projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Safety check in deliver_split_address()
[exim.git] / src / src / verify.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
80fea873 5/* Copyright (c) University of Cambridge 1995 - 2016 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Functions concerned with verifying things. The original code for callout
9caching was contributed by Kevin Fleming (but I hacked it around a bit). */
10
11
12#include "exim.h"
817d9f57 13#include "transports/smtp.h"
059ec3d9 14
e4bdf652
JH		 15#define CUTTHROUGH_CMD_TIMEOUT 30 /* timeout for cutthrough-routing calls */
16#define CUTTHROUGH_DATA_TIMEOUT 60 /* timeout for cutthrough-routing calls */
817d9f57
JH		 17static smtp_outblock ctblock;
18uschar ctbuffer[8192];
19
059ec3d9
PH		 20
21/* Structure for caching DNSBL lookups */
22
23typedef struct dnsbl_cache_block {
14b3c5bc 24 time_t expiry;
059ec3d9
PH		 25 dns_address *rhs;
26 uschar *text;
27 int rc;
28 BOOL text_set;
29} dnsbl_cache_block;
30
31
32/* Anchor for DNSBL cache */
33
34static tree_node *dnsbl_cache = NULL;
35
36
431b7361
PH		 37/* Bits for match_type in one_check_dnsbl() */
38
39#define MT_NOT 1
40#define MT_ALL 2
41
5032d1cf 42static uschar cutthrough_response(char, uschar **);
431b7361 43
059ec3d9
PH		 44
45/*************************************************
46* Retrieve a callout cache record *
47*************************************************/
48
49/* If a record exists, check whether it has expired.
50
51Arguments:
52 dbm_file an open hints file
53 key the record key
54 type "address" or "domain"
55 positive_expire expire time for positive records
56 negative_expire expire time for negative records
57
58Returns: the cache record if a non-expired one exists, else NULL
59*/
60
61static dbdata_callout_cache *
55414b25 62get_callout_cache_record(open_db *dbm_file, const uschar *key, uschar *type,
059ec3d9
PH		 63 int positive_expire, int negative_expire)
64{
65BOOL negative;
66int length, expire;
67time_t now;
68dbdata_callout_cache *cache_record;
69
70cache_record = dbfn_read_with_length(dbm_file, key, &length);
71
72if (cache_record == NULL)
73 {
6f4d5ad3 74 HDEBUG(D_verify) debug_printf("callout cache: no %s record found for %s\n", type, key);
059ec3d9
PH		 75 return NULL;
76 }
77
78/* We treat a record as "negative" if its result field is not positive, or if
79it is a domain record and the postmaster field is negative. */
80
81negative = cache_record->result != ccache_accept ||
82 (type[0] == 'd' && cache_record->postmaster_result == ccache_reject);
83expire = negative? negative_expire : positive_expire;
84now = time(NULL);
85
86if (now - cache_record->time_stamp > expire)
87 {
6f4d5ad3 88 HDEBUG(D_verify) debug_printf("callout cache: %s record expired for %s\n", type, key);
059ec3d9
PH		 89 return NULL;
90 }
91
92/* If this is a non-reject domain record, check for the obsolete format version
93that doesn't have the postmaster and random timestamps, by looking at the
94length. If so, copy it to a new-style block, replicating the record's
95timestamp. Then check the additional timestamps. (There's no point wasting
96effort if connections are rejected.) */
97
98if (type[0] == 'd' && cache_record->result != ccache_reject)
99 {
100 if (length == sizeof(dbdata_callout_cache_obs))
101 {
102 dbdata_callout_cache *new = store_get(sizeof(dbdata_callout_cache));
103 memcpy(new, cache_record, length);
104 new->postmaster_stamp = new->random_stamp = new->time_stamp;
105 cache_record = new;
106 }
107
108 if (now - cache_record->postmaster_stamp > expire)
109 cache_record->postmaster_result = ccache_unknown;
110
111 if (now - cache_record->random_stamp > expire)
112 cache_record->random_result = ccache_unknown;
113 }
114
6f4d5ad3 115HDEBUG(D_verify) debug_printf("callout cache: found %s record for %s\n", type, key);
059ec3d9
PH		 116return cache_record;
117}
118
119
120
121/*************************************************
122* Do callout verification for an address *
123*************************************************/
124
125/* This function is called from verify_address() when the address has routed to
126a host list, and a callout has been requested. Callouts are expensive; that is
127why a cache is used to improve the efficiency.
128
129Arguments:
130 addr the address that's been routed
131 host_list the list of hosts to try
132 tf the transport feedback block
133
134 ifstring "interface" option from transport, or NULL
135 portstring "port" option from transport, or NULL
136 protocolstring "protocol" option from transport, or NULL
137 callout the per-command callout timeout
4deaf07d
PH		 138 callout_overall the overall callout timeout (if < 0 use 4*callout)
139 callout_connect the callout connection timeout (if < 0 use callout)
059ec3d9
PH		 140 options the verification options - these bits are used:
141 vopt_is_recipient => this is a recipient address
142 vopt_callout_no_cache => don't use callout cache
2a4be8f9 143 vopt_callout_fullpm => if postmaster check, do full one
059ec3d9
PH		 144 vopt_callout_random => do the "random" thing
145 vopt_callout_recipsender => use real sender for recipient
146 vopt_callout_recippmaster => use postmaster for recipient
147 se_mailfrom MAIL FROM address for sender verify; NULL => ""
148 pm_mailfrom if non-NULL, do the postmaster check with this sender
149
150Returns: OK/FAIL/DEFER
151*/
152
153static int
154do_callout(address_item *addr, host_item *host_list, transport_feedback *tf,
8e669ac1 155 int callout, int callout_overall, int callout_connect, int options,
4deaf07d 156 uschar *se_mailfrom, uschar *pm_mailfrom)
059ec3d9
PH		 157{
158BOOL is_recipient = (options & vopt_is_recipient) != 0;
159BOOL callout_no_cache = (options & vopt_callout_no_cache) != 0;
160BOOL callout_random = (options & vopt_callout_random) != 0;
161
162int yield = OK;
2b1c6e3a 163int old_domain_cache_result = ccache_accept;
059ec3d9
PH		 164BOOL done = FALSE;
165uschar *address_key;
166uschar *from_address;
167uschar *random_local_part = NULL;
55414b25 168const uschar *save_deliver_domain = deliver_domain;
8e669ac1 169uschar **failure_ptr = is_recipient?
2c7db3f5 170 &recipient_verify_failure : &sender_verify_failure;
059ec3d9
PH		 171open_db dbblock;
172open_db *dbm_file = NULL;
173dbdata_callout_cache new_domain_record;
174dbdata_callout_cache_address new_address_record;
175host_item *host;
176time_t callout_start_time;
9094b84b 177uschar peer_offered = 0;
059ec3d9
PH		 178
179new_domain_record.result = ccache_unknown;
180new_domain_record.postmaster_result = ccache_unknown;
181new_domain_record.random_result = ccache_unknown;
182
183memset(&new_address_record, 0, sizeof(new_address_record));
184
185/* For a recipient callout, the key used for the address cache record must
186include the sender address if we are using the real sender in the callout,
187because that may influence the result of the callout. */
188
189address_key = addr->address;
190from_address = US"";
191
192if (is_recipient)
193 {
5032d1cf 194 if (options & vopt_callout_recipsender)
059ec3d9
PH		 195 {
196 address_key = string_sprintf("%s/<%s>", addr->address, sender_address);
197 from_address = sender_address;
198 }
5032d1cf 199 else if (options & vopt_callout_recippmaster)
059ec3d9
PH		 200 {
201 address_key = string_sprintf("%s/<postmaster@%s>", addr->address,
202 qualify_domain_sender);
203 from_address = string_sprintf("postmaster@%s", qualify_domain_sender);
204 }
205 }
206
207/* For a sender callout, we must adjust the key if the mailfrom address is not
208empty. */
209
210else
211 {
212 from_address = (se_mailfrom == NULL)? US"" : se_mailfrom;
213 if (from_address[0] != 0)
214 address_key = string_sprintf("%s/<%s>", addr->address, from_address);
215 }
216
217/* Open the callout cache database, it it exists, for reading only at this
218stage, unless caching has been disabled. */
219
220if (callout_no_cache)
221 {
222 HDEBUG(D_verify) debug_printf("callout cache: disabled by no_cache\n");
223 }
224else if ((dbm_file = dbfn_open(US"callout", O_RDWR, &dbblock, FALSE)) == NULL)
225 {
226 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
227 }
228
229/* If a cache database is available see if we can avoid the need to do an
230actual callout by making use of previously-obtained data. */
231
232if (dbm_file != NULL)
233 {
234 dbdata_callout_cache_address *cache_address_record;
235 dbdata_callout_cache *cache_record = get_callout_cache_record(dbm_file,
236 addr->domain, US"domain",
237 callout_cache_domain_positive_expire,
238 callout_cache_domain_negative_expire);
239
240 /* If an unexpired cache record was found for this domain, see if the callout
241 process can be short-circuited. */
242
243 if (cache_record != NULL)
244 {
2b1c6e3a
PH		 245 /* In most cases, if an early command (up to and including MAIL FROM:<>)
246 was rejected, there is no point carrying on. The callout fails. However, if
247 we are doing a recipient verification with use_sender or use_postmaster
248 set, a previous failure of MAIL FROM:<> doesn't count, because this time we
249 will be using a non-empty sender. We have to remember this situation so as
250 not to disturb the cached domain value if this whole verification succeeds
251 (we don't want it turning into "accept"). */
252
253 old_domain_cache_result = cache_record->result;
254
255 if (cache_record->result == ccache_reject ||
256 (*from_address == 0 && cache_record->result == ccache_reject_mfnull))
059ec3d9
PH		 257 {
258 setflag(addr, af_verify_nsfail);
259 HDEBUG(D_verify)
260 debug_printf("callout cache: domain gave initial rejection, or "
261 "does not accept HELO or MAIL FROM:<>\n");
262 setflag(addr, af_verify_nsfail);
263 addr->user_message = US"(result of an earlier callout reused).";
264 yield = FAIL;
8e669ac1 265 *failure_ptr = US"mail";
059ec3d9
PH		 266 goto END_CALLOUT;
267 }
268
269 /* If a previous check on a "random" local part was accepted, we assume
270 that the server does not do any checking on local parts. There is therefore
271 no point in doing the callout, because it will always be successful. If a
272 random check previously failed, arrange not to do it again, but preserve
273 the data in the new record. If a random check is required but hasn't been
274 done, skip the remaining cache processing. */
275
276 if (callout_random) switch(cache_record->random_result)
277 {
278 case ccache_accept:
279 HDEBUG(D_verify)
280 debug_printf("callout cache: domain accepts random addresses\n");
281 goto END_CALLOUT; /* Default yield is OK */
282
283 case ccache_reject:
284 HDEBUG(D_verify)
285 debug_printf("callout cache: domain rejects random addresses\n");
286 callout_random = FALSE;
287 new_domain_record.random_result = ccache_reject;
288 new_domain_record.random_stamp = cache_record->random_stamp;
289 break;
290
291 default:
292 HDEBUG(D_verify)
293 debug_printf("callout cache: need to check random address handling "
294 "(not cached or cache expired)\n");
295 goto END_CACHE;
296 }
297
298 /* If a postmaster check is requested, but there was a previous failure,
299 there is again no point in carrying on. If a postmaster check is required,
300 but has not been done before, we are going to have to do a callout, so skip
301 remaining cache processing. */
302
303 if (pm_mailfrom != NULL)
304 {
305 if (cache_record->postmaster_result == ccache_reject)
306 {
307 setflag(addr, af_verify_pmfail);
308 HDEBUG(D_verify)
309 debug_printf("callout cache: domain does not accept "
310 "RCPT TO:<postmaster@domain>\n");
311 yield = FAIL;
8e669ac1 312 *failure_ptr = US"postmaster";
059ec3d9
PH		 313 setflag(addr, af_verify_pmfail);
314 addr->user_message = US"(result of earlier verification reused).";
315 goto END_CALLOUT;
316 }
317 if (cache_record->postmaster_result == ccache_unknown)
318 {
319 HDEBUG(D_verify)
320 debug_printf("callout cache: need to check RCPT "
321 "TO:<postmaster@domain> (not cached or cache expired)\n");
322 goto END_CACHE;
323 }
324
325 /* If cache says OK, set pm_mailfrom NULL to prevent a redundant
326 postmaster check if the address itself has to be checked. Also ensure
327 that the value in the cache record is preserved (with its old timestamp).
328 */
329
330 HDEBUG(D_verify) debug_printf("callout cache: domain accepts RCPT "
331 "TO:<postmaster@domain>\n");
332 pm_mailfrom = NULL;
333 new_domain_record.postmaster_result = ccache_accept;
334 new_domain_record.postmaster_stamp = cache_record->postmaster_stamp;
335 }
336 }
337
338 /* We can't give a result based on information about the domain. See if there
339 is an unexpired cache record for this specific address (combined with the
340 sender address if we are doing a recipient callout with a non-empty sender).
341 */
342
343 cache_address_record = (dbdata_callout_cache_address *)
344 get_callout_cache_record(dbm_file,
345 address_key, US"address",
346 callout_cache_positive_expire,
347 callout_cache_negative_expire);
348
349 if (cache_address_record != NULL)
350 {
351 if (cache_address_record->result == ccache_accept)
352 {
353 HDEBUG(D_verify)
354 debug_printf("callout cache: address record is positive\n");
355 }
356 else
357 {
358 HDEBUG(D_verify)
359 debug_printf("callout cache: address record is negative\n");
360 addr->user_message = US"Previous (cached) callout verification failure";
8e669ac1 361 *failure_ptr = US"recipient";
059ec3d9
PH		 362 yield = FAIL;
363 }
364 goto END_CALLOUT;
365 }
366
367 /* Close the cache database while we actually do the callout for real. */
368
369 END_CACHE:
370 dbfn_close(dbm_file);
371 dbm_file = NULL;
372 }
373
193e3acd 374if (!addr->transport)
059ec3d9 375 {
193e3acd 376 HDEBUG(D_verify) debug_printf("cannot callout via null transport\n");
059ec3d9 377 }
6681531a
HSHR		 378else if (Ustrcmp(addr->transport->driver_name, "smtp") != 0)
379 log_write(0, LOG_MAIN|LOG_PANIC|LOG_CONFIG_FOR, "callout transport '%s': %s is non-smtp",
380 addr->transport->name, addr->transport->driver_name);
193e3acd
JH		 381else
382 {
383 smtp_transport_options_block *ob =
9d9c3746 384 (smtp_transport_options_block *)addr->transport->options_block;
059ec3d9 385
193e3acd
JH		 386 /* The information wasn't available in the cache, so we have to do a real
387 callout and save the result in the cache for next time, unless no_cache is set,
388 or unless we have a previously cached negative random result. If we are to test
389 with a random local part, ensure that such a local part is available. If not,
390 log the fact, but carry on without randomming. */
059ec3d9 391
193e3acd 392 if (callout_random && callout_random_local_part != NULL)
65f1c92a 393 if (!(random_local_part = expand_string(callout_random_local_part)))
193e3acd
JH		 394 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
395 "callout_random_local_part: %s", expand_string_message);
059ec3d9 396
193e3acd
JH		 397 /* Default the connect and overall callout timeouts if not set, and record the
398 time we are starting so that we can enforce it. */
4c590bd1 399
193e3acd
JH		 400 if (callout_overall < 0) callout_overall = 4 * callout;
401 if (callout_connect < 0) callout_connect = callout;
402 callout_start_time = time(NULL);
4c590bd1 403
193e3acd
JH		 404 /* Before doing a real callout, if this is an SMTP connection, flush the SMTP
405 output because a callout might take some time. When PIPELINING is active and
406 there are many recipients, the total time for doing lots of callouts can add up
407 and cause the client to time out. So in this case we forgo the PIPELINING
408 optimization. */
817d9f57 409
193e3acd 410 if (smtp_out != NULL && !disable_callout_flush) mac_smtp_fflush();
059ec3d9 411
5032d1cf
JH		 412/* cutthrough-multi: if a nonfirst rcpt has the same routing as the first,
413and we are holding a cutthrough conn open, we can just append the rcpt to
414that conn for verification purposes (and later delivery also). Simplest
415coding means skipping this whole loop and doing the append separately.
416
417We will need to remember it has been appended so that rcpt-acl tail code
418can do it there for the non-rcpt-verify case. For this we keep an addresscount.
419*/
420
421 /* Can we re-use an open cutthrough connection? */
422 if ( cutthrough.fd >= 0
423 && (options & (vopt_callout_recipsender | vopt_callout_recippmaster))
424 == vopt_callout_recipsender
425 && !random_local_part
426 && !pm_mailfrom
427 )
428 {
429 if (addr->transport == cutthrough.addr.transport)
430 for (host = host_list; host; host = host->next)
431 if (Ustrcmp(host->address, cutthrough.host.address) == 0)
432 {
433 int host_af;
434 uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
435 int port = 25;
436
437 deliver_host = host->name;
438 deliver_host_address = host->address;
439 deliver_host_port = host->port;
440 deliver_domain = addr->domain;
441 transport_name = addr->transport->name;
442
443 host_af = (Ustrchr(host->address, ':') == NULL)? AF_INET:AF_INET6;
444
6f6dedcc 445 if (!smtp_get_interface(tf->interface, host_af, addr, &interface,
5032d1cf
JH		 446 US"callout") ||
447 !smtp_get_port(tf->port, addr, &port, US"callout"))
448 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
449 addr->message);
450
451 if ( ( interface == cutthrough.interface
452 || ( interface
453 && cutthrough.interface
454 && Ustrcmp(interface, cutthrough.interface) == 0
455 ) )
456 && port == cutthrough.host.port
457 )
458 {
806c3df9 459 uschar * resp = NULL;
5032d1cf
JH		 460
461 /* Match! Send the RCPT TO, append the addr, set done */
462 done =
463 smtp_write_command(&ctblock, FALSE, "RCPT TO:<%.1000s>\r\n",
464 transport_rcpt_address(addr,
465 (addr->transport == NULL)? FALSE :
466 addr->transport->rcpt_include_affixes)) >= 0 &&
467 cutthrough_response('2', &resp) == '2';
468
469 /* This would go horribly wrong if a callout fail was ignored by ACL.
470 We punt by abandoning cutthrough on a reject, like the
471 first-rcpt does. */
472
473 if (done)
474 {
475 address_item * na = store_get(sizeof(address_item));
476 *na = cutthrough.addr;
477 cutthrough.addr = *addr;
478 cutthrough.addr.host_used = &cutthrough.host;
479 cutthrough.addr.next = na;
480
481 cutthrough.nrcpt++;
482 }
483 else
484 {
485 cancel_cutthrough_connection("recipient rejected");
806c3df9 486 if (!resp || errno == ETIMEDOUT)
5032d1cf
JH		 487 {
488 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
489 }
490 else if (errno == 0)
491 {
492 if (*resp == 0)
493 Ustrcpy(resp, US"connection dropped");
494
495 addr->message =
496 string_sprintf("response to \"%s\" from %s [%s] was: %s",
497 big_buffer, host->name, host->address,
498 string_printing(resp));
499
500 addr->user_message =
501 string_sprintf("Callout verification failed:\n%s", resp);
502
503 /* Hard rejection ends the process */
504
505 if (resp[0] == '5') /* Address rejected */
506 {
507 yield = FAIL;
508 done = TRUE;
509 }
510 }
511 }
512 }
513 break;
514 }
515 if (!done)
516 cancel_cutthrough_connection("incompatible connection");
517 }
518
193e3acd
JH		 519 /* Now make connections to the hosts and do real callouts. The list of hosts
520 is passed in as an argument. */
059ec3d9 521
193e3acd 522 for (host = host_list; host != NULL && !done; host = host->next)
059ec3d9 523 {
193e3acd
JH		 524 smtp_inblock inblock;
525 smtp_outblock outblock;
526 int host_af;
527 int port = 25;
528 BOOL send_quit = TRUE;
529 uschar *active_hostname = smtp_active_hostname;
530 BOOL lmtp;
531 BOOL smtps;
532 BOOL esmtp;
533 BOOL suppress_tls = FALSE;
534 uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
0e66b3b6
JH		 535#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
536 BOOL dane = FALSE;
6ebd79ec 537 BOOL dane_required;
0e66b3b6
JH		 538 dns_answer tlsa_dnsa;
539#endif
193e3acd
JH		 540 uschar inbuffer[4096];
541 uschar outbuffer[1024];
542 uschar responsebuffer[4096];
9094b84b 543 uschar * size_str;
193e3acd
JH		 544
545 clearflag(addr, af_verify_pmfail); /* postmaster callout flag */
546 clearflag(addr, af_verify_nsfail); /* null sender callout flag */
547
548 /* Skip this host if we don't have an IP address for it. */
549
550 if (host->address == NULL)
551 {
552 DEBUG(D_verify) debug_printf("no IP address for host name %s: skipping\n",
553 host->name);
554 continue;
555 }
059ec3d9 556
193e3acd 557 /* Check the overall callout timeout */
059ec3d9 558
193e3acd
JH		 559 if (time(NULL) - callout_start_time >= callout_overall)
560 {
561 HDEBUG(D_verify) debug_printf("overall timeout for callout exceeded\n");
562 break;
563 }
059ec3d9 564
193e3acd 565 /* Set IPv4 or IPv6 */
059ec3d9 566
193e3acd 567 host_af = (Ustrchr(host->address, ':') == NULL)? AF_INET:AF_INET6;
de3a88fb 568
193e3acd
JH		 569 /* Expand and interpret the interface and port strings. The latter will not
570 be used if there is a host-specific port (e.g. from a manualroute router).
