1 /* $Cambridge: exim/src/src/rewrite.c,v 1.5 2009/11/16 19:50:37 nm4 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2009 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Functions concerned with rewriting headers */
15 /* Names for testing rewriting */
17 static const char *rrname[] = {
28 /* Structure and table for finding source of address for debug printing */
30 typedef struct where_list_block {
35 static where_list_block where_list[] = {
36 { rewrite_sender, CUS"sender:" },
37 { rewrite_from, CUS"from:" },
38 { rewrite_to, CUS"to:" },
39 { rewrite_cc, CUS"cc:" },
40 { rewrite_bcc, CUS"bcc:" },
41 { rewrite_replyto, CUS"reply-to:" },
42 { rewrite_envfrom, CUS"env-from" },
43 { rewrite_envto, CUS"env-to" },
44 { rewrite_smtp, CUS"smtp recipient" },
45 { rewrite_smtp|rewrite_smtp_sender, CUS"smtp sender" }
48 static int where_list_size = sizeof(where_list)/sizeof(where_list_block);
52 /*************************************************
53 * Ensure an address is qualified *
54 *************************************************/
59 is_recipient TRUE if a recipient address; FALSE if a sender address
61 Returns: fully-qualified address
65 rewrite_address_qualify(uschar *s, BOOL is_recipient)
67 return (parse_find_at(s) != NULL)? s :
68 string_sprintf("%s@%s", s,
69 is_recipient? qualify_domain_recipient : qualify_domain_sender);
74 /*************************************************
75 * Rewrite a single address *
76 *************************************************/
78 /* The yield is the input address if there is no rewriting to be done. Assume
79 the input is a valid address, except in the case of SMTP-time rewriting, which
80 is handled specially. When this function is called while processing filter and
81 forward files, the uid may be that of the user. Ensure it is reset while
82 expanding a replacement, in case that involves file lookups.
86 flag indicates where this address comes from; it must match the
87 flags in the rewriting rule
88 whole if not NULL, set TRUE if any rewriting rule contained the
89 "whole" bit and it is a header that is being rewritten
90 add_header if TRUE and rewriting occurs, add an "X-rewrote-xxx" header
91 if headers are in existence; this should be TRUE only when
92 a message is being received, not during delivery
93 name name of header, for use when adding X-rewrote-xxxx
94 rewrite_rules chain of rewriting rules
96 Returns: new address if rewritten; the input address if no change;
97 for a header rewrite, if the "whole" bit is set, the entire
98 rewritten address is returned, not just the active bit.
102 rewrite_one(uschar *s, int flag, BOOL *whole, BOOL add_header, uschar *name,
103 rewrite_rule *rewrite_rules)
108 uschar *domain = NULL;
111 int yield_start = 0, yield_end = 0;
113 if (whole != NULL) *whole = FALSE;
115 /* Scan the rewriting rules */
117 for (rule = rewrite_rules;
118 rule != NULL && !done;
119 rule_number++, rule = rule->next)
121 int start, end, pdomain;
123 uschar *save_localpart, *save_domain;
124 uschar *error, *new, *newparsed;
126 /* Ensure that the flag matches the flags in the rule. */
128 if ((rule->flags & flag) == 0) continue;
130 /* Come back here for a repeat after a successful rewrite. We do this
131 only so many times. */
135 /* If this is an SMTP-time rewrite, the pattern must be a regex and
136 the subject may have any structure. No local part or domain variables
137 can be set for the expansion. We expand the pattern in order to be consistent
138 with the other kinds of rewrite, where expansion happens inside
139 match_address_list(). */
141 if ((flag & rewrite_smtp) != 0)
143 uschar *key = expand_string(rule->key);
146 if (!expand_string_forcedfail)
147 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" while "
148 "checking for SMTP rewriting: %s", rule->key, expand_string_message);
151 if (match_check_string(subject, key, 0, TRUE, FALSE, FALSE, NULL) != OK)
153 new = expand_string(rule->replacement);
156 /* All other rewrites expect the input to be a valid address, so local part
