summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/Makefile5
-rw-r--r--src/exim_monitor/em_log.c2
-rwxr-xr-xsrc/scripts/Configure-Makefile16
-rw-r--r--src/src/acl.c2
-rw-r--r--src/src/auths/dovecot.c2
-rw-r--r--src/src/config.h.defaults2
-rw-r--r--src/src/daemon.c2
-rw-r--r--src/src/deliver.c2
-rw-r--r--src/src/dmarc.c2
-rw-r--r--src/src/dmarc.h2
-rw-r--r--src/src/dns.c12
-rw-r--r--src/src/drtables.c2
-rw-r--r--src/src/exigrep.src2
-rw-r--r--src/src/exim.c2
-rw-r--r--src/src/exim.h2
-rw-r--r--src/src/eximstats.src2
-rw-r--r--src/src/exiqgrep.src4
-rw-r--r--src/src/expand.c4
-rw-r--r--src/src/functions.h9
-rw-r--r--src/src/globals.c4
-rw-r--r--src/src/globals.h8
-rw-r--r--src/src/host.c112
-rw-r--r--src/src/ip.c2
-rw-r--r--src/src/log.c2
-rw-r--r--src/src/lookups/dnsdb.c4
-rw-r--r--src/src/lookups/ldap.c2
-rw-r--r--src/src/macros.h2
-rw-r--r--src/src/malware.c2
-rw-r--r--src/src/match.c2
-rw-r--r--src/src/moan.c2
-rw-r--r--src/src/readconf.c2
-rw-r--r--src/src/route.c2
-rw-r--r--src/src/routers/dnslookup.c12
-rw-r--r--src/src/routers/dnslookup.h2
-rw-r--r--src/src/routers/rf_get_munge_headers.c2
-rw-r--r--src/src/routers/rf_lookup_hostlist.c6
-rw-r--r--src/src/smtp_in.c133
-rw-r--r--src/src/spf.c2
-rw-r--r--src/src/string.c2
-rw-r--r--src/src/structs.h2
-rw-r--r--src/src/tls-gnu.c16
-rw-r--r--src/src/tls-openssl.c15
-rw-r--r--src/src/tls.c12
-rw-r--r--src/src/transport.c2
-rw-r--r--src/src/transports/lmtp.c2
-rw-r--r--src/src/transports/pipe.c2
-rw-r--r--src/src/transports/pipe.h2
-rw-r--r--src/src/transports/smtp.c16
-rw-r--r--src/src/transports/smtp.h2
-rw-r--r--src/src/verify.c20
-rw-r--r--src/util/proxy_protocol_client.pl250
51 files changed, 564 insertions, 158 deletions
diff --git a/src/Makefile b/src/Makefile
index 161167f3f..b913aec8a 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -2,7 +2,7 @@
# appropriate links, and then creating and running the main makefile in that
# directory.
-# Copyright (c) University of Cambridge, 1995 - 2013
+# Copyright (c) University of Cambridge, 1995 - 2014
# See the file NOTICE for conditions of use and distribution.
# IRIX make uses the shell that is in the SHELL variable, which often defaults
@@ -90,7 +90,8 @@ distclean:; $(RM_COMMAND) -rf build-* cscope*
cscope.files: FRC
echo "-q" > $@
echo "-p3" >> $@
- find src Local -name "*.[cshyl]" -print \
+ find src Local OS -name "*.[cshyl]" -print \
+ -o -name "os.h*" -print \
-o -name "*akefile*" -print \
-o -name EDITME -print >> $@
diff --git a/src/exim_monitor/em_log.c b/src/exim_monitor/em_log.c
index 757936dea..6efd9c0c9 100644
--- a/src/exim_monitor/em_log.c
+++ b/src/exim_monitor/em_log.c
@@ -2,7 +2,7 @@
* Exim Monitor *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* This module contains code for scanning the main log,
diff --git a/src/scripts/Configure-Makefile b/src/scripts/Configure-Makefile
index 5e8a72683..eeb26eeb1 100755
--- a/src/scripts/Configure-Makefile
+++ b/src/scripts/Configure-Makefile
@@ -142,6 +142,10 @@ then
fi
if [ ".$need_this" != "." ]; then
tls_include=`pkg-config --cflags $pc_value`
+ if [ $? -ne 0 ]; then
+ echo >&2 "*** Missing pkg-config for package $pc_value (for Exim $var build option)"
+ exit 1
+ fi
tls_libs=`pkg-config --libs $pc_value`
echo "TLS_INCLUDE=$tls_include"
echo "TLS_LIBS=$tls_libs"
@@ -161,6 +165,10 @@ then
else
# main binary
cflags=`pkg-config --cflags $pc_value`
+ if [ $? -ne 0 ]; then
+ echo >&2 "*** Missing pkg-config for package $pc_value (for Exim $var build option)"
+ exit 1
+ fi
libs=`pkg-config --libs $pc_value`
if [ "$var" != "${var#LOOKUP_}" ]; then
echo "LOOKUP_INCLUDE += $cflags"
@@ -178,6 +186,10 @@ then
case $PCRE_CONFIG in
yes|YES|y|Y)
cflags=`pcre-config --cflags`
+ if [ $? -ne 0 ]; then
+ echo >&2 "*** Missing pcre-config for regular expression support"
+ exit 1
+ fi
libs=`pcre-config --libs`
if [ ".$cflags" != "." ]; then
echo "INCLUDE += $cflags"
@@ -196,6 +208,10 @@ then
echo "# End of pkg-config fixups"
echo
) >> $mft
+ subexit=$?
+ if [ $subexit -ne 0 ]; then
+ exit $subexit
+ fi
fi
rm -f $mftt
diff --git a/src/src/acl.c b/src/src/acl.c
index 4fda03b77..9d0842c1d 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Code for handling Access Control Lists (ACLs) */
diff --git a/src/src/auths/dovecot.c b/src/src/auths/dovecot.c
index 0f4822745..1874f3238 100644
--- a/src/src/auths/dovecot.c
+++ b/src/src/auths/dovecot.c
@@ -1,6 +1,6 @@
/*
* Copyright (c) 2004 Andrey Panin <pazke@donpac.ru>
- * Copyright (c) 2006-2013 The Exim Maintainers
+ * Copyright (c) 2006-2014 The Exim Maintainers
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index 962b90d68..6f7295ca1 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* The default settings for Exim configuration variables. A #define without
diff --git a/src/src/daemon.c b/src/src/daemon.c
index caf494a24..66ed22440 100644
--- a/src/src/daemon.c
+++ b/src/src/daemon.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions concerned with running Exim as a daemon */
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 121f7c2e0..1e7a8a18a 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* The main code for delivering a message. */
diff --git a/src/src/dmarc.c b/src/src/dmarc.c
index 05de69353..b2336b388 100644
--- a/src/src/dmarc.c
+++ b/src/src/dmarc.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
/* Experimental DMARC support.
- Copyright (c) Todd Lyons <tlyons@exim.org> 2012, 2013
+ Copyright (c) Todd Lyons <tlyons@exim.org> 2012 - 2014
License: GPL */
/* Portions Copyright (c) 2012, 2013, The Trusted Domain Project;
diff --git a/src/src/dmarc.h b/src/src/dmarc.h
index 088d86494..ee78450a6 100644
--- a/src/src/dmarc.h
+++ b/src/src/dmarc.h
@@ -3,7 +3,7 @@
*************************************************/
/* Experimental DMARC support.
