use smtp_context struct for sync_responses()
[exim.git] / src / src / verify.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
80fea873 5/* Copyright (c) University of Cambridge 1995 - 2016 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Functions concerned with verifying things. The original code for callout
9caching was contributed by Kevin Fleming (but I hacked it around a bit). */
10
11
12#include "exim.h"
817d9f57 13#include "transports/smtp.h"
059ec3d9 14
e4bdf652
JH
15#define CUTTHROUGH_CMD_TIMEOUT 30 /* timeout for cutthrough-routing calls */
16#define CUTTHROUGH_DATA_TIMEOUT 60 /* timeout for cutthrough-routing calls */
817d9f57
JH
17static smtp_outblock ctblock;
18uschar ctbuffer[8192];
19
059ec3d9
PH
20
21/* Structure for caching DNSBL lookups */
22
23typedef struct dnsbl_cache_block {
14b3c5bc 24 time_t expiry;
059ec3d9
PH
25 dns_address *rhs;
26 uschar *text;
27 int rc;
28 BOOL text_set;
29} dnsbl_cache_block;
30
31
32/* Anchor for DNSBL cache */
33
34static tree_node *dnsbl_cache = NULL;
35
36
431b7361
PH
37/* Bits for match_type in one_check_dnsbl() */
38
39#define MT_NOT 1
40#define MT_ALL 2
41
2760b518 42static uschar cutthrough_response(char, uschar **, int);
431b7361 43
8d330698 44
059ec3d9
PH
45
46/*************************************************
47* Retrieve a callout cache record *
48*************************************************/
49
50/* If a record exists, check whether it has expired.
51
52Arguments:
53 dbm_file an open hints file
54 key the record key
55 type "address" or "domain"
56 positive_expire expire time for positive records
57 negative_expire expire time for negative records
58
59Returns: the cache record if a non-expired one exists, else NULL
60*/
61
62static dbdata_callout_cache *
55414b25 63get_callout_cache_record(open_db *dbm_file, const uschar *key, uschar *type,
059ec3d9
PH
64 int positive_expire, int negative_expire)
65{
66BOOL negative;
67int length, expire;
68time_t now;
69dbdata_callout_cache *cache_record;
70
71cache_record = dbfn_read_with_length(dbm_file, key, &length);
72
73if (cache_record == NULL)
74 {
6f4d5ad3 75 HDEBUG(D_verify) debug_printf("callout cache: no %s record found for %s\n", type, key);
059ec3d9
PH
76 return NULL;
77 }
78
79/* We treat a record as "negative" if its result field is not positive, or if
80it is a domain record and the postmaster field is negative. */
81
82negative = cache_record->result != ccache_accept ||
83 (type[0] == 'd' && cache_record->postmaster_result == ccache_reject);
84expire = negative? negative_expire : positive_expire;
85now = time(NULL);
86
87if (now - cache_record->time_stamp > expire)
88 {
6f4d5ad3 89 HDEBUG(D_verify) debug_printf("callout cache: %s record expired for %s\n", type, key);
059ec3d9
PH
90 return NULL;
91 }
92
93/* If this is a non-reject domain record, check for the obsolete format version
94that doesn't have the postmaster and random timestamps, by looking at the
95length. If so, copy it to a new-style block, replicating the record's
96timestamp. Then check the additional timestamps. (There's no point wasting
97effort if connections are rejected.) */
98
99if (type[0] == 'd' && cache_record->result != ccache_reject)
100 {
101 if (length == sizeof(dbdata_callout_cache_obs))
102 {
103 dbdata_callout_cache *new = store_get(sizeof(dbdata_callout_cache));
104 memcpy(new, cache_record, length);
105 new->postmaster_stamp = new->random_stamp = new->time_stamp;
106 cache_record = new;
107 }
108
109 if (now - cache_record->postmaster_stamp > expire)
110 cache_record->postmaster_result = ccache_unknown;
111
112 if (now - cache_record->random_stamp > expire)
113 cache_record->random_result = ccache_unknown;
114 }
115
6f4d5ad3 116HDEBUG(D_verify) debug_printf("callout cache: found %s record for %s\n", type, key);
059ec3d9
PH
117return cache_record;
118}
119
120
121
707ee5b1
JH
122/* Check the callout cache.
123Options * pm_mailfrom may be modified by cache partial results.
059ec3d9 124
707ee5b1 125Return: TRUE if result found
059ec3d9
PH
126*/
127
707ee5b1
JH
128static BOOL
129cached_callout_lookup(address_item * addr, uschar * address_key,
130 uschar * from_address, int * opt_ptr, uschar ** pm_ptr,
131 int * yield, uschar ** failure_ptr,
132 dbdata_callout_cache * new_domain_record, int * old_domain_res)
059ec3d9 133{
707ee5b1 134int options = *opt_ptr;
059ec3d9
PH
135open_db dbblock;
136open_db *dbm_file = NULL;
059ec3d9
PH
137
138/* Open the callout cache database, it it exists, for reading only at this
139stage, unless caching has been disabled. */
140
8b9476ba 141if (options & vopt_callout_no_cache)
059ec3d9
PH
142 {
143 HDEBUG(D_verify) debug_printf("callout cache: disabled by no_cache\n");
144 }
707ee5b1 145else if (!(dbm_file = dbfn_open(US"callout", O_RDWR, &dbblock, FALSE)))
059ec3d9
PH
146 {
147 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
148 }
707ee5b1 149else
059ec3d9 150 {
707ee5b1
JH
151 /* If a cache database is available see if we can avoid the need to do an
152 actual callout by making use of previously-obtained data. */
153
154 dbdata_callout_cache_address * cache_address_record;
155 dbdata_callout_cache * cache_record = get_callout_cache_record(dbm_file,
156 addr->domain, US"domain",
157 callout_cache_domain_positive_expire, callout_cache_domain_negative_expire);
059ec3d9
PH
158
159 /* If an unexpired cache record was found for this domain, see if the callout
160 process can be short-circuited. */
161
ff5929e3 162 if (cache_record)
059ec3d9 163 {
2b1c6e3a
PH
164 /* In most cases, if an early command (up to and including MAIL FROM:<>)
165 was rejected, there is no point carrying on. The callout fails. However, if
166 we are doing a recipient verification with use_sender or use_postmaster
167 set, a previous failure of MAIL FROM:<> doesn't count, because this time we
168 will be using a non-empty sender. We have to remember this situation so as
169 not to disturb the cached domain value if this whole verification succeeds
170 (we don't want it turning into "accept"). */
171
707ee5b1 172 *old_domain_res = cache_record->result;
2b1c6e3a 173
707ee5b1
JH
174 if ( cache_record->result == ccache_reject
175 || *from_address == 0 && cache_record->result == ccache_reject_mfnull)
059ec3d9
PH
176 {
177 setflag(addr, af_verify_nsfail);
178 HDEBUG(D_verify)
707ee5b1
JH
179 debug_printf("callout cache: domain gave initial rejection, or "
180 "does not accept HELO or MAIL FROM:<>\n");
059ec3d9
PH
181 setflag(addr, af_verify_nsfail);
182 addr->user_message = US"(result of an earlier callout reused).";
707ee5b1 183 *yield = FAIL;
8e669ac1 184 *failure_ptr = US"mail";
707ee5b1
JH
185 dbfn_close(dbm_file);
186 return TRUE;
059ec3d9
PH
187 }
188
189 /* If a previous check on a "random" local part was accepted, we assume
190 that the server does not do any checking on local parts. There is therefore
191 no point in doing the callout, because it will always be successful. If a
192 random check previously failed, arrange not to do it again, but preserve
193 the data in the new record. If a random check is required but hasn't been
194 done, skip the remaining cache processing. */
195
8b9476ba 196 if (options & vopt_callout_random) switch(cache_record->random_result)
059ec3d9
PH
197 {
198 case ccache_accept:
8b9476ba
JH
199 HDEBUG(D_verify)
200 debug_printf("callout cache: domain accepts random addresses\n");
707ee5b1
JH
201 dbfn_close(dbm_file);
202 return TRUE; /* Default yield is OK */
059ec3d9
PH
203
204 case ccache_reject:
8b9476ba
JH
205 HDEBUG(D_verify)
206 debug_printf("callout cache: domain rejects random addresses\n");
707ee5b1
JH
207 *opt_ptr = options & ~vopt_callout_random;
208 new_domain_record->random_result = ccache_reject;
209 new_domain_record->random_stamp = cache_record->random_stamp;
8b9476ba 210 break;
059ec3d9
PH
211
212 default:
8b9476ba
JH
213 HDEBUG(D_verify)
214 debug_printf("callout cache: need to check random address handling "
215 "(not cached or cache expired)\n");
707ee5b1
JH
216 dbfn_close(dbm_file);
217 return FALSE;
059ec3d9
PH
218 }
219
220 /* If a postmaster check is requested, but there was a previous failure,
221 there is again no point in carrying on. If a postmaster check is required,
222 but has not been done before, we are going to have to do a callout, so skip
223 remaining cache processing. */
224
707ee5b1 225 if (*pm_ptr)
059ec3d9
PH
226 {
227 if (cache_record->postmaster_result == ccache_reject)
707ee5b1
JH
228 {
229 setflag(addr, af_verify_pmfail);
230 HDEBUG(D_verify)
231 debug_printf("callout cache: domain does not accept "
232 "RCPT TO:<postmaster@domain>\n");
233 *yield = FAIL;
234 *failure_ptr = US"postmaster";
235 setflag(addr, af_verify_pmfail);
236 addr->user_message = US"(result of earlier verification reused).";
237 dbfn_close(dbm_file);
238 return TRUE;
239 }
059ec3d9 240 if (cache_record->postmaster_result == ccache_unknown)
707ee5b1
JH
241 {
242 HDEBUG(D_verify)
243 debug_printf("callout cache: need to check RCPT "
244 "TO:<postmaster@domain> (not cached or cache expired)\n");
245 dbfn_close(dbm_file);
246 return FALSE;
247 }
059ec3d9
PH
248
249 /* If cache says OK, set pm_mailfrom NULL to prevent a redundant
250 postmaster check if the address itself has to be checked. Also ensure
251 that the value in the cache record is preserved (with its old timestamp).
252 */
253
254 HDEBUG(D_verify) debug_printf("callout cache: domain accepts RCPT "
707ee5b1
JH
255 "TO:<postmaster@domain>\n");
256 *pm_ptr = NULL;
257 new_domain_record->postmaster_result = ccache_accept;
258 new_domain_record->postmaster_stamp = cache_record->postmaster_stamp;
059ec3d9
PH
259 }
260 }
261
262 /* We can't give a result based on information about the domain. See if there
263 is an unexpired cache record for this specific address (combined with the
264 sender address if we are doing a recipient callout with a non-empty sender).
265 */
266
707ee5b1
JH
267 if (!(cache_address_record = (dbdata_callout_cache_address *)
268 get_callout_cache_record(dbm_file, address_key, US"address",
269 callout_cache_positive_expire, callout_cache_negative_expire)))
270 {
271 dbfn_close(dbm_file);
272 return FALSE;
273 }
059ec3d9 274
707ee5b1 275 if (cache_address_record->result == ccache_accept)
059ec3d9 276 {
707ee5b1
JH
277 HDEBUG(D_verify)
278 debug_printf("callout cache: address record is positive\n");
279 }
280 else
281 {
282 HDEBUG(D_verify)
283 debug_printf("callout cache: address record is negative\n");
284 addr->user_message = US"Previous (cached) callout verification failure";
285 *failure_ptr = US"recipient";
286 *yield = FAIL;
059ec3d9
PH
287 }
288
289 /* Close the cache database while we actually do the callout for real. */
290
059ec3d9 291 dbfn_close(dbm_file);
707ee5b1
JH
292 return TRUE;
293 }
294return FALSE;
295}
296
297
298/* Write results to callout cache
299*/
300static void
301cache_callout_write(dbdata_callout_cache * dom_rec, const uschar * domain,
302 int done, dbdata_callout_cache_address * addr_rec, uschar * address_key)
303{
304open_db dbblock;
305open_db *dbm_file = NULL;
306
307/* If we get here with done == TRUE, a successful callout happened, and yield
308will be set OK or FAIL according to the response to the RCPT command.
309Otherwise, we looped through the hosts but couldn't complete the business.
310However, there may be domain-specific information to cache in both cases.
311
312The value of the result field in the new_domain record is ccache_unknown if
313there was an error before or with MAIL FROM:, and errno was not zero,
314implying some kind of I/O error. We don't want to write the cache in that case.
315Otherwise the value is ccache_accept, ccache_reject, or ccache_reject_mfnull. */
316
317if (dom_rec->result != ccache_unknown)
318 if (!(dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE)))
319 {
320 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
321 }
322 else
323 {
324 (void)dbfn_write(dbm_file, domain, dom_rec,
325 (int)sizeof(dbdata_callout_cache));
326 HDEBUG(D_verify) debug_printf("wrote callout cache domain record for %s:\n"
327 " result=%d postmaster=%d random=%d\n",
328 domain,
329 dom_rec->result,
330 dom_rec->postmaster_result,
331 dom_rec->random_result);
332 }
333
334/* If a definite result was obtained for the callout, cache it unless caching
335is disabled. */
336
337if (done && addr_rec->result != ccache_unknown)
338 {
339 if (!dbm_file)
340 dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE);
341 if (!dbm_file)
342 {
343 HDEBUG(D_verify) debug_printf("no callout cache available\n");
344 }
345 else
346 {
347 (void)dbfn_write(dbm_file, address_key, addr_rec,
348 (int)sizeof(dbdata_callout_cache_address));
349 HDEBUG(D_verify) debug_printf("wrote %s callout cache address record for %s\n",
350 addr_rec->result == ccache_accept ? "positive" : "negative",
351 address_key);
352 }
353 }
354
355if (dbm_file) dbfn_close(dbm_file);
356}
357
358
c4c940fd
JH
359/* Cutthrough-multi. If the existing cached cutthrough connection matches
360the one we would make for a subsequent recipient, use it. Send the RCPT TO
361and check the result, nonpipelined as it may be wanted immediately for
362recipient-verification.
363
364It seems simpler to deal with this case separately from the main callout loop.
365We will need to remember it has sent, or not, so that rcpt-acl tail code
366can do it there for the non-rcpt-verify case. For this we keep an addresscount.
367
368Return: TRUE for a definitive result for the recipient
369*/
370static int
371cutthrough_multi(address_item * addr, host_item * host_list,
372 transport_feedback * tf, int * yield)
373{
374BOOL done = FALSE;
375host_item * host;
376
377if (addr->transport == cutthrough.addr.transport)
378 for (host = host_list; host; host = host->next)
379 if (Ustrcmp(host->address, cutthrough.host.address) == 0)
380 {
381 int host_af;
382 uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
383 int port = 25;
384
385 deliver_host = host->name;
386 deliver_host_address = host->address;
387 deliver_host_port = host->port;
388 deliver_domain = addr->domain;
389 transport_name = addr->transport->name;
390
391 host_af = (Ustrchr(host->address, ':') == NULL)? AF_INET:AF_INET6;
392
393 if (!smtp_get_interface(tf->interface, host_af, addr, &interface,
394 US"callout") ||
395 !smtp_get_port(tf->port, addr, &port, US"callout"))
396 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
397 addr->message);
398
399 if ( ( interface == cutthrough.interface
400 || ( interface
401 && cutthrough.interface
402 && Ustrcmp(interface, cutthrough.interface) == 0
403 ) )
404 && port == cutthrough.host.port
405 )
406 {
407 uschar * resp = NULL;
408
409 /* Match! Send the RCPT TO, set done from the response */
410 done =
411 smtp_write_command(&ctblock, FALSE, "RCPT TO:<%.1000s>\r\n",
412 transport_rcpt_address(addr,
413 addr->transport->rcpt_include_affixes)) >= 0 &&
414 cutthrough_response('2', &resp, CUTTHROUGH_DATA_TIMEOUT) == '2';
415
416 /* This would go horribly wrong if a callout fail was ignored by ACL.
417 We punt by abandoning cutthrough on a reject, like the
418 first-rcpt does. */
419
420 if (done)
421 {
422 address_item * na = store_get(sizeof(address_item));
423 *na = cutthrough.addr;
424 cutthrough.addr = *addr;
425 cutthrough.addr.host_used = &cutthrough.host;
426 cutthrough.addr.next = na;
427
428 cutthrough.nrcpt++;
429 }
430 else
431 {
432 cancel_cutthrough_connection("recipient rejected");
433 if (!resp || errno == ETIMEDOUT)
434 {
435 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
436 }
437 else if (errno == 0)
438 {
439 if (*resp == 0)
440 Ustrcpy(resp, US"connection dropped");
441
442 addr->message =
443 string_sprintf("response to \"%s\" from %s [%s] was: %s",
444 big_buffer, host->name, host->address,
445 string_printing(resp));
446
447 addr->user_message =
448 string_sprintf("Callout verification failed:\n%s", resp);
449
450 /* Hard rejection ends the process */
451
452 if (resp[0] == '5') /* Address rejected */
453 {
454 *yield = FAIL;
455 done = TRUE;
456 }
457 }
458 }
459 }
460 break; /* host_list */
461 }
462if (!done)
463 cancel_cutthrough_connection("incompatible connection");
464return done;
465}
466
467
707ee5b1
JH
468/*************************************************
469* Do callout verification for an address *
470*************************************************/
471
472/* This function is called from verify_address() when the address has routed to
473a host list, and a callout has been requested. Callouts are expensive; that is
474why a cache is used to improve the efficiency.
