8b8e329731cc0ee9c39c134f27fea364b2ab9add
[exim.git] / src / src / verify.c
1 /* $Cambridge: exim/src/src/verify.c,v 1.13 2005/01/14 10:25:33 ph10 Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10 /* Functions concerned with verifying things. The original code for callout
11 caching was contributed by Kevin Fleming (but I hacked it around a bit). */
12
13
14 #include "exim.h"
15
16
17 /* Structure for caching DNSBL lookups */
18
19 typedef struct dnsbl_cache_block {
20 dns_address *rhs;
21 uschar *text;
22 int rc;
23 BOOL text_set;
24 } dnsbl_cache_block;
25
26
27 /* Anchor for DNSBL cache */
28
29 static tree_node *dnsbl_cache = NULL;
30
31
32
33 /*************************************************
34 * Retrieve a callout cache record *
35 *************************************************/
36
37 /* If a record exists, check whether it has expired.
38
39 Arguments:
40 dbm_file an open hints file
41 key the record key
42 type "address" or "domain"
43 positive_expire expire time for positive records
44 negative_expire expire time for negative records
45
46 Returns: the cache record if a non-expired one exists, else NULL
47 */
48
49 static dbdata_callout_cache *
50 get_callout_cache_record(open_db *dbm_file, uschar *key, uschar *type,
51 int positive_expire, int negative_expire)
52 {
53 BOOL negative;
54 int length, expire;
55 time_t now;
56 dbdata_callout_cache *cache_record;
57
58 cache_record = dbfn_read_with_length(dbm_file, key, &length);
59
60 if (cache_record == NULL)
61 {
62 HDEBUG(D_verify) debug_printf("callout cache: no %s record found\n", type);
63 return NULL;
64 }
65
66 /* We treat a record as "negative" if its result field is not positive, or if
67 it is a domain record and the postmaster field is negative. */
68
69 negative = cache_record->result != ccache_accept ||
70 (type[0] == 'd' && cache_record->postmaster_result == ccache_reject);
71 expire = negative? negative_expire : positive_expire;
72 now = time(NULL);
73
74 if (now - cache_record->time_stamp > expire)
75 {
76 HDEBUG(D_verify) debug_printf("callout cache: %s record expired\n", type);
77 return NULL;
78 }
79
80 /* If this is a non-reject domain record, check for the obsolete format version
81 that doesn't have the postmaster and random timestamps, by looking at the
82 length. If so, copy it to a new-style block, replicating the record's
83 timestamp. Then check the additional timestamps. (There's no point wasting
84 effort if connections are rejected.) */
85
86 if (type[0] == 'd' && cache_record->result != ccache_reject)
87 {
88 if (length == sizeof(dbdata_callout_cache_obs))
89 {
90 dbdata_callout_cache *new = store_get(sizeof(dbdata_callout_cache));
91 memcpy(new, cache_record, length);
92 new->postmaster_stamp = new->random_stamp = new->time_stamp;
93 cache_record = new;
94 }
95
96 if (now - cache_record->postmaster_stamp > expire)
97 cache_record->postmaster_result = ccache_unknown;
98
99 if (now - cache_record->random_stamp > expire)
100 cache_record->random_result = ccache_unknown;
101 }
102
103 HDEBUG(D_verify) debug_printf("callout cache: found %s record\n", type);
104 return cache_record;
105 }
106
107
108
109 /*************************************************
110 * Do callout verification for an address *
111 *************************************************/
112
113 /* This function is called from verify_address() when the address has routed to
114 a host list, and a callout has been requested. Callouts are expensive; that is
115 why a cache is used to improve the efficiency.
116
117 Arguments:
118 addr the address that's been routed
119 host_list the list of hosts to try
120 tf the transport feedback block
121
122 ifstring "interface" option from transport, or NULL
123 portstring "port" option from transport, or NULL
124 protocolstring "protocol" option from transport, or NULL
125 callout the per-command callout timeout
126 callout_overall the overall callout timeout (if < 0 use 4*callout)
127 callout_connect the callout connection timeout (if < 0 use callout)
128 options the verification options - these bits are used:
129 vopt_is_recipient => this is a recipient address
130 vopt_callout_no_cache => don't use callout cache
131 vopt_callout_random => do the "random" thing
132 vopt_callout_recipsender => use real sender for recipient
133 vopt_callout_recippmaster => use postmaster for recipient
134 se_mailfrom MAIL FROM address for sender verify; NULL => ""
135 pm_mailfrom if non-NULL, do the postmaster check with this sender
136
137 Returns: OK/FAIL/DEFER
138 */
139
140 static int
141 do_callout(address_item *addr, host_item *host_list, transport_feedback *tf,
142 int callout, int callout_overall, int callout_connect, int options,
143 uschar *se_mailfrom, uschar *pm_mailfrom)
144 {
145 BOOL is_recipient = (options & vopt_is_recipient) != 0;
146 BOOL callout_no_cache = (options & vopt_callout_no_cache) != 0;
147 BOOL callout_random = (options & vopt_callout_random) != 0;
148
149 int yield = OK;
150 BOOL done = FALSE;
151 uschar *address_key;
152 uschar *from_address;
153 uschar *random_local_part = NULL;
154 uschar **failure_ptr = is_recipient?
155 &recipient_verify_failure : &sender_verify_failure;
156 open_db dbblock;
157 open_db *dbm_file = NULL;
158 dbdata_callout_cache new_domain_record;
159 dbdata_callout_cache_address new_address_record;
160 host_item *host;
161 time_t callout_start_time;
162
163 new_domain_record.result = ccache_unknown;
164 new_domain_record.postmaster_result = ccache_unknown;
165 new_domain_record.random_result = ccache_unknown;
166
167 memset(&new_address_record, 0, sizeof(new_address_record));
168
169 /* For a recipient callout, the key used for the address cache record must
170 include the sender address if we are using the real sender in the callout,
171 because that may influence the result of the callout. */
172
173 address_key = addr->address;
174 from_address = US"";
175
176 if (is_recipient)
177 {
178 if ((options & vopt_callout_recipsender) != 0)
179 {
180 address_key = string_sprintf("%s/<%s>", addr->address, sender_address);
181 from_address = sender_address;
182 }
183 else if ((options & vopt_callout_recippmaster) != 0)
184 {
185 address_key = string_sprintf("%s/<postmaster@%s>", addr->address,
186 qualify_domain_sender);
187 from_address = string_sprintf("postmaster@%s", qualify_domain_sender);
188 }
189 }
190
191 /* For a sender callout, we must adjust the key if the mailfrom address is not
192 empty. */
193
194 else
195 {
196 from_address = (se_mailfrom == NULL)? US"" : se_mailfrom;
197 if (from_address[0] != 0)
198 address_key = string_sprintf("%s/<%s>", addr->address, from_address);
199 }
200
201 /* Open the callout cache database, it it exists, for reading only at this
202 stage, unless caching has been disabled. */
203
204 if (callout_no_cache)
205 {
206 HDEBUG(D_verify) debug_printf("callout cache: disabled by no_cache\n");
207 }
208 else if ((dbm_file = dbfn_open(US"callout", O_RDWR, &dbblock, FALSE)) == NULL)
209 {
210 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
211 }
212
213 /* If a cache database is available see if we can avoid the need to do an
214 actual callout by making use of previously-obtained data. */
215
216 if (dbm_file != NULL)
217 {
218 dbdata_callout_cache_address *cache_address_record;
219 dbdata_callout_cache *cache_record = get_callout_cache_record(dbm_file,
220 addr->domain, US"domain",
221 callout_cache_domain_positive_expire,
222 callout_cache_domain_negative_expire);
223
224 /* If an unexpired cache record was found for this domain, see if the callout
225 process can be short-circuited. */
226
227 if (cache_record != NULL)
228 {
229 /* If an early command (up to and including MAIL FROM:<>) was rejected,
230 there is no point carrying on. The callout fails. */
231
232 if (cache_record->result == ccache_reject)
233 {
234 setflag(addr, af_verify_nsfail);
235 HDEBUG(D_verify)
236 debug_printf("callout cache: domain gave initial rejection, or "
237 "does not accept HELO or MAIL FROM:<>\n");
238 setflag(addr, af_verify_nsfail);
239 addr->user_message = US"(result of an earlier callout reused).";
240 yield = FAIL;
241 *failure_ptr = US"mail";
242 goto END_CALLOUT;
243 }
244
245 /* If a previous check on a "random" local part was accepted, we assume
246 that the server does not do any checking on local parts. There is therefore
247 no point in doing the callout, because it will always be successful. If a
248 random check previously failed, arrange not to do it again, but preserve
249 the data in the new record. If a random check is required but hasn't been
250 done, skip the remaining cache processing. */
251
252 if (callout_random) switch(cache_record->random_result)
253 {
254 case ccache_accept:
255 HDEBUG(D_verify)
256 debug_printf("callout cache: domain accepts random addresses\n");
257 goto END_CALLOUT; /* Default yield is OK */
258
259 case ccache_reject:
260 HDEBUG(D_verify)
261 debug_printf("callout cache: domain rejects random addresses\n");
262 callout_random = FALSE;
263 new_domain_record.random_result = ccache_reject;
264 new_domain_record.random_stamp = cache_record->random_stamp;
265 break;
266
267 default:
268 HDEBUG(D_verify)
269 debug_printf("callout cache: need to check random address handling "
270 "(not cached or cache expired)\n");
271 goto END_CACHE;
272 }
273
274 /* If a postmaster check is requested, but there was a previous failure,
275 there is again no point in carrying on. If a postmaster check is required,
276 but has not been done before, we are going to have to do a callout, so skip
277 remaining cache processing. */
278
279 if (pm_mailfrom != NULL)
280 {
281 if (cache_record->postmaster_result == ccache_reject)
282 {
283 setflag(addr, af_verify_pmfail);
284 HDEBUG(D_verify)
285 debug_printf("callout cache: domain does not accept "
286 "RCPT TO:<postmaster@domain>\n");
287 yield = FAIL;
288 *failure_ptr = US"postmaster";
289 setflag(addr, af_verify_pmfail);
290 addr->user_message = US"(result of earlier verification reused).";
291 goto END_CALLOUT;
292 }
293 if (cache_record->postmaster_result == ccache_unknown)
294 {
295 HDEBUG(D_verify)
296 debug_printf("callout cache: need to check RCPT "
297 "TO:<postmaster@domain> (not cached or cache expired)\n");
298 goto END_CACHE;
299 }
300
301 /* If cache says OK, set pm_mailfrom NULL to prevent a redundant
302 postmaster check if the address itself has to be checked. Also ensure
303 that the value in the cache record is preserved (with its old timestamp).
304 */
305
306 HDEBUG(D_verify) debug_printf("callout cache: domain accepts RCPT "
307 "TO:<postmaster@domain>\n");
308 pm_mailfrom = NULL;
309 new_domain_record.postmaster_result = ccache_accept;
310 new_domain_record.postmaster_stamp = cache_record->postmaster_stamp;
311 }
312 }
313
314 /* We can't give a result based on information about the domain. See if there
315 is an unexpired cache record for this specific address (combined with the
316 sender address if we are doing a recipient callout with a non-empty sender).