- Copyright (c) Todd Lyons <tlyons@exim.org> 2012, 2013
+ Copyright (c) Todd Lyons <tlyons@exim.org> 2012 - 2014
License: GPL */
/* Portions Copyright (c) 2012, 2013, The Trusted Domain Project;
diff --git a/src/src/dns.c b/src/src/dns.c
index 2aeb5af62..6efb88d58 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for interfacing with the DNS. */
@@ -159,12 +159,13 @@ the first time we have been here, and set the resolver options.
Arguments:
qualify_single TRUE to set the RES_DEFNAMES option
search_parents TRUE to set the RES_DNSRCH option
+ use_dnssec TRUE to set the RES_USE_DNSSEC option
Returns: nothing
*/
void
-dns_init(BOOL qualify_single, BOOL search_parents)
+dns_init(BOOL qualify_single, BOOL search_parents, BOOL use_dnssec)
{
res_state resp = os_get_dns_resolver_res();
@@ -206,6 +207,8 @@ if (dns_use_edns0 >= 0)
# ifndef RES_USE_EDNS0
# error Have RES_USE_DNSSEC but not RES_USE_EDNS0? Something hinky ...
# endif
+if (use_dnssec)
+ resp->options |= RES_USE_DNSSEC;
if (dns_dnssec_ok >= 0)
{
if (dns_use_edns0 == 0 && dns_dnssec_ok != 0)
@@ -228,6 +231,9 @@ if (dns_dnssec_ok >= 0)
DEBUG(D_resolver)
debug_printf("Unable to %sset DNSSEC without resolver support.\n",
dns_dnssec_ok ? "" : "un");
+if (use_dnssec)
+ DEBUG(D_resolver)
+ debug_printf("Unable to set DNSSEC without resolver support.\n");
# endif
#endif /* DISABLE_DNSSEC */
@@ -1249,4 +1255,6 @@ else
return yield;
}
+/* vi: aw ai sw=2
+*/
/* End of dns.c */
diff --git a/src/src/drtables.c b/src/src/drtables.c
index d48945e90..c2d866850 100644
--- a/src/src/drtables.c
+++ b/src/src/drtables.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
diff --git a/src/src/exigrep.src b/src/src/exigrep.src
index 7b35da866..2d3b40cbf 100644
--- a/src/src/exigrep.src
+++ b/src/src/exigrep.src
@@ -2,7 +2,7 @@
use strict;
-# Copyright (c) 2007-2013 University of Cambridge.
+# Copyright (c) 2007-2014 University of Cambridge.
# See the file NOTICE for conditions of use and distribution.
# Except when they appear in comments, the following placeholders in this
diff --git a/src/src/exim.c b/src/src/exim.c
index 1637c891e..3ab657fea 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
diff --git a/src/src/exim.h b/src/src/exim.h
index c72c1f10a..b824b48f3 100644
--- a/src/src/exim.h
+++ b/src/src/exim.h
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
diff --git a/src/src/eximstats.src b/src/src/eximstats.src
index 66777c9ee..4370b4eab 100644
--- a/src/src/eximstats.src
+++ b/src/src/eximstats.src
@@ -1,6 +1,6 @@
#!PERL_COMMAND -w
-# Copyright (c) 2001-2013 University of Cambridge.
+# Copyright (c) 2001-2014 University of Cambridge.
# See the file NOTICE for conditions of use and distribution.
# Perl script to generate statistics from one or more Exim log files.
diff --git a/src/src/exiqgrep.src b/src/src/exiqgrep.src
index e05589073..05c1b9ed0 100644
--- a/src/src/exiqgrep.src
+++ b/src/src/exiqgrep.src
@@ -43,8 +43,9 @@ if ($^O eq 'darwin') { # aka MacOS X
$base = 62;
};
-getopts('hf:r:y:o:s:zxlibRc',\%opt);
+getopts('hf:r:y:o:s:zxlibRca',\%opt);
if ($opt{h}) { &help; exit;}
+if ($opt{a}) { $eargs = '-bp'; }
# Read message queue output into hash
&collect();
@@ -78,6 +79,7 @@ Display options:
-i Message IDs only
-b Brief Format
-R Reverse order
+ -a All recipients (including delivered)
EOF
}
diff --git a/src/src/expand.c b/src/src/expand.c
index d2ac8ca79..fd4f65abb 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
@@ -565,6 +565,8 @@ static var_entry var_table[] = {
{ "proxy_host_address", vtype_stringptr, &proxy_host_address },
{ "proxy_host_port", vtype_int, &proxy_host_port },
{ "proxy_session", vtype_bool, &proxy_session },
+ { "proxy_target_address",vtype_stringptr, &proxy_target_address },
+ { "proxy_target_port", vtype_int, &proxy_target_port },
#endif
{ "prvscheck_address", vtype_stringptr, &prvscheck_address },
{ "prvscheck_keynum", vtype_stringptr, &prvscheck_keynum },
diff --git a/src/src/functions.h b/src/src/functions.h
index 35500a165..599afd206 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
@@ -45,7 +45,7 @@ extern void tls_version_report(FILE *);
#ifndef USE_GNUTLS
extern BOOL tls_openssl_options_parse(uschar *, long *);
#endif
-#endif
+#endif /*SUPPORT_TLS*/
/* Everything else... */
@@ -115,7 +115,7 @@ extern BOOL dkim_transport_write_message(address_item *, int, int,
#endif
extern dns_address *dns_address_from_rr(dns_answer *, dns_record *);
extern void dns_build_reverse(uschar *, uschar *);
-extern void dns_init(BOOL, BOOL);
+extern void dns_init(BOOL, BOOL, BOOL);
extern int dns_basic_lookup(dns_answer *, uschar *, int);
extern BOOL dns_is_secure(dns_answer *);
extern int dns_lookup(dns_answer *, uschar *, int, uschar **);
@@ -157,7 +157,7 @@ extern void host_build_log_info(void);
extern void host_build_sender_fullhost(void);
extern BOOL host_find_byname(host_item *, uschar *, int, uschar **, BOOL);
extern int host_find_bydns(host_item *, uschar *, int, uschar *, uschar *,
- uschar *,uschar **, BOOL *);
+ uschar *, uschar *, uschar *, uschar **, BOOL *);
extern ip_address_item *host_find_interfaces(void);
extern BOOL host_is_in_net(uschar *, uschar *, int);
extern BOOL host_is_tls_on_connect_port(int);
@@ -374,6 +374,7 @@ extern int strncmpic(const uschar *, const uschar *, int);
extern uschar *strstric(uschar *, uschar *, BOOL);
extern uschar *tod_stamp(int);
+extern void tls_modify_variables(tls_support *);
extern BOOL transport_check_waiting(uschar *, uschar *, int, uschar *,
BOOL *);
extern void transport_init(void);
diff --git a/src/src/globals.c b/src/src/globals.c
index 839b91dcc..fbc3787f9 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* All the global variables are defined together in this one module, so
@@ -925,6 +925,8 @@ int proxy_host_port = 0;
uschar *proxy_required_hosts = US"";
BOOL proxy_session = FALSE;
BOOL proxy_session_failed = FALSE;
+uschar *proxy_target_address = US"";
+int proxy_target_port = 0;
#endif
uschar *prvscheck_address = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index 1cc39fc09..e18bddc01 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Almost all the global variables are defined together in this one header, so
@@ -595,11 +595,13 @@ extern uschar *process_log_path; /* Alternate path */
extern BOOL prod_requires_admin; /* TRUE if prodding requires admin */
#ifdef EXPERIMENTAL_PROXY
-extern uschar *proxy_host_address; /* IP of proxy server */
-extern int proxy_host_port; /* Port of proxy server */
