1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2009 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Functions concerned with verifying things. The original code for callout
9 caching was contributed by Kevin Fleming (but I hacked it around a bit). */
15 /* Structure for caching DNSBL lookups */
17 typedef struct dnsbl_cache_block {
25 /* Anchor for DNSBL cache */
27 static tree_node *dnsbl_cache = NULL;
30 /* Bits for match_type in one_check_dnsbl() */
37 /*************************************************
38 * Retrieve a callout cache record *
39 *************************************************/
41 /* If a record exists, check whether it has expired.
44 dbm_file an open hints file
46 type "address" or "domain"
47 positive_expire expire time for positive records
48 negative_expire expire time for negative records
50 Returns: the cache record if a non-expired one exists, else NULL
53 static dbdata_callout_cache *
54 get_callout_cache_record(open_db *dbm_file, uschar *key, uschar *type,
55 int positive_expire, int negative_expire)
60 dbdata_callout_cache *cache_record;
62 cache_record = dbfn_read_with_length(dbm_file, key, &length);
64 if (cache_record == NULL)
66 HDEBUG(D_verify) debug_printf("callout cache: no %s record found\n", type);
70 /* We treat a record as "negative" if its result field is not positive, or if
71 it is a domain record and the postmaster field is negative. */
73 negative = cache_record->result != ccache_accept ||
74 (type[0] == 'd' && cache_record->postmaster_result == ccache_reject);
75 expire = negative? negative_expire : positive_expire;
78 if (now - cache_record->time_stamp > expire)
80 HDEBUG(D_verify) debug_printf("callout cache: %s record expired\n", type);
84 /* If this is a non-reject domain record, check for the obsolete format version
85 that doesn't have the postmaster and random timestamps, by looking at the
86 length. If so, copy it to a new-style block, replicating the record's
87 timestamp. Then check the additional timestamps. (There's no point wasting
88 effort if connections are rejected.) */
90 if (type[0] == 'd' && cache_record->result != ccache_reject)
92 if (length == sizeof(dbdata_callout_cache_obs))
94 dbdata_callout_cache *new = store_get(sizeof(dbdata_callout_cache));
95 memcpy(new, cache_record, length);
96 new->postmaster_stamp = new->random_stamp = new->time_stamp;
100 if (now - cache_record->postmaster_stamp > expire)
101 cache_record->postmaster_result = ccache_unknown;
103 if (now - cache_record->random_stamp > expire)
104 cache_record->random_result = ccache_unknown;
107 HDEBUG(D_verify) debug_printf("callout cache: found %s record\n", type);
113 /*************************************************
114 * Do callout verification for an address *
115 *************************************************/
117 /* This function is called from verify_address() when the address has routed to
118 a host list, and a callout has been requested. Callouts are expensive; that is
119 why a cache is used to improve the efficiency.
122 addr the address that's been routed
123 host_list the list of hosts to try
124 tf the transport feedback block
126 ifstring "interface" option from transport, or NULL
127 portstring "port" option from transport, or NULL
128 protocolstring "protocol" option from transport, or NULL
129 callout the per-command callout timeout
130 callout_overall the overall callout timeout (if < 0 use 4*callout)
131 callout_connect the callout connection timeout (if < 0 use callout)
132 options the verification options - these bits are used:
133 vopt_is_recipient => this is a recipient address
134 vopt_callout_no_cache => don't use callout cache
135 vopt_callout_fullpm => if postmaster check, do full one
136 vopt_callout_random => do the "random" thing
137 vopt_callout_recipsender => use real sender for recipient
138 vopt_callout_recippmaster => use postmaster for recipient
139 se_mailfrom MAIL FROM address for sender verify; NULL => ""
140 pm_mailfrom if non-NULL, do the postmaster check with this sender
142 Returns: OK/FAIL/DEFER
146 do_callout(address_item *addr, host_item *host_list, transport_feedback *tf,
147 int callout, int callout_overall, int callout_connect, int options,
148 uschar *se_mailfrom, uschar *pm_mailfrom)
150 BOOL is_recipient = (options & vopt_is_recipient) != 0;
151 BOOL callout_no_cache = (options & vopt_callout_no_cache) != 0;
152 BOOL callout_random = (options & vopt_callout_random) != 0;
155 int old_domain_cache_result = ccache_accept;
158 uschar *from_address;
159 uschar *random_local_part = NULL;
160 uschar *save_deliver_domain = deliver_domain;
161 uschar **failure_ptr = is_recipient?
162 &recipient_verify_failure : &sender_verify_failure;
164 open_db *dbm_file = NULL;
165 dbdata_callout_cache new_domain_record;
166 dbdata_callout_cache_address new_address_record;
168 time_t callout_start_time;
170 new_domain_record.result = ccache_unknown;
171 new_domain_record.postmaster_result = ccache_unknown;
172 new_domain_record.random_result = ccache_unknown;
174 memset(&new_address_record, 0, sizeof(new_address_record));
176 /* For a recipient callout, the key used for the address cache record must
177 include the sender address if we are using the real sender in the callout,
178 because that may influence the result of the callout. */
180 address_key = addr->address;
185 if ((options & vopt_callout_recipsender) != 0)
187 address_key = string_sprintf("%s/<%s>", addr->address, sender_address);
188 from_address = sender_address;
190 else if ((options & vopt_callout_recippmaster) != 0)
192 address_key = string_sprintf("%s/<postmaster@%s>", addr->address,
193 qualify_domain_sender);
194 from_address = string_sprintf("postmaster@%s", qualify_domain_sender);
198 /* For a sender callout, we must adjust the key if the mailfrom address is not
203 from_address = (se_mailfrom == NULL)? US"" : se_mailfrom;
204 if (from_address[0] != 0)
205 address_key = string_sprintf("%s/<%s>", addr->address, from_address);
208 /* Open the callout cache database, it it exists, for reading only at this
209 stage, unless caching has been disabled. */
211 if (callout_no_cache)
213 HDEBUG(D_verify) debug_printf("callout cache: disabled by no_cache\n");
215 else if ((dbm_file = dbfn_open(US"callout", O_RDWR, &dbblock, FALSE)) == NULL)
217 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
220 /* If a cache database is available see if we can avoid the need to do an
221 actual callout by making use of previously-obtained data. */
223 if (dbm_file != NULL)
225 dbdata_callout_cache_address *cache_address_record;
226 dbdata_callout_cache *cache_record = get_callout_cache_record(dbm_file,
227 addr->domain, US"domain",
228 callout_cache_domain_positive_expire,
229 callout_cache_domain_negative_expire);
231 /* If an unexpired cache record was found for this domain, see if the callout
232 process can be short-circuited. */
234 if (cache_record != NULL)
236 /* In most cases, if an early command (up to and including MAIL FROM:<>)
237 was rejected, there is no point carrying on. The callout fails. However, if
238 we are doing a recipient verification with use_sender or use_postmaster
239 set, a previous failure of MAIL FROM:<> doesn't count, because this time we
240 will be using a non-empty sender. We have to remember this situation so as
241 not to disturb the cached domain value if this whole verification succeeds
242 (we don't want it turning into "accept"). */
244 old_domain_cache_result = cache_record->result;
246 if (cache_record->result == ccache_reject ||
247 (*from_address == 0 && cache_record->result == ccache_reject_mfnull))
249 setflag(addr, af_verify_nsfail);
251 debug_printf("callout cache: domain gave initial rejection, or "
252 "does not accept HELO or MAIL FROM:<>\n");
253 setflag(addr, af_verify_nsfail);
254 addr->user_message = US"(result of an earlier callout reused).";
256 *failure_ptr = US"mail";
260 /* If a previous check on a "random" local part was accepted, we assume
261 that the server does not do any checking on local parts. There is therefore
262 no point in doing the callout, because it will always be successful. If a
263 random check previously failed, arrange not to do it again, but preserve
264 the data in the new record. If a random check is required but hasn't been
265 done, skip the remaining cache processing. */
267 if (callout_random) switch(cache_record->random_result)
271 debug_printf("callout cache: domain accepts random addresses\n");
272 goto END_CALLOUT; /* Default yield is OK */
276 debug_printf("callout cache: domain rejects random addresses\n");
277 callout_random = FALSE;
278 new_domain_record.random_result = ccache_reject;
279 new_domain_record.random_stamp = cache_record->random_stamp;
284 debug_printf("callout cache: need to check random address handling "
285 "(not cached or cache expired)\n");
289 /* If a postmaster check is requested, but there was a previous failure,
290 there is again no point in carrying on. If a postmaster check is required,
291 but has not been done before, we are going to have to do a callout, so skip
292 remaining cache processing. */
294 if (pm_mailfrom != NULL)
296 if (cache_record->postmaster_result == ccache_reject)
298 setflag(addr, af_verify_pmfail);
300 debug_printf("callout cache: domain does not accept "
301 "RCPT TO:<postmaster@domain>\n");
303 *failure_ptr = US"postmaster";
304 setflag(addr, af_verify_pmfail);
305 addr->user_message = US"(result of earlier verification reused).";
308 if (cache_record->postmaster_result == ccache_unknown)
311 debug_printf("callout cache: need to check RCPT "
312 "TO:<postmaster@domain> (not cached or cache expired)\n");
316 /* If cache says OK, set pm_mailfrom NULL to prevent a redundant
317 postmaster check if the address itself has to be checked. Also ensure
318 that the value in the cache record is preserved (with its old timestamp).
321 HDEBUG(D_verify) debug_printf("callout cache: domain accepts RCPT "
322 "TO:<postmaster@domain>\n");
324 new_domain_record.postmaster_result = ccache_accept;
325 new_domain_record.postmaster_stamp = cache_record->postmaster_stamp;
329 /* We can't give a result based on information about the domain. See if there
330 is an unexpired cache record for this specific address (combined with the
331 sender address if we are doing a recipient callout with a non-empty sender).