475
476Arguments:
477 addr the address that's been routed
478 host_list the list of hosts to try
479 tf the transport feedback block
480
481 ifstring "interface" option from transport, or NULL
482 portstring "port" option from transport, or NULL
483 protocolstring "protocol" option from transport, or NULL
484 callout the per-command callout timeout
485 callout_overall the overall callout timeout (if < 0 use 4*callout)
486 callout_connect the callout connection timeout (if < 0 use callout)
487 options the verification options - these bits are used:
488 vopt_is_recipient => this is a recipient address
489 vopt_callout_no_cache => don't use callout cache
490 vopt_callout_fullpm => if postmaster check, do full one
491 vopt_callout_random => do the "random" thing
492 vopt_callout_recipsender => use real sender for recipient
493 vopt_callout_recippmaster => use postmaster for recipient
494 se_mailfrom MAIL FROM address for sender verify; NULL => ""
495 pm_mailfrom if non-NULL, do the postmaster check with this sender
496
497Returns: OK/FAIL/DEFER
498*/
499
500static int
501do_callout(address_item *addr, host_item *host_list, transport_feedback *tf,
502 int callout, int callout_overall, int callout_connect, int options,
503 uschar *se_mailfrom, uschar *pm_mailfrom)
504{
505int yield = OK;
506int old_domain_cache_result = ccache_accept;
507BOOL done = FALSE;
508uschar *address_key;
509uschar *from_address;
510uschar *random_local_part = NULL;
511const uschar *save_deliver_domain = deliver_domain;
512uschar **failure_ptr = options & vopt_is_recipient
513 ? &recipient_verify_failure : &sender_verify_failure;
514dbdata_callout_cache new_domain_record;
515dbdata_callout_cache_address new_address_record;
707ee5b1
JH
516time_t callout_start_time;
517
518new_domain_record.result = ccache_unknown;
519new_domain_record.postmaster_result = ccache_unknown;
520new_domain_record.random_result = ccache_unknown;
521
522memset(&new_address_record, 0, sizeof(new_address_record));
523
524/* For a recipient callout, the key used for the address cache record must
525include the sender address if we are using the real sender in the callout,
526because that may influence the result of the callout. */
527
528if (options & vopt_is_recipient)
529 if (options & vopt_callout_recipsender)
530 {
531 from_address = sender_address;
532 address_key = string_sprintf("%s/<%s>", addr->address, sender_address);
533 if (cutthrough.delivery) options |= vopt_callout_no_cache;
534 }
535 else if (options & vopt_callout_recippmaster)
536 {
537 from_address = string_sprintf("postmaster@%s", qualify_domain_sender);
538 address_key = string_sprintf("%s/<postmaster@%s>", addr->address,
539 qualify_domain_sender);
540 }
541 else
542 {
543 from_address = US"";
544 address_key = addr->address;
545 }
546
547/* For a sender callout, we must adjust the key if the mailfrom address is not
548empty. */
549
550else
551 {
552 from_address = se_mailfrom ? se_mailfrom : US"";
553 address_key = *from_address
554 ? string_sprintf("%s/<%s>", addr->address, from_address) : addr->address;
059ec3d9
PH
555 }
556
707ee5b1
JH
557if (cached_callout_lookup(addr, address_key, from_address,
558 &options, &pm_mailfrom, &yield, failure_ptr,
559 &new_domain_record, &old_domain_cache_result))
560 goto END_CALLOUT;
561
193e3acd 562if (!addr->transport)
059ec3d9 563 {
193e3acd 564 HDEBUG(D_verify) debug_printf("cannot callout via null transport\n");
059ec3d9 565 }
6681531a
HSHR
566else if (Ustrcmp(addr->transport->driver_name, "smtp") != 0)
567 log_write(0, LOG_MAIN|LOG_PANIC|LOG_CONFIG_FOR, "callout transport '%s': %s is non-smtp",
568 addr->transport->name, addr->transport->driver_name);
193e3acd
JH
569else
570 {
571 smtp_transport_options_block *ob =
9d9c3746 572 (smtp_transport_options_block *)addr->transport->options_block;
c4c940fd 573 host_item * host;
059ec3d9 574
193e3acd
JH
575 /* The information wasn't available in the cache, so we have to do a real
576 callout and save the result in the cache for next time, unless no_cache is set,
577 or unless we have a previously cached negative random result. If we are to test
578 with a random local part, ensure that such a local part is available. If not,
4c04137d 579 log the fact, but carry on without randomising. */
059ec3d9 580
707ee5b1 581 if (options & vopt_callout_random && callout_random_local_part)
65f1c92a 582 if (!(random_local_part = expand_string(callout_random_local_part)))
193e3acd
JH
583 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
584 "callout_random_local_part: %s", expand_string_message);
059ec3d9 585
193e3acd
JH
586 /* Default the connect and overall callout timeouts if not set, and record the
587 time we are starting so that we can enforce it. */
4c590bd1 588
193e3acd
JH
589 if (callout_overall < 0) callout_overall = 4 * callout;
590 if (callout_connect < 0) callout_connect = callout;
591 callout_start_time = time(NULL);
4c590bd1 592
193e3acd
JH
593 /* Before doing a real callout, if this is an SMTP connection, flush the SMTP
594 output because a callout might take some time. When PIPELINING is active and
595 there are many recipients, the total time for doing lots of callouts can add up
596 and cause the client to time out. So in this case we forgo the PIPELINING
597 optimization. */
817d9f57 598
ff5929e3 599 if (smtp_out && !disable_callout_flush) mac_smtp_fflush();
059ec3d9 600
c4c940fd
JH
601 clearflag(addr, af_verify_pmfail); /* postmaster callout flag */
602 clearflag(addr, af_verify_nsfail); /* null sender callout flag */
603
5032d1cf
JH
604/* cutthrough-multi: if a nonfirst rcpt has the same routing as the first,
605and we are holding a cutthrough conn open, we can just append the rcpt to
606that conn for verification purposes (and later delivery also). Simplest
c4c940fd 607coding means skipping this whole loop and doing the append separately. */
5032d1cf
JH
608
609 /* Can we re-use an open cutthrough connection? */
610 if ( cutthrough.fd >= 0
611 && (options & (vopt_callout_recipsender | vopt_callout_recippmaster))
612 == vopt_callout_recipsender
613 && !random_local_part
614 && !pm_mailfrom
615 )
c4c940fd 616 done = cutthrough_multi(addr, host_list, tf, &yield);
5032d1cf 617
c4c940fd
JH
618 /* If we did not use a cached connection, make connections to the hosts
619 and do real callouts. The list of hosts is passed in as an argument. */
059ec3d9 620
ff5929e3 621 for (host = host_list; host && !done; host = host->next)
059ec3d9 622 {
193e3acd
JH
623 int host_af;
624 int port = 25;
193e3acd 625 uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
02b41d71 626 smtp_context sx;
193e3acd
JH
627 uschar responsebuffer[4096];
628
ff5929e3 629 if (!host->address)
193e3acd
JH
630 {
631 DEBUG(D_verify) debug_printf("no IP address for host name %s: skipping\n",
632 host->name);
633 continue;
634 }
059ec3d9 635
193e3acd 636 /* Check the overall callout timeout */
059ec3d9 637
193e3acd
JH
638 if (time(NULL) - callout_start_time >= callout_overall)
639 {
640 HDEBUG(D_verify) debug_printf("overall timeout for callout exceeded\n");
641 break;
642 }
059ec3d9 643
193e3acd 644 /* Set IPv4 or IPv6 */
059ec3d9 645
ff5929e3 646 host_af = Ustrchr(host->address, ':') == NULL ? AF_INET : AF_INET6;
de3a88fb 647
193e3acd
JH
648 /* Expand and interpret the interface and port strings. The latter will not
649 be used if there is a host-specific port (e.g. from a manualroute router).
650 This has to be delayed till now, because they may expand differently for
651 different hosts. If there's a failure, log it, but carry on with the
652 defaults. */
de3a88fb 653
193e3acd
JH
654 deliver_host = host->name;
655 deliver_host_address = host->address;
a7538db1 656 deliver_host_port = host->port;
193e3acd 657 deliver_domain = addr->domain;
aec45841 658 transport_name = addr->transport->name;
059ec3d9 659
6f6dedcc 660 if ( !smtp_get_interface(tf->interface, host_af, addr, &interface,
bf7aabb4
JH
661 US"callout")
662 || !smtp_get_port(tf->port, addr, &port, US"callout")
663 )
193e3acd
JH
664 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
665 addr->message);
059ec3d9 666
02b41d71
JH
667 sx.addrlist = addr;
668 sx.host = host;
669 sx.host_af = host_af,
670 sx.port = port;
671 sx.interface = interface;
672 sx.helo_data = tf->helo_data;
673 sx.tblock = addr->transport;
674
675tls_retry_connection:
676 /* Set the address state so that errors are recorded in it */
677
678 addr->transport_return = PENDING_DEFER;
679 ob->connect_timeout = callout_connect;
680 ob->command_timeout = callout;
681
682 /* Get the channel set up ready for a message (MAIL FROM being the next
683 SMTP command to send. If we tried TLS but it failed, try again without
684 if permitted */
685
686 if ( (yield = smtp_setup_conn(&sx, FALSE, TRUE)) == DEFER
687 && addr->basic_errno == ERRNO_TLSFAILURE
688 && ob->tls_tempfail_tryclear
689 && verify_check_given_host(&ob->hosts_require_tls, host) != OK
690 )
193e3acd 691 {
02b41d71
JH
692 log_write(0, LOG_MAIN, "TLS session failure:"
693 " callout unencrypted to %s [%s] (not in hosts_require_tls)",
694 host->name, host->address);
695 yield = smtp_setup_conn(&sx, TRUE, TRUE);
696 }
697 if (yield != OK)
698 {
699 if (addr->message) addr->message = string_sprintf("%s [%s] %s",
700 host->name, host->address, addr->message);
701 errno = addr->basic_errno;
aec45841 702 transport_name = NULL;
193e3acd
JH
703 deliver_host = deliver_host_address = NULL;
704 deliver_domain = save_deliver_domain;
bf7aabb4 705
02b41d71
JH
706 /* Failure to accept HELO is cached; this blocks the whole domain for all
707 senders. I/O errors and defer responses are not cached. */
770747fd 708
02b41d71 709 if (yield == FAIL && (errno == 0 || errno == ERRNO_SMTPCLOSED))
a7538db1 710 {
02b41d71
JH
711 setflag(addr, af_verify_nsfail);
712 new_domain_record.result = ccache_reject;
713 done = TRUE;
a7538db1 714 }
193e3acd 715 else
02b41d71
JH
716 done = FALSE;
717 goto no_conn;
3c8b3577 718 }
9bfc60eb 719
02b41d71
JH
720 /* If we needed to authenticate, smtp_setup_conn() did that. Copy
721 the AUTH info for logging */
fcc8e047 722
02b41d71
JH
723 addr->authenticator = client_authenticator;
724 addr->auth_id = client_authenticated_id;
b4a2b536 725
fcc8e047 726 /* Build a mail-AUTH string (re-using responsebuffer for convenience */
b4a2b536 727
02b41d71 728 done =
c4c940fd
JH
729 !smtp_mail_auth_str(responsebuffer, sizeof(responsebuffer), addr, ob);
730
731 if (done)
732 {
733 addr->auth_sndr = client_authenticated_sender;
fcc8e047 734
c4c940fd 735 /* Send the MAIL command */
02b41d71 736
c4c940fd 737 done =
02b41d71 738 (smtp_write_command(&sx.outblock, FALSE,
8c5d388a 739#ifdef SUPPORT_I18N
02b41d71
JH
740 addr->prop.utf8_msg && !addr->prop.utf8_downcvt
741 ? "MAIL FROM:<%s>%s%s SMTPUTF8\r\n"
742 :
9bfc60eb 743#endif
02b41d71
JH
744 "MAIL FROM:<%s>%s%s\r\n",
745 from_address,
746 responsebuffer,
747 options & vopt_is_recipient && sx.peer_offered & PEER_OFFERED_SIZE
748 ? string_sprintf(" SIZE=%d", message_size + ob->size_addition)
749 : US""
02b41d71 750 ) >= 0)
2b1c6e3a 751
c4c940fd
JH
752 && smtp_read_response(&sx.inblock, responsebuffer, sizeof(responsebuffer),
753 '2', callout);
754 }
059ec3d9 755
00bff6f6
JH
756 deliver_host = deliver_host_address = NULL;
757 deliver_domain = save_deliver_domain;
758
193e3acd
JH
759 /* If the host does not accept MAIL FROM:<>, arrange to cache this
760 information, but again, don't record anything for an I/O error or a defer. Do
761 not cache rejections of MAIL when a non-empty sender has been used, because
762 that blocks the whole domain for all senders. */
059ec3d9 763
193e3acd 764 if (!done)
059ec3d9 765 {
193e3acd
JH
766 *failure_ptr = US"mail"; /* At or before MAIL */
767 if (errno == 0 && responsebuffer[0] == '5')
768 {
769 setflag(addr, af_verify_nsfail);
770 if (from_address[0] == 0)
771 new_domain_record.result = ccache_reject_mfnull;
772 }
059ec3d9 773 }
059ec3d9 774
193e3acd
JH
775 /* Otherwise, proceed to check a "random" address (if required), then the
776 given address, and the postmaster address (if required). Between each check,
777 issue RSET, because some servers accept only one recipient after MAIL
778 FROM:<>.
2b1c6e3a 779
193e3acd
JH
780 Before doing this, set the result in the domain cache record to "accept",
781 unless its previous value was ccache_reject_mfnull. In that case, the domain
782 rejects MAIL FROM:<> and we want to continue to remember that. When that is
783 the case, we have got here only in the case of a recipient verification with
784 a non-null sender. */
059ec3d9 785
193e3acd 786 else
059ec3d9 787 {
921dfc11
JH
788 const uschar * rcpt_domain = addr->domain;
789
8c5d388a 790#ifdef SUPPORT_I18N
921dfc11
JH
791 uschar * errstr = NULL;
792 if ( testflag(addr, af_utf8_downcvt)
793 && (rcpt_domain = string_domain_utf8_to_alabel(rcpt_domain,
794 &errstr), errstr)
795 )
796 {
797 addr->message = errstr;
798 errno = ERRNO_EXPANDFAIL;
799 setflag(addr, af_verify_nsfail);
800 done = FALSE;
801 rcpt_domain = US""; /*XXX errorhandling! */
802 }
803#endif
804
707ee5b1
JH
805 new_domain_record.result = old_domain_cache_result == ccache_reject_mfnull
806 ? ccache_reject_mfnull : ccache_accept;
059ec3d9 807
193e3acd 808 /* Do the random local part check first */
059ec3d9 809
c4c940fd 810 if (random_local_part)
059ec3d9 811 {
193e3acd
JH
812 uschar randombuffer[1024];
813 BOOL random_ok =
02b41d71 814 smtp_write_command(&sx.outblock, FALSE,
193e3acd 815 "RCPT TO:<%.1000s@%.1000s>\r\n", random_local_part,
921dfc11 816 rcpt_domain) >= 0 &&
02b41d71 817 smtp_read_response(&sx.inblock, randombuffer,
193e3acd 818 sizeof(randombuffer), '2', callout);
059ec3d9 819
193e3acd 820 /* Remember when we last did a random test */
059ec3d9 821
193e3acd 822 new_domain_record.random_stamp = time(NULL);
059ec3d9 823
193e3acd 824 /* If accepted, we aren't going to do any further tests below. */
059ec3d9 825
193e3acd 826 if (random_ok)
193e3acd 827 new_domain_record.random_result = ccache_accept;
059ec3d9 828
193e3acd
JH
829 /* Otherwise, cache a real negative response, and get back to the right
830 state to send RCPT. Unless there's some problem such as a dropped
65f1c92a
JH
831 connection, we expect to succeed, because the commands succeeded above.
832 However, some servers drop the connection after responding to an
833 invalid recipient, so on (any) error we drop and remake the connection.