+extern uschar *proxy_host_address; /* IP of host being proxied */
+extern int proxy_host_port; /* Port of host being proxied */
extern uschar *proxy_required_hosts; /* Hostlist which (require) use proxy protocol */
extern BOOL proxy_session; /* TRUE if receiving mail from valid proxy */
extern BOOL proxy_session_failed; /* TRUE if required proxy negotiation failed */
+extern uschar *proxy_target_address; /* IP of proxy server inbound */
+extern int proxy_target_port; /* Port of proxy server inbound */
#endif
extern uschar *prvscheck_address; /* Set during prvscheck expansion item */
diff --git a/src/src/host.c b/src/src/host.c
index 785eea412..495a44d58 100644
--- a/src/src/host.c
+++ b/src/src/host.c
@@ -1622,7 +1622,7 @@ while ((ordername = string_nextinlist(&list, &sep, buffer, sizeof(buffer)))
{
if (strcmpic(ordername, US"bydns") == 0)
{
- dns_init(FALSE, FALSE);
+ dns_init(FALSE, FALSE, FALSE); /*XXX dnssec? */
dns_build_reverse(sender_host_address, buffer);
rc = dns_lookup(&dnsa, buffer, T_PTR, NULL);
@@ -1919,7 +1919,8 @@ if (running_in_test_harness)
some circumstances when the get..byname() function actually calls the DNS. */
dns_init((flags & HOST_FIND_QUALIFY_SINGLE) != 0,
- (flags & HOST_FIND_SEARCH_PARENTS) != 0);
+ (flags & HOST_FIND_SEARCH_PARENTS) != 0,
+ FALSE); /*XXX dnssec? */
/* In an IPv6 world, unless IPv6 has been disabled, we need to scan for both
kinds of address, so go round the loop twice. Note that we have ensured that
@@ -2195,6 +2196,7 @@ Arguments:
fully_qualified_name if not NULL, return fully qualified name here if
the contents are different (i.e. it must be preset
to something)
+ dnnssec_require if TRUE check the DNS result AD bit
Returns: HOST_FIND_FAILED couldn't find A record
HOST_FIND_AGAIN try again later
@@ -2204,7 +2206,8 @@ Returns: HOST_FIND_FAILED couldn't find A record
static int
set_address_from_dns(host_item *host, host_item **lastptr,
- uschar *ignore_target_hosts, BOOL allow_ip, uschar **fully_qualified_name)
+ uschar *ignore_target_hosts, BOOL allow_ip, uschar **fully_qualified_name,
+ BOOL dnssec_require)
{
dns_record *rr;
host_item *thishostlast = NULL; /* Indicates not yet filled in anything */
@@ -2287,6 +2290,12 @@ for (; i >= 0; i--)
if (rc != DNS_NOMATCH && rc != DNS_NODATA) v6_find_again = TRUE;
continue;
}
+ if (dnssec_require && !dns_is_secure(&dnsa))
+ {
+ log_write(L_host_lookup_failed, LOG_MAIN, "dnssec fail on %s for %.256s",
+ i>1 ? "A6" : i>0 ? "AAAA" : "A", host->name);
+ continue;
+ }
/* Lookup succeeded: fill in the given host item with the first non-ignored
address found; create additional items for any others. A single A6 record
@@ -2433,6 +2442,8 @@ Arguments:
srv_service when SRV used, the service name
srv_fail_domains DNS errors for these domains => assume nonexist
mx_fail_domains DNS errors for these domains => assume nonexist
+ dnssec_request_domains => make dnssec request
+ dnssec_require_domains => ditto and nonexist failures
fully_qualified_name if not NULL, return fully-qualified name
removed set TRUE if local host was removed from the list
@@ -2450,6 +2461,7 @@ Returns: HOST_FIND_FAILED Failed to find the host or domain;
int
host_find_bydns(host_item *host, uschar *ignore_target_hosts, int whichrrs,
uschar *srv_service, uschar *srv_fail_domains, uschar *mx_fail_domains,
+ uschar *dnssec_request_domains, uschar *dnssec_require_domains,
uschar **fully_qualified_name, BOOL *removed)
{
host_item *h, *last;
@@ -2459,6 +2471,10 @@ int ind_type = 0;
int yield;
dns_answer dnsa;
dns_scan dnss;
+BOOL dnssec_request = match_isinlist(host->name, &dnssec_request_domains,
+ 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK;
+BOOL dnssec_require = match_isinlist(host->name, &dnssec_require_domains,
+ 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK;
/* Set the default fully qualified name to the incoming name, initialize the
resolver if necessary, set up the relevant options, and initialize the flag
@@ -2466,7 +2482,9 @@ that gets set for DNS syntax check errors. */
if (fully_qualified_name != NULL) *fully_qualified_name = host->name;
dns_init((whichrrs & HOST_FIND_QUALIFY_SINGLE) != 0,
- (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0);
+ (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0,
+ dnssec_request || dnssec_require
+ );
host_find_failed_syntax = FALSE;
/* First, if requested, look for SRV records. The service name is given; we
@@ -2494,13 +2512,19 @@ if ((whichrrs & HOST_FIND_BY_SRV) != 0)
/* On DNS failures, we give the "try again" error unless the domain is
listed as one for which we continue. */
+ if (rc == DNS_SUCCEED && dnssec_require && !dns_is_secure(&dnsa))
+ {
+ log_write(L_host_lookup_failed, LOG_MAIN,
+ "dnssec fail on SRV for %.256s", host->name);
+ rc = DNS_FAIL;
+ }
if (rc == DNS_FAIL || rc == DNS_AGAIN)
{
#ifndef STAND_ALONE
if (match_isinlist(host->name, &srv_fail_domains, 0, NULL, NULL, MCL_DOMAIN,
TRUE, NULL) != OK)
#endif
- return HOST_FIND_AGAIN;
+ { yield = HOST_FIND_AGAIN; goto out; }
DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA "
"(domain in srv_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN");
}
@@ -2517,16 +2541,29 @@ if (rc != DNS_SUCCEED && (whichrrs & HOST_FIND_BY_MX) != 0)
{
ind_type = T_MX;
rc = dns_lookup(&dnsa, host->name, ind_type, fully_qualified_name);
- if (rc == DNS_NOMATCH) return HOST_FIND_FAILED;
- if (rc == DNS_FAIL || rc == DNS_AGAIN)
- {
- #ifndef STAND_ALONE
- if (match_isinlist(host->name, &mx_fail_domains, 0, NULL, NULL, MCL_DOMAIN,
- TRUE, NULL) != OK)
- #endif
- return HOST_FIND_AGAIN;
- DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA "
- "(domain in mx_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN");
+ switch (rc)
+ {
+ case DNS_NOMATCH:
+ yield = HOST_FIND_FAILED; goto out;
+
+ case DNS_SUCCEED:
+ if (!dnssec_require || dns_is_secure(&dnsa))
+ break;
+ log_write(L_host_lookup_failed, LOG_MAIN,
+ "dnssec fail on MX for %.256s", host->name);
+ rc = DNS_FAIL;
+ /*FALLTRHOUGH*/
+
+ case DNS_FAIL:
+ case DNS_AGAIN:
+ #ifndef STAND_ALONE
+ if (match_isinlist(host->name, &mx_fail_domains, 0, NULL, NULL, MCL_DOMAIN,
+ TRUE, NULL) != OK)
+ #endif
+ { yield = HOST_FIND_AGAIN; goto out; }
+ DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA "
+ "(domain in mx_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN");
+ break;
}
}
@@ -2539,14 +2576,15 @@ if (rc != DNS_SUCCEED)
if ((whichrrs & HOST_FIND_BY_A) == 0)
{
