1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2012 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Code for handling Access Control Lists (ACLs) */
13 /* Default callout timeout */
15 #define CALLOUT_TIMEOUT_DEFAULT 30
17 /* ACL verb codes - keep in step with the table of verbs that follows */
19 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
24 static uschar *verbs[] =
25 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 /* For each verb, the conditions for which "message" or "log_message" are used
29 are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
30 "accept", the FAIL case is used only after "endpass", but that is selected in
33 static int msgcond[] = {
34 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
37 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
39 (1<<FAIL) | (1<<FAIL_DROP), /* require */
43 /* ACL condition and modifier codes - keep in step with the table that
44 follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
50 #ifdef EXPERIMENTAL_BRIGHTMAIL
56 #ifdef EXPERIMENTAL_DCC
59 #ifdef WITH_CONTENT_SCAN
63 #ifdef WITH_OLD_DEMIME
77 ACLC_LOG_REJECT_TARGET,
79 #ifdef WITH_CONTENT_SCAN
83 #ifdef WITH_CONTENT_SCAN
88 #ifdef WITH_CONTENT_SCAN
95 #ifdef WITH_CONTENT_SCAN
98 #ifdef EXPERIMENTAL_SPF
104 /* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
105 "message", "log_message", "log_reject_target", "logwrite", and "set" are
106 modifiers that look like conditions but always return TRUE. They are used for
107 their side effects. */
109 static uschar *conditions[] = {
113 #ifdef EXPERIMENTAL_BRIGHTMAIL
119 #ifdef EXPERIMENTAL_DCC
122 #ifdef WITH_CONTENT_SCAN
126 #ifdef WITH_OLD_DEMIME
140 US"log_reject_target",
142 #ifdef WITH_CONTENT_SCAN
146 #ifdef WITH_CONTENT_SCAN
151 #ifdef WITH_CONTENT_SCAN
155 US"sender_domains", US"senders", US"set",
156 #ifdef WITH_CONTENT_SCAN
159 #ifdef EXPERIMENTAL_SPF
166 /* Return values from decode_control(); keep in step with the table of names
170 CONTROL_AUTH_UNADVERTISED,
171 #ifdef EXPERIMENTAL_BRIGHTMAIL
180 CONTROL_CASEFUL_LOCAL_PART,
181 CONTROL_CASELOWER_LOCAL_PART,
182 CONTROL_CUTTHROUGH_DELIVERY,
183 CONTROL_ENFORCE_SYNC,
184 CONTROL_NO_ENFORCE_SYNC,
188 CONTROL_SUPPRESS_LOCAL_FIXUPS,
189 #ifdef WITH_CONTENT_SCAN
190 CONTROL_NO_MBOX_UNSPOOL,
194 CONTROL_NO_MULTILINE,
195 CONTROL_NO_PIPELINING,
196 CONTROL_NO_DELAY_FLUSH,
197 CONTROL_NO_CALLOUT_FLUSH
200 /* ACL control names; keep in step with the table above! This list is used for
201 turning ids into names. The actual list of recognized names is in the variable
202 control_def controls_list[] below. The fact that there are two lists is a mess
203 and should be tidied up. */
205 static uschar *controls[] = {
206 US"allow_auth_unadvertised",
207 #ifdef EXPERIMENTAL_BRIGHTMAIL
212 US"dkim_disable_verify",
216 US"caseful_local_part",
217 US"caselower_local_part",
218 US"cutthrough_delivery",
224 US"suppress_local_fixups",
225 #ifdef WITH_CONTENT_SCAN
230 US"no_multiline_responses",
236 /* Flags to indicate for which conditions/modifiers a string expansion is done
237 at the outer level. In the other cases, expansion already occurs in the
238 checking functions. */
240 static uschar cond_expand_at_top[] = {
242 TRUE, /* add_header */
243 FALSE, /* authenticated */
244 #ifdef EXPERIMENTAL_BRIGHTMAIL
245 TRUE, /* bmi_optin */
247 TRUE, /* condition */
250 #ifdef EXPERIMENTAL_DCC
253 #ifdef WITH_CONTENT_SCAN
257 #ifdef WITH_OLD_DEMIME
261 TRUE, /* dkim_signers */
262 TRUE, /* dkim_status */
266 FALSE, /* encrypted */
269 FALSE, /* local_parts */
270 TRUE, /* log_message */
271 TRUE, /* log_reject_target */
273 #ifdef WITH_CONTENT_SCAN
277 #ifdef WITH_CONTENT_SCAN
278 TRUE, /* mime_regex */
280 TRUE, /* ratelimit */
281 FALSE, /* recipients */
282 #ifdef WITH_CONTENT_SCAN
285 TRUE, /* remove_header */
286 FALSE, /* sender_domains */
289 #ifdef WITH_CONTENT_SCAN
292 #ifdef EXPERIMENTAL_SPF
294 TRUE, /* spf_guess */
299 /* Flags to identify the modifiers */
301 static uschar cond_modifiers[] = {
303 TRUE, /* add_header */
304 FALSE, /* authenticated */
305 #ifdef EXPERIMENTAL_BRIGHTMAIL
306 TRUE, /* bmi_optin */
308 FALSE, /* condition */
311 #ifdef EXPERIMENTAL_DCC
314 #ifdef WITH_CONTENT_SCAN
318 #ifdef WITH_OLD_DEMIME
322 FALSE, /* dkim_signers */
323 FALSE, /* dkim_status */
325 FALSE, /* dnslists */
327 FALSE, /* encrypted */
330 FALSE, /* local_parts */
331 TRUE, /* log_message */
332 TRUE, /* log_reject_target */
334 #ifdef WITH_CONTENT_SCAN
338 #ifdef WITH_CONTENT_SCAN
339 FALSE, /* mime_regex */
341 FALSE, /* ratelimit */
342 FALSE, /* recipients */
343 #ifdef WITH_CONTENT_SCAN
346 TRUE, /* remove_header */
347 FALSE, /* sender_domains */
350 #ifdef WITH_CONTENT_SCAN
353 #ifdef EXPERIMENTAL_SPF
355 FALSE, /* spf_guess */
360 /* Bit map vector of which conditions and modifiers are not allowed at certain
361 times. For each condition and modifier, there's a bitmap of dis-allowed times.
362 For some, it is easier to specify the negation of a small number of allowed
365 static unsigned int cond_forbids[] = {
369 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
370 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
371 #ifdef EXPERIMENTAL_PRDR
374 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
376 (1<<ACL_WHERE_NOTSMTP_START)),
378 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
379 (1<<ACL_WHERE_NOTSMTP_START)|
380 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
382 #ifdef EXPERIMENTAL_BRIGHTMAIL
383 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
384 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
385 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
386 #ifdef EXPERIMENTAL_PRDR
389 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
390 (1<<ACL_WHERE_MAILAUTH)|
391 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
392 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
393 (1<<ACL_WHERE_NOTSMTP_START),
400 /* Certain types of control are always allowed, so we let it through
401 always and check in the control processing itself. */
405 #ifdef EXPERIMENTAL_DCC
407 ~((1<<ACL_WHERE_DATA)| /* dcc */
408 #ifdef EXPERIMENTAL_PRDR
410 #endif /* EXPERIMENTAL_PRDR */
411 (1<<ACL_WHERE_NOTSMTP)),
414 #ifdef WITH_CONTENT_SCAN
416 ~(1<<ACL_WHERE_MIME), /* decode */
419 (1<<ACL_WHERE_NOTQUIT), /* delay */
421 #ifdef WITH_OLD_DEMIME
423 ~((1<<ACL_WHERE_DATA)| /* demime */
424 #ifdef EXPERIMENTAL_PRDR
426 #endif /* EXPERIMENTAL_PRDR */
427 (1<<ACL_WHERE_NOTSMTP)),
432 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
435 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
438 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
439 (1<<ACL_WHERE_NOTSMTP_START),
442 ~((1<<ACL_WHERE_RCPT) /* domains */
443 #ifdef EXPERIMENTAL_PRDR
448 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
449 (1<<ACL_WHERE_CONNECT)|
450 (1<<ACL_WHERE_NOTSMTP_START)|
455 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
456 (1<<ACL_WHERE_NOTSMTP_START),
459 ~((1<<ACL_WHERE_RCPT) /* local_parts */
460 #ifdef EXPERIMENTAL_PRDR
467 0, /* log_reject_target */
471 #ifdef WITH_CONTENT_SCAN
473 ~((1<<ACL_WHERE_DATA)| /* malware */
474 #ifdef EXPERIMENTAL_PRDR
476 #endif /* EXPERIMENTAL_PRDR */
477 (1<<ACL_WHERE_NOTSMTP)),
482 #ifdef WITH_CONTENT_SCAN
484 ~(1<<ACL_WHERE_MIME), /* mime_regex */
490 ~(1<<ACL_WHERE_RCPT), /* recipients */
492 #ifdef WITH_CONTENT_SCAN
494 ~((1<<ACL_WHERE_DATA)| /* regex */
495 #ifdef EXPERIMENTAL_PRDR
497 #endif /* EXPERIMENTAL_PRDR */
498 (1<<ACL_WHERE_NOTSMTP)|
499 (1<<ACL_WHERE_MIME)),
503 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* remove_header */
504 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
505 #ifdef EXPERIMENTAL_PRDR
508 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
509 (1<<ACL_WHERE_NOTSMTP_START)),
511 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
513 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
514 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
515 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
517 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
519 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
520 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
521 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
525 #ifdef WITH_CONTENT_SCAN
527 ~((1<<ACL_WHERE_DATA)| /* spam */
528 #ifdef EXPERIMENTAL_PRDR
530 #endif /* EXPERIMENTAL_PRDR */
531 (1<<ACL_WHERE_NOTSMTP)),
534 #ifdef EXPERIMENTAL_SPF
535 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
537 (1<<ACL_WHERE_MAILAUTH)|
538 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
539 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
540 (1<<ACL_WHERE_NOTSMTP)|
541 (1<<ACL_WHERE_NOTSMTP_START),
543 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
545 (1<<ACL_WHERE_MAILAUTH)|
546 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
547 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
548 (1<<ACL_WHERE_NOTSMTP)|
549 (1<<ACL_WHERE_NOTSMTP_START),
552 /* Certain types of verify are always allowed, so we let it through
553 always and check in the verify function itself */
559 /* Bit map vector of which controls are not allowed at certain times. For
560 each control, there's a bitmap of dis-allowed times. For some, it is easier to
561 specify the negation of a small number of allowed times. */
563 static unsigned int control_forbids[] = {
565 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
567 #ifdef EXPERIMENTAL_BRIGHTMAIL
574 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
575 #ifdef EXPERIMENTAL_PRDR
577 #endif /* EXPERIMENTAL_PRDR */
578 (1<<ACL_WHERE_NOTSMTP_START),
581 (1<<ACL_WHERE_NOTSMTP)|
582 (1<<ACL_WHERE_NOTSMTP_START)|
583 (1<<ACL_WHERE_NOTQUIT), /* dscp */
588 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
591 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
594 0, /* cutthrough_delivery */
596 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
597 (1<<ACL_WHERE_NOTSMTP_START),
599 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
600 (1<<ACL_WHERE_NOTSMTP_START),
603 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
604 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
605 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
606 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
609 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
610 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
611 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
612 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
615 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
616 (1<<ACL_WHERE_PREDATA)),
619 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
620 (1<<ACL_WHERE_PREDATA)|
621 (1<<ACL_WHERE_NOTSMTP_START)),
623 #ifdef WITH_CONTENT_SCAN
625 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
626 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
627 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
628 (1<<ACL_WHERE_MIME)),
632 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
633 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
634 #ifdef EXPERIMENTAL_PRDR
636 #endif /* EXPERIMENTAL_PRDR */
637 (1<<ACL_WHERE_MIME)),
640 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
641 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
642 #ifdef EXPERIMENTAL_PRDR
644 #endif /* EXPERIMENTAL_PRDR */
645 (1<<ACL_WHERE_MIME)),
647 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
648 (1<<ACL_WHERE_NOTSMTP_START),
650 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
651 (1<<ACL_WHERE_NOTSMTP_START),
653 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
654 (1<<ACL_WHERE_NOTSMTP_START),
656 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
657 (1<<ACL_WHERE_NOTSMTP_START)
660 /* Structure listing various control arguments, with their characteristics. */
662 typedef struct control_def {
664 int value; /* CONTROL_xxx value */
665 BOOL has_option; /* Has /option(s) following */
668 static control_def controls_list[] = {
669 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
670 #ifdef EXPERIMENTAL_BRIGHTMAIL
671 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
673 { US"debug", CONTROL_DEBUG, TRUE },
675 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
677 { US"dscp", CONTROL_DSCP, TRUE },
678 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
679 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
680 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
681 { US"freeze", CONTROL_FREEZE, TRUE },
682 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
683 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
684 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
685 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
686 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
687 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
688 #ifdef WITH_CONTENT_SCAN
689 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
691 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
692 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
693 { US"submission", CONTROL_SUBMISSION, TRUE },
694 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE },
695 { US"cutthrough_delivery", CONTROL_CUTTHROUGH_DELIVERY, FALSE }
698 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
699 caches its result in a tree to avoid repeated DNS queries. The result is an
700 integer code which is used as an index into the following tables of
701 explanatory strings and verification return codes. */
703 static tree_node *csa_cache = NULL;
705 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
706 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
708 /* The acl_verify_csa() return code is translated into an acl_verify() return
709 code using the following table. It is OK unless the client is definitely not
710 authorized. This is because CSA is supposed to be optional for sending sites,
711 so recipients should not be too strict about checking it - especially because
712 DNS problems are quite likely to occur. It's possible to use $csa_status in
713 further ACL conditions to distinguish ok, unknown, and defer if required, but
714 the aim is to make the usual configuration simple. */
716 static int csa_return_code[] = {
718 FAIL, FAIL, FAIL, FAIL
721 static uschar *csa_status_string[] = {
722 US"unknown", US"ok", US"defer", US"defer",
723 US"fail", US"fail", US"fail", US"fail"
726 static uschar *csa_reason_string[] = {
729 US"deferred (SRV lookup failed)",
730 US"deferred (target address lookup failed)",
731 US"failed (explicit authorization required)",
732 US"failed (host name not authorized)",
733 US"failed (no authorized addresses)",
734 US"failed (client address mismatch)"
737 /* Options for the ratelimit condition. Note that there are two variants of
738 the per_rcpt option, depending on the ACL that is used to measure the rate.