157 and domain variables can be set for expansion. For the first rule, to be
158 applied to this address, domain will be NULL and needs to be set. */
162 if (domain == NULL) domain = Ustrrchr(subject, '@') + 1;
164 /* Use the general function for matching an address against a list (here
165 just one item, so use the "impossible value" separator UCHAR_MAX+1). */
167 if (match_address_list(subject, FALSE, TRUE, &(rule->key), NULL, 0,
168 UCHAR_MAX + 1, NULL) != OK)
171 /* The source address matches, and numerical variables have been
172 set up. If the replacement string consists of precisely "*" then no
173 rewriting is required for this address - the behaviour is as for "fail"
174 in the replacement expansion, but assuming the quit flag. */
176 if (Ustrcmp(rule->replacement, "*") == 0) break;
178 /* Otherwise, expand the replacement string. Set $local_part and $domain to
179 the appropriate values, restoring whatever value they previously had
182 save_localpart = deliver_localpart;
183 save_domain = deliver_domain;
185 /* We have subject pointing to "localpart@domain" and domain pointing to
186 the domain. Temporarily terminate the local part so that it can be
187 set up as an expansion variable */
190 deliver_localpart = subject;
191 deliver_domain = domain;
193 new = expand_string(rule->replacement);
196 deliver_localpart = save_localpart;
197 deliver_domain = save_domain;
200 /* If the expansion failed with the "forcedfail" flag, don't generate
201 an error - just give up on this rewriting rule. If the "q" flag is set,
202 give up altogether. For other expansion failures we have a configuration
207 if (expand_string_forcedfail)
208 { if ((rule->flags & rewrite_quit) != 0) break; else continue; }
209 log_write(0, LOG_MAIN|LOG_PANIC, "Expansion of %s failed while rewriting: "
210 "%s", rule->replacement, expand_string_message);
214 /* Check the what has been generated is a valid RFC 2822 address. Only
215 envelope from or SMTP sender is permitted to be rewritten as <>.*/
217 newparsed = parse_extract_address(new, &error, &start, &end, &pdomain,
218 flag == rewrite_envfrom || flag == (rewrite_smtp|rewrite_smtp_sender));
220 if (newparsed == NULL)
222 log_write(0, LOG_MAIN|LOG_PANIC, "Rewrite of %s yielded unparseable "
223 "address: %s in address %s", subject, error, new);
224 break; /* Give up on this address */
227 /* A non-null unqualified address can be qualified if requested. Otherwise,
228 this is an error unless it's the empty address in circumstances where that is
231 if (pdomain == 0 && (*newparsed != 0 ||
232 (flag != rewrite_envfrom && flag != (rewrite_smtp|rewrite_smtp_sender))))
234 if ((rule->flags & rewrite_qualify) != 0)
236 newparsed = rewrite_address_qualify(newparsed, TRUE);
237 new = string_sprintf("%.*s%s%.*s", start, new, newparsed,
238 Ustrlen(new) - end, new + end);
239 end = start + Ustrlen(newparsed);
243 log_write(0, LOG_MAIN|LOG_PANIC, "Rewrite of %s yielded unqualified "
244 "address \"%s\"", subject, new);
245 break; /* Give up on this address */
249 /* We have a validly rewritten address */
251 if ((log_write_selector & L_address_rewrite) != 0 ||
252 (debug_selector & D_rewrite) != 0)
255 const uschar *where = CUS"?";
257 for (i = 0; i < where_list_size; i++)
259 if (flag == where_list[i].bit)
261 where = where_list[i].string;
265 log_write(L_address_rewrite,
266 LOG_MAIN, "\"%s\" from %s rewritten as \"%s\" by rule %d",
267 yield, where, new, rule_number);
270 /* A header will only actually be added if header_last is non-NULL,
271 i.e. during message reception or delivery, but add_header should not
272 be set TRUE during delivery, as otherwise multiple instances of the header
273 can fill up the -H file and make it embarrassingly large. We don't need
274 to set header_rewritten because the -H file always gets written at the end
275 of message reception. */
278 header_add(htype_old, "X-rewrote-%s: %s\n", name, subject);
280 /* Handle the case when replacement of the whole address is possible.