DEBUG(D_host_lookup) debug_printf("Address records are not being sought\n");
- return HOST_FIND_FAILED;
+ yield = HOST_FIND_FAILED;
+ goto out;
}
last = host; /* End of local chainlet */
host->mx = MX_NONE;
host->port = PORT_NONE;
rc = set_address_from_dns(host, &last, ignore_target_hosts, FALSE,
- fully_qualified_name);
+ fully_qualified_name, dnssec_require);
/* If one or more address records have been found, check that none of them
are local. Since we know the host items all have their IP addresses
@@ -2573,7 +2611,8 @@ if (rc != DNS_SUCCEED)
}
}
- return rc;
+ yield = rc;
+ goto out;
}
/* We have found one or more MX or SRV records. Sort them according to
@@ -2757,7 +2796,8 @@ if (ind_type == T_SRV)
if (host == last && host->name[0] == 0)
{
DEBUG(D_host_lookup) debug_printf("the single SRV record is \".\"\n");
- return HOST_FIND_FAILED;
+ yield = HOST_FIND_FAILED;
+ goto out;
}
DEBUG(D_host_lookup)
@@ -2867,12 +2907,14 @@ otherwise invalid host names obtained from MX or SRV records can cause trouble
if they happen to match something local. */
yield = HOST_FIND_FAILED; /* Default yield */
-dns_init(FALSE, FALSE); /* Disable qualify_single and search_parents */
+dns_init(FALSE, FALSE, /* Disable qualify_single and search_parents */
+ dnssec_request || dnssec_require);
for (h = host; h != last->next; h = h->next)
{
if (h->address != NULL) continue; /* Inserted by a multihomed host */
- rc = set_address_from_dns(h, &last, ignore_target_hosts, allow_mx_to_ip, NULL);
+ rc = set_address_from_dns(h, &last, ignore_target_hosts, allow_mx_to_ip,
+ NULL, dnssec_require);
if (rc != HOST_FOUND)
{
h->status = hstatus_unusable;
@@ -2981,6 +3023,9 @@ DEBUG(D_host_lookup)
}
}
+out:
+
+dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */
return yield;
}
@@ -3002,6 +3047,8 @@ int whichrrs = HOST_FIND_BY_MX | HOST_FIND_BY_A;
BOOL byname = FALSE;
BOOL qualify_single = TRUE;
BOOL search_parents = FALSE;
+BOOL request_dnssec = FALSE;
+BOOL require_dnssec = FALSE;
uschar **argv = USS cargv;
uschar buffer[256];
@@ -3021,7 +3068,7 @@ if (argc > 1) primary_hostname = argv[1];
/* So that debug level changes can be done first */
-dns_init(qualify_single, search_parents);
+dns_init(qualify_single, search_parents, FALSE);
printf("Testing host lookup\n");
printf("> ");
@@ -3047,10 +3094,14 @@ while (Ufgets(buffer, 256, stdin) != NULL)
whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX;
else if (Ustrcmp(buffer, "srv+mx+a") == 0)
whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX | HOST_FIND_BY_A;
- else if (Ustrcmp(buffer, "qualify_single") == 0) qualify_single = TRUE;
+ else if (Ustrcmp(buffer, "qualify_single") == 0) qualify_single = TRUE;
else if (Ustrcmp(buffer, "no_qualify_single") == 0) qualify_single = FALSE;
- else if (Ustrcmp(buffer, "search_parents") == 0) search_parents = TRUE;
+ else if (Ustrcmp(buffer, "search_parents") == 0) search_parents = TRUE;
else if (Ustrcmp(buffer, "no_search_parents") == 0) search_parents = FALSE;
+ else if (Ustrcmp(buffer, "request_dnssec") == 0) request_dnssec = TRUE;
+ else if (Ustrcmp(buffer, "no_request_dnssec") == 0) request_dnssec = FALSE;
+ else if (Ustrcmp(buffer, "require_dnssec") == 0) require_dnssec = TRUE;
+ else if (Ustrcmp(buffer, "no_reqiret_dnssec") == 0) require_dnssec = FALSE;
else if (Ustrcmp(buffer, "test_harness") == 0)
running_in_test_harness = !running_in_test_harness;
else if (Ustrcmp(buffer, "ipv6") == 0) disable_ipv6 = !disable_ipv6;
@@ -3083,11 +3134,12 @@ while (Ufgets(buffer, 256, stdin) != NULL)
if (qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
if (search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
- rc = byname?
- host_find_byname(&h, NULL, flags, &fully_qualified_name, TRUE)
- :
- host_find_bydns(&h, NULL, flags, US"smtp", NULL, NULL,
- &fully_qualified_name, NULL);
+ rc = byname
+ ? host_find_byname(&h, NULL, flags, &fully_qualified_name, TRUE)
+ : host_find_bydns(&h, NULL, flags, US"smtp", NULL, NULL,
+ request_dnssec ? &h.name : NULL,
+ require_dnssec ? &h.name : NULL,
+ &fully_qualified_name, NULL);
if (rc == HOST_FIND_FAILED) printf("Failed\n");
else if (rc == HOST_FIND_AGAIN) printf("Again\n");
@@ -3146,4 +3198,6 @@ return 0;
}
#endif /* STAND_ALONE */
+/* vi: aw ai sw=2
+*/
/* End of host.c */
diff --git a/src/src/ip.c b/src/src/ip.c
index a820998ca..0211adc1e 100644
--- a/src/src/ip.c
+++ b/src/src/ip.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for doing things with sockets. With the advent of IPv6 this has
diff --git a/src/src/log.c b/src/src/log.c
index 1a5d38866..c80c34751 100644
--- a/src/src/log.c
+++ b/src/src/log.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for writing log files. The code for maintaining datestamped
diff --git a/src/src/lookups/dnsdb.c b/src/src/lookups/dnsdb.c
index beba09508..a1eb2b658 100644
--- a/src/src/lookups/dnsdb.c
+++ b/src/src/lookups/dnsdb.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
#include "../exim.h"
@@ -241,7 +241,7 @@ if ((equals = Ustrchr(keystring, '=')) != NULL)
/* Initialize the resolver in case this is the first time it has been used. */
-dns_init(FALSE, FALSE);
+dns_init(FALSE, FALSE, FALSE); /*XXX dnssec? */
/* The remainder of the string must be a list of domains. As long as the lookup
for at least one of them succeeds, we return success. Failure means that none
diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index 7071dc259..27780db49 100644
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Many thanks to Stuart Lynne for contributing the original code for this
diff --git a/src/src/macros.h b/src/src/macros.h
index 3f3810127..fc3776c84 100644
--- a/src/src/macros.h
+++ b/src/src/macros.h
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
diff --git a/src/src/malware.c b/src/src/malware.c
index 01209d684..7b3453f72 100644
--- a/src/src/malware.c
+++ b/src/src/malware.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003-2013 */
+/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003-2014 */
/* License: GPL */
/* Code for calling virus (malware) scanners. Called from acl.c. */
diff --git a/src/src/match.c b/src/src/match.c
index 66ae3dddb..97a098205 100644
--- a/src/src/match.c
+++ b/src/src/match.c
@@ -221,6 +221,8 @@ if (cb->at_is_special && pattern[0] == '@')
NULL, /* service name not relevant */
NULL, /* srv_fail_domains not relevant */
NULL, /* mx_fail_domains not relevant */
+ NULL, /* no dnssec request XXX ? */
+ NULL, /* no dnssec require XXX ? */
NULL, /* no feedback FQDN */