334 cache_address_record = (dbdata_callout_cache_address *)
335 get_callout_cache_record(dbm_file,
336 address_key, US"address",
337 callout_cache_positive_expire,
338 callout_cache_negative_expire);
340 if (cache_address_record != NULL)
342 if (cache_address_record->result == ccache_accept)
345 debug_printf("callout cache: address record is positive\n");
350 debug_printf("callout cache: address record is negative\n");
351 addr->user_message = US"Previous (cached) callout verification failure";
352 *failure_ptr = US"recipient";
358 /* Close the cache database while we actually do the callout for real. */
361 dbfn_close(dbm_file);
365 /* The information wasn't available in the cache, so we have to do a real
366 callout and save the result in the cache for next time, unless no_cache is set,
367 or unless we have a previously cached negative random result. If we are to test
368 with a random local part, ensure that such a local part is available. If not,
369 log the fact, but carry on without randomming. */
371 if (callout_random && callout_random_local_part != NULL)
373 random_local_part = expand_string(callout_random_local_part);
374 if (random_local_part == NULL)
375 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
376 "callout_random_local_part: %s", expand_string_message);
379 /* Default the connect and overall callout timeouts if not set, and record the
380 time we are starting so that we can enforce it. */
382 if (callout_overall < 0) callout_overall = 4 * callout;
383 if (callout_connect < 0) callout_connect = callout;
384 callout_start_time = time(NULL);
386 /* Before doing a real callout, if this is an SMTP connection, flush the SMTP
387 output because a callout might take some time. When PIPELINING is active and
388 there are many recipients, the total time for doing lots of callouts can add up
389 and cause the client to time out. So in this case we forgo the PIPELINING
392 if (smtp_out != NULL && !disable_callout_flush) mac_smtp_fflush();
394 /* Now make connections to the hosts and do real callouts. The list of hosts
395 is passed in as an argument. */
397 for (host = host_list; host != NULL && !done; host = host->next)
399 smtp_inblock inblock;
400 smtp_outblock outblock;
403 BOOL send_quit = TRUE;
404 uschar *active_hostname = smtp_active_hostname;
405 uschar *helo = US"HELO";
406 uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
407 uschar inbuffer[4096];
408 uschar outbuffer[1024];
409 uschar responsebuffer[4096];
411 clearflag(addr, af_verify_pmfail); /* postmaster callout flag */
412 clearflag(addr, af_verify_nsfail); /* null sender callout flag */
414 /* Skip this host if we don't have an IP address for it. */
416 if (host->address == NULL)
418 DEBUG(D_verify) debug_printf("no IP address for host name %s: skipping\n",
423 /* Check the overall callout timeout */
425 if (time(NULL) - callout_start_time >= callout_overall)
427 HDEBUG(D_verify) debug_printf("overall timeout for callout exceeded\n");
431 /* Set IPv4 or IPv6 */
433 host_af = (Ustrchr(host->address, ':') == NULL)? AF_INET:AF_INET6;
435 /* Expand and interpret the interface and port strings. The latter will not
436 be used if there is a host-specific port (e.g. from a manualroute router).
437 This has to be delayed till now, because they may expand differently for
438 different hosts. If there's a failure, log it, but carry on with the
441 deliver_host = host->name;
442 deliver_host_address = host->address;
443 deliver_domain = addr->domain;
445 if (!smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
447 !smtp_get_port(tf->port, addr, &port, US"callout"))
448 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
451 /* Set HELO string according to the protocol */
453 if (Ustrcmp(tf->protocol, "lmtp") == 0) helo = US"LHLO";
455 HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", interface, port);
457 /* Set up the buffer for reading SMTP response packets. */
459 inblock.buffer = inbuffer;
460 inblock.buffersize = sizeof(inbuffer);
461 inblock.ptr = inbuffer;
462 inblock.ptrend = inbuffer;
464 /* Set up the buffer for holding SMTP commands while pipelining */
466 outblock.buffer = outbuffer;
467 outblock.buffersize = sizeof(outbuffer);
468 outblock.ptr = outbuffer;
469 outblock.cmd_count = 0;
470 outblock.authenticating = FALSE;
472 /* Connect to the host; on failure, just loop for the next one, but we
473 set the error for the last one. Use the callout_connect timeout. */
475 inblock.sock = outblock.sock =
476 smtp_connect(host, host_af, port, interface, callout_connect, TRUE, NULL);
477 /* reconsider DSCP here */
478 if (inblock.sock < 0)
480 addr->message = string_sprintf("could not connect to %s [%s]: %s",
481 host->name, host->address, strerror(errno));
482 deliver_host = deliver_host_address = NULL;
483 deliver_domain = save_deliver_domain;
487 /* Expand the helo_data string to find the host name to use. */
489 if (tf->helo_data != NULL)
491 uschar *s = expand_string(tf->helo_data);
493 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: failed to expand transport's "
494 "helo_data value for callout: %s", addr->address,
495 expand_string_message);
496 else active_hostname = s;
499 deliver_host = deliver_host_address = NULL;
500 deliver_domain = save_deliver_domain;
502 /* Wait for initial response, and send HELO. The smtp_write_command()
503 function leaves its command in big_buffer. This is used in error responses.
504 Initialize it in case the connection is rejected. */
506 Ustrcpy(big_buffer, "initial connection");
509 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
511 smtp_write_command(&outblock, FALSE, "%s %s\r\n", helo,
512 active_hostname) >= 0 &&
513 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
516 /* Failure to accept HELO is cached; this blocks the whole domain for all
517 senders. I/O errors and defer responses are not cached. */
521 *failure_ptr = US"mail"; /* At or before MAIL */
522 if (errno == 0 && responsebuffer[0] == '5')
524 setflag(addr, af_verify_nsfail);
525 new_domain_record.result = ccache_reject;
529 /* Send the MAIL command */
532 smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>\r\n",
533 from_address) >= 0 &&
534 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
537 /* If the host does not accept MAIL FROM:<>, arrange to cache this
538 information, but again, don't record anything for an I/O error or a defer. Do
539 not cache rejections of MAIL when a non-empty sender has been used, because
540 that blocks the whole domain for all senders. */
544 *failure_ptr = US"mail"; /* At or before MAIL */
545 if (errno == 0 && responsebuffer[0] == '5')
547 setflag(addr, af_verify_nsfail);
548 if (from_address[0] == 0)
549 new_domain_record.result = ccache_reject_mfnull;
553 /* Otherwise, proceed to check a "random" address (if required), then the
554 given address, and the postmaster address (if required). Between each check,
555 issue RSET, because some servers accept only one recipient after MAIL
558 Before doing this, set the result in the domain cache record to "accept",
559 unless its previous value was ccache_reject_mfnull. In that case, the domain
560 rejects MAIL FROM:<> and we want to continue to remember that. When that is
561 the case, we have got here only in the case of a recipient verification with
562 a non-null sender. */
566 new_domain_record.result =
567 (old_domain_cache_result == ccache_reject_mfnull)?
568 ccache_reject_mfnull: ccache_accept;
570 /* Do the random local part check first */
572 if (random_local_part != NULL)
574 uschar randombuffer[1024];
576 smtp_write_command(&outblock, FALSE,
577 "RCPT TO:<%.1000s@%.1000s>\r\n", random_local_part,
578 addr->domain) >= 0 &&
579 smtp_read_response(&inblock, randombuffer,
580 sizeof(randombuffer), '2', callout);
582 /* Remember when we last did a random test */
584 new_domain_record.random_stamp = time(NULL);
586 /* If accepted, we aren't going to do any further tests below. */
590 new_domain_record.random_result = ccache_accept;
593 /* Otherwise, cache a real negative response, and get back to the right
594 state to send RCPT. Unless there's some problem such as a dropped
595 connection, we expect to succeed, because the commands succeeded above. */
599 if (randombuffer[0] == '5')
600 new_domain_record.random_result = ccache_reject;
603 smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
604 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
607 smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>\r\n",
608 from_address) >= 0 &&
609 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
612 else done = FALSE; /* Some timeout/connection problem */
615 /* If the host is accepting all local parts, as determined by the "random"
616 check, we don't need to waste time doing any further checking. */
618 if (new_domain_record.random_result != ccache_accept && done)
620 /* Get the rcpt_include_affixes flag from the transport if there is one,
621 but assume FALSE if there is not. */
624 smtp_write_command(&outblock, FALSE, "RCPT TO:<%.1000s>\r\n",
625 transport_rcpt_address(addr,
626 (addr->transport == NULL)? FALSE :
627 addr->transport->rcpt_include_affixes)) >= 0 &&
628 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
632 new_address_record.result = ccache_accept;
633 else if (errno == 0 && responsebuffer[0] == '5')
635 *failure_ptr = US"recipient";
636 new_address_record.result = ccache_reject;
639 /* Do postmaster check if requested; if a full check is required, we
640 check for RCPT TO:<postmaster> (no domain) in accordance with RFC 821. */
642 if (done && pm_mailfrom != NULL)
645 smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
646 smtp_read_response(&inblock, responsebuffer,
647 sizeof(responsebuffer), '2', callout) &&
649 smtp_write_command(&outblock, FALSE,
650 "MAIL FROM:<%s>\r\n", pm_mailfrom) >= 0 &&
651 smtp_read_response(&inblock, responsebuffer,
652 sizeof(responsebuffer), '2', callout) &&
654 /* First try using the current domain */
657 smtp_write_command(&outblock, FALSE,
658 "RCPT TO:<postmaster@%.1000s>\r\n", addr->domain) >= 0 &&
659 smtp_read_response(&inblock, responsebuffer,
660 sizeof(responsebuffer), '2', callout)
665 /* If that doesn't work, and a full check is requested,
666 try without the domain. */
669 (options & vopt_callout_fullpm) != 0 &&
670 smtp_write_command(&outblock, FALSE,
671 "RCPT TO:<postmaster>\r\n") >= 0 &&
672 smtp_read_response(&inblock, responsebuffer,
673 sizeof(responsebuffer), '2', callout)
676 /* Sort out the cache record */
678 new_domain_record.postmaster_stamp = time(NULL);
681 new_domain_record.postmaster_result = ccache_accept;
682 else if (errno == 0 && responsebuffer[0] == '5')
684 *failure_ptr = US"postmaster";
685 setflag(addr, af_verify_pmfail);
686 new_domain_record.postmaster_result = ccache_reject;
689 } /* Random not accepted */
690 } /* MAIL FROM: accepted */
692 /* For any failure of the main check, other than a negative response, we just
693 close the connection and carry on. We can identify a negative response by the
694 fact that errno is zero. For I/O errors it will be non-zero
696 Set up different error texts for logging and for sending back to the caller
697 as an SMTP response. Log in all cases, using a one-line format. For sender
698 callouts, give a full response to the caller, but for recipient callouts,
699 don't give the IP address because this may be an internal host whose identity
700 is not to be widely broadcast. */
704 if (errno == ETIMEDOUT)
706 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
711 if (*responsebuffer == 0) Ustrcpy(responsebuffer, US"connection dropped");
714 string_sprintf("response to \"%s\" from %s [%s] was: %s",
715 big_buffer, host->name, host->address,
716 string_printing(responsebuffer));
718 addr->user_message = is_recipient?
719 string_sprintf("Callout verification failed:\n%s", responsebuffer)
721 string_sprintf("Called: %s\nSent: %s\nResponse: %s",
722 host->address, big_buffer, responsebuffer);
724 /* Hard rejection ends the process */
726 if (responsebuffer[0] == '5') /* Address rejected */
734 /* End the SMTP conversation and close the connection. */
736 if (send_quit) (void)smtp_write_command(&outblock, FALSE, "QUIT\r\n");
737 (void)close(inblock.sock);
738 } /* Loop through all hosts, while !done */
740 /* If we get here with done == TRUE, a successful callout happened, and yield
741 will be set OK or FAIL according to the response to the RCPT command.
742 Otherwise, we looped through the hosts but couldn't complete the business.
743 However, there may be domain-specific information to cache in both cases.
745 The value of the result field in the new_domain record is ccache_unknown if
746 there was an error before or with MAIL FROM:, and errno was not zero,
747 implying some kind of I/O error. We don't want to write the cache in that case.
