[exim.git] / src / src / lookups / dnsdb.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */

#include "../exim.h"
#include "lf_functions.h"


/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
header files. */

#ifndef T_TXT
#define T_TXT 16
#endif

/* Many systems do not have T_SPF. */
#ifndef T_SPF
#define T_SPF 99
#endif

/* New TLSA record for DANE */
#ifndef T_TLSA
#define T_TLSA 52
#endif

/* Table of recognized DNS record types and their integer values. */

static const char *type_names[] = {
  "a",
#if HAVE_IPV6
  "a+",
  "aaaa",
  #ifdef SUPPORT_A6
  "a6",
  #endif
#endif
  "cname",
  "csa",
  "mx",
  "mxh",
  "ns",
  "ptr",
  "spf",
  "srv",
  "tlsa",
  "txt",
  "zns"
};

static int type_values[] = {
  T_A,
#if HAVE_IPV6
  T_APL,     /* Private type for AAAA + A */
  T_AAAA,
  #ifdef SUPPORT_A6
  T_A6,
  #endif
#endif
  T_CNAME,
  T_CSA,     /* Private type for "Client SMTP Authorization". */
  T_MX,
  T_MXH,     /* Private type for "MX hostnames" */
  T_NS,
  T_PTR,
  T_SPF,
  T_SRV,
  T_TLSA,
  T_TXT,
  T_ZNS      /* Private type for "zone nameservers" */
};


/*************************************************
*              Open entry point                  *
*************************************************/

/* See local README for interface description. */

static void *
dnsdb_open(uschar *filename, uschar **errmsg)
{
filename = filename;   /* Keep picky compilers happy */
errmsg = errmsg;       /* Ditto */
return (void *)(-1);   /* Any non-0 value */
}


/*************************************************
*           Find entry point for dnsdb           *
*************************************************/

/* See local README for interface description. The query in the "keystring" may
consist of a number of parts.

(a) If the first significant character is '>' then the next character is the
separator character that is used when multiple records are found. The default
separator is newline.

(b) If the next character is ',' then the next character is the separator
character used for multiple items of text in "TXT" records. Alternatively,
if the next character is ';' then these multiple items are concatenated with
no separator. With neither of these options specified, only the first item
is output.  Similarly for "SPF" records, but the default for joining multiple
items in one SPF record is the empty string, for direct concatenation.

(c) If the next sequence of characters is 'defer_FOO' followed by a comma,
the defer behaviour is set to FOO. The possible behaviours are: 'strict', where
any defer causes the whole lookup to defer; 'lax', where a defer causes the
whole lookup to defer only if none of the DNS queries succeeds; and 'never',
where all defers are as if the lookup failed. The default is 'lax'.

(d) Another optional comma-sep field: 'dnssec_FOO', with 'strict', 'lax'
and 'never' (default); can appear before or after (c).  The meanings are
require, try and don't-try dnssec respectively.

(e) If the next sequence of characters is a sequence of letters and digits
followed by '=', it is interpreted as the name of the DNS record type. The
default is "TXT".

(f) Then there follows list of domain names. This is a generalized Exim list,
which may start with '<' in order to set a specific separator. The default
separator, as always, is colon. */

static int
dnsdb_find(void *handle, uschar *filename, uschar *keystring, int length,
  uschar **result, uschar **errmsg, BOOL *do_cache)
{
int rc;
int size = 256;
int ptr = 0;
int sep = 0;
int defer_mode = PASS;
int dnssec_mode = OK;
int type;
int failrc = FAIL;
uschar *outsep = US"\n";
uschar *outsep2 = NULL;
uschar *equals, *domain, *found;
uschar buffer[256];

/* Because we're the working in the search pool, we try to reclaim as much
store as possible later, so we preallocate the result here */

uschar *yield = store_get(size);

dns_record *rr;
dns_answer dnsa;
dns_scan dnss;

handle = handle;           /* Keep picky compilers happy */
filename = filename;
length = length;
do_cache = do_cache;

/* If the string starts with '>' we change the output separator.
If it's followed by ';' or ',' we set the TXT output separator. */

while (isspace(*keystring)) keystring++;
if (*keystring == '>')
  {
  outsep = keystring + 1;
  keystring += 2;
  if (*keystring == ',')
    {
    outsep2 = keystring + 1;
    keystring += 2;
    }
  else if (*keystring == ';')
    {
    outsep2 = US"";
    keystring++;
    }
  while (isspace(*keystring)) keystring++;
  }