571 This has to be delayed till now, because they may expand differently for
572 different hosts. If there's a failure, log it, but carry on with the
573 defaults. */
de3a88fb 574
193e3acd
JH		 575 deliver_host = host->name;
576 deliver_host_address = host->address;
a7538db1 577 deliver_host_port = host->port;
193e3acd 578 deliver_domain = addr->domain;
aec45841 579 transport_name = addr->transport->name;
059ec3d9 580
6f6dedcc 581 if ( !smtp_get_interface(tf->interface, host_af, addr, &interface,
bf7aabb4
JH		 582 US"callout")
583 || !smtp_get_port(tf->port, addr, &port, US"callout")
584 )
193e3acd
JH		 585 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
586 addr->message);
059ec3d9 587
193e3acd
JH		 588 /* Set HELO string according to the protocol */
589 lmtp= Ustrcmp(tf->protocol, "lmtp") == 0;
590 smtps= Ustrcmp(tf->protocol, "smtps") == 0;
059ec3d9 591
059ec3d9 592
193e3acd 593 HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", interface, port);
059ec3d9 594
193e3acd 595 /* Set up the buffer for reading SMTP response packets. */
059ec3d9 596
193e3acd
JH		 597 inblock.buffer = inbuffer;
598 inblock.buffersize = sizeof(inbuffer);
599 inblock.ptr = inbuffer;
600 inblock.ptrend = inbuffer;
059ec3d9 601
193e3acd 602 /* Set up the buffer for holding SMTP commands while pipelining */
817d9f57 603
193e3acd
JH		 604 outblock.buffer = outbuffer;
605 outblock.buffersize = sizeof(outbuffer);
606 outblock.ptr = outbuffer;
607 outblock.cmd_count = 0;
608 outblock.authenticating = FALSE;
059ec3d9 609
193e3acd
JH		 610 /* Connect to the host; on failure, just loop for the next one, but we
611 set the error for the last one. Use the callout_connect timeout. */
059ec3d9 612
193e3acd 613 tls_retry_connection:
41c7c167 614
65f1c92a
JH		 615 /* Reset the parameters of a TLS session */
616 tls_out.cipher = tls_out.peerdn = tls_out.peercert = NULL;
617
193e3acd 618 inblock.sock = outblock.sock =
7eb6c37c
JH		 619 smtp_connect(host, host_af, port, interface, callout_connect,
620 addr->transport);
193e3acd
JH		 621 if (inblock.sock < 0)
622 {
623 addr->message = string_sprintf("could not connect to %s [%s]: %s",
624 host->name, host->address, strerror(errno));
aec45841 625 transport_name = NULL;
193e3acd
JH		 626 deliver_host = deliver_host_address = NULL;
627 deliver_domain = save_deliver_domain;
628 continue;
629 }
41c7c167 630
bf7aabb4
JH		 631#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
632 {
633 int rc;
634
635 tls_out.dane_verified = FALSE;
636 tls_out.tlsa_usage = 0;
637
638 dane_required =
639 verify_check_given_host(&ob->hosts_require_dane, host) == OK;
640
641 if (host->dnssec == DS_YES)
642 {
4b0fe319
JH		 643 if( dane_required
644 || verify_check_given_host(&ob->hosts_try_dane, host) == OK
bf7aabb4 645 )
4b0fe319
JH		 646 {
647 if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required)) != OK)
648 return rc;
649 dane = TRUE;
650 }
bf7aabb4
JH		 651 }
652 else if (dane_required)
653 {
654 log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name);
655 return FAIL;
656 }
657
658 if (dane)
659 ob->tls_tempfail_tryclear = FALSE;
660 }
661#endif /*DANE*/
662
193e3acd 663 /* Expand the helo_data string to find the host name to use. */
41c7c167 664
193e3acd
JH		 665 if (tf->helo_data != NULL)
666 {
667 uschar *s = expand_string(tf->helo_data);
668 if (s == NULL)
669 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: failed to expand transport's "
670 "helo_data value for callout: %s", addr->address,
671 expand_string_message);
672 else active_hostname = s;
673 }
059ec3d9 674
193e3acd
JH		 675 /* Wait for initial response, and send HELO. The smtp_write_command()
676 function leaves its command in big_buffer. This is used in error responses.
677 Initialize it in case the connection is rejected. */
817d9f57 678
193e3acd 679 Ustrcpy(big_buffer, "initial connection");
817d9f57 680
193e3acd
JH		 681 /* Unless ssl-on-connect, wait for the initial greeting */
682 smtps_redo_greeting:
817d9f57 683
a7538db1 684#ifdef SUPPORT_TLS
193e3acd 685 if (!smtps || (smtps && tls_out.active >= 0))
a7538db1
JH		 686#endif
687 {
193e3acd
JH		 688 if (!(done= smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout)))
689 goto RESPONSE_FAILED;
770747fd 690
0cbf2b82 691#ifndef DISABLE_EVENT
aaedd1b5
JH		 692 lookup_dnssec_authenticated = host->dnssec==DS_YES ? US"yes"
693 : host->dnssec==DS_NO ? US"no" : NULL;
774ef2d7 694 if (event_raise(addr->transport->event_action,
b30275b8 695 US"smtp:connect", responsebuffer))
a7538db1 696 {
aaedd1b5 697 lookup_dnssec_authenticated = NULL;
a7538db1
JH		 698 /* Logging? Debug? */
699 goto RESPONSE_FAILED;
700 }
aaedd1b5 701 lookup_dnssec_authenticated = NULL;
a7538db1
JH		 702#endif
703 }
704
193e3acd 705 /* Not worth checking greeting line for ESMTP support */
55414b25 706 if (!(esmtp = verify_check_given_host(&ob->hosts_avoid_esmtp, host) != OK))
193e3acd
JH		 707 DEBUG(D_transport)
708 debug_printf("not sending EHLO (host matches hosts_avoid_esmtp)\n");
817d9f57 709
193e3acd 710 tls_redo_helo:
817d9f57 711
a7538db1 712#ifdef SUPPORT_TLS
193e3acd 713 if (smtps && tls_out.active < 0) /* ssl-on-connect, first pass */
817d9f57 714 {
9094b84b 715 peer_offered &= ~PEER_OFFERED_TLS;
193e3acd 716 ob->tls_tempfail_tryclear = FALSE;
817d9f57 717 }
a7538db1
JH		 718 else /* all other cases */
719#endif
817d9f57 720
193e3acd 721 { esmtp_retry:
817d9f57 722
193e3acd
JH		 723 if (!(done= smtp_write_command(&outblock, FALSE, "%s %s\r\n",
724 !esmtp? "HELO" : lmtp? "LHLO" : "EHLO", active_hostname) >= 0))
725 goto SEND_FAILED;
726 if (!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout))
727 {
4ed8d31a
JH		 728 if (errno != 0 || responsebuffer[0] == 0 || lmtp || !esmtp || tls_out.active >= 0)
729 {
730 done= FALSE;
731 goto RESPONSE_FAILED;
732 }
a7538db1 733#ifdef SUPPORT_TLS
9094b84b 734 peer_offered &= ~PEER_OFFERED_TLS;
a7538db1 735#endif
193e3acd
JH		 736 esmtp = FALSE;
737 goto esmtp_retry; /* fallback to HELO */
738 }
739
740 /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
4ed8d31a 741
9094b84b
JH		 742 peer_offered = esmtp
743 ? ehlo_response(responsebuffer, sizeof(responsebuffer),
744 (!suppress_tls && tls_out.active < 0 ? PEER_OFFERED_TLS : 0)
745 | 0 /* no IGNQ */
746 | 0 /* no PRDR */
747#ifdef SUPPORT_I18N
748 | (addr->prop.utf8_msg && !addr->prop.utf8_downcvt
749 ? PEER_OFFERED_UTF8 : 0)
a7538db1 750#endif
9094b84b
JH		 751 | 0 /* no DSN */
752 | 0 /* no PIPE */
753
754 /* only care about SIZE if we have size from inbound */
755 | (message_size > 0 && ob->size_addition >= 0
756 ? PEER_OFFERED_SIZE : 0)
757 )
758 : 0;
817d9f57
JH		 759 }
760
9094b84b
JH		 761 size_str = peer_offered & PEER_OFFERED_SIZE
762 ? string_sprintf(" SIZE=%d", message_size + ob->size_addition) : US"";
763
764#ifdef SUPPORT_TLS
765 tls_offered = !!(peer_offered & PEER_OFFERED_TLS);
766#endif
767
193e3acd
JH		 768 /* If TLS is available on this connection attempt to
769 start up a TLS session, unless the host is in hosts_avoid_tls. If successful,
770 send another EHLO - the server may give a different answer in secure mode. We
771 use a separate buffer for reading the response to STARTTLS so that if it is
772 negative, the original EHLO data is available for subsequent analysis, should
773 the client not be required to use TLS. If the response is bad, copy the buffer
774 for error analysis. */
775
a7538db1 776#ifdef SUPPORT_TLS
9094b84b 777 if ( peer_offered & PEER_OFFERED_TLS
5130845b
JH		 778 && verify_check_given_host(&ob->hosts_avoid_tls, host) != OK
779 && verify_check_given_host(&ob->hosts_verify_avoid_tls, host) != OK
99400968 780 )
817d9f57 781 {
193e3acd
JH		 782 uschar buffer2[4096];
783 if ( !smtps
784 && !(done= smtp_write_command(&outblock, FALSE, "STARTTLS\r\n") >= 0))
785 goto SEND_FAILED;
786
787 /* If there is an I/O error, transmission of this message is deferred. If
788 there is a temporary rejection of STARRTLS and tls_tempfail_tryclear is
789 false, we also defer. However, if there is a temporary rejection of STARTTLS
790 and tls_tempfail_tryclear is true, or if there is an outright rejection of
791 STARTTLS, we carry on. This means we will try to send the message in clear,
792 unless the host is in hosts_require_tls (tested below). */
793
794 if (!smtps && !smtp_read_response(&inblock, buffer2, sizeof(buffer2), '2',
795 ob->command_timeout))
817d9f57 796 {
4b0fe319
JH		 797 if ( errno != 0
798 || buffer2[0] == 0
799 || buffer2[0] == '4' && !ob->tls_tempfail_tryclear
800 )
a7538db1
JH		 801 {
802 Ustrncpy(responsebuffer, buffer2, sizeof(responsebuffer));
803 done= FALSE;
804 goto RESPONSE_FAILED;
805 }
193e3acd 806 }
817d9f57 807
193e3acd
JH		 808 /* STARTTLS accepted or ssl-on-connect: try to negotiate a TLS session. */
809 else
810 {
65867078
JH		 811 int oldtimeout = ob->command_timeout;
812 int rc;
813
6ebd79ec 814 tls_negotiate:
65867078 815 ob->command_timeout = callout;
0e66b3b6 816 rc = tls_client_start(inblock.sock, host, addr, addr->transport
5032d1cf 817# ifdef EXPERIMENTAL_DANE
0e66b3b6 818 , dane ? &tlsa_dnsa : NULL
5032d1cf 819# endif
0e66b3b6 820 );
65867078 821 ob->command_timeout = oldtimeout;
193e3acd 822
6ebd79ec
JH		 823 /* TLS negotiation failed; give an error. Try in clear on a new
824 connection, if the options permit it for this host. */
193e3acd 825 if (rc != OK)
83b27293 826 {
6ebd79ec 827 if (rc == DEFER)
a1bccd48 828 {
83b27293 829 (void)close(inblock.sock);
0cbf2b82 830# ifndef DISABLE_EVENT
774ef2d7 831 (void) event_raise(addr->transport->event_action,
83b27293 832 US"tcp:close", NULL);
5032d1cf 833# endif
4b0fe319
JH		 834 if ( ob->tls_tempfail_tryclear
835 && !smtps
836 && verify_check_given_host(&ob->hosts_require_tls, host) != OK
837 )
6ebd79ec
JH		 838 {
839 log_write(0, LOG_MAIN, "TLS session failure:"
840 " delivering unencrypted to %s [%s] (not in hosts_require_tls)",
841 host->name, host->address);
842 suppress_tls = TRUE;
843 goto tls_retry_connection;
844 }
a7538db1 845 }
6ebd79ec 846
a7538db1
JH		 847 /*save_errno = ERRNO_TLSFAILURE;*/
848 /*message = US"failure while setting up TLS session";*/
849 send_quit = FALSE;
850 done= FALSE;
851 goto TLS_FAILED;
852 }
193e3acd
JH		 853
854 /* TLS session is set up. Copy info for logging. */
855 addr->cipher = tls_out.cipher;
856 addr->peerdn = tls_out.peerdn;
857
858 /* For SMTPS we need to wait for the initial OK response, then do HELO. */
859 if (smtps)
a7538db1 860 goto smtps_redo_greeting;
193e3acd
JH		 861
862 /* For STARTTLS we need to redo EHLO */
863 goto tls_redo_helo;
864 }
817d9f57
JH		 865 }
866
193e3acd
JH		 867 /* If the host is required to use a secure channel, ensure that we have one. */
868 if (tls_out.active < 0)
0e66b3b6 869 if (
5032d1cf 870# ifdef EXPERIMENTAL_DANE
0e66b3b6 871 dane ||
5032d1cf 872# endif
5130845b 873 verify_check_given_host(&ob->hosts_require_tls, host) == OK
7a31d643 874 )
193e3acd
JH		 875 {
876 /*save_errno = ERRNO_TLSREQUIRED;*/
c562fd30
JH		 877 log_write(0, LOG_MAIN,
878 "H=%s [%s]: a TLS session is required for this host, but %s",
193e3acd 879 host->name, host->address,
9094b84b
JH		 880 peer_offered & PEER_OFFERED_TLS
881 ? "an attempt to start TLS failed"
882 : "the server did not offer TLS support");
193e3acd
JH		 883 done= FALSE;
884 goto TLS_FAILED;
885 }
817d9f57 886
5032d1cf 887#endif /*SUPPORT_TLS*/
817d9f57 888
193e3acd 889 done = TRUE; /* so far so good; have response to HELO */
817d9f57 890
d6e96b36 891 /* For now, transport_filter by cutthrough-delivery is not supported */
193e3acd 892 /* Need proper integration with the proper transport mechanism. */
5032d1cf 893 if (cutthrough.delivery)
d6e96b36 894 {
6e62c454
JH		 895 if (addr->transport->filter_command)
896 {
5032d1cf 897 cutthrough.delivery = FALSE;
6e62c454
JH		 898 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n");
899 }
a7538db1 900#ifndef DISABLE_DKIM
6e62c454
JH		 901 if (ob->dkim_domain)
902 {
5032d1cf 903 cutthrough.delivery = FALSE;
6e62c454
JH		 904 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of DKIM signing\n");
905 }
a7538db1 906#endif
d6e96b36 907 }
817d9f57 908
193e3acd
JH		 909 SEND_FAILED:
910 RESPONSE_FAILED:
911 TLS_FAILED:
912 ;
913 /* Clear down of the TLS, SMTP and TCP layers on error is handled below. */
059ec3d9 914
193e3acd
JH		 915 /* Failure to accept HELO is cached; this blocks the whole domain for all
916 senders. I/O errors and defer responses are not cached. */
917
918 if (!done)
2b1c6e3a 919 {
193e3acd
JH		 920 *failure_ptr = US"mail"; /* At or before MAIL */
921 if (errno == 0 && responsebuffer[0] == '5')
922 {
923 setflag(addr, af_verify_nsfail);
924 new_domain_record.result = ccache_reject;
925 }
2b1c6e3a 926 }
2b1c6e3a 927
8c5d388a 928#ifdef SUPPORT_I18N
3c8b3577
JH		 929 else if ( addr->prop.utf8_msg
930 && !addr->prop.utf8_downcvt
9094b84b
JH		 931 && !(peer_offered & PEER_OFFERED_UTF8)
932 )
9bfc60eb
JH		 933 {
934 HDEBUG(D_acl|D_v) debug_printf("utf8 required but not offered\n");
935 errno = ERRNO_UTF8_FWD;
936 setflag(addr, af_verify_nsfail);
937 done = FALSE;
938 }
3c8b3577 939 else if ( addr->prop.utf8_msg
9094b84b 940 && (addr->prop.utf8_downcvt || !(peer_offered & PEER_OFFERED_UTF8))
921dfc11
JH		 941 && (setflag(addr, af_utf8_downcvt),
942 from_address = string_address_utf8_to_alabel(from_address,
943 &addr->message),
944 addr->message
945 ) )
3c8b3577
JH		 946 {
947 errno = ERRNO_EXPANDFAIL;
948 setflag(addr, af_verify_nsfail);
949 done = FALSE;
950 }
9bfc60eb
JH		 951#endif
952
d6e96b36 953 /* If we haven't authenticated, but are required to, give up. */
fcc8e047
JH		 954 /* Try to AUTH */
955
956 else done = smtp_auth(responsebuffer, sizeof(responsebuffer),
957 addr, host, ob, esmtp, &inblock, &outblock) == OK &&
958
b4a2b536
JH		 959 /* Copy AUTH info for logging */
960 ( (addr->authenticator = client_authenticator),
961 (addr->auth_id = client_authenticated_id),
962
fcc8e047 963 /* Build a mail-AUTH string (re-using responsebuffer for convenience */
b4a2b536
JH		 964 !smtp_mail_auth_str(responsebuffer, sizeof(responsebuffer), addr, ob)
965 ) &&
966
967 ( (addr->auth_sndr = client_authenticated_sender),
fcc8e047 968
193e3acd 969 /* Send the MAIL command */
9bfc60eb 970 (smtp_write_command(&outblock, FALSE,
8c5d388a 971#ifdef SUPPORT_I18N
921dfc11 972 addr->prop.utf8_msg && !addr->prop.utf8_downcvt
9094b84b 973 ? "MAIL FROM:<%s>%s%s SMTPUTF8\r\n"
9bfc60eb
JH		 974 :
975#endif
9094b84b
JH		 976 "MAIL FROM:<%s>%s%s\r\n",
977 from_address, responsebuffer, size_str) >= 0)
b4a2b536 978 ) &&
2b1c6e3a 979
193e3acd
JH		 980 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
981 '2', callout);
059ec3d9 982
00bff6f6
JH		 983 deliver_host = deliver_host_address = NULL;
984 deliver_domain = save_deliver_domain;
985
193e3acd
JH		 986 /* If the host does not accept MAIL FROM:<>, arrange to cache this
987 information, but again, don't record anything for an I/O error or a defer. Do
988 not cache rejections of MAIL when a non-empty sender has been used, because
989 that blocks the whole domain for all senders. */
059ec3d9 990
193e3acd 991 if (!done)
059ec3d9 992 {
193e3acd
JH		 993 *failure_ptr = US"mail"; /* At or before MAIL */
994 if (errno == 0 && responsebuffer[0] == '5')
995 {
996 setflag(addr, af_verify_nsfail);
997 if (from_address[0] == 0)
998 new_domain_record.result = ccache_reject_mfnull;
999 }
059ec3d9 1000 }
059ec3d9 1001
193e3acd
JH		 1002 /* Otherwise, proceed to check a "random" address (if required), then the
1003 given address, and the postmaster address (if required). Between each check,
1004 issue RSET, because some servers accept only one recipient after MAIL
1005 FROM:<>.
2b1c6e3a 1006
193e3acd
JH		 1007 Before doing this, set the result in the domain cache record to "accept",
1008 unless its previous value was ccache_reject_mfnull. In that case, the domain
1009 rejects MAIL FROM:<> and we want to continue to remember that. When that is
1010 the case, we have got here only in the case of a recipient verification with
1011 a non-null sender. */
059ec3d9 1012
193e3acd 1013 else
059ec3d9 1014 {
921dfc11
JH		 1015 const uschar * rcpt_domain = addr->domain;
1016
8c5d388a 1017#ifdef SUPPORT_I18N
921dfc11
JH		 1018 uschar * errstr = NULL;
1019 if ( testflag(addr, af_utf8_downcvt)
1020 && (rcpt_domain = string_domain_utf8_to_alabel(rcpt_domain,
1021 &errstr), errstr)
1022 )
1023 {
1024 addr->message = errstr;
1025 errno = ERRNO_EXPANDFAIL;
1026 setflag(addr, af_verify_nsfail);
1027 done = FALSE;
1028 rcpt_domain = US""; /*XXX errorhandling! */
1029 }
1030#endif
1031
193e3acd
JH		 1032 new_domain_record.result =
1033 (old_domain_cache_result == ccache_reject_mfnull)?
