From f64a1e235f8579c91d6ea0275d7d97e7a958709b Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Tue, 15 Apr 2014 19:43:31 -0700 Subject: Report OpenSSL build date too. Adjust `-d -bV` output for OpenSSL to include library build date. Some OS packagers have backported heartbleed security fixes without changing anything in the reported version number. The closest we can get to a reassuring sign for administrators is to report the OpenSSL library build date, as picked by the library which Exim is using at run time. ``` Library version: OpenSSL: Compile: OpenSSL 1.0.1g 7 Apr 2014 Runtime: OpenSSL 1.0.1g 7 Apr 2014 : built on: Mon Apr 7 15:08:30 PDT 2014 ``` For comparison, the version information for OpenSSL on Ubuntu (where Exim is by default built with GnuTLS, but this provides for context for comparison): ``` $ openssl version -v -b OpenSSL 1.0.1 14 Mar 2012 built on: Mon Apr 7 20:33:29 UTC 2014 ``` GnuTLS: the closest I can find to a runtime value is the call we are already making; if an OS vendor patches GnuTLS without changing the version which would be returned by `gnutls_check_version(NULL)` then the sysadmin is SOL and will have to explore library linkages more carefully. --- src/src/tls-openssl.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index a64f85dea..b7b2f8847 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1923,6 +1923,11 @@ one version of OpenSSL but the run-time linker picks up another version, it can result in serious failures, including crashing with a SIGSEGV. So report the version found by the compiler and the run-time version. +Note: some OS vendors backport security fixes without changing the version +number/string, and the version date remains unchanged. The _build_ date +will change, so we can more usefully assist with version diagnosis by also +reporting the build date. + Arguments: a FILE* to print the results to Returns: nothing */ @@ -1931,9 +1936,13 @@ void tls_version_report(FILE *f) { fprintf(f, "Library version: OpenSSL: Compile: %s\n" - " Runtime: %s\n", + " Runtime: %s\n" + " : %s\n", OPENSSL_VERSION_TEXT, - SSLeay_version(SSLEAY_VERSION)); + SSLeay_version(SSLEAY_VERSION), + SSLeay_version(SSLEAY_BUILT_ON)); +/* third line is 38 characters for the %s and the line is 73 chars long; +the OpenSSL output includes a "built on: " prefix already. */ } -- cgit v1.2.3 From 14ea0bea67dc606a55b1a7c29ce7e8595bd86f64 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Tue, 15 Apr 2014 23:25:45 -0700 Subject: Bail configuration on missing package If we're configured to use pkg-config (or pcre-config) and the tool is not available or does not know about the package we ask for, that should be a fatal configuration error. We should not silently ignore the missing package, then try to compile, and have missing header warnings from the compiler. Eg, if we're told to support GSASL, we'll try to compile the client code, and without compiler flags, we'll either fail to compile (missing headers) or fail to link, which obscures the source of the errors. This change will only break people who had builds set to have Exim depend upon non-existent packages, and that _needs_ to break. --- src/scripts/Configure-Makefile | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'src') diff --git a/src/scripts/Configure-Makefile b/src/scripts/Configure-Makefile index 5e8a72683..eeb26eeb1 100755 --- a/src/scripts/Configure-Makefile +++ b/src/scripts/Configure-Makefile @@ -142,6 +142,10 @@ then fi if [ ".$need_this" != "." ]; then tls_include=`pkg-config --cflags $pc_value` + if [ $? -ne 0 ]; then + echo >&2 "*** Missing pkg-config for package $pc_value (for Exim $var build option)" + exit 1 + fi tls_libs=`pkg-config --libs $pc_value` echo "TLS_INCLUDE=$tls_include" echo "TLS_LIBS=$tls_libs" @@ -161,6 +165,10 @@ then else # main binary cflags=`pkg-config --cflags $pc_value` + if [ $? -ne 0 ]; then + echo >&2 "*** Missing pkg-config for package $pc_value (for Exim $var build option)" + exit 1 + fi libs=`pkg-config --libs $pc_value` if [ "$var" != "${var#LOOKUP_}" ]; then echo "LOOKUP_INCLUDE += $cflags" @@ -178,6 +186,10 @@ then case $PCRE_CONFIG in yes|YES|y|Y) cflags=`pcre-config --cflags` + if [ $? -ne 0 ]; then + echo >&2 "*** Missing pcre-config for regular expression support" + exit 1 + fi libs=`pcre-config --libs` if [ ".$cflags" != "." ]; then echo "INCLUDE += $cflags" @@ -196,6 +208,10 @@ then echo "# End of pkg-config fixups" echo ) >> $mft + subexit=$? + if [ $subexit -ne 0 ]; then + exit $subexit + fi fi rm -f $mftt -- cgit v1.2.3 From 887291d23b561d0bb8cf43db80c191810e2d8ce3 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Fri, 18 Apr 2014 14:21:59 +0100 Subject: Fix logging of nomail When built with TLS support, non-TLS connections not resulting in mail transfer were crashing while building a log line. Fix by not returning a non-extensible string from the routine added in 67d81c1. --- src/src/smtp_in.c | 22 ++++++++++++++++------ test/log/0547 | 1 + 2 files changed, 17 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index fbfe1ed7b..2a3873d33 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -1164,6 +1164,15 @@ return string_sprintf("SMTP connection from %s", hostname); #ifdef SUPPORT_TLS +/* Append TLS-related information to a log line + +Arguments: + s String under construction: allocated string to extend, or NULL + sizep Pointer to current allocation size (update on return), or NULL + ptrp Pointer to index for new entries in string (update on return), or NULL + +Returns: Allocated string or NULL +*/ static uschar * s_tlslog(uschar * s, int * sizep, int * ptrp) { @@ -1189,8 +1198,6 @@ s_tlslog(uschar * s, int * sizep, int * ptrp) if (sizep) *sizep = size; if (ptrp) *ptrp = ptr; } - else - s = US""; return s; } #endif @@ -2715,14 +2722,17 @@ the connection is not forcibly to be dropped, return 0. Otherwise, log why it is closing if required and return 2. */ if (log_reject_target != 0) - log_write(0, log_reject_target, "%s%s %s%srejected %s%s", - host_and_ident(TRUE), + { #ifdef SUPPORT_TLS - s_tlslog(NULL, NULL, NULL), + uschar * s = s_tlslog(NULL, NULL, NULL); + if (!s) s = US""; #else - "", + uschar * s = US""; #endif + log_write(0, log_reject_target, "%s%s %s%srejected %s%s", + host_and_ident(TRUE), s, sender_info, (rc == FAIL)? US"" : US"temporarily ", what, log_msg); + } if (!drop) return 0; diff --git a/test/log/0547 b/test/log/0547 index 6a5b233e0..3b86d2bd5 100644 --- a/test/log/0547 +++ b/test/log/0547 @@ -1,4 +1,5 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 no