X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=blobdiff_plain;f=src%2Fsrc%2Fverify.c;h=ef95394d36aeaf340c47cc6c596abbae993509b5;hp=8a408686fbb3d9a791e8109cd760db01703a7fc1;hb=66802652b8500bae10ac530b6fe4976669f5dcff;hpb=ded5de1587888a66a86aa02549098c8821bd8efb diff --git a/src/src/verify.c b/src/src/verify.c index 8a408686f..ef95394d3 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2014 */ +/* Copyright (c) University of Cambridge 1995 - 2015 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions concerned with verifying things. The original code for callout @@ -21,6 +21,7 @@ uschar ctbuffer[8192]; /* Structure for caching DNSBL lookups */ typedef struct dnsbl_cache_block { + time_t expiry; dns_address *rhs; uschar *text; int rc; @@ -70,7 +71,7 @@ cache_record = dbfn_read_with_length(dbm_file, key, &length); if (cache_record == NULL) { - HDEBUG(D_verify) debug_printf("callout cache: no %s record found\n", type); + HDEBUG(D_verify) debug_printf("callout cache: no %s record found for %s\n", type, key); return NULL; } @@ -84,7 +85,7 @@ now = time(NULL); if (now - cache_record->time_stamp > expire) { - HDEBUG(D_verify) debug_printf("callout cache: %s record expired\n", type); + HDEBUG(D_verify) debug_printf("callout cache: %s record expired for %s\n", type, key); return NULL; } @@ -111,7 +112,7 @@ if (type[0] == 'd' && cache_record->result != ccache_reject) cache_record->random_result = ccache_unknown; } -HDEBUG(D_verify) debug_printf("callout cache: found %s record\n", type); +HDEBUG(D_verify) debug_printf("callout cache: found %s record for %s\n", type, key); return cache_record; } @@ -173,7 +174,7 @@ dbdata_callout_cache new_domain_record; dbdata_callout_cache_address new_address_record; host_item *host; time_t callout_start_time; -#ifdef EXPERIMENTAL_INTERNATIONAL +#ifdef SUPPORT_I18N BOOL utf8_offered = FALSE; #endif @@ -443,7 +444,7 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. host_af = (Ustrchr(host->address, ':') == NULL)? AF_INET:AF_INET6; - if (!smtp_get_interface(tf->interface, host_af, addr, NULL, &interface, + if (!smtp_get_interface(tf->interface, host_af, addr, &interface, US"callout") || !smtp_get_port(tf->port, addr, &port, US"callout")) log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address, @@ -578,7 +579,7 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. deliver_domain = addr->domain; transport_name = addr->transport->name; - if ( !smtp_get_interface(tf->interface, host_af, addr, NULL, &interface, + if ( !smtp_get_interface(tf->interface, host_af, addr, &interface, US"callout") || !smtp_get_port(tf->port, addr, &port, US"callout") ) @@ -686,7 +687,7 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. if (!(done= smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout))) goto RESPONSE_FAILED; -#ifdef EXPERIMENTAL_EVENT +#ifndef DISABLE_EVENT lookup_dnssec_authenticated = host->dnssec==DS_YES ? US"yes" : host->dnssec==DS_NO ? US"no" : NULL; if (event_raise(addr->transport->event_action, @@ -810,7 +811,7 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. if (rc == DEFER) { (void)close(inblock.sock); -# ifdef EXPERIMENTAL_EVENT +# ifndef DISABLE_EVENT (void) event_raise(addr->transport->event_action, US"tcp:close", NULL); # endif @@ -923,7 +924,7 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. } } -#ifdef EXPERIMENTAL_INTERNATIONAL +#ifdef SUPPORT_I18N else if ( addr->prop.utf8_msg && !addr->prop.utf8_downcvt && !