1 /* $Cambridge: exim/src/src/verify.c,v 1.46 2007/01/17 11:17:58 ph10 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2007 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Functions concerned with verifying things. The original code for callout
11 caching was contributed by Kevin Fleming (but I hacked it around a bit). */
17 /* Structure for caching DNSBL lookups */
19 typedef struct dnsbl_cache_block {
27 /* Anchor for DNSBL cache */
29 static tree_node *dnsbl_cache = NULL;
32 /* Bits for match_type in one_check_dnsbl() */
39 /*************************************************
40 * Retrieve a callout cache record *
41 *************************************************/
43 /* If a record exists, check whether it has expired.
46 dbm_file an open hints file
48 type "address" or "domain"
49 positive_expire expire time for positive records
50 negative_expire expire time for negative records
52 Returns: the cache record if a non-expired one exists, else NULL
55 static dbdata_callout_cache *
56 get_callout_cache_record(open_db *dbm_file, uschar *key, uschar *type,
57 int positive_expire, int negative_expire)
62 dbdata_callout_cache *cache_record;
64 cache_record = dbfn_read_with_length(dbm_file, key, &length);
66 if (cache_record == NULL)
68 HDEBUG(D_verify) debug_printf("callout cache: no %s record found\n", type);
72 /* We treat a record as "negative" if its result field is not positive, or if
73 it is a domain record and the postmaster field is negative. */
75 negative = cache_record->result != ccache_accept ||
76 (type[0] == 'd' && cache_record->postmaster_result == ccache_reject);
77 expire = negative? negative_expire : positive_expire;
80 if (now - cache_record->time_stamp > expire)
82 HDEBUG(D_verify) debug_printf("callout cache: %s record expired\n", type);
86 /* If this is a non-reject domain record, check for the obsolete format version
87 that doesn't have the postmaster and random timestamps, by looking at the
88 length. If so, copy it to a new-style block, replicating the record's
89 timestamp. Then check the additional timestamps. (There's no point wasting
90 effort if connections are rejected.) */
92 if (type[0] == 'd' && cache_record->result != ccache_reject)
94 if (length == sizeof(dbdata_callout_cache_obs))
96 dbdata_callout_cache *new = store_get(sizeof(dbdata_callout_cache));
97 memcpy(new, cache_record, length);
98 new->postmaster_stamp = new->random_stamp = new->time_stamp;
102 if (now - cache_record->postmaster_stamp > expire)
103 cache_record->postmaster_result = ccache_unknown;
105 if (now - cache_record->random_stamp > expire)
106 cache_record->random_result = ccache_unknown;
109 HDEBUG(D_verify) debug_printf("callout cache: found %s record\n", type);
115 /*************************************************
116 * Do callout verification for an address *
117 *************************************************/
119 /* This function is called from verify_address() when the address has routed to
120 a host list, and a callout has been requested. Callouts are expensive; that is
121 why a cache is used to improve the efficiency.
124 addr the address that's been routed
125 host_list the list of hosts to try
126 tf the transport feedback block
128 ifstring "interface" option from transport, or NULL
129 portstring "port" option from transport, or NULL
130 protocolstring "protocol" option from transport, or NULL
131 callout the per-command callout timeout
132 callout_overall the overall callout timeout (if < 0 use 4*callout)
133 callout_connect the callout connection timeout (if < 0 use callout)
134 options the verification options - these bits are used:
135 vopt_is_recipient => this is a recipient address
136 vopt_callout_no_cache => don't use callout cache
137 vopt_callout_fullpm => if postmaster check, do full one
138 vopt_callout_random => do the "random" thing
139 vopt_callout_recipsender => use real sender for recipient
140 vopt_callout_recippmaster => use postmaster for recipient
141 se_mailfrom MAIL FROM address for sender verify; NULL => ""
142 pm_mailfrom if non-NULL, do the postmaster check with this sender
144 Returns: OK/FAIL/DEFER
148 do_callout(address_item *addr, host_item *host_list, transport_feedback *tf,
149 int callout, int callout_overall, int callout_connect, int options,
150 uschar *se_mailfrom, uschar *pm_mailfrom)
152 BOOL is_recipient = (options & vopt_is_recipient) != 0;
153 BOOL callout_no_cache = (options & vopt_callout_no_cache) != 0;
154 BOOL callout_random = (options & vopt_callout_random) != 0;
157 int old_domain_cache_result = ccache_accept;
160 uschar *from_address;
161 uschar *random_local_part = NULL;
162 uschar *save_deliver_domain = deliver_domain;
163 uschar **failure_ptr = is_recipient?
164 &recipient_verify_failure : &sender_verify_failure;
166 open_db *dbm_file = NULL;
167 dbdata_callout_cache new_domain_record;
168 dbdata_callout_cache_address new_address_record;
170 time_t callout_start_time;
172 new_domain_record.result = ccache_unknown;
173 new_domain_record.postmaster_result = ccache_unknown;
174 new_domain_record.random_result = ccache_unknown;
176 memset(&new_address_record, 0, sizeof(new_address_record));
178 /* For a recipient callout, the key used for the address cache record must
179 include the sender address if we are using the real sender in the callout,
180 because that may influence the result of the callout. */
182 address_key = addr->address;
187 if ((options & vopt_callout_recipsender) != 0)
189 address_key = string_sprintf("%s/<%s>", addr->address, sender_address);
190 from_address = sender_address;
192 else if ((options & vopt_callout_recippmaster) != 0)
194 address_key = string_sprintf("%s/<postmaster@%s>", addr->address,
195 qualify_domain_sender);
196 from_address = string_sprintf("postmaster@%s", qualify_domain_sender);
200 /* For a sender callout, we must adjust the key if the mailfrom address is not
205 from_address = (se_mailfrom == NULL)? US"" : se_mailfrom;
206 if (from_address[0] != 0)
207 address_key = string_sprintf("%s/<%s>", addr->address, from_address);
210 /* Open the callout cache database, it it exists, for reading only at this
211 stage, unless caching has been disabled. */
213 if (callout_no_cache)
215 HDEBUG(D_verify) debug_printf("callout cache: disabled by no_cache\n");
217 else if ((dbm_file = dbfn_open(US"callout", O_RDWR, &dbblock, FALSE)) == NULL)
219 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
222 /* If a cache database is available see if we can avoid the need to do an
223 actual callout by making use of previously-obtained data. */
225 if (dbm_file != NULL)
227 dbdata_callout_cache_address *cache_address_record;
228 dbdata_callout_cache *cache_record = get_callout_cache_record(dbm_file,
229 addr->domain, US"domain",
230 callout_cache_domain_positive_expire,
231 callout_cache_domain_negative_expire);
233 /* If an unexpired cache record was found for this domain, see if the callout
234 process can be short-circuited. */
236 if (cache_record != NULL)
238 /* In most cases, if an early command (up to and including MAIL FROM:<>)
239 was rejected, there is no point carrying on. The callout fails. However, if
240 we are doing a recipient verification with use_sender or use_postmaster
241 set, a previous failure of MAIL FROM:<> doesn't count, because this time we
242 will be using a non-empty sender. We have to remember this situation so as
243 not to disturb the cached domain value if this whole verification succeeds
244 (we don't want it turning into "accept"). */
246 old_domain_cache_result = cache_record->result;
248 if (cache_record->result == ccache_reject ||
249 (*from_address == 0 && cache_record->result == ccache_reject_mfnull))
251 setflag(addr, af_verify_nsfail);
253 debug_printf("callout cache: domain gave initial rejection, or "
254 "does not accept HELO or MAIL FROM:<>\n");
255 setflag(addr, af_verify_nsfail);
256 addr->user_message = US"(result of an earlier callout reused).";
258 *failure_ptr = US"mail";
262 /* If a previous check on a "random" local part was accepted, we assume
263 that the server does not do any checking on local parts. There is therefore
264 no point in doing the callout, because it will always be successful. If a
265 random check previously failed, arrange not to do it again, but preserve
266 the data in the new record. If a random check is required but hasn't been
267 done, skip the remaining cache processing. */
269 if (callout_random) switch(cache_record->random_result)
273 debug_printf("callout cache: domain accepts random addresses\n");
274 goto END_CALLOUT; /* Default yield is OK */
278 debug_printf("callout cache: domain rejects random addresses\n");
279 callout_random = FALSE;
280 new_domain_record.random_result = ccache_reject;
281 new_domain_record.random_stamp = cache_record->random_stamp;
286 debug_printf("callout cache: need to check random address handling "
287 "(not cached or cache expired)\n");
291 /* If a postmaster check is requested, but there was a previous failure,
292 there is again no point in carrying on. If a postmaster check is required,
293 but has not been done before, we are going to have to do a callout, so skip
294 remaining cache processing. */
296 if (pm_mailfrom != NULL)
298 if (cache_record->postmaster_result == ccache_reject)
300 setflag(addr, af_verify_pmfail);
302 debug_printf("callout cache: domain does not accept "
303 "RCPT TO:<postmaster@domain>\n");
305 *failure_ptr = US"postmaster";
306 setflag(addr, af_verify_pmfail);
307 addr->user_message = US"(result of earlier verification reused).";
310 if (cache_record->postmaster_result == ccache_unknown)
313 debug_printf("callout cache: need to check RCPT "
314 "TO:<postmaster@domain> (not cached or cache expired)\n");
318 /* If cache says OK, set pm_mailfrom NULL to prevent a redundant
319 postmaster check if the address itself has to be checked. Also ensure
320 that the value in the cache record is preserved (with its old timestamp).
323 HDEBUG(D_verify) debug_printf("callout cache: domain accepts RCPT "
324 "TO:<postmaster@domain>\n");
326 new_domain_record.postmaster_result = ccache_accept;
327 new_domain_record.postmaster_stamp = cache_record->postmaster_stamp;
331 /* We can't give a result based on information about the domain. See if there
332 is an unexpired cache record for this specific address (combined with the
333 sender address if we are doing a recipient callout with a non-empty sender).
