From 1f155f8e69b44ee7678dd1009ae0348e5c8d768e Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Tue, 19 May 2015 22:32:38 +0100 Subject: Change host_lookup re-forward from byname to bydns; checking DNSSEC --- src/src/functions.h | 3 ++- src/src/host.c | 39 ++++++++++++++++++++------------------- src/src/ip.c | 4 ++-- src/src/routers/iplookup.c | 1 + src/src/smtp_in.c | 4 ++++ src/src/verify.c | 4 ++++ 6 files changed, 33 insertions(+), 22 deletions(-) (limited to 'src') diff --git a/src/src/functions.h b/src/src/functions.h index 6b0689b3c..c3095c06b 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -197,7 +197,8 @@ extern void host_build_hostlist(host_item **, const uschar *, BOOL); extern ip_address_item *host_build_ifacelist(const uschar *, uschar *); extern void host_build_log_info(void); extern void host_build_sender_fullhost(void); -extern BOOL host_find_byname(host_item *, const uschar *, int, const uschar **, BOOL); +extern BOOL host_find_byname(host_item *, const uschar *, int, + const uschar **, BOOL); extern int host_find_bydns(host_item *, const uschar *, int, uschar *, uschar *, uschar *, const dnssec_domains *, const uschar **, BOOL *); extern ip_address_item *host_find_interfaces(void); diff --git a/src/src/host.c b/src/src/host.c index b3d38c578..4772a7c6c 100644 --- a/src/src/host.c +++ b/src/src/host.c @@ -1639,8 +1639,7 @@ if (running_in_test_harness && /* Do lookups directly in the DNS or via gethostbyaddr() (or equivalent), in the order specified by the host_lookup_order option. */ -while ((ordername = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) - != NULL) +while ((ordername = string_nextinlist(&list, &sep, buffer, sizeof(buffer)))) { if (strcmpic(ordername, US"bydns") == 0) { @@ -1661,8 +1660,6 @@ while ((ordername = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) int count = 0; int old_pool = store_pool; - /* Ideally we'd check DNSSEC both forward and reverse, but we use the - gethost* routines for forward, so can't do that unless/until we rewrite. */ sender_host_dnssec = dns_is_secure(&dnsa); DEBUG(D_dns) debug_printf("Reverse DNS security status: %s\n", @@ -1710,8 +1707,8 @@ while ((ordername = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) "empty name: treated as non-existent host name\n"); continue; } - if (sender_host_name == NULL) sender_host_name = s; - else *aptr++ = s; + if (!sender_host_name) sender_host_name = s; + else *aptr++ = s; while (*s != 0) { *s = tolower(*s); s++; } } @@ -1790,21 +1787,30 @@ for (hname = sender_host_name; hname != NULL; hname = *aliases++) int rc; BOOL ok = FALSE; host_item h; + dnssec_domains d; + h.next = NULL; h.name = hname; h.mx = MX_NONE; h.address = NULL; + d.request = sender_host_dnssec ? US"*" : NULL;; + d.require = NULL; - /* When called with the last argument FALSE, host_find_byname() won't return - HOST_FOUND_LOCAL. If the incoming address is an IPv4 address expressed in - IPv6 format, we must compare the IPv4 part to any IPv4 addresses. */ - - if ((rc = host_find_byname(&h, NULL, 0, NULL, FALSE)) == HOST_FOUND) + if ( (rc = host_find_bydns(&h, NULL, HOST_FIND_BY_A, + NULL, NULL, NULL, &d, NULL, NULL)) == HOST_FOUND + || rc == HOST_FOUND_LOCAL + ) { host_item *hh; HDEBUG(D_host_lookup) debug_printf("checking addresses for %s\n", hname); + + /* If the forward lookup was not secure we cancel the is-secure variable */ + + DEBUG(D_dns) debug_printf("Forward DNS security status: %s\n", + h.dnssec == DS_YES ? "DNSSEC verified (AD)" : "unverified"); + if (h.dnssec != DS_YES) sender_host_dnssec = FALSE; + for (hh = &h; hh != NULL; hh = hh->next) - { if (host_is_in_net(hh->address, sender_host_address, 0)) { HDEBUG(D_host_lookup) debug_printf(" %s OK\n", hh->address); @@ -1812,10 +1818,8 @@ for (hname = sender_host_name; hname != NULL; hname = *aliases++) break; } else - { HDEBUG(D_host_lookup) debug_printf(" %s\n", hh->address); - } - } + if (!ok) HDEBUG(D_host_lookup) debug_printf("no IP address for %s matched %s\n", hname, sender_host_address); @@ -1828,9 +1832,7 @@ for (hname = sender_host_name; hname != NULL; hname = *aliases++) return DEFER; } else - { HDEBUG(D_host_lookup) debug_printf("no IP addresses found for %s\n", hname); - } /* If this name is no good, and it's the sender name, set it null pro tem; if it's an alias, just remove it from the list. */ @@ -2539,8 +2541,7 @@ that gets set for DNS syntax check errors. */ if (fully_qualified_name != NULL) *fully_qualified_name = host->name; dns_init((whichrrs & HOST_FIND_QUALIFY_SINGLE) != 0, (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0, - dnssec_request - ); + dnssec_request); host_find_failed_syntax = FALSE; /* First, if requested, look for SRV records. The service name is given; we diff --git a/src/src/ip.c b/src/src/ip.c index f6c7433f5..9a7444ed8 100644 --- a/src/src/ip.c +++ b/src/src/ip.c @@ -309,8 +309,8 @@ else if (string_is_ip_address(hostname, NULL) != 0) else { shost.name = string_copy(hostname); - if (host_find_byname(&shost, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, - FALSE) != HOST_FOUND) + if (host_find_byname(&shost, NULL, HOST_FIND_QUALIFY_SINGLE, + NULL, FALSE) != HOST_FOUND) { *errstr = string_sprintf("no IP address found for host %s", shost.name); return -1; diff --git a/src/src/routers/iplookup.c b/src/src/routers/iplookup.c index 33329f887..79d083ef2 100644 --- a/src/src/routers/iplookup.c +++ b/src/src/routers/iplookup.c @@ -207,6 +207,7 @@ while ((hostname = string_nextinlist(&listptr, &sep, host_buffer, host->address = host->name; else { +/*XXX might want dnssec request/require on an iplookup router? */ int rc = host_find_byname(host, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, TRUE); if (rc == HOST_FIND_FAILED || rc == HOST_FIND_AGAIN) continue; } diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 37cc023d3..b2f8b0fc8 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -3009,6 +3009,7 @@ else if (helo_verified) { + /*XXX have sender_host_dnssec */ HDEBUG(D_receive) debug_printf("matched host name\n"); } else @@ -3018,6 +3019,7 @@ else { helo_verified = strcmpic(*aliases++, sender_helo_name) == 0; if (helo_verified) break; + /*XXX have sender_host_dnssec */ } HDEBUG(D_receive) { @@ -3039,6 +3041,8 @@ else h.next = NULL; HDEBUG(D_receive) debug_printf("getting IP address for %s\n", sender_helo_name); +/*XXX would like to determine dnssec status here */ +/* need to change to bydns */ rc = host_find_byname(&h, NULL, 0, NULL, TRUE); if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL) { diff --git a/src/src/verify.c b/src/src/verify.c index 10cef82f1..506b7e09b 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -3245,6 +3245,10 @@ if (*t == 0) h.address = NULL; h.mx = MX_NONE; + /* Using byname rather than bydns here means we cannot determine dnssec + status. On the other hand it is unclear how that could be either + propagated up or enforced. */ + rc = host_find_byname(&h, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, FALSE); if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL) { -- cgit v1.2.3