X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/7b564712ff3a235ce9ef42ffa4036023057f295e..a050bbe0d120464d80dab3eb8af420c4ec686ca8:/src/src/verify.c diff --git a/src/src/verify.c b/src/src/verify.c index 60579668b..fba1f6e9e 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -3,6 +3,7 @@ *************************************************/ /* Copyright (c) University of Cambridge 1995 - 2018 */ +/* Copyright (c) The Exim Maintainers 2020 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions concerned with verifying things. The original code for callout @@ -574,6 +575,7 @@ else { smtp_transport_options_block *ob = (smtp_transport_options_block *)addr->transport->options_block; + smtp_context * sx = NULL; /* The information wasn't available in the cache, so we have to do a real callout and save the result in the cache for next time, unless no_cache is set, @@ -586,6 +588,10 @@ else log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand " "callout_random_local_part: %s", expand_string_message); + /* Compile regex' used by client-side smtp */ + + smtp_deliver_init(); + /* Default the connect and overall callout timeouts if not set, and record the time we are starting so that we can enforce it. */ @@ -625,8 +631,7 @@ coding means skipping this whole loop and doing the append separately. */ { int host_af; int port = 25; - uschar *interface = NULL; /* Outgoing interface to use; NULL => any */ - smtp_context sx; + uschar * interface = NULL; /* Outgoing interface to use; NULL => any */ if (!host->address) { @@ -666,14 +671,17 @@ coding means skipping this whole loop and doing the append separately. */ log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address, addr->message); - sx.addrlist = addr; - sx.conn_args.host = host; - sx.conn_args.host_af = host_af, - sx.port = port; - sx.conn_args.interface = interface; - sx.helo_data = tf->helo_data; - sx.conn_args.tblock = addr->transport; - sx.verify = TRUE; + if (!sx) sx = store_get(sizeof(*sx), TRUE); /* tainted buffers */ + memset(sx, 0, sizeof(*sx)); + + sx->addrlist = addr; + sx->conn_args.host = host; + sx->conn_args.host_af = host_af, + sx->port = port; + sx->conn_args.interface = interface; + sx->helo_data = tf->helo_data; + sx->conn_args.tblock = addr->transport; + sx->verify = TRUE; tls_retry_connection: /* Set the address state so that errors are recorded in it */ @@ -686,7 +694,7 @@ tls_retry_connection: SMTP command to send. If we tried TLS but it failed, try again without if permitted */ - yield = smtp_setup_conn(&sx, FALSE); + yield = smtp_setup_conn(sx, FALSE); #ifndef DISABLE_TLS if ( yield == DEFER && addr->basic_errno == ERRNO_TLSFAILURE @@ -698,7 +706,7 @@ tls_retry_connection: "%s: callout unencrypted to %s [%s] (not in hosts_require_tls)", addr->message, host->name, host->address); addr->transport_return = PENDING_DEFER; - yield = smtp_setup_conn(&sx, TRUE); + yield = smtp_setup_conn(sx, TRUE); } #endif if (yield != OK) @@ -728,11 +736,11 @@ tls_retry_connection: addr->authenticator = client_authenticator; addr->auth_id = client_authenticated_id; - sx.from_addr = from_address; - sx.first_addr = sx.sync_addr = addr; - sx.ok = FALSE; /*XXX these 3 last might not be needed for verify? */ - sx.send_rset = TRUE; - sx.completed_addr = FALSE; + sx->from_addr = from_address; + sx->first_addr = sx->sync_addr = addr; + sx->ok = FALSE; /*XXX these 3 last might not be needed for verify? */ + sx->send_rset = TRUE; + sx->completed_addr = FALSE; new_domain_record.result = old_domain_cache_result == ccache_reject_mfnull ? ccache_reject_mfnull : ccache_accept; @@ -789,12 +797,12 @@ tls_retry_connection: Avoid using a SIZE option