( esmtp @@ -975,7 +976,7 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. /* Send the MAIL command */ (smtp_write_command(&outblock, FALSE, -#ifdef EXPERIMENTAL_INTERNATIONAL +#ifdef SUPPORT_I18N addr->prop.utf8_msg && !addr->prop.utf8_downcvt ? "MAIL FROM:<%s>%s SMTPUTF8\r\n" : @@ -1021,7 +1022,7 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. { const uschar * rcpt_domain = addr->domain; -#ifdef EXPERIMENTAL_INTERNATIONAL +#ifdef SUPPORT_I18N uschar * errstr = NULL; if ( testflag(addr, af_utf8_downcvt) && (rcpt_domain = string_domain_utf8_to_alabel(rcpt_domain, @@ -1083,7 +1084,7 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. '2', callout) && smtp_write_command(&outblock, FALSE, -#ifdef EXPERIMENTAL_INTERNATIONAL +#ifdef SUPPORT_I18N addr->prop.utf8_msg && !addr->prop.utf8_downcvt ? "MAIL FROM:<%s> SMTPUTF8\r\n" : @@ -1102,7 +1103,7 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. tls_close(FALSE, TRUE); #endif (void)close(inblock.sock); -#ifdef EXPERIMENTAL_EVENT +#ifndef DISABLE_EVENT (void) event_raise(addr->transport->event_action, US"tcp:close", NULL); #endif @@ -1123,7 +1124,7 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. uschar * rcpt = transport_rcpt_address(addr, addr->transport ? addr->transport->rcpt_include_affixes : FALSE); -#ifdef EXPERIMENTAL_INTERNATIONAL +#ifdef SUPPORT_I18N /*XXX should the conversion be moved into transport_rcpt_address() ? */ uschar * dummy_errstr = NULL; if ( testflag(addr, af_utf8_downcvt) @@ -1228,7 +1229,7 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. HDEBUG(D_verify) debug_printf("SMTP timeout\n"); send_quit = FALSE; } -#ifdef EXPERIMENTAL_INTERNATIONAL +#ifdef SUPPORT_I18N else if (errno == ERRNO_UTF8_FWD) { extern int acl_where; /* src/acl.c */ @@ -1311,9 +1312,8 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. tls_close(FALSE, TRUE); #endif (void)close(inblock.sock); -#ifdef EXPERIMENTAL_EVENT - (void) event_raise(addr->transport->event_action, - US"tcp:close", NULL); +#ifndef DISABLE_EVENT + (void) event_raise(addr->transport->event_action, US"tcp:close", NULL); #endif } @@ -2003,6 +2003,7 @@ while (addr_new != NULL) if (callout > 0) { host_item *host_list = addr->host_list; + transport_instance * tp; /* Make up some data for use in the case where there is no remote transport. */ @@ -2024,9 +2025,9 @@ while (addr_new != NULL) transport's options, so as to mimic what would happen if we were really sending a message to this address. */ - if (addr->transport != NULL && !addr->transport->info->local) + if ((tp = addr->transport) && !tp->info->local) { - (void)(addr->transport->setup)(addr->transport, addr, &tf, 0, 0, NULL); + (void)(tp->setup)(tp, addr, &tf, 0, 0, NULL); /* If the transport has hosts and the router does not, or if the transport is configured to override the router's hosts, we must build a @@ -2050,7 +2051,7 @@ while (addr_new != NULL) { log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand list of hosts " "\"%s\" in %s transport for callout: %s", tf.hosts, - addr->transport->name, expand_string_message); + tp->name, expand_string_message); } else { @@ -2076,18 +2077,16 @@ while (addr_new != NULL) (void)host_find_byname(host, NULL, flags, NULL, TRUE); else { - uschar * d_request = NULL, * d_require = NULL; - if (Ustrcmp(addr->transport->driver_name, "smtp") == 0) + dnssec_domains * dnssec_domains = NULL; + if (Ustrcmp(tp->driver_name, "smtp") == 0) { smtp_transport_options_block * ob = - (smtp_transport_options_block *) - addr->transport->options_block; - d_request = ob->dnssec_request_domains; - d_require = ob->dnssec_require_domains; + (smtp_transport_options_block *) tp->options_block; + dnssec_domains = &ob->dnssec; } (void)host_find_bydns(host, NULL, flags, NULL, NULL, NULL, - d_request, d_require, NULL, NULL); + dnssec_domains, NULL, NULL); } } } @@ -2291,11 +2290,12 @@ if (allok && addr_local == NULL && addr_remote == NULL) } for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++) - { - while (addr_list != NULL) + while (addr_list) { address_item *addr = addr_list; address_item *p = addr->parent; + transport_instance * tp = addr->transport; + addr_list = addr->next; fprintf(f, "%s", CS addr->address); @@ -2309,73 +2309,56 @@ for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++) if (!testflag(addr, af_pfr)) { tree_node *tnode; - if ((tnode = tree_search(tree_duplicates, addr->unique)) != NULL) + if ((tnode = tree_search(tree_duplicates, addr->unique))) fprintf(f, " [duplicate, would not be delivered]"); else tree_add_duplicate(addr->unique, addr); } /* Now