1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2021 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Functions concerned with rewriting headers */
14 /* Names for testing rewriting */
16 static const char *rrname[] = {
27 /* Structure and table for finding source of address for debug printing */
29 typedef struct where_list_block {
34 static where_list_block where_list[] = {
35 { rewrite_sender, CUS"sender:" },
36 { rewrite_from, CUS"from:" },
37 { rewrite_to, CUS"to:" },
38 { rewrite_cc, CUS"cc:" },
39 { rewrite_bcc, CUS"bcc:" },
40 { rewrite_replyto, CUS"reply-to:" },
41 { rewrite_envfrom, CUS"env-from" },
42 { rewrite_envto, CUS"env-to" },
43 { rewrite_smtp, CUS"smtp recipient" },
44 { rewrite_smtp|rewrite_smtp_sender, CUS"smtp sender" }
47 static int where_list_size = sizeof(where_list)/sizeof(where_list_block);
51 /*************************************************
52 * Ensure an address is qualified *
53 *************************************************/
58 is_recipient TRUE if a recipient address; FALSE if a sender address
60 Returns: fully-qualified address
64 rewrite_address_qualify(const uschar *s, BOOL is_recipient)
66 return parse_find_at(s)
67 ? s : string_sprintf("%s@%s", s,
68 is_recipient ? qualify_domain_recipient : qualify_domain_sender);
73 /*************************************************
74 * Rewrite a single address *
75 *************************************************/
77 /* The yield is the input address if there is no rewriting to be done. Assume
78 the input is a valid address, except in the case of SMTP-time rewriting, which
79 is handled specially. When this function is called while processing filter and
80 forward files, the uid may be that of the user. Ensure it is reset while
81 expanding a replacement, in case that involves file lookups.
85 flag indicates where this address comes from; it must match the
86 flags in the rewriting rule
87 whole if not NULL, set TRUE if any rewriting rule contained the
88 "whole" bit and it is a header that is being rewritten
89 add_header if TRUE and rewriting occurs, add an "X-rewrote-xxx" header
90 if headers are in existence; this should be TRUE only when
91 a message is being received, not during delivery
92 name name of header, for use when adding X-rewrote-xxxx
93 rewrite_rules chain of rewriting rules
95 Returns: new address if rewritten; the input address if no change;
96 for a header rewrite, if the "whole" bit is set, the entire
97 rewritten address is returned, not just the active bit.
101 rewrite_one(const uschar *s, int flag, BOOL *whole, BOOL add_header, uschar *name,
102 rewrite_rule *rewrite_rules)
104 const uschar *yield = s;
105 const uschar *subject = s;
106 uschar *domain = NULL;
109 int yield_start = 0, yield_end = 0;
111 if (whole) *whole = FALSE;
113 /* Scan the rewriting rules, ignoring any without matching flag */
115 for (rewrite_rule * rule = rewrite_rules;
117 rule_number++, rule = rule->next) if (rule->flags & flag)
119 int start, end, pdomain;
121 uschar *save_localpart;
122 const uschar *save_domain;
124 const uschar * newparsed;
126 /* Come back here for a repeat after a successful rewrite. We do this
127 only so many times. */
131 /* If this is an SMTP-time rewrite, the pattern must be a regex and
132 the subject may have any structure. No local part or domain variables
133 can be set for the expansion. We expand the pattern in order to be consistent
134 with the other kinds of rewrite, where expansion happens inside
135 match_address_list(). */
137 if (flag & rewrite_smtp)
139 uschar *key = expand_string(rule->key);
142 if (!f.expand_string_forcedfail)
143 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" while "
144 "checking for SMTP rewriting: %s", rule->key, expand_string_message);
147 if (match_check_string(subject, key, 0, TRUE, FALSE, FALSE, NULL) != OK)
149 new = expand_string(rule->replacement);
152 /* All other rewrites expect the input to be a valid address, so local part
