X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Fverify.c;h=5d0551e89c5ea8ac87c75eb37b6c68955b69ed32;hb=49e56fb37f587bf0e69d2fbe76fa0793f898c26f;hp=a4a4c49432e355a5694770837543982220844d12;hpb=66387a737208e277990b0cbfe58db3db419f34b2;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/src/src/verify.c b/src/src/verify.c index a4a4c4943..5d0551e89 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2017 */ +/* Copyright (c) University of Cambridge 1995 - 2018 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions concerned with verifying things. The original code for callout @@ -196,6 +196,7 @@ else case ccache_accept: HDEBUG(D_verify) debug_printf("callout cache: domain accepts random addresses\n"); + *failure_ptr = US"random"; dbfn_close(dbm_file); return TRUE; /* Default yield is OK */ @@ -787,7 +788,7 @@ tls_retry_connection: The sync_responses() would need to be taught about it and we'd need another return code filtering out to here. - Avoid using a SIZE option on the MAIL for all randon-rcpt checks. + Avoid using a SIZE option on the MAIL for all random-rcpt checks. */ sx.avoid_option = OPTION_SIZE; @@ -802,6 +803,7 @@ tls_retry_connection: new_domain_record.random_result = ccache_accept; yield = OK; /* Only usable verify result we can return */ done = TRUE; + *failure_ptr = US"random"; goto no_conn; case FAIL: /* rejected: the preferred result */ new_domain_record.random_result = ccache_reject; @@ -821,7 +823,7 @@ tls_retry_connection: debug_printf_indent("problem after random/rset/mfrom; reopen conn\n"); random_local_part = NULL; #ifdef SUPPORT_TLS - tls_close(FALSE, TRUE); + tls_close(FALSE, TLS_SHUTDOWN_NOWAIT); #endif HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP(close)>>\n"); (void)close(sx.inblock.sock); @@ -1026,6 +1028,29 @@ no_conn: here is where we want to leave the conn open. Ditto for a lazy-close verify. */ + if (cutthrough.delivery) + { + if (addr->transport->filter_command) + { + cutthrough.delivery= FALSE; + HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n"); + } +#ifndef DISABLE_DKIM + if (ob->dkim.dkim_domain) + { + cutthrough.delivery= FALSE; + HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of DKIM signing\n"); + } +#endif +#ifdef EXPERIMENTAL_ARC + if (ob->arc_sign) + { + cutthrough.delivery= FALSE; + HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of ARC signing\n"); + } +#endif + } + if ( (cutthrough.delivery || options & vopt_callout_hold) && rcpt_count == 1 && done @@ -1088,7 +1113,7 @@ no_conn: if (sx.inblock.sock >= 0) { #ifdef SUPPORT_TLS - tls_close(FALSE, TRUE); + tls_close(FALSE, TLS_SHUTDOWN_NOWAIT); #endif HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP(close)>>\n"); (void)close(sx.inblock.sock); @@ -1389,7 +1414,7 @@ if(fd >= 0) cutthrough_response(fd, '2', NULL, 1); #ifdef SUPPORT_TLS - tls_close(FALSE, TRUE); + tls_close(FALSE, TLS_SHUTDOWN_NOWAIT); #endif HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP(close)>>\n"); (void)close(fd); @@ -1634,9 +1659,9 @@ else ko_prefix = cr = US""; if (parse_find_at(address) == NULL) { - if ((options & vopt_qualify) == 0) + if (!(options & vopt_qualify)) { - if (f != NULL) + if (f) respond_printf(f, "%sA domain is required for \"%s\"%s\n", ko_prefix, address, cr); *failure_ptr = US"qualify"; @@ -1654,7 +1679,7 @@ DEBUG(D_verify) /* Rewrite and report on it. Clear the domain and local part caches - these may have been set by domains and local part tests during an ACL. */ -if (global_rewrite_rules != NULL) +if (global_rewrite_rules) { uschar *old = address; address = rewrite_address(address, options & vopt_is_recipient, FALSE, @@ -1663,21 +1688,21 @@ if (global_rewrite_rules != NULL) { for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->localpart_cache[i] = 0; for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->domain_cache[i] = 0; - if (f != NULL && !expn) fprintf(f, "Address rewritten as: %s\n", address); + if (f && !expn) fprintf(f, "Address rewritten as: %s\n", address); } } /* If this is the real sender address, we must update sender_address at this point, because it may be referred to in the routers. */ -if ((options & (vopt_fake_sender|vopt_is_recipient)) == 0) +if (!(options & (vopt_fake_sender|vopt_is_recipient))) sender_address = address; /* If the address was rewritten to <> no verification can be done, and we have to return OK. This rewriting is permitted only for sender addresses; for other addresses, such rewriting fails. */ -if (address[0] == 0) return OK; +if (!address[0]) return OK; /* Flip the legacy TLS-related variables over to the outbound set in case they're used in the context of a transport used by verification. Reset them @@ -1729,7 +1754,7 @@ while (addr_new) if (testflag(addr, af_pfr)) { allok = FALSE; - if (f != NULL) + if (f) { BOOL allow; @@ -1740,8 +1765,8 @@ while (addr_new) } else { - allow = (addr->address[0] == '|')? - testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file); + allow = addr->address[0] == '|' + ? testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file); fprintf(f, "%s -> %s", addr->parent->address, addr->address); } @@ -3076,7 +3101,7 @@ if (isquery) /* Not a query-style lookup; must ensure the host name is present, and then we do a check on the name and all its aliases. */ -if (sender_host_name == NULL) +if (!sender_host_name) { HDEBUG(D_host_lookup) debug_printf("sender host name required, to match against %s\n", ss); @@ -3091,8 +3116,7 @@ if (sender_host_name == NULL) /* Match on the sender host name, using the general matching function */ -switch(match_check_string(sender_host_name, ss, -1, TRUE, TRUE, TRUE, - valueptr)) +switch(match_check_string(sender_host_name, ss, -1, TRUE, TRUE, TRUE, valueptr)) { case OK: return OK; case DEFER: return DEFER; @@ -3101,14 +3125,12 @@ switch(match_check_string(sender_host_name, ss, -1, TRUE, TRUE, TRUE, /* If there are aliases, try matching on them. */ aliases = sender_host_aliases; -while (*aliases != NULL) - { +while (*aliases) switch(match_check_string(*aliases++, ss, -1, TRUE, TRUE, TRUE, valueptr)) { case OK: return OK; case DEFER: return DEFER; } - } return FAIL; } @@ -3389,9 +3411,8 @@ else /* If the lookup succeeded, cache the RHS address. The code allows for more than one address - this was for complete generality and the possible - use of A6 records. However, A6 records have been reduced to experimental - status (August 2001) and may die out. So they may never get used at all, - let alone in dnsbl records. However, leave the code here, just in case. + use of A6 records. However, A6 records are no longer supported. Leave the code + here, just in case. Quite apart from one A6 RR generating multiple addresses, there are DNS lists that return more than one A record, so we must handle multiple @@ -3407,25 +3428,23 @@ else for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); rr; rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT)) - { if (rr->type == T_A) { dns_address *da = dns_address_from_rr(&dnsa, rr); if (da) { *addrp = da; - while (da->next != NULL) da = da->next; - addrp = &(da->next); + while (da->next) da = da->next; + addrp = &da->next; if (ttl > rr->ttl) ttl = rr->ttl; } } - } /* If we didn't find any A records, change the return code. This can happen when there is a CNAME record but there are no A records for what it points to. */ - if (cb->rhs == NULL) cb->rc = DNS_NODATA; + if (!cb->rhs) cb->rc = DNS_NODATA; } cb->expiry = time(NULL)+ttl; @@ -3447,7 +3466,7 @@ if (cb->rc == DNS_SUCCEED) records. For A6 records (currently not expected to be used) there may be multiple addresses from a single record. */ - for (da = cb->rhs->next; da != NULL; da = da->next) + for (da = cb->rhs->next; da; da = da->next) addlist = string_sprintf("%s, %s", addlist, da->address); HDEBUG(D_dnsbl) debug_printf("DNS lookup for %s succeeded (yielding %s)\n", @@ -3456,9 +3475,9 @@ if (cb->rc == DNS_SUCCEED) /* Address list check; this can be either for equality, or via a bitmask. In the latter case, all the bits must match. */ - if (iplist != NULL) + if (iplist) { - for (da = cb->rhs; da != NULL; da = da->next) + for (da = cb->rhs; da; da = da->next) { int ipsep = ','; uschar ip[46]; @@ -3468,12 +3487,11 @@ if (cb->rc == DNS_SUCCEED) /* Handle exact matching */ if (!bitmask) - { - while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))) != NULL) - { - if (Ustrcmp(CS da->address, ip) == 0) break; - } - } + { + while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip)))) + if (Ustrcmp(CS da->address, ip) == 0) + break; + } /* Handle bitmask matching */ @@ -3493,7 +3511,7 @@ if (cb->rc == DNS_SUCCEED) /* Scan the returned addresses, skipping any that are IPv6 */ - while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))) != NULL) + while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip)))) { if (host_aton(ip, address) != 1) continue; if ((address[0] & mask) == address[0]) break; @@ -3526,17 +3544,13 @@ if (cb->rc == DNS_SUCCEED) switch(match_type) { case 0: - res = US"was no match"; - break; + res = US"was no match"; break; case MT_NOT: - res = US"was an exclude match"; - break; + res = US"was an exclude match"; break; case MT_ALL: - res = US"was an IP address that did not match"; - break; + res = US"was an IP address that did not match"; break; case MT_NOT|MT_ALL: - res = US"were no IP addresses that did not match"; - break; + res = US"were no IP addresses that did not match"; break; } debug_printf("=> but we are not accepting this block class because\n"); debug_printf("=> there %s for %s%c%s\n", @@ -3568,15 +3582,15 @@ if (cb->rc == DNS_SUCCEED) { dns_record *rr; for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); - rr != NULL; + rr; rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT)) if (rr->type == T_TXT) break; - if (rr != NULL) + if (rr) { int len = (rr->data)[0]; if (len > 511) len = 127; store_pool = POOL_PERM; - cb->text = string_sprintf("%.*s", len, (const uschar *)(rr->data+1)); + cb->text = string_sprintf("%.*s", len, CUS (rr->data+1)); store_pool = old_pool; } }