show its parents */ - while (p != NULL) - { + for (p = addr->parent; p; p = p->parent) fprintf(f, "\n <-- %s", p->address); - p = p->parent; - } fprintf(f, "\n "); /* Show router, and transport */ - fprintf(f, "router = %s, ", addr->router->name); - fprintf(f, "transport = %s\n", (addr->transport == NULL)? US"unset" : - addr->transport->name); + fprintf(f, "router = %s, transport = %s\n", + addr->router->name, tp ? tp->name : US"unset"); /* Show any hosts that are set up by a router unless the transport is going to override them; fiddle a bit to get a nice format. */ - if (addr->host_list != NULL && addr->transport != NULL && - !addr->transport->overrides_hosts) + if (addr->host_list && tp && !tp->overrides_hosts) { host_item *h; int maxlen = 0; int maxaddlen = 0; - for (h = addr->host_list; h != NULL; h = h->next) - { + for (h = addr->host_list; h; h = h->next) + { /* get max lengths of host names, addrs */ int len = Ustrlen(h->name); if (len > maxlen) maxlen = len; - len = (h->address != NULL)? Ustrlen(h->address) : 7; + len = h->address ? Ustrlen(h->address) : 7; if (len > maxaddlen) maxaddlen = len; } - for (h = addr->host_list; h != NULL; h = h->next) - { - int len = Ustrlen(h->name); - fprintf(f, " host %s ", h->name); - while (len++ < maxlen) fprintf(f, " "); - if (h->address != NULL) - { - fprintf(f, "[%s] ", h->address); - len = Ustrlen(h->address); - } - else if (!addr->transport->info->local) /* Omit [unknown] for local */ - { - fprintf(f, "[unknown] "); - len = 7; - } - else len = -3; - while (len++ < maxaddlen) fprintf(f," "); - if (h->mx >= 0) fprintf(f, "MX=%d", h->mx); + for (h = addr->host_list; h; h = h->next) + { + fprintf(f, " host %-*s ", maxlen, h->name); + + if (h->address) + fprintf(f, "[%s%-*c", h->address, maxaddlen+1 - Ustrlen(h->address), ']'); + else if (tp->info->local) + fprintf(f, " %-*s ", maxaddlen, ""); /* Omit [unknown] for local */ + else + fprintf(f, "[%s%-*c", "unknown", maxaddlen+1 - 7, ']'); + + if (h->mx >= 0) fprintf(f, " MX=%d", h->mx); if (h->port != PORT_NONE) fprintf(f, " port=%d", h->port); - if (running_in_test_harness) -#ifndef DISABLE_DNSSEC - fprintf(f, " ad=%s", h->dnssec==DS_YES ? "yes" : "no"); -#else - fprintf(f, " ad=no"); -#endif - if (h->status == hstatus_unusable) fprintf(f, " ** unusable **"); - fprintf(f, "\n"); + if (running_in_test_harness && h->dnssec == DS_YES) fputs(" AD", f); + if (h->status == hstatus_unusable) fputs(" ** unusable **", f); + fputc('\n', f); } } } - } /* Yield will be DEFER or FAIL if any one address has, only for full_info (which is the -bv or -bt case). */ @@ -2917,7 +2900,7 @@ if (ip_bind(sock, host_af, interface_address, 0) < 0) if (ip_connect(sock, host_af, sender_host_address, port, rfc1413_query_timeout) < 0) { - if (errno == ETIMEDOUT && (log_extra_selector & LX_ident_timeout) != 0) + if (errno == ETIMEDOUT && LOGGING(ident_timeout)) { log_write(0, LOG_MAIN, "ident connection to %s timed out", sender_host_address); @@ -3247,6 +3230,10 @@ if (*t == 0) h.address = NULL; h.mx = MX_NONE; + /* Using byname rather than bydns here means we cannot determine dnssec + status. On the other hand it is unclear how that could be either + propagated up or enforced. */ + rc = host_find_byname(&h, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, FALSE); if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL) { @@ -3581,21 +3568,37 @@ if (!string_format(query, sizeof(query), "%s.