic_errno;
2039 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
2042 /* Do a new verification, and cache the result. The cache is used to avoid
2043 verifying the sender multiple times for multiple RCPTs when callouts are not
2044 specified (see comments above).
2046 The cache is also used on failure to give details in response to the first
2047 RCPT that gets bounced for this reason. However, this can be suppressed by
2048 the no_details option, which sets the flag that says "this detail has already
2049 been sent". The cache normally contains just one address, but there may be
2050 more in esoteric circumstances. */
2055 uschar *save_address_data = deliver_address_data;
2057 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
2058 if (no_details) setflag(sender_vaddr, af_sverify_told);
2059 if (verify_sender_address[0] != 0)
2061 /* If this is the real sender address, save the unrewritten version
2062 for use later in receive. Otherwise, set a flag so that rewriting the
2063 sender in verify_address() does not update sender_address. */
2065 if (verify_sender_address == sender_address)
2066 sender_address_unrewritten = sender_address;
2068 verify_options |= vopt_fake_sender;
2070 if (success_on_redirect)
2071 verify_options |= vopt_success_on_redirect;
2073 /* The recipient, qualify, and expn options are never set in
2076 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
2077 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
2079 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
2083 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2085 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
2086 verify_sender_address, sender_vaddr->address);
2090 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
2091 verify_sender_address);
2094 else *basic_errno = sender_vaddr->basic_errno;
2096 else rc = OK; /* Null sender */
2098 /* Cache the result code */
2100 if (routed) setflag(sender_vaddr, af_verify_routed);
2101 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2102 sender_vaddr->special_action = rc;
2103 sender_vaddr->next = sender_verified_list;
2104 sender_verified_list = sender_vaddr;
2106 /* Restore the recipient address data, which might have been clobbered by
2107 the sender verification. */
2109 deliver_address_data = save_address_data;
2112 /* Put the sender address_data value into $sender_address_data */
2114 sender_address_data = sender_vaddr->p.address_data;
2117 /* A recipient address just gets a straightforward verify; again we must handle
2118 the DEFER overrides. */
2124 if (success_on_redirect)
2125 verify_options |= vopt_success_on_redirect;
2127 /* We must use a copy of the address for verification, because it might
2131 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
2132 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
2133 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
2135 *basic_errno = addr2.basic_errno;
2136 *log_msgptr = addr2.message;
2137 *user_msgptr = (addr2.user_message != NULL)?
2138 addr2.user_message : addr2.message;
2140 /* Allow details for temporary error if the address is so flagged. */
2141 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
2143 /* Make $address_data visible */
2144 deliver_address_data = addr2.p.address_data;
2147 /* We have a result from the relevant test. Handle defer overrides first. */
2149 if (rc == DEFER && (defer_ok ||
2150 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
2152 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
2153 defer_ok? "defer_ok" : "callout_defer_ok");
2157 /* If we've failed a sender, set up a recipient message, and point
2158 sender_verified_failed to the address item that actually failed. */
2160 if (rc != OK && verify_sender_address != NULL)
2164 *log_msgptr = *user_msgptr = US"Sender verify failed";
2166 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2168 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2172 *log_msgptr = US"Could not complete sender verify callout";
2173 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2177 sender_verified_failed = sender_vaddr;
2180 /* Verifying an address messes up the values of $domain and $local_part,
2181 so reset them before returning if this is a RCPT ACL. */
2185 deliver_domain = addr->domain;
2186 deliver_localpart = addr->local_part;
2190 /* Syntax errors in the verify argument come here. */
2193 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2194 "\"helo\", \"header_syntax\", \"header_sender\" or "
2195 "\"reverse_host_lookup\" at start of ACL condition "
2196 "\"verify %s\"", arg);
2203 /*************************************************
2204 * Check argument for control= modifier *
2205 *************************************************/
2207 /* Called from acl_check_condition() below
2210 arg the argument string for control=
2211 pptr set to point to the terminating character
2212 where which ACL we are in
2213 log_msgptr for error messages
2215 Returns: CONTROL_xxx value
2219 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2224 for (d = controls_list;
2225 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2228 len = Ustrlen(d->name);
2229 if (Ustrncmp(d->name, arg, len) == 0) break;
2232 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2233 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2235 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2236 return CONTROL_ERROR;
2246 /*************************************************
2247 * Return a ratelimit error *
2248 *************************************************/
2250 /* Called from acl_ratelimit() below
2253 log_msgptr for error messages
2254 format format string
2255 ... supplementary arguments
2256 ss ratelimit option name
2257 where ACL_WHERE_xxxx indicating which ACL this is
2263 ratelimit_error(uschar **log_msgptr, const char *format, ...)
2266 uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2267 va_start(ap, format);
2268 if (!string_vformat(buffer, sizeof(buffer), format, ap))
2269 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2270 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
2272 *log_msgptr = string_sprintf(
2273 "error in arguments to \"ratelimit\" condition: %s", buffer);
2280 /*************************************************
2281 * Handle rate limiting *
2282 *************************************************/
2284 /* Called by acl_check_condition() below to calculate the result
2285 of the ACL ratelimit condition.
