1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2024 */
6 /* Copyright (c) University of Cambridge 1995 - 2023 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Functions concerned with verifying things. The original code for callout
11 caching was contributed by Kevin Fleming (but I hacked it around a bit). */
15 #include "transports/smtp.h"
17 #define CUTTHROUGH_CMD_TIMEOUT 30 /* timeout for cutthrough-routing calls */
18 #define CUTTHROUGH_DATA_TIMEOUT 60 /* timeout for cutthrough-routing calls */
19 static smtp_context ctctx;
20 uschar ctbuffer[8192];
23 static uschar cutthrough_response(client_conn_ctx *, char, uschar **, int);
27 /*************************************************
28 * Retrieve a callout cache record *
29 *************************************************/
31 /* If a record exists, check whether it has expired.
34 dbm_file an open hints file
36 type "address" or "domain"
37 positive_expire expire time for positive records
38 negative_expire expire time for negative records
40 Returns: the cache record if a non-expired one exists, else NULL
43 static dbdata_callout_cache *
44 get_callout_cache_record(open_db *dbm_file, const uschar *key, uschar *type,
45 int positive_expire, int negative_expire)
50 dbdata_callout_cache *cache_record;
52 if (!(cache_record = dbfn_read_with_length(dbm_file, key, &length)))
54 HDEBUG(D_verify) debug_printf_indent("callout cache: no %s record found for %s\n", type, key);
58 /* We treat a record as "negative" if its result field is not positive, or if
59 it is a domain record and the postmaster field is negative. */
61 negative = cache_record->result != ccache_accept ||
62 (type[0] == 'd' && cache_record->postmaster_result == ccache_reject);
63 expire = negative? negative_expire : positive_expire;
66 if (now - cache_record->time_stamp > expire)
68 HDEBUG(D_verify) debug_printf_indent("callout cache: %s record expired for %s\n", type, key);
72 /* If this is a non-reject domain record, check for the obsolete format version
73 that doesn't have the postmaster and random timestamps, by looking at the
74 length. If so, copy it to a new-style block, replicating the record's
75 timestamp. Then check the additional timestamps. (There's no point wasting
76 effort if connections are rejected.) */
78 if (type[0] == 'd' && cache_record->result != ccache_reject)
80 if (length == sizeof(dbdata_callout_cache_obs))
82 dbdata_callout_cache * new = store_get(sizeof(dbdata_callout_cache), GET_UNTAINTED);
83 memcpy(new, cache_record, length);
84 new->postmaster_stamp = new->random_stamp = new->time_stamp;
88 if (now - cache_record->postmaster_stamp > expire)
89 cache_record->postmaster_result = ccache_unknown;
91 if (now - cache_record->random_stamp > expire)
92 cache_record->random_result = ccache_unknown;
95 HDEBUG(D_verify) debug_printf_indent("callout cache: found %s record for %s\n", type, key);
101 /* Check the callout cache.
102 Options * pm_mailfrom may be modified by cache partial results.
104 Return: TRUE if result found
108 cached_callout_lookup(address_item * addr, const uschar * address_key,
109 const uschar * from_address, int * opt_ptr, uschar ** pm_ptr,
110 int * yield, uschar ** failure_ptr,
111 dbdata_callout_cache * new_domain_record, int * old_domain_res)
113 int options = *opt_ptr;
115 open_db *dbm_file = NULL;
117 /* Open the callout cache database, if it exists, for reading only at this
118 stage, unless caching has been disabled. */
120 if (options & vopt_callout_no_cache)
122 HDEBUG(D_verify) debug_printf_indent("callout cache: disabled by no_cache\n");
124 else if (!(dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE, TRUE)))
126 HDEBUG(D_verify) debug_printf_indent("callout cache: not available\n");
130 /* If a cache database is available see if we can avoid the need to do an
131 actual callout by making use of previously-obtained data. */
133 dbdata_callout_cache_address * cache_address_record;
134 dbdata_callout_cache * cache_record = get_callout_cache_record(dbm_file,
135 addr->domain, US"domain",
136 callout_cache_domain_positive_expire, callout_cache_domain_negative_expire);
138 /* If an unexpired cache record was found for this domain, see if the callout
139 process can be short-circuited. */
143 /* In most cases, if an early command (up to and including MAIL FROM:<>)
144 was rejected, there is no point carrying on. The callout fails. However, if
145 we are doing a recipient verification with use_sender or use_postmaster
146 set, a previous failure of MAIL FROM:<> doesn't count, because this time we
147 will be using a non-empty sender. We have to remember this situation so as
148 not to disturb the cached domain value if this whole verification succeeds
149 (we don't want it turning into "accept"). */
151 *old_domain_res = cache_record->result;
153 if ( cache_record->result == ccache_reject
154 || *from_address == 0 && cache_record->result == ccache_reject_mfnull)
157 debug_printf_indent("callout cache: domain gave initial rejection, or "
158 "does not accept HELO or MAIL FROM:<>\n");
159 setflag(addr, af_verify_nsfail);
160 addr->user_message = US"(result of an earlier callout reused).";
162 *failure_ptr = US"mail";
163 dbfn_close(dbm_file);
167 /* If a previous check on a "random" local part was accepted, we assume
168 that the server does not do any checking on local parts. There is therefore
169 no point in doing the callout, because it will always be successful. If a
170 random check previously failed, arrange not to do it again, but preserve
171 the data in the new record. If a random check is required but hasn't been
172 done, skip the remaining cache processing. */
174 if (options & vopt_callout_random) switch(cache_record->random_result)
178 debug_printf_indent("callout cache: domain accepts random addresses\n");
179 *failure_ptr = US"random";
180 dbfn_close(dbm_file);
181 return TRUE; /* Default yield is OK */
185 debug_printf_indent("callout cache: domain rejects random addresses\n");
186 *opt_ptr = options & ~vopt_callout_random;
187 new_domain_record->random_result = ccache_reject;
188 new_domain_record->random_stamp = cache_record->random_stamp;
193 debug_printf_indent("callout cache: need to check random address handling "
194 "(not cached or cache expired)\n");
195 dbfn_close(dbm_file);
199 /* If a postmaster check is requested, but there was a previous failure,
200 there is again no point in carrying on. If a postmaster check is required,
201 but has not been done before, we are going to have to do a callout, so skip
202 remaining cache processing. */
206 if (cache_record->postmaster_result == ccache_reject)
208 setflag(addr, af_verify_pmfail);
210 debug_printf_indent("callout cache: domain does not accept "
211 "RCPT TO:<postmaster@domain>\n");
213 *failure_ptr = US"postmaster";
214 setflag(addr, af_verify_pmfail);
215 addr->user_message = US"(result of earlier verification reused).";
216 dbfn_close(dbm_file);
219 if (cache_record->postmaster_result == ccache_unknown)
222 debug_printf_indent("callout cache: need to check RCPT "
223 "TO:<postmaster@domain> (not cached or cache expired)\n");
224 dbfn_close(dbm_file);
228 /* If cache says OK, set pm_mailfrom NULL to prevent a redundant
229 postmaster check if the address itself has to be checked. Also ensure
230 that the value in the cache record is preserved (with its old timestamp).
233 HDEBUG(D_verify) debug_printf_indent("callout cache: domain accepts RCPT "
234 "TO:<postmaster@domain>\n");
236 new_domain_record->postmaster_result = ccache_accept;
237 new_domain_record->postmaster_stamp = cache_record->postmaster_stamp;
241 /* We can't give a result based on information about the domain. See if there
242 is an unexpired cache record for this specific address (combined with the
243 sender address if we are doing a recipient callout with a non-empty sender).
246 if (!(cache_address_record = (dbdata_callout_cache_address *)
247 get_callout_cache_record(dbm_file, address_key, US"address",
248 callout_cache_positive_expire, callout_cache_negative_expire)))
250 dbfn_close(dbm_file);
254 if (cache_address_record->result == ccache_accept)
257 debug_printf_indent("callout cache: address record is positive\n");
262 debug_printf_indent("callout cache: address record is negative\n");
263 addr->user_message = US"Previous (cached) callout verification failure";
264 *failure_ptr = US"recipient";
268 /* Close the cache database while we actually do the callout for real. */
270 dbfn_close(dbm_file);
277 /* Write results to callout cache
280 cache_callout_write(dbdata_callout_cache * dom_rec, const uschar * domain,
281 int done, dbdata_callout_cache_address * addr_rec, const uschar * address_key)
284 open_db * dbm_file = NULL;
286 /* If we get here with done == TRUE, a successful callout happened, and yield
287 will be set OK or FAIL according to the response to the RCPT command.
288 Otherwise, we looped through the hosts but couldn't complete the business.
289 However, there may be domain-specific information to cache in both cases.
291 The value of the result field in the new_domain record is ccache_unknown if
292 there was an error before or with MAIL FROM:, and errno was not zero,
293 implying some kind of I/O error. We don't want to write the cache in that case.
294 Otherwise the value is ccache_accept, ccache_reject, or ccache_reject_mfnull. */
296 if (dom_rec->result != ccache_unknown)
297 if (!(dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE, TRUE)))
299 HDEBUG(D_verify) debug_printf_indent("callout cache: not available\n");
303 (void)dbfn_write(dbm_file, domain, dom_rec,
304 (int)sizeof(dbdata_callout_cache));
305 HDEBUG(D_verify) debug_printf_indent("wrote callout cache domain record for %s:\n"
306 " result=%d postmaster=%d random=%d\n",
309 dom_rec->postmaster_result,
310 dom_rec->random_result);
313 /* If a definite result was obtained for the callout, cache it unless caching
316 if (done && addr_rec->result != ccache_unknown)
319 dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE, TRUE);
322 HDEBUG(D_verify) debug_printf_indent("no callout cache available\n");
326 (void)dbfn_write(dbm_file, address_key, addr_rec,
327 (int)sizeof(dbdata_callout_cache_address));
328 HDEBUG(D_verify) debug_printf_indent("wrote %s callout cache address record for %s\n",
329 addr_rec->result == ccache_accept ? "positive" : "negative",
334 if (dbm_file) dbfn_close(dbm_file);
338 /* Cutthrough-multi. If the existing cached cutthrough connection matches
339 the one we would make for a subsequent recipient, use it. Send the RCPT TO
340 and check the result, nonpipelined as it may be wanted immediately for
341 recipient-verification.
343 It seems simpler to deal with this case separately from the main callout loop.
344 We will need to remember it has sent, or not, so that rcpt-acl tail code
345 can do it there for the non-rcpt-verify case. For this we keep an addresscount.
347 Return: TRUE for a definitive result for the recipient
350 cutthrough_multi(address_item * addr, host_item * host_list,
351 transport_feedback * tf, int * yield)
355 if (addr->transport == cutthrough.addr.transport)
356 for (host_item * host = host_list; host; host = host->next)
357 if (Ustrcmp(host->address, cutthrough.host.address) == 0)
360 uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
363 deliver_host = host->name;
364 deliver_host_address = host->address;
365 deliver_host_port = host->port;
366 deliver_domain = addr->domain;
367 transport_name = addr->transport->drinst.name;
369 host_af = Ustrchr(host->address, ':') ? AF_INET6 : AF_INET;
371 GET_OPTION("interface");
372 if ( !smtp_get_interface(tf->interface, host_af, addr, &interface,
374 || !smtp_get_port(tf->port, addr, &port, US"callout")
376 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
379 smtp_port_for_connect(host, port);
381 if ( ( interface == cutthrough.interface
383 && cutthrough.interface
384 && Ustrcmp(interface, cutthrough.interface) == 0
386 && host->port == cutthrough.host.port
389 uschar * resp = NULL;
391 /* Match! Send the RCPT TO, set done from the response */
393 smtp_write_command(&ctctx, SCMD_FLUSH, "RCPT TO:<%.1000s>\r\n",
394 transport_rcpt_address(addr,
395 addr->transport->rcpt_include_affixes)) >= 0
396 && cutthrough_response(&cutthrough.cctx, '2', &resp,
397 CUTTHROUGH_DATA_TIMEOUT) == '2';
399 /* This would go horribly wrong if a callout fail was ignored by ACL.
400 We punt by abandoning cutthrough on a reject, like the
405 address_item * na = store_get(sizeof(address_item), GET_UNTAINTED);
406 *na = cutthrough.addr;
407 cutthrough.addr = *addr;
408 cutthrough.addr.host_used = &cutthrough.host;
409 cutthrough.addr.next = na;
415 cancel_cutthrough_connection(TRUE, US"recipient rejected");
416 if (!resp || errno == ETIMEDOUT)
418 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
423 Ustrcpy(resp, US"connection dropped");
426 string_sprintf("response to \"%s\" was: %s",
427 big_buffer, string_printing(resp));
430 string_sprintf("Callout verification failed:\n%s", resp);
432 /* Hard rejection ends the process */
434 if (resp[0] == '5') /* Address rejected */
442 break; /* host_list */
445 cancel_cutthrough_connection(TRUE, US"incompatible connection");
452 /* A rcpt callout, or cached record of one, verified the address.
453 Set $domain_data and $local_part_data to detainted versions.
456 callout_verified_rcpt(const address_item * addr)
458 address_item a = {.address = addr->address};
459 if (deliver_split_address(&a) != OK) return;
460 deliver_localpart_data = string_copy_taint(a.local_part, GET_UNTAINTED);
461 deliver_domain_data = string_copy_taint(a.domain, GET_UNTAINTED);
465 /*************************************************
466 * Do callout verification for an address *
467 *************************************************/
469 /* This function is called from verify_address() when the address has routed to
470 a host list, and a callout has been requested. Callouts are expensive; that is
471 why a cache is used to improve the efficiency.
