Commit | Line | Data |
---|---|---|
059ec3d9 PH |
1 | /************************************************* |
2 | * Exim - an Internet mail transport agent * | |
3 | *************************************************/ | |
4 | ||
f9ba5e22 | 5 | /* Copyright (c) University of Cambridge 1995 - 2018 */ |
059ec3d9 PH |
6 | /* See the file NOTICE for conditions of use and distribution. */ |
7 | ||
8 | /* Functions for finding hosts, either by gethostbyname(), gethostbyaddr(), or | |
9 | directly via the DNS. When IPv6 is supported, getipnodebyname() and | |
10 | getipnodebyaddr() may be used instead of gethostbyname() and gethostbyaddr(), | |
11 | if the newer functions are available. This module also contains various other | |
12 | functions concerned with hosts and addresses, and a random number function, | |
13 | used for randomizing hosts with equal MXs but available for use in other parts | |
14 | of Exim. */ | |
15 | ||
16 | ||
17 | #include "exim.h" | |
18 | ||
19 | ||
20 | /* Static variable for preserving the list of interface addresses in case it is | |
21 | used more than once. */ | |
22 | ||
23 | static ip_address_item *local_interface_data = NULL; | |
24 | ||
25 | ||
26 | #ifdef USE_INET_NTOA_FIX | |
27 | /************************************************* | |
28 | * Replacement for broken inet_ntoa() * | |
29 | *************************************************/ | |
30 | ||
31 | /* On IRIX systems, gcc uses a different structure passing convention to the | |
32 | native libraries. This causes inet_ntoa() to always yield 0.0.0.0 or | |
33 | 255.255.255.255. To get round this, we provide a private version of the | |
34 | function here. It is used only if USE_INET_NTOA_FIX is set, which should happen | |
35 | only when gcc is in use on an IRIX system. Code send to me by J.T. Breitner, | |
36 | with these comments: | |
37 | ||
38 | code by Stuart Levy | |
39 | as seen in comp.sys.sgi.admin | |
40 | ||
2548ba04 PH |
41 | August 2005: Apparently this is also needed for AIX systems; USE_INET_NTOA_FIX |
42 | should now be set for them as well. | |
43 | ||
059ec3d9 PH |
44 | Arguments: sa an in_addr structure |
45 | Returns: pointer to static text string | |
46 | */ | |
47 | ||
48 | char * | |
49 | inet_ntoa(struct in_addr sa) | |
50 | { | |
51 | static uschar addr[20]; | |
52 | sprintf(addr, "%d.%d.%d.%d", | |
53 | (US &sa.s_addr)[0], | |
54 | (US &sa.s_addr)[1], | |
55 | (US &sa.s_addr)[2], | |
56 | (US &sa.s_addr)[3]); | |
57 | return addr; | |
58 | } | |
59 | #endif | |
60 | ||
61 | ||
62 | ||
63 | /************************************************* | |
64 | * Random number generator * | |
65 | *************************************************/ | |
66 | ||
67 | /* This is a simple pseudo-random number generator. It does not have to be | |
68 | very good for the uses to which it is put. When running the regression tests, | |
69 | start with a fixed seed. | |
70 | ||
17c76198 | 71 | If you need better, see vaguely_random_number() which is potentially stronger, |
9e3331ea TK |
72 | if a crypto library is available, but might end up just calling this instead. |
73 | ||
059ec3d9 PH |
74 | Arguments: |
75 | limit: one more than the largest number required | |
76 | ||
77 | Returns: a pseudo-random number in the range 0 to limit-1 | |
78 | */ | |
79 | ||
80 | int | |
81 | random_number(int limit) | |
82 | { | |
9e3331ea TK |
83 | if (limit < 1) |
84 | return 0; | |
059ec3d9 PH |
85 | if (random_seed == 0) |
86 | { | |
8768d548 | 87 | if (f.running_in_test_harness) random_seed = 42; else |
059ec3d9 PH |
88 | { |
89 | int p = (int)getpid(); | |
90 | random_seed = (int)time(NULL) ^ ((p << 16) | p); | |
91 | } | |
92 | } | |
93 | random_seed = 1103515245 * random_seed + 12345; | |
94 | return (unsigned int)(random_seed >> 16) % limit; | |
95 | } | |
96 | ||
846430d9 JH |
97 | /************************************************* |
98 | * Wrappers for logging lookup times * | |
99 | *************************************************/ | |
100 | ||
101 | /* When the 'slow_lookup_log' variable is enabled, these wrappers will | |
102 | write to the log file all (potential) dns lookups that take more than | |
103 | slow_lookup_log milliseconds | |
104 | */ | |
105 | ||
106 | static void | |
107 | log_long_lookup(const uschar * type, const uschar * data, unsigned long msec) | |
108 | { | |
109 | log_write(0, LOG_MAIN, "Long %s lookup for '%s': %lu msec", | |
110 | type, data, msec); | |
111 | } | |
112 | ||
113 | ||
114 | /* returns the current system epoch time in milliseconds. */ | |
115 | static unsigned long | |
116 | get_time_in_ms() | |
117 | { | |
118 | struct timeval tmp_time; | |
119 | unsigned long seconds, microseconds; | |
120 | ||
121 | gettimeofday(&tmp_time, NULL); | |
122 | seconds = (unsigned long) tmp_time.tv_sec; | |
123 | microseconds = (unsigned long) tmp_time.tv_usec; | |
124 | return seconds*1000 + microseconds/1000; | |
125 | } | |
126 | ||
127 | ||
128 | static int | |
129 | dns_lookup_timerwrap(dns_answer *dnsa, const uschar *name, int type, | |
130 | const uschar **fully_qualified_name) | |
131 | { | |
132 | int retval; | |
133 | unsigned long time_msec; | |
134 | ||
135 | if (!slow_lookup_log) | |
136 | return dns_lookup(dnsa, name, type, fully_qualified_name); | |
137 | ||
138 | time_msec = get_time_in_ms(); | |
139 | retval = dns_lookup(dnsa, name, type, fully_qualified_name); | |
140 | if ((time_msec = get_time_in_ms() - time_msec) > slow_lookup_log) | |
30795c5e | 141 | log_long_lookup(dns_text_type(type), name, time_msec); |
846430d9 JH |
142 | return retval; |
143 | } | |
059ec3d9 PH |
144 | |
145 | ||
e7726cbf PH |
146 | /************************************************* |
147 | * Replace gethostbyname() when testing * | |
148 | *************************************************/ | |
149 | ||
150 | /* This function is called instead of gethostbyname(), gethostbyname2(), or | |
1fb7660f | 151 | getipnodebyname() when running in the test harness. . It also |
7a546ad5 PH |
152 | recognizes an unqualified "localhost" and forces it to the appropriate loopback |
153 | address. IP addresses are treated as literals. For other names, it uses the DNS | |
75e0e026 PH |
154 | to find the host name. In the test harness, this means it will access only the |
155 | fake DNS resolver. | |
e7726cbf PH |
156 | |
157 | Arguments: | |
158 | name the host name or a textual IP address | |
159 | af AF_INET or AF_INET6 | |
160 | error_num where to put an error code: | |
161 | HOST_NOT_FOUND/TRY_AGAIN/NO_RECOVERY/NO_DATA | |
162 | ||
163 | Returns: a hostent structure or NULL for an error | |
164 | */ | |
165 | ||
166 | static struct hostent * | |
55414b25 | 167 | host_fake_gethostbyname(const uschar *name, int af, int *error_num) |
e7726cbf | 168 | { |
70d67ad3 | 169 | #if HAVE_IPV6 |
e7726cbf | 170 | int alen = (af == AF_INET)? sizeof(struct in_addr):sizeof(struct in6_addr); |
70d67ad3 PH |
171 | #else |
172 | int alen = sizeof(struct in_addr); | |
173 | #endif | |
174 | ||
175 | int ipa; | |
55414b25 | 176 | const uschar *lname = name; |
e7726cbf PH |
177 | uschar *adds; |
178 | uschar **alist; | |
179 | struct hostent *yield; | |
8743d3ac | 180 | dns_answer * dnsa = store_get_dns_answer(); |
e7726cbf | 181 | dns_scan dnss; |
e7726cbf PH |
182 | |
183 | DEBUG(D_host_lookup) | |
184 | debug_printf("using host_fake_gethostbyname for %s (%s)\n", name, | |
accf9211 | 185 | af == AF_INET ? "IPv4" : "IPv6"); |
e7726cbf | 186 | |
7a546ad5 PH |
187 | /* Handle unqualified "localhost" */ |
188 | ||
e7726cbf | 189 | if (Ustrcmp(name, "localhost") == 0) |
accf9211 | 190 | lname = af == AF_INET ? US"127.0.0.1" : US"::1"; |
e7726cbf PH |
191 | |
192 | /* Handle a literal IP address */ | |
193 | ||
d7978c0f | 194 | if ((ipa = string_is_ip_address(lname, NULL)) != 0) |
accf9211 JH |
195 | if ( ipa == 4 && af == AF_INET |
196 | || ipa == 6 && af == AF_INET6) | |
e7726cbf | 197 | { |
e7726cbf | 198 | int x[4]; |
f3ebb786 JH |
199 | yield = store_get(sizeof(struct hostent), FALSE); |
200 | alist = store_get(2 * sizeof(char *), FALSE); | |
201 | adds = store_get(alen, FALSE); | |
e7726cbf PH |
202 | yield->h_name = CS name; |
203 | yield->h_aliases = NULL; | |
204 | yield->h_addrtype = af; | |
205 | yield->h_length = alen; | |
206 | yield->h_addr_list = CSS alist; | |
207 | *alist++ = adds; | |
d7978c0f | 208 | for (int n = host_aton(lname, x), i = 0; i < n; i++) |
e7726cbf PH |
209 | { |
210 | int y = x[i]; | |
211 | *adds++ = (y >> 24) & 255; | |
212 | *adds++ = (y >> 16) & 255; | |
213 | *adds++ = (y >> 8) & 255; | |
214 | *adds++ = y & 255; | |
215 | } | |
216 | *alist = NULL; | |
217 | } | |
218 | ||
219 | /* Wrong kind of literal address */ | |
220 | ||
221 | else | |
222 | { | |
223 | *error_num = HOST_NOT_FOUND; | |
224 | return NULL; | |
225 | } | |
e7726cbf PH |
226 | |
227 | /* Handle a host name */ | |
228 | ||
229 | else | |
230 | { | |
accf9211 | 231 | int type = af == AF_INET ? T_A:T_AAAA; |
8743d3ac | 232 | int rc = dns_lookup_timerwrap(dnsa, lname, type, NULL); |
e7726cbf PH |
233 | int count = 0; |
234 | ||
4e0983dc JH |
235 | lookup_dnssec_authenticated = NULL; |
236 | ||
e7726cbf PH |
237 | switch(rc) |
238 | { | |
239 | case DNS_SUCCEED: break; | |
240 | case DNS_NOMATCH: *error_num = HOST_NOT_FOUND; return NULL; | |
241 | case DNS_NODATA: *error_num = NO_DATA; return NULL; | |
242 | case DNS_AGAIN: *error_num = TRY_AGAIN; return NULL; | |
243 | default: | |
244 | case DNS_FAIL: *error_num = NO_RECOVERY; return NULL; | |
245 | } | |
246 | ||
8743d3ac | 247 | for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); |
e1a3f32f | 248 | rr; |
8743d3ac | 249 | rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == type) |
d7978c0f | 250 | count++; |
e7726cbf | 251 | |
f3ebb786 JH |
252 | yield = store_get(sizeof(struct hostent), FALSE); |
253 | alist = store_get((count + 1) * sizeof(char *), FALSE); | |
254 | adds = store_get(count *alen, FALSE); | |
e7726cbf PH |
255 | |
256 | yield->h_name = CS name; | |
257 | yield->h_aliases = NULL; | |
258 | yield->h_addrtype = af; | |
259 | yield->h_length = alen; | |
260 | yield->h_addr_list = CSS alist; | |
261 | ||
8743d3ac | 262 | for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); |
e1a3f32f | 263 | rr; |
8743d3ac | 264 | rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == type) |
e7726cbf | 265 | { |
e7726cbf PH |
266 | int x[4]; |
267 | dns_address *da; | |
8743d3ac | 268 | if (!(da = dns_address_from_rr(dnsa, rr))) break; |
e7726cbf | 269 | *alist++ = adds; |
d7978c0f | 270 | for (int n = host_aton(da->address, x), i = 0; i < n; i++) |
e7726cbf PH |
271 | { |
272 | int y = x[i]; | |
273 | *adds++ = (y >> 24) & 255; | |
274 | *adds++ = (y >> 16) & 255; | |
275 | *adds++ = (y >> 8) & 255; | |
276 | *adds++ = y & 255; | |
277 | } | |
278 | } | |
279 | *alist = NULL; | |
280 | } | |
281 | ||
282 | return yield; | |
283 | } | |
284 | ||
285 | ||
286 | ||
059ec3d9 PH |
287 | /************************************************* |
288 | * Build chain of host items from list * | |
289 | *************************************************/ | |
290 | ||
291 | /* This function builds a chain of host items from a textual list of host | |
292 | names. It does not do any lookups. If randomize is true, the chain is build in | |
293 | a randomized order. There may be multiple groups of independently randomized | |
294 | hosts; they are delimited by a host name consisting of just "+". | |
295 | ||
296 | Arguments: | |
297 | anchor anchor for the chain | |
298 | list text list | |
299 | randomize TRUE for randomizing | |
300 | ||
301 | Returns: nothing | |
302 | */ | |
303 | ||
304 | void | |
55414b25 | 305 | host_build_hostlist(host_item **anchor, const uschar *list, BOOL randomize) |
059ec3d9 PH |
306 | { |
307 | int sep = 0; | |
308 | int fake_mx = MX_NONE; /* This value is actually -1 */ | |
309 | uschar *name; | |
059ec3d9 | 310 | |
8b455685 | 311 | if (!list) return; |
059ec3d9 PH |
312 | if (randomize) fake_mx--; /* Start at -2 for randomizing */ |
313 | ||
314 | *anchor = NULL; | |
315 | ||
8b455685 | 316 | while ((name = string_nextinlist(&list, &sep, NULL, 0))) |
059ec3d9 PH |
317 | { |
318 | host_item *h; | |
319 | ||
320 | if (name[0] == '+' && name[1] == 0) /* "+" delimits a randomized group */ | |
321 | { /* ignore if not randomizing */ | |
322 | if (randomize) fake_mx--; | |
323 | continue; | |
324 | } | |
325 | ||
f3ebb786 | 326 | h = store_get(sizeof(host_item), FALSE); |
55414b25 | 327 | h->name = name; |
059ec3d9 PH |
328 | h->address = NULL; |
329 | h->port = PORT_NONE; | |
330 | h->mx = fake_mx; | |
331 | h->sort_key = randomize? (-fake_mx)*1000 + random_number(1000) : 0; | |
332 | h->status = hstatus_unknown; | |
333 | h->why = hwhy_unknown; | |
334 | h->last_try = 0; | |
335 | ||
8b455685 | 336 | if (!*anchor) |
059ec3d9 PH |
337 | { |
338 | h->next = NULL; | |
339 | *anchor = h; | |
340 | } | |
341 | else | |
342 | { | |
343 | host_item *hh = *anchor; | |
344 | if (h->sort_key < hh->sort_key) | |
345 | { | |
346 | h->next = hh; | |
347 | *anchor = h; | |
348 | } | |
349 | else | |
350 | { | |
8b455685 | 351 | while (hh->next && h->sort_key >= hh->next->sort_key) |
059ec3d9 PH |
352 | hh = hh->next; |
353 | h->next = hh->next; | |
354 | hh->next = h; | |
355 | } | |
356 | } | |
357 | } | |
358 | } | |
359 | ||
360 | ||
361 | ||
362 | ||
363 | ||
364 | /************************************************* | |
365 | * Extract port from address string * | |
366 | *************************************************/ | |
367 | ||
368 | /* In the spool file, and in the -oMa and -oMi options, a host plus port is | |
369 | given as an IP address followed by a dot and a port number. This function | |
370 | decodes this. | |
371 | ||
372 | An alternative format for the -oMa and -oMi options is [ip address]:port which | |
373 | is what Exim 4 uses for output, because it seems to becoming commonly used, | |
374 | whereas the dot form confuses some programs/people. So we recognize that form | |
375 | too. | |
376 | ||
377 | Argument: | |
378 | address points to the string; if there is a port, the '.' in the string | |
379 | is overwritten with zero to terminate the address; if the string | |
380 | is in the [xxx]:ppp format, the address is shifted left and the | |
381 | brackets are removed | |
382 | ||
383 | Returns: 0 if there is no port, else the port number. If there's a syntax | |
384 | error, leave the incoming address alone, and return 0. | |
385 | */ | |
386 | ||
387 | int | |
7cd1141b | 388 | host_address_extract_port(uschar *address) |
059ec3d9 PH |
389 | { |
390 | int port = 0; | |
391 | uschar *endptr; | |
392 | ||
393 | /* Handle the "bracketed with colon on the end" format */ | |
394 | ||
395 | if (*address == '[') | |
396 | { | |
397 | uschar *rb = address + 1; | |
398 | while (*rb != 0 && *rb != ']') rb++; | |
399 | if (*rb++ == 0) return 0; /* Missing ]; leave invalid address */ | |
400 | if (*rb == ':') | |
401 | { | |
402 | port = Ustrtol(rb + 1, &endptr, 10); | |
403 | if (*endptr != 0) return 0; /* Invalid port; leave invalid address */ | |
404 | } | |
405 | else if (*rb != 0) return 0; /* Bad syntax; leave invalid address */ | |
406 | memmove(address, address + 1, rb - address - 2); | |
407 | rb[-2] = 0; | |
408 | } | |
409 | ||
410 | /* Handle the "dot on the end" format */ | |
411 | ||
412 | else | |
413 | { | |
414 | int skip = -3; /* Skip 3 dots in IPv4 addresses */ | |
415 | address--; | |
416 | while (*(++address) != 0) | |
417 | { | |
418 | int ch = *address; | |
419 | if (ch == ':') skip = 0; /* Skip 0 dots in IPv6 addresses */ | |
420 | else if (ch == '.' && skip++ >= 0) break; | |
421 | } | |
422 | if (*address == 0) return 0; | |
423 | port = Ustrtol(address + 1, &endptr, 10); | |
424 | if (*endptr != 0) return 0; /* Invalid port; leave invalid address */ | |
425 | *address = 0; | |
426 | } | |
427 | ||
428 | return port; | |
429 | } | |
430 | ||
431 | ||
7cd1141b PH |
432 | /************************************************* |
433 | * Get port from a host item's name * | |
434 | *************************************************/ | |
435 | ||
436 | /* This function is called when finding the IP address for a host that is in a | |
437 | list of hosts explicitly configured, such as in the manualroute router, or in a | |
438 | fallback hosts list. We see if there is a port specification at the end of the | |
439 | host name, and if so, remove it. A minimum length of 3 is required for the | |
440 | original name; nothing shorter is recognized as having a port. | |
441 | ||
442 | We test for a name ending with a sequence of digits; if preceded by colon we | |
443 | have a port if the character before the colon is ] and the name starts with [ | |
444 | or if there are no other colons in the name (i.e. it's not an IPv6 address). | |
445 | ||
446 | Arguments: pointer to the host item | |
447 | Returns: a port number or PORT_NONE | |
448 | */ | |
449 | ||
450 | int | |
451 | host_item_get_port(host_item *h) | |
452 | { | |
55414b25 | 453 | const uschar *p; |
7cd1141b PH |
454 | int port, x; |
455 | int len = Ustrlen(h->name); | |
456 | ||
457 | if (len < 3 || (p = h->name + len - 1, !isdigit(*p))) return PORT_NONE; | |
458 | ||
459 | /* Extract potential port number */ | |
460 | ||
461 | port = *p-- - '0'; | |
462 | x = 10; | |
463 | ||
464 | while (p > h->name + 1 && isdigit(*p)) | |
465 | { | |
466 | port += (*p-- - '0') * x; | |
467 | x *= 10; | |
468 | } | |
469 | ||
470 | /* The smallest value of p at this point is h->name + 1. */ | |
471 | ||
472 | if (*p != ':') return PORT_NONE; | |
473 | ||
474 | if (p[-1] == ']' && h->name[0] == '[') | |
475 | h->name = string_copyn(h->name + 1, p - h->name - 2); | |