317 */
318
319 cache_address_record = (dbdata_callout_cache_address *)
320 get_callout_cache_record(dbm_file,
321 address_key, US"address",
322 callout_cache_positive_expire,
323 callout_cache_negative_expire);
324
325 if (cache_address_record != NULL)
326 {
327 if (cache_address_record->result == ccache_accept)
328 {
329 HDEBUG(D_verify)
330 debug_printf("callout cache: address record is positive\n");
331 }
332 else
333 {
334 HDEBUG(D_verify)
335 debug_printf("callout cache: address record is negative\n");
336 addr->user_message = US"Previous (cached) callout verification failure";
337 *failure_ptr = US"recipient";
338 yield = FAIL;
339 }
340 goto END_CALLOUT;
341 }
342
343 /* Close the cache database while we actually do the callout for real. */
344
345 END_CACHE:
346 dbfn_close(dbm_file);
347 dbm_file = NULL;
348 }
349
350 /* The information wasn't available in the cache, so we have to do a real
351 callout and save the result in the cache for next time, unless no_cache is set,
352 or unless we have a previously cached negative random result. If we are to test
353 with a random local part, ensure that such a local part is available. If not,
354 log the fact, but carry on without randomming. */
355
356 if (callout_random && callout_random_local_part != NULL)
357 {
358 random_local_part = expand_string(callout_random_local_part);
359 if (random_local_part == NULL)
360 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
361 "callout_random_local_part: %s", expand_string_message);
362 }
363
364 /* Default the connect and overall callout timeouts if not set, and record the
365 time we are starting so that we can enforce it. */
366
367 if (callout_overall < 0) callout_overall = 4 * callout;
368 if (callout_connect < 0) callout_connect = callout;
369 callout_start_time = time(NULL);
370
371 /* Now make connections to the hosts and do real callouts. The list of hosts
372 is passed in as an argument. */
373
374 for (host = host_list; host != NULL && !done; host = host->next)
375 {
376 smtp_inblock inblock;
377 smtp_outblock outblock;
378 int host_af;
379 int port = 25;
380 BOOL send_quit = TRUE;
381 uschar *helo = US"HELO";
382 uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
383 uschar inbuffer[4096];
384 uschar outbuffer[1024];
385 uschar responsebuffer[4096];
386
387 clearflag(addr, af_verify_pmfail); /* postmaster callout flag */
388 clearflag(addr, af_verify_nsfail); /* null sender callout flag */
389
390 /* Skip this host if we don't have an IP address for it. */
391
392 if (host->address == NULL)
393 {
394 DEBUG(D_verify) debug_printf("no IP address for host name %s: skipping\n",
395 host->name);
396 continue;
397 }
398
399 /* Check the overall callout timeout */
400
401 if (time(NULL) - callout_start_time >= callout_overall)
402 {
403 HDEBUG(D_verify) debug_printf("overall timeout for callout exceeded\n");
404 break;
405 }
406
407 /* Set IPv4 or IPv6 */
408
409 host_af = (Ustrchr(host->address, ':') == NULL)? AF_INET:AF_INET6;
410
411 /* Expand and interpret the interface and port strings. This has to
412 be delayed till now, because they may expand differently for different
413 hosts. If there's a failure, log it, but carry on with the defaults. */
414
415 deliver_host = host->name;
416 deliver_host_address = host->address;
417 if (!smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
418 US"callout") ||
419 !smtp_get_port(tf->port, addr, &port, US"callout"))
420 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
421 addr->message);
422 deliver_host = deliver_host_address = NULL;
423
424 /* Set HELO string according to the protocol */
425
426 if (Ustrcmp(tf->protocol, "lmtp") == 0) helo = US"LHLO";
427
428 HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", interface, port);
429
430 /* Set up the buffer for reading SMTP response packets. */
431
432 inblock.buffer = inbuffer;
433 inblock.buffersize = sizeof(inbuffer);
434 inblock.ptr = inbuffer;
435 inblock.ptrend = inbuffer;
436
437 /* Set up the buffer for holding SMTP commands while pipelining */
438
439 outblock.buffer = outbuffer;
440 outblock.buffersize = sizeof(outbuffer);
441 outblock.ptr = outbuffer;
442 outblock.cmd_count = 0;
443 outblock.authenticating = FALSE;
444
445 /* Connect to the host; on failure, just loop for the next one, but we
446 set the error for the last one. Use the callout_connect timeout. */
447
448 inblock.sock = outblock.sock =
449 smtp_connect(host, host_af, port, interface, callout_connect, TRUE);
450 if (inblock.sock < 0)
451 {
452 addr->message = string_sprintf("could not connect to %s [%s]: %s",
453 host->name, host->address, strerror(errno));
454 continue;
455 }
456
457 /* Wait for initial response, and then run the initial SMTP commands. The
458 smtp_write_command() function leaves its command in big_buffer. This is
459 used in error responses. Initialize it in case the connection is
460 rejected. */
461
462 Ustrcpy(big_buffer, "initial connection");
463
464 done =
465 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
466 '2', callout) &&
467
468 smtp_write_command(&outblock, FALSE, "%s %s\r\n", helo,
469 smtp_active_hostname) >= 0 &&
470 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
471 '2', callout) &&
472
473 smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>\r\n",
474 from_address) >= 0 &&
475 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
476 '2', callout);
477
478 /* If the host gave an initial error, or does not accept HELO or MAIL
479 FROM:<>, arrange to cache this information, but don't record anything for an
480 I/O error or a defer. Do not cache rejections when a non-empty sender has
481 been used, because that blocks the whole domain for all senders. */
482
483 if (!done)
484 {
485 *failure_ptr = US"mail";
486 if (errno == 0 && responsebuffer[0] == '5')
487 {
488 setflag(addr, af_verify_nsfail);
489 if (from_address[0] == 0) new_domain_record.result = ccache_reject;
490 }
491 }
492
493 /* Otherwise, proceed to check a "random" address (if required), then the
494 given address, and the postmaster address (if required). Between each check,
495 issue RSET, because some servers accept only one recipient after MAIL
496 FROM:<>. */
497
498 else
499 {
500 new_domain_record.result = ccache_accept;
501
502 /* Do the random local part check first */
503
504 if (random_local_part != NULL)
505 {
506 uschar randombuffer[1024];
507 BOOL random_ok =
508 smtp_write_command(&outblock, FALSE,
509 "RCPT TO:<%.1000s@%.1000s>\r\n", random_local_part,
510 addr->domain) >= 0 &&
511 smtp_read_response(&inblock, randombuffer,
512 sizeof(randombuffer), '2', callout);
513
514 /* Remember when we last did a random test */
515
516 new_domain_record.random_stamp = time(NULL);
517
518 /* If accepted, we aren't going to do any further tests below. */
519
520 if (random_ok)
521 {
522 new_domain_record.random_result = ccache_accept;
523 }
524
525 /* Otherwise, cache a real negative response, and get back to the right
526 state to send RCPT. Unless there's some problem such as a dropped
527 connection, we expect to succeed, because the commands succeeded above. */
528
529 else if (errno == 0)
530 {
531 if (randombuffer[0] == '5')
532 new_domain_record.random_result = ccache_reject;
533
534 done =
535 smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
536 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
537 '2', callout) &&
538
539 smtp_write_command(&outblock, FALSE, "MAIL FROM:<>\r\n") >= 0 &&
540 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
541 '2', callout);
542 }
543 else done = FALSE; /* Some timeout/connection problem */
544 } /* Random check */
545
546 /* If the host is accepting all local parts, as determined by the "random"
547 check, we don't need to waste time doing any further checking. */
548
549 if (new_domain_record.random_result != ccache_accept && done)
550 {
551 done =
552 smtp_write_command(&outblock, FALSE, "RCPT TO:<%.1000s>\r\n",
553 addr->address) >= 0 &&
554 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
555 '2', callout);
556
557 if (done)
558 new_address_record.result = ccache_accept;
559 else if (errno == 0 && responsebuffer[0] == '5')
560 {
561 *failure_ptr = US"recipient";
562 new_address_record.result = ccache_reject;
563 }
564
565 /* Do postmaster check if requested */
566
567 if (done && pm_mailfrom != NULL)
568 {
569 done =
570 smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
571 smtp_read_response(&inblock, responsebuffer,
572 sizeof(responsebuffer), '2', callout) &&
573
574 smtp_write_command(&outblock, FALSE,
575 "MAIL FROM:<%s>\r\n", pm_mailfrom) >= 0 &&
576 smtp_read_response(&inblock, responsebuffer,
577 sizeof(responsebuffer), '2', callout) &&
578
579 smtp_write_command(&outblock, FALSE,
580 "RCPT TO:<postmaster@%.1000s>\r\n", addr->domain) >= 0 &&
581 smtp_read_response(&inblock, responsebuffer,
582 sizeof(responsebuffer), '2', callout);
583
584 new_domain_record.postmaster_stamp = time(NULL);
585
586 if (done)
587 new_domain_record.postmaster_result = ccache_accept;
588 else if (errno == 0 && responsebuffer[0] == '5')
589 {
590 *failure_ptr = US"postmaster";
591 setflag(addr, af_verify_pmfail);
592 new_domain_record.postmaster_result = ccache_reject;
593 }
594 }
595 } /* Random not accepted */
596 } /* MAIL FROM:<> accepted */
597
598 /* For any failure of the main check, other than a negative response, we just
599 close the connection and carry on. We can identify a negative response by the
600 fact that errno is zero. For I/O errors it will be non-zero
601
602 Set up different error texts for logging and for sending back to the caller
603 as an SMTP response. Log in all cases, using a one-line format. For sender
604 callouts, give a full response to the caller, but for recipient callouts,
605 don't give the IP address because this may be an internal host whose identity
606 is not to be widely broadcast. */
607
608 if (!done)
609 {
610 if (errno == ETIMEDOUT)
611 {
612 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
613 send_quit = FALSE;
614 }
615 else if (errno == 0)
616 {
617 if (*responsebuffer == 0) Ustrcpy(responsebuffer, US"connection dropped");
618
619 addr->message =
620 string_sprintf("response to \"%s\" from %s [%s] was: %s",
621 big_buffer, host->name, host->address,
622 string_printing(responsebuffer));
623
624 addr->user_message = is_recipient?
625 string_sprintf("Callout verification failed:\n%s", responsebuffer)
626 :
627 string_sprintf("Called: %s\nSent: %s\nResponse: %s",
628 host->address, big_buffer, responsebuffer);
629
630 /* Hard rejection ends the process */
631
632 if (responsebuffer[0] == '5') /* Address rejected */
633 {
634 yield = FAIL;
635 done = TRUE;
636 }
637 }
638 }
639
640 /* End the SMTP conversation and close the connection. */
641
642 if (send_quit) (void)smtp_write_command(&outblock, FALSE, "QUIT\r\n");
643 close(inblock.sock);
644 } /* Loop through all hosts, while !done */
645
646 /* If we get here with done == TRUE, a successful callout happened, and yield
647 will be set OK or FAIL according to the response to the RCPT command.
648 Otherwise, we looped through the hosts but couldn't complete the business.
649 However, there may be domain-specific information to cache in both cases.
650
651 The value of the result field in the new_domain record is ccache_unknown if
652 there was an error before or with MAIL FROM:<>, and errno was not zero,
653 implying some kind of I/O error. We don't want to write the cache in that case.