474 addr the address that's been routed
475 host_list the list of hosts to try
476 tf the transport feedback block
478 ifstring "interface" option from transport, or NULL
479 portstring "port" option from transport, or NULL
480 protocolstring "protocol" option from transport, or NULL
481 callout the per-command callout timeout
482 callout_overall the overall callout timeout (if < 0 use 4*callout)
483 callout_connect the callout connection timeout (if < 0 use callout)
484 options the verification options - these bits are used:
485 vopt_is_recipient => this is a recipient address
486 vopt_callout_no_cache => don't use callout cache
487 vopt_callout_fullpm => if postmaster check, do full one
488 vopt_callout_random => do the "random" thing
489 vopt_callout_recipsender => use real sender for recipient
490 vopt_callout_recippmaster => use postmaster for recipient
491 vopt_callout_hold => lazy close connection
492 se_mailfrom MAIL FROM address for sender verify; NULL => ""
493 pm_mailfrom if non-NULL, do the postmaster check with this sender
495 Returns: OK/FAIL/DEFER
499 do_callout(address_item *addr, host_item *host_list, transport_feedback *tf,
500 int callout, int callout_overall, int callout_connect, int options,
501 uschar *se_mailfrom, uschar *pm_mailfrom)
504 int old_domain_cache_result = ccache_accept;
506 const uschar * address_key;
507 const uschar * from_address;
508 uschar * random_local_part = NULL;
509 const uschar * save_deliver_domain = deliver_domain;
510 uschar ** failure_ptr = options & vopt_is_recipient
511 ? &recipient_verify_failure : &sender_verify_failure;
512 dbdata_callout_cache new_domain_record;
513 dbdata_callout_cache_address new_address_record;
514 time_t callout_start_time;
516 new_domain_record.result = ccache_unknown;
517 new_domain_record.postmaster_result = ccache_unknown;
518 new_domain_record.random_result = ccache_unknown;
520 memset(&new_address_record, 0, sizeof(new_address_record));
522 /* For a recipient callout, the key used for the address cache record must
523 include the sender address if we are using the real sender in the callout,
524 because that may influence the result of the callout. */
526 if (options & vopt_is_recipient)
527 if (options & vopt_callout_recipsender)
529 from_address = sender_address;
530 address_key = string_sprintf("%s/<%s>", addr->address, sender_address);
531 if (cutthrough.delivery) /* cutthrough previously req. */
533 options |= vopt_callout_no_cache; /* in case called by verify= */
534 addr->return_path = from_address; /* for cutthrough logging */
537 else if (options & vopt_callout_recippmaster)
539 from_address = string_sprintf("postmaster@%s", qualify_domain_sender);
540 address_key = string_sprintf("%s/<postmaster@%s>", addr->address,
541 qualify_domain_sender);
546 address_key = addr->address;
549 /* For a sender callout, we must adjust the key if the mailfrom address is not
554 from_address = se_mailfrom ? se_mailfrom : US"";
555 address_key = *from_address
556 ? string_sprintf("%s/<%s>", addr->address, from_address) : addr->address;
559 if (cached_callout_lookup(addr, address_key, from_address,
560 &options, &pm_mailfrom, &yield, failure_ptr,
561 &new_domain_record, &old_domain_cache_result))
563 cancel_cutthrough_connection(TRUE, US"cache-hit");
567 if (!addr->transport)
569 HDEBUG(D_verify) debug_printf("cannot callout via null transport\n");
572 else if (Ustrcmp(addr->transport->drinst.driver_name, "smtp") != 0)
573 log_write(0, LOG_MAIN|LOG_PANIC|LOG_CONFIG_FOR, "callout transport '%s': %s is non-smtp",
574 addr->transport->drinst.name, addr->transport->drinst.driver_name);
577 smtp_transport_options_block * ob = addr->transport->drinst.options_block;
578 smtp_context * sx = NULL;
580 /* The information wasn't available in the cache, so we have to do a real
581 callout and save the result in the cache for next time, unless no_cache is set,
582 or unless we have a previously cached negative random result. If we are to test
583 with a random local part, ensure that such a local part is available. If not,
584 log the fact, but carry on without randomising. */
586 if (options & vopt_callout_random)
588 GET_OPTION("callout_random_local_part");
589 if ( callout_random_local_part
590 && !(random_local_part = expand_string(callout_random_local_part)))
591 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
592 "callout_random_local_part: %s", expand_string_message);
595 /* Compile regex' used by client-side smtp */
599 /* Default the connect and overall callout timeouts if not set, and record the
600 time we are starting so that we can enforce it. */
602 if (callout_overall < 0) callout_overall = 4 * callout;
603 if (callout_connect < 0) callout_connect = callout;
604 callout_start_time = time(NULL);
606 /* Before doing a real callout, if this is an SMTP connection, flush the SMTP
607 output because a callout might take some time. When PIPELINING is active and
608 there are many recipients, the total time for doing lots of callouts can add up
609 and cause the client to time out. So in this case we forgo the PIPELINING
612 if (smtp_out && !f.disable_callout_flush) mac_smtp_fflush();
614 clearflag(addr, af_verify_pmfail); /* postmaster callout flag */
615 clearflag(addr, af_verify_nsfail); /* null sender callout flag */
617 /* cutthrough-multi: if a nonfirst rcpt has the same routing as the first,
618 and we are holding a cutthrough conn open, we can just append the rcpt to
619 that conn for verification purposes (and later delivery also). Simplest
620 coding means skipping this whole loop and doing the append separately. */
622 /* Can we re-use an open cutthrough connection? */
623 if ( cutthrough.cctx.sock >= 0
624 && (options & (vopt_callout_recipsender | vopt_callout_recippmaster))
625 == vopt_callout_recipsender
626 && !random_local_part
629 done = cutthrough_multi(addr, host_list, tf, &yield);
631 /* If we did not use a cached connection, make connections to the hosts
632 and do real callouts. The list of hosts is passed in as an argument. */
634 for (host_item * host = host_list; host && !done; host = host->next)
638 uschar * interface = NULL; /* Outgoing interface to use; NULL => any */
642 DEBUG(D_verify) debug_printf("no IP address for host name %s: skipping\n",
647 /* Check the overall callout timeout */
649 if (time(NULL) - callout_start_time >= callout_overall)
651 HDEBUG(D_verify) debug_printf("overall timeout for callout exceeded\n");
655 /* Set IPv4 or IPv6 */
657 host_af = Ustrchr(host->address, ':') ? AF_INET6 : AF_INET;
659 /* Expand and interpret the interface and port strings. The latter will not
660 be used if there is a host-specific port (e.g. from a manualroute router).
661 This has to be delayed till now, because they may expand differently for
662 different hosts. If there's a failure, log it, but carry on with the
665 deliver_host = host->name;
666 deliver_host_address = host->address;
667 deliver_host_port = host->port;
668 deliver_domain = addr->domain;
669 transport_name = addr->transport->drinst.name;
671 GET_OPTION("interface");
672 if ( !smtp_get_interface(tf->interface, host_af, addr, &interface,
674 || !smtp_get_port(tf->port, addr, &port, US"callout")
676 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
679 if (!sx) sx = store_get(sizeof(*sx), GET_TAINTED); /* tainted buffers */
680 memset(sx, 0, sizeof(*sx));
682 sx->addrlist = sx->first_addr = addr;
683 sx->conn_args.host = host;
684 sx->conn_args.host_af = host_af,
686 sx->conn_args.interface = interface;
687 sx->helo_data = tf->helo_data;
688 sx->conn_args.tblock = addr->transport;
689 sx->cctx.sock = sx->conn_args.sock = -1;
692 tls_retry_connection:
693 /* Set the address state so that errors are recorded in it */
695 addr->transport_return = PENDING_DEFER;
696 ob->connect_timeout = callout_connect;
697 ob->command_timeout = callout;
699 /* Get the channel set up ready for a message (MAIL FROM being the next
700 SMTP command to send. If we tried TLS but it failed, try again without
703 yield = smtp_setup_conn(sx, FALSE);
706 && addr->basic_errno == ERRNO_TLSFAILURE
707 && ob->tls_tempfail_tryclear
708 && verify_check_given_host(CUSS &ob->hosts_require_tls, host) != OK
711 log_write(0, LOG_MAIN,
712 "%s: callout unencrypted to %s [%s] (not in hosts_require_tls)",
713 addr->message, host->name, host->address);
714 addr->transport_return = PENDING_DEFER;
715 yield = smtp_setup_conn(sx, TRUE);
720 smtp_debug_cmd_report(); /*XXX we seem to exit without what should
721 be a common call to this. How? */
722 errno = addr->basic_errno;
724 /* For certain errors we want specifically to log the transport name,
725 for ease of fixing config errors. Slightly ugly doing it here, but we want
726 to not leak that also in the SMTP response. */
731 case EPROTONOSUPPORT:
732 case ESOCKTNOSUPPORT:
740 log_write(0, LOG_MAIN|LOG_PANIC,
741 "%s verify %s (making calloout connection): T=%s %s",
742 options & vopt_is_recipient ? "sender" : "recipient",
743 yield == FAIL ? "fail" : "defer",
744 transport_name, strerror(errno));
747 transport_name = NULL;
748 deliver_host = deliver_host_address = NULL;
749 deliver_domain = save_deliver_domain;
751 /* Failure to accept HELO is cached; this blocks the whole domain for all
752 senders. I/O errors and defer responses are not cached. */
754 if (yield == FAIL && (errno == 0 || errno == ERRNO_SMTPCLOSED))
756 setflag(addr, af_verify_nsfail);
757 new_domain_record.result = ccache_reject;
765 /* If we needed to authenticate, smtp_setup_conn() did that. Copy
766 the AUTH info for logging */
768 addr->authenticator = client_authenticator;
769 addr->auth_id = client_authenticated_id;
771 sx->from_addr = from_address;
772 sx->first_addr = sx->sync_addr = addr;
773 sx->ok = FALSE; /*XXX these 3 last might not be needed for verify? */
774 sx->send_rset = TRUE;
775 sx->completed_addr = FALSE;
777 /*XXX do not want to write a cache record for ATRN */
778 new_domain_record.result = old_domain_cache_result == ccache_reject_mfnull
779 ? ccache_reject_mfnull : ccache_accept;
781 /* Do the random local part check first. Temporarily replace the recipient
782 with the "random" value */
784 if (random_local_part)
786 const uschar * main_address = addr->address;
787 const uschar * rcpt_domain = addr->domain;
790 uschar * errstr = NULL;
791 if ( testflag(addr, af_utf8_downcvt)
792 && (rcpt_domain = string_domain_utf8_to_alabel(rcpt_domain,
796 addr->message = errstr;
797 errno = ERRNO_EXPANDFAIL;
798 setflag(addr, af_verify_nsfail);
800 rcpt_domain = US""; /*XXX errorhandling! */
804 /* This would be ok for 1st rcpt of a cutthrough (the case handled here;
805 subsequents are done in cutthrough_multi()), but no way to
806 handle a subsequent because of the RSET vaporising the MAIL FROM.
807 So refuse to support any. Most cutthrough use will not involve
808 random_local_part, so no loss. */
809 cancel_cutthrough_connection(TRUE, US"random-recipient");
811 addr->address = string_sprintf("%s@%.1000s",
812 random_local_part, rcpt_domain);
815 /* If accepted, we aren't going to do any further tests below.
816 Otherwise, cache a real negative response, and get back to the right
817 state to send RCPT. Unless there's some problem such as a dropped
818 connection, we expect to succeed, because the commands succeeded above.
819 However, some servers drop the connection after responding to an
820 invalid recipient, so on (any) error we drop and remake the connection.
821 XXX We don't care about that for postmaster_full. Should we?
823 XXX could we add another flag to the context, and have the common
824 code emit the RSET too? Even pipelined after the RCPT...
825 Then the main-verify call could use it if there's to be a subsequent
827 The sync_responses() would need to be taught about it and we'd
828 need another return code filtering out to here.
830 Avoid using a SIZE option on the MAIL for all random-rcpt checks.
833 sx->avoid_option = OPTION_SIZE;
835 /* Remember when we last did a random test */
836 new_domain_record.random_stamp = time(NULL);
838 if (smtp_write_mail_and_rcpt_cmds(sx, &yield) == sw_mrc_ok)
839 switch(addr->transport_return)
841 case PENDING_OK: /* random was accepted, unfortunately */
842 new_domain_record.random_result = ccache_accept;
843 yield = OK; /* Only usable verify result we can return */
845 *failure_ptr = US"random";
847 case FAIL: /* rejected: the preferred result */
848 new_domain_record.random_result = ccache_reject;
849 sx->avoid_option = 0;
851 /* Between each check, issue RSET, because some servers accept only
852 one recipient after MAIL FROM:<>.
