* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
#include "../exim.h"
#define T_SPF 99
#endif
+/* New TLSA record for DANE */
+#ifndef T_TLSA
+#define T_TLSA 52
+#endif
+
/* Table of recognized DNS record types and their integer values. */
static const char *type_names[] = {
"a",
#if HAVE_IPV6
+ "a+",
"aaaa",
#ifdef SUPPORT_A6
"a6",
"ptr",
"spf",
"srv",
+ "tlsa",
"txt",
"zns"
};
static int type_values[] = {
T_A,
#if HAVE_IPV6
+ T_ADDRESSES, /* Private type for AAAA + A */
T_AAAA,
#ifdef SUPPORT_A6
T_A6,
T_PTR,
T_SPF,
T_SRV,
+ T_TLSA,
T_TXT,
T_ZNS /* Private type for "zone nameservers" */
};
character used for multiple items of text in "TXT" records. Alternatively,
if the next character is ';' then these multiple items are concatenated with
no separator. With neither of these options specified, only the first item
-is output.
+is output. Similarly for "SPF" records, but the default for joining multiple
+items in one SPF record is the empty string, for direct concatenation.
(c) If the next sequence of characters is 'defer_FOO' followed by a comma,
the defer behaviour is set to FOO. The possible behaviours are: 'strict', where
whole lookup to defer only if none of the DNS queries succeeds; and 'never',
where all defers are as if the lookup failed. The default is 'lax'.
-(d) If the next sequence of characters is a sequence of letters and digits
+(d) Another optional comma-sep field: 'dnssec_FOO', with 'strict', 'lax'
+and 'never' (default); can appear before or after (c). The meanings are
+require, try and don't-try dnssec respectively.
+
+(e) If the next sequence of characters is a sequence of letters and digits
followed by '=', it is interpreted as the name of the DNS record type. The
default is "TXT".
-(e) Then there follows list of domain names. This is a generalized Exim list,
+(f) Then there follows list of domain names. This is a generalized Exim list,
which may start with '<' in order to set a specific separator. The default
separator, as always, is colon. */
int ptr = 0;
int sep = 0;
int defer_mode = PASS;
-int type = T_TXT;
+int dnssec_mode = OK;
+int type;
int failrc = FAIL;
uschar *outsep = US"\n";
uschar *outsep2 = NULL;
while (isspace(*keystring)) keystring++;
}
-/* Check for a defer behaviour keyword. */
+/* Check for a modifier keyword. */
-if (strncmpic(keystring, US"defer_", 6) == 0)
+while ( strncmpic(keystring, US"defer_", 6) == 0
+ || strncmpic(keystring, US"dnssec_", 7) == 0
+ )
{
- keystring += 6;
- if (strncmpic(keystring, US"strict", 6) == 0)
+ if (strncmpic(keystring, US"defer_", 6) == 0)
{
- defer_mode = DEFER;
keystring += 6;
- }
- else if (strncmpic(keystring, US"lax", 3) == 0)
- {
- defer_mode = PASS;
- keystring += 3;
- }
- else if (strncmpic(keystring, US"never", 5) == 0)
- {
- defer_mode = OK;
- keystring += 5;
+ if (strncmpic(keystring, US"strict", 6) == 0)
+ {
+ defer_mode = DEFER;
+ keystring += 6;
+ }
+ else if (strncmpic(keystring, US"lax", 3) == 0)
+ {
+ defer_mode = PASS;
+ keystring += 3;
+ }
+ else if (strncmpic(keystring, US"never", 5) == 0)
+ {
+ defer_mode = OK;
+ keystring += 5;
+ }
+ else
+ {
+ *errmsg = US"unsupported dnsdb defer behaviour";
+ return DEFER;
+ }
}
else
{
- *errmsg = US"unsupported dnsdb defer behaviour";
- return DEFER;
+ keystring += 7;
+ if (strncmpic(keystring, US"strict", 6) == 0)
+ {
+ dnssec_mode = DEFER;
+ keystring += 6;
+ }
+ else if (strncmpic(keystring, US"lax", 3) == 0)
+ {
+ dnssec_mode = PASS;
+ keystring += 3;
+ }
+ else if (strncmpic(keystring, US"never", 5) == 0)
+ {
+ dnssec_mode = OK;
+ keystring += 5;
+ }
+ else
+ {
+ *errmsg = US"unsupported dnsdb dnssec behaviour";
+ return DEFER;
+ }
}
while (isspace(*keystring)) keystring++;
if (*keystring++ != ',')
{
- *errmsg = US"dnsdb defer behaviour syntax error";
+ *errmsg = US"dnsdb modifier syntax error";
return DEFER;
}
while (isspace(*keystring)) keystring++;
}
-/* If the keystring contains an = this must be preceded by a valid type name. */
+/* Figure out the "type" value if it is not T_TXT.
