1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2024 */
6 /* Copyright (c) University of Cambridge 1995 - 2023 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Functions concerned with verifying things. The original code for callout
11 caching was contributed by Kevin Fleming (but I hacked it around a bit). */
15 #include "transports/smtp.h"
17 #define CUTTHROUGH_CMD_TIMEOUT 30 /* timeout for cutthrough-routing calls */
18 #define CUTTHROUGH_DATA_TIMEOUT 60 /* timeout for cutthrough-routing calls */
19 static smtp_context ctctx;
20 uschar ctbuffer[8192];
23 static uschar cutthrough_response(client_conn_ctx *, char, uschar **, int);
27 /*************************************************
28 * Retrieve a callout cache record *
29 *************************************************/
31 /* If a record exists, check whether it has expired.
34 dbm_file an open hints file
36 type "address" or "domain"
37 positive_expire expire time for positive records
38 negative_expire expire time for negative records
40 Returns: the cache record if a non-expired one exists, else NULL
43 static dbdata_callout_cache *
44 get_callout_cache_record(open_db *dbm_file, const uschar *key, uschar *type,
45 int positive_expire, int negative_expire)
50 dbdata_callout_cache *cache_record;
52 if (!(cache_record = dbfn_read_with_length(dbm_file, key, &length)))
54 HDEBUG(D_verify) debug_printf_indent("callout cache: no %s record found for %s\n", type, key);
58 /* We treat a record as "negative" if its result field is not positive, or if
59 it is a domain record and the postmaster field is negative. */
61 negative = cache_record->result != ccache_accept ||
62 (type[0] == 'd' && cache_record->postmaster_result == ccache_reject);
63 expire = negative? negative_expire : positive_expire;
66 if (now - cache_record->time_stamp > expire)
68 HDEBUG(D_verify) debug_printf_indent("callout cache: %s record expired for %s\n", type, key);
72 /* If this is a non-reject domain record, check for the obsolete format version
73 that doesn't have the postmaster and random timestamps, by looking at the
74 length. If so, copy it to a new-style block, replicating the record's
75 timestamp. Then check the additional timestamps. (There's no point wasting
76 effort if connections are rejected.) */
78 if (type[0] == 'd' && cache_record->result != ccache_reject)
80 if (length == sizeof(dbdata_callout_cache_obs))
82 dbdata_callout_cache * new = store_get(sizeof(dbdata_callout_cache), GET_UNTAINTED);
83 memcpy(new, cache_record, length);
84 new->postmaster_stamp = new->random_stamp = new->time_stamp;
88 if (now - cache_record->postmaster_stamp > expire)
89 cache_record->postmaster_result = ccache_unknown;
91 if (now - cache_record->random_stamp > expire)
92 cache_record->random_result = ccache_unknown;
95 HDEBUG(D_verify) debug_printf_indent("callout cache: found %s record for %s\n", type, key);
101 /* Check the callout cache.
102 Options * pm_mailfrom may be modified by cache partial results.
104 Return: TRUE if result found
108 cached_callout_lookup(address_item * addr, const uschar * address_key,
109 const uschar * from_address, int * opt_ptr, uschar ** pm_ptr,
110 int * yield, uschar ** failure_ptr,
111 dbdata_callout_cache * new_domain_record, int * old_domain_res)
113 int options = *opt_ptr;
115 open_db *dbm_file = NULL;
117 /* Open the callout cache database, if it exists, for reading only at this
118 stage, unless caching has been disabled. */
120 if (options & vopt_callout_no_cache)
122 HDEBUG(D_verify) debug_printf_indent("callout cache: disabled by no_cache\n");
124 else if (!(dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE, TRUE)))
126 HDEBUG(D_verify) debug_printf_indent("callout cache: not available\n");
130 /* If a cache database is available see if we can avoid the need to do an
131 actual callout by making use of previously-obtained data. */
133 dbdata_callout_cache_address * cache_address_record;
134 dbdata_callout_cache * cache_record = get_callout_cache_record(dbm_file,
135 addr->domain, US"domain",
136 callout_cache_domain_positive_expire, callout_cache_domain_negative_expire);
138 /* If an unexpired cache record was found for this domain, see if the callout
139 process can be short-circuited. */
143 /* In most cases, if an early command (up to and including MAIL FROM:<>)
144 was rejected, there is no point carrying on. The callout fails. However, if
145 we are doing a recipient verification with use_sender or use_postmaster
146 set, a previous failure of MAIL FROM:<> doesn't count, because this time we
147 will be using a non-empty sender. We have to remember this situation so as
148 not to disturb the cached domain value if this whole verification succeeds
149 (we don't want it turning into "accept"). */
151 *old_domain_res = cache_record->result;
153 if ( cache_record->result == ccache_reject
154 || *from_address == 0 && cache_record->result == ccache_reject_mfnull)
157 debug_printf_indent("callout cache: domain gave initial rejection, or "
158 "does not accept HELO or MAIL FROM:<>\n");
159 setflag(addr, af_verify_nsfail);
160 addr->user_message = US"(result of an earlier callout reused).";
162 *failure_ptr = US"mail";
163 dbfn_close(dbm_file);
167 /* If a previous check on a "random" local part was accepted, we assume
168 that the server does not do any checking on local parts. There is therefore
169 no point in doing the callout, because it will always be successful. If a
170 random check previously failed, arrange not to do it again, but preserve
171 the data in the new record. If a random check is required but hasn't been
172 done, skip the remaining cache processing. */
174 if (options & vopt_callout_random) switch(cache_record->random_result)
178 debug_printf_indent("callout cache: domain accepts random addresses\n");
179 *failure_ptr = US"random";
180 dbfn_close(dbm_file);
181 return TRUE; /* Default yield is OK */
185 debug_printf_indent("callout cache: domain rejects random addresses\n");
186 *opt_ptr = options & ~vopt_callout_random;
187 new_domain_record->random_result = ccache_reject;
188 new_domain_record->random_stamp = cache_record->random_stamp;
193 debug_printf_indent("callout cache: need to check random address handling "
194 "(not cached or cache expired)\n");
195 dbfn_close(dbm_file);
199 /* If a postmaster check is requested, but there was a previous failure,
200 there is again no point in carrying on. If a postmaster check is required,
201 but has not been done before, we are going to have to do a callout, so skip
202 remaining cache processing. */
206 if (cache_record->postmaster_result == ccache_reject)
208 setflag(addr, af_verify_pmfail);
210 debug_printf_indent("callout cache: domain does not accept "
211 "RCPT TO:<postmaster@domain>\n");
213 *failure_ptr = US"postmaster";
214 setflag(addr, af_verify_pmfail);
215 addr->user_message = US"(result of earlier verification reused).";
216 dbfn_close(dbm_file);
219 if (cache_record->postmaster_result == ccache_unknown)
222 debug_printf_indent("callout cache: need to check RCPT "
223 "TO:<postmaster@domain> (not cached or cache expired)\n");
224 dbfn_close(dbm_file);
228 /* If cache says OK, set pm_mailfrom NULL to prevent a redundant
229 postmaster check if the address itself has to be checked. Also ensure
230 that the value in the cache record is preserved (with its old timestamp).
233 HDEBUG(D_verify) debug_printf_indent("callout cache: domain accepts RCPT "
234 "TO:<postmaster@domain>\n");
236 new_domain_record->postmaster_result = ccache_accept;
237 new_domain_record->postmaster_stamp = cache_record->postmaster_stamp;
241 /* We can't give a result based on information about the domain. See if there
242 is an unexpired cache record for this specific address (combined with the
243 sender address if we are doing a recipient callout with a non-empty sender).
246 if (!(cache_address_record = (dbdata_callout_cache_address *)
247 get_callout_cache_record(dbm_file, address_key, US"address",
248 callout_cache_positive_expire, callout_cache_negative_expire)))
250 dbfn_close(dbm_file);
254 if (cache_address_record->result == ccache_accept)
257 debug_printf_indent("callout cache: address record is positive\n");
262 debug_printf_indent("callout cache: address record is negative\n");
263 addr->user_message = US"Previous (cached) callout verification failure";
264 *failure_ptr = US"recipient";
268 /* Close the cache database while we actually do the callout for real. */
270 dbfn_close(dbm_file);
277 /* Write results to callout cache
280 cache_callout_write(dbdata_callout_cache * dom_rec, const uschar * domain,
281 int done, dbdata_callout_cache_address * addr_rec, const uschar * address_key)
284 open_db * dbm_file = NULL;
286 /* If we get here with done == TRUE, a successful callout happened, and yield
287 will be set OK or FAIL according to the response to the RCPT command.
288 Otherwise, we looped through the hosts but couldn't complete the business.
289 However, there may be domain-specific information to cache in both cases.
291 The value of the result field in the new_domain record is ccache_unknown if
292 there was an error before or with MAIL FROM:, and errno was not zero,
293 implying some kind of I/O error. We don't want to write the cache in that case.
294 Otherwise the value is ccache_accept, ccache_reject, or ccache_reject_mfnull. */
296 if (dom_rec->result != ccache_unknown)
297 if (!(dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE, TRUE)))
299 HDEBUG(D_verify) debug_printf_indent("callout cache: not available\n");
303 (void)dbfn_write(dbm_file, domain, dom_rec,
304 (int)sizeof(dbdata_callout_cache));
305 HDEBUG(D_verify) debug_printf_indent("wrote callout cache domain record for %s:\n"
306 " result=%d postmaster=%d random=%d\n",
309 dom_rec->postmaster_result,
310 dom_rec->random_result);
313 /* If a definite result was obtained for the callout, cache it unless caching
316 if (done && addr_rec->result != ccache_unknown)
319 dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE, TRUE);
322 HDEBUG(D_verify) debug_printf_indent("no callout cache available\n");
326 (void)dbfn_write(dbm_file, address_key, addr_rec,
327 (int)sizeof(dbdata_callout_cache_address));
328 HDEBUG(D_verify) debug_printf_indent("wrote %s callout cache address record for %s\n",
329 addr_rec->result == ccache_accept ? "positive" : "negative",
334 if (dbm_file) dbfn_close(dbm_file);
338 /* Cutthrough-multi. If the existing cached cutthrough connection matches
339 the one we would make for a subsequent recipient, use it. Send the RCPT TO
340 and check the result, nonpipelined as it may be wanted immediately for
341 recipient-verification.
343 It seems simpler to deal with this case separately from the main callout loop.
344 We will need to remember it has sent, or not, so that rcpt-acl tail code
345 can do it there for the non-rcpt-verify case. For this we keep an addresscount.
347 Return: TRUE for a definitive result for the recipient
350 cutthrough_multi(address_item * addr, host_item * host_list,
351 transport_feedback * tf, int * yield)
355 if (addr->transport == cutthrough.addr.transport)
356 for (host_item * host = host_list; host; host = host->next)
357 if (Ustrcmp(host->address, cutthrough.host.address) == 0)
360 uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
363 deliver_host = host->name;
364 deliver_host_address = host->address;
365 deliver_host_port = host->port;
366 deliver_domain = addr->domain;
367 transport_name = addr->transport->drinst.name;
369 host_af = Ustrchr(host->address, ':') ? AF_INET6 : AF_INET;
371 GET_OPTION("interface");
372 if ( !smtp_get_interface(tf->interface, host_af, addr, &interface,
374 || !smtp_get_port(tf->port, addr, &port, US"callout")
376 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
379 smtp_port_for_connect(host, port);
381 if ( ( interface == cutthrough.interface
383 && cutthrough.interface
384 && Ustrcmp(interface, cutthrough.interface) == 0
386 && host->port == cutthrough.host.port
389 uschar * resp = NULL;
391 /* Match! Send the RCPT TO, set done from the response */
394 debug_printf("already-open verify connection matches recipient\n");
397 smtp_write_command(&ctctx, SCMD_FLUSH, "RCPT TO:<%.1000s>\r\n",
398 transport_rcpt_address(addr,
399 addr->transport->rcpt_include_affixes)) >= 0
400 && cutthrough_response(&cutthrough.cctx, '2', &resp,
401 CUTTHROUGH_DATA_TIMEOUT) == '2';
403 /* This would go horribly wrong if a callout fail was ignored by ACL.
404 We punt by abandoning cutthrough on a reject, like the
409 address_item * na = store_get(sizeof(address_item), GET_UNTAINTED);
410 *na = cutthrough.addr;
411 cutthrough.addr = *addr;
412 cutthrough.addr.host_used = &cutthrough.host;
413 cutthrough.addr.next = na;
419 cancel_cutthrough_connection(TRUE, US"recipient rejected");
420 if (!resp || errno == ETIMEDOUT)
422 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
427 Ustrcpy(resp, US"connection dropped");
430 string_sprintf("response to \"%s\" was: %s",
431 big_buffer, string_printing(resp));
434 string_sprintf("Callout verification failed:\n%s", resp);
436 /* Hard rejection ends the process */
438 if (resp[0] == '5') /* Address rejected */
446 break; /* host_list */
454 /* A rcpt callout, or cached record of one, verified the address.
455 Set $domain_data and $local_part_data to detainted versions.
458 callout_verified_rcpt(const address_item * addr)
460 address_item a = {.address = addr->address};
461 if (deliver_split_address(&a) != OK) return;
462 deliver_localpart_data = string_copy_taint(a.local_part, GET_UNTAINTED);
463 deliver_domain_data = string_copy_taint(a.domain, GET_UNTAINTED);
467 /*************************************************
468 * Do callout verification for an address *
469 *************************************************/
471 /* This function is called from verify_address() when the address has routed to
472 a host list, and a callout has been requested. Callouts are expensive; that is
473 why a cache is used to improve the efficiency.