834 */
059ec3d9 835
193e3acd
JH
836 else if (errno == 0)
837 {
65f1c92a
JH
838 /* This would be ok for 1st rcpt a cutthrough, but no way to
839 handle a subsequent. So refuse to support any */
5032d1cf
JH
840 cancel_cutthrough_connection("random-recipient");
841
193e3acd
JH
842 if (randombuffer[0] == '5')
843 new_domain_record.random_result = ccache_reject;
844
845 done =
02b41d71
JH
846 smtp_write_command(&sx.outblock, FALSE, "RSET\r\n") >= 0 &&
847 smtp_read_response(&sx.inblock, responsebuffer, sizeof(responsebuffer),
193e3acd
JH
848 '2', callout) &&
849
02b41d71 850 smtp_write_command(&sx.outblock, FALSE,
8c5d388a 851#ifdef SUPPORT_I18N
921dfc11 852 addr->prop.utf8_msg && !addr->prop.utf8_downcvt
9bfc60eb
JH
853 ? "MAIL FROM:<%s> SMTPUTF8\r\n"
854 :
855#endif
856 "MAIL FROM:<%s>\r\n",
193e3acd 857 from_address) >= 0 &&
02b41d71 858 smtp_read_response(&sx.inblock, responsebuffer, sizeof(responsebuffer),
193e3acd 859 '2', callout);
65f1c92a
JH
860
861 if (!done)
862 {
863 HDEBUG(D_acl|D_v)
864 debug_printf("problem after random/rset/mfrom; reopen conn\n");
865 random_local_part = NULL;
866#ifdef SUPPORT_TLS
867 tls_close(FALSE, TRUE);
868#endif
ae5afa61 869 HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP(close)>>\n");
02b41d71 870 (void)close(sx.inblock.sock);
0cbf2b82 871#ifndef DISABLE_EVENT
65f1c92a
JH
872 (void) event_raise(addr->transport->event_action,
873 US"tcp:close", NULL);
874#endif
875 goto tls_retry_connection;
876 }
193e3acd
JH
877 }
878 else done = FALSE; /* Some timeout/connection problem */
879 } /* Random check */
059ec3d9 880
193e3acd
JH
881 /* If the host is accepting all local parts, as determined by the "random"
882 check, we don't need to waste time doing any further checking. */
059ec3d9 883
193e3acd 884 if (new_domain_record.random_result != ccache_accept && done)
059ec3d9 885 {
193e3acd
JH
886 /* Get the rcpt_include_affixes flag from the transport if there is one,
887 but assume FALSE if there is not. */
e4bdf652 888
921dfc11
JH
889 uschar * rcpt = transport_rcpt_address(addr,
890 addr->transport ? addr->transport->rcpt_include_affixes : FALSE);
891
8c5d388a 892#ifdef SUPPORT_I18N
921dfc11 893 /*XXX should the conversion be moved into transport_rcpt_address() ? */
921dfc11 894 if ( testflag(addr, af_utf8_downcvt)
9427e879
JH
895 && !(rcpt = string_address_utf8_to_alabel(rcpt, NULL))
896 )
897 {
898 errno = ERRNO_EXPANDFAIL;
899 *failure_ptr = US"recipient";
900 done = FALSE;
901 }
921dfc11
JH
902 else
903#endif
904
059ec3d9 905 done =
02b41d71 906 smtp_write_command(&sx.outblock, FALSE, "RCPT TO:<%.1000s>\r\n",
921dfc11 907 rcpt) >= 0 &&
02b41d71 908 smtp_read_response(&sx.inblock, responsebuffer, sizeof(responsebuffer),
193e3acd 909 '2', callout);
059ec3d9 910
193e3acd
JH
911 if (done)
912 new_address_record.result = ccache_accept;
913 else if (errno == 0 && responsebuffer[0] == '5')
914 {
915 *failure_ptr = US"recipient";
916 new_address_record.result = ccache_reject;
917 }
059ec3d9 918
193e3acd
JH
919 /* Do postmaster check if requested; if a full check is required, we
920 check for RCPT TO:<postmaster> (no domain) in accordance with RFC 821. */
2a4be8f9 921
02b41d71 922 if (done && pm_mailfrom)
193e3acd 923 {
65f1c92a
JH
924 /* Could possibly shift before main verify, just above, and be ok
925 for cutthrough. But no way to handle a subsequent rcpt, so just
926 refuse any */
5032d1cf 927 cancel_cutthrough_connection("postmaster verify");
193e3acd
JH
928 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of postmaster verify\n");
929
930 done =
02b41d71
JH
931 smtp_write_command(&sx.outblock, FALSE, "RSET\r\n") >= 0 &&
932 smtp_read_response(&sx.inblock, responsebuffer,
193e3acd
JH
933 sizeof(responsebuffer), '2', callout) &&
934
02b41d71 935 smtp_write_command(&sx.outblock, FALSE,
193e3acd 936 "MAIL FROM:<%s>\r\n", pm_mailfrom) >= 0 &&
02b41d71 937 smtp_read_response(&sx.inblock, responsebuffer,
193e3acd
JH
938 sizeof(responsebuffer), '2', callout) &&
939
940 /* First try using the current domain */
941
942 ((
02b41d71 943 smtp_write_command(&sx.outblock, FALSE,
921dfc11 944 "RCPT TO:<postmaster@%.1000s>\r\n", rcpt_domain) >= 0 &&
02b41d71 945 smtp_read_response(&sx.inblock, responsebuffer,
193e3acd
JH
946 sizeof(responsebuffer), '2', callout)
947 )
948
949 ||
950
951 /* If that doesn't work, and a full check is requested,
952 try without the domain. */
953
954 (
955 (options & vopt_callout_fullpm) != 0 &&
02b41d71 956 smtp_write_command(&sx.outblock, FALSE,
193e3acd 957 "RCPT TO:<postmaster>\r\n") >= 0 &&
02b41d71 958 smtp_read_response(&sx.inblock, responsebuffer,
193e3acd
JH
959 sizeof(responsebuffer), '2', callout)
960 ));
961
962 /* Sort out the cache record */
963
964 new_domain_record.postmaster_stamp = time(NULL);
965
966 if (done)
967 new_domain_record.postmaster_result = ccache_accept;
968 else if (errno == 0 && responsebuffer[0] == '5')
969 {
970 *failure_ptr = US"postmaster";
971 setflag(addr, af_verify_pmfail);
972 new_domain_record.postmaster_result = ccache_reject;
973 }
974 }
975 } /* Random not accepted */
976 } /* MAIL FROM: accepted */
2a4be8f9 977
193e3acd
JH
978 /* For any failure of the main check, other than a negative response, we just
979 close the connection and carry on. We can identify a negative response by the
980 fact that errno is zero. For I/O errors it will be non-zero
2a4be8f9 981
193e3acd
JH
982 Set up different error texts for logging and for sending back to the caller
983 as an SMTP response. Log in all cases, using a one-line format. For sender
984 callouts, give a full response to the caller, but for recipient callouts,
985 don't give the IP address because this may be an internal host whose identity
986 is not to be widely broadcast. */
2a4be8f9 987
02b41d71
JH
988no_conn:
989 if (!done) switch(errno)
193e3acd 990 {
02b41d71
JH
991 case ETIMEDOUT:
992 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
993 sx.send_quit = FALSE;
994 break;
995
8c5d388a 996#ifdef SUPPORT_I18N
02b41d71 997 case ERRNO_UTF8_FWD:
9bfc60eb
JH
998 {
999 extern int acl_where; /* src/acl.c */
1000 errno = 0;
1001 addr->message = string_sprintf(
02b41d71
JH
1002 "response to \"EHLO\" from %s [%s] did not include SMTPUTF8",
1003 host->name, host->address);
1004 addr->user_message = acl_where == ACL_WHERE_RCPT
1005 ? US"533 no support for internationalised mailbox name"
9bfc60eb
JH
1006 : US"550 mailbox unavailable";
1007 yield = FAIL;
1008 done = TRUE;
1009 }
02b41d71 1010 break;
9bfc60eb 1011#endif
02b41d71
JH
1012 case ECONNREFUSED:
1013 sx.send_quit = FALSE;
1014 break;
2a4be8f9 1015
02b41d71
JH
1016 case 0:
1017 if (*responsebuffer == 0) Ustrcpy(responsebuffer, US"connection dropped");
059ec3d9 1018
02b41d71
JH
1019 addr->message =
1020 string_sprintf("response to \"%s\" from %s [%s] was: %s",
1021 big_buffer, host->name, host->address,
1022 string_printing(responsebuffer));
1023
1024 addr->user_message = options & vopt_is_recipient
8b9476ba 1025 ? string_sprintf("Callout verification failed:\n%s", responsebuffer)
02b41d71
JH
1026 : string_sprintf("Called: %s\nSent: %s\nResponse: %s",
1027 host->address, big_buffer, responsebuffer);
059ec3d9 1028
02b41d71 1029 /* Hard rejection ends the process */
193e3acd 1030
02b41d71
JH
1031 if (responsebuffer[0] == '5') /* Address rejected */
1032 {
1033 yield = FAIL;
1034 done = TRUE;
1035 }
1036 break;
193e3acd 1037 }
059ec3d9 1038
193e3acd
JH
1039 /* End the SMTP conversation and close the connection. */
1040
4c04137d 1041 /* Cutthrough - on a successful connect and recipient-verify with
5032d1cf 1042 use-sender and we are 1st rcpt and have no cutthrough conn so far
193e3acd 1043 here is where we want to leave the conn open */
5032d1cf
JH
1044 if ( cutthrough.delivery
1045 && rcpt_count == 1
193e3acd
JH
1046 && done
1047 && yield == OK
98c82a3d
JH
1048 && (options & (vopt_callout_recipsender|vopt_callout_recippmaster|vopt_success_on_redirect))
1049 == vopt_callout_recipsender
193e3acd
JH
1050 && !random_local_part
1051 && !pm_mailfrom
5032d1cf 1052 && cutthrough.fd < 0
02b41d71 1053 && !sx.lmtp
193e3acd 1054 )
059ec3d9 1055 {
8b9476ba
JH
1056 HDEBUG(D_acl|D_v) debug_printf("holding verify callout open for cutthrough delivery\n");
1057
02b41d71 1058 cutthrough.fd = sx.outblock.sock; /* We assume no buffer in use in the outblock */
5032d1cf
JH
1059 cutthrough.nrcpt = 1;
1060 cutthrough.interface = interface;
1061 cutthrough.host = *host;
1062 cutthrough.addr = *addr; /* Save the address_item for later logging */
1063 cutthrough.addr.next = NULL;
1064 cutthrough.addr.host_used = &cutthrough.host;
193e3acd 1065 if (addr->parent)
5032d1cf
JH
1066 *(cutthrough.addr.parent = store_get(sizeof(address_item))) =
1067 *addr->parent;
193e3acd
JH
1068 ctblock.buffer = ctbuffer;
1069 ctblock.buffersize = sizeof(ctbuffer);
1070 ctblock.ptr = ctbuffer;
1071 /* ctblock.cmd_count = 0; ctblock.authenticating = FALSE; */
5032d1cf 1072 ctblock.sock = cutthrough.fd;
059ec3d9 1073 }
193e3acd 1074 else
059ec3d9 1075 {
2e5b33cd 1076 /* Ensure no cutthrough on multiple address verifies */
193e3acd 1077 if (options & vopt_callout_recipsender)
ff5929e3 1078 cancel_cutthrough_connection("not usable for cutthrough");
02b41d71 1079 if (sx.send_quit)
2760b518 1080 {
02b41d71 1081 (void) smtp_write_command(&sx.outblock, FALSE, "QUIT\r\n");
059ec3d9 1082
2760b518 1083 /* Wait a short time for response, and discard it */
02b41d71 1084 smtp_read_response(&sx.inblock, responsebuffer, sizeof(responsebuffer),
2760b518
JH
1085 '2', 1);
1086 }
1087
02b41d71
JH
1088 if (sx.inblock.sock >= 0)
1089 {
a7538db1 1090#ifdef SUPPORT_TLS
02b41d71 1091 tls_close(FALSE, TRUE);
a7538db1 1092#endif
02b41d71
JH
1093 HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP(close)>>\n");
1094 (void)close(sx.inblock.sock);
1095 sx.inblock.sock = sx.outblock.sock = -1;
0cbf2b82 1096#ifndef DISABLE_EVENT
02b41d71 1097 (void) event_raise(addr->transport->event_action, US"tcp:close", NULL);
a7538db1 1098#endif
02b41d71 1099 }
059ec3d9 1100 }
059ec3d9 1101
193e3acd
JH
1102 } /* Loop through all hosts, while !done */
1103 }
059ec3d9
PH
1104
1105/* If we get here with done == TRUE, a successful callout happened, and yield
1106will be set OK or FAIL according to the response to the RCPT command.
1107Otherwise, we looped through the hosts but couldn't complete the business.
707ee5b1 1108However, there may be domain-specific information to cache in both cases. */
059ec3d9 1109
707ee5b1
JH
1110if (!(options & vopt_callout_no_cache))
1111 cache_callout_write(&new_domain_record, addr->domain,
1112 done, &new_address_record, address_key);
059ec3d9
PH
1113
1114/* Failure to connect to any host, or any response other than 2xx or 5xx is a
1115temporary error. If there was only one host, and a response was received, leave
1116it alone if supplying details. Otherwise, give a generic response. */
1117
707ee5b1 1118if (!done)
059ec3d9 1119 {
ff5929e3 1120 uschar * dullmsg = string_sprintf("Could not complete %s verify callout",
8b9476ba 1121 options & vopt_is_recipient ? "recipient" : "sender");
059ec3d9
PH
1122 yield = DEFER;
1123
02b41d71
JH
1124 addr->message = host_list->next || !addr->message
1125 ? dullmsg : string_sprintf("%s: %s", dullmsg, addr->message);
059ec3d9 1126
ff5929e3
JH
1127 addr->user_message = smtp_return_error_details
1128 ? string_sprintf("%s for <%s>.\n"
059ec3d9
PH
1129 "The mail server(s) for the domain may be temporarily unreachable, or\n"
1130 "they may be permanently unreachable from this server. In the latter case,\n%s",
1131 dullmsg, addr->address,
8b9476ba 1132 options & vopt_is_recipient
ff5929e3 1133 ? "the address will never be accepted."
8b9476ba
JH
1134 : "you need to change the address or create an MX record for its domain\n"
1135 "if it is supposed to be generally accessible from the Internet.\n"
ff5929e3
JH
1136 "Talk to your mail administrator for details.")
1137 : dullmsg;
059ec3d9
PH
1138
1139 /* Force a specific error code */
1140
1141 addr->basic_errno = ERRNO_CALLOUTDEFER;
1142 }
1143
1144/* Come here from within the cache-reading code on fast-track exit. */
1145
1146END_CALLOUT:
02b41d71 1147tls_modify_variables(&tls_in);
059ec3d9
PH
1148return yield;
1149}
1150
1151
1152
817d9f57
JH
1153/* Called after recipient-acl to get a cutthrough connection open when
1154 one was requested and a recipient-verify wasn't subsequently done.
1155*/
f9334a28 1156int
e4bdf652
JH
1157open_cutthrough_connection( address_item * addr )
1158{
1159address_item addr2;
f9334a28 1160int rc;
e4bdf652
JH
1161
1162/* Use a recipient-verify-callout to set up the cutthrough connection. */
1163/* We must use a copy of the address for verification, because it might
1164get rewritten. */
1165
1166addr2 = *addr;
5032d1cf
JH
1167HDEBUG(D_acl) debug_printf("----------- %s cutthrough setup ------------\n",
1168 rcpt_count > 1 ? "more" : "start");
ff5929e3 1169rc = verify_address(&addr2, NULL,
e4bdf652
JH
1170 vopt_is_recipient | vopt_callout_recipsender | vopt_callout_no_cache,
1171 CUTTHROUGH_CMD_TIMEOUT, -1, -1,
1172 NULL, NULL, NULL);
ff5929e3
JH
1173addr->message = addr2.message;
1174addr->user_message = addr2.user_message;
e4bdf652 1175HDEBUG(D_acl) debug_printf("----------- end cutthrough setup ------------\n");
f9334a28 1176return rc;
e4bdf652
JH
1177}
1178
1179
e4bdf652 1180
817d9f57
JH
1181/* Send given number of bytes from the buffer */
1182static BOOL
1183cutthrough_send(int n)
e4bdf652 1184{
5032d1cf 1185if(cutthrough.fd < 0)
817d9f57 1186 return TRUE;
e4bdf652 1187
817d9f57
JH
1188if(
1189#ifdef SUPPORT_TLS
5032d1cf 1190 (tls_out.active == cutthrough.fd) ? tls_write(FALSE, ctblock.buffer, n) :
817d9f57 1191#endif
5032d1cf 1192 send(cutthrough.fd, ctblock.buffer, n, 0) > 0
817d9f57
JH
1193 )
1194{
1195 transport_count += n;
1196 ctblock.ptr= ctblock.buffer;
1197 return TRUE;
1198}
e4bdf652 1199
817d9f57
JH
1200HDEBUG(D_transport|D_acl) debug_printf("cutthrough_send failed: %s\n", strerror(errno));
1201return FALSE;
e4bdf652
JH
1202}
1203
1204
1205
817d9f57
JH
1206static BOOL
1207_cutthrough_puts(uschar * cp, int n)
1208{
1209while(n--)
1210 {
1211 if(ctblock.ptr >= ctblock.buffer+ctblock.buffersize)
1212 if(!cutthrough_send(ctblock.buffersize))
1213 return FALSE;
1214
1215 *ctblock.ptr++ = *cp++;
1216 }
1217return TRUE;
1218}
1219
1220/* Buffered output of counted data block. Return boolean success */
e4bdf652
JH
1221BOOL
1222cutthrough_puts(uschar * cp, int n)
1223{
5032d1cf 1224if (cutthrough.fd < 0) return TRUE;
817d9f57 1225if (_cutthrough_puts(cp, n)) return TRUE;
2e5b33cd 1226cancel_cutthrough_connection("transmit failed");
817d9f57
JH
1227return FALSE;
1228}
e4bdf652 1229
e4bdf652 1230
817d9f57 1231static BOOL
5032d1cf 1232_cutthrough_flush_send(void)
817d9f57
JH
1233{
1234int n= ctblock.ptr-ctblock.buffer;
e4bdf652 1235
817d9f57
JH
1236if(n>0)
1237 if(!cutthrough_send(n))
1238 return FALSE;
1239return TRUE;
e4bdf652
JH
1240}
1241
817d9f57
JH
1242
1243/* Send out any bufferred output. Return boolean success. */
e4bdf652 1244BOOL
5032d1cf 1245cutthrough_flush_send(void)
e4bdf652 1246{
817d9f57 1247if (_cutthrough_flush_send()) return TRUE;
2e5b33cd 1248cancel_cutthrough_connection("transmit failed");
e4bdf652
JH
1249return FALSE;
1250}
1251
1252
1253BOOL
5032d1cf 1254cutthrough_put_nl(void)
e4bdf652
JH
1255{
1256return cutthrough_puts(US"\r\n", 2);
1257}
1258
1259
1260/* Get and check response from cutthrough target */
1261static uschar
2760b518 1262cutthrough_response(char expect, uschar ** copy, int timeout)
e4bdf652
JH
1263{
1264smtp_inblock inblock;
1265uschar inbuffer[4096];
1266uschar responsebuffer[4096];
1267
1268inblock.buffer = inbuffer;
1269inblock.buffersize = sizeof(inbuffer);
1270inblock.ptr = inbuffer;
1271inblock.ptrend = inbuffer;
5032d1cf 1272inblock.sock = cutthrough.fd;
817d9f57 1273/* this relies on (inblock.sock == tls_out.active) */
2760b518 1274if(!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), expect, timeout))
2e5b33cd 1275 cancel_cutthrough_connection("target timeout on read");
e4bdf652
JH
1276
1277if(copy != NULL)
1278 {
1279 uschar * cp;
5032d1cf 1280 *copy = cp = string_copy(responsebuffer);
e4bdf652
JH
1281 /* Trim the trailing end of line */
1282 cp += Ustrlen(responsebuffer);
1283 if(cp > *copy && cp[-1] == '\n') *--cp = '\0';
1284 if(cp > *copy && cp[-1] == '\r') *--cp = '\0';
1285 }
1286
1287return responsebuffer[0];
1288}
1289
1290
1291/* Negotiate dataphase with the cutthrough target, returning success boolean */
1292BOOL
5032d1cf 1293cutthrough_predata(void)
e4bdf652 1294{
5032d1cf 1295if(cutthrough.fd < 0)
e4bdf652
JH
1296 return FALSE;
1297
1298HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> DATA\n");
817d9f57
JH
1299cutthrough_puts(US"DATA\r\n", 6);
1300cutthrough_flush_send();
e4bdf652
JH
1301
1302/* Assume nothing buffered. If it was it gets ignored. */
2760b518 1303return cutthrough_response('3', NULL, CUTTHROUGH_DATA_TIMEOUT) == '3';
e4bdf652
JH
1304}
1305
1306
6d5c916c 1307/* fd and tctx args only to match write_chunk() */
511a6c14 1308static BOOL
6d5c916c 1309cutthrough_write_chunk(int fd, transport_ctx * tctx, uschar * s, int len)
511a6c14
JH
1310{
1311uschar * s2;
1312while(s && (s2 = Ustrchr(s, '\n')))
1313 {
1314 if(!cutthrough_puts(s, s2-s) || !cutthrough_put_nl())
1315 return FALSE;
1316 s = s2+1;
1317 }
1318return TRUE;
1319}
1320
1321
e4bdf652 1322/* Buffered send of headers. Return success boolean. */
817d9f57 1323/* Expands newlines to wire format (CR,NL). */
e4bdf652 1324/* Also sends header-terminating blank line. */
e4bdf652 1325BOOL
5032d1cf 1326cutthrough_headers_send(void)
e4bdf652 1327{
6d5c916c
JH
1328transport_ctx tctx;
1329
5032d1cf 1330if(cutthrough.fd < 0)
e4bdf652
JH
1331 return FALSE;
1332
511a6c14
JH
1333/* We share a routine with the mainline transport to handle header add/remove/rewrites,
1334 but having a separate buffered-output function (for now)
1335*/
1336HDEBUG(D_acl) debug_printf("----------- start cutthrough headers send -----------\n");
e4bdf652 1337
6d5c916c
JH
1338tctx.tblock = cutthrough.addr.transport;
1339tctx.addr = &cutthrough.addr;
1340tctx.check_string = US".";
1341tctx.escape_string = US"..";
1342tctx.options = topt_use_crlf;
1343
1344if (!transport_headers_send(cutthrough.fd, &tctx, &cutthrough_write_chunk))
511a6c14
JH
1345 return FALSE;
1346
1347HDEBUG(D_acl) debug_printf("----------- done cutthrough headers send ------------\n");
1348return TRUE;
817d9f57
JH
1349}
1350
1351
1352static void
5032d1cf 1353close_cutthrough_connection(const char * why)
817d9f57 1354{
5032d1cf 1355if(cutthrough.fd >= 0)
817d9f57
JH
1356 {
1357 /* We could be sending this after a bunch of data, but that is ok as
1358 the only way to cancel the transfer in dataphase is to drop the tcp
1359 conn before the final dot.