+If the keystring contains an = this must be preceded by a valid type name. */
+type = T_TXT;
if ((equals = Ustrchr(keystring, '=')) != NULL)
{
int i, len;
/* Initialize the resolver in case this is the first time it has been used. */
-dns_init(FALSE, FALSE);
+dns_init(FALSE, FALSE, dnssec_mode != OK);
/* The remainder of the string must be a list of domains. As long as the lookup
for at least one of them succeeds, we return success. Failure means that none
string_is_ip_address(keystring, NULL) != 0)
sep = -1;
+/* SPF strings should be concatenated without a separator, thus make
+it the default if not defined (see RFC 4408 section 3.1.3).
+Multiple SPF records are forbidden (section 3.1.2) but are currently
+not handled specially, thus they are concatenated with \n by default. */
+
+if (type == T_SPF && outsep2 == NULL)
+ outsep2 = US"";
+
/* Now scan the list and do a lookup for each item */
while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer)))
domain = rbuffer;
}
- DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);
-
- /* Do the lookup and sort out the result. There are three special types that
- are handled specially: T_CSA, T_ZNS and T_MXH. The former two are handled in
- a special lookup function so that the facility could be used from other
- parts of the Exim code. The latter affects only what happens later on in
- this function, but for tidiness it is handled in a similar way. If the
- lookup fails, continue with the next domain. In the case of DEFER, adjust
- the final "nothing found" result, but carry on to the next domain. */
-
- found = domain;
- rc = dns_special_lookup(&dnsa, domain, type, &found);
-
- if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
- if (rc != DNS_SUCCEED)
- {
- if (defer_mode == DEFER) return DEFER; /* always defer */
- else if (defer_mode == PASS) failrc = DEFER; /* defer only if all do */
- continue; /* treat defer as fail */
- }
-
- /* Search the returned records */
-
- for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
- rr != NULL;
- rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
+ do
{
- if (rr->type != searchtype) continue;
+ DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);
+
+ /* Do the lookup and sort out the result. There are four special types that
+ are handled specially: T_CSA, T_ZNS, T_ADDRESSES and T_MXH.
+ The first two are handled in a special lookup function so that the facility
+ could be used from other parts of the Exim code. T_ADDRESSES is handled by looping
+ over the types of A lookup. T_MXH affects only what happens later on in
+ this function, but for tidiness it is handled by the "special". If the
+ lookup fails, continue with the next domain. In the case of DEFER, adjust
+ the final "nothing found" result, but carry on to the next domain. */
+
+ found = domain;
+#if HAVE_IPV6
+ if (type == T_ADDRESSES) /* NB cannot happen unless HAVE_IPV6 */
+ {
+ if (searchtype == T_ADDRESSES)
+# if defined(SUPPORT_A6)
+ searchtype = T_A6;
+# else
+ searchtype = T_AAAA;
+# endif
+ else if (searchtype == T_A6) searchtype = T_AAAA;
+ else if (searchtype == T_AAAA) searchtype = T_A;
+ rc = dns_special_lookup(&dnsa, domain, searchtype, &found);
+ }
+ else
+#endif
+ rc = dns_special_lookup(&dnsa, domain, type, &found);
- /* There may be several addresses from an A6 record. Put the configured
- separator between them, just as for between several records. However, A6
- support is not normally configured these days. */
+ lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
+ : dns_is_secure(&dnsa) ? US"yes" : US"no";
- if (type == T_A ||
- #ifdef SUPPORT_A6
- type == T_A6 ||
- #endif
- type == T_AAAA)
+ if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
+ if ( rc != DNS_SUCCEED
+ || (dnssec_mode == DEFER && !dns_is_secure(&dnsa))
+ )
{
- dns_address *da;
- for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
