projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Dual-tls - split management of TLS into in- and out-bound connection-handling.
[exim.git] / src / src / verify.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
0a49a7a4 5/* Copyright (c) University of Cambridge 1995 - 2009 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Functions concerned with verifying things. The original code for callout
9caching was contributed by Kevin Fleming (but I hacked it around a bit). */
10
11
12#include "exim.h"
817d9f57 13#include "transports/smtp.h"
059ec3d9 14
e4bdf652
JH		 15#define CUTTHROUGH_CMD_TIMEOUT 30 /* timeout for cutthrough-routing calls */
16#define CUTTHROUGH_DATA_TIMEOUT 60 /* timeout for cutthrough-routing calls */
17address_item cutthrough_addr;
817d9f57
JH		 18static smtp_outblock ctblock;
19uschar ctbuffer[8192];
20
059ec3d9
PH		 21
22/* Structure for caching DNSBL lookups */
23
24typedef struct dnsbl_cache_block {
25 dns_address *rhs;
26 uschar *text;
27 int rc;
28 BOOL text_set;
29} dnsbl_cache_block;
30
31
32/* Anchor for DNSBL cache */
33
34static tree_node *dnsbl_cache = NULL;
35
36
431b7361
PH		 37/* Bits for match_type in one_check_dnsbl() */
38
39#define MT_NOT 1
40#define MT_ALL 2
41
42
059ec3d9
PH		 43
44/*************************************************
45* Retrieve a callout cache record *
46*************************************************/
47
48/* If a record exists, check whether it has expired.
49
50Arguments:
51 dbm_file an open hints file
52 key the record key
53 type "address" or "domain"
54 positive_expire expire time for positive records
55 negative_expire expire time for negative records
56
57Returns: the cache record if a non-expired one exists, else NULL
58*/
59
60static dbdata_callout_cache *
61get_callout_cache_record(open_db *dbm_file, uschar *key, uschar *type,
62 int positive_expire, int negative_expire)
63{
64BOOL negative;
65int length, expire;
66time_t now;
67dbdata_callout_cache *cache_record;
68
69cache_record = dbfn_read_with_length(dbm_file, key, &length);
70
71if (cache_record == NULL)
72 {
73 HDEBUG(D_verify) debug_printf("callout cache: no %s record found\n", type);
74 return NULL;
75 }
76
77/* We treat a record as "negative" if its result field is not positive, or if
78it is a domain record and the postmaster field is negative. */
79
80negative = cache_record->result != ccache_accept ||
81 (type[0] == 'd' && cache_record->postmaster_result == ccache_reject);
82expire = negative? negative_expire : positive_expire;
83now = time(NULL);
84
85if (now - cache_record->time_stamp > expire)
86 {
87 HDEBUG(D_verify) debug_printf("callout cache: %s record expired\n", type);
88 return NULL;
89 }
90
91/* If this is a non-reject domain record, check for the obsolete format version
92that doesn't have the postmaster and random timestamps, by looking at the
93length. If so, copy it to a new-style block, replicating the record's
94timestamp. Then check the additional timestamps. (There's no point wasting
95effort if connections are rejected.) */
96
97if (type[0] == 'd' && cache_record->result != ccache_reject)
98 {
99 if (length == sizeof(dbdata_callout_cache_obs))
100 {
101 dbdata_callout_cache *new = store_get(sizeof(dbdata_callout_cache));
102 memcpy(new, cache_record, length);
103 new->postmaster_stamp = new->random_stamp = new->time_stamp;
104 cache_record = new;
105 }
106
107 if (now - cache_record->postmaster_stamp > expire)
108 cache_record->postmaster_result = ccache_unknown;
109
110 if (now - cache_record->random_stamp > expire)
111 cache_record->random_result = ccache_unknown;
112 }
113
114HDEBUG(D_verify) debug_printf("callout cache: found %s record\n", type);
115return cache_record;
116}
117
118
119
120/*************************************************
121* Do callout verification for an address *
122*************************************************/
123
124/* This function is called from verify_address() when the address has routed to
125a host list, and a callout has been requested. Callouts are expensive; that is
126why a cache is used to improve the efficiency.
127
128Arguments:
129 addr the address that's been routed
130 host_list the list of hosts to try
131 tf the transport feedback block
132
133 ifstring "interface" option from transport, or NULL
134 portstring "port" option from transport, or NULL
135 protocolstring "protocol" option from transport, or NULL
136 callout the per-command callout timeout
4deaf07d
PH		 137 callout_overall the overall callout timeout (if < 0 use 4*callout)
138 callout_connect the callout connection timeout (if < 0 use callout)
059ec3d9
PH		 139 options the verification options - these bits are used:
140 vopt_is_recipient => this is a recipient address
141 vopt_callout_no_cache => don't use callout cache
2a4be8f9 142 vopt_callout_fullpm => if postmaster check, do full one
059ec3d9
PH		 143 vopt_callout_random => do the "random" thing
144 vopt_callout_recipsender => use real sender for recipient
145 vopt_callout_recippmaster => use postmaster for recipient
146 se_mailfrom MAIL FROM address for sender verify; NULL => ""
147 pm_mailfrom if non-NULL, do the postmaster check with this sender
148
149Returns: OK/FAIL/DEFER
150*/
151
152static int
153do_callout(address_item *addr, host_item *host_list, transport_feedback *tf,
8e669ac1 154 int callout, int callout_overall, int callout_connect, int options,
4deaf07d 155 uschar *se_mailfrom, uschar *pm_mailfrom)
059ec3d9 156{
817d9f57 157smtp_transport_options_block *ob = (smtp_transport_options_block *)(addr->transport->options_block);
059ec3d9
PH		 158BOOL is_recipient = (options & vopt_is_recipient) != 0;
159BOOL callout_no_cache = (options & vopt_callout_no_cache) != 0;
160BOOL callout_random = (options & vopt_callout_random) != 0;
161
162int yield = OK;
2b1c6e3a 163int old_domain_cache_result = ccache_accept;
059ec3d9
PH		 164BOOL done = FALSE;
165uschar *address_key;
166uschar *from_address;
167uschar *random_local_part = NULL;
750af86e 168uschar *save_deliver_domain = deliver_domain;
8e669ac1 169uschar **failure_ptr = is_recipient?
2c7db3f5 170 &recipient_verify_failure : &sender_verify_failure;
059ec3d9
PH		 171open_db dbblock;
172open_db *dbm_file = NULL;
173dbdata_callout_cache new_domain_record;
174dbdata_callout_cache_address new_address_record;
175host_item *host;
176time_t callout_start_time;
177
178new_domain_record.result = ccache_unknown;
179new_domain_record.postmaster_result = ccache_unknown;
180new_domain_record.random_result = ccache_unknown;
181
182memset(&new_address_record, 0, sizeof(new_address_record));
183
184/* For a recipient callout, the key used for the address cache record must
185include the sender address if we are using the real sender in the callout,
186because that may influence the result of the callout. */
187
188address_key = addr->address;
189from_address = US"";
190
191if (is_recipient)
192 {
193 if ((options & vopt_callout_recipsender) != 0)
194 {
195 address_key = string_sprintf("%s/<%s>", addr->address, sender_address);
196 from_address = sender_address;
197 }
198 else if ((options & vopt_callout_recippmaster) != 0)
199 {
200 address_key = string_sprintf("%s/<postmaster@%s>", addr->address,
201 qualify_domain_sender);
202 from_address = string_sprintf("postmaster@%s", qualify_domain_sender);
203 }
204 }
205
206/* For a sender callout, we must adjust the key if the mailfrom address is not
207empty. */
208
209else
210 {
211 from_address = (se_mailfrom == NULL)? US"" : se_mailfrom;
212 if (from_address[0] != 0)
213 address_key = string_sprintf("%s/<%s>", addr->address, from_address);
214 }
215
216/* Open the callout cache database, it it exists, for reading only at this
217stage, unless caching has been disabled. */
218
219if (callout_no_cache)
220 {
221 HDEBUG(D_verify) debug_printf("callout cache: disabled by no_cache\n");
222 }
223else if ((dbm_file = dbfn_open(US"callout", O_RDWR, &dbblock, FALSE)) == NULL)
224 {
225 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
226 }
227
228/* If a cache database is available see if we can avoid the need to do an
229actual callout by making use of previously-obtained data. */
230
231if (dbm_file != NULL)
232 {
233 dbdata_callout_cache_address *cache_address_record;
234 dbdata_callout_cache *cache_record = get_callout_cache_record(dbm_file,
235 addr->domain, US"domain",
236 callout_cache_domain_positive_expire,
237 callout_cache_domain_negative_expire);
238
239 /* If an unexpired cache record was found for this domain, see if the callout
240 process can be short-circuited. */
241
242 if (cache_record != NULL)
243 {
2b1c6e3a
PH		 244 /* In most cases, if an early command (up to and including MAIL FROM:<>)
245 was rejected, there is no point carrying on. The callout fails. However, if
246 we are doing a recipient verification with use_sender or use_postmaster
247 set, a previous failure of MAIL FROM:<> doesn't count, because this time we
248 will be using a non-empty sender. We have to remember this situation so as
249 not to disturb the cached domain value if this whole verification succeeds
250 (we don't want it turning into "accept"). */
251
252 old_domain_cache_result = cache_record->result;
253
254 if (cache_record->result == ccache_reject ||
255 (*from_address == 0 && cache_record->result == ccache_reject_mfnull))
059ec3d9
PH		 256 {
257 setflag(addr, af_verify_nsfail);
258 HDEBUG(D_verify)
259 debug_printf("callout cache: domain gave initial rejection, or "
260 "does not accept HELO or MAIL FROM:<>\n");
261 setflag(addr, af_verify_nsfail);
262 addr->user_message = US"(result of an earlier callout reused).";
263 yield = FAIL;
8e669ac1 264 *failure_ptr = US"mail";
059ec3d9
PH		 265 goto END_CALLOUT;
266 }
267
268 /* If a previous check on a "random" local part was accepted, we assume
269 that the server does not do any checking on local parts. There is therefore
270 no point in doing the callout, because it will always be successful. If a
271 random check previously failed, arrange not to do it again, but preserve
272 the data in the new record. If a random check is required but hasn't been
273 done, skip the remaining cache processing. */
274
275 if (callout_random) switch(cache_record->random_result)
276 {
277 case ccache_accept:
278 HDEBUG(D_verify)
279 debug_printf("callout cache: domain accepts random addresses\n");
280 goto END_CALLOUT; /* Default yield is OK */
281
282 case ccache_reject:
283 HDEBUG(D_verify)
284 debug_printf("callout cache: domain rejects random addresses\n");
285 callout_random = FALSE;
286 new_domain_record.random_result = ccache_reject;
287 new_domain_record.random_stamp = cache_record->random_stamp;
288 break;
289
290 default:
291 HDEBUG(D_verify)
292 debug_printf("callout cache: need to check random address handling "
293 "(not cached or cache expired)\n");
294 goto END_CACHE;
295 }
296
297 /* If a postmaster check is requested, but there was a previous failure,
298 there is again no point in carrying on. If a postmaster check is required,
299 but has not been done before, we are going to have to do a callout, so skip
300 remaining cache processing. */
301
302 if (pm_mailfrom != NULL)
303 {
304 if (cache_record->postmaster_result == ccache_reject)
305 {
306 setflag(addr, af_verify_pmfail);
307 HDEBUG(D_verify)
308 debug_printf("callout cache: domain does not accept "
309 "RCPT TO:<postmaster@domain>\n");
310 yield = FAIL;
8e669ac1 311 *failure_ptr = US"postmaster";
059ec3d9
PH		 312 setflag(addr, af_verify_pmfail);
313 addr->user_message = US"(result of earlier verification reused).";
314 goto END_CALLOUT;
315 }
316 if (cache_record->postmaster_result == ccache_unknown)
317 {
318 HDEBUG(D_verify)
319 debug_printf("callout cache: need to check RCPT "
320 "TO:<postmaster@domain> (not cached or cache expired)\n");
321 goto END_CACHE;
322 }
323
324 /* If cache says OK, set pm_mailfrom NULL to prevent a redundant
325 postmaster check if the address itself has to be checked. Also ensure
326 that the value in the cache record is preserved (with its old timestamp).
327 */
328
329 HDEBUG(D_verify) debug_printf("callout cache: domain accepts RCPT "
330 "TO:<postmaster@domain>\n");
331 pm_mailfrom = NULL;
332 new_domain_record.postmaster_result = ccache_accept;
333 new_domain_record.postmaster_stamp = cache_record->postmaster_stamp;
334 }
335 }
336
337 /* We can't give a result based on information about the domain. See if there
338 is an unexpired cache record for this specific address (combined with the
339 sender address if we are doing a recipient callout with a non-empty sender).
340 */
341
342 cache_address_record = (dbdata_callout_cache_address *)
343 get_callout_cache_record(dbm_file,
344 address_key, US"address",
345 callout_cache_positive_expire,
346 callout_cache_negative_expire);
347
348 if (cache_address_record != NULL)
349 {
350 if (cache_address_record->result == ccache_accept)
351 {
352 HDEBUG(D_verify)
353 debug_printf("callout cache: address record is positive\n");
354 }
355 else
356 {
357 HDEBUG(D_verify)
358 debug_printf("callout cache: address record is negative\n");
359 addr->user_message = US"Previous (cached) callout verification failure";
8e669ac1 360 *failure_ptr = US"recipient";
059ec3d9
PH		 361 yield = FAIL;
362 }
363 goto END_CALLOUT;
364 }
365
366 /* Close the cache database while we actually do the callout for real. */
367
368 END_CACHE:
369 dbfn_close(dbm_file);
370 dbm_file = NULL;
371 }
372
373/* The information wasn't available in the cache, so we have to do a real
374callout and save the result in the cache for next time, unless no_cache is set,
375or unless we have a previously cached negative random result. If we are to test
376with a random local part, ensure that such a local part is available. If not,
377log the fact, but carry on without randomming. */
378
379if (callout_random && callout_random_local_part != NULL)
380 {
381 random_local_part = expand_string(callout_random_local_part);
382 if (random_local_part == NULL)
383 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
384 "callout_random_local_part: %s", expand_string_message);
385 }
386
4deaf07d
PH		 387/* Default the connect and overall callout timeouts if not set, and record the
388time we are starting so that we can enforce it. */
059ec3d9
PH		 389
390if (callout_overall < 0) callout_overall = 4 * callout;
4deaf07d 391if (callout_connect < 0) callout_connect = callout;
059ec3d9
PH		 392callout_start_time = time(NULL);
393
4c590bd1
PH		 394/* Before doing a real callout, if this is an SMTP connection, flush the SMTP
395output because a callout might take some time. When PIPELINING is active and
396there are many recipients, the total time for doing lots of callouts can add up
397and cause the client to time out. So in this case we forgo the PIPELINING
398optimization. */
399
400if (smtp_out != NULL && !disable_callout_flush) mac_smtp_fflush();
401
817d9f57
JH		 402/* Precompile some regex that are used to recognize parameters in response
403to an EHLO command, if they aren't already compiled. */
404#ifdef SUPPORT_TLS
405if (regex_STARTTLS == NULL) regex_STARTTLS =
406 regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
407#endif
408
059ec3d9
PH		 409/* Now make connections to the hosts and do real callouts. The list of hosts
410is passed in as an argument. */
411
412for (host = host_list; host != NULL && !done; host = host->next)
413 {
414 smtp_inblock inblock;
415 smtp_outblock outblock;
416 int host_af;
417 int port = 25;
8e669ac1 418 BOOL send_quit = TRUE;
26da7e20 419 uschar *active_hostname = smtp_active_hostname;
817d9f57
JH		 420 BOOL lmtp;
421 BOOL smtps;
422 BOOL esmtp;
423 BOOL suppress_tls = FALSE;
059ec3d9
PH		 424 uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
425 uschar inbuffer[4096];
426 uschar outbuffer[1024];
427 uschar responsebuffer[4096];
428
429 clearflag(addr, af_verify_pmfail); /* postmaster callout flag */
430 clearflag(addr, af_verify_nsfail); /* null sender callout flag */
431
432 /* Skip this host if we don't have an IP address for it. */
433
434 if (host->address == NULL)
435 {
436 DEBUG(D_verify) debug_printf("no IP address for host name %s: skipping\n",
437 host->name);
438 continue;
439 }
440
441 /* Check the overall callout timeout */
442
443 if (time(NULL) - callout_start_time >= callout_overall)
444 {
445 HDEBUG(D_verify) debug_printf("overall timeout for callout exceeded\n");
446 break;
447 }
448
449 /* Set IPv4 or IPv6 */
450
451 host_af = (Ustrchr(host->address, ':') == NULL)? AF_INET:AF_INET6;
452
de3a88fb
PH		 453 /* Expand and interpret the interface and port strings. The latter will not
454 be used if there is a host-specific port (e.g. from a manualroute router).