1034 ccache_reject_mfnull: ccache_accept;
059ec3d9 1035
193e3acd 1036 /* Do the random local part check first */
059ec3d9 1037
193e3acd 1038 if (random_local_part != NULL)
059ec3d9 1039 {
193e3acd
JH		 1040 uschar randombuffer[1024];
1041 BOOL random_ok =
1042 smtp_write_command(&outblock, FALSE,
1043 "RCPT TO:<%.1000s@%.1000s>\r\n", random_local_part,
921dfc11 1044 rcpt_domain) >= 0 &&
193e3acd
JH		 1045 smtp_read_response(&inblock, randombuffer,
1046 sizeof(randombuffer), '2', callout);
059ec3d9 1047
193e3acd 1048 /* Remember when we last did a random test */
059ec3d9 1049
193e3acd 1050 new_domain_record.random_stamp = time(NULL);
059ec3d9 1051
193e3acd 1052 /* If accepted, we aren't going to do any further tests below. */
059ec3d9 1053
193e3acd 1054 if (random_ok)
193e3acd 1055 new_domain_record.random_result = ccache_accept;
059ec3d9 1056
193e3acd
JH		 1057 /* Otherwise, cache a real negative response, and get back to the right
1058 state to send RCPT. Unless there's some problem such as a dropped
65f1c92a
JH		 1059 connection, we expect to succeed, because the commands succeeded above.
1060 However, some servers drop the connection after responding to an
1061 invalid recipient, so on (any) error we drop and remake the connection.
1062 */
059ec3d9 1063
193e3acd
JH		 1064 else if (errno == 0)
1065 {
65f1c92a
JH		 1066 /* This would be ok for 1st rcpt a cutthrough, but no way to
1067 handle a subsequent. So refuse to support any */
5032d1cf
JH		 1068 cancel_cutthrough_connection("random-recipient");
1069
193e3acd
JH		 1070 if (randombuffer[0] == '5')
1071 new_domain_record.random_result = ccache_reject;
1072
1073 done =
1074 smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
1075 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
1076 '2', callout) &&
1077
9bfc60eb 1078 smtp_write_command(&outblock, FALSE,
8c5d388a 1079#ifdef SUPPORT_I18N
921dfc11 1080 addr->prop.utf8_msg && !addr->prop.utf8_downcvt
9bfc60eb
JH		 1081 ? "MAIL FROM:<%s> SMTPUTF8\r\n"
1082 :
1083#endif
1084 "MAIL FROM:<%s>\r\n",
193e3acd
JH		 1085 from_address) >= 0 &&
1086 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
1087 '2', callout);
65f1c92a
JH		 1088
1089 if (!done)
1090 {
1091 HDEBUG(D_acl|D_v)
1092 debug_printf("problem after random/rset/mfrom; reopen conn\n");
1093 random_local_part = NULL;
1094#ifdef SUPPORT_TLS
1095 tls_close(FALSE, TRUE);
1096#endif
1097 (void)close(inblock.sock);
0cbf2b82 1098#ifndef DISABLE_EVENT
65f1c92a
JH		 1099 (void) event_raise(addr->transport->event_action,
1100 US"tcp:close", NULL);
1101#endif
1102 goto tls_retry_connection;
1103 }
193e3acd
JH		 1104 }
1105 else done = FALSE; /* Some timeout/connection problem */
1106 } /* Random check */
059ec3d9 1107
193e3acd
JH		 1108 /* If the host is accepting all local parts, as determined by the "random"
1109 check, we don't need to waste time doing any further checking. */
059ec3d9 1110
193e3acd 1111 if (new_domain_record.random_result != ccache_accept && done)
059ec3d9 1112 {
193e3acd
JH		 1113 /* Get the rcpt_include_affixes flag from the transport if there is one,
1114 but assume FALSE if there is not. */
e4bdf652 1115
921dfc11
JH		 1116 uschar * rcpt = transport_rcpt_address(addr,
1117 addr->transport ? addr->transport->rcpt_include_affixes : FALSE);
1118
8c5d388a 1119#ifdef SUPPORT_I18N
921dfc11
JH		 1120 /*XXX should the conversion be moved into transport_rcpt_address() ? */
1121 uschar * dummy_errstr = NULL;
1122 if ( testflag(addr, af_utf8_downcvt)
1123 && (rcpt = string_address_utf8_to_alabel(rcpt, &dummy_errstr),
1124 dummy_errstr
1125 ) )
1126 {
1127 errno = ERRNO_EXPANDFAIL;
1128 *failure_ptr = US"recipient";
1129 done = FALSE;
1130 }
1131 else
1132#endif
1133
059ec3d9 1134 done =
193e3acd 1135 smtp_write_command(&outblock, FALSE, "RCPT TO:<%.1000s>\r\n",
921dfc11 1136 rcpt) >= 0 &&
193e3acd
JH		 1137 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
1138 '2', callout);
059ec3d9 1139
193e3acd
JH		 1140 if (done)
1141 new_address_record.result = ccache_accept;
1142 else if (errno == 0 && responsebuffer[0] == '5')
1143 {
1144 *failure_ptr = US"recipient";
1145 new_address_record.result = ccache_reject;
1146 }
059ec3d9 1147
193e3acd
JH		 1148 /* Do postmaster check if requested; if a full check is required, we
1149 check for RCPT TO:<postmaster> (no domain) in accordance with RFC 821. */
2a4be8f9 1150
193e3acd
JH		 1151 if (done && pm_mailfrom != NULL)
1152 {
65f1c92a
JH		 1153 /* Could possibly shift before main verify, just above, and be ok
1154 for cutthrough. But no way to handle a subsequent rcpt, so just
1155 refuse any */
5032d1cf 1156 cancel_cutthrough_connection("postmaster verify");
193e3acd
JH		 1157 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of postmaster verify\n");
1158
1159 done =
1160 smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
1161 smtp_read_response(&inblock, responsebuffer,
1162 sizeof(responsebuffer), '2', callout) &&
1163
1164 smtp_write_command(&outblock, FALSE,
1165 "MAIL FROM:<%s>\r\n", pm_mailfrom) >= 0 &&
1166 smtp_read_response(&inblock, responsebuffer,
1167 sizeof(responsebuffer), '2', callout) &&
1168
1169 /* First try using the current domain */
1170
1171 ((
1172 smtp_write_command(&outblock, FALSE,
921dfc11 1173 "RCPT TO:<postmaster@%.1000s>\r\n", rcpt_domain) >= 0 &&
193e3acd
JH		 1174 smtp_read_response(&inblock, responsebuffer,
1175 sizeof(responsebuffer), '2', callout)
1176 )
1177
1178 ||
1179
1180 /* If that doesn't work, and a full check is requested,
1181 try without the domain. */
1182
1183 (
1184 (options & vopt_callout_fullpm) != 0 &&
1185 smtp_write_command(&outblock, FALSE,
1186 "RCPT TO:<postmaster>\r\n") >= 0 &&
1187 smtp_read_response(&inblock, responsebuffer,
1188 sizeof(responsebuffer), '2', callout)
1189 ));
1190
1191 /* Sort out the cache record */
1192
1193 new_domain_record.postmaster_stamp = time(NULL);
1194
1195 if (done)
1196 new_domain_record.postmaster_result = ccache_accept;
1197 else if (errno == 0 && responsebuffer[0] == '5')
1198 {
1199 *failure_ptr = US"postmaster";
1200 setflag(addr, af_verify_pmfail);
1201 new_domain_record.postmaster_result = ccache_reject;
1202 }
1203 }
1204 } /* Random not accepted */
1205 } /* MAIL FROM: accepted */
2a4be8f9 1206
193e3acd
JH		 1207 /* For any failure of the main check, other than a negative response, we just
1208 close the connection and carry on. We can identify a negative response by the
1209 fact that errno is zero. For I/O errors it will be non-zero
2a4be8f9 1210
193e3acd
JH		 1211 Set up different error texts for logging and for sending back to the caller
1212 as an SMTP response. Log in all cases, using a one-line format. For sender
1213 callouts, give a full response to the caller, but for recipient callouts,
1214 don't give the IP address because this may be an internal host whose identity
1215 is not to be widely broadcast. */
2a4be8f9 1216
193e3acd
JH		 1217 if (!done)
1218 {
1219 if (errno == ETIMEDOUT)
1220 {
1221 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
1222 send_quit = FALSE;
1223 }
8c5d388a 1224#ifdef SUPPORT_I18N
9bfc60eb
JH		 1225 else if (errno == ERRNO_UTF8_FWD)
1226 {
1227 extern int acl_where; /* src/acl.c */
1228 errno = 0;
1229 addr->message = string_sprintf(
1230 "response to \"%s\" from %s [%s] did not include SMTPUTF8",
1231 big_buffer, host->name, host->address);
1232 addr->user_message = acl_where == ACL_WHERE_RCPT
1233 ? US"533 mailbox name not allowed"
1234 : US"550 mailbox unavailable";
1235 yield = FAIL;
1236 done = TRUE;
1237 }
1238#endif
193e3acd
JH		 1239 else if (errno == 0)
1240 {
1241 if (*responsebuffer == 0) Ustrcpy(responsebuffer, US"connection dropped");
2a4be8f9 1242
193e3acd
JH		 1243 addr->message =
1244 string_sprintf("response to \"%s\" from %s [%s] was: %s",
1245 big_buffer, host->name, host->address,
1246 string_printing(responsebuffer));
059ec3d9 1247
193e3acd
JH		 1248 addr->user_message = is_recipient?
1249 string_sprintf("Callout verification failed:\n%s", responsebuffer)
1250 :
1251 string_sprintf("Called: %s\nSent: %s\nResponse: %s",
1252 host->address, big_buffer, responsebuffer);
059ec3d9 1253
193e3acd
JH		 1254 /* Hard rejection ends the process */
1255
1256 if (responsebuffer[0] == '5') /* Address rejected */
059ec3d9 1257 {
193e3acd
JH		 1258 yield = FAIL;
1259 done = TRUE;
059ec3d9
PH		 1260 }
1261 }
193e3acd 1262 }
059ec3d9 1263
193e3acd
JH		 1264 /* End the SMTP conversation and close the connection. */
1265
5032d1cf
JH		 1266 /* Cutthrough - on a successfull connect and recipient-verify with
1267 use-sender and we are 1st rcpt and have no cutthrough conn so far
193e3acd 1268 here is where we want to leave the conn open */
5032d1cf
JH		 1269 if ( cutthrough.delivery
1270 && rcpt_count == 1
193e3acd
JH		 1271 && done
1272 && yield == OK
1273 && (options & (vopt_callout_recipsender|vopt_callout_recippmaster)) == vopt_callout_recipsender
1274 && !random_local_part
1275 && !pm_mailfrom
5032d1cf 1276 && cutthrough.fd < 0
66ba1a69 1277 && !lmtp
193e3acd 1278 )
059ec3d9 1279 {
5032d1cf
JH		 1280 cutthrough.fd = outblock.sock; /* We assume no buffer in use in the outblock */
1281 cutthrough.nrcpt = 1;
1282 cutthrough.interface = interface;
1283 cutthrough.host = *host;
1284 cutthrough.addr = *addr; /* Save the address_item for later logging */
1285 cutthrough.addr.next = NULL;
1286 cutthrough.addr.host_used = &cutthrough.host;
193e3acd 1287 if (addr->parent)
5032d1cf
JH		 1288 *(cutthrough.addr.parent = store_get(sizeof(address_item))) =
1289 *addr->parent;
193e3acd
JH		 1290 ctblock.buffer = ctbuffer;
1291 ctblock.buffersize = sizeof(ctbuffer);
1292 ctblock.ptr = ctbuffer;
1293 /* ctblock.cmd_count = 0; ctblock.authenticating = FALSE; */
5032d1cf 1294 ctblock.sock = cutthrough.fd;
059ec3d9 1295 }
193e3acd 1296 else
059ec3d9 1297 {
2e5b33cd 1298 /* Ensure no cutthrough on multiple address verifies */
193e3acd 1299 if (options & vopt_callout_recipsender)
2e5b33cd 1300 cancel_cutthrough_connection("multiple verify calls");
193e3acd 1301 if (send_quit) (void)smtp_write_command(&outblock, FALSE, "QUIT\r\n");
059ec3d9 1302
a7538db1 1303#ifdef SUPPORT_TLS
193e3acd 1304 tls_close(FALSE, TRUE);
a7538db1 1305#endif
193e3acd 1306 (void)close(inblock.sock);
0cbf2b82 1307#ifndef DISABLE_EVENT
08f3b11b 1308 (void) event_raise(addr->transport->event_action, US"tcp:close", NULL);
a7538db1 1309#endif
059ec3d9 1310 }
059ec3d9 1311
193e3acd
JH		 1312 } /* Loop through all hosts, while !done */
1313 }
059ec3d9
PH		 1314
1315/* If we get here with done == TRUE, a successful callout happened, and yield
1316will be set OK or FAIL according to the response to the RCPT command.
1317Otherwise, we looped through the hosts but couldn't complete the business.
1318However, there may be domain-specific information to cache in both cases.
1319
1320The value of the result field in the new_domain record is ccache_unknown if
90e9ce59 1321there was an error before or with MAIL FROM:, and errno was not zero,
059ec3d9 1322implying some kind of I/O error. We don't want to write the cache in that case.
2b1c6e3a 1323Otherwise the value is ccache_accept, ccache_reject, or ccache_reject_mfnull. */
059ec3d9
PH		 1324
1325if (!callout_no_cache && new_domain_record.result != ccache_unknown)
1326 {
1327 if ((dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE))
1328 == NULL)
1329 {
1330 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
1331 }
1332 else
1333 {
1334 (void)dbfn_write(dbm_file, addr->domain, &new_domain_record,
1335 (int)sizeof(dbdata_callout_cache));
1336 HDEBUG(D_verify) debug_printf("wrote callout cache domain record:\n"
1337 " result=%d postmaster=%d random=%d\n",
1338 new_domain_record.result,
1339 new_domain_record.postmaster_result,
1340 new_domain_record.random_result);
1341 }
1342 }
1343
1344/* If a definite result was obtained for the callout, cache it unless caching
1345is disabled. */
1346
1347if (done)
1348 {
1349 if (!callout_no_cache && new_address_record.result != ccache_unknown)
1350 {
1351 if (dbm_file == NULL)
1352 dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE);
1353 if (dbm_file == NULL)
1354 {
1355 HDEBUG(D_verify) debug_printf("no callout cache available\n");
1356 }
1357 else
1358 {
1359 (void)dbfn_write(dbm_file, address_key, &new_address_record,
1360 (int)sizeof(dbdata_callout_cache_address));
1361 HDEBUG(D_verify) debug_printf("wrote %s callout cache address record\n",
1362 (new_address_record.result == ccache_accept)? "positive" : "negative");
1363 }
1364 }
1365 } /* done */
1366
1367/* Failure to connect to any host, or any response other than 2xx or 5xx is a
1368temporary error. If there was only one host, and a response was received, leave
1369it alone if supplying details. Otherwise, give a generic response. */
1370
1371else /* !done */
1372 {
1373 uschar *dullmsg = string_sprintf("Could not complete %s verify callout",
1374 is_recipient? "recipient" : "sender");
1375 yield = DEFER;
1376
1377 if (host_list->next != NULL || addr->message == NULL) addr->message = dullmsg;
1378
1379 addr->user_message = (!smtp_return_error_details)? dullmsg :
1380 string_sprintf("%s for <%s>.\n"
1381 "The mail server(s) for the domain may be temporarily unreachable, or\n"
1382 "they may be permanently unreachable from this server. In the latter case,\n%s",
1383 dullmsg, addr->address,
1384 is_recipient?
1385 "the address will never be accepted."
1386 :
1387 "you need to change the address or create an MX record for its domain\n"
1388 "if it is supposed to be generally accessible from the Internet.\n"
1389 "Talk to your mail administrator for details.");
1390
1391 /* Force a specific error code */
1392
1393 addr->basic_errno = ERRNO_CALLOUTDEFER;
1394 }
1395
1396/* Come here from within the cache-reading code on fast-track exit. */
1397
1398END_CALLOUT:
1399if (dbm_file != NULL) dbfn_close(dbm_file);
1400return yield;
1401}
1402
1403
1404
817d9f57
JH		 1405/* Called after recipient-acl to get a cutthrough connection open when
1406 one was requested and a recipient-verify wasn't subsequently done.
