tidying
[exim.git] / src / src / verify.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
80fea873 5/* Copyright (c) University of Cambridge 1995 - 2016 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Functions concerned with verifying things. The original code for callout
9caching was contributed by Kevin Fleming (but I hacked it around a bit). */
10
11
12#include "exim.h"
817d9f57 13#include "transports/smtp.h"
059ec3d9 14
e4bdf652
JH
15#define CUTTHROUGH_CMD_TIMEOUT 30 /* timeout for cutthrough-routing calls */
16#define CUTTHROUGH_DATA_TIMEOUT 60 /* timeout for cutthrough-routing calls */
817d9f57
JH
17static smtp_outblock ctblock;
18uschar ctbuffer[8192];
19
059ec3d9
PH
20
21/* Structure for caching DNSBL lookups */
22
23typedef struct dnsbl_cache_block {
14b3c5bc 24 time_t expiry;
059ec3d9
PH
25 dns_address *rhs;
26 uschar *text;
27 int rc;
28 BOOL text_set;
29} dnsbl_cache_block;
30
31
32/* Anchor for DNSBL cache */
33
34static tree_node *dnsbl_cache = NULL;
35
36
431b7361
PH
37/* Bits for match_type in one_check_dnsbl() */
38
39#define MT_NOT 1
40#define MT_ALL 2
41
5032d1cf 42static uschar cutthrough_response(char, uschar **);
431b7361 43
059ec3d9
PH
44
45/*************************************************
46* Retrieve a callout cache record *
47*************************************************/
48
49/* If a record exists, check whether it has expired.
50
51Arguments:
52 dbm_file an open hints file
53 key the record key
54 type "address" or "domain"
55 positive_expire expire time for positive records
56 negative_expire expire time for negative records
57
58Returns: the cache record if a non-expired one exists, else NULL
59*/
60
61static dbdata_callout_cache *
55414b25 62get_callout_cache_record(open_db *dbm_file, const uschar *key, uschar *type,
059ec3d9
PH
63 int positive_expire, int negative_expire)
64{
65BOOL negative;
66int length, expire;
67time_t now;
68dbdata_callout_cache *cache_record;
69
70cache_record = dbfn_read_with_length(dbm_file, key, &length);
71
72if (cache_record == NULL)
73 {
6f4d5ad3 74 HDEBUG(D_verify) debug_printf("callout cache: no %s record found for %s\n", type, key);
059ec3d9
PH
75 return NULL;
76 }
77
78/* We treat a record as "negative" if its result field is not positive, or if
79it is a domain record and the postmaster field is negative. */
80
81negative = cache_record->result != ccache_accept ||
82 (type[0] == 'd' && cache_record->postmaster_result == ccache_reject);
83expire = negative? negative_expire : positive_expire;
84now = time(NULL);
85
86if (now - cache_record->time_stamp > expire)
87 {
6f4d5ad3 88 HDEBUG(D_verify) debug_printf("callout cache: %s record expired for %s\n", type, key);
059ec3d9
PH
89 return NULL;
90 }
91
92/* If this is a non-reject domain record, check for the obsolete format version
93that doesn't have the postmaster and random timestamps, by looking at the
94length. If so, copy it to a new-style block, replicating the record's
95timestamp. Then check the additional timestamps. (There's no point wasting
96effort if connections are rejected.) */
97
98if (type[0] == 'd' && cache_record->result != ccache_reject)
99 {
100 if (length == sizeof(dbdata_callout_cache_obs))
101 {
102 dbdata_callout_cache *new = store_get(sizeof(dbdata_callout_cache));
103 memcpy(new, cache_record, length);
104 new->postmaster_stamp = new->random_stamp = new->time_stamp;
105 cache_record = new;
106 }
107
108 if (now - cache_record->postmaster_stamp > expire)
109 cache_record->postmaster_result = ccache_unknown;
110
111 if (now - cache_record->random_stamp > expire)
112 cache_record->random_result = ccache_unknown;
113 }
114
6f4d5ad3 115HDEBUG(D_verify) debug_printf("callout cache: found %s record for %s\n", type, key);
059ec3d9
PH
116return cache_record;
117}
118
119
120
121/*************************************************
122* Do callout verification for an address *
123*************************************************/
124
125/* This function is called from verify_address() when the address has routed to
126a host list, and a callout has been requested. Callouts are expensive; that is
127why a cache is used to improve the efficiency.
128
129Arguments:
130 addr the address that's been routed
131 host_list the list of hosts to try
132 tf the transport feedback block
133
134 ifstring "interface" option from transport, or NULL
135 portstring "port" option from transport, or NULL
136 protocolstring "protocol" option from transport, or NULL
137 callout the per-command callout timeout
4deaf07d
PH
138 callout_overall the overall callout timeout (if < 0 use 4*callout)
139 callout_connect the callout connection timeout (if < 0 use callout)
059ec3d9
PH
140 options the verification options - these bits are used:
141 vopt_is_recipient => this is a recipient address
142 vopt_callout_no_cache => don't use callout cache
2a4be8f9 143 vopt_callout_fullpm => if postmaster check, do full one
059ec3d9
PH
144 vopt_callout_random => do the "random" thing
145 vopt_callout_recipsender => use real sender for recipient
146 vopt_callout_recippmaster => use postmaster for recipient
147 se_mailfrom MAIL FROM address for sender verify; NULL => ""
148 pm_mailfrom if non-NULL, do the postmaster check with this sender
149
150Returns: OK/FAIL/DEFER
151*/
152
153static int
154do_callout(address_item *addr, host_item *host_list, transport_feedback *tf,
8e669ac1 155 int callout, int callout_overall, int callout_connect, int options,
4deaf07d 156 uschar *se_mailfrom, uschar *pm_mailfrom)
059ec3d9 157{
059ec3d9 158int yield = OK;
2b1c6e3a 159int old_domain_cache_result = ccache_accept;
059ec3d9
PH
160BOOL done = FALSE;
161uschar *address_key;
162uschar *from_address;
163uschar *random_local_part = NULL;
55414b25 164const uschar *save_deliver_domain = deliver_domain;
8b9476ba
JH
165uschar **failure_ptr = options & vopt_is_recipient
166 ? &recipient_verify_failure : &sender_verify_failure;
059ec3d9
PH
167open_db dbblock;
168open_db *dbm_file = NULL;
169dbdata_callout_cache new_domain_record;
170dbdata_callout_cache_address new_address_record;
171host_item *host;
172time_t callout_start_time;
9094b84b 173uschar peer_offered = 0;
059ec3d9
PH
174
175new_domain_record.result = ccache_unknown;
176new_domain_record.postmaster_result = ccache_unknown;
177new_domain_record.random_result = ccache_unknown;
178
179memset(&new_address_record, 0, sizeof(new_address_record));
180
181/* For a recipient callout, the key used for the address cache record must
182include the sender address if we are using the real sender in the callout,
183because that may influence the result of the callout. */
184
185address_key = addr->address;
186from_address = US"";
187
8b9476ba 188if (options & vopt_is_recipient)
059ec3d9 189 {
5032d1cf 190 if (options & vopt_callout_recipsender)
059ec3d9
PH
191 {
192 address_key = string_sprintf("%s/<%s>", addr->address, sender_address);
193 from_address = sender_address;
8b9476ba 194 if (cutthrough.delivery) options |= vopt_callout_no_cache;
059ec3d9 195 }
5032d1cf 196 else if (options & vopt_callout_recippmaster)
059ec3d9
PH
197 {
198 address_key = string_sprintf("%s/<postmaster@%s>", addr->address,
199 qualify_domain_sender);
200 from_address = string_sprintf("postmaster@%s", qualify_domain_sender);
201 }
202 }
203
204/* For a sender callout, we must adjust the key if the mailfrom address is not
205empty. */
206
207else
208 {
209 from_address = (se_mailfrom == NULL)? US"" : se_mailfrom;
210 if (from_address[0] != 0)
211 address_key = string_sprintf("%s/<%s>", addr->address, from_address);
212 }
213
214/* Open the callout cache database, it it exists, for reading only at this
215stage, unless caching has been disabled. */
216
8b9476ba 217if (options & vopt_callout_no_cache)
059ec3d9
PH
218 {
219 HDEBUG(D_verify) debug_printf("callout cache: disabled by no_cache\n");
220 }
221else if ((dbm_file = dbfn_open(US"callout", O_RDWR, &dbblock, FALSE)) == NULL)
222 {
223 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
224 }
225
226/* If a cache database is available see if we can avoid the need to do an
227actual callout by making use of previously-obtained data. */
228
229if (dbm_file != NULL)
230 {
231 dbdata_callout_cache_address *cache_address_record;
232 dbdata_callout_cache *cache_record = get_callout_cache_record(dbm_file,
233 addr->domain, US"domain",
234 callout_cache_domain_positive_expire,
235 callout_cache_domain_negative_expire);
236
237 /* If an unexpired cache record was found for this domain, see if the callout
238 process can be short-circuited. */
239
240 if (cache_record != NULL)
241 {
2b1c6e3a
PH
242 /* In most cases, if an early command (up to and including MAIL FROM:<>)
243 was rejected, there is no point carrying on. The callout fails. However, if
244 we are doing a recipient verification with use_sender or use_postmaster
245 set, a previous failure of MAIL FROM:<> doesn't count, because this time we
246 will be using a non-empty sender. We have to remember this situation so as
247 not to disturb the cached domain value if this whole verification succeeds
248 (we don't want it turning into "accept"). */
249
250 old_domain_cache_result = cache_record->result;
251
252 if (cache_record->result == ccache_reject ||
253 (*from_address == 0 && cache_record->result == ccache_reject_mfnull))
059ec3d9
PH
254 {
255 setflag(addr, af_verify_nsfail);
256 HDEBUG(D_verify)
257 debug_printf("callout cache: domain gave initial rejection, or "
258 "does not accept HELO or MAIL FROM:<>\n");
259 setflag(addr, af_verify_nsfail);
260 addr->user_message = US"(result of an earlier callout reused).";
261 yield = FAIL;
8e669ac1 262 *failure_ptr = US"mail";
059ec3d9
PH
263 goto END_CALLOUT;
264 }
265
266 /* If a previous check on a "random" local part was accepted, we assume
267 that the server does not do any checking on local parts. There is therefore
268 no point in doing the callout, because it will always be successful. If a
269 random check previously failed, arrange not to do it again, but preserve
270 the data in the new record. If a random check is required but hasn't been
271 done, skip the remaining cache processing. */
272
8b9476ba 273 if (options & vopt_callout_random) switch(cache_record->random_result)
059ec3d9
PH
274 {
275 case ccache_accept:
8b9476ba
JH
276 HDEBUG(D_verify)
277 debug_printf("callout cache: domain accepts random addresses\n");
278 goto END_CALLOUT; /* Default yield is OK */
059ec3d9
PH
279
280 case ccache_reject:
8b9476ba
JH
281 HDEBUG(D_verify)
282 debug_printf("callout cache: domain rejects random addresses\n");
283 options &= ~vopt_callout_random;
284 new_domain_record.random_result = ccache_reject;
285 new_domain_record.random_stamp = cache_record->random_stamp;
286 break;
059ec3d9
PH
287
288 default:
8b9476ba
JH
289 HDEBUG(D_verify)
290 debug_printf("callout cache: need to check random address handling "
291 "(not cached or cache expired)\n");
292 goto END_CACHE;
059ec3d9
PH
293 }
294
295 /* If a postmaster check is requested, but there was a previous failure,
296 there is again no point in carrying on. If a postmaster check is required,
297 but has not been done before, we are going to have to do a callout, so skip
298 remaining cache processing. */
299
300 if (pm_mailfrom != NULL)
301 {
302 if (cache_record->postmaster_result == ccache_reject)
303 {
304 setflag(addr, af_verify_pmfail);
305 HDEBUG(D_verify)
306 debug_printf("callout cache: domain does not accept "
307 "RCPT TO:<postmaster@domain>\n");
308 yield = FAIL;
8e669ac1 309 *failure_ptr = US"postmaster";
059ec3d9
PH
310 setflag(addr, af_verify_pmfail);
311 addr->user_message = US"(result of earlier verification reused).";
312 goto END_CALLOUT;
313 }
314 if (cache_record->postmaster_result == ccache_unknown)
315 {
316 HDEBUG(D_verify)
317 debug_printf("callout cache: need to check RCPT "
318 "TO:<postmaster@domain> (not cached or cache expired)\n");
319 goto END_CACHE;
320 }
321
322 /* If cache says OK, set pm_mailfrom NULL to prevent a redundant
323 postmaster check if the address itself has to be checked. Also ensure
324 that the value in the cache record is preserved (with its old timestamp).
325 */
326
327 HDEBUG(D_verify) debug_printf("callout cache: domain accepts RCPT "
328 "TO:<postmaster@domain>\n");
329 pm_mailfrom = NULL;
330 new_domain_record.postmaster_result = ccache_accept;
331 new_domain_record.postmaster_stamp = cache_record->postmaster_stamp;
332 }
333 }
334
335 /* We can't give a result based on information about the domain. See if there
336 is an unexpired cache record for this specific address (combined with the
337 sender address if we are doing a recipient callout with a non-empty sender).
338 */
339
340 cache_address_record = (dbdata_callout_cache_address *)
341 get_callout_cache_record(dbm_file,
342 address_key, US"address",
343 callout_cache_positive_expire,
344 callout_cache_negative_expire);
345
346 if (cache_address_record != NULL)
347 {
348 if (cache_address_record->result == ccache_accept)
349 {
350 HDEBUG(D_verify)
351 debug_printf("callout cache: address record is positive\n");
352 }
353 else
354 {
355 HDEBUG(D_verify)
356 debug_printf("callout cache: address record is negative\n");
357 addr->user_message = US"Previous (cached) callout verification failure";
8e669ac1 358 *failure_ptr = US"recipient";
059ec3d9
PH
359 yield = FAIL;
360 }
361 goto END_CALLOUT;
362 }
363
364 /* Close the cache database while we actually do the callout for real. */
365
366 END_CACHE:
367 dbfn_close(dbm_file);
368 dbm_file = NULL;
369 }
370
193e3acd 371if (!addr->transport)
059ec3d9 372 {
193e3acd 373 HDEBUG(D_verify) debug_printf("cannot callout via null transport\n");
059ec3d9 374 }
6681531a
HSHR
375else if (Ustrcmp(addr->transport->driver_name, "smtp") != 0)
376 log_write(0, LOG_MAIN|LOG_PANIC|LOG_CONFIG_FOR, "callout transport '%s': %s is non-smtp",
377 addr->transport->name, addr->transport->driver_name);
193e3acd
JH
378else
379 {
380 smtp_transport_options_block *ob =
9d9c3746 381 (smtp_transport_options_block *)addr->transport->options_block;
059ec3d9 382
193e3acd
JH
383 /* The information wasn't available in the cache, so we have to do a real
384 callout and save the result in the cache for next time, unless no_cache is set,
385 or unless we have a previously cached negative random result. If we are to test
386 with a random local part, ensure that such a local part is available. If not,
387 log the fact, but carry on without randomming. */
059ec3d9 388
8b9476ba 389 if (options & vopt_callout_random && callout_random_local_part != NULL)
65f1c92a 390 if (!(random_local_part = expand_string(callout_random_local_part)))
193e3acd
JH
391 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
392 "callout_random_local_part: %s", expand_string_message);
059ec3d9 393
193e3acd
JH
394 /* Default the connect and overall callout timeouts if not set, and record the
395 time we are starting so that we can enforce it. */
4c590bd1 396
193e3acd
JH
397 if (callout_overall < 0) callout_overall = 4 * callout;
398 if (callout_connect < 0) callout_connect = callout;
399 callout_start_time = time(NULL);
4c590bd1 400
193e3acd
JH
401 /* Before doing a real callout, if this is an SMTP connection, flush the SMTP
402 output because a callout might take some time. When PIPELINING is active and
403 there are many recipients, the total time for doing lots of callouts can add up
404 and cause the client to time out. So in this case we forgo the PIPELINING
405 optimization. */
817d9f57 406
193e3acd 407 if (smtp_out != NULL && !disable_callout_flush) mac_smtp_fflush();
059ec3d9 408
5032d1cf
JH
409/* cutthrough-multi: if a nonfirst rcpt has the same routing as the first,
410and we are holding a cutthrough conn open, we can just append the rcpt to
411that conn for verification purposes (and later delivery also). Simplest
412coding means skipping this whole loop and doing the append separately.
413
414We will need to remember it has been appended so that rcpt-acl tail code
415can do it there for the non-rcpt-verify case. For this we keep an addresscount.
416*/
417
418 /* Can we re-use an open cutthrough connection? */
419 if ( cutthrough.fd >= 0
420 && (options & (vopt_callout_recipsender | vopt_callout_recippmaster))
421 == vopt_callout_recipsender
422 && !random_local_part
423 && !pm_mailfrom
424 )
425 {
426 if (addr->transport == cutthrough.addr.transport)
427 for (host = host_list; host; host = host->next)
428 if (Ustrcmp(host->address, cutthrough.host.address) == 0)
429 {
430 int host_af;
431 uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
432 int port = 25;
433
434 deliver_host = host->name;
435 deliver_host_address = host->address;
436 deliver_host_port = host->port;
437 deliver_domain = addr->domain;
438 transport_name = addr->transport->name;
439
440 host_af = (Ustrchr(host->address, ':') == NULL)? AF_INET:AF_INET6;
441
6f6dedcc 442 if (!smtp_get_interface(tf->interface, host_af, addr, &interface,
5032d1cf
JH
443 US"callout") ||
444 !smtp_get_port(tf->port, addr, &port, US"callout"))
445 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
446 addr->message);
447
448 if ( ( interface == cutthrough.interface
449 || ( interface
450 && cutthrough.interface
451 && Ustrcmp(interface, cutthrough.interface) == 0
452 ) )
453 && port == cutthrough.host.port
454 )
455 {
806c3df9 456 uschar * resp = NULL;
5032d1cf
JH
457
458 /* Match! Send the RCPT TO, append the addr, set done */
459 done =
460 smtp_write_command(&ctblock, FALSE, "RCPT TO:<%.1000s>\r\n",
461 transport_rcpt_address(addr,
462 (addr->transport == NULL)? FALSE :
463 addr->transport->rcpt_include_affixes)) >= 0 &&
464 cutthrough_response('2', &resp) == '2';
465
466 /* This would go horribly wrong if a callout fail was ignored by ACL.