853 XXX We don't care about that for postmaster_full. Should we? */
856 smtp_write_command(sx, SCMD_FLUSH, "RSET\r\n") >= 0 &&
857 smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', callout)))
861 debug_printf_indent("problem after random/rset/mfrom; reopen conn\n");
862 random_local_part = NULL;
864 tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
866 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP(close)>>\n");
867 (void)close(sx->cctx.sock);
869 #ifndef DISABLE_EVENT
870 (void) event_raise(addr->transport->event_action,
871 US"tcp:close", NULL, NULL);
873 addr->address = main_address;
874 addr->transport_return = PENDING_DEFER;
875 sx->first_addr = sx->sync_addr = addr;
877 sx->send_rset = TRUE;
878 sx->completed_addr = FALSE;
879 goto tls_retry_connection;
880 case DEFER: /* 4xx response to random */
881 break; /* Just to be clear. ccache_unknown, !done. */
884 /* Re-setup for main verify, or for the error message when failing */
885 addr->address = main_address;
886 addr->transport_return = PENDING_DEFER;
887 sx->first_addr = sx->sync_addr = addr;
889 sx->send_rset = TRUE;
890 sx->completed_addr = FALSE;
895 /* Main verify. For rcpt-verify use SIZE if we know it and we're not cacheing;
896 for sndr-verify never use it. */
898 if (done && !(options & vopt_atrn))
900 if (!(options & vopt_is_recipient && options & vopt_callout_no_cache))
901 sx->avoid_option = OPTION_SIZE;
904 switch(smtp_write_mail_and_rcpt_cmds(sx, &yield))
907 switch(addr->transport_return) /* ok so far */
909 case PENDING_OK: done = TRUE;
910 new_address_record.result = ccache_accept;
912 case FAIL: done = TRUE;
914 *failure_ptr = US"recipient";
915 new_address_record.result = ccache_reject;
921 case sw_mrc_bad_mail: /* MAIL response error */
922 *failure_ptr = US"mail";
923 if (errno == 0 && sx->buffer[0] == '5')
925 setflag(addr, af_verify_nsfail);
926 if (from_address[0] == 0)
927 new_domain_record.result = ccache_reject_mfnull;
930 /* non-MAIL read i/o error */
931 /* non-MAIL response timeout */
932 /* internal error; channel still usable */
933 default: break; /* transmit failed */
937 addr->auth_sndr = client_authenticated_sender;
939 deliver_host = deliver_host_address = NULL;
940 deliver_domain = save_deliver_domain;
942 /* Do postmaster check if requested; if a full check is required, we
943 check for RCPT TO:<postmaster> (no domain) in accordance with RFC 821. */
945 if (done && pm_mailfrom)
947 /* Could possibly shift before main verify, just above, and be ok
948 for cutthrough. But no way to handle a subsequent rcpt, so just
950 cancel_cutthrough_connection(TRUE, US"postmaster verify");
951 HDEBUG(D_acl|D_v) debug_printf_indent("Cutthrough cancelled by presence of postmaster verify\n");
953 done = smtp_write_command(sx, SCMD_FLUSH, "RSET\r\n") >= 0
954 && smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', callout);
958 const uschar * main_address = addr->address;
960 /*XXX oops, affixes */
961 addr->address = string_sprintf("postmaster@%.1000s", addr->domain);
962 addr->transport_return = PENDING_DEFER;
964 sx->from_addr = pm_mailfrom;
965 sx->first_addr = sx->sync_addr = addr;
967 sx->send_rset = TRUE;
968 sx->completed_addr = FALSE;
969 sx->avoid_option = OPTION_SIZE;
971 if( smtp_write_mail_and_rcpt_cmds(sx, &yield) == sw_mrc_ok
972 && addr->transport_return == PENDING_OK
976 done = (options & vopt_callout_fullpm) != 0
977 && smtp_write_command(sx, SCMD_FLUSH,
978 "RCPT TO:<postmaster>\r\n") >= 0
979 && smtp_read_response(sx, sx->buffer,
980 sizeof(sx->buffer), '2', callout);
982 /* Sort out the cache record */
984 new_domain_record.postmaster_stamp = time(NULL);
987 new_domain_record.postmaster_result = ccache_accept;
988 else if (errno == 0 && sx->buffer[0] == '5')
990 *failure_ptr = US"postmaster";
991 setflag(addr, af_verify_pmfail);
992 new_domain_record.postmaster_result = ccache_reject;
995 addr->address = main_address;
998 /* For any failure of the main check, other than a negative response, we just
999 close the connection and carry on. We can identify a negative response by the
1000 fact that errno is zero. For I/O errors it will be non-zero
1002 Set up different error texts for logging and for sending back to the caller
1003 as an SMTP response. Log in all cases, using a one-line format. For sender
1004 callouts, give a full response to the caller, but for recipient callouts,
1005 don't give the IP address because this may be an internal host whose identity
1006 is not to be widely broadcast. */
1012 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
1013 sx->send_quit = FALSE;
1017 case ERRNO_UTF8_FWD:
1019 extern int acl_where; /* src/acl.c */
1021 addr->message = US"response to \"EHLO\" did not include SMTPUTF8";
1022 addr->user_message = acl_where == ACL_WHERE_RCPT
1023 ? US"533 no support for internationalised mailbox name"
1024 : US"550 mailbox unavailable";
1031 sx->send_quit = FALSE;
1035 if (*sx->buffer == 0) Ustrcpy(sx->buffer, US"connection dropped");
1037 /*XXX test here is ugly; seem to have a split of responsibility for
1038 building this message. Need to rationalise. Where is it done
1039 before here, and when not?
1040 Not == 5xx resp to MAIL on main-verify
1042 if (!addr->message) addr->message =
1043 string_sprintf("response to \"%s\" was: %s",
1044 big_buffer, string_printing(sx->buffer));
1046 /* RFC 5321 section 4.2: the text portion of the response may have only
1047 HT, SP, Printable US-ASCII. Deal with awkward chars by cutting the
1048 received message off before passing it onward. Newlines are ok; they
1049 just become a multiline response (but wrapped in the error code we
1052 for (uschar * s = sx->buffer;
1053 *s && s < sx->buffer + sizeof(sx->buffer);
1057 if (c != '\t' && c != '\n' && (c < ' ' || c > '~'))
1059 if (s - sx->buffer < sizeof(sx->buffer) - 12)
1060 memcpy(s, "(truncated)", 12);
1066 addr->user_message = options & vopt_is_recipient
1067 ? string_sprintf("Callout verification failed:\n%s", sx->buffer)
1068 : string_sprintf("Called: %s\nSent: %s\nResponse: %s",
1069 host->address, big_buffer, sx->buffer);
1071 /* Hard rejection ends the process */
1073 if (sx->buffer[0] == '5') /* Address rejected */
1081 /* End the SMTP conversation and close the connection. */
1083 /* Cutthrough - on a successful connect and recipient-verify with
1084 use-sender and we are 1st rcpt and have no cutthrough conn so far
1085 here is where we want to leave the conn open. Ditto for a lazy-close
1088 if (cutthrough.delivery)
1090 if (addr->transport->filter_command)
1092 cutthrough.delivery= FALSE;
1093 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n");
1095 #ifndef DISABLE_DKIM
1096 /* DKIM signing needs to add a header after seeing the whole body, so we cannot just copy
1097 body bytes to the outbound as they are received, which is the intent of cutthrough. */
1098 if (ob->dkim.dkim_domain)
1100 cutthrough.delivery= FALSE;
1101 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of DKIM signing\n");
1104 #ifdef EXPERIMENTAL_ARC
1107 cutthrough.delivery= FALSE;
1108 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of ARC signing\n");
1113 if ( (cutthrough.delivery || options & vopt_callout_hold)
1117 && (options & (vopt_callout_recipsender|vopt_callout_recippmaster|vopt_success_on_redirect))
1118 == vopt_callout_recipsender
1119 && !random_local_part
1121 && cutthrough.cctx.sock < 0
1125 HDEBUG(D_acl|D_v) debug_printf_indent("holding verify callout open for %s\n",
1127 ? "cutthrough delivery" : "potential further verifies and delivery");
1129 cutthrough.callout_hold_only = !cutthrough.delivery;
1130 cutthrough.is_tls = tls_out.active.sock >= 0;
1131 /* We assume no buffer in use in the outblock */
1132 cutthrough.cctx = sx->cctx;
1133 cutthrough.nrcpt = 1;
1134 cutthrough.transport = addr->transport->drinst.name;
1135 cutthrough.interface = interface;
1136 cutthrough.snd_port = sending_port;
1137 cutthrough.peer_options = smtp_peer_options;
1138 cutthrough.host = *host;
1140 int oldpool = store_pool;
1141 store_pool = POOL_PERM;
1142 cutthrough.snd_ip = string_copy(sending_ip_address);
1143 cutthrough.host.name = string_copy(host->name);
1144 cutthrough.host.address = string_copy(host->address);
1145 store_pool = oldpool;
1148 /* Save the address_item and parent chain for later logging */
1149 cutthrough.addr = *addr;
1150 cutthrough.addr.next = NULL;
1151 cutthrough.addr.host_used = &cutthrough.host;
1152 for (address_item * caddr = &cutthrough.addr, * parent = addr->parent;
1154 caddr = caddr->parent, parent = parent->parent)
1155 *(caddr->parent = store_get(sizeof(address_item), GET_UNTAINTED)) = *parent;
1157 ctctx.outblock.buffer = ctbuffer;
1158 ctctx.outblock.buffersize = sizeof(ctbuffer);
1159 ctctx.outblock.ptr = ctbuffer;
1160 /* ctctx.outblock.cmd_count = 0; ctctx.outblock.authenticating = FALSE; */
1161 ctctx.outblock.cctx = &cutthrough.cctx;
1165 /* Ensure no cutthrough on multiple verifies that were incompatible */
1166 if (options & vopt_callout_recipsender)
1167 cancel_cutthrough_connection(TRUE, US"not usable for cutthrough");
1168 if (sx->send_quit && sx->cctx.sock >= 0)
1169 if (smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n") != -1)
1170 /* Wait a short time for response, and discard it */
1171 smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', 1);
1173 if (sx->cctx.sock >= 0)
1176 if (sx->cctx.tls_ctx)
1178 tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
1179 sx->cctx.tls_ctx = NULL;
1182 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP(close)>>\n");
1183 (void)close(sx->cctx.sock);
1185 smtp_debug_cmd_report();
1186 #ifndef DISABLE_EVENT
1187 (void) event_raise(addr->transport->event_action, US"tcp:close", NULL, NULL);
1192 if (!done || yield != OK)
1193 addr->message = string_sprintf("%s [%s] : %s", host->name, host->address,
1195 } /* Loop through all hosts, while !done */
1198 /* If we get here with done == TRUE, a successful callout happened, and yield
1199 will be set OK or FAIL according to the response to the RCPT command.
1200 Otherwise, we looped through the hosts but couldn't complete the business.
1201 However, there may be domain-specific information to cache in both cases. */
1203 if (!(options & vopt_callout_no_cache))
1204 cache_callout_write(&new_domain_record, addr->domain,
1205 done, &new_address_record, address_key);
1207 /* Failure to connect to any host, or any response other than 2xx or 5xx is a
1208 temporary error. If there was only one host, and a response was received, leave
1209 it alone if supplying details. Otherwise, give a generic response. */
1213 uschar * dullmsg = string_sprintf("Could not complete %s verify callout",
1214 options & vopt_is_recipient ? "recipient" : "sender");
1217 addr->message = host_list->next || !addr->message
1218 ? dullmsg : string_sprintf("%s: %s", dullmsg, addr->message);
1220 addr->user_message = smtp_return_error_details
1221 ? string_sprintf("%s for <%s>.\n"
1222 "The mail server(s) for the domain may be temporarily unreachable, or\n"
1223 "they may be permanently unreachable from this server. In the latter case,\n%s",
1224 dullmsg, addr->address,
1225 options & vopt_is_recipient
1226 ? "the address will never be accepted."
1227 : "you need to change the address or create an MX record for its domain\n"
1228 "if it is supposed to be generally accessible from the Internet.\n"
1229 "Talk to your mail administrator for details.")
1232 /* Force a specific error code */
1234 addr->basic_errno = ERRNO_CALLOUTDEFER;
1237 /* Come here from within the cache-reading code on fast-track exit. */
1240 if (!(options & vopt_atrn))
1241 tls_modify_variables(&tls_in); /* return variables to inbound values */
1247 /* Called after recipient-acl to get a cutthrough connection open when
1248 one was requested and a recipient-verify wasn't subsequently done.
1251 open_cutthrough_connection(address_item * addr)
1256 /* Use a recipient-verify-callout to set up the cutthrough connection. */
1257 /* We must use a copy of the address for verification, because it might
1261 HDEBUG(D_acl) debug_printf_indent("----------- %s cutthrough setup ------------\n",
1262 rcpt_count > 1 ? "more" : "start");
1263 rc = verify_address(&addr2, NULL,
1264 vopt_is_recipient | vopt_callout_recipsender | vopt_callout_no_cache,
1265 CUTTHROUGH_CMD_TIMEOUT, -1, -1,
1267 addr->message = addr2.message;
1268 addr->user_message = addr2.user_message;
1269 HDEBUG(D_acl) debug_printf_indent("----------- end cutthrough setup ------------\n");
1275 /* Send given number of bytes from the buffer */
1277 cutthrough_send(int n)
1279 if(cutthrough.cctx.sock < 0)
1285 ? tls_write(cutthrough.cctx.tls_ctx, ctctx.outblock.buffer, n, FALSE)
1288 send(cutthrough.cctx.sock, ctctx.outblock.buffer, n, 0) > 0
1291 transport_count += n;
1292 ctctx.outblock.ptr= ctctx.outblock.buffer;
1296 HDEBUG(D_transport|D_acl) debug_printf_indent("cutthrough_send failed: %s\n", strerror(errno));
1303 _cutthrough_puts(const uschar * cp, int n)
1307 if(ctctx.outblock.ptr >= ctctx.outblock.buffer+ctctx.outblock.buffersize)
1308 if(!cutthrough_send(ctctx.outblock.buffersize))
1311 *ctctx.outblock.ptr++ = *cp++;
1316 /* Buffered output of counted data block. Return boolean success */
1318 cutthrough_puts(const uschar * cp, int n)
1320 if (cutthrough.cctx.sock < 0) return TRUE;
1321 if (_cutthrough_puts(cp, n)) return TRUE;
1322 cancel_cutthrough_connection(TRUE, US"transmit failed");
1327 cutthrough_data_puts(uschar * cp, int n)
1329 if (cutthrough.delivery) (void) cutthrough_puts(cp, n);
1335 _cutthrough_flush_send(void)
1337 int n = ctctx.outblock.ptr - ctctx.outblock.buffer;
1340 if(!cutthrough_send(n))
1346 /* Send out any bufferred output. Return boolean success. */
1348 cutthrough_flush_send(void)
1350 if (_cutthrough_flush_send()) return TRUE;
1351 cancel_cutthrough_connection(TRUE, US"transmit failed");
1357 cutthrough_put_nl(void)
1359 return cutthrough_puts(US"\r\n", 2);
1364 cutthrough_data_put_nl(void)
1366 cutthrough_data_puts(US"\r\n", 2);
1370 /* Get and check response from cutthrough target.