336 cache_address_record = (dbdata_callout_cache_address *)
337 get_callout_cache_record(dbm_file,
338 address_key, US"address",
339 callout_cache_positive_expire,
340 callout_cache_negative_expire);
342 if (cache_address_record != NULL)
344 if (cache_address_record->result == ccache_accept)
347 debug_printf("callout cache: address record is positive\n");
352 debug_printf("callout cache: address record is negative\n");
353 addr->user_message = US"Previous (cached) callout verification failure";
354 *failure_ptr = US"recipient";
360 /* Close the cache database while we actually do the callout for real. */
363 dbfn_close(dbm_file);
367 /* The information wasn't available in the cache, so we have to do a real
368 callout and save the result in the cache for next time, unless no_cache is set,
369 or unless we have a previously cached negative random result. If we are to test
370 with a random local part, ensure that such a local part is available. If not,
371 log the fact, but carry on without randomming. */
373 if (callout_random && callout_random_local_part != NULL)
375 random_local_part = expand_string(callout_random_local_part);
376 if (random_local_part == NULL)
377 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
378 "callout_random_local_part: %s", expand_string_message);
381 /* Default the connect and overall callout timeouts if not set, and record the
382 time we are starting so that we can enforce it. */
384 if (callout_overall < 0) callout_overall = 4 * callout;
385 if (callout_connect < 0) callout_connect = callout;
386 callout_start_time = time(NULL);
388 /* Now make connections to the hosts and do real callouts. The list of hosts
389 is passed in as an argument. */
391 for (host = host_list; host != NULL && !done; host = host->next)
393 smtp_inblock inblock;
394 smtp_outblock outblock;
397 BOOL send_quit = TRUE;
398 uschar *active_hostname = smtp_active_hostname;
399 uschar *helo = US"HELO";
400 uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
401 uschar inbuffer[4096];
402 uschar outbuffer[1024];
403 uschar responsebuffer[4096];
405 clearflag(addr, af_verify_pmfail); /* postmaster callout flag */
406 clearflag(addr, af_verify_nsfail); /* null sender callout flag */
408 /* Skip this host if we don't have an IP address for it. */
410 if (host->address == NULL)
412 DEBUG(D_verify) debug_printf("no IP address for host name %s: skipping\n",
417 /* Check the overall callout timeout */
419 if (time(NULL) - callout_start_time >= callout_overall)
421 HDEBUG(D_verify) debug_printf("overall timeout for callout exceeded\n");
425 /* Set IPv4 or IPv6 */
427 host_af = (Ustrchr(host->address, ':') == NULL)? AF_INET:AF_INET6;
429 /* Expand and interpret the interface and port strings. The latter will not
430 be used if there is a host-specific port (e.g. from a manualroute router).
431 This has to be delayed till now, because they may expand differently for
432 different hosts. If there's a failure, log it, but carry on with the
435 deliver_host = host->name;
436 deliver_host_address = host->address;
437 deliver_domain = addr->domain;
439 if (!smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
441 !smtp_get_port(tf->port, addr, &port, US"callout"))
442 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
445 /* Expand the helo_data string to find the host name to use. */
447 if (tf->helo_data != NULL)
449 uschar *s = expand_string(tf->helo_data);
451 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: failed to expand transport's "
452 "helo_data value for callout: %s", addr->address,
453 expand_string_message);
454 else active_hostname = s;
457 deliver_host = deliver_host_address = NULL;
458 deliver_domain = save_deliver_domain;
460 /* Set HELO string according to the protocol */
462 if (Ustrcmp(tf->protocol, "lmtp") == 0) helo = US"LHLO";
464 HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", interface, port);
466 /* Set up the buffer for reading SMTP response packets. */
468 inblock.buffer = inbuffer;
469 inblock.buffersize = sizeof(inbuffer);
470 inblock.ptr = inbuffer;
471 inblock.ptrend = inbuffer;
473 /* Set up the buffer for holding SMTP commands while pipelining */
475 outblock.buffer = outbuffer;
476 outblock.buffersize = sizeof(outbuffer);
477 outblock.ptr = outbuffer;
478 outblock.cmd_count = 0;
479 outblock.authenticating = FALSE;
481 /* Connect to the host; on failure, just loop for the next one, but we
482 set the error for the last one. Use the callout_connect timeout. */
484 inblock.sock = outblock.sock =
485 smtp_connect(host, host_af, port, interface, callout_connect, TRUE);
486 if (inblock.sock < 0)
488 addr->message = string_sprintf("could not connect to %s [%s]: %s",
489 host->name, host->address, strerror(errno));
493 /* Wait for initial response, and send HELO. The smtp_write_command()
494 function leaves its command in big_buffer. This is used in error responses.
495 Initialize it in case the connection is rejected. */
497 Ustrcpy(big_buffer, "initial connection");
500 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
502 smtp_write_command(&outblock, FALSE, "%s %s\r\n", helo,
503 active_hostname) >= 0 &&
504 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
507 /* Failure to accept HELO is cached; this blocks the whole domain for all
508 senders. I/O errors and defer responses are not cached. */
512 *failure_ptr = US"mail"; /* At or before MAIL */
513 if (errno == 0 && responsebuffer[0] == '5')
515 setflag(addr, af_verify_nsfail);
516 new_domain_record.result = ccache_reject;
520 /* Send the MAIL command */
523 smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>\r\n",
524 from_address) >= 0 &&
525 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
528 /* If the host does not accept MAIL FROM:<>, arrange to cache this
529 information, but again, don't record anything for an I/O error or a defer. Do
530 not cache rejections of MAIL when a non-empty sender has been used, because
531 that blocks the whole domain for all senders. */
535 *failure_ptr = US"mail"; /* At or before MAIL */
536 if (errno == 0 && responsebuffer[0] == '5')
538 setflag(addr, af_verify_nsfail);
539 if (from_address[0] == 0)
540 new_domain_record.result = ccache_reject_mfnull;
544 /* Otherwise, proceed to check a "random" address (if required), then the
545 given address, and the postmaster address (if required). Between each check,
546 issue RSET, because some servers accept only one recipient after MAIL
549 Before doing this, set the result in the domain cache record to "accept",
550 unless its previous value was ccache_reject_mfnull. In that case, the domain
551 rejects MAIL FROM:<> and we want to continue to remember that. When that is
552 the case, we have got here only in the case of a recipient verification with
553 a non-null sender. */
557 new_domain_record.result =
558 (old_domain_cache_result == ccache_reject_mfnull)?
559 ccache_reject_mfnull: ccache_accept;
561 /* Do the random local part check first */
563 if (random_local_part != NULL)
565 uschar randombuffer[1024];
567 smtp_write_command(&outblock, FALSE,
568 "RCPT TO:<%.1000s@%.1000s>\r\n", random_local_part,
569 addr->domain) >= 0 &&
570 smtp_read_response(&inblock, randombuffer,
571 sizeof(randombuffer), '2', callout);
573 /* Remember when we last did a random test */
575 new_domain_record.random_stamp = time(NULL);
577 /* If accepted, we aren't going to do any further tests below. */
581 new_domain_record.random_result = ccache_accept;
584 /* Otherwise, cache a real negative response, and get back to the right
585 state to send RCPT. Unless there's some problem such as a dropped
586 connection, we expect to succeed, because the commands succeeded above. */
590 if (randombuffer[0] == '5')
591 new_domain_record.random_result = ccache_reject;
594 smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
595 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
598 smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>\r\n",
599 from_address) >= 0 &&
600 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
603 else done = FALSE; /* Some timeout/connection problem */
606 /* If the host is accepting all local parts, as determined by the "random"
607 check, we don't need to waste time doing any further checking. */
609 if (new_domain_record.random_result != ccache_accept && done)
611 /* Get the rcpt_include_affixes flag from the transport if there is one,
612 but assume FALSE if there is not. */
615 smtp_write_command(&outblock, FALSE, "RCPT TO:<%.1000s>\r\n",
616 transport_rcpt_address(addr,
617 (addr->transport == NULL)? FALSE :
618 addr->transport->rcpt_include_affixes)) >= 0 &&
619 smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
623 new_address_record.result = ccache_accept;
624 else if (errno == 0 && responsebuffer[0] == '5')
626 *failure_ptr = US"recipient";
627 new_address_record.result = ccache_reject;
630 /* Do postmaster check if requested; if a full check is required, we
631 check for RCPT TO:<postmaster> (no domain) in accordance with RFC 821. */
633 if (done && pm_mailfrom != NULL)
636 smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
637 smtp_read_response(&inblock, responsebuffer,
638 sizeof(responsebuffer), '2', callout) &&
640 smtp_write_command(&outblock, FALSE,
641 "MAIL FROM:<%s>\r\n", pm_mailfrom) >= 0 &&
642 smtp_read_response(&inblock, responsebuffer,
643 sizeof(responsebuffer), '2', callout) &&
645 /* First try using the current domain */
648 smtp_write_command(&outblock, FALSE,
649 "RCPT TO:<postmaster@%.1000s>\r\n", addr->domain) >= 0 &&
650 smtp_read_response(&inblock, responsebuffer,
651 sizeof(responsebuffer), '2', callout)
656 /* If that doesn't work, and a full check is requested,
657 try without the domain. */
660 (options & vopt_callout_fullpm) != 0 &&
661 smtp_write_command(&outblock, FALSE,
662 "RCPT TO:<postmaster>\r\n") >= 0 &&
663 smtp_read_response(&inblock, responsebuffer,
664 sizeof(responsebuffer), '2', callout)
667 /* Sort out the cache record */
669 new_domain_record.postmaster_stamp = time(NULL);
672 new_domain_record.postmaster_result = ccache_accept;
673 else if (errno == 0 && responsebuffer[0] == '5')
675 *failure_ptr = US"postmaster";
676 setflag(addr, af_verify_pmfail);
677 new_domain_record.postmaster_result = ccache_reject;
680 } /* Random not accepted */
681 } /* MAIL FROM: accepted */
683 /* For any failure of the main check, other than a negative response, we just
684 close the connection and carry on. We can identify a negative response by the
685 fact that errno is zero. For I/O errors it will be non-zero
687 Set up different error texts for logging and for sending back to the caller
688 as an SMTP response. Log in all cases, using a one-line format. For sender
689 callouts, give a full response to the caller, but for recipient callouts,
690 don't give the IP address because this may be an internal host whose identity
691 is not to be widely broadcast. */
695 if (errno == ETIMEDOUT)
697 HDEBUG(D_verify) debug_printf("SMTP timeout\n");
702 if (*responsebuffer == 0) Ustrcpy(responsebuffer, US"connection dropped");
705 string_sprintf("response to \"%s\" from %s [%s] was: %s",
706 big_buffer, host->name, host->address,
707 string_printing(responsebuffer));
709 addr->user_message = is_recipient?
710 string_sprintf("Callout verification failed:\n%s", responsebuffer)
712 string_sprintf("Called: %s\nSent: %s\nResponse: %s",
713 host->address, big_buffer, responsebuffer);
715 /* Hard rejection ends the process */
717 if (responsebuffer[0] == '5') /* Address rejected */
725 /* End the SMTP conversation and close the connection. */
727 if (send_quit) (void)smtp_write_command(&outblock, FALSE, "QUIT\r\n");
728 (void)close(inblock.sock);
729 } /* Loop through all hosts, while !done */
731 /* If we get here with done == TRUE, a successful callout happened, and yield
732 will be set OK or FAIL according to the response to the RCPT command.
733 Otherwise, we looped through the hosts but couldn't complete the business.
734 However, there may be domain-specific information to cache in both cases.
736 The value of the result field in the new_domain record is ccache_unknown if
737 there was an error before or with MAIL FROM:, and errno was not zero,
738 implying some kind of I/O error. We don't want to write the cache in that case.
