X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/328c5688dbe0f4c14418f22350ccd99b3fe8ac71..66387a737208e277990b0cbfe58db3db419f34b2:/src/src/verify.c diff --git a/src/src/verify.c b/src/src/verify.c index 6a50af506..a4a4c4943 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -68,9 +68,7 @@ int length, expire; time_t now; dbdata_callout_cache *cache_record; -cache_record = dbfn_read_with_length(dbm_file, key, &length); - -if (cache_record == NULL) +if (!(cache_record = dbfn_read_with_length(dbm_file, key, &length))) { HDEBUG(D_verify) debug_printf("callout cache: no %s record found for %s\n", type, key); return NULL; @@ -390,18 +388,21 @@ if (addr->transport == cutthrough.addr.transport) host_af = Ustrchr(host->address, ':') ? AF_INET6 : AF_INET; - if (!smtp_get_interface(tf->interface, host_af, addr, &interface, - US"callout") || - !smtp_get_port(tf->port, addr, &port, US"callout")) + if ( !smtp_get_interface(tf->interface, host_af, addr, &interface, + US"callout") + || !smtp_get_port(tf->port, addr, &port, US"callout") + ) log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address, addr->message); + smtp_port_for_connect(host, port); + if ( ( interface == cutthrough.interface || ( interface && cutthrough.interface && Ustrcmp(interface, cutthrough.interface) == 0 ) ) - && port == cutthrough.host.port + && host->port == cutthrough.host.port ) { uschar * resp = NULL; @@ -785,19 +786,26 @@ tls_retry_connection: postmaster-verify. The sync_responses() would need to be taught about it and we'd need another return code filtering out to here. + + Avoid using a SIZE option on the MAIL for all randon-rcpt checks. */ + sx.avoid_option = OPTION_SIZE; + /* Remember when we last did a random test */ new_domain_record.random_stamp = time(NULL); if (smtp_write_mail_and_rcpt_cmds(&sx, &yield) == 0) switch(addr->transport_return) { - case PENDING_OK: + case PENDING_OK: /* random was accepted, unfortunately */ new_domain_record.random_result = ccache_accept; - break; - case FAIL: + yield = OK; /* Only usable verify result we can return */ + done = TRUE; + goto no_conn; + case FAIL: /* rejected: the preferred result */ new_domain_record.random_result = ccache_reject; + sx.avoid_option = 0; /* Between each check, issue RSET, because some servers accept only one recipient after MAIL FROM:<>. @@ -829,6 +837,8 @@ tls_retry_connection: sx.send_rset = TRUE; sx.completed_addr = FALSE; goto tls_retry_connection; + case DEFER: /* 4xx response to random */ + break; /* Just to be clear. ccache_unknown, !done. */ } /* Re-setup for main verify, or for the error message when failing */ @@ -842,12 +852,14 @@ tls_retry_connection: else done = TRUE; - /* Main verify. If the host is accepting all local parts, as determined - by the "random" check, we don't need to waste time doing any further - checking. */ + /* Main verify. For rcpt-verify use SIZE if we know it and we're not cacheing; + for sndr-verify never use it. */ if (done) { + if (!(options & vopt_is_recipient && options & vopt_callout_no_cache)) + sx.avoid_option = OPTION_SIZE; + done = FALSE; switch(smtp_write_mail_and_rcpt_cmds(&sx, &yield)) { @@ -856,12 +868,12 @@ tls_retry_connection: case PENDING_OK: done = TRUE; new_address_record.result = ccache_accept; break; - case FAIL: done = TRUE; + case FAIL: done = TRUE; yield = FAIL; *failure_ptr = US"recipient"; new_address_record.result = ccache_reject; break; - default: break; + default: break; } break; @@ -914,6 +926,7 @@ tls_retry_connection: sx.ok = FALSE; sx.send_rset = TRUE; sx.completed_addr = FALSE; + sx.avoid_option = OPTION_SIZE; if( smtp_write_mail_and_rcpt_cmds(&sx, &yield) == 0 && addr->transport_return == PENDING_OK @@ -983,7 +996,7 @@ no_conn: if (*sx.buffer == 0) Ustrcpy(sx.buffer, US"connection dropped"); /*XXX test here is ugly; seem to have a split of responsibility for - building this message. Need to reationalise. Where is it done + building this message. Need to rationalise. Where is it done before here, and when not? Not == 5xx resp to MAIL on main-verify */ @@ -1177,7 +1190,7 @@ if(cutthrough.fd < 0) if( #ifdef SUPPORT_TLS - (tls_out.active == cutthrough.fd) ? tls_write(FALSE, ctblock.buffer, n) : + tls_out.active == cutthrough.fd ? tls_write(FALSE, ctblock.buffer, n, FALSE) : #endif send(cutthrough.fd, ctblock.buffer, n, 0) > 0 ) @@ -1370,6 +1383,7 @@ if(fd >= 0) _cutthrough_puts(US"QUIT\r\n", 6); /* avoid recursion */ _cutthrough_flush_send(); cutthrough.fd = -1; /* avoid recursion via read timeout */ + cutthrough.nrcpt = 0; /* permit re-cutthrough on subsequent message */ /* Wait a short time for response, and discard it */ cutthrough_response(fd, '2', NULL, 1); @@ -1517,7 +1531,7 @@ va_list ap; va_start(ap, format); if (smtp_out && (f == smtp_out)) - smtp_vprintf(format, ap); + smtp_vprintf(format, FALSE, ap); else vfprintf(f, format, ap); va_end(ap); @@ -1779,16 +1793,16 @@ while (addr_new) transport. */ transport_feedback tf = { - NULL, /* interface (=> any) */ - US"smtp", /* port */ - US"smtp", /* protocol */ - NULL, /* hosts */ - US"$smtp_active_hostname", /* helo_data */ - FALSE, /* hosts_override */ - FALSE, /* hosts_randomize */ - FALSE, /* gethostbyname */ - TRUE, /* qualify_single */ - FALSE /* search_parents */ + .interface = NULL, /* interface (=> any) */ + .port = US"smtp", + .protocol = US"smtp", + .hosts = NULL, + .helo_data = US"$smtp_active_hostname", + .hosts_override = FALSE, + .hosts_randomize = FALSE, + .gethostbyname = FALSE, + .qualify_single = TRUE, + .search_parents = FALSE }; /* If verification yielded a remote transport, we want to use that @@ -1835,7 +1849,7 @@ while (addr_new) additional host items being inserted into the chain. Hence we must save the next host first. */ - flags = HOST_FIND_BY_A; + flags = HOST_FIND_BY_A | HOST_FIND_BY_AAAA; if (tf.qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE; if (tf.search_parents) flags |= HOST_FIND_SEARCH_PARENTS; @@ -2155,7 +2169,7 @@ return yield; *************************************************/ /* This function checks those header lines that contain addresses, and verifies -that all the addresses therein are syntactially correct. +that all the addresses therein are 5322-syntactially correct. Arguments: msgptr where to put an error message @@ -2171,7 +2185,7 @@ header_line *h; uschar *colon, *s; int yield = OK; -for (h = header_list; h != NULL && yield == OK; h = h->next) +for (h = header_list; h && yield == OK; h = h->next) { if (h->type != htype_from && h->type != htype_reply_to && @@ -2190,7 +2204,7 @@ for (h = header_list; h != NULL && yield == OK; h = h->next) parse_allow_group = TRUE; - while (*s != 0) + while (*s) { uschar *ss = parse_find_address_end(s, FALSE); uschar *recipient, *errmess; @@ -2207,7 +2221,7 @@ for (h = header_list; h != NULL && yield == OK; h = h->next) /* Permit an unqualified address only if the message is local, or if the sending host is configured to be permitted to send them. */ - if (recipient != NULL && domain == 0) + if (recipient && !domain) { if (h->type == htype_from || h->type == htype_sender) { @@ -2223,7 +2237,7 @@ for (h = header_list; h != NULL && yield == OK; h = h->next) /* It's an error if no address could be extracted, except for the special case of an empty address. */ - if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0) + if (!recipient && Ustrcmp(errmess, "empty address") != 0) { uschar *verb = US"is"; uschar *t = ss; @@ -2253,7 +2267,7 @@ for (h = header_list; h != NULL && yield == OK; h = h->next) /* deconst cast ok as we're passing a non-const to string_printing() */ *msgptr = US string_printing( string_sprintf("%s: failing address in \"%.