[exim.git] / src / src / lookups / dnsdb.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */

#include "../exim.h"
#include "lf_functions.h"


/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
header files. */

#ifndef T_TXT
# define T_TXT 16
#endif

/* Many systems do not have T_SPF. */
#ifndef T_SPF
# define T_SPF 99
#endif

/* New TLSA record for DANE */
#ifndef T_TLSA
# define T_TLSA 52
#endif

/* Table of recognized DNS record types and their integer values. */

static const char *type_names[] = {
  "a",
#if HAVE_IPV6
  "a+",
  "aaaa",
#endif
  "cname",
  "csa",
  "mx",
  "mxh",
  "ns",
  "ptr",
  "soa",
  "spf",
  "srv",
  "tlsa",
  "txt",
  "zns"
};

static int type_values[] = {
  T_A,
#if HAVE_IPV6
  T_ADDRESSES,     /* Private type for AAAA + A */
  T_AAAA,
#endif
  T_CNAME,
  T_CSA,     /* Private type for "Client SMTP Authorization". */
  T_MX,
  T_MXH,     /* Private type for "MX hostnames" */
  T_NS,
  T_PTR,
  T_SOA,
  T_SPF,
  T_SRV,
  T_TLSA,
  T_TXT,
  T_ZNS      /* Private type for "zone nameservers" */
};


/*************************************************
*              Open entry point                  *
*************************************************/

/* See local README for interface description. */

static void *
dnsdb_open(const uschar * filename, uschar **errmsg)
{
filename = filename;   /* Keep picky compilers happy */
errmsg = errmsg;       /* Ditto */
return (void *)(-1);   /* Any non-0 value */
}


/*************************************************
*           Find entry point for dnsdb           *
*************************************************/

/* See local README for interface description. The query in the "keystring" may
consist of a number of parts.

(a) If the first significant character is '>' then the next character is the
separator character that is used when multiple records are found. The default
separator is newline.

(b) If the next character is ',' then the next character is the separator
character used for multiple items of text in "TXT" records. Alternatively,
if the next character is ';' then these multiple items are concatenated with
no separator. With neither of these options specified, only the first item
is output.  Similarly for "SPF" records, but the default for joining multiple
items in one SPF record is the empty string, for direct concatenation.

(c) Options, all comma-terminated, in any order.  Any unrecognised option
terminates option processing.  Recognised options are:

- 'defer_FOO':  set the defer behaviour to FOO.  The possible behaviours are:
'strict', where any defer causes the whole lookup to defer; 'lax', where a defer
causes the whole lookup to defer only if none of the DNS queries succeeds; and
'never', where all defers are as if the lookup failed. The default is 'lax'.

- 'dnssec_FOO', with 'strict', 'lax' (default), and 'never'.  The meanings are
require, try and don't-try dnssec respectively.

- 'retrans_VAL', set the timeout value.  VAL is an Exim time specification
(eg "5s").  The default is set by the main configuration option 'dns_retrans'.

- 'retry_VAL', set the retry count on timeouts.  VAL is an integer.  The
default is set by the main configuration option "dns_retry".

(d) If the next sequence of characters is a sequence of letters and digits
followed by '=', it is interpreted as the name of the DNS record type. The
default is "TXT".

(e) Then there follows list of domain names. This is a generalized Exim list,
which may start with '<' in order to set a specific separator. The default
separator, as always, is colon. */

static int
dnsdb_find(void * handle, const uschar * filename, const uschar * keystring,
 int length, uschar ** result, uschar ** errmsg, uint * do_cache,
 const uschar * opts)
{
int rc;
int sep = 0;
int defer_mode = PASS;
int dnssec_mode = PASS;
int save_retrans = dns_retrans;
int save_retry =   dns_retry;
int type;
int failrc = FAIL;
const uschar *outsep = CUS"\n";
const uschar *outsep2 = NULL;
uschar *equals, *domain, *found;

dns_answer * dnsa = store_get_dns_answer();
dns_scan dnss;

/* Because we're working in the search pool, we try to reclaim as much
store as possible later, so we preallocate the result here */

gstring * yield = string_get(256);

handle = handle;           /* Keep picky compilers happy */
filename = filename;
length = length;
do_cache = do_cache;

/* If the string starts with '>' we change the output separator.
If it's followed by ';' or ',' we set the TXT output separator. */

while (isspace(*keystring)) keystring++;
if (*keystring == '>')
  {
  outsep = keystring + 1;
  keystring += 2;
  if (*keystring == ',')
    {
    outsep2 = keystring + 1;
    keystring += 2;
    }
  else if (*keystring == ';')
    {
    outsep2 = US"";
    keystring++;
    }
  while (isspace(*keystring)) keystring++;
  }

