projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix default-port TLSA lookup done by callout. Bug 1602
[exim.git] / src / src / verify.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2014 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Functions concerned with verifying things. The original code for callout
9 caching was contributed by Kevin Fleming (but I hacked it around a bit). */
10
11
12 #include "exim.h"
13 #include "transports/smtp.h"
14
15 #define CUTTHROUGH_CMD_TIMEOUT 30 /* timeout for cutthrough-routing calls */
16 #define CUTTHROUGH_DATA_TIMEOUT 60 /* timeout for cutthrough-routing calls */
17 static smtp_outblock ctblock;
18 uschar ctbuffer[8192];
19
20
21 /* Structure for caching DNSBL lookups */
22
23 typedef struct dnsbl_cache_block {
24 dns_address *rhs;
25 uschar *text;
26 int rc;
27 BOOL text_set;
28 } dnsbl_cache_block;
29
30
31 /* Anchor for DNSBL cache */
32
33 static tree_node *dnsbl_cache = NULL;
34
35
36 /* Bits for match_type in one_check_dnsbl() */
37
38 #define MT_NOT 1
39 #define MT_ALL 2
40
41 static uschar cutthrough_response(char, uschar **);
42
43
44 /*************************************************
45 * Retrieve a callout cache record *
46 *************************************************/
47
48 /* If a record exists, check whether it has expired.
49
50 Arguments:
51 dbm_file an open hints file
52 key the record key
53 type "address" or "domain"
54 positive_expire expire time for positive records
55 negative_expire expire time for negative records
56
57 Returns: the cache record if a non-expired one exists, else NULL
58 */
59
60 static dbdata_callout_cache *
61 get_callout_cache_record(open_db *dbm_file, const uschar *key, uschar *type,
62 int positive_expire, int negative_expire)
63 {
64 BOOL negative;
65 int length, expire;
66 time_t now;
67 dbdata_callout_cache *cache_record;
68
69 cache_record = dbfn_read_with_length(dbm_file, key, &length);
70
71 if (cache_record == NULL)
72 {
73 HDEBUG(D_verify) debug_printf("callout cache: no %s record found\n", type);
74 return NULL;
75 }
76
77 /* We treat a record as "negative" if its result field is not positive, or if
78 it is a domain record and the postmaster field is negative. */
79
80 negative = cache_record->result != ccache_accept ||
81 (type[0] == 'd' && cache_record->postmaster_result == ccache_reject);
82 expire = negative? negative_expire : positive_expire;
83 now = time(NULL);
84
85 if (now - cache_record->time_stamp > expire)
86 {
87 HDEBUG(D_verify) debug_printf("callout cache: %s record expired\n", type);
88 return NULL;
89 }
90
91 /* If this is a non-reject domain record, check for the obsolete format version
92 that doesn't have the postmaster and random timestamps, by looking at the
93 length. If so, copy it to a new-style block, replicating the record's
94 timestamp. Then check the additional timestamps. (There's no point wasting
95 effort if connections are rejected.) */
96
97 if (type[0] == 'd' && cache_record->result != ccache_reject)
98 {
99 if (length == sizeof(dbdata_callout_cache_obs))
100 {
101 dbdata_callout_cache *new = store_get(sizeof(dbdata_callout_cache));
102 memcpy(new, cache_record, length);
103 new->postmaster_stamp = new->random_stamp = new->time_stamp;
104 cache_record = new;
105 }
106
107 if (now - cache_record->postmaster_stamp > expire)
108 cache_record->postmaster_result = ccache_unknown;
109
110 if (now - cache_record->random_stamp > expire)
111 cache_record->random_result = ccache_unknown;
112 }
113
114 HDEBUG(D_verify) debug_printf("callout cache: found %s record\n", type);
115 return cache_record;
116 }
117
118
119
120 /*************************************************
121 * Do callout verification for an address *
122 *************************************************/
123
124 /* This function is called from verify_address() when the address has routed to
125 a host list, and a callout has been requested. Callouts are expensive; that is
126 why a cache is used to improve the efficiency.
127
128 Arguments:
129 addr the address that's been routed
130 host_list the list of hosts to try
131 tf the transport feedback block
132
133 ifstring "interface" option from transport, or NULL
134 portstring "port" option from transport, or NULL
135 protocolstring "protocol" option from transport, or NULL
136 callout the per-command callout timeout
137 callout_overall the overall callout timeout (if < 0 use 4*callout)
138 callout_connect the callout connection timeout (if < 0 use callout)
139 options the verification options - these bits are used:
140 vopt_is_recipient => this is a recipient address
141 vopt_callout_no_cache => don't use callout cache
142 vopt_callout_fullpm => if postmaster check, do full one
143 vopt_callout_random => do the "random" thing
144 vopt_callout_recipsender => use real sender for recipient
145 vopt_callout_recippmaster => use postmaster for recipient
146 se_mailfrom MAIL FROM address for sender verify; NULL => ""
147 pm_mailfrom if non-NULL, do the postmaster check with this sender
148
149 Returns: OK/FAIL/DEFER
150 */
151
152 static int
153 do_callout(address_item *addr, host_item *host_list, transport_feedback *tf,
154 int callout, int callout_overall, int callout_connect, int options,
155 uschar *se_mailfrom, uschar *pm_mailfrom)
156 {
157 BOOL is_recipient = (options & vopt_is_recipient) != 0;
158 BOOL callout_no_cache = (options & vopt_callout_no_cache) != 0;
159 BOOL callout_random = (options & vopt_callout_random) != 0;
160
161 int yield = OK;
162 int old_domain_cache_result = ccache_accept;
163 BOOL done = FALSE;
164 uschar *address_key;
165 uschar *from_address;
166 uschar *random_local_part = NULL;
167 const uschar *save_deliver_domain = deliver_domain;
168 uschar **failure_ptr = is_recipient?
169 &recipient_verify_failure : &sender_verify_failure;
170 open_db dbblock;
171 open_db *dbm_file = NULL;
172 dbdata_callout_cache new_domain_record;
173 dbdata_callout_cache_address new_address_record;
174 host_item *host;
175 time_t callout_start_time;
176
177 new_domain_record.result = ccache_unknown;
178 new_domain_record.postmaster_result = ccache_unknown;
179 new_domain_record.random_result = ccache_unknown;
180
181 memset(&new_address_record, 0, sizeof(new_address_record));
182
183 /* For a recipient callout, the key used for the address cache record must
184 include the sender address if we are using the real sender in the callout,
185 because that may influence the result of the callout. */
186
187 address_key = addr->address;
188 from_address = US"";
189
190 if (is_recipient)
191 {
192 if (options & vopt_callout_recipsender)
193 {
194 address_key = string_sprintf("%s/<%s>", addr->address, sender_address);
195 from_address = sender_address;
196 }
197 else if (options & vopt_callout_recippmaster)
198 {
199 address_key = string_sprintf("%s/<postmaster@%s>", addr->address,
200 qualify_domain_sender);
201 from_address = string_sprintf("postmaster@%s", qualify_domain_sender);
202 }
203 }
204
205 /* For a sender callout, we must adjust the key if the mailfrom address is not
206 empty. */
207
208 else
209 {
210 from_address = (se_mailfrom == NULL)? US"" : se_mailfrom;
211 if (from_address[0] != 0)
212 address_key = string_sprintf("%s/<%s>", addr->address, from_address);
213 }
214
215 /* Open the callout cache database, it it exists, for reading only at this
216 stage, unless caching has been disabled. */
217
218 if (callout_no_cache)
219 {
220 HDEBUG(D_verify) debug_printf("callout cache: disabled by no_cache\n");
221 }
222 else if ((dbm_file = dbfn_open(US"callout", O_RDWR, &dbblock, FALSE)) == NULL)
223 {
224 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
225 }
226
227 /* If a cache database is available see if we can avoid the need to do an
228 actual callout by making use of previously-obtained data. */
229
230 if (dbm_file != NULL)
231 {
232 dbdata_callout_cache_address *cache_address_record;
233 dbdata_callout_cache *cache_record = get_callout_cache_record(dbm_file,
234 addr->domain, US"domain",
235 callout_cache_domain_positive_expire,
236 callout_cache_domain_negative_expire);
237
238 /* If an unexpired cache record was found for this domain, see if the callout
239 process can be short-circuited. */
240
241 if (cache_record != NULL)
242 {
243 /* In most cases, if an early command (up to and including MAIL FROM:<>)
244 was rejected, there is no point carrying on. The callout fails. However, if
245 we are doing a recipient verification with use_sender or use_postmaster
246 set, a previous failure of MAIL FROM:<> doesn't count, because this time we
247 will be using a non-empty sender. We have to remember this situation so as
248 not to disturb the cached domain value if this whole verification succeeds
249 (we don't want it turning into "accept"). */
250
251 old_domain_cache_result = cache_record->result;
252
253 if (cache_record->result == ccache_reject ||
254 (*from_address == 0 && cache_record->result == ccache_reject_mfnull))
255 {
256 setflag(addr, af_verify_nsfail);
257 HDEBUG(D_verify)
258 debug_printf("callout cache: domain gave initial rejection, or "
259 "does not accept HELO or MAIL FROM:<>\n");
260 setflag(addr, af_verify_nsfail);
261 addr->user_message = US"(result of an earlier callout reused).";
262 yield = FAIL;
263 *failure_ptr = US"mail";
264 goto END_CALLOUT;
265 }
266
267 /* If a previous check on a "random" local part was accepted, we assume
268 that the server does not do any checking on local parts. There is therefore
269 no point in doing the callout, because it will always be successful. If a
270 random check previously failed, arrange not to do it again, but preserve
271 the data in the new record. If a random check is required but hasn't been
272 done, skip the remaining cache processing. */
273
274 if (callout_random) switch(cache_record->random_result)
275 {
276 case ccache_accept:
277 HDEBUG(D_verify)
278 debug_printf("callout cache: domain accepts random addresses\n");
279 goto END_CALLOUT; /* Default yield is OK */
280
281 case ccache_reject:
282 HDEBUG(D_verify)
283 debug_printf("callout cache: domain rejects random addresses\n");
284 callout_random = FALSE;
285 new_domain_record.random_result = ccache_reject;
286 new_domain_record.random_stamp = cache_record->random_stamp;
287 break;
288
289 default:
290 HDEBUG(D_verify)
291 debug_printf("callout cache: need to check random address handling "
292 "(not cached or cache expired)\n");
293 goto END_CACHE;
294 }
295
296 /* If a postmaster check is requested, but there was a previous failure,
297 there is again no point in carrying on. If a postmaster check is required,
298 but has not been done before, we are going to have to do a callout, so skip
299 remaining cache processing. */
300
301 if (pm_mailfrom != NULL)
302 {
303 if (cache_record->postmaster_result == ccache_reject)
304 {
305 setflag(addr, af_verify_pmfail);
306 HDEBUG(D_verify)
307 debug_printf("callout cache: domain does not accept "
308 "RCPT TO:<postmaster@domain>\n");
309 yield = FAIL;
310 *failure_ptr = US"postmaster";
311 setflag(addr, af_verify_pmfail);
312 addr->user_message = US"(result of earlier verification reused).";
313 goto END_CALLOUT;
314 }
315 if (cache_record->postmaster_result == ccache_unknown)
316 {
317 HDEBUG(D_verify)
318 debug_printf("callout cache: need to check RCPT "
319 "TO:<postmaster@domain> (not cached or cache expired)\n");
320 goto END_CACHE;
321 }
322
323 /* If cache says OK, set pm_mailfrom NULL to prevent a redundant
324 postmaster check if the address itself has to be checked. Also ensure
325 that the value in the cache record is preserved (with its old timestamp).
326 */
327
328 HDEBUG(D_verify) debug_printf("callout cache: domain accepts RCPT "
329 "TO:<postmaster@domain>\n");
330 pm_mailfrom = NULL;
331 new_domain_record.postmaster_result = ccache_accept;
332 new_domain_record.postmaster_stamp = cache_record->postmaster_stamp;
333 }
334 }
335
336 /* We can't give a result based on information about the domain. See if there
337 is an unexpired cache record for this specific address (combined with the
338 sender address if we are doing a recipient callout with a non-empty sender).
339 */
340
341 cache_address_record = (dbdata_callout_cache_address *)
342 get_callout_cache_record(dbm_file,
343 address_key, US"address",
344 callout_cache_positive_expire,
345 callout_cache_negative_expire);
346
347 if (cache_address_record != NULL)
348 {
349 if (cache_address_record->result == ccache_accept)
350 {
351 HDEBUG(D_verify)
352 debug_printf("callout cache: address record is positive\n");
353 }
354 else
355 {
356 HDEBUG(D_verify)
357 debug_printf("callout cache: address record is negative\n");
358 addr->user_message = US"Previous (cached) callout verification failure";
359 *failure_ptr = US"recipient";
360 yield = FAIL;
361 }
362 goto END_CALLOUT;
363 }
364
365 /* Close the cache database while we actually do the callout for real. */
366
367 END_CACHE:
368 dbfn_close(dbm_file);
369 dbm_file = NULL;
370 }
371
372 if (!addr->transport)
373 {
374 HDEBUG(D_verify) debug_printf("cannot callout via null transport\n");
375 }
376 else if (Ustrcmp(addr->transport->driver_name, "smtp") != 0)
377 log_write(0, LOG_MAIN|LOG_PANIC|LOG_CONFIG_FOR, "callout transport '%s': %s is non-smtp",
378 addr->transport->name, addr->transport->driver_name);
379 else
380 {
381 smtp_transport_options_block *ob =
382 (smtp_transport_options_block *)addr->transport->options_block;
383
384 /* The information wasn't available in the cache, so we have to do a real
385 callout and save the result in the cache for next time, unless no_cache is set,
386 or unless we have a previously cached negative random result. If we are to test
387 with a random local part, ensure that such a local part is available. If not,
388 log the fact, but carry on without randomming. */
389
390 if (callout_random && callout_random_local_part != NULL)
391 if (!(random_local_part = expand_string(callout_random_local_part)))
392 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
393 "callout_random_local_part: %s", expand_string_message);
394
395 /* Default the connect and overall callout timeouts if not set, and record the
396 time we are starting so that we can enforce it. */
397
398 if (callout_overall < 0) callout_overall = 4 * callout;
399 if (callout_connect < 0) callout_connect = callout;
400 callout_start_time = time(NULL);
401
402 /* Before doing a real callout, if this is an SMTP connection, flush the SMTP
403 output because a callout might take some time. When PIPELINING is active and
404 there are many recipients, the total time for doing lots of callouts can add up
405 and cause the client to time out. So in this case we forgo the PIPELINING
406 optimization. */
407
408 if (smtp_out != NULL && !disable_callout_flush) mac_smtp_fflush();
409
410 /* cutthrough-multi: if a nonfirst rcpt has the same routing as the first,
411 and we are holding a cutthrough conn open, we can just append the rcpt to
412 that conn for verification purposes (and later delivery also). Simplest
413 coding means skipping this whole loop and doing the append separately.
414
415 We will need to remember it has been appended so that rcpt-acl tail code
416 can do it there for the non-rcpt-verify case. For this we keep an addresscount.
417 */
418
419 /* Can we re-use an open cutthrough connection? */
420 if ( cutthrough.fd >= 0
421 && (options & (vopt_callout_recipsender | vopt_callout_recippmaster))
422 == vopt_callout_recipsender
423 && !random_local_part
424 && !pm_mailfrom
425 )
426 {
427 if (addr->transport == cutthrough.addr.transport)
428 for (host = host_list; host; host = host->next)
429 if (Ustrcmp(host->address, cutthrough.host.address) == 0)
430 {
431 int host_af;
432 uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
433 int port = 25;
434
435 deliver_host = host->name;
436 deliver_host_address = host->address;
437 deliver_host_port = host->port;
438 deliver_domain = addr->domain;
439 transport_name = addr->transport->name;
440
441 host_af = (Ustrchr(host->address, ':') == NULL)? AF_INET:AF_INET6;
442
443 if (!smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
444 US"callout") ||
445 !smtp_get_port(tf->port, addr, &port, US"callout"))
446 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
447 addr->message);
448
449 if ( ( interface == cutthrough.interface
450 || ( interface
451 && cutthrough.interface
452 && Ustrcmp(interface, cutthrough.interface) == 0
453 ) )
454 && port == cutthrough.host.port
455 )
456 {
457 uschar * resp;
458
459 /* Match! Send the RCPT TO, append the addr, set done */
460 done =
461 smtp_write_command(&ctblock, FALSE, "RCPT TO:<%.1000s>\r\n",
462 transport_rcpt_address(addr,
463 (addr->transport == NULL)? FALSE :
464 addr->transport->rcpt_include_affixes)) >= 0 &&
465 cutthrough_response('2', &resp) == '2';
466
467 /* This would go horribly wrong if a callout fail was ignored by ACL.