739 However any ACL must be able to look up per_rcpt rates in /noupdate mode,
740 so the two variants must have the same internal representation as well as
741 the same configuration string. */
744 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
745 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
748 #define RATE_SET(var,new) \
749 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
751 static uschar *ratelimit_option_string[] = {
752 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
753 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
756 /* Enable recursion between acl_check_internal() and acl_check_condition() */
758 static int acl_check_wargs(int, address_item *, uschar *, int, uschar **,
762 /*************************************************
763 * Pick out name from list *
764 *************************************************/
766 /* Use a binary chop method
773 Returns: offset in list, or -1 if not found
777 acl_checkname(uschar *name, uschar **list, int end)
783 int mid = (start + end)/2;
784 int c = Ustrcmp(name, list[mid]);
785 if (c == 0) return mid;
786 if (c < 0) end = mid; else start = mid + 1;
793 /*************************************************
794 * Read and parse one ACL *
795 *************************************************/
797 /* This function is called both from readconf in order to parse the ACLs in the
798 configuration file, and also when an ACL is encountered dynamically (e.g. as
799 the result of an expansion). It is given a function to call in order to
800 retrieve the lines of the ACL. This function handles skipping comments and
801 blank lines (where relevant).
804 func function to get next line of ACL
805 error where to put an error message
807 Returns: pointer to ACL, or NULL
808 NULL can be legal (empty ACL); in this case error will be NULL
812 acl_read(uschar *(*func)(void), uschar **error)
814 acl_block *yield = NULL;
815 acl_block **lastp = &yield;
816 acl_block *this = NULL;
817 acl_condition_block *cond;
818 acl_condition_block **condp = NULL;
823 while ((s = (*func)()) != NULL)
826 BOOL negated = FALSE;
827 uschar *saveline = s;
830 /* Conditions (but not verbs) are allowed to be negated by an initial
833 while (isspace(*s)) s++;
840 /* Read the name of a verb or a condition, or the start of a new ACL, which
841 can be started by a name, or by a macro definition. */
843 s = readconf_readname(name, sizeof(name), s);
844 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
846 /* If a verb is unrecognized, it may be another condition or modifier that
847 continues the previous verb. */
849 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
854 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
866 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
869 this = store_get(sizeof(acl_block));
871 lastp = &(this->next);
874 this->condition = NULL;
875 condp = &(this->condition);
876 if (*s == 0) continue; /* No condition on this line */
882 s = readconf_readname(name, sizeof(name), s); /* Condition name */
885 /* Handle a condition or modifier. */
887 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
890 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
895 /* The modifiers may not be negated */
897 if (negated && cond_modifiers[c])
899 *error = string_sprintf("ACL error: negation is not allowed with "
900 "\"%s\"", conditions[c]);
904 /* ENDPASS may occur only with ACCEPT or DISCARD. */
906 if (c == ACLC_ENDPASS &&
907 this->verb != ACL_ACCEPT &&
908 this->verb != ACL_DISCARD)
910 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
911 conditions[c], verbs[this->verb]);
915 cond = store_get(sizeof(acl_condition_block));
918 cond->u.negated = negated;
921 condp = &(cond->next);
923 /* The "set" modifier is different in that its argument is "name=value"
924 rather than just a value, and we can check the validity of the name, which
925 gives us a variable name to insert into the data block. The original ACL
926 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
927 extended to 20 of each type, but after that people successfully argued for
928 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
929 After that, we allow alphanumerics and underscores, but the first character
930 after c or m must be a digit or an underscore. This retains backwards
937 if (Ustrncmp(s, "acl_c", 5) != 0 &&
938 Ustrncmp(s, "acl_m", 5) != 0)
940 *error = string_sprintf("invalid variable name after \"set\" in ACL "
941 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
946 if (!isdigit(*endptr) && *endptr != '_')
948 *error = string_sprintf("invalid variable name after \"set\" in ACL "
949 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
954 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
956 if (!isalnum(*endptr) && *endptr != '_')
958 *error = string_sprintf("invalid character \"%c\" in variable name "
959 "in ACL modifier \"set %s\"", *endptr, s);
965 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
967 while (isspace(*s)) s++;
970 /* For "set", we are now positioned for the data. For the others, only
971 "endpass" has no data */
973 if (c != ACLC_ENDPASS)
977 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
978 cond_modifiers[c]? US"modifier" : US"condition");
981 while (isspace(*s)) s++;
982 cond->arg = string_copy(s);
991 /*************************************************
992 * Set up added header line(s) *
993 *************************************************/
995 /* This function is called by the add_header modifier, and also from acl_warn()
996 to implement the now-deprecated way of adding header lines using "message" on a
997 "warn" verb. The argument is treated as a sequence of header lines which are
998 added to a chain, provided there isn't an identical one already there.
1000 Argument: string of header lines
1005 setup_header(uschar *hstring)
1008 int hlen = Ustrlen(hstring);
1010 /* Ignore any leading newlines */
1011 while (*hstring == '\n') hstring++, hlen--;
1013 /* An empty string does nothing; ensure exactly one final newline. */
1014 if (hlen <= 0) return;
1015 if (hstring[--hlen] != '\n') hstring = string_sprintf("%s\n", hstring);
1016 else while(hstring[--hlen] == '\n') hstring[hlen+1] = '\0';
1018 /* Loop for multiple header lines, taking care about continuations */
1020 for (p = q = hstring; *p != 0; )
1023 int newtype = htype_add_bot;
1024 header_line **hptr = &acl_added_headers;
1026 /* Find next header line within the string */
1030 q = Ustrchr(q, '\n');
1031 if (*(++q) != ' ' && *q != '\t') break;
1034 /* If the line starts with a colon, interpret the instruction for where to
1035 add it. This temporarily sets up a new type. */
1039 if (strncmpic(p, US":after_received:", 16) == 0)
1041 newtype = htype_add_rec;
1044 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1046 newtype = htype_add_rfc;
1049 else if (strncmpic(p, US":at_start:", 10) == 0)
1051 newtype = htype_add_top;
1054 else if (strncmpic(p, US":at_end:", 8) == 0)
1056 newtype = htype_add_bot;
1059 while (*p == ' ' || *p == '\t') p++;
1062 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1063 to the front of it. */
1065 for (s = p; s < q - 1; s++)
1067 if (*s == ':' || !isgraph(*s)) break;
1070 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
1073 /* See if this line has already been added */
1075 while (*hptr != NULL)
1077 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1078 hptr = &((*hptr)->next);
1081 /* Add if not previously present */
1085 header_line *h = store_get(sizeof(header_line));
1094 /* Advance for next header line within the string */
1102 /*************************************************
1103 * List the added header lines *
1104 *************************************************/
1108 uschar * ret = NULL;
1109 header_line * h = acl_added_headers;
1115 if (!h) return NULL;
1120 while ((cp = Ustrchr(s, '\n')) != NULL)
1122 if (cp[1] == '\0') break;
1124 /* contains embedded newline; needs doubling */
1125 ret = string_cat(ret, &size, &ptr, s, cp-s+1);
1126 ret = string_cat(ret, &size, &ptr, US"\n", 1);
1129 /* last bit of header */
1131 ret = string_cat(ret, &size, &ptr, s, cp-s+1); /* newline-sep list */
1133 while((h = h->next));
1135 ret[ptr-1] = '\0'; /* overwrite last newline */
1140 /*************************************************
1141 * Set up removed header line(s) *
1142 *************************************************/
1144 /* This function is called by the remove_header modifier. The argument is
1145 treated as a sequence of header names which are added to a colon separated
1146 list, provided there isn't an identical one already there.
1148 Argument: string of header names
1153 setup_remove_header(uschar *hnames)
1157 if (acl_removed_headers == NULL)
1158 acl_removed_headers = hnames;
1160 acl_removed_headers = string_sprintf("%s : %s", acl_removed_headers, hnames);
1166 /*************************************************
1168 *************************************************/
1170 /* This function is called when a WARN verb's conditions are true. It adds to
1171 the message's headers, and/or writes information to the log. In each case, this
1172 only happens once (per message for headers, per connection for log).
1174 ** NOTE: The header adding action using the "message" setting is historic, and
1175 its use is now deprecated. The new add_header modifier should be used instead.
1178 where ACL_WHERE_xxxx indicating which ACL this is
1179 user_message message for adding to headers
1180 log_message message for logging, if different
1186 acl_warn(int where, uschar *user_message, uschar *log_message)
1188 if (log_message != NULL && log_message != user_message)
1191 string_item *logged;
1193 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1194 string_printing(log_message));
1196 /* If a sender verification has failed, and the log message is "sender verify
1197 failed", add the failure message. */
1199 if (sender_verified_failed != NULL &&
1200 sender_verified_failed->message != NULL &&
1201 strcmpic(log_message, US"sender verify failed") == 0)
1202 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1204 /* Search previously logged warnings. They are kept in malloc
1205 store so they can be freed at the start of a new message. */
1207 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1208 if (Ustrcmp(logged->text, text) == 0) break;
1212 int length = Ustrlen(text) + 1;
1213 log_write(0, LOG_MAIN, "%s", text);
1214 logged = store_malloc(sizeof(string_item) + length);
1215 logged->text = (uschar *)logged + sizeof(string_item);
1216 memcpy(logged->text, text, length);
1217 logged->next = acl_warn_logged;
1218 acl_warn_logged = logged;
1222 /* If there's no user message, we are done. */
1224 if (user_message == NULL) return;
1226 /* If this isn't a message ACL, we can't do anything with a user message.