1407*/
f9334a28 1408int
e4bdf652
JH		 1409open_cutthrough_connection( address_item * addr )
1410{
1411address_item addr2;
f9334a28 1412int rc;
e4bdf652
JH		 1413
1414/* Use a recipient-verify-callout to set up the cutthrough connection. */
1415/* We must use a copy of the address for verification, because it might
1416get rewritten. */
1417
1418addr2 = *addr;
5032d1cf
JH		 1419HDEBUG(D_acl) debug_printf("----------- %s cutthrough setup ------------\n",
1420 rcpt_count > 1 ? "more" : "start");
f9334a28 1421rc= verify_address(&addr2, NULL,
e4bdf652
JH		 1422 vopt_is_recipient | vopt_callout_recipsender | vopt_callout_no_cache,
1423 CUTTHROUGH_CMD_TIMEOUT, -1, -1,
1424 NULL, NULL, NULL);
1425HDEBUG(D_acl) debug_printf("----------- end cutthrough setup ------------\n");
f9334a28 1426return rc;
e4bdf652
JH		 1427}
1428
1429
e4bdf652 1430
817d9f57
JH		 1431/* Send given number of bytes from the buffer */
1432static BOOL
1433cutthrough_send(int n)
e4bdf652 1434{
5032d1cf 1435if(cutthrough.fd < 0)
817d9f57 1436 return TRUE;
e4bdf652 1437
817d9f57
JH		 1438if(
1439#ifdef SUPPORT_TLS
5032d1cf 1440 (tls_out.active == cutthrough.fd) ? tls_write(FALSE, ctblock.buffer, n) :
817d9f57 1441#endif
5032d1cf 1442 send(cutthrough.fd, ctblock.buffer, n, 0) > 0
817d9f57
JH		 1443 )
1444{
1445 transport_count += n;
1446 ctblock.ptr= ctblock.buffer;
1447 return TRUE;
1448}
e4bdf652 1449
817d9f57
JH		 1450HDEBUG(D_transport|D_acl) debug_printf("cutthrough_send failed: %s\n", strerror(errno));
1451return FALSE;
e4bdf652
JH		 1452}
1453
1454
1455
817d9f57
JH		 1456static BOOL
1457_cutthrough_puts(uschar * cp, int n)
1458{
1459while(n--)
1460 {
1461 if(ctblock.ptr >= ctblock.buffer+ctblock.buffersize)
1462 if(!cutthrough_send(ctblock.buffersize))
1463 return FALSE;
1464
1465 *ctblock.ptr++ = *cp++;
1466 }
1467return TRUE;
1468}
1469
1470/* Buffered output of counted data block. Return boolean success */
e4bdf652
JH		 1471BOOL
1472cutthrough_puts(uschar * cp, int n)
1473{
5032d1cf 1474if (cutthrough.fd < 0) return TRUE;
817d9f57 1475if (_cutthrough_puts(cp, n)) return TRUE;
2e5b33cd 1476cancel_cutthrough_connection("transmit failed");
817d9f57
JH		 1477return FALSE;
1478}
e4bdf652 1479
e4bdf652 1480
817d9f57 1481static BOOL
5032d1cf 1482_cutthrough_flush_send(void)
817d9f57
JH		 1483{
1484int n= ctblock.ptr-ctblock.buffer;
e4bdf652 1485
817d9f57
JH		 1486if(n>0)
1487 if(!cutthrough_send(n))
1488 return FALSE;
1489return TRUE;
e4bdf652
JH		 1490}
1491
817d9f57
JH		 1492
1493/* Send out any bufferred output. Return boolean success. */
e4bdf652 1494BOOL
5032d1cf 1495cutthrough_flush_send(void)
e4bdf652 1496{
817d9f57 1497if (_cutthrough_flush_send()) return TRUE;
2e5b33cd 1498cancel_cutthrough_connection("transmit failed");
e4bdf652
JH		 1499return FALSE;
1500}
1501
1502
1503BOOL
5032d1cf 1504cutthrough_put_nl(void)
e4bdf652
JH		 1505{
1506return cutthrough_puts(US"\r\n", 2);
1507}
1508
1509
1510/* Get and check response from cutthrough target */
1511static uschar
1512cutthrough_response(char expect, uschar ** copy)
1513{
1514smtp_inblock inblock;
1515uschar inbuffer[4096];
1516uschar responsebuffer[4096];
1517
1518inblock.buffer = inbuffer;
1519inblock.buffersize = sizeof(inbuffer);
1520inblock.ptr = inbuffer;
1521inblock.ptrend = inbuffer;
5032d1cf 1522inblock.sock = cutthrough.fd;
817d9f57 1523/* this relies on (inblock.sock == tls_out.active) */
e4bdf652 1524if(!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), expect, CUTTHROUGH_DATA_TIMEOUT))
2e5b33cd 1525 cancel_cutthrough_connection("target timeout on read");
e4bdf652
JH		 1526
1527if(copy != NULL)
1528 {
1529 uschar * cp;
5032d1cf 1530 *copy = cp = string_copy(responsebuffer);
e4bdf652
JH		 1531 /* Trim the trailing end of line */
1532 cp += Ustrlen(responsebuffer);
1533 if(cp > *copy && cp[-1] == '\n') *--cp = '\0';
1534 if(cp > *copy && cp[-1] == '\r') *--cp = '\0';
1535 }
1536
1537return responsebuffer[0];
1538}
1539
1540
1541/* Negotiate dataphase with the cutthrough target, returning success boolean */
1542BOOL
5032d1cf 1543cutthrough_predata(void)
e4bdf652 1544{
5032d1cf 1545if(cutthrough.fd < 0)
e4bdf652
JH		 1546 return FALSE;
1547
1548HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> DATA\n");
817d9f57
JH		 1549cutthrough_puts(US"DATA\r\n", 6);
1550cutthrough_flush_send();
e4bdf652
JH		 1551
1552/* Assume nothing buffered. If it was it gets ignored. */
1553return cutthrough_response('3', NULL) == '3';
1554}
1555
1556
511a6c14
JH		 1557/* fd and use_crlf args only to match write_chunk() */
1558static BOOL
1559cutthrough_write_chunk(int fd, uschar * s, int len, BOOL use_crlf)
1560{
1561uschar * s2;
1562while(s && (s2 = Ustrchr(s, '\n')))
1563 {
1564 if(!cutthrough_puts(s, s2-s) || !cutthrough_put_nl())
1565 return FALSE;
1566 s = s2+1;
1567 }
1568return TRUE;
1569}
1570
1571
e4bdf652 1572/* Buffered send of headers. Return success boolean. */
817d9f57 1573/* Expands newlines to wire format (CR,NL). */
e4bdf652 1574/* Also sends header-terminating blank line. */
e4bdf652 1575BOOL
5032d1cf 1576cutthrough_headers_send(void)
e4bdf652 1577{
5032d1cf 1578if(cutthrough.fd < 0)
e4bdf652
JH		 1579 return FALSE;
1580
511a6c14
JH		 1581/* We share a routine with the mainline transport to handle header add/remove/rewrites,
1582 but having a separate buffered-output function (for now)
1583*/
1584HDEBUG(D_acl) debug_printf("----------- start cutthrough headers send -----------\n");
e4bdf652 1585
5032d1cf
JH		 1586if (!transport_headers_send(&cutthrough.addr, cutthrough.fd,
1587 cutthrough.addr.transport->add_headers,
1588 cutthrough.addr.transport->remove_headers,
511a6c14 1589 &cutthrough_write_chunk, TRUE,
5032d1cf
JH		 1590 cutthrough.addr.transport->rewrite_rules,
1591 cutthrough.addr.transport->rewrite_existflags))
511a6c14
JH		 1592 return FALSE;
1593
1594HDEBUG(D_acl) debug_printf("----------- done cutthrough headers send ------------\n");
1595return TRUE;
817d9f57
JH		 1596}
1597
1598
1599static void
5032d1cf 1600close_cutthrough_connection(const char * why)
817d9f57 1601{
5032d1cf 1602if(cutthrough.fd >= 0)
817d9f57
JH		 1603 {
1604 /* We could be sending this after a bunch of data, but that is ok as
1605 the only way to cancel the transfer in dataphase is to drop the tcp
1606 conn before the final dot.
1607 */
1608 ctblock.ptr = ctbuffer;
1609 HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> QUIT\n");
1610 _cutthrough_puts(US"QUIT\r\n", 6); /* avoid recursion */
1611 _cutthrough_flush_send();
1612 /* No wait for response */
1613
1614 #ifdef SUPPORT_TLS
1615 tls_close(FALSE, TRUE);
1616 #endif
5032d1cf
JH		 1617 (void)close(cutthrough.fd);
1618 cutthrough.fd = -1;
2e5b33cd 1619 HDEBUG(D_acl) debug_printf("----------- cutthrough shutdown (%s) ------------\n", why);
817d9f57
JH		 1620 }
1621ctblock.ptr = ctbuffer;
e4bdf652
JH		 1622}
1623
817d9f57 1624void
5032d1cf 1625cancel_cutthrough_connection(const char * why)
817d9f57 1626{
2e5b33cd 1627close_cutthrough_connection(why);
5032d1cf 1628cutthrough.delivery = FALSE;
817d9f57
JH		 1629}
1630
1631
1632
e4bdf652
JH		 1633
1634/* Have senders final-dot. Send one to cutthrough target, and grab the response.
1635 Log an OK response as a transmission.
817d9f57 1636 Close the connection.
e4bdf652 1637 Return smtp response-class digit.
e4bdf652
JH		 1638*/
1639uschar *
5032d1cf 1640cutthrough_finaldot(void)
e4bdf652 1641{
5032d1cf
JH		 1642uschar res;
1643address_item * addr;
e4bdf652
JH		 1644HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> .\n");
1645
1646/* Assume data finshed with new-line */
5032d1cf
JH		 1647if( !cutthrough_puts(US".", 1)
1648 || !cutthrough_put_nl()
1649 || !cutthrough_flush_send()
1650 )
1651 return cutthrough.addr.message;
e4bdf652 1652
5032d1cf
JH		 1653res = cutthrough_response('2', &cutthrough.addr.message);
1654for (addr = &cutthrough.addr; addr; addr = addr->next)
817d9f57 1655 {
5032d1cf
JH		 1656 addr->message = cutthrough.addr.message;
1657 switch(res)
1658 {
1659 case '2':
1660 delivery_log(LOG_MAIN, addr, (int)'>', NULL);
1661 close_cutthrough_connection("delivered");
1662 break;
817d9f57 1663
5032d1cf
JH		 1664 case '4':
1665 delivery_log(LOG_MAIN, addr, 0,
1666 US"tmp-reject from cutthrough after DATA:");
1667 break;
e4bdf652 1668
5032d1cf
JH		 1669 case '5':
1670 delivery_log(LOG_MAIN|LOG_REJECT, addr, 0,
1671 US"rejected after DATA:");
1672 break;
e4bdf652 1673
5032d1cf
JH		 1674 default:
1675 break;
1676 }
817d9f57 1677 }
5032d1cf 1678return cutthrough.addr.message;
e4bdf652
JH		 1679}
1680
1681
817d9f57 1682
059ec3d9
PH		 1683/*************************************************
1684* Copy error to toplevel address *
1685*************************************************/
1686
1687/* This function is used when a verify fails or defers, to ensure that the
1688failure or defer information is in the original toplevel address. This applies
1689when an address is redirected to a single new address, and the failure or
1690deferral happens to the child address.
1691
1692Arguments:
1693 vaddr the verify address item
1694 addr the final address item
1695 yield FAIL or DEFER
1696
1697Returns: the value of YIELD
1698*/
1699
1700static int
1701copy_error(address_item *vaddr, address_item *addr, int yield)
1702{
1703if (addr != vaddr)
1704 {
1705 vaddr->message = addr->message;
1706 vaddr->user_message = addr->user_message;
1707 vaddr->basic_errno = addr->basic_errno;
1708 vaddr->more_errno = addr->more_errno;
d43cbe25 1709 vaddr->prop.address_data = addr->prop.address_data;
42855d71 1710 copyflag(vaddr, addr, af_pass_message);
059ec3d9
PH		 1711 }
1712return yield;
1713}
1714
1715
1716
1717
ce552449
NM		 1718/**************************************************
1719* printf that automatically handles TLS if needed *
1720***************************************************/
1721
1722/* This function is used by verify_address() as a substitute for all fprintf()
1723calls; a direct fprintf() will not produce output in a TLS SMTP session, such
1724as a response to an EXPN command. smtp_in.c makes smtp_printf available but
1725that assumes that we always use the smtp_out FILE* when not using TLS or the
1726ssl buffer when we are. Instead we take a FILE* parameter and check to see if
1727that is smtp_out; if so, smtp_printf() with TLS support, otherwise regular
1728fprintf().
1729
1730Arguments:
1731 f the candidate FILE* to write to
1732 format format string
1733 ... optional arguments
1734
1735Returns:
1736 nothing
1737*/
1738
1739static void PRINTF_FUNCTION(2,3)
1ba28e2b 1740respond_printf(FILE *f, const char *format, ...)
ce552449
NM		 1741{
1742va_list ap;
1743
1744va_start(ap, format);
1745if (smtp_out && (f == smtp_out))
1746 smtp_vprintf(format, ap);
1747else
513afc6a 1748 vfprintf(f, format, ap);
ce552449
NM		 1749va_end(ap);
1750}
1751
1752
1753
059ec3d9
PH		 1754/*************************************************
1755* Verify an email address *
1756*************************************************/
1757
1758/* This function is used both for verification (-bv and at other times) and
1759address testing (-bt), which is indicated by address_test_mode being set.
1760
1761Arguments:
1762 vaddr contains the address to verify; the next field in this block
1763 must be NULL
1764 f if not NULL, write the result to this file
1765 options various option bits:
1766 vopt_fake_sender => this sender verify is not for the real
1767 sender (it was verify=sender=xxxx or an address from a
1768 header line) - rewriting must not change sender_address
1769 vopt_is_recipient => this is a recipient address, otherwise
1770 it's a sender address - this affects qualification and
1771 rewriting and messages from callouts
1772 vopt_qualify => qualify an unqualified address; else error
1773 vopt_expn => called from SMTP EXPN command
eafd343b
TK		 1774 vopt_success_on_redirect => when a new address is generated
1775 the verification instantly succeeds
059ec3d9
PH		 1776
1777 These ones are used by do_callout() -- the options variable
1778 is passed to it.
1779
2a4be8f9 1780 vopt_callout_fullpm => if postmaster check, do full one
059ec3d9
PH		 1781 vopt_callout_no_cache => don't use callout cache
1782 vopt_callout_random => do the "random" thing
1783 vopt_callout_recipsender => use real sender for recipient
1784 vopt_callout_recippmaster => use postmaster for recipient
1785
1786 callout if > 0, specifies that callout is required, and gives timeout
4deaf07d 1787 for individual commands
059ec3d9
PH		 1788 callout_overall if > 0, gives overall timeout for the callout function;
1789 if < 0, a default is used (see do_callout())
8e669ac1 1790 callout_connect the connection timeout for callouts
059ec3d9
PH		 1791 se_mailfrom when callout is requested to verify a sender, use this
1792 in MAIL FROM; NULL => ""
1793 pm_mailfrom when callout is requested, if non-NULL, do the postmaster
1794 thing and use this as the sender address (may be "")
1795
1796 routed if not NULL, set TRUE if routing succeeded, so we can
1797 distinguish between routing failed and callout failed
1798
1799Returns: OK address verified
1800 FAIL address failed to verify
1801 DEFER can't tell at present
1802*/
1803
1804int
1805verify_address(address_item *vaddr, FILE *f, int options, int callout,
8e669ac1 1806 int callout_overall, int callout_connect, uschar *se_mailfrom,
4deaf07d 1807 uschar *pm_mailfrom, BOOL *routed)
059ec3d9
PH		 1808{
1809BOOL allok = TRUE;
1810BOOL full_info = (f == NULL)? FALSE : (debug_selector != 0);
1811BOOL is_recipient = (options & vopt_is_recipient) != 0;
1812BOOL expn = (options & vopt_expn) != 0;
eafd343b 1813BOOL success_on_redirect = (options & vopt_success_on_redirect) != 0;
059ec3d9
PH		 1814int i;
1815int yield = OK;
1816int verify_type = expn? v_expn :
1817 address_test_mode? v_none :
1818 is_recipient? v_recipient : v_sender;
1819address_item *addr_list;
1820address_item *addr_new = NULL;
1821address_item *addr_remote = NULL;
1822address_item *addr_local = NULL;
1823address_item *addr_succeed = NULL;
8e669ac1 1824uschar **failure_ptr = is_recipient?
2c7db3f5 1825 &recipient_verify_failure : &sender_verify_failure;
059ec3d9
PH		 1826uschar *ko_prefix, *cr;
1827uschar *address = vaddr->address;
1828uschar *save_sender;
1829uschar null_sender[] = { 0 }; /* Ensure writeable memory */
1830
2c7db3f5
PH		 1831/* Clear, just in case */
1832
1833*failure_ptr = NULL;
1834
059ec3d9
PH		 1835/* Set up a prefix and suffix for error message which allow us to use the same
1836output statements both in EXPN mode (where an SMTP response is needed) and when
1837debugging with an output file. */
1838
1839if (expn)
1840 {
1841 ko_prefix = US"553 ";
1842 cr = US"\r";
1843 }
1844else ko_prefix = cr = US"";
1845
1846/* Add qualify domain if permitted; otherwise an unqualified address fails. */
1847
1848if (parse_find_at(address) == NULL)
1849 {
1850 if ((options & vopt_qualify) == 0)
1851 {
1852 if (f != NULL)
ce552449
NM		 1853 respond_printf(f, "%sA domain is required for \"%s\"%s\n",
1854 ko_prefix, address, cr);
8e669ac1 1855 *failure_ptr = US"qualify";
059ec3d9
PH		 1856 return FAIL;
1857 }
1858 address = rewrite_address_qualify(address, is_recipient);
1859 }
1860
1861DEBUG(D_verify)
1862 {
1863 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1864 debug_printf("%s %s\n", address_test_mode? "Testing" : "Verifying", address);
1865 }
1866
1867/* Rewrite and report on it. Clear the domain and local part caches - these
1868may have been set by domains and local part tests during an ACL. */
1869
1870if (global_rewrite_rules != NULL)
1871 {
1872 uschar *old = address;
1873 address = rewrite_address(address, is_recipient, FALSE,
1874 global_rewrite_rules, rewrite_existflags);
1875 if (address != old)
1876 {
1877 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->localpart_cache[i] = 0;
1878 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->domain_cache[i] = 0;
1879 if (f != NULL && !expn) fprintf(f, "Address rewritten as: %s\n", address);
1880 }
1881 }
1882
1883/* If this is the real sender address, we must update sender_address at
1884this point, because it may be referred to in the routers. */
1885
1886if ((options & (vopt_fake_sender|vopt_is_recipient)) == 0)
1887 sender_address = address;
1888
1889/* If the address was rewritten to <> no verification can be done, and we have
1890to return OK. This rewriting is permitted only for sender addresses; for other
1891addresses, such rewriting fails. */
1892
1893if (address[0] == 0) return OK;
1894
d9b2312b
JH		 1895/* Flip the legacy TLS-related variables over to the outbound set in case
1896they're used in the context of a transport used by verification. Reset them
ea90b718 1897at exit from this routine (so no returns allowed from here on). */
d9b2312b 1898
35aba663 1899tls_modify_variables(&tls_out);
d9b2312b 1900
059ec3d9
PH		 1901/* Save a copy of the sender address for re-instating if we change it to <>
1902while verifying a sender address (a nice bit of self-reference there). */
1903
1904save_sender = sender_address;
1905
ea90b718
JH		 1906/* Observability variable for router/transport use */
1907
1908verify_mode = is_recipient ? US"R" : US"S";
1909
059ec3d9
PH		 1910/* Update the address structure with the possibly qualified and rewritten
1911address. Set it up as the starting address on the chain of new addresses. */
1912
1913vaddr->address = address;
1914addr_new = vaddr;
1915
1916/* We need a loop, because an address can generate new addresses. We must also
1917cope with generated pipes and files at the top level. (See also the code and
1918comment in deliver.c.) However, it is usually the case that the router for
1919user's .forward files has its verify flag turned off.
1920
1921If an address generates more than one child, the loop is used only when
1922full_info is set, and this can only be set locally. Remote enquiries just get
1923information about the top level address, not anything that it generated. */
1924
ea90b718 1925while (addr_new)
059ec3d9
PH		 1926 {
1927 int rc;
1928 address_item *addr = addr_new;
1929
1930 addr_new = addr->next;
1931 addr->next = NULL;
1932
1933 DEBUG(D_verify)
1934 {
1935 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1936 debug_printf("Considering %s\n", addr->address);
1937 }
1938
1939 /* Handle generated pipe, file or reply addresses. We don't get these
1940 when handling EXPN, as it does only one level of expansion. */
1941
1942 if (testflag(addr, af_pfr))
1943 {
1944 allok = FALSE;
1945 if (f != NULL)
1946 {
1947 BOOL allow;
1948
1949 if (addr->address[0] == '>')
1950 {
1951 allow = testflag(addr, af_allow_reply);
1952 fprintf(f, "%s -> mail %s", addr->parent->address, addr->address + 1);
1953 }
1954 else
1955 {
1956 allow = (addr->address[0] == '|')?
1957 testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file);
1958 fprintf(f, "%s -> %s", addr->parent->address, addr->address);
1959 }
1960
1961 if (addr->basic_errno == ERRNO_BADTRANSPORT)
1962 fprintf(f, "\n*** Error in setting up pipe, file, or autoreply:\n"
1963 "%s\n", addr->message);
1964 else if (allow)
1965 fprintf(f, "\n transport = %s\n", addr->transport->name);
1966 else
1967 fprintf(f, " *** forbidden ***\n");
1968 }
1969 continue;
1970 }
1971
1972 /* Just in case some router parameter refers to it. */
1973
d43cbe25
JH		 1974 return_path = (addr->prop.errors_address != NULL)?