468 We punt by abandoning cutthrough on a reject, like the
469 first-rcpt does. */
470
471 if (done)
472 {
473 address_item * na = store_get(sizeof(address_item));
474 *na = cutthrough.addr;
475 cutthrough.addr = *addr;
476 cutthrough.addr.host_used = &cutthrough.host;
477 cutthrough.addr.next = na;
478
479 cutthrough.nrcpt++;
480 }
481 else
482 {
483 cancel_cutthrough_connection("recipient rejected");
484 if (errno == ETIMEDOUT)
485 {
486 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
487 }
488 else if (errno == 0)
489 {
490 if (*resp == 0)
491 Ustrcpy(resp, US"connection dropped");
492
493 addr->message =
494 string_sprintf("response to \"%s\" from %s [%s] was: %s",
495 big_buffer, host->name, host->address,
496 string_printing(resp));
497
498 addr->user_message =
499 string_sprintf("Callout verification failed:\n%s", resp);
500
501 /* Hard rejection ends the process */
502
503 if (resp[0] == '5') /* Address rejected */
504 {
505 yield = FAIL;
506 done = TRUE;
507 }
508 }
509 }
510 }
511 break;
512 }
513 if (!done)
514 cancel_cutthrough_connection("incompatible connection");
515 }
516
517 /* Now make connections to the hosts and do real callouts. The list of hosts
518 is passed in as an argument. */
519
520 for (host = host_list; host != NULL && !done; host = host->next)
521 {
522 smtp_inblock inblock;
523 smtp_outblock outblock;
524 int host_af;
525 int port = 25;
526 BOOL send_quit = TRUE;
527 uschar *active_hostname = smtp_active_hostname;
528 BOOL lmtp;
529 BOOL smtps;
530 BOOL esmtp;
531 BOOL suppress_tls = FALSE;
532 uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
533 #if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
534 BOOL dane = FALSE;
535 BOOL dane_required;
536 dns_answer tlsa_dnsa;
537 #endif
538 uschar inbuffer[4096];
539 uschar outbuffer[1024];
540 uschar responsebuffer[4096];
541
542 clearflag(addr, af_verify_pmfail); /* postmaster callout flag */
543 clearflag(addr, af_verify_nsfail); /* null sender callout flag */
544
545 /* Skip this host if we don't have an IP address for it. */
546
547 if (host->address == NULL)
548 {
549 DEBUG(D_verify) debug_printf("no IP address for host name %s: skipping\n",
550 host->name);
551 continue;
552 }
553
554 /* Check the overall callout timeout */
555
556 if (time(NULL) - callout_start_time >= callout_overall)
557 {
558 HDEBUG(D_verify) debug_printf("overall timeout for callout exceeded\n");
559 break;
560 }
561
562 /* Set IPv4 or IPv6 */
563
564 host_af = (Ustrchr(host->address, ':') == NULL)? AF_INET:AF_INET6;
565
566 /* Expand and interpret the interface and port strings. The latter will not
567 be used if there is a host-specific port (e.g. from a manualroute router).
568 This has to be delayed till now, because they may expand differently for
569 different hosts. If there's a failure, log it, but carry on with the
570 defaults. */
571
572 deliver_host = host->name;
573 deliver_host_address = host->address;
574 deliver_host_port = host->port;
575 deliver_domain = addr->domain;
576 transport_name = addr->transport->name;
577
578 if ( !smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
579 US"callout")
580 || !smtp_get_port(tf->port, addr, &port, US"callout")
581 )
582 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
583 addr->message);
584
585 /* Set HELO string according to the protocol */
586 lmtp= Ustrcmp(tf->protocol, "lmtp") == 0;
587 smtps= Ustrcmp(tf->protocol, "smtps") == 0;
588
589
590 HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", interface, port);
591
592 /* Set up the buffer for reading SMTP response packets. */
593
594 inblock.buffer = inbuffer;
595 inblock.buffersize = sizeof(inbuffer);
596 inblock.ptr = inbuffer;
597 inblock.ptrend = inbuffer;
598
599 /* Set up the buffer for holding SMTP commands while pipelining */
600
601 outblock.buffer = outbuffer;
602 outblock.buffersize = sizeof(outbuffer);
603 outblock.ptr = outbuffer;
604 outblock.cmd_count = 0;
605 outblock.authenticating = FALSE;
606
607 /* Connect to the host; on failure, just loop for the next one, but we
608 set the error for the last one. Use the callout_connect timeout. */
609
610 tls_retry_connection:
611
612 /* Reset the parameters of a TLS session */
613 tls_out.cipher = tls_out.peerdn = tls_out.peercert = NULL;
614
615 inblock.sock = outblock.sock =
616 smtp_connect(host, host_af, port, interface, callout_connect,
617 addr->transport);
618 if (inblock.sock < 0)
619 {
620 addr->message = string_sprintf("could not connect to %s [%s]: %s",
621 host->name, host->address, strerror(errno));
622 transport_name = NULL;
623 deliver_host = deliver_host_address = NULL;
624 deliver_domain = save_deliver_domain;
625 continue;
626 }
627
628 #if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
629 {
630 int rc;
631
632 tls_out.dane_verified = FALSE;
633 tls_out.tlsa_usage = 0;
634
635 dane_required =
636 verify_check_given_host(&ob->hosts_require_dane, host) == OK;
637
638 if (host->dnssec == DS_YES)
639 {
640 if( ( dane_required
641 || verify_check_given_host(&ob->hosts_try_dane, host) == OK
642 )
643 && (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK
644 )
645 return rc;
646 }
647 else if (dane_required)
648 {
649 log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name);
650 return FAIL;
651 }
652
653 if (dane)
654 ob->tls_tempfail_tryclear = FALSE;
655 }
656 #endif /*DANE*/
657
658 /* Expand the helo_data string to find the host name to use. */
659
660 if (tf->helo_data != NULL)
661 {
662 uschar *s = expand_string(tf->helo_data);
663 if (s == NULL)
664 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: failed to expand transport's "
665 "helo_data value for callout: %s", addr->address,
666 expand_string_message);
667 else active_hostname = s;
668 }
669
670 /* Wait for initial response, and send HELO. The smtp_write_command()
671 function leaves its command in big_buffer. This is used in error responses.
672 Initialize it in case the connection is rejected. */
673
674 Ustrcpy(big_buffer, "initial connection");
675
676 /* Unless ssl-on-connect, wait for the initial greeting */
677 smtps_redo_greeting:
678
679 #ifdef SUPPORT_TLS
680 if (!smtps || (smtps && tls_out.active >= 0))
681 #endif
682 {
683 if (!(done= smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout)))
684 goto RESPONSE_FAILED;
685
686 #ifdef EXPERIMENTAL_EVENT
687 lookup_dnssec_authenticated = host->dnssec==DS_YES ? US"yes"
688 : host->dnssec==DS_NO ? US"no" : NULL;
689 if (event_raise(addr->transport->event_action,
690 US"smtp:connect", responsebuffer))
691 {
692 lookup_dnssec_authenticated = NULL;
693 /* Logging? Debug? */
694 goto RESPONSE_FAILED;
695 }
696 lookup_dnssec_authenticated = NULL;
697 #endif
698 }
699
700 /* Not worth checking greeting line for ESMTP support */
701 if (!(esmtp = verify_check_given_host(&ob->hosts_avoid_esmtp, host) != OK))
702 DEBUG(D_transport)
703 debug_printf("not sending EHLO (host matches hosts_avoid_esmtp)\n");
704
705 tls_redo_helo:
706
707 #ifdef SUPPORT_TLS
708 if (smtps && tls_out.active < 0) /* ssl-on-connect, first pass */
709 {
710 tls_offered = TRUE;
711 ob->tls_tempfail_tryclear = FALSE;
712 }
713 else /* all other cases */
714 #endif
715
716 { esmtp_retry:
717
718 if (!(done= smtp_write_command(&outblock, FALSE, "%s %s\r\n",
719 !esmtp? "HELO" : lmtp? "LHLO" : "EHLO", active_hostname) >= 0))
720 goto SEND_FAILED;
721 if (!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout))
722 {
723 if (errno != 0 || responsebuffer[0] == 0 || lmtp || !esmtp || tls_out.active >= 0)
724 {
725 done= FALSE;
726 goto RESPONSE_FAILED;
727 }
728 #ifdef SUPPORT_TLS
729 tls_offered = FALSE;
730 #endif
731 esmtp = FALSE;
732 goto esmtp_retry; /* fallback to HELO */
733 }
734
735 /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
736 #ifdef SUPPORT_TLS
737 if (esmtp && !suppress_tls && tls_out.active < 0)
738 {
739 if (regex_STARTTLS == NULL) regex_STARTTLS =
740 regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
741
742 tls_offered = pcre_exec(regex_STARTTLS, NULL, CS responsebuffer,
743 Ustrlen(responsebuffer), 0, PCRE_EOPT, NULL, 0) >= 0;
744 }
745 else
746 tls_offered = FALSE;
747 #endif
748 }
749
750 /* If TLS is available on this connection attempt to
751 start up a TLS session, unless the host is in hosts_avoid_tls. If successful,
752 send another EHLO - the server may give a different answer in secure mode. We
753 use a separate buffer for reading the response to STARTTLS so that if it is
754 negative, the original EHLO data is available for subsequent analysis, should
755 the client not be required to use TLS. If the response is bad, copy the buffer
756 for error analysis. */
757
758 #ifdef SUPPORT_TLS
759 if ( tls_offered
760 && verify_check_given_host(&ob->hosts_avoid_tls, host) != OK
761 && verify_check_given_host(&ob->hosts_verify_avoid_tls, host) != OK
762 )
763 {
764 uschar buffer2[4096];
765 if ( !smtps
766 && !(done= smtp_write_command(&outblock, FALSE, "STARTTLS\r\n") >= 0))
767 goto SEND_FAILED;
768
769 /* If there is an I/O error, transmission of this message is deferred. If
770 there is a temporary rejection of STARRTLS and tls_tempfail_tryclear is
771 false, we also defer. However, if there is a temporary rejection of STARTTLS
772 and tls_tempfail_tryclear is true, or if there is an outright rejection of
773 STARTTLS, we carry on. This means we will try to send the message in clear,
774 unless the host is in hosts_require_tls (tested below). */
775
776 if (!smtps && !smtp_read_response(&inblock, buffer2, sizeof(buffer2), '2',
777 ob->command_timeout))
778 {
779 if (errno != 0 || buffer2[0] == 0 ||
780 (buffer2[0] == '4' && !ob->tls_tempfail_tryclear))
781 {
782 Ustrncpy(responsebuffer, buffer2, sizeof(responsebuffer));
783 done= FALSE;
784 goto RESPONSE_FAILED;
785 }
786 }
787
788 /* STARTTLS accepted or ssl-on-connect: try to negotiate a TLS session. */
789 else
790 {
791 int oldtimeout = ob->command_timeout;
792 int rc;
793
794 tls_negotiate:
795 ob->command_timeout = callout;
796 rc = tls_client_start(inblock.sock, host, addr, addr->transport
797 # ifdef EXPERIMENTAL_DANE
798 , dane ? &tlsa_dnsa : NULL
799 # endif
800 );
801 ob->command_timeout = oldtimeout;
802
803 /* TLS negotiation failed; give an error. Try in clear on a new
804 connection, if the options permit it for this host. */
805 if (rc != OK)
806 {
807 if (rc == DEFER)
808 {
809 (void)close(inblock.sock);
810 # ifdef EXPERIMENTAL_EVENT
811 (void) event_raise(addr->transport->event_action,
812 US"tcp:close", NULL);
813 # endif
814 # ifdef EXPERIMENTAL_DANE
815 if (dane)
816 {
817 if (!dane_required)
818 {
819 log_write(0, LOG_MAIN, "DANE attempt failed;"
820 " trying CA-root TLS to %s [%s] (not in hosts_require_dane)",
821 host->name, host->address);
822 dane = FALSE;
823 goto tls_negotiate;
824 }
825 }
826 else
827 # endif
828 if ( ob->tls_tempfail_tryclear
829 && !smtps
830 && verify_check_given_host(&ob->hosts_require_tls, host) != OK
831 )
832 {
833 log_write(0, LOG_MAIN, "TLS session failure:"
834 " delivering unencrypted to %s [%s] (not in hosts_require_tls)",
835 host->name, host->address);
836 suppress_tls = TRUE;
837 goto tls_retry_connection;
838 }
839 }
840
841 /*save_errno = ERRNO_TLSFAILURE;*/
842 /*message = US"failure while setting up TLS session";*/
843 send_quit = FALSE;
844 done= FALSE;
845 goto TLS_FAILED;
846 }
847
848 /* TLS session is set up. Copy info for logging. */
849 addr->cipher = tls_out.cipher;
850 addr->peerdn = tls_out.peerdn;
851
852 /* For SMTPS we need to wait for the initial OK response, then do HELO. */
853 if (smtps)
854 goto smtps_redo_greeting;
855
856 /* For STARTTLS we need to redo EHLO */
857 goto tls_redo_helo;
858 }
859 }
860
861 /* If the host is required to use a secure channel, ensure that we have one. */
862 if (tls_out.active < 0)
863 if (
864 # ifdef EXPERIMENTAL_DANE
865 dane ||
866 # endif
867 verify_check_given_host(&ob->hosts_require_tls, host) == OK
868 )
869 {
870 /*save_errno = ERRNO_TLSREQUIRED;*/
871 log_write(0, LOG_MAIN,
872 "H=%s [%s]: a TLS session is required for this host, but %s",
873 host->name, host->address,
874 tls_offered ? "an attempt to start TLS failed"
875 : "the server did not offer TLS support");
876 done= FALSE;
877 goto TLS_FAILED;
878 }
879
880 #endif /*SUPPORT_TLS*/
881
882 done = TRUE; /* so far so good; have response to HELO */
883
884 /*XXX the EHLO response would be analyzed here for IGNOREQUOTA, SIZE, PIPELINING */
885
886 /* For now, transport_filter by cutthrough-delivery is not supported */
887 /* Need proper integration with the proper transport mechanism. */
888 if (cutthrough.delivery)
889 {
890 if (addr->transport->filter_command)
891 {
892 cutthrough.delivery = FALSE;
893 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n");
894 }
895 #ifndef DISABLE_DKIM
896 if (ob->dkim_domain)
897 {
898 cutthrough.delivery = FALSE;
899 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of DKIM signing\n");
900 }
901 #endif
902 }
903
904 SEND_FAILED:
905 RESPONSE_FAILED:
906 TLS_FAILED:
907 ;
908 /* Clear down of the TLS, SMTP and TCP layers on error is handled below. */
909
910 /* Failure to accept HELO is cached; this blocks the whole domain for all
911 senders. I/O errors and defer responses are not cached. */
912
913 if (!done)
914 {
915 *failure_ptr = US"mail"; /* At or before MAIL */
916 if (errno == 0 && responsebuffer[0] == '5')
917 {
918 setflag(addr, af_verify_nsfail);
919 new_domain_record.result = ccache_reject;
920 }
921 }
922
923 /* If we haven't authenticated, but are required to, give up. */
924 /* Try to AUTH */
925
926 else done = smtp_auth(responsebuffer, sizeof(responsebuffer),
927 addr, host, ob, esmtp, &inblock, &outblock) == OK &&
928
929 /* Copy AUTH info for logging */
930 ( (addr->authenticator = client_authenticator),
931 (addr->auth_id = client_authenticated_id),
932
933 /* Build a mail-AUTH string (re-using responsebuffer for convenience */
934 !smtp_mail_auth_str(responsebuffer, sizeof(responsebuffer), addr, ob)
935 ) &&
936
937 ( (addr->auth_sndr = client_authenticated_sender),
938
939 /* Send the MAIL command */
940 (smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>%s\r\n",
941 from_address, responsebuffer) >= 0)
942 ) &&
943
944 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
945 '2', callout);
946
947 deliver_host = deliver_host_address = NULL;
948 deliver_domain = save_deliver_domain;
949
950 /* If the host does not accept MAIL FROM:<>, arrange to cache this
951 information, but again, don't record anything for an I/O error or a defer. Do
952 not cache rejections of MAIL when a non-empty sender has been used, because
953 that blocks the whole domain for all senders. */
954
955 if (!done)
956 {
957 *failure_ptr = US"mail"; /* At or before MAIL */
958 if (errno == 0 && responsebuffer[0] == '5')
959 {
960 setflag(addr, af_verify_nsfail);
961 if (from_address[0] == 0)
962 new_domain_record.result = ccache_reject_mfnull;
963 }
964 }
965
966 /* Otherwise, proceed to check a "random" address (if required), then the
967 given address, and the postmaster address (if required). Between each check,
968 issue RSET, because some servers accept only one recipient after MAIL
969 FROM:<>.
970
971 Before doing this, set the result in the domain cache record to "accept",
972 unless its previous value was ccache_reject_mfnull. In that case, the domain
973 rejects MAIL FROM:<> and we want to continue to remember that. When that is
974 the case, we have got here only in the case of a recipient verification with
975 a non-null sender. */
976
977 else
978 {
979 new_domain_record.result =
980 (old_domain_cache_result == ccache_reject_mfnull)?
981 ccache_reject_mfnull: ccache_accept;
982
983 /* Do the random local part check first */
984
985 if (random_local_part != NULL)
986 {
987 uschar randombuffer[1024];
988 BOOL random_ok =
989 smtp_write_command(&outblock, FALSE,
990 "RCPT TO:<%.1000s@%.1000s>\r\n", random_local_part,
991 addr->domain) >= 0 &&
992 smtp_read_response(&inblock, randombuffer,
993 sizeof(randombuffer), '2', callout);
994
995 /* Remember when we last did a random test */
996
997 new_domain_record.random_stamp = time(NULL);
998
999 /* If accepted, we aren't going to do any further tests below. */
1000
1001 if (random_ok)
1002 new_domain_record.random_result = ccache_accept;
1003
1004 /* Otherwise, cache a real negative response, and get back to the right
1005 state to send RCPT. Unless there's some problem such as a dropped
1006 connection, we expect to succeed, because the commands succeeded above.