/* Check for a modifier keyword. */

for (;;)
  {
  if (strncmpic(keystring, US"defer_", 6) == 0)
    {
    keystring += 6;
    if (strncmpic(keystring, US"strict", 6) == 0)
      { defer_mode = DEFER; keystring += 6; }
    else if (strncmpic(keystring, US"lax", 3) == 0)
      { defer_mode = PASS; keystring += 3; }
    else if (strncmpic(keystring, US"never", 5) == 0)
      { defer_mode = OK; keystring += 5; }
    else
      {
      *errmsg = US"unsupported dnsdb defer behaviour";
      return DEFER;
      }
    }
  else if (strncmpic(keystring, US"dnssec_", 7) == 0)
    {
    keystring += 7;
    if (strncmpic(keystring, US"strict", 6) == 0)
      { dnssec_mode = DEFER; keystring += 6; }
    else if (strncmpic(keystring, US"lax", 3) == 0)
      { dnssec_mode = PASS; keystring += 3; }
    else if (strncmpic(keystring, US"never", 5) == 0)
      { dnssec_mode = OK; keystring += 5; }
    else
      {
      *errmsg = US"unsupported dnsdb dnssec behaviour";
      return DEFER;
      }
    }
  else if (strncmpic(keystring, US"retrans_", 8) == 0)
    {
    int timeout_sec;
    if ((timeout_sec = readconf_readtime(keystring += 8, ',', FALSE)) <= 0)
      {
      *errmsg = US"unsupported dnsdb timeout value";
      return DEFER;
      }
    dns_retrans = timeout_sec;
    while (*keystring != ',') keystring++;
    }
  else if (strncmpic(keystring, US"retry_", 6) == 0)
    {
    int retries;
    if ((retries = (int)strtol(CCS keystring + 6, CSS &keystring, 0)) < 0)
      {
      *errmsg = US"unsupported dnsdb retry count";
      return DEFER;
      }
    dns_retry = retries;
    }
  else
    break;

  while (isspace(*keystring)) keystring++;
  if (*keystring++ != ',')
    {
    *errmsg = US"dnsdb modifier syntax error";
    return DEFER;
    }
  while (isspace(*keystring)) keystring++;
  }

/* Figure out the "type" value if it is not T_TXT.
If the keystring contains an = this must be preceded by a valid type name. */

type = T_TXT;
if ((equals = Ustrchr(keystring, '=')) != NULL)
  {
  int i, len;
  uschar *tend = equals;

  while (tend > keystring && isspace(tend[-1])) tend--;
  len = tend - keystring;

  for (i = 0; i < nelem(type_names); i++)
    if (len == Ustrlen(type_names[i]) &&
        strncmpic(keystring, US type_names[i], len) == 0)
      {
      type = type_values[i];
      break;
      }

  if (i >= nelem(type_names))
    {
    *errmsg = US"unsupported DNS record type";
    return DEFER;
    }

  keystring = equals + 1;
  while (isspace(*keystring)) keystring++;
  }

/* Initialize the resolver in case this is the first time it has been used. */

dns_init(FALSE, FALSE, dnssec_mode != OK);

/* The remainder of the string must be a list of domains. As long as the lookup
for at least one of them succeeds, we return success. Failure means that none
of them were found.

The original implementation did not support a list of domains. Adding the list
feature is compatible, except in one case: when PTR records are being looked up
for a single IPv6 address. Fortunately, we can hack in a compatibility feature
here: If the type is PTR and no list separator is specified, and the entire
remaining string is valid as an IP address, set an impossible separator so that
it is treated as one item. */

if (type == T_PTR && keystring[0] != '<' &&
    string_is_ip_address(keystring, NULL) != 0)
  sep = -1;

/* SPF strings should be concatenated without a separator, thus make
it the default if not defined (see RFC 4408 section 3.1.3).
Multiple SPF records are forbidden (section 3.1.2) but are currently
not handled specially, thus they are concatenated with \n by default.
MX priority and value are space-separated by default.
SRV and TLSA record parts are space-separated by default. */

if (!outsep2) switch(type)
  {
  case T_SPF:                         outsep2 = US"";  break;
  case T_SRV: case T_MX: case T_TLSA: outsep2 = US" "; break;
  }

/* Now scan the list and do a lookup for each item */

while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
  {
  int searchtype = type == T_CSA ? T_SRV :         /* record type we want */
                   type == T_MXH ? T_MX :
                   type == T_ZNS ? T_NS : type;

  /* If the type is PTR or CSA, we have to construct the relevant magic lookup
  key if the original is an IP address (some experimental protocols are using
  PTR records for different purposes where the key string is a host name, and
  Exim's extended CSA can be keyed by domains or IP addresses). This code for
  doing the reversal is now in a separate function. */

  if ((type == T_PTR || type == T_CSA) &&
      string_is_ip_address(domain, NULL) != 0)
    domain = dns_build_reverse(domain);

  do
    {
    DEBUG(D_lookup) debug_printf_indent("dnsdb key: %s\n", domain);