476 addr the address that's been routed
477 host_list the list of hosts to try
478 tf the transport feedback block
480 ifstring "interface" option from transport, or NULL
481 portstring "port" option from transport, or NULL
482 protocolstring "protocol" option from transport, or NULL
483 callout the per-command callout timeout
484 callout_overall the overall callout timeout (if < 0 use 4*callout)
485 callout_connect the callout connection timeout (if < 0 use callout)
486 options the verification options - these bits are used:
487 vopt_is_recipient => this is a recipient address
488 vopt_callout_no_cache => don't use callout cache
489 vopt_callout_fullpm => if postmaster check, do full one
490 vopt_callout_random => do the "random" thing
491 vopt_callout_recipsender => use original sender addres
492 vopt_callout_r_pmaster => use postmaster as sender
493 vopt_callout_r_tptsender => use sender defined by tpt
494 vopt_callout_hold => lazy close connection
495 se_mailfrom MAIL FROM address for sender verify; NULL => ""
496 pm_mailfrom if non-NULL, do the postmaster check with this sender
498 Returns: OK/FAIL/DEFER
502 do_callout(address_item *addr, host_item *host_list, transport_feedback *tf,
503 int callout, int callout_overall, int callout_connect, int options,
504 uschar *se_mailfrom, uschar *pm_mailfrom)
507 int old_domain_cache_result = ccache_accept;
509 const uschar * address_key;
510 const uschar * from_address;
511 uschar * random_local_part = NULL;
512 const uschar * save_deliver_domain = deliver_domain;
513 uschar ** failure_ptr = options & vopt_is_recipient
514 ? &recipient_verify_failure : &sender_verify_failure;
515 dbdata_callout_cache new_domain_record;
516 dbdata_callout_cache_address new_address_record;
517 time_t callout_start_time;
519 new_domain_record.result = ccache_unknown;
520 new_domain_record.postmaster_result = ccache_unknown;
521 new_domain_record.random_result = ccache_unknown;
523 memset(&new_address_record, 0, sizeof(new_address_record));
525 /* For a recipient callout, the key used for the address cache record must
526 include the sender address if we are using anything but a blank sender in the
527 callout, because that may influence the result of the callout. */
529 if (options & vopt_is_recipient)
530 if (options & ( vopt_callout_recipsender
531 | vopt_callout_r_tptsender
532 | vopt_callout_r_pmaster)
535 if (options & vopt_callout_recipsender)
536 from_address = sender_address;
537 else if (options & vopt_callout_r_tptsender)
539 transport_instance * tp = addr->transport;
540 from_address = addr->prop.errors_address
541 ? addr->prop.errors_address : sender_address;
543 debug_printf(" return-path from routed addr: %s\n", from_address);
545 GET_OPTION("return_path");
548 uschar * new_return_path = expand_string(tp->return_path);
550 from_address = new_return_path;
551 else if (!f.expand_string_forcedfail)
554 debug_printf(" return-path from transport: %s\n", from_address);
557 else /* if (options & vopt_callout_recippmaster) */
558 from_address = string_sprintf("postmaster@%s", qualify_domain_sender);
560 address_key = string_sprintf("%s/<%s>", addr->address, from_address);
561 addr->return_path = from_address; /* for cutthrough logging */
562 if (cutthrough.delivery) /* cutthrough previously req. */
563 options |= vopt_callout_no_cache; /* in case called by verify= */
568 address_key = addr->address;
571 /* For a sender callout, we must adjust the key if the mailfrom address is not
576 from_address = se_mailfrom ? se_mailfrom : US"";
577 address_key = *from_address
578 ? string_sprintf("%s/<%s>", addr->address, from_address) : addr->address;
581 if (cached_callout_lookup(addr, address_key, from_address,
582 &options, &pm_mailfrom, &yield, failure_ptr,
583 &new_domain_record, &old_domain_cache_result))
585 cancel_cutthrough_connection(TRUE, US"cache-hit");
589 if (!addr->transport)
591 HDEBUG(D_verify) debug_printf("cannot callout via null transport\n");
594 else if (Ustrcmp(addr->transport->drinst.driver_name, "smtp") != 0)
595 log_write(0, LOG_MAIN|LOG_PANIC|LOG_CONFIG_FOR, "callout transport '%s': %s is non-smtp",
596 addr->transport->drinst.name, addr->transport->drinst.driver_name);
599 smtp_transport_options_block * ob = addr->transport->drinst.options_block;
600 smtp_context * sx = NULL;
602 /* The information wasn't available in the cache, so we have to do a real
603 callout and save the result in the cache for next time, unless no_cache is set,
604 or unless we have a previously cached negative random result. If we are to test
605 with a random local part, ensure that such a local part is available. If not,
606 log the fact, but carry on without randomising. */
608 if (options & vopt_callout_random)
610 GET_OPTION("callout_random_local_part");
611 if ( callout_random_local_part
612 && !(random_local_part = expand_string(callout_random_local_part)))
613 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
614 "callout_random_local_part: %s", expand_string_message);
617 /* Compile regex' used by client-side smtp */
621 /* Default the connect and overall callout timeouts if not set, and record the
622 time we are starting so that we can enforce it. */
624 if (callout_overall < 0) callout_overall = 4 * callout;
625 if (callout_connect < 0) callout_connect = callout;
626 callout_start_time = time(NULL);
628 /* Before doing a real callout, if this is an SMTP connection, flush the SMTP
629 output because a callout might take some time. When PIPELINING is active and
630 there are many recipients, the total time for doing lots of callouts can add up
631 and cause the client to time out. So in this case we forgo the PIPELINING
634 if (smtp_out && !f.disable_callout_flush) mac_smtp_fflush();
636 clearflag(addr, af_verify_pmfail); /* postmaster callout flag */
637 clearflag(addr, af_verify_nsfail); /* null sender callout flag */
639 /* cutthrough-multi: if a nonfirst rcpt has the same routing as the first,
640 and we are holding a cutthrough conn open, we can just append the rcpt to
641 that conn for verification purposes (and later delivery also). Simplest
642 coding means skipping this whole loop and doing the append separately. */
644 /* Can we re-use an open cutthrough connection? */
646 if (cutthrough.cctx.sock >= 0)
648 if ( !(options & vopt_callout_r_pmaster)
649 && !random_local_part
651 && Ustrcmp(addr->return_path, cutthrough.addr.return_path) == 0
653 done = cutthrough_multi(addr, host_list, tf, &yield);
656 cancel_cutthrough_connection(TRUE, US"incompatible connection");
659 /* If we did not use a cached connection, make connections to the hosts
660 and do real callouts. The list of hosts is passed in as an argument. */
662 for (host_item * host = host_list; host && !done; host = host->next)
666 uschar * interface = NULL; /* Outgoing interface to use; NULL => any */
670 DEBUG(D_verify) debug_printf("no IP address for host name %s: skipping\n",
675 /* Check the overall callout timeout */
677 if (time(NULL) - callout_start_time >= callout_overall)
679 HDEBUG(D_verify) debug_printf("overall timeout for callout exceeded\n");
683 /* Set IPv4 or IPv6 */
685 host_af = Ustrchr(host->address, ':') ? AF_INET6 : AF_INET;
687 /* Expand and interpret the interface and port strings. The latter will not
688 be used if there is a host-specific port (e.g. from a manualroute router).
689 This has to be delayed till now, because they may expand differently for
690 different hosts. If there's a failure, log it, but carry on with the
693 deliver_host = host->name;
694 deliver_host_address = host->address;
695 deliver_host_port = host->port;
696 deliver_domain = addr->domain;
697 transport_name = addr->transport->drinst.name;
699 GET_OPTION("interface");
700 if ( !smtp_get_interface(tf->interface, host_af, addr, &interface,
702 || !smtp_get_port(tf->port, addr, &port, US"callout")
704 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
707 if (!sx) sx = store_get(sizeof(*sx), GET_TAINTED); /* tainted buffers */
708 memset(sx, 0, sizeof(*sx));
710 sx->addrlist = sx->first_addr = addr;
711 sx->conn_args.host = host;
712 sx->conn_args.host_af = host_af,
714 sx->conn_args.interface = interface;
715 sx->helo_data = tf->helo_data;
716 sx->conn_args.tblock = addr->transport;
717 sx->cctx.sock = sx->conn_args.sock = -1;
720 tls_retry_connection:
721 /* Set the address state so that errors are recorded in it */
723 addr->transport_return = PENDING_DEFER;
724 ob->connect_timeout = callout_connect;
725 ob->command_timeout = callout;
727 /* Get the channel set up ready for a message (MAIL FROM being the next
728 SMTP command to send. If we tried TLS but it failed, try again without
731 yield = smtp_setup_conn(sx, FALSE);
734 && addr->basic_errno == ERRNO_TLSFAILURE
735 && ob->tls_tempfail_tryclear
736 && verify_check_given_host(CUSS &ob->hosts_require_tls, host) != OK
739 log_write(0, LOG_MAIN,
740 "%s: callout unencrypted to %s [%s] (not in hosts_require_tls)",
741 addr->message, host->name, host->address);
742 addr->transport_return = PENDING_DEFER;
743 yield = smtp_setup_conn(sx, TRUE);
748 smtp_debug_cmd_report(); /*XXX we seem to exit without what should
749 be a common call to this. How? */
750 errno = addr->basic_errno;
752 /* For certain errors we want specifically to log the transport name,
753 for ease of fixing config errors. Slightly ugly doing it here, but we want
754 to not leak that also in the SMTP response. */
759 case EPROTONOSUPPORT:
760 case ESOCKTNOSUPPORT:
768 log_write(0, LOG_MAIN|LOG_PANIC,
769 "%s verify %s (making calloout connection): T=%s %s",
770 options & vopt_is_recipient ? "sender" : "recipient",
771 yield == FAIL ? "fail" : "defer",
772 transport_name, strerror(errno));
775 transport_name = NULL;
776 deliver_host = deliver_host_address = NULL;
777 deliver_domain = save_deliver_domain;
779 /* Failure to accept HELO is cached; this blocks the whole domain for all
780 senders. I/O errors and defer responses are not cached. */
782 if (yield == FAIL && (errno == 0 || errno == ERRNO_SMTPCLOSED))
784 setflag(addr, af_verify_nsfail);
785 new_domain_record.result = ccache_reject;
793 /* If we needed to authenticate, smtp_setup_conn() did that. Copy
794 the AUTH info for logging */
796 addr->authenticator = client_authenticator;
797 addr->auth_id = client_authenticated_id;
799 sx->from_addr = from_address;
800 sx->first_addr = sx->sync_addr = addr;
801 sx->ok = FALSE; /*XXX these 3 last might not be needed for verify? */
802 sx->send_rset = TRUE;
803 sx->completed_addr = FALSE;
805 /*XXX do not want to write a cache record for ATRN */
806 new_domain_record.result = old_domain_cache_result == ccache_reject_mfnull
807 ? ccache_reject_mfnull : ccache_accept;
809 /* Do the random local part check first. Temporarily replace the recipient
810 with the "random" value */
812 if (random_local_part)
814 const uschar * main_address = addr->address;
815 const uschar * rcpt_domain = addr->domain;
818 uschar * errstr = NULL;
819 if ( testflag(addr, af_utf8_downcvt)
820 && (rcpt_domain = string_domain_utf8_to_alabel(rcpt_domain,
824 addr->message = errstr;
825 errno = ERRNO_EXPANDFAIL;
826 setflag(addr, af_verify_nsfail);
828 rcpt_domain = US""; /*XXX errorhandling! */
832 /* This would be ok for 1st rcpt of a cutthrough (the case handled here;
833 subsequents are done in cutthrough_multi()), but no way to
834 handle a subsequent because of the RSET vaporising the MAIL FROM.
835 So refuse to support any. Most cutthrough use will not involve
836 random_local_part, so no loss. */
837 cancel_cutthrough_connection(TRUE, US"random-recipient");
839 addr->address = string_sprintf("%s@%.1000s",
840 random_local_part, rcpt_domain);
843 /* If accepted, we aren't going to do any further tests below.
844 Otherwise, cache a real negative response, and get back to the right
845 state to send RCPT. Unless there's some problem such as a dropped
846 connection, we expect to succeed, because the commands succeeded above.
847 However, some servers drop the connection after responding to an
848 invalid recipient, so on (any) error we drop and remake the connection.
849 XXX We don't care about that for postmaster_full. Should we?
851 XXX could we add another flag to the context, and have the common
852 code emit the RSET too? Even pipelined after the RCPT...
853 Then the main-verify call could use it if there's to be a subsequent
855 The sync_responses() would need to be taught about it and we'd
856 need another return code filtering out to here.
858 Avoid using a SIZE option on the MAIL for all random-rcpt checks.
861 sx->avoid_option = OPTION_SIZE;
863 /* Remember when we last did a random test */
864 new_domain_record.random_stamp = time(NULL);
866 if (smtp_write_mail_and_rcpt_cmds(sx, &yield) == sw_mrc_ok)
867 switch(addr->transport_return)
869 case PENDING_OK: /* random was accepted, unfortunately */
870 new_domain_record.random_result = ccache_accept;
871 yield = OK; /* Only usable verify result we can return */
873 *failure_ptr = US"random";
875 case FAIL: /* rejected: the preferred result */
876 new_domain_record.random_result = ccache_reject;
877 sx->avoid_option = 0;
879 /* Between each check, issue RSET, because some servers accept only
880 one recipient after MAIL FROM:<>.