1007 However, some servers drop the connection after responding to an
1008 invalid recipient, so on (any) error we drop and remake the connection.
1009 */
1010
1011 else if (errno == 0)
1012 {
1013 /* This would be ok for 1st rcpt a cutthrough, but no way to
1014 handle a subsequent. So refuse to support any */
1015 cancel_cutthrough_connection("random-recipient");
1016
1017 if (randombuffer[0] == '5')
1018 new_domain_record.random_result = ccache_reject;
1019
1020 done =
1021 smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
1022 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
1023 '2', callout) &&
1024
1025 smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>\r\n",
1026 from_address) >= 0 &&
1027 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
1028 '2', callout);
1029
1030 if (!done)
1031 {
1032 HDEBUG(D_acl|D_v)
1033 debug_printf("problem after random/rset/mfrom; reopen conn\n");
1034 random_local_part = NULL;
1035 #ifdef SUPPORT_TLS
1036 tls_close(FALSE, TRUE);
1037 #endif
1038 (void)close(inblock.sock);
1039 #ifdef EXPERIMENTAL_EVENT
1040 (void) event_raise(addr->transport->event_action,
1041 US"tcp:close", NULL);
1042 #endif
1043 goto tls_retry_connection;
1044 }
1045 }
1046 else done = FALSE; /* Some timeout/connection problem */
1047 } /* Random check */
1048
1049 /* If the host is accepting all local parts, as determined by the "random"
1050 check, we don't need to waste time doing any further checking. */
1051
1052 if (new_domain_record.random_result != ccache_accept && done)
1053 {
1054 /* Get the rcpt_include_affixes flag from the transport if there is one,
1055 but assume FALSE if there is not. */
1056
1057 done =
1058 smtp_write_command(&outblock, FALSE, "RCPT TO:<%.1000s>\r\n",
1059 transport_rcpt_address(addr,
1060 (addr->transport == NULL)? FALSE :
1061 addr->transport->rcpt_include_affixes)) >= 0 &&
1062 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
1063 '2', callout);
1064
1065 if (done)
1066 new_address_record.result = ccache_accept;
1067 else if (errno == 0 && responsebuffer[0] == '5')
1068 {
1069 *failure_ptr = US"recipient";
1070 new_address_record.result = ccache_reject;
1071 }
1072
1073 /* Do postmaster check if requested; if a full check is required, we
1074 check for RCPT TO:<postmaster> (no domain) in accordance with RFC 821. */
1075
1076 if (done && pm_mailfrom != NULL)
1077 {
1078 /* Could possibly shift before main verify, just above, and be ok
1079 for cutthrough. But no way to handle a subsequent rcpt, so just
1080 refuse any */
1081 cancel_cutthrough_connection("postmaster verify");
1082 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of postmaster verify\n");
1083
1084 done =
1085 smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
1086 smtp_read_response(&inblock, responsebuffer,
1087 sizeof(responsebuffer), '2', callout) &&
1088
1089 smtp_write_command(&outblock, FALSE,
1090 "MAIL FROM:<%s>\r\n", pm_mailfrom) >= 0 &&
1091 smtp_read_response(&inblock, responsebuffer,
1092 sizeof(responsebuffer), '2', callout) &&
1093
1094 /* First try using the current domain */
1095
1096 ((
1097 smtp_write_command(&outblock, FALSE,
1098 "RCPT TO:<postmaster@%.1000s>\r\n", addr->domain) >= 0 &&
1099 smtp_read_response(&inblock, responsebuffer,
1100 sizeof(responsebuffer), '2', callout)
1101 )
1102
1103 ||
1104
1105 /* If that doesn't work, and a full check is requested,
1106 try without the domain. */
1107
1108 (
1109 (options & vopt_callout_fullpm) != 0 &&
1110 smtp_write_command(&outblock, FALSE,
1111 "RCPT TO:<postmaster>\r\n") >= 0 &&
1112 smtp_read_response(&inblock, responsebuffer,
1113 sizeof(responsebuffer), '2', callout)
1114 ));
1115
1116 /* Sort out the cache record */
1117
1118 new_domain_record.postmaster_stamp = time(NULL);
1119
1120 if (done)
1121 new_domain_record.postmaster_result = ccache_accept;
1122 else if (errno == 0 && responsebuffer[0] == '5')
1123 {
1124 *failure_ptr = US"postmaster";
1125 setflag(addr, af_verify_pmfail);
1126 new_domain_record.postmaster_result = ccache_reject;
1127 }
1128 }
1129 } /* Random not accepted */
1130 } /* MAIL FROM: accepted */
1131
1132 /* For any failure of the main check, other than a negative response, we just
1133 close the connection and carry on. We can identify a negative response by the
1134 fact that errno is zero. For I/O errors it will be non-zero
1135
1136 Set up different error texts for logging and for sending back to the caller
1137 as an SMTP response. Log in all cases, using a one-line format. For sender
1138 callouts, give a full response to the caller, but for recipient callouts,
1139 don't give the IP address because this may be an internal host whose identity
1140 is not to be widely broadcast. */
1141
1142 if (!done)
1143 {
1144 if (errno == ETIMEDOUT)
1145 {
1146 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
1147 send_quit = FALSE;
1148 }
1149 else if (errno == 0)
1150 {
1151 if (*responsebuffer == 0) Ustrcpy(responsebuffer, US"connection dropped");
1152
1153 addr->message =
1154 string_sprintf("response to \"%s\" from %s [%s] was: %s",
1155 big_buffer, host->name, host->address,
1156 string_printing(responsebuffer));
1157
1158 addr->user_message = is_recipient?
1159 string_sprintf("Callout verification failed:\n%s", responsebuffer)
1160 :
1161 string_sprintf("Called: %s\nSent: %s\nResponse: %s",
1162 host->address, big_buffer, responsebuffer);
1163
1164 /* Hard rejection ends the process */
1165
1166 if (responsebuffer[0] == '5') /* Address rejected */
1167 {
1168 yield = FAIL;
1169 done = TRUE;
1170 }
1171 }
1172 }
1173
1174 /* End the SMTP conversation and close the connection. */
1175
1176 /* Cutthrough - on a successfull connect and recipient-verify with
1177 use-sender and we are 1st rcpt and have no cutthrough conn so far
1178 here is where we want to leave the conn open */
1179 if ( cutthrough.delivery
1180 && rcpt_count == 1
1181 && done
1182 && yield == OK
1183 && (options & (vopt_callout_recipsender|vopt_callout_recippmaster)) == vopt_callout_recipsender
1184 && !random_local_part
1185 && !pm_mailfrom
1186 && cutthrough.fd < 0
1187 && !lmtp
1188 )
1189 {
1190 cutthrough.fd = outblock.sock; /* We assume no buffer in use in the outblock */
1191 cutthrough.nrcpt = 1;
1192 cutthrough.interface = interface;
1193 cutthrough.host = *host;
1194 cutthrough.addr = *addr; /* Save the address_item for later logging */
1195 cutthrough.addr.next = NULL;
1196 cutthrough.addr.host_used = &cutthrough.host;
1197 if (addr->parent)
1198 *(cutthrough.addr.parent = store_get(sizeof(address_item))) =
1199 *addr->parent;
1200 ctblock.buffer = ctbuffer;
1201 ctblock.buffersize = sizeof(ctbuffer);
1202 ctblock.ptr = ctbuffer;
1203 /* ctblock.cmd_count = 0; ctblock.authenticating = FALSE; */
1204 ctblock.sock = cutthrough.fd;
1205 }
1206 else
1207 {
1208 /* Ensure no cutthrough on multiple address verifies */
1209 if (options & vopt_callout_recipsender)
1210 cancel_cutthrough_connection("multiple verify calls");
1211 if (send_quit) (void)smtp_write_command(&outblock, FALSE, "QUIT\r\n");
1212
1213 #ifdef SUPPORT_TLS
1214 tls_close(FALSE, TRUE);
1215 #endif
1216 (void)close(inblock.sock);
1217 #ifdef EXPERIMENTAL_EVENT
1218 (void) event_raise(addr->transport->event_action,
1219 US"tcp:close", NULL);
1220 #endif
1221 }
1222
1223 } /* Loop through all hosts, while !done */
1224 }
1225
1226 /* If we get here with done == TRUE, a successful callout happened, and yield
1227 will be set OK or FAIL according to the response to the RCPT command.
1228 Otherwise, we looped through the hosts but couldn't complete the business.
1229 However, there may be domain-specific information to cache in both cases.
1230
1231 The value of the result field in the new_domain record is ccache_unknown if
1232 there was an error before or with MAIL FROM:, and errno was not zero,
1233 implying some kind of I/O error. We don't want to write the cache in that case.
1234 Otherwise the value is ccache_accept, ccache_reject, or ccache_reject_mfnull. */
1235
1236 if (!callout_no_cache && new_domain_record.result != ccache_unknown)
1237 {
1238 if ((dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE))
1239 == NULL)
1240 {
1241 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
1242 }
1243 else
1244 {
1245 (void)dbfn_write(dbm_file, addr->domain, &new_domain_record,
1246 (int)sizeof(dbdata_callout_cache));
1247 HDEBUG(D_verify) debug_printf("wrote callout cache domain record:\n"
1248 " result=%d postmaster=%d random=%d\n",
1249 new_domain_record.result,
1250 new_domain_record.postmaster_result,
1251 new_domain_record.random_result);
1252 }
1253 }
1254
1255 /* If a definite result was obtained for the callout, cache it unless caching
1256 is disabled. */
1257
1258 if (done)
1259 {
1260 if (!callout_no_cache && new_address_record.result != ccache_unknown)
1261 {
1262 if (dbm_file == NULL)
1263 dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE);
1264 if (dbm_file == NULL)
1265 {
1266 HDEBUG(D_verify) debug_printf("no callout cache available\n");
1267 }
1268 else
1269 {
1270 (void)dbfn_write(dbm_file, address_key, &new_address_record,
1271 (int)sizeof(dbdata_callout_cache_address));
1272 HDEBUG(D_verify) debug_printf("wrote %s callout cache address record\n",
1273 (new_address_record.result == ccache_accept)? "positive" : "negative");
1274 }
1275 }
1276 } /* done */
1277
1278 /* Failure to connect to any host, or any response other than 2xx or 5xx is a
1279 temporary error. If there was only one host, and a response was received, leave
1280 it alone if supplying details. Otherwise, give a generic response. */
1281
1282 else /* !done */
1283 {
1284 uschar *dullmsg = string_sprintf("Could not complete %s verify callout",
1285 is_recipient? "recipient" : "sender");
1286 yield = DEFER;
1287
1288 if (host_list->next != NULL || addr->message == NULL) addr->message = dullmsg;
1289
1290 addr->user_message = (!smtp_return_error_details)? dullmsg :
1291 string_sprintf("%s for <%s>.\n"
1292 "The mail server(s) for the domain may be temporarily unreachable, or\n"
1293 "they may be permanently unreachable from this server. In the latter case,\n%s",
1294 dullmsg, addr->address,
1295 is_recipient?
1296 "the address will never be accepted."
1297 :
1298 "you need to change the address or create an MX record for its domain\n"
1299 "if it is supposed to be generally accessible from the Internet.\n"
1300 "Talk to your mail administrator for details.");
1301
1302 /* Force a specific error code */
1303
1304 addr->basic_errno = ERRNO_CALLOUTDEFER;
1305 }
1306
1307 /* Come here from within the cache-reading code on fast-track exit. */
1308
1309 END_CALLOUT:
1310 if (dbm_file != NULL) dbfn_close(dbm_file);
1311 return yield;
1312 }
1313
1314
1315
1316 /* Called after recipient-acl to get a cutthrough connection open when
1317 one was requested and a recipient-verify wasn't subsequently done.
1318 */
1319 void
1320 open_cutthrough_connection( address_item * addr )
1321 {
1322 address_item addr2;
1323
1324 /* Use a recipient-verify-callout to set up the cutthrough connection. */
1325 /* We must use a copy of the address for verification, because it might
1326 get rewritten. */
1327
1328 addr2 = *addr;
1329 HDEBUG(D_acl) debug_printf("----------- %s cutthrough setup ------------\n",
1330 rcpt_count > 1 ? "more" : "start");
1331 (void) verify_address(&addr2, NULL,
1332 vopt_is_recipient | vopt_callout_recipsender | vopt_callout_no_cache,
1333 CUTTHROUGH_CMD_TIMEOUT, -1, -1,
1334 NULL, NULL, NULL);
1335 HDEBUG(D_acl) debug_printf("----------- end cutthrough setup ------------\n");
1336 return;
1337 }
1338
1339
1340
1341 /* Send given number of bytes from the buffer */
1342 static BOOL
1343 cutthrough_send(int n)
1344 {
1345 if(cutthrough.fd < 0)
1346 return TRUE;
1347
1348 if(
1349 #ifdef SUPPORT_TLS
1350 (tls_out.active == cutthrough.fd) ? tls_write(FALSE, ctblock.buffer, n) :
1351 #endif
1352 send(cutthrough.fd, ctblock.buffer, n, 0) > 0
1353 )
1354 {
1355 transport_count += n;
1356 ctblock.ptr= ctblock.buffer;
1357 return TRUE;
1358 }
1359
1360 HDEBUG(D_transport|D_acl) debug_printf("cutthrough_send failed: %s\n", strerror(errno));
1361 return FALSE;
1362 }
1363
1364
1365
1366 static BOOL
1367 _cutthrough_puts(uschar * cp, int n)
1368 {
1369 while(n--)
1370 {
1371 if(ctblock.ptr >= ctblock.buffer+ctblock.buffersize)
1372 if(!cutthrough_send(ctblock.buffersize))
1373 return FALSE;
1374
1375 *ctblock.ptr++ = *cp++;
1376 }
1377 return TRUE;
1378 }
1379
1380 /* Buffered output of counted data block. Return boolean success */
1381 BOOL
1382 cutthrough_puts(uschar * cp, int n)
1383 {
1384 if (cutthrough.fd < 0) return TRUE;
1385 if (_cutthrough_puts(cp, n)) return TRUE;
1386 cancel_cutthrough_connection("transmit failed");
1387 return FALSE;
1388 }
1389
1390
1391 static BOOL
1392 _cutthrough_flush_send(void)
1393 {
1394 int n= ctblock.ptr-ctblock.buffer;
1395
1396 if(n>0)
1397 if(!cutthrough_send(n))
1398 return FALSE;
1399 return TRUE;
1400 }
1401
1402
1403 /* Send out any bufferred output. Return boolean success. */
1404 BOOL
1405 cutthrough_flush_send(void)
1406 {
1407 if (_cutthrough_flush_send()) return TRUE;
1408 cancel_cutthrough_connection("transmit failed");
1409 return FALSE;
1410 }
1411
1412
1413 BOOL
1414 cutthrough_put_nl(void)
1415 {
1416 return cutthrough_puts(US"\r\n", 2);
1417 }
1418
1419
1420 /* Get and check response from cutthrough target */
1421 static uschar
1422 cutthrough_response(char expect, uschar ** copy)
1423 {
1424 smtp_inblock inblock;
1425 uschar inbuffer[4096];
1426 uschar responsebuffer[4096];
1427
1428 inblock.buffer = inbuffer;
1429 inblock.buffersize = sizeof(inbuffer);
1430 inblock.ptr = inbuffer;
1431 inblock.ptrend = inbuffer;
1432 inblock.sock = cutthrough.fd;
1433 /* this relies on (inblock.sock == tls_out.active) */
1434 if(!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), expect, CUTTHROUGH_DATA_TIMEOUT))
1435 cancel_cutthrough_connection("target timeout on read");
1436
1437 if(copy != NULL)
1438 {
1439 uschar * cp;
1440 *copy = cp = string_copy(responsebuffer);
1441 /* Trim the trailing end of line */
1442 cp += Ustrlen(responsebuffer);
1443 if(cp > *copy && cp[-1] == '\n') *--cp = '\0';
1444 if(cp > *copy && cp[-1] == '\r') *--cp = '\0';
1445 }
1446
1447 return responsebuffer[0];
1448 }
1449
1450
1451 /* Negotiate dataphase with the cutthrough target, returning success boolean */
1452 BOOL
1453 cutthrough_predata(void)
1454 {
1455 if(cutthrough.fd < 0)
1456 return FALSE;
1457
1458 HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> DATA\n");
1459 cutthrough_puts(US"DATA\r\n", 6);
1460 cutthrough_flush_send();
1461
1462 /* Assume nothing buffered. If it was it gets ignored. */
1463 return cutthrough_response('3', NULL) == '3';
1464 }
1465
1466
1467 /* fd and use_crlf args only to match write_chunk() */
1468 static BOOL
1469 cutthrough_write_chunk(int fd, uschar * s, int len, BOOL use_crlf)
1470 {
1471 uschar * s2;
1472 while(s && (s2 = Ustrchr(s, '\n')))
1473 {
1474 if(!cutthrough_puts(s, s2-s) || !cutthrough_put_nl())
1475 return FALSE;
1476 s = s2+1;
1477 }
1478 return TRUE;
1479 }
1480
1481
1482 /* Buffered send of headers. Return success boolean. */
1483 /* Expands newlines to wire format (CR,NL). */
1484 /* Also sends header-terminating blank line. */
1485 BOOL
1486 cutthrough_headers_send(void)
1487 {
1488 if(cutthrough.fd < 0)
1489 return FALSE;
1490
1491 /* We share a routine with the mainline transport to handle header add/remove/rewrites,
1492 but having a separate buffered-output function (for now)
1493 */
1494 HDEBUG(D_acl) debug_printf("----------- start cutthrough headers send -----------\n");
1495
1496 if (!transport_headers_send(&cutthrough.addr, cutthrough.fd,
1497 cutthrough.addr.transport->add_headers,
1498 cutthrough.addr.transport->remove_headers,
1499 &cutthrough_write_chunk, TRUE,
1500 cutthrough.addr.transport->rewrite_rules,
1501 cutthrough.addr.transport->rewrite_existflags))
1502 return FALSE;
1503
1504 HDEBUG(D_acl) debug_printf("----------- done cutthrough headers send ------------\n");
1505 return TRUE;
1506 }
1507
1508
1509 static void
1510 close_cutthrough_connection(const char * why)
1511 {
1512 if(cutthrough.fd >= 0)
1513 {
1514 /* We could be sending this after a bunch of data, but that is ok as
1515 the only way to cancel the transfer in dataphase is to drop the tcp
1516 conn before the final dot.