476 | else if (Ustrchr(h->name, ':') == p) | |
477 | h->name = string_copyn(h->name, p - h->name); | |
478 | else return PORT_NONE; | |
479 | ||
480 | DEBUG(D_route|D_host_lookup) debug_printf("host=%s port=%d\n", h->name, port); | |
481 | return port; | |
482 | } | |
483 | ||
484 | ||
059ec3d9 PH |
485 | |
486 | #ifndef STAND_ALONE /* Omit when standalone testing */ | |
487 | ||
488 | /************************************************* | |
489 | * Build sender_fullhost and sender_rcvhost * | |
490 | *************************************************/ | |
491 | ||
492 | /* This function is called when sender_host_name and/or sender_helo_name | |
493 | have been set. Or might have been set - for a local message read off the spool | |
494 | they won't be. In that case, do nothing. Otherwise, set up the fullhost string | |
495 | as follows: | |
496 | ||
497 | (a) No sender_host_name or sender_helo_name: "[ip address]" | |
498 | (b) Just sender_host_name: "host_name [ip address]" | |
82c19f95 PH |
499 | (c) Just sender_helo_name: "(helo_name) [ip address]" unless helo is IP |
500 | in which case: "[ip address}" | |
501 | (d) The two are identical: "host_name [ip address]" includes helo = IP | |
059ec3d9 PH |
502 | (e) The two are different: "host_name (helo_name) [ip address]" |
503 | ||
504 | If log_incoming_port is set, the sending host's port number is added to the IP | |
505 | address. | |
506 | ||
507 | This function also builds sender_rcvhost for use in Received: lines, whose | |
508 | syntax is a bit different. This value also includes the RFC 1413 identity. | |
509 | There wouldn't be two different variables if I had got all this right in the | |
510 | first place. | |
511 | ||
512 | Because this data may survive over more than one incoming SMTP message, it has | |
a5c60e3c JH |
513 | to be in permanent store. However, STARTTLS has to be forgotten and redone |
514 | on a multi-message conn, so this will be called once per message then. Hence | |
515 | we use malloc, so we can free. | |
059ec3d9 PH |
516 | |
517 | Arguments: none | |
518 | Returns: nothing | |
519 | */ | |
520 | ||
521 | void | |
522 | host_build_sender_fullhost(void) | |
523 | { | |
82c19f95 | 524 | BOOL show_helo = TRUE; |
f3ebb786 JH |
525 | uschar * address, * fullhost, * rcvhost; |
526 | rmark reset_point; | |
82c19f95 | 527 | int len; |
059ec3d9 | 528 | |
2d0dc929 | 529 | if (!sender_host_address) return; |
059ec3d9 | 530 | |
f3ebb786 | 531 | reset_point = store_mark(); |
059ec3d9 PH |
532 | |
533 | /* Set up address, with or without the port. After discussion, it seems that | |
534 | the only format that doesn't cause trouble is [aaaa]:pppp. However, we can't | |
535 | use this directly as the first item for Received: because it ain't an RFC 2822 | |
536 | domain. Sigh. */ | |
537 | ||
538 | address = string_sprintf("[%s]:%d", sender_host_address, sender_host_port); | |
6c6d6e48 | 539 | if (!LOGGING(incoming_port) || sender_host_port <= 0) |
059ec3d9 PH |
540 | *(Ustrrchr(address, ':')) = 0; |
541 | ||
82c19f95 PH |
542 | /* If there's no EHLO/HELO data, we can't show it. */ |
543 | ||
2d0dc929 | 544 | if (!sender_helo_name) show_helo = FALSE; |
82c19f95 PH |
545 | |
546 | /* If HELO/EHLO was followed by an IP literal, it's messy because of two | |
547 | features of IPv6. Firstly, there's the "IPv6:" prefix (Exim is liberal and | |
548 | doesn't require this, for historical reasons). Secondly, IPv6 addresses may not | |
4c04137d | 549 | be given in canonical form, so we have to canonicalize them before comparing. As |
82c19f95 PH |
550 | it happens, the code works for both IPv4 and IPv6. */ |
551 | ||
552 | else if (sender_helo_name[0] == '[' && | |
553 | sender_helo_name[(len=Ustrlen(sender_helo_name))-1] == ']') | |
554 | { | |
555 | int offset = 1; | |
556 | uschar *helo_ip; | |
557 | ||
558 | if (strncmpic(sender_helo_name + 1, US"IPv6:", 5) == 0) offset += 5; | |
559 | if (strncmpic(sender_helo_name + 1, US"IPv4:", 5) == 0) offset += 5; | |
560 | ||
561 | helo_ip = string_copyn(sender_helo_name + offset, len - offset - 1); | |
562 | ||
563 | if (string_is_ip_address(helo_ip, NULL) != 0) | |
564 | { | |
565 | int x[4], y[4]; | |
566 | int sizex, sizey; | |
567 | uschar ipx[48], ipy[48]; /* large enough for full IPv6 */ | |
568 | ||
569 | sizex = host_aton(helo_ip, x); | |
570 | sizey = host_aton(sender_host_address, y); | |
571 | ||
572 | (void)host_nmtoa(sizex, x, -1, ipx, ':'); | |
573 | (void)host_nmtoa(sizey, y, -1, ipy, ':'); | |
574 | ||
575 | if (strcmpic(ipx, ipy) == 0) show_helo = FALSE; | |
576 | } | |
577 | } | |
578 | ||
059ec3d9 PH |
579 | /* Host name is not verified */ |
580 | ||
acec9514 | 581 | if (!sender_host_name) |
059ec3d9 PH |
582 | { |
583 | uschar *portptr = Ustrstr(address, "]:"); | |
acec9514 | 584 | gstring * g; |
059ec3d9 PH |
585 | int adlen; /* Sun compiler doesn't like ++ in initializers */ |
586 | ||
acec9514 | 587 | adlen = portptr ? (++portptr - address) : Ustrlen(address); |
a5c60e3c | 588 | fullhost = sender_helo_name |
acec9514 JH |
589 | ? string_sprintf("(%s) %s", sender_helo_name, address) |
590 | : address; | |
059ec3d9 | 591 | |
acec9514 | 592 | g = string_catn(NULL, address, adlen); |
059ec3d9 | 593 | |
2d0dc929 | 594 | if (sender_ident || show_helo || portptr) |
059ec3d9 PH |
595 | { |
596 | int firstptr; | |
acec9514 JH |
597 | g = string_catn(g, US" (", 2); |
598 | firstptr = g->ptr; | |
059ec3d9 | 599 | |
acec9514 JH |
600 | if (portptr) |
601 | g = string_append(g, 2, US"port=", portptr + 1); | |
059ec3d9 | 602 | |
82c19f95 | 603 | if (show_helo) |
acec9514 JH |
604 | g = string_append(g, 2, |
605 | firstptr == g->ptr ? US"helo=" : US" helo=", sender_helo_name); | |
059ec3d9 | 606 | |
acec9514 JH |
607 | if (sender_ident) |
608 | g = string_append(g, 2, | |
609 | firstptr == g->ptr ? US"ident=" : US" ident=", sender_ident); | |
059ec3d9 | 610 | |
acec9514 | 611 | g = string_catn(g, US")", 1); |
059ec3d9 PH |
612 | } |
613 | ||
a5c60e3c | 614 | rcvhost = string_from_gstring(g); |
059ec3d9 PH |
615 | } |
616 | ||
82c19f95 PH |
617 | /* Host name is known and verified. Unless we've already found that the HELO |
618 | data matches the IP address, compare it with the name. */ | |
059ec3d9 PH |
619 | |
620 | else | |
621 | { | |
82c19f95 PH |
622 | if (show_helo && strcmpic(sender_host_name, sender_helo_name) == 0) |
623 | show_helo = FALSE; | |
5dd9625b | 624 | |
82c19f95 | 625 | if (show_helo) |
059ec3d9 | 626 | { |
a5c60e3c | 627 | fullhost = string_sprintf("%s (%s) %s", sender_host_name, |
059ec3d9 | 628 | sender_helo_name, address); |
a5c60e3c JH |
629 | rcvhost = sender_ident |
630 | ? string_sprintf("%s\n\t(%s helo=%s ident=%s)", sender_host_name, | |
631 | address, sender_helo_name, sender_ident) | |
632 | : string_sprintf("%s (%s helo=%s)", sender_host_name, | |
633 | address, sender_helo_name); | |
059ec3d9 | 634 | } |
82c19f95 PH |
635 | else |
636 | { | |
a5c60e3c JH |
637 | fullhost = string_sprintf("%s %s", sender_host_name, address); |
638 | rcvhost = sender_ident | |
639 | ? string_sprintf("%s (%s ident=%s)", sender_host_name, address, | |
640 | sender_ident) | |
641 | : string_sprintf("%s (%s)", sender_host_name, address); | |
82c19f95 | 642 | } |
059ec3d9 PH |
643 | } |
644 | ||
f3ebb786 JH |
645 | sender_fullhost = string_copy_perm(fullhost, TRUE); |
646 | sender_rcvhost = string_copy_perm(rcvhost, TRUE); | |
a5c60e3c JH |
647 | |
648 | store_reset(reset_point); | |
059ec3d9 PH |
649 | |
650 | DEBUG(D_host_lookup) debug_printf("sender_fullhost = %s\n", sender_fullhost); | |
651 | DEBUG(D_host_lookup) debug_printf("sender_rcvhost = %s\n", sender_rcvhost); | |
652 | } | |
653 | ||
654 | ||
655 | ||
656 | /************************************************* | |
657 | * Build host+ident message * | |
658 | *************************************************/ | |
659 | ||
660 | /* Used when logging rejections and various ACL and SMTP incidents. The text | |
661 | return depends on whether sender_fullhost and sender_ident are set or not: | |
662 | ||
663 | no ident, no host => U=unknown | |
664 | no ident, host set => H=sender_fullhost | |
665 | ident set, no host => U=ident | |
666 | ident set, host set => H=sender_fullhost U=ident | |
667 | ||
f3ebb786 JH |
668 | Use taint-unchecked routines on the assumption we'll never expand the results. |
669 | ||
059ec3d9 PH |
670 | Arguments: |
671 | useflag TRUE if first item to be flagged (H= or U=); if there are two | |
672 | items, the second is always flagged | |
673 | ||
674 | Returns: pointer to a string in big_buffer | |
675 | */ | |
676 | ||
677 | uschar * | |
678 | host_and_ident(BOOL useflag) | |
679 | { | |
8b455685 | 680 | if (!sender_fullhost) |
f3ebb786 | 681 | string_format_nt(big_buffer, big_buffer_size, "%s%s", useflag ? "U=" : "", |
8b455685 | 682 | sender_ident ? sender_ident : US"unknown"); |
059ec3d9 PH |
683 | else |
684 | { | |
8b455685 JH |
685 | uschar * flag = useflag ? US"H=" : US""; |
686 | uschar * iface = US""; | |
687 | if (LOGGING(incoming_interface) && interface_address) | |
059ec3d9 | 688 | iface = string_sprintf(" I=[%s]:%d", interface_address, interface_port); |
8b455685 | 689 | if (sender_ident) |
f3ebb786 | 690 | string_format_nt(big_buffer, big_buffer_size, "%s%s%s U=%s", |
059ec3d9 | 691 | flag, sender_fullhost, iface, sender_ident); |
8b455685 | 692 | else |
f3ebb786 | 693 | string_format_nt(big_buffer, big_buffer_size, "%s%s%s", |
8b455685 | 694 | flag, sender_fullhost, iface); |
059ec3d9 PH |
695 | } |
696 | return big_buffer; | |
697 | } | |
698 | ||
699 | #endif /* STAND_ALONE */ | |
700 | ||
701 | ||
702 | ||
703 | ||
704 | /************************************************* | |
705 | * Build list of local interfaces * | |
706 | *************************************************/ | |
707 | ||
708 | /* This function interprets the contents of the local_interfaces or | |
709 | extra_local_interfaces options, and creates an ip_address_item block for each | |
710 | item on the list. There is no special interpretation of any IP addresses; in | |
711 | particular, 0.0.0.0 and ::0 are returned without modification. If any address | |
712 | includes a port, it is set in the block. Otherwise the port value is set to | |
713 | zero. | |
714 | ||
715 | Arguments: | |
716 | list the list | |
717 | name the name of the option being expanded | |
718 | ||
719 | Returns: a chain of ip_address_items, each containing to a textual | |
720 | version of an IP address, and a port number (host order) or | |
721 | zero if no port was given with the address | |
722 | */ | |
723 | ||
724 | ip_address_item * | |
55414b25 | 725 | host_build_ifacelist(const uschar *list, uschar *name) |
059ec3d9 PH |
726 | { |
727 | int sep = 0; | |
728 | uschar *s; | |
b891534f | 729 | ip_address_item * yield = NULL, * last = NULL, * next; |
ba74fb8d | 730 | BOOL taint = is_tainted(list); |
059ec3d9 | 731 | |
b891534f | 732 | while ((s = string_nextinlist(&list, &sep, NULL, 0))) |
059ec3d9 | 733 | { |
7e66e54d | 734 | int ipv; |
7cd1141b | 735 | int port = host_address_extract_port(s); /* Leaves just the IP address */ |
b891534f JH |
736 | |
737 | if (!(ipv = string_is_ip_address(s, NULL))) | |
059ec3d9 PH |
738 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Malformed IP address \"%s\" in %s", |
739 | s, name); | |
740 | ||
7e66e54d PH |
741 | /* Skip IPv6 addresses if IPv6 is disabled. */ |
742 | ||
743 | if (disable_ipv6 && ipv == 6) continue; | |
744 | ||
059ec3d9 PH |
745 | /* This use of strcpy() is OK because we have checked that s is a valid IP |
746 | address above. The field in the ip_address_item is large enough to hold an | |
747 | IPv6 address. */ | |
748 | ||
ba74fb8d | 749 | next = store_get(sizeof(ip_address_item), taint); |
059ec3d9 PH |
750 | next->next = NULL; |
751 | Ustrcpy(next->address, s); | |
752 | next->port = port; | |
753 | next->v6_include_v4 = FALSE; | |
254f38d1 | 754 | next->log = NULL; |
059ec3d9 | 755 | |
b891534f JH |
756 | if (!yield) |
757 | yield = last = next; | |
758 | else | |
059ec3d9 PH |
759 | { |
760 | last->next = next; | |
761 | last = next; | |
762 | } | |
763 | } | |
764 | ||
765 | return yield; | |
766 | } | |
767 | ||
768 | ||
769 | ||
770 | ||
771 | ||
772 | /************************************************* | |
773 | * Find addresses on local interfaces * | |
774 | *************************************************/ | |
775 | ||
776 | /* This function finds the addresses of local IP interfaces. These are used | |
777 | when testing for routing to the local host. As the function may be called more | |
778 | than once, the list is preserved in permanent store, pointed to by a static | |
779 | variable, to save doing the work more than once per process. | |
780 | ||
781 | The generic list of interfaces is obtained by calling host_build_ifacelist() | |
782 | for local_interfaces and extra_local_interfaces. This list scanned to remove | |
783 | duplicates (which may exist with different ports - not relevant here). If | |
784 | either of the wildcard IP addresses (0.0.0.0 and ::0) are encountered, they are | |
785 | replaced by the appropriate (IPv4 or IPv6) list of actual local interfaces, | |
786 | obtained from os_find_running_interfaces(). | |
787 | ||
788 | Arguments: none | |
789 | Returns: a chain of ip_address_items, each containing to a textual | |
790 | version of an IP address; the port numbers are not relevant | |
791 | */ | |
792 | ||
793 | ||
794 | /* First, a local subfunction to add an interface to a list in permanent store, | |
795 | but only if there isn't a previous copy of that address on the list. */ | |
796 | ||
797 | static ip_address_item * | |
798 | add_unique_interface(ip_address_item *list, ip_address_item *ipa) | |
799 | { | |
800 | ip_address_item *ipa2; | |
d7978c0f | 801 | for (ipa2 = list; ipa2; ipa2 = ipa2->next) |
059ec3d9 | 802 | if (Ustrcmp(ipa2->address, ipa->address) == 0) return list; |
f3ebb786 | 803 | ipa2 = store_get_perm(sizeof(ip_address_item), FALSE); |
059ec3d9 PH |
804 | *ipa2 = *ipa; |
805 | ipa2->next = list; | |
806 | return ipa2; | |
807 | } | |
808 | ||
809 | ||
810 | /* This is the globally visible function */ | |
811 | ||
812 | ip_address_item * | |
813 | host_find_interfaces(void) | |
814 | { | |
815 | ip_address_item *running_interfaces = NULL; | |
816 | ||
817 | if (local_interface_data == NULL) | |
818 | { | |
f3ebb786 | 819 | void *reset_item = store_mark(); |
55414b25 | 820 | ip_address_item *dlist = host_build_ifacelist(CUS local_interfaces, |
059ec3d9 | 821 | US"local_interfaces"); |
55414b25 | 822 | ip_address_item *xlist = host_build_ifacelist(CUS extra_local_interfaces, |
059ec3d9 PH |
823 | US"extra_local_interfaces"); |
824 | ip_address_item *ipa; | |
825 | ||
d7978c0f JH |
826 | if (!dlist) dlist = xlist; |
827 | else | |
059ec3d9 | 828 | { |
d7978c0f | 829 | for (ipa = dlist; ipa->next; ipa = ipa->next) ; |
059ec3d9 PH |
830 | ipa->next = xlist; |
831 | } | |
832 | ||
d7978c0f | 833 | for (ipa = dlist; ipa; ipa = ipa->next) |
059ec3d9 PH |
834 | { |
835 | if (Ustrcmp(ipa->address, "0.0.0.0") == 0 || | |
836 | Ustrcmp(ipa->address, "::0") == 0) | |
837 | { | |
059ec3d9 | 838 | BOOL ipv6 = ipa->address[0] == ':'; |
d7978c0f | 839 | if (!running_interfaces) |
059ec3d9 | 840 | running_interfaces = os_find_running_interfaces(); |
d7978c0f | 841 | for (ip_address_item * ipa2 = running_interfaces; ipa2; ipa2 = ipa2->next) |
059ec3d9 PH |
842 | if ((Ustrchr(ipa2->address, ':') != NULL) == ipv6) |
843 | local_interface_data = add_unique_interface(local_interface_data, | |
d7978c0f | 844 | ipa2); |
059ec3d9 PH |
845 | } |
846 | else | |
847 | { | |
848 | local_interface_data = add_unique_interface(local_interface_data, ipa); | |
849 | DEBUG(D_interface) | |
850 | { | |
851 | debug_printf("Configured local interface: address=%s", ipa->address); | |
852 | if (ipa->port != 0) debug_printf(" port=%d", ipa->port); | |
853 | debug_printf("\n"); | |
854 | } | |
855 | } | |
856 | } | |
857 | store_reset(reset_item); | |
858 | } | |
859 | ||
860 | return local_interface_data; | |
861 | } | |
862 | ||
863 | ||
864 | ||
865 | ||
866 | ||
867 | /************************************************* | |
868 | * Convert network IP address to text * | |
869 | *************************************************/ | |
870 | ||
871 | /* Given an IPv4 or IPv6 address in binary, convert it to a text | |
872 | string and return the result in a piece of new store. The address can | |
873 | either be given directly, or passed over in a sockaddr structure. Note | |
874 | that this isn't the converse of host_aton() because of byte ordering | |
875 | differences. See host_nmtoa() below. | |
876 | ||
877 | Arguments: | |
878 | type if < 0 then arg points to a sockaddr, else | |
879 | either AF_INET or AF_INET6 | |
880 | arg points to a sockaddr if type is < 0, or | |
881 | points to an IPv4 address (32 bits), or | |
882 | points to an IPv6 address (128 bits), | |
883 | in both cases, in network byte order | |
884 | buffer if NULL, the result is returned in gotten store; | |
885 | else points to a buffer to hold the answer | |
886 | portptr points to where to put the port number, if non NULL; only | |
887 | used when type < 0 | |
888 | ||
889 | Returns: pointer to character string | |
890 | */ | |
891 | ||
892 | uschar * | |
893 | host_ntoa(int type, const void *arg, uschar *buffer, int *portptr) | |
894 | { | |
895 | uschar *yield; | |
896 | ||
897 | /* The new world. It is annoying that we have to fish out the address from | |
898 | different places in the block, depending on what kind of address it is. It | |
899 | is also a pain that inet_ntop() returns a const uschar *, whereas the IPv4 | |
900 | function inet_ntoa() returns just uschar *, and some picky compilers insist | |
