X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=src%2Fsrc%2Fverify.c;h=ea733b60596dae968d61efdd382853cff059ad10;hb=65867078f62db450bd8f91100600f6de559e7590;hp=c83748a12f5c7f067d0e2d6ce68c85d1a7062501;hpb=a63be306e4bcb803e7aa3ab673a2e1d867adaaba;p=exim.git diff --git a/src/src/verify.c b/src/src/verify.c index c83748a12..ea733b605 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -373,10 +373,13 @@ if (!addr->transport) { HDEBUG(D_verify) debug_printf("cannot callout via null transport\n"); } +else if (Ustrcmp(addr->transport->driver_name, "smtp") != 0) + log_write(0, LOG_MAIN|LOG_PANIC|LOG_CONFIG_FOR, "callout transport '%s': %s is non-smtp", + addr->transport->name, addr->transport->driver_name); else { smtp_transport_options_block *ob = - (smtp_transport_options_block *)(addr->transport->options_block); + (smtp_transport_options_block *)addr->transport->options_block; /* The information wasn't available in the cache, so we have to do a real callout and save the result in the cache for next time, unless no_cache is set, @@ -538,7 +541,7 @@ else #endif if (!(done= smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout))) goto RESPONSE_FAILED; - + /* Not worth checking greeting line for ESMTP support */ if (!(esmtp = verify_check_this_host(&(ob->hosts_avoid_esmtp), NULL, host->name, host->address, NULL) != OK)) @@ -633,16 +636,12 @@ else /* STARTTLS accepted or ssl-on-connect: try to negotiate a TLS session. */ else { - int rc = tls_client_start(inblock.sock, host, addr, - ob->tls_certificate, ob->tls_privatekey, - ob->tls_sni, - ob->tls_verify_certificates, ob->tls_crl, - ob->tls_require_ciphers, -#ifdef EXPERIMENTAL_OCSP - ob->hosts_require_ocsp, -#endif - ob->tls_dh_min_bits, callout, - ob->tls_verify_hosts, ob->tls_try_verify_hosts); + int oldtimeout = ob->command_timeout; + int rc; + + ob->command_timeout = callout; + rc = tls_client_start(inblock.sock, host, addr, ob); + ob->command_timeout = oldtimeout; /* TLS negotiation failed; give an error. Try in clear on a new connection, if the options permit it for this host. */ @@ -706,11 +705,13 @@ else cutthrough_delivery= FALSE; HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n"); } + #ifndef DISABLE_DKIM if (ob->dkim_domain) { cutthrough_delivery= FALSE; HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of DKIM signing\n"); } + #endif } SEND_FAILED: @@ -974,6 +975,7 @@ else { cutthrough_fd= outblock.sock; /* We assume no buffer in use in the outblock */ cutthrough_addr = *addr; /* Save the address_item for later logging */ + cutthrough_addr.next = NULL; cutthrough_addr.host_used = store_get(sizeof(host_item)); cutthrough_addr.host_used->name = host->name; cutthrough_addr.host_used->address = host->address; @@ -1242,27 +1244,43 @@ return cutthrough_response('3', NULL) == '3'; } +/* fd and use_crlf args only to match write_chunk() */ +static BOOL +cutthrough_write_chunk(int fd, uschar * s, int len, BOOL use_crlf) +{ +uschar * s2; +while(s && (s2 = Ustrchr(s, '\n'))) + { + if(!cutthrough_puts(s, s2-s) || !cutthrough_put_nl()) + return FALSE; + s = s2+1; + } +return TRUE; +} + + /* Buffered send of headers. Return success boolean. */ /* Expands newlines to wire format (CR,NL). */ /* Also sends header-terminating blank line. */ BOOL cutthrough_headers_send( void ) { -header_line * h; -uschar * cp1, * cp2; - if(cutthrough_fd < 0) return FALSE; -for(h= header_list; h != NULL; h= h->next) - if(h->type != htype_old && h->text != NULL) - for (cp1 = h->text; *cp1 && (cp2 = Ustrchr(cp1, '\n')); cp1 = cp2+1) - if( !cutthrough_puts(cp1, cp2-cp1) - || !cutthrough_put_nl()) - return FALSE; +/* We share a routine with the mainline transport to handle