467 We punt by abandoning cutthrough on a reject, like the
468 first-rcpt does. */
469
470 if (done)
471 {
472 address_item * na = store_get(sizeof(address_item));
473 *na = cutthrough.addr;
474 cutthrough.addr = *addr;
475 cutthrough.addr.host_used = &cutthrough.host;
476 cutthrough.addr.next = na;
477
478 cutthrough.nrcpt++;
479 }
480 else
481 {
482 cancel_cutthrough_connection("recipient rejected");
806c3df9 483 if (!resp || errno == ETIMEDOUT)
5032d1cf
JH
484 {
485 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
486 }
487 else if (errno == 0)
488 {
489 if (*resp == 0)
490 Ustrcpy(resp, US"connection dropped");
491
492 addr->message =
493 string_sprintf("response to \"%s\" from %s [%s] was: %s",
494 big_buffer, host->name, host->address,
495 string_printing(resp));
496
497 addr->user_message =
498 string_sprintf("Callout verification failed:\n%s", resp);
499
500 /* Hard rejection ends the process */
501
502 if (resp[0] == '5') /* Address rejected */
503 {
504 yield = FAIL;
505 done = TRUE;
506 }
507 }
508 }
509 }
510 break;
511 }
512 if (!done)
513 cancel_cutthrough_connection("incompatible connection");
514 }
515
193e3acd
JH
516 /* Now make connections to the hosts and do real callouts. The list of hosts
517 is passed in as an argument. */
059ec3d9 518
193e3acd 519 for (host = host_list; host != NULL && !done; host = host->next)
059ec3d9 520 {
193e3acd
JH
521 smtp_inblock inblock;
522 smtp_outblock outblock;
523 int host_af;
524 int port = 25;
525 BOOL send_quit = TRUE;
526 uschar *active_hostname = smtp_active_hostname;
527 BOOL lmtp;
528 BOOL smtps;
529 BOOL esmtp;
530 BOOL suppress_tls = FALSE;
531 uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
0e66b3b6
JH
532#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
533 BOOL dane = FALSE;
6ebd79ec 534 BOOL dane_required;
0e66b3b6
JH
535 dns_answer tlsa_dnsa;
536#endif
193e3acd
JH
537 uschar inbuffer[4096];
538 uschar outbuffer[1024];
539 uschar responsebuffer[4096];
9094b84b 540 uschar * size_str;
193e3acd
JH
541
542 clearflag(addr, af_verify_pmfail); /* postmaster callout flag */
543 clearflag(addr, af_verify_nsfail); /* null sender callout flag */
544
545 /* Skip this host if we don't have an IP address for it. */
546
547 if (host->address == NULL)
548 {
549 DEBUG(D_verify) debug_printf("no IP address for host name %s: skipping\n",
550 host->name);
551 continue;
552 }
059ec3d9 553
193e3acd 554 /* Check the overall callout timeout */
059ec3d9 555
193e3acd
JH
556 if (time(NULL) - callout_start_time >= callout_overall)
557 {
558 HDEBUG(D_verify) debug_printf("overall timeout for callout exceeded\n");
559 break;
560 }
059ec3d9 561
193e3acd 562 /* Set IPv4 or IPv6 */
059ec3d9 563
193e3acd 564 host_af = (Ustrchr(host->address, ':') == NULL)? AF_INET:AF_INET6;
de3a88fb 565
193e3acd
JH
566 /* Expand and interpret the interface and port strings. The latter will not
567 be used if there is a host-specific port (e.g. from a manualroute router).
568 This has to be delayed till now, because they may expand differently for
569 different hosts. If there's a failure, log it, but carry on with the
570 defaults. */
de3a88fb 571
193e3acd
JH
572 deliver_host = host->name;
573 deliver_host_address = host->address;
a7538db1 574 deliver_host_port = host->port;
193e3acd 575 deliver_domain = addr->domain;
aec45841 576 transport_name = addr->transport->name;
059ec3d9 577
6f6dedcc 578 if ( !smtp_get_interface(tf->interface, host_af, addr, &interface,
bf7aabb4
JH
579 US"callout")
580 || !smtp_get_port(tf->port, addr, &port, US"callout")
581 )
193e3acd
JH
582 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
583 addr->message);
059ec3d9 584
193e3acd
JH
585 /* Set HELO string according to the protocol */
586 lmtp= Ustrcmp(tf->protocol, "lmtp") == 0;
587 smtps= Ustrcmp(tf->protocol, "smtps") == 0;
059ec3d9 588
059ec3d9 589
193e3acd 590 HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", interface, port);
059ec3d9 591
193e3acd 592 /* Set up the buffer for reading SMTP response packets. */
059ec3d9 593
193e3acd
JH
594 inblock.buffer = inbuffer;
595 inblock.buffersize = sizeof(inbuffer);
596 inblock.ptr = inbuffer;
597 inblock.ptrend = inbuffer;
059ec3d9 598
193e3acd 599 /* Set up the buffer for holding SMTP commands while pipelining */
817d9f57 600
193e3acd
JH
601 outblock.buffer = outbuffer;
602 outblock.buffersize = sizeof(outbuffer);
603 outblock.ptr = outbuffer;
604 outblock.cmd_count = 0;
605 outblock.authenticating = FALSE;
059ec3d9 606
193e3acd
JH
607 /* Connect to the host; on failure, just loop for the next one, but we
608 set the error for the last one. Use the callout_connect timeout. */
059ec3d9 609
193e3acd 610 tls_retry_connection:
41c7c167 611
65f1c92a
JH
612 /* Reset the parameters of a TLS session */
613 tls_out.cipher = tls_out.peerdn = tls_out.peercert = NULL;
614
193e3acd 615 inblock.sock = outblock.sock =
7eb6c37c
JH
616 smtp_connect(host, host_af, port, interface, callout_connect,
617 addr->transport);
193e3acd
JH
618 if (inblock.sock < 0)
619 {
620 addr->message = string_sprintf("could not connect to %s [%s]: %s",
621 host->name, host->address, strerror(errno));
aec45841 622 transport_name = NULL;
193e3acd
JH
623 deliver_host = deliver_host_address = NULL;
624 deliver_domain = save_deliver_domain;
625 continue;
626 }
41c7c167 627
bf7aabb4
JH
628#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
629 {
630 int rc;
631
632 tls_out.dane_verified = FALSE;
633 tls_out.tlsa_usage = 0;
634
635 dane_required =
636 verify_check_given_host(&ob->hosts_require_dane, host) == OK;
637
638 if (host->dnssec == DS_YES)
639 {
4b0fe319
JH
640 if( dane_required
641 || verify_check_given_host(&ob->hosts_try_dane, host) == OK
bf7aabb4 642 )
4b0fe319
JH
643 {
644 if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required)) != OK)
645 return rc;
646 dane = TRUE;
647 }
bf7aabb4
JH
648 }
649 else if (dane_required)
650 {
651 log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name);
652 return FAIL;
653 }
654
655 if (dane)
656 ob->tls_tempfail_tryclear = FALSE;
657 }
658#endif /*DANE*/
659
193e3acd 660 /* Expand the helo_data string to find the host name to use. */
41c7c167 661
193e3acd
JH
662 if (tf->helo_data != NULL)
663 {
664 uschar *s = expand_string(tf->helo_data);
665 if (s == NULL)
666 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: failed to expand transport's "
667 "helo_data value for callout: %s", addr->address,
668 expand_string_message);
669 else active_hostname = s;
670 }
059ec3d9 671
193e3acd
JH
672 /* Wait for initial response, and send HELO. The smtp_write_command()
673 function leaves its command in big_buffer. This is used in error responses.
674 Initialize it in case the connection is rejected. */
817d9f57 675
193e3acd 676 Ustrcpy(big_buffer, "initial connection");
817d9f57 677
193e3acd
JH
678 /* Unless ssl-on-connect, wait for the initial greeting */
679 smtps_redo_greeting:
817d9f57 680
a7538db1 681#ifdef SUPPORT_TLS
193e3acd 682 if (!smtps || (smtps && tls_out.active >= 0))
a7538db1
JH
683#endif
684 {
193e3acd
JH
685 if (!(done= smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout)))
686 goto RESPONSE_FAILED;
770747fd 687
0cbf2b82 688#ifndef DISABLE_EVENT
aaedd1b5
JH
689 lookup_dnssec_authenticated = host->dnssec==DS_YES ? US"yes"
690 : host->dnssec==DS_NO ? US"no" : NULL;
774ef2d7 691 if (event_raise(addr->transport->event_action,
b30275b8 692 US"smtp:connect", responsebuffer))
a7538db1 693 {
aaedd1b5 694 lookup_dnssec_authenticated = NULL;
a7538db1
JH
695 /* Logging? Debug? */
696 goto RESPONSE_FAILED;
697 }
aaedd1b5 698 lookup_dnssec_authenticated = NULL;
a7538db1
JH
699#endif
700 }
701
193e3acd 702 /* Not worth checking greeting line for ESMTP support */
55414b25 703 if (!(esmtp = verify_check_given_host(&ob->hosts_avoid_esmtp, host) != OK))
193e3acd
JH
704 DEBUG(D_transport)
705 debug_printf("not sending EHLO (host matches hosts_avoid_esmtp)\n");
817d9f57 706
193e3acd 707 tls_redo_helo:
817d9f57 708
a7538db1 709#ifdef SUPPORT_TLS
193e3acd 710 if (smtps && tls_out.active < 0) /* ssl-on-connect, first pass */
817d9f57 711 {
9094b84b 712 peer_offered &= ~PEER_OFFERED_TLS;
193e3acd 713 ob->tls_tempfail_tryclear = FALSE;
817d9f57 714 }
a7538db1
JH
715 else /* all other cases */
716#endif
817d9f57 717
193e3acd 718 { esmtp_retry:
817d9f57 719
193e3acd
JH
720 if (!(done= smtp_write_command(&outblock, FALSE, "%s %s\r\n",
721 !esmtp? "HELO" : lmtp? "LHLO" : "EHLO", active_hostname) >= 0))
722 goto SEND_FAILED;
723 if (!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout))
724 {
4ed8d31a
JH
725 if (errno != 0 || responsebuffer[0] == 0 || lmtp || !esmtp || tls_out.active >= 0)
726 {
727 done= FALSE;
728 goto RESPONSE_FAILED;
729 }
a7538db1 730#ifdef SUPPORT_TLS
9094b84b 731 peer_offered &= ~PEER_OFFERED_TLS;
a7538db1 732#endif
193e3acd
JH
733 esmtp = FALSE;
734 goto esmtp_retry; /* fallback to HELO */
735 }
736
737 /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
4ed8d31a 738
9094b84b
JH
739 peer_offered = esmtp
740 ? ehlo_response(responsebuffer, sizeof(responsebuffer),
741 (!suppress_tls && tls_out.active < 0 ? PEER_OFFERED_TLS : 0)
742 | 0 /* no IGNQ */
743 | 0 /* no PRDR */
744#ifdef SUPPORT_I18N
745 | (addr->prop.utf8_msg && !addr->prop.utf8_downcvt
746 ? PEER_OFFERED_UTF8 : 0)
a7538db1 747#endif
9094b84b
JH
748 | 0 /* no DSN */
749 | 0 /* no PIPE */
750
751 /* only care about SIZE if we have size from inbound */
752 | (message_size > 0 && ob->size_addition >= 0
753 ? PEER_OFFERED_SIZE : 0)
754 )
755 : 0;
817d9f57
JH
756 }
757
9094b84b
JH
758 size_str = peer_offered & PEER_OFFERED_SIZE
759 ? string_sprintf(" SIZE=%d", message_size + ob->size_addition) : US"";
760
761#ifdef SUPPORT_TLS
762 tls_offered = !!(peer_offered & PEER_OFFERED_TLS);
763#endif
764
193e3acd
JH
765 /* If TLS is available on this connection attempt to
766 start up a TLS session, unless the host is in hosts_avoid_tls. If successful,
767 send another EHLO - the server may give a different answer in secure mode. We
768 use a separate buffer for reading the response to STARTTLS so that if it is
769 negative, the original EHLO data is available for subsequent analysis, should
770 the client not be required to use TLS. If the response is bad, copy the buffer
771 for error analysis. */
772
a7538db1 773#ifdef SUPPORT_TLS
9094b84b 774 if ( peer_offered & PEER_OFFERED_TLS
5130845b
JH
775 && verify_check_given_host(&ob->hosts_avoid_tls, host) != OK
776 && verify_check_given_host(&ob->hosts_verify_avoid_tls, host) != OK
99400968 777 )
817d9f57 778 {
193e3acd
JH
779 uschar buffer2[4096];
780 if ( !smtps
781 && !(done= smtp_write_command(&outblock, FALSE, "STARTTLS\r\n") >= 0))
782 goto SEND_FAILED;
783
784 /* If there is an I/O error, transmission of this message is deferred. If
785 there is a temporary rejection of STARRTLS and tls_tempfail_tryclear is
786 false, we also defer. However, if there is a temporary rejection of STARTTLS
787 and tls_tempfail_tryclear is true, or if there is an outright rejection of
788 STARTTLS, we carry on. This means we will try to send the message in clear,
789 unless the host is in hosts_require_tls (tested below). */
790
791 if (!smtps && !smtp_read_response(&inblock, buffer2, sizeof(buffer2), '2',
792 ob->command_timeout))
817d9f57 793 {
4b0fe319
JH
794 if ( errno != 0
795 || buffer2[0] == 0
796 || buffer2[0] == '4' && !ob->tls_tempfail_tryclear
797 )
a7538db1
JH
798 {
799 Ustrncpy(responsebuffer, buffer2, sizeof(responsebuffer));
800 done= FALSE;
801 goto RESPONSE_FAILED;
802 }
193e3acd 803 }
817d9f57 804
193e3acd
JH
805 /* STARTTLS accepted or ssl-on-connect: try to negotiate a TLS session. */
806 else
807 {
65867078
JH
808 int oldtimeout = ob->command_timeout;
809 int rc;
810
6ebd79ec 811 tls_negotiate:
65867078 812 ob->command_timeout = callout;
0e66b3b6 813 rc = tls_client_start(inblock.sock, host, addr, addr->transport
5032d1cf 814# ifdef EXPERIMENTAL_DANE
0e66b3b6 815 , dane ? &tlsa_dnsa : NULL
5032d1cf 816# endif
0e66b3b6 817 );
65867078 818 ob->command_timeout = oldtimeout;
193e3acd 819
6ebd79ec
JH
820 /* TLS negotiation failed; give an error. Try in clear on a new
821 connection, if the options permit it for this host. */
193e3acd 822 if (rc != OK)
83b27293 823 {
6ebd79ec 824 if (rc == DEFER)
a1bccd48 825 {
83b27293 826 (void)close(inblock.sock);
0cbf2b82 827# ifndef DISABLE_EVENT
774ef2d7 828 (void) event_raise(addr->transport->event_action,
83b27293 829 US"tcp:close", NULL);
5032d1cf 830# endif
4b0fe319
JH
831 if ( ob->tls_tempfail_tryclear
832 && !smtps
833 && verify_check_given_host(&ob->hosts_require_tls, host) != OK
834 )
6ebd79ec
JH
835 {
836 log_write(0, LOG_MAIN, "TLS session failure:"
837 " delivering unencrypted to %s [%s] (not in hosts_require_tls)",
838 host->name, host->address);
839 suppress_tls = TRUE;
840 goto tls_retry_connection;
841 }
a7538db1 842 }
6ebd79ec 843
a7538db1
JH
844 /*save_errno = ERRNO_TLSFAILURE;*/
845 /*message = US"failure while setting up TLS session";*/
846 send_quit = FALSE;
847 done= FALSE;
848 goto TLS_FAILED;
849 }
193e3acd
JH
850
851 /* TLS session is set up. Copy info for logging. */
852 addr->cipher = tls_out.cipher;
853 addr->peerdn = tls_out.peerdn;
854
855 /* For SMTPS we need to wait for the initial OK response, then do HELO. */
856 if (smtps)
a7538db1 857 goto smtps_redo_greeting;
193e3acd
JH
858
859 /* For STARTTLS we need to redo EHLO */
860 goto tls_redo_helo;
861 }
817d9f57
JH
862 }
863
193e3acd
JH
864 /* If the host is required to use a secure channel, ensure that we have one. */
865 if (tls_out.active < 0)
0e66b3b6 866 if (
5032d1cf 867# ifdef EXPERIMENTAL_DANE
0e66b3b6 868 dane ||
5032d1cf 869# endif
5130845b 870 verify_check_given_host(&ob->hosts_require_tls, host) == OK
7a31d643 871 )
193e3acd
JH
872 {
873 /*save_errno = ERRNO_TLSREQUIRED;*/
c562fd30
JH
874 log_write(0, LOG_MAIN,
875 "H=%s [%s]: a TLS session is required for this host, but %s",
193e3acd 876 host->name, host->address,
9094b84b
JH
877 peer_offered & PEER_OFFERED_TLS
878 ? "an attempt to start TLS failed"
879 : "the server did not offer TLS support");
193e3acd
JH
880 done= FALSE;
881 goto TLS_FAILED;
882 }
817d9f57 883
5032d1cf 884#endif /*SUPPORT_TLS*/
817d9f57 885
193e3acd 886 done = TRUE; /* so far so good; have response to HELO */
817d9f57 887
d6e96b36 888 /* For now, transport_filter by cutthrough-delivery is not supported */
193e3acd 889 /* Need proper integration with the proper transport mechanism. */
5032d1cf 890 if (cutthrough.delivery)
d6e96b36 891 {
07eeb4df 892#ifndef DISABLE_DKIM
ae8386f0 893 uschar * s;
07eeb4df 894#endif
6e62c454
JH
895 if (addr->transport->filter_command)
896 {
5032d1cf 897 cutthrough.delivery = FALSE;
6e62c454
JH
898 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n");
899 }
a7538db1 900#ifndef DISABLE_DKIM
ff5aac2b 901 else if ((s = ob->dkim.dkim_domain) && (s = expand_string(s)) && *s)
6e62c454 902 {
5032d1cf 903 cutthrough.delivery = FALSE;
6e62c454
JH
904 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of DKIM signing\n");
905 }
a7538db1 906#endif
d6e96b36 907 }
817d9f57 908
193e3acd
JH
909 SEND_FAILED:
910 RESPONSE_FAILED:
911 TLS_FAILED:
912 ;