1375 - cutthrough conn close
1378 cutthrough_response(client_conn_ctx * cctx, char expect, uschar ** copy, int timeout)
1380 smtp_context sx = {0};
1381 uschar inbuffer[4096];
1382 uschar responsebuffer[4096];
1384 sx.inblock.buffer = inbuffer;
1385 sx.inblock.buffersize = sizeof(inbuffer);
1386 sx.inblock.ptr = inbuffer;
1387 sx.inblock.ptrend = inbuffer;
1388 sx.inblock.cctx = cctx;
1389 if(!smtp_read_response(&sx, responsebuffer, sizeof(responsebuffer), expect, timeout))
1390 cancel_cutthrough_connection(TRUE, US"unexpected response to smtp command");
1395 *copy = cp = string_copy(responsebuffer);
1396 /* Trim the trailing end of line */
1397 cp += Ustrlen(responsebuffer);
1398 if(cp > *copy && cp[-1] == '\n') *--cp = '\0';
1399 if(cp > *copy && cp[-1] == '\r') *--cp = '\0';
1402 return responsebuffer[0];
1406 /* Negotiate dataphase with the cutthrough target, returning success boolean */
1408 cutthrough_predata(void)
1410 if(cutthrough.cctx.sock < 0 || cutthrough.callout_hold_only)
1413 smtp_debug_cmd(US"DATA", 0);
1414 cutthrough_puts(US"DATA\r\n", 6);
1415 cutthrough_flush_send();
1417 /* Assume nothing buffered. If it was it gets ignored. */
1418 return cutthrough_response(&cutthrough.cctx, '3', NULL, CUTTHROUGH_DATA_TIMEOUT) == '3';
1422 /* tctx arg only to match write_chunk() */
1424 cutthrough_write_chunk(transport_ctx * tctx, const uschar * s, int len)
1427 while(s && (s2 = Ustrchr(s, '\n')))
1429 if(!cutthrough_puts(s, s2-s) || !cutthrough_put_nl())
1437 /* Buffered send of headers. Return success boolean. */
1438 /* Expands newlines to wire format (CR,NL). */
1439 /* Also sends header-terminating blank line. */
1441 cutthrough_headers_send(void)
1445 if(cutthrough.cctx.sock < 0 || cutthrough.callout_hold_only)
1448 /* We share a routine with the mainline transport to handle header add/remove/rewrites,
1449 but having a separate buffered-output function (for now)
1451 HDEBUG(D_acl) debug_printf_indent("----------- start cutthrough headers send -----------\n");
1453 tctx.u.fd = cutthrough.cctx.sock;
1454 tctx.tblock = cutthrough.addr.transport;
1455 tctx.addr = &cutthrough.addr;
1456 tctx.check_string = US".";
1457 tctx.escape_string = US"..";
1458 /*XXX check under spool_files_wireformat. Might be irrelevant */
1459 tctx.options = topt_use_crlf;
1461 if (!transport_headers_send(&tctx, &cutthrough_write_chunk))
1464 HDEBUG(D_acl) debug_printf_indent("----------- done cutthrough headers send ------------\n");
1470 close_cutthrough_connection(const uschar * why)
1472 int fd = cutthrough.cctx.sock;
1475 /* We could be sending this after a bunch of data, but that is ok as
1476 the only way to cancel the transfer in dataphase is to drop the tcp
1477 conn before the final dot.
1479 client_conn_ctx tmp_ctx = cutthrough.cctx;
1480 ctctx.outblock.ptr = ctbuffer;
1481 smtp_debug_cmd(US"QUIT", 0);
1482 _cutthrough_puts(US"QUIT\r\n", 6); /* avoid recursion */
1483 _cutthrough_flush_send();
1484 cutthrough.cctx.sock = -1; /* avoid recursion via read timeout */
1485 cutthrough.nrcpt = 0; /* permit re-cutthrough on subsequent message */
1487 /* Wait a short time for response, and discard it */
1488 cutthrough_response(&tmp_ctx, '2', NULL, 1);
1491 if (cutthrough.is_tls)
1493 tls_close(cutthrough.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
1494 cutthrough.cctx.tls_ctx = NULL;
1495 cutthrough.is_tls = FALSE;
1498 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP(close)>>\n");
1500 smtp_debug_cmd_report();
1501 HDEBUG(D_acl) debug_printf_indent("----------- cutthrough shutdown (%s) ------------\n", why);
1503 ctctx.outblock.ptr = ctbuffer;
1507 cancel_cutthrough_connection(BOOL close_noncutthrough_verifies, const uschar * why)
1509 if (cutthrough.delivery || close_noncutthrough_verifies)
1510 close_cutthrough_connection(why);
1511 cutthrough.delivery = cutthrough.callout_hold_only = FALSE;
1516 release_cutthrough_connection(const uschar * why)
1518 if (cutthrough.cctx.sock < 0) return;
1519 HDEBUG(D_acl) debug_printf_indent("release cutthrough conn: %s\n", why);
1520 cutthrough.cctx.sock = -1;
1521 cutthrough.cctx.tls_ctx = NULL;
1522 cutthrough.delivery = cutthrough.callout_hold_only = FALSE;
1528 /* Have senders final-dot. Send one to cutthrough target, and grab the response.
1529 Log an OK response as a transmission.
1530 Close the connection.
1531 Return smtp response-class digit.
1534 cutthrough_finaldot(void)
1537 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP>> .\n");
1539 /* Assume data finshed with new-line */
1540 if( !cutthrough_puts(US".", 1)
1541 || !cutthrough_put_nl()
1542 || !cutthrough_flush_send()
1544 return cutthrough.addr.message;
1546 res = cutthrough_response(&cutthrough.cctx, '2', &cutthrough.addr.message,
1547 CUTTHROUGH_DATA_TIMEOUT);
1548 for (address_item * addr = &cutthrough.addr; addr; addr = addr->next)
1550 addr->message = cutthrough.addr.message;
1554 delivery_log(LOG_MAIN, addr, (int)'>', NULL);
1555 close_cutthrough_connection(US"delivered");
1559 delivery_log(LOG_MAIN, addr, 0,
1560 US"tmp-reject from cutthrough after DATA:");
1564 delivery_log(LOG_MAIN|LOG_REJECT, addr, 0,
1565 US"rejected after DATA:");
1572 return cutthrough.addr.message;
1577 /*************************************************
1578 * Copy error to toplevel address *
1579 *************************************************/
1581 /* This function is used when a verify fails or defers, to ensure that the
1582 failure or defer information is in the original toplevel address. This applies
1583 when an address is redirected to a single new address, and the failure or
1584 deferral happens to the child address.
1587 vaddr the verify address item
1588 addr the final address item
1591 Returns: the value of YIELD
1595 copy_error(address_item *vaddr, address_item *addr, int yield)
1599 vaddr->message = addr->message;
1600 vaddr->user_message = addr->user_message;
1601 vaddr->basic_errno = addr->basic_errno;
1602 vaddr->more_errno = addr->more_errno;
1603 vaddr->prop.address_data = addr->prop.address_data;
1604 vaddr->prop.variables = NULL;
1605 tree_dup((tree_node **)&vaddr->prop.variables, addr->prop.variables);
1606 copyflag(vaddr, addr, af_pass_message);
1614 /**************************************************
1615 * printf that automatically handles TLS if needed *
1616 ***************************************************/
1618 /* This function is used by verify_address() as a substitute for all fprintf()
1619 calls; a direct fprintf() will not produce output in a TLS SMTP session, such
1620 as a response to an EXPN command. smtp_in.c makes smtp_printf available but
1621 that assumes that we always use the smtp_out FILE* when not using TLS or the
1622 ssl buffer when we are. Instead we take a FILE* parameter and check to see if
1623 that is smtp_out; if so, smtp_printf() with TLS support, otherwise regular
1627 f the candidate FILE* to write to
1628 format format string
1629 ... optional arguments
1635 static void PRINTF_FUNCTION(2,3)
1636 respond_printf(FILE *f, const char *format, ...)
1640 va_start(ap, format);
1641 if (smtp_out && (f == smtp_out))
1642 smtp_vprintf(format, FALSE, ap);
1644 vfprintf(f, format, ap);
1650 /*************************************************
1651 * Verify an email address *
1652 *************************************************/
1654 /* This function is used both for verification (-bv and at other times) and
1655 address testing (-bt), which is indicated by address_test_mode being set.
1658 vaddr contains the address to verify; the next field in this block
1660 fp if not NULL, write the result to this file
1661 options various option bits:
1662 vopt_fake_sender => this sender verify is not for the real
1663 sender (it was verify=sender=xxxx or an address from a
1664 header line) - rewriting must not change sender_address
1665 vopt_is_recipient => this is a recipient address, otherwise
1666 it's a sender address - this affects qualification and
1667 rewriting and messages from callouts
1668 vopt_qualify => qualify an unqualified address; else error
1669 vopt_expn => called from SMTP EXPN command
1670 vopt_success_on_redirect => when a new address is generated
1671 the verification instantly succeeds
1673 These ones are used by do_callout() -- the options variable
1676 vopt_callout_fullpm => if postmaster check, do full one
1677 vopt_callout_no_cache => don't use callout cache
1678 vopt_callout_random => do the "random" thing
1679 vopt_callout_recipsender => use real sender for recipient
1680 vopt_callout_recippmaster => use postmaster for recipient
1682 callout if > 0, specifies that callout is required, and gives timeout
1683 for individual commands
1684 callout_overall if > 0, gives overall timeout for the callout function;
1685 if < 0, a default is used (see do_callout())
1686 callout_connect the connection timeout for callouts
1687 se_mailfrom when callout is requested to verify a sender, use this
1688 in MAIL FROM; NULL => ""
1689 pm_mailfrom when callout is requested, if non-NULL, do the postmaster
1690 thing and use this as the sender address (may be "")
1692 routed if not NULL, set TRUE if routing succeeded, so we can
1693 distinguish between routing failed and callout failed
1695 Returns: OK address verified
1696 FAIL address failed to verify
1697 DEFER can't tell at present
1701 verify_address(address_item * vaddr, FILE * fp, int options, int callout,
1702 int callout_overall, int callout_connect, uschar * se_mailfrom,
1703 uschar *pm_mailfrom, BOOL *routed)
1706 BOOL full_info = fp ? debug_selector != 0 : FALSE;
1707 BOOL expn = (options & vopt_expn) != 0;
1708 BOOL success_on_redirect = (options & vopt_success_on_redirect) != 0;
1711 int verify_type = expn ? v_expn :
1712 f.address_test_mode ? v_none :
1713 options & vopt_is_recipient ? v_recipient : v_sender;
1714 address_item * addr_list, * addr_new = NULL, * addr_remote = NULL;
1715 address_item * addr_local = NULL, * addr_succeed = NULL;
1716 uschar ** failure_ptr = options & vopt_is_recipient
1717 ? &recipient_verify_failure : &sender_verify_failure;
1718 uschar * ko_prefix, * cr;
1719 const uschar * address = vaddr->address, * save_sender;
1720 uschar null_sender[] = { 0 }; /* Ensure writeable memory */
1722 /* Clear, just in case */
1724 *failure_ptr = NULL;
1726 /* Set up a prefix and suffix for error message which allow us to use the same
1727 output statements both in EXPN mode (where an SMTP response is needed) and when
1728 debugging with an output file. */
1732 ko_prefix = US"553 ";
1735 else ko_prefix = cr = US"";
1737 /* Add qualify domain if permitted; otherwise an unqualified address fails. */
1739 if (parse_find_at(address) == NULL)
1741 if (!(options & vopt_qualify))
1744 respond_printf(fp, "%sA domain is required for \"%s\"%s\n",
1745 ko_prefix, address, cr);
1746 *failure_ptr = US"qualify";
1749 /* deconst ok as address was not const */
1750 address = US rewrite_address_qualify(address, options & vopt_is_recipient);
1755 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1756 debug_printf("%s %s\n", f.address_test_mode? "Testing" : "Verifying", address);
1759 /* Rewrite and report on it. Clear the domain and local part caches - these
1760 may have been set by domains and local part tests during an ACL. */
1762 if (global_rewrite_rules)
1764 const uschar * old = address;
1765 address = rewrite_address(address, options & vopt_is_recipient, FALSE,
1766 global_rewrite_rules, rewrite_existflags);
1769 for (int i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->localpart_cache[i] = 0;
1770 for (int i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->domain_cache[i] = 0;
1771 if (fp && !expn) fprintf(fp, "Address rewritten as: %s\n", address);
1775 /* If this is the real sender address, we must update sender_address at
1776 this point, because it may be referred to in the routers. */
1778 if (!(options & (vopt_fake_sender|vopt_is_recipient)))
1779 sender_address = address;
1781 /* If the address was rewritten to <> no verification can be done, and we have
1782 to return OK. This rewriting is permitted only for sender addresses; for other
1783 addresses, such rewriting fails. */
1785 if (!address[0]) return OK;
1787 /* Flip the legacy TLS-related variables over to the outbound set in case
1788 they're used in the context of a transport used by verification. Reset them
1789 at exit from this routine (so no returns allowed from here on). */
1791 tls_modify_variables(&tls_out);
1793 /* Save a copy of the sender address for re-instating if we change it to <>
1794 while verifying a sender address (a nice bit of self-reference there). */
1796 save_sender = sender_address;
1798 /* Observability variable for router/transport use */
1800 verify_mode = options & vopt_is_recipient ? US"R" : US"S";
1802 /* Update the address structure with the possibly qualified and rewritten
1803 address. Set it up as the starting address on the chain of new addresses. */
1805 vaddr->address = address;
1808 /* We need a loop, because an address can generate new addresses. We must also
1809 cope with generated pipes and files at the top level. (See also the code and
1810 comment in deliver.c.) However, it is usually the case that the router for
1811 user's .forward files has its verify flag turned off.