on the MAIL for all random-rcpt checks. */ - sx.avoid_option = OPTION_SIZE; + sx->avoid_option = OPTION_SIZE; /* Remember when we last did a random test */ new_domain_record.random_stamp = time(NULL); - if (smtp_write_mail_and_rcpt_cmds(&sx, &yield) == 0) + if (smtp_write_mail_and_rcpt_cmds(sx, &yield) == 0) switch(addr->transport_return) { case PENDING_OK: /* random was accepted, unfortunately */ @@ -805,36 +813,36 @@ tls_retry_connection: goto no_conn; case FAIL: /* rejected: the preferred result */ new_domain_record.random_result = ccache_reject; - sx.avoid_option = 0; + sx->avoid_option = 0; /* Between each check, issue RSET, because some servers accept only one recipient after MAIL FROM:<>. XXX We don't care about that for postmaster_full. Should we? */ if ((done = - smtp_write_command(&sx, SCMD_FLUSH, "RSET\r\n") >= 0 && - smtp_read_response(&sx, sx.buffer, sizeof(sx.buffer), '2', callout))) + smtp_write_command(sx, SCMD_FLUSH, "RSET\r\n") >= 0 && + smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', callout))) break; HDEBUG(D_acl|D_v) debug_printf_indent("problem after random/rset/mfrom; reopen conn\n"); random_local_part = NULL; #ifndef DISABLE_TLS - tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT); + tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT); #endif HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP(close)>>\n"); - (void)close(sx.cctx.sock); - sx.cctx.sock = -1; + (void)close(sx->cctx.sock); + sx->cctx.sock = -1; #ifndef DISABLE_EVENT (void) event_raise(addr->transport->event_action, US"tcp:close", NULL); #endif addr->address = main_address; addr->transport_return = PENDING_DEFER; - sx.first_addr = sx.sync_addr = addr; - sx.ok = FALSE; - sx.send_rset = TRUE; - sx.completed_addr = FALSE; + sx->first_addr = sx->sync_addr = addr; + sx->ok = FALSE; + sx->send_rset = TRUE; + sx->completed_addr = FALSE; goto tls_retry_connection; case DEFER: /* 4xx response to random */ break; /* Just to be clear. ccache_unknown, !done. */ @@ -843,10 +851,10 @@ tls_retry_connection: /* Re-setup for main verify, or for the error message when failing */ addr->address = main_address; addr->transport_return = PENDING_DEFER; - sx.first_addr = sx.sync_addr = addr; - sx.ok = FALSE; - sx.send_rset = TRUE; - sx.completed_addr = FALSE; + sx->first_addr = sx->sync_addr = addr; + sx->ok = FALSE; + sx->send_rset = TRUE; + sx->completed_addr = FALSE; } else done = TRUE; @@ -857,10 +865,10 @@ tls_retry_connection: if (done) { if (!(options & vopt_is_recipient && options & vopt_callout_no_cache)) - sx.avoid_option = OPTION_SIZE; + sx->avoid_option = OPTION_SIZE; done = FALSE; - switch(smtp_write_mail_and_rcpt_cmds(&sx, &yield)) + switch(smtp_write_mail_and_rcpt_cmds(sx, &yield)) { case 0: switch(addr->transport_return) /* ok so far */ { @@ -878,7 +886,7 @@ tls_retry_connection: case -1: /* MAIL response error */ *failure_ptr = US"mail"; - if (errno == 0 && sx.buffer[0] == '5') + if (errno == 0 && sx->buffer[0] == '5') { setflag(addr, af_verify_nsfail); if (from_address[0] == 0) @@ -908,8 +916,8 @@ tls_retry_connection: cancel_cutthrough_connection(TRUE, US"postmaster verify"); HDEBUG(D_acl|D_v) debug_printf_indent("Cutthrough cancelled by presence of postmaster verify\n"); - done = smtp_write_command(&sx, SCMD_FLUSH, "RSET\r\n") >= 0 - && smtp_read_response(&sx, sx.buffer, sizeof(sx.buffer), '2', callout); + done = smtp_write_command(sx, SCMD_FLUSH, "RSET\r\n") >= 0 + && smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', callout); if (done) { @@ -919,23 +927,23 @@ tls_retry_connection: addr->address = string_sprintf("postmaster@%.1000s", addr->domain); addr->transport_return = PENDING_DEFER; - sx.from_addr = pm_mailfrom; - sx.first_addr = sx.sync_addr = addr; - sx.ok = FALSE; - sx.send_rset = TRUE; - sx.completed_addr = FALSE; - sx.avoid_option = OPTION_SIZE; + sx->from_addr = pm_mailfrom; + sx->first_addr = sx->sync_addr = addr; + sx->ok = FALSE; + sx->send_rset = TRUE; + sx->completed_addr = FALSE; + sx->avoid_option = OPTION_SIZE; - if( smtp_write_mail_and_rcpt_cmds(&sx, &yield) == 0 + if( smtp_write_mail_and_rcpt_cmds(sx, &yield) == 0 && addr->transport_return == PENDING_OK ) done = TRUE; else done = (options & vopt_callout_fullpm) != 0 - && smtp_write_command(&sx, SCMD_FLUSH, + && smtp_write_command(sx, SCMD_FLUSH, "RCPT TO:\r\n") >= 0 - && smtp_read_response(&sx, sx.buffer, - sizeof(sx.buffer), '2', callout); + && smtp_read_response(sx, sx->buffer, + sizeof(sx->buffer), '2', callout); /* Sort out the cache record */ @@ -943,7 +951,7 @@ tls_retry_connection: if (done) new_domain_record.postmaster_result = ccache_accept; - else if (errno == 0 && sx.buffer[0] == '5') + else if (errno == 0 && sx->buffer[0] == '5') { *failure_ptr = US"postmaster"; setflag(addr, af_verify_pmfail); @@ -968,7 +976,7 @@ no_conn: { case ETIMEDOUT: HDEBUG(D_verify) debug_printf("SMTP timeout\n"); - sx.send_quit = FALSE; + sx->send_quit = FALSE; break; #ifdef SUPPORT_I18N @@ -986,11 +994,11 @@ no_conn: break; #endif case ECONNREFUSED: - sx.send_quit = FALSE; + sx->send_quit = FALSE; break; case 0: - if (*sx.buffer == 0) Ustrcpy(sx.buffer, US"connection dropped"); + if (*sx->buffer == 0) Ustrcpy(sx->buffer, US"connection dropped"); /*XXX test here is ugly; seem to have a split of responsibility for building this message. Need to rationalise. Where is it done @@ -999,7 +1007,7 @@ no_conn: */ if (!addr->message) addr->message = string_sprintf("response to \"%s\" was: %s", - big_buffer, string_printing(sx.buffer)); + big_buffer, string_printing(sx->buffer)); /* RFC 5321 section 4.2: the text portion of the response may have only HT, SP, Printable US-ASCII. Deal with awkward chars by cutting the @@ -1007,14 +1015,14 @@ no_conn: just become a multiline response (but wrapped in the error code we produce). */ - for (uschar * s = sx.buffer; - *s && s < sx.buffer + sizeof(sx.buffer); + for (uschar * s = sx->buffer; + *s && s < sx->buffer + sizeof(sx->buffer); s++) { uschar c = *s; if (c != '\t' && c != '\n' && (c < ' ' || c > '~')) { - if (s - sx.buffer < sizeof(sx.buffer) - 12) + if (s - sx->buffer < sizeof(sx->buffer) - 12) memcpy(s, "(truncated)", 12); else *s = '\0'; @@ -1022,13 +1030,13 @@ no_conn: } } addr->user_message = options & vopt_is_recipient - ? string_sprintf("Callout verification failed:\n%s", sx.buffer) + ? string_sprintf("Callout verification failed:\n%s", sx->buffer) : string_sprintf("Called: %s\nSent: %s\nResponse: %s", - host->address, big_buffer, sx.buffer); + host->address, big_buffer, sx->buffer); /* Hard rejection ends the process */ - if (sx.buffer[0] == '5') /* Address rejected */ + if (sx->buffer[0] == '5') /* Address rejected */ { yield = FAIL; done = TRUE; @@ -1075,7 +1083,7 @@ no_conn: && !random_local_part && !pm_mailfrom && cutthrough.cctx.sock < 0 - && !sx.lmtp + && !sx->lmtp ) { HDEBUG(D_acl|D_v) debug_printf_indent("holding verify callout open for %s\n", @@ -1085,7 +1093,7 @@ no_conn: cutthrough.callout_hold_only = !cutthrough.delivery; cutthrough.is_tls = tls_out.active.sock >= 0; /* We assume no buffer in use in the outblock */ - cutthrough.cctx = sx.cctx; + cutthrough.cctx = sx->cctx; cutthrough.nrcpt = 1; cutthrough.transport = addr->transport->name; cutthrough.interface = interface; @@ -1121,23 +1129,23 @@ no_conn: /* Ensure no cutthrough on multiple verifies