881 XXX We don't care about that for postmaster_full. Should we? */
884 smtp_write_command(sx, SCMD_FLUSH, "RSET\r\n") >= 0 &&
885 smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', callout)))
889 debug_printf_indent("problem after random/rset/mfrom; reopen conn\n");
890 random_local_part = NULL;
892 tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
894 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP(close)>>\n");
895 (void)close(sx->cctx.sock);
897 #ifndef DISABLE_EVENT
898 (void) event_raise(addr->transport->event_action,
899 US"tcp:close", NULL, NULL);
901 addr->address = main_address;
902 addr->transport_return = PENDING_DEFER;
903 sx->first_addr = sx->sync_addr = addr;
905 sx->send_rset = TRUE;
906 sx->completed_addr = FALSE;
907 goto tls_retry_connection;
908 case DEFER: /* 4xx response to random */
909 break; /* Just to be clear. ccache_unknown, !done. */
912 /* Re-setup for main verify, or for the error message when failing */
913 addr->address = main_address;
914 addr->transport_return = PENDING_DEFER;
915 sx->first_addr = sx->sync_addr = addr;
917 sx->send_rset = TRUE;
918 sx->completed_addr = FALSE;
923 /* Main verify. For rcpt-verify use SIZE if we know it and we're not cacheing;
924 for sndr-verify never use it. */
926 if (done && !(options & vopt_atrn))
928 if (!(options & vopt_is_recipient && options & vopt_callout_no_cache))
929 sx->avoid_option = OPTION_SIZE;
932 switch(smtp_write_mail_and_rcpt_cmds(sx, &yield))
935 switch(addr->transport_return) /* ok so far */
937 case PENDING_OK: done = TRUE;
938 new_address_record.result = ccache_accept;
940 case FAIL: done = TRUE;
942 *failure_ptr = US"recipient";
943 new_address_record.result = ccache_reject;
949 case sw_mrc_bad_mail: /* MAIL response error */
950 *failure_ptr = US"mail";
951 if (errno == 0 && sx->buffer[0] == '5')
953 setflag(addr, af_verify_nsfail);
954 if (from_address[0] == 0)
955 new_domain_record.result = ccache_reject_mfnull;
958 /* non-MAIL read i/o error */
959 /* non-MAIL response timeout */
960 /* internal error; channel still usable */
961 default: break; /* transmit failed */
965 addr->auth_sndr = client_authenticated_sender;
967 deliver_host = deliver_host_address = NULL;
968 deliver_domain = save_deliver_domain;
970 /* Do postmaster check if requested; if a full check is required, we
971 check for RCPT TO:<postmaster> (no domain) in accordance with RFC 821. */
973 if (done && pm_mailfrom)
975 /* Could possibly shift before main verify, just above, and be ok
976 for cutthrough. But no way to handle a subsequent rcpt, so just
978 cancel_cutthrough_connection(TRUE, US"postmaster verify");
979 HDEBUG(D_acl|D_v) debug_printf_indent("Cutthrough cancelled by presence of postmaster verify\n");
981 done = smtp_write_command(sx, SCMD_FLUSH, "RSET\r\n") >= 0
982 && smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', callout);
986 const uschar * main_address = addr->address;
988 /*XXX oops, affixes */
989 addr->address = string_sprintf("postmaster@%.1000s", addr->domain);
990 addr->transport_return = PENDING_DEFER;
992 sx->from_addr = pm_mailfrom;
993 sx->first_addr = sx->sync_addr = addr;
995 sx->send_rset = TRUE;
996 sx->completed_addr = FALSE;
997 sx->avoid_option = OPTION_SIZE;
999 if( smtp_write_mail_and_rcpt_cmds(sx, &yield) == sw_mrc_ok
1000 && addr->transport_return == PENDING_OK
1004 done = (options & vopt_callout_fullpm) != 0
1005 && smtp_write_command(sx, SCMD_FLUSH,
1006 "RCPT TO:<postmaster>\r\n") >= 0
1007 && smtp_read_response(sx, sx->buffer,
1008 sizeof(sx->buffer), '2', callout);
1010 /* Sort out the cache record */
1012 new_domain_record.postmaster_stamp = time(NULL);
1015 new_domain_record.postmaster_result = ccache_accept;
1016 else if (errno == 0 && sx->buffer[0] == '5')
1018 *failure_ptr = US"postmaster";
1019 setflag(addr, af_verify_pmfail);
1020 new_domain_record.postmaster_result = ccache_reject;
1023 addr->address = main_address;
1026 /* For any failure of the main check, other than a negative response, we just
1027 close the connection and carry on. We can identify a negative response by the
1028 fact that errno is zero. For I/O errors it will be non-zero
1030 Set up different error texts for logging and for sending back to the caller
1031 as an SMTP response. Log in all cases, using a one-line format. For sender
1032 callouts, give a full response to the caller, but for recipient callouts,
1033 don't give the IP address because this may be an internal host whose identity
1034 is not to be widely broadcast. */
1040 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
1041 sx->send_quit = FALSE;
1045 case ERRNO_UTF8_FWD:
1047 extern int acl_where; /* src/acl.c */
1049 addr->message = US"response to \"EHLO\" did not include SMTPUTF8";
1050 addr->user_message = acl_where == ACL_WHERE_RCPT
1051 ? US"533 no support for internationalised mailbox name"
1052 : US"550 mailbox unavailable";
1059 sx->send_quit = FALSE;
1063 if (*sx->buffer == 0) Ustrcpy(sx->buffer, US"connection dropped");
1065 /*XXX test here is ugly; seem to have a split of responsibility for
1066 building this message. Need to rationalise. Where is it done
1067 before here, and when not?
1068 Not == 5xx resp to MAIL on main-verify
1070 if (!addr->message) addr->message =
1071 string_sprintf("response to \"%s\" was: %s",
1072 big_buffer, string_printing(sx->buffer));
1074 /* RFC 5321 section 4.2: the text portion of the response may have only
1075 HT, SP, Printable US-ASCII. Deal with awkward chars by cutting the
1076 received message off before passing it onward. Newlines are ok; they
1077 just become a multiline response (but wrapped in the error code we
1080 for (uschar * s = sx->buffer;
1081 *s && s < sx->buffer + sizeof(sx->buffer);
1085 if (c != '\t' && c != '\n' && (c < ' ' || c > '~'))
1087 if (s - sx->buffer < sizeof(sx->buffer) - 12)
1088 memcpy(s, "(truncated)", 12);
1094 addr->user_message = options & vopt_is_recipient
1095 ? string_sprintf("Callout verification failed:\n%s", sx->buffer)
1096 : string_sprintf("Called: %s\nSent: %s\nResponse: %s",
1097 host->address, big_buffer, sx->buffer);
1099 /* Hard rejection ends the process */
1101 if (sx->buffer[0] == '5') /* Address rejected */
1109 /* End the SMTP conversation and close the connection. */
1111 /* Cutthrough - on a successful connect and recipient-verify with
1112 use-sender and we are 1st rcpt and have no cutthrough conn so far
1113 here is where we want to leave the conn open. Ditto for a lazy-close
1116 if (cutthrough.delivery)
1118 if (addr->transport->filter_command)
1120 cutthrough.delivery= FALSE;
1121 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n");
1123 #ifndef DISABLE_DKIM
1124 /* DKIM signing needs to add a header after seeing the whole body, so we cannot just copy
1125 body bytes to the outbound as they are received, which is the intent of cutthrough. */
1126 if (ob->dkim.dkim_domain)
1128 cutthrough.delivery= FALSE;
1129 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of DKIM signing\n");
1132 #ifdef EXPERIMENTAL_ARC
1135 cutthrough.delivery= FALSE;
1136 HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of ARC signing\n");
1141 if ( (cutthrough.delivery || options & vopt_callout_hold)
1145 && !(options & (vopt_callout_r_pmaster| vopt_success_on_redirect))
1146 && !random_local_part
1148 && cutthrough.cctx.sock < 0
1152 HDEBUG(D_acl|D_v) debug_printf_indent("holding verify callout open for %s\n",
1154 ? "cutthrough delivery" : "potential further verifies and delivery");
1156 cutthrough.callout_hold_only = !cutthrough.delivery;
1157 cutthrough.is_tls = tls_out.active.sock >= 0;
1158 /* We assume no buffer in use in the outblock */
1159 cutthrough.cctx = sx->cctx;
1160 cutthrough.nrcpt = 1;
1161 cutthrough.transport = addr->transport->drinst.name;
1162 cutthrough.interface = interface;
1163 cutthrough.snd_port = sending_port;
1164 cutthrough.peer_options = smtp_peer_options;
1165 cutthrough.host = *host;
1167 int oldpool = store_pool;
1168 store_pool = POOL_PERM;
1169 cutthrough.snd_ip = string_copy(sending_ip_address);
1170 cutthrough.host.name = string_copy(host->name);
1171 cutthrough.host.address = string_copy(host->address);
1172 store_pool = oldpool;
1175 /* Save the address_item and parent chain for later logging */
1176 cutthrough.addr = *addr;
1177 cutthrough.addr.next = NULL;
1178 cutthrough.addr.host_used = &cutthrough.host;
1179 for (address_item * caddr = &cutthrough.addr, * parent = addr->parent;
1181 caddr = caddr->parent, parent = parent->parent)
1182 *(caddr->parent = store_get(sizeof(address_item), GET_UNTAINTED)) = *parent;
1184 ctctx.outblock.buffer = ctbuffer;
1185 ctctx.outblock.buffersize = sizeof(ctbuffer);
1186 ctctx.outblock.ptr = ctbuffer;
1187 /* ctctx.outblock.cmd_count = 0; ctctx.outblock.authenticating = FALSE; */
1188 ctctx.outblock.cctx = &cutthrough.cctx;
1192 /* Ensure no cutthrough on multiple verifies that were incompatible */
1193 if (options & (vopt_callout_recipsender | vopt_callout_r_tptsender))
1194 cancel_cutthrough_connection(TRUE, US"not usable for cutthrough");
1195 if (sx->send_quit && sx->cctx.sock >= 0)
1196 if (smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n") != -1)
1197 /* Wait a short time for response, and discard it */
1198 smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', 1);
1200 if (sx->cctx.sock >= 0)
1203 if (sx->cctx.tls_ctx)
1205 tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
1206 sx->cctx.tls_ctx = NULL;
1209 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP(close)>>\n");
1210 (void)close(sx->cctx.sock);
1212 smtp_debug_cmd_report();
1213 #ifndef DISABLE_EVENT
1214 (void) event_raise(addr->transport->event_action, US"tcp:close", NULL, NULL);
1219 if (!done || yield != OK)
1220 addr->message = string_sprintf("%s [%s] : %s", host->name, host->address,
1222 } /* Loop through all hosts, while !done */
1225 /* If we get here with done == TRUE, a successful callout happened, and yield
1226 will be set OK or FAIL according to the response to the RCPT command.
1227 Otherwise, we looped through the hosts but couldn't complete the business.
1228 However, there may be domain-specific information to cache in both cases. */
1230 if (!(options & vopt_callout_no_cache))
1231 cache_callout_write(&new_domain_record, addr->domain,
1232 done, &new_address_record, address_key);
1234 /* Failure to connect to any host, or any response other than 2xx or 5xx is a
1235 temporary error. If there was only one host, and a response was received, leave
1236 it alone if supplying details. Otherwise, give a generic response. */
1240 uschar * dullmsg = string_sprintf("Could not complete %s verify callout",
1241 options & vopt_is_recipient ? "recipient" : "sender");
1244 addr->message = host_list->next || !addr->message
1245 ? dullmsg : string_sprintf("%s: %s", dullmsg, addr->message);
1247 addr->user_message = smtp_return_error_details
1248 ? string_sprintf("%s for <%s>.\n"
1249 "The mail server(s) for the domain may be temporarily unreachable, or\n"
1250 "they may be permanently unreachable from this server. In the latter case,\n%s",
1251 dullmsg, addr->address,
1252 options & vopt_is_recipient
1253 ? "the address will never be accepted."
1254 : "you need to change the address or create an MX record for its domain\n"
1255 "if it is supposed to be generally accessible from the Internet.\n"
1256 "Talk to your mail administrator for details.")
1259 /* Force a specific error code */
1261 addr->basic_errno = ERRNO_CALLOUTDEFER;
1264 /* Come here from within the cache-reading code on fast-track exit. */
1267 if (!(options & vopt_atrn))
1268 tls_modify_variables(&tls_in); /* return variables to inbound values */
1274 /* Called after recipient-acl to get a cutthrough connection open when
1275 one was requested and a recipient-verify wasn't subsequently done.
1278 open_cutthrough_connection(address_item * addr, BOOL transport_sender)
1283 /* Use a recipient-verify-callout to set up the cutthrough connection. */
1284 /* We must use a copy of the address for verification, because it might
1288 HDEBUG(D_acl) debug_printf_indent("----------- %s cutthrough setup ------------\n",
1289 rcpt_count > 1 ? "more" : "start");
1291 vopt = transport_sender
1292 ? vopt_is_recipient | vopt_callout_r_tptsender | vopt_callout_no_cache
1293 : vopt_is_recipient | vopt_callout_recipsender | vopt_callout_no_cache;
1295 rc = verify_address(&addr2, NULL, vopt, CUTTHROUGH_CMD_TIMEOUT, -1, -1,
1297 addr->message = addr2.message;
1298 addr->user_message = addr2.user_message;
1299 HDEBUG(D_acl) debug_printf_indent("----------- end cutthrough setup ------------\n");
1305 /* Send given number of bytes from the buffer */
1307 cutthrough_send(int n)
1309 if(cutthrough.cctx.sock < 0)
1315 ? tls_write(cutthrough.cctx.tls_ctx, ctctx.outblock.buffer, n, FALSE)
1318 send(cutthrough.cctx.sock, ctctx.outblock.buffer, n, 0) > 0
1321 transport_count += n;
1322 ctctx.outblock.ptr= ctctx.outblock.buffer;
1326 HDEBUG(D_transport|D_acl) debug_printf_indent("cutthrough_send failed: %s\n", strerror(errno));
1333 _cutthrough_puts(const uschar * cp, int n)
1337 if(ctctx.outblock.ptr >= ctctx.outblock.buffer+ctctx.outblock.buffersize)
1338 if(!cutthrough_send(ctctx.outblock.buffersize))
1341 *ctctx.outblock.ptr++ = *cp++;
1346 /* Buffered output of counted data block. Return boolean success */
1348 cutthrough_puts(const uschar * cp, int n)
1350 if (cutthrough.cctx.sock < 0) return TRUE;
1351 if (_cutthrough_puts(cp, n)) return TRUE;
1352 cancel_cutthrough_connection(TRUE, US"transmit failed");
1357 cutthrough_data_puts(uschar * cp, int n)
1359 if (cutthrough.delivery) (void) cutthrough_puts(cp, n);
1365 _cutthrough_flush_send(void)
1367 int n = ctctx.outblock.ptr - ctctx.outblock.buffer;
1370 if(!cutthrough_send(n))
1376 /* Send out any bufferred output. Return boolean success. */
1378 cutthrough_flush_send(void)
1380 if (_cutthrough_flush_send()) return TRUE;
1381 cancel_cutthrough_connection(TRUE, US"transmit failed");
1387 cutthrough_put_nl(void)
1389 return cutthrough_puts(US"\r\n", 2);
1394 cutthrough_data_put_nl(void)
1396 cutthrough_data_puts(US"\r\n", 2);
1400 /* Get and check response from cutthrough target.