- {
- if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
- yield = string_cat(yield, &size, &ptr, da->address,
- Ustrlen(da->address));
- }
- continue;
+ if (defer_mode == DEFER)
+ {
+ dns_init(FALSE, FALSE, FALSE); /* clr dnssec bit */
+ return DEFER; /* always defer */
+ }
+ if (defer_mode == PASS) failrc = DEFER; /* defer only if all do */
+ continue; /* treat defer as fail */
}
- /* Other kinds of record just have one piece of data each, but there may be
- several of them, of course. */
- if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
+ /* Search the returned records */
- if (type == T_TXT || type == T_SPF)
+ for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
+ rr != NULL;
+ rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
{
- if (outsep2 == NULL)
+ if (rr->type != searchtype) continue;
+
+ /* There may be several addresses from an A6 record. Put the configured
+ separator between them, just as for between several records. However, A6
+ support is not normally configured these days. */
+
+ if (type == T_A ||
+ #ifdef SUPPORT_A6
+ type == T_A6 ||
+ #endif
+ type == T_AAAA ||
+ type == T_ADDRESSES)
{
- /* output only the first item of data */
- yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
- (rr->data)[0]);
- }
- else
- {
- /* output all items */
- int data_offset = 0;
- while (data_offset < rr->size)
+ dns_address *da;
+ for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
{
- uschar chunk_len = (rr->data)[data_offset++];
- if (outsep2[0] != '\0' && data_offset != 1)
- yield = string_cat(yield, &size, &ptr, outsep2, 1);
- yield = string_cat(yield, &size, &ptr,
- (uschar *)((rr->data)+data_offset), chunk_len);
- data_offset += chunk_len;
+ if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
+ yield = string_cat(yield, &size, &ptr, da->address,
+ Ustrlen(da->address));
}
+ continue;
}
- }
- else /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
- {
- int priority, weight, port;
- uschar s[264];
- uschar *p = (uschar *)(rr->data);
- if (type == T_MXH)
- {
- /* mxh ignores the priority number and includes only the hostnames */
- GETSHORT(priority, p);
- }
- else if (type == T_MX)
+ /* Other kinds of record just have one piece of data each, but there may be
+ several of them, of course. */
+
+ if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
+
+ if (type == T_TXT || type == T_SPF)
{
- GETSHORT(priority, p);
- sprintf(CS s, "%d ", priority);
- yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
+ if (outsep2 == NULL)
+ {
+ /* output only the first item of data */
+ yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
+ (rr->data)[0]);
+ }
+ else
+ {
+ /* output all items */
+ int data_offset = 0;
+ while (data_offset < rr->size)
+ {
+ uschar chunk_len = (rr->data)[data_offset++];
+ if (outsep2[0] != '\0' && data_offset != 1)
+ yield = string_cat(yield, &size, &ptr, outsep2, 1);
+ yield = string_cat(yield, &size, &ptr,
+ (uschar *)((rr->data)+data_offset), chunk_len);
+ data_offset += chunk_len;
+ }
+ }
}
- else if (type == T_SRV)
+ else if (type == T_TLSA)
{
- GETSHORT(priority, p);
- GETSHORT(weight, p);
- GETSHORT(port, p);
- sprintf(CS s, "%d %d %d ", priority, weight, port);
+ uint8_t usage, selector, matching_type;
+ uint16_t i, payload_length;
+ uschar s[MAX_TLSA_EXPANDED_SIZE];
+ uschar * sp = s;
+ uschar *p = (uschar *)(rr->data);
+
+ usage = *p++;
+ selector = *p++;
+ matching_type = *p++;
+ /* What's left after removing the first 3 bytes above */
+ payload_length = rr->size - 3;
+ sp += sprintf(CS s, "%d %d %d ", usage, selector, matching_type);
+ /* Now append the cert/identifier, one hex char at a time */
+ for (i=0;
+ i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
+ i++)
+ {
+ sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
+ }
yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
}