&removed); /* feedback if local removed */
diff --git a/src/src/moan.c b/src/src/moan.c
index 5ae6f85f7..4d7b51b9a 100644
--- a/src/src/moan.c
+++ b/src/src/moan.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for sending messages to sender or to mailmaster. */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 81e3bc267..a0238d25f 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for reading the configuration file, and for displaying
diff --git a/src/src/route.c b/src/src/route.c
index c83233e97..271175e4b 100644
--- a/src/src/route.c
+++ b/src/src/route.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions concerned with routing, and the list of generic router options. */
diff --git a/src/src/routers/dnslookup.c b/src/src/routers/dnslookup.c
index 057a2a15d..c8fd3f991 100644
--- a/src/src/routers/dnslookup.c
+++ b/src/src/routers/dnslookup.c
@@ -18,6 +18,10 @@ optionlist dnslookup_router_options[] = {
(void *)(offsetof(dnslookup_router_options_block, check_secondary_mx)) },
{ "check_srv", opt_stringptr,
(void *)(offsetof(dnslookup_router_options_block, check_srv)) },
+ { "dnssec_request_domains", opt_stringptr,
+ (void *)(offsetof(dnslookup_router_options_block, dnssec_request_domains)) },
+ { "dnssec_require_domains", opt_stringptr,
+ (void *)(offsetof(dnslookup_router_options_block, dnssec_require_domains)) },
{ "mx_domains", opt_stringptr,
(void *)(offsetof(dnslookup_router_options_block, mx_domains)) },
{ "mx_fail_domains", opt_stringptr,
@@ -53,7 +57,9 @@ dnslookup_router_options_block dnslookup_router_option_defaults = {
NULL, /* mx_domains */
NULL, /* mx_fail_domains */
NULL, /* srv_fail_domains */
- NULL /* check_srv */
+ NULL, /* check_srv */
+ NULL, /* dnssec_request_domains */
+ NULL /* dnssec_require_domains */
};
@@ -261,7 +267,9 @@ for (;;)
}
rc = host_find_bydns(&h, rblock->ignore_target_hosts, flags, srv_service,
- ob->srv_fail_domains, ob->mx_fail_domains, &fully_qualified_name, &removed);
+ ob->srv_fail_domains, ob->mx_fail_domains,
+ ob->dnssec_request_domains, ob->dnssec_require_domains,
+ &fully_qualified_name, &removed);
if (removed) setflag(addr, af_local_host_removed);
/* If host found with only address records, test for the domain's being in
diff --git a/src/src/routers/dnslookup.h b/src/src/routers/dnslookup.h
index b0c384367..518b7f478 100644
--- a/src/src/routers/dnslookup.h
+++ b/src/src/routers/dnslookup.h
@@ -17,6 +17,8 @@ typedef struct {
uschar *mx_fail_domains;
uschar *srv_fail_domains;
uschar *check_srv;
+ uschar *dnssec_request_domains;
+ uschar *dnssec_require_domains;
} dnslookup_router_options_block;
/* Data for reading the private options. */
diff --git a/src/src/routers/rf_get_munge_headers.c b/src/src/routers/rf_get_munge_headers.c
index c44ba70b8..a4a13b04f 100644
--- a/src/src/routers/rf_get_munge_headers.c
+++ b/src/src/routers/rf_get_munge_headers.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
#include "../exim.h"
diff --git a/src/src/routers/rf_lookup_hostlist.c b/src/src/routers/rf_lookup_hostlist.c
index eadcd5df7..0eae31e61 100644
--- a/src/src/routers/rf_lookup_hostlist.c
+++ b/src/src/routers/rf_lookup_hostlist.c
@@ -94,6 +94,8 @@ for (h = addr->host_list; h != NULL; h = next_h)
NULL, /* SRV service not relevant */
NULL, /* failing srv domains not relevant */
NULL, /* no special mx failing domains */
+ NULL, /* no dnssec request XXX ? */
+ NULL, /* no dnssec require XXX ? */
NULL, /* fully_qualified_name */
NULL); /* indicate local host removed */
}
@@ -117,7 +119,9 @@ for (h = addr->host_list; h != NULL; h = next_h)
BOOL removed;
DEBUG(D_route|D_host_lookup) debug_printf("doing DNS lookup\n");
rc = host_find_bydns(h, ignore_target_hosts, HOST_FIND_BY_A, NULL, NULL,
- NULL, &canonical_name, &removed);
+ NULL,
+ NULL, NULL, /*XXX dnssec? */
+ &canonical_name, &removed);
if (rc == HOST_FOUND)
{
if (removed) setflag(addr, af_local_host_removed);
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index fbfe1ed7b..27ff13785 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for handling an incoming SMTP call. */
@@ -603,22 +603,6 @@ return proxy_session;
/*************************************************
-* Flush waiting input string *
-*************************************************/
-static void
-flush_input()
-{
-int rc;
-
-rc = smtp_getc();
-while (rc != '\n') /* End of input string */
- {
- rc = smtp_getc();
- }
-}
-
-
-/*************************************************
* Setup host for proxy protocol *
*************************************************/
/* The function configures the connection based on a header from the
@@ -664,12 +648,18 @@ union {
} v2;
} hdr;
+/* Temp variables used in PPv2 address:port parsing */
+uint16_t tmpport;
+char tmpip[INET_ADDRSTRLEN];
+struct sockaddr_in tmpaddr;
+char tmpip6[INET6_ADDRSTRLEN];
+struct sockaddr_in6 tmpaddr6;
+
+int get_ok = 0;
int size, ret, fd;
-uschar *tmpip;
const char v2sig[13] = "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x02";
uschar *iptype; /* To display debug info */
struct timeval tv;
-int get_ok = 0;
socklen_t vslen = 0;
struct timeval tvtmp;
@@ -690,7 +680,9 @@ setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tv,
do
{
- ret = recv(fd, &hdr, sizeof(hdr), MSG_PEEK);
+ /* The inbound host was declared to be a Proxy Protocol host, so
+ don't do a PEEK into the data, actually slurp it up. */
+ ret = recv(fd, &hdr, sizeof(hdr), 0);
}
while (ret == -1 && errno == EINTR);
@@ -715,20 +707,63 @@ if (ret >= 16 &&
case 0x01: /* PROXY command */
switch (hdr.v2.fam)
{
- case 0x11: /* TCPv4 */
- tmpip = string_sprintf("%s", hdr.v2.addr.ip4.src_addr);
- if (!string_is_ip_address(tmpip,NULL))
+ case 0x11: /* TCPv4 address type */
+ iptype = US"IPv4";
+ tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr;
+ inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip));
+ if (!string_is_ip_address(US tmpip,NULL))
+ {
+ DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
return ERRNO_PROXYFAIL;
- sender_host_address = tmpip;
- sender_host_port = hdr.v2.addr.ip4.src_port;
+ }
+ proxy_host_address = sender_host_address;
+ sender_host_address = string_copy(US tmpip);
+ tmpport = ntohs(hdr.v2.addr.ip4.src_port);
+ proxy_host_port = sender_host_port;
+ sender_host_port = tmpport;
+ /* Save dest ip/port */
+ tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.dst_addr;
+ inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip));
+ if (!string_is_ip_address(US tmpip,NULL))
+ {
+ DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
+ return ERRNO_PROXYFAIL;
+ }
+ proxy_target_address = string_copy(US tmpip);
+ tmpport = ntohs(hdr.v2.addr.ip4.dst_port);
+ proxy_target_port = tmpport;
goto done;
- case 0x21: /* TCPv6 */
- tmpip = string_sprintf("%s", hdr.v2.addr.ip6.src_addr);
- if (!string_is_ip_address(tmpip,NULL))
+ case 0x21: /* TCPv6 address type */
+ iptype = US"IPv6";
+ memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16);
+ inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6));
+ if (!string_is_ip_address(US tmpip6,NULL))
+ {
+ DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
return ERRNO_PROXYFAIL;
- sender_host_address = tmpip;
- sender_host_port = hdr.v2.addr.ip6.src_port;
+ }
+ proxy_host_address = sender_host_address;
+ sender_host_address = string_copy(US tmpip6);
+ tmpport = ntohs(hdr.v2.addr.ip6.src_port);
+ proxy_host_port = sender_host_port;
+ sender_host_port = tmpport;
+ /* Save dest ip/port */
+ memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.dst_addr, 16);
+ inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6));
+ if (!string_is_ip_address(US tmpip6,NULL))
+ {
+ DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
+ return ERRNO_PROXYFAIL;
+ }
+ proxy_target_address = string_copy(US tmpip6);
+ tmpport = ntohs(hdr.v2.addr.ip6.dst_port);
+ proxy_target_port = tmpport;
goto done;
+ default:
+ DEBUG(D_receive)
+ debug_printf("Unsupported PROXYv2 connection type: 0x%02x\n",
+ hdr.v2.fam);
+ goto proxyfail;
}
/* Unsupported protocol, keep local connection address */
break;
@@ -736,7 +771,9 @@ if (ret >= 16 &&
/* Keep local connection address for LOCAL */
break;
default:
- DEBUG(D_receive) debug_printf("Unsupported PROXYv2 command\n");
+ DEBUG(D_receive)
+ debug_printf("Unsupported PROXYv2 command: 0x%02x\n",
+ hdr.v2.cmd);
goto proxyfail;
}
}
@@ -816,7 +853,7 @@ else if (ret >= 8 &&
debug_printf("Proxy dest arg is not an %s address\n", iptype);
goto proxyfail;
}
- /* Should save dest ip somewhere? */
+ proxy_target_address = p;
p = sp + 1;
if ((sp = Ustrchr(p, ' ')) == NULL)
{
@@ -846,29 +883,27 @@ else if (ret >= 8 &&
debug_printf("Proxy dest port '%s' not an integer\n", p);
goto proxyfail;
}
- /* Should save dest port somewhere? */
+ proxy_target_port = tmp_port;
/* Already checked for /r /n above. Good V1 header received. */
goto done;
}
else
{
/* Wrong protocol */
- DEBUG(D_receive) debug_printf("Wrong proxy protocol specified\n");
+ DEBUG(D_receive) debug_printf("Invalid proxy protocol version negotiation\n");
goto proxyfail;
}
proxyfail:
restore_socket_timeout(fd, get_ok, tvtmp, vslen);
/* Don't flush any potential buffer contents. Any input should cause a
-synchronization failure or we just don't want to speak SMTP to them */
+ synchronization failure */
return FALSE;
done:
restore_socket_timeout(fd, get_ok, tvtmp, vslen);
-flush_input();
DEBUG(D_receive)
- debug_printf("Valid %s sender from Proxy Protocol header\n",
- iptype);
+ debug_printf("Valid %s sender from Proxy Protocol header\n", iptype);
return proxy_session;
}
#endif
@@ -1164,6 +1199,15 @@ return string_sprintf("SMTP connection from %s", hostname);
#ifdef SUPPORT_TLS
+/* Append TLS-related information to a log line
+
+Arguments:
+ s String under construction: allocated string to extend, or NULL
+ sizep Pointer to current allocation size (update on return), or NULL
+ ptrp Pointer to index for new entries in string (update on return), or NULL
+
+Returns: Allocated string or NULL
+*/
static uschar *
s_tlslog(uschar * s, int * sizep, int * ptrp)
{
@@ -1189,8 +1233,6 @@ s_tlslog(uschar * s, int * sizep, int * ptrp)
if (sizep) *sizep = size;
if (ptrp) *ptrp = ptr;
}
- else
- s = US"";
return s;
}
#endif
@@ -2715,14 +2757,17 @@ the connection is not forcibly to be dropped, return 0. Otherwise, log why it
is closing if required and return 2. */
if (log_reject_target != 0)
- log_write(0, log_reject_target, "%s%s %s%srejected %s%s",
- host_and_ident(TRUE),
+ {
#ifdef SUPPORT_TLS
- s_tlslog(NULL, NULL, NULL),
+ uschar * s = s_tlslog(NULL, NULL, NULL);
+ if (!s) s = US"";
#else
- "",
+ uschar * s = US"";
#endif
+ log_write(0, log_reject_target, "%s%s %s%srejected %s%s",
+ host_and_ident(TRUE), s,
sender_info, (rc == FAIL)? US"" : US"temporarily ", what, log_msg);
+ }
if (!drop) return 0;
diff --git a/src/src/spf.c b/src/src/spf.c
index 0f215e3b5..7167f5778 100644
--- a/src/src/spf.c
+++ b/src/src/spf.c
@@ -3,7 +3,7 @@
*************************************************/
/* Experimental SPF support.
- Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004
+ Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
License: GPL */
/* Code for calling spf checks via libspf-alt. Called from acl.c. */
diff --git a/src/src/string.c b/src/src/string.c
index eb73fae3e..365eaec03 100644
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Miscellaneous string-handling functions. Some are not required for
diff --git a/src/src/structs.h b/src/src/structs.h
index b89d2cad3..eb430851d 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 5600d6bb8..cbd44d6f2 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Copyright (c) Phil Pennock 2012 */
@@ -1228,25 +1228,23 @@ unsigned int verify;
*error = NULL;
-rc = peer_status(state);
-if (rc != OK)
+if ((rc = peer_status(state)) != OK)
{
verify = GNUTLS_CERT_INVALID;
- *error = "not supplied";
+ *error = "certificate not supplied";
}
else
- {
rc = gnutls_certificate_verify_peers2(state->session, &verify);
- }
/* Handle the result of verification. INVALID seems to be set as well
as REVOKED, but leave the test for both. */
-if ((rc < 0) || (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0)
+if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
{
state->peer_cert_verified = FALSE;
- if (*error == NULL)
- *error = ((verify & GNUTLS_CERT_REVOKED) != 0) ? "revoked" : "invalid";
+ if (!*error)
+ *error = verify & GNUTLS_CERT_REVOKED
+ ? "certificate revoked" : "certificate invalid";
DEBUG(D_tls)
debug_printf("TLS certificate verification failed (%s): peerdn=%s\n",
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index a64f85dea..bdf910acc 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Portions Copyright (c) The OpenSSL Project 1999 */
@@ -1923,6 +1923,11 @@ one version of OpenSSL but the run-time linker picks up another version,
it can result in serious failures, including crashing with a SIGSEGV. So
report the version found by the compiler and the run-time version.