1360 */
1361 ctblock.ptr = ctbuffer;
1362 HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> QUIT\n");
1363 _cutthrough_puts(US"QUIT\r\n", 6); /* avoid recursion */
1364 _cutthrough_flush_send();
2760b518
JH
1365
1366 /* Wait a short time for response, and discard it */
1367 cutthrough_response('2', NULL, 1);
817d9f57
JH
1368
1369 #ifdef SUPPORT_TLS
1370 tls_close(FALSE, TRUE);
1371 #endif
ae5afa61 1372 HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP(close)>>\n");
5032d1cf
JH
1373 (void)close(cutthrough.fd);
1374 cutthrough.fd = -1;
2e5b33cd 1375 HDEBUG(D_acl) debug_printf("----------- cutthrough shutdown (%s) ------------\n", why);
817d9f57
JH
1376 }
1377ctblock.ptr = ctbuffer;
e4bdf652
JH
1378}
1379
817d9f57 1380void
5032d1cf 1381cancel_cutthrough_connection(const char * why)
817d9f57 1382{
2e5b33cd 1383close_cutthrough_connection(why);
5032d1cf 1384cutthrough.delivery = FALSE;
817d9f57
JH
1385}
1386
1387
1388
e4bdf652
JH
1389
1390/* Have senders final-dot. Send one to cutthrough target, and grab the response.
1391 Log an OK response as a transmission.
817d9f57 1392 Close the connection.
e4bdf652 1393 Return smtp response-class digit.
e4bdf652
JH
1394*/
1395uschar *
5032d1cf 1396cutthrough_finaldot(void)
e4bdf652 1397{
5032d1cf
JH
1398uschar res;
1399address_item * addr;
e4bdf652
JH
1400HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> .\n");
1401
1402/* Assume data finshed with new-line */
5032d1cf
JH
1403if( !cutthrough_puts(US".", 1)
1404 || !cutthrough_put_nl()
1405 || !cutthrough_flush_send()
1406 )
1407 return cutthrough.addr.message;
e4bdf652 1408
2760b518 1409res = cutthrough_response('2', &cutthrough.addr.message, CUTTHROUGH_DATA_TIMEOUT);
5032d1cf 1410for (addr = &cutthrough.addr; addr; addr = addr->next)
817d9f57 1411 {
5032d1cf
JH
1412 addr->message = cutthrough.addr.message;
1413 switch(res)
1414 {
1415 case '2':
1416 delivery_log(LOG_MAIN, addr, (int)'>', NULL);
1417 close_cutthrough_connection("delivered");
1418 break;
817d9f57 1419
5032d1cf
JH
1420 case '4':
1421 delivery_log(LOG_MAIN, addr, 0,
1422 US"tmp-reject from cutthrough after DATA:");
1423 break;
e4bdf652 1424
5032d1cf
JH
1425 case '5':
1426 delivery_log(LOG_MAIN|LOG_REJECT, addr, 0,
1427 US"rejected after DATA:");
1428 break;
e4bdf652 1429
5032d1cf
JH
1430 default:
1431 break;
1432 }
817d9f57 1433 }
5032d1cf 1434return cutthrough.addr.message;
e4bdf652
JH
1435}
1436
1437
817d9f57 1438
059ec3d9
PH
1439/*************************************************
1440* Copy error to toplevel address *
1441*************************************************/
1442
1443/* This function is used when a verify fails or defers, to ensure that the
1444failure or defer information is in the original toplevel address. This applies
1445when an address is redirected to a single new address, and the failure or
1446deferral happens to the child address.
1447
1448Arguments:
1449 vaddr the verify address item
1450 addr the final address item
1451 yield FAIL or DEFER
1452
1453Returns: the value of YIELD
1454*/
1455
1456static int
1457copy_error(address_item *vaddr, address_item *addr, int yield)
1458{
1459if (addr != vaddr)
1460 {
1461 vaddr->message = addr->message;
1462 vaddr->user_message = addr->user_message;
1463 vaddr->basic_errno = addr->basic_errno;
1464 vaddr->more_errno = addr->more_errno;
d43cbe25 1465 vaddr->prop.address_data = addr->prop.address_data;
42855d71 1466 copyflag(vaddr, addr, af_pass_message);
059ec3d9
PH
1467 }
1468return yield;
1469}
1470
1471
1472
1473
ce552449
NM
1474/**************************************************
1475* printf that automatically handles TLS if needed *
1476***************************************************/
1477
1478/* This function is used by verify_address() as a substitute for all fprintf()
1479calls; a direct fprintf() will not produce output in a TLS SMTP session, such
1480as a response to an EXPN command. smtp_in.c makes smtp_printf available but
1481that assumes that we always use the smtp_out FILE* when not using TLS or the
1482ssl buffer when we are. Instead we take a FILE* parameter and check to see if
1483that is smtp_out; if so, smtp_printf() with TLS support, otherwise regular
1484fprintf().
1485
1486Arguments:
1487 f the candidate FILE* to write to
1488 format format string
1489 ... optional arguments
1490
1491Returns:
1492 nothing
1493*/
1494
1495static void PRINTF_FUNCTION(2,3)
1ba28e2b 1496respond_printf(FILE *f, const char *format, ...)
ce552449
NM
1497{
1498va_list ap;
1499
1500va_start(ap, format);
1501if (smtp_out && (f == smtp_out))
1502 smtp_vprintf(format, ap);
1503else
513afc6a 1504 vfprintf(f, format, ap);
ce552449
NM
1505va_end(ap);
1506}
1507
1508
1509
059ec3d9
PH
1510/*************************************************
1511* Verify an email address *
1512*************************************************/
1513
1514/* This function is used both for verification (-bv and at other times) and
1515address testing (-bt), which is indicated by address_test_mode being set.
1516
1517Arguments:
1518 vaddr contains the address to verify; the next field in this block
1519 must be NULL
1520 f if not NULL, write the result to this file
1521 options various option bits:
1522 vopt_fake_sender => this sender verify is not for the real
1523 sender (it was verify=sender=xxxx or an address from a
1524 header line) - rewriting must not change sender_address
1525 vopt_is_recipient => this is a recipient address, otherwise
1526 it's a sender address - this affects qualification and
1527 rewriting and messages from callouts
1528 vopt_qualify => qualify an unqualified address; else error
1529 vopt_expn => called from SMTP EXPN command
eafd343b
TK
1530 vopt_success_on_redirect => when a new address is generated
1531 the verification instantly succeeds
059ec3d9
PH
1532
1533 These ones are used by do_callout() -- the options variable
1534 is passed to it.
1535
2a4be8f9 1536 vopt_callout_fullpm => if postmaster check, do full one
059ec3d9
PH
1537 vopt_callout_no_cache => don't use callout cache
1538 vopt_callout_random => do the "random" thing
1539 vopt_callout_recipsender => use real sender for recipient
1540 vopt_callout_recippmaster => use postmaster for recipient
1541
1542 callout if > 0, specifies that callout is required, and gives timeout
4deaf07d 1543 for individual commands
059ec3d9
PH
1544 callout_overall if > 0, gives overall timeout for the callout function;
1545 if < 0, a default is used (see do_callout())
8e669ac1 1546 callout_connect the connection timeout for callouts
059ec3d9
PH
1547 se_mailfrom when callout is requested to verify a sender, use this
1548 in MAIL FROM; NULL => ""
1549 pm_mailfrom when callout is requested, if non-NULL, do the postmaster
1550 thing and use this as the sender address (may be "")
1551
1552 routed if not NULL, set TRUE if routing succeeded, so we can
1553 distinguish between routing failed and callout failed
1554
1555Returns: OK address verified
1556 FAIL address failed to verify
1557 DEFER can't tell at present
1558*/
1559
1560int
1561verify_address(address_item *vaddr, FILE *f, int options, int callout,
8e669ac1 1562 int callout_overall, int callout_connect, uschar *se_mailfrom,
4deaf07d 1563 uschar *pm_mailfrom, BOOL *routed)
059ec3d9
PH
1564{
1565BOOL allok = TRUE;
1566BOOL full_info = (f == NULL)? FALSE : (debug_selector != 0);
059ec3d9 1567BOOL expn = (options & vopt_expn) != 0;
eafd343b 1568BOOL success_on_redirect = (options & vopt_success_on_redirect) != 0;
059ec3d9
PH
1569int i;
1570int yield = OK;
1571int verify_type = expn? v_expn :
1572 address_test_mode? v_none :
8b9476ba 1573 options & vopt_is_recipient? v_recipient : v_sender;
059ec3d9
PH
1574address_item *addr_list;
1575address_item *addr_new = NULL;
1576address_item *addr_remote = NULL;
1577address_item *addr_local = NULL;
1578address_item *addr_succeed = NULL;
8b9476ba
JH
1579uschar **failure_ptr = options & vopt_is_recipient
1580 ? &recipient_verify_failure : &sender_verify_failure;
059ec3d9
PH
1581uschar *ko_prefix, *cr;
1582uschar *address = vaddr->address;
1583uschar *save_sender;
1584uschar null_sender[] = { 0 }; /* Ensure writeable memory */
1585
2c7db3f5
PH
1586/* Clear, just in case */
1587
1588*failure_ptr = NULL;
1589
059ec3d9
PH
1590/* Set up a prefix and suffix for error message which allow us to use the same
1591output statements both in EXPN mode (where an SMTP response is needed) and when
1592debugging with an output file. */
1593
1594if (expn)
1595 {
1596 ko_prefix = US"553 ";
1597 cr = US"\r";
1598 }
1599else ko_prefix = cr = US"";
1600
1601/* Add qualify domain if permitted; otherwise an unqualified address fails. */
1602
1603if (parse_find_at(address) == NULL)
1604 {
1605 if ((options & vopt_qualify) == 0)
1606 {
1607 if (f != NULL)
ce552449
NM
1608 respond_printf(f, "%sA domain is required for \"%s\"%s\n",
1609 ko_prefix, address, cr);
8e669ac1 1610 *failure_ptr = US"qualify";
059ec3d9
PH
1611 return FAIL;
1612 }
8b9476ba 1613 address = rewrite_address_qualify(address, options & vopt_is_recipient);
059ec3d9
PH
1614 }
1615
1616DEBUG(D_verify)
1617 {
1618 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1619 debug_printf("%s %s\n", address_test_mode? "Testing" : "Verifying", address);
1620 }
1621
1622/* Rewrite and report on it. Clear the domain and local part caches - these
1623may have been set by domains and local part tests during an ACL. */
1624
1625if (global_rewrite_rules != NULL)
1626 {
1627 uschar *old = address;
8b9476ba 1628 address = rewrite_address(address, options & vopt_is_recipient, FALSE,
059ec3d9
PH
1629 global_rewrite_rules, rewrite_existflags);
1630 if (address != old)
1631 {
1632 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->localpart_cache[i] = 0;
1633 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->domain_cache[i] = 0;
1634 if (f != NULL && !expn) fprintf(f, "Address rewritten as: %s\n", address);
1635 }
1636 }
1637
1638/* If this is the real sender address, we must update sender_address at
1639this point, because it may be referred to in the routers. */
1640
1641if ((options & (vopt_fake_sender|vopt_is_recipient)) == 0)
1642 sender_address = address;
1643
1644/* If the address was rewritten to <> no verification can be done, and we have
1645to return OK. This rewriting is permitted only for sender addresses; for other
1646addresses, such rewriting fails. */
1647
1648if (address[0] == 0) return OK;
1649
d9b2312b
JH
1650/* Flip the legacy TLS-related variables over to the outbound set in case
1651they're used in the context of a transport used by verification. Reset them
ea90b718 1652at exit from this routine (so no returns allowed from here on). */
d9b2312b 1653
35aba663 1654tls_modify_variables(&tls_out);
d9b2312b 1655
059ec3d9
PH
1656/* Save a copy of the sender address for re-instating if we change it to <>
1657while verifying a sender address (a nice bit of self-reference there). */
1658
1659save_sender = sender_address;
1660
ea90b718
JH
1661/* Observability variable for router/transport use */
1662
8b9476ba 1663verify_mode = options & vopt_is_recipient ? US"R" : US"S";
ea90b718 1664
059ec3d9
PH
1665/* Update the address structure with the possibly qualified and rewritten
1666address. Set it up as the starting address on the chain of new addresses. */
1667
1668vaddr->address = address;
1669addr_new = vaddr;
1670
1671/* We need a loop, because an address can generate new addresses. We must also
1672cope with generated pipes and files at the top level. (See also the code and
1673comment in deliver.c.) However, it is usually the case that the router for
1674user's .forward files has its verify flag turned off.
1675
1676If an address generates more than one child, the loop is used only when
1677full_info is set, and this can only be set locally. Remote enquiries just get
1678information about the top level address, not anything that it generated. */
1679
ea90b718 1680while (addr_new)
059ec3d9
PH
1681 {
1682 int rc;
1683 address_item *addr = addr_new;
1684
1685 addr_new = addr->next;
1686 addr->next = NULL;
1687
1688 DEBUG(D_verify)
1689 {
1690 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1691 debug_printf("Considering %s\n", addr->address);
1692 }
1693
1694 /* Handle generated pipe, file or reply addresses. We don't get these
1695 when handling EXPN, as it does only one level of expansion. */
1696
1697 if (testflag(addr, af_pfr))
1698 {
1699 allok = FALSE;
1700 if (f != NULL)
1701 {
1702 BOOL allow;
1703
1704 if (addr->address[0] == '>')
1705 {
1706 allow = testflag(addr, af_allow_reply);
1707 fprintf(f, "%s -> mail %s", addr->parent->address, addr->address + 1);
1708 }
1709 else
1710 {
1711 allow = (addr->address[0] == '|')?
