From 7e8360e68b5372e91cc02d0450807a52f32d20da Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 24 Jan 2015 18:48:48 +0000 Subject: [PATCH] Support /defer_ok on verify=reverse_host_lookup. Bug 344 --- doc/doc-docbook/spec.xfpt | 5 ++++- doc/doc-txt/ChangeLog | 3 +++ src/src/acl.c | 8 +++++-- test/confs/0023 | 4 ++++ test/scripts/0000-Basic/0023 | 11 ++++++++++ test/stderr/0023 | 42 ++++++++++++++++++++++++++++++++++++ test/stdout/0023 | 18 ++++++++++++++++ 7 files changed, 88 insertions(+), 3 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index d5a16cacc..77d966d6d 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -28824,7 +28824,7 @@ verified is redirected to a single address, verification continues with the new address, and in that case, the subsequent value of &$address_data$& is the value for the child address. -.vitem &*verify&~=&~reverse_host_lookup*& +.vitem &*verify&~=&~reverse_host_lookup/*&<&'options'&> .cindex "&%verify%& ACL condition" .cindex "&ACL;" "verifying host reverse lookup" .cindex "host" "verifying reverse lookup" @@ -28835,6 +28835,9 @@ Verification ensures that the host name obtained from a reverse DNS lookup, or one of its aliases, does, when it is itself looked up in the DNS, yield the original IP address. +There is one possible option, &`defer_ok`&. If this is present and a +DNS operation returns a temporary error, the verify condition succeeds. + If this condition is used for a locally generated message (that is, when there is no client host involved), it always succeeds. diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 57df78280..bfe872503 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog 
@@ -47,6 +47,9 @@ JH/11 The incoming_interface log option now also enables logging of the JH/12 The cutthrough-routing facility now supports multi-recipient mails, if the interface and destination host and port all match. +JH/13 Bug 344: The verify = reverse_host_lookup ACL condition now accepts a + /defer_ok option. + Exim version 4.85 diff --git a/src/src/acl.c b/src/src/acl.c index 06c1c494c..f0716e016 100644 --- a/src/src/acl.c +++ b/src/src/acl.c @@ -1662,7 +1662,7 @@ typedef struct { unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */ } verify_type_t; static verify_type_t verify_type_list[] = { - { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, TRUE, 0 }, + { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, FALSE, 0 }, { US"certificate", VERIFY_CERT, ~0, TRUE, 0 }, { US"helo", VERIFY_HELO, ~0, TRUE, 0 }, { US"csa", VERIFY_CSA, ~0, FALSE, 0 }, @@ -1783,7 +1783,11 @@ switch(vp->value) { case VERIFY_REV_HOST_LKUP: if (sender_host_address == NULL) return OK; - return acl_verify_reverse(user_msgptr, log_msgptr); + if ((rc = acl_verify_reverse(user_msgptr, log_msgptr)) == DEFER) + while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))) + if (strcmpic(ss, US"defer_ok") == 0) + return OK; + return rc; case VERIFY_CERT: /* TLS certificate verification is done at STARTTLS time; here we just diff --git a/test/confs/0023 b/test/confs/0023 index 2e5e15cb2..43f140d65 100644 --- a/test/confs/0023 +++ b/test/confs/0023 @@ -98,6 +98,10 @@ acl_9_9_9: acl_V4NET_0_0: require verify = reverse_host_lookup accept +acl_V4NET_99_99: + accept local_parts = defer_ok + verify = reverse_host_lookup/defer_ok + accept verify = reverse_host_lookup acl_V4NET_11_12: deny message = host in DNS list $dnslist_domain: $dnslist_text diff --git a/test/scripts/0000-Basic/0023 b/test/scripts/0000-Basic/0023 index 51e7123d0..3c028a1f0 100644 --- a/test/scripts/0000-Basic/0023 +++ b/test/scripts/0000-Basic/0023 
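Review bot: In src/src/acl.c, the VERIFY_REV_HOST_LKUP case reads the option list only after acl_verify_reverse() has returned DEFER and skips every word that is not `defer_ok`, so a misspelt or unsupported option is never reported. An operator then cannot tell whether the fail-open behaviour they asked for is actually in effect. Because `defer_ok` turns a temporary DNS error into a pass for this check, it seems worth parsing the options before the lookup (and before the `sender_host_address == NULL` shortcut) and rejecting anything unknown as a configuration error. The fence below sketches that; the `return ERROR` and the message wording are assumed to match how the rest of acl_verify reports bad options, which is outside the hunk, as are the start and end of the enclosing switch. An extra case in test/confs/0023 using an unknown option would pin the behaviour.

```c
  case VERIFY_REV_HOST_LKUP:
    {
    BOOL defer_ok = FALSE;

    /* Parse options up front so that a bad one is a configuration error on
    every path, not something silently skipped when the lookup defers. */
    while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
      if (strcmpic(ss, US"defer_ok") == 0)
        defer_ok = TRUE;
      else
        {
        *log_msgptr = string_sprintf("unknown option \"%s\" for "
          "verify = reverse_host_lookup", ss);
        return ERROR;
        }

    if (sender_host_address == NULL) return OK;
    rc = acl_verify_reverse(user_msgptr, log_msgptr);
    return (rc == DEFER && defer_ok)? OK : rc;
    }
  /* … unchanged: case VERIFY_CERT and the following cases … */
```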
@@ -189,6 +189,17 @@ mail from:<> rcpt to: quit **** +# This resolves to a name which will give `try again' when looked up +exim -bh V4NET.99.99.96 +mail from:<> +rcpt to: +quit +**** +exim -bh V4NET.99.99.96 +mail from:<> +rcpt to: +quit +**** exim -bh 29.29.29.29 mail from: rcpt to: diff --git a/test/stderr/0023 b/test/stderr/0023 index 89c1d3993..7da373917 100644 --- a/test/stderr/0023 +++ b/test/stderr/0023 
@@ -1128,6 +1128,48 @@ LOG: H=[V4NET.0.0.97] F=<> rejected RCPT : host lookup failed for reverse l >>> host in helo_verify_hosts? no (option unset) >>> host in helo_try_verify_hosts? no (option unset) >>> host in helo_accept_junk_hosts? no (option unset) +>>> using ACL "acl_V4NET_99_99" +>>> processing "accept" +>>> check local_parts = defer_ok +>>> x in "defer_ok"? no (end of list) +>>> accept: condition test failed in ACL "acl_V4NET_99_99" +>>> processing "accept" +>>> check verify = reverse_host_lookup +>>> looking up host name to force name/address consistency check +>>> looking up host name for V4NET.99.99.96 +>>> IP address lookup yielded "x.test.again.dns" +>>> x.test.again.dns in dns_again_means_nonexist? no (option unset) +>>> temporary error for host name lookup +>>> accept: condition test deferred in ACL "acl_V4NET_99_99" +LOG: H=[V4NET.99.99.96] F=<> temporarily rejected RCPT : host lookup deferred for reverse lookup check +>>> host in hosts_connection_nolog? no (option unset) +>>> host in host_lookup? no (option unset) +>>> host in host_reject_connection? no (option unset) +>>> host in sender_unqualified_hosts? no (option unset) +>>> host in recipient_unqualified_hosts? no (option unset) +>>> host in helo_verify_hosts? no (option unset) +>>> host in helo_try_verify_hosts? no (option unset) +>>> host in helo_accept_junk_hosts? no (option unset) +>>> using ACL "acl_V4NET_99_99" +>>> processing "accept" +>>> check local_parts = defer_ok +>>> defer_ok in "defer_ok"? yes (matched "defer_ok") +>>> check verify = reverse_host_lookup/defer_ok +>>> looking up host name to force name/address consistency check +>>> looking up host name for V4NET.99.99.96 +>>> IP address lookup yielded "x.test.again.dns" +>>> x.test.again.dns in dns_again_means_nonexist? no (option unset) +>>> temporary error for host name lookup +>>> accept: condition test succeeded in ACL "acl_V4NET_99_99" +>>> end of ACL "acl_V4NET_99_99": ACCEPT +>>> host in hosts_connection_nolog? 
no (option unset) +>>> host in host_lookup? no (option unset) +>>> host in host_reject_connection? no (option unset) +>>> host in sender_unqualified_hosts? no (option unset) +>>> host in recipient_unqualified_hosts? no (option unset) +>>> host in helo_verify_hosts? no (option unset) +>>> host in helo_try_verify_hosts? no (option unset) +>>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_29_29_29" >>> processing "deny" >>> check dnslists = test.ex/$sender_address_domain diff --git a/test/stdout/0023 b/test/stdout/0023 index b805f334b..a835f2a4e 100644 --- a/test/stdout/0023 +++ b/test/stdout/0023 @@ -302,6 +302,24 @@ 550 Administrative prohibition 221 myhost.test.ex closing connection +**** SMTP testing session as if from host V4NET.99.99.96 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250 OK +451 Temporary local problem - please try later +221 myhost.test.ex closing connection + +**** SMTP testing session as if from host V4NET.99.99.96 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250 OK +250 Accepted +221 myhost.test.ex closing connection + **** SMTP testing session as if from host 29.29.29.29 **** but without any ident (RFC 1413) callback. **** This is not for real! -- 2.30.2