739 Otherwise the value is ccache_accept, ccache_reject, or ccache_reject_mfnull. */
741 if (!callout_no_cache && new_domain_record.result != ccache_unknown)
743 if ((dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE))
746 HDEBUG(D_verify) debug_printf("callout cache: not available\n");
750 (void)dbfn_write(dbm_file, addr->domain, &new_domain_record,
751 (int)sizeof(dbdata_callout_cache));
752 HDEBUG(D_verify) debug_printf("wrote callout cache domain record:\n"
753 " result=%d postmaster=%d random=%d\n",
754 new_domain_record.result,
755 new_domain_record.postmaster_result,
756 new_domain_record.random_result);
760 /* If a definite result was obtained for the callout, cache it unless caching
765 if (!callout_no_cache && new_address_record.result != ccache_unknown)
767 if (dbm_file == NULL)
768 dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE);
769 if (dbm_file == NULL)
771 HDEBUG(D_verify) debug_printf("no callout cache available\n");
775 (void)dbfn_write(dbm_file, address_key, &new_address_record,
776 (int)sizeof(dbdata_callout_cache_address));
777 HDEBUG(D_verify) debug_printf("wrote %s callout cache address record\n",
778 (new_address_record.result == ccache_accept)? "positive" : "negative");
783 /* Failure to connect to any host, or any response other than 2xx or 5xx is a
784 temporary error. If there was only one host, and a response was received, leave
785 it alone if supplying details. Otherwise, give a generic response. */
789 uschar *dullmsg = string_sprintf("Could not complete %s verify callout",
790 is_recipient? "recipient" : "sender");
793 if (host_list->next != NULL || addr->message == NULL) addr->message = dullmsg;
795 addr->user_message = (!smtp_return_error_details)? dullmsg :
796 string_sprintf("%s for <%s>.\n"
797 "The mail server(s) for the domain may be temporarily unreachable, or\n"
798 "they may be permanently unreachable from this server. In the latter case,\n%s",
799 dullmsg, addr->address,
801 "the address will never be accepted."
803 "you need to change the address or create an MX record for its domain\n"
804 "if it is supposed to be generally accessible from the Internet.\n"
805 "Talk to your mail administrator for details.");
807 /* Force a specific error code */
809 addr->basic_errno = ERRNO_CALLOUTDEFER;
812 /* Come here from within the cache-reading code on fast-track exit. */
815 if (dbm_file != NULL) dbfn_close(dbm_file);
821 /*************************************************
822 * Copy error to toplevel address *
823 *************************************************/
825 /* This function is used when a verify fails or defers, to ensure that the
826 failure or defer information is in the original toplevel address. This applies
827 when an address is redirected to a single new address, and the failure or
828 deferral happens to the child address.
831 vaddr the verify address item
832 addr the final address item
835 Returns: the value of YIELD
839 copy_error(address_item *vaddr, address_item *addr, int yield)
843 vaddr->message = addr->message;
844 vaddr->user_message = addr->user_message;
845 vaddr->basic_errno = addr->basic_errno;
846 vaddr->more_errno = addr->more_errno;
847 vaddr->p.address_data = addr->p.address_data;
855 /*************************************************
856 * Verify an email address *
857 *************************************************/
859 /* This function is used both for verification (-bv and at other times) and
860 address testing (-bt), which is indicated by address_test_mode being set.
863 vaddr contains the address to verify; the next field in this block
865 f if not NULL, write the result to this file
866 options various option bits:
867 vopt_fake_sender => this sender verify is not for the real
868 sender (it was verify=sender=xxxx or an address from a
869 header line) - rewriting must not change sender_address
870 vopt_is_recipient => this is a recipient address, otherwise
871 it's a sender address - this affects qualification and
872 rewriting and messages from callouts
873 vopt_qualify => qualify an unqualified address; else error
874 vopt_expn => called from SMTP EXPN command
875 vopt_success_on_redirect => when a new address is generated
876 the verification instantly succeeds
878 These ones are used by do_callout() -- the options variable
881 vopt_callout_fullpm => if postmaster check, do full one
882 vopt_callout_no_cache => don't use callout cache
883 vopt_callout_random => do the "random" thing
884 vopt_callout_recipsender => use real sender for recipient
885 vopt_callout_recippmaster => use postmaster for recipient
887 callout if > 0, specifies that callout is required, and gives timeout
888 for individual commands
889 callout_overall if > 0, gives overall timeout for the callout function;
890 if < 0, a default is used (see do_callout())
891 callout_connect the connection timeout for callouts
892 se_mailfrom when callout is requested to verify a sender, use this
893 in MAIL FROM; NULL => ""
894 pm_mailfrom when callout is requested, if non-NULL, do the postmaster
895 thing and use this as the sender address (may be "")
897 routed if not NULL, set TRUE if routing succeeded, so we can
898 distinguish between routing failed and callout failed
900 Returns: OK address verified
901 FAIL address failed to verify
902 DEFER can't tell at present
906 verify_address(address_item *vaddr, FILE *f, int options, int callout,
907 int callout_overall, int callout_connect, uschar *se_mailfrom,
908 uschar *pm_mailfrom, BOOL *routed)
911 BOOL full_info = (f == NULL)? FALSE : (debug_selector != 0);
912 BOOL is_recipient = (options & vopt_is_recipient) != 0;
913 BOOL expn = (options & vopt_expn) != 0;
914 BOOL success_on_redirect = (options & vopt_success_on_redirect) != 0;
917 int verify_type = expn? v_expn :
918 address_test_mode? v_none :
919 is_recipient? v_recipient : v_sender;
920 address_item *addr_list;
921 address_item *addr_new = NULL;
922 address_item *addr_remote = NULL;
923 address_item *addr_local = NULL;
924 address_item *addr_succeed = NULL;
925 uschar **failure_ptr = is_recipient?
926 &recipient_verify_failure : &sender_verify_failure;
927 uschar *ko_prefix, *cr;
928 uschar *address = vaddr->address;
930 uschar null_sender[] = { 0 }; /* Ensure writeable memory */
932 /* Clear, just in case */
936 /* Set up a prefix and suffix for error message which allow us to use the same
937 output statements both in EXPN mode (where an SMTP response is needed) and when
938 debugging with an output file. */
942 ko_prefix = US"553 ";
945 else ko_prefix = cr = US"";
947 /* Add qualify domain if permitted; otherwise an unqualified address fails. */
949 if (parse_find_at(address) == NULL)
951 if ((options & vopt_qualify) == 0)
954 fprintf(f, "%sA domain is required for \"%s\"%s\n", ko_prefix, address,
956 *failure_ptr = US"qualify";
959 address = rewrite_address_qualify(address, is_recipient);
964 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
965 debug_printf("%s %s\n", address_test_mode? "Testing" : "Verifying", address);
968 /* Rewrite and report on it. Clear the domain and local part caches - these
969 may have been set by domains and local part tests during an ACL. */
971 if (global_rewrite_rules != NULL)
973 uschar *old = address;
974 address = rewrite_address(address, is_recipient, FALSE,
975 global_rewrite_rules, rewrite_existflags);
978 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->localpart_cache[i] = 0;
979 for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->domain_cache[i] = 0;
980 if (f != NULL && !expn) fprintf(f, "Address rewritten as: %s\n", address);
984 /* If this is the real sender address, we must update sender_address at
985 this point, because it may be referred to in the routers. */
987 if ((options & (vopt_fake_sender|vopt_is_recipient)) == 0)
988 sender_address = address;
990 /* If the address was rewritten to <> no verification can be done, and we have
991 to return OK. This rewriting is permitted only for sender addresses; for other
992 addresses, such rewriting fails. */
994 if (address[0] == 0) return OK;
996 /* Save a copy of the sender address for re-instating if we change it to <>
997 while verifying a sender address (a nice bit of self-reference there). */
999 save_sender = sender_address;
1001 /* Update the address structure with the possibly qualified and rewritten
1002 address. Set it up as the starting address on the chain of new addresses. */
1004 vaddr->address = address;
1007 /* We need a loop, because an address can generate new addresses. We must also
1008 cope with generated pipes and files at the top level. (See also the code and
1009 comment in deliver.c.) However, it is usually the case that the router for
1010 user's .forward files has its verify flag turned off.
1012 If an address generates more than one child, the loop is used only when
1013 full_info is set, and this can only be set locally. Remote enquiries just get
1014 information about the top level address, not anything that it generated. */
1016 while (addr_new != NULL)
1019 address_item *addr = addr_new;
1021 addr_new = addr->next;
1026 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
1027 debug_printf("Considering %s\n", addr->address);
1030 /* Handle generated pipe, file or reply addresses. We don't get these
1031 when handling EXPN, as it does only one level of expansion. */
1033 if (testflag(addr, af_pfr))
1040 if (addr->address[0] == '>')
1042 allow = testflag(addr, af_allow_reply);
1043 fprintf(f, "%s -> mail %s", addr->parent->address, addr->address + 1);
1047 allow = (addr->address[0] == '|')?
1048 testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file);
1049 fprintf(f, "%s -> %s", addr->parent->address, addr->address);
1052 if (addr->basic_errno == ERRNO_BADTRANSPORT)
1053 fprintf(f, "\n*** Error in setting up pipe, file, or autoreply:\n"
1054 "%s\n", addr->message);
1056 fprintf(f, "\n transport = %s\n", addr->transport->name);
1058 fprintf(f, " *** forbidden ***\n");
1063 /* Just in case some router parameter refers to it. */
1065 return_path = (addr->p.errors_address != NULL)?