/* Check for a modifier keyword. */

while (  strncmpic(keystring, US"defer_", 6) == 0
      || strncmpic(keystring, US"dnssec_", 7) == 0
      )
  {
  if (strncmpic(keystring, US"defer_", 6) == 0)
    {
    keystring += 6;
    if (strncmpic(keystring, US"strict", 6) == 0)
      {
      defer_mode = DEFER;
      keystring += 6;
      }
    else if (strncmpic(keystring, US"lax", 3) == 0)
      {
      defer_mode = PASS;
      keystring += 3;
      }
    else if (strncmpic(keystring, US"never", 5) == 0)
      {
      defer_mode = OK;
      keystring += 5;
      }
    else
      {
      *errmsg = US"unsupported dnsdb defer behaviour";
      return DEFER;
      }
    }
  else
    {
    keystring += 7;
    if (strncmpic(keystring, US"strict", 6) == 0)
      {
      dnssec_mode = DEFER;
      keystring += 6;
      }
    else if (strncmpic(keystring, US"lax", 3) == 0)
      {
      dnssec_mode = PASS;
      keystring += 3;
      }
    else if (strncmpic(keystring, US"never", 5) == 0)
      {
      dnssec_mode = OK;
      keystring += 5;
      }
    else
      {
      *errmsg = US"unsupported dnsdb dnssec behaviour";
      return DEFER;
      }
    }
  while (isspace(*keystring)) keystring++;
  if (*keystring++ != ',')
    {
    *errmsg = US"dnsdb modifier syntax error";
    return DEFER;
    }
  while (isspace(*keystring)) keystring++;
  }

/* Figure out the "type" value if it is not T_TXT.
If the keystring contains an = this must be preceded by a valid type name. */

type = T_TXT;
if ((equals = Ustrchr(keystring, '=')) != NULL)
  {
  int i, len;
  uschar *tend = equals;

  while (tend > keystring && isspace(tend[-1])) tend--;
  len = tend - keystring;

  for (i = 0; i < sizeof(type_names)/sizeof(uschar *); i++)
    {
    if (len == Ustrlen(type_names[i]) &&
        strncmpic(keystring, US type_names[i], len) == 0)
      {
      type = type_values[i];
      break;
      }
    }

  if (i >= sizeof(type_names)/sizeof(uschar *))
    {
    *errmsg = US"unsupported DNS record type";
    return DEFER;
    }

  keystring = equals + 1;
  while (isspace(*keystring)) keystring++;
  }

/* Initialize the resolver in case this is the first time it has been used. */

dns_init(FALSE, FALSE, dnssec_mode != OK);

/* The remainder of the string must be a list of domains. As long as the lookup
for at least one of them succeeds, we return success. Failure means that none
of them were found.

The original implementation did not support a list of domains. Adding the list
feature is compatible, except in one case: when PTR records are being looked up
for a single IPv6 address. Fortunately, we can hack in a compatibility feature
here: If the type is PTR and no list separator is specified, and the entire
remaining string is valid as an IP address, set an impossible separator so that
it is treated as one item. */

if (type == T_PTR && keystring[0] != '<' &&
    string_is_ip_address(keystring, NULL) != 0)
  sep = -1;

/* SPF strings should be concatenated without a separator, thus make
it the default if not defined (see RFC 4408 section 3.1.3).
Multiple SPF records are forbidden (section 3.1.2) but are currently
not handled specially, thus they are concatenated with \n by default. */

if (type == T_SPF && outsep2 == NULL)
  outsep2 = US"";

/* Now scan the list and do a lookup for each item */

while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer)))
        != NULL)
  {
  uschar rbuffer[256];
  int searchtype = (type == T_CSA)? T_SRV :         /* record type we want */
                   (type == T_MXH)? T_MX :
                   (type == T_ZNS)? T_NS : type;

  /* If the type is PTR or CSA, we have to construct the relevant magic lookup
  key if the original is an IP address (some experimental protocols are using
  PTR records for different purposes where the key string is a host name, and
  Exim's extended CSA can be keyed by domains or IP addresses). This code for
  doing the reversal is now in a separate function. */

  if ((type == T_PTR || type == T_CSA) &&
      string_is_ip_address(domain, NULL) != 0)
    {
    dns_build_reverse(domain, rbuffer);
    domain = rbuffer;
    }

  do
    {
    DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);

    /* Do the lookup and sort out the result. There are four special types that
    are handled specially: T_CSA, T_ZNS, T_APL and T_MXH.
    The first two are handled in a special lookup function so that the facility
    could be used from other parts of the Exim code. T_APL is handled by looping
    over the types of A lookup.  T_MXH affects only what happens later on in
    this function, but for tidiness it is handled by the "special". If the
    lookup fails, continue with the next domain. In the case of DEFER, adjust
    the final "nothing found" result, but carry on to the next domain. */

    found = domain;
#if HAVE_IPV6
    if (type == T_APL)		/* NB cannot happen unless HAVE_IPV6 */
      {
      if (searchtype == T_APL)
# if defined(SUPPORT_A6)
                                     searchtype = T_A6;
# else
                                     searchtype = T_AAAA;
# endif
      else if (searchtype == T_A6)   searchtype = T_AAAA;
      else if (searchtype == T_AAAA) searchtype = T_A;
      rc = dns_special_lookup(&dnsa, domain, searchtype, &found);
      }
    else
#endif
      rc = dns_special_lookup(&dnsa, domain, type, &found);

    lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
      : dns_is_secure(&dnsa) ? US"yes" : US"no";

    if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
    if (  rc != DNS_SUCCEED
       || dnssec_mode == DEFER && !dns_is_secure(&dnsa)
       )
      {
      if (defer_mode == DEFER)
	{
	dns_init(FALSE, FALSE, FALSE);			/* clr dnssec bit */
	return DEFER;					/* always defer */
	}
      if (defer_mode == PASS) failrc = DEFER;         /* defer only if all do */
      continue;                                       /* treat defer as fail */
      }