2287 Note that the return value might be slightly unexpected: if the
2288 sender's rate is above the limit then the result is OK. This is
2289 similar to the dnslists condition, and is so that you can write
2290 ACL clauses like: defer ratelimit = 15 / 1h
2293 arg the option string for ratelimit=
2294 where ACL_WHERE_xxxx indicating which ACL this is
2295 log_msgptr for error messages
2297 Returns: OK - Sender's rate is above limit
2298 FAIL - Sender's rate is below limit
2299 DEFER - Problem opening ratelimit database
2300 ERROR - Syntax error in options.
2304 acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
2306 double limit, period, count;
2309 uschar *unique = NULL;
2311 BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2312 BOOL noupdate = FALSE, badacl = FALSE;
2313 int mode = RATE_PER_WHAT;
2315 tree_node **anchor, *t;
2316 open_db dbblock, *dbm;
2318 dbdata_ratelimit *dbd;
2319 dbdata_ratelimit_unique *dbdb;
2322 /* Parse the first two options and record their values in expansion
2323 variables. These variables allow the configuration to have informative
2324 error messages based on rate limits obtained from a table lookup. */
2326 /* First is the maximum number of messages per period / maximum burst
2327 size, which must be greater than or equal to zero. Zero is useful for
2328 rate measurement as opposed to rate limiting. */
2330 sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2331 if (sender_rate_limit == NULL)
2335 limit = Ustrtod(sender_rate_limit, &ss);
2336 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2337 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2338 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2340 if (limit < 0.0 || *ss != '\0')
2341 return ratelimit_error(log_msgptr,
2342 "\"%s\" is not a positive number", sender_rate_limit);
2344 /* Second is the rate measurement period / exponential smoothing time
2345 constant. This must be strictly greater than zero, because zero leads to
2346 run-time division errors. */
2348 sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2349 if (sender_rate_period == NULL) period = -1.0;
2350 else period = readconf_readtime(sender_rate_period, 0, FALSE);
2352 return ratelimit_error(log_msgptr,
2353 "\"%s\" is not a time value", sender_rate_period);
2355 /* By default we are counting one of something, but the per_rcpt,
2356 per_byte, and count options can change this. */
2360 /* Parse the other options. */
2362 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2365 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2366 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2367 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2368 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2369 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2370 else if (strcmpic(ss, US"per_conn") == 0)
2372 RATE_SET(mode, PER_CONN);
2373 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2376 else if (strcmpic(ss, US"per_mail") == 0)
2378 RATE_SET(mode, PER_MAIL);
2379 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2381 else if (strcmpic(ss, US"per_rcpt") == 0)
2383 /* If we are running in the RCPT ACL, then we'll count the recipients
2384 one by one, but if we are running when we have accumulated the whole
2385 list then we'll add them all in one batch. */
2386 if (where == ACL_WHERE_RCPT)
2387 RATE_SET(mode, PER_RCPT);
2388 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2389 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2390 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2391 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2393 else if (strcmpic(ss, US"per_byte") == 0)
2395 /* If we have not yet received the message data and there was no SIZE
2396 declaration on the MAIL comand, then it's safe to just use a value of
2397 zero and let the recorded rate decay as if nothing happened. */
2398 RATE_SET(mode, PER_MAIL);
2399 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2400 else count = message_size < 0 ? 0.0 : (double)message_size;
2402 else if (strcmpic(ss, US"per_addr") == 0)
2404 RATE_SET(mode, PER_RCPT);
2405 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
2406 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2408 else if (strncmpic(ss, US"count=", 6) == 0)
2411 count = Ustrtod(ss+6, &e);
2412 if (count < 0.0 || *e != '\0')
2413 return ratelimit_error(log_msgptr,
2414 "\"%s\" is not a positive number", ss);
2416 else if (strncmpic(ss, US"unique=", 7) == 0)
2417 unique = string_copy(ss + 7);
2418 else if (key == NULL)
2419 key = string_copy(ss);
2421 key = string_sprintf("%s/%s", key, ss);
2424 /* Sanity check. When the badacl flag is set the update mode must either
2425 be readonly (which is the default if it is omitted) or, for backwards
2426 compatibility, a combination of noupdate and strict or leaky. */
2428 if (mode == RATE_PER_CLASH)
2429 return ratelimit_error(log_msgptr, "conflicting per_* options");
2430 if (leaky + strict + readonly > 1)
2431 return ratelimit_error(log_msgptr, "conflicting update modes");
2432 if (badacl && (leaky || strict) && !noupdate)
2433 return ratelimit_error(log_msgptr,
2434 "\"%s\" must not have /leaky or /strict option in %s ACL",
2435 ratelimit_option_string[mode], acl_wherenames[where]);
2437 /* Set the default values of any unset options. In readonly mode we
2438 perform the rate computation without any increment so that its value
2439 decays to eventually allow over-limit senders through. */
2441 if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2442 if (badacl) readonly = TRUE;
2443 if (readonly) count = 0.0;
2444 if (!strict && !readonly) leaky = TRUE;
2445 if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
2447 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2448 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2449 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2450 are added to the key because they alter the meaning of the stored data. */
2453 key = (sender_host_address == NULL)? US"" : sender_host_address;
2455 key = string_sprintf("%s/%s/%s%s",
2457 ratelimit_option_string[mode],
2458 unique == NULL ? "" : "unique/",
2462 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
2464 /* See if we have already computed the rate by looking in the relevant tree.
2465 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2466 pool so that they survive across resets. In readonly mode we only remember the
2467 result for the rest of this command in case a later command changes it. After
2468 this bit of logic the code is independent of the per_* mode. */
2470 old_pool = store_pool;
2473 anchor = &ratelimiters_cmd;
2476 anchor = &ratelimiters_conn;
2477 store_pool = POOL_PERM;
2481 case RATE_PER_ALLRCPTS:
2482 anchor = &ratelimiters_mail;
2487 anchor = &ratelimiters_cmd;
2490 anchor = NULL; /* silence an "unused" complaint */
2491 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2492 "internal ACL error: unknown ratelimit mode %d", mode);
2496 t = tree_search(*anchor, key);
2500 /* The following few lines duplicate some of the code below. */
2501 rc = (dbd->rate < limit)? FAIL : OK;
2502 store_pool = old_pool;
2503 sender_rate = string_sprintf("%.1f", dbd->rate);
2505 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2509 /* We aren't using a pre-computed rate, so get a previously recorded rate
2510 from the database, which will be updated and written back if required. */
2512 dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2515 store_pool = old_pool;
2517 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2518 *log_msgptr = US"ratelimit database not available";
2521 dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2524 gettimeofday(&tv, NULL);
2528 /* Locate the basic ratelimit block inside the DB data. */
2529 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2532 /* Forget the old Bloom filter if it is too old, so that we count each
2533 repeating event once per period. We don't simply clear and re-use the old
2534 filter because we want its size to change if the limit changes. Note that
2535 we keep the dbd pointer for copying the rate into the new data block. */
2537 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2539 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2545 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2547 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2552 /* Allocate a new data block if the database lookup failed
2553 or the Bloom filter passed its age limit. */
2559 /* No Bloom filter. This basic ratelimit block is initialized below. */
2560 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2561 dbdb_size = sizeof(*dbd);
2562 dbdb = store_get(dbdb_size);
2567 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2569 /* See the long comment below for an explanation of the magic number 2.
2570 The filter has a minimum size in case the rate limit is very small;
2571 this is determined by the definition of dbdata_ratelimit_unique. */
2573 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2574 if (extra < 0) extra = 0;
2575 dbdb_size = sizeof(*dbdb) + extra;
2576 dbdb = store_get(dbdb_size);
2577 dbdb->bloom_epoch = tv.tv_sec;
2578 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2579 memset(dbdb->bloom, 0, dbdb->bloom_size);
2581 /* Preserve any basic ratelimit data (which is our longer-term memory)
2582 by copying it from the discarded block. */
2592 /* If we are counting unique events, find out if this event is new or not.
2593 If the client repeats the event during the current period then it should be
2594 counted. We skip this code in readonly mode for efficiency, because any
2595 changes to the filter will be discarded and because count is already set to
2598 if (unique != NULL && !readonly)
2600 /* We identify unique events using a Bloom filter. (You can find my
2601 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2602 With the per_addr option, an "event" is a recipient address, though the
2603 user can use the unique option to define their own events. We only count
2604 an event if we have not seen it before.
