1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
8
9 /* Functions for finding hosts, either by gethostbyname(), gethostbyaddr(), or
10 directly via the DNS. When IPv6 is supported, getipnodebyname() and
11 getipnodebyaddr() may be used instead of gethostbyname() and gethostbyaddr(),
12 if the newer functions are available. This module also contains various other
13 functions concerned with hosts and addresses, and a random number function,
14 used for randomizing hosts with equal MXs but available for use in other parts
15 of Exim. */
16
17
18 #include "exim.h"
19
20
21 /* Static variable for preserving the list of interface addresses in case it is
22 used more than once. */
23
24 static ip_address_item *local_interface_data = NULL;
25
26
27 #ifdef USE_INET_NTOA_FIX
28 /*************************************************
29 * Replacement for broken inet_ntoa() *
30 *************************************************/
31
32 /* On IRIX systems, gcc uses a different structure passing convention to the
33 native libraries. This causes inet_ntoa() to always yield 0.0.0.0 or
34 255.255.255.255. To get round this, we provide a private version of the
35 function here. It is used only if USE_INET_NTOA_FIX is set, which should happen
36 only when gcc is in use on an IRIX system. Code send to me by J.T. Breitner,
37 with these comments:
38
39 code by Stuart Levy
40 as seen in comp.sys.sgi.admin
41
42 August 2005: Apparently this is also needed for AIX systems; USE_INET_NTOA_FIX
43 should now be set for them as well.
44
45 Arguments: sa an in_addr structure
46 Returns: pointer to static text string
47 */
48
49 char *
inet_ntoa(struct in_addr sa)50 inet_ntoa(struct in_addr sa)
51 {
52 static uschar addr[20];
53 sprintf(addr, "%d.%d.%d.%d",
54 (US &sa.s_addr)[0],
55 (US &sa.s_addr)[1],
56 (US &sa.s_addr)[2],
57 (US &sa.s_addr)[3]);
58 return addr;
59 }
60 #endif
61
62
63
64 /*************************************************
65 * Random number generator *
66 *************************************************/
67
68 /* This is a simple pseudo-random number generator. It does not have to be
69 very good for the uses to which it is put. When running the regression tests,
70 start with a fixed seed.
71
72 If you need better, see vaguely_random_number() which is potentially stronger,
73 if a crypto library is available, but might end up just calling this instead.
74
75 Arguments:
76 limit: one more than the largest number required
77
78 Returns: a pseudo-random number in the range 0 to limit-1
79 */
80
81 int
random_number(int limit)82 random_number(int limit)
83 {
84 if (limit < 1)
85 return 0;
86 if (random_seed == 0)
87 {
88 if (f.running_in_test_harness) random_seed = 42; else
89 {
90 int p = (int)getpid();
91 random_seed = (int)time(NULL) ^ ((p << 16) | p);
92 }
93 }
94 random_seed = 1103515245 * random_seed + 12345;
95 return (unsigned int)(random_seed >> 16) % limit;
96 }
97
98 /*************************************************
99 * Wrappers for logging lookup times *
100 *************************************************/
101
102 /* When the 'slow_lookup_log' variable is enabled, these wrappers will
103 write to the log file all (potential) dns lookups that take more than
104 slow_lookup_log milliseconds
105 */
106
107 static void
log_long_lookup(const uschar * type,const uschar * data,unsigned long msec)108 log_long_lookup(const uschar * type, const uschar * data, unsigned long msec)
109 {
110 log_write(0, LOG_MAIN, "Long %s lookup for '%s': %lu msec",
111 type, data, msec);
112 }
113
114
115 /* returns the current system epoch time in milliseconds. */
116 static unsigned long
get_time_in_ms()117 get_time_in_ms()
118 {
119 struct timeval tmp_time;
120 unsigned long seconds, microseconds;
121
122 gettimeofday(&tmp_time, NULL);
123 seconds = (unsigned long) tmp_time.tv_sec;
124 microseconds = (unsigned long) tmp_time.tv_usec;
125 return seconds*1000 + microseconds/1000;
126 }
127
128
129 static int
dns_lookup_timerwrap(dns_answer * dnsa,const uschar * name,int type,const uschar ** fully_qualified_name)130 dns_lookup_timerwrap(dns_answer *dnsa, const uschar *name, int type,
131 const uschar **fully_qualified_name)
132 {
133 int retval;
134 unsigned long time_msec;
135
136 if (!slow_lookup_log)
137 return dns_lookup(dnsa, name, type, fully_qualified_name);
138
139 time_msec = get_time_in_ms();
140 retval = dns_lookup(dnsa, name, type, fully_qualified_name);
141 if ((time_msec = get_time_in_ms() - time_msec) > slow_lookup_log)
142 log_long_lookup(dns_text_type(type), name, time_msec);
143 return retval;
144 }
145
146
147 /*************************************************
148 * Replace gethostbyname() when testing *
149 *************************************************/
150
151 /* This function is called instead of gethostbyname(), gethostbyname2(), or
152 getipnodebyname() when running in the test harness. . It also
153 recognizes an unqualified "localhost" and forces it to the appropriate loopback
154 address. IP addresses are treated as literals. For other names, it uses the DNS
155 to find the host name. In the test harness, this means it will access only the
156 fake DNS resolver.
157
158 Arguments:
159 name the host name or a textual IP address
160 af AF_INET or AF_INET6
161 error_num where to put an error code:
162 HOST_NOT_FOUND/TRY_AGAIN/NO_RECOVERY/NO_DATA
163
164 Returns: a hostent structure or NULL for an error
165 */
166
167 static struct hostent *
host_fake_gethostbyname(const uschar * name,int af,int * error_num)168 host_fake_gethostbyname(const uschar *name, int af, int *error_num)
169 {
170 #if HAVE_IPV6
171 int alen = (af == AF_INET)? sizeof(struct in_addr):sizeof(struct in6_addr);
172 #else
173 int alen = sizeof(struct in_addr);
174 #endif
175
176 int ipa;
177 const uschar *lname = name;
178 uschar *adds;
179 uschar **alist;
180 struct hostent *yield;
181 dns_answer * dnsa = store_get_dns_answer();
182 dns_scan dnss;
183
184 DEBUG(D_host_lookup)
185 debug_printf("using host_fake_gethostbyname for %s (%s)\n", name,
186 af == AF_INET ? "IPv4" : "IPv6");
187
188 /* Handle unqualified "localhost" */
189
190 if (Ustrcmp(name, "localhost") == 0)
191 lname = af == AF_INET ? US"127.0.0.1" : US"::1";
192
193 /* Handle a literal IP address */
194
195 if ((ipa = string_is_ip_address(lname, NULL)) != 0)
196 if ( ipa == 4 && af == AF_INET
197 || ipa == 6 && af == AF_INET6)
198 {
199 int x[4];
200 yield = store_get(sizeof(struct hostent), FALSE);
201 alist = store_get(2 * sizeof(char *), FALSE);
202 adds = store_get(alen, FALSE);
203 yield->h_name = CS name;
204 yield->h_aliases = NULL;
205 yield->h_addrtype = af;
206 yield->h_length = alen;
207 yield->h_addr_list = CSS alist;
208 *alist++ = adds;
209 for (int n = host_aton(lname, x), i = 0; i < n; i++)
210 {
211 int y = x[i];
212 *adds++ = (y >> 24) & 255;
213 *adds++ = (y >> 16) & 255;
214 *adds++ = (y >> 8) & 255;
215 *adds++ = y & 255;
216 }
217 *alist = NULL;
218 }
219
220 /* Wrong kind of literal address */
221
222 else
223 {
224 *error_num = HOST_NOT_FOUND;
225 yield = NULL;
226 goto out;
227 }
228
229 /* Handle a host name */
230
231 else
232 {
233 int type = af == AF_INET ? T_A:T_AAAA;
234 int rc = dns_lookup_timerwrap(dnsa, lname, type, NULL);
235 int count = 0;
236
237 lookup_dnssec_authenticated = NULL;
238
239 switch(rc)
240 {
241 case DNS_SUCCEED: break;
242 case DNS_NOMATCH: *error_num = HOST_NOT_FOUND; yield = NULL; goto out;
243 case DNS_NODATA: *error_num = NO_DATA; yield = NULL; goto out;
244 case DNS_AGAIN: *error_num = TRY_AGAIN; yield = NULL; goto out;
245 default:
246 case DNS_FAIL: *error_num = NO_RECOVERY; yield = NULL; goto out;
247 }
248
249 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
250 rr;
251 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == type)
252 count++;
253
254 yield = store_get(sizeof(struct hostent), FALSE);
255 alist = store_get((count + 1) * sizeof(char *), FALSE);
256 adds = store_get(count *alen, FALSE);
257
258 yield->h_name = CS name;
259 yield->h_aliases = NULL;
260 yield->h_addrtype = af;
261 yield->h_length = alen;
262 yield->h_addr_list = CSS alist;
263
264 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
265 rr;
266 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == type)
267 {
268 int x[4];
269 dns_address *da;
270 if (!(da = dns_address_from_rr(dnsa, rr))) break;
271 *alist++ = adds;
272 for (int n = host_aton(da->address, x), i = 0; i < n; i++)
273 {
274 int y = x[i];
275 *adds++ = (y >> 24) & 255;
276 *adds++ = (y >> 16) & 255;
277 *adds++ = (y >> 8) & 255;
278 *adds++ = y & 255;
279 }
280 }
281 *alist = NULL;
282 }
283
284 out:
285
286 store_free_dns_answer(dnsa);
287 return yield;
288 }
289
290
291
292 /*************************************************
293 * Build chain of host items from list *
294 *************************************************/
295
296 /* This function builds a chain of host items from a textual list of host
297 names. It does not do any lookups. If randomize is true, the chain is build in
298 a randomized order. There may be multiple groups of independently randomized
299 hosts; they are delimited by a host name consisting of just "+".
300
301 Arguments:
302 anchor anchor for the chain
303 list text list
304 randomize TRUE for randomizing
305
306 Returns: nothing
307 */
308
309 void
host_build_hostlist(host_item ** anchor,const uschar * list,BOOL randomize)310 host_build_hostlist(host_item **anchor, const uschar *list, BOOL randomize)
311 {
312 int sep = 0;
313 int fake_mx = MX_NONE; /* This value is actually -1 */
314 uschar *name;
315
316 if (!list) return;
317 if (randomize) fake_mx--; /* Start at -2 for randomizing */
318
319 *anchor = NULL;
320
321 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
322 {
323 host_item *h;
324
325 if (name[0] == '+' && name[1] == 0) /* "+" delimits a randomized group */
326 { /* ignore if not randomizing */
327 if (randomize) fake_mx--;
328 continue;
329 }
330
331 h = store_get(sizeof(host_item), FALSE);
332 h->name = name;
333 h->address = NULL;
334 h->port = PORT_NONE;
335 h->mx = fake_mx;
336 h->sort_key = randomize? (-fake_mx)*1000 + random_number(1000) : 0;
337 h->status = hstatus_unknown;
338 h->why = hwhy_unknown;
339 h->last_try = 0;
340
341 if (!*anchor)
342 {
343 h->next = NULL;
344 *anchor = h;
345 }
346 else
347 {
348 host_item *hh = *anchor;
349 if (h->sort_key < hh->sort_key)
350 {
351 h->next = hh;
352 *anchor = h;
353 }
354 else
355 {
356 while (hh->next && h->sort_key >= hh->next->sort_key)
357 hh = hh->next;
358 h->next = hh->next;
359 hh->next = h;
360 }
361 }
362 }
363 }
364
365
366
367
368
369 /*************************************************
370 * Extract port from address string *
371 *************************************************/
372
373 /* In the spool file, and in the -oMa and -oMi options, a host plus port is
374 given as an IP address followed by a dot and a port number. This function
375 decodes this.
376
377 An alternative format for the -oMa and -oMi options is [ip address]:port which
378 is what Exim 4 uses for output, because it seems to becoming commonly used,
379 whereas the dot form confuses some programs/people. So we recognize that form
380 too.
381
382 Argument:
383 address points to the string; if there is a port, the '.' in the string
384 is overwritten with zero to terminate the address; if the string
385 is in the [xxx]:ppp format, the address is shifted left and the
386 brackets are removed
387
388 Returns: 0 if there is no port, else the port number. If there's a syntax
389 error, leave the incoming address alone, and return 0.
390 */
391
392 int
host_address_extract_port(uschar * address)393 host_address_extract_port(uschar *address)
394 {
395 int port = 0;
396 uschar *endptr;
397
398 /* Handle the "bracketed with colon on the end" format */
399
400 if (*address == '[')
401 {
402 uschar *rb = address + 1;
403 while (*rb != 0 && *rb != ']') rb++;
404 if (*rb++ == 0) return 0; /* Missing ]; leave invalid address */
405 if (*rb == ':')
406 {
407 port = Ustrtol(rb + 1, &endptr, 10);
408 if (*endptr != 0) return 0; /* Invalid port; leave invalid address */
409 }
410 else if (*rb != 0) return 0; /* Bad syntax; leave invalid address */
411 memmove(address, address + 1, rb - address - 2);
412 rb[-2] = 0;
413 }
414
415 /* Handle the "dot on the end" format */
416
417 else
418 {
419 int skip = -3; /* Skip 3 dots in IPv4 addresses */
420 address--;
421 while (*(++address) != 0)
422 {
423 int ch = *address;
424 if (ch == ':') skip = 0; /* Skip 0 dots in IPv6 addresses */
425 else if (ch == '.' && skip++ >= 0) break;
426 }
427 if (*address == 0) return 0;
428 port = Ustrtol(address + 1, &endptr, 10);
429 if (*endptr != 0) return 0; /* Invalid port; leave invalid address */
430 *address = 0;
431 }
432
433 return port;
434 }
435
436
437 /*************************************************
438 * Get port from a host item's name *
439 *************************************************/
440
441 /* This function is called when finding the IP address for a host that is in a
442 list of hosts explicitly configured, such as in the manualroute router, or in a
443 fallback hosts list. We see if there is a port specification at the end of the
444 host name, and if so, remove it. A minimum length of 3 is required for the
445 original name; nothing shorter is recognized as having a port.
446
447 We test for a name ending with a sequence of digits; if preceded by colon we
448 have a port if the character before the colon is ] and the name starts with [
449 or if there are no other colons in the name (i.e. it's not an IPv6 address).
450
451 Arguments: pointer to the host item
452 Returns: a port number or PORT_NONE
453 */
454
455 int
host_item_get_port(host_item * h)456 host_item_get_port(host_item *h)
457 {
458 const uschar *p;
459 int port, x;
460 int len = Ustrlen(h->name);
461
462 if (len < 3 || (p = h->name + len - 1, !isdigit(*p))) return PORT_NONE;
463
464 /* Extract potential port number */
465
466 port = *p-- - '0';
467 x = 10;
468
469 while (p > h->name + 1 && isdigit(*p))
470 {
471 port += (*p-- - '0') * x;
472 x *= 10;
473 }
474
475 /* The smallest value of p at this point is h->name + 1. */
476
477 if (*p != ':') return PORT_NONE;
478
479 if (p[-1] == ']' && h->name[0] == '[')
480 h->name = string_copyn(h->name + 1, p - h->name - 2);
481 else if (Ustrchr(h->name, ':') == p)
482 h->name = string_copyn(h->name, p - h->name);
483 else return PORT_NONE;
484
485 DEBUG(D_route|D_host_lookup) debug_printf("host=%s port=%d\n", h->name, port);
486 return port;
487 }
488
489
490
491 #ifndef STAND_ALONE /* Omit when standalone testing */
492
493 /*************************************************
494 * Build sender_fullhost and sender_rcvhost *
495 *************************************************/
496
497 /* This function is called when sender_host_name and/or sender_helo_name
498 have been set. Or might have been set - for a local message read off the spool
499 they won't be. In that case, do nothing. Otherwise, set up the fullhost string
500 as follows:
501
502 (a) No sender_host_name or sender_helo_name: "[ip address]"
503 (b) Just sender_host_name: "host_name [ip address]"
504 (c) Just sender_helo_name: "(helo_name) [ip address]" unless helo is IP
505 in which case: "[ip address}"
506 (d) The two are identical: "host_name [ip address]" includes helo = IP
507 (e) The two are different: "host_name (helo_name) [ip address]"
508
509 If log_incoming_port is set, the sending host's port number is added to the IP
510 address.
