Commit | Line | Data |
---|---|---|
059ec3d9 PH |
1 | /************************************************* |
2 | * Exim - an Internet mail transport agent * | |
3 | *************************************************/ | |
4 | ||
f9ba5e22 | 5 | /* Copyright (c) University of Cambridge 1995 - 2018 */ |
059ec3d9 PH |
6 | /* See the file NOTICE for conditions of use and distribution. */ |
7 | ||
8 | /* Functions for finding hosts, either by gethostbyname(), gethostbyaddr(), or | |
9 | directly via the DNS. When IPv6 is supported, getipnodebyname() and | |
10 | getipnodebyaddr() may be used instead of gethostbyname() and gethostbyaddr(), | |
11 | if the newer functions are available. This module also contains various other | |
12 | functions concerned with hosts and addresses, and a random number function, | |
13 | used for randomizing hosts with equal MXs but available for use in other parts | |
14 | of Exim. */ | |
15 | ||
16 | ||
17 | #include "exim.h" | |
18 | ||
19 | ||
20 | /* Static variable for preserving the list of interface addresses in case it is | |
21 | used more than once. */ | |
22 | ||
23 | static ip_address_item *local_interface_data = NULL; | |
24 | ||
25 | ||
26 | #ifdef USE_INET_NTOA_FIX | |
27 | /************************************************* | |
28 | * Replacement for broken inet_ntoa() * | |
29 | *************************************************/ | |
30 | ||
31 | /* On IRIX systems, gcc uses a different structure passing convention to the | |
32 | native libraries. This causes inet_ntoa() to always yield 0.0.0.0 or | |
33 | 255.255.255.255. To get round this, we provide a private version of the | |
34 | function here. It is used only if USE_INET_NTOA_FIX is set, which should happen | |
35 | only when gcc is in use on an IRIX system. Code send to me by J.T. Breitner, | |
36 | with these comments: | |
37 | ||
38 | code by Stuart Levy | |
39 | as seen in comp.sys.sgi.admin | |
40 | ||
2548ba04 PH |
41 | August 2005: Apparently this is also needed for AIX systems; USE_INET_NTOA_FIX |
42 | should now be set for them as well. | |
43 | ||
059ec3d9 PH |
44 | Arguments: sa an in_addr structure |
45 | Returns: pointer to static text string | |
46 | */ | |
47 | ||
48 | char * | |
49 | inet_ntoa(struct in_addr sa) | |
50 | { | |
51 | static uschar addr[20]; | |
52 | sprintf(addr, "%d.%d.%d.%d", | |
53 | (US &sa.s_addr)[0], | |
54 | (US &sa.s_addr)[1], | |
55 | (US &sa.s_addr)[2], | |
56 | (US &sa.s_addr)[3]); | |
57 | return addr; | |
58 | } | |
59 | #endif | |
60 | ||
61 | ||
62 | ||
63 | /************************************************* | |
64 | * Random number generator * | |
65 | *************************************************/ | |
66 | ||
67 | /* This is a simple pseudo-random number generator. It does not have to be | |
68 | very good for the uses to which it is put. When running the regression tests, | |
69 | start with a fixed seed. | |
70 | ||
17c76198 | 71 | If you need better, see vaguely_random_number() which is potentially stronger, |
9e3331ea TK |
72 | if a crypto library is available, but might end up just calling this instead. |
73 | ||
059ec3d9 PH |
74 | Arguments: |
75 | limit: one more than the largest number required | |
76 | ||
77 | Returns: a pseudo-random number in the range 0 to limit-1 | |
78 | */ | |
79 | ||
80 | int | |
81 | random_number(int limit) | |
82 | { | |
9e3331ea TK |
83 | if (limit < 1) |
84 | return 0; | |
059ec3d9 PH |
85 | if (random_seed == 0) |
86 | { | |
8768d548 | 87 | if (f.running_in_test_harness) random_seed = 42; else |
059ec3d9 PH |
88 | { |
89 | int p = (int)getpid(); | |
90 | random_seed = (int)time(NULL) ^ ((p << 16) | p); | |
91 | } | |
92 | } | |
93 | random_seed = 1103515245 * random_seed + 12345; | |
94 | return (unsigned int)(random_seed >> 16) % limit; | |
95 | } | |
96 | ||
846430d9 JH |
97 | /************************************************* |
98 | * Wrappers for logging lookup times * | |
99 | *************************************************/ | |
100 | ||
101 | /* When the 'slow_lookup_log' variable is enabled, these wrappers will | |
102 | write to the log file all (potential) dns lookups that take more than | |
103 | slow_lookup_log milliseconds | |
104 | */ | |
105 | ||
106 | static void | |
107 | log_long_lookup(const uschar * type, const uschar * data, unsigned long msec) | |
108 | { | |
109 | log_write(0, LOG_MAIN, "Long %s lookup for '%s': %lu msec", | |
110 | type, data, msec); | |
111 | } | |
112 | ||
113 | ||
114 | /* returns the current system epoch time in milliseconds. */ | |
115 | static unsigned long | |
116 | get_time_in_ms() | |
117 | { | |
118 | struct timeval tmp_time; | |
119 | unsigned long seconds, microseconds; | |
120 | ||
121 | gettimeofday(&tmp_time, NULL); | |
122 | seconds = (unsigned long) tmp_time.tv_sec; | |
123 | microseconds = (unsigned long) tmp_time.tv_usec; | |
124 | return seconds*1000 + microseconds/1000; | |
125 | } | |
126 | ||
127 | ||
128 | static int | |
129 | dns_lookup_timerwrap(dns_answer *dnsa, const uschar *name, int type, | |
130 | const uschar **fully_qualified_name) | |
131 | { | |
132 | int retval; | |
133 | unsigned long time_msec; | |
134 | ||
135 | if (!slow_lookup_log) | |
136 | return dns_lookup(dnsa, name, type, fully_qualified_name); | |
137 | ||
138 | time_msec = get_time_in_ms(); | |
139 | retval = dns_lookup(dnsa, name, type, fully_qualified_name); | |
140 | if ((time_msec = get_time_in_ms() - time_msec) > slow_lookup_log) | |
30795c5e | 141 | log_long_lookup(dns_text_type(type), name, time_msec); |
846430d9 JH |
142 | return retval; |
143 | } | |
059ec3d9 PH |
144 | |
145 | ||
e7726cbf PH |
146 | /************************************************* |
147 | * Replace gethostbyname() when testing * | |
148 | *************************************************/ | |
149 | ||
150 | /* This function is called instead of gethostbyname(), gethostbyname2(), or | |
1fb7660f | 151 | getipnodebyname() when running in the test harness. . It also |
7a546ad5 PH |
152 | recognizes an unqualified "localhost" and forces it to the appropriate loopback |
153 | address. IP addresses are treated as literals. For other names, it uses the DNS | |
75e0e026 PH |
154 | to find the host name. In the test harness, this means it will access only the |
155 | fake DNS resolver. | |
e7726cbf PH |
156 | |
157 | Arguments: | |
158 | name the host name or a textual IP address | |
159 | af AF_INET or AF_INET6 | |
160 | error_num where to put an error code: | |
161 | HOST_NOT_FOUND/TRY_AGAIN/NO_RECOVERY/NO_DATA | |
162 | ||
163 | Returns: a hostent structure or NULL for an error | |
164 | */ | |
165 | ||
166 | static struct hostent * | |
55414b25 | 167 | host_fake_gethostbyname(const uschar *name, int af, int *error_num) |
e7726cbf | 168 | { |
70d67ad3 | 169 | #if HAVE_IPV6 |
e7726cbf | 170 | int alen = (af == AF_INET)? sizeof(struct in_addr):sizeof(struct in6_addr); |
70d67ad3 PH |
171 | #else |
172 | int alen = sizeof(struct in_addr); | |
173 | #endif | |
174 | ||
175 | int ipa; | |
55414b25 | 176 | const uschar *lname = name; |
e7726cbf PH |
177 | uschar *adds; |
178 | uschar **alist; | |
179 | struct hostent *yield; | |
8743d3ac | 180 | dns_answer * dnsa = store_get_dns_answer(); |
e7726cbf | 181 | dns_scan dnss; |
e7726cbf PH |
182 | |
183 | DEBUG(D_host_lookup) | |
184 | debug_printf("using host_fake_gethostbyname for %s (%s)\n", name, | |
185 | (af == AF_INET)? "IPv4" : "IPv6"); | |
186 | ||
7a546ad5 PH |
187 | /* Handle unqualified "localhost" */ |
188 | ||
e7726cbf PH |
189 | if (Ustrcmp(name, "localhost") == 0) |
190 | lname = (af == AF_INET)? US"127.0.0.1" : US"::1"; | |
191 | ||
192 | /* Handle a literal IP address */ | |
193 | ||
d7978c0f | 194 | if ((ipa = string_is_ip_address(lname, NULL)) != 0) |
e7726cbf PH |
195 | { |
196 | if ((ipa == 4 && af == AF_INET) || | |
197 | (ipa == 6 && af == AF_INET6)) | |
198 | { | |
e7726cbf | 199 | int x[4]; |
f3ebb786 JH |
200 | yield = store_get(sizeof(struct hostent), FALSE); |
201 | alist = store_get(2 * sizeof(char *), FALSE); | |
202 | adds = store_get(alen, FALSE); | |
e7726cbf PH |
203 | yield->h_name = CS name; |
204 | yield->h_aliases = NULL; | |
205 | yield->h_addrtype = af; | |
206 | yield->h_length = alen; | |
207 | yield->h_addr_list = CSS alist; | |
208 | *alist++ = adds; | |
d7978c0f | 209 | for (int n = host_aton(lname, x), i = 0; i < n; i++) |
e7726cbf PH |
210 | { |
211 | int y = x[i]; | |
212 | *adds++ = (y >> 24) & 255; | |
213 | *adds++ = (y >> 16) & 255; | |
214 | *adds++ = (y >> 8) & 255; | |
215 | *adds++ = y & 255; | |
216 | } | |
217 | *alist = NULL; | |
218 | } | |
219 | ||
220 | /* Wrong kind of literal address */ | |
221 | ||
222 | else | |
223 | { | |
224 | *error_num = HOST_NOT_FOUND; | |
225 | return NULL; | |
226 | } | |
227 | } | |
228 | ||
229 | /* Handle a host name */ | |
230 | ||
231 | else | |
232 | { | |
233 | int type = (af == AF_INET)? T_A:T_AAAA; | |
8743d3ac | 234 | int rc = dns_lookup_timerwrap(dnsa, lname, type, NULL); |
e7726cbf PH |
235 | int count = 0; |
236 | ||
4e0983dc JH |
237 | lookup_dnssec_authenticated = NULL; |
238 | ||
e7726cbf PH |
239 | switch(rc) |
240 | { | |
241 | case DNS_SUCCEED: break; | |
242 | case DNS_NOMATCH: *error_num = HOST_NOT_FOUND; return NULL; | |
243 | case DNS_NODATA: *error_num = NO_DATA; return NULL; | |
244 | case DNS_AGAIN: *error_num = TRY_AGAIN; return NULL; | |
245 | default: | |
246 | case DNS_FAIL: *error_num = NO_RECOVERY; return NULL; | |
247 | } | |
248 | ||
8743d3ac | 249 | for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); |
e1a3f32f | 250 | rr; |
8743d3ac | 251 | rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == type) |
d7978c0f | 252 | count++; |
e7726cbf | 253 | |
f3ebb786 JH |
254 | yield = store_get(sizeof(struct hostent), FALSE); |
255 | alist = store_get((count + 1) * sizeof(char *), FALSE); | |
256 | adds = store_get(count *alen, FALSE); | |
e7726cbf PH |
257 | |
258 | yield->h_name = CS name; | |
259 | yield->h_aliases = NULL; | |
260 | yield->h_addrtype = af; | |
261 | yield->h_length = alen; | |
262 | yield->h_addr_list = CSS alist; | |
263 | ||
8743d3ac | 264 | for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); |
e1a3f32f | 265 | rr; |
8743d3ac | 266 | rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == type) |
e7726cbf | 267 | { |
e7726cbf PH |
268 | int x[4]; |
269 | dns_address *da; | |
8743d3ac | 270 | if (!(da = dns_address_from_rr(dnsa, rr))) break; |
e7726cbf | 271 | *alist++ = adds; |
d7978c0f | 272 | for (int n = host_aton(da->address, x), i = 0; i < n; i++) |
e7726cbf PH |
273 | { |
274 | int y = x[i]; | |
275 | *adds++ = (y >> 24) & 255; | |
276 | *adds++ = (y >> 16) & 255; | |
277 | *adds++ = (y >> 8) & 255; | |
278 | *adds++ = y & 255; | |
279 | } | |
280 | } | |
281 | *alist = NULL; | |
282 | } | |
283 | ||
284 | return yield; | |
285 | } | |
286 | ||
287 | ||
288 | ||
059ec3d9 PH |
289 | /************************************************* |
290 | * Build chain of host items from list * | |
291 | *************************************************/ | |
292 | ||
293 | /* This function builds a chain of host items from a textual list of host | |
294 | names. It does not do any lookups. If randomize is true, the chain is build in | |
295 | a randomized order. There may be multiple groups of independently randomized | |
296 | hosts; they are delimited by a host name consisting of just "+". | |
297 | ||
298 | Arguments: | |
299 | anchor anchor for the chain | |
300 | list text list | |
301 | randomize TRUE for randomizing | |
302 | ||
303 | Returns: nothing | |
304 | */ | |
305 | ||
306 | void | |
55414b25 | 307 | host_build_hostlist(host_item **anchor, const uschar *list, BOOL randomize) |
059ec3d9 PH |
308 | { |
309 | int sep = 0; | |
310 | int fake_mx = MX_NONE; /* This value is actually -1 */ | |
311 | uschar *name; | |
059ec3d9 | 312 | |
8b455685 | 313 | if (!list) return; |
059ec3d9 PH |
314 | if (randomize) fake_mx--; /* Start at -2 for randomizing */ |
315 | ||
316 | *anchor = NULL; | |
317 | ||
8b455685 | 318 | while ((name = string_nextinlist(&list, &sep, NULL, 0))) |
059ec3d9 PH |
319 | { |
320 | host_item *h; | |
321 | ||
322 | if (name[0] == '+' && name[1] == 0) /* "+" delimits a randomized group */ | |
323 | { /* ignore if not randomizing */ | |
324 | if (randomize) fake_mx--; | |
325 | continue; | |
326 | } | |
327 | ||
f3ebb786 | 328 | h = store_get(sizeof(host_item), FALSE); |
55414b25 | 329 | h->name = name; |
059ec3d9 PH |
330 | h->address = NULL; |
331 | h->port = PORT_NONE; | |
332 | h->mx = fake_mx; | |
333 | h->sort_key = randomize? (-fake_mx)*1000 + random_number(1000) : 0; | |
334 | h->status = hstatus_unknown; | |
335 | h->why = hwhy_unknown; | |
336 | h->last_try = 0; | |
337 | ||
8b455685 | 338 | if (!*anchor) |
059ec3d9 PH |
339 | { |
340 | h->next = NULL; | |
341 | *anchor = h; | |
342 | } | |
343 | else | |
344 | { | |
345 | host_item *hh = *anchor; | |
346 | if (h->sort_key < hh->sort_key) | |
347 | { | |
348 | h->next = hh; | |
349 | *anchor = h; | |
350 | } | |
351 | else | |
352 | { | |
8b455685 | 353 | while (hh->next && h->sort_key >= hh->next->sort_key) |
059ec3d9 PH |
354 | hh = hh->next; |
355 | h->next = hh->next; | |
356 | hh->next = h; | |
357 | } | |
358 | } | |
359 | } | |
360 | } | |
361 | ||
362 | ||
363 | ||
364 | ||
365 | ||
366 | /************************************************* | |
367 | * Extract port from address string * | |
368 | *************************************************/ | |
369 | ||
370 | /* In the spool file, and in the -oMa and -oMi options, a host plus port is | |
371 | given as an IP address followed by a dot and a port number. This function | |
372 | decodes this. | |
373 | ||
374 | An alternative format for the -oMa and -oMi options is [ip address]:port which | |
375 | is what Exim 4 uses for output, because it seems to becoming commonly used, | |
376 | whereas the dot form confuses some programs/people. So we recognize that form | |
377 | too. | |
378 | ||
379 | Argument: | |
380 | address points to the string; if there is a port, the '.' in the string | |
381 | is overwritten with zero to terminate the address; if the string | |
382 | is in the [xxx]:ppp format, the address is shifted left and the | |
383 | brackets are removed | |
384 | ||
385 | Returns: 0 if there is no port, else the port number. If there's a syntax | |
386 | error, leave the incoming address alone, and return 0. | |
387 | */ | |
388 | ||
389 | int | |
7cd1141b | 390 | host_address_extract_port(uschar *address) |
059ec3d9 PH |
391 | { |
392 | int port = 0; | |
393 | uschar *endptr; | |
394 | ||
395 | /* Handle the "bracketed with colon on the end" format */ | |
396 | ||
397 | if (*address == '[') | |
398 | { | |
399 | uschar *rb = address + 1; | |
400 | while (*rb != 0 && *rb != ']') rb++; | |
401 | if (*rb++ == 0) return 0; /* Missing ]; leave invalid address */ | |
402 | if (*rb == ':') | |
403 | { | |
404 | port = Ustrtol(rb + 1, &endptr, 10); | |
405 | if (*endptr != 0) return 0; /* Invalid port; leave invalid address */ | |
406 | } | |
407 | else if (*rb != 0) return 0; /* Bad syntax; leave invalid address */ | |
408 | memmove(address, address + 1, rb - address - 2); | |
409 | rb[-2] = 0; | |
410 | } | |
411 | ||
412 | /* Handle the "dot on the end" format */ | |
413 | ||
414 | else | |
415 | { | |
416 | int skip = -3; /* Skip 3 dots in IPv4 addresses */ | |
417 | address--; | |
418 | while (*(++address) != 0) | |
419 | { | |
420 | int ch = *address; | |
421 | if (ch == ':') skip = 0; /* Skip 0 dots in IPv6 addresses */ | |
422 | else if (ch == '.' && skip++ >= 0) break; | |
423 | } | |
424 | if (*address == 0) return 0; | |
425 | port = Ustrtol(address + 1, &endptr, 10); | |
426 | if (*endptr != 0) return 0; /* Invalid port; leave invalid address */ | |
427 | *address = 0; | |
428 | } | |
429 | ||
430 | return port; | |
431 | } | |
432 | ||
433 | ||
7cd1141b PH |
434 | /************************************************* |
435 | * Get port from a host item's name * | |
436 | *************************************************/ | |
437 | ||
438 | /* This function is called when finding the IP address for a host that is in a | |
439 | list of hosts explicitly configured, such as in the manualroute router, or in a | |
440 | fallback hosts list. We see if there is a port specification at the end of the | |
441 | host name, and if so, remove it. A minimum length of 3 is required for the | |
442 | original name; nothing shorter is recognized as having a port. | |
443 | ||
444 | We test for a name ending with a sequence of digits; if preceded by colon we | |
445 | have a port if the character before the colon is ] and the name starts with [ | |
446 | or if there are no other colons in the name (i.e. it's not an IPv6 address). | |
447 | ||
448 | Arguments: pointer to the host item | |
449 | Returns: a port number or PORT_NONE | |
450 | */ | |
451 | ||
452 | int | |
453 | host_item_get_port(host_item *h) | |
454 | { | |
55414b25 | 455 | const uschar *p; |
7cd1141b PH |
456 | int port, x; |
457 | int len = Ustrlen(h->name); | |
458 | ||
459 | if (len < 3 || (p = h->name + len - 1, !isdigit(*p))) return PORT_NONE; | |
460 | ||
461 | /* Extract potential port number */ | |
462 | ||
463 | port = *p-- - '0'; | |
464 | x = 10; | |
465 | ||
466 | while (p > h->name + 1 && isdigit(*p)) | |
467 | { | |
468 | port += (*p-- - '0') * x; | |
469 | x *= 10; | |
470 | } | |
471 | ||
472 | /* The smallest value of p at this point is h->name + 1. */ | |
473 | ||
474 | if (*p != ':') return PORT_NONE; | |
475 | ||
476 | if (p[-1] == ']' && h->name[0] == '[') | |
477 | h->name = string_copyn(h->name + 1, p - h->name - 2); | |
478 | else if (Ustrchr(h->name, ':') == p) | |