+Note: some OS vendors backport security fixes without changing the version
+number/string, and the version date remains unchanged. The _build_ date
+will change, so we can more usefully assist with version diagnosis by also
+reporting the build date.
+
Arguments: a FILE* to print the results to
Returns: nothing
*/
@@ -1931,9 +1936,13 @@ void
tls_version_report(FILE *f)
{
fprintf(f, "Library version: OpenSSL: Compile: %s\n"
- " Runtime: %s\n",
+ " Runtime: %s\n"
+ " : %s\n",
OPENSSL_VERSION_TEXT,
- SSLeay_version(SSLEAY_VERSION));
+ SSLeay_version(SSLEAY_VERSION),
+ SSLeay_version(SSLEAY_BUILT_ON));
+/* third line is 38 characters for the %s and the line is 73 chars long;
+the OpenSSL output includes a "built on: " prefix already. */
}
diff --git a/src/src/tls.c b/src/src/tls.c
index 0625c48b8..972785284 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -181,4 +181,16 @@ return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
#endif /* SUPPORT_TLS */
+void
+tls_modify_variables(tls_support * dest_tsp)
+{
+modify_variable(US"tls_bits", &dest_tsp->bits);
+modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
+modify_variable(US"tls_cipher", &dest_tsp->cipher);
+modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni", &dest_tsp->sni);
+#endif
+}
+
/* End of tls.c */
diff --git a/src/src/transport.c b/src/src/transport.c
index d4495393b..92de4b92b 100644
--- a/src/src/transport.c
+++ b/src/src/transport.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* General functions concerned with transportation, and generic options for all
diff --git a/src/src/transports/lmtp.c b/src/src/transports/lmtp.c
index 7a1e7c471..84bbeb939 100644
--- a/src/src/transports/lmtp.c
+++ b/src/src/transports/lmtp.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
diff --git a/src/src/transports/pipe.c b/src/src/transports/pipe.c
index ceb24b891..3366a6dcf 100644
--- a/src/src/transports/pipe.c
+++ b/src/src/transports/pipe.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
diff --git a/src/src/transports/pipe.h b/src/src/transports/pipe.h
index 6417361ca..ed5c142b3 100644
--- a/src/src/transports/pipe.h
+++ b/src/src/transports/pipe.h
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Private structure for the private options. */
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 938844799..57b66b881 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
#include "../exim.h"
@@ -1213,13 +1213,6 @@ outblock.authenticating = FALSE;
/* Reset the parameters of a TLS session. */
-tls_in.bits = 0;
-tls_in.cipher = NULL; /* for back-compatible behaviour */
-tls_in.peerdn = NULL;
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-tls_in.sni = NULL;
-#endif
-
tls_out.bits = 0;
tls_out.cipher = NULL; /* the one we may use for this transport */
tls_out.peerdn = NULL;
@@ -1227,6 +1220,12 @@ tls_out.peerdn = NULL;
tls_out.sni = NULL;
#endif
+/* Flip the legacy TLS-related variables over to the outbound set in case
+they're used in the context of the transport. Don't bother resetting
+afterward as we're in a subprocess. */
+
+tls_modify_variables(&tls_out);
+
#ifndef SUPPORT_TLS
if (smtps)
{
@@ -2817,6 +2816,7 @@ for (cutoff_retry = 0; expired &&
rc = host_find_byname(host, NULL, flags, &canonical_name, TRUE);
else
rc = host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
+ NULL, NULL, /*XXX todo: smtp tpt hosts_require_dnssec */
&canonical_name, NULL);
/* Update the host (and any additional blocks, resulting from
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index fc4e014c1..6d33802ab 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -2,7 +2,7 @@
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Private structure for the private options and other private data. */
diff --git a/src/src/verify.c b/src/src/verify.c
index 8cc67f1b1..f799ff1de 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -1576,13 +1576,7 @@ if (address[0] == 0) return OK;
they're used in the context of a transport used by verification. Reset them
at exit from this routine. */
-modify_variable(US"tls_bits", &tls_out.bits);
-modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified);
-modify_variable(US"tls_cipher", &tls_out.cipher);
-modify_variable(US"tls_peerdn", &tls_out.peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-modify_variable(US"tls_sni", &tls_out.sni);
-#endif
+tls_modify_variables(&tls_out);
/* Save a copy of the sender address for re-instating if we change it to <>
while verifying a sender address (a nice bit of self-reference there). */
@@ -1756,6 +1750,7 @@ while (addr_new != NULL)
(void)host_find_byname(host, NULL, flags, &canonical_name, TRUE);
else
(void)host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
+ NULL, NULL, /*XXX todo: dnssec */
&canonical_name, NULL);
}
}
@@ -2041,14 +2036,7 @@ for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
the -bv or -bt case). */
out:
-
-modify_variable(US"tls_bits", &tls_in.bits);
-modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified);
-modify_variable(US"tls_cipher", &tls_in.cipher);
-modify_variable(US"tls_peerdn", &tls_in.peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-modify_variable(US"tls_sni", &tls_in.sni);
-#endif
+tls_modify_variables(&tls_in);
return yield;
}
@@ -3559,7 +3547,7 @@ revadd[0] = 0;
/* In case this is the first time the DNS resolver is being used. */
-dns_init(FALSE, FALSE);
+dns_init(FALSE, FALSE, FALSE); /*XXX dnssec? */
/* Loop through all the domains supplied, until something matches */
diff --git a/src/util/proxy_protocol_client.pl b/src/util/proxy_protocol_client.pl
new file mode 100644
index 000000000..7cfc13ddc
--- /dev/null
+++ b/src/util/proxy_protocol_client.pl
@@ -0,0 +1,250 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2014 Todd Lyons
+# License GPLv2: GNU GPL version 2
+# <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
+#
+# This script emulates a proxy which uses Proxy Protocol to communicate
+# to a backend server. It should be run from an IP which is configured
+# to be a Proxy Protocol connection (or not, if you are testing error
+# scenarios) because Proxy Protocol specs require not to fall back to a
+# non-proxied mode.
+#
+# The script is interactive, so when you run it, you are expected to
+# perform whatever conversation is required for the protocol being
+# tested. It uses STDIN/STDOUT, so you can also pipe output to/from the
+# script. It was originally written to test Exim's Proxy Protocol
+# code, and it could be tested like this:
+#
+# swaks --pipe 'perl proxy_protocol_client.pl --server-ip
+# host.internal.lan' --from user@example.com --to user@example.net
+#
+use strict;
+use warnings;
+use IO::Select;
+use IO::Socket;
+use Getopt::Long;
+use Data::Dumper;
+
+my %opts;
+GetOptions( \%opts,
+ 'help',
+ '6|ipv6',
+ 'dest-ip:s',
+ 'dest-port:i',
+ 'source-ip:s',
+ 'source-port:i',
+ 'server-ip:s',
+ 'server-port:i',
+ 'version:i'
+);
+&usage() if ($opts{help} || !$opts{'server-ip'});
+
+my ($dest_ip,$source_ip,$dest_port,$source_port);
+my %socket_map;
+my $status_line = "Testing Proxy Protocol Version " .