1405 - cutthrough conn close
1408 cutthrough_response(client_conn_ctx * cctx, char expect, uschar ** copy, int timeout)
1410 smtp_context sx = {0};
1411 uschar inbuffer[4096];
1412 uschar responsebuffer[4096];
1414 sx.inblock.buffer = inbuffer;
1415 sx.inblock.buffersize = sizeof(inbuffer);
1416 sx.inblock.ptr = inbuffer;
1417 sx.inblock.ptrend = inbuffer;
1418 sx.inblock.cctx = cctx;
1419 if(!smtp_read_response(&sx, responsebuffer, sizeof(responsebuffer), expect, timeout))
1420 cancel_cutthrough_connection(TRUE, US"unexpected response to smtp command");
1425 *copy = cp = string_copy(responsebuffer);
1426 /* Trim the trailing end of line */
1427 cp += Ustrlen(responsebuffer);
1428 if(cp > *copy && cp[-1] == '\n') *--cp = '\0';
1429 if(cp > *copy && cp[-1] == '\r') *--cp = '\0';
1432 return responsebuffer[0];
1436 /* Negotiate dataphase with the cutthrough target, returning success boolean */
1438 cutthrough_predata(void)
1440 if(cutthrough.cctx.sock < 0 || cutthrough.callout_hold_only)
1443 smtp_debug_cmd(US"DATA", 0);
1444 cutthrough_puts(US"DATA\r\n", 6);
1445 cutthrough_flush_send();
1447 /* Assume nothing buffered. If it was it gets ignored. */
1448 return cutthrough_response(&cutthrough.cctx, '3', NULL, CUTTHROUGH_DATA_TIMEOUT) == '3';
1452 /* tctx arg only to match write_chunk() */
1454 cutthrough_write_chunk(transport_ctx * tctx, const uschar * s, int len)
1457 while(s && (s2 = Ustrchr(s, '\n')))
1459 if(!cutthrough_puts(s, s2-s) || !cutthrough_put_nl())
1467 /* Buffered send of headers. Return success boolean. */
1468 /* Expands newlines to wire format (CR,NL). */
1469 /* Also sends header-terminating blank line. */
1471 cutthrough_headers_send(void)
1475 if(cutthrough.cctx.sock < 0 || cutthrough.callout_hold_only)
1478 /* We share a routine with the mainline transport to handle header add/remove/rewrites,
1479 but having a separate buffered-output function (for now)
1481 HDEBUG(D_acl) debug_printf_indent("----------- start cutthrough headers send -----------\n");
1483 tctx.u.fd = cutthrough.cctx.sock;
1484 tctx.tblock = cutthrough.addr.transport;
1485 tctx.addr = &cutthrough.addr;
1486 tctx.check_string = US".";
1487 tctx.escape_string = US"..";
1488 /*XXX check under spool_files_wireformat. Might be irrelevant */
1489 tctx.options = topt_use_crlf;
1491 if (!transport_headers_send(&tctx, &cutthrough_write_chunk))
1494 HDEBUG(D_acl) debug_printf_indent("----------- done cutthrough headers send ------------\n");
1500 close_cutthrough_connection(const uschar * why)
1502 int fd = cutthrough.cctx.sock;
1505 /* We could be sending this after a bunch of data, but that is ok as
1506 the only way to cancel the transfer in dataphase is to drop the tcp
1507 conn before the final dot.
1509 client_conn_ctx tmp_ctx = cutthrough.cctx;
1510 ctctx.outblock.ptr = ctbuffer;
1511 smtp_debug_cmd(US"QUIT", 0);
1512 _cutthrough_puts(US"QUIT\r\n", 6); /* avoid recursion */
1513 _cutthrough_flush_send();
1514 cutthrough.cctx.sock = -1; /* avoid recursion via read timeout */
1515 cutthrough.nrcpt = 0; /* permit re-cutthrough on subsequent message */
1517 /* Wait a short time for response, and discard it */
1518 cutthrough_response(&tmp_ctx, '2', NULL, 1);
1521 if (cutthrough.is_tls)
1523 tls_close(cutthrough.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
1524 cutthrough.cctx.tls_ctx = NULL;
1525 cutthrough.is_tls = FALSE;
1528 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP(close)>>\n");
1530 smtp_debug_cmd_report();
1531 HDEBUG(D_acl) debug_printf_indent("----------- cutthrough shutdown (%s) ------------\n", why);
1533 ctctx.outblock.ptr = ctbuffer;
1537 cancel_cutthrough_connection(BOOL close_noncutthrough_verifies, const uschar * why)
1539 if (cutthrough.delivery || close_noncutthrough_verifies)
1540 close_cutthrough_connection(why);
1541 cutthrough.delivery = cutthrough.callout_hold_only = FALSE;
1546 release_cutthrough_connection(const uschar * why)
1548 if (cutthrough.cctx.sock < 0) return;
1549 HDEBUG(D_acl) debug_printf_indent("release cutthrough conn: %s\n", why);
1550 cutthrough.cctx.sock = -1;
1551 cutthrough.cctx.tls_ctx = NULL;
1552 cutthrough.delivery = cutthrough.callout_hold_only = FALSE;
1558 /* Have senders final-dot. Send one to cutthrough target, and grab the response.
1559 Log an OK response as a transmission.
1560 Close the connection.
1561 Return smtp response-class digit.
1564 cutthrough_finaldot(void)
1567 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP>> .\n");
1569 /* Assume data finshed with new-line */
1570 if( !cutthrough_puts(US".", 1)
1571 || !cutthrough_put_nl()
1572 || !cutthrough_flush_send()
1574 return cutthrough.addr.message;
1576 res = cutthrough_response(&cutthrough.cctx, '2', &cutthrough.addr.message,
1577 CUTTHROUGH_DATA_TIMEOUT);
1578 for (address_item * addr = &cutthrough.addr; addr; addr = addr->next)
1580 addr->message = cutthrough.addr.message;
1584 delivery_log(LOG_MAIN, addr, (int)'>', NULL);
1585 close_cutthrough_connection(US"delivered");
1589 delivery_log(LOG_MAIN, addr, 0,
1590 US"tmp-reject from cutthrough after DATA:");
1594 delivery_log(LOG_MAIN|LOG_REJECT, addr, 0,
1595 US"rejected after DATA:");
1602 return cutthrough.addr.message;
1607 /*************************************************
1608 * Copy error to toplevel address *
1609 *************************************************/
1611 /* This function is used when a verify fails or defers, to ensure that the
1612 failure or defer information is in the original toplevel address. This applies
1613 when an address is redirected to a single new address, and the failure or
1614 deferral happens to the child address.
1617 vaddr the verify address item
1618 addr the final address item
1621 Returns: the value of YIELD
1625 copy_error(address_item *vaddr, address_item *addr, int yield)
1629 vaddr->message = addr->message;
1630 vaddr->user_message = addr->user_message;
1631 vaddr->basic_errno = addr->basic_errno;
1632 vaddr->more_errno = addr->more_errno;
1633 vaddr->prop.address_data = addr->prop.address_data;
1634 vaddr->prop.variables = NULL;
1635 tree_dup((tree_node **)&vaddr->prop.variables, addr->prop.variables);
1636 copyflag(vaddr, addr, af_pass_message);
1644 /**************************************************
1645 * printf that automatically handles TLS if needed *
1646 ***************************************************/
1648 /* This function is used by verify_address() as a substitute for all fprintf()
1649 calls; a direct fprintf() will not produce output in a TLS SMTP session, such
1650 as a response to an EXPN command. smtp_in.c makes smtp_printf available but
1651 that assumes that we always use the smtp_out FILE* when not using TLS or the
1652 ssl buffer when we are. Instead we take a FILE* parameter and check to see if
1653 that is smtp_out; if so, smtp_printf() with TLS support, otherwise regular
1657 f the candidate FILE* to write to
1658 format format string
1659 ... optional arguments
1665 static void PRINTF_FUNCTION(2,3)
1666 respond_printf(FILE *f, const char *format, ...)
1670 va_start(ap, format);
1671 if (smtp_out && (f == smtp_out))
1672 smtp_vprintf(format, FALSE, ap);
1674 vfprintf(f, format, ap);
1680 /*************************************************
1681 * Verify an email address *
1682 *************************************************/
1684 /* This function is used both for verification (-bv and at other times) and
1685 address testing (-bt), which is indicated by address_test_mode being set.
1688 vaddr contains the address to verify; the next field in this block
1690 fp if not NULL, write the result to this file
1691 options various option bits:
1692 vopt_fake_sender => this sender verify is not for the real
1693 sender (it was verify=sender=xxxx or an address from a
1694 header line) - rewriting must not change sender_address
1695 vopt_is_recipient => this is a recipient address, otherwise
1696 it's a sender address - this affects qualification and
1697 rewriting and messages from callouts
1698 vopt_qualify => qualify an unqualified address; else error
1699 vopt_expn => called from SMTP EXPN command
1700 vopt_success_on_redirect => when a new address is generated
1701 the verification instantly succeeds
1703 These ones are used by do_callout() -- the options variable
1706 vopt_callout_fullpm => if postmaster check, do full one
1707 vopt_callout_no_cache => don't use callout cache
1708 vopt_callout_random => do the "random" thing
1709 vopt_callout_recipsender => use real sender for recipient
1710 vopt_callout_recippmaster => use postmaster for recipient
1711 vopt_callout_r_tptsender => use sender as defined by tpt
1713 callout if > 0, specifies that callout is required, and gives timeout
1714 for individual commands
1715 callout_overall if > 0, gives overall timeout for the callout function;
1716 if < 0, a default is used (see do_callout())
1717 callout_connect the connection timeout for callouts
1718 se_mailfrom when callout is requested to verify a sender, use this
1719 in MAIL FROM; NULL => ""
1720 pm_mailfrom when callout is requested, if non-NULL, do the postmaster
1721 thing and use this as the sender address (may be "")
1723 routed if not NULL, set TRUE if routing succeeded, so we can
1724 distinguish between routing failed and callout failed
1726 Returns: OK address verified
1727 FAIL address failed to verify
1728 DEFER can't tell at present
1732 verify_address(address_item * vaddr, FILE * fp, int options, int callout,
1733 int callout_overall, int callout_connect, uschar * se_mailfrom,
1734 uschar *pm_mailfrom, BOOL *routed)
1737 BOOL full_info = fp ? debug_selector != 0 : FALSE;
1738 BOOL expn = (options & vopt_expn) != 0;
1739 BOOL success_on_redirect = (options & vopt_success_on_redirect) != 0;
1742 int verify_type = expn ? v_expn :
1743 f.address_test_mode ? v_none :
1744 options & vopt_is_recipient ? v_recipient : v_sender;
1745 address_item * addr_list, * addr_new = NULL, * addr_remote = NULL;
1746 address_item * addr_local = NULL, * addr_succeed = NULL;
1747 uschar ** failure_ptr = options & vopt_is_recipient
1748 ? &recipient_verify_failure : &sender_verify_failure;
1749 uschar * ko_prefix, * cr;
1750 const uschar * address = vaddr->address, * save_sender;
1751 uschar null_sender[] = { 0 }; /* Ensure writeable memory */
1753 /* Clear, just in case */
1755 *failure_ptr = NULL;
1757 /* Set up a prefix and suffix for error message which allow us to use the same
1758 output statements both in EXPN mode (where an SMTP response is needed) and when
1759 debugging with an output file. */
1763 ko_prefix = US"553 ";
1766 else ko_prefix = cr = US"";
1768 /* Add qualify domain if permitted; otherwise an unqualified address fails. */
1770 if (parse_find_at(address) == NULL)
1772 if (!(options & vopt_qualify))
1775 respond_printf(fp, "%sA domain is required for \"%s\"%s\n",
1776 ko_prefix, address, cr);
1777 *failure_ptr = US"qualify";
1780 /* deconst ok as address was not const */
1781 address = US rewrite_address_qualify(address, options & vopt_is_recipient);
1786 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1787 debug_printf("%s %s\n", f.address_test_mode? "Testing" : "Verifying", address);
1790 /* Rewrite and report on it. Clear the domain and local part caches - these
1791 may have been set by domains and local part tests during an ACL. */
1793 if (global_rewrite_rules)
1795 const uschar * old = address;
1796 address = rewrite_address(address, options & vopt_is_recipient, FALSE,
1797 global_rewrite_rules, rewrite_existflags);
1800 for (int i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->localpart_cache[i] = 0;
1801 for (int i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->domain_cache[i] = 0;
1802 if (fp && !expn) fprintf(fp, "Address rewritten as: %s\n", address);
1806 /* If this is the real sender address, we must update sender_address at
1807 this point, because it may be referred to in the routers. */
1809 if (!(options & (vopt_fake_sender|vopt_is_recipient)))
1810 sender_address = address;
1812 /* If the address was rewritten to <> no verification can be done, and we have
1813 to return OK. This rewriting is permitted only for sender addresses; for other
1814 addresses, such rewriting fails. */
1816 if (!address[0]) return OK;
1818 /* Flip the legacy TLS-related variables over to the outbound set in case
1819 they're used in the context of a transport used by verification. Reset them
1820 at exit from this routine (so no returns allowed from here on). */
1822 tls_modify_variables(&tls_out);
1824 /* Save a copy of the sender address for re-instating if we change it to <>
1825 while verifying a sender address (a nice bit of self-reference there). */
1827 save_sender = sender_address;
1829 /* Observability variable for router/transport use */
1831 verify_mode = options & vopt_is_recipient ? US"R" : US"S";
1833 /* Update the address structure with the possibly qualified and rewritten
1834 address. Set it up as the starting address on the chain of new addresses. */
1836 vaddr->address = address;
1839 /* We need a loop, because an address can generate new addresses. We must also
1840 cope with generated pipes and files at the top level. (See also the code and
1841 comment in deliver.c.) However, it is usually the case that the router for
1842 user's .forward files has its verify flag turned off.