- else if (type == T_CSA)
+ else /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
{
- /* See acl_verify_csa() for more comments about CSA. */
-
- GETSHORT(priority, p);
- GETSHORT(weight, p);
- GETSHORT(port, p);
-
- if (priority != 1) continue; /* CSA version must be 1 */
+ int priority, weight, port;
+ uschar s[264];
+ uschar *p = (uschar *)(rr->data);
- /* If the CSA record we found is not the one we asked for, analyse
- the subdomain assertions in the port field, else analyse the direct
- authorization status in the weight field. */
-
- if (found != domain)
+ if (type == T_MXH)
{
- if (port & 1) *s = 'X'; /* explicit authorization required */
- else *s = '?'; /* no subdomain assertions here */
+ /* mxh ignores the priority number and includes only the hostnames */
+ GETSHORT(priority, p);
}
- else
+ else if (type == T_MX)
{
- if (weight < 2) *s = 'N'; /* not authorized */
- else if (weight == 2) *s = 'Y'; /* authorized */
- else if (weight == 3) *s = '?'; /* unauthorizable */
- else continue; /* invalid */
+ GETSHORT(priority, p);
+ sprintf(CS s, "%d ", priority);
+ yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
+ }
+ else if (type == T_SRV)
+ {
+ GETSHORT(priority, p);
+ GETSHORT(weight, p);
+ GETSHORT(port, p);
+ sprintf(CS s, "%d %d %d ", priority, weight, port);
+ yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
+ }
+ else if (type == T_CSA)
+ {
+ /* See acl_verify_csa() for more comments about CSA. */
+
+ GETSHORT(priority, p);
+ GETSHORT(weight, p);
+ GETSHORT(port, p);
+
+ if (priority != 1) continue; /* CSA version must be 1 */
+
+ /* If the CSA record we found is not the one we asked for, analyse
+ the subdomain assertions in the port field, else analyse the direct
+ authorization status in the weight field. */
+
+ if (found != domain)
+ {
+ if (port & 1) *s = 'X'; /* explicit authorization required */
+ else *s = '?'; /* no subdomain assertions here */
+ }
+ else
+ {
+ if (weight < 2) *s = 'N'; /* not authorized */
+ else if (weight == 2) *s = 'Y'; /* authorized */
+ else if (weight == 3) *s = '?'; /* unauthorizable */
+ else continue; /* invalid */
+ }
+
+ s[1] = ' ';
+ yield = string_cat(yield, &size, &ptr, s, 2);
}
- s[1] = ' ';
- yield = string_cat(yield, &size, &ptr, s, 2);
- }
-
- /* GETSHORT() has advanced the pointer to the target domain. */
+ /* GETSHORT() has advanced the pointer to the target domain. */
- rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
- (DN_EXPAND_ARG4_TYPE)(s), sizeof(s));
+ rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
+ (DN_EXPAND_ARG4_TYPE)(s), sizeof(s));
- /* If an overlong response was received, the data will have been
- truncated and dn_expand may fail. */
+ /* If an overlong response was received, the data will have been
+ truncated and dn_expand may fail. */
- if (rc < 0)
- {
- log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
- "domain=%s", dns_text_type(type), domain);
- break;
+ if (rc < 0)
+ {
+ log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
+ "domain=%s", dns_text_type(type), domain);
+ break;
+ }
+ else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
}
- else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
- }
- } /* Loop for list of returned records */
- } /* Loop for list of domains */
+ } /* Loop for list of returned records */
+
+ /* Loop for set of A-lookupu types */
+ } while (type == T_ADDRESSES && searchtype != T_A);
+
+ } /* Loop for list of domains */
/* Reclaim unused memory */
/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
zero and return the result. */
+dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */
+
if (ptr == 0) return failrc;
yield[ptr] = 0;
*result = yield;
static lookup_info *_lookup_list[] = { &_lookup_info };
lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+/* vi: aw ai sw=2
+*/
/* End of lookups/dnsdb.c */
projects / exim.git / blobdiff