281 This happens only when whole is not NULL and we are rewriting a header.
282 If *whole is already TRUE it means that a previous rule had the w
283 flag set and so we must preserve the non-active portion of the current
284 subject unless the current rule also has the w flag set. */
286 if (whole != NULL && (flag & rewrite_all_headers) != 0)
288 /* Current rule has the w flag set. We must ensure the phrase parts
289 are syntactically valid if they are present. */
291 if ((rule->flags & rewrite_whole) != 0)
293 if (start > 0 && new[start-1] == '<')
295 uschar *p1 = new + start - 1;
296 uschar *p2 = new + end + 1;
298 uschar buff1[256], buff2[256];
300 while (p1 > new && p1[-1] == ' ') p1--;
301 pf1 = parse_fix_phrase(new, p1 - new, buff1, sizeof(buff1));
302 while (*p2 == ' ') p2++;
303 pf2 = parse_fix_phrase(p2, Ustrlen(p2), buff2, sizeof(buff2));
305 /* Note that pf1 and pf2 are NOT necessarily buff1 and buff2. For
306 a non-RFC 2047 phrase that does not need to be RFC 2822 quoted, they
307 will be buff1+1 and buff2+1. */
309 start = Ustrlen(pf1) + start + new - p1;
310 end = start + Ustrlen(newparsed);
311 new = string_sprintf("%s%.*s%s", pf1, p2 - p1, p1, pf2);
314 /* Now accept the whole thing */
323 /* Current rule does not have the w flag set; if not previously
324 done any whole rewriting, behave in non-whole manner. */
326 else if (!*whole) goto NEVER_WHOLE;
328 /* Current rule does not have the w flag set, but a previous
329 rule did rewrite the whole address. Thus yield and subject will be
330 different. Preserve the previous non-active part of the address. */
335 new = string_sprintf("%.*s%s%n%s",
336 yield_start, yield, subject, &end, yield + yield_end);
342 /* Rule just rewrites active part, or handling an envelope. This
343 code is obeyed only when all rules so far have not done "whole"
349 subject = yield = newparsed;
352 domain = NULL; /* Reset for next rule */
354 /* If no further rewrites are to be done, set the done flag. This allows
355 repeats of the current rule if configured before breaking the loop. */
357 if ((rule->flags & rewrite_quit) != 0) done = TRUE;
359 /* Allow the current rule to be applied up to 10 times if
362 if ((rule->flags & rewrite_repeat) != 0)
364 if (count++ < 10) goto REPEAT_RULE;
365 log_write(0, LOG_MAIN|LOG_PANIC, "rewrite rule repeat ignored after 10 "
370 /* Unset expansion numeric variables, and that's it. */
378 /*************************************************
379 * Ensure qualification and rewrite *
380 *************************************************/
382 /* This function is called for envelope addresses, the boolean specifying
383 whether a recipient or a sender. It must first of all ensure the address is
384 fully qualified, and then apply any relevant re-writing rules. The add-header
385 flag causes a header to be added, recording the old address. This is marked
386 "old", so that it is never transported anywhere; it exists for local checking
387 and debugging purposes.
390 s the address to be considered
391 is_recipient TRUE for recipient addresses; FALSE otherwise
392 add_header add "X-rewrote-xxx" header when rewriting; this is
393 set TRUE only for calls from the reception functions
394 rewrite_rules points to chain of rewrite rules
395 existflags bits indicating which headers there are rewrites for
396 (just an optimisation)
398 Returns: possibly rewritten address
402 rewrite_address(uschar *s, BOOL is_recipient, BOOL add_header,
403 rewrite_rule *rewrite_rules, int existflags)
405 int flag = is_recipient? rewrite_envto : rewrite_envfrom;
406 s = rewrite_address_qualify(s, is_recipient);
407 if ((existflags & flag) != 0)
409 uschar *new = rewrite_one(s, flag, NULL, add_header, is_recipient?
410 US"original-recipient" : US"sender", rewrite_rules);
411 if (new != s) s = new;
418 /*************************************************
419 * Qualify and possibly rewrite one header *
420 *************************************************/
422 /* This is called only from rewrite_header() below, either when reading a
423 message. or when routing, in order to rewrite addresses that get changed by a
424 router. This is normally the addition of full qualification to a partial
425 domain. The first rewriting rule in this case is "change routed_old into
426 routed_new", and it applies to all header lines that contain addresses. Then
427 header-specific rewriting rules are applied.