654 Otherwise the value is ccache_accept or ccache_reject. */
655
656 if (!callout_no_cache && new_domain_record.result != ccache_unknown)
657 {
658 if ((dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE))
659 == NULL)
660 {
661 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
662 }
663 else
664 {
665 (void)dbfn_write(dbm_file, addr->domain, &new_domain_record,
666 (int)sizeof(dbdata_callout_cache));
667 HDEBUG(D_verify) debug_printf("wrote callout cache domain record:\n"
668 " result=%d postmaster=%d random=%d\n",
669 new_domain_record.result,
670 new_domain_record.postmaster_result,
671 new_domain_record.random_result);
672 }
673 }
674
675 /* If a definite result was obtained for the callout, cache it unless caching
676 is disabled. */
677
678 if (done)
679 {
680 if (!callout_no_cache && new_address_record.result != ccache_unknown)
681 {
682 if (dbm_file == NULL)
683 dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE);
684 if (dbm_file == NULL)
685 {
686 HDEBUG(D_verify) debug_printf("no callout cache available\n");
687 }
688 else
689 {
690 (void)dbfn_write(dbm_file, address_key, &new_address_record,
691 (int)sizeof(dbdata_callout_cache_address));
692 HDEBUG(D_verify) debug_printf("wrote %s callout cache address record\n",
693 (new_address_record.result == ccache_accept)? "positive" : "negative");
694 }
695 }
696 } /* done */
697
698 /* Failure to connect to any host, or any response other than 2xx or 5xx is a
699 temporary error. If there was only one host, and a response was received, leave
700 it alone if supplying details. Otherwise, give a generic response. */
701
702 else /* !done */
703 {
704 uschar *dullmsg = string_sprintf("Could not complete %s verify callout",
705 is_recipient? "recipient" : "sender");
706 yield = DEFER;
707
708 if (host_list->next != NULL || addr->message == NULL) addr->message = dullmsg;
709
710 addr->user_message = (!smtp_return_error_details)? dullmsg :
711 string_sprintf("%s for <%s>.\n"
712 "The mail server(s) for the domain may be temporarily unreachable, or\n"
713 "they may be permanently unreachable from this server. In the latter case,\n%s",
714 dullmsg, addr->address,
715 is_recipient?
716 "the address will never be accepted."
717 :
718 "you need to change the address or create an MX record for its domain\n"
719 "if it is supposed to be generally accessible from the Internet.\n"
720 "Talk to your mail administrator for details.");
721
722 /* Force a specific error code */
723
724 addr->basic_errno = ERRNO_CALLOUTDEFER;
725 }
726
727 /* Come here from within the cache-reading code on fast-track exit. */
728
729 END_CALLOUT:
730 if (dbm_file != NULL) dbfn_close(dbm_file);
731 return yield;
732 }
733
734
735
736 /*************************************************
737 * Copy error to toplevel address *
738 *************************************************/
739
740 /* This function is used when a verify fails or defers, to ensure that the
741 failure or defer information is in the original toplevel address. This applies
742 when an address is redirected to a single new address, and the failure or
743 deferral happens to the child address.
744
745 Arguments:
746 vaddr the verify address item
747 addr the final address item
748 yield FAIL or DEFER
749
750 Returns: the value of YIELD
751 */
752
753 static int
754 copy_error(address_item *vaddr, address_item *addr, int yield)
755 {
756 if (addr != vaddr)
757 {
758 vaddr->message = addr->message;
759 vaddr->user_message = addr->user_message;
760 vaddr->basic_errno = addr->basic_errno;
761 vaddr->more_errno = addr->more_errno;
762 }
763 return yield;
764 }
765
766
767
768
769 /*************************************************
770 * Verify an email address *
771 *************************************************/
772
773 /* This function is used both for verification (-bv and at other times) and
774 address testing (-bt), which is indicated by address_test_mode being set.
775
776 Arguments:
777 vaddr contains the address to verify; the next field in this block
778 must be NULL
779 f if not NULL, write the result to this file
780 options various option bits:
781 vopt_fake_sender => this sender verify is not for the real
782 sender (it was verify=sender=xxxx or an address from a
783 header line) - rewriting must not change sender_address
784 vopt_is_recipient => this is a recipient address, otherwise
785 it's a sender address - this affects qualification and
786 rewriting and messages from callouts
787 vopt_qualify => qualify an unqualified address; else error
788 vopt_expn => called from SMTP EXPN command
789
790 These ones are used by do_callout() -- the options variable
791 is passed to it.
792
793 vopt_callout_no_cache => don't use callout cache
794 vopt_callout_random => do the "random" thing
795 vopt_callout_recipsender => use real sender for recipient
796 vopt_callout_recippmaster => use postmaster for recipient
797
798 callout if > 0, specifies that callout is required, and gives timeout
799 for individual commands
800 callout_overall if > 0, gives overall timeout for the callout function;
801 if < 0, a default is used (see do_callout())
802 callout_connect the connection timeout for callouts
803 se_mailfrom when callout is requested to verify a sender, use this
804 in MAIL FROM; NULL => ""
805 pm_mailfrom when callout is requested, if non-NULL, do the postmaster
806 thing and use this as the sender address (may be "")
807
808 routed if not NULL, set TRUE if routing succeeded, so we can
809 distinguish between routing failed and callout failed
810
811 Returns: OK address verified
812 FAIL address failed to verify
813 DEFER can't tell at present
814 */
815
816 int
817 verify_address(address_item *vaddr, FILE *f, int options, int callout,
818 int callout_overall, int callout_connect, uschar *se_mailfrom,
819 uschar *pm_mailfrom, BOOL *routed)
820 {
821 BOOL allok = TRUE;
822 BOOL full_info = (f == NULL)? FALSE : (debug_selector != 0);
823 BOOL is_recipient = (options & vopt_is_recipient) != 0;
824 BOOL expn = (options & vopt_expn) != 0;
825 int i;
826 int yield = OK;
827 int verify_type = expn? v_expn :
828 address_test_mode? v_none :
829 is_recipient? v_recipient : v_sender;
830 address_item *addr_list;
831 address_item *addr_new = NULL;
832 address_item *addr_remote = NULL;
833 address_item *addr_local = NULL;
834 address_item *addr_succeed = NULL;
835 uschar **failure_ptr = is_recipient?
836 &recipient_verify_failure : &sender_verify_failure;
837 uschar *ko_prefix, *cr;
838 uschar *address = vaddr->address;
839 uschar *save_sender;
840 uschar null_sender[] = { 0 }; /* Ensure writeable memory */
841
842 /* Clear, just in case */
843
844 *failure_ptr = NULL;
845
846 /* Set up a prefix and suffix for error message which allow us to use the same
847 output statements both in EXPN mode (where an SMTP response is needed) and when
848 debugging with an output file. */
849
850 if (expn)
851 {
852 ko_prefix = US"553 ";
853 cr = US"\r";
854 }
855 else ko_prefix = cr = US"";
856
857 /* Add qualify domain if permitted; otherwise an unqualified address fails. */
858
859 if (parse_find_at(address) == NULL)
860 {
861 if ((options & vopt_qualify) == 0)
862 {
863 if (f != NULL)
864 fprintf(f, "%sA domain is required for \"%s\"%s\n", ko_prefix, address,
865 cr);
866 *failure_ptr = US"qualify";
867 return FAIL;
868 }
869 address = rewrite_address_qualify(address, is_recipient);
870 }
871
872 DEBUG(D_verify)
873 {
874 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
875 debug_printf("%s %s\n", address_test_mode? "Testing" : "Verifying", address);
876 }
877
878 /* Rewrite and report on it. Clear the domain and local part caches - these
879 may have been set by domains and local part tests during an ACL. */
880
881 if (global_rewrite_rules != NULL)
882 {
883 uschar *old = address;
884 address = rewrite_address(address, is_recipient, FALSE,
885 global_rewrite_rules, rewrite_existflags);
886 if (address != old)
887 {
888 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->localpart_cache[i] = 0;
889 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->domain_cache[i] = 0;
890 if (f != NULL && !expn) fprintf(f, "Address rewritten as: %s\n", address);
891 }
892 }
893
894 /* If this is the real sender address, we must update sender_address at
895 this point, because it may be referred to in the routers. */
896
897 if ((options & (vopt_fake_sender|vopt_is_recipient)) == 0)
898 sender_address = address;
899
900 /* If the address was rewritten to <> no verification can be done, and we have
901 to return OK. This rewriting is permitted only for sender addresses; for other
902 addresses, such rewriting fails. */
903
904 if (address[0] == 0) return OK;
905
906 /* Save a copy of the sender address for re-instating if we change it to <>
907 while verifying a sender address (a nice bit of self-reference there). */
908
909 save_sender = sender_address;
910
911 /* Update the address structure with the possibly qualified and rewritten
912 address. Set it up as the starting address on the chain of new addresses. */
913
914 vaddr->address = address;
915 addr_new = vaddr;
916
917 /* We need a loop, because an address can generate new addresses. We must also
918 cope with generated pipes and files at the top level. (See also the code and
919 comment in deliver.c.) However, it is usually the case that the router for
920 user's .forward files has its verify flag turned off.
921
922 If an address generates more than one child, the loop is used only when
923 full_info is set, and this can only be set locally. Remote enquiries just get
924 information about the top level address, not anything that it generated. */
925
926 while (addr_new != NULL)
927 {
928 int rc;
929 address_item *addr = addr_new;
930
931 addr_new = addr->next;
932 addr->next = NULL;
933
934 DEBUG(D_verify)
935 {
936 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
937 debug_printf("Considering %s\n", addr->address);
938 }
939
940 /* Handle generated pipe, file or reply addresses. We don't get these
941 when handling EXPN, as it does only one level of expansion. */
942
943 if (testflag(addr, af_pfr))
944 {
945 allok = FALSE;
946 if (f != NULL)
947 {
948 BOOL allow;
949
950 if (addr->address[0] == '>')
951 {
952 allow = testflag(addr, af_allow_reply);
953 fprintf(f, "%s -> mail %s", addr->parent->address, addr->address + 1);
954 }
955 else
956 {
957 allow = (addr->address[0] == '|')?
958 testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file);
959 fprintf(f, "%s -> %s", addr->parent->address, addr->address);
960 }
961
962 if (addr->basic_errno == ERRNO_BADTRANSPORT)
963 fprintf(f, "\n*** Error in setting up pipe, file, or autoreply:\n"
964 "%s\n", addr->message);
965 else if (allow)
966 fprintf(f, "\n transport = %s\n", addr->transport->name);
967 else
968 fprintf(f, " *** forbidden ***\n");
969 }
970 continue;
971 }
972
973 /* Just in case some router parameter refers to it. */
974
975 return_path = (addr->p.errors_address != NULL)?