901 | on warning if one assigns a const uschar * to a uschar *. Hence the casts. */ | |
902 | ||
903 | #if HAVE_IPV6 | |
904 | uschar addr_buffer[46]; | |
905 | if (type < 0) | |
906 | { | |
907 | int family = ((struct sockaddr *)arg)->sa_family; | |
908 | if (family == AF_INET6) | |
909 | { | |
910 | struct sockaddr_in6 *sk = (struct sockaddr_in6 *)arg; | |
5903c6ff | 911 | yield = US inet_ntop(family, &(sk->sin6_addr), CS addr_buffer, |
059ec3d9 PH |
912 | sizeof(addr_buffer)); |
913 | if (portptr != NULL) *portptr = ntohs(sk->sin6_port); | |
914 | } | |
915 | else | |
916 | { | |
917 | struct sockaddr_in *sk = (struct sockaddr_in *)arg; | |
5903c6ff | 918 | yield = US inet_ntop(family, &(sk->sin_addr), CS addr_buffer, |
059ec3d9 PH |
919 | sizeof(addr_buffer)); |
920 | if (portptr != NULL) *portptr = ntohs(sk->sin_port); | |
921 | } | |
922 | } | |
923 | else | |
924 | { | |
5903c6ff | 925 | yield = US inet_ntop(type, arg, CS addr_buffer, sizeof(addr_buffer)); |
059ec3d9 PH |
926 | } |
927 | ||
928 | /* If the result is a mapped IPv4 address, show it in V4 format. */ | |
929 | ||
930 | if (Ustrncmp(yield, "::ffff:", 7) == 0) yield += 7; | |
931 | ||
932 | #else /* HAVE_IPV6 */ | |
933 | ||
934 | /* The old world */ | |
935 | ||
936 | if (type < 0) | |
937 | { | |
938 | yield = US inet_ntoa(((struct sockaddr_in *)arg)->sin_addr); | |
939 | if (portptr != NULL) *portptr = ntohs(((struct sockaddr_in *)arg)->sin_port); | |
940 | } | |
941 | else | |
942 | yield = US inet_ntoa(*((struct in_addr *)arg)); | |
943 | #endif | |
944 | ||
945 | /* If there is no buffer, put the string into some new store. */ | |
946 | ||
f8d78f74 | 947 | if (!buffer) buffer = store_get(46, FALSE); |
059ec3d9 PH |
948 | |
949 | /* Callers of this function with a non-NULL buffer must ensure that it is | |
950 | large enough to hold an IPv6 address, namely, at least 46 bytes. That's what | |
f8d78f74 JH |
951 | makes this use of strcpy() OK. |
952 | If the library returned apparently an apparently tainted string, clean it; | |
953 | we trust IP addresses. */ | |
059ec3d9 | 954 | |
f8d78f74 | 955 | string_format_nt(buffer, 46, "%s", yield); |
059ec3d9 PH |
956 | return buffer; |
957 | } | |
958 | ||
959 | ||
960 | ||
961 | ||
962 | /************************************************* | |
963 | * Convert address text to binary * | |
964 | *************************************************/ | |
965 | ||
966 | /* Given the textual form of an IP address, convert it to binary in an | |
967 | array of ints. IPv4 addresses occupy one int; IPv6 addresses occupy 4 ints. | |
968 | The result has the first byte in the most significant byte of the first int. In | |
969 | other words, the result is not in network byte order, but in host byte order. | |
970 | As a result, this is not the converse of host_ntoa(), which expects network | |
971 | byte order. See host_nmtoa() below. | |
972 | ||
973 | Arguments: | |
974 | address points to the textual address, checked for syntax | |
975 | bin points to an array of 4 ints | |
976 | ||
977 | Returns: the number of ints used | |
978 | */ | |
979 | ||
980 | int | |
55414b25 | 981 | host_aton(const uschar *address, int *bin) |
059ec3d9 PH |
982 | { |
983 | int x[4]; | |
984 | int v4offset = 0; | |
985 | ||
8e669ac1 | 986 | /* Handle IPv6 address, which may end with an IPv4 address. It may also end |
7e634d24 PH |
987 | with a "scope", introduced by a percent sign. This code is NOT enclosed in #if |
988 | HAVE_IPV6 in order that IPv6 addresses are recognized even if IPv6 is not | |
989 | supported. */ | |
059ec3d9 PH |
990 | |
991 | if (Ustrchr(address, ':') != NULL) | |
992 | { | |
55414b25 JH |
993 | const uschar *p = address; |
994 | const uschar *component[8]; | |
059ec3d9 PH |
995 | BOOL ipv4_ends = FALSE; |
996 | int ci = 0; | |
997 | int nulloffset = 0; | |
998 | int v6count = 8; | |
999 | int i; | |
1000 | ||
1001 | /* If the address starts with a colon, it will start with two colons. | |
1002 | Just lose the first one, which will leave a null first component. */ | |
8e669ac1 | 1003 | |
059ec3d9 PH |
1004 | if (*p == ':') p++; |
1005 | ||
8e669ac1 PH |
1006 | /* Split the address into components separated by colons. The input address |
1007 | is supposed to be checked for syntax. There was a case where this was | |
1008 | overlooked; to guard against that happening again, check here and crash if | |
7e634d24 | 1009 | there are too many components. */ |
059ec3d9 | 1010 | |
7e634d24 | 1011 | while (*p != 0 && *p != '%') |
059ec3d9 | 1012 | { |
7e634d24 | 1013 | int len = Ustrcspn(p, ":%"); |
059ec3d9 | 1014 | if (len == 0) nulloffset = ci; |
8e669ac1 | 1015 | if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE, |
b975ba52 | 1016 | "Internal error: invalid IPv6 address \"%s\" passed to host_aton()", |
8e669ac1 | 1017 | address); |
059ec3d9 PH |
1018 | component[ci++] = p; |
1019 | p += len; | |
1020 | if (*p == ':') p++; | |
1021 | } | |
1022 | ||
1023 | /* If the final component contains a dot, it is a trailing v4 address. | |
1024 | As the syntax is known to be checked, just set up for a trailing | |
1025 | v4 address and restrict the v6 part to 6 components. */ | |
1026 | ||
1027 | if (Ustrchr(component[ci-1], '.') != NULL) | |
1028 | { | |
1029 | address = component[--ci]; | |
1030 | ipv4_ends = TRUE; | |
1031 | v4offset = 3; | |
1032 | v6count = 6; | |
1033 | } | |
1034 | ||
1035 | /* If there are fewer than 6 or 8 components, we have to insert some | |
1036 | more empty ones in the middle. */ | |
1037 | ||
1038 | if (ci < v6count) | |
1039 | { | |
1040 | int insert_count = v6count - ci; | |
1041 | for (i = v6count-1; i > nulloffset + insert_count; i--) | |
1042 | component[i] = component[i - insert_count]; | |
1043 | while (i > nulloffset) component[i--] = US""; | |
1044 | } | |
1045 | ||
1046 | /* Now turn the components into binary in pairs and bung them | |
1047 | into the vector of ints. */ | |
1048 | ||
1049 | for (i = 0; i < v6count; i += 2) | |
1050 | bin[i/2] = (Ustrtol(component[i], NULL, 16) << 16) + | |
1051 | Ustrtol(component[i+1], NULL, 16); | |
1052 | ||
1053 | /* If there was no terminating v4 component, we are done. */ | |
1054 | ||
1055 | if (!ipv4_ends) return 4; | |
1056 | } | |
1057 | ||
1058 | /* Handle IPv4 address */ | |
1059 | ||
ff790e47 | 1060 | (void)sscanf(CS address, "%d.%d.%d.%d", x, x+1, x+2, x+3); |
13559da6 | 1061 | bin[v4offset] = ((uint)x[0] << 24) + (x[1] << 16) + (x[2] << 8) + x[3]; |
059ec3d9 PH |
1062 | return v4offset+1; |
1063 | } | |
1064 | ||
1065 | ||
1066 | /************************************************* | |
1067 | * Apply mask to an IP address * | |
1068 | *************************************************/ | |
1069 | ||
1070 | /* Mask an address held in 1 or 4 ints, with the ms bit in the ms bit of the | |
1071 | first int, etc. | |
1072 | ||
1073 | Arguments: | |
1074 | count the number of ints | |
1075 | binary points to the ints to be masked | |
1076 | mask the count of ms bits to leave, or -1 if no masking | |
1077 | ||
1078 | Returns: nothing | |
1079 | */ | |
1080 | ||
1081 | void | |
1082 | host_mask(int count, int *binary, int mask) | |
1083 | { | |
059ec3d9 | 1084 | if (mask < 0) mask = 99999; |
d7978c0f | 1085 | for (int i = 0; i < count; i++) |
059ec3d9 PH |
1086 | { |
1087 | int wordmask; | |
1088 | if (mask == 0) wordmask = 0; | |
1089 | else if (mask < 32) | |
1090 | { | |
13559da6 | 1091 | wordmask = (uint)(-1) << (32 - mask); |
059ec3d9 PH |
1092 | mask = 0; |
1093 | } | |
1094 | else | |
1095 | { | |
1096 | wordmask = -1; | |
1097 | mask -= 32; | |
1098 | } | |
1099 | binary[i] &= wordmask; | |
1100 | } | |
1101 | } | |
1102 | ||
1103 | ||
1104 | ||
1105 | ||
1106 | /************************************************* | |
1107 | * Convert masked IP address in ints to text * | |
1108 | *************************************************/ | |
1109 | ||
1110 | /* We can't use host_ntoa() because it assumes the binary values are in network | |
1111 | byte order, and these are the result of host_aton(), which puts them in ints in | |
1112 | host byte order. Also, we really want IPv6 addresses to be in a canonical | |
6f0c9a4f PH |
1113 | format, so we output them with no abbreviation. In a number of cases we can't |
1114 | use the normal colon separator in them because it terminates keys in lsearch | |
8e669ac1 | 1115 | files, so we want to use dot instead. There's an argument that specifies what |
6f0c9a4f | 1116 | to use for IPv6 addresses. |
059ec3d9 PH |
1117 | |
1118 | Arguments: | |
1119 | count 1 or 4 (number of ints) | |
1120 | binary points to the ints | |
1121 | mask mask value; if < 0 don't add to result | |
1122 | buffer big enough to hold the result | |
8e669ac1 | 1123 | sep component separator character for IPv6 addresses |
059ec3d9 PH |
1124 | |
1125 | Returns: the number of characters placed in buffer, not counting | |
1126 | the final nul. | |
1127 | */ | |
1128 | ||
1129 | int | |
6f0c9a4f | 1130 | host_nmtoa(int count, int *binary, int mask, uschar *buffer, int sep) |
059ec3d9 | 1131 | { |
d7978c0f | 1132 | int j; |
059ec3d9 PH |
1133 | uschar *tt = buffer; |
1134 | ||
1135 | if (count == 1) | |
1136 | { | |
1137 | j = binary[0]; | |
d7978c0f | 1138 | for (int i = 24; i >= 0; i -= 8) |
fc4a7f70 | 1139 | tt += sprintf(CS tt, "%d.", (j >> i) & 255); |
059ec3d9 PH |
1140 | } |
1141 | else | |
d7978c0f | 1142 | for (int i = 0; i < 4; i++) |
059ec3d9 PH |
1143 | { |
1144 | j = binary[i]; | |
fc4a7f70 | 1145 | tt += sprintf(CS tt, "%04x%c%04x%c", (j >> 16) & 0xffff, sep, j & 0xffff, sep); |
059ec3d9 | 1146 | } |
059ec3d9 | 1147 | |
6f0c9a4f | 1148 | tt--; /* lose final separator */ |
059ec3d9 PH |
1149 | |
1150 | if (mask < 0) | |
1151 | *tt = 0; | |
1152 | else | |
5976eb99 | 1153 | tt += sprintf(CS tt, "/%d", mask); |
059ec3d9 PH |
1154 | |
1155 | return tt - buffer; | |
1156 | } | |
1157 | ||
1158 | ||
fc4a7f70 JH |
1159 | /* Like host_nmtoa() but: ipv6-only, canonical output, no mask |
1160 | ||
1161 | Arguments: | |
1162 | binary points to the ints | |
1163 | buffer big enough to hold the result | |
1164 | ||
1165 | Returns: the number of characters placed in buffer, not counting | |
1166 | the final nul. | |
1167 | */ | |
1168 | ||
1169 | int | |
1170 | ipv6_nmtoa(int * binary, uschar * buffer) | |
1171 | { | |
1172 | int i, j, k; | |
1173 | uschar * c = buffer; | |
39755c16 | 1174 | uschar * d = NULL; /* shut insufficiently "clever" compiler up */ |
fc4a7f70 JH |
1175 | |
1176 | for (i = 0; i < 4; i++) | |
1177 | { /* expand to text */ | |
1178 | j = binary[i]; | |
1179 | c += sprintf(CS c, "%x:%x:", (j >> 16) & 0xffff, j & 0xffff); | |
1180 | } | |
1181 | ||
1182 | for (c = buffer, k = -1, i = 0; i < 8; i++) | |
1183 | { /* find longest 0-group sequence */ | |
1184 | if (*c == '0') /* must be "0:" */ | |
1185 | { | |
1186 | uschar * s = c; | |
1187 | j = i; | |
1188 | while (c[2] == '0') i++, c += 2; | |
1189 | if (i-j > k) | |
1190 | { | |
1191 | k = i-j; /* length of sequence */ | |
1192 | d = s; /* start of sequence */ | |
1193 | } | |
1194 | } | |
1195 | while (*++c != ':') ; | |
1196 | c++; | |
1197 | } | |
1198 | ||
1199 | c[-1] = '\0'; /* drop trailing colon */ | |
1200 | ||
1201 | /* debug_printf("%s: D k %d <%s> <%s>\n", __FUNCTION__, k, d, d + 2*(k+1)); */ | |
1202 | if (k >= 0) | |
1203 | { /* collapse */ | |
1204 | c = d + 2*(k+1); | |
1205 | if (d == buffer) c--; /* need extra colon */ | |
1206 | *d++ = ':'; /* 1st 0 */ | |
39755c16 | 1207 | while ((*d++ = *c++)) ; |
fc4a7f70 JH |
1208 | } |
1209 | else | |
1210 | d = c; | |
1211 | ||
1212 | return d - buffer; | |
1213 | } | |
1214 | ||
1215 | ||
059ec3d9 PH |
1216 | |
1217 | /************************************************* | |
1218 | * Check port for tls_on_connect * | |
1219 | *************************************************/ | |
1220 | ||
1221 | /* This function checks whether a given incoming port is configured for tls- | |
1222 | on-connect. It is called from the daemon and from inetd handling. If the global | |
1223 | option tls_on_connect is already set, all ports operate this way. Otherwise, we | |
1224 | check the tls_on_connect_ports option for a list of ports. | |
1225 | ||
1226 | Argument: a port number | |
1227 | Returns: TRUE or FALSE | |
1228 | */ | |
1229 | ||
1230 | BOOL | |
1231 | host_is_tls_on_connect_port(int port) | |
1232 | { | |
1233 | int sep = 0; | |
1234 | uschar buffer[32]; | |
55414b25 | 1235 | const uschar *list = tls_in.on_connect_ports; |
059ec3d9 | 1236 | uschar *s; |
071c51f7 | 1237 | uschar *end; |
059ec3d9 | 1238 | |
817d9f57 | 1239 | if (tls_in.on_connect) return TRUE; |
059ec3d9 | 1240 | |
071c51f7 JH |
1241 | while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer)))) |
1242 | if (Ustrtol(s, &end, 10) == port) | |
1243 | return TRUE; | |
059ec3d9 PH |
1244 | |
1245 | return FALSE; | |
1246 | } | |
1247 | ||
1248 | ||
1249 | ||
1250 | /************************************************* | |
1251 | * Check whether host is in a network * | |
1252 | *************************************************/ | |
1253 | ||
1254 | /* This function checks whether a given IP address matches a pattern that | |
1255 | represents either a single host, or a network (using CIDR notation). The caller | |
1256 | of this function must check the syntax of the arguments before calling it. | |
1257 | ||
1258 | Arguments: | |
1259 | host string representation of the ip-address to check | |
1260 | net string representation of the network, with optional CIDR mask | |
1261 | maskoffset offset to the / that introduces the mask in the key | |
1262 | zero if there is no mask | |
1263 | ||
1264 | Returns: | |
1265 | TRUE the host is inside the network | |
1266 | FALSE the host is NOT inside the network | |
1267 | */ | |
1268 | ||
1269 | BOOL | |
55414b25 | 1270 | host_is_in_net(const uschar *host, const uschar *net, int maskoffset) |
059ec3d9 | 1271 | { |
059ec3d9 PH |
1272 | int address[4]; |
1273 | int incoming[4]; | |
1274 | int mlen; | |
1275 | int size = host_aton(net, address); | |
1276 | int insize; | |
1277 | ||
1278 | /* No mask => all bits to be checked */ | |
1279 | ||
1280 | if (maskoffset == 0) mlen = 99999; /* Big number */ | |
1281 | else mlen = Uatoi(net + maskoffset + 1); | |
1282 | ||
1283 | /* Convert the incoming address to binary. */ | |
1284 | ||
1285 | insize = host_aton(host, incoming); | |
1286 | ||
1287 | /* Convert IPv4 addresses given in IPv6 compatible mode, which represent | |
1288 | connections from IPv4 hosts to IPv6 hosts, that is, addresses of the form | |
1289 | ::ffff:<v4address>, to IPv4 format. */ | |
1290 | ||
1291 | if (insize == 4 && incoming[0] == 0 && incoming[1] == 0 && | |
1292 | incoming[2] == 0xffff) | |
1293 | { | |
1294 | insize = 1; | |
1295 | incoming[0] = incoming[3]; | |
1296 | } | |
1297 | ||
1298 | /* No match if the sizes don't agree. */ | |
1299 | ||
1300 | if (insize != size) return FALSE; | |
1301 | ||
1302 | /* Else do the masked comparison. */ | |
1303 | ||
d7978c0f | 1304 | for (int i = 0; i < size; i++) |
059ec3d9 PH |
1305 | { |
1306 | int mask; | |
1307 | if (mlen == 0) mask = 0; | |
1308 | else if (mlen < 32) | |
1309 | { | |
13559da6 | 1310 | mask = (uint)(-1) << (32 - mlen); |
059ec3d9 PH |
1311 | mlen = 0; |
1312 | } | |
1313 | else | |
1314 | { | |
1315 | mask = -1; | |
1316 | mlen -= 32; | |
1317 | } | |
1318 | if ((incoming[i] & mask) != (address[i] & mask)) return FALSE; | |
1319 | } | |
1320 | ||
1321 | return TRUE; | |
1322 | } | |
1323 | ||
1324 | ||
1325 | ||
1326 | /************************************************* | |
1327 | * Scan host list for local hosts * | |
1328 | *************************************************/ | |
1329 | ||
1330 | /* Scan through a chain of addresses and check whether any of them is the | |
1331 | address of an interface on the local machine. If so, remove that address and | |
1332 | any previous ones with the same MX value, and all subsequent ones (which will | |
1333 | have greater or equal MX values) from the chain. Note: marking them as unusable | |
1334 | is NOT the right thing to do because it causes the hosts not to be used for | |
1335 | other domains, for which they may well be correct. | |
1336 | ||
1337 | The hosts may be part of a longer chain; we only process those between the | |
1338 | initial pointer and the "last" pointer. | |
1339 | ||
1340 | There is also a list of "pseudo-local" host names which are checked against the | |
1341 | host names. Any match causes that host item to be treated the same as one which | |
1342 | matches a local IP address. | |
1343 | ||
1344 | If the very first host is a local host, then all MX records had a precedence | |
1345 | greater than or equal to that of the local host. Either there's a problem in | |
1346 | the DNS, or an apparently remote name turned out to be an abbreviation for the | |
1347 | local host. Give a specific return code, and let the caller decide what to do. | |
1348 | Otherwise, give a success code if at least one host address has been found. | |
1349 | ||
1350 | Arguments: | |
1351 | host pointer to the first host in the chain | |
1352 | lastptr pointer to pointer to the last host in the chain (may be updated) | |
1353 | removed if not NULL, set TRUE if some local addresses were removed | |
1354 | from the list | |
1355 | ||
1356 | Returns: | |
1357 | HOST_FOUND if there is at least one host with an IP address on the chain | |
1358 | and an MX value less than any MX value associated with the | |
1359 | local host | |
1360 | HOST_FOUND_LOCAL if a local host is among the lowest-numbered MX hosts; when | |
1361 | the host addresses were obtained from A records or | |
1362 | gethostbyname(), the MX values are set to -1. | |