479 | h->name = string_copyn(h->name, p - h->name); | |
480 | else return PORT_NONE; | |
481 | ||
482 | DEBUG(D_route|D_host_lookup) debug_printf("host=%s port=%d\n", h->name, port); | |
483 | return port; | |
484 | } | |
485 | ||
486 | ||
059ec3d9 PH |
487 | |
488 | #ifndef STAND_ALONE /* Omit when standalone testing */ | |
489 | ||
490 | /************************************************* | |
491 | * Build sender_fullhost and sender_rcvhost * | |
492 | *************************************************/ | |
493 | ||
494 | /* This function is called when sender_host_name and/or sender_helo_name | |
495 | have been set. Or might have been set - for a local message read off the spool | |
496 | they won't be. In that case, do nothing. Otherwise, set up the fullhost string | |
497 | as follows: | |
498 | ||
499 | (a) No sender_host_name or sender_helo_name: "[ip address]" | |
500 | (b) Just sender_host_name: "host_name [ip address]" | |
82c19f95 PH |
501 | (c) Just sender_helo_name: "(helo_name) [ip address]" unless helo is IP |
502 | in which case: "[ip address}" | |
503 | (d) The two are identical: "host_name [ip address]" includes helo = IP | |
059ec3d9 PH |
504 | (e) The two are different: "host_name (helo_name) [ip address]" |
505 | ||
506 | If log_incoming_port is set, the sending host's port number is added to the IP | |
507 | address. | |
508 | ||
509 | This function also builds sender_rcvhost for use in Received: lines, whose | |
510 | syntax is a bit different. This value also includes the RFC 1413 identity. | |
511 | There wouldn't be two different variables if I had got all this right in the | |
512 | first place. | |
513 | ||
514 | Because this data may survive over more than one incoming SMTP message, it has | |
a5c60e3c JH |
515 | to be in permanent store. However, STARTTLS has to be forgotten and redone |
516 | on a multi-message conn, so this will be called once per message then. Hence | |
517 | we use malloc, so we can free. | |
059ec3d9 PH |
518 | |
519 | Arguments: none | |
520 | Returns: nothing | |
521 | */ | |
522 | ||
523 | void | |
524 | host_build_sender_fullhost(void) | |
525 | { | |
82c19f95 | 526 | BOOL show_helo = TRUE; |
f3ebb786 JH |
527 | uschar * address, * fullhost, * rcvhost; |
528 | rmark reset_point; | |
82c19f95 | 529 | int len; |
059ec3d9 | 530 | |
2d0dc929 | 531 | if (!sender_host_address) return; |
059ec3d9 | 532 | |
f3ebb786 | 533 | reset_point = store_mark(); |
059ec3d9 PH |
534 | |
535 | /* Set up address, with or without the port. After discussion, it seems that | |
536 | the only format that doesn't cause trouble is [aaaa]:pppp. However, we can't | |
537 | use this directly as the first item for Received: because it ain't an RFC 2822 | |
538 | domain. Sigh. */ | |
539 | ||
540 | address = string_sprintf("[%s]:%d", sender_host_address, sender_host_port); | |
6c6d6e48 | 541 | if (!LOGGING(incoming_port) || sender_host_port <= 0) |
059ec3d9 PH |
542 | *(Ustrrchr(address, ':')) = 0; |
543 | ||
82c19f95 PH |
544 | /* If there's no EHLO/HELO data, we can't show it. */ |
545 | ||
2d0dc929 | 546 | if (!sender_helo_name) show_helo = FALSE; |
82c19f95 PH |
547 | |
548 | /* If HELO/EHLO was followed by an IP literal, it's messy because of two | |
549 | features of IPv6. Firstly, there's the "IPv6:" prefix (Exim is liberal and | |
550 | doesn't require this, for historical reasons). Secondly, IPv6 addresses may not | |
4c04137d | 551 | be given in canonical form, so we have to canonicalize them before comparing. As |
82c19f95 PH |
552 | it happens, the code works for both IPv4 and IPv6. */ |
553 | ||
554 | else if (sender_helo_name[0] == '[' && | |
555 | sender_helo_name[(len=Ustrlen(sender_helo_name))-1] == ']') | |
556 | { | |
557 | int offset = 1; | |
558 | uschar *helo_ip; | |
559 | ||
560 | if (strncmpic(sender_helo_name + 1, US"IPv6:", 5) == 0) offset += 5; | |
561 | if (strncmpic(sender_helo_name + 1, US"IPv4:", 5) == 0) offset += 5; | |
562 | ||
563 | helo_ip = string_copyn(sender_helo_name + offset, len - offset - 1); | |
564 | ||
565 | if (string_is_ip_address(helo_ip, NULL) != 0) | |
566 | { | |
567 | int x[4], y[4]; | |
568 | int sizex, sizey; | |
569 | uschar ipx[48], ipy[48]; /* large enough for full IPv6 */ | |
570 | ||
571 | sizex = host_aton(helo_ip, x); | |
572 | sizey = host_aton(sender_host_address, y); | |
573 | ||
574 | (void)host_nmtoa(sizex, x, -1, ipx, ':'); | |
575 | (void)host_nmtoa(sizey, y, -1, ipy, ':'); | |
576 | ||
577 | if (strcmpic(ipx, ipy) == 0) show_helo = FALSE; | |
578 | } | |
579 | } | |
580 | ||
059ec3d9 PH |
581 | /* Host name is not verified */ |
582 | ||
acec9514 | 583 | if (!sender_host_name) |
059ec3d9 PH |
584 | { |
585 | uschar *portptr = Ustrstr(address, "]:"); | |
acec9514 | 586 | gstring * g; |
059ec3d9 PH |
587 | int adlen; /* Sun compiler doesn't like ++ in initializers */ |
588 | ||
acec9514 | 589 | adlen = portptr ? (++portptr - address) : Ustrlen(address); |
a5c60e3c | 590 | fullhost = sender_helo_name |
acec9514 JH |
591 | ? string_sprintf("(%s) %s", sender_helo_name, address) |
592 | : address; | |
059ec3d9 | 593 | |
acec9514 | 594 | g = string_catn(NULL, address, adlen); |
059ec3d9 | 595 | |
2d0dc929 | 596 | if (sender_ident || show_helo || portptr) |
059ec3d9 PH |
597 | { |
598 | int firstptr; | |
acec9514 JH |
599 | g = string_catn(g, US" (", 2); |
600 | firstptr = g->ptr; | |
059ec3d9 | 601 | |
acec9514 JH |
602 | if (portptr) |
603 | g = string_append(g, 2, US"port=", portptr + 1); | |
059ec3d9 | 604 | |
82c19f95 | 605 | if (show_helo) |
acec9514 JH |
606 | g = string_append(g, 2, |
607 | firstptr == g->ptr ? US"helo=" : US" helo=", sender_helo_name); | |
059ec3d9 | 608 | |
acec9514 JH |
609 | if (sender_ident) |
610 | g = string_append(g, 2, | |
611 | firstptr == g->ptr ? US"ident=" : US" ident=", sender_ident); | |
059ec3d9 | 612 | |
acec9514 | 613 | g = string_catn(g, US")", 1); |
059ec3d9 PH |
614 | } |
615 | ||
a5c60e3c | 616 | rcvhost = string_from_gstring(g); |
059ec3d9 PH |
617 | } |
618 | ||
82c19f95 PH |
619 | /* Host name is known and verified. Unless we've already found that the HELO |
620 | data matches the IP address, compare it with the name. */ | |
059ec3d9 PH |
621 | |
622 | else | |
623 | { | |
82c19f95 PH |
624 | if (show_helo && strcmpic(sender_host_name, sender_helo_name) == 0) |
625 | show_helo = FALSE; | |
5dd9625b | 626 | |
82c19f95 | 627 | if (show_helo) |
059ec3d9 | 628 | { |
a5c60e3c | 629 | fullhost = string_sprintf("%s (%s) %s", sender_host_name, |
059ec3d9 | 630 | sender_helo_name, address); |
a5c60e3c JH |
631 | rcvhost = sender_ident |
632 | ? string_sprintf("%s\n\t(%s helo=%s ident=%s)", sender_host_name, | |
633 | address, sender_helo_name, sender_ident) | |
634 | : string_sprintf("%s (%s helo=%s)", sender_host_name, | |
635 | address, sender_helo_name); | |
059ec3d9 | 636 | } |
82c19f95 PH |
637 | else |
638 | { | |
a5c60e3c JH |
639 | fullhost = string_sprintf("%s %s", sender_host_name, address); |
640 | rcvhost = sender_ident | |
641 | ? string_sprintf("%s (%s ident=%s)", sender_host_name, address, | |
642 | sender_ident) | |
643 | : string_sprintf("%s (%s)", sender_host_name, address); | |
82c19f95 | 644 | } |
059ec3d9 PH |
645 | } |
646 | ||
f3ebb786 JH |
647 | sender_fullhost = string_copy_perm(fullhost, TRUE); |
648 | sender_rcvhost = string_copy_perm(rcvhost, TRUE); | |
a5c60e3c JH |
649 | |
650 | store_reset(reset_point); | |
059ec3d9 PH |
651 | |
652 | DEBUG(D_host_lookup) debug_printf("sender_fullhost = %s\n", sender_fullhost); | |
653 | DEBUG(D_host_lookup) debug_printf("sender_rcvhost = %s\n", sender_rcvhost); | |
654 | } | |
655 | ||
656 | ||
657 | ||
658 | /************************************************* | |
659 | * Build host+ident message * | |
660 | *************************************************/ | |
661 | ||
662 | /* Used when logging rejections and various ACL and SMTP incidents. The text | |
663 | return depends on whether sender_fullhost and sender_ident are set or not: | |
664 | ||
665 | no ident, no host => U=unknown | |
666 | no ident, host set => H=sender_fullhost | |
667 | ident set, no host => U=ident | |
668 | ident set, host set => H=sender_fullhost U=ident | |
669 | ||
f3ebb786 JH |
670 | Use taint-unchecked routines on the assumption we'll never expand the results. |
671 | ||
059ec3d9 PH |
672 | Arguments: |
673 | useflag TRUE if first item to be flagged (H= or U=); if there are two | |
674 | items, the second is always flagged | |
675 | ||
676 | Returns: pointer to a string in big_buffer | |
677 | */ | |
678 | ||
679 | uschar * | |
680 | host_and_ident(BOOL useflag) | |
681 | { | |
8b455685 | 682 | if (!sender_fullhost) |
f3ebb786 | 683 | string_format_nt(big_buffer, big_buffer_size, "%s%s", useflag ? "U=" : "", |
8b455685 | 684 | sender_ident ? sender_ident : US"unknown"); |
059ec3d9 PH |
685 | else |
686 | { | |
8b455685 JH |
687 | uschar * flag = useflag ? US"H=" : US""; |
688 | uschar * iface = US""; | |
689 | if (LOGGING(incoming_interface) && interface_address) | |
059ec3d9 | 690 | iface = string_sprintf(" I=[%s]:%d", interface_address, interface_port); |
8b455685 | 691 | if (sender_ident) |
f3ebb786 | 692 | string_format_nt(big_buffer, big_buffer_size, "%s%s%s U=%s", |
059ec3d9 | 693 | flag, sender_fullhost, iface, sender_ident); |
8b455685 | 694 | else |
f3ebb786 | 695 | string_format_nt(big_buffer, big_buffer_size, "%s%s%s", |
8b455685 | 696 | flag, sender_fullhost, iface); |
059ec3d9 PH |
697 | } |
698 | return big_buffer; | |
699 | } | |
700 | ||
701 | #endif /* STAND_ALONE */ | |
702 | ||
703 | ||
704 | ||
705 | ||
706 | /************************************************* | |
707 | * Build list of local interfaces * | |
708 | *************************************************/ | |
709 | ||
710 | /* This function interprets the contents of the local_interfaces or | |
711 | extra_local_interfaces options, and creates an ip_address_item block for each | |
712 | item on the list. There is no special interpretation of any IP addresses; in | |
713 | particular, 0.0.0.0 and ::0 are returned without modification. If any address | |
714 | includes a port, it is set in the block. Otherwise the port value is set to | |
715 | zero. | |
716 | ||
717 | Arguments: | |
718 | list the list | |
719 | name the name of the option being expanded | |
720 | ||
721 | Returns: a chain of ip_address_items, each containing to a textual | |
722 | version of an IP address, and a port number (host order) or | |
723 | zero if no port was given with the address | |
724 | */ | |
725 | ||
726 | ip_address_item * | |
55414b25 | 727 | host_build_ifacelist(const uschar *list, uschar *name) |
059ec3d9 PH |
728 | { |
729 | int sep = 0; | |
730 | uschar *s; | |
b891534f | 731 | ip_address_item * yield = NULL, * last = NULL, * next; |
ba74fb8d | 732 | BOOL taint = is_tainted(list); |
059ec3d9 | 733 | |
b891534f | 734 | while ((s = string_nextinlist(&list, &sep, NULL, 0))) |
059ec3d9 | 735 | { |
7e66e54d | 736 | int ipv; |
7cd1141b | 737 | int port = host_address_extract_port(s); /* Leaves just the IP address */ |
b891534f JH |
738 | |
739 | if (!(ipv = string_is_ip_address(s, NULL))) | |
059ec3d9 PH |
740 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Malformed IP address \"%s\" in %s", |
741 | s, name); | |
742 | ||
7e66e54d PH |
743 | /* Skip IPv6 addresses if IPv6 is disabled. */ |
744 | ||
745 | if (disable_ipv6 && ipv == 6) continue; | |
746 | ||
059ec3d9 PH |
747 | /* This use of strcpy() is OK because we have checked that s is a valid IP |
748 | address above. The field in the ip_address_item is large enough to hold an | |
749 | IPv6 address. */ | |
750 | ||
ba74fb8d | 751 | next = store_get(sizeof(ip_address_item), taint); |
059ec3d9 PH |
752 | next->next = NULL; |
753 | Ustrcpy(next->address, s); | |
754 | next->port = port; | |
755 | next->v6_include_v4 = FALSE; | |
254f38d1 | 756 | next->log = NULL; |
059ec3d9 | 757 | |
b891534f JH |
758 | if (!yield) |
759 | yield = last = next; | |
760 | else | |
059ec3d9 PH |
761 | { |
762 | last->next = next; | |
763 | last = next; | |
764 | } | |
765 | } | |
766 | ||
767 | return yield; | |
768 | } | |
769 | ||
770 | ||
771 | ||
772 | ||
773 | ||
774 | /************************************************* | |
775 | * Find addresses on local interfaces * | |
776 | *************************************************/ | |
777 | ||
778 | /* This function finds the addresses of local IP interfaces. These are used | |
779 | when testing for routing to the local host. As the function may be called more | |
780 | than once, the list is preserved in permanent store, pointed to by a static | |
781 | variable, to save doing the work more than once per process. | |
782 | ||
783 | The generic list of interfaces is obtained by calling host_build_ifacelist() | |
784 | for local_interfaces and extra_local_interfaces. This list scanned to remove | |
785 | duplicates (which may exist with different ports - not relevant here). If | |
786 | either of the wildcard IP addresses (0.0.0.0 and ::0) are encountered, they are | |
787 | replaced by the appropriate (IPv4 or IPv6) list of actual local interfaces, | |
788 | obtained from os_find_running_interfaces(). | |
789 | ||
790 | Arguments: none | |
791 | Returns: a chain of ip_address_items, each containing to a textual | |
792 | version of an IP address; the port numbers are not relevant | |
793 | */ | |
794 | ||
795 | ||
796 | /* First, a local subfunction to add an interface to a list in permanent store, | |
797 | but only if there isn't a previous copy of that address on the list. */ | |
798 | ||
799 | static ip_address_item * | |
800 | add_unique_interface(ip_address_item *list, ip_address_item *ipa) | |
801 | { | |
802 | ip_address_item *ipa2; | |
d7978c0f | 803 | for (ipa2 = list; ipa2; ipa2 = ipa2->next) |
059ec3d9 | 804 | if (Ustrcmp(ipa2->address, ipa->address) == 0) return list; |
f3ebb786 | 805 | ipa2 = store_get_perm(sizeof(ip_address_item), FALSE); |
059ec3d9 PH |
806 | *ipa2 = *ipa; |
807 | ipa2->next = list; | |
808 | return ipa2; | |
809 | } | |
810 | ||
811 | ||
812 | /* This is the globally visible function */ | |
813 | ||
814 | ip_address_item * | |
815 | host_find_interfaces(void) | |
816 | { | |
817 | ip_address_item *running_interfaces = NULL; | |
818 | ||
819 | if (local_interface_data == NULL) | |
820 | { | |
f3ebb786 | 821 | void *reset_item = store_mark(); |
55414b25 | 822 | ip_address_item *dlist = host_build_ifacelist(CUS local_interfaces, |
059ec3d9 | 823 | US"local_interfaces"); |
55414b25 | 824 | ip_address_item *xlist = host_build_ifacelist(CUS extra_local_interfaces, |
059ec3d9 PH |
825 | US"extra_local_interfaces"); |
826 | ip_address_item *ipa; | |
827 | ||
d7978c0f JH |
828 | if (!dlist) dlist = xlist; |
829 | else | |
059ec3d9 | 830 | { |
d7978c0f | 831 | for (ipa = dlist; ipa->next; ipa = ipa->next) ; |
059ec3d9 PH |
832 | ipa->next = xlist; |
833 | } | |
834 | ||
d7978c0f | 835 | for (ipa = dlist; ipa; ipa = ipa->next) |
059ec3d9 PH |
836 | { |
837 | if (Ustrcmp(ipa->address, "0.0.0.0") == 0 || | |
838 | Ustrcmp(ipa->address, "::0") == 0) | |
839 | { | |
059ec3d9 | 840 | BOOL ipv6 = ipa->address[0] == ':'; |
d7978c0f | 841 | if (!running_interfaces) |
059ec3d9 | 842 | running_interfaces = os_find_running_interfaces(); |
d7978c0f | 843 | for (ip_address_item * ipa2 = running_interfaces; ipa2; ipa2 = ipa2->next) |
059ec3d9 PH |
844 | if ((Ustrchr(ipa2->address, ':') != NULL) == ipv6) |
845 | local_interface_data = add_unique_interface(local_interface_data, | |
d7978c0f | 846 | ipa2); |
059ec3d9 PH |
847 | } |
848 | else | |
849 | { | |
850 | local_interface_data = add_unique_interface(local_interface_data, ipa); | |
851 | DEBUG(D_interface) | |
852 | { | |
853 | debug_printf("Configured local interface: address=%s", ipa->address); | |
854 | if (ipa->port != 0) debug_printf(" port=%d", ipa->port); | |
855 | debug_printf("\n"); | |
856 | } | |
857 | } | |
858 | } | |
859 | store_reset(reset_item); | |
860 | } | |
861 | ||
862 | return local_interface_data; | |
863 | } | |
864 | ||
865 | ||
866 | ||
867 | ||
868 | ||
869 | /************************************************* | |
870 | * Convert network IP address to text * | |
871 | *************************************************/ | |
872 | ||
873 | /* Given an IPv4 or IPv6 address in binary, convert it to a text | |
874 | string and return the result in a piece of new store. The address can | |
875 | either be given directly, or passed over in a sockaddr structure. Note | |
876 | that this isn't the converse of host_aton() because of byte ordering | |
877 | differences. See host_nmtoa() below. | |
878 | ||
879 | Arguments: | |
880 | type if < 0 then arg points to a sockaddr, else | |
881 | either AF_INET or AF_INET6 | |
882 | arg points to a sockaddr if type is < 0, or | |
883 | points to an IPv4 address (32 bits), or | |
884 | points to an IPv6 address (128 bits), | |
885 | in both cases, in network byte order | |
886 | buffer if NULL, the result is returned in gotten store; | |
887 | else points to a buffer to hold the answer | |
888 | portptr points to where to put the port number, if non NULL; only | |
889 | used when type < 0 | |
890 | ||
891 | Returns: pointer to character string | |
892 | */ | |
893 | ||
894 | uschar * | |
895 | host_ntoa(int type, const void *arg, uschar *buffer, int *portptr) | |
896 | { | |
897 | uschar *yield; | |
898 | ||
899 | /* The new world. It is annoying that we have to fish out the address from | |
900 | different places in the block, depending on what kind of address it is. It | |
901 | is also a pain that inet_ntop() returns a const uschar *, whereas the IPv4 | |
902 | function inet_ntoa() returns just uschar *, and some picky compilers insist | |