1712 testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file);
1713 fprintf(f, "%s -> %s", addr->parent->address, addr->address);
1714 }
1715
1716 if (addr->basic_errno == ERRNO_BADTRANSPORT)
1717 fprintf(f, "\n*** Error in setting up pipe, file, or autoreply:\n"
1718 "%s\n", addr->message);
1719 else if (allow)
1720 fprintf(f, "\n transport = %s\n", addr->transport->name);
1721 else
1722 fprintf(f, " *** forbidden ***\n");
1723 }
1724 continue;
1725 }
1726
1727 /* Just in case some router parameter refers to it. */
1728
2f682e45
JH
1729 return_path = addr->prop.errors_address
1730 ? addr->prop.errors_address : sender_address;
059ec3d9
PH
1731
1732 /* Split the address into domain and local part, handling the %-hack if
1733 necessary, and then route it. While routing a sender address, set
1734 $sender_address to <> because that is what it will be if we were trying to
1735 send a bounce to the sender. */
1736
2f682e45 1737 if (routed) *routed = FALSE;
059ec3d9
PH
1738 if ((rc = deliver_split_address(addr)) == OK)
1739 {
8b9476ba 1740 if (!(options & vopt_is_recipient)) sender_address = null_sender;
059ec3d9
PH
1741 rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
1742 &addr_succeed, verify_type);
1743 sender_address = save_sender; /* Put back the real sender */
1744 }
1745
1746 /* If routing an address succeeded, set the flag that remembers, for use when
1747 an ACL cached a sender verify (in case a callout fails). Then if routing set
1748 up a list of hosts or the transport has a host list, and the callout option
1749 is set, and we aren't in a host checking run, do the callout verification,
1750 and set another flag that notes that a callout happened. */
1751
1752 if (rc == OK)
1753 {
2f682e45 1754 if (routed) *routed = TRUE;
059ec3d9
PH
1755 if (callout > 0)
1756 {
08f3b11b 1757 transport_instance * tp;
2f682e45 1758 host_item * host_list = addr->host_list;
059ec3d9 1759
26da7e20
PH
1760 /* Make up some data for use in the case where there is no remote
1761 transport. */
1762
1763 transport_feedback tf = {
1764 NULL, /* interface (=> any) */
1765 US"smtp", /* port */
1766 US"smtp", /* protocol */
1767 NULL, /* hosts */
1768 US"$smtp_active_hostname", /* helo_data */
1769 FALSE, /* hosts_override */
1770 FALSE, /* hosts_randomize */
1771 FALSE, /* gethostbyname */
1772 TRUE, /* qualify_single */
1773 FALSE /* search_parents */
1774 };
059ec3d9
PH
1775
1776 /* If verification yielded a remote transport, we want to use that
1777 transport's options, so as to mimic what would happen if we were really
1778 sending a message to this address. */
1779
08f3b11b 1780 if ((tp = addr->transport) && !tp->info->local)
059ec3d9 1781 {
08f3b11b 1782 (void)(tp->setup)(tp, addr, &tf, 0, 0, NULL);
059ec3d9
PH
1783
1784 /* If the transport has hosts and the router does not, or if the
1785 transport is configured to override the router's hosts, we must build a
1786 host list of the transport's hosts, and find the IP addresses */
1787
2f682e45 1788 if (tf.hosts && (!host_list || tf.hosts_override))
059ec3d9
PH
1789 {
1790 uschar *s;
55414b25 1791 const uschar *save_deliver_domain = deliver_domain;
750af86e 1792 uschar *save_deliver_localpart = deliver_localpart;
059ec3d9
PH
1793
1794 host_list = NULL; /* Ignore the router's hosts */
1795
1796 deliver_domain = addr->domain;
1797 deliver_localpart = addr->local_part;
1798 s = expand_string(tf.hosts);
750af86e
PH
1799 deliver_domain = save_deliver_domain;
1800 deliver_localpart = save_deliver_localpart;
059ec3d9 1801
2f682e45 1802 if (!s)
059ec3d9
PH
1803 {
1804 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand list of hosts "
1805 "\"%s\" in %s transport for callout: %s", tf.hosts,
08f3b11b 1806 tp->name, expand_string_message);
059ec3d9
PH
1807 }
1808 else
1809 {
322050c2 1810 int flags;
d8ef3577 1811 host_item *host, *nexthost;
059ec3d9
PH
1812 host_build_hostlist(&host_list, s, tf.hosts_randomize);
1813
1814 /* Just ignore failures to find a host address. If we don't manage
8e669ac1
PH
1815 to find any addresses, the callout will defer. Note that more than
1816 one address may be found for a single host, which will result in
1817 additional host items being inserted into the chain. Hence we must
d8ef3577 1818 save the next host first. */
059ec3d9 1819
322050c2
PH
1820 flags = HOST_FIND_BY_A;
1821 if (tf.qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
1822 if (tf.search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
1823
2f682e45 1824 for (host = host_list; host; host = nexthost)
059ec3d9 1825 {
d8ef3577 1826 nexthost = host->next;
8e669ac1 1827 if (tf.gethostbyname ||
7e66e54d 1828 string_is_ip_address(host->name, NULL) != 0)
55414b25 1829 (void)host_find_byname(host, NULL, flags, NULL, TRUE);
059ec3d9 1830 else
9d9c3746 1831 {
7cd171b7 1832 dnssec_domains * dnssec_domains = NULL;
08f3b11b 1833 if (Ustrcmp(tp->driver_name, "smtp") == 0)
9d9c3746
JH
1834 {
1835 smtp_transport_options_block * ob =
08f3b11b 1836 (smtp_transport_options_block *) tp->options_block;
7cd171b7 1837 dnssec_domains = &ob->dnssec;
9d9c3746
JH
1838 }
1839
059ec3d9 1840 (void)host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
7cd171b7 1841 dnssec_domains, NULL, NULL);
9d9c3746 1842 }
059ec3d9
PH
1843 }
1844 }
1845 }
1846 }
1847
8e669ac1 1848 /* Can only do a callout if we have at least one host! If the callout
2c7db3f5 1849 fails, it will have set ${sender,recipient}_verify_failure. */
059ec3d9 1850
2f682e45 1851 if (host_list)
059ec3d9
PH
1852 {
1853 HDEBUG(D_verify) debug_printf("Attempting full verification using callout\n");
1854 if (host_checking && !host_checking_callout)
1855 {
1856 HDEBUG(D_verify)
1857 debug_printf("... callout omitted by default when host testing\n"
1858 "(Use -bhc if you want the callouts to happen.)\n");
1859 }
1860 else
1861 {
4ed8d31a
JH
1862#ifdef SUPPORT_TLS
1863 deliver_set_expansions(addr);
1864#endif
059ec3d9 1865 rc = do_callout(addr, host_list, &tf, callout, callout_overall,
4deaf07d 1866 callout_connect, options, se_mailfrom, pm_mailfrom);
059ec3d9
PH
1867 }
1868 }
1869 else
1870 {
1871 HDEBUG(D_verify) debug_printf("Cannot do callout: neither router nor "
1872 "transport provided a host list\n");
1873 }
1874 }
1875 }
8e669ac1 1876
2c7db3f5 1877 /* Otherwise, any failure is a routing failure */
8e669ac1
PH
1878
1879 else *failure_ptr = US"route";
059ec3d9
PH
1880
1881 /* A router may return REROUTED if it has set up a child address as a result
1882 of a change of domain name (typically from widening). In this case we always
1883 want to continue to verify the new child. */
1884
1885 if (rc == REROUTED) continue;
8e669ac1 1886
059ec3d9
PH
1887 /* Handle hard failures */
1888
1889 if (rc == FAIL)
1890 {
1891 allok = FALSE;
2f682e45 1892 if (f)
059ec3d9 1893 {
e6f6568e
PH
1894 address_item *p = addr->parent;
1895
ce552449 1896 respond_printf(f, "%s%s %s", ko_prefix,
2f682e45
JH
1897 full_info ? addr->address : address,
1898 address_test_mode ? "is undeliverable" : "failed to verify");
059ec3d9
PH
1899 if (!expn && admin_user)
1900 {
1901 if (addr->basic_errno > 0)
ce552449 1902 respond_printf(f, ": %s", strerror(addr->basic_errno));
2f682e45 1903 if (addr->message)
ce552449 1904 respond_printf(f, ": %s", addr->message);
e6f6568e
PH
1905 }
1906
1907 /* Show parents iff doing full info */
1908
2f682e45 1909 if (full_info) while (p)
e6f6568e 1910 {
ce552449 1911 respond_printf(f, "%s\n <-- %s", cr, p->address);
e6f6568e 1912 p = p->parent;
059ec3d9 1913 }
ce552449 1914 respond_printf(f, "%s\n", cr);
059ec3d9 1915 }
2e5b33cd 1916 cancel_cutthrough_connection("routing hard fail");
059ec3d9 1917
d9b2312b 1918 if (!full_info)
2f682e45 1919 {
d9b2312b
JH
1920 yield = copy_error(vaddr, addr, FAIL);
1921 goto out;
2f682e45
JH
1922 }
1923 yield = FAIL;
059ec3d9
PH
1924 }
1925
1926 /* Soft failure */
1927
1928 else if (rc == DEFER)
1929 {
1930 allok = FALSE;
2f682e45 1931 if (f)
059ec3d9 1932 {
e6f6568e 1933 address_item *p = addr->parent;
ce552449 1934 respond_printf(f, "%s%s cannot be resolved at this time", ko_prefix,
322050c2 1935 full_info? addr->address : address);
059ec3d9
PH
1936 if (!expn && admin_user)
1937 {
1938 if (addr->basic_errno > 0)
ce552449 1939 respond_printf(f, ": %s", strerror(addr->basic_errno));
2f682e45 1940 if (addr->message)
ce552449 1941 respond_printf(f, ": %s", addr->message);
059ec3d9 1942 else if (addr->basic_errno <= 0)
ce552449 1943 respond_printf(f, ": unknown error");
059ec3d9
PH
1944 }
1945
e6f6568e
PH
1946 /* Show parents iff doing full info */
1947
2f682e45 1948 if (full_info) while (p)
e6f6568e 1949 {
ce552449 1950 respond_printf(f, "%s\n <-- %s", cr, p->address);
e6f6568e
PH
1951 p = p->parent;
1952 }
ce552449 1953 respond_printf(f, "%s\n", cr);
059ec3d9 1954 }
2e5b33cd 1955 cancel_cutthrough_connection("routing soft fail");
e4bdf652 1956
d9b2312b
JH
1957 if (!full_info)
1958 {
1959 yield = copy_error(vaddr, addr, DEFER);
1960 goto out;
1961 }
2f682e45 1962 if (yield == OK) yield = DEFER;
059ec3d9
PH
1963 }
1964
1965 /* If we are handling EXPN, we do not want to continue to route beyond
e6f6568e 1966 the top level (whose address is in "address"). */
059ec3d9
PH
1967
1968 else if (expn)
1969 {
1970 uschar *ok_prefix = US"250-";
2f682e45
JH
1971
1972 if (!addr_new)
1973 if (!addr_local && !addr_remote)
ce552449 1974 respond_printf(f, "250 mail to <%s> is discarded\r\n", address);
059ec3d9 1975 else
ce552449 1976 respond_printf(f, "250 <%s>\r\n", address);
2f682e45
JH
1977
1978 else do
059ec3d9
PH
1979 {
1980 address_item *addr2 = addr_new;
1981 addr_new = addr2->next;
2f682e45 1982 if (!addr_new) ok_prefix = US"250 ";
ce552449 1983 respond_printf(f, "%s<%s>\r\n", ok_prefix, addr2->address);
2f682e45 1984 } while (addr_new);
d9b2312b
JH
1985 yield = OK;
1986 goto out;
059ec3d9
PH
1987 }
1988
1989 /* Successful routing other than EXPN. */
1990
1991 else
1992 {
1993 /* Handle successful routing when short info wanted. Otherwise continue for
1994 other (generated) addresses. Short info is the operational case. Full info
1995 can be requested only when debug_selector != 0 and a file is supplied.
1996
1997 There is a conflict between the use of aliasing as an alternate email
1998 address, and as a sort of mailing list. If an alias turns the incoming
1999 address into just one address (e.g. J.Caesar->jc44) you may well want to
2000 carry on verifying the generated address to ensure it is valid when
2001 checking incoming mail. If aliasing generates multiple addresses, you
2002 probably don't want to do this. Exim therefore treats the generation of
2003 just a single new address as a special case, and continues on to verify the
2004 generated address. */
2005
2f682e45
JH
2006 if ( !full_info /* Stop if short info wanted AND */
2007 && ( ( !addr_new /* No new address OR */
2008 || addr_new->next /* More than one new address OR */
2009 || testflag(addr_new, af_pfr) /* New address is pfr */
2010 )
2011 || /* OR */
2012 ( addr_new /* At least one new address AND */
2013 && success_on_redirect /* success_on_redirect is set */
2014 ) )
2015 )
059ec3d9 2016 {
2f682e45
JH
2017 if (f) fprintf(f, "%s %s\n",
2018 address, address_test_mode ? "is deliverable" : "verified");
059ec3d9
PH
2019
2020 /* If we have carried on to verify a child address, we want the value
2021 of $address_data to be that of the child */
2022
d43cbe25 2023 vaddr->prop.address_data = addr->prop.address_data;
98c82a3d
JH
2024
2025 /* If stopped because more than one new address, cannot cutthrough */
2026
2027 if (addr_new && addr_new->next)
2028 cancel_cutthrough_connection("multiple addresses from routing");
2029
d9b2312b
JH
2030 yield = OK;
2031 goto out;
059ec3d9
PH
2032 }
2033 }
2034 } /* Loop for generated addresses */
2035
2036/* Display the full results of the successful routing, including any generated
2037addresses. Control gets here only when full_info is set, which requires f not
2038to be NULL, and this occurs only when a top-level verify is called with the
2039debugging switch on.
2040
2041If there are no local and no remote addresses, and there were no pipes, files,
2042or autoreplies, and there were no errors or deferments, the message is to be
2043discarded, usually because of the use of :blackhole: in an alias file. */
2044
2f682e45 2045if (allok && !addr_local && !addr_remote)
dbcef0ea 2046 {
059ec3d9 2047 fprintf(f, "mail to %s is discarded\n", address);
d9b2312b 2048 goto out;
dbcef0ea 2049 }
059ec3d9 2050
dbcef0ea 2051for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
08f3b11b 2052 while (addr_list)
059ec3d9
PH
2053 {
2054 address_item *addr = addr_list;
2055 address_item *p = addr->parent;
08f3b11b
JH
2056 transport_instance * tp = addr->transport;
2057
059ec3d9
PH
2058 addr_list = addr->next;
2059
2060 fprintf(f, "%s", CS addr->address);
384152a6 2061#ifdef EXPERIMENTAL_SRS
d43cbe25
JH
2062 if(addr->prop.srs_sender)
2063 fprintf(f, " [srs = %s]", addr->prop.srs_sender);
384152a6 2064#endif
dbcef0ea
PH
2065
2066 /* If the address is a duplicate, show something about it. */
2067
2068 if (!testflag(addr, af_pfr))
2069 {
2070 tree_node *tnode;
08f3b11b 2071 if ((tnode = tree_search(tree_duplicates, addr->unique)))
dbcef0ea
PH
2072 fprintf(f, " [duplicate, would not be delivered]");
2073 else tree_add_duplicate(addr->unique, addr);
2074 }
2075
2076 /* Now show its parents */
2077
08f3b11b 2078 for (p = addr->parent; p; p = p->parent)
059ec3d9 2079 fprintf(f, "\n <-- %s", p->address);
059ec3d9
PH
2080 fprintf(f, "\n ");
2081
2082 /* Show router, and transport */
2083
08f3b11b
JH
2084 fprintf(f, "router = %s, transport = %s\n",
2085 addr->router->name, tp ? tp->name : US"unset");
059ec3d9
PH
2086
2087 /* Show any hosts that are set up by a router unless the transport
2088 is going to override them; fiddle a bit to get a nice format. */
2089
08f3b11b 2090 if (addr->host_list && tp && !tp->overrides_hosts)
059ec3d9
PH
2091 {
2092 host_item *h;
2093 int maxlen = 0;
2094 int maxaddlen = 0;
08f3b11b
JH
2095 for (h = addr->host_list; h; h = h->next)
2096 { /* get max lengths of host names, addrs */
059ec3d9
PH
2097 int len = Ustrlen(h->name);
2098 if (len > maxlen) maxlen = len;
08f3b11b 2099 len = h->address ? Ustrlen(h->address) : 7;
059ec3d9
PH
2100 if (len > maxaddlen) maxaddlen = len;
2101 }
08f3b11b
JH
2102 for (h = addr->host_list; h; h = h->next)
2103 {
2104 fprintf(f, " host %-*s ", maxlen, h->name);
2105
2106 if (h->address)
2107 fprintf(f, "[%s%-*c", h->address, maxaddlen+1 - Ustrlen(h->address), ']');
2108 else if (tp->info->local)
2109 fprintf(f, " %-*s ", maxaddlen, ""); /* Omit [unknown] for local */
2110 else
2111 fprintf(f, "[%s%-*c", "unknown", maxaddlen+1 - 7, ']');
2112
2113 if (h->mx >= 0) fprintf(f, " MX=%d", h->mx);
059ec3d9 2114 if (h->port != PORT_NONE) fprintf(f, " port=%d", h->port);
08f3b11b
JH
2115 if (running_in_test_harness && h->dnssec == DS_YES) fputs(" AD", f);
2116 if (h->status == hstatus_unusable) fputs(" ** unusable **", f);
2117 fputc('\n', f);
059ec3d9
PH
2118 }
2119 }
2120 }
059ec3d9 2121
d9b2312b 2122/* Yield will be DEFER or FAIL if any one address has, only for full_info (which is
2c7db3f5
PH
2123the -bv or -bt case). */
2124
d9b2312b 2125out:
ea90b718 2126verify_mode = NULL;
35aba663 2127tls_modify_variables(&tls_in);
d9b2312b 2128
8e669ac1 2129return yield;
059ec3d9
PH
2130}
2131
2132
2133
2134
2135/*************************************************
2136* Check headers for syntax errors *
2137*************************************************/
2138
2139/* This function checks those header lines that contain addresses, and verifies
2140that all the addresses therein are syntactially correct.