1813 If an address generates more than one child, the loop is used only when
1814 full_info is set, and this can only be set locally. Remote enquiries just get
1815 information about the top level address, not anything that it generated. */
1820 address_item *addr = addr_new;
1822 addr_new = addr->next;
1827 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1828 debug_printf("Considering %s\n", addr->address);
1831 /* Handle generated pipe, file or reply addresses. We don't get these
1832 when handling EXPN, as it does only one level of expansion. */
1834 if (testflag(addr, af_pfr))
1841 if (addr->address[0] == '>')
1843 allow = testflag(addr, af_allow_reply);
1844 fprintf(fp, "%s -> mail %s", addr->parent->address, addr->address + 1);
1848 allow = addr->address[0] == '|'
1849 ? testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file);
1850 fprintf(fp, "%s -> %s", addr->parent->address, addr->address);
1853 if (addr->basic_errno == ERRNO_BADTRANSPORT)
1854 fprintf(fp, "\n*** Error in setting up pipe, file, or autoreply:\n"
1855 "%s\n", addr->message);
1857 fprintf(fp, "\n transport = %s\n", addr->transport->drinst.name);
1859 fprintf(fp, " *** forbidden ***\n");
1864 /* Just in case some router parameter refers to it. */
1866 return_path = addr->prop.errors_address
1867 ? addr->prop.errors_address : sender_address;
1869 /* Split the address into domain and local part, handling the %-hack if
1870 necessary, and then route it. While routing a sender address, set
1871 $sender_address to <> because that is what it will be if we were trying to
1872 send a bounce to the sender. */
1874 if (routed) *routed = FALSE;
1875 if ((rc = deliver_split_address(addr)) == OK)
1877 if (!(options & vopt_is_recipient)) sender_address = null_sender;
1878 rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
1879 &addr_succeed, verify_type);
1880 sender_address = save_sender; /* Put back the real sender */
1883 /* If routing an address succeeded, set the flag that remembers, for use when
1884 an ACL cached a sender verify (in case a callout fails). Then if routing set
1885 up a list of hosts or the transport has a host list, and the callout option
1886 is set, and we aren't in a host checking run, do the callout verification,
1887 and set another flag that notes that a callout happened. */
1891 BOOL local_verify = FALSE;
1893 if (routed) *routed = TRUE;
1896 transport_instance * tp;
1897 host_item * host_list = addr->host_list;
1899 /* Make up some data for use in the case where there is no remote
1902 transport_feedback tf = {
1903 .interface = NULL, /* interface (=> any) */
1905 .protocol = US"smtp",
1907 .helo_data = US"$smtp_active_hostname",
1908 .hosts_override = FALSE,
1909 .hosts_randomize = FALSE,
1910 .gethostbyname = FALSE,
1911 .qualify_single = TRUE,
1912 .search_parents = FALSE
1915 /* If verification yielded a remote transport, we want to use that
1916 transport's options, so as to mimic what would happen if we were really
1917 sending a message to this address. */
1919 if ((tp = addr->transport))
1921 transport_info * ti = tp->drinst.info;
1924 (void)(tp->setup)(tp, addr, &tf, 0, 0, NULL);
1926 /* If the transport has hosts and the router does not, or if the
1927 transport is configured to override the router's hosts, we must build a
1928 host list of the transport's hosts, and find the IP addresses */
1930 if (tf.hosts && (!host_list || tf.hosts_override))
1933 const uschar * save_deliver_domain = deliver_domain;
1934 const uschar * save_deliver_localpart = deliver_localpart;
1936 host_list = NULL; /* Ignore the router's hosts */
1938 deliver_domain = addr->domain;
1939 deliver_localpart = addr->local_part;
1940 s = expand_string(tf.hosts);
1941 deliver_domain = save_deliver_domain;
1942 deliver_localpart = save_deliver_localpart;
1946 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand list of hosts "
1947 "\"%s\" in %s transport for callout: %s", tf.hosts,
1948 tp->drinst.name, expand_string_message);
1953 host_build_hostlist(&host_list, s, tf.hosts_randomize);
1955 /* Just ignore failures to find a host address. If we don't manage
1956 to find any addresses, the callout will defer. Note that more than
1957 one address may be found for a single host, which will result in
1958 additional host items being inserted into the chain. Hence we must
1959 save the next host first. */
1961 flags = HOST_FIND_BY_A | HOST_FIND_BY_AAAA;
1962 if (tf.qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
1963 if (tf.search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
1965 for (host_item * host = host_list, * nexthost; host; host = nexthost)
1967 nexthost = host->next;
1968 if (tf.gethostbyname ||
1969 string_is_ip_address(host->name, NULL) != 0)
1970 (void)host_find_byname(host, NULL, flags, NULL, TRUE);
1973 const dnssec_domains * dsp = NULL;
1974 if (Ustrcmp(tp->drinst.driver_name, "smtp") == 0)
1976 smtp_transport_options_block * ob = tp->drinst.options_block;
1980 (void) host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
1987 else if ( options & vopt_quota
1988 && Ustrcmp(tp->drinst.driver_name, "appendfile") == 0)
1989 local_verify = TRUE;
1992 /* Can only do a callout if we have at least one host! If the callout
1993 fails, it will have set ${sender,recipient}_verify_failure. */
1997 HDEBUG(D_verify) debug_printf("Attempting full verification using callout\n");
1998 if (host_checking && !f.host_checking_callout)
2001 debug_printf("... callout omitted by default when host testing\n"
2002 "(Use -bhc if you want the callouts to happen.)\n");
2007 deliver_set_expansions(addr);
2009 rc = do_callout(addr, host_list, &tf, callout, callout_overall,
2010 callout_connect, options, se_mailfrom, pm_mailfrom);
2012 deliver_set_expansions(NULL);
2014 if ( options & vopt_is_recipient
2016 /* set to "random", with OK, for an accepted random */
2017 && !recipient_verify_failure
2019 callout_verified_rcpt(addr);
2022 else if (local_verify)
2024 HDEBUG(D_verify) debug_printf("Attempting quota verification\n");
2026 deliver_set_expansions(addr);
2027 deliver_local(addr, TRUE);
2028 rc = addr->transport_return;
2031 HDEBUG(D_verify) debug_printf("Cannot do callout: neither router nor "
2032 "transport provided a host list, or transport is not smtp\n");
2036 /* Otherwise, any failure is a routing failure */
2038 else *failure_ptr = US"route";
2040 /* A router may return REROUTED if it has set up a child address as a result
2041 of a change of domain name (typically from widening). In this case we always
2042 want to continue to verify the new child. */
2044 if (rc == REROUTED) continue;
2046 /* Handle hard failures */
2053 address_item *p = addr->parent;
2055 respond_printf(fp, "%s%s %s", ko_prefix,
2056 full_info ? addr->address : address,
2057 f.address_test_mode ? "is undeliverable" : "failed to verify");
2058 if (!expn && f.admin_user)
2060 if (addr->basic_errno > 0)
2061 respond_printf(fp, ": %s", strerror(addr->basic_errno));
2063 respond_printf(fp, ": %s", addr->message);
2066 /* Show parents iff doing full info */
2068 if (full_info) while (p)
2070 respond_printf(fp, "%s\n <-- %s", cr, p->address);
2073 respond_printf(fp, "%s\n", cr);
2075 cancel_cutthrough_connection(TRUE, US"routing hard fail");
2079 yield = copy_error(vaddr, addr, FAIL);
2087 else if (rc == DEFER)
2092 address_item *p = addr->parent;
2093 respond_printf(fp, "%s%s cannot be resolved at this time", ko_prefix,
2094 full_info? addr->address : address);
2095 if (!expn && f.admin_user)
2097 if (addr->basic_errno > 0)
2098 respond_printf(fp, ": %s", strerror(addr->basic_errno));
2100 respond_printf(fp, ": %s", addr->message);
2101 else if (addr->basic_errno <= 0)
2102 respond_printf(fp, ": unknown error");
2105 /* Show parents iff doing full info */
2107 if (full_info) while (p)
2109 respond_printf(fp, "%s\n <-- %s", cr, p->address);
2112 respond_printf(fp, "%s\n", cr);
2114 cancel_cutthrough_connection(TRUE, US"routing soft fail");
2118 yield = copy_error(vaddr, addr, DEFER);
2121 if (yield == OK) yield = DEFER;
2124 /* If we are handling EXPN, we do not want to continue to route beyond
2125 the top level (whose address is in "address"). */
2129 uschar *ok_prefix = US"250-";
2132 if (!addr_local && !addr_remote)
2133 respond_printf(fp, "250 mail to <%s> is discarded\r\n", address);
2135 respond_printf(fp, "250 <%s>\r\n", address);
2139 address_item *addr2 = addr_new;
2140 addr_new = addr2->next;
2141 if (!addr_new) ok_prefix = US"250 ";
2142 respond_printf(fp, "%s<%s>\r\n", ok_prefix, addr2->address);
2148 /* Successful routing other than EXPN. */
2152 /* Handle successful routing when short info wanted. Otherwise continue for
2153 other (generated) addresses. Short info is the operational case. Full info
2154 can be requested only when debug_selector != 0 and a file is supplied.
2156 There is a conflict between the use of aliasing as an alternate email
2157 address, and as a sort of mailing list. If an alias turns the incoming
2158 address into just one address (e.g. J.Caesar->jc44) you may well want to
2159 carry on verifying the generated address to ensure it is valid when
2160 checking incoming mail. If aliasing generates multiple addresses, you
2161 probably don't want to do this. Exim therefore treats the generation of
2162 just a single new address as a special case, and continues on to verify the
2163 generated address. */
2165 if ( !full_info /* Stop if short info wanted AND */
2166 && ( ( !addr_new /* No new address OR */
2167 || addr_new->next /* More than one new address OR */
2168 || testflag(addr_new, af_pfr) /* New address is pfr */
2171 ( addr_new /* At least one new address AND */
2172 && success_on_redirect /* success_on_redirect is set */
2176 if (fp) fprintf(fp, "%s %s\n",
2177 address, f.address_test_mode ? "is deliverable" : "verified");
2179 /* If we have carried on to verify a child address, we want the value
2180 of $address_data to be that of the child */
2182 vaddr->prop.address_data = addr->prop.address_data;
2183 vaddr->prop.variables = NULL;
2184 tree_dup((tree_node **)&vaddr->prop.variables, addr->prop.variables);
2186 /* If stopped because more than one new address, cannot cutthrough */
2188 if (addr_new && addr_new->next)
2189 cancel_cutthrough_connection(TRUE, US"multiple addresses from routing");
2195 } /* Loop for generated addresses */
2197 /* Display the full results of the successful routing, including any generated
2198 addresses. Control gets here only when full_info is set, which requires fp not
2199 to be NULL, and this occurs only when a top-level verify is called with the
2200 debugging switch on.
2202 If there are no local and no remote addresses, and there were no pipes, files,
2203 or autoreplies, and there were no errors or deferments, the message is to be
2204 discarded, usually because of the use of :blackhole: in an alias file. */
2206 if (allok && !addr_local && !addr_remote)
2208 fprintf(fp, "mail to %s is discarded\n", address);
2212 for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
2215 address_item *addr = addr_list;
2216 transport_instance * tp = addr->transport;
2218 addr_list = addr->next;
2220 fprintf(fp, "%s", CS addr->address);
2222 /* If the address is a duplicate, show something about it. */
2224 if (!testflag(addr, af_pfr))
2227 if ((tnode = tree_search(tree_duplicates, addr->unique)))
2228 fprintf(fp, " [duplicate, would not be delivered]");
2229 else tree_add_duplicate(addr->unique, addr);
2232 /* Now show its parents */
2234 for (address_item * p = addr->parent; p; p = p->parent)
2235 fprintf(fp, "\n <-- %s", p->address);
2238 /* Show router, and transport */
2240 fprintf(fp, "router = %s, transport = %s\n",
2241 addr->router->drinst.name, tp ? tp->drinst.name : US"unset");
2243 /* Show any hosts that are set up by a router unless the transport
2244 is going to override them; fiddle a bit to get a nice format. */
2246 if (addr->host_list && tp && !tp->overrides_hosts)
2248 transport_info * ti = tp->drinst.info;
2251 for (host_item * h = addr->host_list; h; h = h->next)
2252 { /* get max lengths of host names, addrs */
2253 int len = Ustrlen(h->name);
2254 if (len > maxlen) maxlen = len;
2255 len = h->address ? Ustrlen(h->address) : 7;
2256 if (len > maxaddlen) maxaddlen = len;
2258 for (host_item * h = addr->host_list; h; h = h->next)
2260 fprintf(fp, " host %-*s ", maxlen, h->name);
2263 fprintf(fp, "[%s%-*c", h->address, maxaddlen+1 - Ustrlen(h->address), ']');
2265 fprintf(fp, " %-*s ", maxaddlen, ""); /* Omit [unknown] for local */
2267 fprintf(fp, "[%s%-*c", "unknown", maxaddlen+1 - 7, ']');
2269 if (h->mx >= 0) fprintf(fp, " MX=%d", h->mx);
2270 if (h->port != PORT_NONE) fprintf(fp, " port=%d", h->port);
2271 if (f.running_in_test_harness && h->dnssec == DS_YES) fputs(" AD", fp);
2272 if (h->status == hstatus_unusable) fputs(" ** unusable **", fp);
2278 /* Yield will be DEFER or FAIL if any one address has, only for full_info (which is
2279 the -bv or -bt case). */
2283 if (!(options & vopt_atrn))
2284 tls_modify_variables(&tls_in); /* return variables to inbound values */
2292 /*************************************************
2293 * Check headers for syntax errors *
2294 *************************************************/
2296 /* This function checks those header lines that contain addresses, and verifies
2297 that all the addresses therein are 5322-syntactially correct.