903 | on warning if one assigns a const uschar * to a uschar *. Hence the casts. */ | |
904 | ||
905 | #if HAVE_IPV6 | |
906 | uschar addr_buffer[46]; | |
907 | if (type < 0) | |
908 | { | |
909 | int family = ((struct sockaddr *)arg)->sa_family; | |
910 | if (family == AF_INET6) | |
911 | { | |
912 | struct sockaddr_in6 *sk = (struct sockaddr_in6 *)arg; | |
5903c6ff | 913 | yield = US inet_ntop(family, &(sk->sin6_addr), CS addr_buffer, |
059ec3d9 PH |
914 | sizeof(addr_buffer)); |
915 | if (portptr != NULL) *portptr = ntohs(sk->sin6_port); | |
916 | } | |
917 | else | |
918 | { | |
919 | struct sockaddr_in *sk = (struct sockaddr_in *)arg; | |
5903c6ff | 920 | yield = US inet_ntop(family, &(sk->sin_addr), CS addr_buffer, |
059ec3d9 PH |
921 | sizeof(addr_buffer)); |
922 | if (portptr != NULL) *portptr = ntohs(sk->sin_port); | |
923 | } | |
924 | } | |
925 | else | |
926 | { | |
5903c6ff | 927 | yield = US inet_ntop(type, arg, CS addr_buffer, sizeof(addr_buffer)); |
059ec3d9 PH |
928 | } |
929 | ||
930 | /* If the result is a mapped IPv4 address, show it in V4 format. */ | |
931 | ||
932 | if (Ustrncmp(yield, "::ffff:", 7) == 0) yield += 7; | |
933 | ||
934 | #else /* HAVE_IPV6 */ | |
935 | ||
936 | /* The old world */ | |
937 | ||
938 | if (type < 0) | |
939 | { | |
940 | yield = US inet_ntoa(((struct sockaddr_in *)arg)->sin_addr); | |
941 | if (portptr != NULL) *portptr = ntohs(((struct sockaddr_in *)arg)->sin_port); | |
942 | } | |
943 | else | |
944 | yield = US inet_ntoa(*((struct in_addr *)arg)); | |
945 | #endif | |
946 | ||
947 | /* If there is no buffer, put the string into some new store. */ | |
948 | ||
f8d78f74 | 949 | if (!buffer) buffer = store_get(46, FALSE); |
059ec3d9 PH |
950 | |
951 | /* Callers of this function with a non-NULL buffer must ensure that it is | |
952 | large enough to hold an IPv6 address, namely, at least 46 bytes. That's what | |
f8d78f74 JH |
953 | makes this use of strcpy() OK. |
954 | If the library returned apparently an apparently tainted string, clean it; | |
955 | we trust IP addresses. */ | |
059ec3d9 | 956 | |
f8d78f74 | 957 | string_format_nt(buffer, 46, "%s", yield); |
059ec3d9 PH |
958 | return buffer; |
959 | } | |
960 | ||
961 | ||
962 | ||
963 | ||
964 | /************************************************* | |
965 | * Convert address text to binary * | |
966 | *************************************************/ | |
967 | ||
968 | /* Given the textual form of an IP address, convert it to binary in an | |
969 | array of ints. IPv4 addresses occupy one int; IPv6 addresses occupy 4 ints. | |
970 | The result has the first byte in the most significant byte of the first int. In | |
971 | other words, the result is not in network byte order, but in host byte order. | |
972 | As a result, this is not the converse of host_ntoa(), which expects network | |
973 | byte order. See host_nmtoa() below. | |
974 | ||
975 | Arguments: | |
976 | address points to the textual address, checked for syntax | |
977 | bin points to an array of 4 ints | |
978 | ||
979 | Returns: the number of ints used | |
980 | */ | |
981 | ||
982 | int | |
55414b25 | 983 | host_aton(const uschar *address, int *bin) |
059ec3d9 PH |
984 | { |
985 | int x[4]; | |
986 | int v4offset = 0; | |
987 | ||
8e669ac1 | 988 | /* Handle IPv6 address, which may end with an IPv4 address. It may also end |
7e634d24 PH |
989 | with a "scope", introduced by a percent sign. This code is NOT enclosed in #if |
990 | HAVE_IPV6 in order that IPv6 addresses are recognized even if IPv6 is not | |
991 | supported. */ | |
059ec3d9 PH |
992 | |
993 | if (Ustrchr(address, ':') != NULL) | |
994 | { | |
55414b25 JH |
995 | const uschar *p = address; |
996 | const uschar *component[8]; | |
059ec3d9 PH |
997 | BOOL ipv4_ends = FALSE; |
998 | int ci = 0; | |
999 | int nulloffset = 0; | |
1000 | int v6count = 8; | |
1001 | int i; | |
1002 | ||
1003 | /* If the address starts with a colon, it will start with two colons. | |
1004 | Just lose the first one, which will leave a null first component. */ | |
8e669ac1 | 1005 | |
059ec3d9 PH |
1006 | if (*p == ':') p++; |
1007 | ||
8e669ac1 PH |
1008 | /* Split the address into components separated by colons. The input address |
1009 | is supposed to be checked for syntax. There was a case where this was | |
1010 | overlooked; to guard against that happening again, check here and crash if | |
7e634d24 | 1011 | there are too many components. */ |
059ec3d9 | 1012 | |
7e634d24 | 1013 | while (*p != 0 && *p != '%') |
059ec3d9 | 1014 | { |
7e634d24 | 1015 | int len = Ustrcspn(p, ":%"); |
059ec3d9 | 1016 | if (len == 0) nulloffset = ci; |
8e669ac1 | 1017 | if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE, |
b975ba52 | 1018 | "Internal error: invalid IPv6 address \"%s\" passed to host_aton()", |
8e669ac1 | 1019 | address); |
059ec3d9 PH |
1020 | component[ci++] = p; |
1021 | p += len; | |
1022 | if (*p == ':') p++; | |
1023 | } | |
1024 | ||
1025 | /* If the final component contains a dot, it is a trailing v4 address. | |
1026 | As the syntax is known to be checked, just set up for a trailing | |
1027 | v4 address and restrict the v6 part to 6 components. */ | |
1028 | ||
1029 | if (Ustrchr(component[ci-1], '.') != NULL) | |
1030 | { | |
1031 | address = component[--ci]; | |
1032 | ipv4_ends = TRUE; | |
1033 | v4offset = 3; | |
1034 | v6count = 6; | |
1035 | } | |
1036 | ||
1037 | /* If there are fewer than 6 or 8 components, we have to insert some | |
1038 | more empty ones in the middle. */ | |
1039 | ||
1040 | if (ci < v6count) | |
1041 | { | |
1042 | int insert_count = v6count - ci; | |
1043 | for (i = v6count-1; i > nulloffset + insert_count; i--) | |
1044 | component[i] = component[i - insert_count]; | |
1045 | while (i > nulloffset) component[i--] = US""; | |
1046 | } | |
1047 | ||
1048 | /* Now turn the components into binary in pairs and bung them | |
1049 | into the vector of ints. */ | |
1050 | ||
1051 | for (i = 0; i < v6count; i += 2) | |
1052 | bin[i/2] = (Ustrtol(component[i], NULL, 16) << 16) + | |
1053 | Ustrtol(component[i+1], NULL, 16); | |
1054 | ||
1055 | /* If there was no terminating v4 component, we are done. */ | |
1056 | ||
1057 | if (!ipv4_ends) return 4; | |
1058 | } | |
1059 | ||
1060 | /* Handle IPv4 address */ | |
1061 | ||
ff790e47 | 1062 | (void)sscanf(CS address, "%d.%d.%d.%d", x, x+1, x+2, x+3); |
13559da6 | 1063 | bin[v4offset] = ((uint)x[0] << 24) + (x[1] << 16) + (x[2] << 8) + x[3]; |
059ec3d9 PH |
1064 | return v4offset+1; |
1065 | } | |
1066 | ||
1067 | ||
1068 | /************************************************* | |
1069 | * Apply mask to an IP address * | |
1070 | *************************************************/ | |
1071 | ||
1072 | /* Mask an address held in 1 or 4 ints, with the ms bit in the ms bit of the | |
1073 | first int, etc. | |
1074 | ||
1075 | Arguments: | |
1076 | count the number of ints | |
1077 | binary points to the ints to be masked | |
1078 | mask the count of ms bits to leave, or -1 if no masking | |
1079 | ||
1080 | Returns: nothing | |
1081 | */ | |
1082 | ||
1083 | void | |
1084 | host_mask(int count, int *binary, int mask) | |
1085 | { | |
059ec3d9 | 1086 | if (mask < 0) mask = 99999; |
d7978c0f | 1087 | for (int i = 0; i < count; i++) |
059ec3d9 PH |
1088 | { |
1089 | int wordmask; | |
1090 | if (mask == 0) wordmask = 0; | |
1091 | else if (mask < 32) | |
1092 | { | |
13559da6 | 1093 | wordmask = (uint)(-1) << (32 - mask); |
059ec3d9 PH |
1094 | mask = 0; |
1095 | } | |
1096 | else | |
1097 | { | |
1098 | wordmask = -1; | |
1099 | mask -= 32; | |
1100 | } | |
1101 | binary[i] &= wordmask; | |
1102 | } | |
1103 | } | |
1104 | ||
1105 | ||
1106 | ||
1107 | ||
1108 | /************************************************* | |
1109 | * Convert masked IP address in ints to text * | |
1110 | *************************************************/ | |
1111 | ||
1112 | /* We can't use host_ntoa() because it assumes the binary values are in network | |
1113 | byte order, and these are the result of host_aton(), which puts them in ints in | |
1114 | host byte order. Also, we really want IPv6 addresses to be in a canonical | |
6f0c9a4f PH |
1115 | format, so we output them with no abbreviation. In a number of cases we can't |
1116 | use the normal colon separator in them because it terminates keys in lsearch | |
8e669ac1 | 1117 | files, so we want to use dot instead. There's an argument that specifies what |
6f0c9a4f | 1118 | to use for IPv6 addresses. |
059ec3d9 PH |
1119 | |
1120 | Arguments: | |
1121 | count 1 or 4 (number of ints) | |
1122 | binary points to the ints | |
1123 | mask mask value; if < 0 don't add to result | |
1124 | buffer big enough to hold the result | |
8e669ac1 | 1125 | sep component separator character for IPv6 addresses |
059ec3d9 PH |
1126 | |
1127 | Returns: the number of characters placed in buffer, not counting | |
1128 | the final nul. | |
1129 | */ | |
1130 | ||
1131 | int | |
6f0c9a4f | 1132 | host_nmtoa(int count, int *binary, int mask, uschar *buffer, int sep) |
059ec3d9 | 1133 | { |
d7978c0f | 1134 | int j; |
059ec3d9 PH |
1135 | uschar *tt = buffer; |
1136 | ||
1137 | if (count == 1) | |
1138 | { | |
1139 | j = binary[0]; | |
d7978c0f | 1140 | for (int i = 24; i >= 0; i -= 8) |
fc4a7f70 | 1141 | tt += sprintf(CS tt, "%d.", (j >> i) & 255); |
059ec3d9 PH |
1142 | } |
1143 | else | |
d7978c0f | 1144 | for (int i = 0; i < 4; i++) |
059ec3d9 PH |
1145 | { |
1146 | j = binary[i]; | |
fc4a7f70 | 1147 | tt += sprintf(CS tt, "%04x%c%04x%c", (j >> 16) & 0xffff, sep, j & 0xffff, sep); |
059ec3d9 | 1148 | } |
059ec3d9 | 1149 | |
6f0c9a4f | 1150 | tt--; /* lose final separator */ |
059ec3d9 PH |
1151 | |
1152 | if (mask < 0) | |
1153 | *tt = 0; | |
1154 | else | |
5976eb99 | 1155 | tt += sprintf(CS tt, "/%d", mask); |
059ec3d9 PH |
1156 | |
1157 | return tt - buffer; | |
1158 | } | |
1159 | ||
1160 | ||
fc4a7f70 JH |
1161 | /* Like host_nmtoa() but: ipv6-only, canonical output, no mask |
1162 | ||
1163 | Arguments: | |
1164 | binary points to the ints | |
1165 | buffer big enough to hold the result | |
1166 | ||
1167 | Returns: the number of characters placed in buffer, not counting | |
1168 | the final nul. | |
1169 | */ | |
1170 | ||
1171 | int | |
1172 | ipv6_nmtoa(int * binary, uschar * buffer) | |
1173 | { | |
1174 | int i, j, k; | |
1175 | uschar * c = buffer; | |
39755c16 | 1176 | uschar * d = NULL; /* shut insufficiently "clever" compiler up */ |
fc4a7f70 JH |
1177 | |
1178 | for (i = 0; i < 4; i++) | |
1179 | { /* expand to text */ | |
1180 | j = binary[i]; | |
1181 | c += sprintf(CS c, "%x:%x:", (j >> 16) & 0xffff, j & 0xffff); | |
1182 | } | |
1183 | ||
1184 | for (c = buffer, k = -1, i = 0; i < 8; i++) | |
1185 | { /* find longest 0-group sequence */ | |
1186 | if (*c == '0') /* must be "0:" */ | |
1187 | { | |
1188 | uschar * s = c; | |
1189 | j = i; | |
1190 | while (c[2] == '0') i++, c += 2; | |
1191 | if (i-j > k) | |
1192 | { | |
1193 | k = i-j; /* length of sequence */ | |
1194 | d = s; /* start of sequence */ | |
1195 | } | |
1196 | } | |
1197 | while (*++c != ':') ; | |
1198 | c++; | |
1199 | } | |
1200 | ||
1201 | c[-1] = '\0'; /* drop trailing colon */ | |
1202 | ||
1203 | /* debug_printf("%s: D k %d <%s> <%s>\n", __FUNCTION__, k, d, d + 2*(k+1)); */ | |
1204 | if (k >= 0) | |
1205 | { /* collapse */ | |
1206 | c = d + 2*(k+1); | |
1207 | if (d == buffer) c--; /* need extra colon */ | |
1208 | *d++ = ':'; /* 1st 0 */ | |
39755c16 | 1209 | while ((*d++ = *c++)) ; |
fc4a7f70 JH |
1210 | } |
1211 | else | |
1212 | d = c; | |
1213 | ||
1214 | return d - buffer; | |
1215 | } | |
1216 | ||
1217 | ||
059ec3d9 PH |
1218 | |
1219 | /************************************************* | |
1220 | * Check port for tls_on_connect * | |
1221 | *************************************************/ | |
1222 | ||
1223 | /* This function checks whether a given incoming port is configured for tls- | |
1224 | on-connect. It is called from the daemon and from inetd handling. If the global | |
1225 | option tls_on_connect is already set, all ports operate this way. Otherwise, we | |
1226 | check the tls_on_connect_ports option for a list of ports. | |
1227 | ||
1228 | Argument: a port number | |
1229 | Returns: TRUE or FALSE | |
1230 | */ | |
1231 | ||
1232 | BOOL | |
1233 | host_is_tls_on_connect_port(int port) | |
1234 | { | |
1235 | int sep = 0; | |
1236 | uschar buffer[32]; | |
55414b25 | 1237 | const uschar *list = tls_in.on_connect_ports; |
059ec3d9 | 1238 | uschar *s; |
071c51f7 | 1239 | uschar *end; |
059ec3d9 | 1240 | |
817d9f57 | 1241 | if (tls_in.on_connect) return TRUE; |
059ec3d9 | 1242 | |
071c51f7 JH |
1243 | while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer)))) |
1244 | if (Ustrtol(s, &end, 10) == port) | |
1245 | return TRUE; | |
059ec3d9 PH |
1246 | |
1247 | return FALSE; | |
1248 | } | |
1249 | ||
1250 | ||
1251 | ||
1252 | /************************************************* | |
1253 | * Check whether host is in a network * | |
1254 | *************************************************/ | |
1255 | ||
1256 | /* This function checks whether a given IP address matches a pattern that | |
1257 | represents either a single host, or a network (using CIDR notation). The caller | |
1258 | of this function must check the syntax of the arguments before calling it. | |
1259 | ||
1260 | Arguments: | |
1261 | host string representation of the ip-address to check | |
1262 | net string representation of the network, with optional CIDR mask | |
1263 | maskoffset offset to the / that introduces the mask in the key | |
1264 | zero if there is no mask | |
1265 | ||
1266 | Returns: | |
1267 | TRUE the host is inside the network | |
1268 | FALSE the host is NOT inside the network | |
1269 | */ | |
1270 | ||
1271 | BOOL | |
55414b25 | 1272 | host_is_in_net(const uschar *host, const uschar *net, int maskoffset) |
059ec3d9 | 1273 | { |
059ec3d9 PH |
1274 | int address[4]; |
1275 | int incoming[4]; | |
1276 | int mlen; | |
1277 | int size = host_aton(net, address); | |
1278 | int insize; | |
1279 | ||
1280 | /* No mask => all bits to be checked */ | |
1281 | ||
1282 | if (maskoffset == 0) mlen = 99999; /* Big number */ | |
1283 | else mlen = Uatoi(net + maskoffset + 1); | |
1284 | ||
1285 | /* Convert the incoming address to binary. */ | |
1286 | ||
1287 | insize = host_aton(host, incoming); | |
1288 | ||
1289 | /* Convert IPv4 addresses given in IPv6 compatible mode, which represent | |
1290 | connections from IPv4 hosts to IPv6 hosts, that is, addresses of the form | |
1291 | ::ffff:<v4address>, to IPv4 format. */ | |
1292 | ||
1293 | if (insize == 4 && incoming[0] == 0 && incoming[1] == 0 && | |
1294 | incoming[2] == 0xffff) | |
1295 | { | |
1296 | insize = 1; | |
1297 | incoming[0] = incoming[3]; | |
1298 | } | |
1299 | ||
1300 | /* No match if the sizes don't agree. */ | |
1301 | ||
1302 | if (insize != size) return FALSE; | |
1303 | ||
1304 | /* Else do the masked comparison. */ | |
1305 | ||
d7978c0f | 1306 | for (int i = 0; i < size; i++) |
059ec3d9 PH |
1307 | { |
1308 | int mask; | |
1309 | if (mlen == 0) mask = 0; | |
1310 | else if (mlen < 32) | |
1311 | { | |
13559da6 | 1312 | mask = (uint)(-1) << (32 - mlen); |
059ec3d9 PH |
1313 | mlen = 0; |
1314 | } | |
1315 | else | |
1316 | { | |
1317 | mask = -1; | |
1318 | mlen -= 32; | |
1319 | } | |
1320 | if ((incoming[i] & mask) != (address[i] & mask)) return FALSE; | |
1321 | } | |
1322 | ||
1323 | return TRUE; | |
1324 | } | |
1325 | ||
1326 | ||
1327 | ||
1328 | /************************************************* | |
1329 | * Scan host list for local hosts * | |
1330 | *************************************************/ | |
1331 | ||
1332 | /* Scan through a chain of addresses and check whether any of them is the | |
1333 | address of an interface on the local machine. If so, remove that address and | |
1334 | any previous ones with the same MX value, and all subsequent ones (which will | |
1335 | have greater or equal MX values) from the chain. Note: marking them as unusable | |
1336 | is NOT the right thing to do because it causes the hosts not to be used for | |
1337 | other domains, for which they may well be correct. | |
1338 | ||
1339 | The hosts may be part of a longer chain; we only process those between the | |
1340 | initial pointer and the "last" pointer. | |
1341 | ||
1342 | There is also a list of "pseudo-local" host names which are checked against the | |
1343 | host names. Any match causes that host item to be treated the same as one which | |
1344 | matches a local IP address. | |
1345 | ||
1346 | If the very first host is a local host, then all MX records had a precedence | |
1347 | greater than or equal to that of the local host. Either there's a problem in | |
1348 | the DNS, or an apparently remote name turned out to be an abbreviation for the | |
1349 | local host. Give a specific return code, and let the caller decide what to do. | |
1350 | Otherwise, give a success code if at least one host address has been found. | |
1351 | ||
1352 | Arguments: | |
1353 | host pointer to the first host in the chain | |
1354 | lastptr pointer to pointer to the last host in the chain (may be updated) | |
1355 | removed if not NULL, set TRUE if some local addresses were removed | |
1356 | from the list | |
1357 | ||
1358 | Returns: | |
1359 | HOST_FOUND if there is at least one host with an IP address on the chain | |
1360 | and an MX value less than any MX value associated with the | |
1361 | local host | |
1362 | HOST_FOUND_LOCAL if a local host is among the lowest-numbered MX hosts; when | |
1363 | the host addresses were obtained from A records or | |
1364 | gethostbyname(), the MX values are set to -1. | |