+ ($opts{version} ? $opts{version} : '2') .
+ ":\n";
+
+# All ip's and ports are in network byte order in version 2 mode, but are
+# simple strings when in version 1 mode. The binary_pack_*() functions
+# return the required data for the Proxy Protocol version being used.
+
+# Use provided source or fall back to www.mrball.net
+$source_ip = $opts{'source-ip'} ? binary_pack_ip($opts{'source-ip'}) :
+ $opts{6} ?
+ binary_pack_ip("2001:470:d:367::50") :
+ binary_pack_ip("208.89.139.252");
+$source_port = $opts{'source-port'} ?
+ binary_pack_port($opts{'source-port'}) :
+ binary_pack_port(43118);
+
+$status_line .= "-> " if (!$opts{version} || $opts{version} == 2);
+
+# Use provided dest or fall back to mail.exim.org
+$dest_ip = $opts{'dest-ip'} ? binary_pack_ip($opts{'dest-ip'}) :
+ $opts{6} ?
+ binary_pack_ip("2001:630:212:8:204:23ff:fed6:b664") :
+ binary_pack_ip("131.111.8.192");
+$dest_port = $opts{'dest-port'} ?
+ binary_pack_port($opts{'dest-port'}) :
+ binary_pack_port(25);
+
+# The IP and port of the Proxy Protocol backend real server being tested,
+# don't binary pack it.
+my $server_ip = $opts{'server-ip'};
+my $server_port = $opts{'server-port'} ? $opts{'server-port'} : 25;
+
+my $s = IO::Select->new(); # for socket polling
+
+sub generate_preamble {
+ my @preamble;
+ if (!$opts{version} || $opts{version} == 2) {
+ @preamble = (
+ "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A", # 12 byte v2 header
+ "\x02", # declares v2
+ "\x01", # connection is proxied
+ $opts{6} ? "\x21" : "\x11", # inet6/4 and TCP (stream)
+ $opts{6} ? "\x24" : "\x0b", # 36 bytes / 12 bytes
+ $source_ip,
+ $dest_ip,
+ $source_port,
+ $dest_port
+ );
+ }
+ else {
+ @preamble = (
+ "PROXY", " ", # Request proxy mode
+ $opts{6} ? "TCP6" : "TCP4", " ", # inet6/4 and TCP (stream)
+ $source_ip, " ",
+ $dest_ip, " ",
+ $source_port, " ",
+ $dest_port,
+ "\x0d\x0a"
+ );
+ $status_line .= join "", @preamble;
+ }
+ print "\n", $status_line, "\n";
+ print "\n" if (!$opts{version} || $opts{version} == 2);
+ return @preamble;
+}
+
+sub binary_pack_port {
+ my $port = shift();
+ if ($opts{version} && $opts{version} == 1) {
+ return $port
+ if ($port && $port =~ /^\d+$/ && $port > 0 && $port < 65536);
+ die "Not a valid port: $port";
+ }
+ $status_line .= $port." ";
+ $port = pack "S", $port;
+ return $port;
+}
+
+sub binary_pack_ip {
+ my $ip = shift();
+ if ( $ip =~ m/\./ && !$opts{6}) {
+ if (IP4_valid($ip)) {
+ return $ip if ($opts{version} && $opts{version} == 1);
+ $status_line .= $ip.":";
+ $ip = pack "C*", split /\./, $ip;
+ }
+ else { die "Invalid IPv4: $ip"; }
+ }
+ elsif ($ip =~ m/:/ && $opts{6}) {
+ $ip = pad_ipv6($ip);
+ if (IP6_valid($ip)) {
+ return $ip if ($opts{version} && $opts{version} == 1);
+ $status_line .= $ip.":";
+ $ip = pack "S>*", map hex, split /:/, $ip;
+ }
+ else { die "Invalid IPv6: $ip"; }
+ }
+ else { die "Mismatching IP families passed: $ip"; }
+ return $ip;
+}
+
+sub pad_ipv6 {
+ my $ip = shift();
+ my @ip = split /:/, $ip;
+ my $segments = scalar @ip;
+ return $ip if ($segments == 8);
+ $ip = "";
+ for (my $count=1; $count <= $segments; $count++) {
+ my $block = $ip[$count-1];
+ if ($block) {
+ $ip .= $block;
+ $ip .= ":" unless $count == $segments;
+ }
+ elsif ($count == 1) {
+ # Somebody passed us ::1, fix it, but it's not really valid
+ $ip = "0:";
+ }
+ else {
+ $ip .= join ":", map "0", 0..(8-$segments);
+ $ip .= ":";
+ }
+ }
+ return $ip;
+}
+
+sub IP6_valid {
+ my $ip = shift;
+ $ip = lc($ip);
+ return 0 unless ($ip =~ /^[0-9a-f:]+$/);
+ my @ip = split /:/, $ip;
+ return 0 if (scalar @ip != 8);
+ return 1;
+}
+
+sub IP4_valid {
+ my $ip = shift;
+ $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+ foreach ($1,$2,$3,$4){
+ if ($_ <256 && $_ >0) {next;}
+ return 0;
+ }
+ return 1;
+}
+
+sub go_interactive {
+ my $continue = 1;
+ while($continue) {
+ # Check for input on both ends, recheck every 5 sec
+ for my $socket ($s->can_read(5)) {
+ my $remote = $socket_map{$socket};
+ my $buffer;
+ my $read = $socket->sysread($buffer, 4096);
+ if ($read) {
+ $remote->syswrite($buffer);
+ }
+ else {
+ $continue = 0;
+ }
+ }
+ }
+}
+
+sub connect_stdin_to_proxy {
+ my $sock = new IO::Socket::INET(
+ PeerAddr => $server_ip,
+ PeerPort => $server_port,
+ Proto => 'tcp'
+ );
+
+ die "Could not create socket: $!\n" unless $sock;
+ # Add sockets to the Select group
+ $s->add(\*STDIN);
+ $s->add($sock);
+ # Tie the sockets together using this hash
+ $socket_map{\*STDIN} = $sock;
+ $socket_map{$sock} = \*STDOUT;
+ return $sock;
+}
+
+sub usage {
+ chomp(my $prog = `basename $0`);
+ print <<EOF;
+Usage: $prog [required] [optional]
+ Required:
+ --server-ip IP of server to test proxy configuration,
+ a hostname is ok, but for only this setting
+ Optional:
+ --server-port Port server is listening on (default 25)
+ --6 IPv6 source/dest (default IPv4), if none specified,
+ some default, reverse resolvable IP's are used for
+ the source and dest ip/port
+ --dest-ip Public IP of the proxy server
+ --dest-port Port of public IP of proxy server
+ --source-ip IP connecting to the proxy server
+ --source-port Port of IP connecting to the proxy server
+ --help This output
+EOF
+ exit;
+}
+
+
+my $sock = connect_stdin_to_proxy();
+my @preamble = generate_preamble();
+print $sock @preamble;
+go_interactive();