1844 If an address generates more than one child, the loop is used only when
1845 full_info is set, and this can only be set locally. Remote enquiries just get
1846 information about the top level address, not anything that it generated. */
1851 address_item *addr = addr_new;
1853 addr_new = addr->next;
1858 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1859 debug_printf("Considering %s\n", addr->address);
1862 /* Handle generated pipe, file or reply addresses. We don't get these
1863 when handling EXPN, as it does only one level of expansion. */
1865 if (testflag(addr, af_pfr))
1872 if (addr->address[0] == '>')
1874 allow = testflag(addr, af_allow_reply);
1875 fprintf(fp, "%s -> mail %s", addr->parent->address, addr->address + 1);
1879 allow = addr->address[0] == '|'
1880 ? testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file);
1881 fprintf(fp, "%s -> %s", addr->parent->address, addr->address);
1884 if (addr->basic_errno == ERRNO_BADTRANSPORT)
1885 fprintf(fp, "\n*** Error in setting up pipe, file, or autoreply:\n"
1886 "%s\n", addr->message);
1888 fprintf(fp, "\n transport = %s\n", addr->transport->drinst.name);
1890 fprintf(fp, " *** forbidden ***\n");
1895 /* Just in case some router parameter refers to it. */
1897 return_path = addr->prop.errors_address
1898 ? addr->prop.errors_address : sender_address;
1900 /* Split the address into domain and local part, handling the %-hack if
1901 necessary, and then route it. While routing a sender address, set
1902 $sender_address to <> because that is what it will be if we were trying to
1903 send a bounce to the sender. */
1905 if (routed) *routed = FALSE;
1906 if ((rc = deliver_split_address(addr)) == OK)
1908 if (!(options & vopt_is_recipient)) sender_address = null_sender;
1909 rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
1910 &addr_succeed, verify_type);
1911 sender_address = save_sender; /* Put back the real sender */
1914 /* If routing an address succeeded, set the flag that remembers, for use when
1915 an ACL cached a sender verify (in case a callout fails). Then if routing set
1916 up a list of hosts or the transport has a host list, and the callout option
1917 is set, and we aren't in a host checking run, do the callout verification,
1918 and set another flag that notes that a callout happened. */
1922 BOOL local_verify = FALSE;
1924 if (routed) *routed = TRUE;
1927 transport_instance * tp;
1928 host_item * host_list = addr->host_list;
1930 /* Make up some data for use in the case where there is no remote
1933 transport_feedback tf = {
1934 .interface = NULL, /* interface (=> any) */
1936 .protocol = US"smtp",
1938 .helo_data = US"$smtp_active_hostname",
1939 .hosts_override = FALSE,
1940 .hosts_randomize = FALSE,
1941 .gethostbyname = FALSE,
1942 .qualify_single = TRUE,
1943 .search_parents = FALSE
1946 /* If verification yielded a remote transport, we want to use that
1947 transport's options, so as to mimic what would happen if we were really
1948 sending a message to this address. */
1950 if ((tp = addr->transport))
1952 transport_info * ti = tp->drinst.info;
1955 (void)(tp->setup)(tp, addr, &tf, 0, 0, NULL);
1957 /* If the transport has hosts and the router does not, or if the
1958 transport is configured to override the router's hosts, we must build a
1959 host list of the transport's hosts, and find the IP addresses */
1961 if (tf.hosts && (!host_list || tf.hosts_override))
1964 const uschar * save_deliver_domain = deliver_domain;
1965 const uschar * save_deliver_localpart = deliver_localpart;
1967 host_list = NULL; /* Ignore the router's hosts */
1969 deliver_domain = addr->domain;
1970 deliver_localpart = addr->local_part;
1971 s = expand_string(tf.hosts);
1972 deliver_domain = save_deliver_domain;
1973 deliver_localpart = save_deliver_localpart;
1977 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand list of hosts "
1978 "\"%s\" in %s transport for callout: %s", tf.hosts,
1979 tp->drinst.name, expand_string_message);
1984 host_build_hostlist(&host_list, s, tf.hosts_randomize);
1986 /* Just ignore failures to find a host address. If we don't manage
1987 to find any addresses, the callout will defer. Note that more than
1988 one address may be found for a single host, which will result in
1989 additional host items being inserted into the chain. Hence we must
1990 save the next host first. */
1992 flags = HOST_FIND_BY_A | HOST_FIND_BY_AAAA;
1993 if (tf.qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
1994 if (tf.search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
1996 for (host_item * host = host_list, * nexthost; host; host = nexthost)
1998 nexthost = host->next;
1999 if (tf.gethostbyname ||
2000 string_is_ip_address(host->name, NULL) != 0)
2001 (void)host_find_byname(host, NULL, flags, NULL, TRUE);
2004 const dnssec_domains * dsp = NULL;
2005 if (Ustrcmp(tp->drinst.driver_name, "smtp") == 0)
2007 smtp_transport_options_block * ob = tp->drinst.options_block;
2011 (void) host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
2018 else if ( options & vopt_quota
2019 && Ustrcmp(tp->drinst.driver_name, "appendfile") == 0)
2020 local_verify = TRUE;
2023 /* Can only do a callout if we have at least one host! If the callout
2024 fails, it will have set ${sender,recipient}_verify_failure. */
2029 debug_printf("Attempting full verification using callout\n");
2030 if (host_checking && !f.host_checking_callout)
2033 debug_printf("... callout omitted by default when host testing\n"
2034 "(Use -bhc if you want the callouts to happen.)\n");
2038 deliver_set_expansions(addr);
2039 rc = do_callout(addr, host_list, &tf, callout, callout_overall,
2040 callout_connect, options, se_mailfrom, pm_mailfrom);
2041 deliver_set_expansions(NULL);
2043 if ( options & vopt_is_recipient
2045 /* set to "random", with OK, for an accepted random */
2046 && !recipient_verify_failure
2048 callout_verified_rcpt(addr);
2051 else if (local_verify)
2053 HDEBUG(D_verify) debug_printf("Attempting quota verification\n");
2055 deliver_set_expansions(addr);
2056 deliver_local(addr, TRUE);
2057 rc = addr->transport_return;
2060 HDEBUG(D_verify) debug_printf("Cannot do callout: neither router nor "
2061 "transport provided a host list, or transport is not smtp\n");
2065 /* Otherwise, any failure is a routing failure */
2067 else *failure_ptr = US"route";
2069 /* A router may return REROUTED if it has set up a child address as a result
2070 of a change of domain name (typically from widening). In this case we always
2071 want to continue to verify the new child. */
2073 if (rc == REROUTED) continue;
2075 /* Handle hard failures */
2082 address_item *p = addr->parent;
2084 respond_printf(fp, "%s%s %s", ko_prefix,
2085 full_info ? addr->address : address,
2086 f.address_test_mode ? "is undeliverable" : "failed to verify");
2087 if (!expn && f.admin_user)
2089 if (addr->basic_errno > 0)
2090 respond_printf(fp, ": %s", strerror(addr->basic_errno));
2092 respond_printf(fp, ": %s", addr->message);
2095 /* Show parents iff doing full info */
2097 if (full_info) while (p)
2099 respond_printf(fp, "%s\n <-- %s", cr, p->address);
2102 respond_printf(fp, "%s\n", cr);
2104 cancel_cutthrough_connection(TRUE, US"routing hard fail");
2108 yield = copy_error(vaddr, addr, FAIL);
2116 else if (rc == DEFER)
2121 address_item *p = addr->parent;
2122 respond_printf(fp, "%s%s cannot be resolved at this time", ko_prefix,
2123 full_info? addr->address : address);
2124 if (!expn && f.admin_user)
2126 if (addr->basic_errno > 0)
2127 respond_printf(fp, ": %s", strerror(addr->basic_errno));
2129 respond_printf(fp, ": %s", addr->message);
2130 else if (addr->basic_errno <= 0)
2131 respond_printf(fp, ": unknown error");
2134 /* Show parents iff doing full info */
2136 if (full_info) while (p)
2138 respond_printf(fp, "%s\n <-- %s", cr, p->address);
2141 respond_printf(fp, "%s\n", cr);
2143 cancel_cutthrough_connection(TRUE, US"routing soft fail");
2147 yield = copy_error(vaddr, addr, DEFER);
2150 if (yield == OK) yield = DEFER;
2153 /* If we are handling EXPN, we do not want to continue to route beyond
2154 the top level (whose address is in "address"). */
2158 uschar *ok_prefix = US"250-";
2161 if (!addr_local && !addr_remote)
2162 respond_printf(fp, "250 mail to <%s> is discarded\r\n", address);
2164 respond_printf(fp, "250 <%s>\r\n", address);
2168 address_item *addr2 = addr_new;
2169 addr_new = addr2->next;
2170 if (!addr_new) ok_prefix = US"250 ";
2171 respond_printf(fp, "%s<%s>\r\n", ok_prefix, addr2->address);
2177 /* Successful routing other than EXPN. */
2181 /* Handle successful routing when short info wanted. Otherwise continue for
2182 other (generated) addresses. Short info is the operational case. Full info
2183 can be requested only when debug_selector != 0 and a file is supplied.
2185 There is a conflict between the use of aliasing as an alternate email
2186 address, and as a sort of mailing list. If an alias turns the incoming
2187 address into just one address (e.g. J.Caesar->jc44) you may well want to
2188 carry on verifying the generated address to ensure it is valid when
2189 checking incoming mail. If aliasing generates multiple addresses, you
2190 probably don't want to do this. Exim therefore treats the generation of
2191 just a single new address as a special case, and continues on to verify the
2192 generated address. */
2194 if ( !full_info /* Stop if short info wanted AND */
2195 && ( ( !addr_new /* No new address OR */
2196 || addr_new->next /* More than one new address OR */
2197 || testflag(addr_new, af_pfr) /* New address is pfr */
2200 ( addr_new /* At least one new address AND */
2201 && success_on_redirect /* success_on_redirect is set */
2205 if (fp) fprintf(fp, "%s %s\n",
2206 address, f.address_test_mode ? "is deliverable" : "verified");
2208 /* If we have carried on to verify a child address, we want the value
2209 of $address_data to be that of the child */
2211 vaddr->prop.address_data = addr->prop.address_data;
2212 vaddr->prop.variables = NULL;
2213 tree_dup((tree_node **)&vaddr->prop.variables, addr->prop.variables);
2215 /* If stopped because more than one new address, cannot cutthrough */
2217 if (addr_new && addr_new->next)
2218 cancel_cutthrough_connection(TRUE, US"multiple addresses from routing");
2224 } /* Loop for generated addresses */
2226 /* Display the full results of the successful routing, including any generated
2227 addresses. Control gets here only when full_info is set, which requires fp not
2228 to be NULL, and this occurs only when a top-level verify is called with the
2229 debugging switch on.
2231 If there are no local and no remote addresses, and there were no pipes, files,
2232 or autoreplies, and there were no errors or deferments, the message is to be
2233 discarded, usually because of the use of :blackhole: in an alias file. */
2235 if (allok && !addr_local && !addr_remote)
2237 fprintf(fp, "mail to %s is discarded\n", address);
2241 for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
2244 address_item * addr = addr_list;
2245 transport_instance * tp = addr->transport;
2247 addr_list = addr->next;
2249 fprintf(fp, "%s", CS addr->address);
2251 /* If the address is a duplicate, show something about it. */
2253 if (!testflag(addr, af_pfr))
2256 if ((tnode = tree_search(tree_duplicates, addr->unique)))
2257 fprintf(fp, " [duplicate, would not be delivered]");
2258 else tree_add_duplicate(addr->unique, addr);
2261 /* Now show its parents */
2263 for (address_item * p = addr->parent; p; p = p->parent)
2264 fprintf(fp, "\n <-- %s", p->address);
2267 /* Show router, and transport */
2269 fprintf(fp, "router = %s, transport = %s\n",
2270 addr->router->drinst.name, tp ? tp->drinst.name : US"unset");
2272 /* Show any hosts that are set up by a router unless the transport
2273 is going to override them; fiddle a bit to get a nice format. */
2275 if (addr->host_list && tp && !tp->overrides_hosts)
2277 transport_info * ti = tp->drinst.info;
2280 for (host_item * h = addr->host_list; h; h = h->next)
2281 { /* get max lengths of host names, addrs */
2282 int len = Ustrlen(h->name);
2283 if (len > maxlen) maxlen = len;
2284 len = h->address ? Ustrlen(h->address) : 7;
2285 if (len > maxaddlen) maxaddlen = len;
2287 for (host_item * h = addr->host_list; h; h = h->next)
2289 fprintf(fp, " host %-*s ", maxlen, h->name);
2292 fprintf(fp, "[%s%-*c", h->address, maxaddlen+1 - Ustrlen(h->address), ']');
2294 fprintf(fp, " %-*s ", maxaddlen, ""); /* Omit [unknown] for local */
2296 fprintf(fp, "[%s%-*c", "unknown", maxaddlen+1 - 7, ']');
2298 if (h->mx >= 0) fprintf(fp, " MX=%d", h->mx);
2299 if (h->port != PORT_NONE) fprintf(fp, " port=%d", h->port);
2300 if (f.running_in_test_harness && h->dnssec == DS_YES) fputs(" AD", fp);
2301 if (h->status == hstatus_unusable) fputs(" ** unusable **", fp);
2307 /* Yield will be DEFER or FAIL if any one address has, only for full_info (which is
2308 the -bv or -bt case). */
2312 if (!(options & vopt_atrn))
2313 tls_modify_variables(&tls_in); /* return variables to inbound values */
2321 /*************************************************
2322 * Check headers for syntax errors *
2323 *************************************************/
2325 /* This function checks those header lines that contain addresses, and verifies
2326 that all the addresses therein are 5322-syntactially correct.