455 This has to be delayed till now, because they may expand differently for
456 different hosts. If there's a failure, log it, but carry on with the
457 defaults. */
059ec3d9
PH		 458
459 deliver_host = host->name;
460 deliver_host_address = host->address;
750af86e 461 deliver_domain = addr->domain;
de3a88fb 462
059ec3d9
PH		 463 if (!smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
464 US"callout") ||
465 !smtp_get_port(tf->port, addr, &port, US"callout"))
466 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
467 addr->message);
de3a88fb 468
059ec3d9 469 /* Set HELO string according to the protocol */
817d9f57
JH		 470 lmtp= Ustrcmp(tf->protocol, "lmtp") == 0;
471 smtps= Ustrcmp(tf->protocol, "smtps") == 0;
059ec3d9 472
059ec3d9
PH		 473
474 HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", interface, port);
475
476 /* Set up the buffer for reading SMTP response packets. */
477
478 inblock.buffer = inbuffer;
479 inblock.buffersize = sizeof(inbuffer);
480 inblock.ptr = inbuffer;
481 inblock.ptrend = inbuffer;
482
483 /* Set up the buffer for holding SMTP commands while pipelining */
484
485 outblock.buffer = outbuffer;
486 outblock.buffersize = sizeof(outbuffer);
487 outblock.ptr = outbuffer;
488 outblock.cmd_count = 0;
489 outblock.authenticating = FALSE;
490
817d9f57
JH		 491 /* Reset the parameters of a TLS session */
492 tls_out.cipher = tls_out.peerdn = NULL;
493
059ec3d9 494 /* Connect to the host; on failure, just loop for the next one, but we
4deaf07d 495 set the error for the last one. Use the callout_connect timeout. */
059ec3d9 496
817d9f57
JH		 497 tls_retry_connection:
498
059ec3d9 499 inblock.sock = outblock.sock =
9e4f5962
PP		 500 smtp_connect(host, host_af, port, interface, callout_connect, TRUE, NULL);
501 /* reconsider DSCP here */
059ec3d9
PH		 502 if (inblock.sock < 0)
503 {
504 addr->message = string_sprintf("could not connect to %s [%s]: %s",
505 host->name, host->address, strerror(errno));
41c7c167
PH		 506 deliver_host = deliver_host_address = NULL;
507 deliver_domain = save_deliver_domain;
059ec3d9
PH		 508 continue;
509 }
510
41c7c167
PH		 511 /* Expand the helo_data string to find the host name to use. */
512
513 if (tf->helo_data != NULL)
514 {
515 uschar *s = expand_string(tf->helo_data);
516 if (s == NULL)
517 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: failed to expand transport's "
518 "helo_data value for callout: %s", addr->address,
519 expand_string_message);
520 else active_hostname = s;
521 }
522
523 deliver_host = deliver_host_address = NULL;
524 deliver_domain = save_deliver_domain;
525
2b1c6e3a
PH		 526 /* Wait for initial response, and send HELO. The smtp_write_command()
527 function leaves its command in big_buffer. This is used in error responses.
528 Initialize it in case the connection is rejected. */
059ec3d9
PH		 529
530 Ustrcpy(big_buffer, "initial connection");
531
817d9f57
JH		 532 /* Unless ssl-on-connect, wait for the initial greeting */
533 smtps_redo_greeting:
534
535 #ifdef SUPPORT_TLS
536 if (!smtps || (smtps && tls_out.active >= 0))
537 #endif
538 if (!(done= smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout)))
539 goto RESPONSE_FAILED;
540
541 /* Not worth checking greeting line for ESMTP support */
542 if (!(esmtp = verify_check_this_host(&(ob->hosts_avoid_esmtp), NULL,
543 host->name, host->address, NULL) != OK))
544 DEBUG(D_transport)
545 debug_printf("not sending EHLO (host matches hosts_avoid_esmtp)\n");
546
547 tls_redo_helo:
548
549 #ifdef SUPPORT_TLS
550 if (smtps && tls_out.active < 0) /* ssl-on-connect, first pass */
551 {
552 tls_offered = TRUE;
553 ob->tls_tempfail_tryclear = FALSE;
554 }
555 else /* all other cases */
556 #endif
557
558 { esmtp_retry:
559
560 if (!(done= smtp_write_command(&outblock, FALSE, "%s %s\r\n",
561 !esmtp? "HELO" : lmtp? "LHLO" : "EHLO", active_hostname) >= 0))
562 goto SEND_FAILED;
563 if (!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout))
564 {
565 if (errno != 0 || responsebuffer[0] == 0 || lmtp || !esmtp || tls_out.active >= 0)
566 {
567 done= FALSE;
568 goto RESPONSE_FAILED;
569 }
570 #ifdef SUPPORT_TLS
571 tls_offered = FALSE;
572 #endif
573 esmtp = FALSE;
574 goto esmtp_retry; /* fallback to HELO */
575 }
576
577 /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
578 #ifdef SUPPORT_TLS
579 tls_offered = esmtp && !suppress_tls && tls_out.active < 0 &&
580 pcre_exec(regex_STARTTLS, NULL, CS responsebuffer, Ustrlen(responsebuffer), 0,
581 PCRE_EOPT, NULL, 0) >= 0;
582 #endif
583 }
584
585 /* If TLS is available on this connection attempt to
586 start up a TLS session, unless the host is in hosts_avoid_tls. If successful,
587 send another EHLO - the server may give a different answer in secure mode. We
588 use a separate buffer for reading the response to STARTTLS so that if it is
589 negative, the original EHLO data is available for subsequent analysis, should
590 the client not be required to use TLS. If the response is bad, copy the buffer
591 for error analysis. */
592
593 #ifdef SUPPORT_TLS
594 if (tls_offered &&
595 verify_check_this_host(&(ob->hosts_avoid_tls), NULL, host->name,
596 host->address, NULL) != OK)
597 {
598 uschar buffer2[4096];
599 if ( !smtps
600 && !(done= smtp_write_command(&outblock, FALSE, "STARTTLS\r\n") >= 0))
601 goto SEND_FAILED;
602
603 /* If there is an I/O error, transmission of this message is deferred. If
604 there is a temporary rejection of STARRTLS and tls_tempfail_tryclear is
605 false, we also defer. However, if there is a temporary rejection of STARTTLS
606 and tls_tempfail_tryclear is true, or if there is an outright rejection of
607 STARTTLS, we carry on. This means we will try to send the message in clear,
608 unless the host is in hosts_require_tls (tested below). */
609
610 if (!smtps && !smtp_read_response(&inblock, buffer2, sizeof(buffer2), '2',
611 ob->command_timeout))
612 {
613 if (errno != 0 || buffer2[0] == 0 ||
614 (buffer2[0] == '4' && !ob->tls_tempfail_tryclear))
615 {
616 Ustrncpy(responsebuffer, buffer2, sizeof(responsebuffer));
617 done= FALSE;
618 goto RESPONSE_FAILED;
619 }
620 }
621
622 /* STARTTLS accepted or ssl-on-connect: try to negotiate a TLS session. */
623 else
624 {
625 int rc = tls_client_start(inblock.sock, host, addr,
626 NULL, /* No DH param */
627 ob->tls_certificate, ob->tls_privatekey,
628 ob->tls_sni,
629 ob->tls_verify_certificates, ob->tls_crl,
630 ob->tls_require_ciphers,
631 ob->gnutls_require_mac, ob->gnutls_require_kx, ob->gnutls_require_proto,
632 callout);
633
634 /* TLS negotiation failed; give an error. Try in clear on a new connection,
635 if the options permit it for this host. */
636 if (rc != OK)
637 {
638 if (rc == DEFER && ob->tls_tempfail_tryclear && !smtps &&
639 verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
640 host->address, NULL) != OK)
641 {
642 (void)close(inblock.sock);
643 log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted "
644 "to %s [%s] (not in hosts_require_tls)", host->name, host->address);
645 suppress_tls = TRUE;
646 goto tls_retry_connection;
647 }
648 /*save_errno = ERRNO_TLSFAILURE;*/
649 /*message = US"failure while setting up TLS session";*/
650 send_quit = FALSE;
651 done= FALSE;
652 goto TLS_FAILED;
653 }
654
655 /* TLS session is set up. Copy info for logging. */
656 addr->cipher = tls_out.cipher;
657 addr->peerdn = tls_out.peerdn;
658
659 /* For SMTPS we need to wait for the initial OK response, then do HELO. */
660 if (smtps)
661 goto smtps_redo_greeting;
662
663 /* For STARTTLS we need to redo EHLO */
664 goto tls_redo_helo;
665 }
666 }
667
668 /* If the host is required to use a secure channel, ensure that we have one. */
669 if (tls_out.active < 0)
670 if (verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
671 host->address, NULL) == OK)
672 {
673 /*save_errno = ERRNO_TLSREQUIRED;*/
674 log_write(0, LOG_MAIN, "a TLS session is required for %s [%s], but %s",
675 host->name, host->address,
676 tls_offered? "an attempt to start TLS failed" : "the server did not offer TLS support");
677 done= FALSE;
678 goto TLS_FAILED;
679 }
680
681 #endif /*SUPPORT_TLS*/
682
683 done = TRUE; /* so far so good; have response to HELO */
684
685 /*XXX the EHLO response would be analyzed here for IGNOREQUOTA, SIZE, PIPELINING, AUTH */
686 /* If we haven't authenticated, but are required to, give up. */
687
688 /*XXX "filter command specified for this transport" ??? */
689 /* for now, transport_filter by cutthrough-delivery is not supported */
690 /* Need proper integration with the proper transport mechanism. */
691
692
693 SEND_FAILED:
694 RESPONSE_FAILED:
695 TLS_FAILED:
696 ;
697 /* Clear down of the TLS, SMTP and TCP layers on error is handled below. */
698
059ec3d9 699
2b1c6e3a
PH		 700 /* Failure to accept HELO is cached; this blocks the whole domain for all
701 senders. I/O errors and defer responses are not cached. */
702
703 if (!done)
704 {
705 *failure_ptr = US"mail"; /* At or before MAIL */
706 if (errno == 0 && responsebuffer[0] == '5')
707 {
708 setflag(addr, af_verify_nsfail);
709 new_domain_record.result = ccache_reject;
710 }
711 }
712
713 /* Send the MAIL command */
714
715 else done =
059ec3d9
PH		 716 smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>\r\n",
717 from_address) >= 0 &&
718 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
719 '2', callout);
720
2b1c6e3a
PH		 721 /* If the host does not accept MAIL FROM:<>, arrange to cache this
722 information, but again, don't record anything for an I/O error or a defer. Do
723 not cache rejections of MAIL when a non-empty sender has been used, because
724 that blocks the whole domain for all senders. */
059ec3d9
PH		 725
726 if (!done)
727 {
2b1c6e3a 728 *failure_ptr = US"mail"; /* At or before MAIL */
059ec3d9
PH		 729 if (errno == 0 && responsebuffer[0] == '5')
730 {
731 setflag(addr, af_verify_nsfail);
2b1c6e3a
PH		 732 if (from_address[0] == 0)
733 new_domain_record.result = ccache_reject_mfnull;
059ec3d9
PH		 734 }
735 }
736
737 /* Otherwise, proceed to check a "random" address (if required), then the
738 given address, and the postmaster address (if required). Between each check,
739 issue RSET, because some servers accept only one recipient after MAIL
2b1c6e3a
PH		 740 FROM:<>.
741
742 Before doing this, set the result in the domain cache record to "accept",
743 unless its previous value was ccache_reject_mfnull. In that case, the domain
744 rejects MAIL FROM:<> and we want to continue to remember that. When that is
745 the case, we have got here only in the case of a recipient verification with
746 a non-null sender. */
059ec3d9
PH		 747
748 else
749 {
2b1c6e3a
PH		 750 new_domain_record.result =
751 (old_domain_cache_result == ccache_reject_mfnull)?
752 ccache_reject_mfnull: ccache_accept;
059ec3d9
PH		 753
754 /* Do the random local part check first */
755
756 if (random_local_part != NULL)
757 {
758 uschar randombuffer[1024];
759 BOOL random_ok =
760 smtp_write_command(&outblock, FALSE,
761 "RCPT TO:<%.1000s@%.1000s>\r\n", random_local_part,
762 addr->domain) >= 0 &&
763 smtp_read_response(&inblock, randombuffer,
764 sizeof(randombuffer), '2', callout);
765
766 /* Remember when we last did a random test */
767
768 new_domain_record.random_stamp = time(NULL);
769
770 /* If accepted, we aren't going to do any further tests below. */
771
772 if (random_ok)
773 {
774 new_domain_record.random_result = ccache_accept;
775 }
776
777 /* Otherwise, cache a real negative response, and get back to the right
778 state to send RCPT. Unless there's some problem such as a dropped
779 connection, we expect to succeed, because the commands succeeded above. */
780
781 else if (errno == 0)
782 {
783 if (randombuffer[0] == '5')
784 new_domain_record.random_result = ccache_reject;
785
786 done =
787 smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
788 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
789 '2', callout) &&
790
90e9ce59
PH		 791 smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>\r\n",
792 from_address) >= 0 &&
059ec3d9
PH		 793 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
794 '2', callout);
795 }
796 else done = FALSE; /* Some timeout/connection problem */
797 } /* Random check */
798
799 /* If the host is accepting all local parts, as determined by the "random"
800 check, we don't need to waste time doing any further checking. */
801
802 if (new_domain_record.random_result != ccache_accept && done)
803 {
5417f6d1
PH		 804 /* Get the rcpt_include_affixes flag from the transport if there is one,
805 but assume FALSE if there is not. */
806
059ec3d9
PH		 807 done =
808 smtp_write_command(&outblock, FALSE, "RCPT TO:<%.1000s>\r\n",
c688b954 809 transport_rcpt_address(addr,
5417f6d1
PH		 810 (addr->transport == NULL)? FALSE :
811 addr->transport->rcpt_include_affixes)) >= 0 &&
059ec3d9
PH		 812 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
813 '2', callout);
814
815 if (done)
816 new_address_record.result = ccache_accept;
817 else if (errno == 0 && responsebuffer[0] == '5')
2c7db3f5 818 {
8e669ac1 819 *failure_ptr = US"recipient";
059ec3d9 820 new_address_record.result = ccache_reject;
8e669ac1 821 }
059ec3d9 822
2a4be8f9
PH		 823 /* Do postmaster check if requested; if a full check is required, we
824 check for RCPT TO:<postmaster> (no domain) in accordance with RFC 821. */
059ec3d9
PH		 825
826 if (done && pm_mailfrom != NULL)
827 {
e4bdf652
JH		 828 /*XXX not suitable for cutthrough - sequencing problems */
829 cutthrough_delivery= FALSE;
817d9f57 830 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of postmaster verify\n");
e4bdf652 831
059ec3d9
PH		 832 done =
833 smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
834 smtp_read_response(&inblock, responsebuffer,
835 sizeof(responsebuffer), '2', callout) &&
836
837 smtp_write_command(&outblock, FALSE,
838 "MAIL FROM:<%s>\r\n", pm_mailfrom) >= 0 &&
839 smtp_read_response(&inblock, responsebuffer,
840 sizeof(responsebuffer), '2', callout) &&
841
2a4be8f9
PH		 842 /* First try using the current domain */
843
844 ((
059ec3d9
PH		 845 smtp_write_command(&outblock, FALSE,
846 "RCPT TO:<postmaster@%.1000s>\r\n", addr->domain) >= 0 &&
847 smtp_read_response(&inblock, responsebuffer,
2a4be8f9
PH		 848 sizeof(responsebuffer), '2', callout)
849 )
850
851 ||
852
853 /* If that doesn't work, and a full check is requested,
854 try without the domain. */
855
856 (
857 (options & vopt_callout_fullpm) != 0 &&
858 smtp_write_command(&outblock, FALSE,
859 "RCPT TO:<postmaster>\r\n") >= 0 &&
860 smtp_read_response(&inblock, responsebuffer,
861 sizeof(responsebuffer), '2', callout)
862 ));
863
864 /* Sort out the cache record */
059ec3d9
PH		 865
866 new_domain_record.postmaster_stamp = time(NULL);
867
868 if (done)
869 new_domain_record.postmaster_result = ccache_accept;
870 else if (errno == 0 && responsebuffer[0] == '5')
871 {
8e669ac1 872 *failure_ptr = US"postmaster";
059ec3d9
PH		 873 setflag(addr, af_verify_pmfail);
874 new_domain_record.postmaster_result = ccache_reject;
875 }
876 }
877 } /* Random not accepted */
90e9ce59 878 } /* MAIL FROM: accepted */
059ec3d9
PH		 879
880 /* For any failure of the main check, other than a negative response, we just
881 close the connection and carry on. We can identify a negative response by the
882 fact that errno is zero. For I/O errors it will be non-zero
883
884 Set up different error texts for logging and for sending back to the caller
885 as an SMTP response. Log in all cases, using a one-line format. For sender
886 callouts, give a full response to the caller, but for recipient callouts,
887 don't give the IP address because this may be an internal host whose identity
888 is not to be widely broadcast. */
889
890 if (!done)
891 {
892 if (errno == ETIMEDOUT)
893 {
894 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
8e669ac1 895 send_quit = FALSE;
059ec3d9
PH		 896 }
897 else if (errno == 0)
898 {
899 if (*responsebuffer == 0) Ustrcpy(responsebuffer, US"connection dropped");
900
901 addr->message =
902 string_sprintf("response to \"%s\" from %s [%s] was: %s",
903 big_buffer, host->name, host->address,
904 string_printing(responsebuffer));
905
906 addr->user_message = is_recipient?