1363 | HOST_FIND_FAILED if no valid hosts with set IP addresses were found | |
1364 | */ | |
1365 | ||
1366 | int | |
1367 | host_scan_for_local_hosts(host_item *host, host_item **lastptr, BOOL *removed) | |
1368 | { | |
1369 | int yield = HOST_FIND_FAILED; | |
1370 | host_item *last = *lastptr; | |
1371 | host_item *prev = NULL; | |
1372 | host_item *h; | |
1373 | ||
1374 | if (removed != NULL) *removed = FALSE; | |
1375 | ||
1376 | if (local_interface_data == NULL) local_interface_data = host_find_interfaces(); | |
1377 | ||
1378 | for (h = host; h != last->next; h = h->next) | |
1379 | { | |
1380 | #ifndef STAND_ALONE | |
1381 | if (hosts_treat_as_local != NULL) | |
1382 | { | |
1383 | int rc; | |
55414b25 | 1384 | const uschar *save = deliver_domain; |
059ec3d9 | 1385 | deliver_domain = h->name; /* set $domain */ |
55414b25 | 1386 | rc = match_isinlist(string_copylc(h->name), CUSS &hosts_treat_as_local, 0, |
059ec3d9 PH |
1387 | &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL); |
1388 | deliver_domain = save; | |
1389 | if (rc == OK) goto FOUND_LOCAL; | |
1390 | } | |
1391 | #endif | |
1392 | ||
1393 | /* It seems that on many operating systems, 0.0.0.0 is treated as a synonym | |
1394 | for 127.0.0.1 and refers to the local host. We therefore force it always to | |
1395 | be treated as local. */ | |
1396 | ||
1397 | if (h->address != NULL) | |
1398 | { | |
059ec3d9 | 1399 | if (Ustrcmp(h->address, "0.0.0.0") == 0) goto FOUND_LOCAL; |
d7978c0f | 1400 | for (ip_address_item * ip = local_interface_data; ip; ip = ip->next) |
059ec3d9 PH |
1401 | if (Ustrcmp(h->address, ip->address) == 0) goto FOUND_LOCAL; |
1402 | yield = HOST_FOUND; /* At least one remote address has been found */ | |
1403 | } | |
1404 | ||
1405 | /* Update prev to point to the last host item before any that have | |
1406 | the same MX value as the one we have just considered. */ | |
1407 | ||
1408 | if (h->next == NULL || h->next->mx != h->mx) prev = h; | |
1409 | } | |
1410 | ||
1411 | return yield; /* No local hosts found: return HOST_FOUND or HOST_FIND_FAILED */ | |
1412 | ||
1413 | /* A host whose IP address matches a local IP address, or whose name matches | |
1414 | something in hosts_treat_as_local has been found. */ | |
1415 | ||
1416 | FOUND_LOCAL: | |
1417 | ||
1418 | if (prev == NULL) | |
1419 | { | |
1420 | HDEBUG(D_host_lookup) debug_printf((h->mx >= 0)? | |
1421 | "local host has lowest MX\n" : | |
1422 | "local host found for non-MX address\n"); | |
1423 | return HOST_FOUND_LOCAL; | |
1424 | } | |
1425 | ||
1426 | HDEBUG(D_host_lookup) | |
1427 | { | |
1428 | debug_printf("local host in host list - removed hosts:\n"); | |
1429 | for (h = prev->next; h != last->next; h = h->next) | |
1430 | debug_printf(" %s %s %d\n", h->name, h->address, h->mx); | |
1431 | } | |
1432 | ||
1433 | if (removed != NULL) *removed = TRUE; | |
1434 | prev->next = last->next; | |
1435 | *lastptr = prev; | |
1436 | return yield; | |
1437 | } | |
1438 | ||
1439 | ||
1440 | ||
1441 | ||
1442 | /************************************************* | |
1443 | * Remove duplicate IPs in host list * | |
1444 | *************************************************/ | |
1445 | ||
1446 | /* You would think that administrators could set up their DNS records so that | |
1447 | one ended up with a list of unique IP addresses after looking up A or MX | |
1448 | records, but apparently duplication is common. So we scan such lists and | |
1449 | remove the later duplicates. Note that we may get lists in which some host | |
1450 | addresses are not set. | |
1451 | ||
1452 | Arguments: | |
1453 | host pointer to the first host in the chain | |
1454 | lastptr pointer to pointer to the last host in the chain (may be updated) | |
1455 | ||
1456 | Returns: nothing | |
1457 | */ | |
1458 | ||
1459 | static void | |
1460 | host_remove_duplicates(host_item *host, host_item **lastptr) | |
1461 | { | |
1462 | while (host != *lastptr) | |
1463 | { | |
1464 | if (host->address != NULL) | |
1465 | { | |
1466 | host_item *h = host; | |
1467 | while (h != *lastptr) | |
1468 | { | |
1469 | if (h->next->address != NULL && | |
1470 | Ustrcmp(h->next->address, host->address) == 0) | |
1471 | { | |
1472 | DEBUG(D_host_lookup) debug_printf("duplicate IP address %s (MX=%d) " | |
1473 | "removed\n", host->address, h->next->mx); | |
1474 | if (h->next == *lastptr) *lastptr = h; | |
1475 | h->next = h->next->next; | |
1476 | } | |
1477 | else h = h->next; | |
1478 | } | |
1479 | } | |
1480 | /* If the last item was removed, host may have become == *lastptr */ | |
1481 | if (host != *lastptr) host = host->next; | |
1482 | } | |
1483 | } | |
1484 | ||
1485 | ||
1486 | ||
1487 | ||
1488 | /************************************************* | |
1489 | * Find sender host name by gethostbyaddr() * | |
1490 | *************************************************/ | |
1491 | ||
1492 | /* This used to be the only way it was done, but it turns out that not all | |
1493 | systems give aliases for calls to gethostbyaddr() - or one of the modern | |
1494 | equivalents like getipnodebyaddr(). Fortunately, multiple PTR records are rare, | |
1495 | but they can still exist. This function is now used only when a DNS lookup of | |
1496 | the IP address fails, in order to give access to /etc/hosts. | |
1497 | ||
1498 | Arguments: none | |
1499 | Returns: OK, DEFER, FAIL | |
1500 | */ | |
1501 | ||
1502 | static int | |
1503 | host_name_lookup_byaddr(void) | |
1504 | { | |
d70fc283 | 1505 | struct hostent * hosts; |
059ec3d9 | 1506 | struct in_addr addr; |
f2cb6292 | 1507 | unsigned long time_msec = 0; /* init to quieten dumb static analysis */ |
846430d9 JH |
1508 | |
1509 | if (slow_lookup_log) time_msec = get_time_in_ms(); | |
059ec3d9 PH |
1510 | |
1511 | /* Lookup on IPv6 system */ | |
1512 | ||
1513 | #if HAVE_IPV6 | |
1514 | if (Ustrchr(sender_host_address, ':') != NULL) | |
1515 | { | |
1516 | struct in6_addr addr6; | |
1517 | if (inet_pton(AF_INET6, CS sender_host_address, &addr6) != 1) | |
1518 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to parse \"%s\" as an " | |
1519 | "IPv6 address", sender_host_address); | |
1520 | #if HAVE_GETIPNODEBYADDR | |
1521 | hosts = getipnodebyaddr(CS &addr6, sizeof(addr6), AF_INET6, &h_errno); | |
1522 | #else | |
1523 | hosts = gethostbyaddr(CS &addr6, sizeof(addr6), AF_INET6); | |
1524 | #endif | |
1525 | } | |
1526 | else | |
1527 | { | |
1528 | if (inet_pton(AF_INET, CS sender_host_address, &addr) != 1) | |
1529 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to parse \"%s\" as an " | |
1530 | "IPv4 address", sender_host_address); | |
1531 | #if HAVE_GETIPNODEBYADDR | |
1532 | hosts = getipnodebyaddr(CS &addr, sizeof(addr), AF_INET, &h_errno); | |
1533 | #else | |
1534 | hosts = gethostbyaddr(CS &addr, sizeof(addr), AF_INET); | |
1535 | #endif | |
1536 | } | |
1537 | ||
1538 | /* Do lookup on IPv4 system */ | |
1539 | ||
1540 | #else | |
1541 | addr.s_addr = (S_ADDR_TYPE)inet_addr(CS sender_host_address); | |
1542 | hosts = gethostbyaddr(CS(&addr), sizeof(addr), AF_INET); | |
1543 | #endif | |
1544 | ||
846430d9 JH |
1545 | if ( slow_lookup_log |
1546 | && (time_msec = get_time_in_ms() - time_msec) > slow_lookup_log | |
1547 | ) | |
30795c5e | 1548 | log_long_lookup(US"gethostbyaddr", sender_host_address, time_msec); |
846430d9 | 1549 | |
059ec3d9 PH |
1550 | /* Failed to look up the host. */ |
1551 | ||
f3ebb786 | 1552 | if (!hosts) |
059ec3d9 PH |
1553 | { |
1554 | HDEBUG(D_host_lookup) debug_printf("IP address lookup failed: h_errno=%d\n", | |
1555 | h_errno); | |
1556 | return (h_errno == TRY_AGAIN || h_errno == NO_RECOVERY) ? DEFER : FAIL; | |
1557 | } | |
1558 | ||
1559 | /* It seems there are some records in the DNS that yield an empty name. We | |
1560 | treat this as non-existent. In some operating systems, this is returned as an | |
1561 | empty string; in others as a single dot. */ | |
1562 | ||
f3ebb786 | 1563 | if (!hosts->h_name || !hosts->h_name[0] || hosts->h_name[0] == '.') |
059ec3d9 PH |
1564 | { |
1565 | HDEBUG(D_host_lookup) debug_printf("IP address lookup yielded an empty name: " | |
1566 | "treated as non-existent host name\n"); | |
1567 | return FAIL; | |
1568 | } | |
1569 | ||
1570 | /* Copy and lowercase the name, which is in static storage in many systems. | |
1571 | Put it in permanent memory. */ | |
1572 | ||
f3ebb786 JH |
1573 | { |
1574 | int old_pool = store_pool; | |
1575 | store_pool = POOL_TAINT_PERM; /* names are tainted */ | |
059ec3d9 | 1576 | |
f3ebb786 | 1577 | sender_host_name = string_copylc(US hosts->h_name); |
059ec3d9 | 1578 | |
f3ebb786 JH |
1579 | /* If the host has aliases, build a copy of the alias list */ |
1580 | ||
1581 | if (hosts->h_aliases) | |
059ec3d9 | 1582 | { |
f3ebb786 JH |
1583 | int count = 1; |
1584 | uschar **ptr; | |
1585 | ||
1586 | for (uschar ** aliases = USS hosts->h_aliases; *aliases; aliases++) count++; | |
1587 | store_pool = POOL_PERM; | |
1588 | ptr = sender_host_aliases = store_get(count * sizeof(uschar *), FALSE); | |
1589 | store_pool = POOL_TAINT_PERM; | |
1590 | ||
1591 | for (uschar ** aliases = USS hosts->h_aliases; *aliases; aliases++) | |
1592 | *ptr++ = string_copylc(*aliases); | |
1593 | *ptr = NULL; | |
059ec3d9 | 1594 | } |
f3ebb786 | 1595 | store_pool = old_pool; |
059ec3d9 PH |
1596 | } |
1597 | ||
1598 | return OK; | |
1599 | } | |
1600 | ||
1601 | ||
1602 | ||
1603 | /************************************************* | |
1604 | * Find host name for incoming call * | |
1605 | *************************************************/ | |
1606 | ||
1607 | /* Put the name in permanent store, pointed to by sender_host_name. We also set | |
1608 | up a list of alias names, pointed to by sender_host_alias. The list is | |
1609 | NULL-terminated. The incoming address is in sender_host_address, either in | |
1610 | dotted-quad form for IPv4 or in colon-separated form for IPv6. | |
1611 | ||
1612 | This function does a thorough check that the names it finds point back to the | |
1613 | incoming IP address. Any that do not are discarded. Note that this is relied on | |
1614 | by the ACL reverse_host_lookup check. | |
1615 | ||
1616 | On some systems, get{host,ipnode}byaddr() appears to do this internally, but | |
1617 | this it not universally true. Also, for release 4.30, this function was changed | |
1618 | to do a direct DNS lookup first, by default[1], because it turns out that that | |
1619 | is the only guaranteed way to find all the aliases on some systems. My | |
1620 | experiments indicate that Solaris gethostbyaddr() gives the aliases for but | |
1621 | Linux does not. | |
1622 | ||
1623 | [1] The actual order is controlled by the host_lookup_order option. | |
1624 | ||
1625 | Arguments: none | |
1626 | Returns: OK on success, the answer being placed in the global variable | |
1627 | sender_host_name, with any aliases in a list hung off | |
1628 | sender_host_aliases | |
1629 | FAIL if no host name can be found | |
1630 | DEFER if a temporary error was encountered | |
1631 | ||
4c04137d | 1632 | The variable host_lookup_msg is set to an empty string on success, or to a |
059ec3d9 | 1633 | reason for the failure otherwise, in a form suitable for tagging onto an error |
8e669ac1 | 1634 | message, and also host_lookup_failed is set TRUE if the lookup failed. If there |
b08b24c8 PH |
1635 | was a defer, host_lookup_deferred is set TRUE. |
1636 | ||
1637 | Any dynamically constructed string for host_lookup_msg must be in permanent | |
1638 | store, because it might be used for several incoming messages on the same SMTP | |
059ec3d9 PH |
1639 | connection. */ |
1640 | ||
1641 | int | |
1642 | host_name_lookup(void) | |
1643 | { | |
1644 | int old_pool, rc; | |
1645 | int sep = 0; | |
d7978c0f | 1646 | uschar *save_hostname; |
059ec3d9 | 1647 | uschar **aliases; |
059ec3d9 | 1648 | uschar *ordername; |
55414b25 | 1649 | const uschar *list = host_lookup_order; |
8743d3ac | 1650 | dns_answer * dnsa = store_get_dns_answer(); |
059ec3d9 PH |
1651 | dns_scan dnss; |
1652 | ||
1f4a55da | 1653 | sender_host_dnssec = host_lookup_deferred = host_lookup_failed = FALSE; |
b08b24c8 | 1654 | |
059ec3d9 PH |
1655 | HDEBUG(D_host_lookup) |
1656 | debug_printf("looking up host name for %s\n", sender_host_address); | |
1657 | ||
1658 | /* For testing the case when a lookup does not complete, we have a special | |
1659 | reserved IP address. */ | |
1660 | ||
8768d548 | 1661 | if (f.running_in_test_harness && |
059ec3d9 PH |
1662 | Ustrcmp(sender_host_address, "99.99.99.99") == 0) |
1663 | { | |
1664 | HDEBUG(D_host_lookup) | |
1665 | debug_printf("Test harness: host name lookup returns DEFER\n"); | |
8e669ac1 | 1666 | host_lookup_deferred = TRUE; |
059ec3d9 PH |
1667 | return DEFER; |
1668 | } | |
1669 | ||
1670 | /* Do lookups directly in the DNS or via gethostbyaddr() (or equivalent), in | |
1671 | the order specified by the host_lookup_order option. */ | |
1672 | ||
152481a0 | 1673 | while ((ordername = string_nextinlist(&list, &sep, NULL, 0))) |
059ec3d9 PH |
1674 | { |
1675 | if (strcmpic(ordername, US"bydns") == 0) | |
1676 | { | |
152481a0 JH |
1677 | uschar * name = dns_build_reverse(sender_host_address); |
1678 | ||
9d9c3746 | 1679 | dns_init(FALSE, FALSE, FALSE); /* dnssec ctrl by dns_dnssec_ok glbl */ |
152481a0 | 1680 | rc = dns_lookup_timerwrap(dnsa, name, T_PTR, NULL); |
059ec3d9 PH |
1681 | |
1682 | /* The first record we come across is used for the name; others are | |
1683 | considered to be aliases. We have to scan twice, in order to find out the | |
1684 | number of aliases. However, if all the names are empty, we will behave as | |
1685 | if failure. (PTR records that yield empty names have been encountered in | |
1686 | the DNS.) */ | |
1687 | ||
1688 | if (rc == DNS_SUCCEED) | |
1689 | { | |
1690 | uschar **aptr = NULL; | |
1691 | int ssize = 264; | |
1692 | int count = 0; | |
1693 | int old_pool = store_pool; | |
1694 | ||
8743d3ac | 1695 | sender_host_dnssec = dns_is_secure(dnsa); |
1f4a55da PP |
1696 | DEBUG(D_dns) |
1697 | debug_printf("Reverse DNS security status: %s\n", | |
1698 | sender_host_dnssec ? "DNSSEC verified (AD)" : "unverified"); | |
1699 | ||
059ec3d9 PH |
1700 | store_pool = POOL_PERM; /* Save names in permanent storage */ |
1701 | ||
8743d3ac | 1702 | for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); |
1705dd20 | 1703 | rr; |
8743d3ac | 1704 | rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_PTR) |
d7978c0f | 1705 | count++; |
059ec3d9 PH |
1706 | |
1707 | /* Get store for the list of aliases. For compatibility with | |
1708 | gethostbyaddr, we make an empty list if there are none. */ | |
1709 | ||
f3ebb786 | 1710 | aptr = sender_host_aliases = store_get(count * sizeof(uschar *), FALSE); |
059ec3d9 PH |
1711 | |
1712 | /* Re-scan and extract the names */ | |
1713 | ||
8743d3ac | 1714 | for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); |
1705dd20 | 1715 | rr; |
8743d3ac | 1716 | rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_PTR) |
059ec3d9 | 1717 | { |
f3ebb786 | 1718 | uschar * s = store_get(ssize, TRUE); /* names are tainted */ |
059ec3d9 PH |
1719 | |
1720 | /* If an overlong response was received, the data will have been | |
1721 | truncated and dn_expand may fail. */ | |
1722 | ||
8743d3ac | 1723 | if (dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, |
5903c6ff | 1724 | US (rr->data), (DN_EXPAND_ARG4_TYPE)(s), ssize) < 0) |
059ec3d9 PH |
1725 | { |
1726 | log_write(0, LOG_MAIN, "host name alias list truncated for %s", | |
1727 | sender_host_address); | |
1728 | break; | |
1729 | } | |
1730 | ||
f3ebb786 JH |
1731 | store_release_above(s + Ustrlen(s) + 1); |
1732 | if (!s[0]) | |
059ec3d9 PH |
1733 | { |
1734 | HDEBUG(D_host_lookup) debug_printf("IP address lookup yielded an " | |
1735 | "empty name: treated as non-existent host name\n"); | |
1736 | continue; | |
1737 | } | |
1f155f8e JH |
1738 | if (!sender_host_name) sender_host_name = s; |
1739 | else *aptr++ = s; | |
f3ebb786 | 1740 | while (*s) { *s = tolower(*s); s++; } |
059ec3d9 PH |
1741 | } |
1742 | ||
1743 | *aptr = NULL; /* End of alias list */ | |
1744 | store_pool = old_pool; /* Reset store pool */ | |
1745 | ||
f3ebb786 | 1746 | /* If we've found a name, break out of the "order" loop */ |
059ec3d9 | 1747 | |
f3ebb786 | 1748 | if (sender_host_name) break; |
059ec3d9 PH |
1749 | } |
1750 | ||
1751 | /* If the DNS lookup deferred, we must also defer. */ | |
1752 | ||
1753 | if (rc == DNS_AGAIN) | |
1754 | { | |
1755 | HDEBUG(D_host_lookup) | |
1756 | debug_printf("IP address PTR lookup gave temporary error\n"); | |
8e669ac1 | 1757 | host_lookup_deferred = TRUE; |
059ec3d9 PH |
1758 | return DEFER; |
1759 | } | |
1760 | } | |
1761 | ||
1762 | /* Do a lookup using gethostbyaddr() - or equivalent */ | |
1763 | ||
1764 | else if (strcmpic(ordername, US"byaddr") == 0) | |
1765 | { | |
1766 | HDEBUG(D_host_lookup) | |
1767 | debug_printf("IP address lookup using gethostbyaddr()\n"); | |
059ec3d9 | 1768 | rc = host_name_lookup_byaddr(); |
8e669ac1 | 1769 | if (rc == DEFER) |
b08b24c8 | 1770 | { |
8e669ac1 | 1771 | host_lookup_deferred = TRUE; |
b08b24c8 | 1772 | return rc; /* Can't carry on */ |
8e669ac1 | 1773 | } |
059ec3d9 PH |
1774 | if (rc == OK) break; /* Found a name */ |
1775 | } | |
1776 | } /* Loop for bydns/byaddr scanning */ | |
1777 | ||
1778 | /* If we have failed to find a name, return FAIL and log when required. | |
1779 | NB host_lookup_msg must be in permanent store. */ | |
1780 | ||
94759fce | 1781 | if (!sender_host_name) |
059ec3d9 | 1782 | { |
8768d548 | 1783 | if (host_checking || !f.log_testing_mode) |
059ec3d9 PH |
1784 | log_write(L_host_lookup_failed, LOG_MAIN, "no host name found for IP " |