1517 */
1518 ctblock.ptr = ctbuffer;
1519 HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> QUIT\n");
1520 _cutthrough_puts(US"QUIT\r\n", 6); /* avoid recursion */
1521 _cutthrough_flush_send();
1522 /* No wait for response */
1523
1524 #ifdef SUPPORT_TLS
1525 tls_close(FALSE, TRUE);
1526 #endif
1527 (void)close(cutthrough.fd);
1528 cutthrough.fd = -1;
1529 HDEBUG(D_acl) debug_printf("----------- cutthrough shutdown (%s) ------------\n", why);
1530 }
1531 ctblock.ptr = ctbuffer;
1532 }
1533
1534 void
1535 cancel_cutthrough_connection(const char * why)
1536 {
1537 close_cutthrough_connection(why);
1538 cutthrough.delivery = FALSE;
1539 }
1540
1541
1542
1543
1544 /* Have senders final-dot. Send one to cutthrough target, and grab the response.
1545 Log an OK response as a transmission.
1546 Close the connection.
1547 Return smtp response-class digit.
1548 */
1549 uschar *
1550 cutthrough_finaldot(void)
1551 {
1552 uschar res;
1553 address_item * addr;
1554 HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> .\n");
1555
1556 /* Assume data finshed with new-line */
1557 if( !cutthrough_puts(US".", 1)
1558 || !cutthrough_put_nl()
1559 || !cutthrough_flush_send()
1560 )
1561 return cutthrough.addr.message;
1562
1563 res = cutthrough_response('2', &cutthrough.addr.message);
1564 for (addr = &cutthrough.addr; addr; addr = addr->next)
1565 {
1566 addr->message = cutthrough.addr.message;
1567 switch(res)
1568 {
1569 case '2':
1570 delivery_log(LOG_MAIN, addr, (int)'>', NULL);
1571 close_cutthrough_connection("delivered");
1572 break;
1573
1574 case '4':
1575 delivery_log(LOG_MAIN, addr, 0,
1576 US"tmp-reject from cutthrough after DATA:");
1577 break;
1578
1579 case '5':
1580 delivery_log(LOG_MAIN|LOG_REJECT, addr, 0,
1581 US"rejected after DATA:");
1582 break;
1583
1584 default:
1585 break;
1586 }
1587 }
1588 return cutthrough.addr.message;
1589 }
1590
1591
1592
1593 /*************************************************
1594 * Copy error to toplevel address *
1595 *************************************************/
1596
1597 /* This function is used when a verify fails or defers, to ensure that the
1598 failure or defer information is in the original toplevel address. This applies
1599 when an address is redirected to a single new address, and the failure or
1600 deferral happens to the child address.
1601
1602 Arguments:
1603 vaddr the verify address item
1604 addr the final address item
1605 yield FAIL or DEFER
1606
1607 Returns: the value of YIELD
1608 */
1609
1610 static int
1611 copy_error(address_item *vaddr, address_item *addr, int yield)
1612 {
1613 if (addr != vaddr)
1614 {
1615 vaddr->message = addr->message;
1616 vaddr->user_message = addr->user_message;
1617 vaddr->basic_errno = addr->basic_errno;
1618 vaddr->more_errno = addr->more_errno;
1619 vaddr->p.address_data = addr->p.address_data;
1620 copyflag(vaddr, addr, af_pass_message);
1621 }
1622 return yield;
1623 }
1624
1625
1626
1627
1628 /**************************************************
1629 * printf that automatically handles TLS if needed *
1630 ***************************************************/
1631
1632 /* This function is used by verify_address() as a substitute for all fprintf()
1633 calls; a direct fprintf() will not produce output in a TLS SMTP session, such
1634 as a response to an EXPN command. smtp_in.c makes smtp_printf available but
1635 that assumes that we always use the smtp_out FILE* when not using TLS or the
1636 ssl buffer when we are. Instead we take a FILE* parameter and check to see if
1637 that is smtp_out; if so, smtp_printf() with TLS support, otherwise regular
1638 fprintf().
1639
1640 Arguments:
1641 f the candidate FILE* to write to
1642 format format string
1643 ... optional arguments
1644
1645 Returns:
1646 nothing
1647 */
1648
1649 static void PRINTF_FUNCTION(2,3)
1650 respond_printf(FILE *f, const char *format, ...)
1651 {
1652 va_list ap;
1653
1654 va_start(ap, format);
1655 if (smtp_out && (f == smtp_out))
1656 smtp_vprintf(format, ap);
1657 else
1658 vfprintf(f, format, ap);
1659 va_end(ap);
1660 }
1661
1662
1663
1664 /*************************************************
1665 * Verify an email address *
1666 *************************************************/
1667
1668 /* This function is used both for verification (-bv and at other times) and
1669 address testing (-bt), which is indicated by address_test_mode being set.
1670
1671 Arguments:
1672 vaddr contains the address to verify; the next field in this block
1673 must be NULL
1674 f if not NULL, write the result to this file
1675 options various option bits:
1676 vopt_fake_sender => this sender verify is not for the real
1677 sender (it was verify=sender=xxxx or an address from a
1678 header line) - rewriting must not change sender_address
1679 vopt_is_recipient => this is a recipient address, otherwise
1680 it's a sender address - this affects qualification and
1681 rewriting and messages from callouts
1682 vopt_qualify => qualify an unqualified address; else error
1683 vopt_expn => called from SMTP EXPN command
1684 vopt_success_on_redirect => when a new address is generated
1685 the verification instantly succeeds
1686
1687 These ones are used by do_callout() -- the options variable
1688 is passed to it.
1689
1690 vopt_callout_fullpm => if postmaster check, do full one
1691 vopt_callout_no_cache => don't use callout cache
1692 vopt_callout_random => do the "random" thing
1693 vopt_callout_recipsender => use real sender for recipient
1694 vopt_callout_recippmaster => use postmaster for recipient
1695
1696 callout if > 0, specifies that callout is required, and gives timeout
1697 for individual commands
1698 callout_overall if > 0, gives overall timeout for the callout function;
1699 if < 0, a default is used (see do_callout())
1700 callout_connect the connection timeout for callouts
1701 se_mailfrom when callout is requested to verify a sender, use this
1702 in MAIL FROM; NULL => ""
1703 pm_mailfrom when callout is requested, if non-NULL, do the postmaster
1704 thing and use this as the sender address (may be "")
1705
1706 routed if not NULL, set TRUE if routing succeeded, so we can
1707 distinguish between routing failed and callout failed
1708
1709 Returns: OK address verified
1710 FAIL address failed to verify
1711 DEFER can't tell at present
1712 */
1713
1714 int
1715 verify_address(address_item *vaddr, FILE *f, int options, int callout,
1716 int callout_overall, int callout_connect, uschar *se_mailfrom,
1717 uschar *pm_mailfrom, BOOL *routed)
1718 {
1719 BOOL allok = TRUE;
1720 BOOL full_info = (f == NULL)? FALSE : (debug_selector != 0);
1721 BOOL is_recipient = (options & vopt_is_recipient) != 0;
1722 BOOL expn = (options & vopt_expn) != 0;
1723 BOOL success_on_redirect = (options & vopt_success_on_redirect) != 0;
1724 int i;
1725 int yield = OK;
1726 int verify_type = expn? v_expn :
1727 address_test_mode? v_none :
1728 is_recipient? v_recipient : v_sender;
1729 address_item *addr_list;
1730 address_item *addr_new = NULL;
1731 address_item *addr_remote = NULL;
1732 address_item *addr_local = NULL;
1733 address_item *addr_succeed = NULL;
1734 uschar **failure_ptr = is_recipient?
1735 &recipient_verify_failure : &sender_verify_failure;
1736 uschar *ko_prefix, *cr;
1737 uschar *address = vaddr->address;
1738 uschar *save_sender;
1739 uschar null_sender[] = { 0 }; /* Ensure writeable memory */
1740
1741 /* Clear, just in case */
1742
1743 *failure_ptr = NULL;
1744
1745 /* Set up a prefix and suffix for error message which allow us to use the same
1746 output statements both in EXPN mode (where an SMTP response is needed) and when
1747 debugging with an output file. */
1748
1749 if (expn)
1750 {
1751 ko_prefix = US"553 ";
1752 cr = US"\r";
1753 }
1754 else ko_prefix = cr = US"";
1755
1756 /* Add qualify domain if permitted; otherwise an unqualified address fails. */
1757
1758 if (parse_find_at(address) == NULL)
1759 {
1760 if ((options & vopt_qualify) == 0)
1761 {
1762 if (f != NULL)
1763 respond_printf(f, "%sA domain is required for \"%s\"%s\n",
1764 ko_prefix, address, cr);
1765 *failure_ptr = US"qualify";
1766 return FAIL;
1767 }
1768 address = rewrite_address_qualify(address, is_recipient);
1769 }
1770
1771 DEBUG(D_verify)
1772 {
1773 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1774 debug_printf("%s %s\n", address_test_mode? "Testing" : "Verifying", address);
1775 }
1776
1777 /* Rewrite and report on it. Clear the domain and local part caches - these
1778 may have been set by domains and local part tests during an ACL. */
1779
1780 if (global_rewrite_rules != NULL)
1781 {
1782 uschar *old = address;
1783 address = rewrite_address(address, is_recipient, FALSE,
1784 global_rewrite_rules, rewrite_existflags);
1785 if (address != old)
1786 {
1787 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->localpart_cache[i] = 0;
1788 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->domain_cache[i] = 0;
1789 if (f != NULL && !expn) fprintf(f, "Address rewritten as: %s\n", address);
1790 }
1791 }
1792
1793 /* If this is the real sender address, we must update sender_address at
1794 this point, because it may be referred to in the routers. */
1795
1796 if ((options & (vopt_fake_sender|vopt_is_recipient)) == 0)
1797 sender_address = address;
1798
1799 /* If the address was rewritten to <> no verification can be done, and we have
1800 to return OK. This rewriting is permitted only for sender addresses; for other
1801 addresses, such rewriting fails. */
1802
1803 if (address[0] == 0) return OK;
1804
1805 /* Flip the legacy TLS-related variables over to the outbound set in case
1806 they're used in the context of a transport used by verification. Reset them
1807 at exit from this routine. */
1808
1809 tls_modify_variables(&tls_out);
1810
1811 /* Save a copy of the sender address for re-instating if we change it to <>
1812 while verifying a sender address (a nice bit of self-reference there). */
1813
1814 save_sender = sender_address;
1815
1816 /* Update the address structure with the possibly qualified and rewritten
1817 address. Set it up as the starting address on the chain of new addresses. */
1818
1819 vaddr->address = address;
1820 addr_new = vaddr;
1821
1822 /* We need a loop, because an address can generate new addresses. We must also
1823 cope with generated pipes and files at the top level. (See also the code and
1824 comment in deliver.c.) However, it is usually the case that the router for
1825 user's .forward files has its verify flag turned off.
1826
1827 If an address generates more than one child, the loop is used only when
1828 full_info is set, and this can only be set locally. Remote enquiries just get
1829 information about the top level address, not anything that it generated. */
1830
1831 while (addr_new != NULL)
1832 {
1833 int rc;
1834 address_item *addr = addr_new;
1835
1836 addr_new = addr->next;
1837 addr->next = NULL;
1838
1839 DEBUG(D_verify)
1840 {
1841 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1842 debug_printf("Considering %s\n", addr->address);
1843 }
1844
1845 /* Handle generated pipe, file or reply addresses. We don't get these
1846 when handling EXPN, as it does only one level of expansion. */
1847
1848 if (testflag(addr, af_pfr))
1849 {
1850 allok = FALSE;
1851 if (f != NULL)
1852 {
1853 BOOL allow;
1854
1855 if (addr->address[0] == '>')
1856 {
1857 allow = testflag(addr, af_allow_reply);
1858 fprintf(f, "%s -> mail %s", addr->parent->address, addr->address + 1);
1859 }
1860 else
1861 {
1862 allow = (addr->address[0] == '|')?
1863 testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file);
1864 fprintf(f, "%s -> %s", addr->parent->address, addr->address);
1865 }
1866
1867 if (addr->basic_errno == ERRNO_BADTRANSPORT)
1868 fprintf(f, "\n*** Error in setting up pipe, file, or autoreply:\n"
1869 "%s\n", addr->message);
1870 else if (allow)
1871 fprintf(f, "\n transport = %s\n", addr->transport->name);
1872 else
1873 fprintf(f, " *** forbidden ***\n");
1874 }
1875 continue;
1876 }
1877
1878 /* Just in case some router parameter refers to it. */
1879
1880 return_path = (addr->p.errors_address != NULL)?