913 /* Clear down of the TLS, SMTP and TCP layers on error is handled below. */
059ec3d9 914
193e3acd
JH
915 /* Failure to accept HELO is cached; this blocks the whole domain for all
916 senders. I/O errors and defer responses are not cached. */
917
918 if (!done)
2b1c6e3a 919 {
193e3acd
JH
920 *failure_ptr = US"mail"; /* At or before MAIL */
921 if (errno == 0 && responsebuffer[0] == '5')
922 {
923 setflag(addr, af_verify_nsfail);
924 new_domain_record.result = ccache_reject;
925 }
2b1c6e3a 926 }
2b1c6e3a 927
8c5d388a 928#ifdef SUPPORT_I18N
3c8b3577
JH
929 else if ( addr->prop.utf8_msg
930 && !addr->prop.utf8_downcvt
9094b84b
JH
931 && !(peer_offered & PEER_OFFERED_UTF8)
932 )
9bfc60eb
JH
933 {
934 HDEBUG(D_acl|D_v) debug_printf("utf8 required but not offered\n");
935 errno = ERRNO_UTF8_FWD;
936 setflag(addr, af_verify_nsfail);
937 done = FALSE;
938 }
3c8b3577 939 else if ( addr->prop.utf8_msg
9094b84b 940 && (addr->prop.utf8_downcvt || !(peer_offered & PEER_OFFERED_UTF8))
921dfc11
JH
941 && (setflag(addr, af_utf8_downcvt),
942 from_address = string_address_utf8_to_alabel(from_address,
943 &addr->message),
944 addr->message
945 ) )
3c8b3577
JH
946 {
947 errno = ERRNO_EXPANDFAIL;
948 setflag(addr, af_verify_nsfail);
949 done = FALSE;
950 }
9bfc60eb
JH
951#endif
952
d6e96b36 953 /* If we haven't authenticated, but are required to, give up. */
fcc8e047
JH
954 /* Try to AUTH */
955
956 else done = smtp_auth(responsebuffer, sizeof(responsebuffer),
957 addr, host, ob, esmtp, &inblock, &outblock) == OK &&
958
b4a2b536
JH
959 /* Copy AUTH info for logging */
960 ( (addr->authenticator = client_authenticator),
961 (addr->auth_id = client_authenticated_id),
962
fcc8e047 963 /* Build a mail-AUTH string (re-using responsebuffer for convenience */
b4a2b536
JH
964 !smtp_mail_auth_str(responsebuffer, sizeof(responsebuffer), addr, ob)
965 ) &&
966
967 ( (addr->auth_sndr = client_authenticated_sender),
fcc8e047 968
193e3acd 969 /* Send the MAIL command */
9bfc60eb 970 (smtp_write_command(&outblock, FALSE,
8c5d388a 971#ifdef SUPPORT_I18N
921dfc11 972 addr->prop.utf8_msg && !addr->prop.utf8_downcvt
9094b84b 973 ? "MAIL FROM:<%s>%s%s SMTPUTF8\r\n"
9bfc60eb
JH
974 :
975#endif
9094b84b
JH
976 "MAIL FROM:<%s>%s%s\r\n",
977 from_address, responsebuffer, size_str) >= 0)
b4a2b536 978 ) &&
2b1c6e3a 979
193e3acd
JH
980 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
981 '2', callout);
059ec3d9 982
00bff6f6
JH
983 deliver_host = deliver_host_address = NULL;
984 deliver_domain = save_deliver_domain;
985
193e3acd
JH
986 /* If the host does not accept MAIL FROM:<>, arrange to cache this
987 information, but again, don't record anything for an I/O error or a defer. Do
988 not cache rejections of MAIL when a non-empty sender has been used, because
989 that blocks the whole domain for all senders. */
059ec3d9 990
193e3acd 991 if (!done)
059ec3d9 992 {
193e3acd
JH
993 *failure_ptr = US"mail"; /* At or before MAIL */
994 if (errno == 0 && responsebuffer[0] == '5')
995 {
996 setflag(addr, af_verify_nsfail);
997 if (from_address[0] == 0)
998 new_domain_record.result = ccache_reject_mfnull;
999 }
059ec3d9 1000 }
059ec3d9 1001
193e3acd
JH
1002 /* Otherwise, proceed to check a "random" address (if required), then the
1003 given address, and the postmaster address (if required). Between each check,
1004 issue RSET, because some servers accept only one recipient after MAIL
1005 FROM:<>.
2b1c6e3a 1006
193e3acd
JH
1007 Before doing this, set the result in the domain cache record to "accept",
1008 unless its previous value was ccache_reject_mfnull. In that case, the domain
1009 rejects MAIL FROM:<> and we want to continue to remember that. When that is
1010 the case, we have got here only in the case of a recipient verification with
1011 a non-null sender. */
059ec3d9 1012
193e3acd 1013 else
059ec3d9 1014 {
921dfc11
JH
1015 const uschar * rcpt_domain = addr->domain;
1016
8c5d388a 1017#ifdef SUPPORT_I18N
921dfc11
JH
1018 uschar * errstr = NULL;
1019 if ( testflag(addr, af_utf8_downcvt)
1020 && (rcpt_domain = string_domain_utf8_to_alabel(rcpt_domain,
1021 &errstr), errstr)
1022 )
1023 {
1024 addr->message = errstr;
1025 errno = ERRNO_EXPANDFAIL;
1026 setflag(addr, af_verify_nsfail);
1027 done = FALSE;
1028 rcpt_domain = US""; /*XXX errorhandling! */
1029 }
1030#endif
1031
193e3acd
JH
1032 new_domain_record.result =
1033 (old_domain_cache_result == ccache_reject_mfnull)?
1034 ccache_reject_mfnull: ccache_accept;
059ec3d9 1035
193e3acd 1036 /* Do the random local part check first */
059ec3d9 1037
193e3acd 1038 if (random_local_part != NULL)
059ec3d9 1039 {
193e3acd
JH
1040 uschar randombuffer[1024];
1041 BOOL random_ok =
1042 smtp_write_command(&outblock, FALSE,
1043 "RCPT TO:<%.1000s@%.1000s>\r\n", random_local_part,
921dfc11 1044 rcpt_domain) >= 0 &&
193e3acd
JH
1045 smtp_read_response(&inblock, randombuffer,
1046 sizeof(randombuffer), '2', callout);
059ec3d9 1047
193e3acd 1048 /* Remember when we last did a random test */
059ec3d9 1049
193e3acd 1050 new_domain_record.random_stamp = time(NULL);
059ec3d9 1051
193e3acd 1052 /* If accepted, we aren't going to do any further tests below. */
059ec3d9 1053
193e3acd 1054 if (random_ok)
193e3acd 1055 new_domain_record.random_result = ccache_accept;
059ec3d9 1056
193e3acd
JH
1057 /* Otherwise, cache a real negative response, and get back to the right
1058 state to send RCPT. Unless there's some problem such as a dropped
65f1c92a
JH
1059 connection, we expect to succeed, because the commands succeeded above.
1060 However, some servers drop the connection after responding to an
1061 invalid recipient, so on (any) error we drop and remake the connection.
1062 */
059ec3d9 1063
193e3acd
JH
1064 else if (errno == 0)
1065 {
65f1c92a
JH
1066 /* This would be ok for 1st rcpt a cutthrough, but no way to
1067 handle a subsequent. So refuse to support any */
5032d1cf
JH
1068 cancel_cutthrough_connection("random-recipient");
1069
193e3acd
JH
1070 if (randombuffer[0] == '5')
1071 new_domain_record.random_result = ccache_reject;
1072
1073 done =
1074 smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
1075 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
1076 '2', callout) &&
1077
9bfc60eb 1078 smtp_write_command(&outblock, FALSE,
8c5d388a 1079#ifdef SUPPORT_I18N
921dfc11 1080 addr->prop.utf8_msg && !addr->prop.utf8_downcvt
9bfc60eb
JH
1081 ? "MAIL FROM:<%s> SMTPUTF8\r\n"
1082 :
1083#endif
1084 "MAIL FROM:<%s>\r\n",
193e3acd
JH
1085 from_address) >= 0 &&
1086 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
1087 '2', callout);
65f1c92a
JH
1088
1089 if (!done)
1090 {
1091 HDEBUG(D_acl|D_v)
1092 debug_printf("problem after random/rset/mfrom; reopen conn\n");
1093 random_local_part = NULL;
1094#ifdef SUPPORT_TLS
1095 tls_close(FALSE, TRUE);
1096#endif
1097 (void)close(inblock.sock);
0cbf2b82 1098#ifndef DISABLE_EVENT
65f1c92a
JH
1099 (void) event_raise(addr->transport->event_action,
1100 US"tcp:close", NULL);
1101#endif
1102 goto tls_retry_connection;
1103 }
193e3acd
JH
1104 }
1105 else done = FALSE; /* Some timeout/connection problem */
1106 } /* Random check */
059ec3d9 1107
193e3acd
JH
1108 /* If the host is accepting all local parts, as determined by the "random"
1109 check, we don't need to waste time doing any further checking. */
059ec3d9 1110
193e3acd 1111 if (new_domain_record.random_result != ccache_accept && done)
059ec3d9 1112 {
193e3acd
JH
1113 /* Get the rcpt_include_affixes flag from the transport if there is one,
1114 but assume FALSE if there is not. */
e4bdf652 1115
921dfc11
JH
1116 uschar * rcpt = transport_rcpt_address(addr,
1117 addr->transport ? addr->transport->rcpt_include_affixes : FALSE);
1118
8c5d388a 1119#ifdef SUPPORT_I18N
921dfc11
JH
1120 /*XXX should the conversion be moved into transport_rcpt_address() ? */
1121 uschar * dummy_errstr = NULL;
1122 if ( testflag(addr, af_utf8_downcvt)
1123 && (rcpt = string_address_utf8_to_alabel(rcpt, &dummy_errstr),
1124 dummy_errstr
1125 ) )
1126 {
1127 errno = ERRNO_EXPANDFAIL;
1128 *failure_ptr = US"recipient";
1129 done = FALSE;
1130 }
1131 else
1132#endif
1133
059ec3d9 1134 done =
193e3acd 1135 smtp_write_command(&outblock, FALSE, "RCPT TO:<%.1000s>\r\n",
921dfc11 1136 rcpt) >= 0 &&
193e3acd
JH
1137 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
1138 '2', callout);
059ec3d9 1139
193e3acd
JH
1140 if (done)
1141 new_address_record.result = ccache_accept;
1142 else if (errno == 0 && responsebuffer[0] == '5')
1143 {
1144 *failure_ptr = US"recipient";
1145 new_address_record.result = ccache_reject;
1146 }
059ec3d9 1147
193e3acd
JH
1148 /* Do postmaster check if requested; if a full check is required, we
1149 check for RCPT TO:<postmaster> (no domain) in accordance with RFC 821. */
2a4be8f9 1150
193e3acd
JH
1151 if (done && pm_mailfrom != NULL)
1152 {
65f1c92a
JH
1153 /* Could possibly shift before main verify, just above, and be ok
1154 for cutthrough. But no way to handle a subsequent rcpt, so just
1155 refuse any */
5032d1cf 1156 cancel_cutthrough_connection("postmaster verify");
193e3acd
JH
1157 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of postmaster verify\n");
1158
1159 done =
1160 smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
1161 smtp_read_response(&inblock, responsebuffer,
1162 sizeof(responsebuffer), '2', callout) &&
1163
1164 smtp_write_command(&outblock, FALSE,
1165 "MAIL FROM:<%s>\r\n", pm_mailfrom) >= 0 &&
1166 smtp_read_response(&inblock, responsebuffer,
1167 sizeof(responsebuffer), '2', callout) &&
1168
1169 /* First try using the current domain */
1170
1171 ((
1172 smtp_write_command(&outblock, FALSE,
921dfc11 1173 "RCPT TO:<postmaster@%.1000s>\r\n", rcpt_domain) >= 0 &&
193e3acd
JH
1174 smtp_read_response(&inblock, responsebuffer,
1175 sizeof(responsebuffer), '2', callout)
1176 )
1177
1178 ||
1179
1180 /* If that doesn't work, and a full check is requested,
1181 try without the domain. */
1182
1183 (
1184 (options & vopt_callout_fullpm) != 0 &&
1185 smtp_write_command(&outblock, FALSE,
1186 "RCPT TO:<postmaster>\r\n") >= 0 &&
1187 smtp_read_response(&inblock, responsebuffer,
1188 sizeof(responsebuffer), '2', callout)
1189 ));
1190
1191 /* Sort out the cache record */
1192
1193 new_domain_record.postmaster_stamp = time(NULL);
1194
1195 if (done)
1196 new_domain_record.postmaster_result = ccache_accept;
1197 else if (errno == 0 && responsebuffer[0] == '5')
1198 {
1199 *failure_ptr = US"postmaster";
1200 setflag(addr, af_verify_pmfail);
1201 new_domain_record.postmaster_result = ccache_reject;
1202 }
1203 }
1204 } /* Random not accepted */
1205 } /* MAIL FROM: accepted */
2a4be8f9 1206
193e3acd
JH
1207 /* For any failure of the main check, other than a negative response, we just
1208 close the connection and carry on. We can identify a negative response by the
1209 fact that errno is zero. For I/O errors it will be non-zero
2a4be8f9 1210
193e3acd
JH
1211 Set up different error texts for logging and for sending back to the caller
1212 as an SMTP response. Log in all cases, using a one-line format. For sender
1213 callouts, give a full response to the caller, but for recipient callouts,
1214 don't give the IP address because this may be an internal host whose identity
1215 is not to be widely broadcast. */
2a4be8f9 1216
193e3acd
JH
1217 if (!done)
1218 {
1219 if (errno == ETIMEDOUT)
1220 {
1221 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
1222 send_quit = FALSE;
1223 }
8c5d388a 1224#ifdef SUPPORT_I18N
9bfc60eb
JH
1225 else if (errno == ERRNO_UTF8_FWD)
1226 {
1227 extern int acl_where; /* src/acl.c */
1228 errno = 0;
1229 addr->message = string_sprintf(
1230 "response to \"%s\" from %s [%s] did not include SMTPUTF8",
1231 big_buffer, host->name, host->address);
1232 addr->user_message = acl_where == ACL_WHERE_RCPT
1233 ? US"533 mailbox name not allowed"
1234 : US"550 mailbox unavailable";
1235 yield = FAIL;
1236 done = TRUE;
1237 }
1238#endif
193e3acd
JH
1239 else if (errno == 0)
1240 {
1241 if (*responsebuffer == 0) Ustrcpy(responsebuffer, US"connection dropped");
2a4be8f9 1242
193e3acd
JH
1243 addr->message =
1244 string_sprintf("response to \"%s\" from %s [%s] was: %s",
1245 big_buffer, host->name, host->address,
1246 string_printing(responsebuffer));
059ec3d9 1247
8b9476ba
JH
1248 addr->user_message = options & vopt_is_recipient
1249 ? string_sprintf("Callout verification failed:\n%s", responsebuffer)
1250 : string_sprintf("Called: %s\nSent: %s\nResponse: %s",
193e3acd 1251 host->address, big_buffer, responsebuffer);
059ec3d9 1252
193e3acd
JH
1253 /* Hard rejection ends the process */
1254
1255 if (responsebuffer[0] == '5') /* Address rejected */
059ec3d9 1256 {
193e3acd
JH
1257 yield = FAIL;
1258 done = TRUE;
059ec3d9
PH
1259 }
1260 }
193e3acd 1261 }
059ec3d9 1262
193e3acd
JH
1263 /* End the SMTP conversation and close the connection. */
1264
5032d1cf
JH
1265 /* Cutthrough - on a successfull connect and recipient-verify with
1266 use-sender and we are 1st rcpt and have no cutthrough conn so far
193e3acd 1267 here is where we want to leave the conn open */
5032d1cf
JH
1268 if ( cutthrough.delivery
1269 && rcpt_count == 1
193e3acd
JH
1270 && done
1271 && yield == OK
98c82a3d
JH
1272 && (options & (vopt_callout_recipsender|vopt_callout_recippmaster|vopt_success_on_redirect))
1273 == vopt_callout_recipsender
193e3acd
JH
1274 && !random_local_part
1275 && !pm_mailfrom
5032d1cf 1276 && cutthrough.fd < 0
66ba1a69 1277 && !lmtp
193e3acd 1278 )
059ec3d9 1279 {
8b9476ba
JH
1280 HDEBUG(D_acl|D_v) debug_printf("holding verify callout open for cutthrough delivery\n");
1281
5032d1cf
JH
1282 cutthrough.fd = outblock.sock; /* We assume no buffer in use in the outblock */
1283 cutthrough.nrcpt = 1;
1284 cutthrough.interface = interface;
1285 cutthrough.host = *host;
1286 cutthrough.addr = *addr; /* Save the address_item for later logging */
1287 cutthrough.addr.next = NULL;
1288 cutthrough.addr.host_used = &cutthrough.host;
193e3acd 1289 if (addr->parent)
5032d1cf
JH
1290 *(cutthrough.addr.parent = store_get(sizeof(address_item))) =
1291 *addr->parent;
193e3acd
JH
1292 ctblock.buffer = ctbuffer;
1293 ctblock.buffersize = sizeof(ctbuffer);
1294 ctblock.ptr = ctbuffer;
1295 /* ctblock.cmd_count = 0; ctblock.authenticating = FALSE; */
5032d1cf 1296 ctblock.sock = cutthrough.fd;
059ec3d9 1297 }
193e3acd 1298 else
059ec3d9 1299 {
2e5b33cd 1300 /* Ensure no cutthrough on multiple address verifies */
193e3acd 1301 if (options & vopt_callout_recipsender)
2e5b33cd 1302 cancel_cutthrough_connection("multiple verify calls");
193e3acd 1303 if (send_quit) (void)smtp_write_command(&outblock, FALSE, "QUIT\r\n");
059ec3d9 1304
a7538db1 1305#ifdef SUPPORT_TLS
193e3acd 1306 tls_close(FALSE, TRUE);
a7538db1 1307#endif
193e3acd 1308 (void)close(inblock.sock);
0cbf2b82 1309#ifndef DISABLE_EVENT
08f3b11b 1310 (void) event_raise(addr->transport->event_action, US"tcp:close", NULL);
a7538db1 1311#endif
059ec3d9 1312 }
059ec3d9 1313
193e3acd
JH
1314 } /* Loop through all hosts, while !done */
1315 }
059ec3d9
PH
1316
1317/* If we get here with done == TRUE, a successful callout happened, and yield
1318will be set OK or FAIL according to the response to the RCPT command.