2300 msgptr where to put an error message
2307 verify_check_headers(uschar **msgptr)
2312 for (header_line * h = header_list; h && yield == OK; h = h->next)
2314 if (h->type != htype_from &&
2315 h->type != htype_reply_to &&
2316 h->type != htype_sender &&
2317 h->type != htype_to &&
2318 h->type != htype_cc &&
2319 h->type != htype_bcc)
2322 colon = Ustrchr(h->text, ':');
2324 Uskip_whitespace(&s);
2326 /* Loop for multiple addresses in the header, enabling group syntax. Note
2327 that we have to reset this after the header has been scanned. */
2329 f.parse_allow_group = TRUE;
2333 uschar *ss = parse_find_address_end(s, FALSE);
2334 uschar *recipient, *errmess;
2335 int terminator = *ss;
2336 int start, end, domain;
2338 /* Temporarily terminate the string at this point, and extract the
2339 operative address within, allowing group syntax. */
2342 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
2345 /* Permit an unqualified address only if the message is local, or if the
2346 sending host is configured to be permitted to send them. */
2348 if (recipient && !domain)
2350 if (h->type == htype_from || h->type == htype_sender)
2352 if (!f.allow_unqualified_sender) recipient = NULL;
2356 if (!f.allow_unqualified_recipient) recipient = NULL;
2358 if (!recipient) errmess = US"unqualified address not permitted";
2361 /* It's an error if no address could be extracted, except for the special
2362 case of an empty address. */
2364 if (!recipient && Ustrcmp(errmess, "empty address") != 0)
2366 uschar *verb = US"is";
2371 /* Arrange not to include any white space at the end in the
2372 error message or the header name. */
2374 while (t > s && isspace(t[-1])) t--;
2375 while (tt > h->text && isspace(tt[-1])) tt--;
2377 /* Add the address that failed to the error message, since in a
2378 header with very many addresses it is sometimes hard to spot
2379 which one is at fault. However, limit the amount of address to
2380 quote - cases have been seen where, for example, a missing double
2381 quote in a humungous To: header creates an "address" that is longer
2382 than string_sprintf can handle. */
2391 /* deconst cast ok as we're passing a non-const to string_printing() */
2392 *msgptr = US string_printing(
2393 string_sprintf("%s: failing address in \"%.*s:\" header %s: %.*s",
2394 errmess, (int)(tt - h->text), h->text, verb, len, s));
2397 break; /* Out of address loop */
2400 /* Advance to the next address */
2402 s = ss + (terminator ? 1 : 0);
2403 Uskip_whitespace(&s);
2404 } /* Next address */
2406 f.parse_allow_group = FALSE;
2407 f.parse_found_group = FALSE;
2408 } /* Next header unless yield has been set FALSE */
2414 /*************************************************
2415 * Check header names for 8-bit characters *
2416 *************************************************/
2418 /* This function checks for invalid characters in header names. See
2419 RFC 5322, 2.2. and RFC 6532, 3.
2422 msgptr where to put an error message
2429 verify_check_header_names_ascii(uschar **msgptr)
2433 for (header_line * h = header_list; h; h = h->next)
2435 colon = Ustrchr(h->text, ':');
2436 for(uschar * s = h->text; s < colon; s++)
2437 if ((*s < 33) || (*s > 126))
2439 *msgptr = string_sprintf("Invalid character in header \"%.*s\" found",
2440 (int)(colon - h->text), h->text);
2447 /*************************************************
2448 * Check for blind recipients *
2449 *************************************************/
2451 /* This function checks that every (envelope) recipient is mentioned in either
2452 the To: or Cc: header lines, thus detecting blind carbon copies.
2454 There are two ways of scanning that could be used: either scan the header lines
2455 and tick off the recipients, or scan the recipients and check the header lines.
2456 The original proposed patch did the former, but I have chosen to do the latter,
2457 because (a) it requires no memory and (b) will use fewer resources when there
2458 are many addresses in To: and/or Cc: and only one or two envelope recipients.
2460 Arguments: case_sensitive true if case sensitive matching should be used
2461 Returns: OK if there are no blind recipients
2462 FAIL if there is at least one blind recipient
2466 verify_check_notblind(BOOL case_sensitive)
2468 for (int i = 0; i < recipients_count; i++)
2471 const uschar * address = recipients_list[i].address;
2473 for (header_line * h = header_list; !found && h; h = h->next)
2475 uschar * colon, * s;
2477 if (h->type != htype_to && h->type != htype_cc) continue;
2479 colon = Ustrchr(h->text, ':');
2481 Uskip_whitespace(&s);
2483 /* Loop for multiple addresses in the header, enabling group syntax. Note
2484 that we have to reset this after the header has been scanned. */
2486 f.parse_allow_group = TRUE;
2490 uschar * ss = parse_find_address_end(s, FALSE);
2491 uschar * recipient, * errmess;
2492 int terminator = *ss;
2493 int start, end, domain;
2495 /* Temporarily terminate the string at this point, and extract the
2496 operative address within, allowing group syntax. */
2499 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
2502 /* If we found a valid recipient that has a domain, compare it with the
2503 envelope recipient. Local parts are compared with case-sensitivity
2504 according to the routine arg, domains case-insensitively.
2505 By comparing from the start with length "domain", we include the "@" at
2506 the end, which ensures that we are comparing the whole local part of each
2509 if (recipient && domain != 0)
2510 if ((found = (case_sensitive
2511 ? Ustrncmp(recipient, address, domain) == 0
2512 : strncmpic(recipient, address, domain) == 0)
2513 && strcmpic(recipient + domain, address + domain) == 0))
2516 /* Advance to the next address */
2518 s = ss + (terminator ? 1:0);
2519 Uskip_whitespace(&s);
2520 } /* Next address */
2522 f.parse_allow_group = FALSE;
2523 f.parse_found_group = FALSE;
2524 } /* Next header (if found is false) */
2526 if (!found) return FAIL;
2527 } /* Next recipient */
2534 /*************************************************
2535 * Find if verified sender *
2536 *************************************************/
2538 /* Usually, just a single address is verified as the sender of the message.
2539 However, Exim can be made to verify other addresses as well (often related in
2540 some way), and this is useful in some environments. There may therefore be a
2541 chain of such addresses that have previously been tested. This function finds
2542 whether a given address is on the chain.
2544 Arguments: the address to be verified
2545 Returns: pointer to an address item, or NULL
2549 verify_checked_sender(const uschar * sender)
2551 for (address_item * addr = sender_verified_list; addr; addr = addr->next)
2552 if (Ustrcmp(sender, addr->address) == 0) return addr;
2560 /*************************************************
2561 * Get valid header address *
2562 *************************************************/
2564 /* Scan the originator headers of the message, looking for an address that
2565 verifies successfully. RFC 822 says:
2567 o The "Sender" field mailbox should be sent notices of
2568 any problems in transport or delivery of the original
2569 messages. If there is no "Sender" field, then the
2570 "From" field mailbox should be used.
2572 o If the "Reply-To" field exists, then the reply should
2573 go to the addresses indicated in that field and not to
2574 the address(es) indicated in the "From" field.
2576 So we check a Sender field if there is one, else a Reply_to field, else a From
2577 field. As some strange messages may have more than one of these fields,
2578 especially if they are resent- fields, check all of them if there is more than
2582 user_msgptr points to where to put a user error message
2583 log_msgptr points to where to put a log error message
2584 callout timeout for callout check (passed to verify_address())
2585 callout_overall overall callout timeout (ditto)
2586 callout_connect connect callout timeout (ditto)
2587 se_mailfrom mailfrom for verify; NULL => ""
2588 pm_mailfrom sender for pm callout check (passed to verify_address())
2589 options callout options (passed to verify_address())
2590 verrno where to put the address basic_errno
2592 If log_msgptr is set to something without setting user_msgptr, the caller
2593 normally uses log_msgptr for both things.
2595 Returns: result of the verification attempt: OK, FAIL, or DEFER;
2596 FAIL is given if no appropriate headers are found
2600 verify_check_header_address(uschar **user_msgptr, uschar **log_msgptr,
2601 int callout, int callout_overall, int callout_connect, uschar *se_mailfrom,
2602 uschar *pm_mailfrom, int options, int *verrno)
2604 static int header_types[] = { htype_sender, htype_reply_to, htype_from };
2608 for (int i = 0; i < 3 && !done; i++)
2609 for (header_line * h = header_list; h != NULL && !done; h = h->next)
2611 int terminator, new_ok;
2612 uschar *s, *ss, *endname;
2614 if (h->type != header_types[i]) continue;
2615 s = endname = Ustrchr(h->text, ':') + 1;
2617 /* Scan the addresses in the header, enabling group syntax. Note that we
2618 have to reset this after the header has been scanned. */
2620 f.parse_allow_group = TRUE;
2624 address_item * vaddr;
2626 while (isspace(*s) || *s == ',') s++;
2627 if (!*s) break; /* End of header */
2629 ss = parse_find_address_end(s, FALSE);
2631 /* The terminator is a comma or end of header, but there may be white
2632 space preceding it (including newline for the last address). Move back
2633 past any white space so we can check against any cached envelope sender
2634 address verifications. */
2636 while (isspace(ss[-1])) ss--;
2640 HDEBUG(D_verify) debug_printf("verifying %.*s header address %s\n",
2641 (int)(endname - h->text), h->text, s);
2643 /* See if we have already verified this address as an envelope sender,
2644 and if so, use the previous answer. */
2646 vaddr = verify_checked_sender(s);
2648 if (vaddr != NULL && /* Previously checked */
2649 (callout <= 0 || /* No callout needed; OR */
2650 vaddr->special_action > 256)) /* Callout was done */
2652 new_ok = vaddr->special_action & 255;
2653 HDEBUG(D_verify) debug_printf("previously checked as envelope sender\n");
2654 *ss = terminator; /* Restore shortened string */
2657 /* Otherwise we run the verification now. We must restore the shortened
2658 string before running the verification, so the headers are correct, in
2659 case there is any rewriting. */
2663 int start, end, domain;
2664 uschar *address = parse_extract_address(s, log_msgptr, &start, &end,
2669 /* If we found an empty address, just carry on with the next one, but
2670 kill the message. */
2672 if (!address && Ustrcmp(*log_msgptr, "empty address") == 0)
2679 /* If verification failed because of a syntax error, fail this
2680 function, and ensure that the failing address gets added to the error
2686 while (ss > s && isspace(ss[-1])) ss--;
2687 *log_msgptr = string_sprintf("syntax error in '%.*s' header when "
2688 "scanning for sender: %s in \"%.*s\"",
2689 (int)(endname - h->text), h->text, *log_msgptr, (int)(ss - s), s);
2695 /* Else go ahead with the sender verification. But it isn't *the*
2696 sender of the message, so set vopt_fake_sender to stop sender_address
2697 being replaced after rewriting or qualification. */
2701 vaddr = deliver_make_addr(address, FALSE);
2702 new_ok = verify_address(vaddr, NULL, options | vopt_fake_sender,
2703 callout, callout_overall, callout_connect, se_mailfrom,
2708 /* We now have the result, either newly found, or cached. If we are
2709 giving out error details, set a specific user error. This means that the
2710 last of these will be returned to the user if all three fail. We do not
2711 set a log message - the generic one below will be used. */
2715 *verrno = vaddr->basic_errno;
2716 if (smtp_return_error_details)
2717 *user_msgptr = string_sprintf("Rejected after DATA: "
2718 "could not verify \"%.*s\" header address\n%s: %s",
2719 (int)(endname - h->text), h->text, vaddr->address, vaddr->message);
2722 /* Success or defer */
2731 if (new_ok == DEFER) yield = DEFER;
2733 /* Move on to any more addresses in the header */
2736 } /* Next address */
2738 f.parse_allow_group = FALSE;
2739 f.parse_found_group = FALSE;
2740 } /* Next header, unless done */
2741 /* Next header type unless done */
2743 if (yield == FAIL && *log_msgptr == NULL)
2744 *log_msgptr = US"there is no valid sender in any header line";
2746 if (yield == DEFER && *log_msgptr == NULL)
2747 *log_msgptr = US"all attempts to verify a sender in a header line deferred";
2755 /*************************************************
2756 * Get RFC 1413 identification *
2757 *************************************************/
2759 /* Attempt to get an id from the sending machine via the RFC 1413 protocol. If
2760 the timeout is set to zero, then the query is not done. There may also be lists
2761 of hosts and nets which are exempt. To guard against malefactors sending
2762 non-printing characters which could, for example, disrupt a message's headers,
2763 make sure the string consists of printing characters only.