1881 addr->p.errors_address : sender_address;
1882
1883 /* Split the address into domain and local part, handling the %-hack if
1884 necessary, and then route it. While routing a sender address, set
1885 $sender_address to <> because that is what it will be if we were trying to
1886 send a bounce to the sender. */
1887
1888 if (routed != NULL) *routed = FALSE;
1889 if ((rc = deliver_split_address(addr)) == OK)
1890 {
1891 if (!is_recipient) sender_address = null_sender;
1892 rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
1893 &addr_succeed, verify_type);
1894 sender_address = save_sender; /* Put back the real sender */
1895 }
1896
1897 /* If routing an address succeeded, set the flag that remembers, for use when
1898 an ACL cached a sender verify (in case a callout fails). Then if routing set
1899 up a list of hosts or the transport has a host list, and the callout option
1900 is set, and we aren't in a host checking run, do the callout verification,
1901 and set another flag that notes that a callout happened. */
1902
1903 if (rc == OK)
1904 {
1905 if (routed != NULL) *routed = TRUE;
1906 if (callout > 0)
1907 {
1908 host_item *host_list = addr->host_list;
1909
1910 /* Make up some data for use in the case where there is no remote
1911 transport. */
1912
1913 transport_feedback tf = {
1914 NULL, /* interface (=> any) */
1915 US"smtp", /* port */
1916 US"smtp", /* protocol */
1917 NULL, /* hosts */
1918 US"$smtp_active_hostname", /* helo_data */
1919 FALSE, /* hosts_override */
1920 FALSE, /* hosts_randomize */
1921 FALSE, /* gethostbyname */
1922 TRUE, /* qualify_single */
1923 FALSE /* search_parents */
1924 };
1925
1926 /* If verification yielded a remote transport, we want to use that
1927 transport's options, so as to mimic what would happen if we were really
1928 sending a message to this address. */
1929
1930 if (addr->transport != NULL && !addr->transport->info->local)
1931 {
1932 (void)(addr->transport->setup)(addr->transport, addr, &tf, 0, 0, NULL);
1933
1934 /* If the transport has hosts and the router does not, or if the
1935 transport is configured to override the router's hosts, we must build a
1936 host list of the transport's hosts, and find the IP addresses */
1937
1938 if (tf.hosts != NULL && (host_list == NULL || tf.hosts_override))
1939 {
1940 uschar *s;
1941 const uschar *save_deliver_domain = deliver_domain;
1942 uschar *save_deliver_localpart = deliver_localpart;
1943
1944 host_list = NULL; /* Ignore the router's hosts */
1945
1946 deliver_domain = addr->domain;
1947 deliver_localpart = addr->local_part;
1948 s = expand_string(tf.hosts);
1949 deliver_domain = save_deliver_domain;
1950 deliver_localpart = save_deliver_localpart;
1951
1952 if (s == NULL)
1953 {
1954 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand list of hosts "
1955 "\"%s\" in %s transport for callout: %s", tf.hosts,
1956 addr->transport->name, expand_string_message);
1957 }
1958 else
1959 {
1960 int flags;
1961 host_item *host, *nexthost;
1962 host_build_hostlist(&host_list, s, tf.hosts_randomize);
1963
1964 /* Just ignore failures to find a host address. If we don't manage
1965 to find any addresses, the callout will defer. Note that more than
1966 one address may be found for a single host, which will result in
1967 additional host items being inserted into the chain. Hence we must
1968 save the next host first. */
1969
1970 flags = HOST_FIND_BY_A;
1971 if (tf.qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
1972 if (tf.search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
1973
1974 for (host = host_list; host != NULL; host = nexthost)
1975 {
1976 nexthost = host->next;
1977 if (tf.gethostbyname ||
1978 string_is_ip_address(host->name, NULL) != 0)
1979 (void)host_find_byname(host, NULL, flags, NULL, TRUE);
1980 else
1981 {
1982 uschar * d_request = NULL, * d_require = NULL;
1983 if (Ustrcmp(addr->transport->driver_name, "smtp") == 0)
1984 {
1985 smtp_transport_options_block * ob =
1986 (smtp_transport_options_block *)
1987 addr->transport->options_block;
1988 d_request = ob->dnssec_request_domains;
1989 d_require = ob->dnssec_require_domains;
1990 }
1991
1992 (void)host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
1993 d_request, d_require, NULL, NULL);
1994 }
1995 }
1996 }
1997 }
1998 }
1999
2000 /* Can only do a callout if we have at least one host! If the callout
2001 fails, it will have set ${sender,recipient}_verify_failure. */
2002
2003 if (host_list != NULL)
2004 {
2005 HDEBUG(D_verify) debug_printf("Attempting full verification using callout\n");
2006 if (host_checking && !host_checking_callout)
2007 {
2008 HDEBUG(D_verify)
2009 debug_printf("... callout omitted by default when host testing\n"
2010 "(Use -bhc if you want the callouts to happen.)\n");
2011 }
2012 else
2013 {
2014 #ifdef SUPPORT_TLS
2015 deliver_set_expansions(addr);
2016 #endif
2017 verify_mode = is_recipient ? US"R" : US"S";
2018 rc = do_callout(addr, host_list, &tf, callout, callout_overall,
2019 callout_connect, options, se_mailfrom, pm_mailfrom);
2020 verify_mode = NULL;
2021 }
2022 }
2023 else
2024 {
2025 HDEBUG(D_verify) debug_printf("Cannot do callout: neither router nor "
2026 "transport provided a host list\n");
2027 }
2028 }
2029 }
2030
2031 /* Otherwise, any failure is a routing failure */
2032
2033 else *failure_ptr = US"route";
2034
2035 /* A router may return REROUTED if it has set up a child address as a result
2036 of a change of domain name (typically from widening). In this case we always
2037 want to continue to verify the new child. */
2038
2039 if (rc == REROUTED) continue;
2040
2041 /* Handle hard failures */
2042
2043 if (rc == FAIL)
2044 {
2045 allok = FALSE;
2046 if (f != NULL)
2047 {
2048 address_item *p = addr->parent;
2049
2050 respond_printf(f, "%s%s %s", ko_prefix,
2051 full_info? addr->address : address,
2052 address_test_mode? "is undeliverable" : "failed to verify");
2053 if (!expn && admin_user)
2054 {
2055 if (addr->basic_errno > 0)
2056 respond_printf(f, ": %s", strerror(addr->basic_errno));
2057 if (addr->message != NULL)
2058 respond_printf(f, ": %s", addr->message);
2059 }
2060
2061 /* Show parents iff doing full info */
2062
2063 if (full_info) while (p != NULL)
2064 {
2065 respond_printf(f, "%s\n <-- %s", cr, p->address);
2066 p = p->parent;
2067 }
2068 respond_printf(f, "%s\n", cr);
2069 }
2070 cancel_cutthrough_connection("routing hard fail");
2071
2072 if (!full_info)
2073 {
2074 yield = copy_error(vaddr, addr, FAIL);
2075 goto out;
2076 }
2077 else yield = FAIL;
2078 }
2079
2080 /* Soft failure */
2081
2082 else if (rc == DEFER)
2083 {
2084 allok = FALSE;
2085 if (f != NULL)
2086 {
2087 address_item *p = addr->parent;
2088 respond_printf(f, "%s%s cannot be resolved at this time", ko_prefix,
2089 full_info? addr->address : address);
2090 if (!expn && admin_user)
2091 {
2092 if (addr->basic_errno > 0)
2093 respond_printf(f, ": %s", strerror(addr->basic_errno));
2094 if (addr->message != NULL)
2095 respond_printf(f, ": %s", addr->message);
2096 else if (addr->basic_errno <= 0)
2097 respond_printf(f, ": unknown error");
2098 }
2099
2100 /* Show parents iff doing full info */
2101
2102 if (full_info) while (p != NULL)
2103 {
2104 respond_printf(f, "%s\n <-- %s", cr, p->address);
2105 p = p->parent;
2106 }
2107 respond_printf(f, "%s\n", cr);
2108 }
2109 cancel_cutthrough_connection("routing soft fail");
2110
2111 if (!full_info)
2112 {
2113 yield = copy_error(vaddr, addr, DEFER);
2114 goto out;
2115 }
2116 else if (yield == OK) yield = DEFER;
2117 }
2118
2119 /* If we are handling EXPN, we do not want to continue to route beyond
2120 the top level (whose address is in "address"). */
2121
2122 else if (expn)
2123 {
2124 uschar *ok_prefix = US"250-";
2125 if (addr_new == NULL)
2126 {
2127 if (addr_local == NULL && addr_remote == NULL)
2128 respond_printf(f, "250 mail to <%s> is discarded\r\n", address);
2129 else
2130 respond_printf(f, "250 <%s>\r\n", address);
2131 }
2132 else while (addr_new != NULL)
2133 {
2134 address_item *addr2 = addr_new;
2135 addr_new = addr2->next;
2136 if (addr_new == NULL) ok_prefix = US"250 ";
2137 respond_printf(f, "%s<%s>\r\n", ok_prefix, addr2->address);
2138 }
2139 yield = OK;
2140 goto out;
2141 }
2142
2143 /* Successful routing other than EXPN. */
2144
2145 else
2146 {
2147 /* Handle successful routing when short info wanted. Otherwise continue for
2148 other (generated) addresses. Short info is the operational case. Full info
2149 can be requested only when debug_selector != 0 and a file is supplied.
2150
2151 There is a conflict between the use of aliasing as an alternate email
2152 address, and as a sort of mailing list. If an alias turns the incoming
2153 address into just one address (e.g. J.Caesar->jc44) you may well want to
2154 carry on verifying the generated address to ensure it is valid when
2155 checking incoming mail. If aliasing generates multiple addresses, you
2156 probably don't want to do this. Exim therefore treats the generation of
2157 just a single new address as a special case, and continues on to verify the
2158 generated address. */
2159
2160 if (!full_info && /* Stop if short info wanted AND */
2161 (((addr_new == NULL || /* No new address OR */
2162 addr_new->next != NULL || /* More than one new address OR */
2163 testflag(addr_new, af_pfr))) /* New address is pfr */
2164 || /* OR */
2165 (addr_new != NULL && /* At least one new address AND */
2166 success_on_redirect))) /* success_on_redirect is set */
2167 {
2168 if (f != NULL) fprintf(f, "%s %s\n", address,
2169 address_test_mode? "is deliverable" : "verified");
2170
2171 /* If we have carried on to verify a child address, we want the value
2172 of $address_data to be that of the child */
2173
2174 vaddr->p.address_data = addr->p.address_data;
2175 yield = OK;
2176 goto out;
2177 }
2178 }
2179 } /* Loop for generated addresses */
2180
2181 /* Display the full results of the successful routing, including any generated
2182 addresses. Control gets here only when full_info is set, which requires f not
2183 to be NULL, and this occurs only when a top-level verify is called with the
2184 debugging switch on.
2185
2186 If there are no local and no remote addresses, and there were no pipes, files,
2187 or autoreplies, and there were no errors or deferments, the message is to be
2188 discarded, usually because of the use of :blackhole: in an alias file. */
2189
2190 if (allok && addr_local == NULL && addr_remote == NULL)
2191 {
2192 fprintf(f, "mail to %s is discarded\n", address);
2193 goto out;
2194 }
2195
2196 for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
2197 {
2198 while (addr_list != NULL)
2199 {
2200 address_item *addr = addr_list;
2201 address_item *p = addr->parent;
2202 addr_list = addr->next;
2203
2204 fprintf(f, "%s", CS addr->address);
2205 #ifdef EXPERIMENTAL_SRS
2206 if(addr->p.srs_sender)
2207 fprintf(f, " [srs = %s]", addr->p.srs_sender);
2208 #endif
2209
2210 /* If the address is a duplicate, show something about it. */
2211
2212 if (!testflag(addr, af_pfr))
2213 {
2214 tree_node *tnode;
2215 if ((tnode = tree_search(tree_duplicates, addr->unique)) != NULL)
2216 fprintf(f, " [duplicate, would not be delivered]");
2217 else tree_add_duplicate(addr->unique, addr);
2218 }
2219
2220 /* Now show its parents */
2221
2222 while (p != NULL)
2223 {
2224 fprintf(f, "\n <-- %s", p->address);
2225 p = p->parent;
2226 }
2227 fprintf(f, "\n ");
2228
2229 /* Show router, and transport */
2230
2231 fprintf(f, "router = %s, ", addr->router->name);
2232 fprintf(f, "transport = %s\n", (addr->transport == NULL)? US"unset" :
2233 addr->transport->name);
2234
2235 /* Show any hosts that are set up by a router unless the transport
2236 is going to override them; fiddle a bit to get a nice format. */
2237
2238 if (addr->host_list != NULL && addr->transport != NULL &&
2239 !addr->transport->overrides_hosts)
2240 {
2241 host_item *h;
2242 int maxlen = 0;
2243 int maxaddlen = 0;
2244 for (h = addr->host_list; h != NULL; h = h->next)
2245 {
2246 int len = Ustrlen(h->name);
2247 if (len > maxlen) maxlen = len;
2248 len = (h->address != NULL)? Ustrlen(h->address) : 7;
2249 if (len > maxaddlen) maxaddlen = len;
2250 }
2251 for (h = addr->host_list; h != NULL; h = h->next)
2252 {
2253 int len = Ustrlen(h->name);
2254 fprintf(f, " host %s ", h->name);
2255 while (len++ < maxlen) fprintf(f, " ");
2256 if (h->address != NULL)
2257 {
2258 fprintf(f, "[%s] ", h->address);
2259 len = Ustrlen(h->address);
2260 }
2261 else if (!addr->transport->info->local) /* Omit [unknown] for local */
2262 {
2263 fprintf(f, "[unknown] ");
2264 len = 7;
2265 }
2266 else len = -3;
2267 while (len++ < maxaddlen) fprintf(f," ");
2268 if (h->mx >= 0) fprintf(f, "MX=%d", h->mx);
2269 if (h->port != PORT_NONE) fprintf(f, " port=%d", h->port);
2270 if (h->status == hstatus_unusable) fprintf(f, " ** unusable **");
2271 fprintf(f, "\n");
2272 }
2273 }
2274 }
2275 }
2276
2277 /* Yield will be DEFER or FAIL if any one address has, only for full_info (which is
2278 the -bv or -bt case). */
2279
2280 out:
2281 tls_modify_variables(&tls_in);
2282
2283 return yield;
2284 }
2285
2286
2287
2288
2289 /*************************************************
2290 * Check headers for syntax errors *
2291 *************************************************/
2292
2293 /* This function checks those header lines that contain addresses, and verifies
2294 that all the addresses therein are syntactially correct.
2295
2296 Arguments:
2297 msgptr where to put an error message
2298
2299 Returns: OK
2300 FAIL
2301 */
2302
2303 int
2304 verify_check_headers(uschar **msgptr)
2305 {
2306 header_line *h;
2307 uschar *colon, *s;
2308 int yield = OK;
2309
2310 for (h = header_list; h != NULL && yield == OK; h = h->next)
2311 {
2312 if (h->type != htype_from &&
2313 h->type != htype_reply_to &&
2314 h->type != htype_sender &&
2315 h->type != htype_to &&
2316 h->type != htype_cc &&
2317 h->type != htype_bcc)
2318 continue;
2319
2320 colon = Ustrchr(h->text, ':');
2321 s = colon + 1;
2322 while (isspace(*s)) s++;
2323
2324 /* Loop for multiple addresses in the header, enabling group syntax. Note
2325 that we have to reset this after the header has been scanned. */
2326
2327 parse_allow_group = TRUE;
2328
2329 while (*s != 0)
2330 {
2331 uschar *ss = parse_find_address_end(s, FALSE);
2332 uschar *recipient, *errmess;
2333 int terminator = *ss;
2334 int start, end, domain;
2335
2336 /* Temporarily terminate the string at this point, and extract the
2337 operative address within, allowing group syntax. */
2338
2339 *ss = 0;
2340 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
2341 *ss = terminator;
2342
2343 /* Permit an unqualified address only if the message is local, or if the
2344 sending host is configured to be permitted to send them. */
2345
2346 if (recipient != NULL && domain == 0)
2347 {
2348 if (h->type == htype_from || h->type == htype_sender)
2349 {
2350 if (!allow_unqualified_sender) recipient = NULL;
2351 }
2352 else
2353 {
2354 if (!allow_unqualified_recipient) recipient = NULL;
2355 }
2356 if (recipient == NULL) errmess = US"unqualified address not permitted";
2357 }
2358
2359 /* It's an error if no address could be extracted, except for the special
2360 case of an empty address. */
2361
2362 if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0)
2363 {
2364 uschar *verb = US"is";
2365 uschar *t = ss;
2366 uschar *tt = colon;
2367 int len;
2368
2369 /* Arrange not to include any white space at the end in the
2370 error message or the header name. */
2371
2372 while (t > s && isspace(t[-1])) t--;
2373 while (tt > h->text && isspace(tt[-1])) tt--;
2374
2375 /* Add the address that failed to the error message, since in a
2376 header with very many addresses it is sometimes hard to spot
2377 which one is at fault. However, limit the amount of address to
2378 quote - cases have been seen where, for example, a missing double
2379 quote in a humungous To: header creates an "address" that is longer
2380 than string_sprintf can handle. */
2381
2382 len = t - s;
2383 if (len > 1024)
2384 {
2385 len = 1024;
2386 verb = US"begins";
2387 }
2388
2389 /* deconst cast ok as we're passing a non-const to string_printing() */
2390 *msgptr = US string_printing(
2391 string_sprintf("%s: failing address in \"%.*s:\" header %s: %.*s",
2392 errmess, tt - h->text, h->text, verb, len, s));
2393
2394 yield = FAIL;
2395 break; /* Out of address loop */
2396 }
2397
2398 /* Advance to the next address */
2399
2400 s = ss + (terminator? 1:0);
2401 while (isspace(*s)) s++;
2402 } /* Next address */
2403
2404 parse_allow_group = FALSE;
2405 parse_found_group = FALSE;
2406 } /* Next header unless yield has been set FALSE */
2407
2408 return yield;
2409 }
2410
2411
2412 /*************************************************
2413 * Check header names for 8-bit characters *
2414 *************************************************/
2415
2416 /* This function checks for invalid charcters in header names. See
2417 RFC 5322, 2.2. and RFC 6532, 3.
2418
2419 Arguments:
2420 msgptr where to put an error message
2421
2422 Returns: OK
2423 FAIL
2424 */
2425
2426 int
2427 verify_check_header_names_ascii(uschar **msgptr)
2428 {
2429 header_line *h;
2430 uschar *colon, *s;
2431
2432 for (h = header_list; h != NULL; h = h->next)
2433 {
2434 colon = Ustrchr(h->text, ':');
2435 for(s = h->text; s < colon; s++)
2436 {
2437 if ((*s < 33) || (*s > 126))
2438 {
2439 *msgptr = string_sprintf("Invalid character in header \"%.*s\" found",
2440 colon - h->text, h->text);
2441 return FAIL;
2442 }
2443 }
2444 }
2445 return OK;
2446 }
2447
2448 /*************************************************
2449 * Check for blind recipients *
2450 *************************************************/
2451
2452 /* This function checks that every (envelope) recipient is mentioned in either
2453 the To: or Cc: header lines, thus detecting blind carbon copies.
2454
2455 There are two ways of scanning that could be used: either scan the header lines
2456 and tick off the recipients, or scan the recipients and check the header lines.
2457 The original proposed patch did the former, but I have chosen to do the latter,
2458 because (a) it requires no memory and (b) will use fewer resources when there
2459 are many addresses in To: and/or Cc: and only one or two envelope recipients.
2460
2461 Arguments: none
2462 Returns: OK if there are no blind recipients
2463 FAIL if there is at least one blind recipient
2464 */
2465
2466 int
2467 verify_check_notblind(void)
2468 {
2469 int i;
2470 for (i = 0; i < recipients_count; i++)
2471 {
2472 header_line *h;
2473 BOOL found = FALSE;
2474 uschar *address = recipients_list[i].address;
2475
2476 for (h = header_list; !found && h != NULL; h = h->next)
2477 {
2478 uschar *colon, *s;
2479
2480 if (h->type != htype_to && h->type != htype_cc) continue;
2481
2482 colon = Ustrchr(h->text, ':');
2483 s = colon + 1;
2484 while (isspace(*s)) s++;
2485
2486 /* Loop for multiple addresses in the header, enabling group syntax. Note
2487 that we have to reset this after the header has been scanned. */
2488
2489 parse_allow_group = TRUE;
2490
2491 while (*s != 0)
2492 {
2493 uschar *ss = parse_find_address_end(s, FALSE);
2494 uschar *recipient,*errmess;
2495 int terminator = *ss;
2496 int start, end, domain;
2497
2498 /* Temporarily terminate the string at this point, and extract the
2499 operative address within, allowing group syntax. */
2500
2501 *ss = 0;
2502 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
2503 *ss = terminator;
2504
2505 /* If we found a valid recipient that has a domain, compare it with the
2506 envelope recipient. Local parts are compared case-sensitively, domains
2507 case-insensitively. By comparing from the start with length "domain", we
2508 include the "@" at the end, which ensures that we are comparing the whole
2509 local part of each address. */
2510
2511 if (recipient != NULL && domain != 0)
2512 {
2513 found = Ustrncmp(recipient, address, domain) == 0 &&
2514 strcmpic(recipient + domain, address + domain) == 0;
2515 if (found) break;
2516 }
2517
2518 /* Advance to the next address */
2519
2520 s = ss + (terminator? 1:0);
2521 while (isspace(*s)) s++;
2522 } /* Next address */
2523
2524 parse_allow_group = FALSE;
2525 parse_found_group = FALSE;
2526 } /* Next header (if found is false) */
2527
2528 if (!found) return FAIL;
2529 } /* Next recipient */
2530
2531 return OK;
2532 }
2533
2534
2535
2536 /*************************************************
2537 * Find if verified sender *
2538 *************************************************/
2539
2540 /* Usually, just a single address is verified as the sender of the message.