429 Before rewriting can be done, addresses without domains have to be qualified.
430 This should only be done for messages from "local" senders. This is a difficult
431 concept to pin down, what with the use of SMTP both as a submission and as a
432 transmission protocol. Exim normally requires incoming SMTP to contain fully-
433 qualified addresses, but there are options to permit unqualified ones from
434 certain hosts. For those hosts only, addresses in headers can also be
435 qualified. For other hosts, unqualified addresses in headers do not get touched
436 in any way. For locally sourced messages, unqualified addresses always get
437 qualified, except when -bnq is used to explicitly suppress this.
440 h pointer to header line block
441 flag indicates which header this is
442 routed_old if not NULL, this is a rewrite caused by a router, changing
443 this domain into routed_new
444 routed_new new routed domain if routed_old is not NULL
445 rewrite_rules points to chain of rewriting rules
446 existflags bits indicating which rewrites exist
447 replace if TRUE, insert the new header in the chain after the old
448 one, and mark the old one "replaced"
450 Returns: NULL if header unchanged; otherwise the rewritten header
454 rewrite_one_header(header_line *h, int flag, uschar *routed_old,
455 uschar *routed_new, rewrite_rule *rewrite_rules, int existflags, BOOL replace)
458 header_line *newh = NULL;
459 void *function_reset_point = store_get(0);
460 uschar *s = Ustrchr(h->text, ':') + 1;
461 while (isspace(*s)) s++;
464 debug_printf("rewrite_one_header: type=%c:\n %s", h->type, h->text);
466 parse_allow_group = TRUE; /* Allow group syntax */
468 /* Loop for multiple addresses in the header. We have to go through them all
469 in case any need qualifying, even if there's no rewriting. Pathological headers
470 may have thousands of addresses in them, so cause the store to be reset for
471 any that don't actually get rewritten. We also play silly games for those that
472 _are_ rewritten so as to avoid runaway store usage for these kinds of header.
473 We want to avoid keeping store for any intermediate versions. */
478 uschar *ss = parse_find_address_end(s, FALSE);
479 uschar *recipient, *new, *errmess;
480 void *loop_reset_point = store_get(0);
481 BOOL changed = FALSE;
482 int terminator = *ss;
483 int start, end, domain;
485 /* Temporarily terminate the string at this point, and extract the
486 operative address within. Then put back the terminator and prepare for
487 the next address, saving the start of the old one. */
490 recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
493 s = ss + (terminator? 1:0);
494 while (isspace(*s)) s++;
496 /* There isn't much we can do for syntactic disasters at this stage.
497 Pro tem (possibly for ever) ignore them. */
499 if (recipient == NULL)
501 store_reset(loop_reset_point);
505 /* If routed_old is not NULL, this is a rewrite caused by a router,
506 consisting of changing routed_old into routed_new, and applying to all
507 headers. If the header address has no domain, it is excluded, since a router
508 rewrite affects domains only. The new value should always be fully qualified,
509 but it may be something that has an explicit re-write rule set, so we need to
510 check the configured rules subsequently as well. (Example: there's an
511 explicit rewrite turning *.foo.com into foo.com, and an address is supplied
512 as abc@xyz, which the DNS lookup turns into abc@xyz.foo.com). However, if no
513 change is made here, don't bother carrying on. */
515 if (routed_old != NULL)
517 if (domain <= 0 || strcmpic(recipient+domain, routed_old) != 0) continue;
518 recipient[domain-1] = 0;
519 new = string_sprintf("%s@%s", recipient, routed_new);
522 recipient[domain-1] = '@';
523 debug_printf("%s rewritten by router as %s\n", recipient, new);
529 /* This is not a router-inspired rewrite. Ensure the address is fully
530 qualified if that is permitted. If an unqualified address was received
531 from a host that isn't listed, do not continue rewriting this address.
