1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Functions concerned with rewriting headers */
13 /* Names for testing rewriting */
15 static const char *rrname[] = {
26 /* Structure and table for finding source of address for debug printing */
28 typedef struct where_list_block {
33 static where_list_block where_list[] = {
34 { rewrite_sender, CUS"sender:" },
35 { rewrite_from, CUS"from:" },
36 { rewrite_to, CUS"to:" },
37 { rewrite_cc, CUS"cc:" },
38 { rewrite_bcc, CUS"bcc:" },
39 { rewrite_replyto, CUS"reply-to:" },
40 { rewrite_envfrom, CUS"env-from" },
41 { rewrite_envto, CUS"env-to" },
42 { rewrite_smtp, CUS"smtp recipient" },
43 { rewrite_smtp|rewrite_smtp_sender, CUS"smtp sender" }
46 static int where_list_size = sizeof(where_list)/sizeof(where_list_block);
50 /*************************************************
51 * Ensure an address is qualified *
52 *************************************************/
57 is_recipient TRUE if a recipient address; FALSE if a sender address
59 Returns: fully-qualified address
63 rewrite_address_qualify(uschar *s, BOOL is_recipient)
65 return (parse_find_at(s) != NULL)? s :
66 string_sprintf("%s@%s", s,
67 is_recipient? qualify_domain_recipient : qualify_domain_sender);
72 /*************************************************
73 * Rewrite a single address *
74 *************************************************/
76 /* The yield is the input address if there is no rewriting to be done. Assume
77 the input is a valid address, except in the case of SMTP-time rewriting, which
78 is handled specially. When this function is called while processing filter and
79 forward files, the uid may be that of the user. Ensure it is reset while
80 expanding a replacement, in case that involves file lookups.
84 flag indicates where this address comes from; it must match the
85 flags in the rewriting rule
86 whole if not NULL, set TRUE if any rewriting rule contained the
87 "whole" bit and it is a header that is being rewritten
88 add_header if TRUE and rewriting occurs, add an "X-rewrote-xxx" header
89 if headers are in existence; this should be TRUE only when
90 a message is being received, not during delivery
91 name name of header, for use when adding X-rewrote-xxxx
92 rewrite_rules chain of rewriting rules
94 Returns: new address if rewritten; the input address if no change;
95 for a header rewrite, if the "whole" bit is set, the entire
96 rewritten address is returned, not just the active bit.
100 rewrite_one(uschar *s, int flag, BOOL *whole, BOOL add_header, uschar *name,
101 rewrite_rule *rewrite_rules)
106 uschar *domain = NULL;
109 int yield_start = 0, yield_end = 0;
111 if (whole != NULL) *whole = FALSE;
113 /* Scan the rewriting rules */
115 for (rule = rewrite_rules;
116 rule != NULL && !done;
117 rule_number++, rule = rule->next)
119 int start, end, pdomain;
121 uschar *save_localpart;
122 const uschar *save_domain;
123 uschar *error, *new, *newparsed;
125 /* Ensure that the flag matches the flags in the rule. */
127 if ((rule->flags & flag) == 0) continue;
129 /* Come back here for a repeat after a successful rewrite. We do this
130 only so many times. */
134 /* If this is an SMTP-time rewrite, the pattern must be a regex and
135 the subject may have any structure. No local part or domain variables
136 can be set for the expansion. We expand the pattern in order to be consistent
137 with the other kinds of rewrite, where expansion happens inside
138 match_address_list(). */
140 if ((flag & rewrite_smtp) != 0)
142 uschar *key = expand_string(rule->key);
145 if (!expand_string_forcedfail)
146 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" while "
147 "checking for SMTP rewriting: %s", rule->key, expand_string_message);
150 if (match_check_string(subject, key, 0, TRUE, FALSE, FALSE, NULL) != OK)
152 new = expand_string(rule->replacement);
155 /* All other rewrites expect the input to be a valid address, so local part
156 and domain variables can be set for expansion. For the first rule, to be