2329 msgptr where to put an error message
2336 verify_check_headers(uschar **msgptr)
2341 for (header_line * h = header_list; h && yield == OK; h = h->next)
2343 if (h->type != htype_from &&
2344 h->type != htype_reply_to &&
2345 h->type != htype_sender &&
2346 h->type != htype_to &&
2347 h->type != htype_cc &&
2348 h->type != htype_bcc)
2351 colon = Ustrchr(h->text, ':');
2353 Uskip_whitespace(&s);
2355 /* Loop for multiple addresses in the header, enabling group syntax. Note
2356 that we have to reset this after the header has been scanned. */
2358 f.parse_allow_group = TRUE;
2362 uschar *ss = parse_find_address_end(s, FALSE);
2363 uschar *recipient, *errmess;
2364 int terminator = *ss;
2365 int start, end, domain;
2367 /* Temporarily terminate the string at this point, and extract the
2368 operative address within, allowing group syntax. */
2371 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
2374 /* Permit an unqualified address only if the message is local, or if the
2375 sending host is configured to be permitted to send them. */
2377 if (recipient && !domain)
2379 if (h->type == htype_from || h->type == htype_sender)
2381 if (!f.allow_unqualified_sender) recipient = NULL;
2385 if (!f.allow_unqualified_recipient) recipient = NULL;
2387 if (!recipient) errmess = US"unqualified address not permitted";
2390 /* It's an error if no address could be extracted, except for the special
2391 case of an empty address. */
2393 if (!recipient && Ustrcmp(errmess, "empty address") != 0)
2395 uschar *verb = US"is";
2400 /* Arrange not to include any white space at the end in the
2401 error message or the header name. */
2403 while (t > s && isspace(t[-1])) t--;
2404 while (tt > h->text && isspace(tt[-1])) tt--;
2406 /* Add the address that failed to the error message, since in a
2407 header with very many addresses it is sometimes hard to spot
2408 which one is at fault. However, limit the amount of address to
2409 quote - cases have been seen where, for example, a missing double
2410 quote in a humungous To: header creates an "address" that is longer
2411 than string_sprintf can handle. */
2420 /* deconst cast ok as we're passing a non-const to string_printing() */
2421 *msgptr = US string_printing(
2422 string_sprintf("%s: failing address in \"%.*s:\" header %s: %.*s",
2423 errmess, (int)(tt - h->text), h->text, verb, len, s));
2426 break; /* Out of address loop */
2429 /* Advance to the next address */
2431 s = ss + (terminator ? 1 : 0);
2432 Uskip_whitespace(&s);
2433 } /* Next address */
2435 f.parse_allow_group = FALSE;
2436 f.parse_found_group = FALSE;
2437 } /* Next header unless yield has been set FALSE */
2443 /*************************************************
2444 * Check header names for 8-bit characters *
2445 *************************************************/
2447 /* This function checks for invalid characters in header names. See
2448 RFC 5322, 2.2. and RFC 6532, 3.
2451 msgptr where to put an error message
2458 verify_check_header_names_ascii(uschar **msgptr)
2462 for (header_line * h = header_list; h; h = h->next)
2464 colon = Ustrchr(h->text, ':');
2465 for(uschar * s = h->text; s < colon; s++)
2466 if ((*s < 33) || (*s > 126))
2468 *msgptr = string_sprintf("Invalid character in header \"%.*s\" found",
2469 (int)(colon - h->text), h->text);
2476 /*************************************************
2477 * Check for blind recipients *
2478 *************************************************/
2480 /* This function checks that every (envelope) recipient is mentioned in either
2481 the To: or Cc: header lines, thus detecting blind carbon copies.
2483 There are two ways of scanning that could be used: either scan the header lines
2484 and tick off the recipients, or scan the recipients and check the header lines.
2485 The original proposed patch did the former, but I have chosen to do the latter,
2486 because (a) it requires no memory and (b) will use fewer resources when there
2487 are many addresses in To: and/or Cc: and only one or two envelope recipients.
2489 Arguments: case_sensitive true if case sensitive matching should be used
2490 Returns: OK if there are no blind recipients
2491 FAIL if there is at least one blind recipient
2495 verify_check_notblind(BOOL case_sensitive)
2497 for (int i = 0; i < recipients_count; i++)
2500 const uschar * address = recipients_list[i].address;
2502 for (header_line * h = header_list; !found && h; h = h->next)
2504 uschar * colon, * s;
2506 if (h->type != htype_to && h->type != htype_cc) continue;
2508 colon = Ustrchr(h->text, ':');
2510 Uskip_whitespace(&s);
2512 /* Loop for multiple addresses in the header, enabling group syntax. Note
2513 that we have to reset this after the header has been scanned. */
2515 f.parse_allow_group = TRUE;
2519 uschar * ss = parse_find_address_end(s, FALSE);
2520 uschar * recipient, * errmess;
2521 int terminator = *ss;
2522 int start, end, domain;
2524 /* Temporarily terminate the string at this point, and extract the
2525 operative address within, allowing group syntax. */
2528 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
2531 /* If we found a valid recipient that has a domain, compare it with the
2532 envelope recipient. Local parts are compared with case-sensitivity
2533 according to the routine arg, domains case-insensitively.
2534 By comparing from the start with length "domain", we include the "@" at
2535 the end, which ensures that we are comparing the whole local part of each
2538 if (recipient && domain != 0)
2539 if ((found = (case_sensitive
2540 ? Ustrncmp(recipient, address, domain) == 0
2541 : strncmpic(recipient, address, domain) == 0)
2542 && strcmpic(recipient + domain, address + domain) == 0))
2545 /* Advance to the next address */
2547 s = ss + (terminator ? 1:0);
2548 Uskip_whitespace(&s);
2549 } /* Next address */
2551 f.parse_allow_group = FALSE;
2552 f.parse_found_group = FALSE;
2553 } /* Next header (if found is false) */
2555 if (!found) return FAIL;
2556 } /* Next recipient */
2563 /*************************************************
2564 * Find if verified sender *
2565 *************************************************/
2567 /* Usually, just a single address is verified as the sender of the message.
2568 However, Exim can be made to verify other addresses as well (often related in
2569 some way), and this is useful in some environments. There may therefore be a
2570 chain of such addresses that have previously been tested. This function finds
2571 whether a given address is on the chain.
2573 Arguments: the address to be verified
2574 Returns: pointer to an address item, or NULL
2578 verify_checked_sender(const uschar * sender)
2580 for (address_item * addr = sender_verified_list; addr; addr = addr->next)
2581 if (Ustrcmp(sender, addr->address) == 0) return addr;
2589 /*************************************************
2590 * Get valid header address *
2591 *************************************************/
2593 /* Scan the originator headers of the message, looking for an address that
2594 verifies successfully. RFC 822 says:
2596 o The "Sender" field mailbox should be sent notices of
2597 any problems in transport or delivery of the original
2598 messages. If there is no "Sender" field, then the
2599 "From" field mailbox should be used.
2601 o If the "Reply-To" field exists, then the reply should
2602 go to the addresses indicated in that field and not to
2603 the address(es) indicated in the "From" field.
2605 So we check a Sender field if there is one, else a Reply_to field, else a From
2606 field. As some strange messages may have more than one of these fields,
2607 especially if they are resent- fields, check all of them if there is more than
2611 user_msgptr points to where to put a user error message
2612 log_msgptr points to where to put a log error message
2613 callout timeout for callout check (passed to verify_address())
2614 callout_overall overall callout timeout (ditto)
2615 callout_connect connect callout timeout (ditto)
2616 se_mailfrom mailfrom for verify; NULL => ""
2617 pm_mailfrom sender for pm callout check (passed to verify_address())
2618 options callout options (passed to verify_address())
2619 verrno where to put the address basic_errno
2621 If log_msgptr is set to something without setting user_msgptr, the caller
2622 normally uses log_msgptr for both things.
2624 Returns: result of the verification attempt: OK, FAIL, or DEFER;
2625 FAIL is given if no appropriate headers are found
2629 verify_check_header_address(uschar **user_msgptr, uschar **log_msgptr,
2630 int callout, int callout_overall, int callout_connect, uschar *se_mailfrom,
2631 uschar *pm_mailfrom, int options, int *verrno)
2633 static int header_types[] = { htype_sender, htype_reply_to, htype_from };
2637 for (int i = 0; i < 3 && !done; i++)
2638 for (header_line * h = header_list; h != NULL && !done; h = h->next)
2640 int terminator, new_ok;
2641 uschar *s, *ss, *endname;
2643 if (h->type != header_types[i]) continue;
2644 s = endname = Ustrchr(h->text, ':') + 1;
2646 /* Scan the addresses in the header, enabling group syntax. Note that we
2647 have to reset this after the header has been scanned. */
2649 f.parse_allow_group = TRUE;
2653 address_item * vaddr;
2655 while (isspace(*s) || *s == ',') s++;
2656 if (!*s) break; /* End of header */
2658 ss = parse_find_address_end(s, FALSE);
2660 /* The terminator is a comma or end of header, but there may be white
2661 space preceding it (including newline for the last address). Move back
2662 past any white space so we can check against any cached envelope sender
2663 address verifications. */
2665 while (isspace(ss[-1])) ss--;
2669 HDEBUG(D_verify) debug_printf("verifying %.*s header address %s\n",
2670 (int)(endname - h->text), h->text, s);
2672 /* See if we have already verified this address as an envelope sender,
2673 and if so, use the previous answer. */
2675 vaddr = verify_checked_sender(s);
2677 if (vaddr != NULL && /* Previously checked */
2678 (callout <= 0 || /* No callout needed; OR */
2679 vaddr->special_action > 256)) /* Callout was done */
2681 new_ok = vaddr->special_action & 255;
2682 HDEBUG(D_verify) debug_printf("previously checked as envelope sender\n");
2683 *ss = terminator; /* Restore shortened string */
2686 /* Otherwise we run the verification now. We must restore the shortened
2687 string before running the verification, so the headers are correct, in
2688 case there is any rewriting. */
2692 int start, end, domain;
2693 uschar *address = parse_extract_address(s, log_msgptr, &start, &end,
2698 /* If we found an empty address, just carry on with the next one, but
2699 kill the message. */
2701 if (!address && Ustrcmp(*log_msgptr, "empty address") == 0)
2708 /* If verification failed because of a syntax error, fail this
2709 function, and ensure that the failing address gets added to the error
2715 while (ss > s && isspace(ss[-1])) ss--;
2716 *log_msgptr = string_sprintf("syntax error in '%.*s' header when "
2717 "scanning for sender: %s in \"%.*s\"",
2718 (int)(endname - h->text), h->text, *log_msgptr, (int)(ss - s), s);
2724 /* Else go ahead with the sender verification. But it isn't *the*
2725 sender of the message, so set vopt_fake_sender to stop sender_address
2726 being replaced after rewriting or qualification. */
2730 vaddr = deliver_make_addr(address, FALSE);
2731 new_ok = verify_address(vaddr, NULL, options | vopt_fake_sender,
2732 callout, callout_overall, callout_connect, se_mailfrom,
2737 /* We now have the result, either newly found, or cached. If we are
2738 giving out error details, set a specific user error. This means that the
2739 last of these will be returned to the user if all three fail. We do not
2740 set a log message - the generic one below will be used. */
2744 *verrno = vaddr->basic_errno;
2745 if (smtp_return_error_details)
2746 *user_msgptr = string_sprintf("Rejected after DATA: "
2747 "could not verify \"%.*s\" header address\n%s: %s",
2748 (int)(endname - h->text), h->text, vaddr->address, vaddr->message);
2751 /* Success or defer */
2760 if (new_ok == DEFER) yield = DEFER;
2762 /* Move on to any more addresses in the header */
2765 } /* Next address */
2767 f.parse_allow_group = FALSE;
2768 f.parse_found_group = FALSE;
2769 } /* Next header, unless done */
2770 /* Next header type unless done */
2772 if (yield == FAIL && *log_msgptr == NULL)
2773 *log_msgptr = US"there is no valid sender in any header line";
2775 if (yield == DEFER && *log_msgptr == NULL)
2776 *log_msgptr = US"all attempts to verify a sender in a header line deferred";
2784 /*************************************************
2785 * Get RFC 1413 identification *
2786 *************************************************/
2788 /* Attempt to get an id from the sending machine via the RFC 1413 protocol. If
2789 the timeout is set to zero, then the query is not done. There may also be lists
2790 of hosts and nets which are exempt. To guard against malefactors sending
2791 non-printing characters which could, for example, disrupt a message's headers,
2792 make sure the string consists of printing characters only.