MAIL in SMTP connection from [127.0.0.1] D=0s 1999-03-02 09:44:33 no MAIL in SMTP connection from [127.0.0.1] D=0s C=QUIT 1999-03-02 09:44:33 H=(x.y.z) [127.0.0.1] rejected VRFY a@b.c 1999-03-02 09:44:33 no MAIL in SMTP connection from (x.y.z) [127.0.0.1] D=0s C=EHLO,VRFY,QUIT -- cgit v1.2.3 From eb57651e8badf0b65af0371732e42f2ee5c7772c Mon Sep 17 00:00:00 2001 From: Todd Lyons Date: Thu, 17 Apr 2014 11:58:09 -0700 Subject: Fix Proxy Protocol v2 handling Change recv() to not use MSGPEEK and eliminated flush_input(). Add proxy_target_address/port expansions. Convert ipv6 decoding to memmove(). Use sizeof() for variable sizing. Correct struct member access. Enhance debug output when passed invalid command/family. Add to and enhance documentation. Client script to test Proxy Protocol, interactive on STDIN/STDOUT, so can be chained (ie a swaks pipe), useful for any service, not just Exim and/or smtp. --- doc/doc-txt/experimental-spec.txt | 21 +++- src/src/expand.c | 2 + src/src/globals.c | 2 + src/src/globals.h | 6 +- src/src/smtp_in.c | 109 +++++++++++------ src/util/proxy_protocol_client.pl | 250 ++++++++++++++++++++++++++++++++++++++ 6 files changed, 347 insertions(+), 43 deletions(-) create mode 100644 src/util/proxy_protocol_client.pl (limited to 'src') diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 265e1211b..f21609662 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -1087,10 +1087,16 @@ Proxy Protocol server at 192.168.1.2 will look like this: 3. In the ACL's the following expansion variables are available. -proxy_host_address The src IP of the proxy server making the connection -proxy_host_port The src port the proxy server is using -proxy_session Boolean, yes/no, the connected host is required to use - Proxy Protocol. +proxy_host_address The (internal) src IP of the proxy server + making the connection to the Exim server. +proxy_host_port The (internal) src port the proxy server is + using to connect to the Exim server. +proxy_target_address The dest (public) IP of the remote host to + the proxy server. +proxy_target_port The dest port the remote host is using to + connect to the proxy server. +proxy_session Boolean, yes/no, the connected host is required + to use Proxy Protocol. There is no expansion for a failed proxy session, however you can detect it by checking if $proxy_session is true but $proxy_host is empty. As @@ -1110,6 +1116,13 @@ an example, in my connect ACL, I have: [$sender_host_address] through proxy protocol \ host $proxy_host_address + # Possibly more clear + warn logwrite = Remote Source Address: $sender_host_address:$sender_host_port + logwrite = Proxy Target Address: $proxy_target_address:$proxy_target_port + logwrite = Proxy Internal Address: $proxy_host_address:$proxy_host_port + logwrite = Internal Server Address: $received_ip_address:$received_port + + 4. Runtime issues to be aware of: - Since the real connections are all coming from your proxy, and the per host connection tracking is done before Proxy Protocol is diff --git a/src/src/expand.c b/src/src/expand.c index d2ac8ca79..7e8c2b49d 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -565,6 +565,8 @@ static var_entry var_table[] = { { "proxy_host_address", vtype_stringptr, &proxy_host_address }, { "proxy_host_port", vtype_int, &proxy_host_port }, { "proxy_session", vtype_bool, &proxy_session }, + { "proxy_target_address",vtype_stringptr, &proxy_target_address }, + { "proxy_target_port", vtype_int, &proxy_target_port }, #endif { "prvscheck_address", vtype_stringptr, &prvscheck_address }, { "prvscheck_keynum", vtype_stringptr, &prvscheck_keynum }, diff --git a/src/src/globals.c b/src/src/globals.c index 839b91dcc..38bd37bce 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -925,6 +925,8 @@ int proxy_host_port = 0; uschar *proxy_required_hosts = US""; BOOL proxy_session = FALSE; BOOL proxy_session_failed = FALSE; +uschar *proxy_target_address = US""; +int proxy_target_port = 0; #endif uschar *prvscheck_address = NULL; diff --git a/src/src/globals.h b/src/src/globals.h index 1cc39fc09..b229c1a07 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -595,11 +595,13 @@ extern uschar *process_log_path; /* Alternate path */ extern BOOL prod_requires_admin; /* TRUE if prodding requires admin */ #ifdef EXPERIMENTAL_PROXY -extern uschar *proxy_host_address; /* IP of proxy server */ -extern int proxy_host_port; /* Port of proxy server */ +extern uschar *proxy_host_address; /* IP of host being proxied */ +extern int proxy_host_port; /* Port of host being proxied */ extern uschar *proxy_required_hosts; /* Hostlist which (require) use proxy protocol */ extern BOOL proxy_session; /* TRUE if receiving mail from valid proxy */ extern BOOL proxy_session_failed; /* TRUE if required proxy negotiation failed */ +extern uschar *proxy_target_address; /* IP of proxy server inbound */ +extern int proxy_target_port; /* Port of proxy server inbound */ #endif extern uschar *prvscheck_address; /* Set during prvscheck expansion item */ diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 2a3873d33..7fe00be12 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -602,22 +602,6 @@ return proxy_session; } -/************************************************* -* Flush waiting input string * -*************************************************/ -static void -flush_input() -{ -int rc; - -rc = smtp_getc(); -while (rc != '\n') /* End of input string */ - { - rc = smtp_getc(); - } -} - - /************************************************* * Setup host for proxy protocol * *************************************************/ @@ -664,12 +648,18 @@ union { } v2; } hdr; +/* Temp variables used in PPv2 address:port parsing */ +uint16_t tmpport; +char tmpip[INET_ADDRSTRLEN]; +struct sockaddr_in tmpaddr; +char tmpip6[INET6_ADDRSTRLEN]; +struct sockaddr_in6 tmpaddr6; + +int get_ok = 0; int size, ret, fd; -uschar *tmpip; const char v2sig[13] = "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x02"; uschar *iptype; /* To display debug info */ struct timeval tv; -int get_ok = 0; socklen_t vslen = 0; struct timeval tvtmp; @@ -690,7 +680,9 @@ setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tv, do { - ret = recv(fd, &hdr, sizeof(hdr), MSG_PEEK); + /* The inbound host was declared to be a Proxy Protocol host, so + don't do a PEEK into the data, actually slurp it up. */ + ret = recv(fd, &hdr, sizeof(hdr), 0); } while (ret == -1 && errno == EINTR); @@ -715,20 +707,63 @@ if (ret >= 16 && case 0x01: /* PROXY command */ switch (hdr.v2.fam) { - case 0x11: /* TCPv4 */ - tmpip = string_sprintf("%s", hdr.v2.addr.ip4.src_addr); - if (!string_is_ip_address(tmpip,NULL)) + case 0x11: /* TCPv4 address type */ + iptype = US"IPv4"; + tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr; + inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip)); + if (!string_is_ip_address(US tmpip,NULL)) + { + DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype); return ERRNO_PROXYFAIL; - sender_host_address = tmpip; - sender_host_port = hdr.v2.addr.ip4.src_port; + } + proxy_host_address = sender_host_address; + sender_host_address = string_copy(US tmpip); + tmpport = ntohs(hdr.v2.addr.ip4.src_port); + proxy_host_port = sender_host_port; + sender_host_port = tmpport; + /* Save dest ip/port */ + tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.dst_addr; + inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip)); + if (!string_is_ip_address(US tmpip,NULL)) + { + DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype); + return ERRNO_PROXYFAIL; + } + proxy_target_address = string_copy(US tmpip); + tmpport = ntohs(hdr.v2.addr.ip4.dst_port); + proxy_target_port = tmpport; goto done; - case 0x21: /* TCPv6 */ - tmpip = string_sprintf("%s", hdr.v2.addr.ip6.src_addr); - if (!string_is_ip_address(tmpip,NULL)) + case 0x21: /* TCPv6 address type */ + iptype = US"IPv6"; + memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16); + inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6)); + if (!string_is_ip_address(US tmpip6,NULL)) + { + DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype); + return ERRNO_PROXYFAIL; + } + proxy_host_address = sender_host_address; + sender_host_address = string_copy(US tmpip6); + tmpport = ntohs(hdr.v2.addr.ip6.src_port); + proxy_host_port = sender_host_port; + sender_host_port = tmpport; + /* Save dest ip/port */ + memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.dst_addr, 16); + inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6)); + if (!string_is_ip_address(US tmpip6,NULL)) + { + DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype); return ERRNO_PROXYFAIL; - sender_host_address = tmpip; - sender_host_port = hdr.v2.addr.ip6.src_port; + } + proxy_target_address = string_copy(US tmpip6); + tmpport = ntohs(hdr.v2.addr.ip6.dst_port); + proxy_target_port = tmpport; goto done; + default: + DEBUG(D_receive) + debug_printf("Unsupported PROXYv2 connection type: 0x%02x\n", + hdr.v2.fam); + goto proxyfail; } /* Unsupported protocol, keep local connection address */ break; @@ -736,7 +771,9 @@ if (ret >= 16 && /* Keep local connection address for LOCAL */ break; default: - DEBUG(D_receive) debug_printf("Unsupported PROXYv2 command\n"); + DEBUG(D_receive) + debug_printf("Unsupported PROXYv2 command: 0x%02x\n", + hdr.v2.cmd); goto proxyfail; } } @@ -816,7 +853,7 @@ else if (ret >= 8 && debug_printf("Proxy dest arg is not an %s address\n", iptype); goto proxyfail; } - /* Should save dest ip somewhere? */ + proxy_target_address = p; p = sp + 1; if ((sp = Ustrchr(p, ' ')) == NULL) { @@ -846,29 +883,27 @@ else if (ret >= 8 && debug_printf("Proxy dest port '%s' not an integer\n", p); goto proxyfail; } - /* Should save dest port somewhere? */ + proxy_target_port = tmp_port; /* Already checked for /r /n above. Good V1 header received. */ goto done; } else { /* Wrong protocol */ - DEBUG(D_receive) debug_printf("Wrong proxy protocol specified\n"); + DEBUG(D_receive) debug_printf("Invalid proxy protocol version negotiation\n"); goto proxyfail; } proxyfail: restore_socket_timeout(fd, get_ok, tvtmp, vslen); /* Don't flush any potential buffer contents. Any input should cause a -synchronization failure or we just don't want to speak SMTP to them */ + synchronization failure */ return FALSE; done: restore_socket_timeout(fd, get_ok, tvtmp, vslen); -flush_input(); DEBUG(D_receive) - debug_printf("Valid %s sender from Proxy Protocol header\n", - iptype); + debug_printf("Valid %s sender from Proxy Protocol header\n", iptype); return proxy_session; } #endif diff --git a/src/util/proxy_protocol_client.pl b/src/util/proxy_protocol_client.pl new file mode 100644 index 000000000..7cfc13ddc --- /dev/null +++ b/src/util/proxy_protocol_client.pl @@ -0,0 +1,250 @@ +#!/usr/bin/perl +# +# Copyright (C) 2014 Todd Lyons +# License GPLv2: GNU GPL version 2 +# +# +# This script emulates a proxy which uses Proxy Protocol to communicate +# to a backend server. It should be run from an IP which is configured +# to be a Proxy Protocol connection (or not, if you are testing error +# scenarios) because Proxy Protocol specs require not to fall back to a +# non-proxied mode. +# +# The script is interactive, so when you run it, you are expected to +# perform whatever conversation is required for the protocol being +# tested. It uses STDIN/STDOUT, so you can also pipe output to/from the +# script. It was originally written to test Exim's Proxy Protocol +# code, and it could be tested like this: +# +# swaks --pipe 'perl proxy_protocol_client.pl --server-ip +# host.internal.lan' --from user@example.com --to user@example.net +# +use strict; +use warnings; +use IO::Select; +use IO::Socket; +use Getopt::Long; +use Data::Dumper; + +my %opts; +GetOptions( \%opts, + 'help', + '6|ipv6', + 'dest-ip:s', + 'dest-port:i', + 'source-ip:s', + 'source-port:i', + 'server-ip:s', + 'server-port:i', + 'version:i' +); +&usage() if ($opts{help} || !$opts{'server-ip'}); + +my ($dest_ip,$source_ip,$dest_port,$source_port); +my %socket_map; +my $status_line = "Testing Proxy Protocol Version " . + ($opts{version} ? $opts{version} : '2') . + ":\n"; + +# All ip's and ports are in network byte order in version 2 mode, but are +# simple strings when in version 1 mode. The binary_pack_*() functions +# return the required data for the Proxy Protocol version being used. + +# Use provided source or fall back to www.mrball.net +$source_ip = $opts{'source-ip'} ? binary_pack_ip($opts{'source-ip'}) : + $opts{6} ? + binary_pack_ip("2001:470:d:367::50") : + binary_pack_ip("208.89.139.252"); +$source_port = $opts{'source-port'} ? + binary_pack_port($opts{'source-port'}) : + binary_pack_port(43118); + +$status_line .= "-> " if (!$opts{version} || $opts{version} == 2); + +# Use provided dest or fall back to mail.exim.org +$dest_ip = $opts{'dest-ip'} ? binary_pack_ip($opts{'dest-ip'}) : + $opts{6} ? + binary_pack_ip("2001:630:212:8:204:23ff:fed6:b664") : + binary_pack_ip("131.111.8.192"); +$dest_port = $opts{'dest-port'} ? + binary_pack_port($opts{'dest-port'}) : + binary_pack_port(25); + +# The IP and port of the Proxy Protocol backend real server being tested, +# don't binary pack it. +my $server_ip = $opts{'server-ip'}; +my $server_port = $opts{'server-port'} ? $opts{'server-port'} : 25; + +my $s = IO::Select->new(); # for socket polling + +sub generate_preamble { + my @preamble; + if (!