1319Otherwise, we looped through the hosts but couldn't complete the business.
1320However, there may be domain-specific information to cache in both cases.
1321
1322The value of the result field in the new_domain record is ccache_unknown if
90e9ce59 1323there was an error before or with MAIL FROM:, and errno was not zero,
059ec3d9 1324implying some kind of I/O error. We don't want to write the cache in that case.
2b1c6e3a 1325Otherwise the value is ccache_accept, ccache_reject, or ccache_reject_mfnull. */
059ec3d9 1326
8b9476ba
JH
1327if ( !(options & vopt_callout_no_cache)
1328 && new_domain_record.result != ccache_unknown)
059ec3d9
PH
1329 {
1330 if ((dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE))
1331 == NULL)
1332 {
1333 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
1334 }
1335 else
1336 {
1337 (void)dbfn_write(dbm_file, addr->domain, &new_domain_record,
1338 (int)sizeof(dbdata_callout_cache));
8b9476ba 1339 HDEBUG(D_verify) debug_printf("wrote callout cache domain record for %s:\n"
059ec3d9 1340 " result=%d postmaster=%d random=%d\n",
8b9476ba 1341 addr->domain,
059ec3d9
PH
1342 new_domain_record.result,
1343 new_domain_record.postmaster_result,
1344 new_domain_record.random_result);
1345 }
1346 }
1347
1348/* If a definite result was obtained for the callout, cache it unless caching
1349is disabled. */
1350
1351if (done)
1352 {
8b9476ba
JH
1353 if ( !(options & vopt_callout_no_cache)
1354 && new_address_record.result != ccache_unknown)
059ec3d9
PH
1355 {
1356 if (dbm_file == NULL)
1357 dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE);
1358 if (dbm_file == NULL)
1359 {
1360 HDEBUG(D_verify) debug_printf("no callout cache available\n");
1361 }
1362 else
1363 {
1364 (void)dbfn_write(dbm_file, address_key, &new_address_record,
1365 (int)sizeof(dbdata_callout_cache_address));
8b9476ba
JH
1366 HDEBUG(D_verify) debug_printf("wrote %s callout cache address record for %s\n",
1367 new_address_record.result == ccache_accept ? "positive" : "negative",
1368 address_key);
059ec3d9
PH
1369 }
1370 }
1371 } /* done */
1372
1373/* Failure to connect to any host, or any response other than 2xx or 5xx is a
1374temporary error. If there was only one host, and a response was received, leave
1375it alone if supplying details. Otherwise, give a generic response. */
1376
1377else /* !done */
1378 {
1379 uschar *dullmsg = string_sprintf("Could not complete %s verify callout",
8b9476ba 1380 options & vopt_is_recipient ? "recipient" : "sender");
059ec3d9
PH
1381 yield = DEFER;
1382
1383 if (host_list->next != NULL || addr->message == NULL) addr->message = dullmsg;
1384
1385 addr->user_message = (!smtp_return_error_details)? dullmsg :
1386 string_sprintf("%s for <%s>.\n"
1387 "The mail server(s) for the domain may be temporarily unreachable, or\n"
1388 "they may be permanently unreachable from this server. In the latter case,\n%s",
1389 dullmsg, addr->address,
8b9476ba
JH
1390 options & vopt_is_recipient
1391 ? "the address will never be accepted."
1392 : "you need to change the address or create an MX record for its domain\n"
1393 "if it is supposed to be generally accessible from the Internet.\n"
1394 "Talk to your mail administrator for details.");
059ec3d9
PH
1395
1396 /* Force a specific error code */
1397
1398 addr->basic_errno = ERRNO_CALLOUTDEFER;
1399 }
1400
1401/* Come here from within the cache-reading code on fast-track exit. */
1402
1403END_CALLOUT:
1404if (dbm_file != NULL) dbfn_close(dbm_file);
1405return yield;
1406}
1407
1408
1409
817d9f57
JH
1410/* Called after recipient-acl to get a cutthrough connection open when
1411 one was requested and a recipient-verify wasn't subsequently done.
1412*/
f9334a28 1413int
e4bdf652
JH
1414open_cutthrough_connection( address_item * addr )
1415{
1416address_item addr2;
f9334a28 1417int rc;
e4bdf652
JH
1418
1419/* Use a recipient-verify-callout to set up the cutthrough connection. */
1420/* We must use a copy of the address for verification, because it might
1421get rewritten. */
1422
1423addr2 = *addr;
5032d1cf
JH
1424HDEBUG(D_acl) debug_printf("----------- %s cutthrough setup ------------\n",
1425 rcpt_count > 1 ? "more" : "start");
f9334a28 1426rc= verify_address(&addr2, NULL,
e4bdf652
JH
1427 vopt_is_recipient | vopt_callout_recipsender | vopt_callout_no_cache,
1428 CUTTHROUGH_CMD_TIMEOUT, -1, -1,
1429 NULL, NULL, NULL);
1430HDEBUG(D_acl) debug_printf("----------- end cutthrough setup ------------\n");
f9334a28 1431return rc;
e4bdf652
JH
1432}
1433
1434
e4bdf652 1435
817d9f57
JH
1436/* Send given number of bytes from the buffer */
1437static BOOL
1438cutthrough_send(int n)
e4bdf652 1439{
5032d1cf 1440if(cutthrough.fd < 0)
817d9f57 1441 return TRUE;
e4bdf652 1442
817d9f57
JH
1443if(
1444#ifdef SUPPORT_TLS
5032d1cf 1445 (tls_out.active == cutthrough.fd) ? tls_write(FALSE, ctblock.buffer, n) :
817d9f57 1446#endif
5032d1cf 1447 send(cutthrough.fd, ctblock.buffer, n, 0) > 0
817d9f57
JH
1448 )
1449{
1450 transport_count += n;
1451 ctblock.ptr= ctblock.buffer;
1452 return TRUE;
1453}
e4bdf652 1454
817d9f57
JH
1455HDEBUG(D_transport|D_acl) debug_printf("cutthrough_send failed: %s\n", strerror(errno));
1456return FALSE;
e4bdf652
JH
1457}
1458
1459
1460
817d9f57
JH
1461static BOOL
1462_cutthrough_puts(uschar * cp, int n)
1463{
1464while(n--)
1465 {
1466 if(ctblock.ptr >= ctblock.buffer+ctblock.buffersize)
1467 if(!cutthrough_send(ctblock.buffersize))
1468 return FALSE;
1469
1470 *ctblock.ptr++ = *cp++;
1471 }
1472return TRUE;
1473}
1474
1475/* Buffered output of counted data block. Return boolean success */
e4bdf652
JH
1476BOOL
1477cutthrough_puts(uschar * cp, int n)
1478{
5032d1cf 1479if (cutthrough.fd < 0) return TRUE;
817d9f57 1480if (_cutthrough_puts(cp, n)) return TRUE;
2e5b33cd 1481cancel_cutthrough_connection("transmit failed");
817d9f57
JH
1482return FALSE;
1483}
e4bdf652 1484
e4bdf652 1485
817d9f57 1486static BOOL
5032d1cf 1487_cutthrough_flush_send(void)
817d9f57
JH
1488{
1489int n= ctblock.ptr-ctblock.buffer;
e4bdf652 1490
817d9f57
JH
1491if(n>0)
1492 if(!cutthrough_send(n))
1493 return FALSE;
1494return TRUE;
e4bdf652
JH
1495}
1496
817d9f57
JH
1497
1498/* Send out any bufferred output. Return boolean success. */
e4bdf652 1499BOOL
5032d1cf 1500cutthrough_flush_send(void)
e4bdf652 1501{
817d9f57 1502if (_cutthrough_flush_send()) return TRUE;
2e5b33cd 1503cancel_cutthrough_connection("transmit failed");
e4bdf652
JH
1504return FALSE;
1505}
1506
1507
1508BOOL
5032d1cf 1509cutthrough_put_nl(void)
e4bdf652
JH
1510{
1511return cutthrough_puts(US"\r\n", 2);
1512}
1513
1514
1515/* Get and check response from cutthrough target */
1516static uschar
1517cutthrough_response(char expect, uschar ** copy)
1518{
1519smtp_inblock inblock;
1520uschar inbuffer[4096];
1521uschar responsebuffer[4096];
1522
1523inblock.buffer = inbuffer;
1524inblock.buffersize = sizeof(inbuffer);
1525inblock.ptr = inbuffer;
1526inblock.ptrend = inbuffer;
5032d1cf 1527inblock.sock = cutthrough.fd;
817d9f57 1528/* this relies on (inblock.sock == tls_out.active) */
e4bdf652 1529if(!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), expect, CUTTHROUGH_DATA_TIMEOUT))
2e5b33cd 1530 cancel_cutthrough_connection("target timeout on read");
e4bdf652
JH
1531
1532if(copy != NULL)
1533 {
1534 uschar * cp;
5032d1cf 1535 *copy = cp = string_copy(responsebuffer);
e4bdf652
JH
1536 /* Trim the trailing end of line */
1537 cp += Ustrlen(responsebuffer);
1538 if(cp > *copy && cp[-1] == '\n') *--cp = '\0';
1539 if(cp > *copy && cp[-1] == '\r') *--cp = '\0';
1540 }
1541
1542return responsebuffer[0];
1543}
1544
1545
1546/* Negotiate dataphase with the cutthrough target, returning success boolean */
1547BOOL
5032d1cf 1548cutthrough_predata(void)
e4bdf652 1549{
5032d1cf 1550if(cutthrough.fd < 0)
e4bdf652
JH
1551 return FALSE;
1552
1553HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> DATA\n");
817d9f57
JH
1554cutthrough_puts(US"DATA\r\n", 6);
1555cutthrough_flush_send();
e4bdf652
JH
1556
1557/* Assume nothing buffered. If it was it gets ignored. */
1558return cutthrough_response('3', NULL) == '3';
1559}
1560
1561
511a6c14
JH
1562/* fd and use_crlf args only to match write_chunk() */
1563static BOOL
1564cutthrough_write_chunk(int fd, uschar * s, int len, BOOL use_crlf)
1565{
1566uschar * s2;
1567while(s && (s2 = Ustrchr(s, '\n')))
1568 {
1569 if(!cutthrough_puts(s, s2-s) || !cutthrough_put_nl())
1570 return FALSE;
1571 s = s2+1;
1572 }
1573return TRUE;
1574}
1575
1576
e4bdf652 1577/* Buffered send of headers. Return success boolean. */
817d9f57 1578/* Expands newlines to wire format (CR,NL). */
e4bdf652 1579/* Also sends header-terminating blank line. */
e4bdf652 1580BOOL
5032d1cf 1581cutthrough_headers_send(void)
e4bdf652 1582{
5032d1cf 1583if(cutthrough.fd < 0)
e4bdf652
JH
1584 return FALSE;
1585
511a6c14
JH
1586/* We share a routine with the mainline transport to handle header add/remove/rewrites,
1587 but having a separate buffered-output function (for now)
1588*/
1589HDEBUG(D_acl) debug_printf("----------- start cutthrough headers send -----------\n");
e4bdf652 1590
5032d1cf
JH
1591if (!transport_headers_send(&cutthrough.addr, cutthrough.fd,
1592 cutthrough.addr.transport->add_headers,
1593 cutthrough.addr.transport->remove_headers,
511a6c14 1594 &cutthrough_write_chunk, TRUE,
5032d1cf
JH
1595 cutthrough.addr.transport->rewrite_rules,
1596 cutthrough.addr.transport->rewrite_existflags))
511a6c14
JH
1597 return FALSE;
1598
1599HDEBUG(D_acl) debug_printf("----------- done cutthrough headers send ------------\n");
1600return TRUE;
817d9f57
JH
1601}
1602
1603
1604static void
5032d1cf 1605close_cutthrough_connection(const char * why)
817d9f57 1606{
5032d1cf 1607if(cutthrough.fd >= 0)
817d9f57
JH
1608 {
1609 /* We could be sending this after a bunch of data, but that is ok as
1610 the only way to cancel the transfer in dataphase is to drop the tcp
1611 conn before the final dot.
1612 */
1613 ctblock.ptr = ctbuffer;
1614 HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> QUIT\n");
1615 _cutthrough_puts(US"QUIT\r\n", 6); /* avoid recursion */
1616 _cutthrough_flush_send();
1617 /* No wait for response */
1618
1619 #ifdef SUPPORT_TLS
1620 tls_close(FALSE, TRUE);
1621 #endif
5032d1cf
JH
1622 (void)close(cutthrough.fd);
1623 cutthrough.fd = -1;
2e5b33cd 1624 HDEBUG(D_acl) debug_printf("----------- cutthrough shutdown (%s) ------------\n", why);
817d9f57
JH
1625 }
1626ctblock.ptr = ctbuffer;
e4bdf652
JH
1627}
1628
817d9f57 1629void
5032d1cf 1630cancel_cutthrough_connection(const char * why)
817d9f57 1631{
2e5b33cd 1632close_cutthrough_connection(why);
5032d1cf 1633cutthrough.delivery = FALSE;
817d9f57
JH
1634}
1635
1636
1637
e4bdf652
JH
1638
1639/* Have senders final-dot. Send one to cutthrough target, and grab the response.
1640 Log an OK response as a transmission.
817d9f57 1641 Close the connection.
e4bdf652 1642 Return smtp response-class digit.
e4bdf652
JH
1643*/
1644uschar *
5032d1cf 1645cutthrough_finaldot(void)
e4bdf652 1646{
5032d1cf
JH
1647uschar res;
1648address_item * addr;
e4bdf652
JH
1649HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> .\n");
1650
1651/* Assume data finshed with new-line */
5032d1cf
JH
1652if( !cutthrough_puts(US".", 1)
1653 || !cutthrough_put_nl()
1654 || !cutthrough_flush_send()
1655 )
1656 return cutthrough.addr.message;
e4bdf652 1657
5032d1cf
JH
1658res = cutthrough_response('2', &cutthrough.addr.message);
1659for (addr = &cutthrough.addr; addr; addr = addr->next)
817d9f57 1660 {
5032d1cf
JH
1661 addr->message = cutthrough.addr.message;
1662 switch(res)
1663 {
1664 case '2':
1665 delivery_log(LOG_MAIN, addr, (int)'>', NULL);
1666 close_cutthrough_connection("delivered");
1667 break;
817d9f57 1668
5032d1cf
JH
1669 case '4':
1670 delivery_log(LOG_MAIN, addr, 0,
1671 US"tmp-reject from cutthrough after DATA:");
1672 break;
e4bdf652 1673
5032d1cf
JH
1674 case '5':
1675 delivery_log(LOG_MAIN|LOG_REJECT, addr, 0,
1676 US"rejected after DATA:");
1677 break;
e4bdf652 1678
5032d1cf
JH
1679 default:
1680 break;
1681 }
817d9f57 1682 }
5032d1cf 1683return cutthrough.addr.message;
e4bdf652
JH
1684}
1685
1686
817d9f57 1687
059ec3d9
PH
1688/*************************************************
1689* Copy error to toplevel address *
1690*************************************************/
1691
1692/* This function is used when a verify fails or defers, to ensure that the
1693failure or defer information is in the original toplevel address. This applies
1694when an address is redirected to a single new address, and the failure or
1695deferral happens to the child address.
1696
1697Arguments:
1698 vaddr the verify address item
1699 addr the final address item
1700 yield FAIL or DEFER
1701
1702Returns: the value of YIELD
1703*/
1704
1705static int
1706copy_error(address_item *vaddr, address_item *addr, int yield)
1707{
1708if (addr != vaddr)
1709 {
1710 vaddr->message = addr->message;
1711 vaddr->user_message = addr->user_message;
1712 vaddr->basic_errno = addr->basic_errno;
1713 vaddr->more_errno = addr->more_errno;
d43cbe25 1714 vaddr->prop.address_data = addr->prop.address_data;
42855d71 1715 copyflag(vaddr, addr, af_pass_message);
059ec3d9
PH
1716 }
1717return yield;
1718}
1719
1720
1721
1722
ce552449
NM
1723/**************************************************
1724* printf that automatically handles TLS if needed *
1725***************************************************/
1726
1727/* This function is used by verify_address() as a substitute for all fprintf()
1728calls; a direct fprintf() will not produce output in a TLS SMTP session, such
1729as a response to an EXPN command. smtp_in.c makes smtp_printf available but
1730that assumes that we always use the smtp_out FILE* when not using TLS or the
1731ssl buffer when we are. Instead we take a FILE* parameter and check to see if
1732that is smtp_out; if so, smtp_printf() with TLS support, otherwise regular
1733fprintf().