1066 addr->p.errors_address : sender_address;
1068 /* Split the address into domain and local part, handling the %-hack if
1069 necessary, and then route it. While routing a sender address, set
1070 $sender_address to <> because that is what it will be if we were trying to
1071 send a bounce to the sender. */
1073 if (routed != NULL) *routed = FALSE;
1074 if ((rc = deliver_split_address(addr)) == OK)
1076 if (!is_recipient) sender_address = null_sender;
1077 rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
1078 &addr_succeed, verify_type);
1079 sender_address = save_sender; /* Put back the real sender */
1082 /* If routing an address succeeded, set the flag that remembers, for use when
1083 an ACL cached a sender verify (in case a callout fails). Then if routing set
1084 up a list of hosts or the transport has a host list, and the callout option
1085 is set, and we aren't in a host checking run, do the callout verification,
1086 and set another flag that notes that a callout happened. */
1090 if (routed != NULL) *routed = TRUE;
1093 host_item *host_list = addr->host_list;
1095 /* Make up some data for use in the case where there is no remote
1098 transport_feedback tf = {
1099 NULL, /* interface (=> any) */
1100 US"smtp", /* port */
1101 US"smtp", /* protocol */
1103 US"$smtp_active_hostname", /* helo_data */
1104 FALSE, /* hosts_override */
1105 FALSE, /* hosts_randomize */
1106 FALSE, /* gethostbyname */
1107 TRUE, /* qualify_single */
1108 FALSE /* search_parents */
1111 /* If verification yielded a remote transport, we want to use that
1112 transport's options, so as to mimic what would happen if we were really
1113 sending a message to this address. */
1115 if (addr->transport != NULL && !addr->transport->info->local)
1117 (void)(addr->transport->setup)(addr->transport, addr, &tf, 0, 0, NULL);
1119 /* If the transport has hosts and the router does not, or if the
1120 transport is configured to override the router's hosts, we must build a
1121 host list of the transport's hosts, and find the IP addresses */
1123 if (tf.hosts != NULL && (host_list == NULL || tf.hosts_override))
1126 uschar *save_deliver_domain = deliver_domain;
1127 uschar *save_deliver_localpart = deliver_localpart;
1129 host_list = NULL; /* Ignore the router's hosts */
1131 deliver_domain = addr->domain;
1132 deliver_localpart = addr->local_part;
1133 s = expand_string(tf.hosts);
1134 deliver_domain = save_deliver_domain;
1135 deliver_localpart = save_deliver_localpart;
1139 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand list of hosts "
1140 "\"%s\" in %s transport for callout: %s", tf.hosts,
1141 addr->transport->name, expand_string_message);
1146 uschar *canonical_name;
1147 host_item *host, *nexthost;
1148 host_build_hostlist(&host_list, s, tf.hosts_randomize);
1150 /* Just ignore failures to find a host address. If we don't manage
1151 to find any addresses, the callout will defer. Note that more than
1152 one address may be found for a single host, which will result in
1153 additional host items being inserted into the chain. Hence we must
1154 save the next host first. */
1156 flags = HOST_FIND_BY_A;
1157 if (tf.qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
1158 if (tf.search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
1160 for (host = host_list; host != NULL; host = nexthost)
1162 nexthost = host->next;
1163 if (tf.gethostbyname ||
1164 string_is_ip_address(host->name, NULL) != 0)
1165 (void)host_find_byname(host, NULL, flags, &canonical_name, TRUE);
1167 (void)host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
1168 &canonical_name, NULL);
1174 /* Can only do a callout if we have at least one host! If the callout
1175 fails, it will have set ${sender,recipient}_verify_failure. */
1177 if (host_list != NULL)
1179 HDEBUG(D_verify) debug_printf("Attempting full verification using callout\n");
1180 if (host_checking && !host_checking_callout)
1183 debug_printf("... callout omitted by default when host testing\n"
1184 "(Use -bhc if you want the callouts to happen.)\n");
1188 rc = do_callout(addr, host_list, &tf, callout, callout_overall,
1189 callout_connect, options, se_mailfrom, pm_mailfrom);
1194 HDEBUG(D_verify) debug_printf("Cannot do callout: neither router nor "
1195 "transport provided a host list\n");
1200 /* Otherwise, any failure is a routing failure */
1202 else *failure_ptr = US"route";
1204 /* A router may return REROUTED if it has set up a child address as a result
1205 of a change of domain name (typically from widening). In this case we always
1206 want to continue to verify the new child. */
1208 if (rc == REROUTED) continue;
1210 /* Handle hard failures */
1217 address_item *p = addr->parent;
1219 fprintf(f, "%s%s %s", ko_prefix, full_info? addr->address : address,
1220 address_test_mode? "is undeliverable" : "failed to verify");
1221 if (!expn && admin_user)
1223 if (addr->basic_errno > 0)
1224 fprintf(f, ": %s", strerror(addr->basic_errno));
1225 if (addr->message != NULL)
1226 fprintf(f, ": %s", addr->message);
1229 /* Show parents iff doing full info */
1231 if (full_info) while (p != NULL)
1233 fprintf(f, "%s\n <-- %s", cr, p->address);
1236 fprintf(f, "%s\n", cr);
1239 if (!full_info) return copy_error(vaddr, addr, FAIL);
1245 else if (rc == DEFER)
1250 address_item *p = addr->parent;
1251 fprintf(f, "%s%s cannot be resolved at this time", ko_prefix,
1252 full_info? addr->address : address);
1253 if (!expn && admin_user)
1255 if (addr->basic_errno > 0)
1256 fprintf(f, ": %s", strerror(addr->basic_errno));
1257 if (addr->message != NULL)
1258 fprintf(f, ": %s", addr->message);
1259 else if (addr->basic_errno <= 0)
1260 fprintf(f, ": unknown error");
1263 /* Show parents iff doing full info */
1265 if (full_info) while (p != NULL)
1267 fprintf(f, "%s\n <-- %s", cr, p->address);
1270 fprintf(f, "%s\n", cr);
1273 if (!full_info) return copy_error(vaddr, addr, DEFER);
1274 else if (yield == OK) yield = DEFER;
1277 /* If we are handling EXPN, we do not want to continue to route beyond
1278 the top level (whose address is in "address"). */
1282 uschar *ok_prefix = US"250-";
1283 if (addr_new == NULL)
1285 if (addr_local == NULL && addr_remote == NULL)
1286 fprintf(f, "250 mail to <%s> is discarded\r\n", address);
1288 fprintf(f, "250 <%s>\r\n", address);
1290 else while (addr_new != NULL)
1292 address_item *addr2 = addr_new;
1293 addr_new = addr2->next;
1294 if (addr_new == NULL) ok_prefix = US"250 ";
1295 fprintf(f, "%s<%s>\r\n", ok_prefix, addr2->address);
1300 /* Successful routing other than EXPN. */
1304 /* Handle successful routing when short info wanted. Otherwise continue for
1305 other (generated) addresses. Short info is the operational case. Full info
1306 can be requested only when debug_selector != 0 and a file is supplied.
1308 There is a conflict between the use of aliasing as an alternate email
1309 address, and as a sort of mailing list. If an alias turns the incoming
1310 address into just one address (e.g. J.Caesar->jc44) you may well want to
1311 carry on verifying the generated address to ensure it is valid when
1312 checking incoming mail. If aliasing generates multiple addresses, you
1313 probably don't want to do this. Exim therefore treats the generation of
1314 just a single new address as a special case, and continues on to verify the
1315 generated address. */
1317 if (!full_info && /* Stop if short info wanted AND */
1318 (((addr_new == NULL || /* No new address OR */
1319 addr_new->next != NULL || /* More than one new address OR */
1320 testflag(addr_new, af_pfr))) /* New address is pfr */
1322 (addr_new != NULL && /* At least one new address AND */
1323 success_on_redirect))) /* success_on_redirect is set */
1325 if (f != NULL) fprintf(f, "%s %s\n", address,
1326 address_test_mode? "is deliverable" : "verified");
1328 /* If we have carried on to verify a child address, we want the value
1329 of $address_data to be that of the child */
1331 vaddr->p.address_data = addr->p.address_data;
1335 } /* Loop for generated addresses */
1337 /* Display the full results of the successful routing, including any generated
1338 addresses. Control gets here only when full_info is set, which requires f not
1339 to be NULL, and this occurs only when a top-level verify is called with the
1340 debugging switch on.
1342 If there are no local and no remote addresses, and there were no pipes, files,
1343 or autoreplies, and there were no errors or deferments, the message is to be
1344 discarded, usually because of the use of :blackhole: in an alias file. */
1346 if (allok && addr_local == NULL && addr_remote == NULL)
1348 fprintf(f, "mail to %s is discarded\n", address);
1352 for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
1354 while (addr_list != NULL)
1356 address_item *addr = addr_list;
1357 address_item *p = addr->parent;
1358 addr_list = addr->next;
1360 fprintf(f, "%s", CS addr->address);
1361 #ifdef EXPERIMENTAL_SRS
1362 if(addr->p.srs_sender)
1363 fprintf(f, " [srs = %s]", addr->p.srs_sender);
1366 /* If the address is a duplicate, show something about it. */
1368 if (!testflag(addr, af_pfr))
1371 if ((tnode = tree_search(tree_duplicates, addr->unique)) != NULL)
1372 fprintf(f, " [duplicate, would not be delivered]");
1373 else tree_add_duplicate(addr->unique, addr);
1376 /* Now show its parents */
1380 fprintf(f, "\n <-- %s", p->address);
1385 /* Show router, and transport */
1387 fprintf(f, "router = %s, ", addr->router->name);
1388 fprintf(f, "transport = %s\n", (addr->transport == NULL)? US"unset" :
1389 addr->transport->name);
1391 /* Show any hosts that are set up by a router unless the transport
1392 is going to override them; fiddle a bit to get a nice format. */
1394 if (addr->host_list != NULL && addr->transport != NULL &&
1395 !addr->transport->overrides_hosts)
1400 for (h = addr->host_list; h != NULL; h = h->next)
1402 int len = Ustrlen(h->name);
1403 if (len > maxlen) maxlen = len;
1404 len = (h->address != NULL)? Ustrlen(h->address) : 7;
1405 if (len > maxaddlen) maxaddlen = len;
1407 for (h = addr->host_list; h != NULL; h = h->next)
1409 int len = Ustrlen(h->name);
1410 fprintf(f, " host %s ", h->name);
1411 while (len++ < maxlen) fprintf(f, " ");
1412 if (h->address != NULL)
1414 fprintf(f, "[%s] ", h->address);
1415 len = Ustrlen(h->address);
1417 else if (!addr->transport->info->local) /* Omit [unknown] for local */
1419 fprintf(f, "[unknown] ");
1423 while (len++ < maxaddlen) fprintf(f," ");
1424 if (h->mx >= 0) fprintf(f, "MX=%d", h->mx);
1425 if (h->port != PORT_NONE) fprintf(f, " port=%d", h->port);
1426 if (h->status == hstatus_unusable) fprintf(f, " ** unusable **");
1433 /* Will be DEFER or FAIL if any one address has, only for full_info (which is
1434 the -bv or -bt case). */
1442 /*************************************************
1443 * Check headers for syntax errors *
1444 *************************************************/
1446 /* This function checks those header lines that contain addresses, and verifies
1447 that all the addresses therein are syntactially correct.
1450 msgptr where to put an error message
1457 verify_check_headers(uschar **msgptr)
1463 for (h = header_list; h != NULL && yield == OK; h = h->next)
1465 if (h->type != htype_from &&
1466 h->type != htype_reply_to &&
1467 h->type != htype_sender &&
1468 h->type != htype_to &&
1469 h->type != htype_cc &&
1470 h->type != htype_bcc)
1473 colon = Ustrchr(h->text, ':');
1475 while (isspace(*s)) s++;
1477 /* Loop for multiple addresses in the header, enabling group syntax. Note
1478 that we have to reset this after the header has been scanned. */
1480 parse_allow_group = TRUE;
1484 uschar *ss = parse_find_address_end(s, FALSE);
1485 uschar *recipient, *errmess;
1486 int terminator = *ss;
1487 int start, end, domain;
1489 /* Temporarily terminate the string at this point, and extract the
1490 operative address within, allowing group syntax. */
1493 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
1496 /* Permit an unqualified address only if the message is local, or if the
1497 sending host is configured to be permitted to send them. */
1499 if (recipient != NULL && domain == 0)
1501 if (h->type == htype_from || h->type == htype_sender)
1503 if (!allow_unqualified_sender) recipient = NULL;
1507 if (!allow_unqualified_recipient) recipient = NULL;
1509 if (recipient == NULL) errmess = US"unqualified address not permitted";
1512 /* It's an error if no address could be extracted, except for the special
1513 case of an empty address. */
1515 if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0)
1517 uschar *verb = US"is";
1522 /* Arrange not to include any white space at the end in the
1523 error message or the header name. */
1525 while (t > s && isspace(t[-1])) t--;
1526 while (tt > h->text && isspace(tt[-1])) tt--;
1528 /* Add the address that failed to the error message, since in a
1529 header with very many addresses it is sometimes hard to spot
1530 which one is at fault. However, limit the amount of address to
1531 quote - cases have been seen where, for example, a missing double
1532 quote in a humungous To: header creates an "address" that is longer
1533 than string_sprintf can handle. */
1542 *msgptr = string_printing(
1543 string_sprintf("%s: failing address in \"%.*s:\" header %s: %.*s",
1544 errmess, tt - h->text, h->text, verb, len, s));
1547 break; /* Out of address loop */
1550 /* Advance to the next address */
1552 s = ss + (terminator? 1:0);
1553 while (isspace(*s)) s++;
1554 } /* Next address */
1556 parse_allow_group = FALSE;
1557 parse_found_group = FALSE;
1558 } /* Next header unless yield has been set FALSE */
1565 /*************************************************
1566 * Check for blind recipients *
1567 *************************************************/
1569 /* This function checks that every (envelope) recipient is mentioned in either
1570 the To: or Cc: header lines, thus detecting blind carbon copies.