907 string_sprintf("Callout verification failed:\n%s", responsebuffer)
908 :
909 string_sprintf("Called: %s\nSent: %s\nResponse: %s",
910 host->address, big_buffer, responsebuffer);
911
912 /* Hard rejection ends the process */
913
914 if (responsebuffer[0] == '5') /* Address rejected */
915 {
916 yield = FAIL;
917 done = TRUE;
918 }
919 }
920 }
921
922 /* End the SMTP conversation and close the connection. */
923
817d9f57 924 /* Cutthrough - on a successfull connect and recipient-verify with use-sender
e4bdf652
JH		 925 and we have no cutthrough conn so far
926 here is where we want to leave the conn open */
e4bdf652
JH		 927 if ( cutthrough_delivery
928 && done
929 && yield == OK
e4bdf652
JH		 930 && (options & (vopt_callout_recipsender|vopt_callout_recippmaster)) == vopt_callout_recipsender
931 && !random_local_part
932 && !pm_mailfrom
817d9f57 933 && cutthrough_fd < 0
e4bdf652
JH		 934 )
935 {
936 cutthrough_fd= outblock.sock; /* We assume no buffer in use in the outblock */
817d9f57
JH		 937 cutthrough_addr = *addr; /* Save the address_item for later logging */
938 cutthrough_addr.host_used = store_get(sizeof(host_item));
939 cutthrough_addr.host_used->name = host->name;
940 cutthrough_addr.host_used->address = host->address;
941 cutthrough_addr.host_used->port = port;
942 if (addr->parent)
943 *(cutthrough_addr.parent = store_get(sizeof(address_item)))= *addr->parent;
944 ctblock.buffer = ctbuffer;
945 ctblock.buffersize = sizeof(ctbuffer);
946 ctblock.ptr = ctbuffer;
947 /* ctblock.cmd_count = 0; ctblock.authenticating = FALSE; */
948 ctblock.sock = cutthrough_fd;
e4bdf652
JH		 949 }
950 else
951 {
817d9f57
JH		 952 if (options & vopt_callout_recipsender)
953 cancel_cutthrough_connection(); /* Ensure no cutthrough on multiple address verifies */
e4bdf652 954 if (send_quit) (void)smtp_write_command(&outblock, FALSE, "QUIT\r\n");
817d9f57
JH		 955
956 #ifdef SUPPORT_TLS
957 tls_close(FALSE, TRUE);
958 #endif
e4bdf652
JH		 959 (void)close(inblock.sock);
960 }
961
059ec3d9
PH		 962 } /* Loop through all hosts, while !done */
963
964/* If we get here with done == TRUE, a successful callout happened, and yield
965will be set OK or FAIL according to the response to the RCPT command.
966Otherwise, we looped through the hosts but couldn't complete the business.
967However, there may be domain-specific information to cache in both cases.
968
969The value of the result field in the new_domain record is ccache_unknown if
90e9ce59 970there was an error before or with MAIL FROM:, and errno was not zero,
059ec3d9 971implying some kind of I/O error. We don't want to write the cache in that case.
2b1c6e3a 972Otherwise the value is ccache_accept, ccache_reject, or ccache_reject_mfnull. */
059ec3d9
PH		 973
974if (!callout_no_cache && new_domain_record.result != ccache_unknown)
975 {
976 if ((dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE))
977 == NULL)
978 {
979 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
980 }
981 else
982 {
983 (void)dbfn_write(dbm_file, addr->domain, &new_domain_record,
984 (int)sizeof(dbdata_callout_cache));
985 HDEBUG(D_verify) debug_printf("wrote callout cache domain record:\n"
986 " result=%d postmaster=%d random=%d\n",
987 new_domain_record.result,
988 new_domain_record.postmaster_result,
989 new_domain_record.random_result);
990 }
991 }
992
993/* If a definite result was obtained for the callout, cache it unless caching
994is disabled. */
995
996if (done)
997 {
998 if (!callout_no_cache && new_address_record.result != ccache_unknown)
999 {
1000 if (dbm_file == NULL)
1001 dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE);
1002 if (dbm_file == NULL)
1003 {
1004 HDEBUG(D_verify) debug_printf("no callout cache available\n");
1005 }
1006 else
1007 {
1008 (void)dbfn_write(dbm_file, address_key, &new_address_record,
1009 (int)sizeof(dbdata_callout_cache_address));
1010 HDEBUG(D_verify) debug_printf("wrote %s callout cache address record\n",
1011 (new_address_record.result == ccache_accept)? "positive" : "negative");
1012 }
1013 }
1014 } /* done */
1015
1016/* Failure to connect to any host, or any response other than 2xx or 5xx is a
1017temporary error. If there was only one host, and a response was received, leave
1018it alone if supplying details. Otherwise, give a generic response. */
1019
1020else /* !done */
1021 {
1022 uschar *dullmsg = string_sprintf("Could not complete %s verify callout",
1023 is_recipient? "recipient" : "sender");
1024 yield = DEFER;
1025
1026 if (host_list->next != NULL || addr->message == NULL) addr->message = dullmsg;
1027
1028 addr->user_message = (!smtp_return_error_details)? dullmsg :
1029 string_sprintf("%s for <%s>.\n"
1030 "The mail server(s) for the domain may be temporarily unreachable, or\n"
1031 "they may be permanently unreachable from this server. In the latter case,\n%s",
1032 dullmsg, addr->address,
1033 is_recipient?
1034 "the address will never be accepted."
1035 :
1036 "you need to change the address or create an MX record for its domain\n"
1037 "if it is supposed to be generally accessible from the Internet.\n"
1038 "Talk to your mail administrator for details.");
1039
1040 /* Force a specific error code */
1041
1042 addr->basic_errno = ERRNO_CALLOUTDEFER;
1043 }
1044
1045/* Come here from within the cache-reading code on fast-track exit. */
1046
1047END_CALLOUT:
1048if (dbm_file != NULL) dbfn_close(dbm_file);
1049return yield;
1050}
1051
1052
1053
817d9f57
JH		 1054/* Called after recipient-acl to get a cutthrough connection open when
1055 one was requested and a recipient-verify wasn't subsequently done.
1056*/
e4bdf652
JH		 1057void
1058open_cutthrough_connection( address_item * addr )
1059{
1060address_item addr2;
1061
1062/* Use a recipient-verify-callout to set up the cutthrough connection. */
1063/* We must use a copy of the address for verification, because it might
1064get rewritten. */
1065
1066addr2 = *addr;
1067HDEBUG(D_acl) debug_printf("----------- start cutthrough setup ------------\n");
1068(void) verify_address(&addr2, NULL,
1069 vopt_is_recipient | vopt_callout_recipsender | vopt_callout_no_cache,
1070 CUTTHROUGH_CMD_TIMEOUT, -1, -1,
1071 NULL, NULL, NULL);
1072HDEBUG(D_acl) debug_printf("----------- end cutthrough setup ------------\n");
1073return;
1074}
1075
1076
e4bdf652 1077
817d9f57
JH		 1078/* Send given number of bytes from the buffer */
1079static BOOL
1080cutthrough_send(int n)
e4bdf652 1081{
817d9f57
JH		 1082if(cutthrough_fd < 0)
1083 return TRUE;
e4bdf652 1084
817d9f57
JH		 1085if(
1086#ifdef SUPPORT_TLS
1087 (tls_out.active == cutthrough_fd) ? tls_write(FALSE, ctblock.buffer, n) :
1088#endif
1089 send(cutthrough_fd, ctblock.buffer, n, 0) > 0
1090 )
1091{
1092 transport_count += n;
1093 ctblock.ptr= ctblock.buffer;
1094 return TRUE;
1095}
e4bdf652 1096
817d9f57
JH		 1097HDEBUG(D_transport|D_acl) debug_printf("cutthrough_send failed: %s\n", strerror(errno));
1098return FALSE;
e4bdf652
JH		 1099}
1100
1101
1102
817d9f57
JH		 1103static BOOL
1104_cutthrough_puts(uschar * cp, int n)
1105{
1106while(n--)
1107 {
1108 if(ctblock.ptr >= ctblock.buffer+ctblock.buffersize)
1109 if(!cutthrough_send(ctblock.buffersize))
1110 return FALSE;
1111
1112 *ctblock.ptr++ = *cp++;
1113 }
1114return TRUE;
1115}
1116
1117/* Buffered output of counted data block. Return boolean success */
e4bdf652
JH		 1118BOOL
1119cutthrough_puts(uschar * cp, int n)
1120{
817d9f57
JH		 1121if (cutthrough_fd < 0) return TRUE;
1122if (_cutthrough_puts(cp, n)) return TRUE;
1123cancel_cutthrough_connection();
1124return FALSE;
1125}
e4bdf652 1126
e4bdf652 1127
817d9f57
JH		 1128static BOOL
1129_cutthrough_flush_send( void )
1130{
1131int n= ctblock.ptr-ctblock.buffer;
e4bdf652 1132
817d9f57
JH		 1133if(n>0)
1134 if(!cutthrough_send(n))
1135 return FALSE;
1136return TRUE;
e4bdf652
JH		 1137}
1138
817d9f57
JH		 1139
1140/* Send out any bufferred output. Return boolean success. */
e4bdf652
JH		 1141BOOL
1142cutthrough_flush_send( void )
1143{
817d9f57 1144if (_cutthrough_flush_send()) return TRUE;
e4bdf652
JH		 1145cancel_cutthrough_connection();
1146return FALSE;
1147}
1148
1149
1150BOOL
1151cutthrough_put_nl( void )
1152{
1153return cutthrough_puts(US"\r\n", 2);
1154}
1155
1156
1157/* Get and check response from cutthrough target */
1158static uschar
1159cutthrough_response(char expect, uschar ** copy)
1160{
1161smtp_inblock inblock;
1162uschar inbuffer[4096];
1163uschar responsebuffer[4096];
1164
1165inblock.buffer = inbuffer;
1166inblock.buffersize = sizeof(inbuffer);
1167inblock.ptr = inbuffer;
1168inblock.ptrend = inbuffer;
1169inblock.sock = cutthrough_fd;
817d9f57 1170/* this relies on (inblock.sock == tls_out.active) */
e4bdf652
JH		 1171if(!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), expect, CUTTHROUGH_DATA_TIMEOUT))
1172 cancel_cutthrough_connection();
1173
1174if(copy != NULL)
1175 {
1176 uschar * cp;
1177 *copy= cp= string_copy(responsebuffer);
1178 /* Trim the trailing end of line */
1179 cp += Ustrlen(responsebuffer);
1180 if(cp > *copy && cp[-1] == '\n') *--cp = '\0';
1181 if(cp > *copy && cp[-1] == '\r') *--cp = '\0';
1182 }
1183
1184return responsebuffer[0];
1185}
1186
1187
1188/* Negotiate dataphase with the cutthrough target, returning success boolean */
1189BOOL
1190cutthrough_predata( void )
1191{
e4bdf652
JH		 1192if(cutthrough_fd < 0)
1193 return FALSE;
1194
1195HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> DATA\n");
817d9f57
JH		 1196cutthrough_puts(US"DATA\r\n", 6);
1197cutthrough_flush_send();
e4bdf652
JH		 1198
1199/* Assume nothing buffered. If it was it gets ignored. */
1200return cutthrough_response('3', NULL) == '3';
1201}
1202
1203
1204/* Buffered send of headers. Return success boolean. */
817d9f57 1205/* Expands newlines to wire format (CR,NL). */
e4bdf652 1206/* Also sends header-terminating blank line. */
e4bdf652
JH		 1207BOOL
1208cutthrough_headers_send( void )
1209{
1210header_line * h;
817d9f57 1211uschar * cp1, * cp2;
e4bdf652
JH		 1212
1213if(cutthrough_fd < 0)
1214 return FALSE;
1215
e4bdf652
JH		 1216for(h= header_list; h != NULL; h= h->next)
1217 if(h->type != htype_old && h->text != NULL)
817d9f57
JH		 1218 for (cp1 = h->text; *cp1 && (cp2 = Ustrchr(cp1, '\n')); cp1 = cp2+1)
1219 if( !cutthrough_puts(cp1, cp2-cp1)
1220 || !cutthrough_put_nl())
1221 return FALSE;
e4bdf652 1222
817d9f57
JH		 1223HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>>(nl)\n");
1224return cutthrough_put_nl();
1225}
1226
1227
1228static void
1229close_cutthrough_connection( void )
1230{
1231if(cutthrough_fd >= 0)
1232 {
1233 /* We could be sending this after a bunch of data, but that is ok as
1234 the only way to cancel the transfer in dataphase is to drop the tcp
1235 conn before the final dot.
1236 */
1237 ctblock.ptr = ctbuffer;
1238 HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> QUIT\n");
1239 _cutthrough_puts(US"QUIT\r\n", 6); /* avoid recursion */
1240 _cutthrough_flush_send();
1241 /* No wait for response */
1242
1243 #ifdef SUPPORT_TLS
1244 tls_close(FALSE, TRUE);
1245 #endif
1246 (void)close(cutthrough_fd);
1247 cutthrough_fd= -1;
1248 HDEBUG(D_acl) debug_printf("----------- cutthrough shutdown ------------\n");
1249 }
1250ctblock.ptr = ctbuffer;
e4bdf652
JH		 1251}
1252
817d9f57
JH		 1253void
1254cancel_cutthrough_connection( void )
1255{
1256close_cutthrough_connection();
1257cutthrough_delivery= FALSE;
1258}
1259
1260
1261
e4bdf652
JH		 1262
1263/* Have senders final-dot. Send one to cutthrough target, and grab the response.
1264 Log an OK response as a transmission.
817d9f57 1265 Close the connection.
e4bdf652 1266 Return smtp response-class digit.
e4bdf652
JH		 1267*/
1268uschar *
1269cutthrough_finaldot( void )
1270{
1271HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> .\n");
1272
1273/* Assume data finshed with new-line */
817d9f57 1274if(!cutthrough_puts(US".", 1) || !cutthrough_put_nl() || !cutthrough_flush_send())
e4bdf652
JH		 1275 return cutthrough_addr.message;
1276
817d9f57
JH		 1277switch(cutthrough_response('2', &cutthrough_addr.message))
1278 {
1279 case '2':
1280 delivery_log(LOG_MAIN, &cutthrough_addr, (int)'>', NULL);
1281 close_cutthrough_connection();
1282 break;
1283
1284 case '4':
1285 delivery_log(LOG_MAIN, &cutthrough_addr, 0, US"tmp-reject from cutthrough after DATA:");
1286 break;
e4bdf652 1287
817d9f57
JH		 1288 case '5':
1289 delivery_log(LOG_MAIN|LOG_REJECT, &cutthrough_addr, 0, US"rejected after DATA:");
1290 break;
e4bdf652 1291
817d9f57
JH		 1292 default:
1293 break;
1294 }
1295 return cutthrough_addr.message;
e4bdf652
JH		 1296}
1297
1298
817d9f57 1299
059ec3d9
PH		 1300/*************************************************
1301* Copy error to toplevel address *
1302*************************************************/
1303
1304/* This function is used when a verify fails or defers, to ensure that the
1305failure or defer information is in the original toplevel address. This applies
1306when an address is redirected to a single new address, and the failure or
1307deferral happens to the child address.
1308
1309Arguments:
1310 vaddr the verify address item
1311 addr the final address item
1312 yield FAIL or DEFER
1313
1314Returns: the value of YIELD
1315*/
1316
1317static int
1318copy_error(address_item *vaddr, address_item *addr, int yield)
1319{
1320if (addr != vaddr)
1321 {
1322 vaddr->message = addr->message;
1323 vaddr->user_message = addr->user_message;
1324 vaddr->basic_errno = addr->basic_errno;
1325 vaddr->more_errno = addr->more_errno;
b37c4101 1326 vaddr->p.address_data = addr->p.address_data;
42855d71 1327 copyflag(vaddr, addr, af_pass_message);
059ec3d9
PH		 1328 }
1329return yield;
1330}
1331
1332
1333
1334
ce552449
NM		 1335/**************************************************
1336* printf that automatically handles TLS if needed *
1337***************************************************/
1338
1339/* This function is used by verify_address() as a substitute for all fprintf()
1340calls; a direct fprintf() will not produce output in a TLS SMTP session, such
1341as a response to an EXPN command. smtp_in.c makes smtp_printf available but
1342that assumes that we always use the smtp_out FILE* when not using TLS or the
1343ssl buffer when we are. Instead we take a FILE* parameter and check to see if
1344that is smtp_out; if so, smtp_printf() with TLS support, otherwise regular
1345fprintf().
1346
1347Arguments:
1348 f the candidate FILE* to write to
1349 format format string
1350 ... optional arguments
1351
1352Returns:
1353 nothing
1354*/
1355
1356static void PRINTF_FUNCTION(2,3)
1ba28e2b 1357respond_printf(FILE *f, const char *format, ...)
ce552449
NM		 1358{
1359va_list ap;
1360
1361va_start(ap, format);
1362if (smtp_out && (f == smtp_out))
1363 smtp_vprintf(format, ap);
1364else
513afc6a 1365 vfprintf(f, format, ap);
ce552449
NM		 1366va_end(ap);
1367}
1368
1369
1370
059ec3d9
PH		 1371/*************************************************
1372* Verify an email address *
1373*************************************************/
1374
1375/* This function is used both for verification (-bv and at other times) and
1376address testing (-bt), which is indicated by address_test_mode being set.