1734
1735Arguments:
1736 f the candidate FILE* to write to
1737 format format string
1738 ... optional arguments
1739
1740Returns:
1741 nothing
1742*/
1743
1744static void PRINTF_FUNCTION(2,3)
1ba28e2b 1745respond_printf(FILE *f, const char *format, ...)
ce552449
NM
1746{
1747va_list ap;
1748
1749va_start(ap, format);
1750if (smtp_out && (f == smtp_out))
1751 smtp_vprintf(format, ap);
1752else
513afc6a 1753 vfprintf(f, format, ap);
ce552449
NM
1754va_end(ap);
1755}
1756
1757
1758
059ec3d9
PH
1759/*************************************************
1760* Verify an email address *
1761*************************************************/
1762
1763/* This function is used both for verification (-bv and at other times) and
1764address testing (-bt), which is indicated by address_test_mode being set.
1765
1766Arguments:
1767 vaddr contains the address to verify; the next field in this block
1768 must be NULL
1769 f if not NULL, write the result to this file
1770 options various option bits:
1771 vopt_fake_sender => this sender verify is not for the real
1772 sender (it was verify=sender=xxxx or an address from a
1773 header line) - rewriting must not change sender_address
1774 vopt_is_recipient => this is a recipient address, otherwise
1775 it's a sender address - this affects qualification and
1776 rewriting and messages from callouts
1777 vopt_qualify => qualify an unqualified address; else error
1778 vopt_expn => called from SMTP EXPN command
eafd343b
TK
1779 vopt_success_on_redirect => when a new address is generated
1780 the verification instantly succeeds
059ec3d9
PH
1781
1782 These ones are used by do_callout() -- the options variable
1783 is passed to it.
1784
2a4be8f9 1785 vopt_callout_fullpm => if postmaster check, do full one
059ec3d9
PH
1786 vopt_callout_no_cache => don't use callout cache
1787 vopt_callout_random => do the "random" thing
1788 vopt_callout_recipsender => use real sender for recipient
1789 vopt_callout_recippmaster => use postmaster for recipient
1790
1791 callout if > 0, specifies that callout is required, and gives timeout
4deaf07d 1792 for individual commands
059ec3d9
PH
1793 callout_overall if > 0, gives overall timeout for the callout function;
1794 if < 0, a default is used (see do_callout())
8e669ac1 1795 callout_connect the connection timeout for callouts
059ec3d9
PH
1796 se_mailfrom when callout is requested to verify a sender, use this
1797 in MAIL FROM; NULL => ""
1798 pm_mailfrom when callout is requested, if non-NULL, do the postmaster
1799 thing and use this as the sender address (may be "")
1800
1801 routed if not NULL, set TRUE if routing succeeded, so we can
1802 distinguish between routing failed and callout failed
1803
1804Returns: OK address verified
1805 FAIL address failed to verify
1806 DEFER can't tell at present
1807*/
1808
1809int
1810verify_address(address_item *vaddr, FILE *f, int options, int callout,
8e669ac1 1811 int callout_overall, int callout_connect, uschar *se_mailfrom,
4deaf07d 1812 uschar *pm_mailfrom, BOOL *routed)
059ec3d9
PH
1813{
1814BOOL allok = TRUE;
1815BOOL full_info = (f == NULL)? FALSE : (debug_selector != 0);
059ec3d9 1816BOOL expn = (options & vopt_expn) != 0;
eafd343b 1817BOOL success_on_redirect = (options & vopt_success_on_redirect) != 0;
059ec3d9
PH
1818int i;
1819int yield = OK;
1820int verify_type = expn? v_expn :
1821 address_test_mode? v_none :
8b9476ba 1822 options & vopt_is_recipient? v_recipient : v_sender;
059ec3d9
PH
1823address_item *addr_list;
1824address_item *addr_new = NULL;
1825address_item *addr_remote = NULL;
1826address_item *addr_local = NULL;
1827address_item *addr_succeed = NULL;
8b9476ba
JH
1828uschar **failure_ptr = options & vopt_is_recipient
1829 ? &recipient_verify_failure : &sender_verify_failure;
059ec3d9
PH
1830uschar *ko_prefix, *cr;
1831uschar *address = vaddr->address;
1832uschar *save_sender;
1833uschar null_sender[] = { 0 }; /* Ensure writeable memory */
1834
2c7db3f5
PH
1835/* Clear, just in case */
1836
1837*failure_ptr = NULL;
1838
059ec3d9
PH
1839/* Set up a prefix and suffix for error message which allow us to use the same
1840output statements both in EXPN mode (where an SMTP response is needed) and when
1841debugging with an output file. */
1842
1843if (expn)
1844 {
1845 ko_prefix = US"553 ";
1846 cr = US"\r";
1847 }
1848else ko_prefix = cr = US"";
1849
1850/* Add qualify domain if permitted; otherwise an unqualified address fails. */
1851
1852if (parse_find_at(address) == NULL)
1853 {
1854 if ((options & vopt_qualify) == 0)
1855 {
1856 if (f != NULL)
ce552449
NM
1857 respond_printf(f, "%sA domain is required for \"%s\"%s\n",
1858 ko_prefix, address, cr);
8e669ac1 1859 *failure_ptr = US"qualify";
059ec3d9
PH
1860 return FAIL;
1861 }
8b9476ba 1862 address = rewrite_address_qualify(address, options & vopt_is_recipient);
059ec3d9
PH
1863 }
1864
1865DEBUG(D_verify)
1866 {
1867 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1868 debug_printf("%s %s\n", address_test_mode? "Testing" : "Verifying", address);
1869 }
1870
1871/* Rewrite and report on it. Clear the domain and local part caches - these
1872may have been set by domains and local part tests during an ACL. */
1873
1874if (global_rewrite_rules != NULL)
1875 {
1876 uschar *old = address;
8b9476ba 1877 address = rewrite_address(address, options & vopt_is_recipient, FALSE,
059ec3d9
PH
1878 global_rewrite_rules, rewrite_existflags);
1879 if (address != old)
1880 {
1881 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->localpart_cache[i] = 0;
1882 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->domain_cache[i] = 0;
1883 if (f != NULL && !expn) fprintf(f, "Address rewritten as: %s\n", address);
1884 }
1885 }
1886
1887/* If this is the real sender address, we must update sender_address at
1888this point, because it may be referred to in the routers. */
1889
1890if ((options & (vopt_fake_sender|vopt_is_recipient)) == 0)
1891 sender_address = address;
1892
1893/* If the address was rewritten to <> no verification can be done, and we have
1894to return OK. This rewriting is permitted only for sender addresses; for other
1895addresses, such rewriting fails. */
1896
1897if (address[0] == 0) return OK;
1898
d9b2312b
JH
1899/* Flip the legacy TLS-related variables over to the outbound set in case
1900they're used in the context of a transport used by verification. Reset them
ea90b718 1901at exit from this routine (so no returns allowed from here on). */
d9b2312b 1902
35aba663 1903tls_modify_variables(&tls_out);
d9b2312b 1904
059ec3d9
PH
1905/* Save a copy of the sender address for re-instating if we change it to <>
1906while verifying a sender address (a nice bit of self-reference there). */
1907
1908save_sender = sender_address;
1909
ea90b718
JH
1910/* Observability variable for router/transport use */
1911
8b9476ba 1912verify_mode = options & vopt_is_recipient ? US"R" : US"S";
ea90b718 1913
059ec3d9
PH
1914/* Update the address structure with the possibly qualified and rewritten
1915address. Set it up as the starting address on the chain of new addresses. */
1916
1917vaddr->address = address;
1918addr_new = vaddr;
1919
1920/* We need a loop, because an address can generate new addresses. We must also
1921cope with generated pipes and files at the top level. (See also the code and
1922comment in deliver.c.) However, it is usually the case that the router for
1923user's .forward files has its verify flag turned off.
1924
1925If an address generates more than one child, the loop is used only when
1926full_info is set, and this can only be set locally. Remote enquiries just get
1927information about the top level address, not anything that it generated. */
1928
ea90b718 1929while (addr_new)
059ec3d9
PH
1930 {
1931 int rc;
1932 address_item *addr = addr_new;
1933
1934 addr_new = addr->next;
1935 addr->next = NULL;
1936
1937 DEBUG(D_verify)
1938 {
1939 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1940 debug_printf("Considering %s\n", addr->address);
1941 }
1942
1943 /* Handle generated pipe, file or reply addresses. We don't get these
1944 when handling EXPN, as it does only one level of expansion. */
1945
1946 if (testflag(addr, af_pfr))
1947 {
1948 allok = FALSE;
1949 if (f != NULL)
1950 {
1951 BOOL allow;
1952
1953 if (addr->address[0] == '>')
1954 {
1955 allow = testflag(addr, af_allow_reply);
1956 fprintf(f, "%s -> mail %s", addr->parent->address, addr->address + 1);
1957 }
1958 else
1959 {
1960 allow = (addr->address[0] == '|')?
1961 testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file);
1962 fprintf(f, "%s -> %s", addr->parent->address, addr->address);
1963 }
1964
1965 if (addr->basic_errno == ERRNO_BADTRANSPORT)
1966 fprintf(f, "\n*** Error in setting up pipe, file, or autoreply:\n"
1967 "%s\n", addr->message);
1968 else if (allow)
1969 fprintf(f, "\n transport = %s\n", addr->transport->name);
1970 else
1971 fprintf(f, " *** forbidden ***\n");
1972 }
1973 continue;
1974 }
1975
1976 /* Just in case some router parameter refers to it. */
1977
2f682e45
JH
1978 return_path = addr->prop.errors_address
1979 ? addr->prop.errors_address : sender_address;
059ec3d9
PH
1980
1981 /* Split the address into domain and local part, handling the %-hack if
1982 necessary, and then route it. While routing a sender address, set
1983 $sender_address to <> because that is what it will be if we were trying to
1984 send a bounce to the sender. */
1985
2f682e45 1986 if (routed) *routed = FALSE;
059ec3d9
PH
1987 if ((rc = deliver_split_address(addr)) == OK)
1988 {
8b9476ba 1989 if (!(options & vopt_is_recipient)) sender_address = null_sender;
059ec3d9
PH
1990 rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
1991 &addr_succeed, verify_type);
1992 sender_address = save_sender; /* Put back the real sender */
1993 }
1994
1995 /* If routing an address succeeded, set the flag that remembers, for use when
1996 an ACL cached a sender verify (in case a callout fails). Then if routing set
1997 up a list of hosts or the transport has a host list, and the callout option
1998 is set, and we aren't in a host checking run, do the callout verification,
1999 and set another flag that notes that a callout happened. */
2000
2001 if (rc == OK)
2002 {
2f682e45 2003 if (routed) *routed = TRUE;
059ec3d9
PH
2004 if (callout > 0)
2005 {
08f3b11b 2006 transport_instance * tp;
2f682e45 2007 host_item * host_list = addr->host_list;
059ec3d9 2008
26da7e20
PH
2009 /* Make up some data for use in the case where there is no remote
2010 transport. */
2011
2012 transport_feedback tf = {
2013 NULL, /* interface (=> any) */
2014 US"smtp", /* port */
2015 US"smtp", /* protocol */
2016 NULL, /* hosts */
2017 US"$smtp_active_hostname", /* helo_data */
2018 FALSE, /* hosts_override */
2019 FALSE, /* hosts_randomize */
2020 FALSE, /* gethostbyname */
2021 TRUE, /* qualify_single */
2022 FALSE /* search_parents */
2023 };
059ec3d9
PH
2024
2025 /* If verification yielded a remote transport, we want to use that
2026 transport's options, so as to mimic what would happen if we were really
2027 sending a message to this address. */
2028
08f3b11b 2029 if ((tp = addr->transport) && !tp->info->local)
059ec3d9 2030 {
08f3b11b 2031 (void)(tp->setup)(tp, addr, &tf, 0, 0, NULL);
059ec3d9
PH
2032
2033 /* If the transport has hosts and the router does not, or if the
2034 transport is configured to override the router's hosts, we must build a
2035 host list of the transport's hosts, and find the IP addresses */
2036
2f682e45 2037 if (tf.hosts && (!host_list || tf.hosts_override))
059ec3d9
PH
2038 {
2039 uschar *s;
55414b25 2040 const uschar *save_deliver_domain = deliver_domain;
750af86e 2041 uschar *save_deliver_localpart = deliver_localpart;
059ec3d9
PH
2042
2043 host_list = NULL; /* Ignore the router's hosts */
2044
2045 deliver_domain = addr->domain;
2046 deliver_localpart = addr->local_part;
2047 s = expand_string(tf.hosts);
750af86e
PH
2048 deliver_domain = save_deliver_domain;
2049 deliver_localpart = save_deliver_localpart;
059ec3d9 2050
2f682e45 2051 if (!s)
059ec3d9
PH
2052 {
2053 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand list of hosts "
2054 "\"%s\" in %s transport for callout: %s", tf.hosts,
08f3b11b 2055 tp->name, expand_string_message);
059ec3d9
PH
2056 }
2057 else
2058 {
322050c2 2059 int flags;
d8ef3577 2060 host_item *host, *nexthost;
059ec3d9
PH
2061 host_build_hostlist(&host_list, s, tf.hosts_randomize);
2062
2063 /* Just ignore failures to find a host address. If we don't manage
8e669ac1
PH
2064 to find any addresses, the callout will defer. Note that more than
2065 one address may be found for a single host, which will result in
2066 additional host items being inserted into the chain. Hence we must
d8ef3577 2067 save the next host first. */
059ec3d9 2068
322050c2
PH
2069 flags = HOST_FIND_BY_A;
2070 if (tf.qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
2071 if (tf.search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
2072
2f682e45 2073 for (host = host_list; host; host = nexthost)
059ec3d9 2074 {
d8ef3577 2075 nexthost = host->next;
8e669ac1 2076 if (tf.gethostbyname ||
7e66e54d 2077 string_is_ip_address(host->name, NULL) != 0)
55414b25 2078 (void)host_find_byname(host, NULL, flags, NULL, TRUE);
059ec3d9 2079 else
9d9c3746 2080 {
7cd171b7 2081 dnssec_domains * dnssec_domains = NULL;
08f3b11b 2082 if (Ustrcmp(tp->driver_name, "smtp") == 0)
9d9c3746
JH
2083 {
2084 smtp_transport_options_block * ob =
08f3b11b 2085 (smtp_transport_options_block *) tp->options_block;
7cd171b7 2086 dnssec_domains = &ob->dnssec;
9d9c3746
JH
2087 }
2088
059ec3d9 2089 (void)host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
7cd171b7 2090 dnssec_domains, NULL, NULL);
9d9c3746 2091 }
059ec3d9
PH
2092 }
2093 }
2094 }
2095 }
2096
8e669ac1 2097 /* Can only do a callout if we have at least one host! If the callout
2c7db3f5 2098 fails, it will have set ${sender,recipient}_verify_failure. */
059ec3d9 2099
2f682e45 2100 if (host_list)
059ec3d9
PH
2101 {
2102 HDEBUG(D_verify) debug_printf("Attempting full verification using callout\n");
2103 if (host_checking && !host_checking_callout)
2104 {
2105 HDEBUG(D_verify)
2106 debug_printf("... callout omitted by default when host testing\n"
2107 "(Use -bhc if you want the callouts to happen.)\n");
2108 }
2109 else
2110 {
4ed8d31a
JH
2111#ifdef SUPPORT_TLS
2112 deliver_set_expansions(addr);
2113#endif
059ec3d9 2114 rc = do_callout(addr, host_list, &tf, callout, callout_overall,
4deaf07d 2115 callout_connect, options, se_mailfrom, pm_mailfrom);
059ec3d9
PH
2116 }
2117 }
2118 else
2119 {
2120 HDEBUG(D_verify) debug_printf("Cannot do callout: neither router nor "
2121 "transport provided a host list\n");
2122 }
2123 }
2124 }
8e669ac1 2125
2c7db3f5 2126 /* Otherwise, any failure is a routing failure */
8e669ac1
PH
2127
2128 else *failure_ptr = US"route";
059ec3d9
PH
2129
2130 /* A router may return REROUTED if it has set up a child address as a result
2131 of a change of domain name (typically from widening). In this case we always
2132 want to continue to verify the new child. */
2133
2134 if (rc == REROUTED) continue;
8e669ac1 2135
059ec3d9
PH
2136 /* Handle hard failures */
2137
2138 if (rc == FAIL)
2139 {
2140 allok = FALSE;
2f682e45 2141 if (f)
059ec3d9 2142 {
e6f6568e
PH
2143 address_item *p = addr->parent;
2144
ce552449 2145 respond_printf(f, "%s%s %s", ko_prefix,
2f682e45
JH
2146 full_info ? addr->address : address,
2147 address_test_mode ? "is undeliverable" : "failed to verify");
059ec3d9
PH
2148 if (!expn && admin_user)
2149 {
2150 if (addr->basic_errno > 0)
ce552449 2151 respond_printf(f, ": %s", strerror(addr->basic_errno));
2f682e45 2152 if (addr->message)
ce552449 2153 respond_printf(f, ": %s", addr->message);
e6f6568e
PH
2154 }
2155
2156 /* Show parents iff doing full info */
2157
2f682e45 2158 if (full_info) while (p)
e6f6568e 2159 {
ce552449 2160 respond_printf(f, "%s\n <-- %s", cr, p->address);
e6f6568e 2161 p = p->parent;
059ec3d9 2162 }
ce552449 2163 respond_printf(f, "%s\n", cr);
059ec3d9 2164 }
2e5b33cd 2165 cancel_cutthrough_connection("routing hard fail");
059ec3d9 2166
d9b2312b 2167 if (!full_info)
2f682e45 2168 {
d9b2312b
JH
2169 yield = copy_error(vaddr, addr, FAIL);
2170 goto out;
2f682e45
JH
2171 }
2172 yield = FAIL;
059ec3d9
PH
2173 }
2174
2175 /* Soft failure */
2176
2177 else if (rc == DEFER)
2178 {
2179 allok = FALSE;
2f682e45 2180 if (f)
059ec3d9 2181 {
e6f6568e 2182 address_item *p = addr->parent;
ce552449 2183 respond_printf(f, "%s%s cannot be resolved at this time", ko_prefix,
322050c2 2184 full_info? addr->address : address);
059ec3d9
PH
2185 if (!expn && admin_user)
2186 {
2187 if (addr->basic_errno > 0)
ce552449 2188 respond_printf(f, ": %s", strerror(addr->basic_errno));
2f682e45 2189 if (addr->message)
ce552449 2190 respond_printf(f, ": %s", addr->message);
059ec3d9 2191 else if (addr->basic_errno <= 0)
ce552449 2192 respond_printf(f, ": unknown error");
059ec3d9
PH
2193 }
2194
e6f6568e
PH
2195 /* Show parents iff doing full info */
2196
2f682e45 2197 if (full_info) while (p)
e6f6568e 2198 {
ce552449 2199 respond_printf(f, "%s\n <-- %s", cr, p->address);
e6f6568e
PH
2200 p = p->parent;
2201 }
ce552449 2202 respond_printf(f, "%s\n", cr);
059ec3d9 2203 }
2e5b33cd 2204 cancel_cutthrough_connection("routing soft fail");
e4bdf652 2205
d9b2312b
JH
2206 if (!full_info)
2207 {
2208 yield = copy_error(vaddr, addr, DEFER);
2209 goto out;
2210 }
2f682e45 2211 if (yield == OK) yield = DEFER;
059ec3d9
PH
2212 }
2213
2214 /* If we are handling EXPN, we do not want to continue to route beyond
e6f6568e 2215 the top level (whose address is in "address"). */
059ec3d9
PH
2216
2217 else if (expn)
2218 {
2219 uschar *ok_prefix = US"250-";
2f682e45
JH
2220
2221 if (!addr_new)
2222 if (!addr_local && !addr_remote)
ce552449 2223 respond_printf(f, "250 mail to <%s> is discarded\r\n", address);
059ec3d9 2224 else
ce552449 2225 respond_printf(f, "250 <%s>\r\n", address);
2f682e45
JH
2226
2227 else do
059ec3d9
PH
2228 {
2229 address_item *addr2 = addr_new;
2230 addr_new = addr2->next;
2f682e45 2231 if (!addr_new) ok_prefix = US"250 ";
ce552449 2232 respond_printf(f, "%s<%s>\r\n", ok_prefix, addr2->address);
2f682e45 2233 } while (addr_new);
d9b2312b
JH
2234 yield = OK;
2235 goto out;
059ec3d9
PH
2236 }
2237
2238 /* Successful routing other than EXPN. */
2239
2240 else
2241 {
2242 /* Handle successful routing when short info wanted. Otherwise continue for
2243 other (generated) addresses. Short info is the operational case. Full info
2244 can be requested only when debug_selector != 0 and a file is supplied.