2606 We size the filter according to the rate limit, which (in leaky mode)
2607 is the limit on the population of the filter. We allow 16 bits of space
2608 per entry (see the construction code above) and we set (up to) 8 of them
2609 when inserting an element (see the loop below). The probability of a false
2610 positive (an event we have not seen before but which we fail to count) is
2614 allzero = exp(-numhash * pop / size)
2615 = exp(-0.5 * pop / limit)
2616 fpr = pow(1 - allzero, numhash)
2618 For senders at the limit the fpr is 0.06% or 1 in 1700
2619 and for senders at half the limit it is 0.0006% or 1 in 170000
2621 In strict mode the Bloom filter can fill up beyond the normal limit, in
2622 which case the false positive rate will rise. This means that the
2623 measured rate for very fast senders can bogusly drop off after a while.
2625 At twice the limit, the fpr is 2.5% or 1 in 40
2626 At four times the limit, it is 31% or 1 in 3.2
2628 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2629 decay below the limit, and if this is more than one then the Bloom filter
2630 will be discarded before the decay gets that far. The false positive rate
2631 at this threshold is 9.3% or 1 in 10.7. */
2634 unsigned n, hash, hinc;
2638 /* Instead of using eight independent hash values, we combine two values
2639 using the formula h1 + n * h2. This does not harm the Bloom filter's
2640 performance, and means the amount of hash we need is independent of the
2641 number of bits we set in the filter. */
2643 md5_start(&md5info);
2644 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2645 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2646 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2648 /* Scan the bits corresponding to this event. A zero bit means we have
2649 not seen it before. Ensure all bits are set to record this event. */
2651 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2654 for (n = 0; n < 8; n++, hash += hinc)
2656 int bit = 1 << (hash % 8);
2657 int byte = (hash / 8) % dbdb->bloom_size;
2658 if ((dbdb->bloom[byte] & bit) == 0)
2660 dbdb->bloom[byte] |= bit;
2665 /* If this event has occurred before, do not count it. */
2669 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2673 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2676 /* If there was no previous ratelimit data block for this key, initialize
2677 the new one, otherwise update the block from the database. The initial rate
2678 is what would be computed by the code below for an infinite interval. */
2682 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2684 dbd->time_stamp = tv.tv_sec;
2685 dbd->time_usec = tv.tv_usec;
2690 /* The smoothed rate is computed using an exponentially weighted moving
2691 average adjusted for variable sampling intervals. The standard EWMA for
2692 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2693 where f() is the measured value and f'() is the smoothed value.
2695 Old data decays out of the smoothed value exponentially, such that data n
2696 samples old is multiplied by a^n. The exponential decay time constant p
2697 is defined such that data p samples old is multiplied by 1/e, which means
2698 that a = exp(-1/p). We can maintain the same time constant for a variable
2699 sampling interval i by using a = exp(-i/p).
2701 The rate we are measuring is messages per period, suitable for directly
2702 comparing with the limit. The average rate between now and the previous
2703 message is period / interval, which we feed into the EWMA as the sample.
2705 It turns out that the number of messages required for the smoothed rate
2706 to reach the limit when they are sent in a burst is equal to the limit.
2707 This can be seen by analysing the value of the smoothed rate after N
2708 messages sent at even intervals. Let k = (1 - a) * p/i
2710 rate_1 = (1 - a) * p/i + a * rate_0
2712 rate_2 = k + a * rate_1
2713 = k + a * k + a^2 * rate_0
2714 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2715 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2716 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2717 = rate_0 * a^N + p/i * (1 - a^N)
2719 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2721 rate_N = p/i + (rate_0 - p/i) * a^N
2722 a^N = (rate_N - p/i) / (rate_0 - p/i)
2723 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2724 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2726 Numerical analysis of the above equation, setting the computed rate to
2727 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2728 rates, p/i, the number of messages N = limit. So limit serves as both the
2729 maximum rate measured in messages per period, and the maximum number of
2730 messages that can be sent in a fast burst. */
2732 double this_time = (double)tv.tv_sec
2733 + (double)tv.tv_usec / 1000000.0;
2734 double prev_time = (double)dbd->time_stamp
2735 + (double)dbd->time_usec / 1000000.0;
2737 /* We must avoid division by zero, and deal gracefully with the clock going
2738 backwards. If we blunder ahead when time is in reverse then the computed
2739 rate will be bogus. To be safe we clamp interval to a very small number. */
2741 double interval = this_time - prev_time <= 0.0 ? 1e-9
2742 : this_time - prev_time;
2744 double i_over_p = interval / period;
2745 double a = exp(-i_over_p);
2747 /* Combine the instantaneous rate (period / interval) with the previous rate
2748 using the smoothing factor a. In order to measure sized events, multiply the
2749 instantaneous rate by the count of bytes or recipients etc. */
2751 dbd->time_stamp = tv.tv_sec;
2752 dbd->time_usec = tv.tv_usec;
2753 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2755 /* When events are very widely spaced the computed rate tends towards zero.
2756 Although this is accurate it turns out not to be useful for our purposes,
2757 especially when the first event after a long silence is the start of a spam
2758 run. A more useful model is that the rate for an isolated event should be the
2759 size of the event per the period size, ignoring the lack of events outside
2760 the current period and regardless of where the event falls in the period. So,
2761 if the interval was so long that the calculated rate is unhelpfully small, we
2762 re-intialize the rate. In the absence of higher-rate bursts, the condition
2763 below is true if the interval is greater than the period. */
2765 if (dbd->rate < count) dbd->rate = count;
2768 /* Clients sending at the limit are considered to be over the limit.
2769 This matters for edge cases such as a limit of zero, when the client
2770 should be completely blocked. */
2772 rc = (dbd->rate < limit)? FAIL : OK;
2774 /* Update the state if the rate is low or if we are being strict. If we
2775 are in leaky mode and the sender's rate is too high, we do not update
2776 the recorded rate in order to avoid an over-aggressive sender's retry
2777 rate preventing them from getting any email through. If readonly is set,
2778 neither leaky nor strict are set, so we do not do any updates. */
2780 if ((rc == FAIL && leaky) || strict)
2782 dbfn_write(dbm, key, dbdb, dbdb_size);
2783 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2787 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
2788 readonly? "readonly mode" : "over the limit, but leaky");
2793 /* Store the result in the tree for future reference. */
2795 t = store_get(sizeof(tree_node) + Ustrlen(key));
2797 Ustrcpy(t->name, key);
2798 (void)tree_insertnode(anchor, t);
2800 /* We create the formatted version of the sender's rate very late in
2801 order to ensure that it is done using the correct storage pool. */
2803 store_pool = old_pool;
2804 sender_rate = string_sprintf("%.1f", dbd->rate);
2807 debug_printf("ratelimit computed rate %s\n", sender_rate);
2814 /*************************************************
2815 * Handle conditions/modifiers on an ACL item *
2816 *************************************************/
2818 /* Called from acl_check() below.