1365 | HOST_FIND_FAILED if no valid hosts with set IP addresses were found | |
1366 | */ | |
1367 | ||
1368 | int | |
1369 | host_scan_for_local_hosts(host_item *host, host_item **lastptr, BOOL *removed) | |
1370 | { | |
1371 | int yield = HOST_FIND_FAILED; | |
1372 | host_item *last = *lastptr; | |
1373 | host_item *prev = NULL; | |
1374 | host_item *h; | |
1375 | ||
1376 | if (removed != NULL) *removed = FALSE; | |
1377 | ||
1378 | if (local_interface_data == NULL) local_interface_data = host_find_interfaces(); | |
1379 | ||
1380 | for (h = host; h != last->next; h = h->next) | |
1381 | { | |
1382 | #ifndef STAND_ALONE | |
1383 | if (hosts_treat_as_local != NULL) | |
1384 | { | |
1385 | int rc; | |
55414b25 | 1386 | const uschar *save = deliver_domain; |
059ec3d9 | 1387 | deliver_domain = h->name; /* set $domain */ |
55414b25 | 1388 | rc = match_isinlist(string_copylc(h->name), CUSS &hosts_treat_as_local, 0, |
059ec3d9 PH |
1389 | &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL); |
1390 | deliver_domain = save; | |
1391 | if (rc == OK) goto FOUND_LOCAL; | |
1392 | } | |
1393 | #endif | |
1394 | ||
1395 | /* It seems that on many operating systems, 0.0.0.0 is treated as a synonym | |
1396 | for 127.0.0.1 and refers to the local host. We therefore force it always to | |
1397 | be treated as local. */ | |
1398 | ||
1399 | if (h->address != NULL) | |
1400 | { | |
059ec3d9 | 1401 | if (Ustrcmp(h->address, "0.0.0.0") == 0) goto FOUND_LOCAL; |
d7978c0f | 1402 | for (ip_address_item * ip = local_interface_data; ip; ip = ip->next) |
059ec3d9 PH |
1403 | if (Ustrcmp(h->address, ip->address) == 0) goto FOUND_LOCAL; |
1404 | yield = HOST_FOUND; /* At least one remote address has been found */ | |
1405 | } | |
1406 | ||
1407 | /* Update prev to point to the last host item before any that have | |
1408 | the same MX value as the one we have just considered. */ | |
1409 | ||
1410 | if (h->next == NULL || h->next->mx != h->mx) prev = h; | |
1411 | } | |
1412 | ||
1413 | return yield; /* No local hosts found: return HOST_FOUND or HOST_FIND_FAILED */ | |
1414 | ||
1415 | /* A host whose IP address matches a local IP address, or whose name matches | |
1416 | something in hosts_treat_as_local has been found. */ | |
1417 | ||
1418 | FOUND_LOCAL: | |
1419 | ||
1420 | if (prev == NULL) | |
1421 | { | |
1422 | HDEBUG(D_host_lookup) debug_printf((h->mx >= 0)? | |
1423 | "local host has lowest MX\n" : | |
1424 | "local host found for non-MX address\n"); | |
1425 | return HOST_FOUND_LOCAL; | |
1426 | } | |
1427 | ||
1428 | HDEBUG(D_host_lookup) | |
1429 | { | |
1430 | debug_printf("local host in host list - removed hosts:\n"); | |
1431 | for (h = prev->next; h != last->next; h = h->next) | |
1432 | debug_printf(" %s %s %d\n", h->name, h->address, h->mx); | |
1433 | } | |
1434 | ||
1435 | if (removed != NULL) *removed = TRUE; | |
1436 | prev->next = last->next; | |
1437 | *lastptr = prev; | |
1438 | return yield; | |
1439 | } | |
1440 | ||
1441 | ||
1442 | ||
1443 | ||
1444 | /************************************************* | |
1445 | * Remove duplicate IPs in host list * | |
1446 | *************************************************/ | |
1447 | ||
1448 | /* You would think that administrators could set up their DNS records so that | |
1449 | one ended up with a list of unique IP addresses after looking up A or MX | |
1450 | records, but apparently duplication is common. So we scan such lists and | |
1451 | remove the later duplicates. Note that we may get lists in which some host | |
1452 | addresses are not set. | |
1453 | ||
1454 | Arguments: | |
1455 | host pointer to the first host in the chain | |
1456 | lastptr pointer to pointer to the last host in the chain (may be updated) | |
1457 | ||
1458 | Returns: nothing | |
1459 | */ | |
1460 | ||
1461 | static void | |
1462 | host_remove_duplicates(host_item *host, host_item **lastptr) | |
1463 | { | |
1464 | while (host != *lastptr) | |
1465 | { | |
1466 | if (host->address != NULL) | |
1467 | { | |
1468 | host_item *h = host; | |
1469 | while (h != *lastptr) | |
1470 | { | |
1471 | if (h->next->address != NULL && | |
1472 | Ustrcmp(h->next->address, host->address) == 0) | |
1473 | { | |
1474 | DEBUG(D_host_lookup) debug_printf("duplicate IP address %s (MX=%d) " | |
1475 | "removed\n", host->address, h->next->mx); | |
1476 | if (h->next == *lastptr) *lastptr = h; | |
1477 | h->next = h->next->next; | |
1478 | } | |
1479 | else h = h->next; | |
1480 | } | |
1481 | } | |
1482 | /* If the last item was removed, host may have become == *lastptr */ | |
1483 | if (host != *lastptr) host = host->next; | |
1484 | } | |
1485 | } | |
1486 | ||
1487 | ||
1488 | ||
1489 | ||
1490 | /************************************************* | |
1491 | * Find sender host name by gethostbyaddr() * | |
1492 | *************************************************/ | |
1493 | ||
1494 | /* This used to be the only way it was done, but it turns out that not all | |
1495 | systems give aliases for calls to gethostbyaddr() - or one of the modern | |
1496 | equivalents like getipnodebyaddr(). Fortunately, multiple PTR records are rare, | |
1497 | but they can still exist. This function is now used only when a DNS lookup of | |
1498 | the IP address fails, in order to give access to /etc/hosts. | |
1499 | ||
1500 | Arguments: none | |
1501 | Returns: OK, DEFER, FAIL | |
1502 | */ | |
1503 | ||
1504 | static int | |
1505 | host_name_lookup_byaddr(void) | |
1506 | { | |
d70fc283 | 1507 | struct hostent * hosts; |
059ec3d9 | 1508 | struct in_addr addr; |
f2cb6292 | 1509 | unsigned long time_msec = 0; /* init to quieten dumb static analysis */ |
846430d9 JH |
1510 | |
1511 | if (slow_lookup_log) time_msec = get_time_in_ms(); | |
059ec3d9 PH |
1512 | |
1513 | /* Lookup on IPv6 system */ | |
1514 | ||
1515 | #if HAVE_IPV6 | |
1516 | if (Ustrchr(sender_host_address, ':') != NULL) | |
1517 | { | |
1518 | struct in6_addr addr6; | |
1519 | if (inet_pton(AF_INET6, CS sender_host_address, &addr6) != 1) | |
1520 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to parse \"%s\" as an " | |
1521 | "IPv6 address", sender_host_address); | |
1522 | #if HAVE_GETIPNODEBYADDR | |
1523 | hosts = getipnodebyaddr(CS &addr6, sizeof(addr6), AF_INET6, &h_errno); | |
1524 | #else | |
1525 | hosts = gethostbyaddr(CS &addr6, sizeof(addr6), AF_INET6); | |
1526 | #endif | |
1527 | } | |
1528 | else | |
1529 | { | |
1530 | if (inet_pton(AF_INET, CS sender_host_address, &addr) != 1) | |
1531 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to parse \"%s\" as an " | |
1532 | "IPv4 address", sender_host_address); | |
1533 | #if HAVE_GETIPNODEBYADDR | |
1534 | hosts = getipnodebyaddr(CS &addr, sizeof(addr), AF_INET, &h_errno); | |
1535 | #else | |
1536 | hosts = gethostbyaddr(CS &addr, sizeof(addr), AF_INET); | |
1537 | #endif | |
1538 | } | |
1539 | ||
1540 | /* Do lookup on IPv4 system */ | |
1541 | ||
1542 | #else | |
1543 | addr.s_addr = (S_ADDR_TYPE)inet_addr(CS sender_host_address); | |
1544 | hosts = gethostbyaddr(CS(&addr), sizeof(addr), AF_INET); | |
1545 | #endif | |
1546 | ||
846430d9 JH |
1547 | if ( slow_lookup_log |
1548 | && (time_msec = get_time_in_ms() - time_msec) > slow_lookup_log | |
1549 | ) | |
30795c5e | 1550 | log_long_lookup(US"gethostbyaddr", sender_host_address, time_msec); |
846430d9 | 1551 | |
059ec3d9 PH |
1552 | /* Failed to look up the host. */ |
1553 | ||
f3ebb786 | 1554 | if (!hosts) |
059ec3d9 PH |
1555 | { |
1556 | HDEBUG(D_host_lookup) debug_printf("IP address lookup failed: h_errno=%d\n", | |
1557 | h_errno); | |
1558 | return (h_errno == TRY_AGAIN || h_errno == NO_RECOVERY) ? DEFER : FAIL; | |
1559 | } | |
1560 | ||
1561 | /* It seems there are some records in the DNS that yield an empty name. We | |
1562 | treat this as non-existent. In some operating systems, this is returned as an | |
1563 | empty string; in others as a single dot. */ | |
1564 | ||
f3ebb786 | 1565 | if (!hosts->h_name || !hosts->h_name[0] || hosts->h_name[0] == '.') |
059ec3d9 PH |
1566 | { |
1567 | HDEBUG(D_host_lookup) debug_printf("IP address lookup yielded an empty name: " | |
1568 | "treated as non-existent host name\n"); | |
1569 | return FAIL; | |
1570 | } | |
1571 | ||
1572 | /* Copy and lowercase the name, which is in static storage in many systems. | |
1573 | Put it in permanent memory. */ | |
1574 | ||
f3ebb786 JH |
1575 | { |
1576 | int old_pool = store_pool; | |
1577 | store_pool = POOL_TAINT_PERM; /* names are tainted */ | |
059ec3d9 | 1578 | |
f3ebb786 | 1579 | sender_host_name = string_copylc(US hosts->h_name); |
059ec3d9 | 1580 | |
f3ebb786 JH |
1581 | /* If the host has aliases, build a copy of the alias list */ |
1582 | ||
1583 | if (hosts->h_aliases) | |
059ec3d9 | 1584 | { |
f3ebb786 JH |
1585 | int count = 1; |
1586 | uschar **ptr; | |
1587 | ||
1588 | for (uschar ** aliases = USS hosts->h_aliases; *aliases; aliases++) count++; | |
1589 | store_pool = POOL_PERM; | |
1590 | ptr = sender_host_aliases = store_get(count * sizeof(uschar *), FALSE); | |
1591 | store_pool = POOL_TAINT_PERM; | |
1592 | ||
1593 | for (uschar ** aliases = USS hosts->h_aliases; *aliases; aliases++) | |
1594 | *ptr++ = string_copylc(*aliases); | |
1595 | *ptr = NULL; | |
059ec3d9 | 1596 | } |
f3ebb786 | 1597 | store_pool = old_pool; |
059ec3d9 PH |
1598 | } |
1599 | ||
1600 | return OK; | |
1601 | } | |
1602 | ||
1603 | ||
1604 | ||
1605 | /************************************************* | |
1606 | * Find host name for incoming call * | |
1607 | *************************************************/ | |
1608 | ||
1609 | /* Put the name in permanent store, pointed to by sender_host_name. We also set | |
1610 | up a list of alias names, pointed to by sender_host_alias. The list is | |
1611 | NULL-terminated. The incoming address is in sender_host_address, either in | |
1612 | dotted-quad form for IPv4 or in colon-separated form for IPv6. | |
1613 | ||
1614 | This function does a thorough check that the names it finds point back to the | |
1615 | incoming IP address. Any that do not are discarded. Note that this is relied on | |
1616 | by the ACL reverse_host_lookup check. | |
1617 | ||
1618 | On some systems, get{host,ipnode}byaddr() appears to do this internally, but | |
1619 | this it not universally true. Also, for release 4.30, this function was changed | |
1620 | to do a direct DNS lookup first, by default[1], because it turns out that that | |
1621 | is the only guaranteed way to find all the aliases on some systems. My | |
1622 | experiments indicate that Solaris gethostbyaddr() gives the aliases for but | |
1623 | Linux does not. | |
1624 | ||
1625 | [1] The actual order is controlled by the host_lookup_order option. | |
1626 | ||
1627 | Arguments: none | |
1628 | Returns: OK on success, the answer being placed in the global variable | |
1629 | sender_host_name, with any aliases in a list hung off | |
1630 | sender_host_aliases | |
1631 | FAIL if no host name can be found | |
1632 | DEFER if a temporary error was encountered | |
1633 | ||
4c04137d | 1634 | The variable host_lookup_msg is set to an empty string on success, or to a |
059ec3d9 | 1635 | reason for the failure otherwise, in a form suitable for tagging onto an error |
8e669ac1 | 1636 | message, and also host_lookup_failed is set TRUE if the lookup failed. If there |
b08b24c8 PH |
1637 | was a defer, host_lookup_deferred is set TRUE. |
1638 | ||
1639 | Any dynamically constructed string for host_lookup_msg must be in permanent | |
1640 | store, because it might be used for several incoming messages on the same SMTP | |
059ec3d9 PH |
1641 | connection. */ |
1642 | ||
1643 | int | |
1644 | host_name_lookup(void) | |
1645 | { | |
1646 | int old_pool, rc; | |
1647 | int sep = 0; | |
d7978c0f | 1648 | uschar *save_hostname; |
059ec3d9 | 1649 | uschar **aliases; |
059ec3d9 | 1650 | uschar *ordername; |
55414b25 | 1651 | const uschar *list = host_lookup_order; |
8743d3ac | 1652 | dns_answer * dnsa = store_get_dns_answer(); |
059ec3d9 PH |
1653 | dns_scan dnss; |
1654 | ||
1f4a55da | 1655 | sender_host_dnssec = host_lookup_deferred = host_lookup_failed = FALSE; |
b08b24c8 | 1656 | |
059ec3d9 PH |
1657 | HDEBUG(D_host_lookup) |
1658 | debug_printf("looking up host name for %s\n", sender_host_address); | |
1659 | ||
1660 | /* For testing the case when a lookup does not complete, we have a special | |
1661 | reserved IP address. */ | |
1662 | ||
8768d548 | 1663 | if (f.running_in_test_harness && |
059ec3d9 PH |
1664 | Ustrcmp(sender_host_address, "99.99.99.99") == 0) |
1665 | { | |
1666 | HDEBUG(D_host_lookup) | |
1667 | debug_printf("Test harness: host name lookup returns DEFER\n"); | |
8e669ac1 | 1668 | host_lookup_deferred = TRUE; |
059ec3d9 PH |
1669 | return DEFER; |
1670 | } | |
1671 | ||
1672 | /* Do lookups directly in the DNS or via gethostbyaddr() (or equivalent), in | |
1673 | the order specified by the host_lookup_order option. */ | |
1674 | ||
152481a0 | 1675 | while ((ordername = string_nextinlist(&list, &sep, NULL, 0))) |
059ec3d9 PH |
1676 | { |
1677 | if (strcmpic(ordername, US"bydns") == 0) | |
1678 | { | |
152481a0 JH |
1679 | uschar * name = dns_build_reverse(sender_host_address); |
1680 | ||
9d9c3746 | 1681 | dns_init(FALSE, FALSE, FALSE); /* dnssec ctrl by dns_dnssec_ok glbl */ |
152481a0 | 1682 | rc = dns_lookup_timerwrap(dnsa, name, T_PTR, NULL); |
059ec3d9 PH |
1683 | |
1684 | /* The first record we come across is used for the name; others are | |
1685 | considered to be aliases. We have to scan twice, in order to find out the | |
1686 | number of aliases. However, if all the names are empty, we will behave as | |
1687 | if failure. (PTR records that yield empty names have been encountered in | |
1688 | the DNS.) */ | |
1689 | ||
1690 | if (rc == DNS_SUCCEED) | |
1691 | { | |
1692 | uschar **aptr = NULL; | |
1693 | int ssize = 264; | |
1694 | int count = 0; | |
1695 | int old_pool = store_pool; | |
1696 | ||
8743d3ac | 1697 | sender_host_dnssec = dns_is_secure(dnsa); |
1f4a55da PP |
1698 | DEBUG(D_dns) |
1699 | debug_printf("Reverse DNS security status: %s\n", | |
1700 | sender_host_dnssec ? "DNSSEC verified (AD)" : "unverified"); | |
1701 | ||
059ec3d9 PH |
1702 | store_pool = POOL_PERM; /* Save names in permanent storage */ |
1703 | ||
8743d3ac | 1704 | for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); |
1705dd20 | 1705 | rr; |
8743d3ac | 1706 | rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_PTR) |
d7978c0f | 1707 | count++; |
059ec3d9 PH |
1708 | |
1709 | /* Get store for the list of aliases. For compatibility with | |
1710 | gethostbyaddr, we make an empty list if there are none. */ | |
1711 | ||
f3ebb786 | 1712 | aptr = sender_host_aliases = store_get(count * sizeof(uschar *), FALSE); |
059ec3d9 PH |
1713 | |
1714 | /* Re-scan and extract the names */ | |
1715 | ||
8743d3ac | 1716 | for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); |
1705dd20 | 1717 | rr; |
8743d3ac | 1718 | rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_PTR) |
059ec3d9 | 1719 | { |
f3ebb786 | 1720 | uschar * s = store_get(ssize, TRUE); /* names are tainted */ |
059ec3d9 PH |
1721 | |
1722 | /* If an overlong response was received, the data will have been | |
1723 | truncated and dn_expand may fail. */ | |
1724 | ||
8743d3ac | 1725 | if (dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, |
5903c6ff | 1726 | US (rr->data), (DN_EXPAND_ARG4_TYPE)(s), ssize) < 0) |
059ec3d9 PH |
1727 | { |
1728 | log_write(0, LOG_MAIN, "host name alias list truncated for %s", | |
1729 | sender_host_address); | |
1730 | break; | |
1731 | } | |
1732 | ||
f3ebb786 JH |
1733 | store_release_above(s + Ustrlen(s) + 1); |
1734 | if (!s[0]) | |
059ec3d9 PH |
1735 | { |
1736 | HDEBUG(D_host_lookup) debug_printf("IP address lookup yielded an " | |
1737 | "empty name: treated as non-existent host name\n"); | |
1738 | continue; | |
1739 | } | |
1f155f8e JH |
1740 | if (!sender_host_name) sender_host_name = s; |
1741 | else *aptr++ = s; | |
f3ebb786 | 1742 | while (*s) { *s = tolower(*s); s++; } |
059ec3d9 PH |
1743 | } |
1744 | ||
1745 | *aptr = NULL; /* End of alias list */ | |
1746 | store_pool = old_pool; /* Reset store pool */ | |
1747 | ||
f3ebb786 | 1748 | /* If we've found a name, break out of the "order" loop */ |
059ec3d9 | 1749 | |
f3ebb786 | 1750 | if (sender_host_name) break; |
059ec3d9 PH |
1751 | } |
1752 | ||
1753 | /* If the DNS lookup deferred, we must also defer. */ | |
1754 | ||
1755 | if (rc == DNS_AGAIN) | |
1756 | { | |
1757 | HDEBUG(D_host_lookup) | |
1758 | debug_printf("IP address PTR lookup gave temporary error\n"); | |
8e669ac1 | 1759 | host_lookup_deferred = TRUE; |
059ec3d9 PH |
1760 | return DEFER; |
1761 | } | |
1762 | } | |
1763 | ||
1764 | /* Do a lookup using gethostbyaddr() - or equivalent */ | |
1765 | ||
1766 | else if (strcmpic(ordername, US"byaddr") == 0) | |
1767 | { | |
1768 | HDEBUG(D_host_lookup) | |
1769 | debug_printf("IP address lookup using gethostbyaddr()\n"); | |
059ec3d9 | 1770 | rc = host_name_lookup_byaddr(); |
8e669ac1 | 1771 | if (rc == DEFER) |
b08b24c8 | 1772 | { |
8e669ac1 | 1773 | host_lookup_deferred = TRUE; |
b08b24c8 | 1774 | return rc; /* Can't carry on */ |
8e669ac1 | 1775 | } |
059ec3d9 PH |
1776 | if (rc == OK) break; /* Found a name */ |
1777 | } | |
1778 | } /* Loop for bydns/byaddr scanning */ | |
1779 | ||
1780 | /* If we have failed to find a name, return FAIL and log when required. | |
1781 | NB host_lookup_msg must be in permanent store. */ | |
1782 | ||
94759fce | 1783 | if (!sender_host_name) |
059ec3d9 | 1784 | { |
8768d548 | 1785 | if (host_checking || !f.log_testing_mode) |
059ec3d9 PH |
1786 | log_write(L_host_lookup_failed, LOG_MAIN, "no host name found for IP " |