157 applied to this address, domain will be NULL and needs to be set. */
161 if (domain == NULL) domain = Ustrrchr(subject, '@') + 1;
163 /* Use the general function for matching an address against a list (here
164 just one item, so use the "impossible value" separator UCHAR_MAX+1). */
166 if (match_address_list(subject, FALSE, TRUE, CUSS &(rule->key), NULL, 0,
167 UCHAR_MAX + 1, NULL) != OK)
170 /* The source address matches, and numerical variables have been
171 set up. If the replacement string consists of precisely "*" then no
172 rewriting is required for this address - the behaviour is as for "fail"
173 in the replacement expansion, but assuming the quit flag. */
175 if (Ustrcmp(rule->replacement, "*") == 0) break;
177 /* Otherwise, expand the replacement string. Set $local_part and $domain to
178 the appropriate values, restoring whatever value they previously had
181 save_localpart = deliver_localpart;
182 save_domain = deliver_domain;
184 /* We have subject pointing to "localpart@domain" and domain pointing to
185 the domain. Temporarily terminate the local part so that it can be
186 set up as an expansion variable */
189 deliver_localpart = subject;
190 deliver_domain = domain;
192 new = expand_string(rule->replacement);
195 deliver_localpart = save_localpart;
196 deliver_domain = save_domain;
199 /* If the expansion failed with the "forcedfail" flag, don't generate
200 an error - just give up on this rewriting rule. If the "q" flag is set,
201 give up altogether. For other expansion failures we have a configuration
206 if (expand_string_forcedfail)
207 { if ((rule->flags & rewrite_quit) != 0) break; else continue; }
209 expand_string_message = expand_hide_passwords(expand_string_message);
211 log_write(0, LOG_MAIN|LOG_PANIC, "Expansion of %s failed while rewriting: "
212 "%s", rule->replacement, expand_string_message);
216 /* Check the what has been generated is a valid RFC 2822 address. Only
217 envelope from or SMTP sender is permitted to be rewritten as <>.*/
219 newparsed = parse_extract_address(new, &error, &start, &end, &pdomain,
220 flag == rewrite_envfrom || flag == (rewrite_smtp|rewrite_smtp_sender));
222 if (newparsed == NULL)
224 log_write(0, LOG_MAIN|LOG_PANIC, "Rewrite of %s yielded unparseable "
225 "address: %s in address %s", subject, error, new);
226 break; /* Give up on this address */
229 /* A non-null unqualified address can be qualified if requested. Otherwise,
230 this is an error unless it's the empty address in circumstances where that is
233 if (pdomain == 0 && (*newparsed != 0 ||
234 (flag != rewrite_envfrom && flag != (rewrite_smtp|rewrite_smtp_sender))))
236 if ((rule->flags & rewrite_qualify) != 0)
238 newparsed = rewrite_address_qualify(newparsed, TRUE);
239 new = string_sprintf("%.*s%s%.*s", start, new, newparsed,
240 Ustrlen(new) - end, new + end);
241 end = start + Ustrlen(newparsed);
245 log_write(0, LOG_MAIN|LOG_PANIC, "Rewrite of %s yielded unqualified "
246 "address \"%s\"", subject, new);
247 break; /* Give up on this address */
251 /* We have a validly rewritten address */
253 if (LOGGING(address_rewrite) || (debug_selector & D_rewrite) != 0)
256 const uschar *where = CUS"?";
258 for (i = 0; i < where_list_size; i++)
260 if (flag == where_list[i].bit)
262 where = where_list[i].string;
266 log_write(L_address_rewrite,
267 LOG_MAIN, "\"%s\" from %s rewritten as \"%s\" by rule %d",
268 yield, where, new, rule_number);
271 /* A header will only actually be added if header_last is non-NULL,
272 i.e. during message reception or delivery, but add_header should not
273 be set TRUE during delivery, as otherwise multiple instances of the header
274 can fill up the -H file and make it embarrassingly large. We don't need
275 to set header_rewritten because the -H file always gets written at the end
276 of message reception. */
279 header_add(htype_old, "X-rewrote-%s: %s\n", name, subject);
281 /* Handle the case when replacement of the whole address is possible.