2541 However, Exim can be made to verify other addresses as well (often related in
2542 some way), and this is useful in some environments. There may therefore be a
2543 chain of such addresses that have previously been tested. This function finds
2544 whether a given address is on the chain.
2545
2546 Arguments: the address to be verified
2547 Returns: pointer to an address item, or NULL
2548 */
2549
2550 address_item *
2551 verify_checked_sender(uschar *sender)
2552 {
2553 address_item *addr;
2554 for (addr = sender_verified_list; addr != NULL; addr = addr->next)
2555 if (Ustrcmp(sender, addr->address) == 0) break;
2556 return addr;
2557 }
2558
2559
2560
2561
2562
2563 /*************************************************
2564 * Get valid header address *
2565 *************************************************/
2566
2567 /* Scan the originator headers of the message, looking for an address that
2568 verifies successfully. RFC 822 says:
2569
2570 o The "Sender" field mailbox should be sent notices of
2571 any problems in transport or delivery of the original
2572 messages. If there is no "Sender" field, then the
2573 "From" field mailbox should be used.
2574
2575 o If the "Reply-To" field exists, then the reply should
2576 go to the addresses indicated in that field and not to
2577 the address(es) indicated in the "From" field.
2578
2579 So we check a Sender field if there is one, else a Reply_to field, else a From
2580 field. As some strange messages may have more than one of these fields,
2581 especially if they are resent- fields, check all of them if there is more than
2582 one.
2583
2584 Arguments:
2585 user_msgptr points to where to put a user error message
2586 log_msgptr points to where to put a log error message
2587 callout timeout for callout check (passed to verify_address())
2588 callout_overall overall callout timeout (ditto)
2589 callout_connect connect callout timeout (ditto)
2590 se_mailfrom mailfrom for verify; NULL => ""
2591 pm_mailfrom sender for pm callout check (passed to verify_address())
2592 options callout options (passed to verify_address())
2593 verrno where to put the address basic_errno
2594
2595 If log_msgptr is set to something without setting user_msgptr, the caller
2596 normally uses log_msgptr for both things.
2597
2598 Returns: result of the verification attempt: OK, FAIL, or DEFER;
2599 FAIL is given if no appropriate headers are found
2600 */
2601
2602 int
2603 verify_check_header_address(uschar **user_msgptr, uschar **log_msgptr,
2604 int callout, int callout_overall, int callout_connect, uschar *se_mailfrom,
2605 uschar *pm_mailfrom, int options, int *verrno)
2606 {
2607 static int header_types[] = { htype_sender, htype_reply_to, htype_from };
2608 BOOL done = FALSE;
2609 int yield = FAIL;
2610 int i;
2611
2612 for (i = 0; i < 3 && !done; i++)
2613 {
2614 header_line *h;
2615 for (h = header_list; h != NULL && !done; h = h->next)
2616 {
2617 int terminator, new_ok;
2618 uschar *s, *ss, *endname;
2619
2620 if (h->type != header_types[i]) continue;
2621 s = endname = Ustrchr(h->text, ':') + 1;
2622
2623 /* Scan the addresses in the header, enabling group syntax. Note that we
2624 have to reset this after the header has been scanned. */
2625
2626 parse_allow_group = TRUE;
2627
2628 while (*s != 0)
2629 {
2630 address_item *vaddr;
2631
2632 while (isspace(*s) || *s == ',') s++;
2633 if (*s == 0) break; /* End of header */
2634
2635 ss = parse_find_address_end(s, FALSE);
2636
2637 /* The terminator is a comma or end of header, but there may be white
2638 space preceding it (including newline for the last address). Move back
2639 past any white space so we can check against any cached envelope sender
2640 address verifications. */
2641
2642 while (isspace(ss[-1])) ss--;
2643 terminator = *ss;
2644 *ss = 0;
2645
2646 HDEBUG(D_verify) debug_printf("verifying %.*s header address %s\n",
2647 (int)(endname - h->text), h->text, s);
2648
2649 /* See if we have already verified this address as an envelope sender,
2650 and if so, use the previous answer. */
2651
2652 vaddr = verify_checked_sender(s);
2653
2654 if (vaddr != NULL && /* Previously checked */
2655 (callout <= 0 || /* No callout needed; OR */
2656 vaddr->special_action > 256)) /* Callout was done */
2657 {
2658 new_ok = vaddr->special_action & 255;
2659 HDEBUG(D_verify) debug_printf("previously checked as envelope sender\n");
2660 *ss = terminator; /* Restore shortened string */
2661 }
2662
2663 /* Otherwise we run the verification now. We must restore the shortened
2664 string before running the verification, so the headers are correct, in
2665 case there is any rewriting. */
2666
2667 else
2668 {
2669 int start, end, domain;
2670 uschar *address = parse_extract_address(s, log_msgptr, &start, &end,
2671 &domain, FALSE);
2672
2673 *ss = terminator;
2674
2675 /* If we found an empty address, just carry on with the next one, but
2676 kill the message. */
2677
2678 if (address == NULL && Ustrcmp(*log_msgptr, "empty address") == 0)
2679 {
2680 *log_msgptr = NULL;
2681 s = ss;
2682 continue;
2683 }
2684
2685 /* If verification failed because of a syntax error, fail this
2686 function, and ensure that the failing address gets added to the error
2687 message. */
2688
2689 if (address == NULL)
2690 {
2691 new_ok = FAIL;
2692 while (ss > s && isspace(ss[-1])) ss--;
2693 *log_msgptr = string_sprintf("syntax error in '%.*s' header when "
2694 "scanning for sender: %s in \"%.*s\"",
2695 endname - h->text, h->text, *log_msgptr, ss - s, s);
2696 yield = FAIL;
2697 done = TRUE;
2698 break;
2699 }
2700
2701 /* Else go ahead with the sender verification. But it isn't *the*
2702 sender of the message, so set vopt_fake_sender to stop sender_address
2703 being replaced after rewriting or qualification. */
2704
2705 else
2706 {
2707 vaddr = deliver_make_addr(address, FALSE);
2708 new_ok = verify_address(vaddr, NULL, options | vopt_fake_sender,
2709 callout, callout_overall, callout_connect, se_mailfrom,
2710 pm_mailfrom, NULL);
2711 }
2712 }
2713
2714 /* We now have the result, either newly found, or cached. If we are
2715 giving out error details, set a specific user error. This means that the
2716 last of these will be returned to the user if all three fail. We do not
2717 set a log message - the generic one below will be used. */
2718
2719 if (new_ok != OK)
2720 {
2721 *verrno = vaddr->basic_errno;
2722 if (smtp_return_error_details)
2723 {
2724 *user_msgptr = string_sprintf("Rejected after DATA: "
2725 "could not verify \"%.*s\" header address\n%s: %s",
2726 endname - h->text, h->text, vaddr->address, vaddr->message);
2727 }
2728 }
2729
2730 /* Success or defer */
2731
2732 if (new_ok == OK)
2733 {
2734 yield = OK;
2735 done = TRUE;
2736 break;
2737 }
2738
2739 if (new_ok == DEFER) yield = DEFER;
2740
2741 /* Move on to any more addresses in the header */
2742
2743 s = ss;
2744 } /* Next address */
2745
2746 parse_allow_group = FALSE;
2747 parse_found_group = FALSE;
2748 } /* Next header, unless done */
2749 } /* Next header type unless done */
2750
2751 if (yield == FAIL && *log_msgptr == NULL)
2752 *log_msgptr = US"there is no valid sender in any header line";
2753
2754 if (yield == DEFER && *log_msgptr == NULL)
2755 *log_msgptr = US"all attempts to verify a sender in a header line deferred";
2756
2757 return yield;
2758 }
2759
2760
2761
2762
2763 /*************************************************
2764 * Get RFC 1413 identification *
2765 *************************************************/
2766
2767 /* Attempt to get an id from the sending machine via the RFC 1413 protocol. If
2768 the timeout is set to zero, then the query is not done. There may also be lists
2769 of hosts and nets which are exempt. To guard against malefactors sending
2770 non-printing characters which could, for example, disrupt a message's headers,
2771 make sure the string consists of printing characters only.
2772
2773 Argument:
2774 port the port to connect to; usually this is IDENT_PORT (113), but when
2775 running in the test harness with -bh a different value is used.
2776
2777 Returns: nothing
2778
2779 Side effect: any received ident value is put in sender_ident (NULL otherwise)
2780 */
2781
2782 void
2783 verify_get_ident(int port)
2784 {
2785 int sock, host_af, qlen;
2786 int received_sender_port, received_interface_port, n;
2787 uschar *p;
2788 uschar buffer[2048];
2789
2790 /* Default is no ident. Check whether we want to do an ident check for this
2791 host. */
2792
2793 sender_ident = NULL;
2794 if (rfc1413_query_timeout <= 0 || verify_check_host(&rfc1413_hosts) != OK)
2795 return;
2796
2797 DEBUG(D_ident) debug_printf("doing ident callback\n");
2798
2799 /* Set up a connection to the ident port of the remote host. Bind the local end
2800 to the incoming interface address. If the sender host address is an IPv6
2801 address, the incoming interface address will also be IPv6. */
2802
2803 host_af = (Ustrchr(sender_host_address, ':') == NULL)? AF_INET : AF_INET6;
2804 sock = ip_socket(SOCK_STREAM, host_af);
2805 if (sock < 0) return;
2806
2807 if (ip_bind(sock, host_af, interface_address, 0) < 0)
2808 {
2809 DEBUG(D_ident) debug_printf("bind socket for ident failed: %s\n",
2810 strerror(errno));
2811 goto END_OFF;
2812 }
2813
2814 if (ip_connect(sock, host_af, sender_host_address, port, rfc1413_query_timeout)
2815 < 0)
2816 {
2817 if (errno == ETIMEDOUT && (log_extra_selector & LX_ident_timeout) != 0)
2818 {
2819 log_write(0, LOG_MAIN, "ident connection to %s timed out",
2820 sender_host_address);
2821 }
2822 else
2823 {
2824 DEBUG(D_ident) debug_printf("ident connection to %s failed: %s\n",
2825 sender_host_address, strerror(errno));
2826 }
2827 goto END_OFF;
2828 }
2829
2830 /* Construct and send the query. */
2831
2832 sprintf(CS buffer, "%d , %d\r\n", sender_host_port, interface_port);
2833 qlen = Ustrlen(buffer);
2834 if (send(sock, buffer, qlen, 0) < 0)
2835 {
2836 DEBUG(D_ident) debug_printf("ident send failed: %s\n", strerror(errno));
2837 goto END_OFF;
2838 }
2839
2840 /* Read a response line. We put it into the rest of the buffer, using several
2841 recv() calls if necessary. */
2842
2843 p = buffer + qlen;
2844
2845 for (;;)
2846 {
2847 uschar *pp;
2848 int count;
2849 int size = sizeof(buffer) - (p - buffer);
2850
2851 if (size <= 0) goto END_OFF; /* Buffer filled without seeing \n. */
2852 count = ip_recv(sock, p, size, rfc1413_query_timeout);
2853 if (count <= 0) goto END_OFF; /* Read error or EOF */
2854
2855 /* Scan what we just read, to see if we have reached the terminating \r\n. Be
2856 generous, and accept a plain \n terminator as well. The only illegal
2857 character is 0. */
2858
2859 for (pp = p; pp < p + count; pp++)
2860 {
2861 if (*pp == 0) goto END_OFF; /* Zero octet not allowed */
2862 if (*pp == '\n')
2863 {
2864 if (pp[-1] == '\r') pp--;
2865 *pp = 0;
2866 goto GOT_DATA; /* Break out of both loops */
2867 }
2868 }
2869
2870 /* Reached the end of the data without finding \n. Let the loop continue to
2871 read some more, if there is room. */
2872
2873 p = pp;
2874 }
2875
2876 GOT_DATA:
2877
2878 /* We have received a line of data. Check it carefully. It must start with the
2879 same two port numbers that we sent, followed by data as defined by the RFC. For
2880 example,
2881
2882 12345 , 25 : USERID : UNIX :root
2883
2884 However, the amount of white space may be different to what we sent. In the
2885 "osname" field there may be several sub-fields, comma separated. The data we
2886 actually want to save follows the third colon. Some systems put leading spaces
2887 in it - we discard those. */
2888
2889 if (sscanf(CS buffer + qlen, "%d , %d%n", &received_sender_port,
2890 &received_interface_port, &n) != 2 ||
2891 received_sender_port != sender_host_port ||
2892 received_interface_port != interface_port)
2893 goto END_OFF;
2894
2895 p = buffer + qlen + n;
2896 while(isspace(*p)) p++;
2897 if (*p++ != ':') goto END_OFF;
2898 while(isspace(*p)) p++;
2899 if (Ustrncmp(p, "USERID", 6) != 0) goto END_OFF;
2900 p += 6;
2901 while(isspace(*p)) p++;
2902 if (*p++ != ':') goto END_OFF;
2903 while (*p != 0 && *p != ':') p++;
2904 if (*p++ == 0) goto END_OFF;
2905 while(isspace(*p)) p++;
2906 if (*p == 0) goto END_OFF;
2907
2908 /* The rest of the line is the data we want. We turn it into printing
2909 characters when we save it, so that it cannot mess up the format of any logging
2910 or Received: lines into which it gets inserted. We keep a maximum of 127
2911 characters. The deconst cast is ok as we fed a nonconst to string_printing() */
2912
2913 sender_ident = US string_printing(string_copyn(p, 127));
2914 DEBUG(D_ident) debug_printf("sender_ident = %s\n", sender_ident);
2915
2916 END_OFF:
2917 (void)close(sock);
2918 return;
2919 }
2920
2921
2922
2923
2924 /*************************************************
2925 * Match host to a single host-list item *
2926 *************************************************/
2927
2928 /* This function compares a host (name or address) against a single item
2929 from a host list. The host name gets looked up if it is needed and is not
2930 already known. The function is called from verify_check_this_host() via
2931 match_check_list(), which is why most of its arguments are in a single block.
2932
2933 Arguments:
2934 arg the argument block (see below)
2935 ss the host-list item
2936 valueptr where to pass back looked up data, or NULL
2937 error for error message when returning ERROR
2938
2939 The block contains:
2940 host_name (a) the host name, or
2941 (b) NULL, implying use sender_host_name and
2942 sender_host_aliases, looking them up if required, or
2943 (c) the empty string, meaning that only IP address matches
2944 are permitted
2945 host_address the host address
2946 host_ipv4 the IPv4 address taken from an IPv6 one
2947
2948 Returns: OK matched
2949 FAIL did not match
2950 DEFER lookup deferred
2951 ERROR (a) failed to find the host name or IP address, or
2952 (b) unknown lookup type specified, or
2953 (c) host name encountered when only IP addresses are
2954 being matched
2955 */
2956
2957 int
2958 check_host(void *arg, const uschar *ss, const uschar **valueptr, uschar **error)
2959 {
2960 check_host_block *cb = (check_host_block *)arg;
2961 int mlen = -1;
2962 int maskoffset;
2963 BOOL iplookup = FALSE;
2964 BOOL isquery = FALSE;
2965 BOOL isiponly = cb->host_name != NULL && cb->host_name[0] == 0;
2966 const uschar *t;
2967 uschar *semicolon;
2968 uschar **aliases;
2969
2970 /* Optimize for the special case when the pattern is "*". */
2971
2972 if (*ss == '*' && ss[1] == 0) return OK;
2973
2974 /* If the pattern is empty, it matches only in the case when there is no host -
2975 this can occur in ACL checking for SMTP input using the -bs option. In this
2976 situation, the host address is the empty string. */
2977
2978 if (cb->host_address[0] == 0) return (*ss == 0)? OK : FAIL;
2979 if (*ss == 0) return FAIL;
2980
2981 /* If the pattern is precisely "@" then match against the primary host name,
2982 provided that host name matching is permitted; if it's "@[]" match against the
2983 local host's IP addresses. */
2984
2985 if (*ss == '@')
2986 {
2987 if (ss[1] == 0)
2988 {
2989 if (isiponly) return ERROR;
2990 ss = primary_hostname;
2991 }
2992 else if (Ustrcmp(ss, "@[]") == 0)
2993 {
2994 ip_address_item *ip;
2995 for (ip = host_find_interfaces(); ip != NULL; ip = ip->next)
2996 if (Ustrcmp(ip->address, cb->host_address) == 0) return OK;
2997 return FAIL;
2998 }
2999 }
3000
3001 /* If the pattern is an IP address, optionally followed by a bitmask count, do
3002 a (possibly masked) comparision with the current IP address. */
3003
3004 if (string_is_ip_address(ss, &maskoffset) != 0)
3005 return (host_is_in_net(cb->host_address, ss, maskoffset)? OK : FAIL);
3006
3007 /* The pattern is not an IP address. A common error that people make is to omit
3008 one component of an IPv4 address, either by accident, or believing that, for
3009 example, 1.2.3/24 is the same as 1.2.3.0/24, or 1.2.3 is the same as 1.2.3.0,
3010 which it isn't. (Those applications that do accept 1.2.3 as an IP address
3011 interpret it as 1.2.0.3 because the final component becomes 16-bit - this is an
3012 ancient specification.) To aid in debugging these cases, we give a specific
3013 error if the pattern contains only digits and dots or contains a slash preceded
3014 only by digits and dots (a slash at the start indicates a file name and of
3015 course slashes may be present in lookups, but not preceded only by digits and
3016 dots). */
3017
3018 for (t = ss; isdigit(*t) || *t == '.'; t++);
3019 if (*t == 0 || (*t == '/' && t != ss))
3020 {
3021 *error = US"malformed IPv4 address or address mask";
3022 return ERROR;
3023 }
3024
3025 /* See if there is a semicolon in the pattern */
3026
3027 semicolon = Ustrchr(ss, ';');
3028
3029 /* If we are doing an IP address only match, then all lookups must be IP
3030 address lookups, even if there is no "net-". */
3031
3032 if (isiponly)
3033 {
3034 iplookup = semicolon != NULL;
3035 }
3036
3037 /* Otherwise, if the item is of the form net[n]-lookup;<file|query> then it is
3038 a lookup on a masked IP network, in textual form. We obey this code even if we
3039 have already set iplookup, so as to skip over the "net-" prefix and to set the
3040 mask length. The net- stuff really only applies to single-key lookups where the
3041 key is implicit. For query-style lookups the key is specified in the query.