511
512 This function also builds sender_rcvhost for use in Received: lines, whose
513 syntax is a bit different. This value also includes the RFC 1413 identity.
514 There wouldn't be two different variables if I had got all this right in the
515 first place.
516
517 Because this data may survive over more than one incoming SMTP message, it has
518 to be in permanent store. However, STARTTLS has to be forgotten and redone
519 on a multi-message conn, so this will be called once per message then. Hence
520 we use malloc, so we can free.
521
522 Arguments: none
523 Returns: nothing
524 */
525
526 void
host_build_sender_fullhost(void)527 host_build_sender_fullhost(void)
528 {
529 BOOL show_helo = TRUE;
530 uschar * address, * fullhost, * rcvhost;
531 rmark reset_point;
532 int len;
533
534 if (!sender_host_address) return;
535
536 reset_point = store_mark();
537
538 /* Set up address, with or without the port. After discussion, it seems that
539 the only format that doesn't cause trouble is [aaaa]:pppp. However, we can't
540 use this directly as the first item for Received: because it ain't an RFC 2822
541 domain. Sigh. */
542
543 address = string_sprintf("[%s]:%d", sender_host_address, sender_host_port);
544 if (!LOGGING(incoming_port) || sender_host_port <= 0)
545 *(Ustrrchr(address, ':')) = 0;
546
547 /* If there's no EHLO/HELO data, we can't show it. */
548
549 if (!sender_helo_name) show_helo = FALSE;
550
551 /* If HELO/EHLO was followed by an IP literal, it's messy because of two
552 features of IPv6. Firstly, there's the "IPv6:" prefix (Exim is liberal and
553 doesn't require this, for historical reasons). Secondly, IPv6 addresses may not
554 be given in canonical form, so we have to canonicalize them before comparing. As
555 it happens, the code works for both IPv4 and IPv6. */
556
557 else if (sender_helo_name[0] == '[' &&
558 sender_helo_name[(len=Ustrlen(sender_helo_name))-1] == ']')
559 {
560 int offset = 1;
561 uschar *helo_ip;
562
563 if (strncmpic(sender_helo_name + 1, US"IPv6:", 5) == 0) offset += 5;
564 if (strncmpic(sender_helo_name + 1, US"IPv4:", 5) == 0) offset += 5;
565
566 helo_ip = string_copyn(sender_helo_name + offset, len - offset - 1);
567
568 if (string_is_ip_address(helo_ip, NULL) != 0)
569 {
570 int x[4], y[4];
571 int sizex, sizey;
572 uschar ipx[48], ipy[48]; /* large enough for full IPv6 */
573
574 sizex = host_aton(helo_ip, x);
575 sizey = host_aton(sender_host_address, y);
576
577 (void)host_nmtoa(sizex, x, -1, ipx, ':');
578 (void)host_nmtoa(sizey, y, -1, ipy, ':');
579
580 if (strcmpic(ipx, ipy) == 0) show_helo = FALSE;
581 }
582 }
583
584 /* Host name is not verified */
585
586 if (!sender_host_name)
587 {
588 uschar *portptr = Ustrstr(address, "]:");
589 gstring * g;
590 int adlen; /* Sun compiler doesn't like ++ in initializers */
591
592 adlen = portptr ? (++portptr - address) : Ustrlen(address);
593 fullhost = sender_helo_name
594 ? string_sprintf("(%s) %s", sender_helo_name, address)
595 : address;
596
597 g = string_catn(NULL, address, adlen);
598
599 if (sender_ident || show_helo || portptr)
600 {
601 int firstptr;
602 g = string_catn(g, US" (", 2);
603 firstptr = g->ptr;
604
605 if (portptr)
606 g = string_append(g, 2, US"port=", portptr + 1);
607
608 if (show_helo)
609 g = string_append(g, 2,
610 firstptr == g->ptr ? US"helo=" : US" helo=", sender_helo_name);
611
612 if (sender_ident)
613 g = string_append(g, 2,
614 firstptr == g->ptr ? US"ident=" : US" ident=", sender_ident);
615
616 g = string_catn(g, US")", 1);
617 }
618
619 rcvhost = string_from_gstring(g);
620 }
621
622 /* Host name is known and verified. Unless we've already found that the HELO
623 data matches the IP address, compare it with the name. */
624
625 else
626 {
627 if (show_helo && strcmpic(sender_host_name, sender_helo_name) == 0)
628 show_helo = FALSE;
629
630 if (show_helo)
631 {
632 fullhost = string_sprintf("%s (%s) %s", sender_host_name,
633 sender_helo_name, address);
634 rcvhost = sender_ident
635 ? string_sprintf("%s\n\t(%s helo=%s ident=%s)", sender_host_name,
636 address, sender_helo_name, sender_ident)
637 : string_sprintf("%s (%s helo=%s)", sender_host_name,
638 address, sender_helo_name);
639 }
640 else
641 {
642 fullhost = string_sprintf("%s %s", sender_host_name, address);
643 rcvhost = sender_ident
644 ? string_sprintf("%s (%s ident=%s)", sender_host_name, address,
645 sender_ident)
646 : string_sprintf("%s (%s)", sender_host_name, address);
647 }
648 }
649
650 sender_fullhost = string_copy_perm(fullhost, TRUE);
651 sender_rcvhost = string_copy_perm(rcvhost, TRUE);
652
653 store_reset(reset_point);
654
655 DEBUG(D_host_lookup) debug_printf("sender_fullhost = %s\n", sender_fullhost);
656 DEBUG(D_host_lookup) debug_printf("sender_rcvhost = %s\n", sender_rcvhost);
657 }
658
659
660
661 /*************************************************
662 * Build host+ident message *
663 *************************************************/
664
665 /* Used when logging rejections and various ACL and SMTP incidents. The text
666 return depends on whether sender_fullhost and sender_ident are set or not:
667
668 no ident, no host => U=unknown
669 no ident, host set => H=sender_fullhost
670 ident set, no host => U=ident
671 ident set, host set => H=sender_fullhost U=ident
672
673 Use taint-unchecked routines on the assumption we'll never expand the results.
674
675 Arguments:
676 useflag TRUE if first item to be flagged (H= or U=); if there are two
677 items, the second is always flagged
678
679 Returns: pointer to a string in big_buffer
680 */
681
682 uschar *
host_and_ident(BOOL useflag)683 host_and_ident(BOOL useflag)
684 {
685 if (!sender_fullhost)
686 string_format_nt(big_buffer, big_buffer_size, "%s%s", useflag ? "U=" : "",
687 sender_ident ? sender_ident : US"unknown");
688 else
689 {
690 uschar * flag = useflag ? US"H=" : US"";
691 uschar * iface = US"";
692 if (LOGGING(incoming_interface) && interface_address)
693 iface = string_sprintf(" I=[%s]:%d", interface_address, interface_port);
694 if (sender_ident)
695 string_format_nt(big_buffer, big_buffer_size, "%s%s%s U=%s",
696 flag, sender_fullhost, iface, sender_ident);
697 else
698 string_format_nt(big_buffer, big_buffer_size, "%s%s%s",
699 flag, sender_fullhost, iface);
700 }
701 return big_buffer;
702 }
703
704 #endif /* STAND_ALONE */
705
706
707
708
709 /*************************************************
710 * Build list of local interfaces *
711 *************************************************/
712
713 /* This function interprets the contents of the local_interfaces or
714 extra_local_interfaces options, and creates an ip_address_item block for each
715 item on the list. There is no special interpretation of any IP addresses; in
716 particular, 0.0.0.0 and ::0 are returned without modification. If any address
717 includes a port, it is set in the block. Otherwise the port value is set to
718 zero.
719
720 Arguments:
721 list the list
722 name the name of the option being expanded
723
724 Returns: a chain of ip_address_items, each containing to a textual
725 version of an IP address, and a port number (host order) or
726 zero if no port was given with the address
727 */
728
729 ip_address_item *
host_build_ifacelist(const uschar * list,uschar * name)730 host_build_ifacelist(const uschar *list, uschar *name)
731 {
732 int sep = 0;
733 uschar *s;
734 ip_address_item * yield = NULL, * last = NULL, * next;
735 BOOL taint = is_tainted(list);
736
737 while ((s = string_nextinlist(&list, &sep, NULL, 0)))
738 {
739 int ipv;
740 int port = host_address_extract_port(s); /* Leaves just the IP address */
741
742 if (!(ipv = string_is_ip_address(s, NULL)))
743 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Malformed IP address \"%s\" in %s",
744 s, name);
745
746 /* Skip IPv6 addresses if IPv6 is disabled. */
747
748 if (disable_ipv6 && ipv == 6) continue;
749
750 /* This use of strcpy() is OK because we have checked that s is a valid IP
751 address above. The field in the ip_address_item is large enough to hold an
752 IPv6 address. */
753
754 next = store_get(sizeof(ip_address_item), taint);
755 next->next = NULL;
756 Ustrcpy(next->address, s);
757 next->port = port;
758 next->v6_include_v4 = FALSE;
759 next->log = NULL;
760
761 if (!yield)
762 yield = last = next;
763 else
764 {
765 last->next = next;
766 last = next;
767 }
768 }
769
770 return yield;
771 }
772
773
774
775
776
777 /*************************************************
778 * Find addresses on local interfaces *
779 *************************************************/
780
781 /* This function finds the addresses of local IP interfaces. These are used
782 when testing for routing to the local host. As the function may be called more
783 than once, the list is preserved in permanent store, pointed to by a static
784 variable, to save doing the work more than once per process.
785
786 The generic list of interfaces is obtained by calling host_build_ifacelist()
787 for local_interfaces and extra_local_interfaces. This list scanned to remove
788 duplicates (which may exist with different ports - not relevant here). If
789 either of the wildcard IP addresses (0.0.0.0 and ::0) are encountered, they are
790 replaced by the appropriate (IPv4 or IPv6) list of actual local interfaces,
791 obtained from os_find_running_interfaces().
792
793 Arguments: none
794 Returns: a chain of ip_address_items, each containing to a textual
795 version of an IP address; the port numbers are not relevant
796 */
797
798
799 /* First, a local subfunction to add an interface to a list in permanent store,
800 but only if there isn't a previous copy of that address on the list. */
801
802 static ip_address_item *
add_unique_interface(ip_address_item * list,ip_address_item * ipa)803 add_unique_interface(ip_address_item *list, ip_address_item *ipa)
804 {
805 ip_address_item *ipa2;
806 for (ipa2 = list; ipa2; ipa2 = ipa2->next)
807 if (Ustrcmp(ipa2->address, ipa->address) == 0) return list;
808 ipa2 = store_get_perm(sizeof(ip_address_item), FALSE);
809 *ipa2 = *ipa;
810 ipa2->next = list;
811 return ipa2;
812 }
813
814
815 /* This is the globally visible function */
816
817 ip_address_item *
host_find_interfaces(void)818 host_find_interfaces(void)
819 {
820 ip_address_item *running_interfaces = NULL;
821
822 if (!local_interface_data)
823 {
824 void *reset_item = store_mark();
825 ip_address_item *dlist = host_build_ifacelist(CUS local_interfaces,
826 US"local_interfaces");
827 ip_address_item *xlist = host_build_ifacelist(CUS extra_local_interfaces,
828 US"extra_local_interfaces");
829 ip_address_item *ipa;
830
831 if (!dlist) dlist = xlist;
832 else
833 {
834 for (ipa = dlist; ipa->next; ipa = ipa->next) ;
835 ipa->next = xlist;
836 }
837
838 for (ipa = dlist; ipa; ipa = ipa->next)
839 {
840 if (Ustrcmp(ipa->address, "0.0.0.0") == 0 ||
841 Ustrcmp(ipa->address, "::0") == 0)
842 {
843 BOOL ipv6 = ipa->address[0] == ':';
844 if (!running_interfaces)
845 running_interfaces = os_find_running_interfaces();
846 for (ip_address_item * ipa2 = running_interfaces; ipa2; ipa2 = ipa2->next)
847 if ((Ustrchr(ipa2->address, ':') != NULL) == ipv6)
848 local_interface_data = add_unique_interface(local_interface_data,
849 ipa2);
850 }
851 else
852 {
853 local_interface_data = add_unique_interface(local_interface_data, ipa);
854 DEBUG(D_interface)
855 {
856 debug_printf("Configured local interface: address=%s", ipa->address);
857 if (ipa->port != 0) debug_printf(" port=%d", ipa->port);
858 debug_printf("\n");
859 }
860 }
861 }
862 store_reset(reset_item);
863 }
864
865 return local_interface_data;
866 }
867
868
869
870
871
872 /*************************************************
873 * Convert network IP address to text *
874 *************************************************/
875
876 /* Given an IPv4 or IPv6 address in binary, convert it to a text
877 string and return the result in a piece of new store. The address can
878 either be given directly, or passed over in a sockaddr structure. Note
879 that this isn't the converse of host_aton() because of byte ordering
880 differences. See host_nmtoa() below.
881
882 Arguments:
883 type if < 0 then arg points to a sockaddr, else
884 either AF_INET or AF_INET6
885 arg points to a sockaddr if type is < 0, or
886 points to an IPv4 address (32 bits), or
887 points to an IPv6 address (128 bits),
888 in both cases, in network byte order
889 buffer if NULL, the result is returned in gotten store;
890 else points to a buffer to hold the answer
891 portptr points to where to put the port number, if non NULL; only
892 used when type < 0
893
894 Returns: pointer to character string
895 */
896
897 uschar *
host_ntoa(int type,const void * arg,uschar * buffer,int * portptr)898 host_ntoa(int type, const void *arg, uschar *buffer, int *portptr)
899 {
900 uschar *yield;
901
902 /* The new world. It is annoying that we have to fish out the address from
903 different places in the block, depending on what kind of address it is. It
904 is also a pain that inet_ntop() returns a const uschar *, whereas the IPv4
905 function inet_ntoa() returns just uschar *, and some picky compilers insist
906 on warning if one assigns a const uschar * to a uschar *. Hence the casts. */
907
908 #if HAVE_IPV6
909 uschar addr_buffer[46];
910 if (type < 0)
911 {
912 int family = ((struct sockaddr *)arg)->sa_family;
913 if (family == AF_INET6)
914 {
915 struct sockaddr_in6 *sk = (struct sockaddr_in6 *)arg;
916 yield = US inet_ntop(family, &(sk->sin6_addr), CS addr_buffer,
917 sizeof(addr_buffer));
918 if (portptr != NULL) *portptr = ntohs(sk->sin6_port);
919 }
920 else
921 {
922 struct sockaddr_in *sk = (struct sockaddr_in *)arg;
923 yield = US inet_ntop(family, &(sk->sin_addr), CS addr_buffer,
924 sizeof(addr_buffer));
925 if (portptr != NULL) *portptr = ntohs(sk->sin_port);
926 }
927 }
928 else
929 {
930 yield = US inet_ntop(type, arg, CS addr_buffer, sizeof(addr_buffer));
931 }
932
933 /* If the result is a mapped IPv4 address, show it in V4 format. */
934
935 if (Ustrncmp(yield, "::ffff:", 7) == 0) yield += 7;
936
937 #else /* HAVE_IPV6 */
938
939 /* The old world */
940
941 if (type < 0)
942 {
943 yield = US inet_ntoa(((struct sockaddr_in *)arg)->sin_addr);
944 if (portptr != NULL) *portptr = ntohs(((struct sockaddr_in *)arg)->sin_port);
945 }
946 else
947 yield = US inet_ntoa(*((struct in_addr *)arg));
948 #endif
949
950 /* If there is no buffer, put the string into some new store. */
951
952 if (!buffer) buffer = store_get(46, FALSE);
953
954 /* Callers of this function with a non-NULL buffer must ensure that it is
955 large enough to hold an IPv6 address, namely, at least 46 bytes. That's what
956 makes this use of strcpy() OK.