1975 addr->prop.errors_address : sender_address;
059ec3d9
PH		 1976
1977 /* Split the address into domain and local part, handling the %-hack if
1978 necessary, and then route it. While routing a sender address, set
1979 $sender_address to <> because that is what it will be if we were trying to
1980 send a bounce to the sender. */
1981
1982 if (routed != NULL) *routed = FALSE;
1983 if ((rc = deliver_split_address(addr)) == OK)
1984 {
1985 if (!is_recipient) sender_address = null_sender;
1986 rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
1987 &addr_succeed, verify_type);
1988 sender_address = save_sender; /* Put back the real sender */
1989 }
1990
1991 /* If routing an address succeeded, set the flag that remembers, for use when
1992 an ACL cached a sender verify (in case a callout fails). Then if routing set
1993 up a list of hosts or the transport has a host list, and the callout option
1994 is set, and we aren't in a host checking run, do the callout verification,
1995 and set another flag that notes that a callout happened. */
1996
1997 if (rc == OK)
1998 {
1999 if (routed != NULL) *routed = TRUE;
2000 if (callout > 0)
2001 {
2002 host_item *host_list = addr->host_list;
08f3b11b 2003 transport_instance * tp;
059ec3d9 2004
26da7e20
PH		 2005 /* Make up some data for use in the case where there is no remote
2006 transport. */
2007
2008 transport_feedback tf = {
2009 NULL, /* interface (=> any) */
2010 US"smtp", /* port */
2011 US"smtp", /* protocol */
2012 NULL, /* hosts */
2013 US"$smtp_active_hostname", /* helo_data */
2014 FALSE, /* hosts_override */
2015 FALSE, /* hosts_randomize */
2016 FALSE, /* gethostbyname */
2017 TRUE, /* qualify_single */
2018 FALSE /* search_parents */
2019 };
059ec3d9
PH		 2020
2021 /* If verification yielded a remote transport, we want to use that
2022 transport's options, so as to mimic what would happen if we were really
2023 sending a message to this address. */
2024
08f3b11b 2025 if ((tp = addr->transport) && !tp->info->local)
059ec3d9 2026 {
08f3b11b 2027 (void)(tp->setup)(tp, addr, &tf, 0, 0, NULL);
059ec3d9
PH		 2028
2029 /* If the transport has hosts and the router does not, or if the
2030 transport is configured to override the router's hosts, we must build a
2031 host list of the transport's hosts, and find the IP addresses */
2032
2033 if (tf.hosts != NULL && (host_list == NULL || tf.hosts_override))
2034 {
2035 uschar *s;
55414b25 2036 const uschar *save_deliver_domain = deliver_domain;
750af86e 2037 uschar *save_deliver_localpart = deliver_localpart;
059ec3d9
PH		 2038
2039 host_list = NULL; /* Ignore the router's hosts */
2040
2041 deliver_domain = addr->domain;
2042 deliver_localpart = addr->local_part;
2043 s = expand_string(tf.hosts);
750af86e
PH		 2044 deliver_domain = save_deliver_domain;
2045 deliver_localpart = save_deliver_localpart;
059ec3d9
PH		 2046
2047 if (s == NULL)
2048 {
2049 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand list of hosts "
2050 "\"%s\" in %s transport for callout: %s", tf.hosts,
08f3b11b 2051 tp->name, expand_string_message);
059ec3d9
PH		 2052 }
2053 else
2054 {
322050c2 2055 int flags;
d8ef3577 2056 host_item *host, *nexthost;
059ec3d9
PH		 2057 host_build_hostlist(&host_list, s, tf.hosts_randomize);
2058
2059 /* Just ignore failures to find a host address. If we don't manage
8e669ac1
PH		 2060 to find any addresses, the callout will defer. Note that more than
2061 one address may be found for a single host, which will result in
2062 additional host items being inserted into the chain. Hence we must
d8ef3577 2063 save the next host first. */
059ec3d9 2064
322050c2
PH		 2065 flags = HOST_FIND_BY_A;
2066 if (tf.qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
2067 if (tf.search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
2068
d8ef3577 2069 for (host = host_list; host != NULL; host = nexthost)
059ec3d9 2070 {
d8ef3577 2071 nexthost = host->next;
8e669ac1 2072 if (tf.gethostbyname ||
7e66e54d 2073 string_is_ip_address(host->name, NULL) != 0)
55414b25 2074 (void)host_find_byname(host, NULL, flags, NULL, TRUE);
059ec3d9 2075 else
9d9c3746 2076 {
7cd171b7 2077 dnssec_domains * dnssec_domains = NULL;
08f3b11b 2078 if (Ustrcmp(tp->driver_name, "smtp") == 0)
9d9c3746
JH		 2079 {
2080 smtp_transport_options_block * ob =
08f3b11b 2081 (smtp_transport_options_block *) tp->options_block;
7cd171b7 2082 dnssec_domains = &ob->dnssec;
9d9c3746
JH		 2083 }
2084
059ec3d9 2085 (void)host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
7cd171b7 2086 dnssec_domains, NULL, NULL);
9d9c3746 2087 }
059ec3d9
PH		 2088 }
2089 }
2090 }
2091 }
2092
8e669ac1 2093 /* Can only do a callout if we have at least one host! If the callout
2c7db3f5 2094 fails, it will have set ${sender,recipient}_verify_failure. */
059ec3d9
PH		 2095
2096 if (host_list != NULL)
2097 {
2098 HDEBUG(D_verify) debug_printf("Attempting full verification using callout\n");
2099 if (host_checking && !host_checking_callout)
2100 {
2101 HDEBUG(D_verify)
2102 debug_printf("... callout omitted by default when host testing\n"
2103 "(Use -bhc if you want the callouts to happen.)\n");
2104 }
2105 else
2106 {
4ed8d31a
JH		 2107#ifdef SUPPORT_TLS
2108 deliver_set_expansions(addr);
2109#endif
059ec3d9 2110 rc = do_callout(addr, host_list, &tf, callout, callout_overall,
4deaf07d 2111 callout_connect, options, se_mailfrom, pm_mailfrom);
059ec3d9
PH		 2112 }
2113 }
2114 else
2115 {
2116 HDEBUG(D_verify) debug_printf("Cannot do callout: neither router nor "
2117 "transport provided a host list\n");
2118 }
2119 }
2120 }
8e669ac1 2121
2c7db3f5 2122 /* Otherwise, any failure is a routing failure */
8e669ac1
PH		 2123
2124 else *failure_ptr = US"route";
059ec3d9
PH		 2125
2126 /* A router may return REROUTED if it has set up a child address as a result
2127 of a change of domain name (typically from widening). In this case we always
2128 want to continue to verify the new child. */
2129
2130 if (rc == REROUTED) continue;
8e669ac1 2131
059ec3d9
PH		 2132 /* Handle hard failures */
2133
2134 if (rc == FAIL)
2135 {
2136 allok = FALSE;
2137 if (f != NULL)
2138 {
e6f6568e
PH		 2139 address_item *p = addr->parent;
2140
ce552449
NM		 2141 respond_printf(f, "%s%s %s", ko_prefix,
2142 full_info? addr->address : address,
059ec3d9
PH		 2143 address_test_mode? "is undeliverable" : "failed to verify");
2144 if (!expn && admin_user)
2145 {
2146 if (addr->basic_errno > 0)
ce552449 2147 respond_printf(f, ": %s", strerror(addr->basic_errno));
059ec3d9 2148 if (addr->message != NULL)
ce552449 2149 respond_printf(f, ": %s", addr->message);
e6f6568e
PH		 2150 }
2151
2152 /* Show parents iff doing full info */
2153
2154 if (full_info) while (p != NULL)
2155 {
ce552449 2156 respond_printf(f, "%s\n <-- %s", cr, p->address);
e6f6568e 2157 p = p->parent;
059ec3d9 2158 }
ce552449 2159 respond_printf(f, "%s\n", cr);
059ec3d9 2160 }
2e5b33cd 2161 cancel_cutthrough_connection("routing hard fail");
059ec3d9 2162
d9b2312b
JH		 2163 if (!full_info)
2164 {
2165 yield = copy_error(vaddr, addr, FAIL);
2166 goto out;
2167 }
2168 else yield = FAIL;
059ec3d9
PH		 2169 }
2170
2171 /* Soft failure */
2172
2173 else if (rc == DEFER)
2174 {
2175 allok = FALSE;
2176 if (f != NULL)
2177 {
e6f6568e 2178 address_item *p = addr->parent;
ce552449 2179 respond_printf(f, "%s%s cannot be resolved at this time", ko_prefix,
322050c2 2180 full_info? addr->address : address);
059ec3d9
PH		 2181 if (!expn && admin_user)
2182 {
2183 if (addr->basic_errno > 0)
ce552449 2184 respond_printf(f, ": %s", strerror(addr->basic_errno));
059ec3d9 2185 if (addr->message != NULL)
ce552449 2186 respond_printf(f, ": %s", addr->message);
059ec3d9 2187 else if (addr->basic_errno <= 0)
ce552449 2188 respond_printf(f, ": unknown error");
059ec3d9
PH		 2189 }
2190
e6f6568e
PH		 2191 /* Show parents iff doing full info */
2192
2193 if (full_info) while (p != NULL)
2194 {
ce552449 2195 respond_printf(f, "%s\n <-- %s", cr, p->address);
e6f6568e
PH		 2196 p = p->parent;
2197 }
ce552449 2198 respond_printf(f, "%s\n", cr);
059ec3d9 2199 }
2e5b33cd 2200 cancel_cutthrough_connection("routing soft fail");
e4bdf652 2201
d9b2312b
JH		 2202 if (!full_info)
2203 {
2204 yield = copy_error(vaddr, addr, DEFER);
2205 goto out;
2206 }
2207 else if (yield == OK) yield = DEFER;
059ec3d9
PH		 2208 }
2209
2210 /* If we are handling EXPN, we do not want to continue to route beyond
e6f6568e 2211 the top level (whose address is in "address"). */
059ec3d9
PH		 2212
2213 else if (expn)
2214 {
2215 uschar *ok_prefix = US"250-";
2216 if (addr_new == NULL)
2217 {
2218 if (addr_local == NULL && addr_remote == NULL)
ce552449 2219 respond_printf(f, "250 mail to <%s> is discarded\r\n", address);
059ec3d9 2220 else
ce552449 2221 respond_printf(f, "250 <%s>\r\n", address);
059ec3d9
PH		 2222 }
2223 else while (addr_new != NULL)
2224 {
2225 address_item *addr2 = addr_new;
2226 addr_new = addr2->next;
2227 if (addr_new == NULL) ok_prefix = US"250 ";
ce552449 2228 respond_printf(f, "%s<%s>\r\n", ok_prefix, addr2->address);
059ec3d9 2229 }
d9b2312b
JH		 2230 yield = OK;
2231 goto out;
059ec3d9
PH		 2232 }
2233
2234 /* Successful routing other than EXPN. */
2235
2236 else
2237 {
2238 /* Handle successful routing when short info wanted. Otherwise continue for
2239 other (generated) addresses. Short info is the operational case. Full info
2240 can be requested only when debug_selector != 0 and a file is supplied.
2241
2242 There is a conflict between the use of aliasing as an alternate email
2243 address, and as a sort of mailing list. If an alias turns the incoming
2244 address into just one address (e.g. J.Caesar->jc44) you may well want to
2245 carry on verifying the generated address to ensure it is valid when
2246 checking incoming mail. If aliasing generates multiple addresses, you
2247 probably don't want to do this. Exim therefore treats the generation of
2248 just a single new address as a special case, and continues on to verify the
2249 generated address. */
2250
2251 if (!full_info && /* Stop if short info wanted AND */
eafd343b
TK		 2252 (((addr_new == NULL || /* No new address OR */
2253 addr_new->next != NULL || /* More than one new address OR */
2254 testflag(addr_new, af_pfr))) /* New address is pfr */
2255 || /* OR */
2256 (addr_new != NULL && /* At least one new address AND */
2257 success_on_redirect))) /* success_on_redirect is set */
059ec3d9 2258 {
322050c2 2259 if (f != NULL) fprintf(f, "%s %s\n", address,
059ec3d9
PH		 2260 address_test_mode? "is deliverable" : "verified");
2261
2262 /* If we have carried on to verify a child address, we want the value
2263 of $address_data to be that of the child */
2264
d43cbe25 2265 vaddr->prop.address_data = addr->prop.address_data;
d9b2312b
JH		 2266 yield = OK;
2267 goto out;
059ec3d9
PH		 2268 }
2269 }
2270 } /* Loop for generated addresses */
2271
2272/* Display the full results of the successful routing, including any generated
2273addresses. Control gets here only when full_info is set, which requires f not
2274to be NULL, and this occurs only when a top-level verify is called with the
2275debugging switch on.
2276
2277If there are no local and no remote addresses, and there were no pipes, files,
2278or autoreplies, and there were no errors or deferments, the message is to be
2279discarded, usually because of the use of :blackhole: in an alias file. */
2280
2281if (allok && addr_local == NULL && addr_remote == NULL)
dbcef0ea 2282 {
059ec3d9 2283 fprintf(f, "mail to %s is discarded\n", address);
d9b2312b 2284 goto out;
dbcef0ea 2285 }
059ec3d9 2286
dbcef0ea 2287for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
08f3b11b 2288 while (addr_list)
059ec3d9
PH		 2289 {
2290 address_item *addr = addr_list;
2291 address_item *p = addr->parent;
08f3b11b
JH		 2292 transport_instance * tp = addr->transport;
2293
059ec3d9
PH		 2294 addr_list = addr->next;
2295
2296 fprintf(f, "%s", CS addr->address);
384152a6 2297#ifdef EXPERIMENTAL_SRS
d43cbe25
JH		 2298 if(addr->prop.srs_sender)
2299 fprintf(f, " [srs = %s]", addr->prop.srs_sender);
384152a6 2300#endif
dbcef0ea
PH		 2301
2302 /* If the address is a duplicate, show something about it. */
2303
2304 if (!testflag(addr, af_pfr))
2305 {
2306 tree_node *tnode;
08f3b11b 2307 if ((tnode = tree_search(tree_duplicates, addr->unique)))
dbcef0ea
PH		 2308 fprintf(f, " [duplicate, would not be delivered]");
2309 else tree_add_duplicate(addr->unique, addr);
2310 }
2311
2312 /* Now show its parents */
2313
08f3b11b 2314 for (p = addr->parent; p; p = p->parent)
059ec3d9 2315 fprintf(f, "\n <-- %s", p->address);
059ec3d9
PH		 2316 fprintf(f, "\n ");
2317
2318 /* Show router, and transport */
2319
08f3b11b
JH		 2320 fprintf(f, "router = %s, transport = %s\n",
2321 addr->router->name, tp ? tp->name : US"unset");
059ec3d9
PH		 2322
2323 /* Show any hosts that are set up by a router unless the transport
2324 is going to override them; fiddle a bit to get a nice format. */
2325
08f3b11b 2326 if (addr->host_list && tp && !tp->overrides_hosts)
059ec3d9
PH		 2327 {
2328 host_item *h;
2329 int maxlen = 0;
2330 int maxaddlen = 0;
08f3b11b
JH		 2331 for (h = addr->host_list; h; h = h->next)
2332 { /* get max lengths of host names, addrs */
059ec3d9
PH		 2333 int len = Ustrlen(h->name);
2334 if (len > maxlen) maxlen = len;
08f3b11b 2335 len = h->address ? Ustrlen(h->address) : 7;
059ec3d9
PH		 2336 if (len > maxaddlen) maxaddlen = len;
2337 }
08f3b11b
JH		 2338 for (h = addr->host_list; h; h = h->next)
2339 {
2340 fprintf(f, " host %-*s ", maxlen, h->name);
2341
2342 if (h->address)
2343 fprintf(f, "[%s%-*c", h->address, maxaddlen+1 - Ustrlen(h->address), ']');
2344 else if (tp->info->local)
2345 fprintf(f, " %-*s ", maxaddlen, ""); /* Omit [unknown] for local */
2346 else
2347 fprintf(f, "[%s%-*c", "unknown", maxaddlen+1 - 7, ']');
2348
2349 if (h->mx >= 0) fprintf(f, " MX=%d", h->mx);
059ec3d9 2350 if (h->port != PORT_NONE) fprintf(f, " port=%d", h->port);
08f3b11b
JH		 2351 if (running_in_test_harness && h->dnssec == DS_YES) fputs(" AD", f);
2352 if (h->status == hstatus_unusable) fputs(" ** unusable **", f);
2353 fputc('\n', f);
059ec3d9
PH		 2354 }
2355 }
2356 }
059ec3d9 2357
d9b2312b 2358/* Yield will be DEFER or FAIL if any one address has, only for full_info (which is
2c7db3f5
PH		 2359the -bv or -bt case). */
2360
d9b2312b 2361out:
ea90b718 2362verify_mode = NULL;
35aba663 2363tls_modify_variables(&tls_in);
d9b2312b 2364
8e669ac1 2365return yield;
059ec3d9
PH		 2366}
2367
2368
2369
2370
2371/*************************************************
2372* Check headers for syntax errors *
2373*************************************************/
2374
2375/* This function checks those header lines that contain addresses, and verifies
2376that all the addresses therein are syntactially correct.
2377
2378Arguments:
2379 msgptr where to put an error message
2380
2381Returns: OK
2382 FAIL
2383*/
2384
2385int
2386verify_check_headers(uschar **msgptr)
2387{
2388header_line *h;
2389uschar *colon, *s;
1eccaa59 2390int yield = OK;
059ec3d9 2391
1eccaa59 2392for (h = header_list; h != NULL && yield == OK; h = h->next)
059ec3d9
PH		 2393 {
2394 if (h->type != htype_from &&
2395 h->type != htype_reply_to &&
2396 h->type != htype_sender &&
2397 h->type != htype_to &&
2398 h->type != htype_cc &&
2399 h->type != htype_bcc)
2400 continue;
2401
2402 colon = Ustrchr(h->text, ':');
2403 s = colon + 1;
2404 while (isspace(*s)) s++;
2405
1eccaa59
PH		 2406 /* Loop for multiple addresses in the header, enabling group syntax. Note
2407 that we have to reset this after the header has been scanned. */
059ec3d9 2408
1eccaa59 2409 parse_allow_group = TRUE;
059ec3d9
PH		 2410
2411 while (*s != 0)
2412 {
2413 uschar *ss = parse_find_address_end(s, FALSE);
2414 uschar *recipient, *errmess;
2415 int terminator = *ss;
2416 int start, end, domain;
2417
2418 /* Temporarily terminate the string at this point, and extract the
1eccaa59 2419 operative address within, allowing group syntax. */
059ec3d9
PH		 2420
2421 *ss = 0;
2422 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
2423 *ss = terminator;
2424
2425 /* Permit an unqualified address only if the message is local, or if the
2426 sending host is configured to be permitted to send them. */
2427
2428 if (recipient != NULL && domain == 0)
2429 {
2430 if (h->type == htype_from || h->type == htype_sender)
2431 {
2432 if (!allow_unqualified_sender) recipient = NULL;
2433 }
2434 else
2435 {
2436 if (!allow_unqualified_recipient) recipient = NULL;
2437 }
2438 if (recipient == NULL) errmess = US"unqualified address not permitted";
2439 }
2440
2441 /* It's an error if no address could be extracted, except for the special
2442 case of an empty address. */
2443
2444 if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0)
2445 {
2446 uschar *verb = US"is";
2447 uschar *t = ss;
1ab95fa6 2448 uschar *tt = colon;
059ec3d9
PH		 2449 int len;
2450
2451 /* Arrange not to include any white space at the end in the
1ab95fa6 2452 error message or the header name. */
059ec3d9
PH		 2453
2454 while (t > s && isspace(t[-1])) t--;
1ab95fa6 2455 while (tt > h->text && isspace(tt[-1])) tt--;
059ec3d9 2456
1ab95fa6 2457 /* Add the address that failed to the error message, since in a
059ec3d9
PH		 2458 header with very many addresses it is sometimes hard to spot
2459 which one is at fault. However, limit the amount of address to
2460 quote - cases have been seen where, for example, a missing double
2461 quote in a humungous To: header creates an "address" that is longer
2462 than string_sprintf can handle. */
2463
2464 len = t - s;
2465 if (len > 1024)
2466 {
2467 len = 1024;
2468 verb = US"begins";
2469 }
2470
55414b25
JH		 2471 /* deconst cast ok as we're passing a non-const to string_printing() */
2472 *msgptr = US string_printing(
1ab95fa6
PH		 2473 string_sprintf("%s: failing address in \"%.*s:\" header %s: %.*s",
2474 errmess, tt - h->text, h->text, verb, len, s));
059ec3d9 2475
1eccaa59
PH		 2476 yield = FAIL;
2477 break; /* Out of address loop */
059ec3d9
PH		 2478 }
2479
2480 /* Advance to the next address */
2481
2482 s = ss + (terminator? 1:0);
2483 while (isspace(*s)) s++;
2484 } /* Next address */
059ec3d9 2485
1eccaa59
PH		 2486 parse_allow_group = FALSE;
2487 parse_found_group = FALSE;
2488 } /* Next header unless yield has been set FALSE */
2489
2490return yield;
059ec3d9
PH		 2491}
2492
2493
770747fd
MFM		 2494/*************************************************
2495* Check header names for 8-bit characters *
2496*************************************************/
2497
2498/* This function checks for invalid charcters in header names. See
2499RFC 5322, 2.2. and RFC 6532, 3.
2500
2501Arguments:
2502 msgptr where to put an error message
2503
2504Returns: OK
2505 FAIL
2506*/
2507
2508int
2509verify_check_header_names_ascii(uschar **msgptr)
2510{
2511header_line *h;
2512uschar *colon, *s;
2513
2514for (h = header_list; h != NULL; h = h->next)
2515 {
2516 colon = Ustrchr(h->text, ':');
2517 for(s = h->text; s < colon; s++)
2518 {
2519 if ((*s < 33) || (*s > 126))
2520 {
2521 *msgptr = string_sprintf("Invalid character in header \"%.*s\" found",
2522 colon - h->text, h->text);
2523 return FAIL;
2524 }
2525 }
2526 }
2527return OK;
2528}
059ec3d9 2529
1c41c9cc
PH		 2530/*************************************************
2531* Check for blind recipients *
2532*************************************************/
2533
2534/* This function checks that every (envelope) recipient is mentioned in either
2535the To: or Cc: header lines, thus detecting blind carbon copies.
