/* Do lookups directly in the DNS or via gethostbyaddr() (or equivalent), in
the order specified by the host_lookup_order option. */
-while ((ordername = string_nextinlist(&list, &sep, buffer, sizeof(buffer)))
- != NULL)
+while ((ordername = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
{
if (strcmpic(ordername, US"bydns") == 0)
{
int count = 0;
int old_pool = store_pool;
- /* Ideally we'd check DNSSEC both forward and reverse, but we use the
- gethost* routines for forward, so can't do that unless/until we rewrite. */
sender_host_dnssec = dns_is_secure(&dnsa);
DEBUG(D_dns)
debug_printf("Reverse DNS security status: %s\n",
"empty name: treated as non-existent host name\n");
continue;
}
- if (sender_host_name == NULL) sender_host_name = s;
- else *aptr++ = s;
+ if (!sender_host_name) sender_host_name = s;
+ else *aptr++ = s;
while (*s != 0) { *s = tolower(*s); s++; }
}
int rc;
BOOL ok = FALSE;
host_item h;
+ dnssec_domains d;
+
h.next = NULL;
h.name = hname;
h.mx = MX_NONE;
h.address = NULL;
+ d.request = sender_host_dnssec ? US"*" : NULL;;
+ d.require = NULL;
- /* When called with the last argument FALSE, host_find_byname() won't return
- HOST_FOUND_LOCAL. If the incoming address is an IPv4 address expressed in
- IPv6 format, we must compare the IPv4 part to any IPv4 addresses. */
-
- if ((rc = host_find_byname(&h, NULL, 0, NULL, FALSE)) == HOST_FOUND)
+ if ( (rc = host_find_bydns(&h, NULL, HOST_FIND_BY_A,
+ NULL, NULL, NULL, &d, NULL, NULL)) == HOST_FOUND
+ || rc == HOST_FOUND_LOCAL
+ )
{
host_item *hh;
HDEBUG(D_host_lookup) debug_printf("checking addresses for %s\n", hname);
+
+ /* If the forward lookup was not secure we cancel the is-secure variable */
+
+ DEBUG(D_dns) debug_printf("Forward DNS security status: %s\n",
+ h.dnssec == DS_YES ? "DNSSEC verified (AD)" : "unverified");
+ if (h.dnssec != DS_YES) sender_host_dnssec = FALSE;
+
for (hh = &h; hh != NULL; hh = hh->next)
- {
if (host_is_in_net(hh->address, sender_host_address, 0))
{
HDEBUG(D_host_lookup) debug_printf(" %s OK\n", hh->address);
break;
}
else
- {
HDEBUG(D_host_lookup) debug_printf(" %s\n", hh->address);
- }
- }
+
if (!ok) HDEBUG(D_host_lookup)
debug_printf("no IP address for %s matched %s\n", hname,
sender_host_address);
return DEFER;
}
else
- {
HDEBUG(D_host_lookup) debug_printf("no IP addresses found for %s\n", hname);
- }
/* If this name is no good, and it's the sender name, set it null pro tem;
if it's an alias, just remove it from the list. */
dns_init((flags & HOST_FIND_QUALIFY_SINGLE) != 0,
(flags & HOST_FIND_SEARCH_PARENTS) != 0,
- FALSE); /*XXX dnssec? */
+ FALSE); /* Cannot retrieve dnssec status so do not request */
/* In an IPv6 world, unless IPv6 has been disabled, we need to scan for both
kinds of address, so go round the loop twice. Note that we have ensured that
srv_service when SRV used, the service name
srv_fail_domains DNS errors for these domains => assume nonexist
mx_fail_domains DNS errors for these domains => assume nonexist
- dnssec_request_domains => make dnssec request
- dnssec_require_domains => ditto and nonexist failures
+ dnssec_d.request => make dnssec request: domainlist
+ dnssec_d.require => ditto and nonexist failures
fully_qualified_name if not NULL, return fully-qualified name
removed set TRUE if local host was removed from the list
int
host_find_bydns(host_item *host, const uschar *ignore_target_hosts, int whichrrs,
uschar *srv_service, uschar *srv_fail_domains, uschar *mx_fail_domains,
- uschar *dnssec_request_domains, uschar *dnssec_require_domains,
+ const dnssec_domains *dnssec_d,
const uschar **fully_qualified_name, BOOL *removed)
{
host_item *h, *last;
int yield;
dns_answer dnsa;
dns_scan dnss;
-BOOL dnssec_require = match_isinlist(host->name, CUSS &dnssec_require_domains,
+BOOL dnssec_require = dnssec_d
+ && match_isinlist(host->name, CUSS &dnssec_d->require,
0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK;
BOOL dnssec_request = dnssec_require
- || match_isinlist(host->name, CUSS &dnssec_request_domains,
- 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK;
+ || ( dnssec_d
+ && match_isinlist(host->name, CUSS &dnssec_d->request,
+ 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK);
dnssec_status_t dnssec;
/* Set the default fully qualified name to the incoming name, initialize the
if (fully_qualified_name != NULL) *fully_qualified_name = host->name;
dns_init((whichrrs & HOST_FIND_QUALIFY_SINGLE) != 0,
(whichrrs & HOST_FIND_SEARCH_PARENTS) != 0,
- dnssec_request
- );
+ dnssec_request);
host_find_failed_syntax = FALSE;
/* First, if requested, look for SRV records. The service name is given; we
else
{
int flags = whichrrs;
+ dnssec d;
h.name = buffer;
h.next = NULL;
if (qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
if (search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
+ d.request = request_dnssec ? &h.name : NULL;
+ d.require = require_dnssec ? &h.name : NULL;
+
rc = byname
? host_find_byname(&h, NULL, flags, &fully_qualified_name, TRUE)
: host_find_bydns(&h, NULL, flags, US"smtp", NULL, NULL,
- request_dnssec ? &h.name : NULL,
- require_dnssec ? &h.name : NULL,
- &fully_qualified_name, NULL);
+ &d, &fully_qualified_name, NULL);
if (rc == HOST_FIND_FAILED) printf("Failed\n");
else if (rc == HOST_FIND_AGAIN) printf("Again\n");
git://git.exim.org / exim.git / blobdiff