    /* Search the returned records */

    for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
         rr != NULL;
         rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
      {
      if (rr->type != searchtype) continue;

      /* There may be several addresses from an A6 record. Put the configured
      separator between them, just as for between several records. However, A6
      support is not normally configured these days. */

      if (type == T_A ||
          #ifdef SUPPORT_A6
          type == T_A6 ||
          #endif
          type == T_AAAA ||
	  type == T_APL)
        {
        dns_address *da;
        for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
          {
          if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
          yield = string_cat(yield, &size, &ptr, da->address,
            Ustrlen(da->address));
          }
        continue;
        }

      /* Other kinds of record just have one piece of data each, but there may be
      several of them, of course. */

      if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);

      if (type == T_TXT || type == T_SPF)
        {
        if (outsep2 == NULL)
          {
          /* output only the first item of data */
          yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
            (rr->data)[0]);
          }
        else
          {
          /* output all items */
          int data_offset = 0;
          while (data_offset < rr->size)
            {
            uschar chunk_len = (rr->data)[data_offset++];
            if (outsep2[0] != '\0' && data_offset != 1)
              yield = string_cat(yield, &size, &ptr, outsep2, 1);
            yield = string_cat(yield, &size, &ptr,
                             (uschar *)((rr->data)+data_offset), chunk_len);
            data_offset += chunk_len;
            }
          }
        }
      else if (type == T_TLSA)
        {
        uint8_t usage, selector, matching_type;
        uint16_t i, payload_length;
        uschar s[MAX_TLSA_EXPANDED_SIZE];
	uschar * sp = s;
        uschar *p = (uschar *)(rr->data);

        usage = *p++;
        selector = *p++;
        matching_type = *p++;
        /* What's left after removing the first 3 bytes above */
        payload_length = rr->size - 3;
        sp += sprintf(CS s, "%d %d %d ", usage, selector, matching_type);
        /* Now append the cert/identifier, one hex char at a time */
        for (i=0;
             i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
             i++)
          {
          sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
          }
        yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
        }
      else   /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
        {
        int priority, weight, port;
        uschar s[264];
        uschar *p = (uschar *)(rr->data);

        if (type == T_MXH)
          {
          /* mxh ignores the priority number and includes only the hostnames */
          GETSHORT(priority, p);
          }
        else if (type == T_MX)
          {
          GETSHORT(priority, p);
          sprintf(CS s, "%d ", priority);
          yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
          }
        else if (type == T_SRV)
          {
          GETSHORT(priority, p);
          GETSHORT(weight, p);
          GETSHORT(port, p);
          sprintf(CS s, "%d %d %d ", priority, weight, port);
          yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
          }
        else if (type == T_CSA)
          {
          /* See acl_verify_csa() for more comments about CSA. */

          GETSHORT(priority, p);
          GETSHORT(weight, p);
          GETSHORT(port, p);

          if (priority != 1) continue;      /* CSA version must be 1 */

          /* If the CSA record we found is not the one we asked for, analyse
          the subdomain assertions in the port field, else analyse the direct
          authorization status in the weight field. */

          if (found != domain)
            {
            if (port & 1) *s = 'X';         /* explicit authorization required */
            else *s = '?';                  /* no subdomain assertions here */
            }
          else
            {
            if (weight < 2) *s = 'N';       /* not authorized */
            else if (weight == 2) *s = 'Y'; /* authorized */
            else if (weight == 3) *s = '?'; /* unauthorizable */
            else continue;                  /* invalid */
            }

          s[1] = ' ';
          yield = string_cat(yield, &size, &ptr, s, 2);
          }

        /* GETSHORT() has advanced the pointer to the target domain. */

        rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
          (DN_EXPAND_ARG4_TYPE)(s), sizeof(s));

        /* If an overlong response was received, the data will have been
        truncated and dn_expand may fail. */

        if (rc < 0)
          {
          log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
            "domain=%s", dns_text_type(type), domain);
          break;
          }
        else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
        }
      }    /* Loop for list of returned records */

           /* Loop for set of A-lookupu types */
    } while (type == T_APL && searchtype != T_A);

  }        /* Loop for list of domains */

/* Reclaim unused memory */

store_reset(yield + ptr + 1);