1572 There are two ways of scanning that could be used: either scan the header lines
1573 and tick off the recipients, or scan the recipients and check the header lines.
1574 The original proposed patch did the former, but I have chosen to do the latter,
1575 because (a) it requires no memory and (b) will use fewer resources when there
1576 are many addresses in To: and/or Cc: and only one or two envelope recipients.
1579 Returns: OK if there are no blind recipients
1580 FAIL if there is at least one blind recipient
1584 verify_check_notblind(void)
1587 for (i = 0; i < recipients_count; i++)
1591 uschar *address = recipients_list[i].address;
1593 for (h = header_list; !found && h != NULL; h = h->next)
1597 if (h->type != htype_to && h->type != htype_cc) continue;
1599 colon = Ustrchr(h->text, ':');
1601 while (isspace(*s)) s++;
1603 /* Loop for multiple addresses in the header, enabling group syntax. Note
1604 that we have to reset this after the header has been scanned. */
1606 parse_allow_group = TRUE;
1610 uschar *ss = parse_find_address_end(s, FALSE);
1611 uschar *recipient,*errmess;
1612 int terminator = *ss;
1613 int start, end, domain;
1615 /* Temporarily terminate the string at this point, and extract the
1616 operative address within, allowing group syntax. */
1619 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
1622 /* If we found a valid recipient that has a domain, compare it with the
1623 envelope recipient. Local parts are compared case-sensitively, domains
1624 case-insensitively. By comparing from the start with length "domain", we
1625 include the "@" at the end, which ensures that we are comparing the whole
1626 local part of each address. */
1628 if (recipient != NULL && domain != 0)
1630 found = Ustrncmp(recipient, address, domain) == 0 &&
1631 strcmpic(recipient + domain, address + domain) == 0;
1635 /* Advance to the next address */
1637 s = ss + (terminator? 1:0);
1638 while (isspace(*s)) s++;
1639 } /* Next address */
1641 parse_allow_group = FALSE;
1642 parse_found_group = FALSE;
1643 } /* Next header (if found is false) */
1645 if (!found) return FAIL;
1646 } /* Next recipient */
1653 /*************************************************
1654 * Find if verified sender *
1655 *************************************************/
1657 /* Usually, just a single address is verified as the sender of the message.
1658 However, Exim can be made to verify other addresses as well (often related in
1659 some way), and this is useful in some environments. There may therefore be a
1660 chain of such addresses that have previously been tested. This function finds
1661 whether a given address is on the chain.
1663 Arguments: the address to be verified
1664 Returns: pointer to an address item, or NULL
1668 verify_checked_sender(uschar *sender)
1671 for (addr = sender_verified_list; addr != NULL; addr = addr->next)
1672 if (Ustrcmp(sender, addr->address) == 0) break;
1680 /*************************************************
1681 * Get valid header address *
1682 *************************************************/
1684 /* Scan the originator headers of the message, looking for an address that
1685 verifies successfully. RFC 822 says:
1687 o The "Sender" field mailbox should be sent notices of
1688 any problems in transport or delivery of the original
1689 messages. If there is no "Sender" field, then the
1690 "From" field mailbox should be used.
1692 o If the "Reply-To" field exists, then the reply should
1693 go to the addresses indicated in that field and not to
1694 the address(es) indicated in the "From" field.
1696 So we check a Sender field if there is one, else a Reply_to field, else a From
1697 field. As some strange messages may have more than one of these fields,
1698 especially if they are resent- fields, check all of them if there is more than
1702 user_msgptr points to where to put a user error message
1703 log_msgptr points to where to put a log error message
1704 callout timeout for callout check (passed to verify_address())
1705 callout_overall overall callout timeout (ditto)
1706 callout_connect connect callout timeout (ditto)
1707 se_mailfrom mailfrom for verify; NULL => ""
1708 pm_mailfrom sender for pm callout check (passed to verify_address())
1709 options callout options (passed to verify_address())
1710 verrno where to put the address basic_errno
1712 If log_msgptr is set to something without setting user_msgptr, the caller
1713 normally uses log_msgptr for both things.
1715 Returns: result of the verification attempt: OK, FAIL, or DEFER;
1716 FAIL is given if no appropriate headers are found
1720 verify_check_header_address(uschar **user_msgptr, uschar **log_msgptr,
1721 int callout, int callout_overall, int callout_connect, uschar *se_mailfrom,
1722 uschar *pm_mailfrom, int options, int *verrno)
1724 static int header_types[] = { htype_sender, htype_reply_to, htype_from };
1729 for (i = 0; i < 3 && !done; i++)
1732 for (h = header_list; h != NULL && !done; h = h->next)
1734 int terminator, new_ok;
1735 uschar *s, *ss, *endname;
1737 if (h->type != header_types[i]) continue;
1738 s = endname = Ustrchr(h->text, ':') + 1;
1740 /* Scan the addresses in the header, enabling group syntax. Note that we
1741 have to reset this after the header has been scanned. */
1743 parse_allow_group = TRUE;
1747 address_item *vaddr;
1749 while (isspace(*s) || *s == ',') s++;
1750 if (*s == 0) break; /* End of header */
1752 ss = parse_find_address_end(s, FALSE);
1754 /* The terminator is a comma or end of header, but there may be white
1755 space preceding it (including newline for the last address). Move back
1756 past any white space so we can check against any cached envelope sender
1757 address verifications. */
1759 while (isspace(ss[-1])) ss--;
1763 HDEBUG(D_verify) debug_printf("verifying %.*s header address %s\n",
1764 (int)(endname - h->text), h->text, s);
1766 /* See if we have already verified this address as an envelope sender,
1767 and if so, use the previous answer. */
1769 vaddr = verify_checked_sender(s);
1771 if (vaddr != NULL && /* Previously checked */
1772 (callout <= 0 || /* No callout needed; OR */
1773 vaddr->special_action > 256)) /* Callout was done */
1775 new_ok = vaddr->special_action & 255;
1776 HDEBUG(D_verify) debug_printf("previously checked as envelope sender\n");
1777 *ss = terminator; /* Restore shortened string */
1780 /* Otherwise we run the verification now. We must restore the shortened
1781 string before running the verification, so the headers are correct, in
1782 case there is any rewriting. */
1786 int start, end, domain;
1787 uschar *address = parse_extract_address(s, log_msgptr, &start, &end,
1792 /* If we found an empty address, just carry on with the next one, but
1793 kill the message. */
1795 if (address == NULL && Ustrcmp(*log_msgptr, "empty address") == 0)
1802 /* If verification failed because of a syntax error, fail this
1803 function, and ensure that the failing address gets added to the error
1806 if (address == NULL)
1809 while (ss > s && isspace(ss[-1])) ss--;
1810 *log_msgptr = string_sprintf("syntax error in '%.*s' header when "
1811 "scanning for sender: %s in \"%.*s\"",
1812 endname - h->text, h->text, *log_msgptr, ss - s, s);
1818 /* Else go ahead with the sender verification. But it isn't *the*
1819 sender of the message, so set vopt_fake_sender to stop sender_address
1820 being replaced after rewriting or qualification. */
1824 vaddr = deliver_make_addr(address, FALSE);
1825 new_ok = verify_address(vaddr, NULL, options | vopt_fake_sender,
1826 callout, callout_overall, callout_connect, se_mailfrom,
1831 /* We now have the result, either newly found, or cached. If we are
1832 giving out error details, set a specific user error. This means that the
1833 last of these will be returned to the user if all three fail. We do not
1834 set a log message - the generic one below will be used. */
1838 *verrno = vaddr->basic_errno;
1839 if (smtp_return_error_details)
1841 *user_msgptr = string_sprintf("Rejected after DATA: "
1842 "could not verify \"%.*s\" header address\n%s: %s",
1843 endname - h->text, h->text, vaddr->address, vaddr->message);
1847 /* Success or defer */
1856 if (new_ok == DEFER) yield = DEFER;
1858 /* Move on to any more addresses in the header */
1861 } /* Next address */
1863 parse_allow_group = FALSE;
1864 parse_found_group = FALSE;
1865 } /* Next header, unless done */
1866 } /* Next header type unless done */
1868 if (yield == FAIL && *log_msgptr == NULL)
1869 *log_msgptr = US"there is no valid sender in any header line";
1871 if (yield == DEFER && *log_msgptr == NULL)
1872 *log_msgptr = US"all attempts to verify a sender in a header line deferred";
1880 /*************************************************
1881 * Get RFC 1413 identification *
1882 *************************************************/
1884 /* Attempt to get an id from the sending machine via the RFC 1413 protocol. If
1885 the timeout is set to zero, then the query is not done. There may also be lists
1886 of hosts and nets which are exempt. To guard against malefactors sending
1887 non-printing characters which could, for example, disrupt a message's headers,
1888 make sure the string consists of printing characters only.
1891 port the port to connect to; usually this is IDENT_PORT (113), but when
1892 running in the test harness with -bh a different value is used.