that were incompatible */ if (options & vopt_callout_recipsender) cancel_cutthrough_connection(TRUE, US"not usable for cutthrough"); - if (sx.send_quit) - if (smtp_write_command(&sx, SCMD_FLUSH, "QUIT\r\n") != -1) + if (sx->send_quit) + if (smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n") != -1) /* Wait a short time for response, and discard it */ - smtp_read_response(&sx, sx.buffer, sizeof(sx.buffer), '2', 1); + smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', 1); - if (sx.cctx.sock >= 0) + if (sx->cctx.sock >= 0) { #ifndef DISABLE_TLS - if (sx.cctx.tls_ctx) + if (sx->cctx.tls_ctx) { - tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT); - sx.cctx.tls_ctx = NULL; + tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT); + sx->cctx.tls_ctx = NULL; } #endif HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP(close)>>\n"); - (void)close(sx.cctx.sock); - sx.cctx.sock = -1; + (void)close(sx->cctx.sock); + sx->cctx.sock = -1; #ifndef DISABLE_EVENT (void) event_raise(addr->transport->event_action, US"tcp:close", NULL); #endif @@ -2253,7 +2261,7 @@ for (header_line * h = header_list; h && yield == OK; h = h->next) colon = Ustrchr(h->text, ':'); s = colon + 1; - while (isspace(*s)) s++; + Uskip_whitespace(&s); /* Loop for multiple addresses in the header, enabling group syntax. Note that we have to reset this after the header has been scanned. */ @@ -2287,7 +2295,7 @@ for (header_line * h = header_list; h && yield == OK; h = h->next) { if (!f.allow_unqualified_recipient) recipient = NULL; } - if (recipient == NULL) errmess = US"unqualified address not permitted"; + if (!recipient) errmess = US"unqualified address not permitted"; } /* It's an error if no address could be extracted, except for the special @@ -2332,7 +2340,7 @@ for (header_line * h = header_list; h && yield == OK; h = h->next) /* Advance to the next address */ s = ss + (terminator ? 1 : 0); - while (isspace(*s)) s++; + Uskip_whitespace(&s); } /* Next address */ f.parse_allow_group = FALSE; @@ -2410,7 +2418,7 @@ for (int i = 0; i < recipients_count; i++) colon = Ustrchr(h->text, ':'); s = colon + 1; - while (isspace(*s)) s++; + Uskip_whitespace(&s); /* Loop for multiple addresses in the header, enabling group syntax. Note that we have to reset this after the header has been scanned. */ @@ -2448,7 +2456,7 @@ for (int i = 0; i < recipients_count; i++) /* Advance to the next address */ s = ss + (terminator ? 1:0); - while (isspace(*s)) s++; + Uskip_whitespace(&s); } /* Next address */ f.parse_allow_group = FALSE; @@ -2601,7 +2609,7 @@ for (int i = 0; i < 3 && !done; i++) /* If we found an empty address, just carry on with the next one, but kill the message. */ - if (address == NULL && Ustrcmp(*log_msgptr, "empty address") == 0) + if (!address && Ustrcmp(*log_msgptr, "empty address") == 0) { *log_msgptr = NULL; s = ss; @@ -2612,7 +2620,7 @@ for (int i = 0; i < 3 && !done; i++) function, and ensure that the failing address gets added to the error message. */ - if (address == NULL) + if (!address) { new_ok = FAIL; while (ss > s && isspace(ss[-1])) ss--; @@ -2883,7 +2891,7 @@ BOOL iplookup = FALSE; BOOL isquery = FALSE; BOOL isiponly = cb->host_name != NULL && cb->host_name[0] == 0; const uschar *t; -uschar *semicolon; +uschar * semicolon, * endname, * opts; uschar **aliases; /* Optimize for the special case when the pattern is "*". */ @@ -2902,7 +2910,6 @@ provided that host name matching is permitted; if it's "@[]" match against the local host's IP addresses. */ if (*ss == '@') - { if (ss[1] == 0) { if (isiponly) return ERROR; @@ -2914,7 +2921,6 @@ if (*ss == '@') if (Ustrcmp(ip->address, cb->host_address) == 