532 Sender, From or Reply-To headers are treated as senders, the rest as
533 recipients. This matters only when there are different qualify strings. */
538 (flag & (rewrite_sender | rewrite_from | rewrite_replyto)) == 0;
539 new = rewrite_address_qualify(recipient, is_recipient);
540 changed = (new != recipient);
543 /* Can only qualify if permitted; if not, no rewrite. */
545 if (changed && ((is_recipient && !allow_unqualified_recipient) ||
546 (!is_recipient && !allow_unqualified_sender)))
548 store_reset(loop_reset_point);
553 /* If there are rewrite rules for this type of header, apply
554 them. This test is just for efficiency, to save scanning the rules
555 in cases when nothing is going to change. If any rewrite rule had the
556 "whole" flag set, adjust the pointers so that the whole address gets
557 replaced, except possibly a final \n. */
559 if ((existflags & flag) != 0)
562 new = rewrite_one(recipient, flag, &whole, FALSE, NULL, rewrite_rules);
563 if (new != recipient)
570 if (sprev[end-1] == '\n') end--;
575 /* If nothing has changed, lose all dynamic store obtained in this loop, and
576 move on to the next address. We can't reset to the function start store
577 point, because we may have a rewritten line from a previous time round the
580 if (!changed) store_reset(loop_reset_point);
582 /* If the address has changed, create a new header containing the
583 rewritten address. We do not need to set the chain pointers at this
584 stage. We want to avoid using more and more memory if the header is very long
585 and contains lots and lots of rewritten addresses. Therefore, we build the
586 new text string in malloc store, then at the end we reset dynamic store
587 before copying the new header to a new block (and then freeing the malloc
588 block). The header must end up in dynamic store so that it's freed at the end
589 of receiving a message. */
594 int newlen = Ustrlen(new);
595 int oldlen = end - start;
597 header_line *prev = (newh == NULL)? h : newh;
598 uschar *newt = store_malloc(prev->slen - oldlen + newlen + 4);
599 uschar *newtstart = newt;
601 int type = prev->type;
602 int slen = prev->slen - oldlen + newlen;
604 /* Build the new header text by copying the old and putting in the
605 replacement. This process may make the header substantially longer
606 than it was before - qualification of a list of bare addresses can
607 often do this - so we stick in a newline after the re-written address
608 if it has increased in length and ends more than 40 characters in. In
609 fact, the code is not perfect, since it does not scan for existing
610 newlines in the header, but it doesn't seem worth going to that
611 amount of trouble. */
613 Ustrncpy(newt, prev->text, sprev - prev->text + start);
614 newt += sprev - prev->text + start;
618 remlen = s - (sprev + end);
621 Ustrncpy(newt, sprev + end, remlen);
626 /* Must check that there isn't a newline here anyway; in particular, there
627 will be one at the very end of the header, where we DON'T want to insert
628 another one! The pointer s has been skipped over white space, so just
629 look back to see if the last non-space-or-tab was a newline. */
631 if (newlen > oldlen && newt - newtstart - lastnewline > 40)
634 while (p >= prev->text && (*p == ' ' || *p == '\t')) p--;
637 lastnewline = newt - newtstart;
638 Ustrcat(newt, "\n\t");
643 /* Finally, the remaining unprocessed addresses, if any. */
647 DEBUG(D_rewrite) debug_printf("newlen=%d newtype=%c newtext:\n%s",
648 slen, type, newtstart);
650 /* Compute the length of the rest of the header line before we possibly
651 flatten a previously rewritten copy. */
653 remlen = (s - prev->text) - oldlen + newlen;
655 /* We have the new text in a malloc block. That enables us to release all
656 the memory that has been used, back to the point at which the function was
657 entered. Then set up a new header in dynamic store. This will override a
658 rewritten copy from a previous time round this loop. */
660 store_reset(function_reset_point);
661 newh = store_get(sizeof(header_line));
664 newh->text = string_copyn(newtstart, slen);
665 store_free(newtstart);
667 /* Set up for scanning the rest of the header */
669 s = newh->text + remlen;
670 DEBUG(D_rewrite) debug_printf("remainder: %s", (*s == 0)? US"\n" : s);
674 parse_allow_group = FALSE; /* Reset group flags */
675 parse_found_group = FALSE;
677 /* If a rewrite happened and "replace" is true, put the new header into the
678 chain following the old one, and mark the old one as replaced. */
680 if (newh != NULL && replace)
682 newh->next = h->next;
683 if (newh->next == NULL) header_last = newh;
694 /*************************************************
695 * Rewrite a header line *
696 *************************************************/
698 /* This function may be passed any old header line. It must detect those which
699 contain addresses, then then apply any rewriting rules that apply. If
700 routed_old is NULL, only the configured rewriting rules are consulted.