$opts{version} || $opts{version} == 2) { + @preamble = ( + "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A", # 12 byte v2 header + "\x02", # declares v2 + "\x01", # connection is proxied + $opts{6} ? "\x21" : "\x11", # inet6/4 and TCP (stream) + $opts{6} ? "\x24" : "\x0b", # 36 bytes / 12 bytes + $source_ip, + $dest_ip, + $source_port, + $dest_port + ); + } + else { + @preamble = ( + "PROXY", " ", # Request proxy mode + $opts{6} ? "TCP6" : "TCP4", " ", # inet6/4 and TCP (stream) + $source_ip, " ", + $dest_ip, " ", + $source_port, " ", + $dest_port, + "\x0d\x0a" + ); + $status_line .= join "", @preamble; + } + print "\n", $status_line, "\n"; + print "\n" if (!$opts{version} || $opts{version} == 2); + return @preamble; +} + +sub binary_pack_port { + my $port = shift(); + if ($opts{version} && $opts{version} == 1) { + return $port + if ($port && $port =~ /^\d+$/ && $port > 0 && $port < 65536); + die "Not a valid port: $port"; + } + $status_line .= $port." "; + $port = pack "S", $port; + return $port; +} + +sub binary_pack_ip { + my $ip = shift(); + if ( $ip =~ m/\./ && !$opts{6}) { + if (IP4_valid($ip)) { + return $ip if ($opts{version} && $opts{version} == 1); + $status_line .= $ip.":"; + $ip = pack "C*", split /\./, $ip; + } + else { die "Invalid IPv4: $ip"; } + } + elsif ($ip =~ m/:/ && $opts{6}) { + $ip = pad_ipv6($ip); + if (IP6_valid($ip)) { + return $ip if ($opts{version} && $opts{version} == 1); + $status_line .= $ip.":"; + $ip = pack "S>*", map hex, split /:/, $ip; + } + else { die "Invalid IPv6: $ip"; } + } + else { die "Mismatching IP families passed: $ip"; } + return $ip; +} + +sub pad_ipv6 { + my $ip = shift(); + my @ip = split /:/, $ip; + my $segments = scalar @ip; + return $ip if ($segments == 8); + $ip = ""; + for (my $count=1; $count <= $segments; $count++) { + my $block = $ip[$count-1]; + if ($block) { + $ip .= $block; + $ip .= ":" unless $count == $segments; + } + elsif ($count == 1) { + # Somebody passed us ::1, fix it, but it's not really valid + $ip = "0:"; + } + else { + $ip .= join ":", map "0", 0..(8-$segments); + $ip .= ":"; + } + } + return $ip; +} + +sub IP6_valid { + my $ip = shift; + $ip = lc($ip); + return 0 unless ($ip =~ /^[0-9a-f:]+$/); + my @ip = split /:/, $ip; + return 0 if (scalar @ip != 8); + return 1; +} + +sub IP4_valid { + my $ip = shift; + $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/; + foreach ($1,$2,$3,$4){ + if ($_ <256 && $_ >0) {next;} + return 0; + } + return 1; +} + +sub go_interactive { + my $continue = 1; + while($continue) { + # Check for input on both ends, recheck every 5 sec + for my $socket ($s->can_read(5)) { + my $remote = $socket_map{$socket}; + my $buffer; + my $read = $socket->sysread($buffer, 4096); + if ($read) { + $remote->syswrite($buffer); + } + else { + $continue = 0; + } + } + } +} + +sub connect_stdin_to_proxy { + my $sock = new IO::Socket::INET( + PeerAddr => $server_ip, + PeerPort => $server_port, + Proto => 'tcp' + ); + + die "Could not create socket: $!\n" unless $sock; + # Add sockets to the Select group + $s->add(\*STDIN); + $s->add($sock); + # Tie the sockets together using this hash + $socket_map{\*STDIN} = $sock; + $socket_map{$sock} = \*STDOUT; + return $sock; +} + +sub usage { + chomp(my $prog = `basename $0`); + print < Date: Sat, 19 Apr 2014 10:28:32 -0700 Subject: Copyright year updates: vim $(git whatchanged --since=2014-01-01 | grep '^:100' | sed 's/^[^M]*M//' | sort -u | fgrep -v test/) --- doc/doc-docbook/filter.xfpt | 2 +- src/Makefile | 2 +- src/exim_monitor/em_log.c | 2 +- src/src/acl.c | 2 +- src/src/auths/dovecot.c | 2 +- src/src/config.h.defaults | 2 +- src/src/daemon.c | 2 +- src/src/deliver.c | 2 +- src/src/dmarc.c | 2 +- src/src/dmarc.h | 2 +- src/src/dns.c | 2 +- src/src/drtables.c | 2 +- src/src/exigrep.src | 2 +- src/src/exim.c | 2 +- src/src/exim.h | 2 +- src/src/eximstats.src | 2 +- src/src/expand.c | 2 +- src/src/functions.h | 2 +- src/src/globals.c | 2 +- src/src/globals.h | 2 +- src/src/ip.c | 2 +- src/src/log.c | 2 +- src/src/lookups/dnsdb.c | 2 +- src/src/lookups/ldap.c | 2 +- src/src/macros.h | 2 +- src/src/malware.c | 2 +- src/src/moan.c | 2 +- src/src/readconf.c | 2 +- src/src/route.c | 2 +- src/src/routers/rf_get_munge_headers.c | 2 +- src/src/smtp_in.c | 2 +- src/src/spf.c | 2 +- src/src/string.c | 2 +- src/src/structs.h | 2 +- src/src/tls-gnu.c | 2 +- src/src/tls-openssl.c | 2 +- src/src/transport.c | 2 +- src/src/transports/lmtp.c | 2 +- src/src/transports/pipe.c | 2 +- src/src/transports/pipe.h | 2 +- src/src/transports/smtp.c | 2 +- src/src/transports/smtp.h | 2 +- 42 files changed, 42 insertions(+), 42 deletions(-) (limited to 'src') diff --git a/doc/doc-docbook/filter.xfpt b/doc/doc-docbook/filter.xfpt index 19ad586c3..8cac5d5c8 100644 --- a/doc/doc-docbook/filter.xfpt +++ b/doc/doc-docbook/filter.xfpt @@ -48,7 +48,7 @@ . Copyright year. Update this (only) when changing content. .macro copyyear -2013 +2014 .endmacro . =========================================================================== diff --git a/src/Makefile b/src/Makefile index 161167f3f..31c459a05 100644 --- a/src/Makefile +++ b/src/Makefile @@ -2,7 +2,7 @@ # appropriate links, and then creating and running the main makefile in that # directory. -# Copyright (c) University of Cambridge, 1995 - 2013 +# Copyright (c) University of Cambridge, 1995 - 2014 # See the file NOTICE for conditions of use and distribution. # IRIX make uses the shell that is in the SHELL variable, which often defaults diff --git a/src/exim_monitor/em_log.c b/src/exim_monitor/em_log.c index 757936dea..6efd9c0c9 100644 --- a/src/exim_monitor/em_log.c +++ b/src/exim_monitor/em_log.c @@ -2,7 +2,7 @@ * Exim Monitor * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* This module contains code for scanning the main log, diff --git a/src/src/acl.c b/src/src/acl.c index 4fda03b77..9d0842c1d 100644 --- a/src/src/acl.c +++ b/src/src/acl.