0) return OK; return FAIL; } - } /* If the pattern is an IP address, optionally followed by a bitmask count, do a (possibly masked) comparison with the current IP address. */ @@ -2940,17 +2946,26 @@ if (*t == 0 || (*t == '/' && t != ss)) return ERROR; } -/* See if there is a semicolon in the pattern */ +/* See if there is a semicolon in the pattern, separating a searchtype +prefix. If there is one then check for comma-sep options. */ -semicolon = Ustrchr(ss, ';'); +if ((semicolon = Ustrchr(ss, ';'))) + if ((opts = Ustrchr(ss, ',')) && opts < semicolon) + { + endname = opts++; + opts = string_copyn(opts, semicolon - opts); + } + else + { + endname = semicolon; + opts = NULL; + } /* If we are doing an IP address only match, then all lookups must be IP address lookups, even if there is no "net-". */ if (isiponly) - { iplookup = semicolon != NULL; - } /* Otherwise, if the item is of the form net[n]-lookup; then it is a lookup on a masked IP network, in textual form. We obey this code even if we @@ -2960,12 +2975,12 @@ key is implicit. For query-style lookups the key is specified in the query. From release 4.30, the use of net- for query style is no longer needed, but we retain it for backward compatibility. */ -if (Ustrncmp(ss, "net", 3) == 0 && semicolon != NULL) +if (Ustrncmp(ss, "net", 3) == 0 && semicolon) { mlen = 0; for (t = ss + 3; isdigit(*t); t++) mlen = mlen * 10 + *t - '0'; if (mlen == 0 && t == ss+3) mlen = -1; /* No mask supplied */ - iplookup = (*t++ == '-'); + iplookup = *t++ == '-'; } else t = ss; @@ -2983,7 +2998,7 @@ if (iplookup) /* Find the search type */ - search_type = search_findtype(t, semicolon - t); + search_type = search_findtype(t, endname - t); if (search_type < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", search_error_message); @@ -3026,7 +3041,7 @@ if (iplookup) if (!(handle = search_open(filename, search_type, 0, NULL, NULL))) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", search_error_message); - result = search_find(handle, filename, key, -1, NULL, 0, 0, NULL); + result = search_find(handle, filename, key, -1, NULL, 0, 0, NULL, opts); if (valueptr) *valueptr = result; return result ? OK : f.search_find_defer ? DEFER: FAIL; } @@ -3084,7 +3099,7 @@ using the general string matching function. When this function is called for outgoing hosts, the name is always given explicitly. If it is NULL, it means we must use sender_host_name and its aliases, looking them up if necessary. */ -if (cb->host_name != NULL) /* Explicit host name given */ +if (cb->host_name) /* Explicit host name given */ return match_check_string(cb->host_name, ss, -1, TRUE, TRUE, TRUE, valueptr); @@ -3094,13 +3109,14 @@ query does not contain $sender_host_name. From release 4.23, a reference to $sender_host_name causes it to be looked up, so we don't need to do the lookup on spec. */ -if ((semicolon = Ustrchr(ss, ';')) != NULL) +if ((semicolon = Ustrchr(ss, ';'))) { - const uschar *affix; + const uschar * affix, * opts; int partial, affixlen, starflags, id; *semicolon = 0; - id = search_findtype_partial(ss, &partial, &affix, &affixlen, &starflags); + id = search_findtype_partial(ss, &partial, &affix, &affixlen, &starflags, + &opts); *semicolon=';'; if (id < 0) /* Unknown lookup type */ @@ -3371,16 +3387,18 @@ one_check_dnsbl(uschar *domain, uschar *domain_txt, uschar *keydomain, uschar *prepend, uschar *iplist, BOOL bitmask, int match_type, int defer_return) { -dns_answer dnsa; +dns_answer * dnsa = store_get_dns_answer(); dns_scan dnss; tree_node *t; dnsbl_cache_block *cb; int old_pool = store_pool; -uschar query[256]; /* DNS domain max length */ +uschar * query; +int qlen; /* Construct the specific query domainname */ -if (!string_format(query, sizeof(query), "%s.