2766 port the port to connect to; usually this is IDENT_PORT (113), but when
2767 running in the test harness with -bh a different value is used.
2771 Side effect: any received ident value is put in sender_ident (NULL otherwise)
2775 verify_get_ident(int port)
2777 client_conn_ctx ident_conn_ctx = {0};
2779 int received_sender_port, received_interface_port, n;
2782 uschar buffer[2048];
2784 /* Default is no ident. Check whether we want to do an ident check for this
2787 sender_ident = NULL;
2788 if (rfc1413_query_timeout <= 0 || verify_check_host(&rfc1413_hosts) != OK)
2791 DEBUG(D_ident) debug_printf("doing ident callback\n");
2793 /* Set up a connection to the ident port of the remote host. Bind the local end
2794 to the incoming interface address. If the sender host address is an IPv6
2795 address, the incoming interface address will also be IPv6. */
2797 host_af = Ustrchr(sender_host_address, ':') == NULL ? AF_INET : AF_INET6;
2798 if ((ident_conn_ctx.sock = ip_socket(SOCK_STREAM, host_af)) < 0) return;
2800 if (ip_bind(ident_conn_ctx.sock, host_af, interface_address, 0) < 0)
2802 DEBUG(D_ident) debug_printf("bind socket for ident failed: %s\n",
2807 /* Construct and send the query. */
2809 qlen = snprintf(CS buffer, sizeof(buffer), "%d , %d\r\n",
2810 sender_host_port, interface_port);
2811 early_data.data = buffer;
2812 early_data.len = qlen;
2814 /*XXX we trust that the query is idempotent */
2815 if (ip_connect(ident_conn_ctx.sock, host_af, sender_host_address, port,
2816 rfc1413_query_timeout, &early_data) < 0)
2818 if (errno == ETIMEDOUT && LOGGING(ident_timeout))
2819 log_write(0, LOG_MAIN, "ident connection to %s timed out",
2820 sender_host_address);
2822 DEBUG(D_ident) debug_printf("ident connection to %s failed: %s\n",
2823 sender_host_address, strerror(errno));
2827 /* Read a response line. We put it into the rest of the buffer, using several
2828 recv() calls if necessary. */
2836 int size = sizeof(buffer) - (p - buffer);
2838 if (size <= 0) goto END_OFF; /* Buffer filled without seeing \n. */
2839 count = ip_recv(&ident_conn_ctx, p, size, time(NULL) + rfc1413_query_timeout);
2840 if (count <= 0) goto END_OFF; /* Read error or EOF */
2842 /* Scan what we just read, to see if we have reached the terminating \r\n. Be
2843 generous, and accept a plain \n terminator as well. The only illegal
2846 for (pp = p; pp < p + count; pp++)
2848 if (*pp == 0) goto END_OFF; /* Zero octet not allowed */
2851 if (pp[-1] == '\r') pp--;
2853 goto GOT_DATA; /* Break out of both loops */
2857 /* Reached the end of the data without finding \n. Let the loop continue to
2858 read some more, if there is room. */
2865 /* We have received a line of data. Check it carefully. It must start with the
2866 same two port numbers that we sent, followed by data as defined by the RFC. For
2869 12345 , 25 : USERID : UNIX :root
2871 However, the amount of white space may be different to what we sent. In the
2872 "osname" field there may be several sub-fields, comma separated. The data we
2873 actually want to save follows the third colon. Some systems put leading spaces
2874 in it - we discard those. */
2876 if (sscanf(CS buffer + qlen, "%d , %d%n", &received_sender_port,
2877 &received_interface_port, &n) != 2 ||
2878 received_sender_port != sender_host_port ||
2879 received_interface_port != interface_port)
2882 p = buffer + qlen + n;
2883 Uskip_whitespace(&p);
2884 if (*p++ != ':') goto END_OFF;
2885 Uskip_whitespace(&p);
2886 if (Ustrncmp(p, "USERID", 6) != 0) goto END_OFF;
2888 Uskip_whitespace(&p);
2889 if (*p++ != ':') goto END_OFF;
2890 while (*p && *p != ':') p++;
2891 if (!*p++) goto END_OFF;
2892 Uskip_whitespace(&p);
2893 if (!*p) goto END_OFF;
2895 /* The rest of the line is the data we want. We turn it into printing
2896 characters when we save it, so that it cannot mess up the format of any logging
2897 or Received: lines into which it gets inserted. We keep a maximum of 127
2898 characters. The deconst cast is ok as we fed a nonconst to string_printing() */
2900 sender_ident = US string_printing(string_copyn(p, 127));
2901 DEBUG(D_ident) debug_printf("sender_ident = %s\n", sender_ident);
2904 (void)close(ident_conn_ctx.sock);
2911 /*************************************************
2912 * Match host to a single host-list item *
2913 *************************************************/
2915 /* This function compares a host (name or address) against a single item
2916 from a host list. The host name gets looked up if it is needed and is not
2917 already known. The function is called from verify_check_this_host() via
2918 match_check_list(), which is why most of its arguments are in a single block.
2921 arg the argument block (see below)
2922 ss the host-list item
2923 valueptr where to pass back looked up data, or NULL
2924 error for error message when returning ERROR
2927 host_name (a) the host name, or
2928 (b) NULL, implying use sender_host_name and
2929 sender_host_aliases, looking them up if required, or
2930 (c) the empty string, meaning that only IP address matches
2932 host_address the host address
2933 host_ipv4 the IPv4 address taken from an IPv6 one
2937 DEFER lookup deferred
2938 ERROR (a) failed to find the host name or IP address, or
2939 (b) unknown lookup type specified, or
2940 (c) host name encountered when only IP addresses are
2945 check_host(void * arg, const uschar * ss, const uschar ** valueptr, uschar ** error)
2947 check_host_block * cb = (check_host_block *)arg;
2950 BOOL iplookup = FALSE, isquery = FALSE;
2951 BOOL isiponly = cb->host_name && !cb->host_name[0];
2953 uschar * semicolon, * endname, * opts;
2956 /* Optimize for the special case when the pattern is "*". */
2958 if (*ss == '*' && !ss[1]) return OK;
2960 /* If the pattern is empty, it matches only in the case when there is no host -
2961 this can occur in ACL checking for SMTP input using the -bs option. In this
2962 situation, the host address is the empty string. */
2964 if (!cb->host_address[0]) return *ss ? FAIL : OK;
2965 if (!*ss) return FAIL;
2967 /* If the pattern is precisely "@" then match against the primary host name,
2968 provided that host name matching is permitted; if it's "@[]" match against the
2969 local host's IP addresses. */
2974 if (isiponly) return ERROR;
2975 ss = primary_hostname;
2977 else if (Ustrcmp(ss, "@[]") == 0)
2979 for (ip_address_item * ip = host_find_interfaces(); ip; ip = ip->next)
2980 if (Ustrcmp(ip->address, cb->host_address) == 0) return OK;
2984 /* If the pattern is an IP address, optionally followed by a bitmask count, do
2985 a (possibly masked) comparison with the current IP address. */
2987 if (string_is_ip_address(ss, &maskoffset) != 0)
2988 return host_is_in_net(cb->host_address, ss, maskoffset) ? OK : FAIL;
2990 /* The pattern is not an IP address. A common error that people make is to omit
2991 one component of an IPv4 address, either by accident, or believing that, for
2992 example, 1.2.3/24 is the same as 1.2.3.0/24, or 1.2.3 is the same as 1.2.3.0,
2993 which it isn't. (Those applications that do accept 1.2.3 as an IP address
2994 interpret it as 1.2.0.3 because the final component becomes 16-bit - this is an
2995 ancient specification.) To aid in debugging these cases, we give a specific
2996 error if the pattern contains only digits and dots or contains a slash preceded
2997 only by digits and dots (a slash at the start indicates a file name and of
2998 course slashes may be present in lookups, but not preceded only by digits and
2999 dots). Then the equivalent for IPv6 (roughly). */
3001 if (Ustrchr(ss, ':'))
3003 for (t = ss; isxdigit(*t) || *t == ':' || *t == '.'; ) t++;
3004 if (!*t || (*t == '/' || *t == '%') && t != ss)
3006 *error = string_sprintf("malformed IPv6 address or address mask: %.*s", (int)(t - ss), ss);
3012 for (t = ss; isdigit(*t) || *t == '.'; ) t++;
3013 if (!*t || (*t == '/' && t != ss))
3015 *error = string_sprintf("malformed IPv4 address or address mask: %.*s", (int)(t - ss), ss);
3020 /* See if there is a semicolon in the pattern, separating a searchtype
3021 prefix. If there is one then check for comma-sep options. */
3023 if ((semicolon = Ustrchr(ss, ';')))
3024 if ((opts = Ustrchr(ss, ',')) && opts < semicolon)
3027 opts = string_copyn(opts, semicolon - opts);
3031 endname = semicolon;
3037 /* If we are doing an IP address only match, then all lookups must be IP
3038 address lookups, even if there is no "net-". */
3041 iplookup = semicolon != NULL;
3043 /* Otherwise, if the item is of the form net[n]-lookup;<file|query> then it is
3044 a lookup on a masked IP network, in textual form. We obey this code even if we
3045 have already set iplookup, so as to skip over the "net-" prefix and to set the
3046 mask length. The net- stuff really only applies to single-key lookups where the
3047 key is implicit. For query-style lookups the key is specified in the query.
3048 From release 4.30, the use of net- for query style is no longer needed, but we
3049 retain it for backward compatibility. */
3051 if (Ustrncmp(ss, "net", 3) == 0 && semicolon)
3054 for (t = ss + 3; isdigit(*t); t++) mlen = mlen * 10 + *t - '0';
3055 if (mlen == 0 && t == ss+3) mlen = -1; /* No mask supplied */
3056 iplookup = *t++ == '-';
3061 /* Do the IP address lookup if that is indeed what we have */
3065 const lookup_info * li;
3066 int incoming[4], insize;
3068 uschar * filename, * key, * result;
3071 /* Find the search type */
3073 if (!(li = search_findtype(t, endname - t)))
3074 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", search_error_message);
3076 /* Adjust parameters for the type of lookup. For a query-style lookup, there
3077 is no file name, and the "key" is just the query. For query-style with a file
3078 name, we have to fish the file off the start of the query. For a single-key
3079 lookup, the key is the current IP address, masked appropriately, and
3080 reconverted to text form, with the mask appended. For IPv6 addresses, specify
3081 dot separators instead of colons, except when the lookup type is "iplsearch".