/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
zero and return the result. */

dns_init(FALSE, FALSE, FALSE);	/* clear the dnssec bit for getaddrbyname */

if (ptr == 0) return failrc;
yield[ptr] = 0;
*result = yield;
return OK;
}


/*************************************************
*         Version reporting entry point          *
*************************************************/

/* See local README for interface description. */

#include "../version.h"

void
dnsdb_version_report(FILE *f)
{
#ifdef DYNLOOKUP
fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
#endif
}


static lookup_info _lookup_info = {
  US"dnsdb",                     /* lookup name */
  lookup_querystyle,             /* query style */
  dnsdb_open,                    /* open function */
  NULL,                          /* check function */
  dnsdb_find,                    /* find function */
  NULL,                          /* no close function */
  NULL,                          /* no tidy function */
  NULL,                          /* no quoting function */
  dnsdb_version_report           /* version reporting */
};

#ifdef DYNLOOKUP
#define dnsdb_lookup_module_info _lookup_module_info
#endif

static lookup_info *_lookup_list[] = { &_lookup_info };
lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };

/* vi: aw ai sw=2
*/
/* End of lookups/dnsdb.c */
Commit	Line	Data
0756eb3c PH	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
5a66c31b	5	/* Copyright (c) University of Cambridge 1995 - 2014 */
0756eb3c PH	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	#include "../exim.h"
	9	#include "lf_functions.h"
0756eb3c PH	10
	11
	12
	13	/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
	14	header files. */
	15
	16	#ifndef T_TXT
	17	#define T_TXT 16
	18	#endif
	19
eae0036b PP	20	/* Many systems do not have T_SPF. */
	21	#ifndef T_SPF
	22	#define T_SPF 99
	23	#endif
	24
1e06383a TL	25	/* New TLSA record for DANE */
	26	#ifndef T_TLSA
	27	#define T_TLSA 52
	28	#endif
	29
0756eb3c PH	30	/* Table of recognized DNS record types and their integer values. */
0756eb3c PH	31
1ba28e2b	32	static const char *type_names[] = {
0756eb3c PH	33	"a",
0756eb3c PH	34	#if HAVE_IPV6
3a796370	35	"a+",
0756eb3c PH	36	"aaaa",
	37	#ifdef SUPPORT_A6
	38	"a6",
	39	#endif
	40	#endif
	41	"cname",
e5a9dba6	42	"csa",
0756eb3c	43	"mx",
ea3bc19b	44	"mxh",
0756eb3c PH	45	"ns",
0756eb3c PH	46	"ptr",
eae0036b	47	"spf",
0756eb3c	48	"srv",
1e06383a	49	"tlsa",
33397d19	50	"txt",
8e669ac1	51	"zns"
33397d19	52	};
0756eb3c PH	53
	54	static int type_values[] = {
	55	T_A,
	56	#if HAVE_IPV6
3a796370	57	T_APL, /* Private type for AAAA + A */
0756eb3c PH	58	T_AAAA,
	59	#ifdef SUPPORT_A6
	60	T_A6,
	61	#endif
	62	#endif
	63	T_CNAME,
e5a9dba6	64	T_CSA, /* Private type for "Client SMTP Authorization". */
0756eb3c	65	T_MX,
ea3bc19b	66	T_MXH, /* Private type for "MX hostnames" */
0756eb3c PH	67	T_NS,
0756eb3c PH	68	T_PTR,
eae0036b	69	T_SPF,
0756eb3c	70	T_SRV,
1e06383a	71	T_TLSA,
33397d19 PH	72	T_TXT,
	73	T_ZNS /* Private type for "zone nameservers" */
	74	};
0756eb3c PH	75
	76
	77	/*************************************************
	78	* Open entry point *
	79	*************************************************/
	80
	81	/* See local README for interface description. */
	82
e6d225ae	83	static void *
0756eb3c PH	84	dnsdb_open(uschar filename, uschar *errmsg)
	85	{
	86	filename = filename; /* Keep picky compilers happy */
	87	errmsg = errmsg; /* Ditto */
	88	return (void )(-1); / Any non-0 value */
	89	}
	90
	91
	92
	93	/*************************************************
	94	* Find entry point for dnsdb *
	95	*************************************************/
	96
7bb56e1f PH	97	/* See local README for interface description. The query in the "keystring" may
	98	consist of a number of parts.
	99
8e669ac1 PH	100	(a) If the first significant character is '>' then the next character is the
8e669ac1 PH	101	separator character that is used when multiple records are found. The default
7bb56e1f PH	102	separator is newline.
7bb56e1f PH	103
0d0c6357 NM	104	(b) If the next character is ',' then the next character is the separator
	105	character used for multiple items of text in "TXT" records. Alternatively,