1785 | "address %s", sender_host_address); | |
1786 | host_lookup_msg = US" (failed to find host name from IP address)"; | |
b08b24c8 | 1787 | host_lookup_failed = TRUE; |
059ec3d9 PH |
1788 | return FAIL; |
1789 | } | |
1790 | ||
059ec3d9 PH |
1791 | HDEBUG(D_host_lookup) |
1792 | { | |
1793 | uschar **aliases = sender_host_aliases; | |
de11307f JH |
1794 | debug_printf("IP address lookup yielded \"%s\"\n", sender_host_name); |
1795 | while (*aliases != NULL) debug_printf(" alias \"%s\"\n", *aliases++); | |
059ec3d9 PH |
1796 | } |
1797 | ||
1798 | /* We need to verify that a forward lookup on the name we found does indeed | |
1799 | correspond to the address. This is for security: in principle a malefactor who | |
1800 | happened to own a reverse zone could set it to point to any names at all. | |
1801 | ||
1802 | This code was present in versions of Exim before 3.20. At that point I took it | |
1803 | out because I thought that gethostbyaddr() did the check anyway. It turns out | |
1804 | that this isn't always the case, so it's coming back in at 4.01. This version | |
1805 | is actually better, because it also checks aliases. | |
1806 | ||
1807 | The code was made more robust at release 4.21. Prior to that, it accepted all | |
1808 | the names if any of them had the correct IP address. Now the code checks all | |
1809 | the names, and accepts only those that have the correct IP address. */ | |
1810 | ||
1811 | save_hostname = sender_host_name; /* Save for error messages */ | |
1812 | aliases = sender_host_aliases; | |
d7978c0f | 1813 | for (uschar * hname = sender_host_name; hname; hname = *aliases++) |
059ec3d9 PH |
1814 | { |
1815 | int rc; | |
1816 | BOOL ok = FALSE; | |
94759fce JH |
1817 | host_item h = { .next = NULL, .name = hname, .mx = MX_NONE, .address = NULL }; |
1818 | dnssec_domains d = | |
1819 | { .request = sender_host_dnssec ? US"*" : NULL, .require = NULL }; | |
059ec3d9 | 1820 | |
66387a73 | 1821 | if ( (rc = host_find_bydns(&h, NULL, HOST_FIND_BY_A | HOST_FIND_BY_AAAA, |
1f155f8e JH |
1822 | NULL, NULL, NULL, &d, NULL, NULL)) == HOST_FOUND |
1823 | || rc == HOST_FOUND_LOCAL | |
1824 | ) | |
059ec3d9 | 1825 | { |
059ec3d9 | 1826 | HDEBUG(D_host_lookup) debug_printf("checking addresses for %s\n", hname); |
1f155f8e JH |
1827 | |
1828 | /* If the forward lookup was not secure we cancel the is-secure variable */ | |
1829 | ||
1830 | DEBUG(D_dns) debug_printf("Forward DNS security status: %s\n", | |
1831 | h.dnssec == DS_YES ? "DNSSEC verified (AD)" : "unverified"); | |
1832 | if (h.dnssec != DS_YES) sender_host_dnssec = FALSE; | |
1833 | ||
d7978c0f | 1834 | for (host_item * hh = &h; hh; hh = hh->next) |
d27f1df3 | 1835 | if (host_is_in_net(hh->address, sender_host_address, 0)) |
059ec3d9 PH |
1836 | { |
1837 | HDEBUG(D_host_lookup) debug_printf(" %s OK\n", hh->address); | |
1838 | ok = TRUE; | |
1839 | break; | |
1840 | } | |
1841 | else | |
059ec3d9 | 1842 | HDEBUG(D_host_lookup) debug_printf(" %s\n", hh->address); |
1f155f8e | 1843 | |
059ec3d9 PH |
1844 | if (!ok) HDEBUG(D_host_lookup) |
1845 | debug_printf("no IP address for %s matched %s\n", hname, | |
1846 | sender_host_address); | |
1847 | } | |
1848 | else if (rc == HOST_FIND_AGAIN) | |
1849 | { | |
1850 | HDEBUG(D_host_lookup) debug_printf("temporary error for host name lookup\n"); | |
8e669ac1 | 1851 | host_lookup_deferred = TRUE; |
55728a4f | 1852 | sender_host_name = NULL; |
059ec3d9 PH |
1853 | return DEFER; |
1854 | } | |
1855 | else | |
059ec3d9 | 1856 | HDEBUG(D_host_lookup) debug_printf("no IP addresses found for %s\n", hname); |
059ec3d9 PH |
1857 | |
1858 | /* If this name is no good, and it's the sender name, set it null pro tem; | |
1859 | if it's an alias, just remove it from the list. */ | |
1860 | ||
1861 | if (!ok) | |
1862 | { | |
1863 | if (hname == sender_host_name) sender_host_name = NULL; else | |
1864 | { | |
1865 | uschar **a; /* Don't amalgamate - some */ | |
1866 | a = --aliases; /* compilers grumble */ | |
1867 | while (*a != NULL) { *a = a[1]; a++; } | |
1868 | } | |
1869 | } | |
1870 | } | |
1871 | ||
1872 | /* If sender_host_name == NULL, it means we didn't like the name. Replace | |
1873 | it with the first alias, if there is one. */ | |
1874 | ||
1875 | if (sender_host_name == NULL && *sender_host_aliases != NULL) | |
1876 | sender_host_name = *sender_host_aliases++; | |
1877 | ||
1878 | /* If we now have a main name, all is well. */ | |
1879 | ||
1880 | if (sender_host_name != NULL) return OK; | |
1881 | ||
1882 | /* We have failed to find an address that matches. */ | |
1883 | ||
1884 | HDEBUG(D_host_lookup) | |
1885 | debug_printf("%s does not match any IP address for %s\n", | |
1886 | sender_host_address, save_hostname); | |
1887 | ||
1888 | /* This message must be in permanent store */ | |
1889 | ||
1890 | old_pool = store_pool; | |
1891 | store_pool = POOL_PERM; | |
1892 | host_lookup_msg = string_sprintf(" (%s does not match any IP address for %s)", | |
1893 | sender_host_address, save_hostname); | |
1894 | store_pool = old_pool; | |
059ec3d9 PH |
1895 | host_lookup_failed = TRUE; |
1896 | return FAIL; | |
1897 | } | |
1898 | ||
1899 | ||
1900 | ||
1901 | ||
1902 | /************************************************* | |
1903 | * Find IP address(es) for host by name * | |
1904 | *************************************************/ | |
1905 | ||
1906 | /* The input is a host_item structure with the name filled in and the address | |
322050c2 PH |
1907 | field set to NULL. We use gethostbyname() or getipnodebyname() or |
1908 | gethostbyname2(), as appropriate. Of course, these functions may use the DNS, | |
1909 | but they do not do MX processing. It appears, however, that in some systems the | |
1910 | current setting of resolver options is used when one of these functions calls | |
1911 | the resolver. For this reason, we call dns_init() at the start, with arguments | |
1912 | influenced by bits in "flags", just as we do for host_find_bydns(). | |
059ec3d9 PH |
1913 | |
1914 | The second argument provides a host list (usually an IP list) of hosts to | |
1915 | ignore. This makes it possible to ignore IPv6 link-local addresses or loopback | |
1916 | addresses in unreasonable places. | |
1917 | ||
1918 | The lookup may result in a change of name. For compatibility with the dns | |
1919 | lookup, return this via fully_qualified_name as well as updating the host item. | |
1920 | The lookup may also yield more than one IP address, in which case chain on | |
1921 | subsequent host_item structures. | |
1922 | ||
1923 | Arguments: | |
1924 | host a host item with the name and MX filled in; | |
1925 | the address is to be filled in; | |
1926 | multiple IP addresses cause other host items to be | |
1927 | chained on. | |
1928 | ignore_target_hosts a list of hosts to ignore | |
322050c2 PH |
1929 | flags HOST_FIND_QUALIFY_SINGLE ) passed to |
1930 | HOST_FIND_SEARCH_PARENTS ) dns_init() | |
059ec3d9 PH |
1931 | fully_qualified_name if not NULL, set to point to host name for |
1932 | compatibility with host_find_bydns | |
1933 | local_host_check TRUE if a check for the local host is wanted | |
1934 | ||
1935 | Returns: HOST_FIND_FAILED Failed to find the host or domain | |
1936 | HOST_FIND_AGAIN Try again later | |
1937 | HOST_FOUND Host found - data filled in | |
1938 | HOST_FOUND_LOCAL Host found and is the local host | |
1939 | */ | |
1940 | ||
1941 | int | |
55414b25 JH |
1942 | host_find_byname(host_item *host, const uschar *ignore_target_hosts, int flags, |
1943 | const uschar **fully_qualified_name, BOOL local_host_check) | |
059ec3d9 | 1944 | { |
d7978c0f | 1945 | int yield, times; |
059ec3d9 PH |
1946 | host_item *last = NULL; |
1947 | BOOL temp_error = FALSE; | |
b08b24c8 PH |
1948 | #if HAVE_IPV6 |
1949 | int af; | |
1950 | #endif | |
1951 | ||
322050c2 PH |
1952 | /* Make sure DNS options are set as required. This appears to be necessary in |
1953 | some circumstances when the get..byname() function actually calls the DNS. */ | |
1954 | ||
1955 | dns_init((flags & HOST_FIND_QUALIFY_SINGLE) != 0, | |
8c51eead | 1956 | (flags & HOST_FIND_SEARCH_PARENTS) != 0, |
7cd171b7 | 1957 | FALSE); /* Cannot retrieve dnssec status so do not request */ |
322050c2 | 1958 | |
7e66e54d PH |
1959 | /* In an IPv6 world, unless IPv6 has been disabled, we need to scan for both |
1960 | kinds of address, so go round the loop twice. Note that we have ensured that | |
1961 | AF_INET6 is defined even in an IPv4 world, which makes for slightly tidier | |
1962 | code. However, if dns_ipv4_lookup matches the domain, we also just do IPv4 | |
1963 | lookups here (except when testing standalone). */ | |
059ec3d9 PH |
1964 | |
1965 | #if HAVE_IPV6 | |
322050c2 PH |
1966 | #ifdef STAND_ALONE |
1967 | if (disable_ipv6) | |
1968 | #else | |
1969 | if (disable_ipv6 || | |
1970 | (dns_ipv4_lookup != NULL && | |
55414b25 JH |
1971 | match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0, NULL, NULL, |
1972 | MCL_DOMAIN, TRUE, NULL) == OK)) | |
322050c2 PH |
1973 | #endif |
1974 | ||
059ec3d9 PH |
1975 | { af = AF_INET; times = 1; } |
1976 | else | |
059ec3d9 PH |
1977 | { af = AF_INET6; times = 2; } |
1978 | ||
1979 | /* No IPv6 support */ | |
1980 | ||
1981 | #else /* HAVE_IPV6 */ | |
1982 | times = 1; | |
1983 | #endif /* HAVE_IPV6 */ | |
1984 | ||
1985 | /* Initialize the flag that gets set for DNS syntax check errors, so that the | |
1986 | interface to this function can be similar to host_find_bydns. */ | |
1987 | ||
8768d548 | 1988 | f.host_find_failed_syntax = FALSE; |
059ec3d9 PH |
1989 | |
1990 | /* Loop to look up both kinds of address in an IPv6 world */ | |
1991 | ||
d7978c0f | 1992 | for (int i = 1; i <= times; |
059ec3d9 PH |
1993 | #if HAVE_IPV6 |
1994 | af = AF_INET, /* If 2 passes, IPv4 on the second */ | |
1995 | #endif | |
1996 | i++) | |
1997 | { | |
1998 | BOOL ipv4_addr; | |
91ecef39 | 1999 | int error_num = 0; |
059ec3d9 | 2000 | struct hostent *hostdata; |
0539a19d | 2001 | unsigned long time_msec = 0; /* compiler quietening */ |
059ec3d9 | 2002 | |
322050c2 PH |
2003 | #ifdef STAND_ALONE |
2004 | printf("Looking up: %s\n", host->name); | |
2005 | #endif | |
2006 | ||
846430d9 JH |
2007 | if (slow_lookup_log) time_msec = get_time_in_ms(); |
2008 | ||
059ec3d9 | 2009 | #if HAVE_IPV6 |
8768d548 | 2010 | if (f.running_in_test_harness) |
e7726cbf PH |
2011 | hostdata = host_fake_gethostbyname(host->name, af, &error_num); |
2012 | else | |
2013 | { | |
059ec3d9 PH |
2014 | #if HAVE_GETIPNODEBYNAME |
2015 | hostdata = getipnodebyname(CS host->name, af, 0, &error_num); | |
2016 | #else | |
2017 | hostdata = gethostbyname2(CS host->name, af); | |
2018 | error_num = h_errno; | |
2019 | #endif | |
e7726cbf PH |
2020 | } |
2021 | ||
2022 | #else /* not HAVE_IPV6 */ | |
8768d548 | 2023 | if (f.running_in_test_harness) |
e7726cbf PH |
2024 | hostdata = host_fake_gethostbyname(host->name, AF_INET, &error_num); |
2025 | else | |
2026 | { | |
2027 | hostdata = gethostbyname(CS host->name); | |
2028 | error_num = h_errno; | |
2029 | } | |
2030 | #endif /* HAVE_IPV6 */ | |
059ec3d9 | 2031 | |
0539a19d | 2032 | if ( slow_lookup_log |
abe1353e | 2033 | && (time_msec = get_time_in_ms() - time_msec) > slow_lookup_log) |
30795c5e | 2034 | log_long_lookup(US"gethostbyname", host->name, time_msec); |
846430d9 | 2035 | |
accf9211 | 2036 | if (!hostdata) |
059ec3d9 PH |
2037 | { |
2038 | uschar *error; | |
2039 | switch (error_num) | |
2040 | { | |
2041 | case HOST_NOT_FOUND: error = US"HOST_NOT_FOUND"; break; | |
4a452c43 JH |
2042 | case TRY_AGAIN: error = US"TRY_AGAIN"; break; |
2043 | case NO_RECOVERY: error = US"NO_RECOVERY"; break; | |
2044 | case NO_DATA: error = US"NO_DATA"; break; | |
accf9211 | 2045 | #if NO_DATA != NO_ADDRESS |
4a452c43 | 2046 | case NO_ADDRESS: error = US"NO_ADDRESS"; break; |
accf9211 | 2047 | #endif |
059ec3d9 PH |
2048 | default: error = US"?"; break; |
2049 | } | |
2050 | ||
2051 | DEBUG(D_host_lookup) debug_printf("%s returned %d (%s)\n", | |
accf9211 | 2052 | f.running_in_test_harness ? "host_fake_gethostbyname" : |
059ec3d9 PH |
2053 | #if HAVE_IPV6 |
2054 | #if HAVE_GETIPNODEBYNAME | |
accf9211 | 2055 | af == AF_INET6 ? "getipnodebyname(af=inet6)" : "getipnodebyname(af=inet)", |
059ec3d9 | 2056 | #else |
accf9211 | 2057 | af == AF_INET6 ? "gethostbyname2(af=inet6)" : "gethostbyname2(af=inet)", |
059ec3d9 PH |
2058 | #endif |
2059 | #else | |
2060 | "gethostbyname", | |
2061 | #endif | |
2062 | error_num, error); | |
2063 | ||
2064 | if (error_num == TRY_AGAIN || error_num == NO_RECOVERY) temp_error = TRUE; | |
2065 | continue; | |
2066 | } | |
2067 | if ((hostdata->h_addr_list)[0] == NULL) continue; | |
2068 | ||
2069 | /* Replace the name with the fully qualified one if necessary, and fill in | |
2070 | the fully_qualified_name pointer. */ | |
2071 | ||
2072 | if (hostdata->h_name[0] != 0 && | |
2073 | Ustrcmp(host->name, hostdata->h_name) != 0) | |
5903c6ff | 2074 | host->name = string_copy_dnsdomain(US hostdata->h_name); |
059ec3d9 PH |
2075 | if (fully_qualified_name != NULL) *fully_qualified_name = host->name; |
2076 | ||
2077 | /* Get the list of addresses. IPv4 and IPv6 addresses can be distinguished | |
2078 | by their different lengths. Scan the list, ignoring any that are to be | |
2079 | ignored, and build a chain from the rest. */ | |
2080 | ||
2081 | ipv4_addr = hostdata->h_length == sizeof(struct in_addr); | |
2082 | ||
d7978c0f | 2083 | for (uschar ** addrlist = USS hostdata->h_addr_list; *addrlist; addrlist++) |
059ec3d9 PH |
2084 | { |
2085 | uschar *text_address = | |
2086 | host_ntoa(ipv4_addr? AF_INET:AF_INET6, *addrlist, NULL, NULL); | |
2087 | ||
2088 | #ifndef STAND_ALONE | |
2089 | if (ignore_target_hosts != NULL && | |
2090 | verify_check_this_host(&ignore_target_hosts, NULL, host->name, | |
2091 | text_address, NULL) == OK) | |
2092 | { | |
2093 | DEBUG(D_host_lookup) | |
2094 | debug_printf("ignored host %s [%s]\n", host->name, text_address); | |
2095 | continue; | |
2096 | } | |
2097 | #endif | |
2098 | ||
2099 | /* If this is the first address, last == NULL and we put the data in the | |
2100 | original block. */ | |
2101 | ||
2102 | if (last == NULL) | |
2103 | { | |
2104 | host->address = text_address; | |
2105 | host->port = PORT_NONE; | |
2106 | host->status = hstatus_unknown; | |
2107 | host->why = hwhy_unknown; | |
783b385f | 2108 | host->dnssec = DS_UNK; |
059ec3d9 PH |
2109 | last = host; |
2110 | } | |
2111 | ||
2112 | /* Else add further host item blocks for any other addresses, keeping | |
2113 | the order. */ | |
2114 | ||
2115 | else | |
2116 | { | |
f3ebb786 | 2117 | host_item *next = store_get(sizeof(host_item), FALSE); |
059ec3d9 PH |
2118 | next->name = host->name; |
2119 | next->mx = host->mx; | |
2120 | next->address = text_address; | |
2121 | next->port = PORT_NONE; | |
2122 | next->status = hstatus_unknown; | |
2123 | next->why = hwhy_unknown; | |
783b385f | 2124 | next->dnssec = DS_UNK; |
059ec3d9 PH |
2125 | next->last_try = 0; |
2126 | next->next = last->next; | |
2127 | last->next = next; | |
2128 | last = next; | |
2129 | } | |
2130 | } | |
2131 | } | |
2132 | ||
2133 | /* If no hosts were found, the address field in the original host block will be | |
2134 | NULL. If temp_error is set, at least one of the lookups gave a temporary error, | |
2135 | so we pass that back. */ | |
2136 | ||
2137 | if (host->address == NULL) | |
2138 | { | |
2139 | uschar *msg = | |
2140 | #ifndef STAND_ALONE | |
2141 | (message_id[0] == 0 && smtp_in != NULL)? | |
2142 | string_sprintf("no IP address found for host %s (during %s)", host->name, | |
2143 | smtp_get_connection_info()) : | |
2144 | #endif | |
2145 | string_sprintf("no IP address found for host %s", host->name); | |
2146 | ||
2147 | HDEBUG(D_host_lookup) debug_printf("%s\n", msg); | |
9b8fadde | 2148 | if (temp_error) goto RETURN_AGAIN; |
8768d548 | 2149 | if (host_checking || !f.log_testing_mode) |
059ec3d9 PH |
2150 | log_write(L_host_lookup_failed, LOG_MAIN, "%s", msg); |
2151 | return HOST_FIND_FAILED; | |
2152 | } | |
2153 | ||
2154 | /* Remove any duplicate IP addresses, then check to see if this is the local | |
2155 | host if required. */ | |
2156 | ||
2157 | host_remove_duplicates(host, &last); | |
2158 | yield = local_host_check? | |
2159 | host_scan_for_local_hosts(host, &last, NULL) : HOST_FOUND; | |
2160 | ||
059ec3d9 PH |
2161 | HDEBUG(D_host_lookup) |
2162 | { | |
d7978c0f | 2163 | if (fully_qualified_name) |
059ec3d9 PH |
2164 | debug_printf("fully qualified name = %s\n", *fully_qualified_name); |
2165 | debug_printf("%s looked up these IP addresses:\n", | |
2166 | #if HAVE_IPV6 | |
2167 | #if HAVE_GETIPNODEBYNAME | |
2168 | "getipnodebyname" | |
2169 | #else | |
2170 | "gethostbyname2" | |
2171 | #endif | |
2172 | #else | |
2173 | "gethostbyname" | |
2174 | #endif | |
2175 | ); | |
d7978c0f | 2176 | for (const host_item * h = host; h != last->next; h = h->next) |
059ec3d9 | 2177 | debug_printf(" name=%s address=%s\n", h->name, |
d7978c0f | 2178 | h->address ? h->address : US"<null>"); |
059ec3d9 PH |
2179 | } |
2180 | ||
2181 | /* Return the found status. */ | |
2182 | ||
2183 | return yield; | |
9b8fadde PH |
2184 | |
2185 | /* Handle the case when there is a temporary error. If the name matches | |
2186 | dns_again_means_nonexist, return permanent rather than temporary failure. */ | |
2187 | ||
2188 | RETURN_AGAIN: | |
2189 | { | |
2190 | #ifndef STAND_ALONE | |
2191 | int rc; | |
55414b25 | 2192 | const uschar *save = deliver_domain; |
9b8fadde | 2193 | deliver_domain = host->name; /* set $domain */ |
55414b25 | 2194 | rc = match_isinlist(host->name, CUSS &dns_again_means_nonexist, 0, NULL, NULL, |
9b8fadde PH |
2195 | MCL_DOMAIN, TRUE, NULL); |
2196 | deliver_domain = save; | |