2822 cb ACL condition block - if NULL, result is OK
2823 where where called from
2824 addr the address being checked for RCPT, or NULL
2825 level the nesting level
2826 epp pointer to pass back TRUE if "endpass" encountered
2827 (applies only to "accept" and "discard")
2828 user_msgptr user message pointer
2829 log_msgptr log message pointer
2830 basic_errno pointer to where to put verify error
2832 Returns: OK - all conditions are met
2833 DISCARD - an "acl" condition returned DISCARD - only allowed
2834 for "accept" or "discard" verbs
2835 FAIL - at least one condition fails
2836 FAIL_DROP - an "acl" condition returned FAIL_DROP
2837 DEFER - can't tell at the moment (typically, lookup defer,
2838 but can be temporary callout problem)
2839 ERROR - ERROR from nested ACL or expansion failure or other
2844 acl_check_condition(int verb, acl_condition_block *cb, int where,
2845 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2846 uschar **log_msgptr, int *basic_errno)
2848 uschar *user_message = NULL;
2849 uschar *log_message = NULL;
2850 uschar *debug_tag = NULL;
2851 uschar *debug_opts = NULL;
2854 #ifdef WITH_CONTENT_SCAN
2858 for (; cb != NULL; cb = cb->next)
2863 /* The message and log_message items set up messages to be used in
2864 case of rejection. They are expanded later. */
2866 if (cb->type == ACLC_MESSAGE)
2868 user_message = cb->arg;
2872 if (cb->type == ACLC_LOG_MESSAGE)
2874 log_message = cb->arg;
2878 /* The endpass "condition" just sets a flag to show it occurred. This is
2879 checked at compile time to be on an "accept" or "discard" item. */
2881 if (cb->type == ACLC_ENDPASS)
2887 /* For other conditions and modifiers, the argument is expanded now for some
2888 of them, but not for all, because expansion happens down in some lower level
2889 checking functions in some cases. */
2891 if (cond_expand_at_top[cb->type])
2893 arg = expand_string(cb->arg);
2896 if (expand_string_forcedfail) continue;
2897 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2898 cb->arg, expand_string_message);
2899 return search_find_defer? DEFER : ERROR;
2904 /* Show condition, and expanded condition if it's different */
2909 debug_printf("check %s%s %n",
2910 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2911 conditions[cb->type], &lhswidth);
2913 if (cb->type == ACLC_SET)
2915 debug_printf("acl_%s ", cb->u.varname);
2916 lhswidth += 5 + Ustrlen(cb->u.varname);
2919 debug_printf("= %s\n", cb->arg);
2922 debug_printf("%.*s= %s\n", lhswidth,
2926 /* Check that this condition makes sense at this time */
2928 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2930 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2931 cond_modifiers[cb->type]? "use" : "test",
2932 conditions[cb->type], acl_wherenames[where]);
2936 /* Run the appropriate test for each condition, or take the appropriate
2937 action for the remaining modifiers. */
2941 case ACLC_ADD_HEADER:
2945 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2949 rc = acl_check_wargs(where, addr, arg, level+1, user_msgptr, log_msgptr);
2950 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2952 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2953 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2959 case ACLC_AUTHENTICATED:
2960 rc = (sender_host_authenticated == NULL)? FAIL :
2961 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2965 #ifdef EXPERIMENTAL_BRIGHTMAIL
2966 case ACLC_BMI_OPTIN:
2968 int old_pool = store_pool;
2969 store_pool = POOL_PERM;
2970 bmi_current_optin = string_copy(arg);
2971 store_pool = old_pool;
2976 case ACLC_CONDITION:
2977 /* The true/false parsing here should be kept in sync with that used in
2978 expand.c when dealing with ECOND_BOOL so that we don't have too many
2979 different definitions of what can be a boolean. */
2980 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2981 rc = (Uatoi(arg) == 0)? FAIL : OK;
2983 rc = (strcmpic(arg, US"no") == 0 ||
2984 strcmpic(arg, US"false") == 0)? FAIL :
2985 (strcmpic(arg, US"yes") == 0 ||
2986 strcmpic(arg, US"true") == 0)? OK : DEFER;
2988 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2991 case ACLC_CONTINUE: /* Always succeeds */
2995 control_type = decode_control(arg, &p, where, log_msgptr);
2997 /* Check if this control makes sense at this time */
2999 if ((control_forbids[control_type] & (1 << where)) != 0)
3001 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
3002 controls[control_type], acl_wherenames[where]);
3006 switch(control_type)
3008 case CONTROL_AUTH_UNADVERTISED:
3009 allow_auth_unadvertised = TRUE;
3012 #ifdef EXPERIMENTAL_BRIGHTMAIL
3013 case CONTROL_BMI_RUN:
3018 #ifndef DISABLE_DKIM
3019 case CONTROL_DKIM_VERIFY:
3020 dkim_disable_verify = TRUE;
3021 #ifdef EXPERIMENTAL_DMARC
3022 /* Since DKIM was blocked, skip DMARC too */
3023 dmarc_disable_verify = TRUE;
3024 dmarc_enable_forensic = FALSE;
3029 #ifdef EXPERIMENTAL_DMARC
3030 case CONTROL_DMARC_VERIFY:
3031 dmarc_disable_verify = TRUE;
3034 case CONTROL_DMARC_FORENSIC:
3035 dmarc_enable_forensic = TRUE;
3042 int fd, af, level, optname, value;
3043 /* If we are acting on stdin, the setsockopt may fail if stdin is not
3044 a socket; we can accept that, we'll just debug-log failures anyway. */
3045 fd = fileno(smtp_in);
3046 af = ip_get_address_family(fd);
3050 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
3054 if (dscp_lookup(p+1, af, &level, &optname, &value))
3056 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3058 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
3059 p+1, strerror(errno));
3063 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
3068 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3074 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3082 case CONTROL_CASEFUL_LOCAL_PART:
3083 deliver_localpart = addr->cc_local_part;
3086 case CONTROL_CASELOWER_LOCAL_PART:
3087 deliver_localpart = addr->lc_local_part;
3090 case CONTROL_ENFORCE_SYNC:
3091 smtp_enforce_sync = TRUE;
3094 case CONTROL_NO_ENFORCE_SYNC:
3095 smtp_enforce_sync = FALSE;
3098 #ifdef WITH_CONTENT_SCAN
3099 case CONTROL_NO_MBOX_UNSPOOL:
3100 no_mbox_unspool = TRUE;
3104 case CONTROL_NO_MULTILINE:
3105 no_multiline_responses = TRUE;
3108 case CONTROL_NO_PIPELINING:
3109 pipelining_enable = FALSE;
3112 case CONTROL_NO_DELAY_FLUSH:
3113 disable_delay_flush = TRUE;
3116 case CONTROL_NO_CALLOUT_FLUSH:
3117 disable_callout_flush = TRUE;
3120 case CONTROL_FAKEDEFER:
3121 case CONTROL_FAKEREJECT:
3122 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
3126 while (*pp != 0) pp++;
3127 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
3132 /* Explicitly reset to default string */
3133 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
3137 case CONTROL_FREEZE:
3138 deliver_freeze = TRUE;
3139 deliver_frozen_at = time(NULL);
3140 freeze_tell = freeze_tell_config; /* Reset to configured value */
3141 if (Ustrncmp(p, "/no_tell", 8) == 0)
3148 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3153 case CONTROL_QUEUE_ONLY:
3154 queue_only_policy = TRUE;
3157 case CONTROL_SUBMISSION:
3158 originator_name = US"";
3159 submission_mode = TRUE;
3162 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3165 active_local_sender_retain = TRUE;
3166 active_local_from_check = FALSE;
3168 else if (Ustrncmp(p, "/domain=", 8) == 0)
3171 while (*pp != 0 && *pp != '/') pp++;
3172 submission_domain = string_copyn(p+8, pp-p-8);
3175 /* The name= option must be last, because it swallows the rest of
3177 else if (Ustrncmp(p, "/name=", 6) == 0)
3180 while (*pp != 0) pp++;