2245
2246 There is a conflict between the use of aliasing as an alternate email
2247 address, and as a sort of mailing list. If an alias turns the incoming
2248 address into just one address (e.g. J.Caesar->jc44) you may well want to
2249 carry on verifying the generated address to ensure it is valid when
2250 checking incoming mail. If aliasing generates multiple addresses, you
2251 probably don't want to do this. Exim therefore treats the generation of
2252 just a single new address as a special case, and continues on to verify the
2253 generated address. */
2254
2f682e45
JH
2255 if ( !full_info /* Stop if short info wanted AND */
2256 && ( ( !addr_new /* No new address OR */
2257 || addr_new->next /* More than one new address OR */
2258 || testflag(addr_new, af_pfr) /* New address is pfr */
2259 )
2260 || /* OR */
2261 ( addr_new /* At least one new address AND */
2262 && success_on_redirect /* success_on_redirect is set */
2263 ) )
2264 )
059ec3d9 2265 {
2f682e45
JH
2266 if (f) fprintf(f, "%s %s\n",
2267 address, address_test_mode ? "is deliverable" : "verified");
059ec3d9
PH
2268
2269 /* If we have carried on to verify a child address, we want the value
2270 of $address_data to be that of the child */
2271
d43cbe25 2272 vaddr->prop.address_data = addr->prop.address_data;
98c82a3d
JH
2273
2274 /* If stopped because more than one new address, cannot cutthrough */
2275
2276 if (addr_new && addr_new->next)
2277 cancel_cutthrough_connection("multiple addresses from routing");
2278
d9b2312b
JH
2279 yield = OK;
2280 goto out;
059ec3d9
PH
2281 }
2282 }
2283 } /* Loop for generated addresses */
2284
2285/* Display the full results of the successful routing, including any generated
2286addresses. Control gets here only when full_info is set, which requires f not
2287to be NULL, and this occurs only when a top-level verify is called with the
2288debugging switch on.
2289
2290If there are no local and no remote addresses, and there were no pipes, files,
2291or autoreplies, and there were no errors or deferments, the message is to be
2292discarded, usually because of the use of :blackhole: in an alias file. */
2293
2f682e45 2294if (allok && !addr_local && !addr_remote)
dbcef0ea 2295 {
059ec3d9 2296 fprintf(f, "mail to %s is discarded\n", address);
d9b2312b 2297 goto out;
dbcef0ea 2298 }
059ec3d9 2299
dbcef0ea 2300for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
08f3b11b 2301 while (addr_list)
059ec3d9
PH
2302 {
2303 address_item *addr = addr_list;
2304 address_item *p = addr->parent;
08f3b11b
JH
2305 transport_instance * tp = addr->transport;
2306
059ec3d9
PH
2307 addr_list = addr->next;
2308
2309 fprintf(f, "%s", CS addr->address);
384152a6 2310#ifdef EXPERIMENTAL_SRS
d43cbe25
JH
2311 if(addr->prop.srs_sender)
2312 fprintf(f, " [srs = %s]", addr->prop.srs_sender);
384152a6 2313#endif
dbcef0ea
PH
2314
2315 /* If the address is a duplicate, show something about it. */
2316
2317 if (!testflag(addr, af_pfr))
2318 {
2319 tree_node *tnode;
08f3b11b 2320 if ((tnode = tree_search(tree_duplicates, addr->unique)))
dbcef0ea
PH
2321 fprintf(f, " [duplicate, would not be delivered]");
2322 else tree_add_duplicate(addr->unique, addr);
2323 }
2324
2325 /* Now show its parents */
2326
08f3b11b 2327 for (p = addr->parent; p; p = p->parent)
059ec3d9 2328 fprintf(f, "\n <-- %s", p->address);
059ec3d9
PH
2329 fprintf(f, "\n ");
2330
2331 /* Show router, and transport */
2332
08f3b11b
JH
2333 fprintf(f, "router = %s, transport = %s\n",
2334 addr->router->name, tp ? tp->name : US"unset");
059ec3d9
PH
2335
2336 /* Show any hosts that are set up by a router unless the transport
2337 is going to override them; fiddle a bit to get a nice format. */
2338
08f3b11b 2339 if (addr->host_list && tp && !tp->overrides_hosts)
059ec3d9
PH
2340 {
2341 host_item *h;
2342 int maxlen = 0;
2343 int maxaddlen = 0;
08f3b11b
JH
2344 for (h = addr->host_list; h; h = h->next)
2345 { /* get max lengths of host names, addrs */
059ec3d9
PH
2346 int len = Ustrlen(h->name);
2347 if (len > maxlen) maxlen = len;
08f3b11b 2348 len = h->address ? Ustrlen(h->address) : 7;
059ec3d9
PH
2349 if (len > maxaddlen) maxaddlen = len;
2350 }
08f3b11b
JH
2351 for (h = addr->host_list; h; h = h->next)
2352 {
2353 fprintf(f, " host %-*s ", maxlen, h->name);
2354
2355 if (h->address)
2356 fprintf(f, "[%s%-*c", h->address, maxaddlen+1 - Ustrlen(h->address), ']');
2357 else if (tp->info->local)
2358 fprintf(f, " %-*s ", maxaddlen, ""); /* Omit [unknown] for local */
2359 else
2360 fprintf(f, "[%s%-*c", "unknown", maxaddlen+1 - 7, ']');
2361
2362 if (h->mx >= 0) fprintf(f, " MX=%d", h->mx);
059ec3d9 2363 if (h->port != PORT_NONE) fprintf(f, " port=%d", h->port);
08f3b11b
JH
2364 if (running_in_test_harness && h->dnssec == DS_YES) fputs(" AD", f);
2365 if (h->status == hstatus_unusable) fputs(" ** unusable **", f);
2366 fputc('\n', f);
059ec3d9
PH
2367 }
2368 }
2369 }
059ec3d9 2370
d9b2312b 2371/* Yield will be DEFER or FAIL if any one address has, only for full_info (which is
2c7db3f5
PH
2372the -bv or -bt case). */
2373
d9b2312b 2374out:
ea90b718 2375verify_mode = NULL;
35aba663 2376tls_modify_variables(&tls_in);
d9b2312b 2377
8e669ac1 2378return yield;
059ec3d9
PH
2379}
2380
2381
2382
2383
2384/*************************************************
2385* Check headers for syntax errors *
2386*************************************************/
2387
2388/* This function checks those header lines that contain addresses, and verifies
2389that all the addresses therein are syntactially correct.
2390
2391Arguments:
2392 msgptr where to put an error message
2393
2394Returns: OK
2395 FAIL
2396*/
2397
2398int
2399verify_check_headers(uschar **msgptr)
2400{
2401header_line *h;
2402uschar *colon, *s;
1eccaa59 2403int yield = OK;
059ec3d9 2404
1eccaa59 2405for (h = header_list; h != NULL && yield == OK; h = h->next)
059ec3d9
PH
2406 {
2407 if (h->type != htype_from &&
2408 h->type != htype_reply_to &&
2409 h->type != htype_sender &&
2410 h->type != htype_to &&
2411 h->type != htype_cc &&
2412 h->type != htype_bcc)
2413 continue;
2414
2415 colon = Ustrchr(h->text, ':');
2416 s = colon + 1;
2417 while (isspace(*s)) s++;
2418
1eccaa59
PH
2419 /* Loop for multiple addresses in the header, enabling group syntax. Note
2420 that we have to reset this after the header has been scanned. */
059ec3d9 2421
1eccaa59 2422 parse_allow_group = TRUE;
059ec3d9
PH
2423
2424 while (*s != 0)
2425 {
2426 uschar *ss = parse_find_address_end(s, FALSE);
2427 uschar *recipient, *errmess;
2428 int terminator = *ss;
2429 int start, end, domain;
2430
2431 /* Temporarily terminate the string at this point, and extract the
1eccaa59 2432 operative address within, allowing group syntax. */
059ec3d9
PH
2433
2434 *ss = 0;
2435 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
2436 *ss = terminator;
2437
2438 /* Permit an unqualified address only if the message is local, or if the
2439 sending host is configured to be permitted to send them. */
2440
2441 if (recipient != NULL && domain == 0)
2442 {
2443 if (h->type == htype_from || h->type == htype_sender)
2444 {
2445 if (!allow_unqualified_sender) recipient = NULL;
2446 }
2447 else
2448 {
2449 if (!allow_unqualified_recipient) recipient = NULL;
2450 }
2451 if (recipient == NULL) errmess = US"unqualified address not permitted";
2452 }
2453
2454 /* It's an error if no address could be extracted, except for the special
2455 case of an empty address. */
2456
2457 if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0)
2458 {
2459 uschar *verb = US"is";
2460 uschar *t = ss;
1ab95fa6 2461 uschar *tt = colon;
059ec3d9
PH
2462 int len;
2463
2464 /* Arrange not to include any white space at the end in the
1ab95fa6 2465 error message or the header name. */
059ec3d9
PH
2466
2467 while (t > s && isspace(t[-1])) t--;
1ab95fa6 2468 while (tt > h->text && isspace(tt[-1])) tt--;
059ec3d9 2469
1ab95fa6 2470 /* Add the address that failed to the error message, since in a
059ec3d9
PH
2471 header with very many addresses it is sometimes hard to spot
2472 which one is at fault. However, limit the amount of address to
2473 quote - cases have been seen where, for example, a missing double
2474 quote in a humungous To: header creates an "address" that is longer
2475 than string_sprintf can handle. */
2476
2477 len = t - s;
2478 if (len > 1024)
2479 {
2480 len = 1024;
2481 verb = US"begins";
2482 }
2483
55414b25
JH
2484 /* deconst cast ok as we're passing a non-const to string_printing() */
2485 *msgptr = US string_printing(
1ab95fa6
PH
2486 string_sprintf("%s: failing address in \"%.*s:\" header %s: %.*s",
2487 errmess, tt - h->text, h->text, verb, len, s));
059ec3d9 2488
1eccaa59
PH
2489 yield = FAIL;
2490 break; /* Out of address loop */
059ec3d9
PH
2491 }
2492
2493 /* Advance to the next address */
2494
2495 s = ss + (terminator? 1:0);
2496 while (isspace(*s)) s++;
2497 } /* Next address */
059ec3d9 2498
1eccaa59
PH
2499 parse_allow_group = FALSE;
2500 parse_found_group = FALSE;
2501 } /* Next header unless yield has been set FALSE */
2502
2503return yield;
059ec3d9
PH
2504}
2505
2506
770747fd
MFM
2507/*************************************************
2508* Check header names for 8-bit characters *
2509*************************************************/
2510
2511/* This function checks for invalid charcters in header names. See
2512RFC 5322, 2.2. and RFC 6532, 3.
2513
2514Arguments:
2515 msgptr where to put an error message
2516
2517Returns: OK
2518 FAIL
2519*/
2520
2521int
2522verify_check_header_names_ascii(uschar **msgptr)
2523{
2524header_line *h;
2525uschar *colon, *s;
2526
2527for (h = header_list; h != NULL; h = h->next)
2528 {
2529 colon = Ustrchr(h->text, ':');
2530 for(s = h->text; s < colon; s++)
2531 {
2532 if ((*s < 33) || (*s > 126))
2533 {
2534 *msgptr = string_sprintf("Invalid character in header \"%.*s\" found",
2535 colon - h->text, h->text);
2536 return FAIL;
2537 }
2538 }
2539 }
2540return OK;
2541}
059ec3d9 2542
1c41c9cc
PH
2543/*************************************************
2544* Check for blind recipients *
2545*************************************************/
2546
2547/* This function checks that every (envelope) recipient is mentioned in either
2548the To: or Cc: header lines, thus detecting blind carbon copies.
2549
2550There are two ways of scanning that could be used: either scan the header lines
2551and tick off the recipients, or scan the recipients and check the header lines.
2552The original proposed patch did the former, but I have chosen to do the latter,
2553because (a) it requires no memory and (b) will use fewer resources when there
2554are many addresses in To: and/or Cc: and only one or two envelope recipients.
2555
2556Arguments: none
2557Returns: OK if there are no blind recipients
2558 FAIL if there is at least one blind recipient
2559*/
2560
2561int
2562verify_check_notblind(void)
2563{
2564int i;
2565for (i = 0; i < recipients_count; i++)
2566 {
2567 header_line *h;
2568 BOOL found = FALSE;
2569 uschar *address = recipients_list[i].address;
2570
2571 for (h = header_list; !found && h != NULL; h = h->next)
2572 {
2573 uschar *colon, *s;
2574
2575 if (h->type != htype_to && h->type != htype_cc) continue;
2576
2577 colon = Ustrchr(h->text, ':');
2578 s = colon + 1;
2579 while (isspace(*s)) s++;
2580
1eccaa59
PH
2581 /* Loop for multiple addresses in the header, enabling group syntax. Note
2582 that we have to reset this after the header has been scanned. */
1c41c9cc 2583
1eccaa59 2584 parse_allow_group = TRUE;
1c41c9cc
PH
2585
2586 while (*s != 0)
2587 {
2588 uschar *ss = parse_find_address_end(s, FALSE);
2589 uschar *recipient,*errmess;
2590 int terminator = *ss;
2591 int start, end, domain;
2592
2593 /* Temporarily terminate the string at this point, and extract the
1eccaa59 2594 operative address within, allowing group syntax. */
1c41c9cc
PH
2595
2596 *ss = 0;
2597 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
2598 *ss = terminator;
2599
2600 /* If we found a valid recipient that has a domain, compare it with the
2601 envelope recipient. Local parts are compared case-sensitively, domains
2602 case-insensitively. By comparing from the start with length "domain", we
2603 include the "@" at the end, which ensures that we are comparing the whole
2604 local part of each address. */
2605
2606 if (recipient != NULL && domain != 0)
2607 {
2608 found = Ustrncmp(recipient, address, domain) == 0 &&
2609 strcmpic(recipient + domain, address + domain) == 0;
2610 if (found) break;
2611 }
2612
2613 /* Advance to the next address */
2614
2615 s = ss + (terminator? 1:0);
2616 while (isspace(*s)) s++;
2617 } /* Next address */
1eccaa59
PH
2618
2619 parse_allow_group = FALSE;
2620 parse_found_group = FALSE;
1c41c9cc
PH
2621 } /* Next header (if found is false) */
2622
2623 if (!found) return FAIL;
2624 } /* Next recipient */
2625
2626return OK;
2627}
2628
2629
059ec3d9
PH
2630
2631/*************************************************
2632* Find if verified sender *
2633*************************************************/
2634
2635/* Usually, just a single address is verified as the sender of the message.