2197 | if (rc == OK) | |
2198 | { | |
2199 | DEBUG(D_host_lookup) debug_printf("%s is in dns_again_means_nonexist: " | |
2200 | "returning HOST_FIND_FAILED\n", host->name); | |
2201 | return HOST_FIND_FAILED; | |
2202 | } | |
2203 | #endif | |
2204 | return HOST_FIND_AGAIN; | |
2205 | } | |
059ec3d9 PH |
2206 | } |
2207 | ||
2208 | ||
2209 | ||
2210 | /************************************************* | |
2211 | * Fill in a host address from the DNS * | |
2212 | *************************************************/ | |
2213 | ||
1349e1e5 PH |
2214 | /* Given a host item, with its name, port and mx fields set, and its address |
2215 | field set to NULL, fill in its IP address from the DNS. If it is multi-homed, | |
2216 | create additional host items for the additional addresses, copying all the | |
2217 | other fields, and randomizing the order. | |
059ec3d9 | 2218 | |
66387a73 | 2219 | On IPv6 systems, AAAA records are sought first, then A records. |
059ec3d9 PH |
2220 | |
2221 | The host name may be changed if the DNS returns a different name - e.g. fully | |
2222 | qualified or changed via CNAME. If fully_qualified_name is not NULL, dns_lookup | |
2223 | ensures that it points to the fully qualified name. However, this is the fully | |
2224 | qualified version of the original name; if a CNAME is involved, the actual | |
2225 | canonical host name may be different again, and so we get it directly from the | |
2226 | relevant RR. Note that we do NOT change the mx field of the host item in this | |
2227 | function as it may be called to set the addresses of hosts taken from MX | |
2228 | records. | |
2229 | ||
2230 | Arguments: | |
2231 | host points to the host item we're filling in | |
2232 | lastptr points to pointer to last host item in a chain of | |
2233 | host items (may be updated if host is last and gets | |
2234 | extended because multihomed) | |
2235 | ignore_target_hosts list of hosts to ignore | |
2236 | allow_ip if TRUE, recognize an IP address and return it | |
2237 | fully_qualified_name if not NULL, return fully qualified name here if | |
2238 | the contents are different (i.e. it must be preset | |
2239 | to something) | |
221dff13 HSHR |
2240 | dnssec_request if TRUE request the AD bit |
2241 | dnssec_require if TRUE require the AD bit | |
66387a73 | 2242 | whichrrs select ipv4, ipv6 results |
059ec3d9 PH |
2243 | |
2244 | Returns: HOST_FIND_FAILED couldn't find A record | |
2245 | HOST_FIND_AGAIN try again later | |
2546388c | 2246 | HOST_FIND_SECURITY dnssec required but not acheived |
059ec3d9 PH |
2247 | HOST_FOUND found AAAA and/or A record(s) |
2248 | HOST_IGNORED found, but all IPs ignored | |
2249 | */ | |
2250 | ||
2251 | static int | |
2252 | set_address_from_dns(host_item *host, host_item **lastptr, | |
55414b25 JH |
2253 | const uschar *ignore_target_hosts, BOOL allow_ip, |
2254 | const uschar **fully_qualified_name, | |
66387a73 | 2255 | BOOL dnssec_request, BOOL dnssec_require, int whichrrs) |
059ec3d9 | 2256 | { |
059ec3d9 PH |
2257 | host_item *thishostlast = NULL; /* Indicates not yet filled in anything */ |
2258 | BOOL v6_find_again = FALSE; | |
2546388c | 2259 | BOOL dnssec_fail = FALSE; |
059ec3d9 PH |
2260 | int i; |
2261 | ||
2262 | /* If allow_ip is set, a name which is an IP address returns that value | |
2263 | as its address. This is used for MX records when allow_mx_to_ip is set, for | |
2264 | those sites that feel they have to flaunt the RFC rules. */ | |
2265 | ||
2266 | if (allow_ip && string_is_ip_address(host->name, NULL) != 0) | |
2267 | { | |
2268 | #ifndef STAND_ALONE | |
66387a73 JH |
2269 | if ( ignore_target_hosts |
2270 | && verify_check_this_host(&ignore_target_hosts, NULL, host->name, | |
059ec3d9 PH |
2271 | host->name, NULL) == OK) |
2272 | return HOST_IGNORED; | |
2273 | #endif | |
2274 | ||
2275 | host->address = host->name; | |
059ec3d9 PH |
2276 | return HOST_FOUND; |
2277 | } | |
2278 | ||
0539a19d | 2279 | /* On an IPv6 system, unless IPv6 is disabled, go round the loop up to twice, |
66387a73 JH |
2280 | looking for AAAA records the first time. However, unless doing standalone |
2281 | testing, we force an IPv4 lookup if the domain matches dns_ipv4_lookup global. | |
2282 | On an IPv4 system, go round the loop once only, looking only for A records. */ | |
059ec3d9 PH |
2283 | |
2284 | #if HAVE_IPV6 | |
059ec3d9 | 2285 | #ifndef STAND_ALONE |
66387a73 JH |
2286 | if ( disable_ipv6 |
2287 | || !(whichrrs & HOST_FIND_BY_AAAA) | |
2288 | || (dns_ipv4_lookup | |
2289 | && match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0, NULL, NULL, | |
2290 | MCL_DOMAIN, TRUE, NULL) == OK) | |
2291 | ) | |
059ec3d9 PH |
2292 | i = 0; /* look up A records only */ |
2293 | else | |
2294 | #endif /* STAND_ALONE */ | |
2295 | ||
059ec3d9 | 2296 | i = 1; /* look up AAAA and A records */ |
059ec3d9 PH |
2297 | |
2298 | /* The IPv4 world */ | |
2299 | ||
2300 | #else /* HAVE_IPV6 */ | |
2301 | i = 0; /* look up A records only */ | |
2302 | #endif /* HAVE_IPV6 */ | |
2303 | ||
2304 | for (; i >= 0; i--) | |
2305 | { | |
0539a19d | 2306 | static int types[] = { T_A, T_AAAA }; |
059ec3d9 | 2307 | int type = types[i]; |
66387a73 JH |
2308 | int randoffset = i == (whichrrs & HOST_FIND_IPV4_FIRST ? 1 : 0) |
2309 | ? 500 : 0; /* Ensures v6/4 sort order */ | |
8743d3ac | 2310 | dns_answer * dnsa = store_get_dns_answer(); |
059ec3d9 PH |
2311 | dns_scan dnss; |
2312 | ||
8743d3ac | 2313 | int rc = dns_lookup_timerwrap(dnsa, host->name, type, fully_qualified_name); |
cf2b569e | 2314 | lookup_dnssec_authenticated = !dnssec_request ? NULL |
8743d3ac | 2315 | : dns_is_secure(dnsa) ? US"yes" : US"no"; |
059ec3d9 | 2316 | |
221dff13 | 2317 | DEBUG(D_dns) |
0539a19d | 2318 | if ( (dnssec_request || dnssec_require) |
8743d3ac JH |
2319 | && !dns_is_secure(dnsa) |
2320 | && dns_is_aa(dnsa) | |
0539a19d JH |
2321 | ) |
2322 | debug_printf("DNS lookup of %.256s (A/AAAA) requested AD, but got AA\n", host->name); | |
221dff13 | 2323 | |
0539a19d | 2324 | /* We want to return HOST_FIND_AGAIN if one of the A or AAAA lookups |
059ec3d9 PH |
2325 | fails or times out, but not if another one succeeds. (In the early |
2326 | IPv6 days there are name servers that always fail on AAAA, but are happy | |
2327 | to give out an A record. We want to proceed with that A record.) */ | |
8e669ac1 | 2328 | |
059ec3d9 PH |
2329 | if (rc != DNS_SUCCEED) |
2330 | { | |
2331 | if (i == 0) /* Just tried for an A record, i.e. end of loop */ | |
2332 | { | |
0539a19d | 2333 | if (host->address != NULL) return HOST_FOUND; /* AAAA was found */ |
059ec3d9 PH |
2334 | if (rc == DNS_AGAIN || rc == DNS_FAIL || v6_find_again) |
2335 | return HOST_FIND_AGAIN; | |
2336 | return HOST_FIND_FAILED; /* DNS_NOMATCH or DNS_NODATA */ | |
2337 | } | |
2338 | ||
0539a19d | 2339 | /* Tried for an AAAA record: remember if this was a temporary |
059ec3d9 PH |
2340 | error, and look for the next record type. */ |
2341 | ||
2342 | if (rc != DNS_NOMATCH && rc != DNS_NODATA) v6_find_again = TRUE; | |
2343 | continue; | |
2344 | } | |
cf2b569e JH |
2345 | |
2346 | if (dnssec_request) | |
8c51eead | 2347 | { |
8743d3ac | 2348 | if (dns_is_secure(dnsa)) |
cf2b569e JH |
2349 | { |
2350 | DEBUG(D_host_lookup) debug_printf("%s A DNSSEC\n", host->name); | |
2351 | if (host->dnssec == DS_UNK) /* set in host_find_bydns() */ | |
2352 | host->dnssec = DS_YES; | |
2353 | } | |
2354 | else | |
2355 | { | |
2356 | if (dnssec_require) | |
2357 | { | |
2546388c JH |
2358 | dnssec_fail = TRUE; |
2359 | DEBUG(D_host_lookup) debug_printf("dnssec fail on %s for %.256s", | |
0539a19d | 2360 | i>0 ? "AAAA" : "A", host->name); |
cf2b569e JH |
2361 | continue; |
2362 | } | |
2363 | if (host->dnssec == DS_YES) /* set in host_find_bydns() */ | |
2364 | { | |
2365 | DEBUG(D_host_lookup) debug_printf("%s A cancel DNSSEC\n", host->name); | |
2366 | host->dnssec = DS_NO; | |
2367 | lookup_dnssec_authenticated = US"no"; | |
2368 | } | |
2369 | } | |
8c51eead | 2370 | } |
059ec3d9 PH |
2371 | |
2372 | /* Lookup succeeded: fill in the given host item with the first non-ignored | |
2373 | address found; create additional items for any others. A single A6 record | |
8241d8dd JH |
2374 | may generate more than one address. The lookup had a chance to update the |
2375 | fqdn; we do not want any later times round the loop to do so. */ | |
2376 | ||
2377 | fully_qualified_name = NULL; | |
059ec3d9 | 2378 | |
8743d3ac | 2379 | for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); |
e1a3f32f | 2380 | rr; |
8743d3ac | 2381 | rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == type) |
059ec3d9 | 2382 | { |
8743d3ac | 2383 | dns_address * da = dns_address_from_rr(dnsa, rr); |
059ec3d9 | 2384 | |
d7978c0f JH |
2385 | DEBUG(D_host_lookup) |
2386 | if (!da) debug_printf("no addresses extracted from A6 RR for %s\n", | |
2387 | host->name); | |
059ec3d9 | 2388 | |
d7978c0f JH |
2389 | /* This loop runs only once for A and AAAA records, but may run |
2390 | several times for an A6 record that generated multiple addresses. */ | |
059ec3d9 | 2391 | |
d7978c0f JH |
2392 | for (; da; da = da->next) |
2393 | { | |
2394 | #ifndef STAND_ALONE | |
2395 | if (ignore_target_hosts != NULL && | |
2396 | verify_check_this_host(&ignore_target_hosts, NULL, | |
2397 | host->name, da->address, NULL) == OK) | |
2398 | { | |
2399 | DEBUG(D_host_lookup) | |
2400 | debug_printf("ignored host %s [%s]\n", host->name, da->address); | |
2401 | continue; | |
2402 | } | |
2403 | #endif | |
059ec3d9 | 2404 | |
d7978c0f JH |
2405 | /* If this is the first address, stick it in the given host block, |
2406 | and change the name if the returned RR has a different name. */ | |
059ec3d9 | 2407 | |
d7978c0f JH |
2408 | if (thishostlast == NULL) |
2409 | { | |
2410 | if (strcmpic(host->name, rr->name) != 0) | |
2411 | host->name = string_copy_dnsdomain(rr->name); | |
2412 | host->address = da->address; | |
2413 | host->sort_key = host->mx * 1000 + random_number(500) + randoffset; | |
2414 | host->status = hstatus_unknown; | |
2415 | host->why = hwhy_unknown; | |
2416 | thishostlast = host; | |
2417 | } | |
059ec3d9 | 2418 | |
d7978c0f JH |
2419 | /* Not the first address. Check for, and ignore, duplicates. Then |
2420 | insert in the chain at a random point. */ | |
059ec3d9 | 2421 | |
d7978c0f JH |
2422 | else |
2423 | { | |
2424 | int new_sort_key; | |
2425 | host_item *next; | |
2426 | ||
2427 | /* End of our local chain is specified by "thishostlast". */ | |
2428 | ||
2429 | for (next = host;; next = next->next) | |
2430 | { | |
2431 | if (Ustrcmp(CS da->address, next->address) == 0) break; | |
2432 | if (next == thishostlast) { next = NULL; break; } | |
2433 | } | |
2434 | if (next != NULL) continue; /* With loop for next address */ | |
2435 | ||
2436 | /* Not a duplicate */ | |
2437 | ||
2438 | new_sort_key = host->mx * 1000 + random_number(500) + randoffset; | |
f3ebb786 | 2439 | next = store_get(sizeof(host_item), FALSE); |
d7978c0f JH |
2440 | |
2441 | /* New address goes first: insert the new block after the first one | |
2442 | (so as not to disturb the original pointer) but put the new address | |
2443 | in the original block. */ | |
2444 | ||
2445 | if (new_sort_key < host->sort_key) | |
2446 | { | |
2447 | *next = *host; /* Copies port */ | |
2448 | host->next = next; | |
2449 | host->address = da->address; | |
2450 | host->sort_key = new_sort_key; | |
2451 | if (thishostlast == host) thishostlast = next; /* Local last */ | |
2452 | if (*lastptr == host) *lastptr = next; /* Global last */ | |
2453 | } | |
2454 | ||
2455 | /* Otherwise scan down the addresses for this host to find the | |
2456 | one to insert after. */ | |
2457 | ||
2458 | else | |
2459 | { | |
2460 | host_item *h = host; | |
2461 | while (h != thishostlast) | |
2462 | { | |
2463 | if (new_sort_key < h->next->sort_key) break; | |
2464 | h = h->next; | |
2465 | } | |
2466 | *next = *h; /* Copies port */ | |
2467 | h->next = next; | |
2468 | next->address = da->address; | |
2469 | next->sort_key = new_sort_key; | |
2470 | if (h == thishostlast) thishostlast = next; /* Local last */ | |
2471 | if (h == *lastptr) *lastptr = next; /* Global last */ | |
2472 | } | |
2473 | } | |
059ec3d9 PH |
2474 | } |
2475 | } | |
2476 | } | |
2477 | ||
2546388c | 2478 | /* Control gets here only if the second lookup (the A record) succeeded. |
059ec3d9 PH |
2479 | However, the address may not be filled in if it was ignored. */ |
2480 | ||
2546388c JH |
2481 | return host->address |
2482 | ? HOST_FOUND | |
2483 | : dnssec_fail | |
2484 | ? HOST_FIND_SECURITY | |
2485 | : HOST_IGNORED; | |
059ec3d9 PH |
2486 | } |
2487 | ||
2488 | ||
2489 | ||
2490 | ||
2491 | /************************************************* | |
1349e1e5 | 2492 | * Find IP addresses and host names via DNS * |
059ec3d9 PH |
2493 | *************************************************/ |
2494 | ||
1349e1e5 PH |
2495 | /* The input is a host_item structure with the name field filled in and the |
2496 | address field set to NULL. This may be in a chain of other host items. The | |
2497 | lookup may result in more than one IP address, in which case we must created | |
2498 | new host blocks for the additional addresses, and insert them into the chain. | |
2499 | The original name may not be fully qualified. Use the fully_qualified_name | |
2500 | argument to return the official name, as returned by the resolver. | |
059ec3d9 PH |
2501 | |
2502 | Arguments: | |
2503 | host point to initial host item | |
2504 | ignore_target_hosts a list of hosts to ignore | |
2505 | whichrrs flags indicating which RRs to look for: | |
2506 | HOST_FIND_BY_SRV => look for SRV | |
2507 | HOST_FIND_BY_MX => look for MX | |
66387a73 JH |
2508 | HOST_FIND_BY_A => look for A |
2509 | HOST_FIND_BY_AAAA => look for AAAA | |
059ec3d9 PH |
2510 | also flags indicating how the lookup is done |
2511 | HOST_FIND_QUALIFY_SINGLE ) passed to the | |
2512 | HOST_FIND_SEARCH_PARENTS ) resolver | |
66387a73 JH |
2513 | HOST_FIND_IPV4_FIRST => reverse usual result ordering |
2514 | HOST_FIND_IPV4_ONLY => MX results elide ipv6 | |
059ec3d9 PH |
2515 | srv_service when SRV used, the service name |
2516 | srv_fail_domains DNS errors for these domains => assume nonexist | |
2517 | mx_fail_domains DNS errors for these domains => assume nonexist | |
7cd171b7 JH |
2518 | dnssec_d.request => make dnssec request: domainlist |
2519 | dnssec_d.require => ditto and nonexist failures | |
059ec3d9 PH |
2520 | fully_qualified_name if not NULL, return fully-qualified name |
2521 | removed set TRUE if local host was removed from the list | |
2522 | ||
2523 | Returns: HOST_FIND_FAILED Failed to find the host or domain; | |
2524 | if there was a syntax error, | |
2525 | host_find_failed_syntax is set. | |
2526 | HOST_FIND_AGAIN Could not resolve at this time | |
2546388c | 2527 | HOST_FIND_SECURITY dnsssec required but not acheived |
059ec3d9 PH |
2528 | HOST_FOUND Host found |
2529 | HOST_FOUND_LOCAL The lowest MX record points to this | |
2530 | machine, if MX records were found, or | |
2531 | an A record that was found contains | |
2532 | an address of the local host | |
2533 | */ | |
2534 | ||
2535 | int | |
55414b25 | 2536 | host_find_bydns(host_item *host, const uschar *ignore_target_hosts, int whichrrs, |
059ec3d9 | 2537 | uschar *srv_service, uschar *srv_fail_domains, uschar *mx_fail_domains, |
7cd171b7 | 2538 | const dnssec_domains *dnssec_d, |
55414b25 | 2539 | const uschar **fully_qualified_name, BOOL *removed) |
059ec3d9 PH |
2540 | { |
2541 | host_item *h, *last; | |
059ec3d9 PH |
2542 | int rc = DNS_FAIL; |
2543 | int ind_type = 0; | |
2544 | int yield; | |
8743d3ac | 2545 | dns_answer * dnsa = store_get_dns_answer(); |
059ec3d9 | 2546 | dns_scan dnss; |
7cd171b7 JH |
2547 | BOOL dnssec_require = dnssec_d |
2548 | && match_isinlist(host->name, CUSS &dnssec_d->require, | |
8c51eead | 2549 | 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK; |
783b385f | 2550 | BOOL dnssec_request = dnssec_require |
7cd171b7 JH |
2551 | || ( dnssec_d |
2552 | && match_isinlist(host->name, CUSS &dnssec_d->request, | |
2553 | 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK); | |
783b385f | 2554 | dnssec_status_t dnssec; |
059ec3d9 PH |
2555 | |
2556 | /* Set the default fully qualified name to the incoming name, initialize the | |
2557 | resolver if necessary, set up the relevant options, and initialize the flag | |
2558 | that gets set for DNS syntax check errors. */ | |
2559 | ||
2560 | if (fully_qualified_name != NULL) *fully_qualified_name = host->name; | |
2561 | dns_init((whichrrs & HOST_FIND_QUALIFY_SINGLE) != 0, | |
8c51eead | 2562 | (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0, |
1f155f8e | 2563 | dnssec_request); |
8768d548 | 2564 | f.host_find_failed_syntax = FALSE; |
059ec3d9 PH |
2565 | |
2566 | /* First, if requested, look for SRV records. The service name is given; we | |
221dff13 | 2567 | assume TCP protocol. DNS domain names are constrained to a maximum of 256 |
059ec3d9 PH |
2568 | characters, so the code below should be safe. */ |
2569 | ||
94759fce | 2570 | if (whichrrs & HOST_FIND_BY_SRV) |
059ec3d9 | 2571 | { |
d12746bc JH |
2572 | gstring * g; |
2573 | uschar * temp_fully_qualified_name; | |
059ec3d9 PH |
2574 | int prefix_length; |
2575 | ||
d12746bc JH |
2576 | g = string_fmt_append(NULL, "_%s._tcp.%n%.256s", |
2577 | srv_service, &prefix_length, host->name); | |
2578 | temp_fully_qualified_name = string_from_gstring(g); | |
059ec3d9 PH |
2579 | ind_type = T_SRV; |
2580 | ||
2581 | /* Search for SRV records. If the fully qualified name is different to | |
2582 | the input name, pass back the new original domain, without the prepended | |
2583 | magic. */ | |
2584 | ||