3181 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
3182 big_buffer, big_buffer_size));
3189 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3197 if (Ustrncmp(p, "/tag=", 5) == 0)
3200 while (*pp != '\0' && *pp != '/') pp++;
3201 debug_tag = string_copyn(p+5, pp-p-5);
3204 else if (Ustrncmp(p, "/opts=", 6) == 0)
3207 while (*pp != '\0' && *pp != '/') pp++;
3208 debug_opts = string_copyn(p+6, pp-p-6);
3212 debug_logging_activate(debug_tag, debug_opts);
3215 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3216 suppress_local_fixups = TRUE;
3219 case CONTROL_CUTTHROUGH_DELIVERY:
3222 *log_msgptr = string_sprintf("\"control=%s\" on frozen item", arg);
3225 if (queue_only_policy)
3227 *log_msgptr = string_sprintf("\"control=%s\" on queue-only item", arg);
3230 cutthrough_delivery = TRUE;
3235 #ifdef EXPERIMENTAL_DCC
3238 /* Seperate the regular expression and any optional parameters. */
3239 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3240 /* Run the dcc backend. */
3241 rc = dcc_process(&ss);
3242 /* Modify return code based upon the existance of options. */
3243 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3245 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3247 /* FAIL so that the message is passed to the next ACL */
3255 #ifdef WITH_CONTENT_SCAN
3257 rc = mime_decode(&arg);
3263 int delay = readconf_readtime(arg, 0, FALSE);
3266 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3267 "modifier: \"%s\" is not a time value", arg);
3272 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3277 debug_printf("delay skipped in -bh checking mode\n");
3280 /* It appears to be impossible to detect that a TCP/IP connection has
3281 gone away without reading from it. This means that we cannot shorten
3282 the delay below if the client goes away, because we cannot discover
3283 that the client has closed its end of the connection. (The connection
3284 is actually in a half-closed state, waiting for the server to close its
3285 end.) It would be nice to be able to detect this state, so that the
3286 Exim process is not held up unnecessarily. However, it seems that we
3287 can't. The poll() function does not do the right thing, and in any case
3288 it is not always available.
3290 NOTE 1: If ever this state of affairs changes, remember that we may be
3291 dealing with stdin/stdout here, in addition to TCP/IP connections.
3292 Also, delays may be specified for non-SMTP input, where smtp_out and
3293 smtp_in will be NULL. Whatever is done must work in all cases.
3295 NOTE 2: The added feature of flushing the output before a delay must
3296 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3301 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
3302 while (delay > 0) delay = sleep(delay);
3308 #ifdef WITH_OLD_DEMIME
3314 #ifndef DISABLE_DKIM
3315 case ACLC_DKIM_SIGNER:
3316 if (dkim_cur_signer != NULL)
3317 rc = match_isinlist(dkim_cur_signer,
3318 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3323 case ACLC_DKIM_STATUS:
3324 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3325 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3329 #ifdef EXPERIMENTAL_DMARC
3330 case ACLC_DMARC_STATUS:
3331 if (dmarc_has_been_checked++ == 0)
3333 /* used long way of dmarc_exim_expand_query() in case we need more
3334 * view into the process in the future. */
3335 rc = match_isinlist(dmarc_exim_expand_query(DMARC_VERIFY_STATUS),
3336 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3341 rc = verify_check_dnsbl(&arg);
3345 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3346 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3349 /* The value in tls_cipher is the full cipher name, for example,
3350 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3351 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3352 what may in practice come out of the SSL library - which at the time of
3353 writing is poorly documented. */
3355 case ACLC_ENCRYPTED:
3356 if (tls_in.cipher == NULL) rc = FAIL; else
3358 uschar *endcipher = NULL;
3359 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3360 if (cipher == NULL) cipher = tls_in.cipher; else
3362 endcipher = Ustrchr(++cipher, ':');
3363 if (endcipher != NULL) *endcipher = 0;
3365 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3366 if (endcipher != NULL) *endcipher = ':';
3370 /* Use verify_check_this_host() instead of verify_check_host() so that
3371 we can pass over &host_data to catch any looked up data. Once it has been
3372 set, it retains its value so that it's still there if another ACL verb
3373 comes through here and uses the cache. However, we must put it into
3374 permanent store in case it is also expected to be used in a subsequent
3375 message in the same SMTP connection. */
3378 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3379 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3380 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3383 case ACLC_LOCAL_PARTS:
3384 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3385 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3386 &deliver_localpart_data);
3389 case ACLC_LOG_REJECT_TARGET:
3395 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3398 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3399 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3400 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3403 logbits |= LOG_MAIN|LOG_REJECT;
3404 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3405 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3408 log_reject_target = logbits;
3421 if (Ustrncmp(s, "main", 4) == 0)
3422 { logbits |= LOG_MAIN; s += 4; }
3423 else if (Ustrncmp(s, "panic", 5) == 0)
3424 { logbits |= LOG_PANIC; s += 5; }
3425 else if (Ustrncmp(s, "reject", 6) == 0)
3426 { logbits |= LOG_REJECT; s += 6; }
3429 logbits = LOG_MAIN|LOG_PANIC;
3430 s = string_sprintf(":unknown log name in \"%s\" in "
3431 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3437 while (isspace(*s)) s++;
3440 if (logbits == 0) logbits = LOG_MAIN;
3441 log_write(0, logbits, "%s", string_printing(s));
3445 #ifdef WITH_CONTENT_SCAN
3448 /* Separate the regular expression and any optional parameters. */
3449 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3450 /* Run the malware backend. */
3452 /* Modify return code based upon the existance of options. */
3453 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3455 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3457 /* FAIL so that the message is passed to the next ACL */
3464 case ACLC_MIME_REGEX:
3465 rc = mime_regex(&arg);
3469 case ACLC_RATELIMIT:
3470 rc = acl_ratelimit(arg, where, log_msgptr);
3473 case ACLC_RECIPIENTS:
3474 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3478 #ifdef WITH_CONTENT_SCAN
3484 case ACLC_REMOVE_HEADER:
3485 setup_remove_header(arg);
3488 case ACLC_SENDER_DOMAINS:
3491 sdomain = Ustrrchr(sender_address, '@');
3492 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3493 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3494 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3499 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3500 sender_address_cache, -1, 0, &sender_data);
3503 /* Connection variables must persist forever */
3507 int old_pool = store_pool;
3508 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3509 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
3510 store_pool = old_pool;
3514 #ifdef WITH_CONTENT_SCAN
3517 /* Seperate the regular expression and any optional parameters. */
3518 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3519 /* Run the spam backend. */