2636However, Exim can be made to verify other addresses as well (often related in
2637some way), and this is useful in some environments. There may therefore be a
2638chain of such addresses that have previously been tested. This function finds
2639whether a given address is on the chain.
2640
2641Arguments: the address to be verified
2642Returns: pointer to an address item, or NULL
2643*/
2644
2645address_item *
2646verify_checked_sender(uschar *sender)
2647{
2648address_item *addr;
2649for (addr = sender_verified_list; addr != NULL; addr = addr->next)
2650 if (Ustrcmp(sender, addr->address) == 0) break;
2651return addr;
2652}
2653
2654
2655
2656
2657
2658/*************************************************
2659* Get valid header address *
2660*************************************************/
2661
2662/* Scan the originator headers of the message, looking for an address that
2663verifies successfully. RFC 822 says:
2664
2665 o The "Sender" field mailbox should be sent notices of
2666 any problems in transport or delivery of the original
2667 messages. If there is no "Sender" field, then the
2668 "From" field mailbox should be used.
2669
2670 o If the "Reply-To" field exists, then the reply should
2671 go to the addresses indicated in that field and not to
2672 the address(es) indicated in the "From" field.
2673
2674So we check a Sender field if there is one, else a Reply_to field, else a From
2675field. As some strange messages may have more than one of these fields,
2676especially if they are resent- fields, check all of them if there is more than
2677one.
2678
2679Arguments:
2680 user_msgptr points to where to put a user error message
2681 log_msgptr points to where to put a log error message
2682 callout timeout for callout check (passed to verify_address())
2683 callout_overall overall callout timeout (ditto)
8e669ac1 2684 callout_connect connect callout timeout (ditto)
059ec3d9
PH
2685 se_mailfrom mailfrom for verify; NULL => ""
2686 pm_mailfrom sender for pm callout check (passed to verify_address())
2687 options callout options (passed to verify_address())
8e669ac1 2688 verrno where to put the address basic_errno
059ec3d9
PH
2689
2690If log_msgptr is set to something without setting user_msgptr, the caller
2691normally uses log_msgptr for both things.
2692
2693Returns: result of the verification attempt: OK, FAIL, or DEFER;
2694 FAIL is given if no appropriate headers are found
2695*/
2696
2697int
2698verify_check_header_address(uschar **user_msgptr, uschar **log_msgptr,
8e669ac1 2699 int callout, int callout_overall, int callout_connect, uschar *se_mailfrom,
fe5b5d0b 2700 uschar *pm_mailfrom, int options, int *verrno)
059ec3d9
PH
2701{
2702static int header_types[] = { htype_sender, htype_reply_to, htype_from };
1eccaa59 2703BOOL done = FALSE;
059ec3d9
PH
2704int yield = FAIL;
2705int i;
2706
1eccaa59 2707for (i = 0; i < 3 && !done; i++)
059ec3d9
PH
2708 {
2709 header_line *h;
1eccaa59 2710 for (h = header_list; h != NULL && !done; h = h->next)
059ec3d9
PH
2711 {
2712 int terminator, new_ok;
2713 uschar *s, *ss, *endname;
2714
2715 if (h->type != header_types[i]) continue;
2716 s = endname = Ustrchr(h->text, ':') + 1;
2717
1eccaa59
PH
2718 /* Scan the addresses in the header, enabling group syntax. Note that we
2719 have to reset this after the header has been scanned. */
2720
2721 parse_allow_group = TRUE;
2722
059ec3d9
PH
2723 while (*s != 0)
2724 {
2725 address_item *vaddr;
2726
2727 while (isspace(*s) || *s == ',') s++;
2728 if (*s == 0) break; /* End of header */
2729
2730 ss = parse_find_address_end(s, FALSE);
2731
2732 /* The terminator is a comma or end of header, but there may be white
2733 space preceding it (including newline for the last address). Move back
2734 past any white space so we can check against any cached envelope sender
2735 address verifications. */
2736
2737 while (isspace(ss[-1])) ss--;
2738 terminator = *ss;
2739 *ss = 0;
2740
2741 HDEBUG(D_verify) debug_printf("verifying %.*s header address %s\n",
2742 (int)(endname - h->text), h->text, s);
2743
2744 /* See if we have already verified this address as an envelope sender,
2745 and if so, use the previous answer. */
2746
2747 vaddr = verify_checked_sender(s);
2748
2749 if (vaddr != NULL && /* Previously checked */
2750 (callout <= 0 || /* No callout needed; OR */
2751 vaddr->special_action > 256)) /* Callout was done */
2752 {
2753 new_ok = vaddr->special_action & 255;
2754 HDEBUG(D_verify) debug_printf("previously checked as envelope sender\n");
2755 *ss = terminator; /* Restore shortened string */
2756 }
2757
2758 /* Otherwise we run the verification now. We must restore the shortened
2759 string before running the verification, so the headers are correct, in
2760 case there is any rewriting. */
2761
2762 else
2763 {
2764 int start, end, domain;
1eccaa59
PH
2765 uschar *address = parse_extract_address(s, log_msgptr, &start, &end,
2766 &domain, FALSE);
059ec3d9
PH
2767
2768 *ss = terminator;
2769
1eccaa59
PH
2770 /* If we found an empty address, just carry on with the next one, but
2771 kill the message. */
2772
2773 if (address == NULL && Ustrcmp(*log_msgptr, "empty address") == 0)
2774 {
2775 *log_msgptr = NULL;
2776 s = ss;
2777 continue;
2778 }
2779
059ec3d9
PH
2780 /* If verification failed because of a syntax error, fail this
2781 function, and ensure that the failing address gets added to the error
2782 message. */
2783
2784 if (address == NULL)
2785 {
2786 new_ok = FAIL;
1eccaa59
PH
2787 while (ss > s && isspace(ss[-1])) ss--;
2788 *log_msgptr = string_sprintf("syntax error in '%.*s' header when "
2789 "scanning for sender: %s in \"%.*s\"",
2790 endname - h->text, h->text, *log_msgptr, ss - s, s);
2791 yield = FAIL;
2792 done = TRUE;
2793 break;
059ec3d9
PH
2794 }
2795
2f6603e1 2796 /* Else go ahead with the sender verification. But it isn't *the*
059ec3d9
PH
2797 sender of the message, so set vopt_fake_sender to stop sender_address
2798 being replaced after rewriting or qualification. */
2799
2800 else
2801 {
2802 vaddr = deliver_make_addr(address, FALSE);
2803 new_ok = verify_address(vaddr, NULL, options | vopt_fake_sender,
8e669ac1 2804 callout, callout_overall, callout_connect, se_mailfrom,
4deaf07d 2805 pm_mailfrom, NULL);
059ec3d9
PH
2806 }
2807 }
2808
2809 /* We now have the result, either newly found, or cached. If we are
2810 giving out error details, set a specific user error. This means that the
2811 last of these will be returned to the user if all three fail. We do not
2812 set a log message - the generic one below will be used. */
2813
fe5b5d0b 2814 if (new_ok != OK)
059ec3d9 2815 {
8e669ac1 2816 *verrno = vaddr->basic_errno;
fe5b5d0b
PH
2817 if (smtp_return_error_details)
2818 {
2819 *user_msgptr = string_sprintf("Rejected after DATA: "
2820 "could not verify \"%.*s\" header address\n%s: %s",
2821 endname - h->text, h->text, vaddr->address, vaddr->message);
2822 }
8e669ac1 2823 }
059ec3d9
PH
2824
2825 /* Success or defer */
2826
1eccaa59
PH
2827 if (new_ok == OK)
2828 {
2829 yield = OK;
2830 done = TRUE;
2831 break;
2832 }
2833
059ec3d9
PH
2834 if (new_ok == DEFER) yield = DEFER;
2835
2836 /* Move on to any more addresses in the header */
2837
2838 s = ss;
1eccaa59
PH
2839 } /* Next address */
2840
2841 parse_allow_group = FALSE;
2842 parse_found_group = FALSE;
2843 } /* Next header, unless done */
2844 } /* Next header type unless done */
059ec3d9
PH
2845
2846if (yield == FAIL && *log_msgptr == NULL)
2847 *log_msgptr = US"there is no valid sender in any header line";
2848
2849if (yield == DEFER && *log_msgptr == NULL)
2850 *log_msgptr = US"all attempts to verify a sender in a header line deferred";
2851
2852return yield;
2853}
2854
2855
2856
2857
2858/*************************************************
2859* Get RFC 1413 identification *
2860*************************************************/
2861
2862/* Attempt to get an id from the sending machine via the RFC 1413 protocol. If
2863the timeout is set to zero, then the query is not done. There may also be lists
2864of hosts and nets which are exempt. To guard against malefactors sending
2865non-printing characters which could, for example, disrupt a message's headers,
2866make sure the string consists of printing characters only.
2867
2868Argument:
2869 port the port to connect to; usually this is IDENT_PORT (113), but when
2870 running in the test harness with -bh a different value is used.
2871
2872Returns: nothing
2873
2874Side effect: any received ident value is put in sender_ident (NULL otherwise)
2875*/
2876
2877void
2878verify_get_ident(int port)
2879{
2880int sock, host_af, qlen;
2881int received_sender_port, received_interface_port, n;
2882uschar *p;
2883uschar buffer[2048];
2884
2885/* Default is no ident. Check whether we want to do an ident check for this
2886host. */
2887
2888sender_ident = NULL;
2889if (rfc1413_query_timeout <= 0 || verify_check_host(&rfc1413_hosts) != OK)
2890 return;
2891
2892DEBUG(D_ident) debug_printf("doing ident callback\n");
2893
2894/* Set up a connection to the ident port of the remote host. Bind the local end
2895to the incoming interface address. If the sender host address is an IPv6
2896address, the incoming interface address will also be IPv6. */
2897
2898host_af = (Ustrchr(sender_host_address, ':') == NULL)? AF_INET : AF_INET6;
2899sock = ip_socket(SOCK_STREAM, host_af);
2900if (sock < 0) return;
2901
2902if (ip_bind(sock, host_af, interface_address, 0) < 0)
2903 {
2904 DEBUG(D_ident) debug_printf("bind socket for ident failed: %s\n",
2905 strerror(errno));
2906 goto END_OFF;
2907 }
2908
2909if (ip_connect(sock, host_af, sender_host_address, port, rfc1413_query_timeout)
2910 < 0)
2911 {
6c6d6e48 2912 if (errno == ETIMEDOUT && LOGGING(ident_timeout))
059ec3d9
PH
2913 {
2914 log_write(0, LOG_MAIN, "ident connection to %s timed out",
2915 sender_host_address);
2916 }
2917 else
2918 {
2919 DEBUG(D_ident) debug_printf("ident connection to %s failed: %s\n",
2920 sender_host_address, strerror(errno));
2921 }
2922 goto END_OFF;
2923 }
2924
2925/* Construct and send the query. */
2926
2927sprintf(CS buffer, "%d , %d\r\n", sender_host_port, interface_port);
2928qlen = Ustrlen(buffer);
2929if (send(sock, buffer, qlen, 0) < 0)
2930 {
2931 DEBUG(D_ident) debug_printf("ident send failed: %s\n", strerror(errno));
2932 goto END_OFF;
2933 }
2934
2935/* Read a response line. We put it into the rest of the buffer, using several
2936recv() calls if necessary. */
2937
2938p = buffer + qlen;
2939
2940for (;;)
2941 {
2942 uschar *pp;
2943 int count;
2944 int size = sizeof(buffer) - (p - buffer);
2945
2946 if (size <= 0) goto END_OFF; /* Buffer filled without seeing \n. */
2947 count = ip_recv(sock, p, size, rfc1413_query_timeout);
2948 if (count <= 0) goto END_OFF; /* Read error or EOF */
2949
2950 /* Scan what we just read, to see if we have reached the terminating \r\n. Be
2951 generous, and accept a plain \n terminator as well. The only illegal
2952 character is 0. */
2953
2954 for (pp = p; pp < p + count; pp++)
2955 {
2956 if (*pp == 0) goto END_OFF; /* Zero octet not allowed */
2957 if (*pp == '\n')
2958 {
2959 if (pp[-1] == '\r') pp--;
2960 *pp = 0;
2961 goto GOT_DATA; /* Break out of both loops */
2962 }
2963 }
2964
2965 /* Reached the end of the data without finding \n. Let the loop continue to
2966 read some more, if there is room. */
2967
2968 p = pp;
2969 }
2970
2971GOT_DATA:
2972
2973/* We have received a line of data. Check it carefully. It must start with the
2974same two port numbers that we sent, followed by data as defined by the RFC. For
2975example,
2976
2977 12345 , 25 : USERID : UNIX :root
2978
2979However, the amount of white space may be different to what we sent. In the
2980"osname" field there may be several sub-fields, comma separated. The data we
2981actually want to save follows the third colon. Some systems put leading spaces
2982in it - we discard those. */
2983
2984if (sscanf(CS buffer + qlen, "%d , %d%n", &received_sender_port,
2985 &received_interface_port, &n) != 2 ||
2986 received_sender_port != sender_host_port ||
2987 received_interface_port != interface_port)
2988 goto END_OFF;
2989
2990p = buffer + qlen + n;
2991while(isspace(*p)) p++;
2992if (*p++ != ':') goto END_OFF;
2993while(isspace(*p)) p++;
2994if (Ustrncmp(p, "USERID", 6) != 0) goto END_OFF;
2995p += 6;
2996while(isspace(*p)) p++;
2997if (*p++ != ':') goto END_OFF;
2998while (*p != 0 && *p != ':') p++;
2999if (*p++ == 0) goto END_OFF;
3000while(isspace(*p)) p++;
3001if (*p == 0) goto END_OFF;
3002
3003/* The rest of the line is the data we want. We turn it into printing
3004characters when we save it, so that it cannot mess up the format of any logging
3005or Received: lines into which it gets inserted. We keep a maximum of 127
55414b25 3006characters. The deconst cast is ok as we fed a nonconst to string_printing() */
059ec3d9 3007
55414b25 3008sender_ident = US string_printing(string_copyn(p, 127));
059ec3d9
PH
3009DEBUG(D_ident) debug_printf("sender_ident = %s\n", sender_ident);
3010
3011END_OFF:
f1e894f3 3012(void)close(sock);
059ec3d9
PH
3013return;
3014}
3015
3016
3017
3018
3019/*************************************************
3020* Match host to a single host-list item *
3021*************************************************/
3022
3023/* This function compares a host (name or address) against a single item
3024from a host list. The host name gets looked up if it is needed and is not
3025already known. The function is called from verify_check_this_host() via
3026match_check_list(), which is why most of its arguments are in a single block.
3027
3028Arguments:
3029 arg the argument block (see below)
3030 ss the host-list item
3031 valueptr where to pass back looked up data, or NULL
3032 error for error message when returning ERROR
3033
3034The block contains:
32d668a5
PH
3035 host_name (a) the host name, or
3036 (b) NULL, implying use sender_host_name and
3037 sender_host_aliases, looking them up if required, or
3038 (c) the empty string, meaning that only IP address matches
3039 are permitted
059ec3d9
PH
3040 host_address the host address
3041 host_ipv4 the IPv4 address taken from an IPv6 one
3042
3043Returns: OK matched
3044 FAIL did not match
3045 DEFER lookup deferred
32d668a5
PH
3046 ERROR (a) failed to find the host name or IP address, or
3047 (b) unknown lookup type specified, or
3048 (c) host name encountered when only IP addresses are
3049 being matched
059ec3d9
PH
3050*/
3051
32d668a5 3052int
55414b25 3053check_host(void *arg, const uschar *ss, const uschar **valueptr, uschar **error)
059ec3d9
PH
3054{
3055check_host_block *cb = (check_host_block *)arg;
32d668a5 3056int mlen = -1;
059ec3d9 3057int maskoffset;
32d668a5 3058BOOL iplookup = FALSE;
059ec3d9 3059BOOL isquery = FALSE;
32d668a5 3060BOOL isiponly = cb->host_name != NULL && cb->host_name[0] == 0;
55414b25 3061const uschar *t;
32d668a5 3062uschar *semicolon;
059ec3d9
PH
3063uschar **aliases;
3064
3065/* Optimize for the special case when the pattern is "*". */
3066
3067if (*ss == '*' && ss[1] == 0) return OK;
3068
3069/* If the pattern is empty, it matches only in the case when there is no host -
3070this can occur in ACL checking for SMTP input using the -bs option. In this
3071situation, the host address is the empty string. */
3072
3073if (cb->host_address[0] == 0) return (*ss == 0)? OK : FAIL;
3074if (*ss == 0) return FAIL;
3075
32d668a5
PH
3076/* If the pattern is precisely "@" then match against the primary host name,
3077provided that host name matching is permitted; if it's "@[]" match against the
3078local host's IP addresses. */
059ec3d9
PH
3079
3080if (*ss == '@')
3081 {
32d668a5
PH
3082 if (ss[1] == 0)
3083 {
3084 if (isiponly) return ERROR;
3085 ss = primary_hostname;
3086 }
059ec3d9
PH
3087 else if (Ustrcmp(ss, "@[]") == 0)
3088 {
3089 ip_address_item *ip;
3090 for (ip = host_find_interfaces(); ip != NULL; ip = ip->next)
3091 if (Ustrcmp(ip->address, cb->host_address) == 0) return OK;
3092 return FAIL;
3093 }
3094 }
3095
3096/* If the pattern is an IP address, optionally followed by a bitmask count, do
3097a (possibly masked) comparision with the current IP address. */
3098
7e66e54d 3099if (string_is_ip_address(ss, &maskoffset) != 0)
059ec3d9
PH
3100 return (host_is_in_net(cb->host_address, ss, maskoffset)? OK : FAIL);
3101
1688f43b
PH
3102/* The pattern is not an IP address. A common error that people make is to omit
3103one component of an IPv4 address, either by accident, or believing that, for
3104example, 1.2.3/24 is the same as 1.2.3.0/24, or 1.2.3 is the same as 1.2.3.0,
3105which it isn't. (Those applications that do accept 1.2.3 as an IP address
3106interpret it as 1.2.0.3 because the final component becomes 16-bit - this is an
3107ancient specification.) To aid in debugging these cases, we give a specific
3108error if the pattern contains only digits and dots or contains a slash preceded
3109only by digits and dots (a slash at the start indicates a file name and of
3110course slashes may be present in lookups, but not preceded only by digits and
3111dots). */
3112
3113for (t = ss; isdigit(*t) || *t == '.'; t++);
3114if (*t == 0 || (*t == '/' && t != ss))
3115 {
3116 *error = US"malformed IPv4 address or address mask";
3117 return ERROR;
3118 }
3119
32d668a5 3120/* See if there is a semicolon in the pattern */
059ec3d9 3121
32d668a5
PH
3122semicolon = Ustrchr(ss, ';');
3123
3124/* If we are doing an IP address only match, then all lookups must be IP
df199fec 3125address lookups, even if there is no "net-". */
32d668a5
PH
3126
3127if (isiponly)
059ec3d9 3128 {
32d668a5
PH
3129 iplookup = semicolon != NULL;
3130 }
059ec3d9 3131
32d668a5 3132/* Otherwise, if the item is of the form net[n]-lookup;<file|query> then it is
df199fec
PH
3133a lookup on a masked IP network, in textual form. We obey this code even if we
3134have already set iplookup, so as to skip over the "net-" prefix and to set the
3135mask length. The net- stuff really only applies to single-key lookups where the
3136key is implicit. For query-style lookups the key is specified in the query.