%s", prepend, domain)) +query = string_sprintf("%s.%s", prepend, domain); +if ((qlen = Ustrlen(query)) >= 256) { log_write(0, LOG_MAIN|LOG_PANIC, "dnslist query is too long " "(ignored): %s...", query); @@ -3396,7 +3414,7 @@ if ( (t = tree_search(dnsbl_cache, query)) /* Previous lookup was cached */ { - HDEBUG(D_dnsbl) debug_printf("using result of previous DNS lookup\n"); + HDEBUG(D_dnsbl) debug_printf("dnslists: using result of previous lookup\n"); } /* If not cached from a previous lookup, we must do a DNS lookup, and @@ -3404,7 +3422,7 @@ cache the result in permanent memory. */ else { - uint ttl = 3600; + uint ttl = 3600; /* max TTL for positive cache entries */ store_pool = POOL_PERM; @@ -3415,7 +3433,7 @@ else else { /* Set up a tree entry to cache the lookup */ - t = store_get(sizeof(tree_node) + Ustrlen(query), is_tainted(query)); + t = store_get(sizeof(tree_node) + qlen + 1 + 1, is_tainted(query)); Ustrcpy(t->name, query); t->data.ptr = cb = store_get(sizeof(dnsbl_cache_block), FALSE); (void)tree_insertnode(&dnsbl_cache, t); @@ -3424,7 +3442,7 @@ else /* Do the DNS lookup . */ HDEBUG(D_dnsbl) debug_printf("new DNS lookup for %s\n", query); - cb->rc = dns_basic_lookup(&dnsa, query, T_A); + cb->rc = dns_basic_lookup(dnsa, query, T_A); cb->text_set = FALSE; cb->text = NULL; cb->rhs = NULL; @@ -3439,34 +3457,58 @@ else addresses generated in that way as well. Mark the cache entry with the "now" plus the minimum of the address TTLs, - or some suitably far-future time if none were found. */ + or the RFC 2308 negative-cache value from the SOA if none were found. */ - if (cb->rc == DNS_SUCCEED) + switch (cb->rc) { - dns_address ** addrp = &(cb->rhs); - for (dns_record * rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); rr; - rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT)) - if (rr->type == T_A) - { - dns_address *da = dns_address_from_rr(&dnsa, rr); - if (da) - { - *addrp = da; - while (da->next) da = da->next; - addrp = &da->next; + case DNS_SUCCEED: + { + dns_address ** addrp = &cb->rhs; + dns_address * da; + for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr; + rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) + if (rr->type == T_A && (da = dns_address_from_rr(dnsa, rr))) + { + *addrp = da; + while (da->next) da = da->next; + addrp = &da->next; if (ttl > rr->ttl) ttl = rr->ttl; - } - } + } + + if (cb->rhs) + { + cb->expiry = time(NULL) + ttl; + break; + } + + /* If we didn't find any A records, change the return code. This can + happen when there is a CNAME record but there are no A records for what + it points to. */ + + cb->rc = DNS_NODATA; + } + /*FALLTHROUGH*/ + + case DNS_NOMATCH: + case DNS_NODATA: + { + /* Although there already is a neg-cache layer maintained by + dns_basic_lookup(), we have a dnslist cache entry allocated and + tree-inserted. So we may as well use it. */ - /* If we didn't find any A records, change the return code. This can - happen when there is a CNAME record but there are no A records for what - it points to. */ + time_t soa_negttl = dns_expire_from_soa(dnsa, T_A); + cb->expiry = soa_negttl ? soa_negttl : time(NULL) + ttl; + break; + } - if (!cb->rhs) cb->rc = DNS_NODATA; + default: + cb->expiry = time(NULL) + ttl; + break; } - cb->expiry = time(NULL)+ttl; store_pool = old_pool; + HDEBUG(D_dnsbl) debug_printf("dnslists: wrote cache entry, ttl=%d\n", + (int)(cb->expiry - time(NULL))); } /* We now have the result of the DNS lookup, either newly done, or cached @@ -3477,7 +3519,7 @@ list (introduced by "&"), or a negative bitmask list (introduced by "!