3521 /* Modify return code based upon the existance of options. */
3522 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3524 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3526 /* FAIL so that the message is passed to the next ACL */
3534 #ifdef EXPERIMENTAL_SPF
3536 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3538 case ACLC_SPF_GUESS:
3539 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
3543 /* If the verb is WARN, discard any user message from verification, because
3544 such messages are SMTP responses, not header additions. The latter come
3545 only from explicit "message" modifiers. However, put the user message into
3546 $acl_verify_message so it can be used in subsequent conditions or modifiers
3547 (until something changes it). */
3550 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
3551 acl_verify_message = *user_msgptr;
3552 if (verb == ACL_WARN) *user_msgptr = NULL;
3556 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3557 "condition %d", cb->type);
3561 /* If a condition was negated, invert OK/FAIL. */
3563 if (!cond_modifiers[cb->type] && cb->u.negated)
3565 if (rc == OK) rc = FAIL;
3566 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3569 if (rc != OK) break; /* Conditions loop */
3573 /* If the result is the one for which "message" and/or "log_message" are used,
3574 handle the values of these modifiers. If there isn't a log message set, we make
3575 it the same as the user message.
3577 "message" is a user message that will be included in an SMTP response. Unless
3578 it is empty, it overrides any previously set user message.
3580 "log_message" is a non-user message, and it adds to any existing non-user
3581 message that is already set.
3583 Most verbs have but a single return for which the messages are relevant, but
3584 for "discard", it's useful to have the log message both when it succeeds and
3585 when it fails. For "accept", the message is used in the OK case if there is no
3586 "endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3589 if (*epp && rc == OK) user_message = NULL;
3591 if (((1<<rc) & msgcond[verb]) != 0)
3594 uschar *old_user_msgptr = *user_msgptr;
3595 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
3597 /* If the verb is "warn", messages generated by conditions (verification or
3598 nested ACLs) are always discarded. This also happens for acceptance verbs
3599 when they actually do accept. Only messages specified at this level are used.
3600 However, the value of an existing message is available in $acl_verify_message
3601 during expansions. */
3603 if (verb == ACL_WARN ||
3604 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3605 *log_msgptr = *user_msgptr = NULL;
3607 if (user_message != NULL)
3609 acl_verify_message = old_user_msgptr;
3610 expmessage = expand_string(user_message);
3611 if (expmessage == NULL)
3613 if (!expand_string_forcedfail)
3614 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3615 user_message, expand_string_message);
3617 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3620 if (log_message != NULL)
3622 acl_verify_message = old_log_msgptr;
3623 expmessage = expand_string(log_message);
3624 if (expmessage == NULL)
3626 if (!expand_string_forcedfail)
3627 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3628 log_message, expand_string_message);
3630 else if (expmessage[0] != 0)
3632 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3633 string_sprintf("%s: %s", expmessage, *log_msgptr);
3637 /* If no log message, default it to the user message */
3639 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3642 acl_verify_message = NULL;
3650 /*************************************************
3651 * Get line from a literal ACL *
3652 *************************************************/
3654 /* This function is passed to acl_read() in order to extract individual lines
3655 of a literal ACL, which we access via static pointers. We can destroy the
3656 contents because this is called only once (the compiled ACL is remembered).
3658 This code is intended to treat the data in the same way as lines in the main
3659 Exim configuration file. That is:
3661 . Leading spaces are ignored.
3663 . A \ at the end of a line is a continuation - trailing spaces after the \
3664 are permitted (this is because I don't believe in making invisible things
3665 significant). Leading spaces on the continued part of a line are ignored.
3667 . Physical lines starting (significantly) with # are totally ignored, and
3668 may appear within a sequence of backslash-continued lines.
3670 . Blank lines are ignored, but will end a sequence of continuations.
3673 Returns: a pointer to the next line
3677 static uschar *acl_text; /* Current pointer in the text */
3678 static uschar *acl_text_end; /* Points one past the terminating '0' */
3686 /* This loop handles leading blank lines and comments. */
3690 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3691 if (*acl_text == 0) return NULL; /* No more data */
3692 yield = acl_text; /* Potential data line */
3694 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3696 /* If we hit the end before a newline, we have the whole logical line. If
3697 it's a comment, there's no more data to be given. Otherwise, yield it. */
3699 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3701 /* After reaching a newline, end this loop if the physical line does not
3702 start with '#'. If it does, it's a comment, and the loop continues. */
3704 if (*yield != '#') break;
3707 /* This loop handles continuations. We know we have some real data, ending in
3708 newline. See if there is a continuation marker at the end (ignoring trailing
3709 white space). We know that *yield is not white space, so no need to test for
3710 cont > yield in the backwards scanning loop. */
3715 for (cont = acl_text - 1; isspace(*cont); cont--);
3717 /* If no continuation follows, we are done. Mark the end of the line and
3726 /* We have encountered a continuation. Skip over whitespace at the start of
3727 the next line, and indeed the whole of the next line or lines if they are
3732 while (*(++acl_text) == ' ' || *acl_text == '\t');
3733 if (*acl_text != '#') break;
3734 while (*(++acl_text) != 0 && *acl_text != '\n');
3737 /* We have the start of a continuation line. Move all the rest of the data
3738 to join onto the previous line, and then find its end. If the end is not a
3739 newline, we are done. Otherwise loop to look for another continuation. */
3741 memmove(cont, acl_text, acl_text_end - acl_text);
3742 acl_text_end -= acl_text - cont;
3744 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3745 if (*acl_text == 0) return yield;
3748 /* Control does not reach here */
3755 /*************************************************
3756 * Check access using an ACL *
3757 *************************************************/
3759 /* This function is called from address_check. It may recurse via
3760 acl_check_condition() - hence the use of a level to stop looping. The ACL is
3761 passed as a string which is expanded. A forced failure implies no access check
3762 is required. If the result is a single word, it is taken as the name of an ACL
3763 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3764 text, complete with newlines, and parsed as such. In both cases, the ACL check
3765 is then run. This function uses an auxiliary function for acl_read() to call
3766 for reading individual lines of a literal ACL. This is acl_getline(), which
3767 appears immediately above.