2536
2537There are two ways of scanning that could be used: either scan the header lines
2538and tick off the recipients, or scan the recipients and check the header lines.
2539The original proposed patch did the former, but I have chosen to do the latter,
2540because (a) it requires no memory and (b) will use fewer resources when there
2541are many addresses in To: and/or Cc: and only one or two envelope recipients.
2542
2543Arguments: none
2544Returns: OK if there are no blind recipients
2545 FAIL if there is at least one blind recipient
2546*/
2547
2548int
2549verify_check_notblind(void)
2550{
2551int i;
2552for (i = 0; i < recipients_count; i++)
2553 {
2554 header_line *h;
2555 BOOL found = FALSE;
2556 uschar *address = recipients_list[i].address;
2557
2558 for (h = header_list; !found && h != NULL; h = h->next)
2559 {
2560 uschar *colon, *s;
2561
2562 if (h->type != htype_to && h->type != htype_cc) continue;
2563
2564 colon = Ustrchr(h->text, ':');
2565 s = colon + 1;
2566 while (isspace(*s)) s++;
2567
1eccaa59
PH		 2568 /* Loop for multiple addresses in the header, enabling group syntax. Note
2569 that we have to reset this after the header has been scanned. */
1c41c9cc 2570
1eccaa59 2571 parse_allow_group = TRUE;
1c41c9cc
PH		 2572
2573 while (*s != 0)
2574 {
2575 uschar *ss = parse_find_address_end(s, FALSE);
2576 uschar *recipient,*errmess;
2577 int terminator = *ss;
2578 int start, end, domain;
2579
2580 /* Temporarily terminate the string at this point, and extract the
1eccaa59 2581 operative address within, allowing group syntax. */
1c41c9cc
PH		 2582
2583 *ss = 0;
2584 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
2585 *ss = terminator;
2586
2587 /* If we found a valid recipient that has a domain, compare it with the
2588 envelope recipient. Local parts are compared case-sensitively, domains
2589 case-insensitively. By comparing from the start with length "domain", we
2590 include the "@" at the end, which ensures that we are comparing the whole
2591 local part of each address. */
2592
2593 if (recipient != NULL && domain != 0)
2594 {
2595 found = Ustrncmp(recipient, address, domain) == 0 &&
2596 strcmpic(recipient + domain, address + domain) == 0;
2597 if (found) break;
2598 }
2599
2600 /* Advance to the next address */
2601
2602 s = ss + (terminator? 1:0);
2603 while (isspace(*s)) s++;
2604 } /* Next address */
1eccaa59
PH		 2605
2606 parse_allow_group = FALSE;
2607 parse_found_group = FALSE;
1c41c9cc
PH		 2608 } /* Next header (if found is false) */
2609
2610 if (!found) return FAIL;
2611 } /* Next recipient */
2612
2613return OK;
2614}
2615
2616
059ec3d9
PH		 2617
2618/*************************************************
2619* Find if verified sender *
2620*************************************************/
2621
2622/* Usually, just a single address is verified as the sender of the message.
2623However, Exim can be made to verify other addresses as well (often related in
2624some way), and this is useful in some environments. There may therefore be a
2625chain of such addresses that have previously been tested. This function finds
2626whether a given address is on the chain.
2627
2628Arguments: the address to be verified
2629Returns: pointer to an address item, or NULL
2630*/
2631
2632address_item *
2633verify_checked_sender(uschar *sender)
2634{
2635address_item *addr;
2636for (addr = sender_verified_list; addr != NULL; addr = addr->next)
2637 if (Ustrcmp(sender, addr->address) == 0) break;
2638return addr;
2639}
2640
2641
2642
2643
2644
2645/*************************************************
2646* Get valid header address *
2647*************************************************/
2648
2649/* Scan the originator headers of the message, looking for an address that
2650verifies successfully. RFC 822 says:
2651
2652 o The "Sender" field mailbox should be sent notices of
2653 any problems in transport or delivery of the original
2654 messages. If there is no "Sender" field, then the
2655 "From" field mailbox should be used.
2656
2657 o If the "Reply-To" field exists, then the reply should
2658 go to the addresses indicated in that field and not to
2659 the address(es) indicated in the "From" field.
2660
2661So we check a Sender field if there is one, else a Reply_to field, else a From
2662field. As some strange messages may have more than one of these fields,
2663especially if they are resent- fields, check all of them if there is more than
2664one.
2665
2666Arguments:
2667 user_msgptr points to where to put a user error message
2668 log_msgptr points to where to put a log error message
2669 callout timeout for callout check (passed to verify_address())
2670 callout_overall overall callout timeout (ditto)
8e669ac1 2671 callout_connect connect callout timeout (ditto)
059ec3d9
PH		 2672 se_mailfrom mailfrom for verify; NULL => ""
2673 pm_mailfrom sender for pm callout check (passed to verify_address())
2674 options callout options (passed to verify_address())
8e669ac1 2675 verrno where to put the address basic_errno
059ec3d9
PH		 2676
2677If log_msgptr is set to something without setting user_msgptr, the caller
2678normally uses log_msgptr for both things.
2679
2680Returns: result of the verification attempt: OK, FAIL, or DEFER;
2681 FAIL is given if no appropriate headers are found
2682*/
2683
2684int
2685verify_check_header_address(uschar **user_msgptr, uschar **log_msgptr,
8e669ac1 2686 int callout, int callout_overall, int callout_connect, uschar *se_mailfrom,
fe5b5d0b 2687 uschar *pm_mailfrom, int options, int *verrno)
059ec3d9
PH		 2688{
2689static int header_types[] = { htype_sender, htype_reply_to, htype_from };
1eccaa59 2690BOOL done = FALSE;
059ec3d9
PH		 2691int yield = FAIL;
2692int i;
2693
1eccaa59 2694for (i = 0; i < 3 && !done; i++)
059ec3d9
PH		 2695 {
2696 header_line *h;
1eccaa59 2697 for (h = header_list; h != NULL && !done; h = h->next)
059ec3d9
PH		 2698 {
2699 int terminator, new_ok;
2700 uschar *s, *ss, *endname;
2701
2702 if (h->type != header_types[i]) continue;
2703 s = endname = Ustrchr(h->text, ':') + 1;
2704
1eccaa59
PH		 2705 /* Scan the addresses in the header, enabling group syntax. Note that we
2706 have to reset this after the header has been scanned. */
2707
2708 parse_allow_group = TRUE;
2709
059ec3d9
PH		 2710 while (*s != 0)
2711 {
2712 address_item *vaddr;
2713
2714 while (isspace(*s) || *s == ',') s++;
2715 if (*s == 0) break; /* End of header */
2716
2717 ss = parse_find_address_end(s, FALSE);
2718
2719 /* The terminator is a comma or end of header, but there may be white
2720 space preceding it (including newline for the last address). Move back
2721 past any white space so we can check against any cached envelope sender
2722 address verifications. */
2723
2724 while (isspace(ss[-1])) ss--;
2725 terminator = *ss;
2726 *ss = 0;
2727
2728 HDEBUG(D_verify) debug_printf("verifying %.*s header address %s\n",
2729 (int)(endname - h->text), h->text, s);
2730
2731 /* See if we have already verified this address as an envelope sender,
2732 and if so, use the previous answer. */
2733
2734 vaddr = verify_checked_sender(s);
2735
2736 if (vaddr != NULL && /* Previously checked */
2737 (callout <= 0 || /* No callout needed; OR */
2738 vaddr->special_action > 256)) /* Callout was done */
2739 {
2740 new_ok = vaddr->special_action & 255;
2741 HDEBUG(D_verify) debug_printf("previously checked as envelope sender\n");
2742 *ss = terminator; /* Restore shortened string */
2743 }
2744
2745 /* Otherwise we run the verification now. We must restore the shortened
2746 string before running the verification, so the headers are correct, in
2747 case there is any rewriting. */
2748
2749 else
2750 {
2751 int start, end, domain;
1eccaa59
PH		 2752 uschar *address = parse_extract_address(s, log_msgptr, &start, &end,
2753 &domain, FALSE);
059ec3d9
PH		 2754
2755 *ss = terminator;
2756
1eccaa59
PH		 2757 /* If we found an empty address, just carry on with the next one, but
2758 kill the message. */
2759
2760 if (address == NULL && Ustrcmp(*log_msgptr, "empty address") == 0)
2761 {
2762 *log_msgptr = NULL;
2763 s = ss;
2764 continue;
2765 }
2766
059ec3d9
PH		 2767 /* If verification failed because of a syntax error, fail this
2768 function, and ensure that the failing address gets added to the error
2769 message. */
2770
2771 if (address == NULL)
2772 {
2773 new_ok = FAIL;
1eccaa59
PH		 2774 while (ss > s && isspace(ss[-1])) ss--;
2775 *log_msgptr = string_sprintf("syntax error in '%.*s' header when "
2776 "scanning for sender: %s in \"%.*s\"",
2777 endname - h->text, h->text, *log_msgptr, ss - s, s);
2778 yield = FAIL;
2779 done = TRUE;
2780 break;
059ec3d9
PH		 2781 }
2782
2f6603e1 2783 /* Else go ahead with the sender verification. But it isn't *the*
059ec3d9
PH		 2784 sender of the message, so set vopt_fake_sender to stop sender_address
2785 being replaced after rewriting or qualification. */
2786
2787 else
2788 {
2789 vaddr = deliver_make_addr(address, FALSE);
2790 new_ok = verify_address(vaddr, NULL, options | vopt_fake_sender,
8e669ac1 2791 callout, callout_overall, callout_connect, se_mailfrom,
4deaf07d 2792 pm_mailfrom, NULL);
059ec3d9
PH		 2793 }
2794 }
2795
2796 /* We now have the result, either newly found, or cached. If we are
2797 giving out error details, set a specific user error. This means that the
2798 last of these will be returned to the user if all three fail. We do not
2799 set a log message - the generic one below will be used. */
2800
fe5b5d0b 2801 if (new_ok != OK)
059ec3d9 2802 {
8e669ac1 2803 *verrno = vaddr->basic_errno;
fe5b5d0b
PH		 2804 if (smtp_return_error_details)
2805 {
2806 *user_msgptr = string_sprintf("Rejected after DATA: "
2807 "could not verify \"%.*s\" header address\n%s: %s",
2808 endname - h->text, h->text, vaddr->address, vaddr->message);
2809 }
8e669ac1 2810 }
059ec3d9
PH		 2811
2812 /* Success or defer */
2813
1eccaa59
PH		 2814 if (new_ok == OK)
2815 {
2816 yield = OK;
2817 done = TRUE;
2818 break;
2819 }
2820
059ec3d9
PH		 2821 if (new_ok == DEFER) yield = DEFER;
2822
2823 /* Move on to any more addresses in the header */
2824
2825 s = ss;
1eccaa59
PH		 2826 } /* Next address */
2827
2828 parse_allow_group = FALSE;
2829 parse_found_group = FALSE;
2830 } /* Next header, unless done */
2831 } /* Next header type unless done */
059ec3d9
PH		 2832
2833if (yield == FAIL && *log_msgptr == NULL)
2834 *log_msgptr = US"there is no valid sender in any header line";
2835
2836if (yield == DEFER && *log_msgptr == NULL)
2837 *log_msgptr = US"all attempts to verify a sender in a header line deferred";
2838
2839return yield;
2840}
2841
2842
2843
2844
2845/*************************************************
2846* Get RFC 1413 identification *
2847*************************************************/
2848
2849/* Attempt to get an id from the sending machine via the RFC 1413 protocol. If
2850the timeout is set to zero, then the query is not done. There may also be lists
2851of hosts and nets which are exempt. To guard against malefactors sending
2852non-printing characters which could, for example, disrupt a message's headers,
2853make sure the string consists of printing characters only.
2854
2855Argument:
2856 port the port to connect to; usually this is IDENT_PORT (113), but when
2857 running in the test harness with -bh a different value is used.
2858
2859Returns: nothing
2860
2861Side effect: any received ident value is put in sender_ident (NULL otherwise)
2862*/
2863
2864void
2865verify_get_ident(int port)
2866{
2867int sock, host_af, qlen;
2868int received_sender_port, received_interface_port, n;
2869uschar *p;
2870uschar buffer[2048];
2871
2872/* Default is no ident. Check whether we want to do an ident check for this
2873host. */
2874
2875sender_ident = NULL;
2876if (rfc1413_query_timeout <= 0 || verify_check_host(&rfc1413_hosts) != OK)
2877 return;
2878
2879DEBUG(D_ident) debug_printf("doing ident callback\n");
2880
2881/* Set up a connection to the ident port of the remote host. Bind the local end
2882to the incoming interface address. If the sender host address is an IPv6
2883address, the incoming interface address will also be IPv6. */
2884
2885host_af = (Ustrchr(sender_host_address, ':') == NULL)? AF_INET : AF_INET6;
2886sock = ip_socket(SOCK_STREAM, host_af);
2887if (sock < 0) return;
2888
2889if (ip_bind(sock, host_af, interface_address, 0) < 0)
2890 {
2891 DEBUG(D_ident) debug_printf("bind socket for ident failed: %s\n",
2892 strerror(errno));
2893 goto END_OFF;
2894 }
2895
2896if (ip_connect(sock, host_af, sender_host_address, port, rfc1413_query_timeout)
2897 < 0)
2898 {
6c6d6e48 2899 if (errno == ETIMEDOUT && LOGGING(ident_timeout))
059ec3d9
PH		 2900 {
2901 log_write(0, LOG_MAIN, "ident connection to %s timed out",
2902 sender_host_address);
2903 }
2904 else
2905 {
2906 DEBUG(D_ident) debug_printf("ident connection to %s failed: %s\n",
2907 sender_host_address, strerror(errno));
2908 }
2909 goto END_OFF;
2910 }
2911
2912/* Construct and send the query. */
2913
2914sprintf(CS buffer, "%d , %d\r\n", sender_host_port, interface_port);
2915qlen = Ustrlen(buffer);
2916if (send(sock, buffer, qlen, 0) < 0)
2917 {
2918 DEBUG(D_ident) debug_printf("ident send failed: %s\n", strerror(errno));
2919 goto END_OFF;
2920 }
2921
2922/* Read a response line. We put it into the rest of the buffer, using several
2923recv() calls if necessary. */
2924
2925p = buffer + qlen;
2926
2927for (;;)
2928 {
2929 uschar *pp;
2930 int count;
2931 int size = sizeof(buffer) - (p - buffer);
2932
2933 if (size <= 0) goto END_OFF; /* Buffer filled without seeing \n. */
2934 count = ip_recv(sock, p, size, rfc1413_query_timeout);
2935 if (count <= 0) goto END_OFF; /* Read error or EOF */
2936
2937 /* Scan what we just read, to see if we have reached the terminating \r\n. Be
2938 generous, and accept a plain \n terminator as well. The only illegal
2939 character is 0. */
2940
2941 for (pp = p; pp < p + count; pp++)
2942 {
2943 if (*pp == 0) goto END_OFF; /* Zero octet not allowed */
2944 if (*pp == '\n')
2945 {
2946 if (pp[-1] == '\r') pp--;
2947 *pp = 0;
2948 goto GOT_DATA; /* Break out of both loops */
2949 }
2950 }
2951
2952 /* Reached the end of the data without finding \n. Let the loop continue to
2953 read some more, if there is room. */
2954
2955 p = pp;
2956 }
2957
2958GOT_DATA:
2959
2960/* We have received a line of data. Check it carefully. It must start with the
2961same two port numbers that we sent, followed by data as defined by the RFC. For
2962example,
2963
2964 12345 , 25 : USERID : UNIX :root
2965
2966However, the amount of white space may be different to what we sent. In the
2967"osname" field there may be several sub-fields, comma separated. The data we
2968actually want to save follows the third colon. Some systems put leading spaces
2969in it - we discard those. */
2970
2971if (sscanf(CS buffer + qlen, "%d , %d%n", &received_sender_port,
2972 &received_interface_port, &n) != 2 ||
2973 received_sender_port != sender_host_port ||
2974 received_interface_port != interface_port)
2975 goto END_OFF;
2976
2977p = buffer + qlen + n;
2978while(isspace(*p)) p++;
2979if (*p++ != ':') goto END_OFF;
2980while(isspace(*p)) p++;
2981if (Ustrncmp(p, "USERID", 6) != 0) goto END_OFF;
2982p += 6;
2983while(isspace(*p)) p++;
2984if (*p++ != ':') goto END_OFF;
2985while (*p != 0 && *p != ':') p++;
2986if (*p++ == 0) goto END_OFF;
2987while(isspace(*p)) p++;
2988if (*p == 0) goto END_OFF;
2989
2990/* The rest of the line is the data we want. We turn it into printing
2991characters when we save it, so that it cannot mess up the format of any logging
2992or Received: lines into which it gets inserted. We keep a maximum of 127
55414b25 2993characters. The deconst cast is ok as we fed a nonconst to string_printing() */
059ec3d9 2994
55414b25 2995sender_ident = US string_printing(string_copyn(p, 127));
059ec3d9
PH		 2996DEBUG(D_ident) debug_printf("sender_ident = %s\n", sender_ident);
2997
2998END_OFF:
f1e894f3 2999(void)close(sock);
059ec3d9
PH		 3000return;
3001}
3002
3003
3004
3005
3006/*************************************************
3007* Match host to a single host-list item *
3008*************************************************/
3009
3010/* This function compares a host (name or address) against a single item
3011from a host list. The host name gets looked up if it is needed and is not
3012already known. The function is called from verify_check_this_host() via
3013match_check_list(), which is why most of its arguments are in a single block.
3014
3015Arguments:
3016 arg the argument block (see below)
3017 ss the host-list item
3018 valueptr where to pass back looked up data, or NULL
3019 error for error message when returning ERROR
3020
3021The block contains:
32d668a5
PH		 3022 host_name (a) the host name, or
3023 (b) NULL, implying use sender_host_name and
3024 sender_host_aliases, looking them up if required, or
3025 (c) the empty string, meaning that only IP address matches
3026 are permitted
059ec3d9
PH		 3027 host_address the host address
3028 host_ipv4 the IPv4 address taken from an IPv6 one
3029
3030Returns: OK matched
3031 FAIL did not match
3032 DEFER lookup deferred
32d668a5
PH		 3033 ERROR (a) failed to find the host name or IP address, or
3034 (b) unknown lookup type specified, or
3035 (c) host name encountered when only IP addresses are
3036 being matched
059ec3d9
PH		 3037*/
3038
32d668a5 3039int
55414b25 3040check_host(void *arg, const uschar *ss, const uschar **valueptr, uschar **error)
059ec3d9
PH		 3041{
3042check_host_block *cb = (check_host_block *)arg;
32d668a5 3043int mlen = -1;
059ec3d9 3044int maskoffset;
32d668a5 3045BOOL iplookup = FALSE;
059ec3d9 3046BOOL isquery = FALSE;
32d668a5 3047BOOL isiponly = cb->host_name != NULL && cb->host_name[0] == 0;
55414b25 3048const uschar *t;
32d668a5 3049uschar *semicolon;
059ec3d9
PH		 3050uschar **aliases;
3051
3052/* Optimize for the special case when the pattern is "*". */
3053
3054if (*ss == '*' && ss[1] == 0) return OK;
3055
3056/* If the pattern is empty, it matches only in the case when there is no host -
3057this can occur in ACL checking for SMTP input using the -bs option. In this
3058situation, the host address is the empty string. */
3059
3060if (cb->host_address[0] == 0) return (*ss == 0)? OK : FAIL;
3061if (*ss == 0) return FAIL;
3062
32d668a5
PH		 3063/* If the pattern is precisely "@" then match against the primary host name,
3064provided that host name matching is permitted; if it's "@[]" match against the
3065local host's IP addresses. */
059ec3d9
PH		 3066
3067if (*ss == '@')
3068 {
32d668a5
PH		 3069 if (ss[1] == 0)
3070 {
3071 if (isiponly) return ERROR;
3072 ss = primary_hostname;
3073 }
059ec3d9
PH		 3074 else if (Ustrcmp(ss, "@[]") == 0)
3075 {
3076 ip_address_item *ip;
3077 for (ip = host_find_interfaces(); ip != NULL; ip = ip->next)
3078 if (Ustrcmp(ip->address, cb->host_address) == 0) return OK;
3079 return FAIL;
3080 }
3081 }
3082
3083/* If the pattern is an IP address, optionally followed by a bitmask count, do
3084a (possibly masked) comparision with the current IP address. */
3085
7e66e54d 3086if (string_is_ip_address(ss, &maskoffset) != 0)
059ec3d9
PH		 3087 return (host_is_in_net(cb->host_address, ss, maskoffset)? OK : FAIL);
3088
1688f43b
PH		 3089/* The pattern is not an IP address. A common error that people make is to omit
3090one component of an IPv4 address, either by accident, or believing that, for
3091example, 1.2.3/24 is the same as 1.2.3.0/24, or 1.2.3 is the same as 1.2.3.0,
3092which it isn't. (Those applications that do accept 1.2.3 as an IP address
3093interpret it as 1.2.0.3 because the final component becomes 16-bit - this is an
3094ancient specification.) To aid in debugging these cases, we give a specific
3095error if the pattern contains only digits and dots or contains a slash preceded
3096only by digits and dots (a slash at the start indicates a file name and of
3097course slashes may be present in lookups, but not preceded only by digits and
3098dots). */
3099
3100for (t = ss; isdigit(*t) || *t == '.'; t++);
3101if (*t == 0 || (*t == '/' && t != ss))
3102 {
3103 *error = US"malformed IPv4 address or address mask";
3104 return ERROR;
3105 }
3106
32d668a5 3107/* See if there is a semicolon in the pattern */
059ec3d9 3108
32d668a5
PH		 3109semicolon = Ustrchr(ss, ';');
3110
3111/* If we are doing an IP address only match, then all lookups must be IP
df199fec 3112address lookups, even if there is no "net-". */
32d668a5
PH		 3113
3114if (isiponly)
059ec3d9 3115 {
32d668a5
PH		 3116 iplookup = semicolon != NULL;
3117 }
059ec3d9 3118
32d668a5 3119/* Otherwise, if the item is of the form net[n]-lookup;<file|query> then it is
df199fec
PH		 3120a lookup on a masked IP network, in textual form. We obey this code even if we
3121have already set iplookup, so as to skip over the "net-" prefix and to set the
3122mask length. The net- stuff really only applies to single-key lookups where the
3123key is implicit. For query-style lookups the key is specified in the query.