1229 if (where > ACL_WHERE_NOTSMTP)
1231 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1232 "found in a non-message (%s) ACL: cannot specify header lines here: "
1233 "message ignored", acl_wherenames[where]);
1237 /* The code for setting up header lines is now abstracted into a separate
1238 function so that it can be used for the add_header modifier as well. */
1240 setup_header(user_message);
1245 /*************************************************
1246 * Verify and check reverse DNS *
1247 *************************************************/
1249 /* Called from acl_verify() below. We look up the host name(s) of the client IP
1250 address if this has not yet been done. The host_name_lookup() function checks
1251 that one of these names resolves to an address list that contains the client IP
1252 address, so we don't actually have to do the check here.
1255 user_msgptr pointer for user message
1256 log_msgptr pointer for log message
1258 Returns: OK verification condition succeeded
1259 FAIL verification failed
1260 DEFER there was a problem verifying
1264 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1268 user_msgptr = user_msgptr; /* stop compiler warning */
1270 /* Previous success */
1272 if (sender_host_name != NULL) return OK;
1274 /* Previous failure */
1276 if (host_lookup_failed)
1278 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1282 /* Need to do a lookup */
1285 debug_printf("looking up host name to force name/address consistency check\n");
1287 if ((rc = host_name_lookup()) != OK)
1289 *log_msgptr = (rc == DEFER)?
1290 US"host lookup deferred for reverse lookup check"
1292 string_sprintf("host lookup failed for reverse lookup check%s",
1294 return rc; /* DEFER or FAIL */
1297 host_build_sender_fullhost();
1303 /*************************************************
1304 * Check client IP address matches CSA target *
1305 *************************************************/
1307 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
1308 response for address records belonging to the CSA target hostname. The section
1309 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1310 If one of the addresses matches the client's IP address, then the client is
1311 authorized by CSA. If there are target IP addresses but none of them match
1312 then the client is using an unauthorized IP address. If there are no target IP
1313 addresses then the client cannot be using an authorized IP address. (This is
1314 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1317 dnsa the DNS answer block
1318 dnss a DNS scan block for us to use
1319 reset option specifing what portion to scan, as described above
1320 target the target hostname to use for matching RR names
1322 Returns: CSA_OK successfully authorized
1323 CSA_FAIL_MISMATCH addresses found but none matched
1324 CSA_FAIL_NOADDR no target addresses found
1328 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1334 BOOL target_found = FALSE;
1336 for (rr = dns_next_rr(dnsa, dnss, reset);
1338 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1340 /* Check this is an address RR for the target hostname. */
1344 && rr->type != T_AAAA
1351 if (strcmpic(target, rr->name) != 0) continue;
1353 target_found = TRUE;
1355 /* Turn the target address RR into a list of textual IP addresses and scan
1356 the list. There may be more than one if it is an A6 RR. */
1358 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1360 /* If the client IP address matches the target IP address, it's good! */
1362 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1364 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1368 /* If we found some target addresses but none of them matched, the client is
1369 using an unauthorized IP address, otherwise the target has no authorized IP
1372 if (target_found) return CSA_FAIL_MISMATCH;
1373 else return CSA_FAIL_NOADDR;
1378 /*************************************************
1379 * Verify Client SMTP Authorization *
1380 *************************************************/
1382 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1383 to find the CSA SRV record corresponding to the domain argument, or
1384 $sender_helo_name if no argument is provided. It then checks that the
1385 client is authorized, and that its IP address corresponds to the SRV
1386 target's address by calling acl_verify_csa_address() above. The address
1387 should have been returned in the DNS response's ADDITIONAL section, but if
1388 not we perform another DNS lookup to get it.
1391 domain pointer to optional parameter following verify = csa
1393 Returns: CSA_UNKNOWN no valid CSA record found
1394 CSA_OK successfully authorized
1395 CSA_FAIL_* client is definitely not authorized
1396 CSA_DEFER_* there was a DNS problem
1400 acl_verify_csa(uschar *domain)
1404 int priority, weight, port;
1411 /* Work out the domain we are using for the CSA lookup. The default is the
1412 client's HELO domain. If the client has not said HELO, use its IP address
1413 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1415 while (isspace(*domain) && *domain != '\0') ++domain;
1416 if (*domain == '\0') domain = sender_helo_name;
1417 if (domain == NULL) domain = sender_host_address;
1418 if (sender_host_address == NULL) return CSA_UNKNOWN;
1420 /* If we have an address literal, strip off the framing ready for turning it
1421 into a domain. The framing consists of matched square brackets possibly
1422 containing a keyword and a colon before the actual IP address. */
1424 if (domain[0] == '[')
1426 uschar *start = Ustrchr(domain, ':');
1427 if (start == NULL) start = domain;
1428 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1431 /* Turn domains that look like bare IP addresses into domains in the reverse
1432 DNS. This code also deals with address literals and $sender_host_address. It's
1433 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1434 address literals, but it's probably the most friendly thing to do. This is an
1435 extension to CSA, so we allow it to be turned off for proper conformance. */
1437 if (string_is_ip_address(domain, NULL) != 0)
1439 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1440 dns_build_reverse(domain, target);
1444 /* Find out if we've already done the CSA check for this domain. If we have,
1445 return the same result again. Otherwise build a new cached result structure
1446 for this domain. The name is filled in now, and the value is filled in when
1447 we return from this function. */
1449 t = tree_search(csa_cache, domain);
1450 if (t != NULL) return t->data.val;
1452 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1453 Ustrcpy(t->name, domain);
1454 (void)tree_insertnode(&csa_cache, t);
1456 /* Now we are ready to do the actual DNS lookup(s). */
1459 switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1461 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1464 return t->data.val = CSA_DEFER_SRV;
1466 /* If we found nothing, the client's authorization is unknown. */
1470 return t->data.val = CSA_UNKNOWN;
1472 /* We got something! Go on to look at the reply in more detail. */
1478 /* Scan the reply for well-formed CSA SRV records. */
1480 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1482 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1484 if (rr->type != T_SRV) continue;
1486 /* Extract the numerical SRV fields (p is incremented) */
1489 GETSHORT(priority, p);
1490 GETSHORT(weight, p);
1494 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1496 /* Check the CSA version number */
1498 if (priority != 1) continue;
1500 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1501 found by dns_special_lookup() is a parent of the one we asked for), we check
1502 the subdomain assertions in the port field. At the moment there's only one
1503 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1504 SRV records of their own. */
1506 if (found != domain)
1509 return t->data.val = CSA_FAIL_EXPLICIT;
1511 return t->data.val = CSA_UNKNOWN;
1514 /* This CSA SRV record refers directly to our domain, so we check the value
1515 in the weight field to work out the domain's authorization. 0 and 1 are
1516 unauthorized; 3 means the client is authorized but we can't check the IP
1517 address in order to authenticate it, so we treat it as unknown; values
1518 greater than 3 are undefined. */
1520 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1522 if (weight > 2) continue;
1524 /* Weight == 2, which means the domain is authorized. We must check that the
1525 client's IP address is listed as one of the SRV target addresses. Save the
1526 target hostname then break to scan the additional data for its addresses. */
1528 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1529 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1531 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1536 /* If we didn't break the loop then no appropriate records were found. */
1538 if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1540 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1541 A target of "." indicates there are no valid addresses, so the client cannot
1542 be authorized. (This is an odd configuration because weight=2 target=. is
1543 equivalent to weight=1, but we check for it in order to keep load off the
1544 root name servers.) Note that dn_expand() turns "." into "". */
1546 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1548 /* Scan the additional section of the CSA SRV reply for addresses belonging
1549 to the target. If the name server didn't return any additional data (e.g.
1550 because it does not fully support SRV records), we need to do another lookup
1551 to obtain the target addresses; otherwise we have a definitive result. */
1553 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1554 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1556 /* The DNS lookup type corresponds to the IP version used by the client. */
1559 if (Ustrchr(sender_host_address, ':') != NULL)
1562 #endif /* HAVE_IPV6 */
1566 #if HAVE_IPV6 && defined(SUPPORT_A6)
1570 switch (dns_lookup(&dnsa, target, type, NULL))
1572 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1575 return t->data.val = CSA_DEFER_ADDR;
1577 /* If the query succeeded, scan the addresses and return the result. */
1580 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1581 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1582 /* else fall through */
1584 /* If the target has no IP addresses, the client cannot have an authorized
1585 IP address. However, if the target site uses A6 records (not AAAA records)
1586 we have to do yet another lookup in order to check them. */
1591 #if HAVE_IPV6 && defined(SUPPORT_A6)
1592 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1595 return t->data.val = CSA_FAIL_NOADDR;
1601 /*************************************************
1602 * Handle verification (address & other) *
1603 *************************************************/
1605 enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1606 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
1611 unsigned where_allowed; /* bitmap */
1612 BOOL no_options; /* Never has /option(s) following */
1613 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1615 static verify_type_t verify_type_list[] = {
1616 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, TRUE, 0 },
1617 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1618 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1619 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1620 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1621 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1622 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1623 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1624 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1626 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
1630 enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1631 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1632 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1639 BOOL has_option; /* Has =option(s) following */
1640 BOOL timeval; /* Has a time value */
1642 static callout_opt_t callout_opt_list[] = {
1643 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1644 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1645 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1646 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1647 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1648 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1649 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1650 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1651 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1652 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1653 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1654 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1659 /* This function implements the "verify" condition. It is called when
1660 encountered in any ACL, because some tests are almost always permitted. Some
1661 just don't make sense, and always fail (for example, an attempt to test a host
1662 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1665 where where called from
1666 addr the recipient address that the ACL is handling, or NULL
1667 arg the argument of "verify"
1668 user_msgptr pointer for user message
1669 log_msgptr pointer for log message
1670 basic_errno where to put verify errno
1672 Returns: OK verification condition succeeded
1673 FAIL verification failed
1674 DEFER there was a problem verifying
1679 acl_verify(int where, address_item *addr, uschar *arg,
1680 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1684 int callout_overall = -1;
1685 int callout_connect = -1;
1686 int verify_options = 0;
1688 BOOL verify_header_sender = FALSE;
1689 BOOL defer_ok = FALSE;
1690 BOOL callout_defer_ok = FALSE;
1691 BOOL no_details = FALSE;
1692 BOOL success_on_redirect = FALSE;
1693 address_item *sender_vaddr = NULL;
1694 uschar *verify_sender_address = NULL;
1695 uschar *pm_mailfrom = NULL;
1696 uschar *se_mailfrom = NULL;
1698 /* Some of the verify items have slash-separated options; some do not. Diagnose
1699 an error if options are given for items that don't expect them.