    /* Do the lookup and sort out the result. There are four special types that
    are handled specially: T_CSA, T_ZNS, T_ADDRESSES and T_MXH.
    The first two are handled in a special lookup function so that the facility
    could be used from other parts of the Exim code. T_ADDRESSES is handled by looping
    over the types of A lookup.  T_MXH affects only what happens later on in
    this function, but for tidiness it is handled by the "special". If the
    lookup fails, continue with the next domain. In the case of DEFER, adjust
    the final "nothing found" result, but carry on to the next domain. */

    found = domain;
#if HAVE_IPV6
    if (type == T_ADDRESSES)		/* NB cannot happen unless HAVE_IPV6 */
      {
      if (searchtype == T_ADDRESSES) searchtype = T_AAAA;
      else if (searchtype == T_AAAA) searchtype = T_A;
      rc = dns_special_lookup(dnsa, domain, searchtype, CUSS &found);
      }
    else
#endif
      rc = dns_special_lookup(dnsa, domain, type, CUSS &found);

    lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
      : dns_is_secure(dnsa) ? US"yes" : US"no";

    if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
    if (  rc != DNS_SUCCEED
       || (dnssec_mode == DEFER && !dns_is_secure(dnsa))
       )
      {
      if (defer_mode == DEFER)
	{
	dns_retrans = save_retrans;
	dns_retry = save_retry;
	dns_init(FALSE, FALSE, FALSE);			/* clr dnssec bit */
	return DEFER;					/* always defer */
	}
      if (defer_mode == PASS) failrc = DEFER;         /* defer only if all do */
      continue;                                       /* treat defer as fail */
      }


    /* Search the returned records */

    for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
         rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == searchtype)
      {
      if (*do_cache > rr->ttl)
	*do_cache = rr->ttl;

      if (type == T_A || type == T_AAAA || type == T_ADDRESSES)
        {
        for (dns_address * da = dns_address_from_rr(dnsa, rr); da; da = da->next)
          {
          if (yield->ptr) yield = string_catn(yield, outsep, 1);
          yield = string_cat(yield, da->address);
          }
        continue;
        }

      /* Other kinds of record just have one piece of data each, but there may be
      several of them, of course. */

      if (yield->ptr) yield = string_catn(yield, outsep, 1);

      if (type == T_TXT || type == T_SPF)
        {
        if (outsep2 == NULL)	/* output only the first item of data */
          yield = string_catn(yield, US (rr->data+1), (rr->data)[0]);
        else
          {
          /* output all items */
          int data_offset = 0;
          while (data_offset < rr->size)
            {
            uschar chunk_len = (rr->data)[data_offset++];
            if (outsep2[0] != '\0' && data_offset != 1)
              yield = string_catn(yield, outsep2, 1);
            yield = string_catn(yield, US ((rr->data)+data_offset), chunk_len);
            data_offset += chunk_len;
            }
          }
        }
      else if (type == T_TLSA)
        {
        uint8_t usage, selector, matching_type;
        uint16_t payload_length;
        uschar s[MAX_TLSA_EXPANDED_SIZE];
	uschar * sp = s;
        uschar * p = US rr->data;

        usage = *p++;
        selector = *p++;
        matching_type = *p++;
        /* What's left after removing the first 3 bytes above */
        payload_length = rr->size - 3;
        sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
		selector, *outsep2, matching_type, *outsep2);
        /* Now append the cert/identifier, one hex char at a time */
	while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
          sp += sprintf(CS sp, "%02x", *p++);

        yield = string_cat(yield, s);
        }
      else   /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SOA, T_SRV */
        {
        int priority, weight, port;
        uschar s[264];
        uschar * p = US rr->data;

	switch (type)
	  {
	  case T_MXH:
	    /* mxh ignores the priority number and includes only the hostnames */
	    GETSHORT(priority, p);
	    break;

	  case T_MX:
	    GETSHORT(priority, p);
	    sprintf(CS s, "%d%c", priority, *outsep2);
	    yield = string_cat(yield, s);
	    break;

	  case T_SRV:
	    GETSHORT(priority, p);
	    GETSHORT(weight, p);
	    GETSHORT(port, p);
	    sprintf(CS s, "%d%c%d%c%d%c", priority, *outsep2,
			      weight, *outsep2, port, *outsep2);
	    yield = string_cat(yield, s);
	    break;

	  case T_CSA:
	    /* See acl_verify_csa() for more comments about CSA. */
	    GETSHORT(priority, p);
	    GETSHORT(weight, p);
	    GETSHORT(port, p);

	    if (priority != 1) continue;      /* CSA version must be 1 */

	    /* If the CSA record we found is not the one we asked for, analyse
	    the subdomain assertions in the port field, else analyse the direct
	    authorization status in the weight field. */

	    if (Ustrcmp(found, domain) != 0)
	      {
	      if (port & 1) *s = 'X';         /* explicit authorization required */
	      else *s = '?';                  /* no subdomain assertions here */
	      }
	    else
	      {
	      if (weight < 2) *s = 'N';       /* not authorized */
	      else if (weight == 2) *s = 'Y'; /* authorized */
	      else if (weight == 3) *s = '?'; /* unauthorizable */
	      else continue;                  /* invalid */
	      }

	    s[1] = ' ';
	    yield = string_catn(yield, s, 2);
	    break;

	  default:
	    break;
	  }

        /* GETSHORT() has advanced the pointer to the target domain. */

        rc = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
          (DN_EXPAND_ARG4_TYPE)s, sizeof(s));