1377
1378Arguments:
1379 vaddr contains the address to verify; the next field in this block
1380 must be NULL
1381 f if not NULL, write the result to this file
1382 options various option bits:
1383 vopt_fake_sender => this sender verify is not for the real
1384 sender (it was verify=sender=xxxx or an address from a
1385 header line) - rewriting must not change sender_address
1386 vopt_is_recipient => this is a recipient address, otherwise
1387 it's a sender address - this affects qualification and
1388 rewriting and messages from callouts
1389 vopt_qualify => qualify an unqualified address; else error
1390 vopt_expn => called from SMTP EXPN command
eafd343b
TK		 1391 vopt_success_on_redirect => when a new address is generated
1392 the verification instantly succeeds
059ec3d9
PH		 1393
1394 These ones are used by do_callout() -- the options variable
1395 is passed to it.
1396
2a4be8f9 1397 vopt_callout_fullpm => if postmaster check, do full one
059ec3d9
PH		 1398 vopt_callout_no_cache => don't use callout cache
1399 vopt_callout_random => do the "random" thing
1400 vopt_callout_recipsender => use real sender for recipient
1401 vopt_callout_recippmaster => use postmaster for recipient
1402
1403 callout if > 0, specifies that callout is required, and gives timeout
4deaf07d 1404 for individual commands
059ec3d9
PH		 1405 callout_overall if > 0, gives overall timeout for the callout function;
1406 if < 0, a default is used (see do_callout())
8e669ac1 1407 callout_connect the connection timeout for callouts
059ec3d9
PH		 1408 se_mailfrom when callout is requested to verify a sender, use this
1409 in MAIL FROM; NULL => ""
1410 pm_mailfrom when callout is requested, if non-NULL, do the postmaster
1411 thing and use this as the sender address (may be "")
1412
1413 routed if not NULL, set TRUE if routing succeeded, so we can
1414 distinguish between routing failed and callout failed
1415
1416Returns: OK address verified
1417 FAIL address failed to verify
1418 DEFER can't tell at present
1419*/
1420
1421int
1422verify_address(address_item *vaddr, FILE *f, int options, int callout,
8e669ac1 1423 int callout_overall, int callout_connect, uschar *se_mailfrom,
4deaf07d 1424 uschar *pm_mailfrom, BOOL *routed)
059ec3d9
PH		 1425{
1426BOOL allok = TRUE;
1427BOOL full_info = (f == NULL)? FALSE : (debug_selector != 0);
1428BOOL is_recipient = (options & vopt_is_recipient) != 0;
1429BOOL expn = (options & vopt_expn) != 0;
eafd343b 1430BOOL success_on_redirect = (options & vopt_success_on_redirect) != 0;
059ec3d9
PH		 1431int i;
1432int yield = OK;
1433int verify_type = expn? v_expn :
1434 address_test_mode? v_none :
1435 is_recipient? v_recipient : v_sender;
1436address_item *addr_list;
1437address_item *addr_new = NULL;
1438address_item *addr_remote = NULL;
1439address_item *addr_local = NULL;
1440address_item *addr_succeed = NULL;
8e669ac1 1441uschar **failure_ptr = is_recipient?
2c7db3f5 1442 &recipient_verify_failure : &sender_verify_failure;
059ec3d9
PH		 1443uschar *ko_prefix, *cr;
1444uschar *address = vaddr->address;
1445uschar *save_sender;
1446uschar null_sender[] = { 0 }; /* Ensure writeable memory */
1447
2c7db3f5
PH		 1448/* Clear, just in case */
1449
1450*failure_ptr = NULL;
1451
059ec3d9
PH		 1452/* Set up a prefix and suffix for error message which allow us to use the same
1453output statements both in EXPN mode (where an SMTP response is needed) and when
1454debugging with an output file. */
1455
1456if (expn)
1457 {
1458 ko_prefix = US"553 ";
1459 cr = US"\r";
1460 }
1461else ko_prefix = cr = US"";
1462
1463/* Add qualify domain if permitted; otherwise an unqualified address fails. */
1464
1465if (parse_find_at(address) == NULL)
1466 {
1467 if ((options & vopt_qualify) == 0)
1468 {
1469 if (f != NULL)
ce552449
NM		 1470 respond_printf(f, "%sA domain is required for \"%s\"%s\n",
1471 ko_prefix, address, cr);
8e669ac1 1472 *failure_ptr = US"qualify";
059ec3d9
PH		 1473 return FAIL;
1474 }
1475 address = rewrite_address_qualify(address, is_recipient);
1476 }
1477
1478DEBUG(D_verify)
1479 {
1480 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1481 debug_printf("%s %s\n", address_test_mode? "Testing" : "Verifying", address);
1482 }
1483
1484/* Rewrite and report on it. Clear the domain and local part caches - these
1485may have been set by domains and local part tests during an ACL. */
1486
1487if (global_rewrite_rules != NULL)
1488 {
1489 uschar *old = address;
1490 address = rewrite_address(address, is_recipient, FALSE,
1491 global_rewrite_rules, rewrite_existflags);
1492 if (address != old)
1493 {
1494 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->localpart_cache[i] = 0;
1495 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->domain_cache[i] = 0;
1496 if (f != NULL && !expn) fprintf(f, "Address rewritten as: %s\n", address);
1497 }
1498 }
1499
1500/* If this is the real sender address, we must update sender_address at
1501this point, because it may be referred to in the routers. */
1502
1503if ((options & (vopt_fake_sender|vopt_is_recipient)) == 0)
1504 sender_address = address;
1505
1506/* If the address was rewritten to <> no verification can be done, and we have
1507to return OK. This rewriting is permitted only for sender addresses; for other
1508addresses, such rewriting fails. */
1509
1510if (address[0] == 0) return OK;
1511
1512/* Save a copy of the sender address for re-instating if we change it to <>
1513while verifying a sender address (a nice bit of self-reference there). */
1514
1515save_sender = sender_address;
1516
1517/* Update the address structure with the possibly qualified and rewritten
1518address. Set it up as the starting address on the chain of new addresses. */
1519
1520vaddr->address = address;
1521addr_new = vaddr;
1522
1523/* We need a loop, because an address can generate new addresses. We must also
1524cope with generated pipes and files at the top level. (See also the code and
1525comment in deliver.c.) However, it is usually the case that the router for
1526user's .forward files has its verify flag turned off.
1527
1528If an address generates more than one child, the loop is used only when
1529full_info is set, and this can only be set locally. Remote enquiries just get
1530information about the top level address, not anything that it generated. */
1531
1532while (addr_new != NULL)
1533 {
1534 int rc;
1535 address_item *addr = addr_new;
1536
1537 addr_new = addr->next;
1538 addr->next = NULL;
1539
1540 DEBUG(D_verify)
1541 {
1542 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1543 debug_printf("Considering %s\n", addr->address);
1544 }
1545
1546 /* Handle generated pipe, file or reply addresses. We don't get these
1547 when handling EXPN, as it does only one level of expansion. */
1548
1549 if (testflag(addr, af_pfr))
1550 {
1551 allok = FALSE;
1552 if (f != NULL)
1553 {
1554 BOOL allow;
1555
1556 if (addr->address[0] == '>')
1557 {
1558 allow = testflag(addr, af_allow_reply);
1559 fprintf(f, "%s -> mail %s", addr->parent->address, addr->address + 1);
1560 }
1561 else
1562 {
1563 allow = (addr->address[0] == '|')?
1564 testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file);
1565 fprintf(f, "%s -> %s", addr->parent->address, addr->address);
1566 }
1567
1568 if (addr->basic_errno == ERRNO_BADTRANSPORT)
1569 fprintf(f, "\n*** Error in setting up pipe, file, or autoreply:\n"
1570 "%s\n", addr->message);
1571 else if (allow)
1572 fprintf(f, "\n transport = %s\n", addr->transport->name);
1573 else
1574 fprintf(f, " *** forbidden ***\n");
1575 }
1576 continue;
1577 }
1578
1579 /* Just in case some router parameter refers to it. */
1580
1581 return_path = (addr->p.errors_address != NULL)?
1582 addr->p.errors_address : sender_address;
1583
1584 /* Split the address into domain and local part, handling the %-hack if
1585 necessary, and then route it. While routing a sender address, set
1586 $sender_address to <> because that is what it will be if we were trying to
1587 send a bounce to the sender. */
1588
1589 if (routed != NULL) *routed = FALSE;
1590 if ((rc = deliver_split_address(addr)) == OK)
1591 {
1592 if (!is_recipient) sender_address = null_sender;
1593 rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
1594 &addr_succeed, verify_type);
1595 sender_address = save_sender; /* Put back the real sender */
1596 }
1597
1598 /* If routing an address succeeded, set the flag that remembers, for use when
1599 an ACL cached a sender verify (in case a callout fails). Then if routing set
1600 up a list of hosts or the transport has a host list, and the callout option
1601 is set, and we aren't in a host checking run, do the callout verification,
1602 and set another flag that notes that a callout happened. */
1603
1604 if (rc == OK)
1605 {
1606 if (routed != NULL) *routed = TRUE;
1607 if (callout > 0)
1608 {
1609 host_item *host_list = addr->host_list;
1610
26da7e20
PH		 1611 /* Make up some data for use in the case where there is no remote
1612 transport. */
1613
1614 transport_feedback tf = {
1615 NULL, /* interface (=> any) */
1616 US"smtp", /* port */
1617 US"smtp", /* protocol */
1618 NULL, /* hosts */
1619 US"$smtp_active_hostname", /* helo_data */
1620 FALSE, /* hosts_override */
1621 FALSE, /* hosts_randomize */
1622 FALSE, /* gethostbyname */
1623 TRUE, /* qualify_single */
1624 FALSE /* search_parents */
1625 };
059ec3d9
PH		 1626
1627 /* If verification yielded a remote transport, we want to use that
1628 transport's options, so as to mimic what would happen if we were really
1629 sending a message to this address. */
1630
1631 if (addr->transport != NULL && !addr->transport->info->local)
1632 {
929ba01c 1633 (void)(addr->transport->setup)(addr->transport, addr, &tf, 0, 0, NULL);
059ec3d9
PH		 1634
1635 /* If the transport has hosts and the router does not, or if the
1636 transport is configured to override the router's hosts, we must build a
1637 host list of the transport's hosts, and find the IP addresses */
1638
1639 if (tf.hosts != NULL && (host_list == NULL || tf.hosts_override))
1640 {
1641 uschar *s;
750af86e
PH		 1642 uschar *save_deliver_domain = deliver_domain;
1643 uschar *save_deliver_localpart = deliver_localpart;
059ec3d9
PH		 1644
1645 host_list = NULL; /* Ignore the router's hosts */
1646
1647 deliver_domain = addr->domain;
1648 deliver_localpart = addr->local_part;
1649 s = expand_string(tf.hosts);
750af86e
PH		 1650 deliver_domain = save_deliver_domain;
1651 deliver_localpart = save_deliver_localpart;
059ec3d9
PH		 1652
1653 if (s == NULL)
1654 {
1655 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand list of hosts "
1656 "\"%s\" in %s transport for callout: %s", tf.hosts,
1657 addr->transport->name, expand_string_message);
1658 }
1659 else
1660 {
322050c2 1661 int flags;
059ec3d9 1662 uschar *canonical_name;
d8ef3577 1663 host_item *host, *nexthost;
059ec3d9
PH		 1664 host_build_hostlist(&host_list, s, tf.hosts_randomize);
1665
1666 /* Just ignore failures to find a host address. If we don't manage
8e669ac1
PH		 1667 to find any addresses, the callout will defer. Note that more than
1668 one address may be found for a single host, which will result in
1669 additional host items being inserted into the chain. Hence we must
d8ef3577 1670 save the next host first. */
059ec3d9 1671
322050c2
PH		 1672 flags = HOST_FIND_BY_A;
1673 if (tf.qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
1674 if (tf.search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
1675
d8ef3577 1676 for (host = host_list; host != NULL; host = nexthost)
059ec3d9 1677 {
d8ef3577 1678 nexthost = host->next;
8e669ac1 1679 if (tf.gethostbyname ||
7e66e54d 1680 string_is_ip_address(host->name, NULL) != 0)
322050c2 1681 (void)host_find_byname(host, NULL, flags, &canonical_name, TRUE);
059ec3d9 1682 else
059ec3d9
PH		 1683 (void)host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
1684 &canonical_name, NULL);
059ec3d9
PH		 1685 }
1686 }
1687 }
1688 }
1689
8e669ac1 1690 /* Can only do a callout if we have at least one host! If the callout
2c7db3f5 1691 fails, it will have set ${sender,recipient}_verify_failure. */
059ec3d9
PH		 1692
1693 if (host_list != NULL)
1694 {
1695 HDEBUG(D_verify) debug_printf("Attempting full verification using callout\n");
1696 if (host_checking && !host_checking_callout)
1697 {
1698 HDEBUG(D_verify)
1699 debug_printf("... callout omitted by default when host testing\n"
1700 "(Use -bhc if you want the callouts to happen.)\n");
1701 }
1702 else
1703 {
1704 rc = do_callout(addr, host_list, &tf, callout, callout_overall,
4deaf07d 1705 callout_connect, options, se_mailfrom, pm_mailfrom);
059ec3d9
PH		 1706 }
1707 }
1708 else
1709 {
1710 HDEBUG(D_verify) debug_printf("Cannot do callout: neither router nor "
1711 "transport provided a host list\n");
1712 }
1713 }
1714 }
8e669ac1 1715
2c7db3f5 1716 /* Otherwise, any failure is a routing failure */
8e669ac1
PH		 1717
1718 else *failure_ptr = US"route";
059ec3d9
PH		 1719
1720 /* A router may return REROUTED if it has set up a child address as a result
1721 of a change of domain name (typically from widening). In this case we always
1722 want to continue to verify the new child. */
1723
1724 if (rc == REROUTED) continue;
8e669ac1 1725
059ec3d9
PH		 1726 /* Handle hard failures */
1727
1728 if (rc == FAIL)
1729 {
1730 allok = FALSE;
1731 if (f != NULL)
1732 {
e6f6568e
PH		 1733 address_item *p = addr->parent;
1734
ce552449
NM		 1735 respond_printf(f, "%s%s %s", ko_prefix,
1736 full_info? addr->address : address,
059ec3d9
PH		 1737 address_test_mode? "is undeliverable" : "failed to verify");
1738 if (!expn && admin_user)
1739 {
1740 if (addr->basic_errno > 0)
ce552449 1741 respond_printf(f, ": %s", strerror(addr->basic_errno));
059ec3d9 1742 if (addr->message != NULL)
ce552449 1743 respond_printf(f, ": %s", addr->message);
e6f6568e
PH		 1744 }
1745
1746 /* Show parents iff doing full info */
1747
1748 if (full_info) while (p != NULL)
1749 {
ce552449 1750 respond_printf(f, "%s\n <-- %s", cr, p->address);
e6f6568e 1751 p = p->parent;
059ec3d9 1752 }
ce552449 1753 respond_printf(f, "%s\n", cr);
059ec3d9 1754 }
e4bdf652 1755 cancel_cutthrough_connection();
059ec3d9
PH		 1756
1757 if (!full_info) return copy_error(vaddr, addr, FAIL);
1758 else yield = FAIL;
1759 }
1760
1761 /* Soft failure */
1762
1763 else if (rc == DEFER)
1764 {
1765 allok = FALSE;
1766 if (f != NULL)
1767 {
e6f6568e 1768 address_item *p = addr->parent;
ce552449 1769 respond_printf(f, "%s%s cannot be resolved at this time", ko_prefix,
322050c2 1770 full_info? addr->address : address);
059ec3d9
PH		 1771 if (!expn && admin_user)
1772 {
1773 if (addr->basic_errno > 0)
ce552449 1774 respond_printf(f, ": %s", strerror(addr->basic_errno));
059ec3d9 1775 if (addr->message != NULL)
ce552449 1776 respond_printf(f, ": %s", addr->message);
059ec3d9 1777 else if (addr->basic_errno <= 0)
ce552449 1778 respond_printf(f, ": unknown error");
059ec3d9
PH		 1779 }
1780
e6f6568e
PH		 1781 /* Show parents iff doing full info */
1782
1783 if (full_info) while (p != NULL)
1784 {
ce552449 1785 respond_printf(f, "%s\n <-- %s", cr, p->address);
e6f6568e
PH		 1786 p = p->parent;
1787 }
ce552449 1788 respond_printf(f, "%s\n", cr);
059ec3d9 1789 }
e4bdf652
JH		 1790 cancel_cutthrough_connection();
1791
059ec3d9
PH		 1792 if (!full_info) return copy_error(vaddr, addr, DEFER);
1793 else if (yield == OK) yield = DEFER;
1794 }
1795
1796 /* If we are handling EXPN, we do not want to continue to route beyond
e6f6568e 1797 the top level (whose address is in "address"). */
059ec3d9
PH		 1798
1799 else if (expn)
1800 {
1801 uschar *ok_prefix = US"250-";
1802 if (addr_new == NULL)
1803 {
1804 if (addr_local == NULL && addr_remote == NULL)
ce552449 1805 respond_printf(f, "250 mail to <%s> is discarded\r\n", address);
059ec3d9 1806 else
ce552449 1807 respond_printf(f, "250 <%s>\r\n", address);
059ec3d9
PH		 1808 }
1809 else while (addr_new != NULL)
1810 {
1811 address_item *addr2 = addr_new;
1812 addr_new = addr2->next;
1813 if (addr_new == NULL) ok_prefix = US"250 ";
ce552449 1814 respond_printf(f, "%s<%s>\r\n", ok_prefix, addr2->address);
059ec3d9
PH		 1815 }
1816 return OK;
1817 }
1818
1819 /* Successful routing other than EXPN. */
1820
1821 else
1822 {
1823 /* Handle successful routing when short info wanted. Otherwise continue for
1824 other (generated) addresses. Short info is the operational case. Full info
1825 can be requested only when debug_selector != 0 and a file is supplied.