3137From release 4.30, the use of net- for query style is no longer needed, but we
3138retain it for backward compatibility. */
3139
3140if (Ustrncmp(ss, "net", 3) == 0 && semicolon != NULL)
32d668a5
PH
3141 {
3142 mlen = 0;
3143 for (t = ss + 3; isdigit(*t); t++) mlen = mlen * 10 + *t - '0';
3144 if (mlen == 0 && t == ss+3) mlen = -1; /* No mask supplied */
3145 iplookup = (*t++ == '-');
3146 }
1688f43b 3147else t = ss;
059ec3d9 3148
32d668a5 3149/* Do the IP address lookup if that is indeed what we have */
059ec3d9 3150
32d668a5
PH
3151if (iplookup)
3152 {
3153 int insize;
3154 int search_type;
3155 int incoming[4];
3156 void *handle;
3157 uschar *filename, *key, *result;
3158 uschar buffer[64];
059ec3d9 3159
32d668a5 3160 /* Find the search type */
059ec3d9 3161
32d668a5 3162 search_type = search_findtype(t, semicolon - t);
059ec3d9 3163
32d668a5
PH
3164 if (search_type < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
3165 search_error_message);
059ec3d9 3166
13b685f9
PH
3167 /* Adjust parameters for the type of lookup. For a query-style lookup, there
3168 is no file name, and the "key" is just the query. For query-style with a file
3169 name, we have to fish the file off the start of the query. For a single-key
3170 lookup, the key is the current IP address, masked appropriately, and
3171 reconverted to text form, with the mask appended. For IPv6 addresses, specify
6a3bceb1
PH
3172 dot separators instead of colons, except when the lookup type is "iplsearch".
3173 */
059ec3d9 3174
13b685f9
PH
3175 if (mac_islookup(search_type, lookup_absfilequery))
3176 {
3177 filename = semicolon + 1;
3178 key = filename;
3179 while (*key != 0 && !isspace(*key)) key++;
3180 filename = string_copyn(filename, key - filename);
3181 while (isspace(*key)) key++;
3182 }
3183 else if (mac_islookup(search_type, lookup_querystyle))
32d668a5
PH
3184 {
3185 filename = NULL;
3186 key = semicolon + 1;
3187 }
6a3bceb1 3188 else /* Single-key style */
32d668a5 3189 {
e6d225ae 3190 int sep = (Ustrcmp(lookup_list[search_type]->name, "iplsearch") == 0)?
6a3bceb1 3191 ':' : '.';
32d668a5
PH
3192 insize = host_aton(cb->host_address, incoming);
3193 host_mask(insize, incoming, mlen);
6a3bceb1 3194 (void)host_nmtoa(insize, incoming, mlen, buffer, sep);
32d668a5
PH
3195 key = buffer;
3196 filename = semicolon + 1;
059ec3d9 3197 }
32d668a5
PH
3198
3199 /* Now do the actual lookup; note that there is no search_close() because
3200 of the caching arrangements. */
3201
d4ff61d1
JH
3202 if (!(handle = search_open(filename, search_type, 0, NULL, NULL)))
3203 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", search_error_message);
3204
32d668a5
PH
3205 result = search_find(handle, filename, key, -1, NULL, 0, 0, NULL);
3206 if (valueptr != NULL) *valueptr = result;
3207 return (result != NULL)? OK : search_find_defer? DEFER: FAIL;
059ec3d9
PH
3208 }
3209
3210/* The pattern is not an IP address or network reference of any kind. That is,
32d668a5
PH
3211it is a host name pattern. If this is an IP only match, there's an error in the
3212host list. */
3213
3214if (isiponly)
3215 {
3216 *error = US"cannot match host name in match_ip list";
3217 return ERROR;
3218 }
3219
3220/* Check the characters of the pattern to see if they comprise only letters,
3221digits, full stops, and hyphens (the constituents of domain names). Allow
3222underscores, as they are all too commonly found. Sigh. Also, if
3223allow_utf8_domains is set, allow top-bit characters. */
059ec3d9
PH
3224
3225for (t = ss; *t != 0; t++)
3226 if (!isalnum(*t) && *t != '.' && *t != '-' && *t != '_' &&
3227 (!allow_utf8_domains || *t < 128)) break;
3228
3229/* If the pattern is a complete domain name, with no fancy characters, look up
3230its IP address and match against that. Note that a multi-homed host will add
3231items to the chain. */
3232
3233if (*t == 0)
3234 {
3235 int rc;
3236 host_item h;
3237 h.next = NULL;
3238 h.name = ss;
3239 h.address = NULL;
3240 h.mx = MX_NONE;
9b8fadde 3241
1f155f8e
JH
3242 /* Using byname rather than bydns here means we cannot determine dnssec
3243 status. On the other hand it is unclear how that could be either
3244 propagated up or enforced. */
3245
322050c2 3246 rc = host_find_byname(&h, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, FALSE);
059ec3d9
PH
3247 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
3248 {
3249 host_item *hh;
3250 for (hh = &h; hh != NULL; hh = hh->next)
3251 {
96776534 3252 if (host_is_in_net(hh->address, cb->host_address, 0)) return OK;
059ec3d9
PH
3253 }
3254 return FAIL;
3255 }
3256 if (rc == HOST_FIND_AGAIN) return DEFER;
3257 *error = string_sprintf("failed to find IP address for %s", ss);
3258 return ERROR;
3259 }
3260
3261/* Almost all subsequent comparisons require the host name, and can be done
3262using the general string matching function. When this function is called for
3263outgoing hosts, the name is always given explicitly. If it is NULL, it means we
3264must use sender_host_name and its aliases, looking them up if necessary. */
3265
3266if (cb->host_name != NULL) /* Explicit host name given */
3267 return match_check_string(cb->host_name, ss, -1, TRUE, TRUE, TRUE,
3268 valueptr);
3269
3270/* Host name not given; in principle we need the sender host name and its
3271aliases. However, for query-style lookups, we do not need the name if the
3272query does not contain $sender_host_name. From release 4.23, a reference to
3273$sender_host_name causes it to be looked up, so we don't need to do the lookup
3274on spec. */
3275
3276if ((semicolon = Ustrchr(ss, ';')) != NULL)
3277 {
55414b25 3278 const uschar *affix;
059ec3d9
PH
3279 int partial, affixlen, starflags, id;
3280
3281 *semicolon = 0;
3282 id = search_findtype_partial(ss, &partial, &affix, &affixlen, &starflags);
3283 *semicolon=';';
3284
3285 if (id < 0) /* Unknown lookup type */
3286 {
3287 log_write(0, LOG_MAIN|LOG_PANIC, "%s in host list item \"%s\"",
3288 search_error_message, ss);
3289 return DEFER;
3290 }
13b685f9 3291 isquery = mac_islookup(id, lookup_querystyle|lookup_absfilequery);
059ec3d9
PH
3292 }
3293
3294if (isquery)
3295 {
3296 switch(match_check_string(US"", ss, -1, TRUE, TRUE, TRUE, valueptr))
3297 {
3298 case OK: return OK;
3299 case DEFER: return DEFER;
3300 default: return FAIL;
3301 }
3302 }
3303
3304/* Not a query-style lookup; must ensure the host name is present, and then we
3305do a check on the name and all its aliases. */
3306
3307if (sender_host_name == NULL)
3308 {
3309 HDEBUG(D_host_lookup)
3310 debug_printf("sender host name required, to match against %s\n", ss);
3311 if (host_lookup_failed || host_name_lookup() != OK)
3312 {
3313 *error = string_sprintf("failed to find host name for %s",
3314 sender_host_address);;
3315 return ERROR;
3316 }
3317 host_build_sender_fullhost();
3318 }
3319
3320/* Match on the sender host name, using the general matching function */
3321
3322switch(match_check_string(sender_host_name, ss, -1, TRUE, TRUE, TRUE,
3323 valueptr))
3324 {
3325 case OK: return OK;
3326 case DEFER: return DEFER;
3327 }
3328
3329/* If there are aliases, try matching on them. */
3330
3331aliases = sender_host_aliases;
3332while (*aliases != NULL)
3333 {
3334 switch(match_check_string(*aliases++, ss, -1, TRUE, TRUE, TRUE, valueptr))
3335 {
3336 case OK: return OK;
3337 case DEFER: return DEFER;
3338 }
3339 }
3340return FAIL;
3341}
3342
3343
3344
3345
3346/*************************************************
3347* Check a specific host matches a host list *
3348*************************************************/
3349
3350/* This function is passed a host list containing items in a number of
3351different formats and the identity of a host. Its job is to determine whether
3352the given host is in the set of hosts defined by the list. The host name is
3353passed as a pointer so that it can be looked up if needed and not already
3354known. This is commonly the case when called from verify_check_host() to check
3355an incoming connection. When called from elsewhere the host name should usually
3356be set.
3357
3358This function is now just a front end to match_check_list(), which runs common
3359code for scanning a list. We pass it the check_host() function to perform a
3360single test.
3361
3362Arguments:
3363 listptr pointer to the host list
3364 cache_bits pointer to cache for named lists, or NULL
3365 host_name the host name or NULL, implying use sender_host_name and
3366 sender_host_aliases, looking them up if required
3367 host_address the IP address
3368 valueptr if not NULL, data from a lookup is passed back here
3369
3370Returns: OK if the host is in the defined set
3371 FAIL if the host is not in the defined set,
3372 DEFER if a data lookup deferred (not a host lookup)
3373
3374If the host name was needed in order to make a comparison, and could not be
3375determined from the IP address, the result is FAIL unless the item
3376"+allow_unknown" was met earlier in the list, in which case OK is returned. */
3377
3378int
55414b25
JH
3379verify_check_this_host(const uschar **listptr, unsigned int *cache_bits,
3380 const uschar *host_name, const uschar *host_address, const uschar **valueptr)
059ec3d9 3381{
d4eb88df 3382int rc;
059ec3d9 3383unsigned int *local_cache_bits = cache_bits;
55414b25 3384const uschar *save_host_address = deliver_host_address;
059ec3d9
PH
3385check_host_block cb;
3386cb.host_name = host_name;
3387cb.host_address = host_address;
3388
3389if (valueptr != NULL) *valueptr = NULL;
3390
3391/* If the host address starts off ::ffff: it is an IPv6 address in
3392IPv4-compatible mode. Find the IPv4 part for checking against IPv4
3393addresses. */
3394
3395cb.host_ipv4 = (Ustrncmp(host_address, "::ffff:", 7) == 0)?
3396 host_address + 7 : host_address;
3397
8e669ac1
PH
3398/* During the running of the check, put the IP address into $host_address. In
3399the case of calls from the smtp transport, it will already be there. However,
3400in other calls (e.g. when testing ignore_target_hosts), it won't. Just to be on
d4eb88df
PH
3401the safe side, any existing setting is preserved, though as I write this
3402(November 2004) I can't see any cases where it is actually needed. */
3403
3404deliver_host_address = host_address;
3405rc = match_check_list(
3406 listptr, /* the list */
3407 0, /* separator character */
3408 &hostlist_anchor, /* anchor pointer */
3409 &local_cache_bits, /* cache pointer */
3410 check_host, /* function for testing */
3411 &cb, /* argument for function */
3412 MCL_HOST, /* type of check */
8e669ac1 3413 (host_address == sender_host_address)?
d4eb88df
PH
3414 US"host" : host_address, /* text for debugging */
3415 valueptr); /* where to pass back data */
3416deliver_host_address = save_host_address;
8e669ac1 3417return rc;
059ec3d9
PH
3418}
3419
3420
3421
3422
3423/*************************************************
5130845b
JH
3424* Check the given host item matches a list *
3425*************************************************/
3426int
3427verify_check_given_host(uschar **listptr, host_item *host)
3428{
55414b25 3429return verify_check_this_host(CUSS listptr, NULL, host->name, host->address, NULL);
5130845b
JH
3430}
3431
3432/*************************************************
059ec3d9
PH
3433* Check the remote host matches a list *
3434*************************************************/
3435
3436/* This is a front end to verify_check_this_host(), created because checking
3437the remote host is a common occurrence. With luck, a good compiler will spot
3438the tail recursion and optimize it. If there's no host address, this is
3439command-line SMTP input - check against an empty string for the address.
3440
3441Arguments:
3442 listptr pointer to the host list
3443
3444Returns: the yield of verify_check_this_host(),
3445 i.e. OK, FAIL, or DEFER
3446*/
3447
3448int
3449verify_check_host(uschar **listptr)
3450{
55414b25 3451return verify_check_this_host(CUSS listptr, sender_host_cache, NULL,
059ec3d9
PH
3452 (sender_host_address == NULL)? US"" : sender_host_address, NULL);
3453}
3454
3455
3456
3457
3458
3459/*************************************************
83e029d5 3460* Invert an IP address *
059ec3d9
PH
3461*************************************************/
3462
83e029d5
PP
3463/* Originally just used for DNS xBL lists, now also used for the
3464reverse_ip expansion operator.
3465
059ec3d9
PH
3466Arguments:
3467 buffer where to put the answer
3468 address the address to invert
3469*/
3470
83e029d5 3471void
059ec3d9
PH
3472invert_address(uschar *buffer, uschar *address)
3473{
3474int bin[4];
3475uschar *bptr = buffer;
3476
3477/* If this is an IPv4 address mapped into IPv6 format, adjust the pointer
3478to the IPv4 part only. */
3479
3480if (Ustrncmp(address, "::ffff:", 7) == 0) address += 7;
3481
3482/* Handle IPv4 address: when HAVE_IPV6 is false, the result of host_aton() is
3483always 1. */
3484
3485if (host_aton(address, bin) == 1)
3486 {
3487 int i;
3488 int x = bin[0];
3489 for (i = 0; i < 4; i++)
3490 {
3491 sprintf(CS bptr, "%d.", x & 255);
3492 while (*bptr) bptr++;
3493 x >>= 8;
3494 }
3495 }
3496
3497/* Handle IPv6 address. Actually, as far as I know, there are no IPv6 addresses
3498in any DNS black lists, and the format in which they will be looked up is
3499unknown. This is just a guess. */
3500
3501#if HAVE_IPV6
3502else
3503 {
3504 int i, j;
3505 for (j = 3; j >= 0; j--)
3506 {
3507 int x = bin[j];
3508 for (i = 0; i < 8; i++)
3509 {
3510 sprintf(CS bptr, "%x.", x & 15);
3511 while (*bptr) bptr++;
3512 x >>= 4;
3513 }
3514 }
3515 }
3516#endif
d6f6e0dc
PH
3517
3518/* Remove trailing period -- this is needed so that both arbitrary
3519dnsbl keydomains and inverted addresses may be combined with the
3520same format string, "%s.%s" */
3521
3522*(--bptr) = 0;
059ec3d9
PH
3523}
3524
3525
3526
3527/*************************************************
0bcb2a0e
PH
3528* Perform a single dnsbl lookup *
3529*************************************************/
3530
d6f6e0dc
PH
3531/* This function is called from verify_check_dnsbl() below. It is also called
3532recursively from within itself when domain and domain_txt are different
3533pointers, in order to get the TXT record from the alternate domain.
0bcb2a0e
PH
3534
3535Arguments:
d6f6e0dc
PH
3536 domain the outer dnsbl domain
3537 domain_txt alternate domain to lookup TXT record on success; when the
3538 same domain is to be used, domain_txt == domain (that is,
3539 the pointers must be identical, not just the text)
8e669ac1 3540 keydomain the current keydomain (for debug message)
d6f6e0dc
PH
3541 prepend subdomain to lookup (like keydomain, but
3542 reversed if IP address)
3543 iplist the list of matching IP addresses, or NULL for "any"
8e669ac1 3544 bitmask true if bitmask matching is wanted
431b7361
PH
3545 match_type condition for 'succeed' result
3546 0 => Any RR in iplist (=)
3547 1 => No RR in iplist (!=)
3548