        /* If an overlong response was received, the data will have been
        truncated and dn_expand may fail. */

        if (rc < 0)
          {
          log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
            "domain=%s", dns_text_type(type), domain);
          break;
          }
        else yield = string_cat(yield, s);

	if (type == T_SOA && outsep2 != NULL)
	  {
	  unsigned long serial, refresh, retry, expire, minimum;

	  p += rc;
	  yield = string_catn(yield, outsep2, 1);

	  rc = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
	    (DN_EXPAND_ARG4_TYPE)s, sizeof(s));
	  if (rc < 0)
	    {
	    log_write(0, LOG_MAIN, "responsible-mailbox truncated: type=%s "
	      "domain=%s", dns_text_type(type), domain);
	    break;
	    }
	  else yield = string_cat(yield, s);

	  p += rc;
	  GETLONG(serial, p); GETLONG(refresh, p);
	  GETLONG(retry,  p); GETLONG(expire,  p); GETLONG(minimum, p);
	  sprintf(CS s, "%c%lu%c%lu%c%lu%c%lu%c%lu",
	    *outsep2, serial, *outsep2, refresh,
	    *outsep2, retry,  *outsep2, expire,  *outsep2, minimum);
	  yield = string_cat(yield, s);
	  }
        }
      }    /* Loop for list of returned records */

           /* Loop for set of A-lookup types */
    } while (type == T_ADDRESSES && searchtype != T_A);

  }        /* Loop for list of domains */

/* Reclaim unused memory */

gstring_release_unused(yield);

/* If yield NULL we have not found anything. Otherwise, insert the terminating
zero and return the result. */

dns_retrans = save_retrans;
dns_retry = save_retry;
dns_init(FALSE, FALSE, FALSE);	/* clear the dnssec bit for getaddrbyname */

if (!yield || !yield->ptr) return failrc;

*result = string_from_gstring(yield);
return OK;
}


/*************************************************
*         Version reporting entry point          *
*************************************************/

/* See local README for interface description. */

#include "../version.h"

void
dnsdb_version_report(FILE *f)
{
#ifdef DYNLOOKUP
fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
#endif
}


static lookup_info _lookup_info = {
  US"dnsdb",                     /* lookup name */
  lookup_querystyle,             /* query style */
  dnsdb_open,                    /* open function */
  NULL,                          /* check function */
  dnsdb_find,                    /* find function */
  NULL,                          /* no close function */
  NULL,                          /* no tidy function */
  NULL,                          /* no quoting function */
  dnsdb_version_report           /* version reporting */
};

#ifdef DYNLOOKUP
#define dnsdb_lookup_module_info _lookup_module_info
#endif

static lookup_info *_lookup_list[] = { &_lookup_info };
lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };

/* vi: aw ai sw=2
*/
/* End of lookups/dnsdb.c */
Commit	Line	Data
	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
	5	/* Copyright (c) University of Cambridge 1995 - 2018 */
	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	#include "../exim.h"
	9	#include "lf_functions.h"
	10
	11
	12
	13	/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
	14	header files. */
	15
	16	#ifndef T_TXT
	17	# define T_TXT 16
	18	#endif
	19
	20	/* Many systems do not have T_SPF. */
	21	#ifndef T_SPF
	22	# define T_SPF 99
	23	#endif
	24
	25	/* New TLSA record for DANE */
	26	#ifndef T_TLSA
	27	# define T_TLSA 52
	28	#endif
	29
	30	/* Table of recognized DNS record types and their integer values. */
	31
	32	static const char *type_names[] = {
	33	"a",
	34	#if HAVE_IPV6
	35	"a+",
	36	"aaaa",
	37	#endif
	38	"cname",
	39	"csa",
	40	"mx",
	41	"mxh",
	42	"ns",
	43	"ptr",
	44	"soa",
	45	"spf",
	46	"srv",
	47	"tlsa",
	48	"txt",
	49	"zns"
	50	};
	51
	52	static int type_values[] = {
	53	T_A,
	54	#if HAVE_IPV6
	55	T_ADDRESSES, /* Private type for AAAA + A */
	56	T_AAAA,
	57	#endif
	58	T_CNAME,
	59	T_CSA, /* Private type for "Client SMTP Authorization". */
	60	T_MX,
	61	T_MXH, /* Private type for "MX hostnames" */
	62	T_NS,
	63	T_PTR,
	64	T_SOA,
	65	T_SPF,
	66	T_SRV,
	67	T_TLSA,
	68	T_TXT,
	69	T_ZNS /* Private type for "zone nameservers" */
	70	};
	71
	72
	73	/*************************************************
	74	* Open entry point *
	75	*************************************************/
	76
	77	/* See local README for interface description. */
	78
	79	static void *
	80	dnsdb_open(const uschar * filename, uschar **errmsg)
	81	{
	82	filename = filename; /* Keep picky compilers happy */
	83	errmsg = errmsg; /* Ditto */
	84	return (void )(-1); / Any non-0 value */
	85	}
	86
	87
	88
	89	/*************************************************
	90	* Find entry point for dnsdb *
	91	*************************************************/
	92
	93	/* See local README for interface description. The query in the "keystring" may
	94	consist of a number of parts.
	95
	96	(a) If the first significant character is '>' then the next character is the
	97	separator character that is used when multiple records are found. The default
	98	separator is newline.
	99
	100	(b) If the next character is ',' then the next character is the separator
	101	character used for multiple items of text in "TXT" records. Alternatively,
	102	if the next character is ';' then these multiple items are concatenated with
	103	no separator. With neither of these options specified, only the first item
	104	is output. Similarly for "SPF" records, but the default for joining multiple
	105	items in one SPF record is the empty string, for direct concatenation.
	106
	107	(c) Options, all comma-terminated, in any order. Any unrecognised option
	108	terminates option processing. Recognised options are:
	109
	110	- 'defer_FOO': set the defer behaviour to FOO. The possible behaviours are:
	111	'strict', where any defer causes the whole lookup to defer; 'lax', where a defer
	112	causes the whole lookup to defer only if none of the DNS queries succeeds; and
	113	'never', where all defers are as if the lookup failed. The default is 'lax'.
	114
	115	- 'dnssec_FOO', with 'strict', 'lax' (default), and 'never'. The meanings are
	116	require, try and don't-try dnssec respectively.
	117
	118	- 'retrans_VAL', set the timeout value. VAL is an Exim time specification
	119	(eg "5s"). The default is set by the main configuration option 'dns_retrans'.
	120
	121	- 'retry_VAL', set the retry count on timeouts. VAL is an integer. The
	122	default is set by the main configuration option "dns_retry".
	123
	124	(d) If the next sequence of characters is a sequence of letters and digits
	125	followed by '=', it is interpreted as the name of the DNS record type. The
	126	default is "TXT".
	127
	128	(e) Then there follows list of domain names. This is a generalized Exim list,
	129	which may start with '<' in order to set a specific separator. The default
	130	separator, as always, is colon. */
	131
	132	static int
	133	dnsdb_find(void * handle, const uschar * filename, const uschar * keystring,
	134	int length, uschar result, uschar errmsg, uint * do_cache,
	135	const uschar * opts)
	136	{
	137	int rc;
	138	int sep = 0;
	139	int defer_mode = PASS;
	140	int dnssec_mode = PASS;
	141	int save_retrans = dns_retrans;
	142	int save_retry = dns_retry;
	143	int type;
	144	int failrc = FAIL;
	145	const uschar *outsep = CUS"\n";
	146	const uschar *outsep2 = NULL;
	147	uschar equals, domain, *found;
	148
	149	dns_answer * dnsa = store_get_dns_answer();
	150	dns_scan dnss;
	151
	152	/* Because we're working in the search pool, we try to reclaim as much