957 If the library returned apparently an apparently tainted string, clean it;
958 we trust IP addresses. */
959
960 string_format_nt(buffer, 46, "%s", yield);
961 return buffer;
962 }
963
964
965
966
967 /*************************************************
968 * Convert address text to binary *
969 *************************************************/
970
971 /* Given the textual form of an IP address, convert it to binary in an
972 array of ints. IPv4 addresses occupy one int; IPv6 addresses occupy 4 ints.
973 The result has the first byte in the most significant byte of the first int. In
974 other words, the result is not in network byte order, but in host byte order.
975 As a result, this is not the converse of host_ntoa(), which expects network
976 byte order. See host_nmtoa() below.
977
978 Arguments:
979 address points to the textual address, checked for syntax
980 bin points to an array of 4 ints
981
982 Returns: the number of ints used
983 */
984
985 int
host_aton(const uschar * address,int * bin)986 host_aton(const uschar *address, int *bin)
987 {
988 int x[4];
989 int v4offset = 0;
990
991 /* Handle IPv6 address, which may end with an IPv4 address. It may also end
992 with a "scope", introduced by a percent sign. This code is NOT enclosed in #if
993 HAVE_IPV6 in order that IPv6 addresses are recognized even if IPv6 is not
994 supported. */
995
996 if (Ustrchr(address, ':') != NULL)
997 {
998 const uschar *p = address;
999 const uschar *component[8];
1000 BOOL ipv4_ends = FALSE;
1001 int ci = 0;
1002 int nulloffset = 0;
1003 int v6count = 8;
1004 int i;
1005
1006 /* If the address starts with a colon, it will start with two colons.
1007 Just lose the first one, which will leave a null first component. */
1008
1009 if (*p == ':') p++;
1010
1011 /* Split the address into components separated by colons. The input address
1012 is supposed to be checked for syntax. There was a case where this was
1013 overlooked; to guard against that happening again, check here and crash if
1014 there are too many components. */
1015
1016 while (*p != 0 && *p != '%')
1017 {
1018 int len = Ustrcspn(p, ":%");
1019 if (len == 0) nulloffset = ci;
1020 if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1021 "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
1022 address);
1023 component[ci++] = p;
1024 p += len;
1025 if (*p == ':') p++;
1026 }
1027
1028 /* If the final component contains a dot, it is a trailing v4 address.
1029 As the syntax is known to be checked, just set up for a trailing
1030 v4 address and restrict the v6 part to 6 components. */
1031
1032 if (Ustrchr(component[ci-1], '.') != NULL)
1033 {
1034 address = component[--ci];
1035 ipv4_ends = TRUE;
1036 v4offset = 3;
1037 v6count = 6;
1038 }
1039
1040 /* If there are fewer than 6 or 8 components, we have to insert some
1041 more empty ones in the middle. */
1042
1043 if (ci < v6count)
1044 {
1045 int insert_count = v6count - ci;
1046 for (i = v6count-1; i > nulloffset + insert_count; i--)
1047 component[i] = component[i - insert_count];
1048 while (i > nulloffset) component[i--] = US"";
1049 }
1050
1051 /* Now turn the components into binary in pairs and bung them
1052 into the vector of ints. */
1053
1054 for (i = 0; i < v6count; i += 2)
1055 bin[i/2] = (Ustrtol(component[i], NULL, 16) << 16) +
1056 Ustrtol(component[i+1], NULL, 16);
1057
1058 /* If there was no terminating v4 component, we are done. */
1059
1060 if (!ipv4_ends) return 4;
1061 }
1062
1063 /* Handle IPv4 address */
1064
1065 (void)sscanf(CS address, "%d.%d.%d.%d", x, x+1, x+2, x+3);
1066 bin[v4offset] = ((uint)x[0] << 24) + (x[1] << 16) + (x[2] << 8) + x[3];
1067 return v4offset+1;
1068 }
1069
1070
1071 /*************************************************
1072 * Apply mask to an IP address *
1073 *************************************************/
1074
1075 /* Mask an address held in 1 or 4 ints, with the ms bit in the ms bit of the
1076 first int, etc.
1077
1078 Arguments:
1079 count the number of ints
1080 binary points to the ints to be masked
1081 mask the count of ms bits to leave, or -1 if no masking
1082
1083 Returns: nothing
1084 */
1085
1086 void
host_mask(int count,int * binary,int mask)1087 host_mask(int count, int *binary, int mask)
1088 {
1089 if (mask < 0) mask = 99999;
1090 for (int i = 0; i < count; i++)
1091 {
1092 int wordmask;
1093 if (mask == 0) wordmask = 0;
1094 else if (mask < 32)
1095 {
1096 wordmask = (uint)(-1) << (32 - mask);
1097 mask = 0;
1098 }
1099 else
1100 {
1101 wordmask = -1;
1102 mask -= 32;
1103 }
1104 binary[i] &= wordmask;
1105 }
1106 }
1107
1108
1109
1110
1111 /*************************************************
1112 * Convert masked IP address in ints to text *
1113 *************************************************/
1114
1115 /* We can't use host_ntoa() because it assumes the binary values are in network
1116 byte order, and these are the result of host_aton(), which puts them in ints in
1117 host byte order. Also, we really want IPv6 addresses to be in a canonical
1118 format, so we output them with no abbreviation. In a number of cases we can't
1119 use the normal colon separator in them because it terminates keys in lsearch
1120 files, so we want to use dot instead. There's an argument that specifies what
1121 to use for IPv6 addresses.
1122
1123 Arguments:
1124 count 1 or 4 (number of ints)
1125 binary points to the ints
1126 mask mask value; if < 0 don't add to result
1127 buffer big enough to hold the result
1128 sep component separator character for IPv6 addresses
1129
1130 Returns: the number of characters placed in buffer, not counting
1131 the final nul.
1132 */
1133
1134 int
host_nmtoa(int count,int * binary,int mask,uschar * buffer,int sep)1135 host_nmtoa(int count, int *binary, int mask, uschar *buffer, int sep)
1136 {
1137 int j;
1138 uschar *tt = buffer;
1139
1140 if (count == 1)
1141 {
1142 j = binary[0];
1143 for (int i = 24; i >= 0; i -= 8)
1144 tt += sprintf(CS tt, "%d.", (j >> i) & 255);
1145 }
1146 else
1147 for (int i = 0; i < 4; i++)
1148 {
1149 j = binary[i];
1150 tt += sprintf(CS tt, "%04x%c%04x%c", (j >> 16) & 0xffff, sep, j & 0xffff, sep);
1151 }
1152
1153 tt--; /* lose final separator */
1154
1155 if (mask < 0)
1156 *tt = 0;
1157 else
1158 tt += sprintf(CS tt, "/%d", mask);
1159
1160 return tt - buffer;
1161 }
1162
1163
1164 /* Like host_nmtoa() but: ipv6-only, canonical output, no mask
1165
1166 Arguments:
1167 binary points to the ints
1168 buffer big enough to hold the result
1169
1170 Returns: the number of characters placed in buffer, not counting
1171 the final nul.
1172 */
1173
1174 int
ipv6_nmtoa(int * binary,uschar * buffer)1175 ipv6_nmtoa(int * binary, uschar * buffer)
1176 {
1177 int i, j, k;
1178 uschar * c = buffer;
1179 uschar * d = NULL; /* shut insufficiently "clever" compiler up */
1180
1181 for (i = 0; i < 4; i++)
1182 { /* expand to text */
1183 j = binary[i];
1184 c += sprintf(CS c, "%x:%x:", (j >> 16) & 0xffff, j & 0xffff);
1185 }
1186
1187 for (c = buffer, k = -1, i = 0; i < 8; i++)
1188 { /* find longest 0-group sequence */
1189 if (*c == '0') /* must be "0:" */
1190 {
1191 uschar * s = c;
1192 j = i;
1193 while (c[2] == '0') i++, c += 2;
1194 if (i-j > k)
1195 {
1196 k = i-j; /* length of sequence */
1197 d = s; /* start of sequence */
1198 }
1199 }
1200 while (*++c != ':') ;
1201 c++;
1202 }
1203
1204 *--c = '\0'; /* drop trailing colon */
1205
1206 /* debug_printf("%s: D k %d <%s> <%s>\n", __FUNCTION__, k, buffer, buffer + 2*(k+1)); */
1207 if (k >= 0)
1208 { /* collapse */
1209 c = d + 2*(k+1);
1210 if (d == buffer) c--; /* need extra colon */
1211 *d++ = ':'; /* 1st 0 */
1212 while ((*d++ = *c++)) ;
1213 }
1214 else
1215 d = c;
1216
1217 return d - buffer;
1218 }
1219
1220
1221
1222 /*************************************************
1223 * Check port for tls_on_connect *
1224 *************************************************/
1225
1226 /* This function checks whether a given incoming port is configured for tls-
1227 on-connect. It is called from the daemon and from inetd handling. If the global
1228 option tls_on_connect is already set, all ports operate this way. Otherwise, we
1229 check the tls_on_connect_ports option for a list of ports.
1230
1231 Argument: a port number
1232 Returns: TRUE or FALSE
1233 */
1234
1235 BOOL
host_is_tls_on_connect_port(int port)1236 host_is_tls_on_connect_port(int port)
1237 {
1238 int sep = 0;
1239 const uschar * list = tls_in.on_connect_ports;
1240
1241 if (tls_in.on_connect) return TRUE;
1242
1243 for (uschar * s, * end; s = string_nextinlist(&list, &sep, NULL, 0); )
1244 if (Ustrtol(s, &end, 10) == port)
1245 return TRUE;
1246
1247 return FALSE;
1248 }
1249
1250
1251
1252 /*************************************************
1253 * Check whether host is in a network *
1254 *************************************************/
1255
1256 /* This function checks whether a given IP address matches a pattern that
1257 represents either a single host, or a network (using CIDR notation). The caller
1258 of this function must check the syntax of the arguments before calling it.
1259
1260 Arguments:
1261 host string representation of the ip-address to check
1262 net string representation of the network, with optional CIDR mask
1263 maskoffset offset to the / that introduces the mask in the key
1264 zero if there is no mask
1265
1266 Returns:
1267 TRUE the host is inside the network
1268 FALSE the host is NOT inside the network
1269 */
1270
1271 BOOL
host_is_in_net(const uschar * host,const uschar * net,int maskoffset)1272 host_is_in_net(const uschar *host, const uschar *net, int maskoffset)
1273 {
1274 int address[4];
1275 int incoming[4];
1276 int mlen;
1277 int size = host_aton(net, address);
1278 int insize;
1279
1280 /* No mask => all bits to be checked */
1281
1282 if (maskoffset == 0) mlen = 99999; /* Big number */
1283 else mlen = Uatoi(net + maskoffset + 1);
1284
1285 /* Convert the incoming address to binary. */
1286
1287 insize = host_aton(host, incoming);
1288
1289 /* Convert IPv4 addresses given in IPv6 compatible mode, which represent
1290 connections from IPv4 hosts to IPv6 hosts, that is, addresses of the form
1291 ::ffff:<v4address>, to IPv4 format. */
1292
1293 if (insize == 4 && incoming[0] == 0 && incoming[1] == 0 &&
1294 incoming[2] == 0xffff)
1295 {
1296 insize = 1;
1297 incoming[0] = incoming[3];
1298 }
1299
1300 /* No match if the sizes don't agree. */
1301
1302 if (insize != size) return FALSE;
1303
1304 /* Else do the masked comparison. */
1305
1306 for (int i = 0; i < size; i++)
1307 {
1308 int mask;
1309 if (mlen == 0) mask = 0;
1310 else if (mlen < 32)
1311 {
1312 mask = (uint)(-1) << (32 - mlen);
1313 mlen = 0;
1314 }
1315 else
1316 {
1317 mask = -1;
1318 mlen -= 32;
1319 }
1320 if ((incoming[i] & mask) != (address[i] & mask)) return FALSE;
1321 }
1322
1323 return TRUE;
1324 }
1325
1326
1327
1328 /*************************************************
1329 * Scan host list for local hosts *
1330 *************************************************/
1331
1332 /* Scan through a chain of addresses and check whether any of them is the
1333 address of an interface on the local machine. If so, remove that address and
1334 any previous ones with the same MX value, and all subsequent ones (which will
1335 have greater or equal MX values) from the chain. Note: marking them as unusable
1336 is NOT the right thing to do because it causes the hosts not to be used for
1337 other domains, for which they may well be correct.
1338
1339 The hosts may be part of a longer chain; we only process those between the
1340 initial pointer and the "last" pointer.
1341
1342 There is also a list of "pseudo-local" host names which are checked against the
1343 host names. Any match causes that host item to be treated the same as one which
1344 matches a local IP address.
1345
1346 If the very first host is a local host, then all MX records had a precedence
1347 greater than or equal to that of the local host. Either there's a problem in
1348 the DNS, or an apparently remote name turned out to be an abbreviation for the
1349 local host. Give a specific return code, and let the caller decide what to do.
1350 Otherwise, give a success code if at least one host address has been found.
1351
1352 Arguments:
1353 host pointer to the first host in the chain
1354 lastptr pointer to pointer to the last host in the chain (may be updated)
1355 removed if not NULL, set TRUE if some local addresses were removed
1356 from the list
1357
1358 Returns:
1359 HOST_FOUND if there is at least one host with an IP address on the chain
1360 and an MX value less than any MX value associated with the
1361 local host
1362 HOST_FOUND_LOCAL if a local host is among the lowest-numbered MX hosts; when
1363 the host addresses were obtained from A records or
1364 gethostbyname(), the MX values are set to -1.
1365 HOST_FIND_FAILED if no valid hosts with set IP addresses were found
1366 */
1367
1368 int
host_scan_for_local_hosts(host_item * host,host_item ** lastptr,BOOL * removed)1369 host_scan_for_local_hosts(host_item *host, host_item **lastptr, BOOL *removed)
1370 {
1371 int yield = HOST_FIND_FAILED;
1372 host_item *last = *lastptr;
1373 host_item *prev = NULL;
1374 host_item *h;
1375
1376 if (removed != NULL) *removed = FALSE;
1377
1378 if (local_interface_data == NULL) local_interface_data = host_find_interfaces();
1379
1380 for (h = host; h != last->next; h = h->next)
1381 {
1382 #ifndef STAND_ALONE
1383 if (hosts_treat_as_local != NULL)
1384 {
1385 int rc;
1386 const uschar *save = deliver_domain;
1387 deliver_domain = h->name; /* set $domain */
1388 rc = match_isinlist(string_copylc(h->name), CUSS &hosts_treat_as_local, 0,
1389 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
1390 deliver_domain = save;
1391 if (rc == OK) goto FOUND_LOCAL;
1392 }
1393 #endif
1394
1395 /* It seems that on many operating systems, 0.0.0.0 is treated as a synonym
1396 for 127.0.0.1 and refers to the local host. We therefore force it always to
1397 be treated as local. */
1398
1399 if (h->address != NULL)
1400 {
1401 if (Ustrcmp(h->address, "0.0.0.0") == 0) goto FOUND_LOCAL;
1402 for (ip_address_item * ip = local_interface_data; ip; ip = ip->next)
1403 if (Ustrcmp(h->address, ip->address) == 0) goto FOUND_LOCAL;
1404 yield = HOST_FOUND; /* At least one remote address has been found */
1405 }
1406
1407 /* Update prev to point to the last host item before any that have
1408 the same MX value as the one we have just considered. */
1409
1410 if (h->next == NULL || h->next->mx != h->mx) prev = h;
1411 }
1412
1413 return yield; /* No local hosts found: return HOST_FOUND or HOST_FIND_FAILED */
1414
1415 /* A host whose IP address matches a local IP address, or whose name matches
1416 something in hosts_treat_as_local has been found. */
1417
1418 FOUND_LOCAL:
1419
1420 if (prev == NULL)
1421 {
1422 HDEBUG(D_host_lookup) debug_printf((h->mx >= 0)?
1423 "local host has lowest MX\n" :
1424 "local host found for non-MX address\n");
1425 return HOST_FOUND_LOCAL;
1426 }
1427
1428 HDEBUG(D_host_lookup)
1429 {
1430 debug_printf("local host in host list - removed hosts:\n");
1431 for (h = prev->next; h != last->next; h = h->next)
1432 debug_printf(" %s %s %d\n", h->name, h->address, h->mx);
1433 }
1434
1435 if (removed != NULL) *removed = TRUE;
1436 prev->next = last->next;
1437 *lastptr = prev;
1438 return yield;
1439 }
1440
1441
1442
1443
1444 /*************************************************
1445 * Remove duplicate IPs in host list *
1446 *************************************************/
1447
1448 /* You would think that administrators could set up their DNS records so that
1449 one ended up with a list of unique IP addresses after looking up A or MX
1450 records, but apparently duplication is common. So we scan such lists and
1451 remove the later duplicates. Note that we may get lists in which some host
1452 addresses are not set.