748 Otherwise the value is ccache_accept, ccache_reject, or ccache_reject_mfnull. */
750 if (!callout_no_cache && new_domain_record.result != ccache_unknown)
752 if ((dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE))
755 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
759 (void)dbfn_write(dbm_file, addr->domain, &new_domain_record,
760 (int)sizeof(dbdata_callout_cache));
761 HDEBUG(D_verify) debug_printf("wrote callout cache domain record:\n"
762 " result=%d postmaster=%d random=%d\n",
763 new_domain_record.result,
764 new_domain_record.postmaster_result,
765 new_domain_record.random_result);
769 /* If a definite result was obtained for the callout, cache it unless caching
774 if (!callout_no_cache && new_address_record.result != ccache_unknown)
776 if (dbm_file == NULL)
777 dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE);
778 if (dbm_file == NULL)
780 HDEBUG(D_verify) debug_printf("no callout cache available\n");
784 (void)dbfn_write(dbm_file, address_key, &new_address_record,
785 (int)sizeof(dbdata_callout_cache_address));
786 HDEBUG(D_verify) debug_printf("wrote %s callout cache address record\n",
787 (new_address_record.result == ccache_accept)? "positive" : "negative");
792 /* Failure to connect to any host, or any response other than 2xx or 5xx is a
793 temporary error. If there was only one host, and a response was received, leave
794 it alone if supplying details. Otherwise, give a generic response. */
798 uschar *dullmsg = string_sprintf("Could not complete %s verify callout",
799 is_recipient? "recipient" : "sender");
802 if (host_list->next != NULL || addr->message == NULL) addr->message = dullmsg;
804 addr->user_message = (!smtp_return_error_details)? dullmsg :
805 string_sprintf("%s for <%s>.\n"
806 "The mail server(s) for the domain may be temporarily unreachable, or\n"
807 "they may be permanently unreachable from this server. In the latter case,\n%s",
808 dullmsg, addr->address,
810 "the address will never be accepted."
812 "you need to change the address or create an MX record for its domain\n"
813 "if it is supposed to be generally accessible from the Internet.\n"
814 "Talk to your mail administrator for details.");
816 /* Force a specific error code */
818 addr->basic_errno = ERRNO_CALLOUTDEFER;
821 /* Come here from within the cache-reading code on fast-track exit. */
824 if (dbm_file != NULL) dbfn_close(dbm_file);
830 /*************************************************
831 * Copy error to toplevel address *
832 *************************************************/
834 /* This function is used when a verify fails or defers, to ensure that the
835 failure or defer information is in the original toplevel address. This applies
836 when an address is redirected to a single new address, and the failure or
837 deferral happens to the child address.
840 vaddr the verify address item
841 addr the final address item
844 Returns: the value of YIELD
848 copy_error(address_item *vaddr, address_item *addr, int yield)
852 vaddr->message = addr->message;
853 vaddr->user_message = addr->user_message;
854 vaddr->basic_errno = addr->basic_errno;
855 vaddr->more_errno = addr->more_errno;
856 vaddr->p.address_data = addr->p.address_data;
857 copyflag(vaddr, addr, af_pass_message);
865 /**************************************************
866 * printf that automatically handles TLS if needed *
867 ***************************************************/
869 /* This function is used by verify_address() as a substitute for all fprintf()
870 calls; a direct fprintf() will not produce output in a TLS SMTP session, such
871 as a response to an EXPN command. smtp_in.c makes smtp_printf available but
872 that assumes that we always use the smtp_out FILE* when not using TLS or the
873 ssl buffer when we are. Instead we take a FILE* parameter and check to see if
874 that is smtp_out; if so, smtp_printf() with TLS support, otherwise regular
878 f the candidate FILE* to write to
880 ... optional arguments
886 static void PRINTF_FUNCTION(2,3)
887 respond_printf(FILE *f, const char *format, ...)
891 va_start(ap, format);
892 if (smtp_out && (f == smtp_out))
893 smtp_vprintf(format, ap);
895 vfprintf(f, format, ap);
901 /*************************************************
902 * Verify an email address *
903 *************************************************/
905 /* This function is used both for verification (-bv and at other times) and
906 address testing (-bt), which is indicated by address_test_mode being set.
909 vaddr contains the address to verify; the next field in this block
911 f if not NULL, write the result to this file
912 options various option bits:
913 vopt_fake_sender => this sender verify is not for the real
914 sender (it was verify=sender=xxxx or an address from a
915 header line) - rewriting must not change sender_address
916 vopt_is_recipient => this is a recipient address, otherwise
917 it's a sender address - this affects qualification and
918 rewriting and messages from callouts
919 vopt_qualify => qualify an unqualified address; else error
920 vopt_expn => called from SMTP EXPN command
921 vopt_success_on_redirect => when a new address is generated
922 the verification instantly succeeds
924 These ones are used by do_callout() -- the options variable
927 vopt_callout_fullpm => if postmaster check, do full one
928 vopt_callout_no_cache => don't use callout cache
929 vopt_callout_random => do the "random" thing
930 vopt_callout_recipsender => use real sender for recipient
931 vopt_callout_recippmaster => use postmaster for recipient
933 callout if > 0, specifies that callout is required, and gives timeout
934 for individual commands
935 callout_overall if > 0, gives overall timeout for the callout function;
936 if < 0, a default is used (see do_callout())
937 callout_connect the connection timeout for callouts
938 se_mailfrom when callout is requested to verify a sender, use this
939 in MAIL FROM; NULL => ""
940 pm_mailfrom when callout is requested, if non-NULL, do the postmaster
941 thing and use this as the sender address (may be "")
943 routed if not NULL, set TRUE if routing succeeded, so we can
944 distinguish between routing failed and callout failed
946 Returns: OK address verified
947 FAIL address failed to verify
948 DEFER can't tell at present
952 verify_address(address_item *vaddr, FILE *f, int options, int callout,
953 int callout_overall, int callout_connect, uschar *se_mailfrom,
954 uschar *pm_mailfrom, BOOL *routed)
957 BOOL full_info = (f == NULL)? FALSE : (debug_selector != 0);
958 BOOL is_recipient = (options & vopt_is_recipient) != 0;
959 BOOL expn = (options & vopt_expn) != 0;
960 BOOL success_on_redirect = (options & vopt_success_on_redirect) != 0;
963 int verify_type = expn? v_expn :
964 address_test_mode? v_none :
965 is_recipient? v_recipient : v_sender;
966 address_item *addr_list;
967 address_item *addr_new = NULL;
968 address_item *addr_remote = NULL;
969 address_item *addr_local = NULL;
970 address_item *addr_succeed = NULL;
971 uschar **failure_ptr = is_recipient?
972 &recipient_verify_failure : &sender_verify_failure;
973 uschar *ko_prefix, *cr;
974 uschar *address = vaddr->address;
976 uschar null_sender[] = { 0 }; /* Ensure writeable memory */
978 /* Clear, just in case */
982 /* Set up a prefix and suffix for error message which allow us to use the same
983 output statements both in EXPN mode (where an SMTP response is needed) and when
984 debugging with an output file. */
988 ko_prefix = US"553 ";
991 else ko_prefix = cr = US"";
993 /* Add qualify domain if permitted; otherwise an unqualified address fails. */
995 if (parse_find_at(address) == NULL)
997 if ((options & vopt_qualify) == 0)
1000 respond_printf(f, "%sA domain is required for \"%s\"%s\n",
1001 ko_prefix, address, cr);
1002 *failure_ptr = US"qualify";
1005 address = rewrite_address_qualify(address, is_recipient);
1010 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1011 debug_printf("%s %s\n", address_test_mode? "Testing" : "Verifying", address);
1014 /* Rewrite and report on it. Clear the domain and local part caches - these
1015 may have been set by domains and local part tests during an ACL. */
1017 if (global_rewrite_rules != NULL)
1019 uschar *old = address;
1020 address = rewrite_address(address, is_recipient, FALSE,
1021 global_rewrite_rules, rewrite_existflags);
1024 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->localpart_cache[i] = 0;
1025 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->domain_cache[i] = 0;
1026 if (f != NULL && !expn) fprintf(f, "Address rewritten as: %s\n", address);
1030 /* If this is the real sender address, we must update sender_address at
1031 this point, because it may be referred to in the routers. */
1033 if ((options & (vopt_fake_sender|vopt_is_recipient)) == 0)
1034 sender_address = address;
1036 /* If the address was rewritten to <> no verification can be done, and we have
1037 to return OK. This rewriting is permitted only for sender addresses; for other
1038 addresses, such rewriting fails. */
1040 if (address[0] == 0) return OK;
1042 /* Save a copy of the sender address for re-instating if we change it to <>
1043 while verifying a sender address (a nice bit of self-reference there). */
1045 save_sender = sender_address;
1047 /* Update the address structure with the possibly qualified and rewritten
1048 address. Set it up as the starting address on the chain of new addresses. */
1050 vaddr->address = address;
1053 /* We need a loop, because an address can generate new addresses. We must also
1054 cope with generated pipes and files at the top level. (See also the code and
1055 comment in deliver.c.) However, it is usually the case that the router for
1056 user's .forward files has its verify flag turned off.
1058 If an address generates more than one child, the loop is used only when
1059 full_info is set, and this can only be set locally. Remote enquiries just get
1060 information about the top level address, not anything that it generated. */
1062 while (addr_new != NULL)
1065 address_item *addr = addr_new;
1067 addr_new = addr->next;
1072 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1073 debug_printf("Considering %s\n", addr->address);
1076 /* Handle generated pipe, file or reply addresses. We don't get these
1077 when handling EXPN, as it does only one level of expansion. */
1079 if (testflag(addr, af_pfr))
1086 if (addr->address[0] == '>')
1088 allow = testflag(addr, af_allow_reply);
1089 fprintf(f, "%s -> mail %s", addr->parent->address, addr->address + 1);
1093 allow = (addr->address[0] == '|')?
1094 testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file);
1095 fprintf(f, "%s -> %s", addr->parent->address, addr->address);
1098 if (addr->basic_errno == ERRNO_BADTRANSPORT)
1099 fprintf(f, "\n*** Error in setting up pipe, file, or autoreply:\n"
1100 "%s\n", addr->message);
1102 fprintf(f, "\n transport = %s\n", addr->transport->name);
1104 fprintf(f, " *** forbidden ***\n");
1109 /* Just in case some router parameter refers to it. */
1111 return_path = (addr->p.errors_address != NULL)?