3770 where where called from
3771 addr address item when called from RCPT; otherwise NULL
3772 s the input string; NULL is the same as an empty ACL => DENY
3773 level the nesting level
3774 user_msgptr where to put a user error (for SMTP response)
3775 log_msgptr where to put a logging message (not for SMTP response)
3777 Returns: OK access is granted
3778 DISCARD access is apparently granted...
3779 FAIL access is denied
3780 FAIL_DROP access is denied; drop the connection
3781 DEFER can't tell at the moment
3786 acl_check_internal(int where, address_item *addr, uschar *s, int level,
3787 uschar **user_msgptr, uschar **log_msgptr)
3790 acl_block *acl = NULL;
3791 uschar *acl_name = US"inline ACL";
3794 /* Catch configuration loops */
3798 *log_msgptr = US"ACL nested too deep: possible loop";
3804 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3808 /* At top level, we expand the incoming string. At lower levels, it has already
3809 been expanded as part of condition processing. */
3813 ss = expand_string(s);
3816 if (expand_string_forcedfail) return OK;
3817 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3818 expand_string_message);
3824 while (isspace(*ss))ss++;
3826 /* If we can't find a named ACL, the default is to parse it as an inline one.
3827 (Unless it begins with a slash; non-existent files give rise to an error.) */
3831 /* Handle the case of a string that does not contain any spaces. Look for a
3832 named ACL among those read from the configuration, or a previously read file.
3833 It is possible that the pointer to the ACL is NULL if the configuration
3834 contains a name with no data. If not found, and the text begins with '/',
3835 read an ACL from a file, and save it so it can be re-used. */
3837 if (Ustrchr(ss, ' ') == NULL)
3839 tree_node *t = tree_search(acl_anchor, ss);
3842 acl = (acl_block *)(t->data.ptr);
3845 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3848 acl_name = string_sprintf("ACL \"%s\"", ss);
3849 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3852 else if (*ss == '/')
3854 struct stat statbuf;
3855 fd = Uopen(ss, O_RDONLY, 0);
3858 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3863 if (fstat(fd, &statbuf) != 0)
3865 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3870 acl_text = store_get(statbuf.st_size + 1);
3871 acl_text_end = acl_text + statbuf.st_size + 1;
3873 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3875 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3876 ss, strerror(errno));
3879 acl_text[statbuf.st_size] = 0;
3882 acl_name = string_sprintf("ACL \"%s\"", ss);
3883 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3887 /* Parse an ACL that is still in text form. If it came from a file, remember it
3888 in the ACL tree, having read it into the POOL_PERM store pool so that it
3889 persists between multiple messages. */
3893 int old_pool = store_pool;
3894 if (fd >= 0) store_pool = POOL_PERM;
3895 acl = acl_read(acl_getline, log_msgptr);
3896 store_pool = old_pool;
3897 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3900 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3901 Ustrcpy(t->name, ss);
3903 (void)tree_insertnode(&acl_anchor, t);
3907 /* Now we have an ACL to use. It's possible it may be NULL. */
3912 int basic_errno = 0;
3913 BOOL endpass_seen = FALSE;
3915 *log_msgptr = *user_msgptr = NULL;
3916 acl_temp_details = FALSE;
3918 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
3919 acl->verb != ACL_ACCEPT &&
3920 acl->verb != ACL_WARN)
3922 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
3927 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3929 /* Clear out any search error message from a previous check before testing
3932 search_error_message = NULL;
3933 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3934 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3936 /* Handle special returns: DEFER causes a return except on a WARN verb;
3937 ERROR always causes a return. */
3942 HDEBUG(D_acl) debug_printf("%s: condition test deferred in %s\n", verbs[acl->verb], acl_name);
3943 if (basic_errno != ERRNO_CALLOUTDEFER)
3945 if (search_error_message != NULL && *search_error_message != 0)
3946 *log_msgptr = search_error_message;
3947 if (smtp_return_error_details) acl_temp_details = TRUE;
3951 acl_temp_details = TRUE;
3953 if (acl->verb != ACL_WARN) return DEFER;
3956 default: /* Paranoia */
3958 HDEBUG(D_acl) debug_printf("%s: condition test error in %s\n", verbs[acl->verb], acl_name);
3962 HDEBUG(D_acl) debug_printf("%s: condition test succeeded in %s\n",
3963 verbs[acl->verb], acl_name);
3967 HDEBUG(D_acl) debug_printf("%s: condition test failed in %s\n", verbs[acl->verb], acl_name);
3970 /* DISCARD and DROP can happen only from a nested ACL condition, and
3971 DISCARD can happen only for an "accept" or "discard" verb. */
3974 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\" in %s\n",
3975 verbs[acl->verb], acl_name);
3979 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\" in %s\n",
3980 verbs[acl->verb], acl_name);
3984 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3985 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3986 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3991 if (cond == OK || cond == DISCARD) return cond;
3994 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
4002 acl_temp_details = TRUE;
4008 if (cond == OK) return FAIL;
4012 if (cond == OK || cond == DISCARD) return DISCARD;
4015 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
4021 if (cond == OK) return FAIL_DROP;
4025 if (cond != OK) return cond;
4030 acl_warn(where, *user_msgptr, *log_msgptr);
4031 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
4032 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
4033 "condition test deferred%s%s", host_and_ident(TRUE),
4034 (*log_msgptr == NULL)? US"" : US": ",
4035 (*log_msgptr == NULL)? US"" : *log_msgptr);
4036 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
4040 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
4045 /* Pass to the next ACL item */
4050 /* We have reached the end of the ACL. This is an implicit DENY. */
4052 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
4059 /* Same args as acl_check_internal() above, but the string s is
4060 the name of an ACL followed optionally by up to 9 space-separated arguments.