	106	if the next character is ';' then these multiple items are concatenated with
	107	no separator. With neither of these options specified, only the first item
8ee4b30e PP	108	is output. Similarly for "SPF" records, but the default for joining multiple
8ee4b30e PP	109	items in one SPF record is the empty string, for direct concatenation.
0d0c6357 NM	110
0d0c6357 NM	111	(c) If the next sequence of characters is 'defer_FOO' followed by a comma,
ff4dbb19 PH	112	the defer behaviour is set to FOO. The possible behaviours are: 'strict', where
	113	any defer causes the whole lookup to defer; 'lax', where a defer causes the
	114	whole lookup to defer only if none of the DNS queries succeeds; and 'never',
	115	where all defers are as if the lookup failed. The default is 'lax'.
	116
fd3b6a4a JH	117	(d) Another optional comma-sep field: 'dnssec_FOO', with 'strict', 'lax'
	118	and 'never' (default); can appear before or after (c). The meanings are
	119	require, try and don't-try dnssec respectively.
	120
	121	(e) If the next sequence of characters is a sequence of letters and digits
8e669ac1	122	followed by '=', it is interpreted as the name of the DNS record type. The
ff4dbb19	123	default is "TXT".
7bb56e1f	124
fd3b6a4a	125	(f) Then there follows list of domain names. This is a generalized Exim list,
8e669ac1	126	which may start with '<' in order to set a specific separator. The default
7bb56e1f	127	separator, as always, is colon. */
0756eb3c	128
e6d225ae	129	static int
0756eb3c PH	130	dnsdb_find(void handle, uschar filename, uschar *keystring, int length,
	131	uschar result, uschar errmsg, BOOL *do_cache)
	132	{
	133	int rc;
	134	int size = 256;
	135	int ptr = 0;
7bb56e1f	136	int sep = 0;
ff4dbb19	137	int defer_mode = PASS;
fd3b6a4a	138	int dnssec_mode = OK;
542bc632	139	int type;
c38d6da9	140	int failrc = FAIL;
7bb56e1f	141	uschar *outsep = US"\n";
0d0c6357	142	uschar *outsep2 = NULL;
e5a9dba6	143	uschar equals, domain, *found;
0756eb3c PH	144	uschar buffer[256];
	145
	146	/* Because we're the working in the search pool, we try to reclaim as much
	147	store as possible later, so we preallocate the result here */
	148
	149	uschar *yield = store_get(size);
	150
	151	dns_record *rr;
	152	dns_answer dnsa;
	153	dns_scan dnss;
	154
	155	handle = handle; /* Keep picky compilers happy */
	156	filename = filename;
	157	length = length;
	158	do_cache = do_cache;
	159
0d0c6357 NM	160	/* If the string starts with '>' we change the output separator.
0d0c6357 NM	161	If it's followed by ';' or ',' we set the TXT output separator. */
0756eb3c	162
7bb56e1f PH	163	while (isspace(*keystring)) keystring++;
7bb56e1f PH	164	if (*keystring == '>')
0756eb3c	165	{
7bb56e1f	166	outsep = keystring + 1;
8e669ac1	167	keystring += 2;
0d0c6357 NM	168	if (*keystring == ',')
	169	{
	170	outsep2 = keystring + 1;
	171	keystring += 2;
	172	}
	173	else if (*keystring == ';')
	174	{
	175	outsep2 = US"";
	176	keystring++;
	177	}
7bb56e1f	178	while (isspace(*keystring)) keystring++;
8e669ac1	179	}
7bb56e1f	180
fd3b6a4a	181	/* Check for a modifier keyword. */
ff4dbb19	182
fd3b6a4a JH	183	while ( strncmpic(keystring, US"defer_", 6) == 0
	184	\|\| strncmpic(keystring, US"dnssec_", 7) == 0
	185	)
ff4dbb19	186	{
fd3b6a4a	187	if (strncmpic(keystring, US"defer_", 6) == 0)
ff4dbb19	188	{
ff4dbb19	189	keystring += 6;
fd3b6a4a JH	190	if (strncmpic(keystring, US"strict", 6) == 0)
	191	{
	192	defer_mode = DEFER;
	193	keystring += 6;
	194	}
	195	else if (strncmpic(keystring, US"lax", 3) == 0)
	196	{
	197	defer_mode = PASS;
	198	keystring += 3;
	199	}
	200	else if (strncmpic(keystring, US"never", 5) == 0)
	201	{
	202	defer_mode = OK;
	203	keystring += 5;
	204	}
	205	else
	206	{
	207	*errmsg = US"unsupported dnsdb defer behaviour";
	208	return DEFER;
	209	}
ff4dbb19 PH	210	}
	211	else
	212	{
fd3b6a4a JH	213	keystring += 7;
	214	if (strncmpic(keystring, US"strict", 6) == 0)
	215	{
	216	dnssec_mode = DEFER;
	217	keystring += 6;
	218	}
	219	else if (strncmpic(keystring, US"lax", 3) == 0)
	220	{
	221	dnssec_mode = PASS;
	222	keystring += 3;
	223	}
	224	else if (strncmpic(keystring, US"never", 5) == 0)
	225	{
	226	dnssec_mode = OK;
	227	keystring += 5;
	228	}
	229	else