282 This happens only when whole is not NULL and we are rewriting a header.
283 If *whole is already TRUE it means that a previous rule had the w
284 flag set and so we must preserve the non-active portion of the current
285 subject unless the current rule also has the w flag set. */
287 if (whole != NULL && (flag & rewrite_all_headers) != 0)
289 /* Current rule has the w flag set. We must ensure the phrase parts
290 are syntactically valid if they are present. */
292 if ((rule->flags & rewrite_whole) != 0)
294 if (start > 0 && new[start-1] == '<')
296 uschar *p1 = new + start - 1;
297 uschar *p2 = new + end + 1;
298 const uschar *pf1, *pf2;
299 uschar buff1[256], buff2[256];
301 while (p1 > new && p1[-1] == ' ') p1--;
302 pf1 = parse_fix_phrase(new, p1 - new, buff1, sizeof(buff1));
303 while (*p2 == ' ') p2++;
304 pf2 = parse_fix_phrase(p2, Ustrlen(p2), buff2, sizeof(buff2));
306 /* Note that pf1 and pf2 are NOT necessarily buff1 and buff2. For
307 a non-RFC 2047 phrase that does not need to be RFC 2822 quoted, they
308 will be buff1+1 and buff2+1. */
310 start = Ustrlen(pf1) + start + new - p1;
311 end = start + Ustrlen(newparsed);
312 new = string_sprintf("%s%.*s%s", pf1, (int)(p2 - p1), p1, pf2);
315 /* Now accept the whole thing */
324 /* Current rule does not have the w flag set; if not previously
325 done any whole rewriting, behave in non-whole manner. */
327 else if (!*whole) goto NEVER_WHOLE;
329 /* Current rule does not have the w flag set, but a previous
330 rule did rewrite the whole address. Thus yield and subject will be
331 different. Preserve the previous non-active part of the address. */
336 new = string_sprintf("%.*s%s%n%s",
337 yield_start, yield, subject, &end, yield + yield_end);
343 /* Rule just rewrites active part, or handling an envelope. This
344 code is obeyed only when all rules so far have not done "whole"
350 subject = yield = newparsed;
353 domain = NULL; /* Reset for next rule */
355 /* If no further rewrites are to be done, set the done flag. This allows
356 repeats of the current rule if configured before breaking the loop. */
358 if ((rule->flags & rewrite_quit) != 0) done = TRUE;
360 /* Allow the current rule to be applied up to 10 times if
363 if ((rule->flags & rewrite_repeat) != 0)
365 if (count++ < 10) goto REPEAT_RULE;
366 log_write(0, LOG_MAIN|LOG_PANIC, "rewrite rule repeat ignored after 10 "
371 /* Unset expansion numeric variables, and that's it. */
379 /*************************************************
380 * Ensure qualification and rewrite *
381 *************************************************/
383 /* This function is called for envelope addresses, the boolean specifying
384 whether a recipient or a sender. It must first of all ensure the address is
385 fully qualified, and then apply any relevant re-writing rules. The add-header
386 flag causes a header to be added, recording the old address. This is marked
387 "old", so that it is never transported anywhere; it exists for local checking
388 and debugging purposes.
391 s the address to be considered
392 is_recipient TRUE for recipient addresses; FALSE otherwise
393 add_header add "X-rewrote-xxx" header when rewriting; this is
394 set TRUE only for calls from the reception functions
395 rewrite_rules points to chain of rewrite rules
396 existflags bits indicating which headers there are rewrites for
397 (just an optimisation)
399 Returns: possibly rewritten address
403 rewrite_address(uschar *s, BOOL is_recipient, BOOL add_header,
404 rewrite_rule *rewrite_rules, int existflags)
406 int flag = is_recipient? rewrite_envto : rewrite_envfrom;
407 s = rewrite_address_qualify(s, is_recipient);
408 if ((existflags & flag) != 0)
410 uschar *new = rewrite_one(s, flag, NULL, add_header, is_recipient?
411 US"original-recipient" : US"sender", rewrite_rules);
412 if (new != s) s = new;
419 /*************************************************
420 * Qualify and possibly rewrite one header *
421 *************************************************/
423 /* This is called only from rewrite_header() below, either when reading a
424 message. or when routing, in order to rewrite addresses that get changed by a
425 router. This is normally the addition of full qualification to a partial
426 domain. The first rewriting rule in this case is "change routed_old into
427 routed_new", and it applies to all header lines that contain addresses. Then
428 header-specific rewriting rules are applied.