1453
1454 Arguments:
1455 host pointer to the first host in the chain
1456 lastptr pointer to pointer to the last host in the chain (may be updated)
1457
1458 Returns: nothing
1459 */
1460
1461 static void
host_remove_duplicates(host_item * host,host_item ** lastptr)1462 host_remove_duplicates(host_item *host, host_item **lastptr)
1463 {
1464 while (host != *lastptr)
1465 {
1466 if (host->address != NULL)
1467 {
1468 host_item *h = host;
1469 while (h != *lastptr)
1470 {
1471 if (h->next->address != NULL &&
1472 Ustrcmp(h->next->address, host->address) == 0)
1473 {
1474 DEBUG(D_host_lookup) debug_printf("duplicate IP address %s (MX=%d) "
1475 "removed\n", host->address, h->next->mx);
1476 if (h->next == *lastptr) *lastptr = h;
1477 h->next = h->next->next;
1478 }
1479 else h = h->next;
1480 }
1481 }
1482 /* If the last item was removed, host may have become == *lastptr */
1483 if (host != *lastptr) host = host->next;
1484 }
1485 }
1486
1487
1488
1489
1490 /*************************************************
1491 * Find sender host name by gethostbyaddr() *
1492 *************************************************/
1493
1494 /* This used to be the only way it was done, but it turns out that not all
1495 systems give aliases for calls to gethostbyaddr() - or one of the modern
1496 equivalents like getipnodebyaddr(). Fortunately, multiple PTR records are rare,
1497 but they can still exist. This function is now used only when a DNS lookup of
1498 the IP address fails, in order to give access to /etc/hosts.
1499
1500 Arguments: none
1501 Returns: OK, DEFER, FAIL
1502 */
1503
1504 static int
host_name_lookup_byaddr(void)1505 host_name_lookup_byaddr(void)
1506 {
1507 struct hostent * hosts;
1508 struct in_addr addr;
1509 unsigned long time_msec = 0; /* init to quieten dumb static analysis */
1510
1511 if (slow_lookup_log) time_msec = get_time_in_ms();
1512
1513 /* Lookup on IPv6 system */
1514
1515 #if HAVE_IPV6
1516 if (Ustrchr(sender_host_address, ':') != NULL)
1517 {
1518 struct in6_addr addr6;
1519 if (inet_pton(AF_INET6, CS sender_host_address, &addr6) != 1)
1520 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to parse \"%s\" as an "
1521 "IPv6 address", sender_host_address);
1522 #if HAVE_GETIPNODEBYADDR
1523 hosts = getipnodebyaddr(CS &addr6, sizeof(addr6), AF_INET6, &h_errno);
1524 #else
1525 hosts = gethostbyaddr(CS &addr6, sizeof(addr6), AF_INET6);
1526 #endif
1527 }
1528 else
1529 {
1530 if (inet_pton(AF_INET, CS sender_host_address, &addr) != 1)
1531 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to parse \"%s\" as an "
1532 "IPv4 address", sender_host_address);
1533 #if HAVE_GETIPNODEBYADDR
1534 hosts = getipnodebyaddr(CS &addr, sizeof(addr), AF_INET, &h_errno);
1535 #else
1536 hosts = gethostbyaddr(CS &addr, sizeof(addr), AF_INET);
1537 #endif
1538 }
1539
1540 /* Do lookup on IPv4 system */
1541
1542 #else
1543 addr.s_addr = (S_ADDR_TYPE)inet_addr(CS sender_host_address);
1544 hosts = gethostbyaddr(CS(&addr), sizeof(addr), AF_INET);
1545 #endif
1546
1547 if ( slow_lookup_log
1548 && (time_msec = get_time_in_ms() - time_msec) > slow_lookup_log
1549 )
1550 log_long_lookup(US"gethostbyaddr", sender_host_address, time_msec);
1551
1552 /* Failed to look up the host. */
1553
1554 if (!hosts)
1555 {
1556 HDEBUG(D_host_lookup) debug_printf("IP address lookup failed: h_errno=%d\n",
1557 h_errno);
1558 return (h_errno == TRY_AGAIN || h_errno == NO_RECOVERY) ? DEFER : FAIL;
1559 }
1560
1561 /* It seems there are some records in the DNS that yield an empty name. We
1562 treat this as non-existent. In some operating systems, this is returned as an
1563 empty string; in others as a single dot. */
1564
1565 if (!hosts->h_name || !hosts->h_name[0] || hosts->h_name[0] == '.')
1566 {
1567 HDEBUG(D_host_lookup) debug_printf("IP address lookup yielded an empty name: "
1568 "treated as non-existent host name\n");
1569 return FAIL;
1570 }
1571
1572 /* Copy and lowercase the name, which is in static storage in many systems.
1573 Put it in permanent memory. */
1574
1575 {
1576 int old_pool = store_pool;
1577 store_pool = POOL_TAINT_PERM; /* names are tainted */
1578
1579 sender_host_name = string_copylc(US hosts->h_name);
1580
1581 /* If the host has aliases, build a copy of the alias list */
1582
1583 if (hosts->h_aliases)
1584 {
1585 int count = 1; /* need 1 more for terminating NULL */
1586 uschar **ptr;
1587
1588 for (uschar ** aliases = USS hosts->h_aliases; *aliases; aliases++) count++;
1589 store_pool = POOL_PERM;
1590 ptr = sender_host_aliases = store_get(count * sizeof(uschar *), FALSE);
1591 store_pool = POOL_TAINT_PERM;
1592
1593 for (uschar ** aliases = USS hosts->h_aliases; *aliases; aliases++)
1594 *ptr++ = string_copylc(*aliases);
1595 *ptr = NULL;
1596 }
1597 store_pool = old_pool;
1598 }
1599
1600 return OK;
1601 }
1602
1603
1604
1605 /*************************************************
1606 * Find host name for incoming call *
1607 *************************************************/
1608
1609 /* Put the name in permanent store, pointed to by sender_host_name. We also set
1610 up a list of alias names, pointed to by sender_host_alias. The list is
1611 NULL-terminated. The incoming address is in sender_host_address, either in
1612 dotted-quad form for IPv4 or in colon-separated form for IPv6.
1613
1614 This function does a thorough check that the names it finds point back to the
1615 incoming IP address. Any that do not are discarded. Note that this is relied on
1616 by the ACL reverse_host_lookup check.
1617
1618 On some systems, get{host,ipnode}byaddr() appears to do this internally, but
1619 this it not universally true. Also, for release 4.30, this function was changed
1620 to do a direct DNS lookup first, by default[1], because it turns out that that
1621 is the only guaranteed way to find all the aliases on some systems. My
1622 experiments indicate that Solaris gethostbyaddr() gives the aliases for but
1623 Linux does not.
1624
1625 [1] The actual order is controlled by the host_lookup_order option.
1626
1627 Arguments: none
1628 Returns: OK on success, the answer being placed in the global variable
1629 sender_host_name, with any aliases in a list hung off
1630 sender_host_aliases
1631 FAIL if no host name can be found
1632 DEFER if a temporary error was encountered
1633
1634 The variable host_lookup_msg is set to an empty string on success, or to a
1635 reason for the failure otherwise, in a form suitable for tagging onto an error
1636 message, and also host_lookup_failed is set TRUE if the lookup failed. If there
1637 was a defer, host_lookup_deferred is set TRUE.
1638
1639 Any dynamically constructed string for host_lookup_msg must be in permanent
1640 store, because it might be used for several incoming messages on the same SMTP
1641 connection. */
1642
1643 int
host_name_lookup(void)1644 host_name_lookup(void)
1645 {
1646 int old_pool, rc;
1647 int sep = 0;
1648 uschar *save_hostname;
1649 uschar **aliases;
1650 uschar *ordername;
1651 const uschar *list = host_lookup_order;
1652 dns_answer * dnsa = store_get_dns_answer();
1653 dns_scan dnss;
1654
1655 sender_host_dnssec = host_lookup_deferred = host_lookup_failed = FALSE;
1656
1657 HDEBUG(D_host_lookup)
1658 debug_printf("looking up host name for %s\n", sender_host_address);
1659
1660 /* For testing the case when a lookup does not complete, we have a special
1661 reserved IP address. */
1662
1663 if (f.running_in_test_harness &&
1664 Ustrcmp(sender_host_address, "99.99.99.99") == 0)
1665 {
1666 HDEBUG(D_host_lookup)
1667 debug_printf("Test harness: host name lookup returns DEFER\n");
1668 host_lookup_deferred = TRUE;
1669 return DEFER;
1670 }
1671
1672 /* Do lookups directly in the DNS or via gethostbyaddr() (or equivalent), in
1673 the order specified by the host_lookup_order option. */
1674
1675 while ((ordername = string_nextinlist(&list, &sep, NULL, 0)))
1676 {
1677 if (strcmpic(ordername, US"bydns") == 0)
1678 {
1679 uschar * name = dns_build_reverse(sender_host_address);
1680
1681 dns_init(FALSE, FALSE, FALSE); /* dnssec ctrl by dns_dnssec_ok glbl */
1682 rc = dns_lookup_timerwrap(dnsa, name, T_PTR, NULL);
1683
1684 /* The first record we come across is used for the name; others are
1685 considered to be aliases. We have to scan twice, in order to find out the
1686 number of aliases. However, if all the names are empty, we will behave as
1687 if failure. (PTR records that yield empty names have been encountered in
1688 the DNS.) */
1689
1690 if (rc == DNS_SUCCEED)
1691 {
1692 uschar **aptr = NULL;
1693 int ssize = 264;
1694 int count = 1; /* need 1 more for terminating NULL */
1695 int old_pool = store_pool;
1696
1697 sender_host_dnssec = dns_is_secure(dnsa);
1698 DEBUG(D_dns)
1699 debug_printf("Reverse DNS security status: %s\n",
1700 sender_host_dnssec ? "DNSSEC verified (AD)" : "unverified");
1701
1702 store_pool = POOL_PERM; /* Save names in permanent storage */
1703
1704 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1705 rr;
1706 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_PTR)
1707 count++;
1708
1709 /* Get store for the list of aliases. For compatibility with
1710 gethostbyaddr, we make an empty list if there are none. */
1711
1712 aptr = sender_host_aliases = store_get(count * sizeof(uschar *), FALSE);
1713
1714 /* Re-scan and extract the names */
1715
1716 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1717 rr;
1718 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_PTR)
1719 {
1720 uschar * s = store_get(ssize, TRUE); /* names are tainted */
1721
1722 /* If an overlong response was received, the data will have been
1723 truncated and dn_expand may fail. */
1724
1725 if (dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
1726 US (rr->data), (DN_EXPAND_ARG4_TYPE)(s), ssize) < 0)
1727 {
1728 log_write(0, LOG_MAIN, "host name alias list truncated for %s",
1729 sender_host_address);
1730 break;
1731 }
1732
1733 store_release_above(s + Ustrlen(s) + 1);
1734 if (!s[0])
1735 {
1736 HDEBUG(D_host_lookup) debug_printf("IP address lookup yielded an "
1737 "empty name: treated as non-existent host name\n");
1738 continue;
1739 }
1740 if (!sender_host_name) sender_host_name = s;
1741 else *aptr++ = s;
1742 while (*s) { *s = tolower(*s); s++; }
1743 }
1744
1745 *aptr = NULL; /* End of alias list */
1746 store_pool = old_pool; /* Reset store pool */
1747
1748 /* If we've found a name, break out of the "order" loop */
1749
1750 if (sender_host_name) break;
1751 }
1752
1753 /* If the DNS lookup deferred, we must also defer. */
1754
1755 if (rc == DNS_AGAIN)
1756 {
1757 HDEBUG(D_host_lookup)
1758 debug_printf("IP address PTR lookup gave temporary error\n");
1759 host_lookup_deferred = TRUE;
1760 return DEFER;
1761 }
1762 }
1763
1764 /* Do a lookup using gethostbyaddr() - or equivalent */
1765
1766 else if (strcmpic(ordername, US"byaddr") == 0)
1767 {
1768 HDEBUG(D_host_lookup)
1769 debug_printf("IP address lookup using gethostbyaddr()\n");
1770 rc = host_name_lookup_byaddr();
1771 if (rc == DEFER)
1772 {
1773 host_lookup_deferred = TRUE;
1774 return rc; /* Can't carry on */
1775 }
1776 if (rc == OK) break; /* Found a name */
1777 }
1778 } /* Loop for bydns/byaddr scanning */
1779
1780 /* If we have failed to find a name, return FAIL and log when required.
1781 NB host_lookup_msg must be in permanent store. */
1782
1783 if (!sender_host_name)
1784 {
1785 if (host_checking || !f.log_testing_mode)
1786 log_write(L_host_lookup_failed, LOG_MAIN, "no host name found for IP "
1787 "address %s", sender_host_address);
1788 host_lookup_msg = US" (failed to find host name from IP address)";
1789 host_lookup_failed = TRUE;
1790 return FAIL;
1791 }
1792
1793 HDEBUG(D_host_lookup)
1794 {
1795 uschar **aliases = sender_host_aliases;
1796 debug_printf("IP address lookup yielded \"%s\"\n", sender_host_name);
1797 while (*aliases) debug_printf(" alias \"%s\"\n", *aliases++);
1798 }
1799
1800 /* We need to verify that a forward lookup on the name we found does indeed
1801 correspond to the address. This is for security: in principle a malefactor who
1802 happened to own a reverse zone could set it to point to any names at all.
1803
1804 This code was present in versions of Exim before 3.20. At that point I took it
1805 out because I thought that gethostbyaddr() did the check anyway. It turns out
1806 that this isn't always the case, so it's coming back in at 4.01. This version
1807 is actually better, because it also checks aliases.