783b385f JH |
2585 | dnssec = DS_UNK; |
2586 | lookup_dnssec_authenticated = NULL; | |
8743d3ac | 2587 | rc = dns_lookup_timerwrap(dnsa, temp_fully_qualified_name, ind_type, |
d12746bc | 2588 | CUSS &temp_fully_qualified_name); |
783b385f | 2589 | |
221dff13 HSHR |
2590 | DEBUG(D_dns) |
2591 | if ((dnssec_request || dnssec_require) | |
8743d3ac JH |
2592 | && !dns_is_secure(dnsa) |
2593 | && dns_is_aa(dnsa)) | |
221dff13 HSHR |
2594 | debug_printf("DNS lookup of %.256s (SRV) requested AD, but got AA\n", host->name); |
2595 | ||
783b385f JH |
2596 | if (dnssec_request) |
2597 | { | |
8743d3ac | 2598 | if (dns_is_secure(dnsa)) |
783b385f JH |
2599 | { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; } |
2600 | else | |
2601 | { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; } | |
2602 | } | |
4e0983dc | 2603 | |
d12746bc | 2604 | if (temp_fully_qualified_name != g->s && fully_qualified_name != NULL) |
059ec3d9 PH |
2605 | *fully_qualified_name = temp_fully_qualified_name + prefix_length; |
2606 | ||
2607 | /* On DNS failures, we give the "try again" error unless the domain is | |
2608 | listed as one for which we continue. */ | |
2609 | ||
8743d3ac | 2610 | if (rc == DNS_SUCCEED && dnssec_require && !dns_is_secure(dnsa)) |
8c51eead JH |
2611 | { |
2612 | log_write(L_host_lookup_failed, LOG_MAIN, | |
2613 | "dnssec fail on SRV for %.256s", host->name); | |
2614 | rc = DNS_FAIL; | |
2615 | } | |
059ec3d9 PH |
2616 | if (rc == DNS_FAIL || rc == DNS_AGAIN) |
2617 | { | |
e7726cbf | 2618 | #ifndef STAND_ALONE |
55414b25 JH |
2619 | if (match_isinlist(host->name, CUSS &srv_fail_domains, 0, NULL, NULL, |
2620 | MCL_DOMAIN, TRUE, NULL) != OK) | |
e7726cbf | 2621 | #endif |
8c51eead | 2622 | { yield = HOST_FIND_AGAIN; goto out; } |
059ec3d9 PH |
2623 | DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA " |
2624 | "(domain in srv_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN"); | |
2625 | } | |
2626 | } | |
2627 | ||
2628 | /* If we did not find any SRV records, search the DNS for MX records, if | |
2629 | requested to do so. If the result is DNS_NOMATCH, it means there is no such | |
2630 | domain, and there's no point in going on to look for address records with the | |
2631 | same domain. The result will be DNS_NODATA if the domain exists but has no MX | |
2632 | records. On DNS failures, we give the "try again" error unless the domain is | |
2633 | listed as one for which we continue. */ | |
2634 | ||
2546388c | 2635 | if (rc != DNS_SUCCEED && whichrrs & HOST_FIND_BY_MX) |
059ec3d9 PH |
2636 | { |
2637 | ind_type = T_MX; | |
783b385f JH |
2638 | dnssec = DS_UNK; |
2639 | lookup_dnssec_authenticated = NULL; | |
8743d3ac | 2640 | rc = dns_lookup_timerwrap(dnsa, host->name, ind_type, fully_qualified_name); |
783b385f | 2641 | |
221dff13 | 2642 | DEBUG(D_dns) |
2546388c | 2643 | if ( (dnssec_request || dnssec_require) |
8743d3ac JH |
2644 | && !dns_is_secure(dnsa) |
2645 | && dns_is_aa(dnsa)) | |
cf3d165f | 2646 | debug_printf("DNS lookup of %.256s (MX) requested AD, but got AA\n", host->name); |
221dff13 | 2647 | |
783b385f | 2648 | if (dnssec_request) |
8743d3ac | 2649 | if (dns_is_secure(dnsa)) |
94431adb | 2650 | { |
979c462e | 2651 | DEBUG(D_host_lookup) debug_printf("%s (MX resp) DNSSEC\n", host->name); |
cf2b569e JH |
2652 | dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; |
2653 | } | |
783b385f | 2654 | else |
cf2b569e JH |
2655 | { |
2656 | dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; | |
2657 | } | |
4e0983dc | 2658 | |
8c51eead JH |
2659 | switch (rc) |
2660 | { | |
2661 | case DNS_NOMATCH: | |
2662 | yield = HOST_FIND_FAILED; goto out; | |
2663 | ||
2664 | case DNS_SUCCEED: | |
8743d3ac | 2665 | if (!dnssec_require || dns_is_secure(dnsa)) |
8c51eead | 2666 | break; |
2546388c JH |
2667 | DEBUG(D_host_lookup) |
2668 | debug_printf("dnssec fail on MX for %.256s", host->name); | |
2669 | #ifndef STAND_ALONE | |
2670 | if (match_isinlist(host->name, CUSS &mx_fail_domains, 0, NULL, NULL, | |
2671 | MCL_DOMAIN, TRUE, NULL) != OK) | |
2672 | { yield = HOST_FIND_SECURITY; goto out; } | |
2673 | #endif | |
8c51eead | 2674 | rc = DNS_FAIL; |
cf2b569e | 2675 | /*FALLTHROUGH*/ |
8c51eead JH |
2676 | |
2677 | case DNS_FAIL: | |
2678 | case DNS_AGAIN: | |
2546388c | 2679 | #ifndef STAND_ALONE |
55414b25 JH |
2680 | if (match_isinlist(host->name, CUSS &mx_fail_domains, 0, NULL, NULL, |
2681 | MCL_DOMAIN, TRUE, NULL) != OK) | |
2546388c | 2682 | #endif |
8c51eead JH |
2683 | { yield = HOST_FIND_AGAIN; goto out; } |
2684 | DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA " | |
2685 | "(domain in mx_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN"); | |
2686 | break; | |
059ec3d9 PH |
2687 | } |
2688 | } | |
2689 | ||
2690 | /* If we haven't found anything yet, and we are requested to do so, try for an | |
2691 | A or AAAA record. If we find it (or them) check to see that it isn't the local | |
2692 | host. */ | |
2693 | ||
2694 | if (rc != DNS_SUCCEED) | |
2695 | { | |
66387a73 | 2696 | if (!(whichrrs & (HOST_FIND_BY_A | HOST_FIND_BY_AAAA))) |
059ec3d9 PH |
2697 | { |
2698 | DEBUG(D_host_lookup) debug_printf("Address records are not being sought\n"); | |
8c51eead JH |
2699 | yield = HOST_FIND_FAILED; |
2700 | goto out; | |
059ec3d9 PH |
2701 | } |
2702 | ||
2703 | last = host; /* End of local chainlet */ | |
2704 | host->mx = MX_NONE; | |
2705 | host->port = PORT_NONE; | |
cf2b569e | 2706 | host->dnssec = DS_UNK; |
783b385f | 2707 | lookup_dnssec_authenticated = NULL; |
059ec3d9 | 2708 | rc = set_address_from_dns(host, &last, ignore_target_hosts, FALSE, |
66387a73 | 2709 | fully_qualified_name, dnssec_request, dnssec_require, whichrrs); |
059ec3d9 PH |
2710 | |
2711 | /* If one or more address records have been found, check that none of them | |
2712 | are local. Since we know the host items all have their IP addresses | |
2713 | inserted, host_scan_for_local_hosts() can only return HOST_FOUND or | |
2714 | HOST_FOUND_LOCAL. We do not need to scan for duplicate IP addresses here, | |
2715 | because set_address_from_dns() removes them. */ | |
2716 | ||
2717 | if (rc == HOST_FOUND) | |
2718 | rc = host_scan_for_local_hosts(host, &last, removed); | |
2719 | else | |
2720 | if (rc == HOST_IGNORED) rc = HOST_FIND_FAILED; /* No special action */ | |
2721 | ||
2722 | DEBUG(D_host_lookup) | |
d7978c0f | 2723 | if (host->address) |
059ec3d9 | 2724 | { |
d7978c0f | 2725 | if (fully_qualified_name) |
059ec3d9 | 2726 | debug_printf("fully qualified name = %s\n", *fully_qualified_name); |
d7978c0f | 2727 | for (host_item * h = host; h != last->next; h = h->next) |
059ec3d9 | 2728 | debug_printf("%s %s mx=%d sort=%d %s\n", h->name, |
d7978c0f JH |
2729 | h->address ? h->address : US"<null>", h->mx, h->sort_key, |
2730 | h->status >= hstatus_unusable ? US"*" : US""); | |
059ec3d9 | 2731 | } |
059ec3d9 | 2732 | |
8c51eead JH |
2733 | yield = rc; |
2734 | goto out; | |
059ec3d9 PH |
2735 | } |
2736 | ||
2737 | /* We have found one or more MX or SRV records. Sort them according to | |
2738 | precedence. Put the data for the first one into the existing host block, and | |
2739 | insert new host_item blocks into the chain for the remainder. For equal | |
2740 | precedences one is supposed to randomize the order. To make this happen, the | |
2741 | sorting is actually done on the MX value * 1000 + a random number. This is put | |
2742 | into a host field called sort_key. | |
2743 | ||
2744 | In the case of hosts with both IPv6 and IPv4 addresses, we want to choose the | |
2745 | IPv6 address in preference. At this stage, we don't know what kind of address | |
2746 | the host has. We choose a random number < 500; if later we find an A record | |
2747 | first, we add 500 to the random number. Then for any other address records, we | |
2748 | use random numbers in the range 0-499 for AAAA records and 500-999 for A | |
2749 | records. | |
2750 | ||
2751 | At this point we remove any duplicates that point to the same host, retaining | |
2752 | only the one with the lowest precedence. We cannot yet check for precedence | |
2753 | greater than that of the local host, because that test cannot be properly done | |
2754 | until the addresses have been found - an MX record may point to a name for this | |
2755 | host which is not the primary hostname. */ | |
2756 | ||
2757 | last = NULL; /* Indicates that not even the first item is filled yet */ | |
2758 | ||
8743d3ac | 2759 | for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); |
dd708fd7 | 2760 | rr; |
8743d3ac | 2761 | rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == ind_type) |
059ec3d9 | 2762 | { |
8c513105 | 2763 | int precedence, weight; |
1349e1e5 | 2764 | int port = PORT_NONE; |
dd708fd7 | 2765 | const uschar * s = rr->data; /* MUST be unsigned for GETSHORT */ |
059ec3d9 PH |
2766 | uschar data[256]; |
2767 | ||
059ec3d9 PH |
2768 | GETSHORT(precedence, s); /* Pointer s is advanced */ |
2769 | ||
2770 | /* For MX records, we use a random "weight" which causes multiple records of | |
2771 | the same precedence to sort randomly. */ | |
2772 | ||
2773 | if (ind_type == T_MX) | |
059ec3d9 | 2774 | weight = random_number(500); |
059ec3d9 PH |
2775 | else |
2776 | { | |
8c513105 JH |
2777 | /* SRV records are specified with a port and a weight. The weight is used |
2778 | in a special algorithm. However, to start with, we just use it to order the | |
2779 | records of equal priority (precedence). */ | |
059ec3d9 PH |
2780 | GETSHORT(weight, s); |
2781 | GETSHORT(port, s); | |
2782 | } | |
2783 | ||
2784 | /* Get the name of the host pointed to. */ | |
2785 | ||
8743d3ac | 2786 | (void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s, |
059ec3d9 PH |
2787 | (DN_EXPAND_ARG4_TYPE)data, sizeof(data)); |
2788 | ||
2789 | /* Check that we haven't already got this host on the chain; if we have, | |
2790 | keep only the lower precedence. This situation shouldn't occur, but you | |
2791 | never know what junk might get into the DNS (and this case has been seen on | |
2792 | more than one occasion). */ | |
2793 | ||
8c513105 | 2794 | if (last) /* This is not the first record */ |
059ec3d9 PH |
2795 | { |
2796 | host_item *prev = NULL; | |
2797 | ||
2798 | for (h = host; h != last->next; prev = h, h = h->next) | |
059ec3d9 PH |
2799 | if (strcmpic(h->name, data) == 0) |
2800 | { | |
2801 | DEBUG(D_host_lookup) | |
2802 | debug_printf("discarded duplicate host %s (MX=%d)\n", data, | |
8c513105 | 2803 | precedence > h->mx ? precedence : h->mx); |
059ec3d9 PH |
2804 | if (precedence >= h->mx) goto NEXT_MX_RR; /* Skip greater precedence */ |
2805 | if (h == host) /* Override first item */ | |
2806 | { | |
2807 | h->mx = precedence; | |
2808 | host->sort_key = precedence * 1000 + weight; | |
2809 | goto NEXT_MX_RR; | |
2810 | } | |
2811 | ||
2812 | /* Unwanted host item is not the first in the chain, so we can get | |
2813 | get rid of it by cutting it out. */ | |
2814 | ||
2815 | prev->next = h->next; | |
2816 | if (h == last) last = prev; | |
2817 | break; | |
2818 | } | |
059ec3d9 PH |
2819 | } |
2820 | ||
2821 | /* If this is the first MX or SRV record, put the data into the existing host | |
2822 | block. Otherwise, add a new block in the correct place; if it has to be | |
2823 | before the first block, copy the first block's data to a new second block. */ | |
2824 | ||
8ac90765 | 2825 | if (!last) |
059ec3d9 PH |
2826 | { |
2827 | host->name = string_copy_dnsdomain(data); | |
2828 | host->address = NULL; | |
2829 | host->port = port; | |
2830 | host->mx = precedence; | |
2831 | host->sort_key = precedence * 1000 + weight; | |
2832 | host->status = hstatus_unknown; | |
2833 | host->why = hwhy_unknown; | |
783b385f | 2834 | host->dnssec = dnssec; |
059ec3d9 PH |
2835 | last = host; |
2836 | } | |
8c513105 | 2837 | else |
059ec3d9 PH |
2838 | |
2839 | /* Make a new host item and seek the correct insertion place */ | |
059ec3d9 PH |
2840 | { |
2841 | int sort_key = precedence * 1000 + weight; | |
f3ebb786 | 2842 | host_item *next = store_get(sizeof(host_item), FALSE); |
059ec3d9 PH |
2843 | next->name = string_copy_dnsdomain(data); |
2844 | next->address = NULL; | |
2845 | next->port = port; | |
2846 | next->mx = precedence; | |
2847 | next->sort_key = sort_key; | |
2848 | next->status = hstatus_unknown; | |
2849 | next->why = hwhy_unknown; | |
783b385f | 2850 | next->dnssec = dnssec; |
059ec3d9 PH |
2851 | next->last_try = 0; |
2852 | ||
2853 | /* Handle the case when we have to insert before the first item. */ | |
2854 | ||
2855 | if (sort_key < host->sort_key) | |
2856 | { | |
2857 | host_item htemp; | |
2858 | htemp = *host; | |
2859 | *host = *next; | |
2860 | *next = htemp; | |
2861 | host->next = next; | |
2862 | if (last == host) last = next; | |
2863 | } | |
8c513105 | 2864 | else |
059ec3d9 PH |
2865 | |
2866 | /* Else scan down the items we have inserted as part of this exercise; | |
2867 | don't go further. */ | |
059ec3d9 PH |
2868 | { |
2869 | for (h = host; h != last; h = h->next) | |
059ec3d9 PH |
2870 | if (sort_key < h->next->sort_key) |
2871 | { | |
2872 | next->next = h->next; | |
2873 | h->next = next; | |
2874 | break; | |
2875 | } | |
059ec3d9 PH |
2876 | |
2877 | /* Join on after the last host item that's part of this | |
2878 | processing if we haven't stopped sooner. */ | |
2879 | ||
2880 | if (h == last) | |
2881 | { | |
2882 | next->next = last->next; | |
2883 | last->next = next; | |
2884 | last = next; | |
2885 | } | |
2886 | } | |
2887 | } | |
2888 | ||
2889 | NEXT_MX_RR: continue; | |
2890 | } | |
2891 | ||
dc8091e7 JH |
2892 | if (!last) /* No rr of correct type; give up */ |
2893 | { | |
2894 | yield = HOST_FIND_FAILED; | |
2895 | goto out; | |
2896 | } | |
2897 | ||
059ec3d9 PH |
2898 | /* If the list of hosts was obtained from SRV records, there are two things to |
2899 | do. First, if there is only one host, and it's name is ".", it means there is | |
2900 | no SMTP service at this domain. Otherwise, we have to sort the hosts of equal | |
2901 | priority according to their weights, using an algorithm that is defined in RFC | |
2902 | 2782. The hosts are currently sorted by priority and weight. For each priority | |
2903 | group we have to pick off one host and put it first, and then repeat for any | |
2904 | remaining in the same priority group. */ | |
2905 | ||
2906 | if (ind_type == T_SRV) | |
2907 | { | |
d7978c0f | 2908 | host_item ** pptr; |
059ec3d9 PH |
2909 | |
2910 | if (host == last && host->name[0] == 0) | |
2911 | { | |
2912 | DEBUG(D_host_lookup) debug_printf("the single SRV record is \".\"\n"); | |
8c51eead JH |
2913 | yield = HOST_FIND_FAILED; |
2914 | goto out; | |
059ec3d9 PH |
2915 | } |
2916 | ||
2917 | DEBUG(D_host_lookup) | |
2918 | { | |
2919 | debug_printf("original ordering of hosts from SRV records:\n"); | |
2920 | for (h = host; h != last->next; h = h->next) | |
2921 | debug_printf(" %s P=%d W=%d\n", h->name, h->mx, h->sort_key % 1000); | |
2922 | } | |
2923 | ||
dc8091e7 | 2924 | for (pptr = &host, h = host; h != last; pptr = &h->next, h = h->next) |
059ec3d9 PH |
2925 | { |
2926 | int sum = 0; | |
2927 | host_item *hh; | |
2928 | ||
2929 | /* Find the last following host that has the same precedence. At the same | |
2930 | time, compute the sum of the weights and the running totals. These can be | |
2931 | stored in the sort_key field. */ | |
2932 | ||
2933 | for (hh = h; hh != last; hh = hh->next) | |
2934 | { | |
2935 | int weight = hh->sort_key % 1000; /* was precedence * 1000 + weight */ | |
2936 | sum += weight; | |
2937 | hh->sort_key = sum; | |
2938 | if (hh->mx != hh->next->mx) break; | |
2939 | } | |
2940 | ||
2941 | /* If there's more than one host at this precedence (priority), we need to | |
2942 | pick one to go first. */ | |
2943 | ||
2944 | if (hh != h) | |
2945 | { | |
2946 | host_item *hhh; | |
2947 | host_item **ppptr; | |
2948 | int randomizer = random_number(sum + 1); | |
2949 | ||
2950 | for (ppptr = pptr, hhh = h; | |
2951 | hhh != hh; | |
8c513105 JH |
2952 | ppptr = &hhh->next, hhh = hhh->next) |
2953 | if (hhh->sort_key >= randomizer) | |
2954 | break; | |
059ec3d9 PH |
2955 | |
2956 | /* hhh now points to the host that should go first; ppptr points to the | |
2957 | place that points to it. Unfortunately, if the start of the minilist is | |
2958 | the start of the entire list, we can't just swap the items over, because | |
2959 | we must not change the value of host, since it is passed in from outside. | |
2960 | One day, this could perhaps be changed. | |
2961 | ||
2962 | The special case is fudged by putting the new item *second* in the chain, | |
2963 | and then transferring the data between the first and second items. We | |
2964 | can't just swap the first and the chosen item, because that would mean | |
2965 | that an item with zero weight might no longer be first. */ | |
2966 | ||
2967 | if (hhh != h) | |
2968 | { | |
2969 | *ppptr = hhh->next; /* Cuts it out of the chain */ | |
2970 | ||
2971 | if (h == host) | |
2972 | { | |
2973 | host_item temp = *h; | |
2974 | *h = *hhh; | |
2975 | *hhh = temp; | |
2976 | hhh->next = temp.next; | |
2977 | h->next = hhh; | |
2978 | } | |
059ec3d9 PH |
2979 | else |
2980 | { | |
2981 | hhh->next = h; /* The rest of the chain follows it */ | |
2982 | *pptr = hhh; /* It takes the place of h */ | |
2983 | h = hhh; /* It's now the start of this minilist */ | |
2984 | } | |
2985 | } | |
2986 | } | |
2987 | ||
2988 | /* A host has been chosen to be first at this priority and h now points | |
2989 | to this host. There may be others at the same priority, or others at a | |
2990 | different priority. Before we leave this host, we need to put back a sort | |