430 Before rewriting can be done, addresses without domains have to be qualified.
431 This should only be done for messages from "local" senders. This is a difficult
432 concept to pin down, what with the use of SMTP both as a submission and as a
433 transmission protocol. Exim normally requires incoming SMTP to contain fully-
434 qualified addresses, but there are options to permit unqualified ones from
435 certain hosts. For those hosts only, addresses in headers can also be
436 qualified. For other hosts, unqualified addresses in headers do not get touched
437 in any way. For locally sourced messages, unqualified addresses always get
438 qualified, except when -bnq is used to explicitly suppress this.
441 h pointer to header line block
442 flag indicates which header this is
443 routed_old if not NULL, this is a rewrite caused by a router, changing
444 this domain into routed_new
445 routed_new new routed domain if routed_old is not NULL
446 rewrite_rules points to chain of rewriting rules
447 existflags bits indicating which rewrites exist
448 replace if TRUE, insert the new header in the chain after the old
449 one, and mark the old one "replaced"
451 Returns: NULL if header unchanged; otherwise the rewritten header
455 rewrite_one_header(header_line *h, int flag,
456 const uschar *routed_old, const uschar *routed_new,
457 rewrite_rule *rewrite_rules, int existflags, BOOL replace)
460 header_line *newh = NULL;
461 void *function_reset_point = store_get(0);
462 uschar *s = Ustrchr(h->text, ':') + 1;
463 while (isspace(*s)) s++;
466 debug_printf("rewrite_one_header: type=%c:\n %s", h->type, h->text);
468 parse_allow_group = TRUE; /* Allow group syntax */
470 /* Loop for multiple addresses in the header. We have to go through them all
471 in case any need qualifying, even if there's no rewriting. Pathological headers
472 may have thousands of addresses in them, so cause the store to be reset for
473 any that don't actually get rewritten. We also play silly games for those that
474 _are_ rewritten so as to avoid runaway store usage for these kinds of header.
475 We want to avoid keeping store for any intermediate versions. */
480 uschar *ss = parse_find_address_end(s, FALSE);
481 uschar *recipient, *new, *errmess;
482 void *loop_reset_point = store_get(0);
483 BOOL changed = FALSE;
484 int terminator = *ss;
485 int start, end, domain;
487 /* Temporarily terminate the string at this point, and extract the
488 operative address within. Then put back the terminator and prepare for
489 the next address, saving the start of the old one. */
492 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
495 s = ss + (terminator? 1:0);
496 while (isspace(*s)) s++;
498 /* There isn't much we can do for syntactic disasters at this stage.
499 Pro tem (possibly for ever) ignore them. */
501 if (recipient == NULL)
503 store_reset(loop_reset_point);
507 /* If routed_old is not NULL, this is a rewrite caused by a router,
508 consisting of changing routed_old into routed_new, and applying to all
509 headers. If the header address has no domain, it is excluded, since a router
510 rewrite affects domains only. The new value should always be fully qualified,
511 but it may be something that has an explicit re-write rule set, so we need to
512 check the configured rules subsequently as well. (Example: there's an
513 explicit rewrite turning *.foo.com into foo.com, and an address is supplied
514 as abc@xyz, which the DNS lookup turns into abc@xyz.foo.com). However, if no
515 change is made here, don't bother carrying on. */
517 if (routed_old != NULL)
519 if (domain <= 0 || strcmpic(recipient+domain, routed_old) != 0) continue;
520 recipient[domain-1] = 0;
521 new = string_sprintf("%s@%s", recipient, routed_new);
524 recipient[domain-1] = '@';
525 debug_printf("%s rewritten by router as %s\n", recipient, new);
531 /* This is not a router-inspired rewrite. Ensure the address is fully
532 qualified if that is permitted. If an unqualified address was received
533 from a host that isn't listed, do not continue rewriting this address.