153 and domain variables can be set for expansion. For the first rule, to be
154 applied to this address, domain will be NULL and needs to be set. */
158 if (!domain) domain = Ustrrchr(subject, '@') + 1;
160 /* Use the general function for matching an address against a list (here
161 just one item, so use the "impossible value" separator UCHAR_MAX+1). */
163 if (match_address_list(subject, FALSE, TRUE, CUSS &(rule->key), NULL, 0,
164 UCHAR_MAX + 1, NULL) != OK)
167 /* The source address matches, and numerical variables have been
168 set up. If the replacement string consists of precisely "*" then no
169 rewriting is required for this address - the behaviour is as for "fail"
170 in the replacement expansion, but assuming the quit flag. */
172 if (Ustrcmp(rule->replacement, "*") == 0) break;
174 /* Otherwise, expand the replacement string. Set $local_part and $domain to
175 the appropriate values, restoring whatever value they previously had
178 save_localpart = deliver_localpart;
179 save_domain = deliver_domain;
181 /* We have subject pointing to "localpart@domain" and domain pointing to
182 the domain. Temporarily terminate the local part so that it can be
183 set up as an expansion variable */
186 deliver_localpart = US subject;
187 deliver_domain = domain;
189 new = expand_string(rule->replacement);
192 deliver_localpart = save_localpart;
193 deliver_domain = save_domain;
196 /* If the expansion failed with the "forcedfail" flag, don't generate
197 an error - just give up on this rewriting rule. If the "q" flag is set,
198 give up altogether. For other expansion failures we have a configuration
203 if (f.expand_string_forcedfail)
204 { if (rule->flags & rewrite_quit) break; else continue; }
206 expand_string_message = expand_hide_passwords(expand_string_message);
208 log_write(0, LOG_MAIN|LOG_PANIC, "Expansion of %s failed while rewriting: "
209 "%s", rule->replacement, expand_string_message);
213 /* Check the what has been generated is a valid RFC 2822 address. Only
214 envelope from or SMTP sender is permitted to be rewritten as <>.*/
216 newparsed = parse_extract_address(new, &error, &start, &end, &pdomain,
217 flag == rewrite_envfrom || flag == (rewrite_smtp|rewrite_smtp_sender));
221 log_write(0, LOG_MAIN|LOG_PANIC, "Rewrite of %s yielded unparseable "
222 "address: %s in address %s", subject, error, new);
223 break; /* Give up on this address */
226 /* A non-null unqualified address can be qualified if requested. Otherwise,
227 this is an error unless it's the empty address in circumstances where that is
230 if (pdomain == 0 && (*newparsed != 0 ||
231 (flag != rewrite_envfrom && flag != (rewrite_smtp|rewrite_smtp_sender))))
233 if (rule->flags & rewrite_qualify)
235 newparsed = rewrite_address_qualify(newparsed, TRUE);
236 new = string_sprintf("%.*s%s%.*s", start, new, newparsed,
237 Ustrlen(new) - end, new + end);
238 end = start + Ustrlen(newparsed);
242 log_write(0, LOG_MAIN|LOG_PANIC, "Rewrite of %s yielded unqualified "
243 "address \"%s\"", subject, new);
244 break; /* Give up on this address */
248 /* We have a validly rewritten address */
250 if (LOGGING(address_rewrite) || (debug_selector & D_rewrite) != 0)
252 const uschar *where = CUS"?";
254 for (int i = 0; i < where_list_size; i++)
255 if (flag == where_list[i].bit)
257 where = where_list[i].string;
260 log_write(L_address_rewrite,
261 LOG_MAIN, "\"%s\" from %s rewritten as \"%s\" by rule %d",
262 yield, where, new, rule_number);
265 /* A header will only actually be added if header_last is non-NULL,
266 i.e. during message reception or delivery, but add_header should not
267 be set TRUE during delivery, as otherwise multiple instances of the header
268 can fill up the -H file and make it embarrassingly large. We don't need
269 to set header_rewritten because the -H file always gets written at the end
270 of message reception. */
273 header_add(htype_old, "X-rewrote-%s: %s\n", name, subject);
275 /* Handle the case when replacement of the whole address is possible.