1112 addr->p.errors_address : sender_address;
1114 /* Split the address into domain and local part, handling the %-hack if
1115 necessary, and then route it. While routing a sender address, set
1116 $sender_address to <> because that is what it will be if we were trying to
1117 send a bounce to the sender. */
1119 if (routed != NULL) *routed = FALSE;
1120 if ((rc = deliver_split_address(addr)) == OK)
1122 if (!is_recipient) sender_address = null_sender;
1123 rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
1124 &addr_succeed, verify_type);
1125 sender_address = save_sender; /* Put back the real sender */
1128 /* If routing an address succeeded, set the flag that remembers, for use when
1129 an ACL cached a sender verify (in case a callout fails). Then if routing set
1130 up a list of hosts or the transport has a host list, and the callout option
1131 is set, and we aren't in a host checking run, do the callout verification,
1132 and set another flag that notes that a callout happened. */
1136 if (routed != NULL) *routed = TRUE;
1139 host_item *host_list = addr->host_list;
1141 /* Make up some data for use in the case where there is no remote
1144 transport_feedback tf = {
1145 NULL, /* interface (=> any) */
1146 US"smtp", /* port */
1147 US"smtp", /* protocol */
1149 US"$smtp_active_hostname", /* helo_data */
1150 FALSE, /* hosts_override */
1151 FALSE, /* hosts_randomize */
1152 FALSE, /* gethostbyname */
1153 TRUE, /* qualify_single */
1154 FALSE /* search_parents */
1157 /* If verification yielded a remote transport, we want to use that
1158 transport's options, so as to mimic what would happen if we were really
1159 sending a message to this address. */
1161 if (addr->transport != NULL && !addr->transport->info->local)
1163 (void)(addr->transport->setup)(addr->transport, addr, &tf, 0, 0, NULL);
1165 /* If the transport has hosts and the router does not, or if the
1166 transport is configured to override the router's hosts, we must build a
1167 host list of the transport's hosts, and find the IP addresses */
1169 if (tf.hosts != NULL && (host_list == NULL || tf.hosts_override))
1172 uschar *save_deliver_domain = deliver_domain;
1173 uschar *save_deliver_localpart = deliver_localpart;
1175 host_list = NULL; /* Ignore the router's hosts */
1177 deliver_domain = addr->domain;
1178 deliver_localpart = addr->local_part;
1179 s = expand_string(tf.hosts);
1180 deliver_domain = save_deliver_domain;
1181 deliver_localpart = save_deliver_localpart;
1185 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand list of hosts "
1186 "\"%s\" in %s transport for callout: %s", tf.hosts,
1187 addr->transport->name, expand_string_message);
1192 uschar *canonical_name;
1193 host_item *host, *nexthost;
1194 host_build_hostlist(&host_list, s, tf.hosts_randomize);
1196 /* Just ignore failures to find a host address. If we don't manage
1197 to find any addresses, the callout will defer. Note that more than
1198 one address may be found for a single host, which will result in
1199 additional host items being inserted into the chain. Hence we must
1200 save the next host first. */
1202 flags = HOST_FIND_BY_A;
1203 if (tf.qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
1204 if (tf.search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
1206 for (host = host_list; host != NULL; host = nexthost)
1208 nexthost = host->next;
1209 if (tf.gethostbyname ||
1210 string_is_ip_address(host->name, NULL) != 0)
1211 (void)host_find_byname(host, NULL, flags, &canonical_name, TRUE);
1213 (void)host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
1214 &canonical_name, NULL);
1220 /* Can only do a callout if we have at least one host! If the callout
1221 fails, it will have set ${sender,recipient}_verify_failure. */
1223 if (host_list != NULL)
1225 HDEBUG(D_verify) debug_printf("Attempting full verification using callout\n");
1226 if (host_checking && !host_checking_callout)
1229 debug_printf("... callout omitted by default when host testing\n"
1230 "(Use -bhc if you want the callouts to happen.)\n");
1234 rc = do_callout(addr, host_list, &tf, callout, callout_overall,
1235 callout_connect, options, se_mailfrom, pm_mailfrom);
1240 HDEBUG(D_verify) debug_printf("Cannot do callout: neither router nor "
1241 "transport provided a host list\n");
1246 /* Otherwise, any failure is a routing failure */
1248 else *failure_ptr = US"route";
1250 /* A router may return REROUTED if it has set up a child address as a result
1251 of a change of domain name (typically from widening). In this case we always
1252 want to continue to verify the new child. */
1254 if (rc == REROUTED) continue;
1256 /* Handle hard failures */
1263 address_item *p = addr->parent;
1265 respond_printf(f, "%s%s %s", ko_prefix,
1266 full_info? addr->address : address,
1267 address_test_mode? "is undeliverable" : "failed to verify");
1268 if (!expn && admin_user)
1270 if (addr->basic_errno > 0)
1271 respond_printf(f, ": %s", strerror(addr->basic_errno));
1272 if (addr->message != NULL)
1273 respond_printf(f, ": %s", addr->message);
1276 /* Show parents iff doing full info */
1278 if (full_info) while (p != NULL)
1280 respond_printf(f, "%s\n <-- %s", cr, p->address);
1283 respond_printf(f, "%s\n", cr);
1286 if (!full_info) return copy_error(vaddr, addr, FAIL);
1292 else if (rc == DEFER)
1297 address_item *p = addr->parent;
1298 respond_printf(f, "%s%s cannot be resolved at this time", ko_prefix,
1299 full_info? addr->address : address);
1300 if (!expn && admin_user)
1302 if (addr->basic_errno > 0)
1303 respond_printf(f, ": %s", strerror(addr->basic_errno));
1304 if (addr->message != NULL)
1305 respond_printf(f, ": %s", addr->message);
1306 else if (addr->basic_errno <= 0)
1307 respond_printf(f, ": unknown error");
1310 /* Show parents iff doing full info */
1312 if (full_info) while (p != NULL)
1314 respond_printf(f, "%s\n <-- %s", cr, p->address);
1317 respond_printf(f, "%s\n", cr);
1319 if (!full_info) return copy_error(vaddr, addr, DEFER);
1320 else if (yield == OK) yield = DEFER;
1323 /* If we are handling EXPN, we do not want to continue to route beyond
1324 the top level (whose address is in "address"). */
1328 uschar *ok_prefix = US"250-";
1329 if (addr_new == NULL)
1331 if (addr_local == NULL && addr_remote == NULL)
1332 respond_printf(f, "250 mail to <%s> is discarded\r\n", address);
1334 respond_printf(f, "250 <%s>\r\n", address);
1336 else while (addr_new != NULL)
1338 address_item *addr2 = addr_new;
1339 addr_new = addr2->next;
1340 if (addr_new == NULL) ok_prefix = US"250 ";
1341 respond_printf(f, "%s<%s>\r\n", ok_prefix, addr2->address);
1346 /* Successful routing other than EXPN. */
1350 /* Handle successful routing when short info wanted. Otherwise continue for
1351 other (generated) addresses. Short info is the operational case. Full info
1352 can be requested only when debug_selector != 0 and a file is supplied.
1354 There is a conflict between the use of aliasing as an alternate email
1355 address, and as a sort of mailing list. If an alias turns the incoming
1356 address into just one address (e.g. J.Caesar->jc44) you may well want to
1357 carry on verifying the generated address to ensure it is valid when
1358 checking incoming mail. If aliasing generates multiple addresses, you
1359 probably don't want to do this. Exim therefore treats the generation of
1360 just a single new address as a special case, and continues on to verify the
1361 generated address. */
1363 if (!full_info && /* Stop if short info wanted AND */
1364 (((addr_new == NULL || /* No new address OR */
1365 addr_new->next != NULL || /* More than one new address OR */
1366 testflag(addr_new, af_pfr))) /* New address is pfr */
1368 (addr_new != NULL && /* At least one new address AND */
1369 success_on_redirect))) /* success_on_redirect is set */
1371 if (f != NULL) fprintf(f, "%s %s\n", address,
1372 address_test_mode? "is deliverable" : "verified");
1374 /* If we have carried on to verify a child address, we want the value
1375 of $address_data to be that of the child */
1377 vaddr->p.address_data = addr->p.address_data;
1381 } /* Loop for generated addresses */
1383 /* Display the full results of the successful routing, including any generated
1384 addresses. Control gets here only when full_info is set, which requires f not
1385 to be NULL, and this occurs only when a top-level verify is called with the
1386 debugging switch on.
1388 If there are no local and no remote addresses, and there were no pipes, files,
1389 or autoreplies, and there were no errors or deferments, the message is to be
1390 discarded, usually because of the use of :blackhole: in an alias file. */
1392 if (allok && addr_local == NULL && addr_remote == NULL)
1394 fprintf(f, "mail to %s is discarded\n", address);
1398 for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
1400 while (addr_list != NULL)
1402 address_item *addr = addr_list;
1403 address_item *p = addr->parent;
1404 addr_list = addr->next;
1406 fprintf(f, "%s", CS addr->address);
1407 #ifdef EXPERIMENTAL_SRS
1408 if(addr->p.srs_sender)
1409 fprintf(f, " [srs = %s]", addr->p.srs_sender);
1412 /* If the address is a duplicate, show something about it. */
1414 if (!testflag(addr, af_pfr))
1417 if ((tnode = tree_search(tree_duplicates, addr->unique)) != NULL)
1418 fprintf(f, " [duplicate, would not be delivered]");
1419 else tree_add_duplicate(addr->unique, addr);
1422 /* Now show its parents */
1426 fprintf(f, "\n <-- %s", p->address);
1431 /* Show router, and transport */
1433 fprintf(f, "router = %s, ", addr->router->name);
1434 fprintf(f, "transport = %s\n", (addr->transport == NULL)? US"unset" :
1435 addr->transport->name);
1437 /* Show any hosts that are set up by a router unless the transport
1438 is going to override them; fiddle a bit to get a nice format. */
1440 if (addr->host_list != NULL && addr->transport != NULL &&
1441 !addr->transport->overrides_hosts)
1446 for (h = addr->host_list; h != NULL; h = h->next)
1448 int len = Ustrlen(h->name);
1449 if (len > maxlen) maxlen = len;
1450 len = (h->address != NULL)? Ustrlen(h->address) : 7;
1451 if (len > maxaddlen) maxaddlen = len;
1453 for (h = addr->host_list; h != NULL; h = h->next)
1455 int len = Ustrlen(h->name);
1456 fprintf(f, " host %s ", h->name);
1457 while (len++ < maxlen) fprintf(f, " ");
1458 if (h->address != NULL)
1460 fprintf(f, "[%s] ", h->address);
1461 len = Ustrlen(h->address);
1463 else if (!addr->transport->info->local) /* Omit [unknown] for local */
1465 fprintf(f, "[unknown] ");
1469 while (len++ < maxaddlen) fprintf(f," ");
1470 if (h->mx >= 0) fprintf(f, "MX=%d", h->mx);
1471 if (h->port != PORT_NONE) fprintf(f, " port=%d", h->port);
1472 if (h->status == hstatus_unusable) fprintf(f, " ** unusable **");
1479 /* Will be DEFER or FAIL if any one address has, only for full_info (which is
1480 the -bv or -bt case). */
1488 /*************************************************
1489 * Check headers for syntax errors *
1490 *************************************************/
1492 /* This function checks those header lines that contain addresses, and verifies
1493 that all the addresses therein are syntactially correct.