1896 Side effect: any received ident value is put in sender_ident (NULL otherwise)
1900 verify_get_ident(int port)
1902 int sock, host_af, qlen;
1903 int received_sender_port, received_interface_port, n;
1905 uschar buffer[2048];
1907 /* Default is no ident. Check whether we want to do an ident check for this
1910 sender_ident = NULL;
1911 if (rfc1413_query_timeout <= 0 || verify_check_host(&rfc1413_hosts) != OK)
1914 DEBUG(D_ident) debug_printf("doing ident callback\n");
1916 /* Set up a connection to the ident port of the remote host. Bind the local end
1917 to the incoming interface address. If the sender host address is an IPv6
1918 address, the incoming interface address will also be IPv6. */
1920 host_af = (Ustrchr(sender_host_address, ':') == NULL)? AF_INET : AF_INET6;
1921 sock = ip_socket(SOCK_STREAM, host_af);
1922 if (sock < 0) return;
1924 if (ip_bind(sock, host_af, interface_address, 0) < 0)
1926 DEBUG(D_ident) debug_printf("bind socket for ident failed: %s\n",
1931 if (ip_connect(sock, host_af, sender_host_address, port, rfc1413_query_timeout)
1934 if (errno == ETIMEDOUT && (log_extra_selector & LX_ident_timeout) != 0)
1936 log_write(0, LOG_MAIN, "ident connection to %s timed out",
1937 sender_host_address);
1941 DEBUG(D_ident) debug_printf("ident connection to %s failed: %s\n",
1942 sender_host_address, strerror(errno));
1947 /* Construct and send the query. */
1949 sprintf(CS buffer, "%d , %d\r\n", sender_host_port, interface_port);
1950 qlen = Ustrlen(buffer);
1951 if (send(sock, buffer, qlen, 0) < 0)
1953 DEBUG(D_ident) debug_printf("ident send failed: %s\n", strerror(errno));
1957 /* Read a response line. We put it into the rest of the buffer, using several
1958 recv() calls if necessary. */
1966 int size = sizeof(buffer) - (p - buffer);
1968 if (size <= 0) goto END_OFF; /* Buffer filled without seeing \n. */
1969 count = ip_recv(sock, p, size, rfc1413_query_timeout);
1970 if (count <= 0) goto END_OFF; /* Read error or EOF */
1972 /* Scan what we just read, to see if we have reached the terminating \r\n. Be
1973 generous, and accept a plain \n terminator as well. The only illegal
1976 for (pp = p; pp < p + count; pp++)
1978 if (*pp == 0) goto END_OFF; /* Zero octet not allowed */
1981 if (pp[-1] == '\r') pp--;
1983 goto GOT_DATA; /* Break out of both loops */
1987 /* Reached the end of the data without finding \n. Let the loop continue to
1988 read some more, if there is room. */
1995 /* We have received a line of data. Check it carefully. It must start with the
1996 same two port numbers that we sent, followed by data as defined by the RFC. For
1999 12345 , 25 : USERID : UNIX :root
2001 However, the amount of white space may be different to what we sent. In the
2002 "osname" field there may be several sub-fields, comma separated. The data we
2003 actually want to save follows the third colon. Some systems put leading spaces
2004 in it - we discard those. */
2006 if (sscanf(CS buffer + qlen, "%d , %d%n", &received_sender_port,
2007 &received_interface_port, &n) != 2 ||
2008 received_sender_port != sender_host_port ||
2009 received_interface_port != interface_port)
2012 p = buffer + qlen + n;
2013 while(isspace(*p)) p++;
2014 if (*p++ != ':') goto END_OFF;
2015 while(isspace(*p)) p++;
2016 if (Ustrncmp(p, "USERID", 6) != 0) goto END_OFF;
2018 while(isspace(*p)) p++;
2019 if (*p++ != ':') goto END_OFF;
2020 while (*p != 0 && *p != ':') p++;
2021 if (*p++ == 0) goto END_OFF;
2022 while(isspace(*p)) p++;
2023 if (*p == 0) goto END_OFF;
2025 /* The rest of the line is the data we want. We turn it into printing
2026 characters when we save it, so that it cannot mess up the format of any logging
2027 or Received: lines into which it gets inserted. We keep a maximum of 127
2030 sender_ident = string_printing(string_copyn(p, 127));
2031 DEBUG(D_ident) debug_printf("sender_ident = %s\n", sender_ident);
2041 /*************************************************
2042 * Match host to a single host-list item *
2043 *************************************************/
2045 /* This function compares a host (name or address) against a single item
2046 from a host list. The host name gets looked up if it is needed and is not
2047 already known. The function is called from verify_check_this_host() via
2048 match_check_list(), which is why most of its arguments are in a single block.
2051 arg the argument block (see below)
2052 ss the host-list item
2053 valueptr where to pass back looked up data, or NULL
2054 error for error message when returning ERROR
2057 host_name (a) the host name, or
2058 (b) NULL, implying use sender_host_name and
2059 sender_host_aliases, looking them up if required, or
2060 (c) the empty string, meaning that only IP address matches
2062 host_address the host address
2063 host_ipv4 the IPv4 address taken from an IPv6 one
2067 DEFER lookup deferred
2068 ERROR (a) failed to find the host name or IP address, or
2069 (b) unknown lookup type specified, or
2070 (c) host name encountered when only IP addresses are
2075 check_host(void *arg, uschar *ss, uschar **valueptr, uschar **error)
2077 check_host_block *cb = (check_host_block *)arg;
2080 BOOL iplookup = FALSE;
2081 BOOL isquery = FALSE;
2082 BOOL isiponly = cb->host_name != NULL && cb->host_name[0] == 0;
2087 /* Optimize for the special case when the pattern is "*". */
2089 if (*ss == '*' && ss[1] == 0) return OK;
2091 /* If the pattern is empty, it matches only in the case when there is no host -
2092 this can occur in ACL checking for SMTP input using the -bs option. In this
2093 situation, the host address is the empty string. */
2095 if (cb->host_address[0] == 0) return (*ss == 0)? OK : FAIL;
2096 if (*ss == 0) return FAIL;
2098 /* If the pattern is precisely "@" then match against the primary host name,
2099 provided that host name matching is permitted; if it's "@[]" match against the
2100 local host's IP addresses. */
2106 if (isiponly) return ERROR;
2107 ss = primary_hostname;
2109 else if (Ustrcmp(ss, "@[]") == 0)
2111 ip_address_item *ip;
2112 for (ip = host_find_interfaces(); ip != NULL; ip = ip->next)
2113 if (Ustrcmp(ip->address, cb->host_address) == 0) return OK;
2118 /* If the pattern is an IP address, optionally followed by a bitmask count, do
2119 a (possibly masked) comparision with the current IP address. */
2121 if (string_is_ip_address(ss, &maskoffset) != 0)
2122 return (host_is_in_net(cb->host_address, ss, maskoffset)? OK : FAIL);
2124 /* The pattern is not an IP address. A common error that people make is to omit
2125 one component of an IPv4 address, either by accident, or believing that, for
2126 example, 1.2.3/24 is the same as 1.2.3.0/24, or 1.2.3 is the same as 1.2.3.0,
2127 which it isn't. (Those applications that do accept 1.2.3 as an IP address
2128 interpret it as 1.2.0.3 because the final component becomes 16-bit - this is an
2129 ancient specification.) To aid in debugging these cases, we give a specific
2130 error if the pattern contains only digits and dots or contains a slash preceded
2131 only by digits and dots (a slash at the start indicates a file name and of
2132 course slashes may be present in lookups, but not preceded only by digits and
2135 for (t = ss; isdigit(*t) || *t == '.'; t++);
2136 if (*t == 0 || (*t == '/' && t != ss))
2138 *error = US"malformed IPv4 address or address mask";
2142 /* See if there is a semicolon in the pattern */
2144 semicolon = Ustrchr(ss, ';');
2146 /* If we are doing an IP address only match, then all lookups must be IP
2147 address lookups, even if there is no "net-". */
2151 iplookup = semicolon != NULL;
2154 /* Otherwise, if the item is of the form net[n]-lookup;<file|query> then it is
2155 a lookup on a masked IP network, in textual form. We obey this code even if we
2156 have already set iplookup, so as to skip over the "net-" prefix and to set the
2157 mask length. The net- stuff really only applies to single-key lookups where the
2158 key is implicit. For query-style lookups the key is specified in the query.
2159 From release 4.30, the use of net- for query style is no longer needed, but we
2160 retain it for backward compatibility. */
2162 if (Ustrncmp(ss, "net", 3) == 0 && semicolon != NULL)
2165 for (t = ss + 3; isdigit(*t); t++) mlen = mlen * 10 + *t - '0';
2166 if (mlen == 0 && t == ss+3) mlen = -1; /* No mask supplied */
2167 iplookup = (*t++ == '-');
2171 /* Do the IP address lookup if that is indeed what we have */
2179 uschar *filename, *key, *result;
2182 /* Find the search type */
2184 search_type = search_findtype(t, semicolon - t);
2186 if (search_type < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
2187 search_error_message);
2189 /* Adjust parameters for the type of lookup. For a query-style lookup, there
2190 is no file name, and the "key" is just the query. For query-style with a file
2191 name, we have to fish the file off the start of the query. For a single-key
2192 lookup, the key is the current IP address, masked appropriately, and
2193 reconverted to text form, with the mask appended. For IPv6 addresses, specify
2194 dot separators instead of colons. */
2196 if (mac_islookup(search_type, lookup_absfilequery))
2198 filename = semicolon + 1;
2200 while (*key != 0 && !isspace(*key)) key++;
2201 filename = string_copyn(filename, key - filename);
2202 while (isspace(*key)) key++;
2204 else if (mac_islookup(search_type, lookup_querystyle))
2207 key = semicolon + 1;
2211 insize = host_aton(cb->host_address, incoming);
2212 host_mask(insize, incoming, mlen);
2213 (void)host_nmtoa(insize, incoming, mlen, buffer, '.');
2215 filename = semicolon + 1;
2218 /* Now do the actual lookup; note that there is no search_close() because
2219 of the caching arrangements. */
2221 handle = search_open(filename, search_type, 0, NULL, NULL);
2222 if (handle == NULL) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
2223 search_error_message);
2224 result = search_find(handle, filename, key, -1, NULL, 0, 0, NULL);
2225 if (valueptr != NULL) *valueptr = result;
2226 return (result != NULL)? OK : search_find_defer? DEFER: FAIL;
2229 /* The pattern is not an IP address or network reference of any kind. That is,
2230 it is a host name pattern. If this is an IP only match, there's an error in the
2235 *error = US"cannot match host name in match_ip list";
2239 /* Check the characters of the pattern to see if they comprise only letters,
2240 digits, full stops, and hyphens (the constituents of domain names). Allow
2241 underscores, as they are all too commonly found. Sigh. Also, if
2242 allow_utf8_domains is set, allow top-bit characters. */
2244 for (t = ss; *t != 0; t++)
2245 if (!isalnum(*t) && *t != '.' && *t != '-' && *t != '_' &&
2246 (!allow_utf8_domains || *t < 128)) break;
2248 /* If the pattern is a complete domain name, with no fancy characters, look up
2249 its IP address and match against that. Note that a multi-homed host will add
2250 items to the chain. */
2261 rc = host_find_byname(&h, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, FALSE);
2262 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
2265 for (hh = &h; hh != NULL; hh = hh->next)
2267 if (host_is_in_net(hh->address, cb->host_address, 0)) return OK;
2271 if (rc == HOST_FIND_AGAIN) return DEFER;
2272 *error = string_sprintf("failed to find IP address for %s", ss);
2276 /* Almost all subsequent comparisons require the host name, and can be done
2277 using the general string matching function. When this function is called for
2278 outgoing hosts, the name is always given explicitly. If it is NULL, it means we
