summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/src/acl.c1
-rw-r--r--src/src/dkim.c1
-rw-r--r--src/src/expand.c1
-rw-r--r--src/src/globals.c1
-rw-r--r--src/src/globals.h1
-rw-r--r--src/src/host.c16
-rw-r--r--src/src/lookups/dnsdb.c3
7 files changed, 21 insertions, 3 deletions
diff --git a/src/src/acl.c b/src/src/acl.c
index 9d0842c1d..270a2f2c0 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -1614,6 +1614,7 @@ else
DNS_LOOKUP_AGAIN:
#endif
+lookup_dnssec_authenticated = NULL;
switch (dns_lookup(&dnsa, target, type, NULL))
{
/* If something bad happened (most commonly DNS_AGAIN), defer. */
diff --git a/src/src/dkim.c b/src/src/dkim.c
index cb7fc7065..171fcccdb 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -23,6 +23,7 @@ int dkim_exim_query_dns_txt(char *name, char *answer) {
dns_scan dnss;
dns_record *rr;
+ lookup_dnssec_authenticated = NULL;
if (dns_lookup(&dnsa, (uschar *)name, T_TXT, NULL) != DNS_SUCCEED) return PDKIM_FAIL;
/* Search for TXT record */
diff --git a/src/src/expand.c b/src/src/expand.c
index fd4f65abb..54b3abc54 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -510,6 +510,7 @@ static var_entry var_table[] = {
{ "localhost_number", vtype_int, &host_number },
{ "log_inodes", vtype_pinodes, (void *)FALSE },
{ "log_space", vtype_pspace, (void *)FALSE },
+ { "lookup_dnssec_authenticated",vtype_stringptr,&lookup_dnssec_authenticated},
{ "mailstore_basename", vtype_stringptr, &mailstore_basename },
#ifdef WITH_CONTENT_SCAN
{ "malware_name", vtype_stringptr, &malware_name },
diff --git a/src/src/globals.c b/src/src/globals.c
index fbc3787f9..cb014fbe8 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -837,6 +837,7 @@ BOOL log_testing_mode = FALSE;
BOOL log_timezone = FALSE;
unsigned int log_write_selector= L_default;
uschar *login_sender_address = NULL;
+uschar *lookup_dnssec_authenticated = NULL;
int lookup_open_max = 25;
uschar *lookup_value = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index e18bddc01..cfa6d2bff 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -503,6 +503,7 @@ extern unsigned int log_write_selector;/* Bit map of logging options for log_wri
extern uschar *login_sender_address; /* The actual sender address */
extern lookup_info **lookup_list; /* Array of pointers to available lookups */
extern int lookup_list_count; /* Number of entries in the list */
+extern uschar *lookup_dnssec_authenticated; /* AD status of dns lookup */
extern int lookup_open_max; /* Max lookup files to cache */
extern uschar *lookup_value; /* Value looked up from file */
diff --git a/src/src/host.c b/src/src/host.c
index 495a44d58..05bcbe8c7 100644
--- a/src/src/host.c
+++ b/src/src/host.c
@@ -220,6 +220,8 @@ else
int rc = dns_lookup(&dnsa, lname, type, NULL);
int count = 0;
+ lookup_dnssec_authenticated = NULL;
+
switch(rc)
{
case DNS_SUCCEED: break;
@@ -2207,7 +2209,7 @@ Returns: HOST_FIND_FAILED couldn't find A record
static int
set_address_from_dns(host_item *host, host_item **lastptr,
uschar *ignore_target_hosts, BOOL allow_ip, uschar **fully_qualified_name,
- BOOL dnssec_require)
+ BOOL dnssec_requested, BOOL dnssec_require)
{
dns_record *rr;
host_item *thishostlast = NULL; /* Indicates not yet filled in anything */
@@ -2268,6 +2270,8 @@ for (; i >= 0; i--)
dns_scan dnss;
int rc = dns_lookup(&dnsa, host->name, type, fully_qualified_name);
+ lookup_dnssec_authenticated = !dnssec_requested ? NULL
+ : dns_is_secure(&dnsa) ? US"yes" : US"no";
/* We want to return HOST_FIND_AGAIN if one of the A, A6, or AAAA lookups
fails or times out, but not if another one succeeds. (In the early
@@ -2506,6 +2510,9 @@ if ((whichrrs & HOST_FIND_BY_SRV) != 0)
magic. */
rc = dns_lookup(&dnsa, buffer, ind_type, &temp_fully_qualified_name);
+ lookup_dnssec_authenticated = !dnssec_request ? NULL
+ : dns_is_secure(&dnsa) ? US"yes" : US"no";
+
if (temp_fully_qualified_name != buffer && fully_qualified_name != NULL)
*fully_qualified_name = temp_fully_qualified_name + prefix_length;
@@ -2541,6 +2548,9 @@ if (rc != DNS_SUCCEED && (whichrrs & HOST_FIND_BY_MX) != 0)
{
ind_type = T_MX;
rc = dns_lookup(&dnsa, host->name, ind_type, fully_qualified_name);
+ lookup_dnssec_authenticated = !dnssec_request ? NULL
+ : dns_is_secure(&dnsa) ? US"yes" : US"no";
+
switch (rc)
{
case DNS_NOMATCH:
@@ -2584,7 +2594,7 @@ if (rc != DNS_SUCCEED)
host->mx = MX_NONE;
host->port = PORT_NONE;
rc = set_address_from_dns(host, &last, ignore_target_hosts, FALSE,
- fully_qualified_name, dnssec_require);
+ fully_qualified_name, dnssec_request, dnssec_require);
/* If one or more address records have been found, check that none of them
are local. Since we know the host items all have their IP addresses
@@ -2914,7 +2924,7 @@ for (h = host; h != last->next; h = h->next)
{
if (h->address != NULL) continue; /* Inserted by a multihomed host */
rc = set_address_from_dns(h, &last, ignore_target_hosts, allow_mx_to_ip,
- NULL, dnssec_require);
+ NULL, dnssec_request, dnssec_require);
if (rc != HOST_FOUND)
{
h->status = hstatus_unusable;
diff --git a/src/src/lookups/dnsdb.c b/src/src/lookups/dnsdb.c
index b7e50588b..ef3376505 100644
--- a/src/src/lookups/dnsdb.c
+++ b/src/src/lookups/dnsdb.c
@@ -354,6 +354,9 @@ while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer)))
#endif
rc = dns_special_lookup(&dnsa, domain, type, &found);
+ lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
+ : dns_is_secure(&dnsa) ? US"yes" : US"no";
+
if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
if (rc != DNS_SUCCEED)
{