2991 | key of the traditional MX kind, in case this host is multihomed, because | |
2992 | the sort key is used for ordering the multiple IP addresses. We do not need | |
2993 | to ensure that these new sort keys actually reflect the order of the hosts, | |
2994 | however. */ | |
2995 | ||
2996 | h->sort_key = h->mx * 1000 + random_number(500); | |
2997 | } /* Move on to the next host */ | |
2998 | } | |
2999 | ||
1349e1e5 PH |
3000 | /* Now we have to find IP addresses for all the hosts. We have ensured above |
3001 | that the names in all the host items are unique. Before release 4.61 we used to | |
3002 | process records from the additional section in the DNS packet that returned the | |
3003 | MX or SRV records. However, a DNS name server is free to drop any resource | |
3004 | records from the additional section. In theory, this has always been a | |
3005 | potential problem, but it is exacerbated by the advent of IPv6. If a host had | |
3006 | several IPv4 addresses and some were not in the additional section, at least | |
3007 | Exim would try the others. However, if a host had both IPv4 and IPv6 addresses | |
3008 | and all the IPv4 (say) addresses were absent, Exim would try only for a IPv6 | |
3009 | connection, and never try an IPv4 address. When there was only IPv4 | |
3010 | connectivity, this was a disaster that did in practice occur. | |
3011 | ||
3012 | So, from release 4.61 onwards, we always search for A and AAAA records | |
3013 | explicitly. The names shouldn't point to CNAMES, but we use the general lookup | |
3014 | function that handles them, just in case. If any lookup gives a soft error, | |
3015 | change the default yield. | |
059ec3d9 PH |
3016 | |
3017 | For these DNS lookups, we must disable qualify_single and search_parents; | |
3018 | otherwise invalid host names obtained from MX or SRV records can cause trouble | |
3019 | if they happen to match something local. */ | |
3020 | ||
1349e1e5 | 3021 | yield = HOST_FIND_FAILED; /* Default yield */ |
8c51eead JH |
3022 | dns_init(FALSE, FALSE, /* Disable qualify_single and search_parents */ |
3023 | dnssec_request || dnssec_require); | |
059ec3d9 PH |
3024 | |
3025 | for (h = host; h != last->next; h = h->next) | |
3026 | { | |
dc8091e7 JH |
3027 | if (h->address) continue; /* Inserted by a multihomed host */ |
3028 | ||
8c51eead | 3029 | rc = set_address_from_dns(h, &last, ignore_target_hosts, allow_mx_to_ip, |
66387a73 JH |
3030 | NULL, dnssec_request, dnssec_require, |
3031 | whichrrs & HOST_FIND_IPV4_ONLY | |
3032 | ? HOST_FIND_BY_A : HOST_FIND_BY_A | HOST_FIND_BY_AAAA); | |
059ec3d9 PH |
3033 | if (rc != HOST_FOUND) |
3034 | { | |
3035 | h->status = hstatus_unusable; | |
2546388c | 3036 | switch (rc) |
059ec3d9 | 3037 | { |
66387a73 JH |
3038 | case HOST_FIND_AGAIN: yield = rc; h->why = hwhy_deferred; break; |
3039 | case HOST_FIND_SECURITY: yield = rc; h->why = hwhy_insecure; break; | |
3040 | case HOST_IGNORED: h->why = hwhy_ignored; break; | |
3041 | default: h->why = hwhy_failed; break; | |
059ec3d9 | 3042 | } |
059ec3d9 PH |
3043 | } |
3044 | } | |
3045 | ||
3046 | /* Scan the list for any hosts that are marked unusable because they have | |
3047 | been explicitly ignored, and remove them from the list, as if they did not | |
3048 | exist. If we end up with just a single, ignored host, flatten its fields as if | |
3049 | nothing was found. */ | |
3050 | ||
2546388c | 3051 | if (ignore_target_hosts) |
059ec3d9 PH |
3052 | { |
3053 | host_item *prev = NULL; | |
3054 | for (h = host; h != last->next; h = h->next) | |
3055 | { | |
3056 | REDO: | |
3057 | if (h->why != hwhy_ignored) /* Non ignored host, just continue */ | |
3058 | prev = h; | |
3059 | else if (prev == NULL) /* First host is ignored */ | |
3060 | { | |
3061 | if (h != last) /* First is not last */ | |
3062 | { | |
3063 | if (h->next == last) last = h; /* Overwrite it with next */ | |
3064 | *h = *(h->next); /* and reprocess it. */ | |
3065 | goto REDO; /* C should have redo, like Perl */ | |
3066 | } | |
3067 | } | |
3068 | else /* Ignored host is not first - */ | |
3069 | { /* cut it out */ | |
3070 | prev->next = h->next; | |
3071 | if (h == last) last = prev; | |
3072 | } | |
3073 | } | |
3074 | ||
3075 | if (host->why == hwhy_ignored) host->address = NULL; | |
3076 | } | |
3077 | ||
3078 | /* There is still one complication in the case of IPv6. Although the code above | |
3079 | arranges that IPv6 addresses take precedence over IPv4 addresses for multihomed | |
3080 | hosts, it doesn't do this for addresses that apply to different hosts with the | |
3081 | same MX precedence, because the sorting on MX precedence happens first. So we | |
3082 | have to make another pass to check for this case. We ensure that, within a | |
3083 | single MX preference value, IPv6 addresses come first. This can separate the | |
3084 | addresses of a multihomed host, but that should not matter. */ | |
3085 | ||
3086 | #if HAVE_IPV6 | |
2546388c | 3087 | if (h != last && !disable_ipv6) for (h = host; h != last; h = h->next) |
059ec3d9 | 3088 | { |
2546388c JH |
3089 | host_item temp; |
3090 | host_item *next = h->next; | |
3091 | ||
66387a73 JH |
3092 | if ( h->mx != next->mx /* If next is different MX */ |
3093 | || !h->address /* OR this one is unset */ | |
3094 | ) | |
3095 | continue; /* move on to next */ | |
3096 | ||
3097 | if ( whichrrs & HOST_FIND_IPV4_FIRST | |
3098 | ? !Ustrchr(h->address, ':') /* OR this one is IPv4 */ | |
3099 | || next->address | |
3100 | && Ustrchr(next->address, ':') /* OR next is IPv6 */ | |
3101 | ||
3102 | : Ustrchr(h->address, ':') /* OR this one is IPv6 */ | |
3103 | || next->address | |
3104 | && !Ustrchr(next->address, ':') /* OR next is IPv4 */ | |
3105 | ) | |
2546388c | 3106 | continue; /* move on to next */ |
66387a73 | 3107 | |
2546388c JH |
3108 | temp = *h; /* otherwise, swap */ |
3109 | temp.next = next->next; | |
3110 | *h = *next; | |
3111 | h->next = next; | |
3112 | *next = temp; | |
059ec3d9 PH |
3113 | } |
3114 | #endif | |
3115 | ||
059ec3d9 PH |
3116 | /* Remove any duplicate IP addresses and then scan the list of hosts for any |
3117 | whose IP addresses are on the local host. If any are found, all hosts with the | |
3118 | same or higher MX values are removed. However, if the local host has the lowest | |
3119 | numbered MX, then HOST_FOUND_LOCAL is returned. Otherwise, if at least one host | |
3120 | with an IP address is on the list, HOST_FOUND is returned. Otherwise, | |
3121 | HOST_FIND_FAILED is returned, but in this case do not update the yield, as it | |
3122 | might have been set to HOST_FIND_AGAIN just above here. If not, it will already | |
3123 | be HOST_FIND_FAILED. */ | |
3124 | ||
3125 | host_remove_duplicates(host, &last); | |
3126 | rc = host_scan_for_local_hosts(host, &last, removed); | |
3127 | if (rc != HOST_FIND_FAILED) yield = rc; | |
3128 | ||
3129 | DEBUG(D_host_lookup) | |
3130 | { | |
d7978c0f | 3131 | if (fully_qualified_name) |
059ec3d9 PH |
3132 | debug_printf("fully qualified name = %s\n", *fully_qualified_name); |
3133 | debug_printf("host_find_bydns yield = %s (%d); returned hosts:\n", | |
d7978c0f JH |
3134 | yield == HOST_FOUND ? "HOST_FOUND" : |
3135 | yield == HOST_FOUND_LOCAL ? "HOST_FOUND_LOCAL" : | |
3136 | yield == HOST_FIND_SECURITY ? "HOST_FIND_SECURITY" : | |
3137 | yield == HOST_FIND_AGAIN ? "HOST_FIND_AGAIN" : | |
3138 | yield == HOST_FIND_FAILED ? "HOST_FIND_FAILED" : "?", | |
059ec3d9 PH |
3139 | yield); |
3140 | for (h = host; h != last->next; h = h->next) | |
3141 | { | |
805c9d53 JH |
3142 | debug_printf(" %s %s MX=%d %s", h->name, |
3143 | !h->address ? US"<null>" : h->address, h->mx, | |
3144 | h->dnssec == DS_YES ? US"DNSSEC " : US""); | |
059ec3d9 PH |
3145 | if (h->port != PORT_NONE) debug_printf("port=%d ", h->port); |
3146 | if (h->status >= hstatus_unusable) debug_printf("*"); | |
3147 | debug_printf("\n"); | |
3148 | } | |
3149 | } | |
3150 | ||
8c51eead JH |
3151 | out: |
3152 | ||
3153 | dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */ | |
059ec3d9 PH |
3154 | return yield; |
3155 | } | |
3156 | ||
30795c5e JH |
3157 | |
3158 | ||
3159 | ||
3160 | #ifdef SUPPORT_DANE | |
3161 | /* Lookup TLSA record for host/port. | |
3162 | Return: OK success with dnssec; DANE mode | |
3163 | DEFER Do not use this host now, may retry later | |
3164 | FAIL_FORCED No TLSA record; DANE not usable | |
3165 | FAIL Do not use this connection | |
3166 | */ | |
3167 | ||
3168 | int | |
3169 | tlsa_lookup(const host_item * host, dns_answer * dnsa, BOOL dane_required) | |
3170 | { | |
3171 | uschar buffer[300]; | |
3172 | const uschar * fullname = buffer; | |
3173 | int rc; | |
3174 | BOOL sec; | |
3175 | ||
3176 | /* TLSA lookup string */ | |
3177 | (void)sprintf(CS buffer, "_%d._tcp.%.256s", host->port, host->name); | |
3178 | ||
3179 | rc = dns_lookup_timerwrap(dnsa, buffer, T_TLSA, &fullname); | |
3180 | sec = dns_is_secure(dnsa); | |
3181 | DEBUG(D_transport) | |
3182 | debug_printf("TLSA lookup ret %d %sDNSSEC\n", rc, sec ? "" : "not "); | |
3183 | ||
3184 | switch (rc) | |
3185 | { | |
3186 | case DNS_AGAIN: | |
3187 | return DEFER; /* just defer this TLS'd conn */ | |
3188 | ||
3189 | case DNS_SUCCEED: | |
3190 | if (sec) | |
3191 | { | |
3192 | DEBUG(D_transport) | |
3193 | { | |
3194 | dns_scan dnss; | |
3195 | for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr; | |
3196 | rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) | |
3197 | if (rr->type == T_TLSA && rr->size > 3) | |
3198 | { | |
3199 | uint16_t payload_length = rr->size - 3; | |
3200 | uschar s[MAX_TLSA_EXPANDED_SIZE], * sp = s, * p = US rr->data; | |
3201 | ||
3202 | sp += sprintf(CS sp, "%d ", *p++); /* usage */ | |
3203 | sp += sprintf(CS sp, "%d ", *p++); /* selector */ | |
3204 | sp += sprintf(CS sp, "%d ", *p++); /* matchtype */ | |
3205 | while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4)) | |
3206 | sp += sprintf(CS sp, "%02x", *p++); | |
3207 | ||
3208 | debug_printf(" %s\n", s); | |
3209 | } | |
3210 | } | |
3211 | return OK; | |
3212 | } | |
3213 | log_write(0, LOG_MAIN, | |
3214 | "DANE error: TLSA lookup for %s not DNSSEC", host->name); | |
3215 | /*FALLTRHOUGH*/ | |
3216 | ||
3217 | case DNS_NODATA: /* no TLSA RR for this lookup */ | |
3218 | case DNS_NOMATCH: /* no records at all for this lookup */ | |
3219 | return dane_required ? FAIL : FAIL_FORCED; | |
3220 | ||
3221 | default: | |
3222 | case DNS_FAIL: | |
3223 | return dane_required ? FAIL : DEFER; | |
3224 | } | |
3225 | } | |
3226 | #endif /*SUPPORT_DANE*/ | |
3227 | ||
3228 | ||
3229 | ||
059ec3d9 PH |
3230 | /************************************************* |
3231 | ************************************************** | |
3232 | * Stand-alone test program * | |
3233 | ************************************************** | |
3234 | *************************************************/ | |
3235 | ||
3236 | #ifdef STAND_ALONE | |
3237 | ||
059ec3d9 PH |
3238 | int main(int argc, char **cargv) |
3239 | { | |
3240 | host_item h; | |
66387a73 | 3241 | int whichrrs = HOST_FIND_BY_MX | HOST_FIND_BY_A | HOST_FIND_BY_AAAA; |
059ec3d9 PH |
3242 | BOOL byname = FALSE; |
3243 | BOOL qualify_single = TRUE; | |
3244 | BOOL search_parents = FALSE; | |
8c51eead JH |
3245 | BOOL request_dnssec = FALSE; |
3246 | BOOL require_dnssec = FALSE; | |
059ec3d9 PH |
3247 | uschar **argv = USS cargv; |
3248 | uschar buffer[256]; | |
3249 | ||
322050c2 | 3250 | disable_ipv6 = FALSE; |
059ec3d9 PH |
3251 | primary_hostname = US""; |
3252 | store_pool = POOL_MAIN; | |
3253 | debug_selector = D_host_lookup|D_interface; | |
3254 | debug_file = stdout; | |
3255 | debug_fd = fileno(debug_file); | |
3256 | ||
3257 | printf("Exim stand-alone host functions test\n"); | |
3258 | ||
3259 | host_find_interfaces(); | |
3260 | debug_selector = D_host_lookup | D_dns; | |
3261 | ||
3262 | if (argc > 1) primary_hostname = argv[1]; | |
3263 | ||
3264 | /* So that debug level changes can be done first */ | |
3265 | ||
8c51eead | 3266 | dns_init(qualify_single, search_parents, FALSE); |
059ec3d9 PH |
3267 | |
3268 | printf("Testing host lookup\n"); | |
3269 | printf("> "); | |
3270 | while (Ufgets(buffer, 256, stdin) != NULL) | |
3271 | { | |
3272 | int rc; | |
3273 | int len = Ustrlen(buffer); | |
3274 | uschar *fully_qualified_name; | |
3275 | ||
3276 | while (len > 0 && isspace(buffer[len-1])) len--; | |
3277 | buffer[len] = 0; | |
3278 | ||
3279 | if (Ustrcmp(buffer, "q") == 0) break; | |
3280 | ||
3281 | if (Ustrcmp(buffer, "byname") == 0) byname = TRUE; | |
3282 | else if (Ustrcmp(buffer, "no_byname") == 0) byname = FALSE; | |
66387a73 | 3283 | else if (Ustrcmp(buffer, "a_only") == 0) whichrrs = HOST_FIND_BY_A | HOST_FIND_BY_AAAA; |
059ec3d9 PH |
3284 | else if (Ustrcmp(buffer, "mx_only") == 0) whichrrs = HOST_FIND_BY_MX; |
3285 | else if (Ustrcmp(buffer, "srv_only") == 0) whichrrs = HOST_FIND_BY_SRV; | |
3286 | else if (Ustrcmp(buffer, "srv+a") == 0) | |
66387a73 | 3287 | whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_A | HOST_FIND_BY_AAAA; |
059ec3d9 PH |
3288 | else if (Ustrcmp(buffer, "srv+mx") == 0) |
3289 | whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX; | |
3290 | else if (Ustrcmp(buffer, "srv+mx+a") == 0) | |
66387a73 | 3291 | whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX | HOST_FIND_BY_A | HOST_FIND_BY_AAAA; |
8c51eead | 3292 | else if (Ustrcmp(buffer, "qualify_single") == 0) qualify_single = TRUE; |
059ec3d9 | 3293 | else if (Ustrcmp(buffer, "no_qualify_single") == 0) qualify_single = FALSE; |
8c51eead | 3294 | else if (Ustrcmp(buffer, "search_parents") == 0) search_parents = TRUE; |
059ec3d9 | 3295 | else if (Ustrcmp(buffer, "no_search_parents") == 0) search_parents = FALSE; |
8c51eead JH |
3296 | else if (Ustrcmp(buffer, "request_dnssec") == 0) request_dnssec = TRUE; |
3297 | else if (Ustrcmp(buffer, "no_request_dnssec") == 0) request_dnssec = FALSE; | |
3298 | else if (Ustrcmp(buffer, "require_dnssec") == 0) require_dnssec = TRUE; | |
f988ce57 | 3299 | else if (Ustrcmp(buffer, "no_require_dnssec") == 0) require_dnssec = FALSE; |
e7726cbf | 3300 | else if (Ustrcmp(buffer, "test_harness") == 0) |
8768d548 | 3301 | f.running_in_test_harness = !f.running_in_test_harness; |
322050c2 | 3302 | else if (Ustrcmp(buffer, "ipv6") == 0) disable_ipv6 = !disable_ipv6; |
e7726cbf PH |
3303 | else if (Ustrcmp(buffer, "res_debug") == 0) |
3304 | { | |
3305 | _res.options ^= RES_DEBUG; | |
3306 | } | |
059ec3d9 PH |
3307 | else if (Ustrncmp(buffer, "retrans", 7) == 0) |
3308 | { | |
ff790e47 | 3309 | (void)sscanf(CS(buffer+8), "%d", &dns_retrans); |
059ec3d9 PH |
3310 | _res.retrans = dns_retrans; |
3311 | } | |
3312 | else if (Ustrncmp(buffer, "retry", 5) == 0) | |
3313 | { | |
ff790e47 | 3314 | (void)sscanf(CS(buffer+6), "%d", &dns_retry); |
059ec3d9 PH |
3315 | _res.retry = dns_retry; |
3316 | } | |
059ec3d9 PH |
3317 | else |
3318 | { | |
3319 | int flags = whichrrs; | |
505d976a | 3320 | dnssec_domains d; |
059ec3d9 PH |
3321 | |
3322 | h.name = buffer; | |
3323 | h.next = NULL; | |
3324 | h.mx = MX_NONE; | |
3325 | h.port = PORT_NONE; | |
3326 | h.status = hstatus_unknown; | |
3327 | h.why = hwhy_unknown; | |
3328 | h.address = NULL; | |
3329 | ||
3330 | if (qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE; | |
3331 | if (search_parents) flags |= HOST_FIND_SEARCH_PARENTS; | |
3332 | ||
7cd171b7 JH |
3333 | d.request = request_dnssec ? &h.name : NULL; |
3334 | d.require = require_dnssec ? &h.name : NULL; | |
3335 | ||
8c51eead JH |
3336 | rc = byname |
3337 | ? host_find_byname(&h, NULL, flags, &fully_qualified_name, TRUE) | |
3338 | : host_find_bydns(&h, NULL, flags, US"smtp", NULL, NULL, | |
7cd171b7 | 3339 | &d, &fully_qualified_name, NULL); |
059ec3d9 | 3340 | |
2546388c JH |
3341 | switch (rc) |
3342 | { | |
3343 | case HOST_FIND_FAILED: printf("Failed\n"); break; | |
3344 | case HOST_FIND_AGAIN: printf("Again\n"); break; | |
3345 | case HOST_FIND_SECURITY: printf("Security\n"); break; | |
3346 | case HOST_FOUND_LOCAL: printf("Local\n"); break; | |
3347 | } | |
059ec3d9 PH |
3348 | } |
3349 | ||
3350 | printf("\n> "); | |
3351 | } | |
3352 | ||
3353 | printf("Testing host_aton\n"); | |
3354 | printf("> "); | |
3355 | while (Ufgets(buffer, 256, stdin) != NULL) | |
3356 | { | |
059ec3d9 PH |
3357 | int x[4]; |
3358 | int len = Ustrlen(buffer); | |
3359 | ||
3360 | while (len > 0 && isspace(buffer[len-1])) len--; | |
3361 | buffer[len] = 0; | |
3362 | ||
3363 | if (Ustrcmp(buffer, "q") == 0) break; | |
3364 | ||
3365 | len = host_aton(buffer, x); | |
3366 | printf("length = %d ", len); | |
d7978c0f | 3367 | for (int i = 0; i < len; i++) |
059ec3d9 PH |
3368 | { |
3369 | printf("%04x ", (x[i] >> 16) & 0xffff); | |
3370 | printf("%04x ", x[i] & 0xffff); | |
3371 | } | |
3372 | printf("\n> "); | |
3373 | } | |
3374 | ||
3375 | printf("\n"); | |
3376 | ||
3377 | printf("Testing host_name_lookup\n"); | |
3378 | printf("> "); | |
3379 | while (Ufgets(buffer, 256, stdin) != NULL) | |
3380 | { | |
3381 | int len = Ustrlen(buffer); | |
3382 | while (len > 0 && isspace(buffer[len-1])) len--; | |
3383 | buffer[len] = 0; | |
3384 | if (Ustrcmp(buffer, "q") == 0) break; | |
3385 | sender_host_address = buffer; | |
3386 | sender_host_name = NULL; | |
3387 | sender_host_aliases = NULL; | |
3388 | host_lookup_msg = US""; | |
3389 | host_lookup_failed = FALSE; | |
3390 | if (host_name_lookup() == FAIL) /* Debug causes printing */ | |
3391 | printf("Lookup failed:%s\n", host_lookup_msg); | |
3392 | printf("\n> "); | |
3393 | } | |
3394 | ||
3395 | printf("\n"); | |
3396 | ||
3397 | return 0; | |
3398 | } | |
3399 | #endif /* STAND_ALONE */ | |
3400 | ||
8c51eead JH |
3401 | /* vi: aw ai sw=2 |
3402 | */ | |
059ec3d9 | 3403 | /* End of host.c */ |