	230	{
	231	*errmsg = US"unsupported dnsdb dnssec behaviour";
	232	return DEFER;
	233	}
ff4dbb19 PH	234	}
	235	while (isspace(*keystring)) keystring++;
	236	if (*keystring++ != ',')
	237	{
fd3b6a4a	238	*errmsg = US"dnsdb modifier syntax error";
ff4dbb19 PH	239	return DEFER;
	240	}
	241	while (isspace(*keystring)) keystring++;
	242	}
	243
542bc632 PP	244	/* Figure out the "type" value if it is not T_TXT.
542bc632 PP	245	If the keystring contains an = this must be preceded by a valid type name. */
7bb56e1f	246
542bc632	247	type = T_TXT;
7bb56e1f PH	248	if ((equals = Ustrchr(keystring, '=')) != NULL)
	249	{
	250	int i, len;
	251	uschar *tend = equals;
8e669ac1 PH	252
	253	while (tend > keystring && isspace(tend[-1])) tend--;
	254	len = tend - keystring;
	255
0756eb3c PH	256	for (i = 0; i < sizeof(type_names)/sizeof(uschar *); i++)
	257	{
	258	if (len == Ustrlen(type_names[i]) &&
	259	strncmpic(keystring, US type_names[i], len) == 0)
	260	{
	261	type = type_values[i];
	262	break;
	263	}
	264	}
8e669ac1	265
0756eb3c PH	266	if (i >= sizeof(type_names)/sizeof(uschar *))
	267	{
	268	*errmsg = US"unsupported DNS record type";
	269	return DEFER;
	270	}
8e669ac1	271
7bb56e1f PH	272	keystring = equals + 1;
7bb56e1f PH	273	while (isspace(*keystring)) keystring++;
0756eb3c	274	}
8e669ac1	275
7bb56e1f	276	/* Initialize the resolver in case this is the first time it has been used. */
0756eb3c	277
fd3b6a4a	278	dns_init(FALSE, FALSE, dnssec_mode != OK);
0756eb3c	279
8e669ac1 PH	280	/* The remainder of the string must be a list of domains. As long as the lookup
	281	for at least one of them succeeds, we return success. Failure means that none
	282	of them were found.
0756eb3c	283
8e669ac1 PH	284	The original implementation did not support a list of domains. Adding the list
	285	feature is compatible, except in one case: when PTR records are being looked up
	286	for a single IPv6 address. Fortunately, we can hack in a compatibility feature
	287	here: If the type is PTR and no list separator is specified, and the entire
	288	remaining string is valid as an IP address, set an impossible separator so that
7bb56e1f	289	it is treated as one item. */
33397d19	290
7bb56e1f	291	if (type == T_PTR && keystring[0] != '<' &&
7e66e54d	292	string_is_ip_address(keystring, NULL) != 0)
7bb56e1f	293	sep = -1;
0756eb3c	294
542bc632 PP	295	/* SPF strings should be concatenated without a separator, thus make
	296	it the default if not defined (see RFC 4408 section 3.1.3).
	297	Multiple SPF records are forbidden (section 3.1.2) but are currently
	298	not handled specially, thus they are concatenated with \n by default. */
	299
	300	if (type == T_SPF && outsep2 == NULL)
	301	outsep2 = US"";
	302
7bb56e1f	303	/* Now scan the list and do a lookup for each item */
0756eb3c	304
8e669ac1	305	while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer)))
7bb56e1f	306	!= NULL)
8e669ac1	307	{
7bb56e1f	308	uschar rbuffer[256];
e5a9dba6 PH	309	int searchtype = (type == T_CSA)? T_SRV : /* record type we want */
	310	(type == T_MXH)? T_MX :
	311	(type == T_ZNS)? T_NS : type;
	312
	313	/* If the type is PTR or CSA, we have to construct the relevant magic lookup
	314	key if the original is an IP address (some experimental protocols are using
	315	PTR records for different purposes where the key string is a host name, and
	316	Exim's extended CSA can be keyed by domains or IP addresses). This code for
	317	doing the reversal is now in a separate function. */
	318
	319	if ((type == T_PTR \|\| type == T_CSA) &&
7e66e54d	320	string_is_ip_address(domain, NULL) != 0)
0756eb3c	321	{
7bb56e1f PH	322	dns_build_reverse(domain, rbuffer);
7bb56e1f PH	323	domain = rbuffer;
0756eb3c	324	}
8e669ac1	325
3a796370	326	do
c38d6da9	327	{
3a796370 JH	328	DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);
	329
	330	/* Do the lookup and sort out the result. There are four special types that
	331	are handled specially: T_CSA, T_ZNS, T_APL and T_MXH.
	332	The first two are handled in a special lookup function so that the facility
	333	could be used from other parts of the Exim code. T_APL is handled by looping
	334	over the types of A lookup. T_MXH affects only what happens later on in