1787 | "address %s", sender_host_address); | |
1788 | host_lookup_msg = US" (failed to find host name from IP address)"; | |
b08b24c8 | 1789 | host_lookup_failed = TRUE; |
059ec3d9 PH |
1790 | return FAIL; |
1791 | } | |
1792 | ||
059ec3d9 PH |
1793 | HDEBUG(D_host_lookup) |
1794 | { | |
1795 | uschar **aliases = sender_host_aliases; | |
de11307f JH |
1796 | debug_printf("IP address lookup yielded \"%s\"\n", sender_host_name); |
1797 | while (*aliases != NULL) debug_printf(" alias \"%s\"\n", *aliases++); | |
059ec3d9 PH |
1798 | } |
1799 | ||
1800 | /* We need to verify that a forward lookup on the name we found does indeed | |
1801 | correspond to the address. This is for security: in principle a malefactor who | |
1802 | happened to own a reverse zone could set it to point to any names at all. | |
1803 | ||
1804 | This code was present in versions of Exim before 3.20. At that point I took it | |
1805 | out because I thought that gethostbyaddr() did the check anyway. It turns out | |
1806 | that this isn't always the case, so it's coming back in at 4.01. This version | |
1807 | is actually better, because it also checks aliases. | |
1808 | ||
1809 | The code was made more robust at release 4.21. Prior to that, it accepted all | |
1810 | the names if any of them had the correct IP address. Now the code checks all | |
1811 | the names, and accepts only those that have the correct IP address. */ | |
1812 | ||
1813 | save_hostname = sender_host_name; /* Save for error messages */ | |
1814 | aliases = sender_host_aliases; | |
d7978c0f | 1815 | for (uschar * hname = sender_host_name; hname; hname = *aliases++) |
059ec3d9 PH |
1816 | { |
1817 | int rc; | |
1818 | BOOL ok = FALSE; | |
94759fce JH |
1819 | host_item h = { .next = NULL, .name = hname, .mx = MX_NONE, .address = NULL }; |
1820 | dnssec_domains d = | |
1821 | { .request = sender_host_dnssec ? US"*" : NULL, .require = NULL }; | |
059ec3d9 | 1822 | |
66387a73 | 1823 | if ( (rc = host_find_bydns(&h, NULL, HOST_FIND_BY_A | HOST_FIND_BY_AAAA, |
1f155f8e JH |
1824 | NULL, NULL, NULL, &d, NULL, NULL)) == HOST_FOUND |
1825 | || rc == HOST_FOUND_LOCAL | |
1826 | ) | |
059ec3d9 | 1827 | { |
059ec3d9 | 1828 | HDEBUG(D_host_lookup) debug_printf("checking addresses for %s\n", hname); |
1f155f8e JH |
1829 | |
1830 | /* If the forward lookup was not secure we cancel the is-secure variable */ | |
1831 | ||
1832 | DEBUG(D_dns) debug_printf("Forward DNS security status: %s\n", | |
1833 | h.dnssec == DS_YES ? "DNSSEC verified (AD)" : "unverified"); | |
1834 | if (h.dnssec != DS_YES) sender_host_dnssec = FALSE; | |
1835 | ||
d7978c0f | 1836 | for (host_item * hh = &h; hh; hh = hh->next) |
d27f1df3 | 1837 | if (host_is_in_net(hh->address, sender_host_address, 0)) |
059ec3d9 PH |
1838 | { |
1839 | HDEBUG(D_host_lookup) debug_printf(" %s OK\n", hh->address); | |
1840 | ok = TRUE; | |
1841 | break; | |
1842 | } | |
1843 | else | |
059ec3d9 | 1844 | HDEBUG(D_host_lookup) debug_printf(" %s\n", hh->address); |
1f155f8e | 1845 | |
059ec3d9 PH |
1846 | if (!ok) HDEBUG(D_host_lookup) |
1847 | debug_printf("no IP address for %s matched %s\n", hname, | |
1848 | sender_host_address); | |
1849 | } | |
1850 | else if (rc == HOST_FIND_AGAIN) | |
1851 | { | |
1852 | HDEBUG(D_host_lookup) debug_printf("temporary error for host name lookup\n"); | |
8e669ac1 | 1853 | host_lookup_deferred = TRUE; |
55728a4f | 1854 | sender_host_name = NULL; |
059ec3d9 PH |
1855 | return DEFER; |
1856 | } | |
1857 | else | |
059ec3d9 | 1858 | HDEBUG(D_host_lookup) debug_printf("no IP addresses found for %s\n", hname); |
059ec3d9 PH |
1859 | |
1860 | /* If this name is no good, and it's the sender name, set it null pro tem; | |
1861 | if it's an alias, just remove it from the list. */ | |
1862 | ||
1863 | if (!ok) | |
1864 | { | |
1865 | if (hname == sender_host_name) sender_host_name = NULL; else | |
1866 | { | |
1867 | uschar **a; /* Don't amalgamate - some */ | |
1868 | a = --aliases; /* compilers grumble */ | |
1869 | while (*a != NULL) { *a = a[1]; a++; } | |
1870 | } | |
1871 | } | |
1872 | } | |
1873 | ||
1874 | /* If sender_host_name == NULL, it means we didn't like the name. Replace | |
1875 | it with the first alias, if there is one. */ | |
1876 | ||
1877 | if (sender_host_name == NULL && *sender_host_aliases != NULL) | |
1878 | sender_host_name = *sender_host_aliases++; | |
1879 | ||
1880 | /* If we now have a main name, all is well. */ | |
1881 | ||
1882 | if (sender_host_name != NULL) return OK; | |
1883 | ||
1884 | /* We have failed to find an address that matches. */ | |
1885 | ||
1886 | HDEBUG(D_host_lookup) | |
1887 | debug_printf("%s does not match any IP address for %s\n", | |
1888 | sender_host_address, save_hostname); | |
1889 | ||
1890 | /* This message must be in permanent store */ | |
1891 | ||
1892 | old_pool = store_pool; | |
1893 | store_pool = POOL_PERM; | |
1894 | host_lookup_msg = string_sprintf(" (%s does not match any IP address for %s)", | |
1895 | sender_host_address, save_hostname); | |
1896 | store_pool = old_pool; | |
059ec3d9 PH |
1897 | host_lookup_failed = TRUE; |
1898 | return FAIL; | |
1899 | } | |
1900 | ||
1901 | ||
1902 | ||
1903 | ||
1904 | /************************************************* | |
1905 | * Find IP address(es) for host by name * | |
1906 | *************************************************/ | |
1907 | ||
1908 | /* The input is a host_item structure with the name filled in and the address | |
322050c2 PH |
1909 | field set to NULL. We use gethostbyname() or getipnodebyname() or |
1910 | gethostbyname2(), as appropriate. Of course, these functions may use the DNS, | |
1911 | but they do not do MX processing. It appears, however, that in some systems the | |
1912 | current setting of resolver options is used when one of these functions calls | |
1913 | the resolver. For this reason, we call dns_init() at the start, with arguments | |
1914 | influenced by bits in "flags", just as we do for host_find_bydns(). | |
059ec3d9 PH |
1915 | |
1916 | The second argument provides a host list (usually an IP list) of hosts to | |
1917 | ignore. This makes it possible to ignore IPv6 link-local addresses or loopback | |
1918 | addresses in unreasonable places. | |
1919 | ||
1920 | The lookup may result in a change of name. For compatibility with the dns | |
1921 | lookup, return this via fully_qualified_name as well as updating the host item. | |
1922 | The lookup may also yield more than one IP address, in which case chain on | |
1923 | subsequent host_item structures. | |
1924 | ||
1925 | Arguments: | |
1926 | host a host item with the name and MX filled in; | |
1927 | the address is to be filled in; | |
1928 | multiple IP addresses cause other host items to be | |
1929 | chained on. | |
1930 | ignore_target_hosts a list of hosts to ignore | |
322050c2 PH |
1931 | flags HOST_FIND_QUALIFY_SINGLE ) passed to |
1932 | HOST_FIND_SEARCH_PARENTS ) dns_init() | |
059ec3d9 PH |
1933 | fully_qualified_name if not NULL, set to point to host name for |
1934 | compatibility with host_find_bydns | |
1935 | local_host_check TRUE if a check for the local host is wanted | |
1936 | ||
1937 | Returns: HOST_FIND_FAILED Failed to find the host or domain | |
1938 | HOST_FIND_AGAIN Try again later | |
1939 | HOST_FOUND Host found - data filled in | |
1940 | HOST_FOUND_LOCAL Host found and is the local host | |
1941 | */ | |
1942 | ||
1943 | int | |
55414b25 JH |
1944 | host_find_byname(host_item *host, const uschar *ignore_target_hosts, int flags, |
1945 | const uschar **fully_qualified_name, BOOL local_host_check) | |
059ec3d9 | 1946 | { |
d7978c0f | 1947 | int yield, times; |
059ec3d9 PH |
1948 | host_item *last = NULL; |
1949 | BOOL temp_error = FALSE; | |
b08b24c8 PH |
1950 | #if HAVE_IPV6 |
1951 | int af; | |
1952 | #endif | |
1953 | ||
322050c2 PH |
1954 | /* Make sure DNS options are set as required. This appears to be necessary in |
1955 | some circumstances when the get..byname() function actually calls the DNS. */ | |
1956 | ||
1957 | dns_init((flags & HOST_FIND_QUALIFY_SINGLE) != 0, | |
8c51eead | 1958 | (flags & HOST_FIND_SEARCH_PARENTS) != 0, |
7cd171b7 | 1959 | FALSE); /* Cannot retrieve dnssec status so do not request */ |
322050c2 | 1960 | |
7e66e54d PH |
1961 | /* In an IPv6 world, unless IPv6 has been disabled, we need to scan for both |
1962 | kinds of address, so go round the loop twice. Note that we have ensured that | |
1963 | AF_INET6 is defined even in an IPv4 world, which makes for slightly tidier | |
1964 | code. However, if dns_ipv4_lookup matches the domain, we also just do IPv4 | |
1965 | lookups here (except when testing standalone). */ | |
059ec3d9 PH |
1966 | |
1967 | #if HAVE_IPV6 | |
322050c2 PH |
1968 | #ifdef STAND_ALONE |
1969 | if (disable_ipv6) | |
1970 | #else | |
1971 | if (disable_ipv6 || | |
1972 | (dns_ipv4_lookup != NULL && | |
55414b25 JH |
1973 | match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0, NULL, NULL, |
1974 | MCL_DOMAIN, TRUE, NULL) == OK)) | |
322050c2 PH |
1975 | #endif |
1976 | ||
059ec3d9 PH |
1977 | { af = AF_INET; times = 1; } |
1978 | else | |
059ec3d9 PH |
1979 | { af = AF_INET6; times = 2; } |
1980 | ||
1981 | /* No IPv6 support */ | |
1982 | ||
1983 | #else /* HAVE_IPV6 */ | |
1984 | times = 1; | |
1985 | #endif /* HAVE_IPV6 */ | |
1986 | ||
1987 | /* Initialize the flag that gets set for DNS syntax check errors, so that the | |
1988 | interface to this function can be similar to host_find_bydns. */ | |
1989 | ||
8768d548 | 1990 | f.host_find_failed_syntax = FALSE; |
059ec3d9 PH |
1991 | |
1992 | /* Loop to look up both kinds of address in an IPv6 world */ | |
1993 | ||
d7978c0f | 1994 | for (int i = 1; i <= times; |
059ec3d9 PH |
1995 | #if HAVE_IPV6 |
1996 | af = AF_INET, /* If 2 passes, IPv4 on the second */ | |
1997 | #endif | |
1998 | i++) | |
1999 | { | |
2000 | BOOL ipv4_addr; | |
91ecef39 | 2001 | int error_num = 0; |
059ec3d9 | 2002 | struct hostent *hostdata; |
0539a19d | 2003 | unsigned long time_msec = 0; /* compiler quietening */ |
059ec3d9 | 2004 | |
322050c2 PH |
2005 | #ifdef STAND_ALONE |
2006 | printf("Looking up: %s\n", host->name); | |
2007 | #endif | |
2008 | ||
846430d9 JH |
2009 | if (slow_lookup_log) time_msec = get_time_in_ms(); |
2010 | ||
059ec3d9 | 2011 | #if HAVE_IPV6 |
8768d548 | 2012 | if (f.running_in_test_harness) |
e7726cbf PH |
2013 | hostdata = host_fake_gethostbyname(host->name, af, &error_num); |
2014 | else | |
2015 | { | |
059ec3d9 PH |
2016 | #if HAVE_GETIPNODEBYNAME |
2017 | hostdata = getipnodebyname(CS host->name, af, 0, &error_num); | |
2018 | #else | |
2019 | hostdata = gethostbyname2(CS host->name, af); | |
2020 | error_num = h_errno; | |
2021 | #endif | |
e7726cbf PH |
2022 | } |
2023 | ||
2024 | #else /* not HAVE_IPV6 */ | |
8768d548 | 2025 | if (f.running_in_test_harness) |
e7726cbf PH |
2026 | hostdata = host_fake_gethostbyname(host->name, AF_INET, &error_num); |
2027 | else | |
2028 | { | |
2029 | hostdata = gethostbyname(CS host->name); | |
2030 | error_num = h_errno; | |
2031 | } | |
2032 | #endif /* HAVE_IPV6 */ | |
059ec3d9 | 2033 | |
0539a19d | 2034 | if ( slow_lookup_log |
abe1353e | 2035 | && (time_msec = get_time_in_ms() - time_msec) > slow_lookup_log) |
30795c5e | 2036 | log_long_lookup(US"gethostbyname", host->name, time_msec); |
846430d9 | 2037 | |
059ec3d9 PH |
2038 | if (hostdata == NULL) |
2039 | { | |
2040 | uschar *error; | |
2041 | switch (error_num) | |
2042 | { | |
2043 | case HOST_NOT_FOUND: error = US"HOST_NOT_FOUND"; break; | |
4a452c43 JH |
2044 | case TRY_AGAIN: error = US"TRY_AGAIN"; break; |
2045 | case NO_RECOVERY: error = US"NO_RECOVERY"; break; | |
2046 | case NO_DATA: error = US"NO_DATA"; break; | |
059ec3d9 | 2047 | #if NO_DATA != NO_ADDRESS |
4a452c43 | 2048 | case NO_ADDRESS: error = US"NO_ADDRESS"; break; |
059ec3d9 PH |
2049 | #endif |
2050 | default: error = US"?"; break; | |
2051 | } | |
2052 | ||
2053 | DEBUG(D_host_lookup) debug_printf("%s returned %d (%s)\n", | |
2054 | #if HAVE_IPV6 | |
2055 | #if HAVE_GETIPNODEBYNAME | |
2056 | (af == AF_INET6)? "getipnodebyname(af=inet6)" : "getipnodebyname(af=inet)", | |
2057 | #else | |
2058 | (af == AF_INET6)? "gethostbyname2(af=inet6)" : "gethostbyname2(af=inet)", | |
2059 | #endif | |
2060 | #else | |
2061 | "gethostbyname", | |
2062 | #endif | |
2063 | error_num, error); | |
2064 | ||
2065 | if (error_num == TRY_AGAIN || error_num == NO_RECOVERY) temp_error = TRUE; | |
2066 | continue; | |
2067 | } | |
2068 | if ((hostdata->h_addr_list)[0] == NULL) continue; | |
2069 | ||
2070 | /* Replace the name with the fully qualified one if necessary, and fill in | |
2071 | the fully_qualified_name pointer. */ | |
2072 | ||
2073 | if (hostdata->h_name[0] != 0 && | |
2074 | Ustrcmp(host->name, hostdata->h_name) != 0) | |
5903c6ff | 2075 | host->name = string_copy_dnsdomain(US hostdata->h_name); |
059ec3d9 PH |
2076 | if (fully_qualified_name != NULL) *fully_qualified_name = host->name; |
2077 | ||
2078 | /* Get the list of addresses. IPv4 and IPv6 addresses can be distinguished | |
2079 | by their different lengths. Scan the list, ignoring any that are to be | |
2080 | ignored, and build a chain from the rest. */ | |
2081 | ||
2082 | ipv4_addr = hostdata->h_length == sizeof(struct in_addr); | |
2083 | ||
d7978c0f | 2084 | for (uschar ** addrlist = USS hostdata->h_addr_list; *addrlist; addrlist++) |
059ec3d9 PH |
2085 | { |
2086 | uschar *text_address = | |
2087 | host_ntoa(ipv4_addr? AF_INET:AF_INET6, *addrlist, NULL, NULL); | |
2088 | ||
2089 | #ifndef STAND_ALONE | |
2090 | if (ignore_target_hosts != NULL && | |
2091 | verify_check_this_host(&ignore_target_hosts, NULL, host->name, | |
2092 | text_address, NULL) == OK) | |
2093 | { | |
2094 | DEBUG(D_host_lookup) | |
2095 | debug_printf("ignored host %s [%s]\n", host->name, text_address); | |
2096 | continue; | |
2097 | } | |
2098 | #endif | |
2099 | ||
2100 | /* If this is the first address, last == NULL and we put the data in the | |
2101 | original block. */ | |
2102 | ||
2103 | if (last == NULL) | |
2104 | { | |
2105 | host->address = text_address; | |
2106 | host->port = PORT_NONE; | |
2107 | host->status = hstatus_unknown; | |
2108 | host->why = hwhy_unknown; | |
783b385f | 2109 | host->dnssec = DS_UNK; |
059ec3d9 PH |
2110 | last = host; |
2111 | } | |
2112 | ||
2113 | /* Else add further host item blocks for any other addresses, keeping | |
2114 | the order. */ | |
2115 | ||
2116 | else | |
2117 | { | |
f3ebb786 | 2118 | host_item *next = store_get(sizeof(host_item), FALSE); |
059ec3d9 PH |
2119 | next->name = host->name; |
2120 | next->mx = host->mx; | |
2121 | next->address = text_address; | |
2122 | next->port = PORT_NONE; | |
2123 | next->status = hstatus_unknown; | |
2124 | next->why = hwhy_unknown; | |
783b385f | 2125 | next->dnssec = DS_UNK; |
059ec3d9 PH |
2126 | next->last_try = 0; |
2127 | next->next = last->next; | |
2128 | last->next = next; | |
2129 | last = next; | |
2130 | } | |
2131 | } | |
2132 | } | |
2133 | ||
2134 | /* If no hosts were found, the address field in the original host block will be | |
2135 | NULL. If temp_error is set, at least one of the lookups gave a temporary error, | |
2136 | so we pass that back. */ | |
2137 | ||
2138 | if (host->address == NULL) | |
2139 | { | |
2140 | uschar *msg = | |
2141 | #ifndef STAND_ALONE | |
2142 | (message_id[0] == 0 && smtp_in != NULL)? | |
2143 | string_sprintf("no IP address found for host %s (during %s)", host->name, | |
2144 | smtp_get_connection_info()) : | |
2145 | #endif | |
2146 | string_sprintf("no IP address found for host %s", host->name); | |
2147 | ||
2148 | HDEBUG(D_host_lookup) debug_printf("%s\n", msg); | |
9b8fadde | 2149 | if (temp_error) goto RETURN_AGAIN; |
8768d548 | 2150 | if (host_checking || !f.log_testing_mode) |
059ec3d9 PH |
2151 | log_write(L_host_lookup_failed, LOG_MAIN, "%s", msg); |
2152 | return HOST_FIND_FAILED; | |
2153 | } | |
2154 | ||
2155 | /* Remove any duplicate IP addresses, then check to see if this is the local | |
2156 | host if required. */ | |
2157 | ||
2158 | host_remove_duplicates(host, &last); | |
2159 | yield = local_host_check? | |
2160 | host_scan_for_local_hosts(host, &last, NULL) : HOST_FOUND; | |
2161 | ||
059ec3d9 PH |
2162 | HDEBUG(D_host_lookup) |
2163 | { | |
d7978c0f | 2164 | if (fully_qualified_name) |
059ec3d9 PH |
2165 | debug_printf("fully qualified name = %s\n", *fully_qualified_name); |
2166 | debug_printf("%s looked up these IP addresses:\n", | |
2167 | #if HAVE_IPV6 | |
2168 | #if HAVE_GETIPNODEBYNAME | |
2169 | "getipnodebyname" | |
2170 | #else | |
2171 | "gethostbyname2" | |
2172 | #endif | |
2173 | #else | |
2174 | "gethostbyname" | |
2175 | #endif | |
2176 | ); | |
d7978c0f | 2177 | for (const host_item * h = host; h != last->next; h = h->next) |
059ec3d9 | 2178 | debug_printf(" name=%s address=%s\n", h->name, |
d7978c0f | 2179 | h->address ? h->address : US"<null>"); |
059ec3d9 PH |
2180 | } |
2181 | ||
2182 | /* Return the found status. */ | |
2183 | ||
2184 | return yield; | |
9b8fadde PH |
2185 | |
2186 | /* Handle the case when there is a temporary error. If the name matches | |
2187 | dns_again_means_nonexist, return permanent rather than temporary failure. */ | |
2188 | ||
2189 | RETURN_AGAIN: | |
2190 | { | |
2191 | #ifndef STAND_ALONE | |
2192 | int rc; | |
55414b25 | 2193 | const uschar *save = deliver_domain; |
9b8fadde | 2194 | deliver_domain = host->name; /* set $domain */ |
55414b25 | 2195 | rc = match_isinlist(host->name, CUSS &dns_again_means_nonexist, 0, NULL, NULL, |
9b8fadde PH |
2196 | MCL_DOMAIN, TRUE, NULL); |
2197 | deliver_domain = save; | |
2198 | if (rc == OK) | |
2199 | { | |