1826
1827 There is a conflict between the use of aliasing as an alternate email
1828 address, and as a sort of mailing list. If an alias turns the incoming
1829 address into just one address (e.g. J.Caesar->jc44) you may well want to
1830 carry on verifying the generated address to ensure it is valid when
1831 checking incoming mail. If aliasing generates multiple addresses, you
1832 probably don't want to do this. Exim therefore treats the generation of
1833 just a single new address as a special case, and continues on to verify the
1834 generated address. */
1835
1836 if (!full_info && /* Stop if short info wanted AND */
eafd343b
TK		 1837 (((addr_new == NULL || /* No new address OR */
1838 addr_new->next != NULL || /* More than one new address OR */
1839 testflag(addr_new, af_pfr))) /* New address is pfr */
1840 || /* OR */
1841 (addr_new != NULL && /* At least one new address AND */
1842 success_on_redirect))) /* success_on_redirect is set */
059ec3d9 1843 {
322050c2 1844 if (f != NULL) fprintf(f, "%s %s\n", address,
059ec3d9
PH		 1845 address_test_mode? "is deliverable" : "verified");
1846
1847 /* If we have carried on to verify a child address, we want the value
1848 of $address_data to be that of the child */
1849
1850 vaddr->p.address_data = addr->p.address_data;
1851 return OK;
1852 }
1853 }
1854 } /* Loop for generated addresses */
1855
1856/* Display the full results of the successful routing, including any generated
1857addresses. Control gets here only when full_info is set, which requires f not
1858to be NULL, and this occurs only when a top-level verify is called with the
1859debugging switch on.
1860
1861If there are no local and no remote addresses, and there were no pipes, files,
1862or autoreplies, and there were no errors or deferments, the message is to be
1863discarded, usually because of the use of :blackhole: in an alias file. */
1864
1865if (allok && addr_local == NULL && addr_remote == NULL)
dbcef0ea 1866 {
059ec3d9 1867 fprintf(f, "mail to %s is discarded\n", address);
dbcef0ea
PH		 1868 return yield;
1869 }
059ec3d9 1870
dbcef0ea 1871for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
059ec3d9
PH		 1872 {
1873 while (addr_list != NULL)
1874 {
1875 address_item *addr = addr_list;
1876 address_item *p = addr->parent;
1877 addr_list = addr->next;
1878
1879 fprintf(f, "%s", CS addr->address);
384152a6
TK		 1880#ifdef EXPERIMENTAL_SRS
1881 if(addr->p.srs_sender)
1882 fprintf(f, " [srs = %s]", addr->p.srs_sender);
1883#endif
dbcef0ea
PH		 1884
1885 /* If the address is a duplicate, show something about it. */
1886
1887 if (!testflag(addr, af_pfr))
1888 {
1889 tree_node *tnode;
1890 if ((tnode = tree_search(tree_duplicates, addr->unique)) != NULL)
1891 fprintf(f, " [duplicate, would not be delivered]");
1892 else tree_add_duplicate(addr->unique, addr);
1893 }
1894
1895 /* Now show its parents */
1896
059ec3d9
PH		 1897 while (p != NULL)
1898 {
1899 fprintf(f, "\n <-- %s", p->address);
1900 p = p->parent;
1901 }
1902 fprintf(f, "\n ");
1903
1904 /* Show router, and transport */
1905
1906 fprintf(f, "router = %s, ", addr->router->name);
1907 fprintf(f, "transport = %s\n", (addr->transport == NULL)? US"unset" :
1908 addr->transport->name);
1909
1910 /* Show any hosts that are set up by a router unless the transport
1911 is going to override them; fiddle a bit to get a nice format. */
1912
1913 if (addr->host_list != NULL && addr->transport != NULL &&
1914 !addr->transport->overrides_hosts)
1915 {
1916 host_item *h;
1917 int maxlen = 0;
1918 int maxaddlen = 0;
1919 for (h = addr->host_list; h != NULL; h = h->next)
1920 {
1921 int len = Ustrlen(h->name);
1922 if (len > maxlen) maxlen = len;
1923 len = (h->address != NULL)? Ustrlen(h->address) : 7;
1924 if (len > maxaddlen) maxaddlen = len;
1925 }
1926 for (h = addr->host_list; h != NULL; h = h->next)
1927 {
1928 int len = Ustrlen(h->name);
1929 fprintf(f, " host %s ", h->name);
1930 while (len++ < maxlen) fprintf(f, " ");
1931 if (h->address != NULL)
1932 {
1933 fprintf(f, "[%s] ", h->address);
1934 len = Ustrlen(h->address);
1935 }
1936 else if (!addr->transport->info->local) /* Omit [unknown] for local */
1937 {
1938 fprintf(f, "[unknown] ");
1939 len = 7;
1940 }
1941 else len = -3;
1942 while (len++ < maxaddlen) fprintf(f," ");
1943 if (h->mx >= 0) fprintf(f, "MX=%d", h->mx);
1944 if (h->port != PORT_NONE) fprintf(f, " port=%d", h->port);
1945 if (h->status == hstatus_unusable) fprintf(f, " ** unusable **");
1946 fprintf(f, "\n");
1947 }
1948 }
1949 }
1950 }
1951
8e669ac1 1952/* Will be DEFER or FAIL if any one address has, only for full_info (which is
2c7db3f5
PH		 1953the -bv or -bt case). */
1954
8e669ac1 1955return yield;
059ec3d9
PH		 1956}
1957
1958
1959
1960
1961/*************************************************
1962* Check headers for syntax errors *
1963*************************************************/
1964
1965/* This function checks those header lines that contain addresses, and verifies
1966that all the addresses therein are syntactially correct.
1967
1968Arguments:
1969 msgptr where to put an error message
1970
1971Returns: OK
1972 FAIL
1973*/
1974
1975int
1976verify_check_headers(uschar **msgptr)
1977{
1978header_line *h;
1979uschar *colon, *s;
1eccaa59 1980int yield = OK;
059ec3d9 1981
1eccaa59 1982for (h = header_list; h != NULL && yield == OK; h = h->next)
059ec3d9
PH		 1983 {
1984 if (h->type != htype_from &&
1985 h->type != htype_reply_to &&
1986 h->type != htype_sender &&
1987 h->type != htype_to &&
1988 h->type != htype_cc &&
1989 h->type != htype_bcc)
1990 continue;
1991
1992 colon = Ustrchr(h->text, ':');
1993 s = colon + 1;
1994 while (isspace(*s)) s++;
1995
1eccaa59
PH		 1996 /* Loop for multiple addresses in the header, enabling group syntax. Note
1997 that we have to reset this after the header has been scanned. */
059ec3d9 1998
1eccaa59 1999 parse_allow_group = TRUE;
059ec3d9
PH		 2000
2001 while (*s != 0)
2002 {
2003 uschar *ss = parse_find_address_end(s, FALSE);
2004 uschar *recipient, *errmess;
2005 int terminator = *ss;
2006 int start, end, domain;
2007
2008 /* Temporarily terminate the string at this point, and extract the
1eccaa59 2009 operative address within, allowing group syntax. */
059ec3d9
PH		 2010
2011 *ss = 0;
2012 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
2013 *ss = terminator;
2014
2015 /* Permit an unqualified address only if the message is local, or if the
2016 sending host is configured to be permitted to send them. */
2017
2018 if (recipient != NULL && domain == 0)
2019 {
2020 if (h->type == htype_from || h->type == htype_sender)
2021 {
2022 if (!allow_unqualified_sender) recipient = NULL;
2023 }
2024 else
2025 {
2026 if (!allow_unqualified_recipient) recipient = NULL;
2027 }
2028 if (recipient == NULL) errmess = US"unqualified address not permitted";
2029 }
2030
2031 /* It's an error if no address could be extracted, except for the special
2032 case of an empty address. */
2033
2034 if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0)
2035 {
2036 uschar *verb = US"is";
2037 uschar *t = ss;
1ab95fa6 2038 uschar *tt = colon;
059ec3d9
PH		 2039 int len;
2040
2041 /* Arrange not to include any white space at the end in the
1ab95fa6 2042 error message or the header name. */
059ec3d9
PH		 2043
2044 while (t > s && isspace(t[-1])) t--;
1ab95fa6 2045 while (tt > h->text && isspace(tt[-1])) tt--;
059ec3d9 2046
1ab95fa6 2047 /* Add the address that failed to the error message, since in a
059ec3d9
PH		 2048 header with very many addresses it is sometimes hard to spot
2049 which one is at fault. However, limit the amount of address to
2050 quote - cases have been seen where, for example, a missing double
2051 quote in a humungous To: header creates an "address" that is longer
2052 than string_sprintf can handle. */
2053
2054 len = t - s;
2055 if (len > 1024)
2056 {
2057 len = 1024;
2058 verb = US"begins";
2059 }
2060
2061 *msgptr = string_printing(
1ab95fa6
PH		 2062 string_sprintf("%s: failing address in \"%.*s:\" header %s: %.*s",
2063 errmess, tt - h->text, h->text, verb, len, s));
059ec3d9 2064
1eccaa59
PH		 2065 yield = FAIL;
2066 break; /* Out of address loop */
059ec3d9
PH		 2067 }
2068
2069 /* Advance to the next address */
2070
2071 s = ss + (terminator? 1:0);
2072 while (isspace(*s)) s++;
2073 } /* Next address */
059ec3d9 2074
1eccaa59
PH		 2075 parse_allow_group = FALSE;
2076 parse_found_group = FALSE;
2077 } /* Next header unless yield has been set FALSE */
2078
2079return yield;
059ec3d9
PH		 2080}
2081
2082
2083
1c41c9cc
PH		 2084/*************************************************
2085* Check for blind recipients *
2086*************************************************/
2087
2088/* This function checks that every (envelope) recipient is mentioned in either
2089the To: or Cc: header lines, thus detecting blind carbon copies.
2090
2091There are two ways of scanning that could be used: either scan the header lines
2092and tick off the recipients, or scan the recipients and check the header lines.
2093The original proposed patch did the former, but I have chosen to do the latter,
2094because (a) it requires no memory and (b) will use fewer resources when there
2095are many addresses in To: and/or Cc: and only one or two envelope recipients.
2096
2097Arguments: none
2098Returns: OK if there are no blind recipients
2099 FAIL if there is at least one blind recipient
2100*/
2101
2102int
2103verify_check_notblind(void)
2104{
2105int i;
2106for (i = 0; i < recipients_count; i++)
2107 {
2108 header_line *h;
2109 BOOL found = FALSE;
2110 uschar *address = recipients_list[i].address;
2111
2112 for (h = header_list; !found && h != NULL; h = h->next)
2113 {
2114 uschar *colon, *s;
2115
2116 if (h->type != htype_to && h->type != htype_cc) continue;
2117
2118 colon = Ustrchr(h->text, ':');
2119 s = colon + 1;
2120 while (isspace(*s)) s++;
2121
1eccaa59
PH		 2122 /* Loop for multiple addresses in the header, enabling group syntax. Note
2123 that we have to reset this after the header has been scanned. */
1c41c9cc 2124
1eccaa59 2125 parse_allow_group = TRUE;
1c41c9cc
PH		 2126
2127 while (*s != 0)
2128 {
2129 uschar *ss = parse_find_address_end(s, FALSE);
2130 uschar *recipient,*errmess;
2131 int terminator = *ss;
2132 int start, end, domain;
2133
2134 /* Temporarily terminate the string at this point, and extract the
1eccaa59 2135 operative address within, allowing group syntax. */
1c41c9cc
PH		 2136
2137 *ss = 0;
2138 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
2139 *ss = terminator;
2140
2141 /* If we found a valid recipient that has a domain, compare it with the
2142 envelope recipient. Local parts are compared case-sensitively, domains
2143 case-insensitively. By comparing from the start with length "domain", we
2144 include the "@" at the end, which ensures that we are comparing the whole
2145 local part of each address. */
2146
2147 if (recipient != NULL && domain != 0)
2148 {
2149 found = Ustrncmp(recipient, address, domain) == 0 &&
2150 strcmpic(recipient + domain, address + domain) == 0;
2151 if (found) break;
2152 }
2153
2154 /* Advance to the next address */
2155
2156 s = ss + (terminator? 1:0);
2157 while (isspace(*s)) s++;
2158 } /* Next address */
1eccaa59
PH		 2159
2160 parse_allow_group = FALSE;
2161 parse_found_group = FALSE;
1c41c9cc
PH		 2162 } /* Next header (if found is false) */
2163
2164 if (!found) return FAIL;
2165 } /* Next recipient */
2166
2167return OK;
2168}
2169
2170
059ec3d9
PH		 2171
2172/*************************************************
2173* Find if verified sender *
2174*************************************************/
2175
2176/* Usually, just a single address is verified as the sender of the message.
2177However, Exim can be made to verify other addresses as well (often related in
2178some way), and this is useful in some environments. There may therefore be a
2179chain of such addresses that have previously been tested. This function finds
2180whether a given address is on the chain.
2181
2182Arguments: the address to be verified
2183Returns: pointer to an address item, or NULL
2184*/
2185
2186address_item *
2187verify_checked_sender(uschar *sender)
2188{
2189address_item *addr;
2190for (addr = sender_verified_list; addr != NULL; addr = addr->next)
2191 if (Ustrcmp(sender, addr->address) == 0) break;
2192return addr;
2193}
2194
2195
2196
2197
2198
2199/*************************************************
2200* Get valid header address *
2201*************************************************/
2202
2203/* Scan the originator headers of the message, looking for an address that
2204verifies successfully. RFC 822 says:
2205
2206 o The "Sender" field mailbox should be sent notices of
2207 any problems in transport or delivery of the original
2208 messages. If there is no "Sender" field, then the
2209 "From" field mailbox should be used.
2210
2211 o If the "Reply-To" field exists, then the reply should
2212 go to the addresses indicated in that field and not to
2213 the address(es) indicated in the "From" field.
2214
2215So we check a Sender field if there is one, else a Reply_to field, else a From
2216field. As some strange messages may have more than one of these fields,
2217especially if they are resent- fields, check all of them if there is more than
2218one.
2219
2220Arguments:
2221 user_msgptr points to where to put a user error message
2222 log_msgptr points to where to put a log error message
2223 callout timeout for callout check (passed to verify_address())
2224 callout_overall overall callout timeout (ditto)
8e669ac1 2225 callout_connect connect callout timeout (ditto)
059ec3d9
PH		 2226 se_mailfrom mailfrom for verify; NULL => ""
2227 pm_mailfrom sender for pm callout check (passed to verify_address())
2228 options callout options (passed to verify_address())
8e669ac1 2229 verrno where to put the address basic_errno
059ec3d9
PH		 2230
2231If log_msgptr is set to something without setting user_msgptr, the caller
2232normally uses log_msgptr for both things.