%s", prepend, domain)) /* Look for this query in the cache. */ -t = tree_search(dnsbl_cache, query); +if ( (t = tree_search(dnsbl_cache, query)) + && (cb = t->data.ptr)->expiry > time(NULL) + ) + +/* Previous lookup was cached */ + + { + HDEBUG(D_dnsbl) debug_printf("using result of previous DNS lookup\n"); + } /* If not cached from a previous lookup, we must do a DNS lookup, and cache the result in permanent memory. */ -if (t == NULL) +else { + uint ttl = 3600; + store_pool = POOL_PERM; - /* Set up a tree entry to cache the lookup */ + if (t) + { + HDEBUG(D_dnsbl) debug_printf("cached data found but past valid time; "); + } - t = store_get(sizeof(tree_node) + Ustrlen(query)); - Ustrcpy(t->name, query); - t->data.ptr = cb = store_get(sizeof(dnsbl_cache_block)); - (void)tree_insertnode(&dnsbl_cache, t); + else + { /* Set up a tree entry to cache the lookup */ + t = store_get(sizeof(tree_node) + Ustrlen(query)); + Ustrcpy(t->name, query); + t->data.ptr = cb = store_get(sizeof(dnsbl_cache_block)); + (void)tree_insertnode(&dnsbl_cache, t); + } /* Do the DNS loopup . */ @@ -3613,24 +3616,28 @@ if (t == NULL) Quite apart from one A6 RR generating multiple addresses, there are DNS lists that return more than one A record, so we must handle multiple - addresses generated in that way as well. */ + addresses generated in that way as well. + + Mark the cache entry with the "now" plus the minimum of the address TTLs, + or some suitably far-future time if none were found. */ if (cb->rc == DNS_SUCCEED) { dns_record *rr; dns_address **addrp = &(cb->rhs); for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); - rr != NULL; + rr; rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT)) { if (rr->type == T_A) { dns_address *da = dns_address_from_rr(&dnsa, rr); - if (da != NULL) + if (da) { *addrp = da; while (da->next != NULL) da = da->next; addrp = &(da->next); + if (ttl > rr->ttl) ttl = rr->ttl; } } } @@ -3642,17 +3649,10 @@ if (t == NULL) if (cb->rhs == NULL) cb->rc = DNS_NODATA; } + cb->expiry = time(NULL)+ttl; store_pool = old_pool; } -/* Previous lookup was cached */ - -else - { - HDEBUG(D_dnsbl) debug_printf("using result of previous DNS lookup\n"); - cb = t->data.ptr; - } - /* We now have the result of the DNS lookup, either newly done, or cached from a previous call. If the lookup succeeded, check against the address list if there is one. This may be a positive equality list (introduced by @@ -3876,7 +3876,9 @@ Note: an address for testing DUL is 192.203.178.4 Note: a domain for testing RFCI is example.tld.dsn.rfc-ignorant.org Arguments: + where the acl type listptr the domain/address/data list + log_msgptr log message on error Returns: OK successful lookup (i.e. the address is on the list), or lookup deferred after +include_unknown @@ -3886,7 +3888,7 @@ Returns: OK successful lookup (i.e. the address is on the list), or */ int -verify_check_dnsbl(const uschar **listptr) +verify_check_dnsbl(int where, const uschar ** listptr, uschar ** log_msgptr) { int sep = 0; int defer_return = FAIL; @@ -3933,21 +3935,19 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL /* See if there's explicit data to be looked up */ - key = Ustrchr(domain, '/'); - if (key != NULL) *key++ = 0; + if ((key = Ustrchr(domain, '/'))) *key++ = 0; /* See if there's a list of addresses supplied after the domain name. This is introduced by an = or a & character; if preceded by = we require all matches and if preceded by ! we invert the result. */ - iplist = Ustrchr(domain, '='); - if (iplist == NULL) + if (!(iplist = Ustrchr(domain, '='))) { bitmask = TRUE; iplist = Ustrchr(domain, '&'); } - if (iplist != NULL) /* Found either = or & */ + if (iplist) /* Found either = or & */ { if (iplist > domain && iplist[-1] == '!') /* Handle preceding ! */ { @@ -3966,6 +3966,7 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL } } + /* If there is a comma in the domain, it indicates that a second domain for looking up TXT records is provided, before the main domain. Otherwise we must set domain_txt == domain. */ @@ -4011,6 +4012,13 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL if (key == NULL) { + if (where == ACL_WHERE_NOTSMTP_START || where == ACL_WHERE_NOTSMTP) + { + *log_msgptr = string_sprintf + ("cannot test auto-keyed dnslists condition in %s ACL", + acl_wherenames[where]); + return ERROR; + } if (sender_host_address == NULL) return FAIL; /* can never match */ if (revadd[0] == 0) invert_address(revadd, sender_host_address); rc = one_check_dnsbl(domain, domain_txt, sender_host_address, revadd,