	335	this function, but for tidiness it is handled by the "special". If the
	336	lookup fails, continue with the next domain. In the case of DEFER, adjust
	337	the final "nothing found" result, but carry on to the next domain. */
	338
	339	found = domain;
6abc190a	340	#if HAVE_IPV6
3a796370 JH	341	if (type == T_APL) /* NB cannot happen unless HAVE_IPV6 */
3a796370 JH	342	{
6abc190a JH	343	if (searchtype == T_APL)
	344	# if defined(SUPPORT_A6)
	345	searchtype = T_A6;
	346	# else
	347	searchtype = T_AAAA;
	348	# endif
3a796370 JH	349	else if (searchtype == T_A6) searchtype = T_AAAA;
	350	else if (searchtype == T_AAAA) searchtype = T_A;
	351	rc = dns_special_lookup(&dnsa, domain, searchtype, &found);
	352	}
	353	else
6abc190a	354	#endif
3a796370	355	rc = dns_special_lookup(&dnsa, domain, type, &found);
ea3bc19b	356
4e0983dc JH	357	lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
	358	: dns_is_secure(&dnsa) ? US"yes" : US"no";
	359
3a796370	360	if (rc == DNS_NOMATCH \|\| rc == DNS_NODATA) continue;
91f40ccd JH	361	if ( rc != DNS_SUCCEED
	362	\|\| dnssec_mode == DEFER && !dns_is_secure(&dnsa)
	363	)
3a796370	364	{
fd3b6a4a JH	365	if (defer_mode == DEFER)
fd3b6a4a JH	366	{
9d9c3746	367	dns_init(FALSE, FALSE, FALSE); /* clr dnssec bit */
fd3b6a4a JH	368	return DEFER; /* always defer */
fd3b6a4a JH	369	}
3a796370 JH	370	if (defer_mode == PASS) failrc = DEFER; /* defer only if all do */
	371	continue; /* treat defer as fail */
	372	}
fd3b6a4a	373
8e669ac1	374
3a796370	375	/* Search the returned records */
8e669ac1	376
3a796370 JH	377	for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
	378	rr != NULL;
	379	rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
0756eb3c	380	{
3a796370 JH	381	if (rr->type != searchtype) continue;
	382
	383	/* There may be several addresses from an A6 record. Put the configured
	384	separator between them, just as for between several records. However, A6
	385	support is not normally configured these days. */
	386
	387	if (type == T_A \|\|
	388	#ifdef SUPPORT_A6
	389	type == T_A6 \|\|
	390	#endif
	391	type == T_AAAA \|\|
	392	type == T_APL)
7bb56e1f	393	{
3a796370 JH	394	dns_address *da;
	395	for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
	396	{
	397	if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
	398	yield = string_cat(yield, &size, &ptr, da->address,
	399	Ustrlen(da->address));
	400	}
	401	continue;
7bb56e1f	402	}
8e669ac1	403
3a796370 JH	404	/* Other kinds of record just have one piece of data each, but there may be
3a796370 JH	405	several of them, of course. */
8e669ac1	406
3a796370	407	if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
8e669ac1	408
3a796370	409	if (type == T_TXT \|\| type == T_SPF)
80a47a2c	410	{
3a796370	411	if (outsep2 == NULL)
0d0c6357	412	{
3a796370 JH	413	/* output only the first item of data */
	414	yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
	415	(rr->data)[0]);
	416	}
	417	else
	418	{
	419	/* output all items */
	420	int data_offset = 0;
	421	while (data_offset < rr->size)
	422	{
	423	uschar chunk_len = (rr->data)[data_offset++];
	424	if (outsep2[0] != '\0' && data_offset != 1)
	425	yield = string_cat(yield, &size, &ptr, outsep2, 1);
	426	yield = string_cat(yield, &size, &ptr,
0d0c6357	427	(uschar *)((rr->data)+data_offset), chunk_len);
3a796370 JH	428	data_offset += chunk_len;
3a796370 JH	429	}
0d0c6357	430	}
80a47a2c	431	}
1e06383a TL	432	else if (type == T_TLSA)
	433	{
	434	uint8_t usage, selector, matching_type;
	435	uint16_t i, payload_length;
	436	uschar s[MAX_TLSA_EXPANDED_SIZE];
	437	uschar * sp = s;
	438	uschar p = (uschar )(rr->data);
	439
	440	usage = *p++;
	441	selector = *p++;
	442	matching_type = *p++;
	443	/* What's left after removing the first 3 bytes above */
	444	payload_length = rr->size - 3;
	445	sp += sprintf(CS s, "%d %d %d ", usage, selector, matching_type);
	446	/* Now append the cert/identifier, one hex char at a time */
	447	for (i=0;
	448	i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
	449	i++)
	450	{
	451	sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
	452	}
	453	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	454	}
3a796370	455	else /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