1808
1809 The code was made more robust at release 4.21. Prior to that, it accepted all
1810 the names if any of them had the correct IP address. Now the code checks all
1811 the names, and accepts only those that have the correct IP address. */
1812
1813 save_hostname = sender_host_name; /* Save for error messages */
1814 aliases = sender_host_aliases;
1815 for (uschar * hname = sender_host_name; hname; hname = *aliases++)
1816 {
1817 int rc;
1818 BOOL ok = FALSE;
1819 host_item h = { .next = NULL, .name = hname, .mx = MX_NONE, .address = NULL };
1820 dnssec_domains d =
1821 { .request = sender_host_dnssec ? US"*" : NULL, .require = NULL };
1822
1823 if ( (rc = host_find_bydns(&h, NULL, HOST_FIND_BY_A | HOST_FIND_BY_AAAA,
1824 NULL, NULL, NULL, &d, NULL, NULL)) == HOST_FOUND
1825 || rc == HOST_FOUND_LOCAL
1826 )
1827 {
1828 HDEBUG(D_host_lookup) debug_printf("checking addresses for %s\n", hname);
1829
1830 /* If the forward lookup was not secure we cancel the is-secure variable */
1831
1832 DEBUG(D_dns) debug_printf("Forward DNS security status: %s\n",
1833 h.dnssec == DS_YES ? "DNSSEC verified (AD)" : "unverified");
1834 if (h.dnssec != DS_YES) sender_host_dnssec = FALSE;
1835
1836 for (host_item * hh = &h; hh; hh = hh->next)
1837 if (host_is_in_net(hh->address, sender_host_address, 0))
1838 {
1839 HDEBUG(D_host_lookup) debug_printf(" %s OK\n", hh->address);
1840 ok = TRUE;
1841 break;
1842 }
1843 else
1844 HDEBUG(D_host_lookup) debug_printf(" %s\n", hh->address);
1845
1846 if (!ok) HDEBUG(D_host_lookup)
1847 debug_printf("no IP address for %s matched %s\n", hname,
1848 sender_host_address);
1849 }
1850 else if (rc == HOST_FIND_AGAIN)
1851 {
1852 HDEBUG(D_host_lookup) debug_printf("temporary error for host name lookup\n");
1853 host_lookup_deferred = TRUE;
1854 sender_host_name = NULL;
1855 return DEFER;
1856 }
1857 else
1858 HDEBUG(D_host_lookup) debug_printf("no IP addresses found for %s\n", hname);
1859
1860 /* If this name is no good, and it's the sender name, set it null pro tem;
1861 if it's an alias, just remove it from the list. */
1862
1863 if (!ok)
1864 {
1865 if (hname == sender_host_name) sender_host_name = NULL; else
1866 {
1867 uschar **a; /* Don't amalgamate - some */
1868 a = --aliases; /* compilers grumble */
1869 while (*a != NULL) { *a = a[1]; a++; }
1870 }
1871 }
1872 }
1873
1874 /* If sender_host_name == NULL, it means we didn't like the name. Replace
1875 it with the first alias, if there is one. */
1876
1877 if (sender_host_name == NULL && *sender_host_aliases != NULL)
1878 sender_host_name = *sender_host_aliases++;
1879
1880 /* If we now have a main name, all is well. */
1881
1882 if (sender_host_name != NULL) return OK;
1883
1884 /* We have failed to find an address that matches. */
1885
1886 HDEBUG(D_host_lookup)
1887 debug_printf("%s does not match any IP address for %s\n",
1888 sender_host_address, save_hostname);
1889
1890 /* This message must be in permanent store */
1891
1892 old_pool = store_pool;
1893 store_pool = POOL_PERM;
1894 host_lookup_msg = string_sprintf(" (%s does not match any IP address for %s)",
1895 sender_host_address, save_hostname);
1896 store_pool = old_pool;
1897 host_lookup_failed = TRUE;
1898 return FAIL;
1899 }
1900
1901
1902
1903
1904 /*************************************************
1905 * Find IP address(es) for host by name *
1906 *************************************************/
1907
1908 /* The input is a host_item structure with the name filled in and the address
1909 field set to NULL. We use gethostbyname() or getipnodebyname() or
1910 gethostbyname2(), as appropriate. Of course, these functions may use the DNS,
1911 but they do not do MX processing. It appears, however, that in some systems the
1912 current setting of resolver options is used when one of these functions calls
1913 the resolver. For this reason, we call dns_init() at the start, with arguments
1914 influenced by bits in "flags", just as we do for host_find_bydns().
1915
1916 The second argument provides a host list (usually an IP list) of hosts to
1917 ignore. This makes it possible to ignore IPv6 link-local addresses or loopback
1918 addresses in unreasonable places.
1919
1920 The lookup may result in a change of name. For compatibility with the dns
1921 lookup, return this via fully_qualified_name as well as updating the host item.
1922 The lookup may also yield more than one IP address, in which case chain on
1923 subsequent host_item structures.
1924
1925 Arguments:
1926 host a host item with the name and MX filled in;
1927 the address is to be filled in;
1928 multiple IP addresses cause other host items to be
1929 chained on.
1930 ignore_target_hosts a list of hosts to ignore
1931 flags HOST_FIND_QUALIFY_SINGLE ) passed to
1932 HOST_FIND_SEARCH_PARENTS ) dns_init()
1933 fully_qualified_name if not NULL, set to point to host name for
1934 compatibility with host_find_bydns
1935 local_host_check TRUE if a check for the local host is wanted
1936
1937 Returns: HOST_FIND_FAILED Failed to find the host or domain
1938 HOST_FIND_AGAIN Try again later
1939 HOST_FOUND Host found - data filled in
1940 HOST_FOUND_LOCAL Host found and is the local host
1941 */
1942
1943 int
host_find_byname(host_item * host,const uschar * ignore_target_hosts,int flags,const uschar ** fully_qualified_name,BOOL local_host_check)1944 host_find_byname(host_item *host, const uschar *ignore_target_hosts, int flags,
1945 const uschar **fully_qualified_name, BOOL local_host_check)
1946 {
1947 int yield, times;
1948 host_item *last = NULL;
1949 BOOL temp_error = FALSE;
1950 int af;
1951
1952 #ifndef DISABLE_TLS
1953 /* Copy the host name at this point to the value which is used for
1954 TLS certificate name checking, before anything modifies it. */
1955
1956 host->certname = host->name;
1957 #endif
1958
1959 /* Make sure DNS options are set as required. This appears to be necessary in
1960 some circumstances when the get..byname() function actually calls the DNS. */
1961
1962 dns_init((flags & HOST_FIND_QUALIFY_SINGLE) != 0,
1963 (flags & HOST_FIND_SEARCH_PARENTS) != 0,
1964 FALSE); /* Cannot retrieve dnssec status so do not request */
1965
1966 /* In an IPv6 world, unless IPv6 has been disabled, we need to scan for both
1967 kinds of address, so go round the loop twice. Note that we have ensured that
1968 AF_INET6 is defined even in an IPv4 world, which makes for slightly tidier
1969 code. However, if dns_ipv4_lookup matches the domain, we also just do IPv4
1970 lookups here (except when testing standalone). */
1971
1972 #if HAVE_IPV6
1973 #ifdef STAND_ALONE
1974 if (disable_ipv6)
1975 #else
1976 if ( disable_ipv6
1977 || dns_ipv4_lookup
1978 && match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0,
1979 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK)
1980 #endif
1981
1982 { af = AF_INET; times = 1; }
1983 else
1984 { af = AF_INET6; times = 2; }
1985
1986 /* No IPv6 support */
1987
1988 #else /* HAVE_IPV6 */
1989 af = AF_INET; times = 1;
1990 #endif /* HAVE_IPV6 */
1991
1992 /* Initialize the flag that gets set for DNS syntax check errors, so that the
1993 interface to this function can be similar to host_find_bydns. */
1994
1995 f.host_find_failed_syntax = FALSE;
1996
1997 /* Loop to look up both kinds of address in an IPv6 world */
1998
1999 for (int i = 1; i <= times;
2000 #if HAVE_IPV6
2001 af = AF_INET, /* If 2 passes, IPv4 on the second */
2002 #endif
2003 i++)
2004 {
2005 BOOL ipv4_addr;
2006 int error_num = 0;
2007 struct hostent *hostdata;
2008 unsigned long time_msec = 0; /* compiler quietening */
2009
2010 #ifdef STAND_ALONE
2011 printf("Looking up: %s\n", host->name);
2012 #endif
2013
2014 if (slow_lookup_log) time_msec = get_time_in_ms();
2015
2016 #if HAVE_IPV6
2017 if (f.running_in_test_harness)
2018 hostdata = host_fake_gethostbyname(host->name, af, &error_num);
2019 else
2020 {
2021 #if HAVE_GETIPNODEBYNAME
2022 hostdata = getipnodebyname(CS host->name, af, 0, &error_num);
2023 #else
2024 hostdata = gethostbyname2(CS host->name, af);
2025 error_num = h_errno;
2026 #endif
2027 }
2028
2029 #else /* not HAVE_IPV6 */
2030 if (f.running_in_test_harness)
2031 hostdata = host_fake_gethostbyname(host->name, af, &error_num);
2032 else
2033 {
2034 hostdata = gethostbyname(CS host->name);
2035 error_num = h_errno;
2036 }
2037 #endif /* HAVE_IPV6 */
2038
2039 if ( slow_lookup_log
2040 && (time_msec = get_time_in_ms() - time_msec) > slow_lookup_log)
2041 log_long_lookup(US"gethostbyname", host->name, time_msec);
2042
2043 if (!hostdata)
2044 {
2045 uschar * error;
2046 switch (error_num)
2047 {
2048 case HOST_NOT_FOUND: error = US"HOST_NOT_FOUND"; break;
2049 case TRY_AGAIN: error = US"TRY_AGAIN"; temp_error = TRUE; break;
2050 case NO_RECOVERY: error = US"NO_RECOVERY"; temp_error = TRUE; break;
2051 case NO_DATA: error = US"NO_DATA"; break;
2052 #if NO_DATA != NO_ADDRESS
2053 case NO_ADDRESS: error = US"NO_ADDRESS"; break;
2054 #endif
2055 default: error = US"?"; break;
2056 }
2057
2058 DEBUG(D_host_lookup) debug_printf("%s(af=%s) returned %d (%s)\n",
2059 f.running_in_test_harness ? "host_fake_gethostbyname" :
2060 #if HAVE_IPV6
2061 # if HAVE_GETIPNODEBYNAME
2062 "getipnodebyname",
2063 # else
2064 "gethostbyname2",
2065 # endif
2066 #else
2067 "gethostbyname",
2068 #endif
2069 af == AF_INET ? "inet" : "inet6", error_num, error);
2070
2071 continue;
2072 }
2073 if (!(hostdata->h_addr_list)[0]) continue;
2074
2075 /* Replace the name with the fully qualified one if necessary, and fill in
2076 the fully_qualified_name pointer. */
2077
2078 if (hostdata->h_name[0] && Ustrcmp(host->name, hostdata->h_name) != 0)
2079 host->name = string_copy_dnsdomain(US hostdata->h_name);
2080 if (fully_qualified_name) *fully_qualified_name = host->name;
2081
2082 /* Get the list of addresses. IPv4 and IPv6 addresses can be distinguished
2083 by their different lengths. Scan the list, ignoring any that are to be
2084 ignored, and build a chain from the rest. */
2085
2086 ipv4_addr = hostdata->h_length == sizeof(struct in_addr);
2087
2088 for (uschar ** addrlist = USS hostdata->h_addr_list; *addrlist; addrlist++)
2089 {
2090 uschar *text_address =
2091 host_ntoa(ipv4_addr? AF_INET:AF_INET6, *addrlist, NULL, NULL);
2092
2093 #ifndef STAND_ALONE
2094 if ( ignore_target_hosts
2095 && verify_check_this_host(&ignore_target_hosts, NULL, host->name,
2096 text_address, NULL) == OK)
2097 {
2098 DEBUG(D_host_lookup)
2099 debug_printf("ignored host %s [%s]\n", host->name, text_address);
2100 continue;
2101 }
2102 #endif
2103
2104 /* If this is the first address, last is NULL and we put the data in the
2105 original block. */
2106
2107 if (!last)
2108 {
2109 host->address = text_address;
2110 host->port = PORT_NONE;
2111 host->status = hstatus_unknown;
2112 host->why = hwhy_unknown;
2113 host->dnssec = DS_UNK;
2114 last = host;
2115 }
2116
2117 /* Else add further host item blocks for any other addresses, keeping
2118 the order. */
2119
2120 else
2121 {
2122 host_item *next = store_get(sizeof(host_item), FALSE);
2123 next->name = host->name;
2124 #ifndef DISABLE_TLS
2125 next->certname = host->certname;
2126 #endif
2127 next->mx = host->mx;
2128 next->address = text_address;
2129 next->port = PORT_NONE;
2130 next->status = hstatus_unknown;
2131 next->why = hwhy_unknown;
2132 next->dnssec = DS_UNK;
2133 next->last_try = 0;
2134 next->next = last->next;
2135 last->next = next;
2136 last = next;
2137 }
2138 }
2139 }
2140
2141 /* If no hosts were found, the address field in the original host block will be
2142 NULL. If temp_error is set, at least one of the lookups gave a temporary error,
2143 so we pass that back. */
2144
2145 if (!host->address)
2146 {
2147 uschar *msg =
2148 #ifndef STAND_ALONE
2149 !message_id[0] && smtp_in
2150 ? string_sprintf("no IP address found for host %s (during %s)", host->name,
2151 smtp_get_connection_info()) :
2152 #endif
2153 string_sprintf("no IP address found for host %s", host->name);
2154
2155 HDEBUG(D_host_lookup) debug_printf("%s\n", msg);
2156 if (temp_error) goto RETURN_AGAIN;
2157 if (host_checking || !f.log_testing_mode)
2158 log_write(L_host_lookup_failed, LOG_MAIN, "%s", msg);
2159 return HOST_FIND_FAILED;
2160 }
2161
2162 /* Remove any duplicate IP addresses, then check to see if this is the local
2163 host if required. */
2164
2165 host_remove_duplicates(host, &last);
2166 yield = local_host_check?
2167 host_scan_for_local_hosts(host, &last, NULL) : HOST_FOUND;
2168
2169 HDEBUG(D_host_lookup)
2170 {
2171 if (fully_qualified_name)
2172 debug_printf("fully qualified name = %s\n", *fully_qualified_name);
2173 debug_printf("%s looked up these IP addresses:\n",
2174 #if HAVE_IPV6
2175 #if HAVE_GETIPNODEBYNAME
2176 "getipnodebyname"
2177 #else
2178 "gethostbyname2"
2179 #endif
2180 #else
2181 "gethostbyname"
2182 #endif
2183 );
2184 for (const host_item * h = host; h != last->next; h = h->next)
2185 debug_printf(" name=%s address=%s\n", h->name,
2186 h->address ? h->address : US"<null>");
2187 }
2188
2189 /* Return the found status. */
2190
2191 return yield;
2192
2193 /* Handle the case when there is a temporary error. If the name matches
2194 dns_again_means_nonexist, return permanent rather than temporary failure. */
2195
2196 RETURN_AGAIN:
2197 {
2198 #ifndef STAND_ALONE
2199 int rc;
2200 const uschar *save = deliver_domain;
2201 deliver_domain = host->name; /* set $domain */
2202 rc = match_isinlist(host->name, CUSS &dns_again_means_nonexist, 0,
2203 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
2204 deliver_domain = save;
2205 if (rc == OK)
2206 {
2207 DEBUG(D_host_lookup) debug_printf("%s is in dns_again_means_nonexist: "
2208 "returning HOST_FIND_FAILED\n", host->name);
2209 return HOST_FIND_FAILED;
2210 }
2211 #endif
2212 return HOST_FIND_AGAIN;
2213 }
2214 }
2215
2216
2217
2218 /*************************************************
2219 * Fill in a host address from the DNS *
2220 *************************************************/
2221
2222 /* Given a host item, with its name, port and mx fields set, and its address
2223 field set to NULL, fill in its IP address from the DNS. If it is multi-homed,
2224 create additional host items for the additional addresses, copying all the
2225 other fields, and randomizing the order.
2226
2227 On IPv6 systems, AAAA records are sought first, then A records.
2228
2229 The host name may be changed if the DNS returns a different name - e.g. fully
2230 qualified or changed via CNAME. If fully_qualified_name is not NULL, dns_lookup
2231 ensures that it points to the fully qualified name. However, this is the fully
2232 qualified version of the original name; if a CNAME is involved, the actual
2233 canonical host name may be different again, and so we get it directly from the
2234 relevant RR. Note that we do NOT change the mx field of the host item in this
2235 function as it may be called to set the addresses of hosts taken from MX
2236 records.