	153	store as possible later, so we preallocate the result here */
	154
	155	gstring * yield = string_get(256);
	156
	157	handle = handle; /* Keep picky compilers happy */
	158	filename = filename;
	159	length = length;
	160	do_cache = do_cache;
	161
	162	/* If the string starts with '>' we change the output separator.
	163	If it's followed by ';' or ',' we set the TXT output separator. */
	164
	165	while (isspace(*keystring)) keystring++;
	166	if (*keystring == '>')
	167	{
	168	outsep = keystring + 1;
	169	keystring += 2;
	170	if (*keystring == ',')
	171	{
	172	outsep2 = keystring + 1;
	173	keystring += 2;
	174	}
	175	else if (*keystring == ';')
	176	{
	177	outsep2 = US"";
	178	keystring++;
	179	}
	180	while (isspace(*keystring)) keystring++;
	181	}
	182
	183	/* Check for a modifier keyword. */
	184
	185	for (;;)
	186	{
	187	if (strncmpic(keystring, US"defer_", 6) == 0)
	188	{
	189	keystring += 6;
	190	if (strncmpic(keystring, US"strict", 6) == 0)
	191	{ defer_mode = DEFER; keystring += 6; }
	192	else if (strncmpic(keystring, US"lax", 3) == 0)
	193	{ defer_mode = PASS; keystring += 3; }
	194	else if (strncmpic(keystring, US"never", 5) == 0)
	195	{ defer_mode = OK; keystring += 5; }
	196	else
	197	{
	198	*errmsg = US"unsupported dnsdb defer behaviour";
	199	return DEFER;
	200	}
	201	}
	202	else if (strncmpic(keystring, US"dnssec_", 7) == 0)
	203	{
	204	keystring += 7;
	205	if (strncmpic(keystring, US"strict", 6) == 0)
	206	{ dnssec_mode = DEFER; keystring += 6; }
	207	else if (strncmpic(keystring, US"lax", 3) == 0)
	208	{ dnssec_mode = PASS; keystring += 3; }
	209	else if (strncmpic(keystring, US"never", 5) == 0)
	210	{ dnssec_mode = OK; keystring += 5; }
	211	else
	212	{
	213	*errmsg = US"unsupported dnsdb dnssec behaviour";
	214	return DEFER;
	215	}
	216	}
	217	else if (strncmpic(keystring, US"retrans_", 8) == 0)
	218	{
	219	int timeout_sec;
	220	if ((timeout_sec = readconf_readtime(keystring += 8, ',', FALSE)) <= 0)
	221	{
	222	*errmsg = US"unsupported dnsdb timeout value";
	223	return DEFER;
	224	}
	225	dns_retrans = timeout_sec;
	226	while (*keystring != ',') keystring++;
	227	}
	228	else if (strncmpic(keystring, US"retry_", 6) == 0)
	229	{
	230	int retries;
	231	if ((retries = (int)strtol(CCS keystring + 6, CSS &keystring, 0)) < 0)
	232	{
	233	*errmsg = US"unsupported dnsdb retry count";
	234	return DEFER;
	235	}
	236	dns_retry = retries;
	237	}
	238	else
	239	break;
	240
	241	while (isspace(*keystring)) keystring++;
	242	if (*keystring++ != ',')
	243	{
	244	*errmsg = US"dnsdb modifier syntax error";
	245	return DEFER;
	246	}
	247	while (isspace(*keystring)) keystring++;
	248	}
	249
	250	/* Figure out the "type" value if it is not T_TXT.
	251	If the keystring contains an = this must be preceded by a valid type name. */
	252
	253	type = T_TXT;
	254	if ((equals = Ustrchr(keystring, '=')) != NULL)
	255	{
	256	int i, len;
	257	uschar *tend = equals;
	258
	259	while (tend > keystring && isspace(tend[-1])) tend--;
	260	len = tend - keystring;
	261
	262	for (i = 0; i < nelem(type_names); i++)
	263	if (len == Ustrlen(type_names[i]) &&
	264	strncmpic(keystring, US type_names[i], len) == 0)
	265	{
	266	type = type_values[i];
	267	break;
	268	}
	269
	270	if (i >= nelem(type_names))
	271	{
	272	*errmsg = US"unsupported DNS record type";
	273	return DEFER;
	274	}
	275
	276	keystring = equals + 1;
	277	while (isspace(*keystring)) keystring++;
	278	}
	279
	280	/* Initialize the resolver in case this is the first time it has been used. */
	281
	282	dns_init(FALSE, FALSE, dnssec_mode != OK);
	283
	284	/* The remainder of the string must be a list of domains. As long as the lookup
	285	for at least one of them succeeds, we return success. Failure means that none
	286	of them were found.
	287
	288	The original implementation did not support a list of domains. Adding the list
	289	feature is compatible, except in one case: when PTR records are being looked up
	290	for a single IPv6 address. Fortunately, we can hack in a compatibility feature
	291	here: If the type is PTR and no list separator is specified, and the entire
	292	remaining string is valid as an IP address, set an impossible separator so that
	293	it is treated as one item. */
	294
	295	if (type == T_PTR && keystring[0] != '<' &&
	296	string_is_ip_address(keystring, NULL) != 0)
	297	sep = -1;
	298
	299	/* SPF strings should be concatenated without a separator, thus make
	300	it the default if not defined (see RFC 4408 section 3.1.3).
	301	Multiple SPF records are forbidden (section 3.1.2) but are currently
	302	not handled specially, thus they are concatenated with \n by default.
	303	MX priority and value are space-separated by default.