1702 uschar *slash = Ustrchr(arg, '/');
1704 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1707 if (ss == NULL) goto BAD_VERIFY;
1709 /* Handle name/address consistency verification in a separate function. */
1711 for (vp= verify_type_list;
1712 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1715 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1716 : strcmpic (ss, vp->name) == 0)
1718 if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1721 if (vp->no_options && slash != NULL)
1723 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1724 "(this verify item has no options)", arg);
1727 if (!(vp->where_allowed & (1<<where)))
1729 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1734 case VERIFY_REV_HOST_LKUP:
1735 if (sender_host_address == NULL) return OK;
1736 return acl_verify_reverse(user_msgptr, log_msgptr);
1739 /* TLS certificate verification is done at STARTTLS time; here we just
1740 test whether it was successful or not. (This is for optional verification; for
1741 mandatory verification, the connection doesn't last this long.) */
1743 if (tls_in.certificate_verified) return OK;
1744 *user_msgptr = US"no verified certificate";
1748 /* We can test the result of optional HELO verification that might have
1749 occurred earlier. If not, we can attempt the verification now. */
1751 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1752 return helo_verified? OK : FAIL;
1755 /* Do Client SMTP Authorization checks in a separate function, and turn the
1756 result code into user-friendly strings. */
1758 rc = acl_verify_csa(list);
1759 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1760 csa_reason_string[rc]);
1761 csa_status = csa_status_string[rc];
1762 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1763 return csa_return_code[rc];
1765 case VERIFY_HDR_SYNTAX:
1766 /* Check that all relevant header lines have the correct syntax. If there is
1767 a syntax error, we return details of the error to the sender if configured to
1768 send out full details. (But a "message" setting on the ACL can override, as
1771 rc = verify_check_headers(log_msgptr);
1772 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1773 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1776 case VERIFY_NOT_BLIND:
1777 /* Check that no recipient of this message is "blind", that is, every envelope
1778 recipient must be mentioned in either To: or Cc:. */
1780 rc = verify_check_notblind();
1783 *log_msgptr = string_sprintf("bcc recipient detected");
1784 if (smtp_return_error_details)
1785 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1789 /* The remaining verification tests check recipient and sender addresses,
1790 either from the envelope or from the header. There are a number of
1791 slash-separated options that are common to all of them. */
1793 case VERIFY_HDR_SNDR:
1794 verify_header_sender = TRUE;
1798 /* In the case of a sender, this can optionally be followed by an address to use
1799 in place of the actual sender (rare special-case requirement). */
1803 verify_sender_address = sender_address;
1806 while (isspace(*s)) s++;
1807 if (*s++ != '=') goto BAD_VERIFY;
1808 while (isspace(*s)) s++;
1809 verify_sender_address = string_copy(s);
1820 /* Remaining items are optional; they apply to sender and recipient
1821 verification, including "header sender" verification. */
1823 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1826 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1827 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1828 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
1830 /* These two old options are left for backwards compatibility */
1832 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1834 callout_defer_ok = TRUE;
1835 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1838 else if (strcmpic(ss, US"check_postmaster") == 0)
1841 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1844 /* The callout option has a number of sub-options, comma separated */
1846 else if (strncmpic(ss, US"callout", 7) == 0)
1848 callout = CALLOUT_TIMEOUT_DEFAULT;
1852 while (isspace(*ss)) ss++;
1858 while (isspace(*ss)) ss++;
1860 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1864 double period = 1.0F;
1866 for (op= callout_opt_list; op->name; op++)
1867 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
1870 verify_options |= op->flag;
1873 opt += Ustrlen(op->name);
1874 while (isspace(*opt)) opt++;
1877 *log_msgptr = string_sprintf("'=' expected after "
1878 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
1881 while (isspace(*opt)) opt++;
1885 period = readconf_readtime(opt, 0, FALSE);
1888 *log_msgptr = string_sprintf("bad time value in ACL condition "
1889 "\"verify %s\"", arg);
1896 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1897 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1898 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1899 case CALLOUT_MAILFROM:
1900 if (!verify_header_sender)
1902 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1903 "callout option only for verify=header_sender (detected in ACL "
1904 "condition \"%s\")", arg);
1907 se_mailfrom = string_copy(opt);
1909 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1910 case CALLOUT_MAXWAIT: callout_overall = period; break;
1911 case CALLOUT_CONNECT: callout_connect = period; break;
1912 case CALLOUT_TIME: callout = period; break;
1918 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1919 "ACL condition \"%s\"", arg);
1925 /* Option not recognized */
1929 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1930 "condition \"verify %s\"", ss, arg);
1935 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1936 (vopt_callout_recipsender|vopt_callout_recippmaster))
1938 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1939 "for a recipient callout";
1943 /* Handle sender-in-header verification. Default the user message to the log
1944 message if giving out verification details. */
1946 if (verify_header_sender)
1949 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1950 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1954 *basic_errno = verrno;
1955 if (smtp_return_error_details)
1957 if (*user_msgptr == NULL && *log_msgptr != NULL)
1958 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1959 if (rc == DEFER) acl_temp_details = TRUE;
1964 /* Handle a sender address. The default is to verify *the* sender address, but
1965 optionally a different address can be given, for special requirements. If the
1966 address is empty, we are dealing with a bounce message that has no sender, so
1967 we cannot do any checking. If the real sender address gets rewritten during
1968 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1969 during message reception.
1971 A list of verified "sender" addresses is kept to try to avoid doing to much
1972 work repetitively when there are multiple recipients in a message and they all
1973 require sender verification. However, when callouts are involved, it gets too
1974 complicated because different recipients may require different callout options.
1975 Therefore, we always do a full sender verify when any kind of callout is
1976 specified. Caching elsewhere, for instance in the DNS resolver and in the
1977 callout handling, should ensure that this is not terribly inefficient. */
1979 else if (verify_sender_address != NULL)
1981 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1984 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1985 "sender verify callout";
1989 sender_vaddr = verify_checked_sender(verify_sender_address);
1990 if (sender_vaddr != NULL && /* Previously checked */
1991 callout <= 0) /* No callout needed this time */
1993 /* If the "routed" flag is set, it means that routing worked before, so
1994 this check can give OK (the saved return code value, if set, belongs to a
1995 callout that was done previously). If the "routed" flag is not set, routing
1996 must have failed, so we use the saved return code. */
1998 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
2000 rc = sender_vaddr->special_action;
2001 *basic_errno = sender_vaddr->basic_errno;
2003 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
2006 /* Do a new verification, and cache the result. The cache is used to avoid
2007 verifying the sender multiple times for multiple RCPTs when callouts are not
2008 specified (see comments above).
2010 The cache is also used on failure to give details in response to the first
2011 RCPT that gets bounced for this reason. However, this can be suppressed by
2012 the no_details option, which sets the flag that says "this detail has already
2013 been sent". The cache normally contains just one address, but there may be
2014 more in esoteric circumstances. */
2019 uschar *save_address_data = deliver_address_data;
2021 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
2022 if (no_details) setflag(sender_vaddr, af_sverify_told);
2023 if (verify_sender_address[0] != 0)
2025 /* If this is the real sender address, save the unrewritten version
2026 for use later in receive. Otherwise, set a flag so that rewriting the
2027 sender in verify_address() does not update sender_address. */
2029 if (verify_sender_address == sender_address)
2030 sender_address_unrewritten = sender_address;
2032 verify_options |= vopt_fake_sender;
2034 if (success_on_redirect)
2035 verify_options |= vopt_success_on_redirect;
2037 /* The recipient, qualify, and expn options are never set in
2040 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
2041 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
2043 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
2047 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2049 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
2050 verify_sender_address, sender_vaddr->address);
2054 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
2055 verify_sender_address);
2058 else *basic_errno = sender_vaddr->basic_errno;
2060 else rc = OK; /* Null sender */
2062 /* Cache the result code */
2064 if (routed) setflag(sender_vaddr, af_verify_routed);
2065 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2066 sender_vaddr->special_action = rc;
2067 sender_vaddr->next = sender_verified_list;
2068 sender_verified_list = sender_vaddr;
2070 /* Restore the recipient address data, which might have been clobbered by
2071 the sender verification. */
2073 deliver_address_data = save_address_data;
2076 /* Put the sender address_data value into $sender_address_data */
2078 sender_address_data = sender_vaddr->p.address_data;
2081 /* A recipient address just gets a straightforward verify; again we must handle
2082 the DEFER overrides. */
2088 if (success_on_redirect)
2089 verify_options |= vopt_success_on_redirect;
2091 /* We must use a copy of the address for verification, because it might
2095 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
2096 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
2097 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
2099 *basic_errno = addr2.basic_errno;
2100 *log_msgptr = addr2.message;
2101 *user_msgptr = (addr2.user_message != NULL)?
2102 addr2.user_message : addr2.message;
2104 /* Allow details for temporary error if the address is so flagged. */
2105 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
2107 /* Make $address_data visible */
2108 deliver_address_data = addr2.p.address_data;
2111 /* We have a result from the relevant test. Handle defer overrides first. */
2113 if (rc == DEFER && (defer_ok ||
2114 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
2116 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
2117 defer_ok? "defer_ok" : "callout_defer_ok");
2121 /* If we've failed a sender, set up a recipient message, and point
2122 sender_verified_failed to the address item that actually failed. */
2124 if (rc != OK && verify_sender_address != NULL)
2128 *log_msgptr = *user_msgptr = US"Sender verify failed";
2130 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2132 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2136 *log_msgptr = US"Could not complete sender verify callout";
2137 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2141 sender_verified_failed = sender_vaddr;
2144 /* Verifying an address messes up the values of $domain and $local_part,
2145 so reset them before returning if this is a RCPT ACL. */
2149 deliver_domain = addr->domain;
2150 deliver_localpart = addr->local_part;
2154 /* Syntax errors in the verify argument come here. */
2157 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
2158 "\"helo\", \"header_syntax\", \"header_sender\" or "
2159 "\"reverse_host_lookup\" at start of ACL condition "
2160 "\"verify %s\"", arg);
2167 /*************************************************
2168 * Check argument for control= modifier *
2169 *************************************************/
2171 /* Called from acl_check_condition() below
2174 arg the argument string for control=
2175 pptr set to point to the terminating character
2176 where which ACL we are in
2177 log_msgptr for error messages
2179 Returns: CONTROL_xxx value
2183 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2188 for (d = controls_list;
2189 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2192 len = Ustrlen(d->name);
2193 if (Ustrncmp(d->name, arg, len) == 0) break;
2196 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2197 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2199 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2200 return CONTROL_ERROR;
2210 /*************************************************
2211 * Return a ratelimit error *
2212 *************************************************/
2214 /* Called from acl_ratelimit() below
2217 log_msgptr for error messages
2218 format format string
2219 ... supplementary arguments
2220 ss ratelimit option name
2221 where ACL_WHERE_xxxx indicating which ACL this is
2227 ratelimit_error(uschar **log_msgptr, const char *format, ...)
2230 uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2231 va_start(ap, format);
2232 if (!string_vformat(buffer, sizeof(buffer), format, ap))
2233 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2234 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
2236 *log_msgptr = string_sprintf(
2237 "error in arguments to \"ratelimit\" condition: %s", buffer);
2244 /*************************************************
2245 * Handle rate limiting *
2246 *************************************************/
2248 /* Called by acl_check_condition() below to calculate the result
2249 of the ACL ratelimit condition.