976 addr->p.errors_address : sender_address;
977
978 /* Split the address into domain and local part, handling the %-hack if
979 necessary, and then route it. While routing a sender address, set
980 $sender_address to <> because that is what it will be if we were trying to
981 send a bounce to the sender. */
982
983 if (routed != NULL) *routed = FALSE;
984 if ((rc = deliver_split_address(addr)) == OK)
985 {
986 if (!is_recipient) sender_address = null_sender;
987 rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
988 &addr_succeed, verify_type);
989 sender_address = save_sender; /* Put back the real sender */
990 }
991
992 /* If routing an address succeeded, set the flag that remembers, for use when
993 an ACL cached a sender verify (in case a callout fails). Then if routing set
994 up a list of hosts or the transport has a host list, and the callout option
995 is set, and we aren't in a host checking run, do the callout verification,
996 and set another flag that notes that a callout happened. */
997
998 if (rc == OK)
999 {
1000 if (routed != NULL) *routed = TRUE;
1001 if (callout > 0)
1002 {
1003 host_item *host_list = addr->host_list;
1004
1005 /* Default, if no remote transport, to NULL for the interface (=> any),
1006 "smtp" for the port, and "smtp" for the protocol. */
1007
1008 transport_feedback tf = { NULL, US"smtp", US"smtp", NULL, FALSE, FALSE };
1009
1010 /* If verification yielded a remote transport, we want to use that
1011 transport's options, so as to mimic what would happen if we were really
1012 sending a message to this address. */
1013
1014 if (addr->transport != NULL && !addr->transport->info->local)
1015 {
1016 (void)(addr->transport->setup)(addr->transport, addr, &tf, NULL);
1017
1018 /* If the transport has hosts and the router does not, or if the
1019 transport is configured to override the router's hosts, we must build a
1020 host list of the transport's hosts, and find the IP addresses */
1021
1022 if (tf.hosts != NULL && (host_list == NULL || tf.hosts_override))
1023 {
1024 uschar *s;
1025
1026 host_list = NULL; /* Ignore the router's hosts */
1027
1028 deliver_domain = addr->domain;
1029 deliver_localpart = addr->local_part;
1030 s = expand_string(tf.hosts);
1031 deliver_domain = deliver_localpart = NULL;
1032
1033 if (s == NULL)
1034 {
1035 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand list of hosts "
1036 "\"%s\" in %s transport for callout: %s", tf.hosts,
1037 addr->transport->name, expand_string_message);
1038 }
1039 else
1040 {
1041 uschar *canonical_name;
1042 host_item *host, *nexthost;
1043 host_build_hostlist(&host_list, s, tf.hosts_randomize);
1044
1045 /* Just ignore failures to find a host address. If we don't manage
1046 to find any addresses, the callout will defer. Note that more than
1047 one address may be found for a single host, which will result in
1048 additional host items being inserted into the chain. Hence we must
1049 save the next host first. */
1050
1051 for (host = host_list; host != NULL; host = nexthost)
1052 {
1053 nexthost = host->next;
1054 if (tf.gethostbyname ||
1055 string_is_ip_address(host->name, NULL) > 0)
1056 (void)host_find_byname(host, NULL, &canonical_name, TRUE);
1057 else
1058 {
1059 int flags = HOST_FIND_BY_A;
1060 if (tf.qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
1061 if (tf.search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
1062 (void)host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
1063 &canonical_name, NULL);
1064 }
1065 }
1066 }
1067 }
1068 }
1069
1070 /* Can only do a callout if we have at least one host! If the callout
1071 fails, it will have set ${sender,recipient}_verify_failure. */
1072
1073 if (host_list != NULL)
1074 {
1075 HDEBUG(D_verify) debug_printf("Attempting full verification using callout\n");
1076 if (host_checking && !host_checking_callout)
1077 {
1078 HDEBUG(D_verify)
1079 debug_printf("... callout omitted by default when host testing\n"
1080 "(Use -bhc if you want the callouts to happen.)\n");
1081 }
1082 else
1083 {
1084 rc = do_callout(addr, host_list, &tf, callout, callout_overall,
1085 callout_connect, options, se_mailfrom, pm_mailfrom);
1086 }
1087 }
1088 else
1089 {
1090 HDEBUG(D_verify) debug_printf("Cannot do callout: neither router nor "
1091 "transport provided a host list\n");
1092 }
1093 }
1094 }
1095
1096 /* Otherwise, any failure is a routing failure */
1097
1098 else *failure_ptr = US"route";
1099
1100 /* A router may return REROUTED if it has set up a child address as a result
1101 of a change of domain name (typically from widening). In this case we always
1102 want to continue to verify the new child. */
1103
1104 if (rc == REROUTED) continue;
1105
1106 /* Handle hard failures */
1107
1108 if (rc == FAIL)
1109 {
1110 allok = FALSE;
1111 if (f != NULL)
1112 {
1113 fprintf(f, "%s%s %s", ko_prefix, address,
1114 address_test_mode? "is undeliverable" : "failed to verify");
1115 if (!expn && admin_user)
1116 {
1117 if (addr->basic_errno > 0)
1118 fprintf(f, ": %s", strerror(addr->basic_errno));
1119 if (addr->message != NULL)
1120 fprintf(f, ":\n %s", addr->message);
1121 }
1122 fprintf(f, "%s\n", cr);
1123 }
1124
1125 if (!full_info) return copy_error(vaddr, addr, FAIL);
1126 else yield = FAIL;
1127 }
1128
1129 /* Soft failure */
1130
1131 else if (rc == DEFER)
1132 {
1133 allok = FALSE;
1134 if (f != NULL)
1135 {
1136 fprintf(f, "%s%s cannot be resolved at this time", ko_prefix, address);
1137 if (!expn && admin_user)
1138 {
1139 if (addr->basic_errno > 0)
1140 fprintf(f, ":\n %s", strerror(addr->basic_errno));
1141 if (addr->message != NULL)
1142 fprintf(f, ":\n %s", addr->message);
1143 else if (addr->basic_errno <= 0)
1144 fprintf(f, ":\n unknown error");
1145 }
1146
1147 fprintf(f, "%s\n", cr);
1148 }
1149 if (!full_info) return copy_error(vaddr, addr, DEFER);
1150 else if (yield == OK) yield = DEFER;
1151 }
1152
1153 /* If we are handling EXPN, we do not want to continue to route beyond
1154 the top level. */
1155
1156 else if (expn)
1157 {
1158 uschar *ok_prefix = US"250-";
1159 if (addr_new == NULL)
1160 {
1161 if (addr_local == NULL && addr_remote == NULL)
1162 fprintf(f, "250 mail to <%s> is discarded\r\n", address);
1163 else
1164 fprintf(f, "250 <%s>\r\n", address);
1165 }
1166 else while (addr_new != NULL)
1167 {
1168 address_item *addr2 = addr_new;
1169 addr_new = addr2->next;
1170 if (addr_new == NULL) ok_prefix = US"250 ";
1171 fprintf(f, "%s<%s>\r\n", ok_prefix, addr2->address);
1172 }
1173 return OK;
1174 }
1175
1176 /* Successful routing other than EXPN. */
1177
1178 else
1179 {
1180 /* Handle successful routing when short info wanted. Otherwise continue for
1181 other (generated) addresses. Short info is the operational case. Full info
1182 can be requested only when debug_selector != 0 and a file is supplied.
1183
1184 There is a conflict between the use of aliasing as an alternate email
1185 address, and as a sort of mailing list. If an alias turns the incoming
1186 address into just one address (e.g. J.Caesar->jc44) you may well want to
1187 carry on verifying the generated address to ensure it is valid when
1188 checking incoming mail. If aliasing generates multiple addresses, you
1189 probably don't want to do this. Exim therefore treats the generation of
1190 just a single new address as a special case, and continues on to verify the
1191 generated address. */
1192
1193 if (!full_info && /* Stop if short info wanted AND */
1194 (addr_new == NULL || /* No new address OR */
1195 addr_new->next != NULL || /* More than one new address OR */
1196 testflag(addr_new, af_pfr))) /* New address is pfr */
1197 {
1198 if (f != NULL) fprintf(f, "%s %s\n", address,
1199 address_test_mode? "is deliverable" : "verified");
1200
1201 /* If we have carried on to verify a child address, we want the value
1202 of $address_data to be that of the child */
1203
1204 vaddr->p.address_data = addr->p.address_data;
1205 return OK;
1206 }
1207 }
1208 } /* Loop for generated addresses */
1209
1210 /* Display the full results of the successful routing, including any generated
1211 addresses. Control gets here only when full_info is set, which requires f not
1212 to be NULL, and this occurs only when a top-level verify is called with the
1213 debugging switch on.
1214
1215 If there are no local and no remote addresses, and there were no pipes, files,
1216 or autoreplies, and there were no errors or deferments, the message is to be
1217 discarded, usually because of the use of :blackhole: in an alias file. */
1218
1219 if (allok && addr_local == NULL && addr_remote == NULL)
1220 fprintf(f, "mail to %s is discarded\n", address);
1221
1222 else for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
1223 {
1224 while (addr_list != NULL)
1225 {
1226 address_item *addr = addr_list;
1227 address_item *p = addr->parent;
1228 addr_list = addr->next;
1229
1230 fprintf(f, "%s", CS addr->address);
1231 while (p != NULL)
1232 {
1233 fprintf(f, "\n <-- %s", p->address);
1234 p = p->parent;
1235 }
1236 fprintf(f, "\n ");
1237
1238 /* Show router, and transport */
1239
1240 fprintf(f, "router = %s, ", addr->router->name);
1241 fprintf(f, "transport = %s\n", (addr->transport == NULL)? US"unset" :
1242 addr->transport->name);
1243
1244 /* Show any hosts that are set up by a router unless the transport
1245 is going to override them; fiddle a bit to get a nice format. */
1246
1247 if (addr->host_list != NULL && addr->transport != NULL &&
1248 !addr->transport->overrides_hosts)
1249 {
1250 host_item *h;
1251 int maxlen = 0;
1252 int maxaddlen = 0;
1253 for (h = addr->host_list; h != NULL; h = h->next)
1254 {
1255 int len = Ustrlen(h->name);
1256 if (len > maxlen) maxlen = len;
1257 len = (h->address != NULL)? Ustrlen(h->address) : 7;
1258 if (len > maxaddlen) maxaddlen = len;
1259 }
1260 for (h = addr->host_list; h != NULL; h = h->next)
1261 {
1262 int len = Ustrlen(h->name);
1263 fprintf(f, " host %s ", h->name);
1264 while (len++ < maxlen) fprintf(f, " ");
1265 if (h->address != NULL)
1266 {
1267 fprintf(f, "[%s] ", h->address);
1268 len = Ustrlen(h->address);
1269 }
1270 else if (!addr->transport->info->local) /* Omit [unknown] for local */
1271 {
1272 fprintf(f, "[unknown] ");
1273 len = 7;
1274 }
1275 else len = -3;
1276 while (len++ < maxaddlen) fprintf(f," ");
1277 if (h->mx >= 0) fprintf(f, "MX=%d", h->mx);
1278 if (h->port != PORT_NONE) fprintf(f, " port=%d", h->port);
1279 if (h->status == hstatus_unusable) fprintf(f, " ** unusable **");
1280 fprintf(f, "\n");
1281 }
1282 }
1283 }
1284 }
1285
1286 /* Will be DEFER or FAIL if any one address has, only for full_info (which is
1287 the -bv or -bt case). */
1288
1289 return yield;
1290 }
1291
1292
1293
1294
1295 /*************************************************
1296 * Check headers for syntax errors *
1297 *************************************************/
1298
1299 /* This function checks those header lines that contain addresses, and verifies
1300 that all the addresses therein are syntactially correct.