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Code for handling Access Control Lists (ACLs) */ diff --git a/src/src/auths/dovecot.c b/src/src/auths/dovecot.c index 0f4822745..1874f3238 100644 --- a/src/src/auths/dovecot.c +++ b/src/src/auths/dovecot.c @@ -1,6 +1,6 @@ /* * Copyright (c) 2004 Andrey Panin - * Copyright (c) 2006-2013 The Exim Maintainers + * Copyright (c) 2006-2014 The Exim Maintainers * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults index 962b90d68..6f7295ca1 100644 --- a/src/src/config.h.defaults +++ b/src/src/config.h.defaults @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* The default settings for Exim configuration variables. A #define without diff --git a/src/src/daemon.c b/src/src/daemon.c index caf494a24..66ed22440 100644 --- a/src/src/daemon.c +++ b/src/src/daemon.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions concerned with running Exim as a daemon */ diff --git a/src/src/deliver.c b/src/src/deliver.c index 121f7c2e0..1e7a8a18a 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* The main code for delivering a message. */ diff --git a/src/src/dmarc.c b/src/src/dmarc.c index 05de69353..b2336b388 100644 --- a/src/src/dmarc.c +++ b/src/src/dmarc.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ /* Experimental DMARC support. - Copyright (c) Todd Lyons 2012, 2013 + Copyright (c) Todd Lyons 2012 - 2014 License: GPL */ /* Portions Copyright (c) 2012, 2013, The Trusted Domain Project; diff --git a/src/src/dmarc.h b/src/src/dmarc.h index 088d86494..ee78450a6 100644 --- a/src/src/dmarc.h +++ b/src/src/dmarc.h @@ -3,7 +3,7 @@ *************************************************/ /* Experimental DMARC support. - Copyright (c) Todd Lyons 2012, 2013 + Copyright (c) Todd Lyons 2012 - 2014 License: GPL */ /* Portions Copyright (c) 2012, 2013, The Trusted Domain Project; diff --git a/src/src/dns.c b/src/src/dns.c index 2aeb5af62..185522e58 100644 --- a/src/src/dns.c +++ b/src/src/dns.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions for interfacing with the DNS. */ diff --git a/src/src/drtables.c b/src/src/drtables.c index d48945e90..c2d866850 100644 --- a/src/src/drtables.c +++ b/src/src/drtables.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ diff --git a/src/src/exigrep.src b/src/src/exigrep.src index 7b35da866..2d3b40cbf 100644 --- a/src/src/exigrep.src +++ b/src/src/exigrep.src @@ -2,7 +2,7 @@ use strict; -# Copyright (c) 2007-2013 University of Cambridge. +# Copyright (c) 2007-2014 University of Cambridge. # See the file NOTICE for conditions of use and distribution. # Except when they appear in comments, the following placeholders in this diff --git a/src/src/exim.c b/src/src/exim.c index 1637c891e..3ab657fea 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ diff --git a/src/src/exim.h b/src/src/exim.h index c72c1f10a..b824b48f3 100644 --- a/src/src/exim.h +++ b/src/src/exim.h @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ diff --git a/src/src/eximstats.src b/src/src/eximstats.src index 66777c9ee..4370b4eab 100644 --- a/src/src/eximstats.src +++ b/src/src/eximstats.src @@ -1,6 +1,6 @@ #!PERL_COMMAND -w -# Copyright (c) 2001-2013 University of Cambridge. +# Copyright (c) 2001-2014 University of Cambridge. # See the file NOTICE for conditions of use and distribution. # Perl script to generate statistics from one or more Exim log files. diff --git a/src/src/expand.c b/src/src/expand.c index 7e8c2b49d..fd4f65abb 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ diff --git a/src/src/functions.h b/src/src/functions.h index 35500a165..0bd3d7267 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ diff --git a/src/src/globals.c b/src/src/globals.c index 38bd37bce..fbc3787f9 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* All the global variables are defined together in this one module, so diff --git a/src/src/globals.h b/src/src/globals.h index b229c1a07..e18bddc01 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Almost all the global variables are defined together in this one header, so diff --git a/src/src/ip.c b/src/src/ip.c index a820998ca..0211adc1e 100644 --- a/src/src/ip.c +++ b/src/src/ip.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions for doing things with sockets. With the advent of IPv6 this has diff --git a/src/src/log.c b/src/src/log.c index 1a5d38866..c80c34751 100644 --- a/src/src/log.c +++ b/src/src/log.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions for writing log files. The code for maintaining datestamped diff --git a/src/src/lookups/dnsdb.c b/src/src/lookups/dnsdb.c index beba09508..e2e0f7f0d 100644 --- a/src/src/lookups/dnsdb.c +++ b/src/src/lookups/dnsdb.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ #include "../exim.h" diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c index 7071dc259..27780db49 100644 --- a/src/src/lookups/ldap.c +++ b/src/src/lookups/ldap.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Many thanks to Stuart Lynne for contributing the original code for this diff --git a/src/src/macros.h b/src/src/macros.h index 3f3810127..fc3776c84 100644 --- a/src/src/macros.h +++ b/src/src/macros.h @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ diff --git a/src/src/malware.c b/src/src/malware.c index 01209d684..7b3453f72 100644 --- a/src/src/malware.c +++ b/src/src/malware.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) Tom Kistner 2003-2013 */ +/* Copyright (c) Tom Kistner 2003-2014 */ /* License: GPL */ /* Code for calling virus (malware) scanners. Called from acl.c. */ diff --git a/src/src/moan.c b/src/src/moan.c index 5ae6f85f7..4d7b51b9a 100644 --- a/src/src/moan.c +++ b/src/src/moan.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions for sending messages to sender or to mailmaster. */ diff --git a/src/src/readconf.c b/src/src/readconf.c index 81e3bc267..a0238d25f 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions for reading the configuration file, and for displaying diff --git a/src/src/route.c b/src/src/route.c index c83233e97..271175e4b 100644 --- a/src/src/route.c +++ b/src/src/route.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions concerned with routing, and the list of generic router options. */ diff --git a/src/src/routers/rf_get_munge_headers.c b/src/src/routers/rf_get_munge_headers.c index c44ba70b8..a4a13b04f 100644 --- a/src/src/routers/rf_get_munge_headers.c +++ b/src/src/routers/rf_get_munge_headers.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2009 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ #include "../exim.h" diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 7fe00be12..27ff13785 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions for handling an incoming SMTP call. */ diff --git a/src/src/spf.c b/src/src/spf.c index 0f215e3b5..7167f5778 100644 --- a/src/src/spf.c +++ b/src/src/spf.c @@ -3,7 +3,7 @@ *************************************************/ /* Experimental SPF support. - Copyright (c) Tom Kistner 2004 + Copyright (c) Tom Kistner 2004 - 2014 License: GPL */ /* Code for calling spf checks via libspf-alt. Called from acl.c. */ diff --git a/src/src/string.c b/src/src/string.c index eb73fae3e..365eaec03 100644 --- a/src/src/string.c +++ b/src/src/string.