2251 Note that the return value might be slightly unexpected: if the
2252 sender's rate is above the limit then the result is OK. This is
2253 similar to the dnslists condition, and is so that you can write
2254 ACL clauses like: defer ratelimit = 15 / 1h
2257 arg the option string for ratelimit=
2258 where ACL_WHERE_xxxx indicating which ACL this is
2259 log_msgptr for error messages
2261 Returns: OK - Sender's rate is above limit
2262 FAIL - Sender's rate is below limit
2263 DEFER - Problem opening ratelimit database
2264 ERROR - Syntax error in options.
2268 acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
2270 double limit, period, count;
2273 uschar *unique = NULL;
2275 BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2276 BOOL noupdate = FALSE, badacl = FALSE;
2277 int mode = RATE_PER_WHAT;
2279 tree_node **anchor, *t;
2280 open_db dbblock, *dbm;
2282 dbdata_ratelimit *dbd;
2283 dbdata_ratelimit_unique *dbdb;
2286 /* Parse the first two options and record their values in expansion
2287 variables. These variables allow the configuration to have informative
2288 error messages based on rate limits obtained from a table lookup. */
2290 /* First is the maximum number of messages per period / maximum burst
2291 size, which must be greater than or equal to zero. Zero is useful for
2292 rate measurement as opposed to rate limiting. */
2294 sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2295 if (sender_rate_limit == NULL)
2299 limit = Ustrtod(sender_rate_limit, &ss);
2300 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2301 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2302 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2304 if (limit < 0.0 || *ss != '\0')
2305 return ratelimit_error(log_msgptr,
2306 "\"%s\" is not a positive number", sender_rate_limit);
2308 /* Second is the rate measurement period / exponential smoothing time
2309 constant. This must be strictly greater than zero, because zero leads to
2310 run-time division errors. */
2312 sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2313 if (sender_rate_period == NULL) period = -1.0;
2314 else period = readconf_readtime(sender_rate_period, 0, FALSE);
2316 return ratelimit_error(log_msgptr,
2317 "\"%s\" is not a time value", sender_rate_period);
2319 /* By default we are counting one of something, but the per_rcpt,
2320 per_byte, and count options can change this. */
2324 /* Parse the other options. */
2326 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2329 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2330 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2331 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
2332 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2333 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2334 else if (strcmpic(ss, US"per_conn") == 0)
2336 RATE_SET(mode, PER_CONN);
2337 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2340 else if (strcmpic(ss, US"per_mail") == 0)
2342 RATE_SET(mode, PER_MAIL);
2343 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2345 else if (strcmpic(ss, US"per_rcpt") == 0)
2347 /* If we are running in the RCPT ACL, then we'll count the recipients
2348 one by one, but if we are running when we have accumulated the whole
2349 list then we'll add them all in one batch. */
2350 if (where == ACL_WHERE_RCPT)
2351 RATE_SET(mode, PER_RCPT);
2352 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2353 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2354 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2355 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2357 else if (strcmpic(ss, US"per_byte") == 0)
2359 /* If we have not yet received the message data and there was no SIZE
2360 declaration on the MAIL comand, then it's safe to just use a value of
2361 zero and let the recorded rate decay as if nothing happened. */
2362 RATE_SET(mode, PER_MAIL);
2363 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2364 else count = message_size < 0 ? 0.0 : (double)message_size;
2366 else if (strcmpic(ss, US"per_addr") == 0)
2368 RATE_SET(mode, PER_RCPT);
2369 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
2370 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2372 else if (strncmpic(ss, US"count=", 6) == 0)
2375 count = Ustrtod(ss+6, &e);
2376 if (count < 0.0 || *e != '\0')
2377 return ratelimit_error(log_msgptr,
2378 "\"%s\" is not a positive number", ss);
2380 else if (strncmpic(ss, US"unique=", 7) == 0)
2381 unique = string_copy(ss + 7);
2382 else if (key == NULL)
2383 key = string_copy(ss);
2385 key = string_sprintf("%s/%s", key, ss);
2388 /* Sanity check. When the badacl flag is set the update mode must either
2389 be readonly (which is the default if it is omitted) or, for backwards
2390 compatibility, a combination of noupdate and strict or leaky. */
2392 if (mode == RATE_PER_CLASH)
2393 return ratelimit_error(log_msgptr, "conflicting per_* options");
2394 if (leaky + strict + readonly > 1)
2395 return ratelimit_error(log_msgptr, "conflicting update modes");
2396 if (badacl && (leaky || strict) && !noupdate)
2397 return ratelimit_error(log_msgptr,
2398 "\"%s\" must not have /leaky or /strict option in %s ACL",
2399 ratelimit_option_string[mode], acl_wherenames[where]);
2401 /* Set the default values of any unset options. In readonly mode we
2402 perform the rate computation without any increment so that its value
2403 decays to eventually allow over-limit senders through. */
2405 if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2406 if (badacl) readonly = TRUE;
2407 if (readonly) count = 0.0;
2408 if (!strict && !readonly) leaky = TRUE;
2409 if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
2411 /* Create the lookup key. If there is no explicit key, use sender_host_address.
2412 If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2413 omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2414 are added to the key because they alter the meaning of the stored data. */
2417 key = (sender_host_address == NULL)? US"" : sender_host_address;
2419 key = string_sprintf("%s/%s/%s%s",
2421 ratelimit_option_string[mode],
2422 unique == NULL ? "" : "unique/",
2426 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
2428 /* See if we have already computed the rate by looking in the relevant tree.
2429 For per-connection rate limiting, store tree nodes and dbdata in the permanent
2430 pool so that they survive across resets. In readonly mode we only remember the
2431 result for the rest of this command in case a later command changes it. After
2432 this bit of logic the code is independent of the per_* mode. */
2434 old_pool = store_pool;
2437 anchor = &ratelimiters_cmd;
2440 anchor = &ratelimiters_conn;
2441 store_pool = POOL_PERM;
2445 case RATE_PER_ALLRCPTS:
2446 anchor = &ratelimiters_mail;
2451 anchor = &ratelimiters_cmd;
2454 anchor = NULL; /* silence an "unused" complaint */
2455 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2456 "internal ACL error: unknown ratelimit mode %d", mode);
2460 t = tree_search(*anchor, key);
2464 /* The following few lines duplicate some of the code below. */
2465 rc = (dbd->rate < limit)? FAIL : OK;
2466 store_pool = old_pool;
2467 sender_rate = string_sprintf("%.1f", dbd->rate);
2469 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2473 /* We aren't using a pre-computed rate, so get a previously recorded rate
2474 from the database, which will be updated and written back if required. */
2476 dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2479 store_pool = old_pool;
2481 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2482 *log_msgptr = US"ratelimit database not available";
2485 dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2488 gettimeofday(&tv, NULL);
2492 /* Locate the basic ratelimit block inside the DB data. */
2493 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2496 /* Forget the old Bloom filter if it is too old, so that we count each
2497 repeating event once per period. We don't simply clear and re-use the old
2498 filter because we want its size to change if the limit changes. Note that
2499 we keep the dbd pointer for copying the rate into the new data block. */
2501 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2503 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2509 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2511 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2516 /* Allocate a new data block if the database lookup failed
2517 or the Bloom filter passed its age limit. */
2523 /* No Bloom filter. This basic ratelimit block is initialized below. */
2524 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2525 dbdb_size = sizeof(*dbd);
2526 dbdb = store_get(dbdb_size);
2531 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2533 /* See the long comment below for an explanation of the magic number 2.
2534 The filter has a minimum size in case the rate limit is very small;
2535 this is determined by the definition of dbdata_ratelimit_unique. */
2537 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2538 if (extra < 0) extra = 0;
2539 dbdb_size = sizeof(*dbdb) + extra;
2540 dbdb = store_get(dbdb_size);
2541 dbdb->bloom_epoch = tv.tv_sec;
2542 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2543 memset(dbdb->bloom, 0, dbdb->bloom_size);
2545 /* Preserve any basic ratelimit data (which is our longer-term memory)
2546 by copying it from the discarded block. */
2556 /* If we are counting unique events, find out if this event is new or not.
2557 If the client repeats the event during the current period then it should be
2558 counted. We skip this code in readonly mode for efficiency, because any
2559 changes to the filter will be discarded and because count is already set to
2562 if (unique != NULL && !readonly)
2564 /* We identify unique events using a Bloom filter. (You can find my
2565 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2566 With the per_addr option, an "event" is a recipient address, though the
2567 user can use the unique option to define their own events. We only count
2568 an event if we have not seen it before.
2570 We size the filter according to the rate limit, which (in leaky mode)
2571 is the limit on the population of the filter. We allow 16 bits of space
2572 per entry (see the construction code above) and we set (up to) 8 of them
2573 when inserting an element (see the loop below). The probability of a false
2574 positive (an event we have not seen before but which we fail to count) is
2578 allzero = exp(-numhash * pop / size)
2579 = exp(-0.5 * pop / limit)
2580 fpr = pow(1 - allzero, numhash)
2582 For senders at the limit the fpr is 0.06% or 1 in 1700
2583 and for senders at half the limit it is 0.0006% or 1 in 170000
2585 In strict mode the Bloom filter can fill up beyond the normal limit, in
2586 which case the false positive rate will rise. This means that the
2587 measured rate for very fast senders can bogusly drop off after a while.
2589 At twice the limit, the fpr is 2.5% or 1 in 40
2590 At four times the limit, it is 31% or 1 in 3.2
2592 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2593 decay below the limit, and if this is more than one then the Bloom filter
2594 will be discarded before the decay gets that far. The false positive rate
2595 at this threshold is 9.3% or 1 in 10.7. */
2598 unsigned n, hash, hinc;
2602 /* Instead of using eight independent hash values, we combine two values
2603 using the formula h1 + n * h2. This does not harm the Bloom filter's
2604 performance, and means the amount of hash we need is independent of the
2605 number of bits we set in the filter. */
2607 md5_start(&md5info);
2608 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2609 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2610 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2612 /* Scan the bits corresponding to this event. A zero bit means we have
2613 not seen it before. Ensure all bits are set to record this event. */
2615 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2618 for (n = 0; n < 8; n++, hash += hinc)
2620 int bit = 1 << (hash % 8);
2621 int byte = (hash / 8) % dbdb->bloom_size;
2622 if ((dbdb->bloom[byte] & bit) == 0)
2624 dbdb->bloom[byte] |= bit;
2629 /* If this event has occurred before, do not count it. */
2633 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2637 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2640 /* If there was no previous ratelimit data block for this key, initialize
2641 the new one, otherwise update the block from the database. The initial rate
2642 is what would be computed by the code below for an infinite interval. */
2646 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2648 dbd->time_stamp = tv.tv_sec;
2649 dbd->time_usec = tv.tv_usec;
2654 /* The smoothed rate is computed using an exponentially weighted moving
2655 average adjusted for variable sampling intervals. The standard EWMA for
2656 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2657 where f() is the measured value and f'() is the smoothed value.
2659 Old data decays out of the smoothed value exponentially, such that data n
2660 samples old is multiplied by a^n. The exponential decay time constant p
2661 is defined such that data p samples old is multiplied by 1/e, which means
2662 that a = exp(-1/p). We can maintain the same time constant for a variable
2663 sampling interval i by using a = exp(-i/p).
2665 The rate we are measuring is messages per period, suitable for directly
2666 comparing with the limit. The average rate between now and the previous
2667 message is period / interval, which we feed into the EWMA as the sample.
2669 It turns out that the number of messages required for the smoothed rate
2670 to reach the limit when they are sent in a burst is equal to the limit.