2141
2142Arguments:
2143 msgptr where to put an error message
2144
2145Returns: OK
2146 FAIL
2147*/
2148
2149int
2150verify_check_headers(uschar **msgptr)
2151{
2152header_line *h;
2153uschar *colon, *s;
1eccaa59 2154int yield = OK;
059ec3d9 2155
1eccaa59 2156for (h = header_list; h != NULL && yield == OK; h = h->next)
059ec3d9
PH
2157 {
2158 if (h->type != htype_from &&
2159 h->type != htype_reply_to &&
2160 h->type != htype_sender &&
2161 h->type != htype_to &&
2162 h->type != htype_cc &&
2163 h->type != htype_bcc)
2164 continue;
2165
2166 colon = Ustrchr(h->text, ':');
2167 s = colon + 1;
2168 while (isspace(*s)) s++;
2169
1eccaa59
PH
2170 /* Loop for multiple addresses in the header, enabling group syntax. Note
2171 that we have to reset this after the header has been scanned. */
059ec3d9 2172
1eccaa59 2173 parse_allow_group = TRUE;
059ec3d9
PH
2174
2175 while (*s != 0)
2176 {
2177 uschar *ss = parse_find_address_end(s, FALSE);
2178 uschar *recipient, *errmess;
2179 int terminator = *ss;
2180 int start, end, domain;
2181
2182 /* Temporarily terminate the string at this point, and extract the
1eccaa59 2183 operative address within, allowing group syntax. */
059ec3d9
PH
2184
2185 *ss = 0;
2186 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
2187 *ss = terminator;
2188
2189 /* Permit an unqualified address only if the message is local, or if the
2190 sending host is configured to be permitted to send them. */
2191
2192 if (recipient != NULL && domain == 0)
2193 {
2194 if (h->type == htype_from || h->type == htype_sender)
2195 {
2196 if (!allow_unqualified_sender) recipient = NULL;
2197 }
2198 else
2199 {
2200 if (!allow_unqualified_recipient) recipient = NULL;
2201 }
2202 if (recipient == NULL) errmess = US"unqualified address not permitted";
2203 }
2204
2205 /* It's an error if no address could be extracted, except for the special
2206 case of an empty address. */
2207
2208 if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0)
2209 {
2210 uschar *verb = US"is";
2211 uschar *t = ss;
1ab95fa6 2212 uschar *tt = colon;
059ec3d9
PH
2213 int len;
2214
2215 /* Arrange not to include any white space at the end in the
1ab95fa6 2216 error message or the header name. */
059ec3d9
PH
2217
2218 while (t > s && isspace(t[-1])) t--;
1ab95fa6 2219 while (tt > h->text && isspace(tt[-1])) tt--;
059ec3d9 2220
1ab95fa6 2221 /* Add the address that failed to the error message, since in a
059ec3d9
PH
2222 header with very many addresses it is sometimes hard to spot
2223 which one is at fault. However, limit the amount of address to
2224 quote - cases have been seen where, for example, a missing double
2225 quote in a humungous To: header creates an "address" that is longer
2226 than string_sprintf can handle. */
2227
2228 len = t - s;
2229 if (len > 1024)
2230 {
2231 len = 1024;
2232 verb = US"begins";
2233 }
2234
55414b25
JH
2235 /* deconst cast ok as we're passing a non-const to string_printing() */
2236 *msgptr = US string_printing(
1ab95fa6
PH
2237 string_sprintf("%s: failing address in \"%.*s:\" header %s: %.*s",
2238 errmess, tt - h->text, h->text, verb, len, s));
059ec3d9 2239
1eccaa59
PH
2240 yield = FAIL;
2241 break; /* Out of address loop */
059ec3d9
PH
2242 }
2243
2244 /* Advance to the next address */
2245
2246 s = ss + (terminator? 1:0);
2247 while (isspace(*s)) s++;
2248 } /* Next address */
059ec3d9 2249
1eccaa59
PH
2250 parse_allow_group = FALSE;
2251 parse_found_group = FALSE;
2252 } /* Next header unless yield has been set FALSE */
2253
2254return yield;
059ec3d9
PH
2255}
2256
2257
770747fd
MFM
2258/*************************************************
2259* Check header names for 8-bit characters *
2260*************************************************/
2261
4c04137d 2262/* This function checks for invalid characters in header names. See
770747fd
MFM
2263RFC 5322, 2.2. and RFC 6532, 3.
2264
2265Arguments:
2266 msgptr where to put an error message
2267
2268Returns: OK
2269 FAIL
2270*/
2271
2272int
2273verify_check_header_names_ascii(uschar **msgptr)
2274{
2275header_line *h;
2276uschar *colon, *s;
2277
2278for (h = header_list; h != NULL; h = h->next)
2279 {
2280 colon = Ustrchr(h->text, ':');
2281 for(s = h->text; s < colon; s++)
2282 {
2283 if ((*s < 33) || (*s > 126))
2284 {
2285 *msgptr = string_sprintf("Invalid character in header \"%.*s\" found",
2286 colon - h->text, h->text);
2287 return FAIL;
2288 }
2289 }
2290 }
2291return OK;
2292}
059ec3d9 2293
1c41c9cc
PH
2294/*************************************************
2295* Check for blind recipients *
2296*************************************************/
2297
2298/* This function checks that every (envelope) recipient is mentioned in either
2299the To: or Cc: header lines, thus detecting blind carbon copies.
2300
2301There are two ways of scanning that could be used: either scan the header lines
2302and tick off the recipients, or scan the recipients and check the header lines.
2303The original proposed patch did the former, but I have chosen to do the latter,
2304because (a) it requires no memory and (b) will use fewer resources when there
2305are many addresses in To: and/or Cc: and only one or two envelope recipients.
2306
2307Arguments: none
2308Returns: OK if there are no blind recipients
2309 FAIL if there is at least one blind recipient
2310*/
2311
2312int
2313verify_check_notblind(void)
2314{
2315int i;
2316for (i = 0; i < recipients_count; i++)
2317 {
2318 header_line *h;
2319 BOOL found = FALSE;
2320 uschar *address = recipients_list[i].address;
2321
2322 for (h = header_list; !found && h != NULL; h = h->next)
2323 {
2324 uschar *colon, *s;
2325
2326 if (h->type != htype_to && h->type != htype_cc) continue;
2327
2328 colon = Ustrchr(h->text, ':');
2329 s = colon + 1;
2330 while (isspace(*s)) s++;
2331
1eccaa59
PH
2332 /* Loop for multiple addresses in the header, enabling group syntax. Note
2333 that we have to reset this after the header has been scanned. */
1c41c9cc 2334
1eccaa59 2335 parse_allow_group = TRUE;
1c41c9cc
PH
2336
2337 while (*s != 0)
2338 {
2339 uschar *ss = parse_find_address_end(s, FALSE);
2340 uschar *recipient,*errmess;
2341 int terminator = *ss;
2342 int start, end, domain;
2343
2344 /* Temporarily terminate the string at this point, and extract the
1eccaa59 2345 operative address within, allowing group syntax. */
1c41c9cc
PH
2346
2347 *ss = 0;
2348 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
2349 *ss = terminator;
2350
2351 /* If we found a valid recipient that has a domain, compare it with the
2352 envelope recipient. Local parts are compared case-sensitively, domains
2353 case-insensitively. By comparing from the start with length "domain", we
2354 include the "@" at the end, which ensures that we are comparing the whole
2355 local part of each address. */
2356
2357 if (recipient != NULL && domain != 0)
2358 {
2359 found = Ustrncmp(recipient, address, domain) == 0 &&
2360 strcmpic(recipient + domain, address + domain) == 0;
2361 if (found) break;
2362 }
2363
2364 /* Advance to the next address */
2365
2366 s = ss + (terminator? 1:0);
2367 while (isspace(*s)) s++;
2368 } /* Next address */
1eccaa59
PH
2369
2370 parse_allow_group = FALSE;
2371 parse_found_group = FALSE;
1c41c9cc
PH
2372 } /* Next header (if found is false) */
2373
2374 if (!found) return FAIL;
2375 } /* Next recipient */
2376
2377return OK;
2378}
2379
2380
059ec3d9
PH
2381
2382/*************************************************
2383* Find if verified sender *
2384*************************************************/
2385
2386/* Usually, just a single address is verified as the sender of the message.
2387However, Exim can be made to verify other addresses as well (often related in
2388some way), and this is useful in some environments. There may therefore be a
2389chain of such addresses that have previously been tested. This function finds
2390whether a given address is on the chain.
2391
2392Arguments: the address to be verified
2393Returns: pointer to an address item, or NULL
2394*/
2395
2396address_item *
2397verify_checked_sender(uschar *sender)
2398{
2399address_item *addr;
2400for (addr = sender_verified_list; addr != NULL; addr = addr->next)
2401 if (Ustrcmp(sender, addr->address) == 0) break;
2402return addr;
2403}
2404
2405
2406
2407
2408
2409/*************************************************
2410* Get valid header address *
2411*************************************************/
2412
2413/* Scan the originator headers of the message, looking for an address that
2414verifies successfully. RFC 822 says:
2415
2416 o The "Sender" field mailbox should be sent notices of
2417 any problems in transport or delivery of the original
2418 messages. If there is no "Sender" field, then the
2419 "From" field mailbox should be used.
2420
2421 o If the "Reply-To" field exists, then the reply should
2422 go to the addresses indicated in that field and not to
2423 the address(es) indicated in the "From" field.
2424
2425So we check a Sender field if there is one, else a Reply_to field, else a From
2426field. As some strange messages may have more than one of these fields,
2427especially if they are resent- fields, check all of them if there is more than
2428one.
2429
2430Arguments:
2431 user_msgptr points to where to put a user error message
2432 log_msgptr points to where to put a log error message
2433 callout timeout for callout check (passed to verify_address())
2434 callout_overall overall callout timeout (ditto)
8e669ac1 2435 callout_connect connect callout timeout (ditto)
059ec3d9
PH
2436 se_mailfrom mailfrom for verify; NULL => ""
2437 pm_mailfrom sender for pm callout check (passed to verify_address())
2438 options callout options (passed to verify_address())
8e669ac1 2439 verrno where to put the address basic_errno
059ec3d9
PH
2440
2441If log_msgptr is set to something without setting user_msgptr, the caller
2442normally uses log_msgptr for both things.
2443
2444Returns: result of the verification attempt: OK, FAIL, or DEFER;
2445 FAIL is given if no appropriate headers are found
2446*/
2447
2448int
2449verify_check_header_address(uschar **user_msgptr, uschar **log_msgptr,
8e669ac1 2450 int callout, int callout_overall, int callout_connect, uschar *se_mailfrom,
fe5b5d0b 2451 uschar *pm_mailfrom, int options, int *verrno)
059ec3d9
PH
2452{
2453static int header_types[] = { htype_sender, htype_reply_to, htype_from };
1eccaa59 2454BOOL done = FALSE;
059ec3d9
PH
2455int yield = FAIL;
2456int i;
2457
1eccaa59 2458for (i = 0; i < 3 && !done; i++)
059ec3d9
PH
2459 {
2460 header_line *h;
1eccaa59 2461 for (h = header_list; h != NULL && !done; h = h->next)
059ec3d9
PH
2462 {
2463 int terminator, new_ok;
2464 uschar *s, *ss, *endname;
2465
2466 if (h->type != header_types[i]) continue;
2467 s = endname = Ustrchr(h->text, ':') + 1;
2468
1eccaa59
PH
2469 /* Scan the addresses in the header, enabling group syntax. Note that we
2470 have to reset this after the header has been scanned. */
2471
2472 parse_allow_group = TRUE;
2473
059ec3d9
PH
2474 while (*s != 0)
2475 {
2476 address_item *vaddr;
2477
2478 while (isspace(*s) || *s == ',') s++;
2479 if (*s == 0) break; /* End of header */
2480
2481 ss = parse_find_address_end(s, FALSE);
2482
2483 /* The terminator is a comma or end of header, but there may be white
2484 space preceding it (including newline for the last address). Move back
2485 past any white space so we can check against any cached envelope sender
2486 address verifications. */
2487
2488 while (isspace(ss[-1])) ss--;
2489 terminator = *ss;
2490 *ss = 0;
2491
2492 HDEBUG(D_verify) debug_printf("verifying %.*s header address %s\n",
2493 (int)(endname - h->text), h->text, s);
2494
2495 /* See if we have already verified this address as an envelope sender,
2496 and if so, use the previous answer. */
2497
2498 vaddr = verify_checked_sender(s);
2499
2500 if (vaddr != NULL && /* Previously checked */
2501 (callout <= 0 || /* No callout needed; OR */
2502 vaddr->special_action > 256)) /* Callout was done */
2503 {
2504 new_ok = vaddr->special_action & 255;
2505 HDEBUG(D_verify) debug_printf("previously checked as envelope sender\n");
2506 *ss = terminator; /* Restore shortened string */
2507 }
2508
2509 /* Otherwise we run the verification now. We must restore the shortened
2510 string before running the verification, so the headers are correct, in
2511 case there is any rewriting. */
2512
2513 else
2514 {
2515 int start, end, domain;
1eccaa59
PH
2516 uschar *address = parse_extract_address(s, log_msgptr, &start, &end,
2517 &domain, FALSE);
059ec3d9
PH
2518
2519 *ss = terminator;
2520
1eccaa59
PH
2521 /* If we found an empty address, just carry on with the next one, but
2522 kill the message. */
2523
2524 if (address == NULL && Ustrcmp(*log_msgptr, "empty address") == 0)
2525 {
2526 *log_msgptr = NULL;
2527 s = ss;
2528 continue;
2529 }
2530
059ec3d9
PH
2531 /* If verification failed because of a syntax error, fail this
2532 function, and ensure that the failing address gets added to the error
2533 message. */
2534
2535 if (address == NULL)
2536 {
2537 new_ok = FAIL;
1eccaa59
PH
2538 while (ss > s && isspace(ss[-1])) ss--;
2539 *log_msgptr = string_sprintf("syntax error in '%.*s' header when "
2540 "scanning for sender: %s in \"%.*s\"",
2541 endname - h->text, h->text, *log_msgptr, ss - s, s);
2542 yield = FAIL;
2543 done = TRUE;
2544 break;
059ec3d9
PH
2545 }
2546
2f6603e1 2547 /* Else go ahead with the sender verification. But it isn't *the*
059ec3d9
PH
2548 sender of the message, so set vopt_fake_sender to stop sender_address
2549 being replaced after rewriting or qualification. */
2550
2551 else
2552 {
2553 vaddr = deliver_make_addr(address, FALSE);
2554 new_ok = verify_address(vaddr, NULL, options | vopt_fake_sender,
8e669ac1 2555 callout, callout_overall, callout_connect, se_mailfrom,
4deaf07d 2556 pm_mailfrom, NULL);
059ec3d9
PH
2557 }
2558 }
2559
2560 /* We now have the result, either newly found, or cached. If we are
2561 giving out error details, set a specific user error. This means that the
2562 last of these will be returned to the user if all three fail. We do not
2563 set a log message - the generic one below will be used. */
2564
fe5b5d0b 2565 if (new_ok != OK)
059ec3d9 2566 {
8e669ac1 2567 *verrno = vaddr->basic_errno;
fe5b5d0b
PH
2568 if (smtp_return_error_details)
2569 {
2570 *user_msgptr = string_sprintf("Rejected after DATA: "
2571 "could not verify \"%.*s\" header address\n%s: %s",
2572 endname - h->text, h->text, vaddr->address, vaddr->message);
2573 }
8e669ac1 2574 }
059ec3d9
PH
2575
2576 /* Success or defer */
2577
1eccaa59
PH
2578 if (new_ok == OK)
2579 {
2580 yield = OK;
2581 done = TRUE;
2582 break;
2583 }
2584
059ec3d9
PH
2585 if (new_ok == DEFER) yield = DEFER;
2586
2587 /* Move on to any more addresses in the header */
2588
2589 s = ss;
1eccaa59
PH
2590 } /* Next address */
2591
2592 parse_allow_group = FALSE;
2593 parse_found_group = FALSE;
2594 } /* Next header, unless done */
2595 } /* Next header type unless done */
059ec3d9
PH
2596
2597if (yield == FAIL && *log_msgptr == NULL)
2598 *log_msgptr = US"there is no valid sender in any header line";
2599
2600if (yield == DEFER && *log_msgptr == NULL)
2601 *log_msgptr = US"all attempts to verify a sender in a header line deferred";
2602
2603return yield;
2604}
2605
2606
2607
2608
2609/*************************************************
2610* Get RFC 1413 identification *
2611*************************************************/
2612
2613/* Attempt to get an id from the sending machine via the RFC 1413 protocol. If
2614the timeout is set to zero, then the query is not done. There may also be lists
2615of hosts and nets which are exempt. To guard against malefactors sending
2616non-printing characters which could, for example, disrupt a message's headers,
2617make sure the string consists of printing characters only.
2618
2619Argument:
2620 port the port to connect to; usually this is IDENT_PORT (113), but when
2621 running in the test harness with -bh a different value is used.