header add/remove/rewrites, + but having a separate buffered-output function (for now) +*/ +HDEBUG(D_acl) debug_printf("----------- start cutthrough headers send -----------\n"); + +if (!transport_headers_send(&cutthrough_addr, cutthrough_fd, + cutthrough_addr.transport->add_headers, cutthrough_addr.transport->remove_headers, + &cutthrough_write_chunk, TRUE, + cutthrough_addr.transport->rewrite_rules, cutthrough_addr.transport->rewrite_existflags)) + return FALSE; -HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>>(nl)\n"); -return cutthrough_put_nl(); +HDEBUG(D_acl) debug_printf("----------- done cutthrough headers send ------------\n"); +return TRUE; } @@ -1554,13 +1572,7 @@ if (address[0] == 0) return OK; they're used in the context of a transport used by verification. Reset them at exit from this routine. */ -modify_variable(US"tls_bits", &tls_out.bits); -modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified); -modify_variable(US"tls_cipher", &tls_out.cipher); -modify_variable(US"tls_peerdn", &tls_out.peerdn); -#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) -modify_variable(US"tls_sni", &tls_out.sni); -#endif +tls_modify_variables(&tls_out); /* Save a copy of the sender address for re-instating if we change it to <> while verifying a sender address (a nice bit of self-reference there). */ @@ -1733,8 +1745,20 @@ while (addr_new != NULL) string_is_ip_address(host->name, NULL) != 0) (void)host_find_byname(host, NULL, flags, &canonical_name, TRUE); else + { + uschar * d_request = NULL, * d_require = NULL; + if (Ustrcmp(addr->transport->driver_name, "smtp") == 0) + { + smtp_transport_options_block * ob = + (smtp_transport_options_block *) + addr->transport->options_block; + d_request = ob->dnssec_request_domains; + d_require = ob->dnssec_require_domains; + } + (void)host_find_bydns(host, NULL, flags, NULL, NULL, NULL, - &canonical_name, NULL); + d_request, d_require, &canonical_name, NULL); + } } } } @@ -2019,14 +2043,7 @@ for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++) the -bv or -bt case). */ out: - -modify_variable(US"tls_bits", &tls_in.bits); -modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified); -modify_variable(US"tls_cipher", &tls_in.cipher); -modify_variable(US"tls_peerdn", &tls_in.peerdn); -#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) -modify_variable(US"tls_sni", &tls_in.sni); -#endif +tls_modify_variables(&tls_in); return yield; } @@ -2156,6 +2173,41 @@ return yield; } +/************************************************* +* Check header names for 8-bit characters * +*************************************************/ + +/* This function checks for invalid charcters in header names. See +RFC 5322, 2.2. and RFC 6532, 3. + +Arguments: + msgptr where to put an error message + +Returns: OK + FAIL +*/ + +int +verify_check_header_names_ascii(uschar **msgptr) +{ +header_line *h; +uschar *colon, *s; + +for (h = header_list; h != NULL; h = h->next) + { + colon = Ustrchr(h->text, ':'); + for(s = h->text; s < colon; s++) + { + if ((*s < 33) || (*s > 126)) + { + *msgptr = string_sprintf("Invalid character in header \"%.*s\" found", + colon - h->text, h->text); + return FAIL; + } + } + } +return OK; +} /************************************************* * Check for blind recipients * @@ -3502,7 +3554,7 @@ revadd[0] = 0; /* In case this is the first time the DNS resolver is being used. */ -dns_init(FALSE, FALSE); +dns_init(FALSE, FALSE, FALSE); /*XXX dnssec? */ /* Loop through all the domains supplied, until something matches */ @@ -3673,4 +3725,6 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL return FAIL; } +/* vi: aw ai sw=2 +*/ /* End of verify.c */