1301
1302 Arguments:
1303 msgptr where to put an error message
1304
1305 Returns: OK
1306 FAIL
1307 */
1308
1309 int
1310 verify_check_headers(uschar **msgptr)
1311 {
1312 header_line *h;
1313 uschar *colon, *s;
1314
1315 for (h = header_list; h != NULL; h = h->next)
1316 {
1317 if (h->type != htype_from &&
1318 h->type != htype_reply_to &&
1319 h->type != htype_sender &&
1320 h->type != htype_to &&
1321 h->type != htype_cc &&
1322 h->type != htype_bcc)
1323 continue;
1324
1325 colon = Ustrchr(h->text, ':');
1326 s = colon + 1;
1327 while (isspace(*s)) s++;
1328
1329 parse_allow_group = TRUE; /* Allow group syntax */
1330
1331 /* Loop for multiple addresses in the header */
1332
1333 while (*s != 0)
1334 {
1335 uschar *ss = parse_find_address_end(s, FALSE);
1336 uschar *recipient, *errmess;
1337 int terminator = *ss;
1338 int start, end, domain;
1339
1340 /* Temporarily terminate the string at this point, and extract the
1341 operative address within. */
1342
1343 *ss = 0;
1344 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
1345 *ss = terminator;
1346
1347 /* Permit an unqualified address only if the message is local, or if the
1348 sending host is configured to be permitted to send them. */
1349
1350 if (recipient != NULL && domain == 0)
1351 {
1352 if (h->type == htype_from || h->type == htype_sender)
1353 {
1354 if (!allow_unqualified_sender) recipient = NULL;
1355 }
1356 else
1357 {
1358 if (!allow_unqualified_recipient) recipient = NULL;
1359 }
1360 if (recipient == NULL) errmess = US"unqualified address not permitted";
1361 }
1362
1363 /* It's an error if no address could be extracted, except for the special
1364 case of an empty address. */
1365
1366 if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0)
1367 {
1368 uschar *verb = US"is";
1369 uschar *t = ss;
1370 int len;
1371
1372 /* Arrange not to include any white space at the end in the
1373 error message. */
1374
1375 while (t > s && isspace(t[-1])) t--;
1376
1377 /* Add the address which failed to the error message, since in a
1378 header with very many addresses it is sometimes hard to spot
1379 which one is at fault. However, limit the amount of address to
1380 quote - cases have been seen where, for example, a missing double
1381 quote in a humungous To: header creates an "address" that is longer
1382 than string_sprintf can handle. */
1383
1384 len = t - s;
1385 if (len > 1024)
1386 {
1387 len = 1024;
1388 verb = US"begins";
1389 }
1390
1391 *msgptr = string_printing(
1392 string_sprintf("%s: failing address in \"%.*s\" header %s: %.*s",
1393 errmess, colon - h->text, h->text, verb, len, s));
1394
1395 return FAIL;
1396 }
1397
1398 /* Advance to the next address */
1399
1400 s = ss + (terminator? 1:0);
1401 while (isspace(*s)) s++;
1402 } /* Next address */
1403 } /* Next header */
1404
1405 return OK;
1406 }
1407
1408
1409
1410
1411 /*************************************************
1412 * Find if verified sender *
1413 *************************************************/
1414
1415 /* Usually, just a single address is verified as the sender of the message.
1416 However, Exim can be made to verify other addresses as well (often related in
1417 some way), and this is useful in some environments. There may therefore be a
1418 chain of such addresses that have previously been tested. This function finds
1419 whether a given address is on the chain.
1420
1421 Arguments: the address to be verified
1422 Returns: pointer to an address item, or NULL
1423 */
1424
1425 address_item *
1426 verify_checked_sender(uschar *sender)
1427 {
1428 address_item *addr;
1429 for (addr = sender_verified_list; addr != NULL; addr = addr->next)
1430 if (Ustrcmp(sender, addr->address) == 0) break;
1431 return addr;
1432 }
1433
1434
1435
1436
1437
1438 /*************************************************
1439 * Get valid header address *
1440 *************************************************/
1441
1442 /* Scan the originator headers of the message, looking for an address that
1443 verifies successfully. RFC 822 says:
1444
1445 o The "Sender" field mailbox should be sent notices of
1446 any problems in transport or delivery of the original
1447 messages. If there is no "Sender" field, then the
1448 "From" field mailbox should be used.
1449
1450 o If the "Reply-To" field exists, then the reply should
1451 go to the addresses indicated in that field and not to
1452 the address(es) indicated in the "From" field.
1453
1454 So we check a Sender field if there is one, else a Reply_to field, else a From
1455 field. As some strange messages may have more than one of these fields,
1456 especially if they are resent- fields, check all of them if there is more than
1457 one.
1458
1459 Arguments:
1460 user_msgptr points to where to put a user error message
1461 log_msgptr points to where to put a log error message
1462 callout timeout for callout check (passed to verify_address())
1463 callout_overall overall callout timeout (ditto)
1464 callout_connect connect callout timeout (ditto)
1465 se_mailfrom mailfrom for verify; NULL => ""
1466 pm_mailfrom sender for pm callout check (passed to verify_address())
1467 options callout options (passed to verify_address())
1468
1469 If log_msgptr is set to something without setting user_msgptr, the caller
1470 normally uses log_msgptr for both things.
1471
1472 Returns: result of the verification attempt: OK, FAIL, or DEFER;
1473 FAIL is given if no appropriate headers are found
1474 */
1475
1476 int
1477 verify_check_header_address(uschar **user_msgptr, uschar **log_msgptr,
1478 int callout, int callout_overall, int callout_connect, uschar *se_mailfrom,
1479 uschar *pm_mailfrom, int options)
1480 {
1481 static int header_types[] = { htype_sender, htype_reply_to, htype_from };
1482 int yield = FAIL;
1483 int i;
1484
1485 for (i = 0; i < 3; i++)
1486 {
1487 header_line *h;
1488 for (h = header_list; h != NULL; h = h->next)
1489 {
1490 int terminator, new_ok;
1491 uschar *s, *ss, *endname;
1492
1493 if (h->type != header_types[i]) continue;
1494 s = endname = Ustrchr(h->text, ':') + 1;
1495
1496 while (*s != 0)
1497 {
1498 address_item *vaddr;
1499
1500 while (isspace(*s) || *s == ',') s++;
1501 if (*s == 0) break; /* End of header */
1502
1503 ss = parse_find_address_end(s, FALSE);
1504
1505 /* The terminator is a comma or end of header, but there may be white
1506 space preceding it (including newline for the last address). Move back
1507 past any white space so we can check against any cached envelope sender
1508 address verifications. */
1509
1510 while (isspace(ss[-1])) ss--;
1511 terminator = *ss;
1512 *ss = 0;
1513
1514 HDEBUG(D_verify) debug_printf("verifying %.*s header address %s\n",
1515 (int)(endname - h->text), h->text, s);
1516
1517 /* See if we have already verified this address as an envelope sender,
1518 and if so, use the previous answer. */
1519
1520 vaddr = verify_checked_sender(s);
1521
1522 if (vaddr != NULL && /* Previously checked */
1523 (callout <= 0 || /* No callout needed; OR */
1524 vaddr->special_action > 256)) /* Callout was done */
1525 {
1526 new_ok = vaddr->special_action & 255;
1527 HDEBUG(D_verify) debug_printf("previously checked as envelope sender\n");
1528 *ss = terminator; /* Restore shortened string */
1529 }
1530
1531 /* Otherwise we run the verification now. We must restore the shortened
1532 string before running the verification, so the headers are correct, in
1533 case there is any rewriting. */
1534
1535 else
1536 {
1537 int start, end, domain;
1538 uschar *address = parse_extract_address(s, log_msgptr, &start,
1539 &end, &domain, FALSE);
1540
1541 *ss = terminator;
1542
1543 /* If verification failed because of a syntax error, fail this
1544 function, and ensure that the failing address gets added to the error
1545 message. */
1546
1547 if (address == NULL)
1548 {
1549 new_ok = FAIL;
1550 if (*log_msgptr != NULL)
1551 {
1552 while (ss > s && isspace(ss[-1])) ss--;
1553 *log_msgptr = string_sprintf("syntax error in '%.*s' header when "
1554 "scanning for sender: %s in \"%.*s\"",
1555 endname - h->text, h->text, *log_msgptr, ss - s, s);
1556 return FAIL;
1557 }
1558 }
1559
1560 /* Else go ahead with the sender verification. But it isn't *the*
1561 sender of the message, so set vopt_fake_sender to stop sender_address
1562 being replaced after rewriting or qualification. */
1563
1564 else
1565 {
1566 vaddr = deliver_make_addr(address, FALSE);
1567 new_ok = verify_address(vaddr, NULL, options | vopt_fake_sender,
1568 callout, callout_overall, callout_connect, se_mailfrom,
1569 pm_mailfrom, NULL);
1570 }
1571 }
1572
1573 /* We now have the result, either newly found, or cached. If we are
1574 giving out error details, set a specific user error. This means that the
1575 last of these will be returned to the user if all three fail. We do not
1576 set a log message - the generic one below will be used. */
1577
1578 if (new_ok != OK && smtp_return_error_details)
1579 {
1580 *user_msgptr = string_sprintf("Rejected after DATA: "
1581 "could not verify \"%.*s\" header address\n%s: %s",
1582 endname - h->text, h->text, vaddr->address, vaddr->message);
1583 }
1584
1585 /* Success or defer */
1586
1587 if (new_ok == OK) return OK;
1588 if (new_ok == DEFER) yield = DEFER;
1589
1590 /* Move on to any more addresses in the header */
1591
1592 s = ss;
1593 }
1594 }
1595 }
1596
1597 if (yield == FAIL && *log_msgptr == NULL)
1598 *log_msgptr = US"there is no valid sender in any header line";
1599
1600 if (yield == DEFER && *log_msgptr == NULL)
1601 *log_msgptr = US"all attempts to verify a sender in a header line deferred";
1602
1603 return yield;
1604 }
1605
1606
1607
1608
1609 /*************************************************
1610 * Get RFC 1413 identification *
1611 *************************************************/
1612
1613 /* Attempt to get an id from the sending machine via the RFC 1413 protocol. If
1614 the timeout is set to zero, then the query is not done. There may also be lists
1615 of hosts and nets which are exempt. To guard against malefactors sending
1616 non-printing characters which could, for example, disrupt a message's headers,
1617 make sure the string consists of printing characters only.
1618
1619 Argument:
1620 port the port to connect to; usually this is IDENT_PORT (113), but when
1621 running in the test harness with -bh a different value is used.