2622
2623Returns: nothing
2624
2625Side effect: any received ident value is put in sender_ident (NULL otherwise)
2626*/
2627
2628void
2629verify_get_ident(int port)
2630{
2631int sock, host_af, qlen;
2632int received_sender_port, received_interface_port, n;
2633uschar *p;
2634uschar buffer[2048];
2635
2636/* Default is no ident. Check whether we want to do an ident check for this
2637host. */
2638
2639sender_ident = NULL;
2640if (rfc1413_query_timeout <= 0 || verify_check_host(&rfc1413_hosts) != OK)
2641 return;
2642
2643DEBUG(D_ident) debug_printf("doing ident callback\n");
2644
2645/* Set up a connection to the ident port of the remote host. Bind the local end
2646to the incoming interface address. If the sender host address is an IPv6
2647address, the incoming interface address will also be IPv6. */
2648
fb05276a
JH
2649host_af = Ustrchr(sender_host_address, ':') == NULL ? AF_INET : AF_INET6;
2650if ((sock = ip_socket(SOCK_STREAM, host_af)) < 0) return;
059ec3d9
PH
2651
2652if (ip_bind(sock, host_af, interface_address, 0) < 0)
2653 {
2654 DEBUG(D_ident) debug_printf("bind socket for ident failed: %s\n",
2655 strerror(errno));
2656 goto END_OFF;
2657 }
2658
fb05276a
JH
2659if (ip_connect(sock, host_af, sender_host_address, port,
2660 rfc1413_query_timeout, TRUE) < 0)
059ec3d9 2661 {
6c6d6e48 2662 if (errno == ETIMEDOUT && LOGGING(ident_timeout))
059ec3d9
PH
2663 log_write(0, LOG_MAIN, "ident connection to %s timed out",
2664 sender_host_address);
059ec3d9 2665 else
059ec3d9
PH
2666 DEBUG(D_ident) debug_printf("ident connection to %s failed: %s\n",
2667 sender_host_address, strerror(errno));
059ec3d9
PH
2668 goto END_OFF;
2669 }
2670
2671/* Construct and send the query. */
2672
2673sprintf(CS buffer, "%d , %d\r\n", sender_host_port, interface_port);
2674qlen = Ustrlen(buffer);
2675if (send(sock, buffer, qlen, 0) < 0)
2676 {
2677 DEBUG(D_ident) debug_printf("ident send failed: %s\n", strerror(errno));
2678 goto END_OFF;
2679 }
2680
2681/* Read a response line. We put it into the rest of the buffer, using several
2682recv() calls if necessary. */
2683
2684p = buffer + qlen;
2685
2686for (;;)
2687 {
2688 uschar *pp;
2689 int count;
2690 int size = sizeof(buffer) - (p - buffer);
2691
2692 if (size <= 0) goto END_OFF; /* Buffer filled without seeing \n. */
2693 count = ip_recv(sock, p, size, rfc1413_query_timeout);
2694 if (count <= 0) goto END_OFF; /* Read error or EOF */
2695
2696 /* Scan what we just read, to see if we have reached the terminating \r\n. Be
2697 generous, and accept a plain \n terminator as well. The only illegal
2698 character is 0. */
2699
2700 for (pp = p; pp < p + count; pp++)
2701 {
2702 if (*pp == 0) goto END_OFF; /* Zero octet not allowed */
2703 if (*pp == '\n')
2704 {
2705 if (pp[-1] == '\r') pp--;
2706 *pp = 0;
2707 goto GOT_DATA; /* Break out of both loops */
2708 }
2709 }
2710
2711 /* Reached the end of the data without finding \n. Let the loop continue to
2712 read some more, if there is room. */
2713
2714 p = pp;
2715 }
2716
2717GOT_DATA:
2718
2719/* We have received a line of data. Check it carefully. It must start with the
2720same two port numbers that we sent, followed by data as defined by the RFC. For
2721example,
2722
2723 12345 , 25 : USERID : UNIX :root
2724
2725However, the amount of white space may be different to what we sent. In the
2726"osname" field there may be several sub-fields, comma separated. The data we
2727actually want to save follows the third colon. Some systems put leading spaces
2728in it - we discard those. */
2729
2730if (sscanf(CS buffer + qlen, "%d , %d%n", &received_sender_port,
2731 &received_interface_port, &n) != 2 ||
2732 received_sender_port != sender_host_port ||
2733 received_interface_port != interface_port)
2734 goto END_OFF;
2735
2736p = buffer + qlen + n;
2737while(isspace(*p)) p++;
2738if (*p++ != ':') goto END_OFF;
2739while(isspace(*p)) p++;
2740if (Ustrncmp(p, "USERID", 6) != 0) goto END_OFF;
2741p += 6;
2742while(isspace(*p)) p++;
2743if (*p++ != ':') goto END_OFF;
2744while (*p != 0 && *p != ':') p++;
2745if (*p++ == 0) goto END_OFF;
2746while(isspace(*p)) p++;
2747if (*p == 0) goto END_OFF;
2748
2749/* The rest of the line is the data we want. We turn it into printing
2750characters when we save it, so that it cannot mess up the format of any logging
2751or Received: lines into which it gets inserted. We keep a maximum of 127
55414b25 2752characters. The deconst cast is ok as we fed a nonconst to string_printing() */
059ec3d9 2753
55414b25 2754sender_ident = US string_printing(string_copyn(p, 127));
059ec3d9
PH
2755DEBUG(D_ident) debug_printf("sender_ident = %s\n", sender_ident);
2756
2757END_OFF:
f1e894f3 2758(void)close(sock);
059ec3d9
PH
2759return;
2760}
2761
2762
2763
2764
2765/*************************************************
2766* Match host to a single host-list item *
2767*************************************************/
2768
2769/* This function compares a host (name or address) against a single item
2770from a host list. The host name gets looked up if it is needed and is not
2771already known. The function is called from verify_check_this_host() via
2772match_check_list(), which is why most of its arguments are in a single block.
2773
2774Arguments:
2775 arg the argument block (see below)
2776 ss the host-list item
2777 valueptr where to pass back looked up data, or NULL
2778 error for error message when returning ERROR
2779
2780The block contains:
32d668a5
PH
2781 host_name (a) the host name, or
2782 (b) NULL, implying use sender_host_name and
2783 sender_host_aliases, looking them up if required, or
2784 (c) the empty string, meaning that only IP address matches
2785 are permitted
059ec3d9
PH
2786 host_address the host address
2787 host_ipv4 the IPv4 address taken from an IPv6 one
2788
2789Returns: OK matched
2790 FAIL did not match
2791 DEFER lookup deferred
32d668a5
PH
2792 ERROR (a) failed to find the host name or IP address, or
2793 (b) unknown lookup type specified, or
2794 (c) host name encountered when only IP addresses are
2795 being matched
059ec3d9
PH
2796*/
2797
32d668a5 2798int
55414b25 2799check_host(void *arg, const uschar *ss, const uschar **valueptr, uschar **error)
059ec3d9
PH
2800{
2801check_host_block *cb = (check_host_block *)arg;
32d668a5 2802int mlen = -1;
059ec3d9 2803int maskoffset;
32d668a5 2804BOOL iplookup = FALSE;
059ec3d9 2805BOOL isquery = FALSE;
32d668a5 2806BOOL isiponly = cb->host_name != NULL && cb->host_name[0] == 0;
55414b25 2807const uschar *t;
32d668a5 2808uschar *semicolon;
059ec3d9
PH
2809uschar **aliases;
2810
2811/* Optimize for the special case when the pattern is "*". */
2812
2813if (*ss == '*' && ss[1] == 0) return OK;
2814
2815/* If the pattern is empty, it matches only in the case when there is no host -
2816this can occur in ACL checking for SMTP input using the -bs option. In this
2817situation, the host address is the empty string. */
2818
2819if (cb->host_address[0] == 0) return (*ss == 0)? OK : FAIL;
2820if (*ss == 0) return FAIL;
2821
32d668a5
PH
2822/* If the pattern is precisely "@" then match against the primary host name,
2823provided that host name matching is permitted; if it's "@[]" match against the
2824local host's IP addresses. */
059ec3d9
PH
2825
2826if (*ss == '@')
2827 {
32d668a5
PH
2828 if (ss[1] == 0)
2829 {
2830 if (isiponly) return ERROR;
2831 ss = primary_hostname;
2832 }
059ec3d9
PH
2833 else if (Ustrcmp(ss, "@[]") == 0)
2834 {
2835 ip_address_item *ip;
2836 for (ip = host_find_interfaces(); ip != NULL; ip = ip->next)
2837 if (Ustrcmp(ip->address, cb->host_address) == 0) return OK;
2838 return FAIL;
2839 }
2840 }
2841
2842/* If the pattern is an IP address, optionally followed by a bitmask count, do
4c04137d 2843a (possibly masked) comparison with the current IP address. */
059ec3d9 2844
7e66e54d 2845if (string_is_ip_address(ss, &maskoffset) != 0)
059ec3d9
PH
2846 return (host_is_in_net(cb->host_address, ss, maskoffset)? OK : FAIL);
2847
1688f43b
PH
2848/* The pattern is not an IP address. A common error that people make is to omit
2849one component of an IPv4 address, either by accident, or believing that, for
2850example, 1.2.3/24 is the same as 1.2.3.0/24, or 1.2.3 is the same as 1.2.3.0,
2851which it isn't. (Those applications that do accept 1.2.3 as an IP address
2852interpret it as 1.2.0.3 because the final component becomes 16-bit - this is an
2853ancient specification.) To aid in debugging these cases, we give a specific
2854error if the pattern contains only digits and dots or contains a slash preceded
2855only by digits and dots (a slash at the start indicates a file name and of
2856course slashes may be present in lookups, but not preceded only by digits and
2857dots). */
2858
2859for (t = ss; isdigit(*t) || *t == '.'; t++);
2860if (*t == 0 || (*t == '/' && t != ss))
2861 {
2862 *error = US"malformed IPv4 address or address mask";
2863 return ERROR;
2864 }
2865
32d668a5 2866/* See if there is a semicolon in the pattern */
059ec3d9 2867
32d668a5
PH
2868semicolon = Ustrchr(ss, ';');
2869
2870/* If we are doing an IP address only match, then all lookups must be IP
df199fec 2871address lookups, even if there is no "net-". */
32d668a5
PH
2872
2873if (isiponly)
059ec3d9 2874 {
32d668a5
PH
2875 iplookup = semicolon != NULL;
2876 }
059ec3d9 2877
32d668a5 2878/* Otherwise, if the item is of the form net[n]-lookup;<file|query> then it is
df199fec
PH
2879a lookup on a masked IP network, in textual form. We obey this code even if we
2880have already set iplookup, so as to skip over the "net-" prefix and to set the
2881mask length. The net- stuff really only applies to single-key lookups where the
2882key is implicit. For query-style lookups the key is specified in the query.
2883From release 4.30, the use of net- for query style is no longer needed, but we
2884retain it for backward compatibility. */
2885
2886if (Ustrncmp(ss, "net", 3) == 0 && semicolon != NULL)
32d668a5
PH
2887 {
2888 mlen = 0;
2889 for (t = ss + 3; isdigit(*t); t++) mlen = mlen * 10 + *t - '0';
2890 if (mlen == 0 && t == ss+3) mlen = -1; /* No mask supplied */
2891 iplookup = (*t++ == '-');
2892 }
1688f43b 2893else t = ss;
059ec3d9 2894
32d668a5 2895/* Do the IP address lookup if that is indeed what we have */
059ec3d9 2896
32d668a5
PH
2897if (iplookup)
2898 {
2899 int insize;
2900 int search_type;
2901 int incoming[4];
2902 void *handle;
2903 uschar *filename, *key, *result;
2904 uschar buffer[64];
059ec3d9 2905
32d668a5 2906 /* Find the search type */
059ec3d9 2907
32d668a5 2908 search_type = search_findtype(t, semicolon - t);
059ec3d9 2909
32d668a5
PH
2910 if (search_type < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
2911 search_error_message);
059ec3d9 2912
13b685f9
PH
2913 /* Adjust parameters for the type of lookup. For a query-style lookup, there
2914 is no file name, and the "key" is just the query. For query-style with a file
2915 name, we have to fish the file off the start of the query. For a single-key
2916 lookup, the key is the current IP address, masked appropriately, and
2917 reconverted to text form, with the mask appended. For IPv6 addresses, specify
6a3bceb1
PH
2918 dot separators instead of colons, except when the lookup type is "iplsearch".
2919 */
059ec3d9 2920
13b685f9
PH
2921 if (mac_islookup(search_type, lookup_absfilequery))
2922 {
2923 filename = semicolon + 1;
2924 key = filename;
2925 while (*key != 0 && !isspace(*key)) key++;
2926 filename = string_copyn(filename, key - filename);
2927 while (isspace(*key)) key++;
2928 }
2929 else if (mac_islookup(search_type, lookup_querystyle))
32d668a5
PH
2930 {
2931 filename = NULL;
2932 key = semicolon + 1;
2933 }
6a3bceb1 2934 else /* Single-key style */
32d668a5 2935 {
e6d225ae 2936 int sep = (Ustrcmp(lookup_list[search_type]->name, "iplsearch") == 0)?
6a3bceb1 2937 ':' : '.';
32d668a5
PH
2938 insize = host_aton(cb->host_address, incoming);
2939 host_mask(insize, incoming, mlen);
6a3bceb1 2940 (void)host_nmtoa(insize, incoming, mlen, buffer, sep);
32d668a5
PH
2941 key = buffer;
2942 filename = semicolon + 1;
059ec3d9 2943 }
32d668a5
PH
2944
2945 /* Now do the actual lookup; note that there is no search_close() because
2946 of the caching arrangements. */
2947
d4ff61d1
JH
2948 if (!(handle = search_open(filename, search_type, 0, NULL, NULL)))
2949 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", search_error_message);
2950
32d668a5
PH
2951 result = search_find(handle, filename, key, -1, NULL, 0, 0, NULL);
2952 if (valueptr != NULL) *valueptr = result;
2953 return (result != NULL)? OK : search_find_defer? DEFER: FAIL;
059ec3d9
PH
2954 }
2955
2956/* The pattern is not an IP address or network reference of any kind. That is,
32d668a5
PH
2957it is a host name pattern. If this is an IP only match, there's an error in the
2958host list. */
2959
2960if (isiponly)
2961 {
2962 *error = US"cannot match host name in match_ip list";
2963 return ERROR;
2964 }
2965
2966/* Check the characters of the pattern to see if they comprise only letters,
2967digits, full stops, and hyphens (the constituents of domain names). Allow
2968underscores, as they are all too commonly found. Sigh. Also, if
2969allow_utf8_domains is set, allow top-bit characters. */
059ec3d9
PH
2970
2971for (t = ss; *t != 0; t++)
2972 if (!isalnum(*t) && *t != '.' && *t != '-' && *t != '_' &&
2973 (!allow_utf8_domains || *t < 128)) break;
2974
2975/* If the pattern is a complete domain name, with no fancy characters, look up
2976its IP address and match against that. Note that a multi-homed host will add
2977items to the chain. */
2978
2979if (*t == 0)
2980 {
2981 int rc;
2982 host_item h;
2983 h.next = NULL;
2984 h.name = ss;
2985 h.address = NULL;
2986 h.mx = MX_NONE;
9b8fadde 2987
1f155f8e
JH
2988 /* Using byname rather than bydns here means we cannot determine dnssec
2989 status. On the other hand it is unclear how that could be either
2990 propagated up or enforced. */
2991
322050c2 2992 rc = host_find_byname(&h, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, FALSE);
059ec3d9
PH
2993 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
2994 {
2995 host_item *hh;
2996 for (hh = &h; hh != NULL; hh = hh->next)
2997 {
96776534 2998 if (host_is_in_net(hh->address, cb->host_address, 0)) return OK;
059ec3d9
PH
2999 }
3000 return FAIL;
3001 }
3002 if (rc == HOST_FIND_AGAIN) return DEFER;
3003 *error = string_sprintf("failed to find IP address for %s", ss);
3004 return ERROR;
3005 }
3006
3007/* Almost all subsequent comparisons require the host name, and can be done
3008using the general string matching function. When this function is called for
3009outgoing hosts, the name is always given explicitly. If it is NULL, it means we
3010must use sender_host_name and its aliases, looking them up if necessary. */
3011
3012if (cb->host_name != NULL) /* Explicit host name given */
3013 return match_check_string(cb->host_name, ss, -1, TRUE, TRUE, TRUE,
3014 valueptr);
3015
3016/* Host name not given; in principle we need the sender host name and its
3017aliases. However, for query-style lookups, we do not need the name if the
3018query does not contain $sender_host_name. From release 4.23, a reference to
3019$sender_host_name causes it to be looked up, so we don't need to do the lookup
3020on spec. */
3021
3022if ((semicolon = Ustrchr(ss, ';')) != NULL)
3023 {
55414b25 3024 const uschar *affix;
059ec3d9
PH
3025 int partial, affixlen, starflags, id;
3026
3027 *semicolon = 0;
3028 id = search_findtype_partial(ss, &partial, &affix, &affixlen, &starflags);
3029 *semicolon=';';
3030
3031 if (id < 0) /* Unknown lookup type */
3032 {
3033 log_write(0, LOG_MAIN|LOG_PANIC, "%s in host list item \"%s\"",
3034 search_error_message, ss);
3035 return DEFER;
3036 }
13b685f9 3037 isquery = mac_islookup(id, lookup_querystyle|lookup_absfilequery);
059ec3d9
PH
3038 }
3039
3040if (isquery)
3041 {
3042 switch(match_check_string(US"", ss, -1, TRUE, TRUE, TRUE, valueptr))
3043 {
3044 case OK: return OK;
3045 case DEFER: return DEFER;
3046 default: return FAIL;
3047 }
3048 }
3049
3050/* Not a query-style lookup; must ensure the host name is present, and then we
3051do a check on the name and all its aliases. */
3052
3053if (sender_host_name == NULL)
3054 {
3055 HDEBUG(D_host_lookup)
3056 debug_printf("sender host name required, to match against %s\n", ss);
3057 if (host_lookup_failed || host_name_lookup() != OK)
3058 {
3059 *error = string_sprintf("failed to find host name for %s",
3060 sender_host_address);;
3061 return ERROR;
3062 }
3063 host_build_sender_fullhost();
3064 }
3065
3066/* Match on the sender host name, using the general matching function */
3067
3068switch(match_check_string(sender_host_name, ss, -1, TRUE, TRUE, TRUE,
3069 valueptr))
3070 {
3071 case OK: return OK;
3072 case DEFER: return DEFER;
3073 }
3074
3075/* If there are aliases, try matching on them. */
3076
3077aliases = sender_host_aliases;
3078while (*aliases != NULL)
3079 {
3080 switch(match_check_string(*aliases++, ss, -1, TRUE, TRUE, TRUE, valueptr))
3081 {
3082 case OK: return OK;
3083 case DEFER: return DEFER;
3084 }
3085 }
3086return FAIL;
3087}
3088
3089
3090
3091
3092/*************************************************
3093* Check a specific host matches a host list *
3094*************************************************/
3095
3096/* This function is passed a host list containing items in a number of
3097different formats and the identity of a host. Its job is to determine whether
3098the given host is in the set of hosts defined by the list. The host name is
3099passed as a pointer so that it can be looked up if needed and not already
3100known. This is commonly the case when called from verify_check_host() to check
3101an incoming connection. When called from elsewhere the host name should usually
3102be set.