3042 From release 4.30, the use of net- for query style is no longer needed, but we
3043 retain it for backward compatibility. */
3044
3045 if (Ustrncmp(ss, "net", 3) == 0 && semicolon != NULL)
3046 {
3047 mlen = 0;
3048 for (t = ss + 3; isdigit(*t); t++) mlen = mlen * 10 + *t - '0';
3049 if (mlen == 0 && t == ss+3) mlen = -1; /* No mask supplied */
3050 iplookup = (*t++ == '-');
3051 }
3052 else t = ss;
3053
3054 /* Do the IP address lookup if that is indeed what we have */
3055
3056 if (iplookup)
3057 {
3058 int insize;
3059 int search_type;
3060 int incoming[4];
3061 void *handle;
3062 uschar *filename, *key, *result;
3063 uschar buffer[64];
3064
3065 /* Find the search type */
3066
3067 search_type = search_findtype(t, semicolon - t);
3068
3069 if (search_type < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
3070 search_error_message);
3071
3072 /* Adjust parameters for the type of lookup. For a query-style lookup, there
3073 is no file name, and the "key" is just the query. For query-style with a file
3074 name, we have to fish the file off the start of the query. For a single-key
3075 lookup, the key is the current IP address, masked appropriately, and
3076 reconverted to text form, with the mask appended. For IPv6 addresses, specify
3077 dot separators instead of colons, except when the lookup type is "iplsearch".
3078 */
3079
3080 if (mac_islookup(search_type, lookup_absfilequery))
3081 {
3082 filename = semicolon + 1;
3083 key = filename;
3084 while (*key != 0 && !isspace(*key)) key++;
3085 filename = string_copyn(filename, key - filename);
3086 while (isspace(*key)) key++;
3087 }
3088 else if (mac_islookup(search_type, lookup_querystyle))
3089 {
3090 filename = NULL;
3091 key = semicolon + 1;
3092 }
3093 else /* Single-key style */
3094 {
3095 int sep = (Ustrcmp(lookup_list[search_type]->name, "iplsearch") == 0)?
3096 ':' : '.';
3097 insize = host_aton(cb->host_address, incoming);
3098 host_mask(insize, incoming, mlen);
3099 (void)host_nmtoa(insize, incoming, mlen, buffer, sep);
3100 key = buffer;
3101 filename = semicolon + 1;
3102 }
3103
3104 /* Now do the actual lookup; note that there is no search_close() because
3105 of the caching arrangements. */
3106
3107 handle = search_open(filename, search_type, 0, NULL, NULL);
3108 if (handle == NULL) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
3109 search_error_message);
3110 result = search_find(handle, filename, key, -1, NULL, 0, 0, NULL);
3111 if (valueptr != NULL) *valueptr = result;
3112 return (result != NULL)? OK : search_find_defer? DEFER: FAIL;
3113 }
3114
3115 /* The pattern is not an IP address or network reference of any kind. That is,
3116 it is a host name pattern. If this is an IP only match, there's an error in the
3117 host list. */
3118
3119 if (isiponly)
3120 {
3121 *error = US"cannot match host name in match_ip list";
3122 return ERROR;
3123 }
3124
3125 /* Check the characters of the pattern to see if they comprise only letters,
3126 digits, full stops, and hyphens (the constituents of domain names). Allow
3127 underscores, as they are all too commonly found. Sigh. Also, if
3128 allow_utf8_domains is set, allow top-bit characters. */
3129
3130 for (t = ss; *t != 0; t++)
3131 if (!isalnum(*t) && *t != '.' && *t != '-' && *t != '_' &&
3132 (!allow_utf8_domains || *t < 128)) break;
3133
3134 /* If the pattern is a complete domain name, with no fancy characters, look up
3135 its IP address and match against that. Note that a multi-homed host will add
3136 items to the chain. */
3137
3138 if (*t == 0)
3139 {
3140 int rc;
3141 host_item h;
3142 h.next = NULL;
3143 h.name = ss;
3144 h.address = NULL;
3145 h.mx = MX_NONE;
3146
3147 rc = host_find_byname(&h, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, FALSE);
3148 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
3149 {
3150 host_item *hh;
3151 for (hh = &h; hh != NULL; hh = hh->next)
3152 {
3153 if (host_is_in_net(hh->address, cb->host_address, 0)) return OK;
3154 }
3155 return FAIL;
3156 }
3157 if (rc == HOST_FIND_AGAIN) return DEFER;
3158 *error = string_sprintf("failed to find IP address for %s", ss);
3159 return ERROR;
3160 }
3161
3162 /* Almost all subsequent comparisons require the host name, and can be done
3163 using the general string matching function. When this function is called for
3164 outgoing hosts, the name is always given explicitly. If it is NULL, it means we
3165 must use sender_host_name and its aliases, looking them up if necessary. */
3166
3167 if (cb->host_name != NULL) /* Explicit host name given */
3168 return match_check_string(cb->host_name, ss, -1, TRUE, TRUE, TRUE,
3169 valueptr);
3170
3171 /* Host name not given; in principle we need the sender host name and its
3172 aliases. However, for query-style lookups, we do not need the name if the
3173 query does not contain $sender_host_name. From release 4.23, a reference to
3174 $sender_host_name causes it to be looked up, so we don't need to do the lookup
3175 on spec. */
3176
3177 if ((semicolon = Ustrchr(ss, ';')) != NULL)
3178 {
3179 const uschar *affix;
3180 int partial, affixlen, starflags, id;
3181
3182 *semicolon = 0;
3183 id = search_findtype_partial(ss, &partial, &affix, &affixlen, &starflags);
3184 *semicolon=';';
3185
3186 if (id < 0) /* Unknown lookup type */
3187 {
3188 log_write(0, LOG_MAIN|LOG_PANIC, "%s in host list item \"%s\"",
3189 search_error_message, ss);
3190 return DEFER;
3191 }
3192 isquery = mac_islookup(id, lookup_querystyle|lookup_absfilequery);
3193 }
3194
3195 if (isquery)
3196 {
3197 switch(match_check_string(US"", ss, -1, TRUE, TRUE, TRUE, valueptr))
3198 {
3199 case OK: return OK;
3200 case DEFER: return DEFER;
3201 default: return FAIL;
3202 }
3203 }
3204
3205 /* Not a query-style lookup; must ensure the host name is present, and then we
3206 do a check on the name and all its aliases. */
3207
3208 if (sender_host_name == NULL)
3209 {
3210 HDEBUG(D_host_lookup)
3211 debug_printf("sender host name required, to match against %s\n", ss);
3212 if (host_lookup_failed || host_name_lookup() != OK)
3213 {
3214 *error = string_sprintf("failed to find host name for %s",
3215 sender_host_address);;
3216 return ERROR;
3217 }
3218 host_build_sender_fullhost();
3219 }
3220
3221 /* Match on the sender host name, using the general matching function */
3222
3223 switch(match_check_string(sender_host_name, ss, -1, TRUE, TRUE, TRUE,
3224 valueptr))
3225 {
3226 case OK: return OK;
3227 case DEFER: return DEFER;
3228 }
3229
3230 /* If there are aliases, try matching on them. */
3231
3232 aliases = sender_host_aliases;
3233 while (*aliases != NULL)
3234 {
3235 switch(match_check_string(*aliases++, ss, -1, TRUE, TRUE, TRUE, valueptr))
3236 {
3237 case OK: return OK;
3238 case DEFER: return DEFER;
3239 }
3240 }
3241 return FAIL;
3242 }
3243
3244
3245
3246
3247 /*************************************************
3248 * Check a specific host matches a host list *
3249 *************************************************/
3250
3251 /* This function is passed a host list containing items in a number of
3252 different formats and the identity of a host. Its job is to determine whether
3253 the given host is in the set of hosts defined by the list. The host name is
3254 passed as a pointer so that it can be looked up if needed and not already
3255 known. This is commonly the case when called from verify_check_host() to check
3256 an incoming connection. When called from elsewhere the host name should usually
3257 be set.
3258
3259 This function is now just a front end to match_check_list(), which runs common
3260 code for scanning a list. We pass it the check_host() function to perform a
3261 single test.
3262
3263 Arguments:
3264 listptr pointer to the host list
3265 cache_bits pointer to cache for named lists, or NULL
3266 host_name the host name or NULL, implying use sender_host_name and
3267 sender_host_aliases, looking them up if required
3268 host_address the IP address
3269 valueptr if not NULL, data from a lookup is passed back here
3270
3271 Returns: OK if the host is in the defined set
3272 FAIL if the host is not in the defined set,
3273 DEFER if a data lookup deferred (not a host lookup)
3274
3275 If the host name was needed in order to make a comparison, and could not be
3276 determined from the IP address, the result is FAIL unless the item
3277 "+allow_unknown" was met earlier in the list, in which case OK is returned. */
3278
3279 int
3280 verify_check_this_host(const uschar **listptr, unsigned int *cache_bits,
3281 const uschar *host_name, const uschar *host_address, const uschar **valueptr)
3282 {
3283 int rc;
3284 unsigned int *local_cache_bits = cache_bits;
3285 const uschar *save_host_address = deliver_host_address;
3286 check_host_block cb;
3287 cb.host_name = host_name;
3288 cb.host_address = host_address;
3289
3290 if (valueptr != NULL) *valueptr = NULL;
3291
3292 /* If the host address starts off ::ffff: it is an IPv6 address in
3293 IPv4-compatible mode. Find the IPv4 part for checking against IPv4
3294 addresses. */
3295
3296 cb.host_ipv4 = (Ustrncmp(host_address, "::ffff:", 7) == 0)?
3297 host_address + 7 : host_address;
3298
3299 /* During the running of the check, put the IP address into $host_address. In
3300 the case of calls from the smtp transport, it will already be there. However,
3301 in other calls (e.g. when testing ignore_target_hosts), it won't. Just to be on
3302 the safe side, any existing setting is preserved, though as I write this
3303 (November 2004) I can't see any cases where it is actually needed. */
3304
3305 deliver_host_address = host_address;
3306 rc = match_check_list(
3307 listptr, /* the list */
3308 0, /* separator character */
3309 &hostlist_anchor, /* anchor pointer */
3310 &local_cache_bits, /* cache pointer */
3311 check_host, /* function for testing */
3312 &cb, /* argument for function */
3313 MCL_HOST, /* type of check */
3314 (host_address == sender_host_address)?
3315 US"host" : host_address, /* text for debugging */
3316 valueptr); /* where to pass back data */
3317 deliver_host_address = save_host_address;
3318 return rc;
3319 }
3320
3321
3322
3323
3324 /*************************************************
3325 * Check the given host item matches a list *
3326 *************************************************/
3327 int
3328 verify_check_given_host(uschar **listptr, host_item *host)
3329 {
3330 return verify_check_this_host(CUSS listptr, NULL, host->name, host->address, NULL);
3331 }
3332
3333 /*************************************************
3334 * Check the remote host matches a list *
3335 *************************************************/
3336
3337 /* This is a front end to verify_check_this_host(), created because checking
3338 the remote host is a common occurrence. With luck, a good compiler will spot
3339 the tail recursion and optimize it. If there's no host address, this is
3340 command-line SMTP input - check against an empty string for the address.
3341
3342 Arguments:
3343 listptr pointer to the host list
3344
3345 Returns: the yield of verify_check_this_host(),
3346 i.e. OK, FAIL, or DEFER
3347 */
3348
3349 int
3350 verify_check_host(uschar **listptr)
3351 {
3352 return verify_check_this_host(CUSS listptr, sender_host_cache, NULL,
3353 (sender_host_address == NULL)? US"" : sender_host_address, NULL);
3354 }
3355
3356
3357
3358
3359
3360 /*************************************************
3361 * Invert an IP address *
3362 *************************************************/
3363
3364 /* Originally just used for DNS xBL lists, now also used for the
3365 reverse_ip expansion operator.
3366
3367 Arguments:
3368 buffer where to put the answer
3369 address the address to invert
3370 */
3371
3372 void
3373 invert_address(uschar *buffer, uschar *address)
3374 {
3375 int bin[4];
3376 uschar *bptr = buffer;
3377
3378 /* If this is an IPv4 address mapped into IPv6 format, adjust the pointer
3379 to the IPv4 part only. */
3380
3381 if (Ustrncmp(address, "::ffff:", 7) == 0) address += 7;
3382
3383 /* Handle IPv4 address: when HAVE_IPV6 is false, the result of host_aton() is
3384 always 1. */
3385
3386 if (host_aton(address, bin) == 1)
3387 {
3388 int i;
3389 int x = bin[0];
3390 for (i = 0; i < 4; i++)
3391 {
3392 sprintf(CS bptr, "%d.", x & 255);
3393 while (*bptr) bptr++;
3394 x >>= 8;
3395 }
3396 }
3397
3398 /* Handle IPv6 address. Actually, as far as I know, there are no IPv6 addresses
3399 in any DNS black lists, and the format in which they will be looked up is
3400 unknown. This is just a guess. */
3401
3402 #if HAVE_IPV6
3403 else
3404 {
3405 int i, j;
3406 for (j = 3; j >= 0; j--)
3407 {
3408 int x = bin[j];
3409 for (i = 0; i < 8; i++)
3410 {
3411 sprintf(CS bptr, "%x.", x & 15);
3412 while (*bptr) bptr++;
3413 x >>= 4;
3414 }
3415 }
3416 }
3417 #endif
3418
3419 /* Remove trailing period -- this is needed so that both arbitrary
3420 dnsbl keydomains and inverted addresses may be combined with the
3421 same format string, "%s.%s" */
3422
3423 *(--bptr) = 0;
3424 }
3425
3426
3427
3428 /*************************************************
3429 * Perform a single dnsbl lookup *
3430 *************************************************/
3431
3432 /* This function is called from verify_check_dnsbl() below. It is also called
3433 recursively from within itself when domain and domain_txt are different
3434 pointers, in order to get the TXT record from the alternate domain.
3435
3436 Arguments:
3437 domain the outer dnsbl domain
3438 domain_txt alternate domain to lookup TXT record on success; when the
3439 same domain is to be used, domain_txt == domain (that is,
3440 the pointers must be identical, not just the text)
3441 keydomain the current keydomain (for debug message)
3442 prepend subdomain to lookup (like keydomain, but
3443 reversed if IP address)
3444 iplist the list of matching IP addresses, or NULL for "any"
3445 bitmask true if bitmask matching is wanted
3446 match_type condition for 'succeed' result
3447 0 => Any RR in iplist (=)
3448 1 => No RR in iplist (!=)
3449 2 => All RRs in iplist (==)
3450 3 => Some RRs not in iplist (!==)
3451 the two bits are defined as MT_NOT and MT_ALL
3452 defer_return what to return for a defer
3453
3454 Returns: OK if lookup succeeded
3455 FAIL if not
3456 */
3457
3458 static int
3459 one_check_dnsbl(uschar *domain, uschar *domain_txt, uschar *keydomain,
3460 uschar *prepend, uschar *iplist, BOOL bitmask, int match_type,
3461 int defer_return)
3462 {
3463 dns_answer dnsa;
3464 dns_scan dnss;
3465 tree_node *t;
3466 dnsbl_cache_block *cb;
3467 int old_pool = store_pool;
3468 uschar query[256]; /* DNS domain max length */
3469
3470 /* Construct the specific query domainname */
3471
3472 if (!string_format(query, sizeof(query), "%s.%s", prepend, domain))
3473 {
3474 log_write(0, LOG_MAIN|LOG_PANIC, "dnslist query is too long "
3475 "(ignored): %s...", query);
3476 return FAIL;
3477 }
3478
3479 /* Look for this query in the cache. */
3480
3481 t = tree_search(dnsbl_cache, query);
3482
3483 /* If not cached from a previous lookup, we must do a DNS lookup, and
3484 cache the result in permanent memory. */
3485
3486 if (t == NULL)
3487 {
3488 store_pool = POOL_PERM;
3489
3490 /* Set up a tree entry to cache the lookup */
3491
3492 t = store_get(sizeof(tree_node) + Ustrlen(query));
3493 Ustrcpy(t->name, query);
3494 t->data.ptr = cb = store_get(sizeof(dnsbl_cache_block));
3495 (void)tree_insertnode(&dnsbl_cache, t);
3496
3497 /* Do the DNS loopup . */
3498
3499 HDEBUG(D_dnsbl) debug_printf("new DNS lookup for %s\n", query);
3500 cb->rc = dns_basic_lookup(&dnsa, query, T_A);
3501 cb->text_set = FALSE;
3502 cb->text = NULL;
3503 cb->rhs = NULL;
3504
3505 /* If the lookup succeeded, cache the RHS address. The code allows for
3506 more than one address - this was for complete generality and the possible
3507 use of A6 records. However, A6 records have been reduced to experimental
3508 status (August 2001) and may die out. So they may never get used at all,
3509 let alone in dnsbl records. However, leave the code here, just in case.