276 This happens only when whole is not NULL and we are rewriting a header.
277 If *whole is already TRUE it means that a previous rule had the w
278 flag set and so we must preserve the non-active portion of the current
279 subject unless the current rule also has the w flag set. */
281 if (whole && (flag & rewrite_all_headers))
283 /* Current rule has the w flag set. We must ensure the phrase parts
284 are syntactically valid if they are present. */
286 if (rule->flags & rewrite_whole)
288 if (start > 0 && new[start-1] == '<')
290 uschar *p1 = new + start - 1;
291 uschar *p2 = new + end + 1;
292 const uschar *pf1, *pf2;
294 while (p1 > new && p1[-1] == ' ') p1--;
295 pf1 = parse_fix_phrase(new, p1 - new);
296 while (*p2 == ' ') p2++;
297 pf2 = parse_fix_phrase(p2, Ustrlen(p2));
299 start = Ustrlen(pf1) + start + new - p1;
300 end = start + Ustrlen(newparsed);
301 new = string_sprintf("%s%.*s%s", pf1, (int)(p2 - p1), p1, pf2);
304 /* Now accept the whole thing */
313 /* Current rule does not have the w flag set; if not previously
314 done any whole rewriting, behave in non-whole manner. */
316 else if (!*whole) goto NEVER_WHOLE;
318 /* Current rule does not have the w flag set, but a previous
319 rule did rewrite the whole address. Thus yield and subject will be
320 different. Preserve the previous non-active part of the address. */
325 new = string_sprintf("%.*s%s%n%s",
326 yield_start, yield, subject, &end, yield + yield_end);
332 /* Rule just rewrites active part, or handling an envelope. This
333 code is obeyed only when all rules so far have not done "whole"
339 subject = yield = newparsed;
342 domain = NULL; /* Reset for next rule */
344 /* If no further rewrites are to be done, set the done flag. This allows
345 repeats of the current rule if configured before breaking the loop. */
347 if (rule->flags & rewrite_quit) done = TRUE;
349 /* Allow the current rule to be applied up to 10 times if
352 if (rule->flags & rewrite_repeat)
354 if (count++ < 10) goto REPEAT_RULE;
355 log_write(0, LOG_MAIN|LOG_PANIC, "rewrite rule repeat ignored after 10 "
360 /* Unset expansion numeric variables, and that's it. */
368 /*************************************************
369 * Ensure qualification and rewrite *
370 *************************************************/
372 /* This function is called for envelope addresses, the boolean specifying
373 whether a recipient or a sender. It must first of all ensure the address is
374 fully qualified, and then apply any relevant re-writing rules. The add-header
375 flag causes a header to be added, recording the old address. This is marked
376 "old", so that it is never transported anywhere; it exists for local checking
377 and debugging purposes.
380 s the address to be considered
381 is_recipient TRUE for recipient addresses; FALSE otherwise
382 add_header add "X-rewrote-xxx" header when rewriting; this is
383 set TRUE only for calls from the reception functions
384 rewrite_rules points to chain of rewrite rules
385 existflags bits indicating which headers there are rewrites for
386 (just an optimisation)
388 Returns: possibly rewritten address
392 rewrite_address(const uschar *s, BOOL is_recipient, BOOL add_header,
393 rewrite_rule *rewrite_rules, int existflags)
395 int flag = is_recipient ? rewrite_envto : rewrite_envfrom;
397 s = rewrite_address_qualify(s, is_recipient);
398 if (existflags & flag)
400 const uschar *new = rewrite_one(s, flag, NULL, add_header, is_recipient?
401 US"original-recipient" : US"sender", rewrite_rules);
402 if (new != s) s = new;
409 /*************************************************
410 * Qualify and possibly rewrite one header *
411 *************************************************/
413 /* This is called only from rewrite_header() below, either when reading a
414 message. or when routing, in order to rewrite addresses that get changed by a
415 router. This is normally the addition of full qualification to a partial
416 domain. The first rewriting rule in this case is "change routed_old into
417 routed_new", and it applies to all header lines that contain addresses. Then
418 header-specific rewriting rules are applied.
420 Before rewriting can be done, addresses without domains have to be qualified.
421 This should only be done for messages from "local" senders. This is a difficult
422 concept to pin down, what with the use of SMTP both as a submission and as a
423 transmission protocol. Exim normally requires incoming SMTP to contain fully-
424 qualified addresses, but there are options to permit unqualified ones from
425 certain hosts. For those hosts only, addresses in headers can also be
426 qualified. For other hosts, unqualified addresses in headers do not get touched
427 in any way. For locally sourced messages, unqualified addresses always get
428 qualified, except when -bnq is used to explicitly suppress this.