2237
2238 Arguments:
2239 host points to the host item we're filling in
2240 lastptr points to pointer to last host item in a chain of
2241 host items (may be updated if host is last and gets
2242 extended because multihomed)
2243 ignore_target_hosts list of hosts to ignore
2244 allow_ip if TRUE, recognize an IP address and return it
2245 fully_qualified_name if not NULL, return fully qualified name here if
2246 the contents are different (i.e. it must be preset
2247 to something)
2248 dnssec_request if TRUE request the AD bit
2249 dnssec_require if TRUE require the AD bit
2250 whichrrs select ipv4, ipv6 results
2251
2252 Returns: HOST_FIND_FAILED couldn't find A record
2253 HOST_FIND_AGAIN try again later
2254 HOST_FIND_SECURITY dnssec required but not acheived
2255 HOST_FOUND found AAAA and/or A record(s)
2256 HOST_IGNORED found, but all IPs ignored
2257 */
2258
2259 static int
set_address_from_dns(host_item * host,host_item ** lastptr,const uschar * ignore_target_hosts,BOOL allow_ip,const uschar ** fully_qualified_name,BOOL dnssec_request,BOOL dnssec_require,int whichrrs)2260 set_address_from_dns(host_item *host, host_item **lastptr,
2261 const uschar *ignore_target_hosts, BOOL allow_ip,
2262 const uschar **fully_qualified_name,
2263 BOOL dnssec_request, BOOL dnssec_require, int whichrrs)
2264 {
2265 host_item *thishostlast = NULL; /* Indicates not yet filled in anything */
2266 BOOL v6_find_again = FALSE;
2267 BOOL dnssec_fail = FALSE;
2268 int i;
2269 dns_answer * dnsa;
2270
2271 #ifndef DISABLE_TLS
2272 /* Copy the host name at this point to the value which is used for
2273 TLS certificate name checking, before any CNAME-following modifies it. */
2274
2275 host->certname = host->name;
2276 #endif
2277
2278 /* If allow_ip is set, a name which is an IP address returns that value
2279 as its address. This is used for MX records when allow_mx_to_ip is set, for
2280 those sites that feel they have to flaunt the RFC rules. */
2281
2282 if (allow_ip && string_is_ip_address(host->name, NULL) != 0)
2283 {
2284 #ifndef STAND_ALONE
2285 if ( ignore_target_hosts
2286 && verify_check_this_host(&ignore_target_hosts, NULL, host->name,
2287 host->name, NULL) == OK)
2288 return HOST_IGNORED;
2289 #endif
2290
2291 host->address = host->name;
2292 return HOST_FOUND;
2293 }
2294
2295 dnsa = store_get_dns_answer();
2296
2297 /* On an IPv6 system, unless IPv6 is disabled, go round the loop up to twice,
2298 looking for AAAA records the first time. However, unless doing standalone
2299 testing, we force an IPv4 lookup if the domain matches dns_ipv4_lookup global.
2300 On an IPv4 system, go round the loop once only, looking only for A records. */
2301
2302 #if HAVE_IPV6
2303 #ifndef STAND_ALONE
2304 if ( disable_ipv6
2305 || !(whichrrs & HOST_FIND_BY_AAAA)
2306 || dns_ipv4_lookup
2307 && match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0,
2308 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK
2309 )
2310 i = 0; /* look up A records only */
2311 else
2312 #endif /* STAND_ALONE */
2313
2314 i = 1; /* look up AAAA and A records */
2315
2316 /* The IPv4 world */
2317
2318 #else /* HAVE_IPV6 */
2319 i = 0; /* look up A records only */
2320 #endif /* HAVE_IPV6 */
2321
2322 for (; i >= 0; i--)
2323 {
2324 static int types[] = { T_A, T_AAAA };
2325 int type = types[i];
2326 int randoffset = i == (whichrrs & HOST_FIND_IPV4_FIRST ? 1 : 0)
2327 ? 500 : 0; /* Ensures v6/4 sort order */
2328 dns_scan dnss;
2329
2330 int rc = dns_lookup_timerwrap(dnsa, host->name, type, fully_qualified_name);
2331 lookup_dnssec_authenticated = !dnssec_request ? NULL
2332 : dns_is_secure(dnsa) ? US"yes" : US"no";
2333
2334 DEBUG(D_dns)
2335 if ( (dnssec_request || dnssec_require)
2336 && !dns_is_secure(dnsa)
2337 && dns_is_aa(dnsa)
2338 )
2339 debug_printf("DNS lookup of %.256s (A/AAAA) requested AD, but got AA\n", host->name);
2340
2341 /* We want to return HOST_FIND_AGAIN if one of the A or AAAA lookups
2342 fails or times out, but not if another one succeeds. (In the early
2343 IPv6 days there are name servers that always fail on AAAA, but are happy
2344 to give out an A record. We want to proceed with that A record.) */
2345
2346 if (rc != DNS_SUCCEED)
2347 {
2348 if (i == 0) /* Just tried for an A record, i.e. end of loop */
2349 {
2350 if (host->address != NULL)
2351 i = HOST_FOUND; /* AAAA was found */
2352 else if (rc == DNS_AGAIN || rc == DNS_FAIL || v6_find_again)
2353 i = HOST_FIND_AGAIN;
2354 else
2355 i = HOST_FIND_FAILED; /* DNS_NOMATCH or DNS_NODATA */
2356 goto out;
2357 }
2358
2359 /* Tried for an AAAA record: remember if this was a temporary
2360 error, and look for the next record type. */
2361
2362 if (rc != DNS_NOMATCH && rc != DNS_NODATA) v6_find_again = TRUE;
2363 continue;
2364 }
2365
2366 if (dnssec_request)
2367 {
2368 if (dns_is_secure(dnsa))
2369 {
2370 DEBUG(D_host_lookup) debug_printf("%s A DNSSEC\n", host->name);
2371 if (host->dnssec == DS_UNK) /* set in host_find_bydns() */
2372 host->dnssec = DS_YES;
2373 }
2374 else
2375 {
2376 if (dnssec_require)
2377 {
2378 dnssec_fail = TRUE;
2379 DEBUG(D_host_lookup) debug_printf("dnssec fail on %s for %.256s",
2380 i>0 ? "AAAA" : "A", host->name);
2381 continue;
2382 }
2383 if (host->dnssec == DS_YES) /* set in host_find_bydns() */
2384 {
2385 DEBUG(D_host_lookup) debug_printf("%s A cancel DNSSEC\n", host->name);
2386 host->dnssec = DS_NO;
2387 lookup_dnssec_authenticated = US"no";
2388 }
2389 }
2390 }
2391
2392 /* Lookup succeeded: fill in the given host item with the first non-ignored
2393 address found; create additional items for any others. A single A6 record
2394 may generate more than one address. The lookup had a chance to update the
2395 fqdn; we do not want any later times round the loop to do so. */
2396
2397 fully_qualified_name = NULL;
2398
2399 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2400 rr;
2401 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == type)
2402 {
2403 dns_address * da = dns_address_from_rr(dnsa, rr);
2404
2405 DEBUG(D_host_lookup)
2406 if (!da) debug_printf("no addresses extracted from A6 RR for %s\n",
2407 host->name);
2408
2409 /* This loop runs only once for A and AAAA records, but may run
2410 several times for an A6 record that generated multiple addresses. */
2411
2412 for (; da; da = da->next)
2413 {
2414 #ifndef STAND_ALONE
2415 if (ignore_target_hosts != NULL &&
2416 verify_check_this_host(&ignore_target_hosts, NULL,
2417 host->name, da->address, NULL) == OK)
2418 {
2419 DEBUG(D_host_lookup)
2420 debug_printf("ignored host %s [%s]\n", host->name, da->address);
2421 continue;
2422 }
2423 #endif
2424
2425 /* If this is the first address, stick it in the given host block,
2426 and change the name if the returned RR has a different name. */
2427
2428 if (thishostlast == NULL)
2429 {
2430 if (strcmpic(host->name, rr->name) != 0)
2431 host->name = string_copy_dnsdomain(rr->name);
2432 host->address = da->address;
2433 host->sort_key = host->mx * 1000 + random_number(500) + randoffset;
2434 host->status = hstatus_unknown;
2435 host->why = hwhy_unknown;
2436 thishostlast = host;
2437 }
2438
2439 /* Not the first address. Check for, and ignore, duplicates. Then
2440 insert in the chain at a random point. */
2441
2442 else
2443 {
2444 int new_sort_key;
2445 host_item *next;
2446
2447 /* End of our local chain is specified by "thishostlast". */
2448
2449 for (next = host;; next = next->next)
2450 {
2451 if (Ustrcmp(CS da->address, next->address) == 0) break;
2452 if (next == thishostlast) { next = NULL; break; }
2453 }
2454 if (next != NULL) continue; /* With loop for next address */
2455
2456 /* Not a duplicate */
2457
2458 new_sort_key = host->mx * 1000 + random_number(500) + randoffset;
2459 next = store_get(sizeof(host_item), FALSE);
2460
2461 /* New address goes first: insert the new block after the first one
2462 (so as not to disturb the original pointer) but put the new address
2463 in the original block. */
2464
2465 if (new_sort_key < host->sort_key)
2466 {
2467 *next = *host; /* Copies port */
2468 host->next = next;
2469 host->address = da->address;
2470 host->sort_key = new_sort_key;
2471 if (thishostlast == host) thishostlast = next; /* Local last */
2472 if (*lastptr == host) *lastptr = next; /* Global last */
2473 }
2474
2475 /* Otherwise scan down the addresses for this host to find the
2476 one to insert after. */
2477
2478 else
2479 {
2480 host_item *h = host;
2481 while (h != thishostlast)
2482 {
2483 if (new_sort_key < h->next->sort_key) break;
2484 h = h->next;
2485 }
2486 *next = *h; /* Copies port */
2487 h->next = next;
2488 next->address = da->address;
2489 next->sort_key = new_sort_key;
2490 if (h == thishostlast) thishostlast = next; /* Local last */
2491 if (h == *lastptr) *lastptr = next; /* Global last */
2492 }
2493 }
2494 }
2495 }
2496 }
2497
2498 /* Control gets here only if the second lookup (the A record) succeeded.
2499 However, the address may not be filled in if it was ignored. */
2500
2501 i = host->address
2502 ? HOST_FOUND
2503 : dnssec_fail
2504 ? HOST_FIND_SECURITY
2505 : HOST_IGNORED;
2506
2507 out:
2508 store_free_dns_answer(dnsa);
2509 return i;
2510 }
2511
2512
2513
2514
2515 /*************************************************
2516 * Find IP addresses and host names via DNS *
2517 *************************************************/
2518
2519 /* The input is a host_item structure with the name field filled in and the
2520 address field set to NULL. This may be in a chain of other host items. The
2521 lookup may result in more than one IP address, in which case we must created
2522 new host blocks for the additional addresses, and insert them into the chain.
2523 The original name may not be fully qualified. Use the fully_qualified_name
2524 argument to return the official name, as returned by the resolver.
2525
2526 Arguments:
2527 host point to initial host item
2528 ignore_target_hosts a list of hosts to ignore
2529 whichrrs flags indicating which RRs to look for:
2530 HOST_FIND_BY_SRV => look for SRV
2531 HOST_FIND_BY_MX => look for MX
2532 HOST_FIND_BY_A => look for A
2533 HOST_FIND_BY_AAAA => look for AAAA
2534 also flags indicating how the lookup is done
2535 HOST_FIND_QUALIFY_SINGLE ) passed to the
2536 HOST_FIND_SEARCH_PARENTS ) resolver
2537 HOST_FIND_IPV4_FIRST => reverse usual result ordering
2538 HOST_FIND_IPV4_ONLY => MX results elide ipv6
2539 srv_service when SRV used, the service name
2540 srv_fail_domains DNS errors for these domains => assume nonexist
2541 mx_fail_domains DNS errors for these domains => assume nonexist
2542 dnssec_d.request => make dnssec request: domainlist
2543 dnssec_d.require => ditto and nonexist failures
2544 fully_qualified_name if not NULL, return fully-qualified name
2545 removed set TRUE if local host was removed from the list
2546
2547 Returns: HOST_FIND_FAILED Failed to find the host or domain;
2548 if there was a syntax error,
2549 host_find_failed_syntax is set.