3510
3511 Quite apart from one A6 RR generating multiple addresses, there are DNS
3512 lists that return more than one A record, so we must handle multiple
3513 addresses generated in that way as well. */
3514
3515 if (cb->rc == DNS_SUCCEED)
3516 {
3517 dns_record *rr;
3518 dns_address **addrp = &(cb->rhs);
3519 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
3520 rr != NULL;
3521 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
3522 {
3523 if (rr->type == T_A)
3524 {
3525 dns_address *da = dns_address_from_rr(&dnsa, rr);
3526 if (da != NULL)
3527 {
3528 *addrp = da;
3529 while (da->next != NULL) da = da->next;
3530 addrp = &(da->next);
3531 }
3532 }
3533 }
3534
3535 /* If we didn't find any A records, change the return code. This can
3536 happen when there is a CNAME record but there are no A records for what
3537 it points to. */
3538
3539 if (cb->rhs == NULL) cb->rc = DNS_NODATA;
3540 }
3541
3542 store_pool = old_pool;
3543 }
3544
3545 /* Previous lookup was cached */
3546
3547 else
3548 {
3549 HDEBUG(D_dnsbl) debug_printf("using result of previous DNS lookup\n");
3550 cb = t->data.ptr;
3551 }
3552
3553 /* We now have the result of the DNS lookup, either newly done, or cached
3554 from a previous call. If the lookup succeeded, check against the address
3555 list if there is one. This may be a positive equality list (introduced by
3556 "="), a negative equality list (introduced by "!="), a positive bitmask
3557 list (introduced by "&"), or a negative bitmask list (introduced by "!&").*/
3558
3559 if (cb->rc == DNS_SUCCEED)
3560 {
3561 dns_address *da = NULL;
3562 uschar *addlist = cb->rhs->address;
3563
3564 /* For A and AAAA records, there may be multiple addresses from multiple
3565 records. For A6 records (currently not expected to be used) there may be
3566 multiple addresses from a single record. */
3567
3568 for (da = cb->rhs->next; da != NULL; da = da->next)
3569 addlist = string_sprintf("%s, %s", addlist, da->address);
3570
3571 HDEBUG(D_dnsbl) debug_printf("DNS lookup for %s succeeded (yielding %s)\n",
3572 query, addlist);
3573
3574 /* Address list check; this can be either for equality, or via a bitmask.
3575 In the latter case, all the bits must match. */
3576
3577 if (iplist != NULL)
3578 {
3579 for (da = cb->rhs; da != NULL; da = da->next)
3580 {
3581 int ipsep = ',';
3582 uschar ip[46];
3583 const uschar *ptr = iplist;
3584 uschar *res;
3585
3586 /* Handle exact matching */
3587
3588 if (!bitmask)
3589 {
3590 while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))) != NULL)
3591 {
3592 if (Ustrcmp(CS da->address, ip) == 0) break;
3593 }
3594 }
3595
3596 /* Handle bitmask matching */
3597
3598 else
3599 {
3600 int address[4];
3601 int mask = 0;
3602
3603 /* At present, all known DNS blocking lists use A records, with
3604 IPv4 addresses on the RHS encoding the information they return. I
3605 wonder if this will linger on as the last vestige of IPv4 when IPv6
3606 is ubiquitous? Anyway, for now we use paranoia code to completely
3607 ignore IPv6 addresses. The default mask is 0, which always matches.
3608 We change this only for IPv4 addresses in the list. */
3609
3610 if (host_aton(da->address, address) == 1) mask = address[0];
3611
3612 /* Scan the returned addresses, skipping any that are IPv6 */
3613
3614 while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))) != NULL)
3615 {
3616 if (host_aton(ip, address) != 1) continue;
3617 if ((address[0] & mask) == address[0]) break;
3618 }
3619 }
3620
3621 /* If either
3622
3623 (a) An IP address in an any ('=') list matched, or
3624 (b) No IP address in an all ('==') list matched
3625
3626 then we're done searching. */
3627
3628 if (((match_type & MT_ALL) != 0) == (res == NULL)) break;
3629 }
3630
3631 /* If da == NULL, either
3632
3633 (a) No IP address in an any ('=') list matched, or
3634 (b) An IP address in an all ('==') list didn't match
3635
3636 so behave as if the DNSBL lookup had not succeeded, i.e. the host is not on
3637 the list. */
3638
3639 if ((match_type == MT_NOT || match_type == MT_ALL) != (da == NULL))
3640 {
3641 HDEBUG(D_dnsbl)
3642 {
3643 uschar *res = NULL;
3644 switch(match_type)
3645 {
3646 case 0:
3647 res = US"was no match";
3648 break;
3649 case MT_NOT:
3650 res = US"was an exclude match";
3651 break;
3652 case MT_ALL:
3653 res = US"was an IP address that did not match";
3654 break;
3655 case MT_NOT|MT_ALL:
3656 res = US"were no IP addresses that did not match";
3657 break;
3658 }
3659 debug_printf("=> but we are not accepting this block class because\n");
3660 debug_printf("=> there %s for %s%c%s\n",
3661 res,
3662 ((match_type & MT_ALL) == 0)? "" : "=",
3663 bitmask? '&' : '=', iplist);
3664 }
3665 return FAIL;
3666 }
3667 }
3668
3669 /* Either there was no IP list, or the record matched, implying that the
3670 domain is on the list. We now want to find a corresponding TXT record. If an
3671 alternate domain is specified for the TXT record, call this function
3672 recursively to look that up; this has the side effect of re-checking that
3673 there is indeed an A record at the alternate domain. */
3674
3675 if (domain_txt != domain)
3676 return one_check_dnsbl(domain_txt, domain_txt, keydomain, prepend, NULL,
3677 FALSE, match_type, defer_return);
3678
3679 /* If there is no alternate domain, look up a TXT record in the main domain
3680 if it has not previously been cached. */
3681
3682 if (!cb->text_set)
3683 {
3684 cb->text_set = TRUE;
3685 if (dns_basic_lookup(&dnsa, query, T_TXT) == DNS_SUCCEED)
3686 {
3687 dns_record *rr;
3688 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
3689 rr != NULL;
3690 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
3691 if (rr->type == T_TXT) break;
3692 if (rr != NULL)
3693 {
3694 int len = (rr->data)[0];
3695 if (len > 511) len = 127;
3696 store_pool = POOL_PERM;
3697 cb->text = string_sprintf("%.*s", len, (const uschar *)(rr->data+1));
3698 store_pool = old_pool;
3699 }
3700 }
3701 }
3702
3703 dnslist_value = addlist;
3704 dnslist_text = cb->text;
3705 return OK;
3706 }
3707
3708 /* There was a problem with the DNS lookup */
3709
3710 if (cb->rc != DNS_NOMATCH && cb->rc != DNS_NODATA)
3711 {
3712 log_write(L_dnslist_defer, LOG_MAIN,
3713 "DNS list lookup defer (probably timeout) for %s: %s", query,
3714 (defer_return == OK)? US"assumed in list" :
3715 (defer_return == FAIL)? US"assumed not in list" :
3716 US"returned DEFER");
3717 return defer_return;
3718 }
3719
3720 /* No entry was found in the DNS; continue for next domain */
3721
3722 HDEBUG(D_dnsbl)
3723 {
3724 debug_printf("DNS lookup for %s failed\n", query);
3725 debug_printf("=> that means %s is not listed at %s\n",
3726 keydomain, domain);
3727 }
3728
3729 return FAIL;
3730 }
3731
3732
3733
3734
3735 /*************************************************
3736 * Check host against DNS black lists *
3737 *************************************************/
3738
3739 /* This function runs checks against a list of DNS black lists, until one
3740 matches. Each item on the list can be of the form
3741
3742 domain=ip-address/key
3743
3744 The domain is the right-most domain that is used for the query, for example,
3745 blackholes.mail-abuse.org. If the IP address is present, there is a match only
3746 if the DNS lookup returns a matching IP address. Several addresses may be
3747 given, comma-separated, for example: x.y.z=127.0.0.1,127.0.0.2.
3748
3749 If no key is given, what is looked up in the domain is the inverted IP address
3750 of the current client host. If a key is given, it is used to construct the
3751 domain for the lookup. For example:
3752
3753 dsn.rfc-ignorant.org/$sender_address_domain
3754
3755 After finding a match in the DNS, the domain is placed in $dnslist_domain, and
3756 then we check for a TXT record for an error message, and if found, save its
3757 value in $dnslist_text. We also cache everything in a tree, to optimize
3758 multiple lookups.
3759
3760 The TXT record is normally looked up in the same domain as the A record, but
3761 when many lists are combined in a single DNS domain, this will not be a very
3762 specific message. It is possible to specify a different domain for looking up
3763 TXT records; this is given before the main domain, comma-separated. For
3764 example:
3765
3766 dnslists = http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \
3767 socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3
3768
3769 The caching ensures that only one lookup in dnsbl.sorbs.net is done.
3770
3771 Note: an address for testing RBL is 192.203.178.39
3772 Note: an address for testing DUL is 192.203.178.4
3773 Note: a domain for testing RFCI is example.tld.dsn.rfc-ignorant.org
3774
3775 Arguments:
3776 listptr the domain/address/data list
3777
3778 Returns: OK successful lookup (i.e. the address is on the list), or
3779 lookup deferred after +include_unknown
3780 FAIL name not found, or no data found for the given type, or
3781 lookup deferred after +exclude_unknown (default)
3782 DEFER lookup failure, if +defer_unknown was set
3783 */
3784
3785 int
3786 verify_check_dnsbl(const uschar **listptr)
3787 {
3788 int sep = 0;
3789 int defer_return = FAIL;
3790 const uschar *list = *listptr;
3791 uschar *domain;
3792 uschar *s;
3793 uschar buffer[1024];
3794 uschar revadd[128]; /* Long enough for IPv6 address */
3795
3796 /* Indicate that the inverted IP address is not yet set up */
3797
3798 revadd[0] = 0;
3799
3800 /* In case this is the first time the DNS resolver is being used. */
3801
3802 dns_init(FALSE, FALSE, FALSE); /*XXX dnssec? */
3803
3804 /* Loop through all the domains supplied, until something matches */
3805
3806 while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
3807 {
3808 int rc;
3809 BOOL bitmask = FALSE;
3810 int match_type = 0;
3811 uschar *domain_txt;
3812 uschar *comma;
3813 uschar *iplist;
3814 uschar *key;
3815
3816 HDEBUG(D_dnsbl) debug_printf("DNS list check: %s\n", domain);
3817
3818 /* Deal with special values that change the behaviour on defer */
3819
3820 if (domain[0] == '+')
3821 {
3822 if (strcmpic(domain, US"+include_unknown") == 0) defer_return = OK;
3823 else if (strcmpic(domain, US"+exclude_unknown") == 0) defer_return = FAIL;
3824 else if (strcmpic(domain, US"+defer_unknown") == 0) defer_return = DEFER;
3825 else
3826 log_write(0, LOG_MAIN|LOG_PANIC, "unknown item in dnslist (ignored): %s",
3827 domain);
3828 continue;
3829 }
3830
3831 /* See if there's explicit data to be looked up */
3832
3833 key = Ustrchr(domain, '/');
3834 if (key != NULL) *key++ = 0;
3835
3836 /* See if there's a list of addresses supplied after the domain name. This is
3837 introduced by an = or a & character; if preceded by = we require all matches
3838 and if preceded by ! we invert the result. */
3839
3840 iplist = Ustrchr(domain, '=');
3841 if (iplist == NULL)
3842 {
3843 bitmask = TRUE;
3844 iplist = Ustrchr(domain, '&');
3845 }
3846
3847 if (iplist != NULL) /* Found either = or & */
3848 {
3849 if (iplist > domain && iplist[-1] == '!') /* Handle preceding ! */
3850 {
3851 match_type |= MT_NOT;
3852 iplist[-1] = 0;
3853 }
3854
3855 *iplist++ = 0; /* Terminate domain, move on */
3856
3857 /* If we found = (bitmask == FALSE), check for == or =& */
3858
3859 if (!bitmask && (*iplist == '=' || *iplist == '&'))
3860 {
3861 bitmask = *iplist++ == '&';
3862 match_type |= MT_ALL;
3863 }
3864 }
3865
3866 /* If there is a comma in the domain, it indicates that a second domain for
3867 looking up TXT records is provided, before the main domain. Otherwise we must
3868 set domain_txt == domain. */
3869
3870 domain_txt = domain;
3871 comma = Ustrchr(domain, ',');
3872 if (comma != NULL)
3873 {
3874 *comma++ = 0;
3875 domain = comma;
3876 }
3877
3878 /* Check that what we have left is a sensible domain name. There is no reason
3879 why these domains should in fact use the same syntax as hosts and email
3880 domains, but in practice they seem to. However, there is little point in
3881 actually causing an error here, because that would no doubt hold up incoming
3882 mail. Instead, I'll just log it. */
3883
3884 for (s = domain; *s != 0; s++)
3885 {
3886 if (!isalnum(*s) && *s != '-' && *s != '.' && *s != '_')
3887 {
3888 log_write(0, LOG_MAIN, "dnslists domain \"%s\" contains "
3889 "strange characters - is this right?", domain);
3890 break;
3891 }
3892 }
3893
3894 /* Check the alternate domain if present */
3895
3896 if (domain_txt != domain) for (s = domain_txt; *s != 0; s++)
3897 {
3898 if (!isalnum(*s) && *s != '-' && *s != '.' && *s != '_')
3899 {
3900 log_write(0, LOG_MAIN, "dnslists domain \"%s\" contains "
3901 "strange characters - is this right?", domain_txt);
3902 break;
3903 }
3904 }
3905
3906 /* If there is no key string, construct the query by adding the domain name
3907 onto the inverted host address, and perform a single DNS lookup. */
3908
3909 if (key == NULL)
3910 {
3911 if (sender_host_address == NULL) return FAIL; /* can never match */
3912 if (revadd[0] == 0) invert_address(revadd, sender_host_address);
3913 rc = one_check_dnsbl(domain, domain_txt, sender_host_address, revadd,
3914 iplist, bitmask, match_type, defer_return);
3915 if (rc == OK)
3916 {
3917 dnslist_domain = string_copy(domain_txt);
3918 dnslist_matched = string_copy(sender_host_address);
3919 HDEBUG(D_dnsbl) debug_printf("=> that means %s is listed at %s\n",
3920 sender_host_address, dnslist_domain);
3921 }
3922 if (rc != FAIL) return rc; /* OK or DEFER */
3923 }
3924
3925 /* If there is a key string, it can be a list of domains or IP addresses to
3926 be concatenated with the main domain. */
3927
3928 else
3929 {
3930 int keysep = 0;
3931 BOOL defer = FALSE;
3932 uschar *keydomain;
3933 uschar keybuffer[256];
3934 uschar keyrevadd[128];
3935
3936 while ((keydomain = string_nextinlist(CUSS &key, &keysep, keybuffer,
3937 sizeof(keybuffer))) != NULL)
3938 {
3939 uschar *prepend = keydomain;
3940
3941 if (string_is_ip_address(keydomain, NULL) != 0)
3942 {
3943 invert_address(keyrevadd, keydomain);
3944 prepend = keyrevadd;
3945 }
3946
3947 rc = one_check_dnsbl(domain, domain_txt, keydomain, prepend, iplist,
3948 bitmask, match_type, defer_return);
3949
3950 if (rc == OK)
3951 {
3952 dnslist_domain = string_copy(domain_txt);
3953 dnslist_matched = string_copy(keydomain);
3954 HDEBUG(D_dnsbl) debug_printf("=> that means %s is listed at %s\n",
3955 keydomain, dnslist_domain);
3956 return OK;
3957 }
3958
3959 /* If the lookup deferred, remember this fact. We keep trying the rest
3960 of the list to see if we get a useful result, and if we don't, we return
3961 DEFER at the end. */
3962
3963 if (rc == DEFER) defer = TRUE;
3964 } /* continue with next keystring domain/address */
3965
3966 if (defer) return DEFER;
3967 }
3968 } /* continue with next dnsdb outer domain */
3969
3970 return FAIL;
3971 }
3972
3973 /* vi: aw ai sw=2
3974 */
3975 /* End of verify.c */
Unnamed repository; edit this file 'description' to name the repository.