534 Sender, From or Reply-To headers are treated as senders, the rest as
535 recipients. This matters only when there are different qualify strings. */
540 (flag & (rewrite_sender | rewrite_from | rewrite_replyto)) == 0;
541 new = rewrite_address_qualify(recipient, is_recipient);
542 changed = (new != recipient);
545 /* Can only qualify if permitted; if not, no rewrite. */
547 if (changed && ((is_recipient && !allow_unqualified_recipient) ||
548 (!is_recipient && !allow_unqualified_sender)))
550 store_reset(loop_reset_point);
555 /* If there are rewrite rules for this type of header, apply
556 them. This test is just for efficiency, to save scanning the rules
557 in cases when nothing is going to change. If any rewrite rule had the
558 "whole" flag set, adjust the pointers so that the whole address gets
559 replaced, except possibly a final \n. */
561 if ((existflags & flag) != 0)
564 new = rewrite_one(recipient, flag, &whole, FALSE, NULL, rewrite_rules);
565 if (new != recipient)
572 if (sprev[end-1] == '\n') end--;
577 /* If nothing has changed, lose all dynamic store obtained in this loop, and
578 move on to the next address. We can't reset to the function start store
579 point, because we may have a rewritten line from a previous time round the
582 if (!changed) store_reset(loop_reset_point);
584 /* If the address has changed, create a new header containing the
585 rewritten address. We do not need to set the chain pointers at this
586 stage. We want to avoid using more and more memory if the header is very long
587 and contains lots and lots of rewritten addresses. Therefore, we build the
588 new text string in malloc store, then at the end we reset dynamic store
589 before copying the new header to a new block (and then freeing the malloc
590 block). The header must end up in dynamic store so that it's freed at the end
591 of receiving a message. */
596 int newlen = Ustrlen(new);
597 int oldlen = end - start;
599 header_line *prev = (newh == NULL)? h : newh;
600 uschar *newt = store_malloc(prev->slen - oldlen + newlen + 4);
601 uschar *newtstart = newt;
603 int type = prev->type;
604 int slen = prev->slen - oldlen + newlen;
606 /* Build the new header text by copying the old and putting in the
607 replacement. This process may make the header substantially longer
608 than it was before - qualification of a list of bare addresses can
609 often do this - so we stick in a newline after the re-written address
610 if it has increased in length and ends more than 40 characters in. In
611 fact, the code is not perfect, since it does not scan for existing
612 newlines in the header, but it doesn't seem worth going to that
613 amount of trouble. */
615 Ustrncpy(newt, prev->text, sprev - prev->text + start);
616 newt += sprev - prev->text + start;
620 remlen = s - (sprev + end);
623 Ustrncpy(newt, sprev + end, remlen);
628 /* Must check that there isn't a newline here anyway; in particular, there
629 will be one at the very end of the header, where we DON'T want to insert
630 another one! The pointer s has been skipped over white space, so just
631 look back to see if the last non-space-or-tab was a newline. */
633 if (newlen > oldlen && newt - newtstart - lastnewline > 40)
636 while (p >= prev->text && (*p == ' ' || *p == '\t')) p--;
639 lastnewline = newt - newtstart;
640 Ustrcat(newt, "\n\t");
645 /* Finally, the remaining unprocessed addresses, if any. */
649 DEBUG(D_rewrite) debug_printf("newlen=%d newtype=%c newtext:\n%s",
650 slen, type, newtstart);
652 /* Compute the length of the rest of the header line before we possibly
653 flatten a previously rewritten copy. */
655 remlen = (s - prev->text) - oldlen + newlen;
657 /* We have the new text in a malloc block. That enables us to release all
658 the memory that has been used, back to the point at which the function was
659 entered. Then set up a new header in dynamic store. This will override a
660 rewritten copy from a previous time round this loop. */
662 store_reset(function_reset_point);
663 newh = store_get(sizeof(header_line));
666 newh->text = string_copyn(newtstart, slen);
667 store_free(newtstart);
669 /* Set up for scanning the rest of the header */
671 s = newh->text + remlen;
672 DEBUG(D_rewrite) debug_printf("remainder: %s", (*s == 0)? US"\n" : s);
676 parse_allow_group = FALSE; /* Reset group flags */
677 parse_found_group = FALSE;
679 /* If a rewrite happened and "replace" is true, put the new header into the
680 chain following the old one, and mark the old one as replaced. */
682 if (newh != NULL && replace)
684 newh->next = h->next;
685 if (newh->next == NULL) header_last = newh;
696 /*************************************************
697 * Rewrite a header line *
698 *************************************************/
700 /* This function may be passed any old header line. It must detect those which
701 contain addresses, then then apply any rewriting rules that apply. If
702 routed_old is NULL, only the configured rewriting rules are consulted.