2550 HOST_FIND_AGAIN Could not resolve at this time
2551 HOST_FIND_SECURITY dnsssec required but not acheived
2552 HOST_FOUND Host found
2553 HOST_FOUND_LOCAL The lowest MX record points to this
2554 machine, if MX records were found, or
2555 an A record that was found contains
2556 an address of the local host
2557 */
2558
2559 int
host_find_bydns(host_item * host,const uschar * ignore_target_hosts,int whichrrs,uschar * srv_service,uschar * srv_fail_domains,uschar * mx_fail_domains,const dnssec_domains * dnssec_d,const uschar ** fully_qualified_name,BOOL * removed)2560 host_find_bydns(host_item *host, const uschar *ignore_target_hosts, int whichrrs,
2561 uschar *srv_service, uschar *srv_fail_domains, uschar *mx_fail_domains,
2562 const dnssec_domains *dnssec_d,
2563 const uschar **fully_qualified_name, BOOL *removed)
2564 {
2565 host_item *h, *last;
2566 int rc = DNS_FAIL;
2567 int ind_type = 0;
2568 int yield;
2569 dns_answer * dnsa = store_get_dns_answer();
2570 dns_scan dnss;
2571 BOOL dnssec_require = dnssec_d
2572 && match_isinlist(host->name, CUSS &dnssec_d->require,
2573 0, &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK;
2574 BOOL dnssec_request = dnssec_require
2575 || ( dnssec_d
2576 && match_isinlist(host->name, CUSS &dnssec_d->request,
2577 0, &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK);
2578 dnssec_status_t dnssec;
2579
2580 /* Set the default fully qualified name to the incoming name, initialize the
2581 resolver if necessary, set up the relevant options, and initialize the flag
2582 that gets set for DNS syntax check errors. */
2583
2584 if (fully_qualified_name != NULL) *fully_qualified_name = host->name;
2585 dns_init((whichrrs & HOST_FIND_QUALIFY_SINGLE) != 0,
2586 (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0,
2587 dnssec_request);
2588 f.host_find_failed_syntax = FALSE;
2589
2590 /* First, if requested, look for SRV records. The service name is given; we
2591 assume TCP protocol. DNS domain names are constrained to a maximum of 256
2592 characters, so the code below should be safe. */
2593
2594 if (whichrrs & HOST_FIND_BY_SRV)
2595 {
2596 gstring * g;
2597 uschar * temp_fully_qualified_name;
2598 int prefix_length;
2599
2600 g = string_fmt_append(NULL, "_%s._tcp.%n%.256s",
2601 srv_service, &prefix_length, host->name);
2602 temp_fully_qualified_name = string_from_gstring(g);
2603 ind_type = T_SRV;
2604
2605 /* Search for SRV records. If the fully qualified name is different to
2606 the input name, pass back the new original domain, without the prepended
2607 magic. */
2608
2609 dnssec = DS_UNK;
2610 lookup_dnssec_authenticated = NULL;
2611 rc = dns_lookup_timerwrap(dnsa, temp_fully_qualified_name, ind_type,
2612 CUSS &temp_fully_qualified_name);
2613
2614 DEBUG(D_dns)
2615 if ((dnssec_request || dnssec_require)
2616 && !dns_is_secure(dnsa)
2617 && dns_is_aa(dnsa))
2618 debug_printf("DNS lookup of %.256s (SRV) requested AD, but got AA\n", host->name);
2619
2620 if (dnssec_request)
2621 {
2622 if (dns_is_secure(dnsa))
2623 { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; }
2624 else
2625 { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; }
2626 }
2627
2628 if (temp_fully_qualified_name != g->s && fully_qualified_name != NULL)
2629 *fully_qualified_name = temp_fully_qualified_name + prefix_length;
2630
2631 /* On DNS failures, we give the "try again" error unless the domain is
2632 listed as one for which we continue. */
2633
2634 if (rc == DNS_SUCCEED && dnssec_require && !dns_is_secure(dnsa))
2635 {
2636 log_write(L_host_lookup_failed, LOG_MAIN,
2637 "dnssec fail on SRV for %.256s", host->name);
2638 rc = DNS_FAIL;
2639 }
2640 if (rc == DNS_FAIL || rc == DNS_AGAIN)
2641 {
2642 #ifndef STAND_ALONE
2643 if (match_isinlist(host->name, CUSS &srv_fail_domains, 0,
2644 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) != OK)
2645 #endif
2646 { yield = HOST_FIND_AGAIN; goto out; }
2647 DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA "
2648 "(domain in srv_fail_domains)\n", rc == DNS_FAIL ? "FAIL":"AGAIN");
2649 }
2650 }
2651
2652 /* If we did not find any SRV records, search the DNS for MX records, if
2653 requested to do so. If the result is DNS_NOMATCH, it means there is no such
2654 domain, and there's no point in going on to look for address records with the
2655 same domain. The result will be DNS_NODATA if the domain exists but has no MX
2656 records. On DNS failures, we give the "try again" error unless the domain is
2657 listed as one for which we continue. */
2658
2659 if (rc != DNS_SUCCEED && whichrrs & HOST_FIND_BY_MX)
2660 {
2661 ind_type = T_MX;
2662 dnssec = DS_UNK;
2663 lookup_dnssec_authenticated = NULL;
2664 rc = dns_lookup_timerwrap(dnsa, host->name, ind_type, fully_qualified_name);
2665
2666 DEBUG(D_dns)
2667 if ( (dnssec_request || dnssec_require)
2668 && !dns_is_secure(dnsa)
2669 && dns_is_aa(dnsa))
2670 debug_printf("DNS lookup of %.256s (MX) requested AD, but got AA\n", host->name);
2671
2672 if (dnssec_request)
2673 if (dns_is_secure(dnsa))
2674 {
2675 DEBUG(D_host_lookup) debug_printf("%s (MX resp) DNSSEC\n", host->name);
2676 dnssec = DS_YES; lookup_dnssec_authenticated = US"yes";
2677 }
2678 else
2679 {
2680 dnssec = DS_NO; lookup_dnssec_authenticated = US"no";
2681 }
2682
2683 switch (rc)
2684 {
2685 case DNS_NOMATCH:
2686 yield = HOST_FIND_FAILED; goto out;
2687
2688 case DNS_SUCCEED:
2689 if (!dnssec_require || dns_is_secure(dnsa))
2690 break;
2691 DEBUG(D_host_lookup)
2692 debug_printf("dnssec fail on MX for %.256s", host->name);
2693 #ifndef STAND_ALONE
2694 if (match_isinlist(host->name, CUSS &mx_fail_domains, 0,
2695 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) != OK)
2696 { yield = HOST_FIND_SECURITY; goto out; }
2697 #endif
2698 rc = DNS_FAIL;
2699 /*FALLTHROUGH*/
2700
2701 case DNS_FAIL:
2702 case DNS_AGAIN:
2703 #ifndef STAND_ALONE
2704 if (match_isinlist(host->name, CUSS &mx_fail_domains, 0,
2705 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) != OK)
2706 #endif
2707 { yield = HOST_FIND_AGAIN; goto out; }
2708 DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA "
2709 "(domain in mx_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN");
2710 break;
2711 }
2712 }
2713
2714 /* If we haven't found anything yet, and we are requested to do so, try for an
2715 A or AAAA record. If we find it (or them) check to see that it isn't the local
2716 host. */
2717
2718 if (rc != DNS_SUCCEED)
2719 {
2720 if (!(whichrrs & (HOST_FIND_BY_A | HOST_FIND_BY_AAAA)))
2721 {
2722 DEBUG(D_host_lookup) debug_printf("Address records are not being sought\n");
2723 yield = HOST_FIND_FAILED;
2724 goto out;
2725 }
2726
2727 last = host; /* End of local chainlet */
2728 host->mx = MX_NONE;
2729 host->port = PORT_NONE;
2730 host->dnssec = DS_UNK;
2731 lookup_dnssec_authenticated = NULL;
2732 rc = set_address_from_dns(host, &last, ignore_target_hosts, FALSE,
2733 fully_qualified_name, dnssec_request, dnssec_require, whichrrs);
2734
2735 /* If one or more address records have been found, check that none of them
2736 are local. Since we know the host items all have their IP addresses
2737 inserted, host_scan_for_local_hosts() can only return HOST_FOUND or
2738 HOST_FOUND_LOCAL. We do not need to scan for duplicate IP addresses here,
2739 because set_address_from_dns() removes them. */
2740
2741 if (rc == HOST_FOUND)
2742 rc = host_scan_for_local_hosts(host, &last, removed);
2743 else
2744 if (rc == HOST_IGNORED) rc = HOST_FIND_FAILED; /* No special action */
2745
2746 DEBUG(D_host_lookup)
2747 if (host->address)
2748 {
2749 if (fully_qualified_name)
2750 debug_printf("fully qualified name = %s\n", *fully_qualified_name);
2751 for (host_item * h = host; h != last->next; h = h->next)
2752 debug_printf("%s %s mx=%d sort=%d %s\n", h->name,
2753 h->address ? h->address : US"<null>", h->mx, h->sort_key,
2754 h->status >= hstatus_unusable ? US"*" : US"");
2755 }
2756
2757 yield = rc;
2758 goto out;
2759 }
2760
2761 /* We have found one or more MX or SRV records. Sort them according to
2762 precedence. Put the data for the first one into the existing host block, and
2763 insert new host_item blocks into the chain for the remainder. For equal
2764 precedences one is supposed to randomize the order. To make this happen, the
2765 sorting is actually done on the MX value * 1000 + a random number. This is put
2766 into a host field called sort_key.
2767
2768 In the case of hosts with both IPv6 and IPv4 addresses, we want to choose the
2769 IPv6 address in preference. At this stage, we don't know what kind of address
2770 the host has. We choose a random number < 500; if later we find an A record
2771 first, we add 500 to the random number. Then for any other address records, we
2772 use random numbers in the range 0-499 for AAAA records and 500-999 for A
2773 records.
2774
2775 At this point we remove any duplicates that point to the same host, retaining
2776 only the one with the lowest precedence. We cannot yet check for precedence
2777 greater than that of the local host, because that test cannot be properly done
2778 until the addresses have been found - an MX record may point to a name for this
2779 host which is not the primary hostname. */
2780
2781 last = NULL; /* Indicates that not even the first item is filled yet */
2782
2783 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2784 rr;
2785 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == ind_type)
2786 {
2787 int precedence, weight;
2788 int port = PORT_NONE;
2789 const uschar * s = rr->data; /* MUST be unsigned for GETSHORT */
2790 uschar data[256];
2791
2792 GETSHORT(precedence, s); /* Pointer s is advanced */
2793
2794 /* For MX records, we use a random "weight" which causes multiple records of
2795 the same precedence to sort randomly. */
2796
2797 if (ind_type == T_MX)
2798 weight = random_number(500);
2799 else
2800 {
2801 /* SRV records are specified with a port and a weight. The weight is used
2802 in a special algorithm. However, to start with, we just use it to order the
2803 records of equal priority (precedence). */
2804 GETSHORT(weight, s);
2805 GETSHORT(port, s);
2806 }
2807
2808 /* Get the name of the host pointed to. */
2809
2810 (void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
2811 (DN_EXPAND_ARG4_TYPE)data, sizeof(data));
2812
2813 /* Check that we haven't already got this host on the chain; if we have,
2814 keep only the lower precedence. This situation shouldn't occur, but you
2815 never know what junk might get into the DNS (and this case has been seen on
2816 more than one occasion). */
2817
2818 if (last) /* This is not the first record */
2819 {
2820 host_item *prev = NULL;
2821
2822 for (h = host; h != last->next; prev = h, h = h->next)
2823 if (strcmpic(h->name, data) == 0)
2824 {
2825 DEBUG(D_host_lookup)
2826 debug_printf("discarded duplicate host %s (MX=%d)\n", data,
2827 precedence > h->mx ? precedence : h->mx);
2828 if (precedence >= h->mx) goto NEXT_MX_RR; /* Skip greater precedence */
2829 if (h == host) /* Override first item */
2830 {
2831 h->mx = precedence;
2832 host->sort_key = precedence * 1000 + weight;
2833 goto NEXT_MX_RR;
2834 }
2835
2836 /* Unwanted host item is not the first in the chain, so we can get
2837 get rid of it by cutting it out. */
2838
2839 prev->next = h->next;
2840 if (h == last) last = prev;
2841 break;
2842 }
2843 }
2844
2845 /* If this is the first MX or SRV record, put the data into the existing host
2846 block. Otherwise, add a new block in the correct place; if it has to be
2847 before the first block, copy the first block's data to a new second block. */
2848
2849 if (!last)
2850 {
2851 host->name = string_copy_dnsdomain(data);
2852 host->address = NULL;
2853 host->port = port;
2854 host->mx = precedence;
2855 host->sort_key = precedence * 1000 + weight;
2856 host->status = hstatus_unknown;
2857 host->why = hwhy_unknown;
2858 host->dnssec = dnssec;
2859 last = host;
2860 }
2861 else
2862
2863 /* Make a new host item and seek the correct insertion place */
2864 {
2865 int sort_key = precedence * 1000 + weight;
2866 host_item *next = store_get(sizeof(host_item), FALSE);
2867 next->name = string_copy_dnsdomain(data);
2868 next->address = NULL;
2869 next->port = port;
2870 next->mx = precedence;
2871 next->sort_key = sort_key;
2872 next->status = hstatus_unknown;
2873 next->why = hwhy_unknown;
2874 next->dnssec = dnssec;
2875 next->last_try = 0;
2876
2877 /* Handle the case when we have to insert before the first item. */
2878
2879 if (sort_key < host->sort_key)
2880 {
2881 host_item htemp;
2882 htemp = *host;
2883 *host = *next;
2884 *next = htemp;
2885 host->next = next;
2886 if (last == host) last = next;
2887 }
2888 else
2889
2890 /* Else scan down the items we have inserted as part of this exercise;
2891 don't go further. */
2892 {
2893 for (h = host; h != last; h = h->next)
2894 if (sort_key < h->next->sort_key)
2895 {
2896 next->next = h->next;
2897 h->next = next;
2898 break;
2899 }
2900
2901 /* Join on after the last host item that's part of this
2902 processing if we haven't stopped sooner. */
2903
2904 if (h == last)
2905 {
2906 next->next = last->next;
2907 last->next = next;
2908 last = next;
2909 }
2910 }
2911 }
2912
2913 NEXT_MX_RR: continue;
2914 }
2915
2916 if (!last) /* No rr of correct type; give up */
2917 {
2918 yield = HOST_FIND_FAILED;
2919 goto out;
2920 }
2921
2922 /* If the list of hosts was obtained from SRV records, there are two things to
2923 do. First, if there is only one host, and it's name is ".", it means there is
2924 no SMTP service at this domain. Otherwise, we have to sort the hosts of equal
2925 priority according to their weights, using an algorithm that is defined in RFC
2926 2782. The hosts are currently sorted by priority and weight. For each priority
2927 group we have to pick off one host and put it first, and then repeat for any
2928 remaining in the same priority group. */
2929
2930 if (ind_type == T_SRV)
2931 {
2932 host_item ** pptr;
2933
2934 if (host == last && host->name[0] == 0)
2935 {
2936 DEBUG(D_host_lookup) debug_printf("the single SRV record is \".\"\n");
2937 yield = HOST_FIND_FAILED;
2938 goto out;
2939 }
2940
2941 DEBUG(D_host_lookup)
2942 {
2943 debug_printf("original ordering of hosts from SRV records:\n");
2944 for (h = host; h != last->next; h = h->next)
2945 debug_printf(" %s P=%d W=%d\n", h->name, h->mx, h->sort_key % 1000);
2946 }
2947
2948 for (pptr = &host, h = host; h != last; pptr = &h->next, h = h->next)
2949 {
2950 int sum = 0;
2951 host_item *hh;
2952
2953 /* Find the last following host that has the same precedence. At the same
2954 time, compute the sum of the weights and the running totals. These can be
2955 stored in the sort_key field. */
2956
2957 for (hh = h; hh != last; hh = hh->next)
2958 {
2959 int weight = hh->sort_key % 1000; /* was precedence * 1000 + weight */
2960 sum += weight;
2961 hh->sort_key = sum;
2962 if (hh->mx != hh->next->mx) break;
2963 }
2964
2965 /* If there's more than one host at this precedence (priority), we need to
2966 pick one to go first. */
2967
2968 if (hh != h)
2969 {
2970 host_item *hhh;
2971 host_item **ppptr;
2972 int randomizer = random_number(sum + 1);
2973
2974 for (ppptr = pptr, hhh = h;
2975 hhh != hh;
2976 ppptr = &hhh->next, hhh = hhh->next)
2977 if (hhh->sort_key >= randomizer)
2978 break;
2979
2980 /* hhh now points to the host that should go first; ppptr points to the
2981 place that points to it. Unfortunately, if the start of the minilist is
2982 the start of the entire list, we can't just swap the items over, because
2983 we must not change the value of host, since it is passed in from outside.
2984 One day, this could perhaps be changed.
2985
2986 The special case is fudged by putting the new item *second* in the chain,
2987 and then transferring the data between the first and second items. We
2988 can't just swap the first and the chosen item, because that would mean
2989 that an item with zero weight might no longer be first. */
2990
2991 if (hhh != h)
2992 {
2993 *ppptr = hhh->next; /* Cuts it out of the chain */
2994
2995 if (h == host)
2996 {
2997 host_item temp = *h;
2998 *h = *hhh;
2999 *hhh = temp;
3000 hhh->next = temp.next;
3001 h->next = hhh;
3002 }
3003 else
3004 {
3005 hhh->next = h; /* The rest of the chain follows it */
3006 *pptr = hhh; /* It takes the place of h */
3007 h = hhh; /* It's now the start of this minilist */
3008 }
3009 }
3010 }
3011
3012 /* A host has been chosen to be first at this priority and h now points
3013 to this host. There may be others at the same priority, or others at a
3014 different priority. Before we leave this host, we need to put back a sort
3015 key of the traditional MX kind, in case this host is multihomed, because
3016 the sort key is used for ordering the multiple IP addresses. We do not need
3017 to ensure that these new sort keys actually reflect the order of the hosts,
3018 however. */
3019
3020 h->sort_key = h->mx * 1000 + random_number(500);
3021 } /* Move on to the next host */
3022 }
3023
3024 /* Now we have to find IP addresses for all the hosts. We have ensured above
3025 that the names in all the host items are unique. Before release 4.61 we used to
3026 process records from the additional section in the DNS packet that returned the
3027 MX or SRV records. However, a DNS name server is free to drop any resource
3028 records from the additional section. In theory, this has always been a
3029 potential problem, but it is exacerbated by the advent of IPv6. If a host had
3030 several IPv4 addresses and some were not in the additional section, at least
3031 Exim would try the others. However, if a host had both IPv4 and IPv6 addresses
3032 and all the IPv4 (say) addresses were absent, Exim would try only for a IPv6
3033 connection, and never try an IPv4 address. When there was only IPv4
3034 connectivity, this was a disaster that did in practice occur.
3035
3036 So, from release 4.61 onwards, we always search for A and AAAA records
3037 explicitly. The names shouldn't point to CNAMES, but we use the general lookup
3038 function that handles them, just in case. If any lookup gives a soft error,
3039 change the default yield.