431 h pointer to header line block
432 flag indicates which header this is
433 routed_old if not NULL, this is a rewrite caused by a router, changing
434 this domain into routed_new
435 routed_new new routed domain if routed_old is not NULL
436 rewrite_rules points to chain of rewriting rules
437 existflags bits indicating which rewrites exist
438 replace if TRUE, insert the new header in the chain after the old
439 one, and mark the old one "replaced"
441 Returns: NULL if header unchanged; otherwise the rewritten header
445 rewrite_one_header(header_line *h, int flag,
446 const uschar *routed_old, const uschar *routed_new,
447 rewrite_rule *rewrite_rules, int existflags, BOOL replace)
450 header_line *newh = NULL;
451 rmark function_reset_point = store_mark();
452 uschar *s = Ustrchr(h->text, ':') + 1;
454 while (isspace(*s)) s++;
457 debug_printf("rewrite_one_header: type=%c:\n %s", h->type, h->text);
459 f.parse_allow_group = TRUE; /* Allow group syntax */
461 /* Loop for multiple addresses in the header. We have to go through them all
462 in case any need qualifying, even if there's no rewriting. Pathological headers
463 may have thousands of addresses in them, so cause the store to be reset for
464 any that don't actually get rewritten. We also play silly games for those that
465 _are_ rewritten so as to avoid runaway store usage for these kinds of header.
466 We want to avoid keeping store for any intermediate versions. */
471 uschar *ss = parse_find_address_end(s, FALSE);
472 uschar *recipient, *new;
473 rmark loop_reset_point = store_mark();
474 uschar *errmess = NULL;
475 BOOL changed = FALSE;
476 int terminator = *ss;
477 int start, end, domain;
479 /* Temporarily terminate the string at this point, and extract the
480 operative address within. Then put back the terminator and prepare for
481 the next address, saving the start of the old one. */
484 recipient = parse_extract_address(s, &errmess, &start, &end, &domain, FALSE);
487 s = ss + (terminator ? 1 :0);
488 while (isspace(*s)) s++;
490 /* There isn't much we can do for syntactic disasters at this stage.
491 Pro tem (possibly for ever) ignore them.
492 If we got nothing, then there was any sort of error: non-parsable address,
493 empty address, overlong addres. Sometimes the result matters, sometimes not.
494 It seems this function is called for *any* header we see. */
501 This was(!) an attempt tho handle empty rewrits, but seemingly it
502 needs more effort to decide if the returned empty address matters.
503 Now this will now break test 471 again.
505 471 fails now because it uses an overlong address, for wich parse_extract_address()
506 returns an empty address (which was not expected).
508 Checking the output and exit if rewrite_rules or routed_old are present
509 isn't a good idea either: It's enough to have *any* rewrite rule
510 in the configuration plus "To: undisclosed recpients:;" to exit(), which
514 if (rewrite_rules || routed_old)
516 log_write(0, LOG_MAIN, "rewrite: %s", errmess);
517 exim_exit(EXIT_FAILURE);
520 loop_reset_point = store_reset(loop_reset_point);
524 /* If routed_old is not NULL, this is a rewrite caused by a router,
525 consisting of changing routed_old into routed_new, and applying to all
526 headers. If the header address has no domain, it is excluded, since a router
527 rewrite affects domains only. The new value should always be fully qualified,
528 but it may be something that has an explicit re-write rule set, so we need to
529 check the configured rules subsequently as well. (Example: there's an
530 explicit rewrite turning *.foo.com into foo.com, and an address is supplied
531 as abc@xyz, which the DNS lookup turns into abc@xyz.foo.com). However, if no
532 change is made here, don't bother carrying on. */
536 if (domain <= 0 || strcmpic(recipient+domain, routed_old) != 0) continue;
537 recipient[domain-1] = 0;
538 new = string_sprintf("%s@%s", recipient, routed_new);
541 recipient[domain-1] = '@';
542 debug_printf("%s rewritten by router as %s\n", recipient, new);
548 /* This is not a router-inspired rewrite. Ensure the address is fully
549 qualified if that is permitted. If an unqualified address was received
550 from a host that isn't listed, do not continue rewriting this address.