	304	SRV and TLSA record parts are space-separated by default. */
	305
	306	if (!outsep2) switch(type)
	307	{
	308	case T_SPF: outsep2 = US""; break;
	309	case T_SRV: case T_MX: case T_TLSA: outsep2 = US" "; break;
	310	}
	311
	312	/* Now scan the list and do a lookup for each item */
	313
	314	while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
	315	{
	316	int searchtype = type == T_CSA ? T_SRV : /* record type we want */
	317	type == T_MXH ? T_MX :
	318	type == T_ZNS ? T_NS : type;
	319
	320	/* If the type is PTR or CSA, we have to construct the relevant magic lookup
	321	key if the original is an IP address (some experimental protocols are using
	322	PTR records for different purposes where the key string is a host name, and
	323	Exim's extended CSA can be keyed by domains or IP addresses). This code for
	324	doing the reversal is now in a separate function. */
	325
	326	if ((type == T_PTR \|\| type == T_CSA) &&
	327	string_is_ip_address(domain, NULL) != 0)
	328	domain = dns_build_reverse(domain);
	329
	330	do
	331	{
	332	DEBUG(D_lookup) debug_printf_indent("dnsdb key: %s\n", domain);
	333
	334	/* Do the lookup and sort out the result. There are four special types that
	335	are handled specially: T_CSA, T_ZNS, T_ADDRESSES and T_MXH.
	336	The first two are handled in a special lookup function so that the facility
	337	could be used from other parts of the Exim code. T_ADDRESSES is handled by looping
	338	over the types of A lookup. T_MXH affects only what happens later on in
	339	this function, but for tidiness it is handled by the "special". If the
	340	lookup fails, continue with the next domain. In the case of DEFER, adjust
	341	the final "nothing found" result, but carry on to the next domain. */
	342
	343	found = domain;
	344	#if HAVE_IPV6
	345	if (type == T_ADDRESSES) /* NB cannot happen unless HAVE_IPV6 */
	346	{
	347	if (searchtype == T_ADDRESSES) searchtype = T_AAAA;
	348	else if (searchtype == T_AAAA) searchtype = T_A;
	349	rc = dns_special_lookup(dnsa, domain, searchtype, CUSS &found);
	350	}
	351	else
	352	#endif
	353	rc = dns_special_lookup(dnsa, domain, type, CUSS &found);
	354
	355	lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
	356	: dns_is_secure(dnsa) ? US"yes" : US"no";
	357
	358	if (rc == DNS_NOMATCH \|\| rc == DNS_NODATA) continue;
	359	if ( rc != DNS_SUCCEED
	360	\|\| (dnssec_mode == DEFER && !dns_is_secure(dnsa))
	361	)
	362	{
	363	if (defer_mode == DEFER)
	364	{
	365	dns_retrans = save_retrans;
	366	dns_retry = save_retry;
	367	dns_init(FALSE, FALSE, FALSE); /* clr dnssec bit */
	368	return DEFER; /* always defer */
	369	}
	370	if (defer_mode == PASS) failrc = DEFER; /* defer only if all do */
	371	continue; /* treat defer as fail */
	372	}
	373
	374
	375	/* Search the returned records */
	376
	377	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	378	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == searchtype)
	379	{
	380	if (*do_cache > rr->ttl)
	381	*do_cache = rr->ttl;
	382
	383	if (type == T_A \|\| type == T_AAAA \|\| type == T_ADDRESSES)
	384	{
	385	for (dns_address * da = dns_address_from_rr(dnsa, rr); da; da = da->next)
	386	{
	387	if (yield->ptr) yield = string_catn(yield, outsep, 1);
	388	yield = string_cat(yield, da->address);
	389	}
	390	continue;
	391	}
	392
	393	/* Other kinds of record just have one piece of data each, but there may be
	394	several of them, of course. */
	395
	396	if (yield->ptr) yield = string_catn(yield, outsep, 1);
	397
	398	if (type == T_TXT \|\| type == T_SPF)
	399	{
	400	if (outsep2 == NULL) /* output only the first item of data */
	401	yield = string_catn(yield, US (rr->data+1), (rr->data)[0]);
	402	else
	403	{
	404	/* output all items */
	405	int data_offset = 0;
	406	while (data_offset < rr->size)
	407	{
	408	uschar chunk_len = (rr->data)[data_offset++];
	409	if (outsep2[0] != '\0' && data_offset != 1)
	410	yield = string_catn(yield, outsep2, 1);
	411	yield = string_catn(yield, US ((rr->data)+data_offset), chunk_len);
	412	data_offset += chunk_len;
	413	}
	414	}
	415	}
	416	else if (type == T_TLSA)
	417	{
	418	uint8_t usage, selector, matching_type;
	419	uint16_t payload_length;
	420	uschar s[MAX_TLSA_EXPANDED_SIZE];
	421	uschar * sp = s;
	422	uschar * p = US rr->data;
	423
	424	usage = *p++;
	425	selector = *p++;
	426	matching_type = *p++;
	427	/* What's left after removing the first 3 bytes above */
	428	payload_length = rr->size - 3;
	429	sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
	430	selector, outsep2, matching_type, outsep2);
	431	/* Now append the cert/identifier, one hex char at a time */
	432	while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
	433	sp += sprintf(CS sp, "%02x", *p++);
	434
	435	yield = string_cat(yield, s);
	436	}