703 Otherwise, the rewriting rule is "change routed_old into routed_new", and it
704 applies to all header lines that contain addresses. Then header-specific
705 rewriting rules are applied.
707 The old header line is flagged as "old". Old headers are saved on the spool for
708 debugging but are never sent to any recipients.
711 h header line to rewrite
712 routed_old if not NULL, this is a rewrite caused by a router, changing
713 this domain into routed_new
714 routed_new new routed domain if routed_old is not NULL
715 rewrite_rules points to chain of rewrite rules
716 existflags bits indicating which rewrites exist
717 replace if TRUE, the new header is inserted into the header chain
718 after the old one, and the old one is marked replaced
720 Returns: NULL if header unchanged; otherwise the rewritten header
724 rewrite_header(header_line *h,
725 const uschar *routed_old, const uschar *routed_new,
726 rewrite_rule *rewrite_rules, int existflags, BOOL replace)
731 return rewrite_one_header(h, rewrite_sender, routed_old, routed_new,
732 rewrite_rules, existflags, replace);
735 return rewrite_one_header(h, rewrite_from, routed_old, routed_new,
736 rewrite_rules, existflags, replace);
739 return rewrite_one_header(h, rewrite_to, routed_old, routed_new,
740 rewrite_rules, existflags, replace);
743 return rewrite_one_header(h, rewrite_cc, routed_old, routed_new,
744 rewrite_rules, existflags, replace);
747 return rewrite_one_header(h, rewrite_bcc, routed_old, routed_new,
748 rewrite_rules, existflags, replace);
751 return rewrite_one_header(h, rewrite_replyto, routed_old, routed_new,
752 rewrite_rules, existflags, replace);
760 /************************************************
761 * Test rewriting rules *
762 ************************************************/
764 /* Called from the mainline as a result of the -brw option. Test the
765 address for all possible cases.
767 Argument: the address to test
771 void rewrite_test(uschar *s)
773 uschar *recipient, *error;
774 int i, start, end, domain;
775 BOOL done_smtp = FALSE;
777 if (rewrite_existflags == 0)
779 printf("No rewrite rules are defined\n");
783 /* Do SMTP rewrite only if a rule with the S flag exists. Allow <> by
784 pretending it is a sender. */
786 if ((rewrite_existflags & rewrite_smtp) != 0)
788 uschar *new = rewrite_one(s, rewrite_smtp|rewrite_smtp_sender, NULL, FALSE,
789 US"", global_rewrite_rules);
793 printf(" SMTP: <>\n");
795 printf(" SMTP: %s\n", new);
800 /* Do the other rewrites only if a rule without the S flag exists */
802 if ((rewrite_existflags & ~rewrite_smtp) == 0) return;
804 /* Qualify if necessary before extracting the address */
806 if (parse_find_at(s) == NULL)
807 s = string_sprintf("%s@%s", s, qualify_domain_recipient);
809 recipient = parse_extract_address(s, &error, &start, &end, &domain, FALSE);
811 if (recipient == NULL)
814 printf("Syntax error in %s\n%c%s\n", s, toupper(error[0]), error+1);
818 for (i = 0; i < 8; i++)
822 uschar *new = rewrite_one(recipient, flag, &whole, FALSE, US"",
823 global_rewrite_rules);
824 printf("%s: ", rrname[i]);
827 else if (whole || (flag & rewrite_all_headers) == 0)
828 printf("%s\n", CS new);
829 else printf("%.*s%s%s\n", start, s, new, s+end);
833 /* End of rewrite.c */