1622
1623 Returns: nothing
1624
1625 Side effect: any received ident value is put in sender_ident (NULL otherwise)
1626 */
1627
1628 void
1629 verify_get_ident(int port)
1630 {
1631 int sock, host_af, qlen;
1632 int received_sender_port, received_interface_port, n;
1633 uschar *p;
1634 uschar buffer[2048];
1635
1636 /* Default is no ident. Check whether we want to do an ident check for this
1637 host. */
1638
1639 sender_ident = NULL;
1640 if (rfc1413_query_timeout <= 0 || verify_check_host(&rfc1413_hosts) != OK)
1641 return;
1642
1643 DEBUG(D_ident) debug_printf("doing ident callback\n");
1644
1645 /* Set up a connection to the ident port of the remote host. Bind the local end
1646 to the incoming interface address. If the sender host address is an IPv6
1647 address, the incoming interface address will also be IPv6. */
1648
1649 host_af = (Ustrchr(sender_host_address, ':') == NULL)? AF_INET : AF_INET6;
1650 sock = ip_socket(SOCK_STREAM, host_af);
1651 if (sock < 0) return;
1652
1653 if (ip_bind(sock, host_af, interface_address, 0) < 0)
1654 {
1655 DEBUG(D_ident) debug_printf("bind socket for ident failed: %s\n",
1656 strerror(errno));
1657 goto END_OFF;
1658 }
1659
1660 if (ip_connect(sock, host_af, sender_host_address, port, rfc1413_query_timeout)
1661 < 0)
1662 {
1663 if (errno == ETIMEDOUT && (log_extra_selector & LX_ident_timeout) != 0)
1664 {
1665 log_write(0, LOG_MAIN, "ident connection to %s timed out",
1666 sender_host_address);
1667 }
1668 else
1669 {
1670 DEBUG(D_ident) debug_printf("ident connection to %s failed: %s\n",
1671 sender_host_address, strerror(errno));
1672 }
1673 goto END_OFF;
1674 }
1675
1676 /* Construct and send the query. */
1677
1678 sprintf(CS buffer, "%d , %d\r\n", sender_host_port, interface_port);
1679 qlen = Ustrlen(buffer);
1680 if (send(sock, buffer, qlen, 0) < 0)
1681 {
1682 DEBUG(D_ident) debug_printf("ident send failed: %s\n", strerror(errno));
1683 goto END_OFF;
1684 }
1685
1686 /* Read a response line. We put it into the rest of the buffer, using several
1687 recv() calls if necessary. */
1688
1689 p = buffer + qlen;
1690
1691 for (;;)
1692 {
1693 uschar *pp;
1694 int count;
1695 int size = sizeof(buffer) - (p - buffer);
1696
1697 if (size <= 0) goto END_OFF; /* Buffer filled without seeing \n. */
1698 count = ip_recv(sock, p, size, rfc1413_query_timeout);
1699 if (count <= 0) goto END_OFF; /* Read error or EOF */
1700
1701 /* Scan what we just read, to see if we have reached the terminating \r\n. Be
1702 generous, and accept a plain \n terminator as well. The only illegal
1703 character is 0. */
1704
1705 for (pp = p; pp < p + count; pp++)
1706 {
1707 if (*pp == 0) goto END_OFF; /* Zero octet not allowed */
1708 if (*pp == '\n')
1709 {
1710 if (pp[-1] == '\r') pp--;
1711 *pp = 0;
1712 goto GOT_DATA; /* Break out of both loops */
1713 }
1714 }
1715
1716 /* Reached the end of the data without finding \n. Let the loop continue to
1717 read some more, if there is room. */
1718
1719 p = pp;
1720 }
1721
1722 GOT_DATA:
1723
1724 /* We have received a line of data. Check it carefully. It must start with the
1725 same two port numbers that we sent, followed by data as defined by the RFC. For
1726 example,
1727
1728 12345 , 25 : USERID : UNIX :root
1729
1730 However, the amount of white space may be different to what we sent. In the
1731 "osname" field there may be several sub-fields, comma separated. The data we
1732 actually want to save follows the third colon. Some systems put leading spaces
1733 in it - we discard those. */
1734
1735 if (sscanf(CS buffer + qlen, "%d , %d%n", &received_sender_port,
1736 &received_interface_port, &n) != 2 ||
1737 received_sender_port != sender_host_port ||
1738 received_interface_port != interface_port)
1739 goto END_OFF;
1740
1741 p = buffer + qlen + n;
1742 while(isspace(*p)) p++;
1743 if (*p++ != ':') goto END_OFF;
1744 while(isspace(*p)) p++;
1745 if (Ustrncmp(p, "USERID", 6) != 0) goto END_OFF;
1746 p += 6;
1747 while(isspace(*p)) p++;
1748 if (*p++ != ':') goto END_OFF;
1749 while (*p != 0 && *p != ':') p++;
1750 if (*p++ == 0) goto END_OFF;
1751 while(isspace(*p)) p++;
1752 if (*p == 0) goto END_OFF;
1753
1754 /* The rest of the line is the data we want. We turn it into printing
1755 characters when we save it, so that it cannot mess up the format of any logging
1756 or Received: lines into which it gets inserted. We keep a maximum of 127
1757 characters. */
1758
1759 sender_ident = string_printing(string_copyn(p, 127));
1760 DEBUG(D_ident) debug_printf("sender_ident = %s\n", sender_ident);
1761
1762 END_OFF:
1763 close(sock);
1764 return;
1765 }
1766
1767
1768
1769
1770 /*************************************************
1771 * Match host to a single host-list item *
1772 *************************************************/
1773
1774 /* This function compares a host (name or address) against a single item
1775 from a host list. The host name gets looked up if it is needed and is not
1776 already known. The function is called from verify_check_this_host() via
1777 match_check_list(), which is why most of its arguments are in a single block.
1778
1779 Arguments:
1780 arg the argument block (see below)
1781 ss the host-list item
1782 valueptr where to pass back looked up data, or NULL
1783 error for error message when returning ERROR
1784
1785 The block contains:
1786 host_name the host name or NULL, implying use sender_host_name and
1787 sender_host_aliases, looking them up if required
1788 host_address the host address
1789 host_ipv4 the IPv4 address taken from an IPv6 one
1790
1791 Returns: OK matched
1792 FAIL did not match
1793 DEFER lookup deferred
1794 ERROR failed to find the host name or IP address
1795 unknown lookup type specified
1796 */
1797
1798 static int
1799 check_host(void *arg, uschar *ss, uschar **valueptr, uschar **error)
1800 {
1801 check_host_block *cb = (check_host_block *)arg;
1802 int maskoffset;
1803 BOOL isquery = FALSE;
1804 uschar *semicolon, *t;
1805 uschar **aliases;
1806
1807 /* Optimize for the special case when the pattern is "*". */
1808
1809 if (*ss == '*' && ss[1] == 0) return OK;
1810
1811 /* If the pattern is empty, it matches only in the case when there is no host -
1812 this can occur in ACL checking for SMTP input using the -bs option. In this
1813 situation, the host address is the empty string. */
1814
1815 if (cb->host_address[0] == 0) return (*ss == 0)? OK : FAIL;
1816 if (*ss == 0) return FAIL;
1817
1818 /* If the pattern is precisely "@" then match against the primary host name;
1819 if it's "@[]" match against the local host's IP addresses. */
1820
1821 if (*ss == '@')
1822 {
1823 if (ss[1] == 0) ss = primary_hostname;
1824 else if (Ustrcmp(ss, "@[]") == 0)
1825 {
1826 ip_address_item *ip;
1827 for (ip = host_find_interfaces(); ip != NULL; ip = ip->next)
1828 if (Ustrcmp(ip->address, cb->host_address) == 0) return OK;
1829 return FAIL;
1830 }
1831 }
1832
1833 /* If the pattern is an IP address, optionally followed by a bitmask count, do
1834 a (possibly masked) comparision with the current IP address. */
1835
1836 if (string_is_ip_address(ss, &maskoffset) > 0)
1837 return (host_is_in_net(cb->host_address, ss, maskoffset)? OK : FAIL);
1838
1839 /* If the item is of the form net[n]-lookup;<file|query> then it is a lookup on
1840 a masked IP network, in textual form. The net- stuff really only applies to
1841 single-key lookups where the key is implicit. For query-style lookups the key
1842 is specified in the query. From release 4.30, the use of net- for query style
1843 is no longer needed, but we retain it for backward compatibility. */
1844
1845 if (Ustrncmp(ss, "net", 3) == 0 && (semicolon = Ustrchr(ss, ';')) != NULL)
1846 {
1847 int mlen = 0;
1848 for (t = ss + 3; isdigit(*t); t++) mlen = mlen * 10 + *t - '0';
1849 if (*t++ == '-')
1850 {
1851 int insize;
1852 int search_type;
1853 int incoming[4];
1854 void *handle;
1855 uschar *filename, *key, *result;
1856 uschar buffer[64];
1857
1858 /* If no mask was supplied, set a negative value */
1859
1860 if (mlen == 0 && t == ss+4) mlen = -1;
1861
1862 /* Find the search type */
1863
1864 search_type = search_findtype(t, semicolon - t);
1865
1866 if (search_type < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
1867 search_error_message);
1868
1869 /* Adjust parameters for the type of lookup. For a query-style
1870 lookup, there is no file name, and the "key" is just the query. For
1871 a single-key lookup, the key is the current IP address, masked
1872 appropriately, and reconverted to text form, with the mask appended.
1873 For IPv6 addresses, specify dot separators instead of colons. */
1874
1875 if (mac_islookup(search_type, lookup_querystyle))
1876 {
1877 filename = NULL;
1878 key = semicolon + 1;
1879 }
1880 else
1881 {
1882 insize = host_aton(cb->host_address, incoming);
1883 host_mask(insize, incoming, mlen);
1884 (void)host_nmtoa(insize, incoming, mlen, buffer, '.');
1885 key = buffer;
1886 filename = semicolon + 1;
1887 }
1888
1889 /* Now do the actual lookup; note that there is no search_close() because
1890 of the caching arrangements. */
1891
1892 handle = search_open(filename, search_type, 0, NULL, NULL);
1893 if (handle == NULL) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
1894 search_error_message);
1895 result = search_find(handle, filename, key, -1, NULL, 0, 0, NULL);
1896 if (valueptr != NULL) *valueptr = result;
1897 return (result != NULL)? OK : search_find_defer? DEFER: FAIL;
1898 }
1899 }
1900
1901 /* The pattern is not an IP address or network reference of any kind. That is,
1902 it is a host name pattern. Check the characters of the pattern to see if they
1903 comprise only letters, digits, full stops, and hyphens (the constituents of
1904 domain names). Allow underscores, as they are all too commonly found. Sigh.
1905 Also, if allow_utf8_domains is set, allow top-bit characters. */
1906
1907 for (t = ss; *t != 0; t++)
1908 if (!isalnum(*t) && *t != '.' && *t != '-' && *t != '_' &&
1909 (!allow_utf8_domains || *t < 128)) break;
1910
1911 /* If the pattern is a complete domain name, with no fancy characters, look up
1912 its IP address and match against that. Note that a multi-homed host will add
1913 items to the chain. */
1914
1915 if (*t == 0)
1916 {
1917 int rc;
1918 host_item h;
1919 h.next = NULL;
1920 h.name = ss;
1921 h.address = NULL;
1922 h.mx = MX_NONE;
1923 rc = host_find_byname(&h, NULL, NULL, FALSE);
1924 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
1925 {
1926 host_item *hh;
1927 for (hh = &h; hh != NULL; hh = hh->next)
1928 {
1929 if (Ustrcmp(hh->address, (Ustrchr(hh->address, ':') == NULL)?
1930 cb->host_ipv4 : cb->host_address) == 0)
1931 return OK;
1932 }
1933 return FAIL;
1934 }
1935 if (rc == HOST_FIND_AGAIN) return DEFER;
1936 *error = string_sprintf("failed to find IP address for %s", ss);
1937 return ERROR;
1938 }
1939
1940 /* Almost all subsequent comparisons require the host name, and can be done
1941 using the general string matching function. When this function is called for
1942 outgoing hosts, the name is always given explicitly. If it is NULL, it means we
1943 must use sender_host_name and its aliases, looking them up if necessary. */
1944
1945 if (cb->host_name != NULL) /* Explicit host name given */
1946 return match_check_string(cb->host_name, ss, -1, TRUE, TRUE, TRUE,
1947 valueptr);
1948
1949 /* Host name not given; in principle we need the sender host name and its
1950 aliases. However, for query-style lookups, we do not need the name if the
1951 query does not contain $sender_host_name. From release 4.23, a reference to
1952 $sender_host_name causes it to be looked up, so we don't need to do the lookup
1953 on spec. */
1954
1955 if ((semicolon = Ustrchr(ss, ';')) != NULL)
1956 {
1957 uschar *affix;
1958 int partial, affixlen, starflags, id;
1959
1960 *semicolon = 0;
1961 id = search_findtype_partial(ss, &partial, &affix, &affixlen, &starflags);
1962 *semicolon=';';
1963
1964 if (id < 0) /* Unknown lookup type */
1965 {
1966 log_write(0, LOG_MAIN|LOG_PANIC, "%s in host list item \"%s\"",
1967 search_error_message, ss);
1968 return DEFER;
1969 }
1970 isquery = mac_islookup(id, lookup_querystyle);
1971 }
1972
1973 if (isquery)
1974 {
1975 switch(match_check_string(US"", ss, -1, TRUE, TRUE, TRUE, valueptr))
1976 {
1977 case OK: return OK;
1978 case DEFER: return DEFER;
1979 default: return FAIL;
1980 }
1981 }
1982
1983 /* Not a query-style lookup; must ensure the host name is present, and then we
1984 do a check on the name and all its aliases. */
1985
1986 if (sender_host_name == NULL)
1987 {
1988 HDEBUG(D_host_lookup)
1989 debug_printf("sender host name required, to match against %s\n", ss);
1990 if (host_lookup_failed || host_name_lookup() != OK)
1991 {
1992 *error = string_sprintf("failed to find host name for %s",
1993 sender_host_address);;
1994 return ERROR;
1995 }
1996 host_build_sender_fullhost();
1997 }
1998
1999 /* Match on the sender host name, using the general matching function */
2000
2001 switch(match_check_string(sender_host_name, ss, -1, TRUE, TRUE, TRUE,
2002 valueptr))
2003 {
2004 case OK: return OK;
2005 case DEFER: return DEFER;
2006 }
2007
2008 /* If there are aliases, try matching on them. */
2009
2010 aliases = sender_host_aliases;
2011 while (*aliases != NULL)
2012 {
2013 switch(match_check_string(*aliases++, ss, -1, TRUE, TRUE, TRUE, valueptr))
2014 {
2015 case OK: return OK;
2016 case DEFER: return DEFER;
2017 }
2018 }
2019 return FAIL;
2020 }
2021
2022
2023
2024
2025 /*************************************************
2026 * Check a specific host matches a host list *
2027 *************************************************/
2028
2029 /* This function is passed a host list containing items in a number of
2030 different formats and the identity of a host. Its job is to determine whether
2031 the given host is in the set of hosts defined by the list. The host name is
2032 passed as a pointer so that it can be looked up if needed and not already
2033 known. This is commonly the case when called from verify_check_host() to check
2034 an incoming connection. When called from elsewhere the host name should usually
2035 be set.