e5a9dba6	456	{
3a796370 JH	457	int priority, weight, port;
	458	uschar s[264];
	459	uschar p = (uschar )(rr->data);
e5a9dba6	460
3a796370	461	if (type == T_MXH)
e5a9dba6	462	{
3a796370 JH	463	/* mxh ignores the priority number and includes only the hostnames */
3a796370 JH	464	GETSHORT(priority, p);
e5a9dba6	465	}
3a796370	466	else if (type == T_MX)
e5a9dba6	467	{
3a796370 JH	468	GETSHORT(priority, p);
	469	sprintf(CS s, "%d ", priority);
	470	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	471	}
	472	else if (type == T_SRV)
	473	{
	474	GETSHORT(priority, p);
	475	GETSHORT(weight, p);
	476	GETSHORT(port, p);
	477	sprintf(CS s, "%d %d %d ", priority, weight, port);
	478	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	479	}
	480	else if (type == T_CSA)
	481	{
	482	/* See acl_verify_csa() for more comments about CSA. */
	483
	484	GETSHORT(priority, p);
	485	GETSHORT(weight, p);
	486	GETSHORT(port, p);
	487
	488	if (priority != 1) continue; /* CSA version must be 1 */
	489
	490	/* If the CSA record we found is not the one we asked for, analyse
	491	the subdomain assertions in the port field, else analyse the direct
	492	authorization status in the weight field. */
	493
	494	if (found != domain)
	495	{
	496	if (port & 1) s = 'X'; / explicit authorization required */
	497	else s = '?'; / no subdomain assertions here */
	498	}
	499	else
	500	{
	501	if (weight < 2) s = 'N'; / not authorized */
	502	else if (weight == 2) s = 'Y'; / authorized */
	503	else if (weight == 3) s = '?'; / unauthorizable */
	504	else continue; /* invalid */
	505	}
	506
	507	s[1] = ' ';
	508	yield = string_cat(yield, &size, &ptr, s, 2);
e5a9dba6 PH	509	}
e5a9dba6 PH	510
3a796370	511	/* GETSHORT() has advanced the pointer to the target domain. */
8e669ac1	512
3a796370 JH	513	rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
3a796370 JH	514	(DN_EXPAND_ARG4_TYPE)(s), sizeof(s));
8e669ac1	515
3a796370 JH	516	/* If an overlong response was received, the data will have been
3a796370 JH	517	truncated and dn_expand may fail. */
8e669ac1	518
3a796370 JH	519	if (rc < 0)
	520	{
	521	log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
	522	"domain=%s", dns_text_type(type), domain);
	523	break;
	524	}
	525	else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
7bb56e1f	526	}
3a796370 JH	527	} /* Loop for list of returned records */
	528
	529	/* Loop for set of A-lookupu types */
	530	} while (type == T_APL && searchtype != T_A);
	531
	532	} /* Loop for list of domains */
7bb56e1f PH	533
7bb56e1f PH	534	/* Reclaim unused memory */
0756eb3c	535
7bb56e1f PH	536	store_reset(yield + ptr + 1);
7bb56e1f PH	537
8e669ac1	538	/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
7bb56e1f PH	539	zero and return the result. */
7bb56e1f PH	540
fd3b6a4a JH	541	dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */
fd3b6a4a JH	542
c38d6da9	543	if (ptr == 0) return failrc;
0756eb3c	544	yield[ptr] = 0;
0756eb3c	545	*result = yield;
0756eb3c PH	546	return OK;
	547	}
	548
6545de78 PP	549
	550
	551	/*************************************************
	552	* Version reporting entry point *
	553	*************************************************/
	554
	555	/* See local README for interface description. */
	556
	557	#include "../version.h"
	558
	559	void
	560	dnsdb_version_report(FILE *f)
	561	{
	562	#ifdef DYNLOOKUP
	563	fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
	564	#endif
	565	}
	566
	567
e6d225ae DW	568	static lookup_info _lookup_info = {
	569	US"dnsdb", /* lookup name */
	570	lookup_querystyle, /* query style */
	571	dnsdb_open, /* open function */
	572	NULL, /* check function */
	573	dnsdb_find, /* find function */
	574	NULL, /* no close function */
	575	NULL, /* no tidy function */
6545de78 PP	576	NULL, /* no quoting function */
6545de78 PP	577	dnsdb_version_report /* version reporting */
e6d225ae DW	578	};
	579
	580	#ifdef DYNLOOKUP
	581	#define dnsdb_lookup_module_info _lookup_module_info
	582	#endif
	583
	584	static lookup_info *_lookup_list[] = { &_lookup_info };
	585	lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
	586
fd3b6a4a JH	587	/* vi: aw ai sw=2
fd3b6a4a JH	588	*/
0756eb3c	589	/* End of lookups/dnsdb.c */