2200 | DEBUG(D_host_lookup) debug_printf("%s is in dns_again_means_nonexist: " | |
2201 | "returning HOST_FIND_FAILED\n", host->name); | |
2202 | return HOST_FIND_FAILED; | |
2203 | } | |
2204 | #endif | |
2205 | return HOST_FIND_AGAIN; | |
2206 | } | |
059ec3d9 PH |
2207 | } |
2208 | ||
2209 | ||
2210 | ||
2211 | /************************************************* | |
2212 | * Fill in a host address from the DNS * | |
2213 | *************************************************/ | |
2214 | ||
1349e1e5 PH |
2215 | /* Given a host item, with its name, port and mx fields set, and its address |
2216 | field set to NULL, fill in its IP address from the DNS. If it is multi-homed, | |
2217 | create additional host items for the additional addresses, copying all the | |
2218 | other fields, and randomizing the order. | |
059ec3d9 | 2219 | |
66387a73 | 2220 | On IPv6 systems, AAAA records are sought first, then A records. |
059ec3d9 PH |
2221 | |
2222 | The host name may be changed if the DNS returns a different name - e.g. fully | |
2223 | qualified or changed via CNAME. If fully_qualified_name is not NULL, dns_lookup | |
2224 | ensures that it points to the fully qualified name. However, this is the fully | |
2225 | qualified version of the original name; if a CNAME is involved, the actual | |
2226 | canonical host name may be different again, and so we get it directly from the | |
2227 | relevant RR. Note that we do NOT change the mx field of the host item in this | |
2228 | function as it may be called to set the addresses of hosts taken from MX | |
2229 | records. | |
2230 | ||
2231 | Arguments: | |
2232 | host points to the host item we're filling in | |
2233 | lastptr points to pointer to last host item in a chain of | |
2234 | host items (may be updated if host is last and gets | |
2235 | extended because multihomed) | |
2236 | ignore_target_hosts list of hosts to ignore | |
2237 | allow_ip if TRUE, recognize an IP address and return it | |
2238 | fully_qualified_name if not NULL, return fully qualified name here if | |
2239 | the contents are different (i.e. it must be preset | |
2240 | to something) | |
221dff13 HSHR |
2241 | dnssec_request if TRUE request the AD bit |
2242 | dnssec_require if TRUE require the AD bit | |
66387a73 | 2243 | whichrrs select ipv4, ipv6 results |
059ec3d9 PH |
2244 | |
2245 | Returns: HOST_FIND_FAILED couldn't find A record | |
2246 | HOST_FIND_AGAIN try again later | |
2546388c | 2247 | HOST_FIND_SECURITY dnssec required but not acheived |
059ec3d9 PH |
2248 | HOST_FOUND found AAAA and/or A record(s) |
2249 | HOST_IGNORED found, but all IPs ignored | |
2250 | */ | |
2251 | ||
2252 | static int | |
2253 | set_address_from_dns(host_item *host, host_item **lastptr, | |
55414b25 JH |
2254 | const uschar *ignore_target_hosts, BOOL allow_ip, |
2255 | const uschar **fully_qualified_name, | |
66387a73 | 2256 | BOOL dnssec_request, BOOL dnssec_require, int whichrrs) |
059ec3d9 | 2257 | { |
059ec3d9 PH |
2258 | host_item *thishostlast = NULL; /* Indicates not yet filled in anything */ |
2259 | BOOL v6_find_again = FALSE; | |
2546388c | 2260 | BOOL dnssec_fail = FALSE; |
059ec3d9 PH |
2261 | int i; |
2262 | ||
2263 | /* If allow_ip is set, a name which is an IP address returns that value | |
2264 | as its address. This is used for MX records when allow_mx_to_ip is set, for | |
2265 | those sites that feel they have to flaunt the RFC rules. */ | |
2266 | ||
2267 | if (allow_ip && string_is_ip_address(host->name, NULL) != 0) | |
2268 | { | |
2269 | #ifndef STAND_ALONE | |
66387a73 JH |
2270 | if ( ignore_target_hosts |
2271 | && verify_check_this_host(&ignore_target_hosts, NULL, host->name, | |
059ec3d9 PH |
2272 | host->name, NULL) == OK) |
2273 | return HOST_IGNORED; | |
2274 | #endif | |
2275 | ||
2276 | host->address = host->name; | |
059ec3d9 PH |
2277 | return HOST_FOUND; |
2278 | } | |
2279 | ||
0539a19d | 2280 | /* On an IPv6 system, unless IPv6 is disabled, go round the loop up to twice, |
66387a73 JH |
2281 | looking for AAAA records the first time. However, unless doing standalone |
2282 | testing, we force an IPv4 lookup if the domain matches dns_ipv4_lookup global. | |
2283 | On an IPv4 system, go round the loop once only, looking only for A records. */ | |
059ec3d9 PH |
2284 | |
2285 | #if HAVE_IPV6 | |
059ec3d9 | 2286 | #ifndef STAND_ALONE |
66387a73 JH |
2287 | if ( disable_ipv6 |
2288 | || !(whichrrs & HOST_FIND_BY_AAAA) | |
2289 | || (dns_ipv4_lookup | |
2290 | && match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0, NULL, NULL, | |
2291 | MCL_DOMAIN, TRUE, NULL) == OK) | |
2292 | ) | |
059ec3d9 PH |
2293 | i = 0; /* look up A records only */ |
2294 | else | |
2295 | #endif /* STAND_ALONE */ | |
2296 | ||
059ec3d9 | 2297 | i = 1; /* look up AAAA and A records */ |
059ec3d9 PH |
2298 | |
2299 | /* The IPv4 world */ | |
2300 | ||
2301 | #else /* HAVE_IPV6 */ | |
2302 | i = 0; /* look up A records only */ | |
2303 | #endif /* HAVE_IPV6 */ | |
2304 | ||
2305 | for (; i >= 0; i--) | |
2306 | { | |
0539a19d | 2307 | static int types[] = { T_A, T_AAAA }; |
059ec3d9 | 2308 | int type = types[i]; |
66387a73 JH |
2309 | int randoffset = i == (whichrrs & HOST_FIND_IPV4_FIRST ? 1 : 0) |
2310 | ? 500 : 0; /* Ensures v6/4 sort order */ | |
8743d3ac | 2311 | dns_answer * dnsa = store_get_dns_answer(); |
059ec3d9 PH |
2312 | dns_scan dnss; |
2313 | ||
8743d3ac | 2314 | int rc = dns_lookup_timerwrap(dnsa, host->name, type, fully_qualified_name); |
cf2b569e | 2315 | lookup_dnssec_authenticated = !dnssec_request ? NULL |
8743d3ac | 2316 | : dns_is_secure(dnsa) ? US"yes" : US"no"; |
059ec3d9 | 2317 | |
221dff13 | 2318 | DEBUG(D_dns) |
0539a19d | 2319 | if ( (dnssec_request || dnssec_require) |
8743d3ac JH |
2320 | && !dns_is_secure(dnsa) |
2321 | && dns_is_aa(dnsa) | |
0539a19d JH |
2322 | ) |
2323 | debug_printf("DNS lookup of %.256s (A/AAAA) requested AD, but got AA\n", host->name); | |
221dff13 | 2324 | |
0539a19d | 2325 | /* We want to return HOST_FIND_AGAIN if one of the A or AAAA lookups |
059ec3d9 PH |
2326 | fails or times out, but not if another one succeeds. (In the early |
2327 | IPv6 days there are name servers that always fail on AAAA, but are happy | |
2328 | to give out an A record. We want to proceed with that A record.) */ | |
8e669ac1 | 2329 | |
059ec3d9 PH |
2330 | if (rc != DNS_SUCCEED) |
2331 | { | |
2332 | if (i == 0) /* Just tried for an A record, i.e. end of loop */ | |
2333 | { | |
0539a19d | 2334 | if (host->address != NULL) return HOST_FOUND; /* AAAA was found */ |
059ec3d9 PH |
2335 | if (rc == DNS_AGAIN || rc == DNS_FAIL || v6_find_again) |
2336 | return HOST_FIND_AGAIN; | |
2337 | return HOST_FIND_FAILED; /* DNS_NOMATCH or DNS_NODATA */ | |
2338 | } | |
2339 | ||
0539a19d | 2340 | /* Tried for an AAAA record: remember if this was a temporary |
059ec3d9 PH |
2341 | error, and look for the next record type. */ |
2342 | ||
2343 | if (rc != DNS_NOMATCH && rc != DNS_NODATA) v6_find_again = TRUE; | |
2344 | continue; | |
2345 | } | |
cf2b569e JH |
2346 | |
2347 | if (dnssec_request) | |
8c51eead | 2348 | { |
8743d3ac | 2349 | if (dns_is_secure(dnsa)) |
cf2b569e JH |
2350 | { |
2351 | DEBUG(D_host_lookup) debug_printf("%s A DNSSEC\n", host->name); | |
2352 | if (host->dnssec == DS_UNK) /* set in host_find_bydns() */ | |
2353 | host->dnssec = DS_YES; | |
2354 | } | |
2355 | else | |
2356 | { | |
2357 | if (dnssec_require) | |
2358 | { | |
2546388c JH |
2359 | dnssec_fail = TRUE; |
2360 | DEBUG(D_host_lookup) debug_printf("dnssec fail on %s for %.256s", | |
0539a19d | 2361 | i>0 ? "AAAA" : "A", host->name); |
cf2b569e JH |
2362 | continue; |
2363 | } | |
2364 | if (host->dnssec == DS_YES) /* set in host_find_bydns() */ | |
2365 | { | |
2366 | DEBUG(D_host_lookup) debug_printf("%s A cancel DNSSEC\n", host->name); | |
2367 | host->dnssec = DS_NO; | |
2368 | lookup_dnssec_authenticated = US"no"; | |
2369 | } | |
2370 | } | |
8c51eead | 2371 | } |
059ec3d9 PH |
2372 | |
2373 | /* Lookup succeeded: fill in the given host item with the first non-ignored | |
2374 | address found; create additional items for any others. A single A6 record | |
8241d8dd JH |
2375 | may generate more than one address. The lookup had a chance to update the |
2376 | fqdn; we do not want any later times round the loop to do so. */ | |
2377 | ||
2378 | fully_qualified_name = NULL; | |
059ec3d9 | 2379 | |
8743d3ac | 2380 | for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); |
e1a3f32f | 2381 | rr; |
8743d3ac | 2382 | rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == type) |
059ec3d9 | 2383 | { |
8743d3ac | 2384 | dns_address * da = dns_address_from_rr(dnsa, rr); |
059ec3d9 | 2385 | |
d7978c0f JH |
2386 | DEBUG(D_host_lookup) |
2387 | if (!da) debug_printf("no addresses extracted from A6 RR for %s\n", | |
2388 | host->name); | |
059ec3d9 | 2389 | |
d7978c0f JH |
2390 | /* This loop runs only once for A and AAAA records, but may run |
2391 | several times for an A6 record that generated multiple addresses. */ | |
059ec3d9 | 2392 | |
d7978c0f JH |
2393 | for (; da; da = da->next) |
2394 | { | |
2395 | #ifndef STAND_ALONE | |
2396 | if (ignore_target_hosts != NULL && | |
2397 | verify_check_this_host(&ignore_target_hosts, NULL, | |
2398 | host->name, da->address, NULL) == OK) | |
2399 | { | |
2400 | DEBUG(D_host_lookup) | |
2401 | debug_printf("ignored host %s [%s]\n", host->name, da->address); | |
2402 | continue; | |
2403 | } | |
2404 | #endif | |
059ec3d9 | 2405 | |
d7978c0f JH |
2406 | /* If this is the first address, stick it in the given host block, |
2407 | and change the name if the returned RR has a different name. */ | |
059ec3d9 | 2408 | |
d7978c0f JH |
2409 | if (thishostlast == NULL) |
2410 | { | |
2411 | if (strcmpic(host->name, rr->name) != 0) | |
2412 | host->name = string_copy_dnsdomain(rr->name); | |
2413 | host->address = da->address; | |
2414 | host->sort_key = host->mx * 1000 + random_number(500) + randoffset; | |
2415 | host->status = hstatus_unknown; | |
2416 | host->why = hwhy_unknown; | |
2417 | thishostlast = host; | |
2418 | } | |
059ec3d9 | 2419 | |
d7978c0f JH |
2420 | /* Not the first address. Check for, and ignore, duplicates. Then |
2421 | insert in the chain at a random point. */ | |
059ec3d9 | 2422 | |
d7978c0f JH |
2423 | else |
2424 | { | |
2425 | int new_sort_key; | |
2426 | host_item *next; | |
2427 | ||
2428 | /* End of our local chain is specified by "thishostlast". */ | |
2429 | ||
2430 | for (next = host;; next = next->next) | |
2431 | { | |
2432 | if (Ustrcmp(CS da->address, next->address) == 0) break; | |
2433 | if (next == thishostlast) { next = NULL; break; } | |
2434 | } | |
2435 | if (next != NULL) continue; /* With loop for next address */ | |
2436 | ||
2437 | /* Not a duplicate */ | |
2438 | ||
2439 | new_sort_key = host->mx * 1000 + random_number(500) + randoffset; | |
f3ebb786 | 2440 | next = store_get(sizeof(host_item), FALSE); |
d7978c0f JH |
2441 | |
2442 | /* New address goes first: insert the new block after the first one | |
2443 | (so as not to disturb the original pointer) but put the new address | |
2444 | in the original block. */ | |
2445 | ||
2446 | if (new_sort_key < host->sort_key) | |
2447 | { | |
2448 | *next = *host; /* Copies port */ | |
2449 | host->next = next; | |
2450 | host->address = da->address; | |
2451 | host->sort_key = new_sort_key; | |
2452 | if (thishostlast == host) thishostlast = next; /* Local last */ | |
2453 | if (*lastptr == host) *lastptr = next; /* Global last */ | |
2454 | } | |
2455 | ||
2456 | /* Otherwise scan down the addresses for this host to find the | |
2457 | one to insert after. */ | |
2458 | ||
2459 | else | |
2460 | { | |
2461 | host_item *h = host; | |
2462 | while (h != thishostlast) | |
2463 | { | |
2464 | if (new_sort_key < h->next->sort_key) break; | |
2465 | h = h->next; | |
2466 | } | |
2467 | *next = *h; /* Copies port */ | |
2468 | h->next = next; | |
2469 | next->address = da->address; | |
2470 | next->sort_key = new_sort_key; | |
2471 | if (h == thishostlast) thishostlast = next; /* Local last */ | |
2472 | if (h == *lastptr) *lastptr = next; /* Global last */ | |
2473 | } | |
2474 | } | |
059ec3d9 PH |
2475 | } |
2476 | } | |
2477 | } | |
2478 | ||
2546388c | 2479 | /* Control gets here only if the second lookup (the A record) succeeded. |
059ec3d9 PH |
2480 | However, the address may not be filled in if it was ignored. */ |
2481 | ||
2546388c JH |
2482 | return host->address |
2483 | ? HOST_FOUND | |
2484 | : dnssec_fail | |
2485 | ? HOST_FIND_SECURITY | |
2486 | : HOST_IGNORED; | |
059ec3d9 PH |
2487 | } |
2488 | ||
2489 | ||
2490 | ||
2491 | ||
2492 | /************************************************* | |
1349e1e5 | 2493 | * Find IP addresses and host names via DNS * |
059ec3d9 PH |
2494 | *************************************************/ |
2495 | ||
1349e1e5 PH |
2496 | /* The input is a host_item structure with the name field filled in and the |
2497 | address field set to NULL. This may be in a chain of other host items. The | |
2498 | lookup may result in more than one IP address, in which case we must created | |
2499 | new host blocks for the additional addresses, and insert them into the chain. | |
2500 | The original name may not be fully qualified. Use the fully_qualified_name | |
2501 | argument to return the official name, as returned by the resolver. | |
059ec3d9 PH |
2502 | |
2503 | Arguments: | |
2504 | host point to initial host item | |
2505 | ignore_target_hosts a list of hosts to ignore | |
2506 | whichrrs flags indicating which RRs to look for: | |
2507 | HOST_FIND_BY_SRV => look for SRV | |
2508 | HOST_FIND_BY_MX => look for MX | |
66387a73 JH |
2509 | HOST_FIND_BY_A => look for A |
2510 | HOST_FIND_BY_AAAA => look for AAAA | |
059ec3d9 PH |
2511 | also flags indicating how the lookup is done |
2512 | HOST_FIND_QUALIFY_SINGLE ) passed to the | |
2513 | HOST_FIND_SEARCH_PARENTS ) resolver | |
66387a73 JH |
2514 | HOST_FIND_IPV4_FIRST => reverse usual result ordering |
2515 | HOST_FIND_IPV4_ONLY => MX results elide ipv6 | |
059ec3d9 PH |
2516 | srv_service when SRV used, the service name |
2517 | srv_fail_domains DNS errors for these domains => assume nonexist | |
2518 | mx_fail_domains DNS errors for these domains => assume nonexist | |
7cd171b7 JH |
2519 | dnssec_d.request => make dnssec request: domainlist |
2520 | dnssec_d.require => ditto and nonexist failures | |
059ec3d9 PH |
2521 | fully_qualified_name if not NULL, return fully-qualified name |
2522 | removed set TRUE if local host was removed from the list | |
2523 | ||
2524 | Returns: HOST_FIND_FAILED Failed to find the host or domain; | |
2525 | if there was a syntax error, | |
2526 | host_find_failed_syntax is set. | |
2527 | HOST_FIND_AGAIN Could not resolve at this time | |
2546388c | 2528 | HOST_FIND_SECURITY dnsssec required but not acheived |
059ec3d9 PH |
2529 | HOST_FOUND Host found |
2530 | HOST_FOUND_LOCAL The lowest MX record points to this | |
2531 | machine, if MX records were found, or | |
2532 | an A record that was found contains | |
2533 | an address of the local host | |
2534 | */ | |
2535 | ||
2536 | int | |
55414b25 | 2537 | host_find_bydns(host_item *host, const uschar *ignore_target_hosts, int whichrrs, |
059ec3d9 | 2538 | uschar *srv_service, uschar *srv_fail_domains, uschar *mx_fail_domains, |
7cd171b7 | 2539 | const dnssec_domains *dnssec_d, |
55414b25 | 2540 | const uschar **fully_qualified_name, BOOL *removed) |
059ec3d9 PH |
2541 | { |
2542 | host_item *h, *last; | |
059ec3d9 PH |
2543 | int rc = DNS_FAIL; |
2544 | int ind_type = 0; | |
2545 | int yield; | |
8743d3ac | 2546 | dns_answer * dnsa = store_get_dns_answer(); |
059ec3d9 | 2547 | dns_scan dnss; |
7cd171b7 JH |
2548 | BOOL dnssec_require = dnssec_d |
2549 | && match_isinlist(host->name, CUSS &dnssec_d->require, | |
8c51eead | 2550 | 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK; |
783b385f | 2551 | BOOL dnssec_request = dnssec_require |
7cd171b7 JH |
2552 | || ( dnssec_d |
2553 | && match_isinlist(host->name, CUSS &dnssec_d->request, | |
2554 | 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK); | |
783b385f | 2555 | dnssec_status_t dnssec; |
059ec3d9 PH |
2556 | |
2557 | /* Set the default fully qualified name to the incoming name, initialize the | |
2558 | resolver if necessary, set up the relevant options, and initialize the flag | |
2559 | that gets set for DNS syntax check errors. */ | |
2560 | ||
2561 | if (fully_qualified_name != NULL) *fully_qualified_name = host->name; | |
2562 | dns_init((whichrrs & HOST_FIND_QUALIFY_SINGLE) != 0, | |
8c51eead | 2563 | (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0, |
1f155f8e | 2564 | dnssec_request); |
8768d548 | 2565 | f.host_find_failed_syntax = FALSE; |
059ec3d9 PH |
2566 | |
2567 | /* First, if requested, look for SRV records. The service name is given; we | |
221dff13 | 2568 | assume TCP protocol. DNS domain names are constrained to a maximum of 256 |
059ec3d9 PH |
2569 | characters, so the code below should be safe. */ |
2570 | ||
94759fce | 2571 | if (whichrrs & HOST_FIND_BY_SRV) |
059ec3d9 | 2572 | { |
d12746bc JH |
2573 | gstring * g; |
2574 | uschar * temp_fully_qualified_name; | |
059ec3d9 PH |
2575 | int prefix_length; |
2576 | ||
d12746bc JH |
2577 | g = string_fmt_append(NULL, "_%s._tcp.%n%.256s", |
2578 | srv_service, &prefix_length, host->name); | |
2579 | temp_fully_qualified_name = string_from_gstring(g); | |
059ec3d9 PH |
2580 | ind_type = T_SRV; |
2581 | ||
2582 | /* Search for SRV records. If the fully qualified name is different to | |
2583 | the input name, pass back the new original domain, without the prepended | |
2584 | magic. */ | |
2585 | ||
783b385f JH |
2586 | dnssec = DS_UNK; |