3084 if (mac_islookup(li, lookup_absfilequery))
3086 filename = semicolon + 1;
3088 Uskip_nonwhite(&key);
3089 filename = string_copyn(filename, key - filename);
3090 Uskip_whitespace(&key);
3092 else if (mac_islookup(li, lookup_querystyle))
3095 key = semicolon + 1;
3097 else /* Single-key style */
3099 int sep = Ustrcmp(li->name, "iplsearch") == 0 ? ':' : '.';
3100 insize = host_aton(cb->host_address, incoming);
3101 host_mask(insize, incoming, mlen);
3102 (void) host_nmtoa(insize, incoming, mlen, buffer, sep);
3104 filename = semicolon + 1;
3107 /* Now do the actual lookup; note that there is no search_close() because
3108 of the caching arrangements. */
3110 if (!(handle = search_open(filename, li, 0, NULL, NULL)))
3111 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", search_error_message);
3113 result = search_find(handle, filename, key, -1, NULL, 0, 0, NULL, opts);
3114 if (valueptr) *valueptr = result;
3115 return result ? OK : f.search_find_defer ? DEFER: FAIL;
3118 /* The pattern is not an IP address or network reference of any kind. That is,
3119 it is a host name pattern. If this is an IP only match, there's an error in the
3124 *error = US"cannot match host name in match_ip list";
3128 /* Check the characters of the pattern to see if they comprise only letters,
3129 digits, full stops, and hyphens (the constituents of domain names). Allow
3130 underscores, as they are all too commonly found. Sigh. Also, if
3131 allow_utf8_domains is set, allow top-bit characters. */
3133 for (t = ss; *t; t++)
3134 if (!isalnum(*t) && *t != '.' && *t != '-' && *t != '_' &&
3135 (!allow_utf8_domains || *t < 128)) break;
3137 /* If the pattern is a complete domain name, with no fancy characters, look up
3138 its IP address and match against that. Note that a multi-homed host will add
3139 items to the chain. */
3150 /* Using byname rather than bydns here means we cannot determine dnssec
3151 status. On the other hand it is unclear how that could be either
3152 propagated up or enforced. */
3154 rc = host_find_byname(&h, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, FALSE);
3155 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
3157 for (host_item * hh = &h; hh; hh = hh->next)
3158 if (host_is_in_net(hh->address, cb->host_address, 0)) return OK;
3161 if (rc == HOST_FIND_AGAIN) return DEFER;
3162 *error = string_sprintf("failed to find IP address for %s", ss);
3166 /* Almost all subsequent comparisons require the host name, and can be done
3167 using the general string matching function. When this function is called for
3168 outgoing hosts, the name is always given explicitly. If it is NULL, it means we
3169 must use sender_host_name and its aliases, looking them up if necessary. */
3171 if (cb->host_name) /* Explicit host name given */
3172 return match_check_string(cb->host_name, ss, -1,
3173 MCS_PARTIAL | MCS_CASELESS | MCS_AT_SPECIAL | cb->flags, valueptr);
3175 /* Host name not given; in principle we need the sender host name and its
3176 aliases. However, for query-style lookups, we do not need the name if the
3177 query does not contain $sender_host_name. From release 4.23, a reference to
3178 $sender_host_name causes it to be looked up, so we don't need to do the lookup
3181 if ((semicolon = Ustrchr(ss, ';')))
3183 const uschar * affix, * opts;
3184 int partial, affixlen, starflags;
3185 const lookup_info * li;
3188 li = search_findtype_partial(ss, &partial, &affix, &affixlen, &starflags,
3192 if (!li) /* Unknown lookup type */
3194 log_write(0, LOG_MAIN|LOG_PANIC, "%s in host list item \"%s\"",
3195 search_error_message, ss);
3198 isquery = mac_islookup(li, lookup_querystyle|lookup_absfilequery);
3203 switch(match_check_string(US"", ss, -1,
3204 MCS_PARTIAL| MCS_CASELESS| MCS_AT_SPECIAL | (cb->flags & MCS_CACHEABLE),
3208 case DEFER: return DEFER;
3209 default: return FAIL;
3213 /* Not a query-style lookup; must ensure the host name is present, and then we
3214 do a check on the name and all its aliases. */
3216 if (!sender_host_name)
3218 HDEBUG(D_host_lookup)
3219 debug_printf_indent("sender host name required, to match against %s\n", ss);
3221 if (host_lookup_failed || host_name_lookup() != OK)
3224 *error = string_sprintf("failed to find host name for %s",
3225 sender_host_address);;
3229 host_build_sender_fullhost();
3232 /* Match on the sender host name, using the general matching function */
3234 switch(match_check_string(sender_host_name, ss, -1,
3235 MCS_PARTIAL| MCS_CASELESS| MCS_AT_SPECIAL | (cb->flags & MCS_CACHEABLE),
3239 case DEFER: return DEFER;
3242 /* If there are aliases, try matching on them. */
3244 aliases = sender_host_aliases;
3246 switch(match_check_string(*aliases++, ss, -1,
3247 MCS_PARTIAL| MCS_CASELESS| MCS_AT_SPECIAL | (cb->flags & MCS_CACHEABLE),
3251 case DEFER: return DEFER;
3259 /*************************************************
3260 * Check a specific host matches a host list *
3261 *************************************************/
3263 /* This function is passed a host list containing items in a number of
3264 different formats and the identity of a host. Its job is to determine whether
3265 the given host is in the set of hosts defined by the list. The host name is
3266 passed as a pointer so that it can be looked up if needed and not already
3267 known. This is commonly the case when called from verify_check_host() to check
3268 an incoming connection. When called from elsewhere the host name should usually
3271 This function is now just a front end to match_check_list(), which runs common
3272 code for scanning a list. We pass it the check_host() function to perform a
3276 listptr pointer to the host list
3277 cache_bits pointer to cache for named lists, or NULL
3278 host_name the host name or NULL, implying use sender_host_name and
3279 sender_host_aliases, looking them up if required
3280 host_address the IP address
3281 valueptr if not NULL, data from a lookup is passed back here
3283 Returns: OK if the host is in the defined set
3284 FAIL if the host is not in the defined set,
3285 DEFER if a data lookup deferred (not a host lookup)
3287 If the host name was needed in order to make a comparison, and could not be
3288 determined from the IP address, the result is FAIL unless the item
3289 "+allow_unknown" was met earlier in the list, in which case OK is returned. */
3292 verify_check_this_host(const uschar **listptr, unsigned int *cache_bits,
3293 const uschar *host_name, const uschar *host_address, const uschar **valueptr)
3296 unsigned int *local_cache_bits = cache_bits;
3297 const uschar *save_host_address = deliver_host_address;
3298 check_host_block cb = { .host_name = host_name, .host_address = host_address };
3300 if (valueptr) *valueptr = NULL;
3302 /* If the host address starts off ::ffff: it is an IPv6 address in
3303 IPv4-compatible mode. Find the IPv4 part for checking against IPv4
3306 cb.host_ipv4 = Ustrncmp(host_address, "::ffff:", 7) == 0
3307 ? host_address + 7 : host_address;
3309 /* During the running of the check, put the IP address into $host_address. In
3310 the case of calls from the smtp transport, it will already be there. However,
3311 in other calls (e.g. when testing ignore_target_hosts), it won't. Just to be on
3312 the safe side, any existing setting is preserved, though as I write this
3313 (November 2004) I can't see any cases where it is actually needed. */
3315 deliver_host_address = host_address;
3316 rc = match_check_list(
3317 listptr, /* the list */
3318 0, /* separator character */
3319 &hostlist_anchor, /* anchor pointer */
3320 &local_cache_bits, /* cache pointer */
3321 check_host, /* function for testing */
3322 &cb, /* argument for function */
3323 MCL_HOST, /* type of check */
3324 host_address == sender_host_address
3325 ? US"host" : host_address, /* text for debugging */
3326 valueptr); /* where to pass back data */
3327 deliver_host_address = save_host_address;
3334 /*************************************************
3335 * Check the given host item matches a list *
3336 *************************************************/
3338 verify_check_given_host(const uschar **listptr, const host_item *host)
3340 return verify_check_this_host(listptr, NULL, host->name, host->address, NULL);
3343 /*************************************************
3344 * Check the remote host matches a list *
3345 *************************************************/
3347 /* This is a front end to verify_check_this_host(), created because checking
3348 the remote host is a common occurrence. With luck, a good compiler will spot
3349 the tail recursion and optimize it. If there's no host address, this is
3350 command-line SMTP input - check against an empty string for the address.
3353 listptr pointer to the host list
3355 Returns: the yield of verify_check_this_host(),
3356 i.e. OK, FAIL, or DEFER
3360 verify_check_host(uschar **listptr)
3362 return verify_check_this_host(CUSS listptr, sender_host_cache, NULL,
3363 sender_host_address ? sender_host_address : US"", NULL);
3370 /*************************************************
3371 * Invert an IP address *
3372 *************************************************/
3374 /* Originally just used for DNS xBL lists, now also used for the
3375 reverse_ip expansion operator.
3378 buffer where to put the answer
3379 address the address to invert
3383 invert_address(uschar *buffer, uschar *address)
3386 uschar *bptr = buffer;
3388 /* If this is an IPv4 address mapped into IPv6 format, adjust the pointer
3389 to the IPv4 part only. */
3391 if (Ustrncmp(address, "::ffff:", 7) == 0) address += 7;
3393 /* Handle IPv4 address: when HAVE_IPV6 is false, the result of host_aton() is
3396 if (host_aton(address, bin) == 1)
3399 for (int i = 0; i < 4; i++)
3401 sprintf(CS bptr, "%d.", x & 255);
3402 while (*bptr) bptr++;
3407 /* Handle IPv6 address. Actually, as far as I know, there are no IPv6 addresses
3408 in any DNS black lists, and the format in which they will be looked up is
3409 unknown. This is just a guess. */
3413 for (int j = 3; j >= 0; j--)
3416 for (int i = 0; i < 8; i++)
3418 sprintf(CS bptr, "%x.", x & 15);
3419 while (*bptr) bptr++;
3425 /* Remove trailing period -- this is needed so that both arbitrary
3426 dnsbl keydomains and inverted addresses may be combined with the
3427 same format string, "%s.%s" */
3434 /****************************************************
3435 Verify a local user account for quota sufficiency
3436 ****************************************************/
3438 /* The real work, done via a re-exec for privs, calls
3439 down to the transport for the quota check.
3441 Route and transport (in recipient-verify mode) the
3444 A routing result indicating any transport type other than appendfile
3447 Return, on stdout, a result string containing:
3448 - highlevel result code (OK, DEFER, FAIL)
3455 verify_quota(uschar * address)
3457 address_item vaddr = {.address = address};
3459 uschar * msg = US"\0";
3462 if ((rc = verify_address(&vaddr, NULL, vopt_is_recipient | vopt_quota,
3463 1, 0, 0, NULL, NULL, &routed)) != OK)
3465 uschar * where = recipient_verify_failure;
3466 msg = acl_verify_message ? acl_verify_message : vaddr.message;
3467 if (!msg) msg = US"";
3468 if (rc == DEFER && vaddr.basic_errno == ERRNO_EXIMQUOTA)
3470 rc = FAIL; /* DEFER -> FAIL */
3472 vaddr.basic_errno = 0;
3474 else if (!where) where = US"";
3476 len = 5 + Ustrlen(msg) + 1 + Ustrlen(where);
3477 msg = string_sprintf("%c%c%c%c%c%s%c%s", (uschar)rc,
3478 (vaddr.basic_errno >> 24) & 0xff, (vaddr.basic_errno >> 16) & 0xff,
3479 (vaddr.basic_errno >> 8) & 0xff, vaddr.basic_errno & 0xff,
3483 DEBUG(D_verify) debug_printf_indent("verify_quota: len %d\n", len);
3484 if (write(1, msg, len) != 0) ;
3489 /******************************************************************************/
3491 /* Quota cache lookup. We use the callout hints db also for the quota cache.
3492 Return TRUE if a nonexpired record was found, having filled in the yield
3497 cached_quota_lookup(const uschar * rcpt, int * yield,
3498 int pos_cache, int neg_cache)
3500 open_db dbblock, *dbm_file = NULL;
3501 dbdata_callout_cache_address * cache_address_record;
3503 if (!pos_cache && !neg_cache)
3505 if (!(dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE, TRUE)))
3507 HDEBUG(D_verify) debug_printf_indent("quota cache: not available\n");
3510 if (!(cache_address_record = (dbdata_callout_cache_address *)
3511 get_callout_cache_record(dbm_file, rcpt, US"address",
3512 pos_cache, neg_cache)))
3514 dbfn_close(dbm_file);
3517 if (cache_address_record->result == ccache_accept)
3519 dbfn_close(dbm_file);
3523 /* Quota cache write */
3526 cache_quota_write(const uschar * rcpt, int yield, int pos_cache, int neg_cache)
3528 open_db dbblock, *dbm_file = NULL;
3529 dbdata_callout_cache_address cache_address_record;
3531 if (!pos_cache && !neg_cache)
3533 if (!(dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE, TRUE)))
3535 HDEBUG(D_verify) debug_printf_indent("quota cache: not available\n");
3539 cache_address_record.result = yield == OK ? ccache_accept : ccache_reject;
3541 (void)dbfn_write(dbm_file, rcpt, &cache_address_record,
3542 (int)sizeof(dbdata_callout_cache_address));
3543 HDEBUG(D_verify) debug_printf_indent("wrote %s quota cache record for %s\n",
3544 yield == OK ? "positive" : "negative", rcpt);
3546 dbfn_close(dbm_file);
3551 /* To evaluate a local user's quota, starting in ACL, we need to
3552 fork & exec to regain privileges, to that we can change to the user's
3553 identity for access to their files.
3556 rcpt Recipient account
3557 pos_cache Number of seconds to cache a positive result (delivery
3558 to be accepted). Zero to disable caching.
3559 neg_cache Number of seconds to cache a negative result. Zero to disable.
3560 msg Pointer to result string pointer
3562 Return: OK/DEFER/FAIL code
3566 verify_quota_call(const uschar * rcpt, int pos_cache, int neg_cache,
3569 int pfd[2], pid, save_errno, yield = FAIL;
3570 void (*oldsignal)(int);
3571 const uschar * where = US"socketpair";
3575 if (cached_quota_lookup(rcpt, &yield, pos_cache, neg_cache))
3577 HDEBUG(D_verify) debug_printf_indent("quota cache: address record is %s\n",
3578 yield == OK ? "positive" : "negative");
3581 recipient_verify_failure = US"quota";
3582 acl_verify_message = *msg =
3583 US"Previous (cached) quota verification failure";
3592 oldsignal = signal(SIGCHLD, SIG_DFL);
3593 if ((pid = exim_fork(US"quota-verify")) < 0)
3596 close(pfd[pipe_write]);
3597 close(pfd[pipe_read]);
3602 if (pid == 0) /* child */
3604 close(pfd[pipe_read]);
3605 force_fd(pfd[pipe_write], 1); /* stdout to pipe */
3606 close(pfd[pipe_write]);
3608 if (debug_fd > 0) force_fd(debug_fd, 2);
3610 child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 3,
3611 US"-MCq", string_sprintf("%d", message_size), rcpt);
3616 close(pfd[pipe_write]);
3620 DEBUG(D_verify) debug_printf_indent(" fork: %s\n", strerror(save_errno));
3625 int n = read(pfd[pipe_read], buf, sizeof(buf));
3628 waitpid(pid, &status, 0);
3633 if (n > 0) yield = buf[0];
3635 save_errno = (buf[1] << 24) | (buf[2] << 16) | (buf[3] << 8) | buf[4];
3636 if ((recipient_verify_failure = n > 5
3637 ? string_copyn_taint(buf+5, n-5, GET_UNTAINTED) : NULL))
3640 s = buf + 5 + Ustrlen(recipient_verify_failure) + 1;
3642 acl_verify_message = *msg =
3643 m > 0 ? string_copyn_taint(s, m, GET_UNTAINTED) : NULL;
3646 DEBUG(D_verify) debug_printf_indent("verify call response:"
3647 " len %d yield %s errno '%s' where '%s' msg '%s'\n",
3648 n, rc_names[yield], strerror(save_errno), recipient_verify_failure, *msg);
3651 || save_errno == 0 && Ustrcmp(recipient_verify_failure, "quota") == 0)
3652 cache_quota_write(rcpt, yield, pos_cache, neg_cache);
3653 else DEBUG(D_verify)
3654 debug_printf_indent("result not cacheable\n");
3659 debug_printf_indent("verify call response: waitpid status 0x%04x\n", status);
3663 close(pfd[pipe_read]);
3664 signal(SIGCHLD, oldsignal);
3669 DEBUG(D_verify) debug_printf_indent("verify_quota_call fail in %s\n", where);
3676 /* End of verify.c */
git://git.exim.org / exim.git / blob