551 Sender, From or Reply-To headers are treated as senders, the rest as
552 recipients. This matters only when there are different qualify strings. */
557 (flag & (rewrite_sender | rewrite_from | rewrite_replyto)) == 0;
558 /* deconst ok as recipient was notconst */
559 new = US rewrite_address_qualify(recipient, is_recipient);
560 changed = (new != recipient);
563 /* Can only qualify if permitted; if not, no rewrite. */
565 if (changed && ((is_recipient && !f.allow_unqualified_recipient) ||
566 (!is_recipient && !f.allow_unqualified_sender)))
568 loop_reset_point = store_reset(loop_reset_point);
573 /* If there are rewrite rules for this type of header, apply
574 them. This test is just for efficiency, to save scanning the rules
575 in cases when nothing is going to change. If any rewrite rule had the
576 "whole" flag set, adjust the pointers so that the whole address gets
577 replaced, except possibly a final \n. */
579 if (existflags & flag)
582 /* deconst ok as recipient was notconst */
583 new = US rewrite_one(recipient, flag, &whole, FALSE, NULL, rewrite_rules);
584 if (new != recipient)
591 if (sprev[end-1] == '\n') end--;
596 /* If nothing has changed, lose all dynamic store obtained in this loop, and
597 move on to the next address. We can't reset to the function start store
598 point, because we may have a rewritten line from a previous time round the
601 if (!changed) loop_reset_point = store_reset(loop_reset_point);
603 /* If the address has changed, create a new header containing the
604 rewritten address. We do not need to set the chain pointers at this
605 stage. We want to avoid using more and more memory if the header is very long
606 and contains lots and lots of rewritten addresses. Therefore, we build the
607 new text string in malloc store, then at the end we reset dynamic store
608 before copying the new header to a new block (and then freeing the malloc
609 block). The header must end up in dynamic store so that it's freed at the end
610 of receiving a message. */
615 int newlen = Ustrlen(new);
616 int oldlen = end - start;
618 header_line * prev = newh ? newh : h;
619 uschar * newt = store_get_perm(prev->slen - oldlen + newlen + 4, TRUE);
620 uschar * newtstart = newt;
622 int type = prev->type;
623 int slen = prev->slen - oldlen + newlen;
625 /* Build the new header text by copying the old and putting in the
626 replacement. This process may make the header substantially longer
627 than it was before - qualification of a list of bare addresses can
628 often do this - so we stick in a newline after the re-written address
629 if it has increased in length and ends more than 40 characters in. In
630 fact, the code is not perfect, since it does not scan for existing
631 newlines in the header, but it doesn't seem worth going to that
632 amount of trouble. */
634 Ustrncpy(newt, prev->text, sprev - prev->text + start);
635 newt += sprev - prev->text + start;
639 remlen = s - (sprev + end);
642 Ustrncpy(newt, sprev + end, remlen);
647 /* Must check that there isn't a newline here anyway; in particular, there
648 will be one at the very end of the header, where we DON'T want to insert
649 another one! The pointer s has been skipped over white space, so just
650 look back to see if the last non-space-or-tab was a newline. */
652 if (newlen > oldlen && newt - newtstart - lastnewline > 40)
655 while (p >= prev->text && (*p == ' ' || *p == '\t')) p--;
658 lastnewline = newt - newtstart;
659 Ustrcat(newt, US"\n\t");
664 /* Finally, the remaining unprocessed addresses, if any. */
668 DEBUG(D_rewrite) debug_printf("newlen=%d newtype=%c newtext:\n%s",
669 slen, type, newtstart);
671 /* Compute the length of the rest of the header line before we possibly
672 flatten a previously rewritten copy. */
674 remlen = (s - prev->text) - oldlen + newlen;
676 /* We have the new text in a malloc block. That enables us to release all
677 the memory that has been used, back to the point at which the function was
678 entered. Then set up a new header in dynamic store. This will override a
679 rewritten copy from a previous time round this loop. */
681 store_reset(function_reset_point);
682 function_reset_point = store_mark();
683 newh = store_get(sizeof(header_line), FALSE);
686 newh->text = string_copyn(newtstart, slen);
688 /* Set up for scanning the rest of the header */
690 s = newh->text + remlen;
691 DEBUG(D_rewrite) debug_printf("remainder: %s", *s ? s : US"\n");
695 f.parse_allow_group = FALSE; /* Reset group flags */
696 f.parse_found_group = FALSE;
698 /* If a rewrite happened and "replace" is true, put the new header into the
699 chain following the old one, and mark the old one as replaced. */
703 newh->next = h->next;
704 if (!newh->next) header_last = newh;
715 /*************************************************
716 * Rewrite a header line *
717 *************************************************/
719 /* This function may be passed any old header line. It must detect those which
720 contain addresses, then then apply any rewriting rules that apply. If
721 routed_old is NULL, only the configured rewriting rules are consulted.