2036
2037 This function is now just a front end to match_check_list(), which runs common
2038 code for scanning a list. We pass it the check_host() function to perform a
2039 single test.
2040
2041 Arguments:
2042 listptr pointer to the host list
2043 cache_bits pointer to cache for named lists, or NULL
2044 host_name the host name or NULL, implying use sender_host_name and
2045 sender_host_aliases, looking them up if required
2046 host_address the IP address
2047 valueptr if not NULL, data from a lookup is passed back here
2048
2049 Returns: OK if the host is in the defined set
2050 FAIL if the host is not in the defined set,
2051 DEFER if a data lookup deferred (not a host lookup)
2052
2053 If the host name was needed in order to make a comparison, and could not be
2054 determined from the IP address, the result is FAIL unless the item
2055 "+allow_unknown" was met earlier in the list, in which case OK is returned. */
2056
2057 int
2058 verify_check_this_host(uschar **listptr, unsigned int *cache_bits,
2059 uschar *host_name, uschar *host_address, uschar **valueptr)
2060 {
2061 int rc;
2062 unsigned int *local_cache_bits = cache_bits;
2063 uschar *save_host_address = deliver_host_address;
2064 check_host_block cb;
2065 cb.host_name = host_name;
2066 cb.host_address = host_address;
2067
2068 if (valueptr != NULL) *valueptr = NULL;
2069
2070 /* If the host address starts off ::ffff: it is an IPv6 address in
2071 IPv4-compatible mode. Find the IPv4 part for checking against IPv4
2072 addresses. */
2073
2074 cb.host_ipv4 = (Ustrncmp(host_address, "::ffff:", 7) == 0)?
2075 host_address + 7 : host_address;
2076
2077 /* During the running of the check, put the IP address into $host_address. In
2078 the case of calls from the smtp transport, it will already be there. However,
2079 in other calls (e.g. when testing ignore_target_hosts), it won't. Just to be on
2080 the safe side, any existing setting is preserved, though as I write this
2081 (November 2004) I can't see any cases where it is actually needed. */
2082
2083 deliver_host_address = host_address;
2084 rc = match_check_list(
2085 listptr, /* the list */
2086 0, /* separator character */
2087 &hostlist_anchor, /* anchor pointer */
2088 &local_cache_bits, /* cache pointer */
2089 check_host, /* function for testing */
2090 &cb, /* argument for function */
2091 MCL_HOST, /* type of check */
2092 (host_address == sender_host_address)?
2093 US"host" : host_address, /* text for debugging */
2094 valueptr); /* where to pass back data */
2095 deliver_host_address = save_host_address;
2096 return rc;
2097 }
2098
2099
2100
2101
2102 /*************************************************
2103 * Check the remote host matches a list *
2104 *************************************************/
2105
2106 /* This is a front end to verify_check_this_host(), created because checking
2107 the remote host is a common occurrence. With luck, a good compiler will spot
2108 the tail recursion and optimize it. If there's no host address, this is
2109 command-line SMTP input - check against an empty string for the address.
2110
2111 Arguments:
2112 listptr pointer to the host list
2113
2114 Returns: the yield of verify_check_this_host(),
2115 i.e. OK, FAIL, or DEFER
2116 */
2117
2118 int
2119 verify_check_host(uschar **listptr)
2120 {
2121 return verify_check_this_host(listptr, sender_host_cache, NULL,
2122 (sender_host_address == NULL)? US"" : sender_host_address, NULL);
2123 }
2124
2125
2126
2127
2128
2129 /*************************************************
2130 * Invert an IP address for a DNS black list *
2131 *************************************************/
2132
2133 /*
2134 Arguments:
2135 buffer where to put the answer
2136 address the address to invert
2137 */
2138
2139 static void
2140 invert_address(uschar *buffer, uschar *address)
2141 {
2142 int bin[4];
2143 uschar *bptr = buffer;
2144
2145 /* If this is an IPv4 address mapped into IPv6 format, adjust the pointer
2146 to the IPv4 part only. */
2147
2148 if (Ustrncmp(address, "::ffff:", 7) == 0) address += 7;
2149
2150 /* Handle IPv4 address: when HAVE_IPV6 is false, the result of host_aton() is
2151 always 1. */
2152
2153 if (host_aton(address, bin) == 1)
2154 {
2155 int i;
2156 int x = bin[0];
2157 for (i = 0; i < 4; i++)
2158 {
2159 sprintf(CS bptr, "%d.", x & 255);
2160 while (*bptr) bptr++;
2161 x >>= 8;
2162 }
2163 }
2164
2165 /* Handle IPv6 address. Actually, as far as I know, there are no IPv6 addresses
2166 in any DNS black lists, and the format in which they will be looked up is
2167 unknown. This is just a guess. */
2168
2169 #if HAVE_IPV6
2170 else
2171 {
2172 int i, j;
2173 for (j = 3; j >= 0; j--)
2174 {
2175 int x = bin[j];
2176 for (i = 0; i < 8; i++)
2177 {
2178 sprintf(CS bptr, "%x.", x & 15);
2179 while (*bptr) bptr++;
2180 x >>= 4;
2181 }
2182 }
2183 }
2184 #endif
2185 }
2186
2187
2188
2189 /*************************************************
2190 * Perform a single dnsbl lookup *
2191 *************************************************/
2192
2193 /* This function is called from verify_check_dnsbl() below.
2194
2195 Arguments:
2196 domain the outer dnsbl domain (for debug message)
2197 keydomain the current keydomain (for debug message)
2198 query the domain to be looked up
2199 iplist the list of matching IP addresses
2200 bitmask true if bitmask matching is wanted
2201 invert_result true if result to be inverted
2202 defer_return what to return for a defer
2203
2204 Returns: OK if lookup succeeded
2205 FAIL if not
2206 */
2207
2208 static int
2209 one_check_dnsbl(uschar *domain, uschar *keydomain, uschar *query,
2210 uschar *iplist, BOOL bitmask, BOOL invert_result, int defer_return)
2211 {
2212 dns_answer dnsa;
2213 dns_scan dnss;
2214 tree_node *t;
2215 dnsbl_cache_block *cb;
2216 int old_pool = store_pool;
2217
2218 /* Look for this query in the cache. */
2219
2220 t = tree_search(dnsbl_cache, query);
2221
2222 /* If not cached from a previous lookup, we must do a DNS lookup, and
2223 cache the result in permanent memory. */
2224
2225 if (t == NULL)
2226 {
2227 store_pool = POOL_PERM;
2228
2229 /* Set up a tree entry to cache the lookup */
2230
2231 t = store_get(sizeof(tree_node) + Ustrlen(query));
2232 Ustrcpy(t->name, query);
2233 t->data.ptr = cb = store_get(sizeof(dnsbl_cache_block));
2234 (void)tree_insertnode(&dnsbl_cache, t);
2235
2236 /* Do the DNS loopup . */
2237
2238 HDEBUG(D_dnsbl) debug_printf("new DNS lookup for %s\n", query);
2239 cb->rc = dns_basic_lookup(&dnsa, query, T_A);
2240 cb->text_set = FALSE;
2241 cb->text = NULL;
2242 cb->rhs = NULL;
2243
2244 /* If the lookup succeeded, cache the RHS address. The code allows for
2245 more than one address - this was for complete generality and the possible
2246 use of A6 records. However, A6 records have been reduced to experimental
2247 status (August 2001) and may die out. So they may never get used at all,
2248 let alone in dnsbl records. However, leave the code here, just in case.
2249
2250 Quite apart from one A6 RR generating multiple addresses, there are DNS
2251 lists that return more than one A record, so we must handle multiple
2252 addresses generated in that way as well. */
2253
2254 if (cb->rc == DNS_SUCCEED)
2255 {
2256 dns_record *rr;
2257 dns_address **addrp = &(cb->rhs);
2258 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
2259 rr != NULL;
2260 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
2261 {
2262 if (rr->type == T_A)
2263 {
2264 dns_address *da = dns_address_from_rr(&dnsa, rr);
2265 if (da != NULL)
2266 {
2267 *addrp = da;
2268 while (da->next != NULL) da = da->next;
2269 addrp = &(da->next);
2270 }
2271 }
2272 }
2273
2274 /* If we didn't find any A records, change the return code. This can
2275 happen when there is a CNAME record but there are no A records for what
2276 it points to. */
2277
2278 if (cb->rhs == NULL) cb->rc = DNS_NODATA;
2279 }
2280
2281 store_pool = old_pool;
2282 }
2283
2284 /* Previous lookup was cached */
2285
2286 else
2287 {
2288 HDEBUG(D_dnsbl) debug_printf("using result of previous DNS lookup\n");
2289 cb = t->data.ptr;
2290 }
2291
2292 /* We now have the result of the DNS lookup, either newly done, or cached
2293 from a previous call. If the lookup succeeded, check against the address
2294 list if there is one. This may be a positive equality list (introduced by
2295 "="), a negative equality list (introduced by "!="), a positive bitmask
2296 list (introduced by "&"), or a negative bitmask list (introduced by "!&").*/
2297
2298 if (cb->rc == DNS_SUCCEED)
2299 {
2300 dns_address *da = NULL;
2301 uschar *addlist = cb->rhs->address;
2302
2303 /* For A and AAAA records, there may be multiple addresses from multiple
2304 records. For A6 records (currently not expected to be used) there may be
2305 multiple addresses from a single record. */
2306
2307 for (da = cb->rhs->next; da != NULL; da = da->next)
2308 addlist = string_sprintf("%s, %s", addlist, da->address);
2309
2310 HDEBUG(D_dnsbl) debug_printf("DNS lookup for %s succeeded (yielding %s)\n",
2311 query, addlist);
2312
2313 /* Address list check; this can be either for equality, or via a bitmask.