1496 msgptr where to put an error message
1503 verify_check_headers(uschar **msgptr)
1509 for (h = header_list; h != NULL && yield == OK; h = h->next)
1511 if (h->type != htype_from &&
1512 h->type != htype_reply_to &&
1513 h->type != htype_sender &&
1514 h->type != htype_to &&
1515 h->type != htype_cc &&
1516 h->type != htype_bcc)
1519 colon = Ustrchr(h->text, ':');
1521 while (isspace(*s)) s++;
1523 /* Loop for multiple addresses in the header, enabling group syntax. Note
1524 that we have to reset this after the header has been scanned. */
1526 parse_allow_group = TRUE;
1530 uschar *ss = parse_find_address_end(s, FALSE);
1531 uschar *recipient, *errmess;
1532 int terminator = *ss;
1533 int start, end, domain;
1535 /* Temporarily terminate the string at this point, and extract the
1536 operative address within, allowing group syntax. */
1539 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
1542 /* Permit an unqualified address only if the message is local, or if the
1543 sending host is configured to be permitted to send them. */
1545 if (recipient != NULL && domain == 0)
1547 if (h->type == htype_from || h->type == htype_sender)
1549 if (!allow_unqualified_sender) recipient = NULL;
1553 if (!allow_unqualified_recipient) recipient = NULL;
1555 if (recipient == NULL) errmess = US"unqualified address not permitted";
1558 /* It's an error if no address could be extracted, except for the special
1559 case of an empty address. */
1561 if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0)
1563 uschar *verb = US"is";
1568 /* Arrange not to include any white space at the end in the
1569 error message or the header name. */
1571 while (t > s && isspace(t[-1])) t--;
1572 while (tt > h->text && isspace(tt[-1])) tt--;
1574 /* Add the address that failed to the error message, since in a
1575 header with very many addresses it is sometimes hard to spot
1576 which one is at fault. However, limit the amount of address to
1577 quote - cases have been seen where, for example, a missing double
1578 quote in a humungous To: header creates an "address" that is longer
1579 than string_sprintf can handle. */
1588 *msgptr = string_printing(
1589 string_sprintf("%s: failing address in \"%.*s:\" header %s: %.*s",
1590 errmess, tt - h->text, h->text, verb, len, s));
1593 break; /* Out of address loop */
1596 /* Advance to the next address */
1598 s = ss + (terminator? 1:0);
1599 while (isspace(*s)) s++;
1600 } /* Next address */
1602 parse_allow_group = FALSE;
1603 parse_found_group = FALSE;
1604 } /* Next header unless yield has been set FALSE */
1611 /*************************************************
1612 * Check for blind recipients *
1613 *************************************************/
1615 /* This function checks that every (envelope) recipient is mentioned in either
1616 the To: or Cc: header lines, thus detecting blind carbon copies.
1618 There are two ways of scanning that could be used: either scan the header lines
1619 and tick off the recipients, or scan the recipients and check the header lines.
1620 The original proposed patch did the former, but I have chosen to do the latter,
1621 because (a) it requires no memory and (b) will use fewer resources when there
1622 are many addresses in To: and/or Cc: and only one or two envelope recipients.
1625 Returns: OK if there are no blind recipients
1626 FAIL if there is at least one blind recipient
1630 verify_check_notblind(void)
1633 for (i = 0; i < recipients_count; i++)
1637 uschar *address = recipients_list[i].address;
1639 for (h = header_list; !found && h != NULL; h = h->next)
1643 if (h->type != htype_to && h->type != htype_cc) continue;
1645 colon = Ustrchr(h->text, ':');
1647 while (isspace(*s)) s++;
1649 /* Loop for multiple addresses in the header, enabling group syntax. Note
1650 that we have to reset this after the header has been scanned. */
1652 parse_allow_group = TRUE;
1656 uschar *ss = parse_find_address_end(s, FALSE);
1657 uschar *recipient,*errmess;
1658 int terminator = *ss;
1659 int start, end, domain;
1661 /* Temporarily terminate the string at this point, and extract the
1662 operative address within, allowing group syntax. */
1665 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
1668 /* If we found a valid recipient that has a domain, compare it with the
1669 envelope recipient. Local parts are compared case-sensitively, domains
1670 case-insensitively. By comparing from the start with length "domain", we
1671 include the "@" at the end, which ensures that we are comparing the whole
1672 local part of each address. */
1674 if (recipient != NULL && domain != 0)
1676 found = Ustrncmp(recipient, address, domain) == 0 &&
1677 strcmpic(recipient + domain, address + domain) == 0;
1681 /* Advance to the next address */
1683 s = ss + (terminator? 1:0);
1684 while (isspace(*s)) s++;
1685 } /* Next address */
1687 parse_allow_group = FALSE;
1688 parse_found_group = FALSE;
1689 } /* Next header (if found is false) */
1691 if (!found) return FAIL;
1692 } /* Next recipient */
1699 /*************************************************
1700 * Find if verified sender *
1701 *************************************************/
1703 /* Usually, just a single address is verified as the sender of the message.
1704 However, Exim can be made to verify other addresses as well (often related in
1705 some way), and this is useful in some environments. There may therefore be a
1706 chain of such addresses that have previously been tested. This function finds
1707 whether a given address is on the chain.
1709 Arguments: the address to be verified
1710 Returns: pointer to an address item, or NULL
1714 verify_checked_sender(uschar *sender)
1717 for (addr = sender_verified_list; addr != NULL; addr = addr->next)
1718 if (Ustrcmp(sender, addr->address) == 0) break;
1726 /*************************************************
1727 * Get valid header address *
1728 *************************************************/
1730 /* Scan the originator headers of the message, looking for an address that
1731 verifies successfully. RFC 822 says:
1733 o The "Sender" field mailbox should be sent notices of
1734 any problems in transport or delivery of the original
1735 messages. If there is no "Sender" field, then the
1736 "From" field mailbox should be used.
1738 o If the "Reply-To" field exists, then the reply should
1739 go to the addresses indicated in that field and not to
1740 the address(es) indicated in the "From" field.
1742 So we check a Sender field if there is one, else a Reply_to field, else a From
1743 field. As some strange messages may have more than one of these fields,
1744 especially if they are resent- fields, check all of them if there is more than
1748 user_msgptr points to where to put a user error message
1749 log_msgptr points to where to put a log error message
1750 callout timeout for callout check (passed to verify_address())
1751 callout_overall overall callout timeout (ditto)
1752 callout_connect connect callout timeout (ditto)
1753 se_mailfrom mailfrom for verify; NULL => ""
1754 pm_mailfrom sender for pm callout check (passed to verify_address())
1755 options callout options (passed to verify_address())
1756 verrno where to put the address basic_errno
1758 If log_msgptr is set to something without setting user_msgptr, the caller
1759 normally uses log_msgptr for both things.
1761 Returns: result of the verification attempt: OK, FAIL, or DEFER;
1762 FAIL is given if no appropriate headers are found
1766 verify_check_header_address(uschar **user_msgptr, uschar **log_msgptr,
1767 int callout, int callout_overall, int callout_connect, uschar *se_mailfrom,
1768 uschar *pm_mailfrom, int options, int *verrno)
1770 static int header_types[] = { htype_sender, htype_reply_to, htype_from };
1775 for (i = 0; i < 3 && !done; i++)
1778 for (h = header_list; h != NULL && !done; h = h->next)
1780 int terminator, new_ok;
1781 uschar *s, *ss, *endname;
1783 if (h->type != header_types[i]) continue;
1784 s = endname = Ustrchr(h->text, ':') + 1;
1786 /* Scan the addresses in the header, enabling group syntax. Note that we
1787 have to reset this after the header has been scanned. */
1789 parse_allow_group = TRUE;
1793 address_item *vaddr;
1795 while (isspace(*s) || *s == ',') s++;
1796 if (*s == 0) break; /* End of header */
1798 ss = parse_find_address_end(s, FALSE);
1800 /* The terminator is a comma or end of header, but there may be white
1801 space preceding it (including newline for the last address). Move back
1802 past any white space so we can check against any cached envelope sender
1803 address verifications. */
1805 while (isspace(ss[-1])) ss--;
1809 HDEBUG(D_verify) debug_printf("verifying %.*s header address %s\n",
1810 (int)(endname - h->text), h->text, s);
1812 /* See if we have already verified this address as an envelope sender,
1813 and if so, use the previous answer. */
1815 vaddr = verify_checked_sender(s);
1817 if (vaddr != NULL && /* Previously checked */
1818 (callout <= 0 || /* No callout needed; OR */
1819 vaddr->special_action > 256)) /* Callout was done */
1821 new_ok = vaddr->special_action & 255;
1822 HDEBUG(D_verify) debug_printf("previously checked as envelope sender\n");
1823 *ss = terminator; /* Restore shortened string */
1826 /* Otherwise we run the verification now. We must restore the shortened
1827 string before running the verification, so the headers are correct, in
1828 case there is any rewriting. */
1832 int start, end, domain;
1833 uschar *address = parse_extract_address(s, log_msgptr, &start, &end,
1838 /* If we found an empty address, just carry on with the next one, but
1839 kill the message. */
1841 if (address == NULL && Ustrcmp(*log_msgptr, "empty address") == 0)
1848 /* If verification failed because of a syntax error, fail this
1849 function, and ensure that the failing address gets added to the error
1852 if (address == NULL)
1855 while (ss > s && isspace(ss[-1])) ss--;
1856 *log_msgptr = string_sprintf("syntax error in '%.*s' header when "
1857 "scanning for sender: %s in \"%.*s\"",
1858 endname - h->text, h->text, *log_msgptr, ss - s, s);
1864 /* Else go ahead with the sender verification. But it isn't *the*
1865 sender of the message, so set vopt_fake_sender to stop sender_address
1866 being replaced after rewriting or qualification. */
1870 vaddr = deliver_make_addr(address, FALSE);
1871 new_ok = verify_address(vaddr, NULL, options | vopt_fake_sender,
1872 callout, callout_overall, callout_connect, se_mailfrom,
1877 /* We now have the result, either newly found, or cached. If we are
1878 giving out error details, set a specific user error. This means that the
1879 last of these will be returned to the user if all three fail. We do not
1880 set a log message - the generic one below will be used. */
1884 *verrno = vaddr->basic_errno;
1885 if (smtp_return_error_details)
1887 *user_msgptr = string_sprintf("Rejected after DATA: "
1888 "could not verify \"%.*s\" header address\n%s: %s",
1889 endname - h->text, h->text, vaddr->address, vaddr->message);
1893 /* Success or defer */
1902 if (new_ok == DEFER) yield = DEFER;
1904 /* Move on to any more addresses in the header */
1907 } /* Next address */
1909 parse_allow_group = FALSE;
1910 parse_found_group = FALSE;
1911 } /* Next header, unless done */
1912 } /* Next header type unless done */
1914 if (yield == FAIL && *log_msgptr == NULL)
1915 *log_msgptr = US"there is no valid sender in any header line";
1917 if (yield == DEFER && *log_msgptr == NULL)
1918 *log_msgptr = US"all attempts to verify a sender in a header line deferred";
1926 /*************************************************
1927 * Get RFC 1413 identification *
1928 *************************************************/
1930 /* Attempt to get an id from the sending machine via the RFC 1413 protocol. If
1931 the timeout is set to zero, then the query is not done. There may also be lists
1932 of hosts and nets which are exempt. To guard against malefactors sending
1933 non-printing characters which could, for example, disrupt a message's headers,
1934 make sure the string consists of printing characters only.
1937 port the port to connect to; usually this is IDENT_PORT (113), but when
1938 running in the test harness with -bh a different value is used.