722 Otherwise, the rewriting rule is "change routed_old into routed_new", and it
723 applies to all header lines that contain addresses. Then header-specific
724 rewriting rules are applied.
726 The old header line is flagged as "old". Old headers are saved on the spool for
727 debugging but are never sent to any recipients.
730 h header line to rewrite
731 routed_old if not NULL, this is a rewrite caused by a router, changing
732 this domain into routed_new
733 routed_new new routed domain if routed_old is not NULL
734 rewrite_rules points to chain of rewrite rules
735 existflags bits indicating which rewrites exist
736 replace if TRUE, the new header is inserted into the header chain
737 after the old one, and the old one is marked replaced
739 Returns: NULL if header unchanged; otherwise the rewritten header
743 rewrite_header(header_line *h,
744 const uschar *routed_old, const uschar *routed_new,
745 rewrite_rule *rewrite_rules, int existflags, BOOL replace)
750 case htype_sender: flag = rewrite_sender; break;
751 case htype_from: flag = rewrite_from; break;
752 case htype_to: flag = rewrite_to; break;
753 case htype_cc: flag = rewrite_cc; break;
754 case htype_bcc: flag = rewrite_bcc; break;
755 case htype_reply_to: flag = rewrite_replyto; break;
756 default: return NULL;
758 return rewrite_one_header(h, flag, routed_old, routed_new,
759 rewrite_rules, existflags, replace);
764 /************************************************
765 * Test rewriting rules *
766 ************************************************/
768 /* Called from the mainline as a result of the -brw option. Test the
769 address for all possible cases.
771 Argument: the address to test
776 rewrite_test(const uschar *s)
778 uschar *recipient, *error;
779 int start, end, domain;
780 BOOL done_smtp = FALSE;
782 if (rewrite_existflags == 0)
784 printf("No rewrite rules are defined\n");
788 /* Do SMTP rewrite only if a rule with the S flag exists. Allow <> by
789 pretending it is a sender. */
791 if ((rewrite_existflags & rewrite_smtp) != 0)
793 const uschar * new = rewrite_one(s, rewrite_smtp|rewrite_smtp_sender, NULL,
794 FALSE, US"", global_rewrite_rules);
798 printf(" SMTP: <>\n");
800 printf(" SMTP: %s\n", new);
805 /* Do the other rewrites only if a rule without the S flag exists */
807 if ((rewrite_existflags & ~rewrite_smtp) == 0) return;
809 /* Qualify if necessary before extracting the address */
811 if (parse_find_at(s) == NULL)
812 s = string_sprintf("%s@%s", s, qualify_domain_recipient);
814 recipient = parse_extract_address(s, &error, &start, &end, &domain, FALSE);
819 printf("Syntax error in %s\n%c%s\n", s, toupper(error[0]), error+1);
823 for (int i = 0; i < 8; i++)
827 const uschar * new = rewrite_one(recipient, flag, &whole, FALSE, US"",
828 global_rewrite_rules);
829 printf("%s: ", rrname[i]);
832 else if (whole || (flag & rewrite_all_headers) == 0)
833 printf("%s\n", CS new);
834 else printf("%.*s%s%s\n", start, s, new, s+end);
838 /* End of rewrite.c */