&").*/ if (cb->rc == DNS_SUCCEED) { - dns_address *da = NULL; + dns_address * da = NULL; uschar *addlist = cb->rhs->address; /* For A and AAAA records, there may be multiple addresses from multiple @@ -3498,7 +3540,6 @@ if (cb->rc == DNS_SUCCEED) for (da = cb->rhs; da; da = da->next) { int ipsep = ','; - uschar ip[46]; const uschar *ptr = iplist; uschar *res; @@ -3506,8 +3547,8 @@ if (cb->rc == DNS_SUCCEED) if (!bitmask) { - while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip)))) - if (Ustrcmp(CS da->address, ip) == 0) + while ((res = string_nextinlist(&ptr, &ipsep, NULL, 0))) + if (Ustrcmp(CS da->address, res) == 0) break; } @@ -3529,9 +3570,9 @@ if (cb->rc == DNS_SUCCEED) /* Scan the returned addresses, skipping any that are IPv6 */ - while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip)))) + while ((res = string_nextinlist(&ptr, &ipsep, NULL, 0))) { - if (host_aton(ip, address) != 1) continue; + if (host_aton(res, address) != 1) continue; if ((address[0] & mask) == address[0]) break; } } @@ -3596,9 +3637,9 @@ if (cb->rc == DNS_SUCCEED) if (!cb->text_set) { cb->text_set = TRUE; - if (dns_basic_lookup(&dnsa, query, T_TXT) == DNS_SUCCEED) - for (dns_record * rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); rr; - rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT)) + if (dns_basic_lookup(dnsa, query, T_TXT) == DNS_SUCCEED) + for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr; + rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_TXT) { int len = (rr->data)[0]; @@ -3701,7 +3742,6 @@ int sep = 0; int defer_return = FAIL; const uschar *list = *listptr; uschar *domain; -uschar buffer[1024]; uschar revadd[128]; /* Long enough for IPv6 address */ /* Indicate that the inverted IP address is not yet set up */ @@ -3714,7 +3754,7 @@ dns_init(FALSE, FALSE, FALSE); /*XXX dnssec? */ /* Loop through all the domains supplied, until something matches */ -while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL) +while ((domain = string_nextinlist(&list, &sep, NULL, 0))) { int rc; BOOL bitmask = FALSE; @@ -3724,7 +3764,7 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL uschar *iplist; uschar *key; - HDEBUG(D_dnsbl) debug_printf("DNS list check: %s\n", domain); + HDEBUG(D_dnsbl) debug_printf("dnslists check: %s\n", domain); /* Deal with special values that change the behaviour on defer */ @@ -3778,8 +3818,7 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL set domain_txt == domain. */ domain_txt = domain; - comma = Ustrchr(domain, ','); - if (comma != NULL) + if ((comma = Ustrchr(domain, ','))) { *comma++ = 0; domain = comma; @@ -3821,7 +3860,7 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL acl_wherenames[where]); return ERROR; } - if (sender_host_address == NULL) return FAIL; /* can never match */ + if (!sender_host_address) return FAIL; /* can never match */ if (revadd[0] == 0) invert_address(revadd, sender_host_address); rc = one_check_dnsbl(domain, domain_txt, sender_host_address, revadd, iplist, bitmask, match_type, defer_return); @@ -3843,11 +3882,9 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL int keysep = 0; BOOL defer = FALSE; uschar *keydomain; - uschar keybuffer[256]; uschar keyrevadd[128]; - while ((keydomain = string_nextinlist(CUSS &key, &keysep, keybuffer, - sizeof(keybuffer))) != NULL) + while ((keydomain = string_nextinlist(CUSS &key, &keysep, NULL, 0))) { uschar *prepend = keydomain; @@ -3859,7 +3896,6 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL rc = one_check_dnsbl(domain, domain_txt, keydomain, prepend, iplist, bitmask, match_type, defer_return); - if (rc == OK) { dnslist_domain = string_copy(domain_txt);