3040
3041 For these DNS lookups, we must disable qualify_single and search_parents;
3042 otherwise invalid host names obtained from MX or SRV records can cause trouble
3043 if they happen to match something local. */
3044
3045 yield = HOST_FIND_FAILED; /* Default yield */
3046 dns_init(FALSE, FALSE, /* Disable qualify_single and search_parents */
3047 dnssec_request || dnssec_require);
3048
3049 for (h = host; h != last->next; h = h->next)
3050 {
3051 if (h->address) continue; /* Inserted by a multihomed host */
3052
3053 rc = set_address_from_dns(h, &last, ignore_target_hosts, allow_mx_to_ip,
3054 NULL, dnssec_request, dnssec_require,
3055 whichrrs & HOST_FIND_IPV4_ONLY
3056 ? HOST_FIND_BY_A : HOST_FIND_BY_A | HOST_FIND_BY_AAAA);
3057 if (rc != HOST_FOUND)
3058 {
3059 h->status = hstatus_unusable;
3060 switch (rc)
3061 {
3062 case HOST_FIND_AGAIN: yield = rc; h->why = hwhy_deferred; break;
3063 case HOST_FIND_SECURITY: yield = rc; h->why = hwhy_insecure; break;
3064 case HOST_IGNORED: h->why = hwhy_ignored; break;
3065 default: h->why = hwhy_failed; break;
3066 }
3067 }
3068 }
3069
3070 /* Scan the list for any hosts that are marked unusable because they have
3071 been explicitly ignored, and remove them from the list, as if they did not
3072 exist. If we end up with just a single, ignored host, flatten its fields as if
3073 nothing was found. */
3074
3075 if (ignore_target_hosts)
3076 {
3077 host_item *prev = NULL;
3078 for (h = host; h != last->next; h = h->next)
3079 {
3080 REDO:
3081 if (h->why != hwhy_ignored) /* Non ignored host, just continue */
3082 prev = h;
3083 else if (prev == NULL) /* First host is ignored */
3084 {
3085 if (h != last) /* First is not last */
3086 {
3087 if (h->next == last) last = h; /* Overwrite it with next */
3088 *h = *(h->next); /* and reprocess it. */
3089 goto REDO; /* C should have redo, like Perl */
3090 }
3091 }
3092 else /* Ignored host is not first - */
3093 { /* cut it out */
3094 prev->next = h->next;
3095 if (h == last) last = prev;
3096 }
3097 }
3098
3099 if (host->why == hwhy_ignored) host->address = NULL;
3100 }
3101
3102 /* There is still one complication in the case of IPv6. Although the code above
3103 arranges that IPv6 addresses take precedence over IPv4 addresses for multihomed
3104 hosts, it doesn't do this for addresses that apply to different hosts with the
3105 same MX precedence, because the sorting on MX precedence happens first. So we
3106 have to make another pass to check for this case. We ensure that, within a
3107 single MX preference value, IPv6 addresses come first. This can separate the
3108 addresses of a multihomed host, but that should not matter. */
3109
3110 #if HAVE_IPV6
3111 if (h != last && !disable_ipv6) for (h = host; h != last; h = h->next)
3112 {
3113 host_item temp;
3114 host_item *next = h->next;
3115
3116 if ( h->mx != next->mx /* If next is different MX */
3117 || !h->address /* OR this one is unset */
3118 )
3119 continue; /* move on to next */
3120
3121 if ( whichrrs & HOST_FIND_IPV4_FIRST
3122 ? !Ustrchr(h->address, ':') /* OR this one is IPv4 */
3123 || next->address
3124 && Ustrchr(next->address, ':') /* OR next is IPv6 */
3125
3126 : Ustrchr(h->address, ':') /* OR this one is IPv6 */
3127 || next->address
3128 && !Ustrchr(next->address, ':') /* OR next is IPv4 */
3129 )
3130 continue; /* move on to next */
3131
3132 temp = *h; /* otherwise, swap */
3133 temp.next = next->next;
3134 *h = *next;
3135 h->next = next;
3136 *next = temp;
3137 }
3138 #endif
3139
3140 /* Remove any duplicate IP addresses and then scan the list of hosts for any
3141 whose IP addresses are on the local host. If any are found, all hosts with the
3142 same or higher MX values are removed. However, if the local host has the lowest
3143 numbered MX, then HOST_FOUND_LOCAL is returned. Otherwise, if at least one host
3144 with an IP address is on the list, HOST_FOUND is returned. Otherwise,
3145 HOST_FIND_FAILED is returned, but in this case do not update the yield, as it
3146 might have been set to HOST_FIND_AGAIN just above here. If not, it will already
3147 be HOST_FIND_FAILED. */
3148
3149 host_remove_duplicates(host, &last);
3150 rc = host_scan_for_local_hosts(host, &last, removed);
3151 if (rc != HOST_FIND_FAILED) yield = rc;
3152
3153 DEBUG(D_host_lookup)
3154 {
3155 if (fully_qualified_name)
3156 debug_printf("fully qualified name = %s\n", *fully_qualified_name);
3157 debug_printf("host_find_bydns yield = %s (%d); returned hosts:\n",
3158 yield == HOST_FOUND ? "HOST_FOUND" :
3159 yield == HOST_FOUND_LOCAL ? "HOST_FOUND_LOCAL" :
3160 yield == HOST_FIND_SECURITY ? "HOST_FIND_SECURITY" :
3161 yield == HOST_FIND_AGAIN ? "HOST_FIND_AGAIN" :
3162 yield == HOST_FIND_FAILED ? "HOST_FIND_FAILED" : "?",
3163 yield);
3164 for (h = host; h != last->next; h = h->next)
3165 {
3166 debug_printf(" %s %s MX=%d %s", h->name,
3167 !h->address ? US"<null>" : h->address, h->mx,
3168 h->dnssec == DS_YES ? US"DNSSEC " : US"");
3169 if (h->port != PORT_NONE) debug_printf("port=%d ", h->port);
3170 if (h->status >= hstatus_unusable) debug_printf("*");
3171 debug_printf("\n");
3172 }
3173 }
3174
3175 out:
3176
3177 dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */
3178 store_free_dns_answer(dnsa);
3179 return yield;
3180 }
3181
3182
3183
3184
3185 #ifdef SUPPORT_DANE
3186 /* Lookup TLSA record for host/port.
3187 Return: OK success with dnssec; DANE mode
3188 DEFER Do not use this host now, may retry later
3189 FAIL_FORCED No TLSA record; DANE not usable
3190 FAIL Do not use this connection
3191 */
3192
3193 int
tlsa_lookup(const host_item * host,dns_answer * dnsa,BOOL dane_required)3194 tlsa_lookup(const host_item * host, dns_answer * dnsa, BOOL dane_required)
3195 {
3196 uschar buffer[300];
3197 const uschar * fullname = buffer;
3198 int rc;
3199 BOOL sec;
3200
3201 /* TLSA lookup string */
3202 (void)sprintf(CS buffer, "_%d._tcp.%.256s", host->port, host->name);
3203
3204 rc = dns_lookup_timerwrap(dnsa, buffer, T_TLSA, &fullname);
3205 sec = dns_is_secure(dnsa);
3206 DEBUG(D_transport)
3207 debug_printf("TLSA lookup ret %s %sDNSSEC\n", dns_rc_names[rc], sec ? "" : "not ");
3208
3209 switch (rc)
3210 {
3211 case DNS_AGAIN:
3212 return DEFER; /* just defer this TLS'd conn */
3213
3214 case DNS_SUCCEED:
3215 if (sec)
3216 {
3217 DEBUG(D_transport)
3218 {
3219 dns_scan dnss;
3220 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
3221 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
3222 if (rr->type == T_TLSA && rr->size > 3)
3223 {
3224 uint16_t payload_length = rr->size - 3;
3225 uschar s[MAX_TLSA_EXPANDED_SIZE], * sp = s, * p = US rr->data;
3226
3227 sp += sprintf(CS sp, "%d ", *p++); /* usage */
3228 sp += sprintf(CS sp, "%d ", *p++); /* selector */
3229 sp += sprintf(CS sp, "%d ", *p++); /* matchtype */
3230 while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
3231 sp += sprintf(CS sp, "%02x", *p++);
3232
3233 debug_printf(" %s\n", s);
3234 }
3235 }
3236 return OK;
3237 }
3238 log_write(0, LOG_MAIN,
3239 "DANE error: TLSA lookup for %s not DNSSEC", host->name);
3240 /*FALLTRHOUGH*/
3241
3242 case DNS_NODATA: /* no TLSA RR for this lookup */
3243 case DNS_NOMATCH: /* no records at all for this lookup */
3244 return dane_required ? FAIL : FAIL_FORCED;
3245
3246 default:
3247 case DNS_FAIL:
3248 return dane_required ? FAIL : DEFER;
3249 }
3250 }
3251 #endif /*SUPPORT_DANE*/
3252
3253
3254
3255 /*************************************************
3256 **************************************************
3257 * Stand-alone test program *
3258 **************************************************
3259 *************************************************/
3260
3261 #ifdef STAND_ALONE
3262
main(int argc,char ** cargv)3263 int main(int argc, char **cargv)
3264 {
3265 host_item h;
3266 int whichrrs = HOST_FIND_BY_MX | HOST_FIND_BY_A | HOST_FIND_BY_AAAA;
3267 BOOL byname = FALSE;
3268 BOOL qualify_single = TRUE;
3269 BOOL search_parents = FALSE;
3270 BOOL request_dnssec = FALSE;
3271 BOOL require_dnssec = FALSE;
3272 uschar **argv = USS cargv;
3273 uschar buffer[256];
3274
3275 disable_ipv6 = FALSE;
3276 primary_hostname = US"";
3277 store_init();
3278 store_pool = POOL_MAIN;
3279 debug_selector = D_host_lookup|D_interface;
3280 debug_file = stdout;
3281 debug_fd = fileno(debug_file);
3282
3283 printf("Exim stand-alone host functions test\n");
3284
3285 host_find_interfaces();
3286 debug_selector = D_host_lookup | D_dns;
3287
3288 if (argc > 1) primary_hostname = argv[1];
3289
3290 /* So that debug level changes can be done first */
3291
3292 dns_init(qualify_single, search_parents, FALSE);
3293
3294 printf("Testing host lookup\n");
3295 printf("> ");
3296 while (Ufgets(buffer, 256, stdin) != NULL)
3297 {
3298 int rc;
3299 int len = Ustrlen(buffer);
3300 uschar *fully_qualified_name;
3301
3302 while (len > 0 && isspace(buffer[len-1])) len--;
3303 buffer[len] = 0;
3304
3305 if (Ustrcmp(buffer, "q") == 0) break;
3306
3307 if (Ustrcmp(buffer, "byname") == 0) byname = TRUE;
3308 else if (Ustrcmp(buffer, "no_byname") == 0) byname = FALSE;
3309 else if (Ustrcmp(buffer, "a_only") == 0) whichrrs = HOST_FIND_BY_A | HOST_FIND_BY_AAAA;
3310 else if (Ustrcmp(buffer, "mx_only") == 0) whichrrs = HOST_FIND_BY_MX;
3311 else if (Ustrcmp(buffer, "srv_only") == 0) whichrrs = HOST_FIND_BY_SRV;
3312 else if (Ustrcmp(buffer, "srv+a") == 0)
3313 whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_A | HOST_FIND_BY_AAAA;
3314 else if (Ustrcmp(buffer, "srv+mx") == 0)
3315 whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX;
3316 else if (Ustrcmp(buffer, "srv+mx+a") == 0)
3317 whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX | HOST_FIND_BY_A | HOST_FIND_BY_AAAA;
3318 else if (Ustrcmp(buffer, "qualify_single") == 0) qualify_single = TRUE;
3319 else if (Ustrcmp(buffer, "no_qualify_single") == 0) qualify_single = FALSE;
3320 else if (Ustrcmp(buffer, "search_parents") == 0) search_parents = TRUE;
3321 else if (Ustrcmp(buffer, "no_search_parents") == 0) search_parents = FALSE;
3322 else if (Ustrcmp(buffer, "request_dnssec") == 0) request_dnssec = TRUE;
3323 else if (Ustrcmp(buffer, "no_request_dnssec") == 0) request_dnssec = FALSE;
3324 else if (Ustrcmp(buffer, "require_dnssec") == 0) require_dnssec = TRUE;
3325 else if (Ustrcmp(buffer, "no_require_dnssec") == 0) require_dnssec = FALSE;
3326 else if (Ustrcmp(buffer, "test_harness") == 0)
3327 f.running_in_test_harness = !f.running_in_test_harness;
3328 else if (Ustrcmp(buffer, "ipv6") == 0) disable_ipv6 = !disable_ipv6;
3329 else if (Ustrcmp(buffer, "res_debug") == 0)
3330 {
3331 _res.options ^= RES_DEBUG;
3332 }
3333 else if (Ustrncmp(buffer, "retrans", 7) == 0)
3334 {
3335 (void)sscanf(CS(buffer+8), "%d", &dns_retrans);
3336 _res.retrans = dns_retrans;
3337 }
3338 else if (Ustrncmp(buffer, "retry", 5) == 0)
3339 {
3340 (void)sscanf(CS(buffer+6), "%d", &dns_retry);
3341 _res.retry = dns_retry;
3342 }
3343 else
3344 {
3345 int flags = whichrrs;
3346 dnssec_domains d;
3347
3348 h.name = buffer;
3349 h.next = NULL;
3350 h.mx = MX_NONE;
3351 h.port = PORT_NONE;
3352 h.status = hstatus_unknown;
3353 h.why = hwhy_unknown;
3354 h.address = NULL;
3355
3356 if (qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
3357 if (search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
3358
3359 d.request = request_dnssec ? &h.name : NULL;
3360 d.require = require_dnssec ? &h.name : NULL;
3361
3362 rc = byname
3363 ? host_find_byname(&h, NULL, flags, &fully_qualified_name, TRUE)
3364 : host_find_bydns(&h, NULL, flags, US"smtp", NULL, NULL,
3365 &d, &fully_qualified_name, NULL);
3366
3367 switch (rc)
3368 {
3369 case HOST_FIND_FAILED: printf("Failed\n"); break;
3370 case HOST_FIND_AGAIN: printf("Again\n"); break;
3371 case HOST_FIND_SECURITY: printf("Security\n"); break;
3372 case HOST_FOUND_LOCAL: printf("Local\n"); break;
3373 }
3374 }
3375
3376 printf("\n> ");
3377 }
3378
3379 printf("Testing host_aton\n");
3380 printf("> ");
3381 while (Ufgets(buffer, 256, stdin) != NULL)
3382 {
3383 int x[4];
3384 int len = Ustrlen(buffer);
3385
3386 while (len > 0 && isspace(buffer[len-1])) len--;
3387 buffer[len] = 0;
3388
3389 if (Ustrcmp(buffer, "q") == 0) break;
3390
3391 len = host_aton(buffer, x);
3392 printf("length = %d ", len);
3393 for (int i = 0; i < len; i++)
3394 {
3395 printf("%04x ", (x[i] >> 16) & 0xffff);
3396 printf("%04x ", x[i] & 0xffff);
3397 }
3398 printf("\n> ");
3399 }
3400
3401 printf("\n");
3402
3403 printf("Testing host_name_lookup\n");
3404 printf("> ");
3405 while (Ufgets(buffer, 256, stdin) != NULL)
3406 {
3407 int len = Ustrlen(buffer);
3408 while (len > 0 && isspace(buffer[len-1])) len--;
3409 buffer[len] = 0;
3410 if (Ustrcmp(buffer, "q") == 0) break;
3411 sender_host_address = buffer;
3412 sender_host_name = NULL;
3413 sender_host_aliases = NULL;
3414 host_lookup_msg = US"";
3415 host_lookup_failed = FALSE;
3416 if (host_name_lookup() == FAIL) /* Debug causes printing */
3417 printf("Lookup failed:%s\n", host_lookup_msg);
3418 printf("\n> ");
3419 }
3420
3421 printf("\n");
3422
3423 return 0;
3424 }
3425 #endif /* STAND_ALONE */
3426
3427 /* vi: aw ai sw=2
3428 */
3429 /* End of host.c */
3430