2795 port the port to connect to; usually this is IDENT_PORT (113), but when
2796 running in the test harness with -bh a different value is used.
2800 Side effect: any received ident value is put in sender_ident (NULL otherwise)
2804 verify_get_ident(int port)
2806 client_conn_ctx ident_conn_ctx = {0};
2808 int received_sender_port, received_interface_port, n;
2811 uschar buffer[2048];
2813 /* Default is no ident. Check whether we want to do an ident check for this
2816 sender_ident = NULL;
2817 if (rfc1413_query_timeout <= 0 || verify_check_host(&rfc1413_hosts) != OK)
2820 DEBUG(D_ident) debug_printf("doing ident callback\n");
2822 /* Set up a connection to the ident port of the remote host. Bind the local end
2823 to the incoming interface address. If the sender host address is an IPv6
2824 address, the incoming interface address will also be IPv6. */
2826 host_af = Ustrchr(sender_host_address, ':') == NULL ? AF_INET : AF_INET6;
2827 if ((ident_conn_ctx.sock = ip_socket(SOCK_STREAM, host_af)) < 0) return;
2829 if (ip_bind(ident_conn_ctx.sock, host_af, interface_address, 0) < 0)
2831 DEBUG(D_ident) debug_printf("bind socket for ident failed: %s\n",
2836 /* Construct and send the query. */
2838 qlen = snprintf(CS buffer, sizeof(buffer), "%d , %d\r\n",
2839 sender_host_port, interface_port);
2840 early_data.data = buffer;
2841 early_data.len = qlen;
2843 /*XXX we trust that the query is idempotent */
2844 if (ip_connect(ident_conn_ctx.sock, host_af, sender_host_address, port,
2845 rfc1413_query_timeout, &early_data) < 0)
2847 if (errno == ETIMEDOUT && LOGGING(ident_timeout))
2848 log_write(0, LOG_MAIN, "ident connection to %s timed out",
2849 sender_host_address);
2851 DEBUG(D_ident) debug_printf("ident connection to %s failed: %s\n",
2852 sender_host_address, strerror(errno));
2856 /* Read a response line. We put it into the rest of the buffer, using several
2857 recv() calls if necessary. */
2865 int size = sizeof(buffer) - (p - buffer);
2867 if (size <= 0) goto END_OFF; /* Buffer filled without seeing \n. */
2868 count = ip_recv(&ident_conn_ctx, p, size, time(NULL) + rfc1413_query_timeout);
2869 if (count <= 0) goto END_OFF; /* Read error or EOF */
2871 /* Scan what we just read, to see if we have reached the terminating \r\n. Be
2872 generous, and accept a plain \n terminator as well. The only illegal
2875 for (pp = p; pp < p + count; pp++)
2877 if (*pp == 0) goto END_OFF; /* Zero octet not allowed */
2880 if (pp[-1] == '\r') pp--;
2882 goto GOT_DATA; /* Break out of both loops */
2886 /* Reached the end of the data without finding \n. Let the loop continue to
2887 read some more, if there is room. */
2894 /* We have received a line of data. Check it carefully. It must start with the
2895 same two port numbers that we sent, followed by data as defined by the RFC. For
2898 12345 , 25 : USERID : UNIX :root
2900 However, the amount of white space may be different to what we sent. In the
2901 "osname" field there may be several sub-fields, comma separated. The data we
2902 actually want to save follows the third colon. Some systems put leading spaces
2903 in it - we discard those. */
2905 if (sscanf(CS buffer + qlen, "%d , %d%n", &received_sender_port,
2906 &received_interface_port, &n) != 2 ||
2907 received_sender_port != sender_host_port ||
2908 received_interface_port != interface_port)
2911 p = buffer + qlen + n;
2912 Uskip_whitespace(&p);
2913 if (*p++ != ':') goto END_OFF;
2914 Uskip_whitespace(&p);
2915 if (Ustrncmp(p, "USERID", 6) != 0) goto END_OFF;
2917 Uskip_whitespace(&p);
2918 if (*p++ != ':') goto END_OFF;
2919 while (*p && *p != ':') p++;
2920 if (!*p++) goto END_OFF;
2921 Uskip_whitespace(&p);
2922 if (!*p) goto END_OFF;
2924 /* The rest of the line is the data we want. We turn it into printing
2925 characters when we save it, so that it cannot mess up the format of any logging
2926 or Received: lines into which it gets inserted. We keep a maximum of 127
2927 characters. The deconst cast is ok as we fed a nonconst to string_printing() */
2929 sender_ident = US string_printing(string_copyn(p, 127));
2930 DEBUG(D_ident) debug_printf("sender_ident = %s\n", sender_ident);
2933 (void)close(ident_conn_ctx.sock);
2940 /*************************************************
2941 * Match host to a single host-list item *
2942 *************************************************/
2944 /* This function compares a host (name or address) against a single item
2945 from a host list. The host name gets looked up if it is needed and is not
2946 already known. The function is called from verify_check_this_host() via
2947 match_check_list(), which is why most of its arguments are in a single block.
2950 arg the argument block (see below)
2951 ss the host-list item
2952 valueptr where to pass back looked up data, or NULL
2953 error for error message when returning ERROR
2956 host_name (a) the host name, or
2957 (b) NULL, implying use sender_host_name and
2958 sender_host_aliases, looking them up if required, or
2959 (c) the empty string, meaning that only IP address matches
2961 host_address the host address
2962 host_ipv4 the IPv4 address taken from an IPv6 one
2966 DEFER lookup deferred
2967 ERROR (a) failed to find the host name or IP address, or
2968 (b) unknown lookup type specified, or
2969 (c) host name encountered when only IP addresses are
2974 check_host(void * arg, const uschar * ss, const uschar ** valueptr, uschar ** error)
2976 check_host_block * cb = (check_host_block *)arg;
2979 BOOL iplookup = FALSE, isquery = FALSE;
2980 BOOL isiponly = cb->host_name && !cb->host_name[0];
2982 uschar * semicolon, * endname, * opts;
2985 /* Optimize for the special case when the pattern is "*". */
2987 if (*ss == '*' && !ss[1]) return OK;
2989 /* If the pattern is empty, it matches only in the case when there is no host -
2990 this can occur in ACL checking for SMTP input using the -bs option. In this
2991 situation, the host address is the empty string. */
2993 if (!cb->host_address[0]) return *ss ? FAIL : OK;
2994 if (!*ss) return FAIL;
2996 /* If the pattern is precisely "@" then match against the primary host name,
2997 provided that host name matching is permitted; if it's "@[]" match against the
2998 local host's IP addresses. */
3003 if (isiponly) return ERROR;
3004 ss = primary_hostname;
3006 else if (Ustrcmp(ss, "@[]") == 0)
3008 for (ip_address_item * ip = host_find_interfaces(); ip; ip = ip->next)
3009 if (Ustrcmp(ip->address, cb->host_address) == 0) return OK;
3013 /* If the pattern is an IP address, optionally followed by a bitmask count, do
3014 a (possibly masked) comparison with the current IP address. */
3016 if (string_is_ip_address(ss, &maskoffset) != 0)
3017 return host_is_in_net(cb->host_address, ss, maskoffset) ? OK : FAIL;
3019 /* The pattern is not an IP address. A common error that people make is to omit
3020 one component of an IPv4 address, either by accident, or believing that, for
3021 example, 1.2.3/24 is the same as 1.2.3.0/24, or 1.2.3 is the same as 1.2.3.0,
3022 which it isn't. (Those applications that do accept 1.2.3 as an IP address
3023 interpret it as 1.2.0.3 because the final component becomes 16-bit - this is an
3024 ancient specification.) To aid in debugging these cases, we give a specific
3025 error if the pattern contains only digits and dots or contains a slash preceded
3026 only by digits and dots (a slash at the start indicates a file name and of
3027 course slashes may be present in lookups, but not preceded only by digits and
3028 dots). Then the equivalent for IPv6 (roughly). */
3030 if (Ustrchr(ss, ':'))
3032 for (t = ss; isxdigit(*t) || *t == ':' || *t == '.'; ) t++;
3033 if (!*t || (*t == '/' || *t == '%') && t != ss)
3035 *error = string_sprintf("malformed IPv6 address or address mask: %.*s", (int)(t - ss), ss);
3041 for (t = ss; isdigit(*t) || *t == '.'; ) t++;
3042 if (!*t || (*t == '/' && t != ss))
3044 *error = string_sprintf("malformed IPv4 address or address mask: %.*s", (int)(t - ss), ss);
3049 /* See if there is a semicolon in the pattern, separating a searchtype
3050 prefix. If there is one then check for comma-sep options. */
3052 if ((semicolon = Ustrchr(ss, ';')))
3053 if ((opts = Ustrchr(ss, ',')) && opts < semicolon)
3056 opts = string_copyn(opts, semicolon - opts);
3060 endname = semicolon;
3066 /* If we are doing an IP address only match, then all lookups must be IP
3067 address lookups, even if there is no "net-". */
3070 iplookup = semicolon != NULL;
3072 /* Otherwise, if the item is of the form net[n]-lookup;<file|query> then it is
3073 a lookup on a masked IP network, in textual form. We obey this code even if we
3074 have already set iplookup, so as to skip over the "net-" prefix and to set the
3075 mask length. The net- stuff really only applies to single-key lookups where the
3076 key is implicit. For query-style lookups the key is specified in the query.
3077 From release 4.30, the use of net- for query style is no longer needed, but we
3078 retain it for backward compatibility. */
3080 if (Ustrncmp(ss, "net", 3) == 0 && semicolon)
3083 for (t = ss + 3; isdigit(*t); t++) mlen = mlen * 10 + *t - '0';
3084 if (mlen == 0 && t == ss+3) mlen = -1; /* No mask supplied */
3085 iplookup = *t++ == '-';
3090 /* Do the IP address lookup if that is indeed what we have */
3094 const lookup_info * li;
3095 int incoming[4], insize;
3097 uschar * filename, * key, * result;
3100 /* Find the search type */
3102 if (!(li = search_findtype(t, endname - t)))
3103 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", search_error_message);
3105 /* Adjust parameters for the type of lookup. For a query-style lookup, there
3106 is no file name, and the "key" is just the query. For query-style with a file
3107 name, we have to fish the file off the start of the query. For a single-key
3108 lookup, the key is the current IP address, masked appropriately, and
3109 reconverted to text form, with the mask appended. For IPv6 addresses, specify
3110 dot separators instead of colons, except when the lookup type is "iplsearch".