701 Otherwise, the rewriting rule is "change routed_old into routed_new", and it
702 applies to all header lines that contain addresses. Then header-specific
703 rewriting rules are applied.
705 The old header line is flagged as "old". Old headers are saved on the spool for
706 debugging but are never sent to any recipients.
709 h header line to rewrite
710 routed_old if not NULL, this is a rewrite caused by a router, changing
711 this domain into routed_new
712 routed_new new routed domain if routed_old is not NULL
713 rewrite_rules points to chain of rewrite rules
714 existflags bits indicating which rewrites exist
715 replace if TRUE, the new header is inserted into the header chain
716 after the old one, and the old one is marked replaced
718 Returns: NULL if header unchanged; otherwise the rewritten header
722 rewrite_header(header_line *h, uschar *routed_old, uschar *routed_new,
723 rewrite_rule *rewrite_rules, int existflags, BOOL replace)
728 return rewrite_one_header(h, rewrite_sender, routed_old, routed_new,
729 rewrite_rules, existflags, replace);
732 return rewrite_one_header(h, rewrite_from, routed_old, routed_new,
733 rewrite_rules, existflags, replace);
736 return rewrite_one_header(h, rewrite_to, routed_old, routed_new,
737 rewrite_rules, existflags, replace);
740 return rewrite_one_header(h, rewrite_cc, routed_old, routed_new,
741 rewrite_rules, existflags, replace);
744 return rewrite_one_header(h, rewrite_bcc, routed_old, routed_new,
745 rewrite_rules, existflags, replace);
748 return rewrite_one_header(h, rewrite_replyto, routed_old, routed_new,
749 rewrite_rules, existflags, replace);
757 /************************************************
758 * Test rewriting rules *
759 ************************************************/
761 /* Called from the mainline as a result of the -brw option. Test the
762 address for all possible cases.
764 Argument: the address to test
768 void rewrite_test(uschar *s)
770 uschar *recipient, *error;
771 int i, start, end, domain;
772 BOOL done_smtp = FALSE;
774 if (rewrite_existflags == 0)
776 printf("No rewrite rules are defined\n");
780 /* Do SMTP rewrite only if a rule with the S flag exists. Allow <> by
781 pretending it is a sender. */
783 if ((rewrite_existflags & rewrite_smtp) != 0)
785 uschar *new = rewrite_one(s, rewrite_smtp|rewrite_smtp_sender, NULL, FALSE,
786 US"", global_rewrite_rules);
790 printf(" SMTP: <>\n");
792 printf(" SMTP: %s\n", new);
797 /* Do the other rewrites only if a rule without the S flag exists */
799 if ((rewrite_existflags & ~rewrite_smtp) == 0) return;
801 /* Qualify if necessary before extracting the address */
803 if (parse_find_at(s) == NULL)
804 s = string_sprintf("%s@%s", s, qualify_domain_recipient);
806 recipient = parse_extract_address(s, &error, &start, &end, &domain, FALSE);
808 if (recipient == NULL)
811 printf("Syntax error in %s\n%c%s\n", s, toupper(error[0]), error+1);
815 for (i = 0; i < 8; i++)
819 uschar *new = rewrite_one(recipient, flag, &whole, FALSE, US"",
820 global_rewrite_rules);
821 printf("%s: ", rrname[i]);
824 else if (whole || (flag & rewrite_all_headers) == 0)
825 printf("%s\n", CS new);
826 else printf("%.*s%s%s\n", start, s, new, s+end);
830 /* End of rewrite.c */