2314 In the latter case, all the bits must match. */
2315
2316 if (iplist != NULL)
2317 {
2318 int ipsep = ',';
2319 uschar ip[46];
2320 uschar *ptr = iplist;
2321
2322 while (string_nextinlist(&ptr, &ipsep, ip, sizeof(ip)) != NULL)
2323 {
2324 /* Handle exact matching */
2325 if (!bitmask)
2326 {
2327 for (da = cb->rhs; da != NULL; da = da->next)
2328 {
2329 if (Ustrcmp(CS da->address, ip) == 0) break;
2330 }
2331 }
2332 /* Handle bitmask matching */
2333 else
2334 {
2335 int address[4];
2336 int mask = 0;
2337
2338 /* At present, all known DNS blocking lists use A records, with
2339 IPv4 addresses on the RHS encoding the information they return. I
2340 wonder if this will linger on as the last vestige of IPv4 when IPv6
2341 is ubiquitous? Anyway, for now we use paranoia code to completely
2342 ignore IPv6 addresses. The default mask is 0, which always matches.
2343 We change this only for IPv4 addresses in the list. */
2344
2345 if (host_aton(ip, address) == 1) mask = address[0];
2346
2347 /* Scan the returned addresses, skipping any that are IPv6 */
2348
2349 for (da = cb->rhs; da != NULL; da = da->next)
2350 {
2351 if (host_aton(da->address, address) != 1) continue;
2352 if ((address[0] & mask) == mask) break;
2353 }
2354 }
2355
2356 /* Break out if a match has been found */
2357
2358 if (da != NULL) break;
2359 }
2360
2361 /* If either
2362
2363 (a) No IP address in a positive list matched, or
2364 (b) An IP address in a negative list did match
2365
2366 then behave as if the DNSBL lookup had not succeeded, i.e. the host is
2367 not on the list. */
2368
2369 if (invert_result != (da == NULL))
2370 {
2371 HDEBUG(D_dnsbl)
2372 {
2373 debug_printf("=> but we are not accepting this block class because\n");
2374 debug_printf("=> there was %s match for %c%s\n",
2375 invert_result? "an exclude":"no", bitmask? '&' : '=', iplist);
2376 }
2377 return FAIL;
2378 }
2379 }
2380
2381 /* Either there was no IP list, or the record matched. Look up a TXT record
2382 if it hasn't previously been done. */
2383
2384 if (!cb->text_set)
2385 {
2386 cb->text_set = TRUE;
2387 if (dns_basic_lookup(&dnsa, query, T_TXT) == DNS_SUCCEED)
2388 {
2389 dns_record *rr;
2390 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
2391 rr != NULL;
2392 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
2393 if (rr->type == T_TXT) break;
2394 if (rr != NULL)
2395 {
2396 int len = (rr->data)[0];
2397 if (len > 511) len = 127;
2398 store_pool = POOL_PERM;
2399 cb->text = string_sprintf("%.*s", len, (const uschar *)(rr->data+1));
2400 store_pool = old_pool;
2401 }
2402 }
2403 }
2404
2405 dnslist_value = addlist;
2406 dnslist_text = cb->text;
2407 return OK;
2408 }
2409
2410 /* There was a problem with the DNS lookup */
2411
2412 if (cb->rc != DNS_NOMATCH && cb->rc != DNS_NODATA)
2413 {
2414 log_write(L_dnslist_defer, LOG_MAIN,
2415 "DNS list lookup defer (probably timeout) for %s: %s", query,
2416 (defer_return == OK)? US"assumed in list" :
2417 (defer_return == FAIL)? US"assumed not in list" :
2418 US"returned DEFER");
2419 return defer_return;
2420 }
2421
2422 /* No entry was found in the DNS; continue for next domain */
2423
2424 HDEBUG(D_dnsbl)
2425 {
2426 debug_printf("DNS lookup for %s failed\n", query);
2427 debug_printf("=> that means %s is not listed at %s\n",
2428 keydomain, domain);
2429 }
2430
2431 return FAIL;
2432 }
2433
2434
2435
2436
2437 /*************************************************
2438 * Check host against DNS black lists *
2439 *************************************************/
2440
2441 /* This function runs checks against a list of DNS black lists, until one
2442 matches. Each item on the list can be of the form
2443
2444 domain=ip-address/key
2445
2446 The domain is the right-most domain that is used for the query, for example,
2447 blackholes.mail-abuse.org. If the IP address is present, there is a match only
2448 if the DNS lookup returns a matching IP address. Several addresses may be
2449 given, comma-separated, for example: x.y.z=127.0.0.1,127.0.0.2.
2450
2451 If no key is given, what is looked up in the domain is the inverted IP address
2452 of the current client host. If a key is given, it is used to construct the
2453 domain for the lookup. For example,
2454
2455 dsn.rfc-ignorant.org/$sender_address_domain
2456
2457 After finding a match in the DNS, the domain is placed in $dnslist_domain, and
2458 then we check for a TXT record for an error message, and if found, save its
2459 value in $dnslist_text. We also cache everything in a tree, to optimize
2460 multiple lookups.
2461
2462 Note: an address for testing RBL is 192.203.178.39
2463 Note: an address for testing DUL is 192.203.178.4
2464 Note: a domain for testing RFCI is example.tld.dsn.rfc-ignorant.org
2465
2466 Arguments:
2467 listptr the domain/address/data list
2468
2469 Returns: OK successful lookup (i.e. the address is on the list), or
2470 lookup deferred after +include_unknown
2471 FAIL name not found, or no data found for the given type, or
2472 lookup deferred after +exclude_unknown (default)
2473 DEFER lookup failure, if +defer_unknown was set
2474 */
2475
2476 int
2477 verify_check_dnsbl(uschar **listptr)
2478 {
2479 int sep = 0;
2480 int defer_return = FAIL;
2481 BOOL invert_result = FALSE;
2482 uschar *list = *listptr;
2483 uschar *domain;
2484 uschar *s;
2485 uschar buffer[1024];
2486 uschar query[256]; /* DNS domain max length */
2487 uschar revadd[128]; /* Long enough for IPv6 address */
2488
2489 /* Indicate that the inverted IP address is not yet set up */
2490
2491 revadd[0] = 0;
2492
2493 /* In case this is the first time the DNS resolver is being used. */
2494
2495 dns_init(FALSE, FALSE);
2496
2497 /* Loop through all the domains supplied, until something matches */
2498
2499 while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
2500 {
2501 int rc;
2502 BOOL frc;
2503 BOOL bitmask = FALSE;
2504 uschar *iplist;
2505 uschar *key;
2506
2507 HDEBUG(D_dnsbl) debug_printf("DNS list check: %s\n", domain);
2508
2509 /* Deal with special values that change the behaviour on defer */
2510
2511 if (domain[0] == '+')
2512 {
2513 if (strcmpic(domain, US"+include_unknown") == 0) defer_return = OK;
2514 else if (strcmpic(domain, US"+exclude_unknown") == 0) defer_return = FAIL;
2515 else if (strcmpic(domain, US"+defer_unknown") == 0) defer_return = DEFER;
2516 else
2517 log_write(0, LOG_MAIN|LOG_PANIC, "unknown item in dnslist (ignored): %s",
2518 domain);
2519 continue;
2520 }
2521
2522 /* See if there's explicit data to be looked up */
2523
2524 key = Ustrchr(domain, '/');
2525 if (key != NULL) *key++ = 0;
2526
2527 /* See if there's a list of addresses supplied after the domain name. This is
2528 introduced by an = or a & character; if preceded by ! we invert the result.
2529 */
2530
2531 iplist = Ustrchr(domain, '=');
2532 if (iplist == NULL)
2533 {
2534 bitmask = TRUE;
2535 iplist = Ustrchr(domain, '&');
2536 }
2537
2538 if (iplist != NULL)
2539 {
2540 if (iplist > domain && iplist[-1] == '!')
2541 {
2542 invert_result = TRUE;
2543 iplist[-1] = 0;
2544 }
2545 *iplist++ = 0;
2546 }
2547
2548 /* Check that what we have left is a sensible domain name. There is no reason
2549 why these domains should in fact use the same syntax as hosts and email
2550 domains, but in practice they seem to. However, there is little point in
2551 actually causing an error here, because that would no doubt hold up incoming
2552 mail. Instead, I'll just log it. */
2553
2554 for (s = domain; *s != 0; s++)
2555 {
2556 if (!isalnum(*s) && *s != '-' && *s != '.')
2557 {
2558 log_write(0, LOG_MAIN, "dnslists domain \"%s\" contains "
2559 "strange characters - is this right?", domain);
2560 break;
2561 }
2562 }
2563
2564 /* If there is no key string, construct the query by adding the domain name
2565 onto the inverted host address, and perform a single DNS lookup. */
2566
2567 if (key == NULL)
2568 {
2569 if (sender_host_address == NULL) return FAIL; /* can never match */
2570 if (revadd[0] == 0) invert_address(revadd, sender_host_address);
2571 frc = string_format(query, sizeof(query), "%s%s", revadd, domain);
2572
2573 if (!frc)
2574 {
2575 log_write(0, LOG_MAIN|LOG_PANIC, "dnslist query is too long "
2576 "(ignored): %s...", query);
2577 continue;
2578 }
2579
2580 rc = one_check_dnsbl(domain, sender_host_address, query, iplist, bitmask,
2581 invert_result, defer_return);
2582
2583 if (rc == OK)
2584 {
2585 dnslist_domain = string_copy(domain);
2586 HDEBUG(D_dnsbl) debug_printf("=> that means %s is listed at %s\n",
2587 sender_host_address, domain);
2588 }
2589
2590 if (rc != FAIL) return rc; /* OK or DEFER */
2591 }
2592
2593 /* If there is a key string, it can be a list of domains or IP addresses to
2594 be concatenated with the main domain. */
2595
2596 else
2597 {
2598 int keysep = 0;
2599 BOOL defer = FALSE;
2600 uschar *keydomain;
2601 uschar keybuffer[256];
2602
2603 while ((keydomain = string_nextinlist(&key, &keysep, keybuffer,
2604 sizeof(keybuffer))) != NULL)
2605 {
2606 if (string_is_ip_address(keydomain, NULL) > 0)
2607 {
2608 uschar keyrevadd[128];
2609 invert_address(keyrevadd, keydomain);
2610 frc = string_format(query, sizeof(query), "%s%s", keyrevadd, domain);
2611 }
2612 else
2613 {
2614 frc = string_format(query, sizeof(query), "%s.%s", keydomain, domain);
2615 }
2616
2617 if (!frc)
2618 {
2619 log_write(0, LOG_MAIN|LOG_PANIC, "dnslist query is too long "
2620 "(ignored): %s...", query);
2621 continue;
2622 }
2623
2624 rc = one_check_dnsbl(domain, keydomain, query, iplist, bitmask,
2625 invert_result, defer_return);
2626
2627 if (rc == OK)
2628 {
2629 dnslist_domain = string_copy(domain);
2630 HDEBUG(D_dnsbl) debug_printf("=> that means %s is listed at %s\n",
2631 keydomain, domain);
2632 return OK;
2633 }
2634
2635 /* If the lookup deferred, remember this fact. We keep trying the rest
2636 of the list to see if we get a useful result, and if we don't, we return
2637 DEFER at the end. */
2638
2639 if (rc == DEFER) defer = TRUE;
2640 } /* continue with next keystring domain/address */
2641
2642 if (defer) return DEFER;
2643 }
2644 } /* continue with next dnsdb outer domain */
2645
2646 return FAIL;
2647 }
2648
2649 /* End of verify.c */