4061 The name and args are separately expanded. Args go into $acl_arg globals. */
4063 acl_check_wargs(int where, address_item *addr, uschar *s, int level,
4064 uschar **user_msgptr, uschar **log_msgptr)
4067 uschar * tmp_arg[9]; /* must match acl_arg[] */
4068 uschar * sav_arg[9]; /* must match acl_arg[] */
4074 if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
4077 for (i = 0; i < 9; i++)
4079 while (*s && isspace(*s)) s++;
4081 if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
4088 sav_narg = acl_narg;
4090 for (i = 0; i < acl_narg; i++)
4092 sav_arg[i] = acl_arg[i];
4093 acl_arg[i] = tmp_arg[i];
4097 sav_arg[i] = acl_arg[i];
4098 acl_arg[i++] = NULL;
4101 ret = acl_check_internal(where, addr, name, level, user_msgptr, log_msgptr);
4103 acl_narg = sav_narg;
4104 for (i = 0; i < 9; i++) acl_arg[i] = sav_arg[i];
4108 if (expand_string_forcedfail) return ERROR;
4109 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
4110 tmp, expand_string_message);
4111 return search_find_defer?DEFER:ERROR;
4116 /*************************************************
4117 * Check access using an ACL *
4118 *************************************************/
4120 /* Alternate interface for ACL, used by expansions */
4122 acl_eval(int where, uschar *s, uschar **user_msgptr, uschar **log_msgptr)
4125 address_item *addr = NULL;
4127 *user_msgptr = *log_msgptr = NULL;
4128 sender_verified_failed = NULL;
4129 ratelimiters_cmd = NULL;
4130 log_reject_target = LOG_MAIN|LOG_REJECT;
4132 if (where == ACL_WHERE_RCPT)
4134 adb = address_defaults;
4136 addr->address = expand_string(US"$local_part@$domain");
4137 addr->domain = deliver_domain;
4138 addr->local_part = deliver_localpart;
4139 addr->cc_local_part = deliver_localpart;
4140 addr->lc_local_part = deliver_localpart;
4143 return acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
4148 /* This is the external interface for ACL checks. It sets up an address and the
4149 expansions for $domain and $local_part when called after RCPT, then calls
4150 acl_check_internal() to do the actual work.
4153 where ACL_WHERE_xxxx indicating where called from
4154 recipient RCPT address for RCPT check, else NULL
4155 s the input string; NULL is the same as an empty ACL => DENY
4156 user_msgptr where to put a user error (for SMTP response)
4157 log_msgptr where to put a logging message (not for SMTP response)
4159 Returns: OK access is granted by an ACCEPT verb
4160 DISCARD access is granted by a DISCARD verb
4161 FAIL access is denied
4162 FAIL_DROP access is denied; drop the connection
4163 DEFER can't tell at the moment
4166 int acl_where = ACL_WHERE_UNKNOWN;
4169 acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
4170 uschar **log_msgptr)
4174 address_item *addr = NULL;
4176 *user_msgptr = *log_msgptr = NULL;
4177 sender_verified_failed = NULL;
4178 ratelimiters_cmd = NULL;
4179 log_reject_target = LOG_MAIN|LOG_REJECT;
4181 #ifdef EXPERIMENTAL_PRDR
4182 if (where == ACL_WHERE_RCPT || where == ACL_WHERE_PRDR )
4184 if (where == ACL_WHERE_RCPT )
4187 adb = address_defaults;
4189 addr->address = recipient;
4190 if (deliver_split_address(addr) == DEFER)
4192 *log_msgptr = US"defer in percent_hack_domains check";
4195 deliver_domain = addr->domain;
4196 deliver_localpart = addr->local_part;
4200 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
4201 acl_where = ACL_WHERE_UNKNOWN;
4203 /* Cutthrough - if requested,
4204 and WHERE_RCPT and not yet opened conn as result of recipient-verify,
4205 and rcpt acl returned accept,
4206 and first recipient (cancel on any subsequents)
4207 open one now and run it up to RCPT acceptance.
4208 A failed verify should cancel cutthrough request.
4210 Initial implementation: dual-write to spool.
4211 Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
4213 Cease cutthrough copy on rxd final dot; do not send one.
4215 On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
4217 On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
4218 perm-rejected, reflect that to the original sender - and dump the spooled copy.
4219 If temp-reject, close the conn (and keep the spooled copy).
4220 If conn-failure, no action (and keep the spooled copy).
4224 case ACL_WHERE_RCPT:
4225 #ifdef EXPERIMENTAL_PRDR
4226 case ACL_WHERE_PRDR:
4228 if( rcpt_count > 1 )
4229 cancel_cutthrough_connection("more than one recipient");
4230 else if (rc == OK && cutthrough_delivery && cutthrough_fd < 0)
4231 open_cutthrough_connection(addr);
4234 case ACL_WHERE_PREDATA:
4236 cutthrough_predata();
4238 cancel_cutthrough_connection("predata acl not ok");
4241 case ACL_WHERE_QUIT:
4242 case ACL_WHERE_NOTQUIT:
4243 cancel_cutthrough_connection("quit or notquit");
4250 deliver_domain = deliver_localpart = deliver_address_data =
4251 sender_address_data = NULL;
4253 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
4254 ACL, which is really in the middle of an SMTP command. */
4258 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
4260 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
4261 "ACL", acl_wherenames[where]);
4267 /* A DROP response is not permitted from MAILAUTH */
4269 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
4271 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
4272 "ACL", acl_wherenames[where]);
4276 /* Before giving a response, take a look at the length of any user message, and
4277 split it up into multiple lines if possible. */
4279 *user_msgptr = string_split_message(*user_msgptr);
4280 if (fake_response != OK)
4281 fake_response_text = string_split_message(fake_response_text);
4287 /*************************************************
4288 * Create ACL variable *
4289 *************************************************/
4291 /* Create an ACL variable or reuse an existing one. ACL variables are in a
4292 binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
4295 name pointer to the variable's name, starting with c or m
4297 Returns the pointer to variable's tree node
4301 acl_var_create(uschar *name)
4303 tree_node *node, **root;
4304 root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
4305 node = tree_search(*root, name);
4308 node = store_get(sizeof(tree_node) + Ustrlen(name));
4309 Ustrcpy(node->name, name);
4310 (void)tree_insertnode(root, node);
4312 node->data.ptr = NULL;
4318 /*************************************************
4319 * Write an ACL variable in spool format *
4320 *************************************************/
4322 /* This function is used as a callback for tree_walk when writing variables to
4323 the spool file. To retain spool file compatibility, what is written is -aclc or
4324 -aclm followed by the rest of the name and the data length, space separated,
4325 then the value itself, starting on a new line, and terminated by an additional
4326 newline. When we had only numbered ACL variables, the first line might look
4327 like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
4331 name of the variable
4332 value of the variable
4333 ctx FILE pointer (as a void pointer)
4339 acl_var_write(uschar *name, uschar *value, void *ctx)
4341 FILE *f = (FILE *)ctx;
4342 fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);