1942 Side effect: any received ident value is put in sender_ident (NULL otherwise)
1946 verify_get_ident(int port)
1948 int sock, host_af, qlen;
1949 int received_sender_port, received_interface_port, n;
1951 uschar buffer[2048];
1953 /* Default is no ident. Check whether we want to do an ident check for this
1956 sender_ident = NULL;
1957 if (rfc1413_query_timeout <= 0 || verify_check_host(&rfc1413_hosts) != OK)
1960 DEBUG(D_ident) debug_printf("doing ident callback\n");
1962 /* Set up a connection to the ident port of the remote host. Bind the local end
1963 to the incoming interface address. If the sender host address is an IPv6
1964 address, the incoming interface address will also be IPv6. */
1966 host_af = (Ustrchr(sender_host_address, ':') == NULL)? AF_INET : AF_INET6;
1967 sock = ip_socket(SOCK_STREAM, host_af);
1968 if (sock < 0) return;
1970 if (ip_bind(sock, host_af, interface_address, 0) < 0)
1972 DEBUG(D_ident) debug_printf("bind socket for ident failed: %s\n",
1977 if (ip_connect(sock, host_af, sender_host_address, port, rfc1413_query_timeout)
1980 if (errno == ETIMEDOUT && (log_extra_selector & LX_ident_timeout) != 0)
1982 log_write(0, LOG_MAIN, "ident connection to %s timed out",
1983 sender_host_address);
1987 DEBUG(D_ident) debug_printf("ident connection to %s failed: %s\n",
1988 sender_host_address, strerror(errno));
1993 /* Construct and send the query. */
1995 sprintf(CS buffer, "%d , %d\r\n", sender_host_port, interface_port);
1996 qlen = Ustrlen(buffer);
1997 if (send(sock, buffer, qlen, 0) < 0)
1999 DEBUG(D_ident) debug_printf("ident send failed: %s\n", strerror(errno));
2003 /* Read a response line. We put it into the rest of the buffer, using several
2004 recv() calls if necessary. */
2012 int size = sizeof(buffer) - (p - buffer);
2014 if (size <= 0) goto END_OFF; /* Buffer filled without seeing \n. */
2015 count = ip_recv(sock, p, size, rfc1413_query_timeout);
2016 if (count <= 0) goto END_OFF; /* Read error or EOF */
2018 /* Scan what we just read, to see if we have reached the terminating \r\n. Be
2019 generous, and accept a plain \n terminator as well. The only illegal
2022 for (pp = p; pp < p + count; pp++)
2024 if (*pp == 0) goto END_OFF; /* Zero octet not allowed */
2027 if (pp[-1] == '\r') pp--;
2029 goto GOT_DATA; /* Break out of both loops */
2033 /* Reached the end of the data without finding \n. Let the loop continue to
2034 read some more, if there is room. */
2041 /* We have received a line of data. Check it carefully. It must start with the
2042 same two port numbers that we sent, followed by data as defined by the RFC. For
2045 12345 , 25 : USERID : UNIX :root
2047 However, the amount of white space may be different to what we sent. In the
2048 "osname" field there may be several sub-fields, comma separated. The data we
2049 actually want to save follows the third colon. Some systems put leading spaces
2050 in it - we discard those. */
2052 if (sscanf(CS buffer + qlen, "%d , %d%n", &received_sender_port,
2053 &received_interface_port, &n) != 2 ||
2054 received_sender_port != sender_host_port ||
2055 received_interface_port != interface_port)
2058 p = buffer + qlen + n;
2059 while(isspace(*p)) p++;
2060 if (*p++ != ':') goto END_OFF;
2061 while(isspace(*p)) p++;
2062 if (Ustrncmp(p, "USERID", 6) != 0) goto END_OFF;
2064 while(isspace(*p)) p++;
2065 if (*p++ != ':') goto END_OFF;
2066 while (*p != 0 && *p != ':') p++;
2067 if (*p++ == 0) goto END_OFF;
2068 while(isspace(*p)) p++;
2069 if (*p == 0) goto END_OFF;
2071 /* The rest of the line is the data we want. We turn it into printing
2072 characters when we save it, so that it cannot mess up the format of any logging
2073 or Received: lines into which it gets inserted. We keep a maximum of 127
2076 sender_ident = string_printing(string_copyn(p, 127));
2077 DEBUG(D_ident) debug_printf("sender_ident = %s\n", sender_ident);
2087 /*************************************************
2088 * Match host to a single host-list item *
2089 *************************************************/
2091 /* This function compares a host (name or address) against a single item
2092 from a host list. The host name gets looked up if it is needed and is not
2093 already known. The function is called from verify_check_this_host() via
2094 match_check_list(), which is why most of its arguments are in a single block.
2097 arg the argument block (see below)
2098 ss the host-list item
2099 valueptr where to pass back looked up data, or NULL
2100 error for error message when returning ERROR
2103 host_name (a) the host name, or
2104 (b) NULL, implying use sender_host_name and
2105 sender_host_aliases, looking them up if required, or
2106 (c) the empty string, meaning that only IP address matches
2108 host_address the host address
2109 host_ipv4 the IPv4 address taken from an IPv6 one
2113 DEFER lookup deferred
2114 ERROR (a) failed to find the host name or IP address, or
2115 (b) unknown lookup type specified, or
2116 (c) host name encountered when only IP addresses are
2121 check_host(void *arg, uschar *ss, uschar **valueptr, uschar **error)
2123 check_host_block *cb = (check_host_block *)arg;
2126 BOOL iplookup = FALSE;
2127 BOOL isquery = FALSE;
2128 BOOL isiponly = cb->host_name != NULL && cb->host_name[0] == 0;
2133 /* Optimize for the special case when the pattern is "*". */
2135 if (*ss == '*' && ss[1] == 0) return OK;
2137 /* If the pattern is empty, it matches only in the case when there is no host -
2138 this can occur in ACL checking for SMTP input using the -bs option. In this
2139 situation, the host address is the empty string. */
2141 if (cb->host_address[0] == 0) return (*ss == 0)? OK : FAIL;
2142 if (*ss == 0) return FAIL;
2144 /* If the pattern is precisely "@" then match against the primary host name,
2145 provided that host name matching is permitted; if it's "@[]" match against the
2146 local host's IP addresses. */
2152 if (isiponly) return ERROR;
2153 ss = primary_hostname;
2155 else if (Ustrcmp(ss, "@[]") == 0)
2157 ip_address_item *ip;
2158 for (ip = host_find_interfaces(); ip != NULL; ip = ip->next)
2159 if (Ustrcmp(ip->address, cb->host_address) == 0) return OK;
2164 /* If the pattern is an IP address, optionally followed by a bitmask count, do
2165 a (possibly masked) comparision with the current IP address. */
2167 if (string_is_ip_address(ss, &maskoffset) != 0)
2168 return (host_is_in_net(cb->host_address, ss, maskoffset)? OK : FAIL);
2170 /* The pattern is not an IP address. A common error that people make is to omit
2171 one component of an IPv4 address, either by accident, or believing that, for
2172 example, 1.2.3/24 is the same as 1.2.3.0/24, or 1.2.3 is the same as 1.2.3.0,
2173 which it isn't. (Those applications that do accept 1.2.3 as an IP address
2174 interpret it as 1.2.0.3 because the final component becomes 16-bit - this is an
2175 ancient specification.) To aid in debugging these cases, we give a specific
2176 error if the pattern contains only digits and dots or contains a slash preceded
2177 only by digits and dots (a slash at the start indicates a file name and of
2178 course slashes may be present in lookups, but not preceded only by digits and
2181 for (t = ss; isdigit(*t) || *t == '.'; t++);
2182 if (*t == 0 || (*t == '/' && t != ss))
2184 *error = US"malformed IPv4 address or address mask";
2188 /* See if there is a semicolon in the pattern */
2190 semicolon = Ustrchr(ss, ';');
2192 /* If we are doing an IP address only match, then all lookups must be IP
2193 address lookups, even if there is no "net-". */
2197 iplookup = semicolon != NULL;
2200 /* Otherwise, if the item is of the form net[n]-lookup;<file|query> then it is
2201 a lookup on a masked IP network, in textual form. We obey this code even if we
2202 have already set iplookup, so as to skip over the "net-" prefix and to set the
2203 mask length. The net- stuff really only applies to single-key lookups where the
2204 key is implicit. For query-style lookups the key is specified in the query.
2205 From release 4.30, the use of net- for query style is no longer needed, but we
2206 retain it for backward compatibility. */
2208 if (Ustrncmp(ss, "net", 3) == 0 && semicolon != NULL)
2211 for (t = ss + 3; isdigit(*t); t++) mlen = mlen * 10 + *t - '0';
2212 if (mlen == 0 && t == ss+3) mlen = -1; /* No mask supplied */
2213 iplookup = (*t++ == '-');
2217 /* Do the IP address lookup if that is indeed what we have */
2225 uschar *filename, *key, *result;
2228 /* Find the search type */
2230 search_type = search_findtype(t, semicolon - t);
2232 if (search_type < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
2233 search_error_message);
2235 /* Adjust parameters for the type of lookup. For a query-style lookup, there
2236 is no file name, and the "key" is just the query. For query-style with a file
2237 name, we have to fish the file off the start of the query. For a single-key
2238 lookup, the key is the current IP address, masked appropriately, and
2239 reconverted to text form, with the mask appended. For IPv6 addresses, specify
2240 dot separators instead of colons, except when the lookup type is "iplsearch".
2243 if (mac_islookup(search_type, lookup_absfilequery))
2245 filename = semicolon + 1;
2247 while (*key != 0 && !isspace(*key)) key++;
2248 filename = string_copyn(filename, key - filename);
2249 while (isspace(*key)) key++;
2251 else if (mac_islookup(search_type, lookup_querystyle))
2254 key = semicolon + 1;
2256 else /* Single-key style */
2258 int sep = (Ustrcmp(lookup_list[search_type]->name, "iplsearch") == 0)?