2587 | lookup_dnssec_authenticated = NULL; | |
8743d3ac | 2588 | rc = dns_lookup_timerwrap(dnsa, temp_fully_qualified_name, ind_type, |
d12746bc | 2589 | CUSS &temp_fully_qualified_name); |
783b385f | 2590 | |
221dff13 HSHR |
2591 | DEBUG(D_dns) |
2592 | if ((dnssec_request || dnssec_require) | |
8743d3ac JH |
2593 | && !dns_is_secure(dnsa) |
2594 | && dns_is_aa(dnsa)) | |
221dff13 HSHR |
2595 | debug_printf("DNS lookup of %.256s (SRV) requested AD, but got AA\n", host->name); |
2596 | ||
783b385f JH |
2597 | if (dnssec_request) |
2598 | { | |
8743d3ac | 2599 | if (dns_is_secure(dnsa)) |
783b385f JH |
2600 | { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; } |
2601 | else | |
2602 | { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; } | |
2603 | } | |
4e0983dc | 2604 | |
d12746bc | 2605 | if (temp_fully_qualified_name != g->s && fully_qualified_name != NULL) |
059ec3d9 PH |
2606 | *fully_qualified_name = temp_fully_qualified_name + prefix_length; |
2607 | ||
2608 | /* On DNS failures, we give the "try again" error unless the domain is | |
2609 | listed as one for which we continue. */ | |
2610 | ||
8743d3ac | 2611 | if (rc == DNS_SUCCEED && dnssec_require && !dns_is_secure(dnsa)) |
8c51eead JH |
2612 | { |
2613 | log_write(L_host_lookup_failed, LOG_MAIN, | |
2614 | "dnssec fail on SRV for %.256s", host->name); | |
2615 | rc = DNS_FAIL; | |
2616 | } | |
059ec3d9 PH |
2617 | if (rc == DNS_FAIL || rc == DNS_AGAIN) |
2618 | { | |
e7726cbf | 2619 | #ifndef STAND_ALONE |
55414b25 JH |
2620 | if (match_isinlist(host->name, CUSS &srv_fail_domains, 0, NULL, NULL, |
2621 | MCL_DOMAIN, TRUE, NULL) != OK) | |
e7726cbf | 2622 | #endif |
8c51eead | 2623 | { yield = HOST_FIND_AGAIN; goto out; } |
059ec3d9 PH |
2624 | DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA " |
2625 | "(domain in srv_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN"); | |
2626 | } | |
2627 | } | |
2628 | ||
2629 | /* If we did not find any SRV records, search the DNS for MX records, if | |
2630 | requested to do so. If the result is DNS_NOMATCH, it means there is no such | |
2631 | domain, and there's no point in going on to look for address records with the | |
2632 | same domain. The result will be DNS_NODATA if the domain exists but has no MX | |
2633 | records. On DNS failures, we give the "try again" error unless the domain is | |
2634 | listed as one for which we continue. */ | |
2635 | ||
2546388c | 2636 | if (rc != DNS_SUCCEED && whichrrs & HOST_FIND_BY_MX) |
059ec3d9 PH |
2637 | { |
2638 | ind_type = T_MX; | |
783b385f JH |
2639 | dnssec = DS_UNK; |
2640 | lookup_dnssec_authenticated = NULL; | |
8743d3ac | 2641 | rc = dns_lookup_timerwrap(dnsa, host->name, ind_type, fully_qualified_name); |
783b385f | 2642 | |
221dff13 | 2643 | DEBUG(D_dns) |
2546388c | 2644 | if ( (dnssec_request || dnssec_require) |
8743d3ac JH |
2645 | && !dns_is_secure(dnsa) |
2646 | && dns_is_aa(dnsa)) | |
cf3d165f | 2647 | debug_printf("DNS lookup of %.256s (MX) requested AD, but got AA\n", host->name); |
221dff13 | 2648 | |
783b385f | 2649 | if (dnssec_request) |
8743d3ac | 2650 | if (dns_is_secure(dnsa)) |
94431adb | 2651 | { |
979c462e | 2652 | DEBUG(D_host_lookup) debug_printf("%s (MX resp) DNSSEC\n", host->name); |
cf2b569e JH |
2653 | dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; |
2654 | } | |
783b385f | 2655 | else |
cf2b569e JH |
2656 | { |
2657 | dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; | |
2658 | } | |
4e0983dc | 2659 | |
8c51eead JH |
2660 | switch (rc) |
2661 | { | |
2662 | case DNS_NOMATCH: | |
2663 | yield = HOST_FIND_FAILED; goto out; | |
2664 | ||
2665 | case DNS_SUCCEED: | |
8743d3ac | 2666 | if (!dnssec_require || dns_is_secure(dnsa)) |
8c51eead | 2667 | break; |
2546388c JH |
2668 | DEBUG(D_host_lookup) |
2669 | debug_printf("dnssec fail on MX for %.256s", host->name); | |
2670 | #ifndef STAND_ALONE | |
2671 | if (match_isinlist(host->name, CUSS &mx_fail_domains, 0, NULL, NULL, | |
2672 | MCL_DOMAIN, TRUE, NULL) != OK) | |
2673 | { yield = HOST_FIND_SECURITY; goto out; } | |
2674 | #endif | |
8c51eead | 2675 | rc = DNS_FAIL; |
cf2b569e | 2676 | /*FALLTHROUGH*/ |
8c51eead JH |
2677 | |
2678 | case DNS_FAIL: | |
2679 | case DNS_AGAIN: | |
2546388c | 2680 | #ifndef STAND_ALONE |
55414b25 JH |
2681 | if (match_isinlist(host->name, CUSS &mx_fail_domains, 0, NULL, NULL, |
2682 | MCL_DOMAIN, TRUE, NULL) != OK) | |
2546388c | 2683 | #endif |
8c51eead JH |
2684 | { yield = HOST_FIND_AGAIN; goto out; } |
2685 | DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA " | |
2686 | "(domain in mx_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN"); | |
2687 | break; | |
059ec3d9 PH |
2688 | } |
2689 | } | |
2690 | ||
2691 | /* If we haven't found anything yet, and we are requested to do so, try for an | |
2692 | A or AAAA record. If we find it (or them) check to see that it isn't the local | |
2693 | host. */ | |
2694 | ||
2695 | if (rc != DNS_SUCCEED) | |
2696 | { | |
66387a73 | 2697 | if (!(whichrrs & (HOST_FIND_BY_A | HOST_FIND_BY_AAAA))) |
059ec3d9 PH |
2698 | { |
2699 | DEBUG(D_host_lookup) debug_printf("Address records are not being sought\n"); | |
8c51eead JH |
2700 | yield = HOST_FIND_FAILED; |
2701 | goto out; | |
059ec3d9 PH |
2702 | } |
2703 | ||
2704 | last = host; /* End of local chainlet */ | |
2705 | host->mx = MX_NONE; | |
2706 | host->port = PORT_NONE; | |
cf2b569e | 2707 | host->dnssec = DS_UNK; |
783b385f | 2708 | lookup_dnssec_authenticated = NULL; |
059ec3d9 | 2709 | rc = set_address_from_dns(host, &last, ignore_target_hosts, FALSE, |
66387a73 | 2710 | fully_qualified_name, dnssec_request, dnssec_require, whichrrs); |
059ec3d9 PH |
2711 | |
2712 | /* If one or more address records have been found, check that none of them | |
2713 | are local. Since we know the host items all have their IP addresses | |
2714 | inserted, host_scan_for_local_hosts() can only return HOST_FOUND or | |
2715 | HOST_FOUND_LOCAL. We do not need to scan for duplicate IP addresses here, | |
2716 | because set_address_from_dns() removes them. */ | |
2717 | ||
2718 | if (rc == HOST_FOUND) | |
2719 | rc = host_scan_for_local_hosts(host, &last, removed); | |
2720 | else | |
2721 | if (rc == HOST_IGNORED) rc = HOST_FIND_FAILED; /* No special action */ | |
2722 | ||
2723 | DEBUG(D_host_lookup) | |
d7978c0f | 2724 | if (host->address) |
059ec3d9 | 2725 | { |
d7978c0f | 2726 | if (fully_qualified_name) |
059ec3d9 | 2727 | debug_printf("fully qualified name = %s\n", *fully_qualified_name); |
d7978c0f | 2728 | for (host_item * h = host; h != last->next; h = h->next) |
059ec3d9 | 2729 | debug_printf("%s %s mx=%d sort=%d %s\n", h->name, |
d7978c0f JH |
2730 | h->address ? h->address : US"<null>", h->mx, h->sort_key, |
2731 | h->status >= hstatus_unusable ? US"*" : US""); | |
059ec3d9 | 2732 | } |
059ec3d9 | 2733 | |
8c51eead JH |
2734 | yield = rc; |
2735 | goto out; | |
059ec3d9 PH |
2736 | } |
2737 | ||
2738 | /* We have found one or more MX or SRV records. Sort them according to | |
2739 | precedence. Put the data for the first one into the existing host block, and | |
2740 | insert new host_item blocks into the chain for the remainder. For equal | |
2741 | precedences one is supposed to randomize the order. To make this happen, the | |
2742 | sorting is actually done on the MX value * 1000 + a random number. This is put | |
2743 | into a host field called sort_key. | |
2744 | ||
2745 | In the case of hosts with both IPv6 and IPv4 addresses, we want to choose the | |
2746 | IPv6 address in preference. At this stage, we don't know what kind of address | |
2747 | the host has. We choose a random number < 500; if later we find an A record | |
2748 | first, we add 500 to the random number. Then for any other address records, we | |
2749 | use random numbers in the range 0-499 for AAAA records and 500-999 for A | |
2750 | records. | |
2751 | ||
2752 | At this point we remove any duplicates that point to the same host, retaining | |
2753 | only the one with the lowest precedence. We cannot yet check for precedence | |
2754 | greater than that of the local host, because that test cannot be properly done | |
2755 | until the addresses have been found - an MX record may point to a name for this | |
2756 | host which is not the primary hostname. */ | |
2757 | ||
2758 | last = NULL; /* Indicates that not even the first item is filled yet */ | |
2759 | ||
8743d3ac | 2760 | for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); |
dd708fd7 | 2761 | rr; |
8743d3ac | 2762 | rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == ind_type) |
059ec3d9 | 2763 | { |
8c513105 | 2764 | int precedence, weight; |
1349e1e5 | 2765 | int port = PORT_NONE; |
dd708fd7 | 2766 | const uschar * s = rr->data; /* MUST be unsigned for GETSHORT */ |
059ec3d9 PH |
2767 | uschar data[256]; |
2768 | ||
059ec3d9 PH |
2769 | GETSHORT(precedence, s); /* Pointer s is advanced */ |
2770 | ||
2771 | /* For MX records, we use a random "weight" which causes multiple records of | |
2772 | the same precedence to sort randomly. */ | |
2773 | ||
2774 | if (ind_type == T_MX) | |
059ec3d9 | 2775 | weight = random_number(500); |
059ec3d9 PH |
2776 | else |
2777 | { | |
8c513105 JH |
2778 | /* SRV records are specified with a port and a weight. The weight is used |
2779 | in a special algorithm. However, to start with, we just use it to order the | |
2780 | records of equal priority (precedence). */ | |
059ec3d9 PH |
2781 | GETSHORT(weight, s); |
2782 | GETSHORT(port, s); | |
2783 | } | |
2784 | ||
2785 | /* Get the name of the host pointed to. */ | |
2786 | ||
8743d3ac | 2787 | (void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s, |
059ec3d9 PH |
2788 | (DN_EXPAND_ARG4_TYPE)data, sizeof(data)); |
2789 | ||
2790 | /* Check that we haven't already got this host on the chain; if we have, | |
2791 | keep only the lower precedence. This situation shouldn't occur, but you | |
2792 | never know what junk might get into the DNS (and this case has been seen on | |
2793 | more than one occasion). */ | |
2794 | ||
8c513105 | 2795 | if (last) /* This is not the first record */ |
059ec3d9 PH |
2796 | { |
2797 | host_item *prev = NULL; | |
2798 | ||
2799 | for (h = host; h != last->next; prev = h, h = h->next) | |
059ec3d9 PH |
2800 | if (strcmpic(h->name, data) == 0) |
2801 | { | |
2802 | DEBUG(D_host_lookup) | |
2803 | debug_printf("discarded duplicate host %s (MX=%d)\n", data, | |
8c513105 | 2804 | precedence > h->mx ? precedence : h->mx); |
059ec3d9 PH |
2805 | if (precedence >= h->mx) goto NEXT_MX_RR; /* Skip greater precedence */ |
2806 | if (h == host) /* Override first item */ | |
2807 | { | |
2808 | h->mx = precedence; | |
2809 | host->sort_key = precedence * 1000 + weight; | |
2810 | goto NEXT_MX_RR; | |
2811 | } | |
2812 | ||
2813 | /* Unwanted host item is not the first in the chain, so we can get | |
2814 | get rid of it by cutting it out. */ | |
2815 | ||
2816 | prev->next = h->next; | |
2817 | if (h == last) last = prev; | |
2818 | break; | |
2819 | } | |
059ec3d9 PH |
2820 | } |
2821 | ||
2822 | /* If this is the first MX or SRV record, put the data into the existing host | |
2823 | block. Otherwise, add a new block in the correct place; if it has to be | |
2824 | before the first block, copy the first block's data to a new second block. */ | |
2825 | ||
8ac90765 | 2826 | if (!last) |
059ec3d9 PH |
2827 | { |
2828 | host->name = string_copy_dnsdomain(data); | |
2829 | host->address = NULL; | |
2830 | host->port = port; | |
2831 | host->mx = precedence; | |
2832 | host->sort_key = precedence * 1000 + weight; | |
2833 | host->status = hstatus_unknown; | |
2834 | host->why = hwhy_unknown; | |
783b385f | 2835 | host->dnssec = dnssec; |
059ec3d9 PH |
2836 | last = host; |
2837 | } | |
8c513105 | 2838 | else |
059ec3d9 PH |
2839 | |
2840 | /* Make a new host item and seek the correct insertion place */ | |
059ec3d9 PH |
2841 | { |
2842 | int sort_key = precedence * 1000 + weight; | |
f3ebb786 | 2843 | host_item *next = store_get(sizeof(host_item), FALSE); |
059ec3d9 PH |
2844 | next->name = string_copy_dnsdomain(data); |
2845 | next->address = NULL; | |
2846 | next->port = port; | |
2847 | next->mx = precedence; | |
2848 | next->sort_key = sort_key; | |
2849 | next->status = hstatus_unknown; | |
2850 | next->why = hwhy_unknown; | |
783b385f | 2851 | next->dnssec = dnssec; |
059ec3d9 PH |
2852 | next->last_try = 0; |
2853 | ||
2854 | /* Handle the case when we have to insert before the first item. */ | |
2855 | ||
2856 | if (sort_key < host->sort_key) | |
2857 | { | |
2858 | host_item htemp; | |
2859 | htemp = *host; | |
2860 | *host = *next; | |
2861 | *next = htemp; | |
2862 | host->next = next; | |
2863 | if (last == host) last = next; | |
2864 | } | |
8c513105 | 2865 | else |
059ec3d9 PH |
2866 | |
2867 | /* Else scan down the items we have inserted as part of this exercise; | |
2868 | don't go further. */ | |
059ec3d9 PH |
2869 | { |
2870 | for (h = host; h != last; h = h->next) | |
059ec3d9 PH |
2871 | if (sort_key < h->next->sort_key) |
2872 | { | |
2873 | next->next = h->next; | |
2874 | h->next = next; | |
2875 | break; | |
2876 | } | |
059ec3d9 PH |
2877 | |
2878 | /* Join on after the last host item that's part of this | |
2879 | processing if we haven't stopped sooner. */ | |
2880 | ||
2881 | if (h == last) | |
2882 | { | |
2883 | next->next = last->next; | |
2884 | last->next = next; | |
2885 | last = next; | |
2886 | } | |
2887 | } | |
2888 | } | |
2889 | ||
2890 | NEXT_MX_RR: continue; | |
2891 | } | |
2892 | ||
dc8091e7 JH |
2893 | if (!last) /* No rr of correct type; give up */ |
2894 | { | |
2895 | yield = HOST_FIND_FAILED; | |
2896 | goto out; | |
2897 | } | |
2898 | ||
059ec3d9 PH |
2899 | /* If the list of hosts was obtained from SRV records, there are two things to |
2900 | do. First, if there is only one host, and it's name is ".", it means there is | |
2901 | no SMTP service at this domain. Otherwise, we have to sort the hosts of equal | |
2902 | priority according to their weights, using an algorithm that is defined in RFC | |
2903 | 2782. The hosts are currently sorted by priority and weight. For each priority | |
2904 | group we have to pick off one host and put it first, and then repeat for any | |
2905 | remaining in the same priority group. */ | |
2906 | ||
2907 | if (ind_type == T_SRV) | |
2908 | { | |
d7978c0f | 2909 | host_item ** pptr; |
059ec3d9 PH |
2910 | |
2911 | if (host == last && host->name[0] == 0) | |
2912 | { | |
2913 | DEBUG(D_host_lookup) debug_printf("the single SRV record is \".\"\n"); | |
8c51eead JH |
2914 | yield = HOST_FIND_FAILED; |
2915 | goto out; | |
059ec3d9 PH |
2916 | } |
2917 | ||
2918 | DEBUG(D_host_lookup) | |
2919 | { | |
2920 | debug_printf("original ordering of hosts from SRV records:\n"); | |
2921 | for (h = host; h != last->next; h = h->next) | |
2922 | debug_printf(" %s P=%d W=%d\n", h->name, h->mx, h->sort_key % 1000); | |
2923 | } | |
2924 | ||
dc8091e7 | 2925 | for (pptr = &host, h = host; h != last; pptr = &h->next, h = h->next) |
059ec3d9 PH |
2926 | { |
2927 | int sum = 0; | |
2928 | host_item *hh; | |
2929 | ||
2930 | /* Find the last following host that has the same precedence. At the same | |
2931 | time, compute the sum of the weights and the running totals. These can be | |
2932 | stored in the sort_key field. */ | |
2933 | ||
2934 | for (hh = h; hh != last; hh = hh->next) | |
2935 | { | |
2936 | int weight = hh->sort_key % 1000; /* was precedence * 1000 + weight */ | |
2937 | sum += weight; | |
2938 | hh->sort_key = sum; | |
2939 | if (hh->mx != hh->next->mx) break; | |
2940 | } | |
2941 | ||
2942 | /* If there's more than one host at this precedence (priority), we need to | |
2943 | pick one to go first. */ | |
2944 | ||
2945 | if (hh != h) | |
2946 | { | |
2947 | host_item *hhh; | |
2948 | host_item **ppptr; | |
2949 | int randomizer = random_number(sum + 1); | |
2950 | ||
2951 | for (ppptr = pptr, hhh = h; | |
2952 | hhh != hh; | |
8c513105 JH |
2953 | ppptr = &hhh->next, hhh = hhh->next) |
2954 | if (hhh->sort_key >= randomizer) | |
2955 | break; | |
059ec3d9 PH |
2956 | |
2957 | /* hhh now points to the host that should go first; ppptr points to the | |
2958 | place that points to it. Unfortunately, if the start of the minilist is | |
2959 | the start of the entire list, we can't just swap the items over, because | |
2960 | we must not change the value of host, since it is passed in from outside. | |
2961 | One day, this could perhaps be changed. | |
2962 | ||
2963 | The special case is fudged by putting the new item *second* in the chain, | |
2964 | and then transferring the data between the first and second items. We | |
2965 | can't just swap the first and the chosen item, because that would mean | |
2966 | that an item with zero weight might no longer be first. */ | |
2967 | ||
2968 | if (hhh != h) | |
2969 | { | |
2970 | *ppptr = hhh->next; /* Cuts it out of the chain */ | |
2971 | ||
2972 | if (h == host) | |
2973 | { | |
2974 | host_item temp = *h; | |
2975 | *h = *hhh; | |
2976 | *hhh = temp; | |
2977 | hhh->next = temp.next; | |
2978 | h->next = hhh; | |
2979 | } | |
059ec3d9 PH |
2980 | else |
2981 | { | |
2982 | hhh->next = h; /* The rest of the chain follows it */ | |
2983 | *pptr = hhh; /* It takes the place of h */ | |
2984 | h = hhh; /* It's now the start of this minilist */ | |
2985 | } | |
2986 | } | |
2987 | } | |
2988 | ||
2989 | /* A host has been chosen to be first at this priority and h now points | |
2990 | to this host. There may be others at the same priority, or others at a | |
2991 | different priority. Before we leave this host, we need to put back a sort | |
2992 | key of the traditional MX kind, in case this host is multihomed, because | |