3103
3104This function is now just a front end to match_check_list(), which runs common
3105code for scanning a list. We pass it the check_host() function to perform a
3106single test.
3107
3108Arguments:
3109 listptr pointer to the host list
3110 cache_bits pointer to cache for named lists, or NULL
3111 host_name the host name or NULL, implying use sender_host_name and
3112 sender_host_aliases, looking them up if required
3113 host_address the IP address
3114 valueptr if not NULL, data from a lookup is passed back here
3115
3116Returns: OK if the host is in the defined set
3117 FAIL if the host is not in the defined set,
3118 DEFER if a data lookup deferred (not a host lookup)
3119
3120If the host name was needed in order to make a comparison, and could not be
3121determined from the IP address, the result is FAIL unless the item
3122"+allow_unknown" was met earlier in the list, in which case OK is returned. */
3123
3124int
55414b25
JH
3125verify_check_this_host(const uschar **listptr, unsigned int *cache_bits,
3126 const uschar *host_name, const uschar *host_address, const uschar **valueptr)
059ec3d9 3127{
d4eb88df 3128int rc;
059ec3d9 3129unsigned int *local_cache_bits = cache_bits;
55414b25 3130const uschar *save_host_address = deliver_host_address;
059ec3d9
PH
3131check_host_block cb;
3132cb.host_name = host_name;
3133cb.host_address = host_address;
3134
3135if (valueptr != NULL) *valueptr = NULL;
3136
3137/* If the host address starts off ::ffff: it is an IPv6 address in
3138IPv4-compatible mode. Find the IPv4 part for checking against IPv4
3139addresses. */
3140
3141cb.host_ipv4 = (Ustrncmp(host_address, "::ffff:", 7) == 0)?
3142 host_address + 7 : host_address;
3143
8e669ac1
PH
3144/* During the running of the check, put the IP address into $host_address. In
3145the case of calls from the smtp transport, it will already be there. However,
3146in other calls (e.g. when testing ignore_target_hosts), it won't. Just to be on
d4eb88df
PH
3147the safe side, any existing setting is preserved, though as I write this
3148(November 2004) I can't see any cases where it is actually needed. */
3149
3150deliver_host_address = host_address;
3151rc = match_check_list(
3152 listptr, /* the list */
3153 0, /* separator character */
3154 &hostlist_anchor, /* anchor pointer */
3155 &local_cache_bits, /* cache pointer */
3156 check_host, /* function for testing */
3157 &cb, /* argument for function */
3158 MCL_HOST, /* type of check */
8e669ac1 3159 (host_address == sender_host_address)?
d4eb88df
PH
3160 US"host" : host_address, /* text for debugging */
3161 valueptr); /* where to pass back data */
3162deliver_host_address = save_host_address;
8e669ac1 3163return rc;
059ec3d9
PH
3164}
3165
3166
3167
3168
3169/*************************************************
5130845b
JH
3170* Check the given host item matches a list *
3171*************************************************/
3172int
3173verify_check_given_host(uschar **listptr, host_item *host)
3174{
55414b25 3175return verify_check_this_host(CUSS listptr, NULL, host->name, host->address, NULL);
5130845b
JH
3176}
3177
3178/*************************************************
059ec3d9
PH
3179* Check the remote host matches a list *
3180*************************************************/
3181
3182/* This is a front end to verify_check_this_host(), created because checking
3183the remote host is a common occurrence. With luck, a good compiler will spot
3184the tail recursion and optimize it. If there's no host address, this is
3185command-line SMTP input - check against an empty string for the address.
3186
3187Arguments:
3188 listptr pointer to the host list
3189
3190Returns: the yield of verify_check_this_host(),
3191 i.e. OK, FAIL, or DEFER
3192*/
3193
3194int
3195verify_check_host(uschar **listptr)
3196{
55414b25 3197return verify_check_this_host(CUSS listptr, sender_host_cache, NULL,
059ec3d9
PH
3198 (sender_host_address == NULL)? US"" : sender_host_address, NULL);
3199}
3200
3201
3202
3203
3204
3205/*************************************************
83e029d5 3206* Invert an IP address *
059ec3d9
PH
3207*************************************************/
3208
83e029d5
PP
3209/* Originally just used for DNS xBL lists, now also used for the
3210reverse_ip expansion operator.
3211
059ec3d9
PH
3212Arguments:
3213 buffer where to put the answer
3214 address the address to invert
3215*/
3216
83e029d5 3217void
059ec3d9
PH
3218invert_address(uschar *buffer, uschar *address)
3219{
3220int bin[4];
3221uschar *bptr = buffer;
3222
3223/* If this is an IPv4 address mapped into IPv6 format, adjust the pointer
3224to the IPv4 part only. */
3225
3226if (Ustrncmp(address, "::ffff:", 7) == 0) address += 7;
3227
3228/* Handle IPv4 address: when HAVE_IPV6 is false, the result of host_aton() is
3229always 1. */
3230
3231if (host_aton(address, bin) == 1)
3232 {
3233 int i;
3234 int x = bin[0];
3235 for (i = 0; i < 4; i++)
3236 {
3237 sprintf(CS bptr, "%d.", x & 255);
3238 while (*bptr) bptr++;
3239 x >>= 8;
3240 }
3241 }
3242
3243/* Handle IPv6 address. Actually, as far as I know, there are no IPv6 addresses
3244in any DNS black lists, and the format in which they will be looked up is
3245unknown. This is just a guess. */
3246
3247#if HAVE_IPV6
3248else
3249 {
3250 int i, j;
3251 for (j = 3; j >= 0; j--)
3252 {
3253 int x = bin[j];
3254 for (i = 0; i < 8; i++)
3255 {
3256 sprintf(CS bptr, "%x.", x & 15);
3257 while (*bptr) bptr++;
3258 x >>= 4;
3259 }
3260 }
3261 }
3262#endif
d6f6e0dc
PH
3263
3264/* Remove trailing period -- this is needed so that both arbitrary
3265dnsbl keydomains and inverted addresses may be combined with the
3266same format string, "%s.%s" */
3267
3268*(--bptr) = 0;
059ec3d9
PH
3269}
3270
3271
3272
3273/*************************************************
0bcb2a0e
PH
3274* Perform a single dnsbl lookup *
3275*************************************************/
3276
d6f6e0dc
PH
3277/* This function is called from verify_check_dnsbl() below. It is also called
3278recursively from within itself when domain and domain_txt are different
3279pointers, in order to get the TXT record from the alternate domain.
0bcb2a0e
PH
3280
3281Arguments:
d6f6e0dc
PH
3282 domain the outer dnsbl domain
3283 domain_txt alternate domain to lookup TXT record on success; when the
3284 same domain is to be used, domain_txt == domain (that is,
3285 the pointers must be identical, not just the text)
8e669ac1 3286 keydomain the current keydomain (for debug message)
d6f6e0dc
PH
3287 prepend subdomain to lookup (like keydomain, but
3288 reversed if IP address)
3289 iplist the list of matching IP addresses, or NULL for "any"
8e669ac1 3290 bitmask true if bitmask matching is wanted
431b7361
PH
3291 match_type condition for 'succeed' result
3292 0 => Any RR in iplist (=)
3293 1 => No RR in iplist (!=)
3294 2 => All RRs in iplist (==)
3295 3 => Some RRs not in iplist (!==)
3296 the two bits are defined as MT_NOT and MT_ALL
8e669ac1 3297 defer_return what to return for a defer
0bcb2a0e
PH
3298
3299Returns: OK if lookup succeeded
3300 FAIL if not
3301*/
3302
3303static int
d6f6e0dc 3304one_check_dnsbl(uschar *domain, uschar *domain_txt, uschar *keydomain,
431b7361 3305 uschar *prepend, uschar *iplist, BOOL bitmask, int match_type,
d6f6e0dc 3306 int defer_return)
8e669ac1 3307{
0bcb2a0e
PH
3308dns_answer dnsa;
3309dns_scan dnss;
3310tree_node *t;
3311dnsbl_cache_block *cb;
3312int old_pool = store_pool;
d6f6e0dc
PH
3313uschar query[256]; /* DNS domain max length */
3314
3315/* Construct the specific query domainname */
3316
3317if (!string_format(query, sizeof(query), "%s.%s", prepend, domain))
3318 {
3319 log_write(0, LOG_MAIN|LOG_PANIC, "dnslist query is too long "
3320 "(ignored): %s...", query);
3321 return FAIL;
3322 }
0bcb2a0e
PH
3323
3324/* Look for this query in the cache. */
3325
14b3c5bc
JH
3326if ( (t = tree_search(dnsbl_cache, query))
3327 && (cb = t->data.ptr)->expiry > time(NULL)
3328 )
3329
3330/* Previous lookup was cached */
3331
3332 {
3333 HDEBUG(D_dnsbl) debug_printf("using result of previous DNS lookup\n");
3334 }
0bcb2a0e
PH
3335
3336/* If not cached from a previous lookup, we must do a DNS lookup, and
3337cache the result in permanent memory. */
3338
14b3c5bc 3339else
0bcb2a0e 3340 {
e162fc97 3341 uint ttl = 3600;
14b3c5bc 3342
0bcb2a0e
PH
3343 store_pool = POOL_PERM;
3344
14b3c5bc
JH
3345 if (t)
3346 {
3347 HDEBUG(D_dnsbl) debug_printf("cached data found but past valid time; ");
3348 }
0bcb2a0e 3349
14b3c5bc
JH
3350 else
3351 { /* Set up a tree entry to cache the lookup */
3352 t = store_get(sizeof(tree_node) + Ustrlen(query));
3353 Ustrcpy(t->name, query);
3354 t->data.ptr = cb = store_get(sizeof(dnsbl_cache_block));
3355 (void)tree_insertnode(&dnsbl_cache, t);
3356 }
0bcb2a0e 3357
4c04137d 3358 /* Do the DNS lookup . */
0bcb2a0e
PH
3359
3360 HDEBUG(D_dnsbl) debug_printf("new DNS lookup for %s\n", query);
3361 cb->rc = dns_basic_lookup(&dnsa, query, T_A);
3362 cb->text_set = FALSE;
3363 cb->text = NULL;
3364 cb->rhs = NULL;
3365
3366 /* If the lookup succeeded, cache the RHS address. The code allows for
3367 more than one address - this was for complete generality and the possible
3368 use of A6 records. However, A6 records have been reduced to experimental
3369 status (August 2001) and may die out. So they may never get used at all,
3370 let alone in dnsbl records. However, leave the code here, just in case.
3371
3372 Quite apart from one A6 RR generating multiple addresses, there are DNS
3373 lists that return more than one A record, so we must handle multiple
e162fc97
JH
3374 addresses generated in that way as well.
3375
3376 Mark the cache entry with the "now" plus the minimum of the address TTLs,
3377 or some suitably far-future time if none were found. */
0bcb2a0e
PH
3378
3379 if (cb->rc == DNS_SUCCEED)
3380 {
3381 dns_record *rr;
3382 dns_address **addrp = &(cb->rhs);
3383 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
e1a3f32f 3384 rr;
0bcb2a0e
PH
3385 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
3386 {
3387 if (rr->type == T_A)
3388 {
3389 dns_address *da = dns_address_from_rr(&dnsa, rr);
e1a3f32f 3390 if (da)
0bcb2a0e
PH
3391 {
3392 *addrp = da;
3393 while (da->next != NULL) da = da->next;
3394 addrp = &(da->next);
14b3c5bc 3395 if (ttl > rr->ttl) ttl = rr->ttl;
0bcb2a0e
PH
3396 }
3397 }
3398 }
3399
3400 /* If we didn't find any A records, change the return code. This can
3401 happen when there is a CNAME record but there are no A records for what
3402 it points to. */
3403
3404 if (cb->rhs == NULL) cb->rc = DNS_NODATA;
3405 }
3406
14b3c5bc 3407 cb->expiry = time(NULL)+ttl;
0bcb2a0e
PH
3408 store_pool = old_pool;
3409 }
3410
0bcb2a0e
PH
3411/* We now have the result of the DNS lookup, either newly done, or cached
3412from a previous call. If the lookup succeeded, check against the address
3413list if there is one. This may be a positive equality list (introduced by
3414"="), a negative equality list (introduced by "!="), a positive bitmask
3415list (introduced by "&"), or a negative bitmask list (introduced by "!&").*/
3416
3417if (cb->rc == DNS_SUCCEED)
3418 {
3419 dns_address *da = NULL;
3420 uschar *addlist = cb->rhs->address;
3421
3422 /* For A and AAAA records, there may be multiple addresses from multiple
3423 records. For A6 records (currently not expected to be used) there may be
3424 multiple addresses from a single record. */
3425
3426 for (da = cb->rhs->next; da != NULL; da = da->next)
3427 addlist = string_sprintf("%s, %s", addlist, da->address);
3428
3429 HDEBUG(D_dnsbl) debug_printf("DNS lookup for %s succeeded (yielding %s)\n",
3430 query, addlist);
3431
3432 /* Address list check; this can be either for equality, or via a bitmask.
3433 In the latter case, all the bits must match. */
3434
3435 if (iplist != NULL)
3436 {
431b7361 3437 for (da = cb->rhs; da != NULL; da = da->next)
0bcb2a0e 3438 {
431b7361
PH
3439 int ipsep = ',';
3440 uschar ip[46];
55414b25 3441 const uschar *ptr = iplist;
431b7361
PH
3442 uschar *res;
3443
0bcb2a0e 3444 /* Handle exact matching */
431b7361 3445
0bcb2a0e
PH
3446 if (!bitmask)
3447 {
431b7361 3448 while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))) != NULL)
0bcb2a0e
PH
3449 {
3450 if (Ustrcmp(CS da->address, ip) == 0) break;
3451 }
3452 }
431b7361 3453
0bcb2a0e 3454 /* Handle bitmask matching */
431b7361 3455
0bcb2a0e
PH
3456 else
3457 {
3458 int address[4];
3459 int mask = 0;
3460
3461 /* At present, all known DNS blocking lists use A records, with
3462 IPv4 addresses on the RHS encoding the information they return. I
3463 wonder if this will linger on as the last vestige of IPv4 when IPv6
3464 is ubiquitous? Anyway, for now we use paranoia code to completely
3465 ignore IPv6 addresses. The default mask is 0, which always matches.
3466 We change this only for IPv4 addresses in the list. */
3467
431b7361 3468 if (host_aton(da->address, address) == 1) mask = address[0];
0bcb2a0e
PH
3469
3470 /* Scan the returned addresses, skipping any that are IPv6 */
3471
431b7361 3472 while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))) != NULL)
0bcb2a0e 3473 {
431b7361
PH
3474 if (host_aton(ip, address) != 1) continue;
3475 if ((address[0] & mask) == address[0]) break;
0bcb2a0e
PH
3476 }
3477 }
3478
431b7361
PH
3479 /* If either
3480
3481 (a) An IP address in an any ('=') list matched, or
3482 (b) No IP address in an all ('==') list matched
0bcb2a0e 3483
431b7361
PH
3484 then we're done searching. */
3485
3486 if (((match_type & MT_ALL) != 0) == (res == NULL)) break;
0bcb2a0e
PH
3487 }
3488
431b7361 3489 /* If da == NULL, either
0bcb2a0e 3490
431b7361
PH
3491 (a) No IP address in an any ('=') list matched, or
3492 (b) An IP address in an all ('==') list didn't match
0bcb2a0e 3493
431b7361
PH
3494 so behave as if the DNSBL lookup had not succeeded, i.e. the host is not on
3495 the list. */
0bcb2a0e 3496
431b7361 3497 if ((match_type == MT_NOT || match_type == MT_ALL) != (da == NULL))
0bcb2a0e
PH
3498 {
3499 HDEBUG(D_dnsbl)
3500 {
431b7361
PH
3501 uschar *res = NULL;
3502 switch(match_type)
3503 {
3504 case 0:
3505 res = US"was no match";
3506 break;
3507 case MT_NOT:
3508 res = US"was an exclude match";
3509 break;
3510 case MT_ALL:
3511 res = US"was an IP address that did not match";
3512 break;
3513 case MT_NOT|MT_ALL:
3514 res = US"were no IP addresses that did not match";
3515 break;
3516 }
0bcb2a0e 3517 debug_printf("=> but we are not accepting this block class because\n");
431b7361
PH
3518 debug_printf("=> there %s for %s%c%s\n",
3519 res,
3520 ((match_type & MT_ALL) == 0)? "" : "=",
3521 bitmask? '&' : '=', iplist);
0bcb2a0e 3522 }
8e669ac1 3523 return FAIL;
0bcb2a0e
PH
3524 }
3525 }
3526
d6f6e0dc
PH
3527 /* Either there was no IP list, or the record matched, implying that the
3528 domain is on the list. We now want to find a corresponding TXT record. If an
3529 alternate domain is specified for the TXT record, call this function
3530 recursively to look that up; this has the side effect of re-checking that
3531 there is indeed an A record at the alternate domain. */
3532
3533 if (domain_txt != domain)
3534 return one_check_dnsbl(domain_txt, domain_txt, keydomain, prepend, NULL,
431b7361 3535 FALSE, match_type, defer_return);
d6f6e0dc
PH
3536
3537 /* If there is no alternate domain, look up a TXT record in the main domain
3538 if it has not previously been cached. */
0bcb2a0e
PH
3539
3540 if (!cb->text_set)
3541 {
3542 cb->text_set = TRUE;
3543 if (dns_basic_lookup(&dnsa, query, T_TXT) == DNS_SUCCEED)
3544 {
3545 dns_record *rr;
3546 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
3547 rr != NULL;
3548 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
3549 if (rr->type ==