From 379ba7d06d366c8cd151215e4c82424c36049375 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 20 Dec 2015 20:01:52 +0000 Subject: dnslists: permit use with explicit key(s) in nonsmtp ACLs. Bug 1748 --- src/src/acl.c | 8 +++++--- src/src/functions.h | 2 +- src/src/verify.c | 20 ++++++++++++++------ 3 files changed, 20 insertions(+), 10 deletions(-) (limited to 'src') diff --git a/src/src/acl.c b/src/src/acl.c index 17f55c2ac..1456cc724 100644 --- a/src/src/acl.c +++ b/src/src/acl.c @@ -475,8 +475,10 @@ static unsigned int cond_forbids[] = { ~(1<next) #endif case ACLC_DNSLISTS: - rc = verify_check_dnsbl(&arg); + rc = verify_check_dnsbl(where, &arg, log_msgptr); break; case ACLC_DOMAINS: diff --git a/src/src/functions.h b/src/src/functions.h index bd43934f0..3b700873a 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -480,7 +480,7 @@ extern void utf8_version_report(FILE *); extern int verify_address(address_item *, FILE *, int, int, int, int, uschar *, uschar *, BOOL *); -extern int verify_check_dnsbl(const uschar **); +extern int verify_check_dnsbl(int, const uschar **, uschar **); extern int verify_check_header_address(uschar **, uschar **, int, int, int, uschar *, uschar *, int, int *); extern int verify_check_headers(uschar **); diff --git a/src/src/verify.c b/src/src/verify.c index b73f45a24..ef95394d3 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -3876,7 +3876,9 @@ Note: an address for testing DUL is 192.203.178.4 Note: a domain for testing RFCI is example.tld.dsn.rfc-ignorant.org Arguments: + where the acl type listptr the domain/address/data list + log_msgptr log message on error Returns: OK successful lookup (i.e. the address is on the list), or lookup deferred after +include_unknown 
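Review bot: The header comment of verify_check_dnsbl in src/src/verify.c gains the `where` and `log_msgptr` arguments, but its Returns list is not extended with the ERROR outcome that the last verify.c hunk introduces. I would add an entry such as `ERROR  item without an explicit key used in a non-SMTP ACL; *log_msgptr is set` and reword the argument line to `log_msgptr  where to store the message when ERROR is returned`. The Returns block continues past the end of this hunk, so an existing ERROR entry there is possible but not visible here.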
@@ -3886,7 +3888,7 @@ Returns: OK successful lookup (i.e. the address is on the list), or */ int -verify_check_dnsbl(const uschar **listptr) +verify_check_dnsbl(int where, const uschar ** listptr, uschar ** log_msgptr) { int sep = 0; int defer_return = FAIL; @@ -3933,21 +3935,19 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL /* See if there's explicit data to be looked up */ - key = Ustrchr(domain, '/'); - if (key != NULL) *key++ = 0; + if ((key = Ustrchr(domain, '/'))) *key++ = 0; /* See if there's a list of addresses supplied after the domain name. This is introduced by an = or a & character; if preceded by = we require all matches and if preceded by ! we invert the result. */ - iplist = Ustrchr(domain, '='); - if (iplist == NULL) + if (!(iplist = Ustrchr(domain, '='))) { bitmask = TRUE; iplist = Ustrchr(domain, '&'); } - if (iplist != NULL) /* Found either = or & */ + if (iplist) /* Found either = or & */ { if (iplist > domain && iplist[-1] == '!') /* Handle preceding ! */ { @@ -3966,6 +3966,7 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL } } + /* If there is a comma in the domain, it indicates that a second domain for looking up TXT records is provided, before the main domain. Otherwise we must set domain_txt == domain. */ @@ -4011,6 +4012,13 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL if (key == NULL) { + if (where == ACL_WHERE_NOTSMTP_START || where == ACL_WHERE_NOTSMTP) + { + *log_msgptr = string_sprintf + ("cannot test auto-keyed dnslists condition in %s ACL", + acl_wherenames[where]); + return ERROR; + } if (sender_host_address == NULL) return FAIL; /* can never match */ if (revadd[0] == 0) invert_address(revadd, sender_host_address); rc = one_check_dnsbl(domain, domain_txt, sender_host_address, revadd, -- cgit v1.2.3
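Review bot: In the `key == NULL` branch of the last hunk (`@@ -4011,6 +4012,13 @@`), the non-SMTP test runs per list item inside the `while` loop, so a list mixing keyed and unkeyed items is reported as an error only when evaluation actually reaches the unkeyed item. If an earlier item can end the loop first (those return paths are outside the hunk), the misconfiguration stays silent on some messages and becomes ERROR on others. The config-time restriction in acl.c appears to be relaxed by this commit (that hunk is truncated on this page), so this run-time test looks like the only remaining guard and deserves a comment above the `if`: `/* Unkeyed items are looked up by sender_host_address; refuse them in non-SMTP ACLs with a config error, not a silent FAIL */`. The enclosing loop and function start and end outside the hunk.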