3113 if (mac_islookup(li, lookup_absfilequery))
3115 filename = semicolon + 1;
3117 Uskip_nonwhite(&key);
3118 filename = string_copyn(filename, key - filename);
3119 Uskip_whitespace(&key);
3121 else if (mac_islookup(li, lookup_querystyle))
3124 key = semicolon + 1;
3126 else /* Single-key style */
3128 int sep = Ustrcmp(li->name, "iplsearch") == 0 ? ':' : '.';
3129 insize = host_aton(cb->host_address, incoming);
3130 host_mask(insize, incoming, mlen);
3131 (void) host_nmtoa(insize, incoming, mlen, buffer, sep);
3133 filename = semicolon + 1;
3136 /* Now do the actual lookup; note that there is no search_close() because
3137 of the caching arrangements. */
3139 if (!(handle = search_open(filename, li, 0, NULL, NULL)))
3140 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", search_error_message);
3142 result = search_find(handle, filename, key, -1, NULL, 0, 0, NULL, opts);
3143 if (valueptr) *valueptr = result;
3144 return result ? OK : f.search_find_defer ? DEFER: FAIL;
3147 /* The pattern is not an IP address or network reference of any kind. That is,
3148 it is a host name pattern. If this is an IP only match, there's an error in the
3153 *error = US"cannot match host name in match_ip list";
3157 /* Check the characters of the pattern to see if they comprise only letters,
3158 digits, full stops, and hyphens (the constituents of domain names). Allow
3159 underscores, as they are all too commonly found. Sigh. Also, if
3160 allow_utf8_domains is set, allow top-bit characters. */
3162 for (t = ss; *t; t++)
3163 if (!isalnum(*t) && *t != '.' && *t != '-' && *t != '_' &&
3164 (!allow_utf8_domains || *t < 128)) break;
3166 /* If the pattern is a complete domain name, with no fancy characters, look up
3167 its IP address and match against that. Note that a multi-homed host will add
3168 items to the chain. */
3179 /* Using byname rather than bydns here means we cannot determine dnssec
3180 status. On the other hand it is unclear how that could be either
3181 propagated up or enforced. */
3183 rc = host_find_byname(&h, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, FALSE);
3184 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
3186 for (host_item * hh = &h; hh; hh = hh->next)
3187 if (host_is_in_net(hh->address, cb->host_address, 0)) return OK;
3190 if (rc == HOST_FIND_AGAIN) return DEFER;
3191 *error = string_sprintf("failed to find IP address for %s", ss);
3195 /* Almost all subsequent comparisons require the host name, and can be done
3196 using the general string matching function. When this function is called for
3197 outgoing hosts, the name is always given explicitly. If it is NULL, it means we
3198 must use sender_host_name and its aliases, looking them up if necessary. */
3200 if (cb->host_name) /* Explicit host name given */
3201 return match_check_string(cb->host_name, ss, -1,
3202 MCS_PARTIAL | MCS_CASELESS | MCS_AT_SPECIAL | cb->flags, valueptr);
3204 /* Host name not given; in principle we need the sender host name and its
3205 aliases. However, for query-style lookups, we do not need the name if the
3206 query does not contain $sender_host_name. From release 4.23, a reference to
3207 $sender_host_name causes it to be looked up, so we don't need to do the lookup
3210 if ((semicolon = Ustrchr(ss, ';')))
3212 const uschar * affix, * opts;
3213 int partial, affixlen, starflags;
3214 const lookup_info * li;
3217 li = search_findtype_partial(ss, &partial, &affix, &affixlen, &starflags,
3221 if (!li) /* Unknown lookup type */
3223 log_write(0, LOG_MAIN|LOG_PANIC, "%s in host list item \"%s\"",
3224 search_error_message, ss);
3227 isquery = mac_islookup(li, lookup_querystyle|lookup_absfilequery);
3232 switch(match_check_string(US"", ss, -1,
3233 MCS_PARTIAL| MCS_CASELESS| MCS_AT_SPECIAL | (cb->flags & MCS_CACHEABLE),
3237 case DEFER: return DEFER;
3238 default: return FAIL;
3242 /* Not a query-style lookup; must ensure the host name is present, and then we
3243 do a check on the name and all its aliases. */
3245 if (!sender_host_name)
3247 HDEBUG(D_host_lookup)
3248 debug_printf_indent("sender host name required, to match against %s\n", ss);
3250 if (host_lookup_failed || host_name_lookup() != OK)
3253 *error = string_sprintf("failed to find host name for %s",
3254 sender_host_address);;
3258 host_build_sender_fullhost();
3261 /* Match on the sender host name, using the general matching function */
3263 switch(match_check_string(sender_host_name, ss, -1,
3264 MCS_PARTIAL| MCS_CASELESS| MCS_AT_SPECIAL | (cb->flags & MCS_CACHEABLE),
3268 case DEFER: return DEFER;
3271 /* If there are aliases, try matching on them. */
3273 aliases = sender_host_aliases;
3275 switch(match_check_string(*aliases++, ss, -1,
3276 MCS_PARTIAL| MCS_CASELESS| MCS_AT_SPECIAL | (cb->flags & MCS_CACHEABLE),
3280 case DEFER: return DEFER;
3288 /*************************************************
3289 * Check a specific host matches a host list *
3290 *************************************************/
3292 /* This function is passed a host list containing items in a number of
3293 different formats and the identity of a host. Its job is to determine whether
3294 the given host is in the set of hosts defined by the list. The host name is
3295 passed as a pointer so that it can be looked up if needed and not already
3296 known. This is commonly the case when called from verify_check_host() to check
3297 an incoming connection. When called from elsewhere the host name should usually
3300 This function is now just a front end to match_check_list(), which runs common
3301 code for scanning a list. We pass it the check_host() function to perform a
3305 listptr pointer to the host list
3306 cache_bits pointer to cache for named lists, or NULL
3307 host_name the host name or NULL, implying use sender_host_name and
3308 sender_host_aliases, looking them up if required
3309 host_address the IP address
3310 valueptr if not NULL, data from a lookup is passed back here
3312 Returns: OK if the host is in the defined set
3313 FAIL if the host is not in the defined set,
3314 DEFER if a data lookup deferred (not a host lookup)
3316 If the host name was needed in order to make a comparison, and could not be
3317 determined from the IP address, the result is FAIL unless the item
3318 "+allow_unknown" was met earlier in the list, in which case OK is returned. */
3321 verify_check_this_host(const uschar **listptr, unsigned int *cache_bits,
3322 const uschar *host_name, const uschar *host_address, const uschar **valueptr)
3325 unsigned int *local_cache_bits = cache_bits;
3326 const uschar *save_host_address = deliver_host_address;
3327 check_host_block cb = { .host_name = host_name, .host_address = host_address };
3329 if (valueptr) *valueptr = NULL;
3331 /* If the host address starts off ::ffff: it is an IPv6 address in
3332 IPv4-compatible mode. Find the IPv4 part for checking against IPv4
3335 cb.host_ipv4 = Ustrncmp(host_address, "::ffff:", 7) == 0
3336 ? host_address + 7 : host_address;
3338 /* During the running of the check, put the IP address into $host_address. In
3339 the case of calls from the smtp transport, it will already be there. However,
3340 in other calls (e.g. when testing ignore_target_hosts), it won't. Just to be on
3341 the safe side, any existing setting is preserved, though as I write this
3342 (November 2004) I can't see any cases where it is actually needed. */
3344 deliver_host_address = host_address;
3345 rc = match_check_list(
3346 listptr, /* the list */
3347 0, /* separator character */
3348 &hostlist_anchor, /* anchor pointer */
3349 &local_cache_bits, /* cache pointer */
3350 check_host, /* function for testing */
3351 &cb, /* argument for function */
3352 MCL_HOST, /* type of check */
3353 host_address == sender_host_address
3354 ? US"host" : host_address, /* text for debugging */
3355 valueptr); /* where to pass back data */
3356 deliver_host_address = save_host_address;
3363 /*************************************************
3364 * Check the given host item matches a list *
3365 *************************************************/
3367 verify_check_given_host(const uschar **listptr, const host_item *host)
3369 return verify_check_this_host(listptr, NULL, host->name, host->address, NULL);
3372 /*************************************************
3373 * Check the remote host matches a list *
3374 *************************************************/
3376 /* This is a front end to verify_check_this_host(), created because checking
3377 the remote host is a common occurrence. With luck, a good compiler will spot
3378 the tail recursion and optimize it. If there's no host address, this is
3379 command-line SMTP input - check against an empty string for the address.
3382 listptr pointer to the host list
3384 Returns: the yield of verify_check_this_host(),
3385 i.e. OK, FAIL, or DEFER
3389 verify_check_host(uschar **listptr)
3391 return verify_check_this_host(CUSS listptr, sender_host_cache, NULL,
3392 sender_host_address ? sender_host_address : US"", NULL);
3399 /*************************************************
3400 * Invert an IP address *
3401 *************************************************/
3403 /* Originally just used for DNS xBL lists, now also used for the
3404 reverse_ip expansion operator.
3407 buffer where to put the answer
3408 address the address to invert
3412 invert_address(uschar *buffer, uschar *address)
3415 uschar *bptr = buffer;
3417 /* If this is an IPv4 address mapped into IPv6 format, adjust the pointer
3418 to the IPv4 part only. */
3420 if (Ustrncmp(address, "::ffff:", 7) == 0) address += 7;
3422 /* Handle IPv4 address: when HAVE_IPV6 is false, the result of host_aton() is
3425 if (host_aton(address, bin) == 1)
3428 for (int i = 0; i < 4; i++)
3430 sprintf(CS bptr, "%d.", x & 255);
3431 while (*bptr) bptr++;
3436 /* Handle IPv6 address. Actually, as far as I know, there are no IPv6 addresses
3437 in any DNS black lists, and the format in which they will be looked up is
3438 unknown. This is just a guess. */
3442 for (int j = 3; j >= 0; j--)
3445 for (int i = 0; i < 8; i++)
3447 sprintf(CS bptr, "%x.", x & 15);
3448 while (*bptr) bptr++;
3454 /* Remove trailing period -- this is needed so that both arbitrary
3455 dnsbl keydomains and inverted addresses may be combined with the
3456 same format string, "%s.%s" */
3463 /****************************************************
3464 Verify a local user account for quota sufficiency
3465 ****************************************************/
3467 /* The real work, done via a re-exec for privs, calls
3468 down to the transport for the quota check.
3470 Route and transport (in recipient-verify mode) the
3473 A routing result indicating any transport type other than appendfile
3476 Return, on stdout, a result string containing:
3477 - highlevel result code (OK, DEFER, FAIL)
3484 verify_quota(uschar * address)
3486 address_item vaddr = {.address = address};
3488 uschar * msg = US"\0";
3491 if ((rc = verify_address(&vaddr, NULL, vopt_is_recipient | vopt_quota,
3492 1, 0, 0, NULL, NULL, &routed)) != OK)
3494 uschar * where = recipient_verify_failure;
3495 msg = acl_verify_message ? acl_verify_message : vaddr.message;
3496 if (!msg) msg = US"";
3497 if (rc == DEFER && vaddr.basic_errno == ERRNO_EXIMQUOTA)
3499 rc = FAIL; /* DEFER -> FAIL */
3501 vaddr.basic_errno = 0;
3503 else if (!where) where = US"";
3505 len = 5 + Ustrlen(msg) + 1 + Ustrlen(where);
3506 msg = string_sprintf("%c%c%c%c%c%s%c%s", (uschar)rc,
3507 (vaddr.basic_errno >> 24) & 0xff, (vaddr.basic_errno >> 16) & 0xff,
3508 (vaddr.basic_errno >> 8) & 0xff, vaddr.basic_errno & 0xff,
3512 DEBUG(D_verify) debug_printf_indent("verify_quota: len %d\n", len);
3513 if (write(1, msg, len) != 0) ;
3518 /******************************************************************************/
3520 /* Quota cache lookup. We use the callout hints db also for the quota cache.
3521 Return TRUE if a nonexpired record was found, having filled in the yield
3526 cached_quota_lookup(const uschar * rcpt, int * yield,
3527 int pos_cache, int neg_cache)
3529 open_db dbblock, *dbm_file = NULL;
3530 dbdata_callout_cache_address * cache_address_record;
3532 if (!pos_cache && !neg_cache)
3534 if (!(dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE, TRUE)))
3536 HDEBUG(D_verify) debug_printf_indent("quota cache: not available\n");
3539 if (!(cache_address_record = (dbdata_callout_cache_address *)
3540 get_callout_cache_record(dbm_file, rcpt, US"address",
3541 pos_cache, neg_cache)))
3543 dbfn_close(dbm_file);
3546 if (cache_address_record->result == ccache_accept)
3548 dbfn_close(dbm_file);
3552 /* Quota cache write */
3555 cache_quota_write(const uschar * rcpt, int yield, int pos_cache, int neg_cache)
3557 open_db dbblock, *dbm_file = NULL;
3558 dbdata_callout_cache_address cache_address_record;
3560 if (!pos_cache && !neg_cache)
3562 if (!(dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE, TRUE)))
3564 HDEBUG(D_verify) debug_printf_indent("quota cache: not available\n");
3568 cache_address_record.result = yield == OK ? ccache_accept : ccache_reject;
3570 (void)dbfn_write(dbm_file, rcpt, &cache_address_record,
3571 (int)sizeof(dbdata_callout_cache_address));
3572 HDEBUG(D_verify) debug_printf_indent("wrote %s quota cache record for %s\n",
3573 yield == OK ? "positive" : "negative", rcpt);
3575 dbfn_close(dbm_file);
3580 /* To evaluate a local user's quota, starting in ACL, we need to
3581 fork & exec to regain privileges, to that we can change to the user's
3582 identity for access to their files.
3585 rcpt Recipient account
3586 pos_cache Number of seconds to cache a positive result (delivery
3587 to be accepted). Zero to disable caching.
3588 neg_cache Number of seconds to cache a negative result. Zero to disable.
3589 msg Pointer to result string pointer
3591 Return: OK/DEFER/FAIL code
3595 verify_quota_call(const uschar * rcpt, int pos_cache, int neg_cache,
3598 int pfd[2], pid, save_errno, yield = FAIL;
3599 void (*oldsignal)(int);
3600 const uschar * where = US"socketpair";
3604 if (cached_quota_lookup(rcpt, &yield, pos_cache, neg_cache))
3606 HDEBUG(D_verify) debug_printf_indent("quota cache: address record is %s\n",
3607 yield == OK ? "positive" : "negative");
3610 recipient_verify_failure = US"quota";
3611 acl_verify_message = *msg =
3612 US"Previous (cached) quota verification failure";
3621 oldsignal = signal(SIGCHLD, SIG_DFL);
3622 if ((pid = exim_fork(US"quota-verify")) < 0)
3625 close(pfd[pipe_write]);
3626 close(pfd[pipe_read]);
3631 if (pid == 0) /* child */
3633 close(pfd[pipe_read]);
3634 force_fd(pfd[pipe_write], 1); /* stdout to pipe */
3635 close(pfd[pipe_write]);
3637 if (debug_fd > 0) force_fd(debug_fd, 2);
3639 child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 3,
3640 US"-MCq", string_sprintf("%d", message_size), rcpt);
3645 close(pfd[pipe_write]);
3649 DEBUG(D_verify) debug_printf_indent(" fork: %s\n", strerror(save_errno));
3654 int n = read(pfd[pipe_read], buf, sizeof(buf));
3657 waitpid(pid, &status, 0);
3662 if (n > 0) yield = buf[0];
3664 save_errno = (buf[1] << 24) | (buf[2] << 16) | (buf[3] << 8) | buf[4];
3665 if ((recipient_verify_failure = n > 5
3666 ? string_copyn_taint(buf+5, n-5, GET_UNTAINTED) : NULL))
3669 s = buf + 5 + Ustrlen(recipient_verify_failure) + 1;
3671 acl_verify_message = *msg =
3672 m > 0 ? string_copyn_taint(s, m, GET_UNTAINTED) : NULL;
3675 DEBUG(D_verify) debug_printf_indent("verify call response:"
3676 " len %d yield %s errno '%s' where '%s' msg '%s'\n",
3677 n, rc_names[yield], strerror(save_errno), recipient_verify_failure, *msg);
3680 || save_errno == 0 && Ustrcmp(recipient_verify_failure, "quota") == 0)
3681 cache_quota_write(rcpt, yield, pos_cache, neg_cache);
3682 else DEBUG(D_verify)
3683 debug_printf_indent("result not cacheable\n");
3688 debug_printf_indent("verify call response: waitpid status 0x%04x\n", status);
3692 close(pfd[pipe_read]);
3693 signal(SIGCHLD, oldsignal);
3698 DEBUG(D_verify) debug_printf_indent("verify_quota_call fail in %s\n", where);
3705 /* End of verify.c */
git://git.exim.org / exim.git / blob