3124From release 4.30, the use of net- for query style is no longer needed, but we
3125retain it for backward compatibility. */
3126
3127if (Ustrncmp(ss, "net", 3) == 0 && semicolon != NULL)
32d668a5
PH		 3128 {
3129 mlen = 0;
3130 for (t = ss + 3; isdigit(*t); t++) mlen = mlen * 10 + *t - '0';
3131 if (mlen == 0 && t == ss+3) mlen = -1; /* No mask supplied */
3132 iplookup = (*t++ == '-');
3133 }
1688f43b 3134else t = ss;
059ec3d9 3135
32d668a5 3136/* Do the IP address lookup if that is indeed what we have */
059ec3d9 3137
32d668a5
PH		 3138if (iplookup)
3139 {
3140 int insize;
3141 int search_type;
3142 int incoming[4];
3143 void *handle;
3144 uschar *filename, *key, *result;
3145 uschar buffer[64];
059ec3d9 3146
32d668a5 3147 /* Find the search type */
059ec3d9 3148
32d668a5 3149 search_type = search_findtype(t, semicolon - t);
059ec3d9 3150
32d668a5
PH		 3151 if (search_type < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
3152 search_error_message);
059ec3d9 3153
13b685f9
PH		 3154 /* Adjust parameters for the type of lookup. For a query-style lookup, there
3155 is no file name, and the "key" is just the query. For query-style with a file
3156 name, we have to fish the file off the start of the query. For a single-key
3157 lookup, the key is the current IP address, masked appropriately, and
3158 reconverted to text form, with the mask appended. For IPv6 addresses, specify
6a3bceb1
PH		 3159 dot separators instead of colons, except when the lookup type is "iplsearch".
3160 */
059ec3d9 3161
13b685f9
PH		 3162 if (mac_islookup(search_type, lookup_absfilequery))
3163 {
3164 filename = semicolon + 1;
3165 key = filename;
3166 while (*key != 0 && !isspace(*key)) key++;
3167 filename = string_copyn(filename, key - filename);
3168 while (isspace(*key)) key++;
3169 }
3170 else if (mac_islookup(search_type, lookup_querystyle))
32d668a5
PH		 3171 {
3172 filename = NULL;
3173 key = semicolon + 1;
3174 }
6a3bceb1 3175 else /* Single-key style */
32d668a5 3176 {
e6d225ae 3177 int sep = (Ustrcmp(lookup_list[search_type]->name, "iplsearch") == 0)?
6a3bceb1 3178 ':' : '.';
32d668a5
PH		 3179 insize = host_aton(cb->host_address, incoming);
3180 host_mask(insize, incoming, mlen);
6a3bceb1 3181 (void)host_nmtoa(insize, incoming, mlen, buffer, sep);
32d668a5
PH		 3182 key = buffer;
3183 filename = semicolon + 1;
059ec3d9 3184 }
32d668a5
PH		 3185
3186 /* Now do the actual lookup; note that there is no search_close() because
3187 of the caching arrangements. */
3188
d4ff61d1
JH		 3189 if (!(handle = search_open(filename, search_type, 0, NULL, NULL)))
3190 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", search_error_message);
3191
32d668a5
PH		 3192 result = search_find(handle, filename, key, -1, NULL, 0, 0, NULL);
3193 if (valueptr != NULL) *valueptr = result;
3194 return (result != NULL)? OK : search_find_defer? DEFER: FAIL;
059ec3d9
PH		 3195 }
3196
3197/* The pattern is not an IP address or network reference of any kind. That is,
32d668a5
PH		 3198it is a host name pattern. If this is an IP only match, there's an error in the
3199host list. */
3200
3201if (isiponly)
3202 {
3203 *error = US"cannot match host name in match_ip list";
3204 return ERROR;
3205 }
3206
3207/* Check the characters of the pattern to see if they comprise only letters,
3208digits, full stops, and hyphens (the constituents of domain names). Allow
3209underscores, as they are all too commonly found. Sigh. Also, if
3210allow_utf8_domains is set, allow top-bit characters. */
059ec3d9
PH		 3211
3212for (t = ss; *t != 0; t++)
3213 if (!isalnum(*t) && *t != '.' && *t != '-' && *t != '_' &&
3214 (!allow_utf8_domains || *t < 128)) break;
3215
3216/* If the pattern is a complete domain name, with no fancy characters, look up
3217its IP address and match against that. Note that a multi-homed host will add
3218items to the chain. */
3219
3220if (*t == 0)
3221 {
3222 int rc;
3223 host_item h;
3224 h.next = NULL;
3225 h.name = ss;
3226 h.address = NULL;
3227 h.mx = MX_NONE;
9b8fadde 3228
1f155f8e
JH		 3229 /* Using byname rather than bydns here means we cannot determine dnssec
3230 status. On the other hand it is unclear how that could be either
3231 propagated up or enforced. */
3232
322050c2 3233 rc = host_find_byname(&h, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, FALSE);
059ec3d9
PH		 3234 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
3235 {
3236 host_item *hh;
3237 for (hh = &h; hh != NULL; hh = hh->next)
3238 {
96776534 3239 if (host_is_in_net(hh->address, cb->host_address, 0)) return OK;
059ec3d9
PH		 3240 }
3241 return FAIL;
3242 }
3243 if (rc == HOST_FIND_AGAIN) return DEFER;
3244 *error = string_sprintf("failed to find IP address for %s", ss);
3245 return ERROR;
3246 }
3247
3248/* Almost all subsequent comparisons require the host name, and can be done
3249using the general string matching function. When this function is called for
3250outgoing hosts, the name is always given explicitly. If it is NULL, it means we
3251must use sender_host_name and its aliases, looking them up if necessary. */
3252
3253if (cb->host_name != NULL) /* Explicit host name given */
3254 return match_check_string(cb->host_name, ss, -1, TRUE, TRUE, TRUE,
3255 valueptr);
3256
3257/* Host name not given; in principle we need the sender host name and its
3258aliases. However, for query-style lookups, we do not need the name if the
3259query does not contain $sender_host_name. From release 4.23, a reference to
3260$sender_host_name causes it to be looked up, so we don't need to do the lookup
3261on spec. */
3262
3263if ((semicolon = Ustrchr(ss, ';')) != NULL)
3264 {
55414b25 3265 const uschar *affix;
059ec3d9
PH		 3266 int partial, affixlen, starflags, id;
3267
3268 *semicolon = 0;
3269 id = search_findtype_partial(ss, &partial, &affix, &affixlen, &starflags);
3270 *semicolon=';';
3271
3272 if (id < 0) /* Unknown lookup type */
3273 {
3274 log_write(0, LOG_MAIN|LOG_PANIC, "%s in host list item \"%s\"",
3275 search_error_message, ss);
3276 return DEFER;
3277 }
13b685f9 3278 isquery = mac_islookup(id, lookup_querystyle|lookup_absfilequery);
059ec3d9
PH		 3279 }
3280
3281if (isquery)
3282 {
3283 switch(match_check_string(US"", ss, -1, TRUE, TRUE, TRUE, valueptr))
3284 {
3285 case OK: return OK;
3286 case DEFER: return DEFER;
3287 default: return FAIL;
3288 }
3289 }
3290
3291/* Not a query-style lookup; must ensure the host name is present, and then we
3292do a check on the name and all its aliases. */
3293
3294if (sender_host_name == NULL)
3295 {
3296 HDEBUG(D_host_lookup)
3297 debug_printf("sender host name required, to match against %s\n", ss);
3298 if (host_lookup_failed || host_name_lookup() != OK)
3299 {
3300 *error = string_sprintf("failed to find host name for %s",
3301 sender_host_address);;
3302 return ERROR;
3303 }
3304 host_build_sender_fullhost();
3305 }
3306
3307/* Match on the sender host name, using the general matching function */
3308
3309switch(match_check_string(sender_host_name, ss, -1, TRUE, TRUE, TRUE,
3310 valueptr))
3311 {
3312 case OK: return OK;
3313 case DEFER: return DEFER;
3314 }
3315
3316/* If there are aliases, try matching on them. */
3317
3318aliases = sender_host_aliases;
3319while (*aliases != NULL)
3320 {
3321 switch(match_check_string(*aliases++, ss, -1, TRUE, TRUE, TRUE, valueptr))
3322 {
3323 case OK: return OK;
3324 case DEFER: return DEFER;
3325 }
3326 }
3327return FAIL;
3328}
3329
3330
3331
3332
3333/*************************************************
3334* Check a specific host matches a host list *
3335*************************************************/
3336
3337/* This function is passed a host list containing items in a number of
3338different formats and the identity of a host. Its job is to determine whether
3339the given host is in the set of hosts defined by the list. The host name is
3340passed as a pointer so that it can be looked up if needed and not already
3341known. This is commonly the case when called from verify_check_host() to check
3342an incoming connection. When called from elsewhere the host name should usually
3343be set.
3344
3345This function is now just a front end to match_check_list(), which runs common
3346code for scanning a list. We pass it the check_host() function to perform a
3347single test.
3348
3349Arguments:
3350 listptr pointer to the host list
3351 cache_bits pointer to cache for named lists, or NULL
3352 host_name the host name or NULL, implying use sender_host_name and
3353 sender_host_aliases, looking them up if required
3354 host_address the IP address
3355 valueptr if not NULL, data from a lookup is passed back here
3356
3357Returns: OK if the host is in the defined set
3358 FAIL if the host is not in the defined set,
3359 DEFER if a data lookup deferred (not a host lookup)
3360
3361If the host name was needed in order to make a comparison, and could not be
3362determined from the IP address, the result is FAIL unless the item
3363"+allow_unknown" was met earlier in the list, in which case OK is returned. */
3364
3365int
55414b25
JH		 3366verify_check_this_host(const uschar **listptr, unsigned int *cache_bits,
3367 const uschar *host_name, const uschar *host_address, const uschar **valueptr)
059ec3d9 3368{
d4eb88df 3369int rc;
059ec3d9 3370unsigned int *local_cache_bits = cache_bits;
55414b25 3371const uschar *save_host_address = deliver_host_address;
059ec3d9
PH		 3372check_host_block cb;
3373cb.host_name = host_name;
3374cb.host_address = host_address;
3375
3376if (valueptr != NULL) *valueptr = NULL;
3377
3378/* If the host address starts off ::ffff: it is an IPv6 address in
3379IPv4-compatible mode. Find the IPv4 part for checking against IPv4
3380addresses. */
3381
3382cb.host_ipv4 = (Ustrncmp(host_address, "::ffff:", 7) == 0)?
3383 host_address + 7 : host_address;
3384
8e669ac1
PH		 3385/* During the running of the check, put the IP address into $host_address. In
3386the case of calls from the smtp transport, it will already be there. However,
3387in other calls (e.g. when testing ignore_target_hosts), it won't. Just to be on
d4eb88df
PH		 3388the safe side, any existing setting is preserved, though as I write this
3389(November 2004) I can't see any cases where it is actually needed. */
3390
3391deliver_host_address = host_address;
3392rc = match_check_list(
3393 listptr, /* the list */
3394 0, /* separator character */
3395 &hostlist_anchor, /* anchor pointer */
3396 &local_cache_bits, /* cache pointer */
3397 check_host, /* function for testing */
3398 &cb, /* argument for function */
3399 MCL_HOST, /* type of check */
8e669ac1 3400 (host_address == sender_host_address)?
d4eb88df
PH		 3401 US"host" : host_address, /* text for debugging */
3402 valueptr); /* where to pass back data */
3403deliver_host_address = save_host_address;
8e669ac1 3404return rc;
059ec3d9
PH		 3405}
3406
3407
3408
3409
5130845b
JH		 3410/*************************************************
3411* Check the given host item matches a list *
3412*************************************************/
3413int
3414verify_check_given_host(uschar **listptr, host_item *host)
3415{
55414b25 3416return verify_check_this_host(CUSS listptr, NULL, host->name, host->address, NULL);
5130845b
JH		 3417}
3418
059ec3d9
PH		 3419/*************************************************
3420* Check the remote host matches a list *
3421*************************************************/
3422
3423/* This is a front end to verify_check_this_host(), created because checking
3424the remote host is a common occurrence. With luck, a good compiler will spot
3425the tail recursion and optimize it. If there's no host address, this is
3426command-line SMTP input - check against an empty string for the address.
3427
3428Arguments:
3429 listptr pointer to the host list
3430
3431Returns: the yield of verify_check_this_host(),
3432 i.e. OK, FAIL, or DEFER
3433*/
3434
3435int
3436verify_check_host(uschar **listptr)
3437{
55414b25 3438return verify_check_this_host(CUSS listptr, sender_host_cache, NULL,
059ec3d9
PH		 3439 (sender_host_address == NULL)? US"" : sender_host_address, NULL);
3440}
3441
3442
3443
3444
3445
3446/*************************************************
83e029d5 3447* Invert an IP address *
059ec3d9
PH		 3448*************************************************/
3449
83e029d5
PP		 3450/* Originally just used for DNS xBL lists, now also used for the
3451reverse_ip expansion operator.
3452
059ec3d9
PH		 3453Arguments:
3454 buffer where to put the answer
3455 address the address to invert
3456*/
3457
83e029d5 3458void
059ec3d9
PH		 3459invert_address(uschar *buffer, uschar *address)
3460{
3461int bin[4];
3462uschar *bptr = buffer;
3463
3464/* If this is an IPv4 address mapped into IPv6 format, adjust the pointer
3465to the IPv4 part only. */
3466
3467if (Ustrncmp(address, "::ffff:", 7) == 0) address += 7;
3468
3469/* Handle IPv4 address: when HAVE_IPV6 is false, the result of host_aton() is
3470always 1. */
3471
3472if (host_aton(address, bin) == 1)
3473 {
3474 int i;
3475 int x = bin[0];
3476 for (i = 0; i < 4; i++)
3477 {
3478 sprintf(CS bptr, "%d.", x & 255);
3479 while (*bptr) bptr++;
3480 x >>= 8;
3481 }
3482 }
3483
3484/* Handle IPv6 address. Actually, as far as I know, there are no IPv6 addresses
3485in any DNS black lists, and the format in which they will be looked up is
3486unknown. This is just a guess. */
3487
3488#if HAVE_IPV6
3489else
3490 {
3491 int i, j;
3492 for (j = 3; j >= 0; j--)
3493 {
3494 int x = bin[j];
3495 for (i = 0; i < 8; i++)
3496 {
3497 sprintf(CS bptr, "%x.", x & 15);
3498 while (*bptr) bptr++;
3499 x >>= 4;
3500 }
3501 }
3502 }
3503#endif
d6f6e0dc
PH		 3504
3505/* Remove trailing period -- this is needed so that both arbitrary
3506dnsbl keydomains and inverted addresses may be combined with the
3507same format string, "%s.%s" */
3508
3509*(--bptr) = 0;
059ec3d9
PH		 3510}
3511
3512
3513
0bcb2a0e
PH		 3514/*************************************************
3515* Perform a single dnsbl lookup *
3516*************************************************/
3517
d6f6e0dc
PH		 3518/* This function is called from verify_check_dnsbl() below. It is also called
3519recursively from within itself when domain and domain_txt are different
3520pointers, in order to get the TXT record from the alternate domain.
0bcb2a0e
PH		 3521
3522Arguments:
d6f6e0dc
PH		 3523 domain the outer dnsbl domain
3524 domain_txt alternate domain to lookup TXT record on success; when the
3525 same domain is to be used, domain_txt == domain (that is,
3526 the pointers must be identical, not just the text)
8e669ac1 3527 keydomain the current keydomain (for debug message)
d6f6e0dc
PH		 3528 prepend subdomain to lookup (like keydomain, but
3529 reversed if IP address)
3530 iplist the list of matching IP addresses, or NULL for "any"
8e669ac1 3531 bitmask true if bitmask matching is wanted
431b7361
PH		 3532 match_type condition for 'succeed' result
3533 0 => Any RR in iplist (=)
3534 1 => No RR in iplist (!=)
3535 2 => All RRs in iplist (==)
3536 3 => Some RRs not in iplist (!==)
3537 the two bits are defined as MT_NOT and MT_ALL
8e669ac1 3538 defer_return what to return for a defer
0bcb2a0e
PH		 3539
3540Returns: OK if lookup succeeded
3541 FAIL if not
3542*/
3543
3544static int
d6f6e0dc 3545one_check_dnsbl(uschar *domain, uschar *domain_txt, uschar *keydomain,
431b7361 3546 uschar *prepend, uschar *iplist, BOOL bitmask, int match_type,
d6f6e0dc 3547 int defer_return)
8e669ac1 3548{
0bcb2a0e
PH		 3549dns_answer dnsa;
3550dns_scan dnss;
3551tree_node *t;
3552dnsbl_cache_block *cb;
3553int old_pool = store_pool;
d6f6e0dc
PH		 3554uschar query[256]; /* DNS domain max length */
3555
3556/* Construct the specific query domainname */
3557
3558if (!string_format(query, sizeof(query), "%s.%s", prepend, domain))
3559 {
3560 log_write(0, LOG_MAIN|LOG_PANIC, "dnslist query is too long "
3561 "(ignored): %s...", query);
3562 return FAIL;
3563 }
0bcb2a0e
PH		 3564
3565/* Look for this query in the cache. */
3566
14b3c5bc
JH		 3567if ( (t = tree_search(dnsbl_cache, query))
3568 && (cb = t->data.ptr)->expiry > time(NULL)
3569 )
3570
3571/* Previous lookup was cached */
3572
3573 {
3574 HDEBUG(D_dnsbl) debug_printf("using result of previous DNS lookup\n");
3575 }
0bcb2a0e
PH		 3576
3577/* If not cached from a previous lookup, we must do a DNS lookup, and
3578cache the result in permanent memory. */
3579
14b3c5bc 3580else
0bcb2a0e 3581 {
e162fc97 3582 uint ttl = 3600;
14b3c5bc 3583
0bcb2a0e
PH		 3584 store_pool = POOL_PERM;
3585
14b3c5bc
JH		 3586 if (t)
3587 {
3588 HDEBUG(D_dnsbl) debug_printf("cached data found but past valid time; ");
3589 }
0bcb2a0e 3590
14b3c5bc
JH		 3591 else
3592 { /* Set up a tree entry to cache the lookup */
3593 t = store_get(sizeof(tree_node) + Ustrlen(query));
3594 Ustrcpy(t->name, query);
3595 t->data.ptr = cb = store_get(sizeof(dnsbl_cache_block));
3596 (void)tree_insertnode(&dnsbl_cache, t);
3597 }
0bcb2a0e
PH		 3598
3599 /* Do the DNS loopup . */
3600
3601 HDEBUG(D_dnsbl) debug_printf("new DNS lookup for %s\n", query);
3602 cb->rc = dns_basic_lookup(&dnsa, query, T_A);
3603 cb->text_set = FALSE;
3604 cb->text = NULL;
3605 cb->rhs = NULL;
3606
3607 /* If the lookup succeeded, cache the RHS address. The code allows for
3608 more than one address - this was for complete generality and the possible
3609 use of A6 records. However, A6 records have been reduced to experimental
3610 status (August 2001) and may die out. So they may never get used at all,
3611 let alone in dnsbl records. However, leave the code here, just in case.