2233
2234Returns: result of the verification attempt: OK, FAIL, or DEFER;
2235 FAIL is given if no appropriate headers are found
2236*/
2237
2238int
2239verify_check_header_address(uschar **user_msgptr, uschar **log_msgptr,
8e669ac1 2240 int callout, int callout_overall, int callout_connect, uschar *se_mailfrom,
fe5b5d0b 2241 uschar *pm_mailfrom, int options, int *verrno)
059ec3d9
PH		 2242{
2243static int header_types[] = { htype_sender, htype_reply_to, htype_from };
1eccaa59 2244BOOL done = FALSE;
059ec3d9
PH		 2245int yield = FAIL;
2246int i;
2247
1eccaa59 2248for (i = 0; i < 3 && !done; i++)
059ec3d9
PH		 2249 {
2250 header_line *h;
1eccaa59 2251 for (h = header_list; h != NULL && !done; h = h->next)
059ec3d9
PH		 2252 {
2253 int terminator, new_ok;
2254 uschar *s, *ss, *endname;
2255
2256 if (h->type != header_types[i]) continue;
2257 s = endname = Ustrchr(h->text, ':') + 1;
2258
1eccaa59
PH		 2259 /* Scan the addresses in the header, enabling group syntax. Note that we
2260 have to reset this after the header has been scanned. */
2261
2262 parse_allow_group = TRUE;
2263
059ec3d9
PH		 2264 while (*s != 0)
2265 {
2266 address_item *vaddr;
2267
2268 while (isspace(*s) || *s == ',') s++;
2269 if (*s == 0) break; /* End of header */
2270
2271 ss = parse_find_address_end(s, FALSE);
2272
2273 /* The terminator is a comma or end of header, but there may be white
2274 space preceding it (including newline for the last address). Move back
2275 past any white space so we can check against any cached envelope sender
2276 address verifications. */
2277
2278 while (isspace(ss[-1])) ss--;
2279 terminator = *ss;
2280 *ss = 0;
2281
2282 HDEBUG(D_verify) debug_printf("verifying %.*s header address %s\n",
2283 (int)(endname - h->text), h->text, s);
2284
2285 /* See if we have already verified this address as an envelope sender,
2286 and if so, use the previous answer. */
2287
2288 vaddr = verify_checked_sender(s);
2289
2290 if (vaddr != NULL && /* Previously checked */
2291 (callout <= 0 || /* No callout needed; OR */
2292 vaddr->special_action > 256)) /* Callout was done */
2293 {
2294 new_ok = vaddr->special_action & 255;
2295 HDEBUG(D_verify) debug_printf("previously checked as envelope sender\n");
2296 *ss = terminator; /* Restore shortened string */
2297 }
2298
2299 /* Otherwise we run the verification now. We must restore the shortened
2300 string before running the verification, so the headers are correct, in
2301 case there is any rewriting. */
2302
2303 else
2304 {
2305 int start, end, domain;
1eccaa59
PH		 2306 uschar *address = parse_extract_address(s, log_msgptr, &start, &end,
2307 &domain, FALSE);
059ec3d9
PH		 2308
2309 *ss = terminator;
2310
1eccaa59
PH		 2311 /* If we found an empty address, just carry on with the next one, but
2312 kill the message. */
2313
2314 if (address == NULL && Ustrcmp(*log_msgptr, "empty address") == 0)
2315 {
2316 *log_msgptr = NULL;
2317 s = ss;
2318 continue;
2319 }
2320
059ec3d9
PH		 2321 /* If verification failed because of a syntax error, fail this
2322 function, and ensure that the failing address gets added to the error
2323 message. */
2324
2325 if (address == NULL)
2326 {
2327 new_ok = FAIL;
1eccaa59
PH		 2328 while (ss > s && isspace(ss[-1])) ss--;
2329 *log_msgptr = string_sprintf("syntax error in '%.*s' header when "
2330 "scanning for sender: %s in \"%.*s\"",
2331 endname - h->text, h->text, *log_msgptr, ss - s, s);
2332 yield = FAIL;
2333 done = TRUE;
2334 break;
059ec3d9
PH		 2335 }
2336
2f6603e1 2337 /* Else go ahead with the sender verification. But it isn't *the*
059ec3d9
PH		 2338 sender of the message, so set vopt_fake_sender to stop sender_address
2339 being replaced after rewriting or qualification. */
2340
2341 else
2342 {
2343 vaddr = deliver_make_addr(address, FALSE);
2344 new_ok = verify_address(vaddr, NULL, options | vopt_fake_sender,
8e669ac1 2345 callout, callout_overall, callout_connect, se_mailfrom,
4deaf07d 2346 pm_mailfrom, NULL);
059ec3d9
PH		 2347 }
2348 }
2349
2350 /* We now have the result, either newly found, or cached. If we are
2351 giving out error details, set a specific user error. This means that the
2352 last of these will be returned to the user if all three fail. We do not
2353 set a log message - the generic one below will be used. */
2354
fe5b5d0b 2355 if (new_ok != OK)
059ec3d9 2356 {
8e669ac1 2357 *verrno = vaddr->basic_errno;
fe5b5d0b
PH		 2358 if (smtp_return_error_details)
2359 {
2360 *user_msgptr = string_sprintf("Rejected after DATA: "
2361 "could not verify \"%.*s\" header address\n%s: %s",
2362 endname - h->text, h->text, vaddr->address, vaddr->message);
2363 }
8e669ac1 2364 }
059ec3d9
PH		 2365
2366 /* Success or defer */
2367
1eccaa59
PH		 2368 if (new_ok == OK)
2369 {
2370 yield = OK;
2371 done = TRUE;
2372 break;
2373 }
2374
059ec3d9
PH		 2375 if (new_ok == DEFER) yield = DEFER;
2376
2377 /* Move on to any more addresses in the header */
2378
2379 s = ss;
1eccaa59
PH		 2380 } /* Next address */
2381
2382 parse_allow_group = FALSE;
2383 parse_found_group = FALSE;
2384 } /* Next header, unless done */
2385 } /* Next header type unless done */
059ec3d9
PH		 2386
2387if (yield == FAIL && *log_msgptr == NULL)
2388 *log_msgptr = US"there is no valid sender in any header line";
2389
2390if (yield == DEFER && *log_msgptr == NULL)
2391 *log_msgptr = US"all attempts to verify a sender in a header line deferred";
2392
2393return yield;
2394}
2395
2396
2397
2398
2399/*************************************************
2400* Get RFC 1413 identification *
2401*************************************************/
2402
2403/* Attempt to get an id from the sending machine via the RFC 1413 protocol. If
2404the timeout is set to zero, then the query is not done. There may also be lists
2405of hosts and nets which are exempt. To guard against malefactors sending
2406non-printing characters which could, for example, disrupt a message's headers,
2407make sure the string consists of printing characters only.
2408
2409Argument:
2410 port the port to connect to; usually this is IDENT_PORT (113), but when
2411 running in the test harness with -bh a different value is used.
2412
2413Returns: nothing
2414
2415Side effect: any received ident value is put in sender_ident (NULL otherwise)
2416*/
2417
2418void
2419verify_get_ident(int port)
2420{
2421int sock, host_af, qlen;
2422int received_sender_port, received_interface_port, n;
2423uschar *p;
2424uschar buffer[2048];
2425
2426/* Default is no ident. Check whether we want to do an ident check for this
2427host. */
2428
2429sender_ident = NULL;
2430if (rfc1413_query_timeout <= 0 || verify_check_host(&rfc1413_hosts) != OK)
2431 return;
2432
2433DEBUG(D_ident) debug_printf("doing ident callback\n");
2434
2435/* Set up a connection to the ident port of the remote host. Bind the local end
2436to the incoming interface address. If the sender host address is an IPv6
2437address, the incoming interface address will also be IPv6. */
2438
2439host_af = (Ustrchr(sender_host_address, ':') == NULL)? AF_INET : AF_INET6;
2440sock = ip_socket(SOCK_STREAM, host_af);
2441if (sock < 0) return;
2442
2443if (ip_bind(sock, host_af, interface_address, 0) < 0)
2444 {
2445 DEBUG(D_ident) debug_printf("bind socket for ident failed: %s\n",
2446 strerror(errno));
2447 goto END_OFF;
2448 }
2449
2450if (ip_connect(sock, host_af, sender_host_address, port, rfc1413_query_timeout)
2451 < 0)
2452 {
2453 if (errno == ETIMEDOUT && (log_extra_selector & LX_ident_timeout) != 0)
2454 {
2455 log_write(0, LOG_MAIN, "ident connection to %s timed out",
2456 sender_host_address);
2457 }
2458 else
2459 {
2460 DEBUG(D_ident) debug_printf("ident connection to %s failed: %s\n",
2461 sender_host_address, strerror(errno));
2462 }
2463 goto END_OFF;
2464 }
2465
2466/* Construct and send the query. */
2467
2468sprintf(CS buffer, "%d , %d\r\n", sender_host_port, interface_port);
2469qlen = Ustrlen(buffer);
2470if (send(sock, buffer, qlen, 0) < 0)
2471 {
2472 DEBUG(D_ident) debug_printf("ident send failed: %s\n", strerror(errno));
2473 goto END_OFF;
2474 }
2475
2476/* Read a response line. We put it into the rest of the buffer, using several
2477recv() calls if necessary. */
2478
2479p = buffer + qlen;
2480
2481for (;;)
2482 {
2483 uschar *pp;
2484 int count;
2485 int size = sizeof(buffer) - (p - buffer);
2486
2487 if (size <= 0) goto END_OFF; /* Buffer filled without seeing \n. */
2488 count = ip_recv(sock, p, size, rfc1413_query_timeout);
2489 if (count <= 0) goto END_OFF; /* Read error or EOF */
2490
2491 /* Scan what we just read, to see if we have reached the terminating \r\n. Be
2492 generous, and accept a plain \n terminator as well. The only illegal
2493 character is 0. */
2494
2495 for (pp = p; pp < p + count; pp++)
2496 {
2497 if (*pp == 0) goto END_OFF; /* Zero octet not allowed */
2498 if (*pp == '\n')
2499 {
2500 if (pp[-1] == '\r') pp--;
2501 *pp = 0;
2502 goto GOT_DATA; /* Break out of both loops */
2503 }
2504 }
2505
2506 /* Reached the end of the data without finding \n. Let the loop continue to
2507 read some more, if there is room. */
2508
2509 p = pp;
2510 }
2511
2512GOT_DATA:
2513
2514/* We have received a line of data. Check it carefully. It must start with the
2515same two port numbers that we sent, followed by data as defined by the RFC. For
2516example,
2517
2518 12345 , 25 : USERID : UNIX :root
2519
2520However, the amount of white space may be different to what we sent. In the
2521"osname" field there may be several sub-fields, comma separated. The data we
2522actually want to save follows the third colon. Some systems put leading spaces
2523in it - we discard those. */
2524
2525if (sscanf(CS buffer + qlen, "%d , %d%n", &received_sender_port,
2526 &received_interface_port, &n) != 2 ||
2527 received_sender_port != sender_host_port ||
2528 received_interface_port != interface_port)
2529 goto END_OFF;
2530
2531p = buffer + qlen + n;
2532while(isspace(*p)) p++;
2533if (*p++ != ':') goto END_OFF;
2534while(isspace(*p)) p++;
2535if (Ustrncmp(p, "USERID", 6) != 0) goto END_OFF;
2536p += 6;
2537while(isspace(*p)) p++;
2538if (*p++ != ':') goto END_OFF;
2539while (*p != 0 && *p != ':') p++;
2540if (*p++ == 0) goto END_OFF;
2541while(isspace(*p)) p++;
2542if (*p == 0) goto END_OFF;
2543
2544/* The rest of the line is the data we want. We turn it into printing
2545characters when we save it, so that it cannot mess up the format of any logging
2546or Received: lines into which it gets inserted. We keep a maximum of 127
2547characters. */
2548
2549sender_ident = string_printing(string_copyn(p, 127));
2550DEBUG(D_ident) debug_printf("sender_ident = %s\n", sender_ident);
2551
2552END_OFF:
f1e894f3 2553(void)close(sock);
059ec3d9
PH		 2554return;
2555}
2556
2557
2558
2559
2560/*************************************************
2561* Match host to a single host-list item *
2562*************************************************/
2563
2564/* This function compares a host (name or address) against a single item
2565from a host list. The host name gets looked up if it is needed and is not
2566already known. The function is called from verify_check_this_host() via
2567match_check_list(), which is why most of its arguments are in a single block.
2568
2569Arguments:
2570 arg the argument block (see below)
2571 ss the host-list item
2572 valueptr where to pass back looked up data, or NULL
2573 error for error message when returning ERROR
2574
2575The block contains:
32d668a5
PH		 2576 host_name (a) the host name, or
2577 (b) NULL, implying use sender_host_name and
2578 sender_host_aliases, looking them up if required, or
2579 (c) the empty string, meaning that only IP address matches
2580 are permitted
059ec3d9
PH		 2581 host_address the host address
2582 host_ipv4 the IPv4 address taken from an IPv6 one
2583
2584Returns: OK matched
2585 FAIL did not match
2586 DEFER lookup deferred
32d668a5
PH		 2587 ERROR (a) failed to find the host name or IP address, or
2588 (b) unknown lookup type specified, or
2589 (c) host name encountered when only IP addresses are
2590 being matched
059ec3d9
PH		 2591*/
2592
32d668a5 2593int
059ec3d9
PH		 2594check_host(void *arg, uschar *ss, uschar **valueptr, uschar **error)
2595{
2596check_host_block *cb = (check_host_block *)arg;
32d668a5 2597int mlen = -1;
059ec3d9 2598int maskoffset;
32d668a5 2599BOOL iplookup = FALSE;
059ec3d9 2600BOOL isquery = FALSE;
32d668a5 2601BOOL isiponly = cb->host_name != NULL && cb->host_name[0] == 0;
1688f43b 2602uschar *t;
32d668a5 2603uschar *semicolon;
059ec3d9
PH		 2604uschar **aliases;
2605
2606/* Optimize for the special case when the pattern is "*". */
2607
2608if (*ss == '*' && ss[1] == 0) return OK;
2609
2610/* If the pattern is empty, it matches only in the case when there is no host -
2611this can occur in ACL checking for SMTP input using the -bs option. In this
2612situation, the host address is the empty string. */
2613
2614if (cb->host_address[0] == 0) return (*ss == 0)? OK : FAIL;
2615if (*ss == 0) return FAIL;
2616
32d668a5
PH		 2617/* If the pattern is precisely "@" then match against the primary host name,
2618provided that host name matching is permitted; if it's "@[]" match against the
2619local host's IP addresses. */
059ec3d9
PH		 2620
2621if (*ss == '@')
2622 {
32d668a5
PH		 2623 if (ss[1] == 0)
2624 {
2625 if (isiponly) return ERROR;
2626 ss = primary_hostname;
2627 }
059ec3d9
PH		 2628 else if (Ustrcmp(ss, "@[]") == 0)
2629 {
2630 ip_address_item *ip;
2631 for (ip = host_find_interfaces(); ip != NULL; ip = ip->next)
2632 if (Ustrcmp(ip->address, cb->host_address) == 0) return OK;
2633 return FAIL;
2634 }
2635 }
2636
2637/* If the pattern is an IP address, optionally followed by a bitmask count, do
2638a (possibly masked) comparision with the current IP address. */
2639
7e66e54d 2640if (string_is_ip_address(ss, &maskoffset) != 0)
059ec3d9
PH		 2641 return (host_is_in_net(cb->host_address, ss, maskoffset)? OK : FAIL);
2642
1688f43b
PH		 2643/* The pattern is not an IP address. A common error that people make is to omit
2644one component of an IPv4 address, either by accident, or believing that, for
2645example, 1.2.3/24 is the same as 1.2.3.0/24, or 1.2.3 is the same as 1.2.3.0,
2646which it isn't. (Those applications that do accept 1.2.3 as an IP address
2647interpret it as 1.2.0.3 because the final component becomes 16-bit - this is an
2648ancient specification.) To aid in debugging these cases, we give a specific
2649error if the pattern contains only digits and dots or contains a slash preceded
2650only by digits and dots (a slash at the start indicates a file name and of
2651course slashes may be present in lookups, but not preceded only by digits and
2652dots). */
2653
2654for (t = ss; isdigit(*t) || *t == '.'; t++);
2655if (*t == 0 || (*t == '/' && t != ss))
2656 {
2657 *error = US"malformed IPv4 address or address mask";
2658 return ERROR;
2659 }
2660
32d668a5 2661/* See if there is a semicolon in the pattern */
059ec3d9 2662
32d668a5
PH		 2663semicolon = Ustrchr(ss, ';');
2664
2665/* If we are doing an IP address only match, then all lookups must be IP
df199fec 2666address lookups, even if there is no "net-". */
32d668a5
PH		 2667
2668if (isiponly)
059ec3d9 2669 {
32d668a5
PH		 2670 iplookup = semicolon != NULL;
2671 }
059ec3d9 2672
32d668a5 2673/* Otherwise, if the item is of the form net[n]-lookup;<file|query> then it is
df199fec
PH		 2674a lookup on a masked IP network, in textual form. We obey this code even if we
2675have already set iplookup, so as to skip over the "net-" prefix and to set the
2676mask length. The net- stuff really only applies to single-key lookups where the
2677key is implicit. For query-style lookups the key is specified in the query.
2678From release 4.30, the use of net- for query style is no longer needed, but we
2679retain it for backward compatibility. */
2680
2681if (Ustrncmp(ss, "net", 3) == 0 && semicolon != NULL)
32d668a5
PH		 2682 {
2683 mlen = 0;
2684 for (t = ss + 3; isdigit(*t); t++) mlen = mlen * 10 + *t - '0';
2685 if (mlen == 0 && t == ss+3) mlen = -1; /* No mask supplied */
2686 iplookup = (*t++ == '-');
2687 }
1688f43b 2688else t = ss;
059ec3d9 2689
32d668a5 2690/* Do the IP address lookup if that is indeed what we have */
059ec3d9 2691
32d668a5
PH		 2692if (iplookup)
2693 {
2694 int insize;
2695 int search_type;
2696 int incoming[4];
2697 void *handle;
2698 uschar *filename, *key, *result;
2699 uschar buffer[64];
059ec3d9 2700
32d668a5 2701 /* Find the search type */
059ec3d9 2702
32d668a5 2703 search_type = search_findtype(t, semicolon - t);
059ec3d9 2704
32d668a5
PH		 2705 if (search_type < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
2706 search_error_message);
059ec3d9 2707
13b685f9
PH		 2708 /* Adjust parameters for the type of lookup. For a query-style lookup, there
2709 is no file name, and the "key" is just the query. For query-style with a file
2710 name, we have to fish the file off the start of the query. For a single-key
2711 lookup, the key is the current IP address, masked appropriately, and
2712 reconverted to text form, with the mask appended. For IPv6 addresses, specify
6a3bceb1
PH		 2713 dot separators instead of colons, except when the lookup type is "iplsearch".