	437	else /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SOA, T_SRV */
	438	{
	439	int priority, weight, port;
	440	uschar s[264];
	441	uschar * p = US rr->data;
	442
	443	switch (type)
	444	{
	445	case T_MXH:
	446	/* mxh ignores the priority number and includes only the hostnames */
	447	GETSHORT(priority, p);
	448	break;
	449
	450	case T_MX:
	451	GETSHORT(priority, p);
	452	sprintf(CS s, "%d%c", priority, *outsep2);
	453	yield = string_cat(yield, s);
	454	break;
	455
	456	case T_SRV:
	457	GETSHORT(priority, p);
	458	GETSHORT(weight, p);
	459	GETSHORT(port, p);
	460	sprintf(CS s, "%d%c%d%c%d%c", priority, *outsep2,
	461	weight, outsep2, port, outsep2);
	462	yield = string_cat(yield, s);
	463	break;
	464
	465	case T_CSA:
	466	/* See acl_verify_csa() for more comments about CSA. */
	467	GETSHORT(priority, p);
	468	GETSHORT(weight, p);
	469	GETSHORT(port, p);
	470
	471	if (priority != 1) continue; /* CSA version must be 1 */
	472
	473	/* If the CSA record we found is not the one we asked for, analyse
	474	the subdomain assertions in the port field, else analyse the direct
	475	authorization status in the weight field. */
	476
	477	if (Ustrcmp(found, domain) != 0)
	478	{
	479	if (port & 1) s = 'X'; / explicit authorization required */
	480	else s = '?'; / no subdomain assertions here */
	481	}
	482	else
	483	{
	484	if (weight < 2) s = 'N'; / not authorized */
	485	else if (weight == 2) s = 'Y'; / authorized */
	486	else if (weight == 3) s = '?'; / unauthorizable */
	487	else continue; /* invalid */
	488	}
	489
	490	s[1] = ' ';
	491	yield = string_catn(yield, s, 2);
	492	break;
	493
	494	default:
	495	break;
	496	}
	497
	498	/* GETSHORT() has advanced the pointer to the target domain. */
	499
	500	rc = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
	501	(DN_EXPAND_ARG4_TYPE)s, sizeof(s));
	502
	503	/* If an overlong response was received, the data will have been
	504	truncated and dn_expand may fail. */
	505
	506	if (rc < 0)
	507	{
	508	log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
	509	"domain=%s", dns_text_type(type), domain);
	510	break;
	511	}
	512	else yield = string_cat(yield, s);
	513
	514	if (type == T_SOA && outsep2 != NULL)
	515	{
	516	unsigned long serial, refresh, retry, expire, minimum;
	517
	518	p += rc;
	519	yield = string_catn(yield, outsep2, 1);
	520
	521	rc = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
	522	(DN_EXPAND_ARG4_TYPE)s, sizeof(s));
	523	if (rc < 0)
	524	{
	525	log_write(0, LOG_MAIN, "responsible-mailbox truncated: type=%s "
	526	"domain=%s", dns_text_type(type), domain);
	527	break;
	528	}
	529	else yield = string_cat(yield, s);
	530
	531	p += rc;
	532	GETLONG(serial, p); GETLONG(refresh, p);
	533	GETLONG(retry, p); GETLONG(expire, p); GETLONG(minimum, p);
	534	sprintf(CS s, "%c%lu%c%lu%c%lu%c%lu%c%lu",
	535	outsep2, serial, outsep2, refresh,
	536	outsep2, retry, outsep2, expire, *outsep2, minimum);
	537	yield = string_cat(yield, s);
	538	}
	539	}
	540	} /* Loop for list of returned records */
	541
	542	/* Loop for set of A-lookup types */
	543	} while (type == T_ADDRESSES && searchtype != T_A);
	544
	545	} /* Loop for list of domains */
	546
	547	/* Reclaim unused memory */
	548
	549	gstring_release_unused(yield);
	550
	551	/* If yield NULL we have not found anything. Otherwise, insert the terminating
	552	zero and return the result. */
	553
	554	dns_retrans = save_retrans;
	555	dns_retry = save_retry;
	556	dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */
	557
	558	if (!yield \|\| !yield->ptr) return failrc;
	559
	560	*result = string_from_gstring(yield);
	561	return OK;
	562	}
	563
	564
	565
	566	/*************************************************
	567	* Version reporting entry point *
	568	*************************************************/
	569
	570	/* See local README for interface description. */
	571
	572	#include "../version.h"
	573
	574	void
	575	dnsdb_version_report(FILE *f)
	576	{
	577	#ifdef DYNLOOKUP
	578	fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
	579	#endif
	580	}
	581
	582
	583	static lookup_info _lookup_info = {
	584	US"dnsdb", /* lookup name */
	585	lookup_querystyle, /* query style */
	586	dnsdb_open, /* open function */
	587	NULL, /* check function */
	588	dnsdb_find, /* find function */
	589	NULL, /* no close function */
	590	NULL, /* no tidy function */
	591	NULL, /* no quoting function */
	592	dnsdb_version_report /* version reporting */
	593	};
	594
	595	#ifdef DYNLOOKUP
	596	#define dnsdb_lookup_module_info _lookup_module_info
	597	#endif
	598
	599	static lookup_info *_lookup_list[] = { &_lookup_info };
	600	lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
	601
	602	/* vi: aw ai sw=2
	603	*/
	604	/* End of lookups/dnsdb.c */