3612
3613 Quite apart from one A6 RR generating multiple addresses, there are DNS
3614 lists that return more than one A record, so we must handle multiple
e162fc97
JH		 3615 addresses generated in that way as well.
3616
3617 Mark the cache entry with the "now" plus the minimum of the address TTLs,
3618 or some suitably far-future time if none were found. */
0bcb2a0e
PH		 3619
3620 if (cb->rc == DNS_SUCCEED)
3621 {
3622 dns_record *rr;
3623 dns_address **addrp = &(cb->rhs);
3624 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
e1a3f32f 3625 rr;
0bcb2a0e
PH		 3626 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
3627 {
3628 if (rr->type == T_A)
3629 {
3630 dns_address *da = dns_address_from_rr(&dnsa, rr);
e1a3f32f 3631 if (da)
0bcb2a0e
PH		 3632 {
3633 *addrp = da;
3634 while (da->next != NULL) da = da->next;
3635 addrp = &(da->next);
14b3c5bc 3636 if (ttl > rr->ttl) ttl = rr->ttl;
0bcb2a0e
PH		 3637 }
3638 }
3639 }
3640
3641 /* If we didn't find any A records, change the return code. This can
3642 happen when there is a CNAME record but there are no A records for what
3643 it points to. */
3644
3645 if (cb->rhs == NULL) cb->rc = DNS_NODATA;
3646 }
3647
14b3c5bc 3648 cb->expiry = time(NULL)+ttl;
0bcb2a0e
PH		 3649 store_pool = old_pool;
3650 }
3651
0bcb2a0e
PH		 3652/* We now have the result of the DNS lookup, either newly done, or cached
3653from a previous call. If the lookup succeeded, check against the address
3654list if there is one. This may be a positive equality list (introduced by
3655"="), a negative equality list (introduced by "!="), a positive bitmask
3656list (introduced by "&"), or a negative bitmask list (introduced by "!&").*/
3657
3658if (cb->rc == DNS_SUCCEED)
3659 {
3660 dns_address *da = NULL;
3661 uschar *addlist = cb->rhs->address;
3662
3663 /* For A and AAAA records, there may be multiple addresses from multiple
3664 records. For A6 records (currently not expected to be used) there may be
3665 multiple addresses from a single record. */
3666
3667 for (da = cb->rhs->next; da != NULL; da = da->next)
3668 addlist = string_sprintf("%s, %s", addlist, da->address);
3669
3670 HDEBUG(D_dnsbl) debug_printf("DNS lookup for %s succeeded (yielding %s)\n",
3671 query, addlist);
3672
3673 /* Address list check; this can be either for equality, or via a bitmask.
3674 In the latter case, all the bits must match. */
3675
3676 if (iplist != NULL)
3677 {
431b7361 3678 for (da = cb->rhs; da != NULL; da = da->next)
0bcb2a0e 3679 {
431b7361
PH		 3680 int ipsep = ',';
3681 uschar ip[46];
55414b25 3682 const uschar *ptr = iplist;
431b7361
PH		 3683 uschar *res;
3684
0bcb2a0e 3685 /* Handle exact matching */
431b7361 3686
0bcb2a0e
PH		 3687 if (!bitmask)
3688 {
431b7361 3689 while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))) != NULL)
0bcb2a0e
PH		 3690 {
3691 if (Ustrcmp(CS da->address, ip) == 0) break;
3692 }
3693 }
431b7361 3694
0bcb2a0e 3695 /* Handle bitmask matching */
431b7361 3696
0bcb2a0e
PH		 3697 else
3698 {
3699 int address[4];
3700 int mask = 0;
3701
3702 /* At present, all known DNS blocking lists use A records, with
3703 IPv4 addresses on the RHS encoding the information they return. I
3704 wonder if this will linger on as the last vestige of IPv4 when IPv6
3705 is ubiquitous? Anyway, for now we use paranoia code to completely
3706 ignore IPv6 addresses. The default mask is 0, which always matches.
3707 We change this only for IPv4 addresses in the list. */
3708
431b7361 3709 if (host_aton(da->address, address) == 1) mask = address[0];
0bcb2a0e
PH		 3710
3711 /* Scan the returned addresses, skipping any that are IPv6 */
3712
431b7361 3713 while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))) != NULL)
0bcb2a0e 3714 {
431b7361
PH		 3715 if (host_aton(ip, address) != 1) continue;
3716 if ((address[0] & mask) == address[0]) break;
0bcb2a0e
PH		 3717 }
3718 }
3719
431b7361
PH		 3720 /* If either
3721
3722 (a) An IP address in an any ('=') list matched, or
3723 (b) No IP address in an all ('==') list matched
0bcb2a0e 3724
431b7361
PH		 3725 then we're done searching. */
3726
3727 if (((match_type & MT_ALL) != 0) == (res == NULL)) break;
0bcb2a0e
PH		 3728 }
3729
431b7361 3730 /* If da == NULL, either
0bcb2a0e 3731
431b7361
PH		 3732 (a) No IP address in an any ('=') list matched, or
3733 (b) An IP address in an all ('==') list didn't match
0bcb2a0e 3734
431b7361
PH		 3735 so behave as if the DNSBL lookup had not succeeded, i.e. the host is not on
3736 the list. */
0bcb2a0e 3737
431b7361 3738 if ((match_type == MT_NOT || match_type == MT_ALL) != (da == NULL))
0bcb2a0e
PH		 3739 {
3740 HDEBUG(D_dnsbl)
3741 {
431b7361
PH		 3742 uschar *res = NULL;
3743 switch(match_type)
3744 {
3745 case 0:
3746 res = US"was no match";
3747 break;
3748 case MT_NOT:
3749 res = US"was an exclude match";
3750 break;
3751 case MT_ALL:
3752 res = US"was an IP address that did not match";
3753 break;
3754 case MT_NOT|MT_ALL:
3755 res = US"were no IP addresses that did not match";
3756 break;
3757 }
0bcb2a0e 3758 debug_printf("=> but we are not accepting this block class because\n");
431b7361
PH		 3759 debug_printf("=> there %s for %s%c%s\n",
3760 res,
3761 ((match_type & MT_ALL) == 0)? "" : "=",
3762 bitmask? '&' : '=', iplist);
0bcb2a0e 3763 }
8e669ac1 3764 return FAIL;
0bcb2a0e
PH		 3765 }
3766 }
3767
d6f6e0dc
PH		 3768 /* Either there was no IP list, or the record matched, implying that the
3769 domain is on the list. We now want to find a corresponding TXT record. If an
3770 alternate domain is specified for the TXT record, call this function
3771 recursively to look that up; this has the side effect of re-checking that
3772 there is indeed an A record at the alternate domain. */
3773
3774 if (domain_txt != domain)
3775 return one_check_dnsbl(domain_txt, domain_txt, keydomain, prepend, NULL,
431b7361 3776 FALSE, match_type, defer_return);
d6f6e0dc
PH		 3777
3778 /* If there is no alternate domain, look up a TXT record in the main domain
3779 if it has not previously been cached. */
0bcb2a0e
PH		 3780
3781 if (!cb->text_set)
3782 {
3783 cb->text_set = TRUE;
3784 if (dns_basic_lookup(&dnsa, query, T_TXT) == DNS_SUCCEED)
3785 {
3786 dns_record *rr;
3787 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
3788 rr != NULL;
3789 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
3790 if (rr->type == T_TXT) break;
3791 if (rr != NULL)
3792 {
3793 int len = (rr->data)[0];
3794 if (len > 511) len = 127;
3795 store_pool = POOL_PERM;
3796 cb->text = string_sprintf("%.*s", len, (const uschar *)(rr->data+1));
3797 store_pool = old_pool;
3798 }
3799 }
3800 }
3801
3802 dnslist_value = addlist;
3803 dnslist_text = cb->text;
3804 return OK;
3805 }
3806
3807/* There was a problem with the DNS lookup */
3808
3809if (cb->rc != DNS_NOMATCH && cb->rc != DNS_NODATA)
3810 {
3811 log_write(L_dnslist_defer, LOG_MAIN,
3812 "DNS list lookup defer (probably timeout) for %s: %s", query,
3813 (defer_return == OK)? US"assumed in list" :
3814 (defer_return == FAIL)? US"assumed not in list" :
3815 US"returned DEFER");
3816 return defer_return;
3817 }
3818
3819/* No entry was found in the DNS; continue for next domain */
3820
3821HDEBUG(D_dnsbl)
3822 {
3823 debug_printf("DNS lookup for %s failed\n", query);
3824 debug_printf("=> that means %s is not listed at %s\n",
3825 keydomain, domain);
3826 }
3827
3828return FAIL;
3829}
3830
3831
3832
3833
059ec3d9
PH		 3834/*************************************************
3835* Check host against DNS black lists *
3836*************************************************/
3837
3838/* This function runs checks against a list of DNS black lists, until one
3839matches. Each item on the list can be of the form
3840
3841 domain=ip-address/key
3842
3843The domain is the right-most domain that is used for the query, for example,
3844blackholes.mail-abuse.org. If the IP address is present, there is a match only
3845if the DNS lookup returns a matching IP address. Several addresses may be
3846given, comma-separated, for example: x.y.z=127.0.0.1,127.0.0.2.
3847
3848If no key is given, what is looked up in the domain is the inverted IP address
3849of the current client host. If a key is given, it is used to construct the
d6f6e0dc 3850domain for the lookup. For example:
059ec3d9
PH		 3851
3852 dsn.rfc-ignorant.org/$sender_address_domain
3853
3854After finding a match in the DNS, the domain is placed in $dnslist_domain, and
3855then we check for a TXT record for an error message, and if found, save its
3856value in $dnslist_text. We also cache everything in a tree, to optimize
3857multiple lookups.
3858
d6f6e0dc
PH		 3859The TXT record is normally looked up in the same domain as the A record, but
3860when many lists are combined in a single DNS domain, this will not be a very
3861specific message. It is possible to specify a different domain for looking up
3862TXT records; this is given before the main domain, comma-separated. For
3863example:
3864
3865 dnslists = http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \
3866 socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3
3867
3868The caching ensures that only one lookup in dnsbl.sorbs.net is done.
3869
059ec3d9
PH		 3870Note: an address for testing RBL is 192.203.178.39
3871Note: an address for testing DUL is 192.203.178.4
3872Note: a domain for testing RFCI is example.tld.dsn.rfc-ignorant.org
3873
3874Arguments:
379ba7d0 3875 where the acl type
059ec3d9 3876 listptr the domain/address/data list
379ba7d0 3877 log_msgptr log message on error
059ec3d9
PH		 3878
3879Returns: OK successful lookup (i.e. the address is on the list), or
3880 lookup deferred after +include_unknown
3881 FAIL name not found, or no data found for the given type, or
3882 lookup deferred after +exclude_unknown (default)
3883 DEFER lookup failure, if +defer_unknown was set
3884*/
3885
3886int
379ba7d0 3887verify_check_dnsbl(int where, const uschar ** listptr, uschar ** log_msgptr)
059ec3d9
PH		 3888{
3889int sep = 0;
3890int defer_return = FAIL;
55414b25 3891const uschar *list = *listptr;
059ec3d9
PH		 3892uschar *domain;
3893uschar *s;
3894uschar buffer[1024];
059ec3d9
PH		 3895uschar revadd[128]; /* Long enough for IPv6 address */
3896
3897/* Indicate that the inverted IP address is not yet set up */
3898
3899revadd[0] = 0;
3900
0bcb2a0e
PH		 3901/* In case this is the first time the DNS resolver is being used. */
3902
8c51eead 3903dns_init(FALSE, FALSE, FALSE); /*XXX dnssec? */
0bcb2a0e 3904
059ec3d9
PH		 3905/* Loop through all the domains supplied, until something matches */
3906
3907while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
3908 {
0bcb2a0e 3909 int rc;
059ec3d9 3910 BOOL bitmask = FALSE;
431b7361 3911 int match_type = 0;
d6f6e0dc
PH		 3912 uschar *domain_txt;
3913 uschar *comma;
059ec3d9
PH		 3914 uschar *iplist;
3915 uschar *key;
059ec3d9
PH		 3916
3917 HDEBUG(D_dnsbl) debug_printf("DNS list check: %s\n", domain);
3918
3919 /* Deal with special values that change the behaviour on defer */
3920
3921 if (domain[0] == '+')
3922 {
3923 if (strcmpic(domain, US"+include_unknown") == 0) defer_return = OK;
3924 else if (strcmpic(domain, US"+exclude_unknown") == 0) defer_return = FAIL;
3925 else if (strcmpic(domain, US"+defer_unknown") == 0) defer_return = DEFER;
3926 else
3927 log_write(0, LOG_MAIN|LOG_PANIC, "unknown item in dnslist (ignored): %s",
3928 domain);
3929 continue;
3930 }
3931
3932 /* See if there's explicit data to be looked up */
3933
379ba7d0 3934 if ((key = Ustrchr(domain, '/'))) *key++ = 0;
059ec3d9
PH		 3935
3936 /* See if there's a list of addresses supplied after the domain name. This is
431b7361
PH		 3937 introduced by an = or a & character; if preceded by = we require all matches
3938 and if preceded by ! we invert the result. */
059ec3d9 3939
379ba7d0 3940 if (!(iplist = Ustrchr(domain, '=')))
059ec3d9
PH		 3941 {
3942 bitmask = TRUE;
3943 iplist = Ustrchr(domain, '&');
3944 }
3945
379ba7d0 3946 if (iplist) /* Found either = or & */
059ec3d9 3947 {
431b7361 3948 if (iplist > domain && iplist[-1] == '!') /* Handle preceding ! */
059ec3d9 3949 {
431b7361 3950 match_type |= MT_NOT;
059ec3d9
PH		 3951 iplist[-1] = 0;
3952 }
431b7361
PH		 3953
3954 *iplist++ = 0; /* Terminate domain, move on */
3955
3956 /* If we found = (bitmask == FALSE), check for == or =& */
3957
3958 if (!bitmask && (*iplist == '=' || *iplist == '&'))
3959 {
3960 bitmask = *iplist++ == '&';
3961 match_type |= MT_ALL;
3962 }
059ec3d9
PH		 3963 }
3964
379ba7d0 3965
d6f6e0dc
PH		 3966 /* If there is a comma in the domain, it indicates that a second domain for
3967 looking up TXT records is provided, before the main domain. Otherwise we must
3968 set domain_txt == domain. */
3969
3970 domain_txt = domain;
3971 comma = Ustrchr(domain, ',');
3972 if (comma != NULL)
3973 {
3974 *comma++ = 0;
3975 domain = comma;
3976 }
3977
059ec3d9
PH		 3978 /* Check that what we have left is a sensible domain name. There is no reason
3979 why these domains should in fact use the same syntax as hosts and email
3980 domains, but in practice they seem to. However, there is little point in
3981 actually causing an error here, because that would no doubt hold up incoming
3982 mail. Instead, I'll just log it. */
3983
3984 for (s = domain; *s != 0; s++)
3985 {
09dcaba9 3986 if (!isalnum(*s) && *s != '-' && *s != '.' && *s != '_')
059ec3d9
PH		 3987 {
3988 log_write(0, LOG_MAIN, "dnslists domain \"%s\" contains "
3989 "strange characters - is this right?", domain);
3990 break;
3991 }
3992 }
3993
d6f6e0dc
PH		 3994 /* Check the alternate domain if present */
3995
3996 if (domain_txt != domain) for (s = domain_txt; *s != 0; s++)
3997 {
09dcaba9 3998 if (!isalnum(*s) && *s != '-' && *s != '.' && *s != '_')
d6f6e0dc
PH		 3999 {
4000 log_write(0, LOG_MAIN, "dnslists domain \"%s\" contains "
4001 "strange characters - is this right?", domain_txt);
4002 break;
4003 }
4004 }
4005
8e669ac1 4006 /* If there is no key string, construct the query by adding the domain name
0bcb2a0e 4007 onto the inverted host address, and perform a single DNS lookup. */
8e669ac1 4008
059ec3d9
PH		 4009 if (key == NULL)
4010 {
379ba7d0
JH		 4011 if (where == ACL_WHERE_NOTSMTP_START || where == ACL_WHERE_NOTSMTP)
4012 {
4013 *log_msgptr = string_sprintf
4014 ("cannot test auto-keyed dnslists condition in %s ACL",
4015 acl_wherenames[where]);
4016 return ERROR;
4017 }
059ec3d9
PH		 4018 if (sender_host_address == NULL) return FAIL; /* can never match */
4019 if (revadd[0] == 0) invert_address(revadd, sender_host_address);
d6f6e0dc 4020 rc = one_check_dnsbl(domain, domain_txt, sender_host_address, revadd,
431b7361 4021 iplist, bitmask, match_type, defer_return);
0bcb2a0e
PH		 4022 if (rc == OK)
4023 {
d6f6e0dc 4024 dnslist_domain = string_copy(domain_txt);
93655c46 4025 dnslist_matched = string_copy(sender_host_address);
8e669ac1 4026 HDEBUG(D_dnsbl) debug_printf("=> that means %s is listed at %s\n",
d6f6e0dc 4027 sender_host_address, dnslist_domain);
0bcb2a0e 4028 }
0bcb2a0e 4029 if (rc != FAIL) return rc; /* OK or DEFER */
059ec3d9 4030 }
8e669ac1
PH		 4031
4032 /* If there is a key string, it can be a list of domains or IP addresses to
0bcb2a0e 4033 be concatenated with the main domain. */
8e669ac1 4034
059ec3d9
PH		 4035 else
4036 {
0bcb2a0e 4037 int keysep = 0;
8e669ac1
PH		 4038 BOOL defer = FALSE;
4039 uschar *keydomain;
0bcb2a0e 4040 uschar keybuffer[256];
d6f6e0dc 4041 uschar keyrevadd[128];
8e669ac1 4042
55414b25 4043 while ((keydomain = string_nextinlist(CUSS &key, &keysep, keybuffer,
0bcb2a0e 4044 sizeof(keybuffer))) != NULL)
8e669ac1 4045 {
d6f6e0dc
PH		 4046 uschar *prepend = keydomain;
4047
7e66e54d 4048 if (string_is_ip_address(keydomain, NULL) != 0)
059ec3d9 4049 {
0bcb2a0e 4050 invert_address(keyrevadd, keydomain);
d6f6e0dc 4051 prepend = keyrevadd;
059ec3d9 4052 }
8e669ac1 4053
d6f6e0dc 4054 rc = one_check_dnsbl(domain, domain_txt, keydomain, prepend, iplist,
431b7361 4055 bitmask, match_type, defer_return);
8e669ac1 4056
0bcb2a0e 4057 if (rc == OK)
059ec3d9 4058 {
d6f6e0dc 4059 dnslist_domain = string_copy(domain_txt);
93655c46 4060 dnslist_matched = string_copy(keydomain);
8e669ac1 4061 HDEBUG(D_dnsbl) debug_printf("=> that means %s is listed at %s\n",
d6f6e0dc 4062 keydomain, dnslist_domain);
8e669ac1 4063 return OK;
059ec3d9 4064 }
8e669ac1 4065
c38d6da9
PH		 4066 /* If the lookup deferred, remember this fact. We keep trying the rest
4067 of the list to see if we get a useful result, and if we don't, we return
4068 DEFER at the end. */
059ec3d9 4069
c38d6da9 4070 if (rc == DEFER) defer = TRUE;
0bcb2a0e 4071 } /* continue with next keystring domain/address */
c38d6da9
PH		 4072
4073 if (defer) return DEFER;
8e669ac1 4074 }
0bcb2a0e 4075 } /* continue with next dnsdb outer domain */
059ec3d9
PH		 4076
4077return FAIL;
4078}
4079
511a6c14
JH		 4080/* vi: aw ai sw=2
4081*/
059ec3d9 4082/* End of verify.c */
Unnamed repository; edit this file 'description' to name the repository.