2260 insize = host_aton(cb->host_address, incoming);
2261 host_mask(insize, incoming, mlen);
2262 (void)host_nmtoa(insize, incoming, mlen, buffer, sep);
2264 filename = semicolon + 1;
2267 /* Now do the actual lookup; note that there is no search_close() because
2268 of the caching arrangements. */
2270 handle = search_open(filename, search_type, 0, NULL, NULL);
2271 if (handle == NULL) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
2272 search_error_message);
2273 result = search_find(handle, filename, key, -1, NULL, 0, 0, NULL);
2274 if (valueptr != NULL) *valueptr = result;
2275 return (result != NULL)? OK : search_find_defer? DEFER: FAIL;
2278 /* The pattern is not an IP address or network reference of any kind. That is,
2279 it is a host name pattern. If this is an IP only match, there's an error in the
2284 *error = US"cannot match host name in match_ip list";
2288 /* Check the characters of the pattern to see if they comprise only letters,
2289 digits, full stops, and hyphens (the constituents of domain names). Allow
2290 underscores, as they are all too commonly found. Sigh. Also, if
2291 allow_utf8_domains is set, allow top-bit characters. */
2293 for (t = ss; *t != 0; t++)
2294 if (!isalnum(*t) && *t != '.' && *t != '-' && *t != '_' &&
2295 (!allow_utf8_domains || *t < 128)) break;
2297 /* If the pattern is a complete domain name, with no fancy characters, look up
2298 its IP address and match against that. Note that a multi-homed host will add
2299 items to the chain. */
2310 rc = host_find_byname(&h, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, FALSE);
2311 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
2314 for (hh = &h; hh != NULL; hh = hh->next)
2316 if (host_is_in_net(hh->address, cb->host_address, 0)) return OK;
2320 if (rc == HOST_FIND_AGAIN) return DEFER;
2321 *error = string_sprintf("failed to find IP address for %s", ss);
2325 /* Almost all subsequent comparisons require the host name, and can be done
2326 using the general string matching function. When this function is called for
2327 outgoing hosts, the name is always given explicitly. If it is NULL, it means we
2328 must use sender_host_name and its aliases, looking them up if necessary. */
2330 if (cb->host_name != NULL) /* Explicit host name given */
2331 return match_check_string(cb->host_name, ss, -1, TRUE, TRUE, TRUE,
2334 /* Host name not given; in principle we need the sender host name and its
2335 aliases. However, for query-style lookups, we do not need the name if the
2336 query does not contain $sender_host_name. From release 4.23, a reference to
2337 $sender_host_name causes it to be looked up, so we don't need to do the lookup
2340 if ((semicolon = Ustrchr(ss, ';')) != NULL)
2343 int partial, affixlen, starflags, id;
2346 id = search_findtype_partial(ss, &partial, &affix, &affixlen, &starflags);
2349 if (id < 0) /* Unknown lookup type */
2351 log_write(0, LOG_MAIN|LOG_PANIC, "%s in host list item \"%s\"",
2352 search_error_message, ss);
2355 isquery = mac_islookup(id, lookup_querystyle|lookup_absfilequery);
2360 switch(match_check_string(US"", ss, -1, TRUE, TRUE, TRUE, valueptr))
2363 case DEFER: return DEFER;
2364 default: return FAIL;
2368 /* Not a query-style lookup; must ensure the host name is present, and then we
2369 do a check on the name and all its aliases. */
2371 if (sender_host_name == NULL)
2373 HDEBUG(D_host_lookup)
2374 debug_printf("sender host name required, to match against %s\n", ss);
2375 if (host_lookup_failed || host_name_lookup() != OK)
2377 *error = string_sprintf("failed to find host name for %s",
2378 sender_host_address);;
2381 host_build_sender_fullhost();
2384 /* Match on the sender host name, using the general matching function */
2386 switch(match_check_string(sender_host_name, ss, -1, TRUE, TRUE, TRUE,
2390 case DEFER: return DEFER;
2393 /* If there are aliases, try matching on them. */
2395 aliases = sender_host_aliases;
2396 while (*aliases != NULL)
2398 switch(match_check_string(*aliases++, ss, -1, TRUE, TRUE, TRUE, valueptr))
2401 case DEFER: return DEFER;
2410 /*************************************************
2411 * Check a specific host matches a host list *
2412 *************************************************/
2414 /* This function is passed a host list containing items in a number of
2415 different formats and the identity of a host. Its job is to determine whether
2416 the given host is in the set of hosts defined by the list. The host name is
2417 passed as a pointer so that it can be looked up if needed and not already
2418 known. This is commonly the case when called from verify_check_host() to check
2419 an incoming connection. When called from elsewhere the host name should usually
2422 This function is now just a front end to match_check_list(), which runs common
2423 code for scanning a list. We pass it the check_host() function to perform a
2427 listptr pointer to the host list
2428 cache_bits pointer to cache for named lists, or NULL
2429 host_name the host name or NULL, implying use sender_host_name and
2430 sender_host_aliases, looking them up if required
2431 host_address the IP address
2432 valueptr if not NULL, data from a lookup is passed back here
2434 Returns: OK if the host is in the defined set
2435 FAIL if the host is not in the defined set,
2436 DEFER if a data lookup deferred (not a host lookup)
2438 If the host name was needed in order to make a comparison, and could not be
2439 determined from the IP address, the result is FAIL unless the item
2440 "+allow_unknown" was met earlier in the list, in which case OK is returned. */
2443 verify_check_this_host(uschar **listptr, unsigned int *cache_bits,
2444 uschar *host_name, uschar *host_address, uschar **valueptr)
2447 unsigned int *local_cache_bits = cache_bits;
2448 uschar *save_host_address = deliver_host_address;
2449 check_host_block cb;
2450 cb.host_name = host_name;
2451 cb.host_address = host_address;
2453 if (valueptr != NULL) *valueptr = NULL;
2455 /* If the host address starts off ::ffff: it is an IPv6 address in
2456 IPv4-compatible mode. Find the IPv4 part for checking against IPv4
2459 cb.host_ipv4 = (Ustrncmp(host_address, "::ffff:", 7) == 0)?
2460 host_address + 7 : host_address;
2462 /* During the running of the check, put the IP address into $host_address. In
2463 the case of calls from the smtp transport, it will already be there. However,
2464 in other calls (e.g. when testing ignore_target_hosts), it won't. Just to be on
2465 the safe side, any existing setting is preserved, though as I write this
2466 (November 2004) I can't see any cases where it is actually needed. */
2468 deliver_host_address = host_address;
2469 rc = match_check_list(
2470 listptr, /* the list */
2471 0, /* separator character */
2472 &hostlist_anchor, /* anchor pointer */
2473 &local_cache_bits, /* cache pointer */
2474 check_host, /* function for testing */
2475 &cb, /* argument for function */
2476 MCL_HOST, /* type of check */
2477 (host_address == sender_host_address)?
2478 US"host" : host_address, /* text for debugging */
2479 valueptr); /* where to pass back data */
2480 deliver_host_address = save_host_address;
2487 /*************************************************
2488 * Check the remote host matches a list *
2489 *************************************************/
2491 /* This is a front end to verify_check_this_host(), created because checking
2492 the remote host is a common occurrence. With luck, a good compiler will spot
2493 the tail recursion and optimize it. If there's no host address, this is
2494 command-line SMTP input - check against an empty string for the address.
2497 listptr pointer to the host list
2499 Returns: the yield of verify_check_this_host(),
2500 i.e. OK, FAIL, or DEFER
2504 verify_check_host(uschar **listptr)
2506 return verify_check_this_host(listptr, sender_host_cache, NULL,
2507 (sender_host_address == NULL)? US"" : sender_host_address, NULL);
2514 /*************************************************
2515 * Invert an IP address *
2516 *************************************************/
2518 /* Originally just used for DNS xBL lists, now also used for the
2519 reverse_ip expansion operator.
2522 buffer where to put the answer
2523 address the address to invert
2527 invert_address(uschar *buffer, uschar *address)
2530 uschar *bptr = buffer;
2532 /* If this is an IPv4 address mapped into IPv6 format, adjust the pointer
2533 to the IPv4 part only. */
2535 if (Ustrncmp(address, "::ffff:", 7) == 0) address += 7;
2537 /* Handle IPv4 address: when HAVE_IPV6 is false, the result of host_aton() is
2540 if (host_aton(address, bin) == 1)
2544 for (i = 0; i < 4; i++)
2546 sprintf(CS bptr, "%d.", x & 255);
2547 while (*bptr) bptr++;
2552 /* Handle IPv6 address. Actually, as far as I know, there are no IPv6 addresses
2553 in any DNS black lists, and the format in which they will be looked up is
2554 unknown. This is just a guess. */
2560 for (j = 3; j >= 0; j--)
2563 for (i = 0; i < 8; i++)
2565 sprintf(CS bptr, "%x.", x & 15);
2566 while (*bptr) bptr++;
2573 /* Remove trailing period -- this is needed so that both arbitrary
2574 dnsbl keydomains and inverted addresses may be combined with the
2575 same format string, "%s.%s" */
2582 /*************************************************
2583 * Perform a single dnsbl lookup *
2584 *************************************************/
2586 /* This function is called from verify_check_dnsbl() below. It is also called
2587 recursively from within itself when domain and domain_txt are different
2588 pointers, in order to get the TXT record from the alternate domain.
2591 domain the outer dnsbl domain
2592 domain_txt alternate domain to lookup TXT record on success; when the
2593 same domain is to be used, domain_txt == domain (that is,
2594 the pointers must be identical, not just the text)
2595 keydomain the current keydomain (for debug message)
2596 prepend subdomain to lookup (like keydomain, but
2597 reversed if IP address)
2598 iplist the list of matching IP addresses, or NULL for "any"
2599 bitmask true if bitmask matching is wanted
2600 match_type condition for 'succeed' result
2601 0 => Any RR in iplist (=)
2602 1 => No RR in iplist (!=)
2603 2 => All RRs in iplist (==)
2604 3 => Some RRs not in iplist (!==)
2605 the two bits are defined as MT_NOT and MT_ALL
2606 defer_return what to return for a defer
2608 Returns: OK if lookup succeeded
2613 one_check_dnsbl(uschar *domain, uschar *domain_txt, uschar *keydomain,
2614 uschar *prepend, uschar *iplist, BOOL bitmask, int match_type,
2620 dnsbl_cache_block *cb;
2621 int old_pool = store_pool;
2622 uschar query[256]; /* DNS domain max length */
2624 /* Construct the specific query domainname */
2626 if (!string_format(query, sizeof(query), "%s.%s", prepend, domain))
2628 log_write(0, LOG_MAIN|LOG_PANIC, "dnslist query is too long "
2629 "(ignored): %s...", query);
2633 /* Look for this query in the cache. */
2635 t = tree_search(dnsbl_cache, query);
2637 /* If not cached from a previous lookup, we must do a DNS lookup, and
2638 cache the result in permanent memory. */
2642 store_pool = POOL_PERM;
2644 /* Set up a tree entry to cache the lookup */
2646 t = store_get(sizeof(tree_node) + Ustrlen(query));
2647 Ustrcpy(t->name, query);
2648 t->data.ptr = cb = store_get(sizeof(dnsbl_cache_block));
2649 (void)tree_insertnode(&dnsbl_cache, t);
2651 /* Do the DNS loopup . */
2653 HDEBUG(D_dnsbl) debug_printf("new DNS lookup for %s\n", query);
2654 cb->rc = dns_basic_lookup(&dnsa, query, T_A);
2655 cb->text_set = FALSE;
2659 /* If the lookup succeeded, cache the RHS address. The code allows for
2660 more than one address - this was for complete generality and the possible
2661 use of A6 records. However, A6 records have been reduced to experimental
2662 status (August 2001) and may die out. So they may never get used at all,
2663 let alone in dnsbl records. However, leave the code here, just in case.
2665 Quite apart from one A6 RR generating multiple addresses, there are DNS
2666 lists that return more than one A record, so we must handle multiple
2667 addresses generated in that way as well. */
2669 if (cb->rc == DNS_SUCCEED)
2672 dns_address **addrp = &(cb->rhs);
2673 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
2675 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
2677 if (rr->type == T_A)
2679 dns_address *da = dns_address_from_rr(&dnsa, rr);
2683 while (da->next != NULL) da = da->next;
2684 addrp = &(da->next);
2689 /* If we didn't find any A records, change the return code. This can
2690 happen when there is a CNAME record but there are no A records for what
2693 if (cb->rhs == NULL) cb->rc = DNS_NODATA;
2696 store_pool = old_pool;
2699 /* Previous lookup was cached */
2703 HDEBUG(D_dnsbl) debug_printf("using result of previous DNS lookup\n");
2707 /* We now have the result of the DNS lookup, either newly done, or cached
2708 from a previous call. If the lookup succeeded, check against the address
2709 list if there is one. This may be a positive equality list (introduced by
2710 "="), a negative equality list (introduced by "!="), a positive bitmask
2711 list (introduced by "&"), or a negative bitmask list (introduced by "!&").*/
2713 if (cb->rc == DNS_SUCCEED)
2715 dns_address *da = NULL;
2716 uschar *addlist = cb->rhs->address;
2718 /* For A and AAAA records, there may be multiple addresses from multiple
2719 records. For A6 records (currently not expected to be used) there may be
2720 multiple addresses from a single record. */
2722 for (da = cb->rhs->next; da != NULL; da = da->next)
2723 addlist = string_sprintf("%s, %s", addlist, da->address);
2725 HDEBUG(D_dnsbl) debug_printf("DNS lookup for %s succeeded (yielding %s)\n",
2728 /* Address list check; this can be either for equality, or via a bitmask.