2671 This can be seen by analysing the value of the smoothed rate after N
2672 messages sent at even intervals. Let k = (1 - a) * p/i
2674 rate_1 = (1 - a) * p/i + a * rate_0
2676 rate_2 = k + a * rate_1
2677 = k + a * k + a^2 * rate_0
2678 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2679 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2680 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2681 = rate_0 * a^N + p/i * (1 - a^N)
2683 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2685 rate_N = p/i + (rate_0 - p/i) * a^N
2686 a^N = (rate_N - p/i) / (rate_0 - p/i)
2687 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2688 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2690 Numerical analysis of the above equation, setting the computed rate to
2691 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2692 rates, p/i, the number of messages N = limit. So limit serves as both the
2693 maximum rate measured in messages per period, and the maximum number of
2694 messages that can be sent in a fast burst. */
2696 double this_time = (double)tv.tv_sec
2697 + (double)tv.tv_usec / 1000000.0;
2698 double prev_time = (double)dbd->time_stamp
2699 + (double)dbd->time_usec / 1000000.0;
2701 /* We must avoid division by zero, and deal gracefully with the clock going
2702 backwards. If we blunder ahead when time is in reverse then the computed
2703 rate will be bogus. To be safe we clamp interval to a very small number. */
2705 double interval = this_time - prev_time <= 0.0 ? 1e-9
2706 : this_time - prev_time;
2708 double i_over_p = interval / period;
2709 double a = exp(-i_over_p);
2711 /* Combine the instantaneous rate (period / interval) with the previous rate
2712 using the smoothing factor a. In order to measure sized events, multiply the
2713 instantaneous rate by the count of bytes or recipients etc. */
2715 dbd->time_stamp = tv.tv_sec;
2716 dbd->time_usec = tv.tv_usec;
2717 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2719 /* When events are very widely spaced the computed rate tends towards zero.
2720 Although this is accurate it turns out not to be useful for our purposes,
2721 especially when the first event after a long silence is the start of a spam
2722 run. A more useful model is that the rate for an isolated event should be the
2723 size of the event per the period size, ignoring the lack of events outside
2724 the current period and regardless of where the event falls in the period. So,
2725 if the interval was so long that the calculated rate is unhelpfully small, we
2726 re-intialize the rate. In the absence of higher-rate bursts, the condition
2727 below is true if the interval is greater than the period. */
2729 if (dbd->rate < count) dbd->rate = count;
2732 /* Clients sending at the limit are considered to be over the limit.
2733 This matters for edge cases such as a limit of zero, when the client
2734 should be completely blocked. */
2736 rc = (dbd->rate < limit)? FAIL : OK;
2738 /* Update the state if the rate is low or if we are being strict. If we
2739 are in leaky mode and the sender's rate is too high, we do not update
2740 the recorded rate in order to avoid an over-aggressive sender's retry
2741 rate preventing them from getting any email through. If readonly is set,
2742 neither leaky nor strict are set, so we do not do any updates. */
2744 if ((rc == FAIL && leaky) || strict)
2746 dbfn_write(dbm, key, dbdb, dbdb_size);
2747 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2751 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
2752 readonly? "readonly mode" : "over the limit, but leaky");
2757 /* Store the result in the tree for future reference. */
2759 t = store_get(sizeof(tree_node) + Ustrlen(key));
2761 Ustrcpy(t->name, key);
2762 (void)tree_insertnode(anchor, t);
2764 /* We create the formatted version of the sender's rate very late in
2765 order to ensure that it is done using the correct storage pool. */
2767 store_pool = old_pool;
2768 sender_rate = string_sprintf("%.1f", dbd->rate);
2771 debug_printf("ratelimit computed rate %s\n", sender_rate);
2778 /*************************************************
2779 * Handle conditions/modifiers on an ACL item *
2780 *************************************************/
2782 /* Called from acl_check() below.
2786 cb ACL condition block - if NULL, result is OK
2787 where where called from
2788 addr the address being checked for RCPT, or NULL
2789 level the nesting level
2790 epp pointer to pass back TRUE if "endpass" encountered
2791 (applies only to "accept" and "discard")
2792 user_msgptr user message pointer
2793 log_msgptr log message pointer
2794 basic_errno pointer to where to put verify error
2796 Returns: OK - all conditions are met
2797 DISCARD - an "acl" condition returned DISCARD - only allowed
2798 for "accept" or "discard" verbs
2799 FAIL - at least one condition fails
2800 FAIL_DROP - an "acl" condition returned FAIL_DROP
2801 DEFER - can't tell at the moment (typically, lookup defer,
2802 but can be temporary callout problem)
2803 ERROR - ERROR from nested ACL or expansion failure or other
2808 acl_check_condition(int verb, acl_condition_block *cb, int where,
2809 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2810 uschar **log_msgptr, int *basic_errno)
2812 uschar *user_message = NULL;
2813 uschar *log_message = NULL;
2814 uschar *debug_tag = NULL;
2815 uschar *debug_opts = NULL;
2818 #ifdef WITH_CONTENT_SCAN
2822 for (; cb != NULL; cb = cb->next)
2827 /* The message and log_message items set up messages to be used in
2828 case of rejection. They are expanded later. */
2830 if (cb->type == ACLC_MESSAGE)
2832 user_message = cb->arg;
2836 if (cb->type == ACLC_LOG_MESSAGE)
2838 log_message = cb->arg;
2842 /* The endpass "condition" just sets a flag to show it occurred. This is
2843 checked at compile time to be on an "accept" or "discard" item. */
2845 if (cb->type == ACLC_ENDPASS)
2851 /* For other conditions and modifiers, the argument is expanded now for some
2852 of them, but not for all, because expansion happens down in some lower level
2853 checking functions in some cases. */
2855 if (cond_expand_at_top[cb->type])
2857 arg = expand_string(cb->arg);
2860 if (expand_string_forcedfail) continue;
2861 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2862 cb->arg, expand_string_message);
2863 return search_find_defer? DEFER : ERROR;
2868 /* Show condition, and expanded condition if it's different */
2873 debug_printf("check %s%s %n",
2874 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2875 conditions[cb->type], &lhswidth);
2877 if (cb->type == ACLC_SET)
2879 debug_printf("acl_%s ", cb->u.varname);
2880 lhswidth += 5 + Ustrlen(cb->u.varname);
2883 debug_printf("= %s\n", cb->arg);
2886 debug_printf("%.*s= %s\n", lhswidth,
2890 /* Check that this condition makes sense at this time */
2892 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2894 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2895 cond_modifiers[cb->type]? "use" : "test",
2896 conditions[cb->type], acl_wherenames[where]);
2900 /* Run the appropriate test for each condition, or take the appropriate
2901 action for the remaining modifiers. */
2905 case ACLC_ADD_HEADER:
2909 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2913 rc = acl_check_wargs(where, addr, arg, level+1, user_msgptr, log_msgptr);
2914 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2916 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2917 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2923 case ACLC_AUTHENTICATED:
2924 rc = (sender_host_authenticated == NULL)? FAIL :
2925 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2929 #ifdef EXPERIMENTAL_BRIGHTMAIL
2930 case ACLC_BMI_OPTIN:
2932 int old_pool = store_pool;
2933 store_pool = POOL_PERM;
2934 bmi_current_optin = string_copy(arg);
2935 store_pool = old_pool;
2940 case ACLC_CONDITION:
2941 /* The true/false parsing here should be kept in sync with that used in
2942 expand.c when dealing with ECOND_BOOL so that we don't have too many
2943 different definitions of what can be a boolean. */
2944 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2945 rc = (Uatoi(arg) == 0)? FAIL : OK;
2947 rc = (strcmpic(arg, US"no") == 0 ||
2948 strcmpic(arg, US"false") == 0)? FAIL :
2949 (strcmpic(arg, US"yes") == 0 ||
2950 strcmpic(arg, US"true") == 0)? OK : DEFER;
2952 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2955 case ACLC_CONTINUE: /* Always succeeds */
2959 control_type = decode_control(arg, &p, where, log_msgptr);
2961 /* Check if this control makes sense at this time */
2963 if ((control_forbids[control_type] & (1 << where)) != 0)
2965 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2966 controls[control_type], acl_wherenames[where]);
2970 switch(control_type)
2972 case CONTROL_AUTH_UNADVERTISED:
2973 allow_auth_unadvertised = TRUE;
2976 #ifdef EXPERIMENTAL_BRIGHTMAIL
2977 case CONTROL_BMI_RUN:
2982 #ifndef DISABLE_DKIM
2983 case CONTROL_DKIM_VERIFY:
2984 dkim_disable_verify = TRUE;
2991 int fd, af, level, optname, value;
2992 /* If we are acting on stdin, the setsockopt may fail if stdin is not
2993 a socket; we can accept that, we'll just debug-log failures anyway. */
2994 fd = fileno(smtp_in);
2995 af = ip_get_address_family(fd);
2999 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
3003 if (dscp_lookup(p+1, af, &level, &optname, &value))
3005 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3007 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
3008 p+1, strerror(errno));
3012 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
3017 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3023 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3031 case CONTROL_CASEFUL_LOCAL_PART:
3032 deliver_localpart = addr->cc_local_part;
3035 case CONTROL_CASELOWER_LOCAL_PART:
3036 deliver_localpart = addr->lc_local_part;
3039 case CONTROL_ENFORCE_SYNC:
3040 smtp_enforce_sync = TRUE;
3043 case CONTROL_NO_ENFORCE_SYNC:
3044 smtp_enforce_sync = FALSE;
3047 #ifdef WITH_CONTENT_SCAN
3048 case CONTROL_NO_MBOX_UNSPOOL:
3049 no_mbox_unspool = TRUE;
3053 case CONTROL_NO_MULTILINE:
3054 no_multiline_responses = TRUE;
3057 case CONTROL_NO_PIPELINING:
3058 pipelining_enable = FALSE;
3061 case CONTROL_NO_DELAY_FLUSH:
3062 disable_delay_flush = TRUE;
3065 case CONTROL_NO_CALLOUT_FLUSH:
3066 disable_callout_flush = TRUE;
3069 case CONTROL_FAKEDEFER:
3070 case CONTROL_FAKEREJECT:
3071 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
3075 while (*pp != 0) pp++;
3076 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
3081 /* Explicitly reset to default string */
3082 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
3086 case CONTROL_FREEZE:
3087 deliver_freeze = TRUE;
3088 deliver_frozen_at = time(NULL);
3089 freeze_tell = freeze_tell_config; /* Reset to configured value */
3090 if (Ustrncmp(p, "/no_tell", 8) == 0)
3097 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3102 case CONTROL_QUEUE_ONLY:
3103 queue_only_policy = TRUE;
3106 case CONTROL_SUBMISSION:
3107 originator_name = US"";
3108 submission_mode = TRUE;
3111 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3114 active_local_sender_retain = TRUE;
3115 active_local_from_check = FALSE;
3117 else if (Ustrncmp(p, "/domain=", 8) == 0)
3120 while (*pp != 0 && *pp != '/') pp++;
3121 submission_domain = string_copyn(p+8, pp-p-8);
3124 /* The name= option must be last, because it swallows the rest of
3126 else if (Ustrncmp(p, "/name=", 6) == 0)
3129 while (*pp != 0) pp++;
3130 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
3131 big_buffer, big_buffer_size));
3138 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3146 if (Ustrncmp(p, "/tag=", 5) == 0)
3149 while (*pp != '\0' && *pp != '/') pp++;
3150 debug_tag = string_copyn(p+5, pp-p-5);
3153 else if (Ustrncmp(p, "/opts=", 6) == 0)
3156 while (*pp != '\0' && *pp != '/') pp++;
3157 debug_opts = string_copyn(p+6, pp-p-6);
3161 debug_logging_activate(debug_tag, debug_opts);
3164 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3165 suppress_local_fixups = TRUE;
3168 case CONTROL_CUTTHROUGH_DELIVERY:
3171 *log_msgptr = string_sprintf("\"control=%s\" on frozen item", arg);
3174 if (queue_only_policy)
3176 *log_msgptr = string_sprintf("\"control=%s\" on queue-only item", arg);
3179 cutthrough_delivery = TRUE;
3184 #ifdef EXPERIMENTAL_DCC
3187 /* Seperate the regular expression and any optional parameters. */
3188 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3189 /* Run the dcc backend. */
3190 rc = dcc_process(&ss);
3191 /* Modify return code based upon the existance of options. */
3192 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3194 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3196 /* FAIL so that the message is passed to the next ACL */
3204 #ifdef WITH_CONTENT_SCAN
3206 rc = mime_decode(&arg);
3212 int delay = readconf_readtime(arg, 0, FALSE);
3215 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3216 "modifier: \"%s\" is not a time value", arg);
3221 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3226 debug_printf("delay skipped in -bh checking mode\n");
3229 /* It appears to be impossible to detect that a TCP/IP connection has
3230 gone away without reading from it. This means that we cannot shorten
3231 the delay below if the client goes away, because we cannot discover
3232 that the client has closed its end of the connection. (The connection
3233 is actually in a half-closed state, waiting for the server to close its
3234 end.) It would be nice to be able to detect this state, so that the
3235 Exim process is not held up unnecessarily. However, it seems that we
3236 can't. The poll() function does not do the right thing, and in any case
3237 it is not always available.