2714 */
059ec3d9 2715
13b685f9
PH		 2716 if (mac_islookup(search_type, lookup_absfilequery))
2717 {
2718 filename = semicolon + 1;
2719 key = filename;
2720 while (*key != 0 && !isspace(*key)) key++;
2721 filename = string_copyn(filename, key - filename);
2722 while (isspace(*key)) key++;
2723 }
2724 else if (mac_islookup(search_type, lookup_querystyle))
32d668a5
PH		 2725 {
2726 filename = NULL;
2727 key = semicolon + 1;
2728 }
6a3bceb1 2729 else /* Single-key style */
32d668a5 2730 {
e6d225ae 2731 int sep = (Ustrcmp(lookup_list[search_type]->name, "iplsearch") == 0)?
6a3bceb1 2732 ':' : '.';
32d668a5
PH		 2733 insize = host_aton(cb->host_address, incoming);
2734 host_mask(insize, incoming, mlen);
6a3bceb1 2735 (void)host_nmtoa(insize, incoming, mlen, buffer, sep);
32d668a5
PH		 2736 key = buffer;
2737 filename = semicolon + 1;
059ec3d9 2738 }
32d668a5
PH		 2739
2740 /* Now do the actual lookup; note that there is no search_close() because
2741 of the caching arrangements. */
2742
2743 handle = search_open(filename, search_type, 0, NULL, NULL);
2744 if (handle == NULL) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
2745 search_error_message);
2746 result = search_find(handle, filename, key, -1, NULL, 0, 0, NULL);
2747 if (valueptr != NULL) *valueptr = result;
2748 return (result != NULL)? OK : search_find_defer? DEFER: FAIL;
059ec3d9
PH		 2749 }
2750
2751/* The pattern is not an IP address or network reference of any kind. That is,
32d668a5
PH		 2752it is a host name pattern. If this is an IP only match, there's an error in the
2753host list. */
2754
2755if (isiponly)
2756 {
2757 *error = US"cannot match host name in match_ip list";
2758 return ERROR;
2759 }
2760
2761/* Check the characters of the pattern to see if they comprise only letters,
2762digits, full stops, and hyphens (the constituents of domain names). Allow
2763underscores, as they are all too commonly found. Sigh. Also, if
2764allow_utf8_domains is set, allow top-bit characters. */
059ec3d9
PH		 2765
2766for (t = ss; *t != 0; t++)
2767 if (!isalnum(*t) && *t != '.' && *t != '-' && *t != '_' &&
2768 (!allow_utf8_domains || *t < 128)) break;
2769
2770/* If the pattern is a complete domain name, with no fancy characters, look up
2771its IP address and match against that. Note that a multi-homed host will add
2772items to the chain. */
2773
2774if (*t == 0)
2775 {
2776 int rc;
2777 host_item h;
2778 h.next = NULL;
2779 h.name = ss;
2780 h.address = NULL;
2781 h.mx = MX_NONE;
9b8fadde 2782
322050c2 2783 rc = host_find_byname(&h, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, FALSE);
059ec3d9
PH		 2784 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
2785 {
2786 host_item *hh;
2787 for (hh = &h; hh != NULL; hh = hh->next)
2788 {
96776534 2789 if (host_is_in_net(hh->address, cb->host_address, 0)) return OK;
059ec3d9
PH		 2790 }
2791 return FAIL;
2792 }
2793 if (rc == HOST_FIND_AGAIN) return DEFER;
2794 *error = string_sprintf("failed to find IP address for %s", ss);
2795 return ERROR;
2796 }
2797
2798/* Almost all subsequent comparisons require the host name, and can be done
2799using the general string matching function. When this function is called for
2800outgoing hosts, the name is always given explicitly. If it is NULL, it means we
2801must use sender_host_name and its aliases, looking them up if necessary. */
2802
2803if (cb->host_name != NULL) /* Explicit host name given */
2804 return match_check_string(cb->host_name, ss, -1, TRUE, TRUE, TRUE,
2805 valueptr);
2806
2807/* Host name not given; in principle we need the sender host name and its
2808aliases. However, for query-style lookups, we do not need the name if the
2809query does not contain $sender_host_name. From release 4.23, a reference to
2810$sender_host_name causes it to be looked up, so we don't need to do the lookup
2811on spec. */
2812
2813if ((semicolon = Ustrchr(ss, ';')) != NULL)
2814 {
2815 uschar *affix;
2816 int partial, affixlen, starflags, id;
2817
2818 *semicolon = 0;
2819 id = search_findtype_partial(ss, &partial, &affix, &affixlen, &starflags);
2820 *semicolon=';';
2821
2822 if (id < 0) /* Unknown lookup type */
2823 {
2824 log_write(0, LOG_MAIN|LOG_PANIC, "%s in host list item \"%s\"",
2825 search_error_message, ss);
2826 return DEFER;
2827 }
13b685f9 2828 isquery = mac_islookup(id, lookup_querystyle|lookup_absfilequery);
059ec3d9
PH		 2829 }
2830
2831if (isquery)
2832 {
2833 switch(match_check_string(US"", ss, -1, TRUE, TRUE, TRUE, valueptr))
2834 {
2835 case OK: return OK;
2836 case DEFER: return DEFER;
2837 default: return FAIL;
2838 }
2839 }
2840
2841/* Not a query-style lookup; must ensure the host name is present, and then we
2842do a check on the name and all its aliases. */
2843
2844if (sender_host_name == NULL)
2845 {
2846 HDEBUG(D_host_lookup)
2847 debug_printf("sender host name required, to match against %s\n", ss);
2848 if (host_lookup_failed || host_name_lookup() != OK)
2849 {
2850 *error = string_sprintf("failed to find host name for %s",
2851 sender_host_address);;
2852 return ERROR;
2853 }
2854 host_build_sender_fullhost();
2855 }
2856
2857/* Match on the sender host name, using the general matching function */
2858
2859switch(match_check_string(sender_host_name, ss, -1, TRUE, TRUE, TRUE,
2860 valueptr))
2861 {
2862 case OK: return OK;
2863 case DEFER: return DEFER;
2864 }
2865
2866/* If there are aliases, try matching on them. */
2867
2868aliases = sender_host_aliases;
2869while (*aliases != NULL)
2870 {
2871 switch(match_check_string(*aliases++, ss, -1, TRUE, TRUE, TRUE, valueptr))
2872 {
2873 case OK: return OK;
2874 case DEFER: return DEFER;
2875 }
2876 }
2877return FAIL;
2878}
2879
2880
2881
2882
2883/*************************************************
2884* Check a specific host matches a host list *
2885*************************************************/
2886
2887/* This function is passed a host list containing items in a number of
2888different formats and the identity of a host. Its job is to determine whether
2889the given host is in the set of hosts defined by the list. The host name is
2890passed as a pointer so that it can be looked up if needed and not already
2891known. This is commonly the case when called from verify_check_host() to check
2892an incoming connection. When called from elsewhere the host name should usually
2893be set.
2894
2895This function is now just a front end to match_check_list(), which runs common
2896code for scanning a list. We pass it the check_host() function to perform a
2897single test.
2898
2899Arguments:
2900 listptr pointer to the host list
2901 cache_bits pointer to cache for named lists, or NULL
2902 host_name the host name or NULL, implying use sender_host_name and
2903 sender_host_aliases, looking them up if required
2904 host_address the IP address
2905 valueptr if not NULL, data from a lookup is passed back here
2906
2907Returns: OK if the host is in the defined set
2908 FAIL if the host is not in the defined set,
2909 DEFER if a data lookup deferred (not a host lookup)
2910
2911If the host name was needed in order to make a comparison, and could not be
2912determined from the IP address, the result is FAIL unless the item
2913"+allow_unknown" was met earlier in the list, in which case OK is returned. */
2914
2915int
2916verify_check_this_host(uschar **listptr, unsigned int *cache_bits,
2917 uschar *host_name, uschar *host_address, uschar **valueptr)
2918{
d4eb88df 2919int rc;
059ec3d9 2920unsigned int *local_cache_bits = cache_bits;
d4eb88df 2921uschar *save_host_address = deliver_host_address;
059ec3d9
PH		 2922check_host_block cb;
2923cb.host_name = host_name;
2924cb.host_address = host_address;
2925
2926if (valueptr != NULL) *valueptr = NULL;
2927
2928/* If the host address starts off ::ffff: it is an IPv6 address in
2929IPv4-compatible mode. Find the IPv4 part for checking against IPv4
2930addresses. */
2931
2932cb.host_ipv4 = (Ustrncmp(host_address, "::ffff:", 7) == 0)?
2933 host_address + 7 : host_address;
2934
8e669ac1
PH		 2935/* During the running of the check, put the IP address into $host_address. In
2936the case of calls from the smtp transport, it will already be there. However,
2937in other calls (e.g. when testing ignore_target_hosts), it won't. Just to be on
d4eb88df
PH		 2938the safe side, any existing setting is preserved, though as I write this
2939(November 2004) I can't see any cases where it is actually needed. */
2940
2941deliver_host_address = host_address;
2942rc = match_check_list(
2943 listptr, /* the list */
2944 0, /* separator character */
2945 &hostlist_anchor, /* anchor pointer */
2946 &local_cache_bits, /* cache pointer */
2947 check_host, /* function for testing */
2948 &cb, /* argument for function */
2949 MCL_HOST, /* type of check */
8e669ac1 2950 (host_address == sender_host_address)?
d4eb88df
PH		 2951 US"host" : host_address, /* text for debugging */
2952 valueptr); /* where to pass back data */
2953deliver_host_address = save_host_address;
8e669ac1 2954return rc;
059ec3d9
PH		 2955}
2956
2957
2958
2959
2960/*************************************************
2961* Check the remote host matches a list *
2962*************************************************/
2963
2964/* This is a front end to verify_check_this_host(), created because checking
2965the remote host is a common occurrence. With luck, a good compiler will spot
2966the tail recursion and optimize it. If there's no host address, this is
2967command-line SMTP input - check against an empty string for the address.
2968
2969Arguments:
2970 listptr pointer to the host list
2971
2972Returns: the yield of verify_check_this_host(),
2973 i.e. OK, FAIL, or DEFER
2974*/
2975
2976int
2977verify_check_host(uschar **listptr)
2978{
2979return verify_check_this_host(listptr, sender_host_cache, NULL,
2980 (sender_host_address == NULL)? US"" : sender_host_address, NULL);
2981}
2982
2983
2984
2985
2986
2987/*************************************************
83e029d5 2988* Invert an IP address *
059ec3d9
PH		 2989*************************************************/
2990
83e029d5
PP		 2991/* Originally just used for DNS xBL lists, now also used for the
2992reverse_ip expansion operator.
2993
059ec3d9
PH		 2994Arguments:
2995 buffer where to put the answer
2996 address the address to invert
2997*/
2998
83e029d5 2999void
059ec3d9
PH		 3000invert_address(uschar *buffer, uschar *address)
3001{
3002int bin[4];
3003uschar *bptr = buffer;
3004
3005/* If this is an IPv4 address mapped into IPv6 format, adjust the pointer
3006to the IPv4 part only. */
3007
3008if (Ustrncmp(address, "::ffff:", 7) == 0) address += 7;
3009
3010/* Handle IPv4 address: when HAVE_IPV6 is false, the result of host_aton() is
3011always 1. */
3012
3013if (host_aton(address, bin) == 1)
3014 {
3015 int i;
3016 int x = bin[0];
3017 for (i = 0; i < 4; i++)
3018 {
3019 sprintf(CS bptr, "%d.", x & 255);
3020 while (*bptr) bptr++;
3021 x >>= 8;
3022 }
3023 }
3024
3025/* Handle IPv6 address. Actually, as far as I know, there are no IPv6 addresses
3026in any DNS black lists, and the format in which they will be looked up is
3027unknown. This is just a guess. */
3028
3029#if HAVE_IPV6
3030else
3031 {
3032 int i, j;
3033 for (j = 3; j >= 0; j--)
3034 {
3035 int x = bin[j];
3036 for (i = 0; i < 8; i++)
3037 {
3038 sprintf(CS bptr, "%x.", x & 15);
3039 while (*bptr) bptr++;
3040 x >>= 4;
3041 }
3042 }
3043 }
3044#endif
d6f6e0dc
PH		 3045
3046/* Remove trailing period -- this is needed so that both arbitrary
3047dnsbl keydomains and inverted addresses may be combined with the
3048same format string, "%s.%s" */
3049
3050*(--bptr) = 0;
059ec3d9
PH		 3051}
3052
3053
3054
0bcb2a0e
PH		 3055/*************************************************
3056* Perform a single dnsbl lookup *
3057*************************************************/
3058
d6f6e0dc
PH		 3059/* This function is called from verify_check_dnsbl() below. It is also called
3060recursively from within itself when domain and domain_txt are different
3061pointers, in order to get the TXT record from the alternate domain.
0bcb2a0e
PH		 3062
3063Arguments:
d6f6e0dc
PH		 3064 domain the outer dnsbl domain
3065 domain_txt alternate domain to lookup TXT record on success; when the
3066 same domain is to be used, domain_txt == domain (that is,
3067 the pointers must be identical, not just the text)
8e669ac1 3068 keydomain the current keydomain (for debug message)
d6f6e0dc
PH		 3069 prepend subdomain to lookup (like keydomain, but
3070 reversed if IP address)
3071 iplist the list of matching IP addresses, or NULL for "any"
8e669ac1 3072 bitmask true if bitmask matching is wanted
431b7361
PH		 3073 match_type condition for 'succeed' result
3074 0 => Any RR in iplist (=)
3075 1 => No RR in iplist (!=)
3076 2 => All RRs in iplist (==)
3077 3 => Some RRs not in iplist (!==)
3078 the two bits are defined as MT_NOT and MT_ALL
8e669ac1 3079 defer_return what to return for a defer
0bcb2a0e
PH		 3080
3081Returns: OK if lookup succeeded
3082 FAIL if not
3083*/
3084
3085static int
d6f6e0dc 3086one_check_dnsbl(uschar *domain, uschar *domain_txt, uschar *keydomain,
431b7361 3087 uschar *prepend, uschar *iplist, BOOL bitmask, int match_type,
d6f6e0dc 3088 int defer_return)
8e669ac1 3089{
0bcb2a0e
PH		 3090dns_answer dnsa;
3091dns_scan dnss;
3092tree_node *t;
3093dnsbl_cache_block *cb;
3094int old_pool = store_pool;
d6f6e0dc
PH		 3095uschar query[256]; /* DNS domain max length */
3096
3097/* Construct the specific query domainname */
3098
3099if (!string_format(query, sizeof(query), "%s.%s", prepend, domain))
3100 {
3101 log_write(0, LOG_MAIN|LOG_PANIC, "dnslist query is too long "
3102 "(ignored): %s...", query);
3103 return FAIL;
3104 }
0bcb2a0e
PH		 3105
3106/* Look for this query in the cache. */
3107
3108t = tree_search(dnsbl_cache, query);
3109
3110/* If not cached from a previous lookup, we must do a DNS lookup, and
3111cache the result in permanent memory. */
3112
3113if (t == NULL)
3114 {
3115 store_pool = POOL_PERM;
3116
3117 /* Set up a tree entry to cache the lookup */
3118
3119 t = store_get(sizeof(tree_node) + Ustrlen(query));
3120 Ustrcpy(t->name, query);
3121 t->data.ptr = cb = store_get(sizeof(dnsbl_cache_block));
3122 (void)tree_insertnode(&dnsbl_cache, t);
3123
3124 /* Do the DNS loopup . */
3125
3126 HDEBUG(D_dnsbl) debug_printf("new DNS lookup for %s\n", query);
3127 cb->rc = dns_basic_lookup(&dnsa, query, T_A);
3128 cb->text_set = FALSE;
3129 cb->text = NULL;
3130 cb->rhs = NULL;
3131
3132 /* If the lookup succeeded, cache the RHS address. The code allows for
3133 more than one address - this was for complete generality and the possible
3134 use of A6 records. However, A6 records have been reduced to experimental
3135 status (August 2001) and may die out. So they may never get used at all,
3136 let alone in dnsbl records. However, leave the code here, just in case.
3137
3138 Quite apart from one A6 RR generating multiple addresses, there are DNS
3139 lists that return more than one A record, so we must handle multiple
3140 addresses generated in that way as well. */
3141
3142 if (cb->rc == DNS_SUCCEED)
3143 {
3144 dns_record *rr;
3145 dns_address **addrp = &(cb->rhs);
3146 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
3147 rr != NULL;
3148 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
3149 {
3150 if (rr->type == T_A)
3151 {
3152 dns_address *da = dns_address_from_rr(&dnsa, rr);
3153 if (da != NULL)
3154 {
3155 *addrp = da;
3156 while (da->next != NULL) da = da->next;
3157 addrp = &(da->next);
3158 }
3159 }
3160 }
3161
3162 /* If we didn't find any A records, change the return code. This can
3163 happen when there is a CNAME record but there are no A records for what
3164 it points to. */
3165
3166 if (cb->rhs == NULL) cb->rc = DNS_NODATA;
3167 }
3168
3169 store_pool = old_pool;
3170 }
3171
3172/* Previous lookup was cached */
3173
3174else
3175 {
3176 HDEBUG(D_dnsbl) debug_printf("using result of previous DNS lookup\n");
3177 cb = t->data.ptr;
3178 }
3179
3180/* We now have the result of the DNS lookup, either newly done, or cached
3181from a previous call. If the lookup succeeded, check against the address
3182list if there is one. This may be a positive equality list (introduced by
3183"="), a negative equality list (introduced by "!="), a positive bitmask
3184list (introduced by "&"), or a negative bitmask list (introduced by "!&").*/
3185
3186if (cb->rc == DNS_SUCCEED)
3187 {
3188 dns_address *da = NULL;
3189 uschar *addlist = cb->rhs->address;
3190
3191 /* For A and AAAA records, there may be multiple addresses from multiple
3192 records. For A6 records (currently not expected to be used) there may be
3193 multiple addresses from a single record. */
3194
3195 for (da = cb->rhs->next; da != NULL; da = da->next)
3196 addlist = string_sprintf("%s, %s", addlist, da->address);
3197
3198 HDEBUG(D_dnsbl) debug_printf("DNS lookup for %s succeeded (yielding %s)\n",
3199 query, addlist);
3200
3201 /* Address list check; this can be either for equality, or via a bitmask.