2279 must use sender_host_name and its aliases, looking them up if necessary. */
2281 if (cb->host_name != NULL) /* Explicit host name given */
2282 return match_check_string(cb->host_name, ss, -1, TRUE, TRUE, TRUE,
2285 /* Host name not given; in principle we need the sender host name and its
2286 aliases. However, for query-style lookups, we do not need the name if the
2287 query does not contain $sender_host_name. From release 4.23, a reference to
2288 $sender_host_name causes it to be looked up, so we don't need to do the lookup
2291 if ((semicolon = Ustrchr(ss, ';')) != NULL)
2294 int partial, affixlen, starflags, id;
2297 id = search_findtype_partial(ss, &partial, &affix, &affixlen, &starflags);
2300 if (id < 0) /* Unknown lookup type */
2302 log_write(0, LOG_MAIN|LOG_PANIC, "%s in host list item \"%s\"",
2303 search_error_message, ss);
2306 isquery = mac_islookup(id, lookup_querystyle|lookup_absfilequery);
2311 switch(match_check_string(US"", ss, -1, TRUE, TRUE, TRUE, valueptr))
2314 case DEFER: return DEFER;
2315 default: return FAIL;
2319 /* Not a query-style lookup; must ensure the host name is present, and then we
2320 do a check on the name and all its aliases. */
2322 if (sender_host_name == NULL)
2324 HDEBUG(D_host_lookup)
2325 debug_printf("sender host name required, to match against %s\n", ss);
2326 if (host_lookup_failed || host_name_lookup() != OK)
2328 *error = string_sprintf("failed to find host name for %s",
2329 sender_host_address);;
2332 host_build_sender_fullhost();
2335 /* Match on the sender host name, using the general matching function */
2337 switch(match_check_string(sender_host_name, ss, -1, TRUE, TRUE, TRUE,
2341 case DEFER: return DEFER;
2344 /* If there are aliases, try matching on them. */
2346 aliases = sender_host_aliases;
2347 while (*aliases != NULL)
2349 switch(match_check_string(*aliases++, ss, -1, TRUE, TRUE, TRUE, valueptr))
2352 case DEFER: return DEFER;
2361 /*************************************************
2362 * Check a specific host matches a host list *
2363 *************************************************/
2365 /* This function is passed a host list containing items in a number of
2366 different formats and the identity of a host. Its job is to determine whether
2367 the given host is in the set of hosts defined by the list. The host name is
2368 passed as a pointer so that it can be looked up if needed and not already
2369 known. This is commonly the case when called from verify_check_host() to check
2370 an incoming connection. When called from elsewhere the host name should usually
2373 This function is now just a front end to match_check_list(), which runs common
2374 code for scanning a list. We pass it the check_host() function to perform a
2378 listptr pointer to the host list
2379 cache_bits pointer to cache for named lists, or NULL
2380 host_name the host name or NULL, implying use sender_host_name and
2381 sender_host_aliases, looking them up if required
2382 host_address the IP address
2383 valueptr if not NULL, data from a lookup is passed back here
2385 Returns: OK if the host is in the defined set
2386 FAIL if the host is not in the defined set,
2387 DEFER if a data lookup deferred (not a host lookup)
2389 If the host name was needed in order to make a comparison, and could not be
2390 determined from the IP address, the result is FAIL unless the item
2391 "+allow_unknown" was met earlier in the list, in which case OK is returned. */
2394 verify_check_this_host(uschar **listptr, unsigned int *cache_bits,
2395 uschar *host_name, uschar *host_address, uschar **valueptr)
2398 unsigned int *local_cache_bits = cache_bits;
2399 uschar *save_host_address = deliver_host_address;
2400 check_host_block cb;
2401 cb.host_name = host_name;
2402 cb.host_address = host_address;
2404 if (valueptr != NULL) *valueptr = NULL;
2406 /* If the host address starts off ::ffff: it is an IPv6 address in
2407 IPv4-compatible mode. Find the IPv4 part for checking against IPv4
2410 cb.host_ipv4 = (Ustrncmp(host_address, "::ffff:", 7) == 0)?
2411 host_address + 7 : host_address;
2413 /* During the running of the check, put the IP address into $host_address. In
2414 the case of calls from the smtp transport, it will already be there. However,
2415 in other calls (e.g. when testing ignore_target_hosts), it won't. Just to be on
2416 the safe side, any existing setting is preserved, though as I write this
2417 (November 2004) I can't see any cases where it is actually needed. */
2419 deliver_host_address = host_address;
2420 rc = match_check_list(
2421 listptr, /* the list */
2422 0, /* separator character */
2423 &hostlist_anchor, /* anchor pointer */
2424 &local_cache_bits, /* cache pointer */
2425 check_host, /* function for testing */
2426 &cb, /* argument for function */
2427 MCL_HOST, /* type of check */
2428 (host_address == sender_host_address)?
2429 US"host" : host_address, /* text for debugging */
2430 valueptr); /* where to pass back data */
2431 deliver_host_address = save_host_address;
2438 /*************************************************
2439 * Check the remote host matches a list *
2440 *************************************************/
2442 /* This is a front end to verify_check_this_host(), created because checking
2443 the remote host is a common occurrence. With luck, a good compiler will spot
2444 the tail recursion and optimize it. If there's no host address, this is
2445 command-line SMTP input - check against an empty string for the address.
2448 listptr pointer to the host list
2450 Returns: the yield of verify_check_this_host(),
2451 i.e. OK, FAIL, or DEFER
2455 verify_check_host(uschar **listptr)
2457 return verify_check_this_host(listptr, sender_host_cache, NULL,
2458 (sender_host_address == NULL)? US"" : sender_host_address, NULL);
2465 /*************************************************
2466 * Invert an IP address for a DNS black list *
2467 *************************************************/
2471 buffer where to put the answer
2472 address the address to invert
2476 invert_address(uschar *buffer, uschar *address)
2479 uschar *bptr = buffer;
2481 /* If this is an IPv4 address mapped into IPv6 format, adjust the pointer
2482 to the IPv4 part only. */
2484 if (Ustrncmp(address, "::ffff:", 7) == 0) address += 7;
2486 /* Handle IPv4 address: when HAVE_IPV6 is false, the result of host_aton() is
2489 if (host_aton(address, bin) == 1)
2493 for (i = 0; i < 4; i++)
2495 sprintf(CS bptr, "%d.", x & 255);
2496 while (*bptr) bptr++;
2501 /* Handle IPv6 address. Actually, as far as I know, there are no IPv6 addresses
2502 in any DNS black lists, and the format in which they will be looked up is
2503 unknown. This is just a guess. */
2509 for (j = 3; j >= 0; j--)
2512 for (i = 0; i < 8; i++)
2514 sprintf(CS bptr, "%x.", x & 15);
2515 while (*bptr) bptr++;
2522 /* Remove trailing period -- this is needed so that both arbitrary
2523 dnsbl keydomains and inverted addresses may be combined with the
2524 same format string, "%s.%s" */
2531 /*************************************************
2532 * Perform a single dnsbl lookup *
2533 *************************************************/
2535 /* This function is called from verify_check_dnsbl() below. It is also called
2536 recursively from within itself when domain and domain_txt are different
2537 pointers, in order to get the TXT record from the alternate domain.
2540 domain the outer dnsbl domain
2541 domain_txt alternate domain to lookup TXT record on success; when the
2542 same domain is to be used, domain_txt == domain (that is,
2543 the pointers must be identical, not just the text)
2544 keydomain the current keydomain (for debug message)
2545 prepend subdomain to lookup (like keydomain, but
2546 reversed if IP address)
2547 iplist the list of matching IP addresses, or NULL for "any"
2548 bitmask true if bitmask matching is wanted
2549 match_type condition for 'succeed' result
2550 0 => Any RR in iplist (=)
2551 1 => No RR in iplist (!=)
2552 2 => All RRs in iplist (==)
2553 3 => Some RRs not in iplist (!==)
2554 the two bits are defined as MT_NOT and MT_ALL
2555 defer_return what to return for a defer
2557 Returns: OK if lookup succeeded
2562 one_check_dnsbl(uschar *domain, uschar *domain_txt, uschar *keydomain,
2563 uschar *prepend, uschar *iplist, BOOL bitmask, int match_type,
2569 dnsbl_cache_block *cb;
2570 int old_pool = store_pool;
2571 uschar query[256]; /* DNS domain max length */
2573 /* Construct the specific query domainname */
2575 if (!string_format(query, sizeof(query), "%s.%s", prepend, domain))
2577 log_write(0, LOG_MAIN|LOG_PANIC, "dnslist query is too long "
2578 "(ignored): %s...", query);
2582 /* Look for this query in the cache. */
2584 t = tree_search(dnsbl_cache, query);
2586 /* If not cached from a previous lookup, we must do a DNS lookup, and
2587 cache the result in permanent memory. */
2591 store_pool = POOL_PERM;
2593 /* Set up a tree entry to cache the lookup */
2595 t = store_get(sizeof(tree_node) + Ustrlen(query));
2596 Ustrcpy(t->name, query);
2597 t->data.ptr = cb = store_get(sizeof(dnsbl_cache_block));
2598 (void)tree_insertnode(&dnsbl_cache, t);
2600 /* Do the DNS loopup . */
2602 HDEBUG(D_dnsbl) debug_printf("new DNS lookup for %s\n", query);
2603 cb->rc = dns_basic_lookup(&dnsa, query, T_A);
2604 cb->text_set = FALSE;
2608 /* If the lookup succeeded, cache the RHS address. The code allows for
2609 more than one address - this was for complete generality and the possible
2610 use of A6 records. However, A6 records have been reduced to experimental
2611 status (August 2001) and may die out. So they may never get used at all,
2612 let alone in dnsbl records. However, leave the code here, just in case.
2614 Quite apart from one A6 RR generating multiple addresses, there are DNS
2615 lists that return more than one A record, so we must handle multiple
2616 addresses generated in that way as well. */
2618 if (cb->rc == DNS_SUCCEED)
2621 dns_address **addrp = &(cb->rhs);
2622 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
2624 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
2626 if (rr->type == T_A)
2628 dns_address *da = dns_address_from_rr(&dnsa, rr);
2632 while (da->next != NULL) da = da->next;
2633 addrp = &(da->next);
2638 /* If we didn't find any A records, change the return code. This can
2639 happen when there is a CNAME record but there are no A records for what
2642 if (cb->rhs == NULL) cb->rc = DNS_NODATA;
2645 store_pool = old_pool;
2648 /* Previous lookup was cached */
2652 HDEBUG(D_dnsbl) debug_printf("using result of previous DNS lookup\n");
2656 /* We now have the result of the DNS lookup, either newly done, or cached
2657 from a previous call. If the lookup succeeded, check against the address
2658 list if there is one. This may be a positive equality list (introduced by
2659 "="), a negative equality list (introduced by "!="), a positive bitmask
2660 list (introduced by "&"), or a negative bitmask list (introduced by "!&").*/
2662 if (cb->rc == DNS_SUCCEED)
2664 dns_address *da = NULL;
2665 uschar *addlist = cb->rhs->address;
2667 /* For A and AAAA records, there may be multiple addresses from multiple
2668 records. For A6 records (currently not expected to be used) there may be
2669 multiple addresses from a single record. */
2671 for (da = cb->rhs->next; da != NULL; da = da->next)
2672 addlist = string_sprintf("%s, %s", addlist, da->address);
2674 HDEBUG(D_dnsbl) debug_printf("DNS lookup for %s succeeded (yielding %s)\n",
2677 /* Address list check; this can be either for equality, or via a bitmask.