3239 NOTE 1: If ever this state of affairs changes, remember that we may be
3240 dealing with stdin/stdout here, in addition to TCP/IP connections.
3241 Also, delays may be specified for non-SMTP input, where smtp_out and
3242 smtp_in will be NULL. Whatever is done must work in all cases.
3244 NOTE 2: The added feature of flushing the output before a delay must
3245 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3250 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
3251 while (delay > 0) delay = sleep(delay);
3257 #ifdef WITH_OLD_DEMIME
3263 #ifndef DISABLE_DKIM
3264 case ACLC_DKIM_SIGNER:
3265 if (dkim_cur_signer != NULL)
3266 rc = match_isinlist(dkim_cur_signer,
3267 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3272 case ACLC_DKIM_STATUS:
3273 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3274 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3279 rc = verify_check_dnsbl(&arg);
3283 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3284 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3287 /* The value in tls_cipher is the full cipher name, for example,
3288 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3289 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3290 what may in practice come out of the SSL library - which at the time of
3291 writing is poorly documented. */
3293 case ACLC_ENCRYPTED:
3294 if (tls_in.cipher == NULL) rc = FAIL; else
3296 uschar *endcipher = NULL;
3297 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3298 if (cipher == NULL) cipher = tls_in.cipher; else
3300 endcipher = Ustrchr(++cipher, ':');
3301 if (endcipher != NULL) *endcipher = 0;
3303 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3304 if (endcipher != NULL) *endcipher = ':';
3308 /* Use verify_check_this_host() instead of verify_check_host() so that
3309 we can pass over &host_data to catch any looked up data. Once it has been
3310 set, it retains its value so that it's still there if another ACL verb
3311 comes through here and uses the cache. However, we must put it into
3312 permanent store in case it is also expected to be used in a subsequent
3313 message in the same SMTP connection. */
3316 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3317 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3318 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3321 case ACLC_LOCAL_PARTS:
3322 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3323 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3324 &deliver_localpart_data);
3327 case ACLC_LOG_REJECT_TARGET:
3333 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3336 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3337 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3338 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3341 logbits |= LOG_MAIN|LOG_REJECT;
3342 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3343 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3346 log_reject_target = logbits;
3359 if (Ustrncmp(s, "main", 4) == 0)
3360 { logbits |= LOG_MAIN; s += 4; }
3361 else if (Ustrncmp(s, "panic", 5) == 0)
3362 { logbits |= LOG_PANIC; s += 5; }
3363 else if (Ustrncmp(s, "reject", 6) == 0)
3364 { logbits |= LOG_REJECT; s += 6; }
3367 logbits = LOG_MAIN|LOG_PANIC;
3368 s = string_sprintf(":unknown log name in \"%s\" in "
3369 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3375 while (isspace(*s)) s++;
3378 if (logbits == 0) logbits = LOG_MAIN;
3379 log_write(0, logbits, "%s", string_printing(s));
3383 #ifdef WITH_CONTENT_SCAN
3386 /* Separate the regular expression and any optional parameters. */
3387 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3388 /* Run the malware backend. */
3390 /* Modify return code based upon the existance of options. */
3391 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3393 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3395 /* FAIL so that the message is passed to the next ACL */
3402 case ACLC_MIME_REGEX:
3403 rc = mime_regex(&arg);
3407 case ACLC_RATELIMIT:
3408 rc = acl_ratelimit(arg, where, log_msgptr);
3411 case ACLC_RECIPIENTS:
3412 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3416 #ifdef WITH_CONTENT_SCAN
3422 case ACLC_REMOVE_HEADER:
3423 setup_remove_header(arg);
3426 case ACLC_SENDER_DOMAINS:
3429 sdomain = Ustrrchr(sender_address, '@');
3430 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3431 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3432 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3437 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3438 sender_address_cache, -1, 0, &sender_data);
3441 /* Connection variables must persist forever */
3445 int old_pool = store_pool;
3446 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3447 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
3448 store_pool = old_pool;
3452 #ifdef WITH_CONTENT_SCAN
3455 /* Seperate the regular expression and any optional parameters. */
3456 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3457 /* Run the spam backend. */
3459 /* Modify return code based upon the existance of options. */
3460 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3462 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3464 /* FAIL so that the message is passed to the next ACL */
3472 #ifdef EXPERIMENTAL_SPF
3474 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3476 case ACLC_SPF_GUESS:
3477 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
3481 /* If the verb is WARN, discard any user message from verification, because
3482 such messages are SMTP responses, not header additions. The latter come
3483 only from explicit "message" modifiers. However, put the user message into
3484 $acl_verify_message so it can be used in subsequent conditions or modifiers
3485 (until something changes it). */
3488 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
3489 acl_verify_message = *user_msgptr;
3490 if (verb == ACL_WARN) *user_msgptr = NULL;
3494 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3495 "condition %d", cb->type);
3499 /* If a condition was negated, invert OK/FAIL. */
3501 if (!cond_modifiers[cb->type] && cb->u.negated)
3503 if (rc == OK) rc = FAIL;
3504 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3507 if (rc != OK) break; /* Conditions loop */
3511 /* If the result is the one for which "message" and/or "log_message" are used,
3512 handle the values of these modifiers. If there isn't a log message set, we make
3513 it the same as the user message.
3515 "message" is a user message that will be included in an SMTP response. Unless
3516 it is empty, it overrides any previously set user message.
3518 "log_message" is a non-user message, and it adds to any existing non-user
3519 message that is already set.
3521 Most verbs have but a single return for which the messages are relevant, but
3522 for "discard", it's useful to have the log message both when it succeeds and
3523 when it fails. For "accept", the message is used in the OK case if there is no
3524 "endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3527 if (*epp && rc == OK) user_message = NULL;
3529 if (((1<<rc) & msgcond[verb]) != 0)
3532 uschar *old_user_msgptr = *user_msgptr;
3533 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
3535 /* If the verb is "warn", messages generated by conditions (verification or
3536 nested ACLs) are always discarded. This also happens for acceptance verbs
3537 when they actually do accept. Only messages specified at this level are used.
3538 However, the value of an existing message is available in $acl_verify_message
3539 during expansions. */
3541 if (verb == ACL_WARN ||
3542 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3543 *log_msgptr = *user_msgptr = NULL;
3545 if (user_message != NULL)
3547 acl_verify_message = old_user_msgptr;
3548 expmessage = expand_string(user_message);
3549 if (expmessage == NULL)
3551 if (!expand_string_forcedfail)
3552 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3553 user_message, expand_string_message);
3555 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3558 if (log_message != NULL)
3560 acl_verify_message = old_log_msgptr;
3561 expmessage = expand_string(log_message);
3562 if (expmessage == NULL)
3564 if (!expand_string_forcedfail)
3565 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3566 log_message, expand_string_message);
3568 else if (expmessage[0] != 0)
3570 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3571 string_sprintf("%s: %s", expmessage, *log_msgptr);
3575 /* If no log message, default it to the user message */
3577 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3580 acl_verify_message = NULL;
3588 /*************************************************
3589 * Get line from a literal ACL *
3590 *************************************************/
3592 /* This function is passed to acl_read() in order to extract individual lines
3593 of a literal ACL, which we access via static pointers. We can destroy the
3594 contents because this is called only once (the compiled ACL is remembered).
3596 This code is intended to treat the data in the same way as lines in the main
3597 Exim configuration file. That is:
3599 . Leading spaces are ignored.
3601 . A \ at the end of a line is a continuation - trailing spaces after the \
3602 are permitted (this is because I don't believe in making invisible things
3603 significant). Leading spaces on the continued part of a line are ignored.
3605 . Physical lines starting (significantly) with # are totally ignored, and
3606 may appear within a sequence of backslash-continued lines.
3608 . Blank lines are ignored, but will end a sequence of continuations.
3611 Returns: a pointer to the next line
3615 static uschar *acl_text; /* Current pointer in the text */
3616 static uschar *acl_text_end; /* Points one past the terminating '0' */
3624 /* This loop handles leading blank lines and comments. */
3628 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3629 if (*acl_text == 0) return NULL; /* No more data */
3630 yield = acl_text; /* Potential data line */
3632 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3634 /* If we hit the end before a newline, we have the whole logical line. If
3635 it's a comment, there's no more data to be given. Otherwise, yield it. */
3637 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3639 /* After reaching a newline, end this loop if the physical line does not
3640 start with '#'. If it does, it's a comment, and the loop continues. */
3642 if (*yield != '#') break;
3645 /* This loop handles continuations. We know we have some real data, ending in
3646 newline. See if there is a continuation marker at the end (ignoring trailing
3647 white space). We know that *yield is not white space, so no need to test for
3648 cont > yield in the backwards scanning loop. */
3653 for (cont = acl_text - 1; isspace(*cont); cont--);
3655 /* If no continuation follows, we are done. Mark the end of the line and
3664 /* We have encountered a continuation. Skip over whitespace at the start of
3665 the next line, and indeed the whole of the next line or lines if they are
3670 while (*(++acl_text) == ' ' || *acl_text == '\t');
3671 if (*acl_text != '#') break;
3672 while (*(++acl_text) != 0 && *acl_text != '\n');
3675 /* We have the start of a continuation line. Move all the rest of the data
3676 to join onto the previous line, and then find its end. If the end is not a
3677 newline, we are done. Otherwise loop to look for another continuation. */
3679 memmove(cont, acl_text, acl_text_end - acl_text);
3680 acl_text_end -= acl_text - cont;
3682 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3683 if (*acl_text == 0) return yield;
3686 /* Control does not reach here */
3693 /*************************************************
3694 * Check access using an ACL *
3695 *************************************************/
3697 /* This function is called from address_check. It may recurse via
3698 acl_check_condition() - hence the use of a level to stop looping. The ACL is
3699 passed as a string which is expanded. A forced failure implies no access check
3700 is required. If the result is a single word, it is taken as the name of an ACL
3701 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3702 text, complete with newlines, and parsed as such. In both cases, the ACL check
3703 is then run. This function uses an auxiliary function for acl_read() to call
3704 for reading individual lines of a literal ACL. This is acl_getline(), which
3705 appears immediately above.
3708 where where called from
3709 addr address item when called from RCPT; otherwise NULL
3710 s the input string; NULL is the same as an empty ACL => DENY
3711 level the nesting level
3712 user_msgptr where to put a user error (for SMTP response)
3713 log_msgptr where to put a logging message (not for SMTP response)
3715 Returns: OK access is granted
3716 DISCARD access is apparently granted...
3717 FAIL access is denied
3718 FAIL_DROP access is denied; drop the connection
3719 DEFER can't tell at the moment
3724 acl_check_internal(int where, address_item *addr, uschar *s, int level,
3725 uschar **user_msgptr, uschar **log_msgptr)
3728 acl_block *acl = NULL;
3729 uschar *acl_name = US"inline ACL";
3732 /* Catch configuration loops */
3736 *log_msgptr = US"ACL nested too deep: possible loop";
3742 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3746 /* At top level, we expand the incoming string. At lower levels, it has already
3747 been expanded as part of condition processing. */
3751 ss = expand_string(s);
3754 if (expand_string_forcedfail) return OK;
3755 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3756 expand_string_message);
3762 while (isspace(*ss))ss++;
3764 /* If we can't find a named ACL, the default is to parse it as an inline one.