*s:\" header %s: %.*s", - errmess, tt - h->text, h->text, verb, len, s)); + errmess, (int)(tt - h->text), h->text, verb, len, s)); yield = FAIL; break; /* Out of address loop */ @@ -2261,7 +2275,7 @@ for (h = header_list; h != NULL && yield == OK; h = h->next) /* Advance to the next address */ - s = ss + (terminator? 1:0); + s = ss + (terminator ? 1 : 0); while (isspace(*s)) s++; } /* Next address */ @@ -2554,7 +2568,7 @@ for (i = 0; i < 3 && !done; i++) while (ss > s && isspace(ss[-1])) ss--; *log_msgptr = string_sprintf("syntax error in '%.*s' header when " "scanning for sender: %s in \"%.*s\"", - endname - h->text, h->text, *log_msgptr, ss - s, s); + (int)(endname - h->text), h->text, *log_msgptr, (int)(ss - s), s); yield = FAIL; done = TRUE; break; @@ -2582,11 +2596,9 @@ for (i = 0; i < 3 && !done; i++) { *verrno = vaddr->basic_errno; if (smtp_return_error_details) - { *user_msgptr = string_sprintf("Rejected after DATA: " "could not verify \"%.*s\" header address\n%s: %s", - endname - h->text, h->text, vaddr->address, vaddr->message); - } + (int)(endname - h->text), h->text, vaddr->address, vaddr->message); } /* Success or defer */ @@ -2647,6 +2659,7 @@ verify_get_ident(int port) int sock, host_af, qlen; int received_sender_port, received_interface_port, n; uschar *p; +blob early_data; uschar buffer[2048]; /* Default is no ident. Check whether we want to do an ident check for this @@ -2672,8 +2685,15 @@ if (ip_bind(sock, host_af, interface_address, 0) < 0) goto END_OFF; } +/* Construct and send the query. */ + +qlen = snprintf(CS buffer, sizeof(buffer), "%d , %d\r\n", + sender_host_port, interface_port); +early_data.data = buffer; +early_data.len = qlen; + if (ip_connect(sock, host_af, sender_host_address, port, - rfc1413_query_timeout, TRUE) < 0) + rfc1413_query_timeout, &early_data) < 0) { if (errno == ETIMEDOUT && LOGGING(ident_timeout)) log_write(0, LOG_MAIN, "ident connection to %s timed out", @@ -2684,16 +2704,6 @@ if (ip_connect(sock, host_af, sender_host_address, port, goto END_OFF; } -/* Construct and send the query. */ - -sprintf(CS buffer, "%d , %d\r\n", sender_host_port, interface_port); -qlen = Ustrlen(buffer); -if (send(sock, buffer, qlen, 0) < 0) - { - DEBUG(D_ident) debug_printf("ident send failed: %s\n", strerror(errno)); - goto END_OFF; - } - /* Read a response line. We put it into the rest of the buffer, using several recv() calls if necessary. */ @@ -3144,18 +3154,16 @@ verify_check_this_host(const uschar **listptr, unsigned int *cache_bits, int rc; unsigned int *local_cache_bits = cache_bits; const uschar *save_host_address = deliver_host_address; -check_host_block cb; -cb.host_name = host_name; -cb.host_address = host_address; +check_host_block cb = { .host_name = host_name, .host_address = host_address }; -if (valueptr != NULL) *valueptr = NULL; +if (valueptr) *valueptr = NULL; /* If the host address starts off ::ffff: it is an IPv6 address in IPv4-compatible mode. Find the IPv4 part for checking against IPv4 addresses. */ -cb.host_ipv4 = (Ustrncmp(host_address, "::ffff:", 7) == 0)? - host_address + 7 : host_address; +cb.host_ipv4 = Ustrncmp(host_address, "::ffff:", 7) == 0 + ? host_address + 7 : host_address; /* During the running of the check, put the IP address into $host_address. In the case of calls from the smtp transport, it will already be there. However,