3202 In the latter case, all the bits must match. */
3203
3204 if (iplist != NULL)
3205 {
431b7361 3206 for (da = cb->rhs; da != NULL; da = da->next)
0bcb2a0e 3207 {
431b7361
PH		 3208 int ipsep = ',';
3209 uschar ip[46];
3210 uschar *ptr = iplist;
3211 uschar *res;
3212
0bcb2a0e 3213 /* Handle exact matching */
431b7361 3214
0bcb2a0e
PH		 3215 if (!bitmask)
3216 {
431b7361 3217 while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))) != NULL)
0bcb2a0e
PH		 3218 {
3219 if (Ustrcmp(CS da->address, ip) == 0) break;
3220 }
3221 }
431b7361 3222
0bcb2a0e 3223 /* Handle bitmask matching */
431b7361 3224
0bcb2a0e
PH		 3225 else
3226 {
3227 int address[4];
3228 int mask = 0;
3229
3230 /* At present, all known DNS blocking lists use A records, with
3231 IPv4 addresses on the RHS encoding the information they return. I
3232 wonder if this will linger on as the last vestige of IPv4 when IPv6
3233 is ubiquitous? Anyway, for now we use paranoia code to completely
3234 ignore IPv6 addresses. The default mask is 0, which always matches.
3235 We change this only for IPv4 addresses in the list. */
3236
431b7361 3237 if (host_aton(da->address, address) == 1) mask = address[0];
0bcb2a0e
PH		 3238
3239 /* Scan the returned addresses, skipping any that are IPv6 */
3240
431b7361 3241 while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))) != NULL)
0bcb2a0e 3242 {
431b7361
PH		 3243 if (host_aton(ip, address) != 1) continue;
3244 if ((address[0] & mask) == address[0]) break;
0bcb2a0e
PH		 3245 }
3246 }
3247
431b7361
PH		 3248 /* If either
3249
3250 (a) An IP address in an any ('=') list matched, or
3251 (b) No IP address in an all ('==') list matched
0bcb2a0e 3252
431b7361
PH		 3253 then we're done searching. */
3254
3255 if (((match_type & MT_ALL) != 0) == (res == NULL)) break;
0bcb2a0e
PH		 3256 }
3257
431b7361 3258 /* If da == NULL, either
0bcb2a0e 3259
431b7361
PH		 3260 (a) No IP address in an any ('=') list matched, or
3261 (b) An IP address in an all ('==') list didn't match
0bcb2a0e 3262
431b7361
PH		 3263 so behave as if the DNSBL lookup had not succeeded, i.e. the host is not on
3264 the list. */
0bcb2a0e 3265
431b7361 3266 if ((match_type == MT_NOT || match_type == MT_ALL) != (da == NULL))
0bcb2a0e
PH		 3267 {
3268 HDEBUG(D_dnsbl)
3269 {
431b7361
PH		 3270 uschar *res = NULL;
3271 switch(match_type)
3272 {
3273 case 0:
3274 res = US"was no match";
3275 break;
3276 case MT_NOT:
3277 res = US"was an exclude match";
3278 break;
3279 case MT_ALL:
3280 res = US"was an IP address that did not match";
3281 break;
3282 case MT_NOT|MT_ALL:
3283 res = US"were no IP addresses that did not match";
3284 break;
3285 }
0bcb2a0e 3286 debug_printf("=> but we are not accepting this block class because\n");
431b7361
PH		 3287 debug_printf("=> there %s for %s%c%s\n",
3288 res,
3289 ((match_type & MT_ALL) == 0)? "" : "=",
3290 bitmask? '&' : '=', iplist);
0bcb2a0e 3291 }
8e669ac1 3292 return FAIL;
0bcb2a0e
PH		 3293 }
3294 }
3295
d6f6e0dc
PH		 3296 /* Either there was no IP list, or the record matched, implying that the
3297 domain is on the list. We now want to find a corresponding TXT record. If an
3298 alternate domain is specified for the TXT record, call this function
3299 recursively to look that up; this has the side effect of re-checking that
3300 there is indeed an A record at the alternate domain. */
3301
3302 if (domain_txt != domain)
3303 return one_check_dnsbl(domain_txt, domain_txt, keydomain, prepend, NULL,
431b7361 3304 FALSE, match_type, defer_return);
d6f6e0dc
PH		 3305
3306 /* If there is no alternate domain, look up a TXT record in the main domain
3307 if it has not previously been cached. */
0bcb2a0e
PH		 3308
3309 if (!cb->text_set)
3310 {
3311 cb->text_set = TRUE;
3312 if (dns_basic_lookup(&dnsa, query, T_TXT) == DNS_SUCCEED)
3313 {
3314 dns_record *rr;
3315 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
3316 rr != NULL;
3317 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
3318 if (rr->type == T_TXT) break;
3319 if (rr != NULL)
3320 {
3321 int len = (rr->data)[0];
3322 if (len > 511) len = 127;
3323 store_pool = POOL_PERM;
3324 cb->text = string_sprintf("%.*s", len, (const uschar *)(rr->data+1));
3325 store_pool = old_pool;
3326 }
3327 }
3328 }
3329
3330 dnslist_value = addlist;
3331 dnslist_text = cb->text;
3332 return OK;
3333 }
3334
3335/* There was a problem with the DNS lookup */
3336
3337if (cb->rc != DNS_NOMATCH && cb->rc != DNS_NODATA)
3338 {
3339 log_write(L_dnslist_defer, LOG_MAIN,
3340 "DNS list lookup defer (probably timeout) for %s: %s", query,
3341 (defer_return == OK)? US"assumed in list" :
3342 (defer_return == FAIL)? US"assumed not in list" :
3343 US"returned DEFER");
3344 return defer_return;
3345 }
3346
3347/* No entry was found in the DNS; continue for next domain */
3348
3349HDEBUG(D_dnsbl)
3350 {
3351 debug_printf("DNS lookup for %s failed\n", query);
3352 debug_printf("=> that means %s is not listed at %s\n",
3353 keydomain, domain);
3354 }
3355
3356return FAIL;
3357}
3358
3359
3360
3361
059ec3d9
PH		 3362/*************************************************
3363* Check host against DNS black lists *
3364*************************************************/
3365
3366/* This function runs checks against a list of DNS black lists, until one
3367matches. Each item on the list can be of the form
3368
3369 domain=ip-address/key
3370
3371The domain is the right-most domain that is used for the query, for example,
3372blackholes.mail-abuse.org. If the IP address is present, there is a match only
3373if the DNS lookup returns a matching IP address. Several addresses may be
3374given, comma-separated, for example: x.y.z=127.0.0.1,127.0.0.2.
3375
3376If no key is given, what is looked up in the domain is the inverted IP address
3377of the current client host. If a key is given, it is used to construct the
d6f6e0dc 3378domain for the lookup. For example:
059ec3d9
PH		 3379
3380 dsn.rfc-ignorant.org/$sender_address_domain
3381
3382After finding a match in the DNS, the domain is placed in $dnslist_domain, and
3383then we check for a TXT record for an error message, and if found, save its
3384value in $dnslist_text. We also cache everything in a tree, to optimize
3385multiple lookups.
3386
d6f6e0dc
PH		 3387The TXT record is normally looked up in the same domain as the A record, but
3388when many lists are combined in a single DNS domain, this will not be a very
3389specific message. It is possible to specify a different domain for looking up
3390TXT records; this is given before the main domain, comma-separated. For
3391example:
3392
3393 dnslists = http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \
3394 socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3
3395
3396The caching ensures that only one lookup in dnsbl.sorbs.net is done.
3397
059ec3d9
PH		 3398Note: an address for testing RBL is 192.203.178.39
3399Note: an address for testing DUL is 192.203.178.4
3400Note: a domain for testing RFCI is example.tld.dsn.rfc-ignorant.org
3401
3402Arguments:
3403 listptr the domain/address/data list
3404
3405Returns: OK successful lookup (i.e. the address is on the list), or
3406 lookup deferred after +include_unknown
3407 FAIL name not found, or no data found for the given type, or
3408 lookup deferred after +exclude_unknown (default)
3409 DEFER lookup failure, if +defer_unknown was set
3410*/
3411
3412int
3413verify_check_dnsbl(uschar **listptr)
3414{
3415int sep = 0;
3416int defer_return = FAIL;
059ec3d9
PH		 3417uschar *list = *listptr;
3418uschar *domain;
3419uschar *s;
3420uschar buffer[1024];
059ec3d9
PH		 3421uschar revadd[128]; /* Long enough for IPv6 address */
3422
3423/* Indicate that the inverted IP address is not yet set up */
3424
3425revadd[0] = 0;
3426
0bcb2a0e
PH		 3427/* In case this is the first time the DNS resolver is being used. */
3428
3429dns_init(FALSE, FALSE);
3430
059ec3d9
PH		 3431/* Loop through all the domains supplied, until something matches */
3432
3433while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
3434 {
0bcb2a0e 3435 int rc;
059ec3d9 3436 BOOL bitmask = FALSE;
431b7361 3437 int match_type = 0;
d6f6e0dc
PH		 3438 uschar *domain_txt;
3439 uschar *comma;
059ec3d9
PH		 3440 uschar *iplist;
3441 uschar *key;
059ec3d9
PH		 3442
3443 HDEBUG(D_dnsbl) debug_printf("DNS list check: %s\n", domain);
3444
3445 /* Deal with special values that change the behaviour on defer */
3446
3447 if (domain[0] == '+')
3448 {
3449 if (strcmpic(domain, US"+include_unknown") == 0) defer_return = OK;
3450 else if (strcmpic(domain, US"+exclude_unknown") == 0) defer_return = FAIL;
3451 else if (strcmpic(domain, US"+defer_unknown") == 0) defer_return = DEFER;
3452 else
3453 log_write(0, LOG_MAIN|LOG_PANIC, "unknown item in dnslist (ignored): %s",
3454 domain);
3455 continue;
3456 }
3457
3458 /* See if there's explicit data to be looked up */
3459
3460 key = Ustrchr(domain, '/');
3461 if (key != NULL) *key++ = 0;
3462
3463 /* See if there's a list of addresses supplied after the domain name. This is
431b7361
PH		 3464 introduced by an = or a & character; if preceded by = we require all matches
3465 and if preceded by ! we invert the result. */
059ec3d9
PH		 3466
3467 iplist = Ustrchr(domain, '=');
3468 if (iplist == NULL)
3469 {
3470 bitmask = TRUE;
3471 iplist = Ustrchr(domain, '&');
3472 }
3473
431b7361 3474 if (iplist != NULL) /* Found either = or & */
059ec3d9 3475 {
431b7361 3476 if (iplist > domain && iplist[-1] == '!') /* Handle preceding ! */
059ec3d9 3477 {
431b7361 3478 match_type |= MT_NOT;
059ec3d9
PH		 3479 iplist[-1] = 0;
3480 }
431b7361
PH		 3481
3482 *iplist++ = 0; /* Terminate domain, move on */
3483
3484 /* If we found = (bitmask == FALSE), check for == or =& */
3485
3486 if (!bitmask && (*iplist == '=' || *iplist == '&'))
3487 {
3488 bitmask = *iplist++ == '&';
3489 match_type |= MT_ALL;
3490 }
059ec3d9
PH		 3491 }
3492
d6f6e0dc
PH		 3493 /* If there is a comma in the domain, it indicates that a second domain for
3494 looking up TXT records is provided, before the main domain. Otherwise we must
3495 set domain_txt == domain. */
3496
3497 domain_txt = domain;
3498 comma = Ustrchr(domain, ',');
3499 if (comma != NULL)
3500 {
3501 *comma++ = 0;
3502 domain = comma;
3503 }
3504
059ec3d9
PH		 3505 /* Check that what we have left is a sensible domain name. There is no reason
3506 why these domains should in fact use the same syntax as hosts and email
3507 domains, but in practice they seem to. However, there is little point in
3508 actually causing an error here, because that would no doubt hold up incoming
3509 mail. Instead, I'll just log it. */
3510
3511 for (s = domain; *s != 0; s++)
3512 {
09dcaba9 3513 if (!isalnum(*s) && *s != '-' && *s != '.' && *s != '_')
059ec3d9
PH		 3514 {
3515 log_write(0, LOG_MAIN, "dnslists domain \"%s\" contains "
3516 "strange characters - is this right?", domain);
3517 break;
3518 }
3519 }
3520
d6f6e0dc
PH		 3521 /* Check the alternate domain if present */
3522
3523 if (domain_txt != domain) for (s = domain_txt; *s != 0; s++)
3524 {
09dcaba9 3525 if (!isalnum(*s) && *s != '-' && *s != '.' && *s != '_')
d6f6e0dc
PH		 3526 {
3527 log_write(0, LOG_MAIN, "dnslists domain \"%s\" contains "
3528 "strange characters - is this right?", domain_txt);
3529 break;
3530 }
3531 }
3532
8e669ac1 3533 /* If there is no key string, construct the query by adding the domain name
0bcb2a0e 3534 onto the inverted host address, and perform a single DNS lookup. */
8e669ac1 3535
059ec3d9
PH		 3536 if (key == NULL)
3537 {
3538 if (sender_host_address == NULL) return FAIL; /* can never match */
3539 if (revadd[0] == 0) invert_address(revadd, sender_host_address);
d6f6e0dc 3540 rc = one_check_dnsbl(domain, domain_txt, sender_host_address, revadd,
431b7361 3541 iplist, bitmask, match_type, defer_return);
0bcb2a0e
PH		 3542 if (rc == OK)
3543 {
d6f6e0dc 3544 dnslist_domain = string_copy(domain_txt);
93655c46 3545 dnslist_matched = string_copy(sender_host_address);
8e669ac1 3546 HDEBUG(D_dnsbl) debug_printf("=> that means %s is listed at %s\n",
d6f6e0dc 3547 sender_host_address, dnslist_domain);
0bcb2a0e 3548 }
0bcb2a0e 3549 if (rc != FAIL) return rc; /* OK or DEFER */
059ec3d9 3550 }
8e669ac1
PH		 3551
3552 /* If there is a key string, it can be a list of domains or IP addresses to
0bcb2a0e 3553 be concatenated with the main domain. */
8e669ac1 3554
059ec3d9
PH		 3555 else
3556 {
0bcb2a0e 3557 int keysep = 0;
8e669ac1
PH		 3558 BOOL defer = FALSE;
3559 uschar *keydomain;
0bcb2a0e 3560 uschar keybuffer[256];
d6f6e0dc 3561 uschar keyrevadd[128];
8e669ac1
PH		 3562
3563 while ((keydomain = string_nextinlist(&key, &keysep, keybuffer,
0bcb2a0e 3564 sizeof(keybuffer))) != NULL)
8e669ac1 3565 {
d6f6e0dc
PH		 3566 uschar *prepend = keydomain;
3567
7e66e54d 3568 if (string_is_ip_address(keydomain, NULL) != 0)
059ec3d9 3569 {
0bcb2a0e 3570 invert_address(keyrevadd, keydomain);
d6f6e0dc 3571 prepend = keyrevadd;
059ec3d9 3572 }
8e669ac1 3573
d6f6e0dc 3574 rc = one_check_dnsbl(domain, domain_txt, keydomain, prepend, iplist,
431b7361 3575 bitmask, match_type, defer_return);
8e669ac1 3576
0bcb2a0e 3577 if (rc == OK)
059ec3d9 3578 {
d6f6e0dc 3579 dnslist_domain = string_copy(domain_txt);
93655c46 3580 dnslist_matched = string_copy(keydomain);
8e669ac1 3581 HDEBUG(D_dnsbl) debug_printf("=> that means %s is listed at %s\n",
d6f6e0dc 3582 keydomain, dnslist_domain);
8e669ac1 3583 return OK;
059ec3d9 3584 }
8e669ac1 3585
c38d6da9
PH		 3586 /* If the lookup deferred, remember this fact. We keep trying the rest
3587 of the list to see if we get a useful result, and if we don't, we return
3588 DEFER at the end. */
059ec3d9 3589
c38d6da9 3590 if (rc == DEFER) defer = TRUE;
0bcb2a0e 3591 } /* continue with next keystring domain/address */
c38d6da9
PH		 3592
3593 if (defer) return DEFER;
8e669ac1 3594 }
0bcb2a0e 3595 } /* continue with next dnsdb outer domain */
059ec3d9
PH		 3596
3597return FAIL;
3598}
3599
3600/* End of verify.c */
Unnamed repository; edit this file 'description' to name the repository.