3765 (Unless it begins with a slash; non-existent files give rise to an error.) */
3769 /* Handle the case of a string that does not contain any spaces. Look for a
3770 named ACL among those read from the configuration, or a previously read file.
3771 It is possible that the pointer to the ACL is NULL if the configuration
3772 contains a name with no data. If not found, and the text begins with '/',
3773 read an ACL from a file, and save it so it can be re-used. */
3775 if (Ustrchr(ss, ' ') == NULL)
3777 tree_node *t = tree_search(acl_anchor, ss);
3780 acl = (acl_block *)(t->data.ptr);
3783 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3786 acl_name = string_sprintf("ACL \"%s\"", ss);
3787 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3790 else if (*ss == '/')
3792 struct stat statbuf;
3793 fd = Uopen(ss, O_RDONLY, 0);
3796 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3801 if (fstat(fd, &statbuf) != 0)
3803 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3808 acl_text = store_get(statbuf.st_size + 1);
3809 acl_text_end = acl_text + statbuf.st_size + 1;
3811 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3813 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3814 ss, strerror(errno));
3817 acl_text[statbuf.st_size] = 0;
3820 acl_name = string_sprintf("ACL \"%s\"", ss);
3821 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3825 /* Parse an ACL that is still in text form. If it came from a file, remember it
3826 in the ACL tree, having read it into the POOL_PERM store pool so that it
3827 persists between multiple messages. */
3831 int old_pool = store_pool;
3832 if (fd >= 0) store_pool = POOL_PERM;
3833 acl = acl_read(acl_getline, log_msgptr);
3834 store_pool = old_pool;
3835 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3838 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3839 Ustrcpy(t->name, ss);
3841 (void)tree_insertnode(&acl_anchor, t);
3845 /* Now we have an ACL to use. It's possible it may be NULL. */
3850 int basic_errno = 0;
3851 BOOL endpass_seen = FALSE;
3853 *log_msgptr = *user_msgptr = NULL;
3854 acl_temp_details = FALSE;
3856 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
3857 acl->verb != ACL_ACCEPT &&
3858 acl->verb != ACL_WARN)
3860 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
3865 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3867 /* Clear out any search error message from a previous check before testing
3870 search_error_message = NULL;
3871 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3872 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3874 /* Handle special returns: DEFER causes a return except on a WARN verb;
3875 ERROR always causes a return. */
3880 HDEBUG(D_acl) debug_printf("%s: condition test deferred in %s\n", verbs[acl->verb], acl_name);
3881 if (basic_errno != ERRNO_CALLOUTDEFER)
3883 if (search_error_message != NULL && *search_error_message != 0)
3884 *log_msgptr = search_error_message;
3885 if (smtp_return_error_details) acl_temp_details = TRUE;
3889 acl_temp_details = TRUE;
3891 if (acl->verb != ACL_WARN) return DEFER;
3894 default: /* Paranoia */
3896 HDEBUG(D_acl) debug_printf("%s: condition test error in %s\n", verbs[acl->verb], acl_name);
3900 HDEBUG(D_acl) debug_printf("%s: condition test succeeded in %s\n",
3901 verbs[acl->verb], acl_name);
3905 HDEBUG(D_acl) debug_printf("%s: condition test failed in %s\n", verbs[acl->verb], acl_name);
3908 /* DISCARD and DROP can happen only from a nested ACL condition, and
3909 DISCARD can happen only for an "accept" or "discard" verb. */
3912 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\" in %s\n",
3913 verbs[acl->verb], acl_name);
3917 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\" in %s\n",
3918 verbs[acl->verb], acl_name);
3922 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3923 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3924 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3929 if (cond == OK || cond == DISCARD) return cond;
3932 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3940 acl_temp_details = TRUE;
3946 if (cond == OK) return FAIL;
3950 if (cond == OK || cond == DISCARD) return DISCARD;
3953 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3959 if (cond == OK) return FAIL_DROP;
3963 if (cond != OK) return cond;
3968 acl_warn(where, *user_msgptr, *log_msgptr);
3969 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
3970 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3971 "condition test deferred%s%s", host_and_ident(TRUE),
3972 (*log_msgptr == NULL)? US"" : US": ",
3973 (*log_msgptr == NULL)? US"" : *log_msgptr);
3974 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3978 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3983 /* Pass to the next ACL item */
3988 /* We have reached the end of the ACL. This is an implicit DENY. */
3990 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3997 /* Same args as acl_check_internal() above, but the string s is
3998 the name of an ACL followed optionally by up to 9 space-separated arguments.
3999 The name and args are separately expanded. Args go into $acl_arg globals. */
4001 acl_check_wargs(int where, address_item *addr, uschar *s, int level,
4002 uschar **user_msgptr, uschar **log_msgptr)
4005 uschar * tmp_arg[9]; /* must match acl_arg[] */
4006 uschar * sav_arg[9]; /* must match acl_arg[] */
4012 if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
4015 for (i = 0; i < 9; i++)
4017 while (*s && isspace(*s)) s++;
4019 if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
4026 sav_narg = acl_narg;
4028 for (i = 0; i < acl_narg; i++)
4030 sav_arg[i] = acl_arg[i];
4031 acl_arg[i] = tmp_arg[i];
4035 sav_arg[i] = acl_arg[i];
4036 acl_arg[i++] = NULL;
4039 ret = acl_check_internal(where, addr, name, level, user_msgptr, log_msgptr);
4041 acl_narg = sav_narg;
4042 for (i = 0; i < 9; i++) acl_arg[i] = sav_arg[i];
4046 if (expand_string_forcedfail) return ERROR;
4047 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
4048 tmp, expand_string_message);
4049 return search_find_defer?DEFER:ERROR;
4054 /*************************************************
4055 * Check access using an ACL *
4056 *************************************************/
4058 /* Alternate interface for ACL, used by expansions */
4060 acl_eval(int where, uschar *s, uschar **user_msgptr, uschar **log_msgptr)
4063 address_item *addr = NULL;
4065 *user_msgptr = *log_msgptr = NULL;
4066 sender_verified_failed = NULL;
4067 ratelimiters_cmd = NULL;
4068 log_reject_target = LOG_MAIN|LOG_REJECT;
4070 if (where == ACL_WHERE_RCPT)
4072 adb = address_defaults;
4074 addr->address = expand_string(US"$local_part@$domain");
4075 addr->domain = deliver_domain;
4076 addr->local_part = deliver_localpart;
4077 addr->cc_local_part = deliver_localpart;
4078 addr->lc_local_part = deliver_localpart;
4081 return acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
4086 /* This is the external interface for ACL checks. It sets up an address and the
4087 expansions for $domain and $local_part when called after RCPT, then calls
4088 acl_check_internal() to do the actual work.
4091 where ACL_WHERE_xxxx indicating where called from
4092 recipient RCPT address for RCPT check, else NULL
4093 s the input string; NULL is the same as an empty ACL => DENY
4094 user_msgptr where to put a user error (for SMTP response)
4095 log_msgptr where to put a logging message (not for SMTP response)
4097 Returns: OK access is granted by an ACCEPT verb
4098 DISCARD access is granted by a DISCARD verb
4099 FAIL access is denied
4100 FAIL_DROP access is denied; drop the connection
4101 DEFER can't tell at the moment
4104 int acl_where = ACL_WHERE_UNKNOWN;
4107 acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
4108 uschar **log_msgptr)
4112 address_item *addr = NULL;
4114 *user_msgptr = *log_msgptr = NULL;
4115 sender_verified_failed = NULL;
4116 ratelimiters_cmd = NULL;
4117 log_reject_target = LOG_MAIN|LOG_REJECT;
4119 #ifdef EXPERIMENTAL_PRDR
4120 if (where == ACL_WHERE_RCPT || where == ACL_WHERE_PRDR )
4122 if (where == ACL_WHERE_RCPT )
4125 adb = address_defaults;
4127 addr->address = recipient;
4128 if (deliver_split_address(addr) == DEFER)
4130 *log_msgptr = US"defer in percent_hack_domains check";
4133 deliver_domain = addr->domain;
4134 deliver_localpart = addr->local_part;
4138 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
4139 acl_where = ACL_WHERE_UNKNOWN;
4141 /* Cutthrough - if requested,
4142 and WHERE_RCPT and not yet opened conn as result of recipient-verify,
4143 and rcpt acl returned accept,
4144 and first recipient (cancel on any subsequents)
4145 open one now and run it up to RCPT acceptance.
4146 A failed verify should cancel cutthrough request.
4148 Initial implementation: dual-write to spool.
4149 Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
4151 Cease cutthrough copy on rxd final dot; do not send one.
4153 On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
4155 On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
4156 perm-rejected, reflect that to the original sender - and dump the spooled copy.
4157 If temp-reject, close the conn (and keep the spooled copy).
4158 If conn-failure, no action (and keep the spooled copy).
4162 case ACL_WHERE_RCPT:
4163 #ifdef EXPERIMENTAL_PRDR
4164 case ACL_WHERE_PRDR:
4166 if( rcpt_count > 1 )
4167 cancel_cutthrough_connection("more than one recipient");
4168 else if (rc == OK && cutthrough_delivery && cutthrough_fd < 0)
4169 open_cutthrough_connection(addr);
4172 case ACL_WHERE_PREDATA:
4174 cutthrough_predata();
4176 cancel_cutthrough_connection("predata acl not ok");
4179 case ACL_WHERE_QUIT:
4180 case ACL_WHERE_NOTQUIT:
4181 cancel_cutthrough_connection("quit or notquit");
4188 deliver_domain = deliver_localpart = deliver_address_data =
4189 sender_address_data = NULL;
4191 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
4192 ACL, which is really in the middle of an SMTP command. */
4196 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
4198 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
4199 "ACL", acl_wherenames[where]);
4205 /* A DROP response is not permitted from MAILAUTH */
4207 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
4209 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
4210 "ACL", acl_wherenames[where]);
4214 /* Before giving a response, take a look at the length of any user message, and
4215 split it up into multiple lines if possible. */
4217 *user_msgptr = string_split_message(*user_msgptr);
4218 if (fake_response != OK)
4219 fake_response_text = string_split_message(fake_response_text);
4225 /*************************************************
4226 * Create ACL variable *
4227 *************************************************/
4229 /* Create an ACL variable or reuse an existing one. ACL variables are in a
4230 binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
4233 name pointer to the variable's name, starting with c or m
4235 Returns the pointer to variable's tree node
4239 acl_var_create(uschar *name)
4241 tree_node *node, **root;
4242 root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
4243 node = tree_search(*root, name);
4246 node = store_get(sizeof(tree_node) + Ustrlen(name));
4247 Ustrcpy(node->name, name);
4248 (void)tree_insertnode(root, node);
4250 node->data.ptr = NULL;
4256 /*************************************************
4257 * Write an ACL variable in spool format *
4258 *************************************************/
4260 /* This function is used as a callback for tree_walk when writing variables to
4261 the spool file. To retain spool file compatibility, what is written is -aclc or
4262 -aclm followed by the rest of the name and the data length, space separated,
4263 then the value itself, starting on a new line, and terminated by an additional
4264 newline. When we had only numbered ACL variables, the first line might look
4265 like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
4269 name of the variable
4270 value of the variable
4271 ctx FILE pointer (as a void pointer)
4277 acl_var_write(uschar *name, uschar *value, void *ctx)
4279 FILE *f = (FILE *)ctx;
4280 fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);