2729 In the latter case, all the bits must match. */
2733 for (da = cb->rhs; da != NULL; da = da->next)
2737 uschar *ptr = iplist;
2740 /* Handle exact matching */
2744 while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))) != NULL)
2746 if (Ustrcmp(CS da->address, ip) == 0) break;
2750 /* Handle bitmask matching */
2757 /* At present, all known DNS blocking lists use A records, with
2758 IPv4 addresses on the RHS encoding the information they return. I
2759 wonder if this will linger on as the last vestige of IPv4 when IPv6
2760 is ubiquitous? Anyway, for now we use paranoia code to completely
2761 ignore IPv6 addresses. The default mask is 0, which always matches.
2762 We change this only for IPv4 addresses in the list. */
2764 if (host_aton(da->address, address) == 1) mask = address[0];
2766 /* Scan the returned addresses, skipping any that are IPv6 */
2768 while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))) != NULL)
2770 if (host_aton(ip, address) != 1) continue;
2771 if ((address[0] & mask) == address[0]) break;
2777 (a) An IP address in an any ('=') list matched, or
2778 (b) No IP address in an all ('==') list matched
2780 then we're done searching. */
2782 if (((match_type & MT_ALL) != 0) == (res == NULL)) break;
2785 /* If da == NULL, either
2787 (a) No IP address in an any ('=') list matched, or
2788 (b) An IP address in an all ('==') list didn't match
2790 so behave as if the DNSBL lookup had not succeeded, i.e. the host is not on
2793 if ((match_type == MT_NOT || match_type == MT_ALL) != (da == NULL))
2801 res = US"was no match";
2804 res = US"was an exclude match";
2807 res = US"was an IP address that did not match";
2810 res = US"were no IP addresses that did not match";
2813 debug_printf("=> but we are not accepting this block class because\n");
2814 debug_printf("=> there %s for %s%c%s\n",
2816 ((match_type & MT_ALL) == 0)? "" : "=",
2817 bitmask? '&' : '=', iplist);
2823 /* Either there was no IP list, or the record matched, implying that the
2824 domain is on the list. We now want to find a corresponding TXT record. If an
2825 alternate domain is specified for the TXT record, call this function
2826 recursively to look that up; this has the side effect of re-checking that
2827 there is indeed an A record at the alternate domain. */
2829 if (domain_txt != domain)
2830 return one_check_dnsbl(domain_txt, domain_txt, keydomain, prepend, NULL,
2831 FALSE, match_type, defer_return);
2833 /* If there is no alternate domain, look up a TXT record in the main domain
2834 if it has not previously been cached. */
2838 cb->text_set = TRUE;
2839 if (dns_basic_lookup(&dnsa, query, T_TXT) == DNS_SUCCEED)
2842 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
2844 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
2845 if (rr->type == T_TXT) break;
2848 int len = (rr->data)[0];
2849 if (len > 511) len = 127;
2850 store_pool = POOL_PERM;
2851 cb->text = string_sprintf("%.*s", len, (const uschar *)(rr->data+1));
2852 store_pool = old_pool;
2857 dnslist_value = addlist;
2858 dnslist_text = cb->text;
2862 /* There was a problem with the DNS lookup */
2864 if (cb->rc != DNS_NOMATCH && cb->rc != DNS_NODATA)
2866 log_write(L_dnslist_defer, LOG_MAIN,
2867 "DNS list lookup defer (probably timeout) for %s: %s", query,
2868 (defer_return == OK)? US"assumed in list" :
2869 (defer_return == FAIL)? US"assumed not in list" :
2870 US"returned DEFER");
2871 return defer_return;
2874 /* No entry was found in the DNS; continue for next domain */
2878 debug_printf("DNS lookup for %s failed\n", query);
2879 debug_printf("=> that means %s is not listed at %s\n",
2889 /*************************************************
2890 * Check host against DNS black lists *
2891 *************************************************/
2893 /* This function runs checks against a list of DNS black lists, until one
2894 matches. Each item on the list can be of the form
2896 domain=ip-address/key
2898 The domain is the right-most domain that is used for the query, for example,
2899 blackholes.mail-abuse.org. If the IP address is present, there is a match only
2900 if the DNS lookup returns a matching IP address. Several addresses may be
2901 given, comma-separated, for example: x.y.z=127.0.0.1,127.0.0.2.
2903 If no key is given, what is looked up in the domain is the inverted IP address
2904 of the current client host. If a key is given, it is used to construct the
2905 domain for the lookup. For example:
2907 dsn.rfc-ignorant.org/$sender_address_domain
2909 After finding a match in the DNS, the domain is placed in $dnslist_domain, and
2910 then we check for a TXT record for an error message, and if found, save its
2911 value in $dnslist_text. We also cache everything in a tree, to optimize
2914 The TXT record is normally looked up in the same domain as the A record, but
2915 when many lists are combined in a single DNS domain, this will not be a very
2916 specific message. It is possible to specify a different domain for looking up
2917 TXT records; this is given before the main domain, comma-separated. For
2920 dnslists = http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \
2921 socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3
2923 The caching ensures that only one lookup in dnsbl.sorbs.net is done.
2925 Note: an address for testing RBL is 192.203.178.39
2926 Note: an address for testing DUL is 192.203.178.4
2927 Note: a domain for testing RFCI is example.tld.dsn.rfc-ignorant.org
2930 listptr the domain/address/data list
2932 Returns: OK successful lookup (i.e. the address is on the list), or
2933 lookup deferred after +include_unknown
2934 FAIL name not found, or no data found for the given type, or
2935 lookup deferred after +exclude_unknown (default)
2936 DEFER lookup failure, if +defer_unknown was set
2940 verify_check_dnsbl(uschar **listptr)
2943 int defer_return = FAIL;
2944 uschar *list = *listptr;
2947 uschar buffer[1024];
2948 uschar revadd[128]; /* Long enough for IPv6 address */
2950 /* Indicate that the inverted IP address is not yet set up */
2954 /* In case this is the first time the DNS resolver is being used. */
2956 dns_init(FALSE, FALSE);
2958 /* Loop through all the domains supplied, until something matches */
2960 while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
2963 BOOL bitmask = FALSE;
2970 HDEBUG(D_dnsbl) debug_printf("DNS list check: %s\n", domain);
2972 /* Deal with special values that change the behaviour on defer */
2974 if (domain[0] == '+')
2976 if (strcmpic(domain, US"+include_unknown") == 0) defer_return = OK;
2977 else if (strcmpic(domain, US"+exclude_unknown") == 0) defer_return = FAIL;
2978 else if (strcmpic(domain, US"+defer_unknown") == 0) defer_return = DEFER;
2980 log_write(0, LOG_MAIN|LOG_PANIC, "unknown item in dnslist (ignored): %s",
2985 /* See if there's explicit data to be looked up */
2987 key = Ustrchr(domain, '/');
2988 if (key != NULL) *key++ = 0;
2990 /* See if there's a list of addresses supplied after the domain name. This is
2991 introduced by an = or a & character; if preceded by = we require all matches
2992 and if preceded by ! we invert the result. */
2994 iplist = Ustrchr(domain, '=');
2998 iplist = Ustrchr(domain, '&');
3001 if (iplist != NULL) /* Found either = or & */
3003 if (iplist > domain && iplist[-1] == '!') /* Handle preceding ! */
3005 match_type |= MT_NOT;
3009 *iplist++ = 0; /* Terminate domain, move on */
3011 /* If we found = (bitmask == FALSE), check for == or =& */
3013 if (!bitmask && (*iplist == '=' || *iplist == '&'))
3015 bitmask = *iplist++ == '&';
3016 match_type |= MT_ALL;
3020 /* If there is a comma in the domain, it indicates that a second domain for
3021 looking up TXT records is provided, before the main domain. Otherwise we must
3022 set domain_txt == domain. */
3024 domain_txt = domain;
3025 comma = Ustrchr(domain, ',');
3032 /* Check that what we have left is a sensible domain name. There is no reason
3033 why these domains should in fact use the same syntax as hosts and email
3034 domains, but in practice they seem to. However, there is little point in
3035 actually causing an error here, because that would no doubt hold up incoming
3036 mail. Instead, I'll just log it. */
3038 for (s = domain; *s != 0; s++)
3040 if (!isalnum(*s) && *s != '-' && *s != '.' && *s != '_')
3042 log_write(0, LOG_MAIN, "dnslists domain \"%s\" contains "
3043 "strange characters - is this right?", domain);
3048 /* Check the alternate domain if present */
3050 if (domain_txt != domain) for (s = domain_txt; *s != 0; s++)
3052 if (!isalnum(*s) && *s != '-' && *s != '.' && *s != '_')
3054 log_write(0, LOG_MAIN, "dnslists domain \"%s\" contains "
3055 "strange characters - is this right?", domain_txt);
3060 /* If there is no key string, construct the query by adding the domain name
3061 onto the inverted host address, and perform a single DNS lookup. */
3065 if (sender_host_address == NULL) return FAIL; /* can never match */
3066 if (revadd[0] == 0) invert_address(revadd, sender_host_address);
3067 rc = one_check_dnsbl(domain, domain_txt, sender_host_address, revadd,
3068 iplist, bitmask, match_type, defer_return);
3071 dnslist_domain = string_copy(domain_txt);
3072 dnslist_matched = string_copy(sender_host_address);
3073 HDEBUG(D_dnsbl) debug_printf("=> that means %s is listed at %s\n",
3074 sender_host_address, dnslist_domain);
3076 if (rc != FAIL) return rc; /* OK or DEFER */
3079 /* If there is a key string, it can be a list of domains or IP addresses to
3080 be concatenated with the main domain. */
3087 uschar keybuffer[256];
3088 uschar keyrevadd[128];
3090 while ((keydomain = string_nextinlist(&key, &keysep, keybuffer,
3091 sizeof(keybuffer))) != NULL)
3093 uschar *prepend = keydomain;
3095 if (string_is_ip_address(keydomain, NULL) != 0)
3097 invert_address(keyrevadd, keydomain);
3098 prepend = keyrevadd;
3101 rc = one_check_dnsbl(domain, domain_txt, keydomain, prepend, iplist,
3102 bitmask, match_type, defer_return);
3106 dnslist_domain = string_copy(domain_txt);
3107 dnslist_matched = string_copy(keydomain);
3108 HDEBUG(D_dnsbl) debug_printf("=> that means %s is listed at %s\n",
3109 keydomain, dnslist_domain);
3113 /* If the lookup deferred, remember this fact. We keep trying the rest
3114 of the list to see if we get a useful result, and if we don't, we return
3115 DEFER at the end. */
3117 if (rc == DEFER) defer = TRUE;
3118 } /* continue with next keystring domain/address */
3120 if (defer) return DEFER;
3122 } /* continue with next dnsdb outer domain */
3127 /* End of verify.c */