2678 In the latter case, all the bits must match. */
2682 for (da = cb->rhs; da != NULL; da = da->next)
2686 uschar *ptr = iplist;
2689 /* Handle exact matching */
2693 while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))) != NULL)
2695 if (Ustrcmp(CS da->address, ip) == 0) break;
2699 /* Handle bitmask matching */
2706 /* At present, all known DNS blocking lists use A records, with
2707 IPv4 addresses on the RHS encoding the information they return. I
2708 wonder if this will linger on as the last vestige of IPv4 when IPv6
2709 is ubiquitous? Anyway, for now we use paranoia code to completely
2710 ignore IPv6 addresses. The default mask is 0, which always matches.
2711 We change this only for IPv4 addresses in the list. */
2713 if (host_aton(da->address, address) == 1) mask = address[0];
2715 /* Scan the returned addresses, skipping any that are IPv6 */
2717 while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))) != NULL)
2719 if (host_aton(ip, address) != 1) continue;
2720 if ((address[0] & mask) == address[0]) break;
2726 (a) An IP address in an any ('=') list matched, or
2727 (b) No IP address in an all ('==') list matched
2729 then we're done searching. */
2731 if (((match_type & MT_ALL) != 0) == (res == NULL)) break;
2734 /* If da == NULL, either
2736 (a) No IP address in an any ('=') list matched, or
2737 (b) An IP address in an all ('==') list didn't match
2739 so behave as if the DNSBL lookup had not succeeded, i.e. the host is not on
2742 if ((match_type == MT_NOT || match_type == MT_ALL) != (da == NULL))
2750 res = US"was no match";
2753 res = US"was an exclude match";
2756 res = US"was an IP address that did not match";
2759 res = US"were no IP addresses that did not match";
2762 debug_printf("=> but we are not accepting this block class because\n");
2763 debug_printf("=> there %s for %s%c%s\n",
2765 ((match_type & MT_ALL) == 0)? "" : "=",
2766 bitmask? '&' : '=', iplist);
2772 /* Either there was no IP list, or the record matched, implying that the
2773 domain is on the list. We now want to find a corresponding TXT record. If an
2774 alternate domain is specified for the TXT record, call this function
2775 recursively to look that up; this has the side effect of re-checking that
2776 there is indeed an A record at the alternate domain. */
2778 if (domain_txt != domain)
2779 return one_check_dnsbl(domain_txt, domain_txt, keydomain, prepend, NULL,
2780 FALSE, match_type, defer_return);
2782 /* If there is no alternate domain, look up a TXT record in the main domain
2783 if it has not previously been cached. */
2787 cb->text_set = TRUE;
2788 if (dns_basic_lookup(&dnsa, query, T_TXT) == DNS_SUCCEED)
2791 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
2793 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
2794 if (rr->type == T_TXT) break;
2797 int len = (rr->data)[0];
2798 if (len > 511) len = 127;
2799 store_pool = POOL_PERM;
2800 cb->text = string_sprintf("%.*s", len, (const uschar *)(rr->data+1));
2801 store_pool = old_pool;
2806 dnslist_value = addlist;
2807 dnslist_text = cb->text;
2811 /* There was a problem with the DNS lookup */
2813 if (cb->rc != DNS_NOMATCH && cb->rc != DNS_NODATA)
2815 log_write(L_dnslist_defer, LOG_MAIN,
2816 "DNS list lookup defer (probably timeout) for %s: %s", query,
2817 (defer_return == OK)? US"assumed in list" :
2818 (defer_return == FAIL)? US"assumed not in list" :
2819 US"returned DEFER");
2820 return defer_return;
2823 /* No entry was found in the DNS; continue for next domain */
2827 debug_printf("DNS lookup for %s failed\n", query);
2828 debug_printf("=> that means %s is not listed at %s\n",
2838 /*************************************************
2839 * Check host against DNS black lists *
2840 *************************************************/
2842 /* This function runs checks against a list of DNS black lists, until one
2843 matches. Each item on the list can be of the form
2845 domain=ip-address/key
2847 The domain is the right-most domain that is used for the query, for example,
2848 blackholes.mail-abuse.org. If the IP address is present, there is a match only
2849 if the DNS lookup returns a matching IP address. Several addresses may be
2850 given, comma-separated, for example: x.y.z=127.0.0.1,127.0.0.2.
2852 If no key is given, what is looked up in the domain is the inverted IP address
2853 of the current client host. If a key is given, it is used to construct the
2854 domain for the lookup. For example:
2856 dsn.rfc-ignorant.org/$sender_address_domain
2858 After finding a match in the DNS, the domain is placed in $dnslist_domain, and
2859 then we check for a TXT record for an error message, and if found, save its
2860 value in $dnslist_text. We also cache everything in a tree, to optimize
2863 The TXT record is normally looked up in the same domain as the A record, but
2864 when many lists are combined in a single DNS domain, this will not be a very
2865 specific message. It is possible to specify a different domain for looking up
2866 TXT records; this is given before the main domain, comma-separated. For
2869 dnslists = http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \
2870 socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3
2872 The caching ensures that only one lookup in dnsbl.sorbs.net is done.
2874 Note: an address for testing RBL is 192.203.178.39
2875 Note: an address for testing DUL is 192.203.178.4
2876 Note: a domain for testing RFCI is example.tld.dsn.rfc-ignorant.org
2879 listptr the domain/address/data list
2881 Returns: OK successful lookup (i.e. the address is on the list), or
2882 lookup deferred after +include_unknown
2883 FAIL name not found, or no data found for the given type, or
2884 lookup deferred after +exclude_unknown (default)
2885 DEFER lookup failure, if +defer_unknown was set
2889 verify_check_dnsbl(uschar **listptr)
2892 int defer_return = FAIL;
2893 uschar *list = *listptr;
2896 uschar buffer[1024];
2897 uschar revadd[128]; /* Long enough for IPv6 address */
2899 /* Indicate that the inverted IP address is not yet set up */
2903 /* In case this is the first time the DNS resolver is being used. */
2905 dns_init(FALSE, FALSE);
2907 /* Loop through all the domains supplied, until something matches */
2909 while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
2912 BOOL bitmask = FALSE;
2919 HDEBUG(D_dnsbl) debug_printf("DNS list check: %s\n", domain);
2921 /* Deal with special values that change the behaviour on defer */
2923 if (domain[0] == '+')
2925 if (strcmpic(domain, US"+include_unknown") == 0) defer_return = OK;
2926 else if (strcmpic(domain, US"+exclude_unknown") == 0) defer_return = FAIL;
2927 else if (strcmpic(domain, US"+defer_unknown") == 0) defer_return = DEFER;
2929 log_write(0, LOG_MAIN|LOG_PANIC, "unknown item in dnslist (ignored): %s",
2934 /* See if there's explicit data to be looked up */
2936 key = Ustrchr(domain, '/');
2937 if (key != NULL) *key++ = 0;
2939 /* See if there's a list of addresses supplied after the domain name. This is
2940 introduced by an = or a & character; if preceded by = we require all matches
2941 and if preceded by ! we invert the result. */
2943 iplist = Ustrchr(domain, '=');
2947 iplist = Ustrchr(domain, '&');
2950 if (iplist != NULL) /* Found either = or & */
2952 if (iplist > domain && iplist[-1] == '!') /* Handle preceding ! */
2954 match_type |= MT_NOT;
2958 *iplist++ = 0; /* Terminate domain, move on */
2960 /* If we found = (bitmask == FALSE), check for == or =& */
2962 if (!bitmask && (*iplist == '=' || *iplist == '&'))
2964 bitmask = *iplist++ == '&';
2965 match_type |= MT_ALL;
2969 /* If there is a comma in the domain, it indicates that a second domain for
2970 looking up TXT records is provided, before the main domain. Otherwise we must
2971 set domain_txt == domain. */
2973 domain_txt = domain;
2974 comma = Ustrchr(domain, ',');
2981 /* Check that what we have left is a sensible domain name. There is no reason
2982 why these domains should in fact use the same syntax as hosts and email
2983 domains, but in practice they seem to. However, there is little point in
2984 actually causing an error here, because that would no doubt hold up incoming
2985 mail. Instead, I'll just log it. */
2987 for (s = domain; *s != 0; s++)
2989 if (!isalnum(*s) && *s != '-' && *s != '.')
2991 log_write(0, LOG_MAIN, "dnslists domain \"%s\" contains "
2992 "strange characters - is this right?", domain);
2997 /* Check the alternate domain if present */
2999 if (domain_txt != domain) for (s = domain_txt; *s != 0; s++)
3001 if (!isalnum(*s) && *s != '-' && *s != '.')
3003 log_write(0, LOG_MAIN, "dnslists domain \"%s\" contains "
3004 "strange characters - is this right?", domain_txt);
3009 /* If there is no key string, construct the query by adding the domain name
3010 onto the inverted host address, and perform a single DNS lookup. */
3014 if (sender_host_address == NULL) return FAIL; /* can never match */
3015 if (revadd[0] == 0) invert_address(revadd, sender_host_address);
3016 rc = one_check_dnsbl(domain, domain_txt, sender_host_address, revadd,
3017 iplist, bitmask, match_type, defer_return);
3020 dnslist_domain = string_copy(domain_txt);
3021 HDEBUG(D_dnsbl) debug_printf("=> that means %s is listed at %s\n",
3022 sender_host_address, dnslist_domain);
3024 if (rc != FAIL) return rc; /* OK or DEFER */
3027 /* If there is a key string, it can be a list of domains or IP addresses to
3028 be concatenated with the main domain. */
3035 uschar keybuffer[256];
3036 uschar keyrevadd[128];
3038 while ((keydomain = string_nextinlist(&key, &keysep, keybuffer,
3039 sizeof(keybuffer))) != NULL)
3041 uschar *prepend = keydomain;
3043 if (string_is_ip_address(keydomain, NULL) != 0)
3045 invert_address(keyrevadd, keydomain);
3046 prepend = keyrevadd;
3049 rc = one_check_dnsbl(domain, domain_txt, keydomain, prepend, iplist,
3050 bitmask, match_type, defer_return);
3054 dnslist_domain = string_copy(domain_txt);
3055 HDEBUG(D_dnsbl) debug_printf("=> that means %s is listed at %s\n",
3056 keydomain, dnslist_domain);
3060 /* If the lookup deferred, remember this fact. We keep trying the rest
3061 of the list to see if we get a useful result, and if we don't, we return
3062 DEFER at the end. */
3064 if (rc == DEFER) defer = TRUE;
3065 } /* continue with next keystring domain/address */
3067 if (defer) return DEFER;
3069 } /* continue with next dnsdb outer domain */
3074 /* End of verify.c */
git://git.exim.org / users / jgh / exim.git / blob