2993 | the sort key is used for ordering the multiple IP addresses. We do not need | |
2994 | to ensure that these new sort keys actually reflect the order of the hosts, | |
2995 | however. */ | |
2996 | ||
2997 | h->sort_key = h->mx * 1000 + random_number(500); | |
2998 | } /* Move on to the next host */ | |
2999 | } | |
3000 | ||
1349e1e5 PH |
3001 | /* Now we have to find IP addresses for all the hosts. We have ensured above |
3002 | that the names in all the host items are unique. Before release 4.61 we used to | |
3003 | process records from the additional section in the DNS packet that returned the | |
3004 | MX or SRV records. However, a DNS name server is free to drop any resource | |
3005 | records from the additional section. In theory, this has always been a | |
3006 | potential problem, but it is exacerbated by the advent of IPv6. If a host had | |
3007 | several IPv4 addresses and some were not in the additional section, at least | |
3008 | Exim would try the others. However, if a host had both IPv4 and IPv6 addresses | |
3009 | and all the IPv4 (say) addresses were absent, Exim would try only for a IPv6 | |
3010 | connection, and never try an IPv4 address. When there was only IPv4 | |
3011 | connectivity, this was a disaster that did in practice occur. | |
3012 | ||
3013 | So, from release 4.61 onwards, we always search for A and AAAA records | |
3014 | explicitly. The names shouldn't point to CNAMES, but we use the general lookup | |
3015 | function that handles them, just in case. If any lookup gives a soft error, | |
3016 | change the default yield. | |
059ec3d9 PH |
3017 | |
3018 | For these DNS lookups, we must disable qualify_single and search_parents; | |
3019 | otherwise invalid host names obtained from MX or SRV records can cause trouble | |
3020 | if they happen to match something local. */ | |
3021 | ||
1349e1e5 | 3022 | yield = HOST_FIND_FAILED; /* Default yield */ |
8c51eead JH |
3023 | dns_init(FALSE, FALSE, /* Disable qualify_single and search_parents */ |
3024 | dnssec_request || dnssec_require); | |
059ec3d9 PH |
3025 | |
3026 | for (h = host; h != last->next; h = h->next) | |
3027 | { | |
dc8091e7 JH |
3028 | if (h->address) continue; /* Inserted by a multihomed host */ |
3029 | ||
8c51eead | 3030 | rc = set_address_from_dns(h, &last, ignore_target_hosts, allow_mx_to_ip, |
66387a73 JH |
3031 | NULL, dnssec_request, dnssec_require, |
3032 | whichrrs & HOST_FIND_IPV4_ONLY | |
3033 | ? HOST_FIND_BY_A : HOST_FIND_BY_A | HOST_FIND_BY_AAAA); | |
059ec3d9 PH |
3034 | if (rc != HOST_FOUND) |
3035 | { | |
3036 | h->status = hstatus_unusable; | |
2546388c | 3037 | switch (rc) |
059ec3d9 | 3038 | { |
66387a73 JH |
3039 | case HOST_FIND_AGAIN: yield = rc; h->why = hwhy_deferred; break; |
3040 | case HOST_FIND_SECURITY: yield = rc; h->why = hwhy_insecure; break; | |
3041 | case HOST_IGNORED: h->why = hwhy_ignored; break; | |
3042 | default: h->why = hwhy_failed; break; | |
059ec3d9 | 3043 | } |
059ec3d9 PH |
3044 | } |
3045 | } | |
3046 | ||
3047 | /* Scan the list for any hosts that are marked unusable because they have | |
3048 | been explicitly ignored, and remove them from the list, as if they did not | |
3049 | exist. If we end up with just a single, ignored host, flatten its fields as if | |
3050 | nothing was found. */ | |
3051 | ||
2546388c | 3052 | if (ignore_target_hosts) |
059ec3d9 PH |
3053 | { |
3054 | host_item *prev = NULL; | |
3055 | for (h = host; h != last->next; h = h->next) | |
3056 | { | |
3057 | REDO: | |
3058 | if (h->why != hwhy_ignored) /* Non ignored host, just continue */ | |
3059 | prev = h; | |
3060 | else if (prev == NULL) /* First host is ignored */ | |
3061 | { | |
3062 | if (h != last) /* First is not last */ | |
3063 | { | |
3064 | if (h->next == last) last = h; /* Overwrite it with next */ | |
3065 | *h = *(h->next); /* and reprocess it. */ | |
3066 | goto REDO; /* C should have redo, like Perl */ | |
3067 | } | |
3068 | } | |
3069 | else /* Ignored host is not first - */ | |
3070 | { /* cut it out */ | |
3071 | prev->next = h->next; | |
3072 | if (h == last) last = prev; | |
3073 | } | |
3074 | } | |
3075 | ||
3076 | if (host->why == hwhy_ignored) host->address = NULL; | |
3077 | } | |
3078 | ||
3079 | /* There is still one complication in the case of IPv6. Although the code above | |
3080 | arranges that IPv6 addresses take precedence over IPv4 addresses for multihomed | |
3081 | hosts, it doesn't do this for addresses that apply to different hosts with the | |
3082 | same MX precedence, because the sorting on MX precedence happens first. So we | |
3083 | have to make another pass to check for this case. We ensure that, within a | |
3084 | single MX preference value, IPv6 addresses come first. This can separate the | |
3085 | addresses of a multihomed host, but that should not matter. */ | |
3086 | ||
3087 | #if HAVE_IPV6 | |
2546388c | 3088 | if (h != last && !disable_ipv6) for (h = host; h != last; h = h->next) |
059ec3d9 | 3089 | { |
2546388c JH |
3090 | host_item temp; |
3091 | host_item *next = h->next; | |
3092 | ||
66387a73 JH |
3093 | if ( h->mx != next->mx /* If next is different MX */ |
3094 | || !h->address /* OR this one is unset */ | |
3095 | ) | |
3096 | continue; /* move on to next */ | |
3097 | ||
3098 | if ( whichrrs & HOST_FIND_IPV4_FIRST | |
3099 | ? !Ustrchr(h->address, ':') /* OR this one is IPv4 */ | |
3100 | || next->address | |
3101 | && Ustrchr(next->address, ':') /* OR next is IPv6 */ | |
3102 | ||
3103 | : Ustrchr(h->address, ':') /* OR this one is IPv6 */ | |
3104 | || next->address | |
3105 | && !Ustrchr(next->address, ':') /* OR next is IPv4 */ | |
3106 | ) | |
2546388c | 3107 | continue; /* move on to next */ |
66387a73 | 3108 | |
2546388c JH |
3109 | temp = *h; /* otherwise, swap */ |
3110 | temp.next = next->next; | |
3111 | *h = *next; | |
3112 | h->next = next; | |
3113 | *next = temp; | |
059ec3d9 PH |
3114 | } |
3115 | #endif | |
3116 | ||
059ec3d9 PH |
3117 | /* Remove any duplicate IP addresses and then scan the list of hosts for any |
3118 | whose IP addresses are on the local host. If any are found, all hosts with the | |
3119 | same or higher MX values are removed. However, if the local host has the lowest | |
3120 | numbered MX, then HOST_FOUND_LOCAL is returned. Otherwise, if at least one host | |
3121 | with an IP address is on the list, HOST_FOUND is returned. Otherwise, | |
3122 | HOST_FIND_FAILED is returned, but in this case do not update the yield, as it | |
3123 | might have been set to HOST_FIND_AGAIN just above here. If not, it will already | |
3124 | be HOST_FIND_FAILED. */ | |
3125 | ||
3126 | host_remove_duplicates(host, &last); | |
3127 | rc = host_scan_for_local_hosts(host, &last, removed); | |
3128 | if (rc != HOST_FIND_FAILED) yield = rc; | |
3129 | ||
3130 | DEBUG(D_host_lookup) | |
3131 | { | |
d7978c0f | 3132 | if (fully_qualified_name) |
059ec3d9 PH |
3133 | debug_printf("fully qualified name = %s\n", *fully_qualified_name); |
3134 | debug_printf("host_find_bydns yield = %s (%d); returned hosts:\n", | |
d7978c0f JH |
3135 | yield == HOST_FOUND ? "HOST_FOUND" : |
3136 | yield == HOST_FOUND_LOCAL ? "HOST_FOUND_LOCAL" : | |
3137 | yield == HOST_FIND_SECURITY ? "HOST_FIND_SECURITY" : | |
3138 | yield == HOST_FIND_AGAIN ? "HOST_FIND_AGAIN" : | |
3139 | yield == HOST_FIND_FAILED ? "HOST_FIND_FAILED" : "?", | |
059ec3d9 PH |
3140 | yield); |
3141 | for (h = host; h != last->next; h = h->next) | |
3142 | { | |
805c9d53 JH |
3143 | debug_printf(" %s %s MX=%d %s", h->name, |
3144 | !h->address ? US"<null>" : h->address, h->mx, | |
3145 | h->dnssec == DS_YES ? US"DNSSEC " : US""); | |
059ec3d9 PH |
3146 | if (h->port != PORT_NONE) debug_printf("port=%d ", h->port); |
3147 | if (h->status >= hstatus_unusable) debug_printf("*"); | |
3148 | debug_printf("\n"); | |
3149 | } | |
3150 | } | |
3151 | ||
8c51eead JH |
3152 | out: |
3153 | ||
3154 | dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */ | |
059ec3d9 PH |
3155 | return yield; |
3156 | } | |
3157 | ||
30795c5e JH |
3158 | |
3159 | ||
3160 | ||
3161 | #ifdef SUPPORT_DANE | |
3162 | /* Lookup TLSA record for host/port. | |
3163 | Return: OK success with dnssec; DANE mode | |
3164 | DEFER Do not use this host now, may retry later | |
3165 | FAIL_FORCED No TLSA record; DANE not usable | |
3166 | FAIL Do not use this connection | |
3167 | */ | |
3168 | ||
3169 | int | |
3170 | tlsa_lookup(const host_item * host, dns_answer * dnsa, BOOL dane_required) | |
3171 | { | |
3172 | uschar buffer[300]; | |
3173 | const uschar * fullname = buffer; | |
3174 | int rc; | |
3175 | BOOL sec; | |
3176 | ||
3177 | /* TLSA lookup string */ | |
3178 | (void)sprintf(CS buffer, "_%d._tcp.%.256s", host->port, host->name); | |
3179 | ||
3180 | rc = dns_lookup_timerwrap(dnsa, buffer, T_TLSA, &fullname); | |
3181 | sec = dns_is_secure(dnsa); | |
3182 | DEBUG(D_transport) | |
3183 | debug_printf("TLSA lookup ret %d %sDNSSEC\n", rc, sec ? "" : "not "); | |
3184 | ||
3185 | switch (rc) | |
3186 | { | |
3187 | case DNS_AGAIN: | |
3188 | return DEFER; /* just defer this TLS'd conn */ | |
3189 | ||
3190 | case DNS_SUCCEED: | |
3191 | if (sec) | |
3192 | { | |
3193 | DEBUG(D_transport) | |
3194 | { | |
3195 | dns_scan dnss; | |
3196 | for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr; | |
3197 | rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) | |
3198 | if (rr->type == T_TLSA && rr->size > 3) | |
3199 | { | |
3200 | uint16_t payload_length = rr->size - 3; | |
3201 | uschar s[MAX_TLSA_EXPANDED_SIZE], * sp = s, * p = US rr->data; | |
3202 | ||
3203 | sp += sprintf(CS sp, "%d ", *p++); /* usage */ | |
3204 | sp += sprintf(CS sp, "%d ", *p++); /* selector */ | |
3205 | sp += sprintf(CS sp, "%d ", *p++); /* matchtype */ | |
3206 | while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4)) | |
3207 | sp += sprintf(CS sp, "%02x", *p++); | |
3208 | ||
3209 | debug_printf(" %s\n", s); | |
3210 | } | |
3211 | } | |
3212 | return OK; | |
3213 | } | |
3214 | log_write(0, LOG_MAIN, | |
3215 | "DANE error: TLSA lookup for %s not DNSSEC", host->name); | |
3216 | /*FALLTRHOUGH*/ | |
3217 | ||
3218 | case DNS_NODATA: /* no TLSA RR for this lookup */ | |
3219 | case DNS_NOMATCH: /* no records at all for this lookup */ | |
3220 | return dane_required ? FAIL : FAIL_FORCED; | |
3221 | ||
3222 | default: | |
3223 | case DNS_FAIL: | |
3224 | return dane_required ? FAIL : DEFER; | |
3225 | } | |
3226 | } | |
3227 | #endif /*SUPPORT_DANE*/ | |
3228 | ||
3229 | ||
3230 | ||
059ec3d9 PH |
3231 | /************************************************* |
3232 | ************************************************** | |
3233 | * Stand-alone test program * | |
3234 | ************************************************** | |
3235 | *************************************************/ | |
3236 | ||
3237 | #ifdef STAND_ALONE | |
3238 | ||
059ec3d9 PH |
3239 | int main(int argc, char **cargv) |
3240 | { | |
3241 | host_item h; | |
66387a73 | 3242 | int whichrrs = HOST_FIND_BY_MX | HOST_FIND_BY_A | HOST_FIND_BY_AAAA; |
059ec3d9 PH |
3243 | BOOL byname = FALSE; |
3244 | BOOL qualify_single = TRUE; | |
3245 | BOOL search_parents = FALSE; | |
8c51eead JH |
3246 | BOOL request_dnssec = FALSE; |
3247 | BOOL require_dnssec = FALSE; | |
059ec3d9 PH |
3248 | uschar **argv = USS cargv; |
3249 | uschar buffer[256]; | |
3250 | ||
322050c2 | 3251 | disable_ipv6 = FALSE; |
059ec3d9 PH |
3252 | primary_hostname = US""; |
3253 | store_pool = POOL_MAIN; | |
3254 | debug_selector = D_host_lookup|D_interface; | |
3255 | debug_file = stdout; | |
3256 | debug_fd = fileno(debug_file); | |
3257 | ||
3258 | printf("Exim stand-alone host functions test\n"); | |
3259 | ||
3260 | host_find_interfaces(); | |
3261 | debug_selector = D_host_lookup | D_dns; | |
3262 | ||
3263 | if (argc > 1) primary_hostname = argv[1]; | |
3264 | ||
3265 | /* So that debug level changes can be done first */ | |
3266 | ||
8c51eead | 3267 | dns_init(qualify_single, search_parents, FALSE); |
059ec3d9 PH |
3268 | |
3269 | printf("Testing host lookup\n"); | |
3270 | printf("> "); | |
3271 | while (Ufgets(buffer, 256, stdin) != NULL) | |
3272 | { | |
3273 | int rc; | |
3274 | int len = Ustrlen(buffer); | |
3275 | uschar *fully_qualified_name; | |
3276 | ||
3277 | while (len > 0 && isspace(buffer[len-1])) len--; | |
3278 | buffer[len] = 0; | |
3279 | ||
3280 | if (Ustrcmp(buffer, "q") == 0) break; | |
3281 | ||
3282 | if (Ustrcmp(buffer, "byname") == 0) byname = TRUE; | |
3283 | else if (Ustrcmp(buffer, "no_byname") == 0) byname = FALSE; | |
66387a73 | 3284 | else if (Ustrcmp(buffer, "a_only") == 0) whichrrs = HOST_FIND_BY_A | HOST_FIND_BY_AAAA; |
059ec3d9 PH |
3285 | else if (Ustrcmp(buffer, "mx_only") == 0) whichrrs = HOST_FIND_BY_MX; |
3286 | else if (Ustrcmp(buffer, "srv_only") == 0) whichrrs = HOST_FIND_BY_SRV; | |
3287 | else if (Ustrcmp(buffer, "srv+a") == 0) | |
66387a73 | 3288 | whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_A | HOST_FIND_BY_AAAA; |
059ec3d9 PH |
3289 | else if (Ustrcmp(buffer, "srv+mx") == 0) |
3290 | whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX; | |
3291 | else if (Ustrcmp(buffer, "srv+mx+a") == 0) | |
66387a73 | 3292 | whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX | HOST_FIND_BY_A | HOST_FIND_BY_AAAA; |
8c51eead | 3293 | else if (Ustrcmp(buffer, "qualify_single") == 0) qualify_single = TRUE; |
059ec3d9 | 3294 | else if (Ustrcmp(buffer, "no_qualify_single") == 0) qualify_single = FALSE; |
8c51eead | 3295 | else if (Ustrcmp(buffer, "search_parents") == 0) search_parents = TRUE; |
059ec3d9 | 3296 | else if (Ustrcmp(buffer, "no_search_parents") == 0) search_parents = FALSE; |
8c51eead JH |
3297 | else if (Ustrcmp(buffer, "request_dnssec") == 0) request_dnssec = TRUE; |
3298 | else if (Ustrcmp(buffer, "no_request_dnssec") == 0) request_dnssec = FALSE; | |
3299 | else if (Ustrcmp(buffer, "require_dnssec") == 0) require_dnssec = TRUE; | |
f988ce57 | 3300 | else if (Ustrcmp(buffer, "no_require_dnssec") == 0) require_dnssec = FALSE; |
e7726cbf | 3301 | else if (Ustrcmp(buffer, "test_harness") == 0) |
8768d548 | 3302 | f.running_in_test_harness = !f.running_in_test_harness; |
322050c2 | 3303 | else if (Ustrcmp(buffer, "ipv6") == 0) disable_ipv6 = !disable_ipv6; |
e7726cbf PH |
3304 | else if (Ustrcmp(buffer, "res_debug") == 0) |
3305 | { | |
3306 | _res.options ^= RES_DEBUG; | |
3307 | } | |
059ec3d9 PH |
3308 | else if (Ustrncmp(buffer, "retrans", 7) == 0) |
3309 | { | |
ff790e47 | 3310 | (void)sscanf(CS(buffer+8), "%d", &dns_retrans); |
059ec3d9 PH |
3311 | _res.retrans = dns_retrans; |
3312 | } | |
3313 | else if (Ustrncmp(buffer, "retry", 5) == 0) | |
3314 | { | |
ff790e47 | 3315 | (void)sscanf(CS(buffer+6), "%d", &dns_retry); |
059ec3d9 PH |
3316 | _res.retry = dns_retry; |
3317 | } | |
059ec3d9 PH |
3318 | else |
3319 | { | |
3320 | int flags = whichrrs; | |
505d976a | 3321 | dnssec_domains d; |
059ec3d9 PH |
3322 | |
3323 | h.name = buffer; | |
3324 | h.next = NULL; | |
3325 | h.mx = MX_NONE; | |
3326 | h.port = PORT_NONE; | |
3327 | h.status = hstatus_unknown; | |
3328 | h.why = hwhy_unknown; | |
3329 | h.address = NULL; | |
3330 | ||
3331 | if (qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE; | |
3332 | if (search_parents) flags |= HOST_FIND_SEARCH_PARENTS; | |
3333 | ||
7cd171b7 JH |
3334 | d.request = request_dnssec ? &h.name : NULL; |
3335 | d.require = require_dnssec ? &h.name : NULL; | |
3336 | ||
8c51eead JH |
3337 | rc = byname |
3338 | ? host_find_byname(&h, NULL, flags, &fully_qualified_name, TRUE) | |
3339 | : host_find_bydns(&h, NULL, flags, US"smtp", NULL, NULL, | |
7cd171b7 | 3340 | &d, &fully_qualified_name, NULL); |
059ec3d9 | 3341 | |
2546388c JH |
3342 | switch (rc) |
3343 | { | |
3344 | case HOST_FIND_FAILED: printf("Failed\n"); break; | |
3345 | case HOST_FIND_AGAIN: printf("Again\n"); break; | |
3346 | case HOST_FIND_SECURITY: printf("Security\n"); break; | |
3347 | case HOST_FOUND_LOCAL: printf("Local\n"); break; | |
3348 | } | |
059ec3d9 PH |
3349 | } |
3350 | ||
3351 | printf("\n> "); | |
3352 | } | |
3353 | ||
3354 | printf("Testing host_aton\n"); | |
3355 | printf("> "); | |
3356 | while (Ufgets(buffer, 256, stdin) != NULL) | |
3357 | { | |
059ec3d9 PH |
3358 | int x[4]; |
3359 | int len = Ustrlen(buffer); | |
3360 | ||
3361 | while (len > 0 && isspace(buffer[len-1])) len--; | |
3362 | buffer[len] = 0; | |
3363 | ||
3364 | if (Ustrcmp(buffer, "q") == 0) break; | |
3365 | ||
3366 | len = host_aton(buffer, x); | |
3367 | printf("length = %d ", len); | |
d7978c0f | 3368 | for (int i = 0; i < len; i++) |
059ec3d9 PH |
3369 | { |
3370 | printf("%04x ", (x[i] >> 16) & 0xffff); | |
3371 | printf("%04x ", x[i] & 0xffff); | |
3372 | } | |
3373 | printf("\n> "); | |
3374 | } | |
3375 | ||
3376 | printf("\n"); | |
3377 | ||
3378 | printf("Testing host_name_lookup\n"); | |
3379 | printf("> "); | |
3380 | while (Ufgets(buffer, 256, stdin) != NULL) | |
3381 | { | |
3382 | int len = Ustrlen(buffer); | |
3383 | while (len > 0 && isspace(buffer[len-1])) len--; | |
3384 | buffer[len] = 0; | |
3385 | if (Ustrcmp(buffer, "q") == 0) break; | |
3386 | sender_host_address = buffer; | |
3387 | sender_host_name = NULL; | |
3388 | sender_host_aliases = NULL; | |
3389 | host_lookup_msg = US""; | |
3390 | host_lookup_failed = FALSE; | |
3391 | if (host_name_lookup() == FAIL) /* Debug causes printing */ | |
3392 | printf("Lookup failed:%s\n", host_lookup_msg); | |
3393 | printf("\n> "); | |
3394 | } | |
3395 | ||
3396 | printf("\n"); | |
3397 | ||
3398 | return 0; | |
3399 | } | |
3400 | #endif /* STAND_ALONE */ | |
3401 | ||
8c51eead JH |
3402 | /* vi: aw ai sw=2 |
3403 | */ | |
059ec3d9 | 3404 | /* End of host.c */ |