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Miscellaneous string-handling functions. Some are not required for diff --git a/src/src/structs.h b/src/src/structs.h index b89d2cad3..eb430851d 100644 --- a/src/src/structs.h +++ b/src/src/structs.h @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 5600d6bb8..7c3625216 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Copyright (c) Phil Pennock 2012 */ diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index b7b2f8847..bdf910acc 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Portions Copyright (c) The OpenSSL Project 1999 */ diff --git a/src/src/transport.c b/src/src/transport.c index d4495393b..92de4b92b 100644 --- a/src/src/transport.c +++ b/src/src/transport.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* General functions concerned with transportation, and generic options for all diff --git a/src/src/transports/lmtp.c b/src/src/transports/lmtp.c index 7a1e7c471..84bbeb939 100644 --- a/src/src/transports/lmtp.c +++ b/src/src/transports/lmtp.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2009 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ diff --git a/src/src/transports/pipe.c b/src/src/transports/pipe.c index ceb24b891..3366a6dcf 100644 --- a/src/src/transports/pipe.c +++ b/src/src/transports/pipe.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ diff --git a/src/src/transports/pipe.h b/src/src/transports/pipe.h index 6417361ca..ed5c142b3 100644 --- a/src/src/transports/pipe.h +++ b/src/src/transports/pipe.h @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Private structure for the private options. */ diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 938844799..16e5c022f 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ #include "../exim.h" diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h index fc4e014c1..6d33802ab 100644 --- a/src/src/transports/smtp.h +++ b/src/src/transports/smtp.h @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Private structure for the private options and other private data. */ -- cgit v1.2.3 From 35aba663e3f1eab672a8b2082a83194bf3b7a058 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 20 Apr 2014 16:44:52 +0100 Subject: Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455 The split of these variables into _in and _out sets introduced by d9b231 in 4.82 was incomplete, leaving the deprecated legacy variables nonfunctional during a transport and associated client authenticator. Fix by repointing the legacy set to the outbound connection set at transport startup (and do not clear out the inbound set at this time, either). --- doc/doc-txt/ChangeLog | 3 +++ src/src/functions.h | 3 ++- src/src/tls.c | 12 ++++++++++++ src/src/transports/smtp.c | 13 ++++++------- src/src/verify.c | 17 ++--------------- test/confs/3465 | 4 ++++ 6 files changed, 29 insertions(+), 23 deletions(-) (limited to 'src') diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index e41dc3e02..56ff713cb 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -82,6 +82,9 @@ TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly is a combined value of both the record presence and the result of the analysis. +JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455. + + Exim version 4.82 ----------------- diff --git a/src/src/functions.h b/src/src/functions.h index 0bd3d7267..be71345a1 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -45,7 +45,7 @@ extern void tls_version_report(FILE *); #ifndef USE_GNUTLS extern BOOL tls_openssl_options_parse(uschar *, long *); #endif -#endif +#endif /*SUPPORT_TLS*/ /* Everything else... */ @@ -374,6 +374,7 @@ extern int strncmpic(const uschar *, const uschar *, int); extern uschar *strstric(uschar *, uschar *, BOOL); extern uschar *tod_stamp(int); +extern void tls_modify_variables(tls_support *); extern BOOL transport_check_waiting(uschar *, uschar *, int, uschar *, BOOL *); extern void transport_init(void); diff --git a/src/src/tls.c b/src/src/tls.c index 0625c48b8..972785284 100644 --- a/src/src/tls.c +++ b/src/src/tls.c @@ -181,4 +181,16 @@ return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm; #endif /* SUPPORT_TLS */ +void +tls_modify_variables(tls_support * dest_tsp) +{ +modify_variable(US"tls_bits", &dest_tsp->bits); +modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified); +modify_variable(US"tls_cipher", &dest_tsp->cipher); +modify_variable(US"tls_peerdn", &dest_tsp->peerdn); +#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) +modify_variable(US"tls_sni", &dest_tsp->sni); +#endif +} + /* End of tls.c */ diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 16e5c022f..0aa95a448 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -1213,13 +1213,6 @@ outblock.authenticating = FALSE; /* Reset the parameters of a TLS session. */ -tls_in.bits = 0; -tls_in.cipher = NULL; /* for back-compatible behaviour */ -tls_in.peerdn = NULL; -#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) -tls_in.sni = NULL; -#endif - tls_out.bits = 0; tls_out.cipher = NULL; /* the one we may use for this transport */ tls_out.peerdn = NULL; @@ -1227,6 +1220,12 @@ tls_out.peerdn = NULL; tls_out.sni = NULL; #endif +/* Flip the legacy TLS-related variables over to the outbound set in case +they're used in the context of the transport. Don't bother resetting +afterward as we're in a subprocess. */ + +tls_modify_variables(&tls_out); + #ifndef SUPPORT_TLS if (smtps) { diff --git a/src/src/verify.c b/src/src/verify.c index 8cc67f1b1..690bb8f01 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -1576,13 +1576,7 @@ if (address[0] == 0) return OK; they're used in the context of a transport used by verification. Reset them at exit from this routine. */ -modify_variable(US"tls_bits", &tls_out.bits); -modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified); -modify_variable(US"tls_cipher", &tls_out.cipher); -modify_variable(US"tls_peerdn", &tls_out.peerdn); -#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) -modify_variable(US"tls_sni", &tls_out.sni); -#endif +tls_modify_variables(&tls_out); /* Save a copy of the sender address for re-instating if we change it to <> while verifying a sender address (a nice bit of self-reference there). */ @@ -2041,14 +2035,7 @@ for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++) the -bv or -bt case). */ out: - -modify_variable(US"tls_bits", &tls_in.bits); -modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified); -modify_variable(US"tls_cipher", &tls_in.cipher); -modify_variable(US"tls_peerdn", &tls_in.peerdn); -#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) -modify_variable(US"tls_sni", &tls_in.sni); -#endif +tls_modify_variables(&tls_in); return yield; } diff --git a/test/confs/3465 b/test/confs/3465 index 161fff526..83592a678 100644 --- a/test/confs/3465 +++ b/test/confs/3465 @@ -70,5 +70,9 @@ t1: hosts_require_auth = * allow_localhost + # These can be made visible by adding "-d-all+deliver+transport+tls" to the script 1st queuerun + headers_add = X-tls-cipher: <$tls_cipher> + headers_add = X-tls-out-cipher: <$tls_out_cipher> + # End -- cgit v1.2.3 From 8c51eead714a52b81651352b5db4b985d17c3148 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 20 Apr 2014 16:44:52 +0100 Subject: Add options dnssec_request_domains, dnssec_require_domains to the dnslookup router Note there are no testsuite cases included. TODO in this area: - dnssec during verify-callouts - dnssec during dnsdb expansions - dnssec on the forward lookup of a verify=helo and verify=reverse_host_lookup - observability of status of requested dnssec --- doc/doc-docbook/spec.xfpt | 23 +++++++ doc/doc-txt/ChangeLog | 3 + src/src/dns.c | 10 +++- src/src/functions.h | 4 +- src/src/host.c | 112 ++++++++++++++++++++++++++--------- src/src/lookups/dnsdb.c | 2 +- src/src/match.c | 2 + src/src/routers/dnslookup.c | 12 +++- src/src/routers/dnslookup.h | 2 + src/src/routers/rf_lookup_hostlist.c | 6 +- src/src/transports/smtp.c | 1 + src/src/verify.c | 3 +- 12 files changed, 143 insertions(+), 37 deletions(-) (limited to 'src') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 86090290b..68ebf8ad6 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -17622,6 +17622,29 @@ when there is a DNS lookup error. +.option dnssec_request_domains dnslookup "domain list&!!" unset +.cindex "MX record" "security" +.cindex "DNSSEC" "MX lookup" +.cindex "security" "MX lookup" +.cindex "DNS" "DNSSEC" +DNS lookups for domains matching &%dnssec_request_domains%& will be done with +the dnssec request bit set. +This applies to all of the SRV, MX A6, AAAA, A lookup sequence. + + + +.option dnssec_require_domains dnslookup "domain list&!!" unset +.cindex "MX record" "security" +.cindex "DNSSEC" "MX lookup" +.cindex "security" "MX lookup" +.cindex "DNS" "DNSSEC" +DNS lookups for domains matching &%dnssec_request_domains%& will be done with +the dnssec request bit set. Any returns not having the Authenticated Data bit +(AD bit) set wil be ignored and logged as a host-lookup failure. +This applies to all of the SRV, MX A6, AAAA, A lookup sequence. + + + .option mx_domains dnslookup "domain list&!!" unset .cindex "MX record" "required to exist" .cindex "SRV record" "required to exist" diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 56ff713cb..6252956a6 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -84,6 +84,9 @@ TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455. +JH/14 New options dnssec_request_domains, dnssec_require_domains on the + dnslookup router (applying to the forward lookup). + Exim version 4.82 ----------------- diff --git a/src/src/dns.c b/src/src/dns.c index 185522e58..a15eb033a 100644 --- a/src/src/dns.c +++ b/src/src/dns.c @@ -159,12 +159,13 @@ the first time we have been here, and set the resolver options. Arguments: qualify_single TRUE to set the RES_DEFNAMES option search_parents TRUE to set the RES_DNSRCH option + use_dnssec TRUE to set the RES_USE_DNSSEC option Returns: nothing */ void -dns_init(BOOL qualify_single, BOOL search_parents) +dns_init(BOOL qualify_single, BOOL search_parents, BOOL use_dnssec) { res_state resp = os_get_dns_resolver_res(); @@ -206,6 +207,8 @@ if (dns_use_edns0 >= 0) # ifndef RES_USE_EDNS0 # error Have RES_USE_DNSSEC but not RES_USE_EDNS0? Something hinky ... # endif +if (use_dnssec) + resp->options |= RES_USE_DNSSEC; if (dns_dnssec_ok >= 0) { if (dns_use_edns0 == 0 && dns_dnssec_ok != 0) @@ -228,6 +231,9 @@ if (dns_dnssec_ok >= 0) DEBUG(D_resolver) debug_printf("Unable to %sset DNSSEC without resolver support.\n", dns_dnssec_ok ? "" : "un"); +if (use_dnssec) + DEBUG(D_resolver) + debug_printf("Unable to set DNSSEC without resolver support.\n") # endif #endif /* DISABLE_DNSSEC */ @@ -1249,4 +1255,6 @@ else return yield; } +/* vi: aw ai sw=2 +*/ /* End of dns.c */ diff --git a/src/src/functions.h b/src/src/functions.h index be71345a1..599afd206 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -115,7 +115,7 @@ extern BOOL dkim_transport_write_message(address_item *, int, int, #endif extern dns_address *dns_address_from_rr(dns_answer *, dns_record *); extern void dns_build_reverse(uschar *, uschar *); -extern void dns_init(BOOL, BOOL); +extern void dns_init(BOOL, BOOL, BOOL); extern int dns_basic_lookup(dns_answer *, uschar *, int); extern BOOL dns_is_secure(dns_answer *); extern int dns_lookup(dns_answer *, uschar *, int, uschar **); @@ -157,7 +157,7 @@ extern void host_build_log_info(void); extern void host_build_sender_fullhost(void); extern BOOL host_find_byname(host_item *, uschar *, int, uschar **, BOOL); extern int host_find_bydns(host_item *, uschar *, int, uschar *, uschar *, - uschar *,uschar **, BOOL *); + uschar *, uschar *, uschar *, uschar **, BOOL *); extern ip_address_item *host_find_interfaces(void); extern BOOL host_is_in_net(uschar *, uschar *, int); extern BOOL host_is_tls_on_connect_port(int); diff --git a/src/src/host.c b/src/src/host.c index 785eea412..495a44d58 100644 --- a/src/src/host.c +++ b/src/src/host.c @@ -1622,7 +1622,7 @@ while ((ordername = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) { if (strcmpic(ordername, US"bydns") == 0) { - dns_init(FALSE, FALSE); + dns_init(FALSE, FALSE, FALSE); /*XXX dnssec? */ dns_build_reverse(sender_host_address, buffer); rc = dns_lookup(&dnsa, buffer, T_PTR, NULL); @@ -1919,7 +1919,8 @@ if (running_in_test_harness) some circumstances when the get..byname() function actually calls the DNS. */ dns_init((flags & HOST_FIND_QUALIFY_SINGLE) != 0, - (flags & HOST_FIND_SEARCH_PARENTS) != 0); + (flags & HOST_FIND_SEARCH_PARENTS) != 0, + FALSE); /*XXX dnssec? */ /* In an IPv6 world, unless IPv6 has been disabled, we need to scan for both kinds of address, so go round the loop twice. Note that we have ensured that @@ -2195,6 +2196,7 @@ Arguments: fully_qualified_name if not NULL, return fully qualified name here if the contents are different (i.e. it must be preset to something) + dnnssec_require if TRUE check the DNS result AD bit Returns: HOST_FIND_FAILED couldn't find A record HOST_FIND_AGAIN try again later @@ -2204,7 +2206,8 @@ Returns: HOST_FIND_FAILED couldn't find A record static int set_address_from_dns(host_item *host, host_item **lastptr, - uschar *ignore_target_hosts, BOOL allow_ip, uschar **fully_qualified_name) + uschar *ignore_target_hosts, BOOL allow_ip, uschar **fully_qualified_name, + BOOL dnssec_require) { dns_record *rr; host_item *thishostlast = NULL; /* Indicates not yet filled in anything */ @@ -2287,6 +2290,12 @@ for (; i >= 0; i--) if (rc != DNS_NOMATCH && rc != DNS_NODATA) v6_find_again = TRUE; continue; } + if (dnssec_require && !dns_is_secure(&dnsa)) + { + log_write(L_host_lookup_failed, LOG_MAIN, "dnssec fail on %s for %.256s", + i>1 ? "A6" : i>0 ? "AAAA" : "A", host->name); + continue; + } /* Lookup succeeded: fill in the given host item with the first non-ignored address found; create additional items for any others. A single A6 record @@ -2433,6 +2442,8 @@ Arguments: srv_service when SRV used, the service name srv_fail_domains DNS errors for these domains => assume nonexist mx_fail_domains DNS errors for these domains => assume nonexist + dnssec_request_domains => make dnssec request + dnssec_require_domains => ditto and nonexist failures fully_qualified_name if not NULL, return fully-qualified name removed set TRUE if local host was removed from the list @@ -2450,6 +2461,7 @@ Returns: HOST_FIND_FAILED Failed to find the host or domain; int host_find_bydns(host_item *host, uschar *ignore_target_hosts, int whichrrs, uschar *srv_service, uschar *srv_fail_domains, uschar *mx_fail_domains, + uschar *dnssec_request_domains, uschar *dnssec_require_domains, uschar **fully_qualified_name, BOOL *removed) { host_item *h, *last; @@ -2459,6 +2471,10 @@ int ind_type = 0; int yield; dns_answer dnsa; dns_scan dnss; +BOOL dnssec_request = match_isinlist(host->name, &dnssec_request_domains, + 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK; +BOOL dnssec_require = match_isinlist(host->name, &dnssec_require_domains, + 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK; /* Set the default fully qualified name to the incoming name, initialize the resolver if necessary, set up the relevant options, and initialize the flag @@ -2466,7 +2482,9 @@ that gets set for DNS syntax check errors. */ if (fully_qualified_name != NULL) *fully_qualified_name = host->name; dns_init((whichrrs & HOST_FIND_QUALIFY_SINGLE) != 0, - (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0); + (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0, + dnssec_request || dnssec_require + ); host_find_failed_syntax = FALSE; /* First, if requested, look for SRV records. The service name is given; we @@ -2494,13 +2512,19 @@ if ((whichrrs & HOST_FIND_BY_SRV) != 0) /* On DNS failures, we give the "try again" error unless the domain is listed as one for which we continue. */ + if (rc == DNS_SUCCEED && dnssec_require && !dns_is_secure(&dnsa)) + { + log_write(L_host_lookup_failed, LOG_MAIN, + "dnssec fail on SRV for %.256s", host->name); + rc = DNS_FAIL; + } if (rc == DNS_FAIL || rc == DNS_AGAIN) { #ifndef STAND_ALONE if (match_isinlist(host->name, &srv_fail_domains, 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) != OK) #endif - return HOST_FIND_AGAIN; + { yield = HOST_FIND_AGAIN; goto out; } DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA " "(domain in srv_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN"); } @@ -2517,16 +2541,29 @@ if (rc != DNS_SUCCEED && (whichrrs & HOST_FIND_BY_MX) != 0) { ind_type = T_MX; rc = dns_lookup(&dnsa, host->name, ind_type, fully_qualified_name); - if (rc == DNS_NOMATCH) return HOST_FIND_FAILED; - if (rc == DNS_FAIL || rc == DNS_AGAIN) - { - #ifndef STAND_ALONE - if (match_isinlist(host->name, &mx_fail_domains, 0, NULL, NULL, MCL_DOMAIN, - TRUE, NULL) != OK) - #endif - return HOST_FIND_AGAIN; - DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA " - "(domain in mx_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN"); + switch (rc) + { + case DNS_NOMATCH: + yield = HOST_FIND_FAILED; goto out; + + case DNS_SUCCEED: + if (!dnssec_require || dns_is_secure(&dnsa)) + break; + log_write(L_host_lookup_failed, LOG_MAIN, + "dnssec fail on MX for %.256s", host->name); + rc = DNS_FAIL; + /*FALLTRHOUGH*/ + + case DNS_FAIL: + case DNS_AGAIN: + #ifndef STAND_ALONE + if (match_isinlist(host->name, &mx_fail_domains, 0, NULL, NULL, MCL_DOMAIN, + TRUE, NULL) != OK) + #endif + { yield = HOST_FIND_AGAIN; goto out; } + DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA " + "(domain in mx_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN"); + break; } } @@ -2539,14 +2576,15 @@ if (rc != DNS_SUCCEED) if ((whichrrs & HOST_FIND_BY_A) == 0) { DEBUG(D_host_lookup) debug_printf("Address records are not being sought\n"); - return HOST_FIND_FAILED; + yield = HOST_FIND_FAILED; + goto out; } last = host; /* End of local chainlet */ host->mx = MX_NONE; host->port = PORT_NONE; rc = set_address_from_dns(host, &last, ignore_target_hosts, FALSE, - fully_qualified_name); + fully_qualified_name, dnssec_require); /* If one or more address records have been found, check that none of them are local. Since we know the host items all have their IP addresses @@ -2573,7 +2611,8 @@ if (rc != DNS_SUCCEED) } } - return rc; + yield = rc; + goto out; } /* We have found one or more MX or SRV records. Sort them according to @@ -2757,7 +2796,8 @@ if (ind_type == T_SRV) if (host == last && host->name[0] == 0) { DEBUG(D_host_lookup) debug_printf("the single SRV record is \".\"\n"); - return HOST_FIND_FAILED; + yield = HOST_FIND_FAILED; + goto out; } DEBUG(D_host_lookup) @@ -2867,12 +2907,14 @@ otherwise invalid host names obtained from MX or SRV records can cause trouble if they happen to match something local. */ yield = HOST_FIND_FAILED; /* Default yield */ -dns_init(FALSE, FALSE); /* Disable qualify_single and search_parents */ +dns_init(FALSE, FALSE, /* Disable qualify_single and search_parents */ + dnssec_request || dnssec_require); for (h = host; h != last->next; h = h->next) { if (h->address != NULL) continue; /* Inserted by a multihomed host */ - rc = set_address_from_dns(h, &last, ignore_target_hosts, allow_mx_to_ip, NULL); + rc = set_address_from_dns(h, &last, ignore_target_hosts, allow_mx_to_ip, + NULL, dnssec_require); if (rc != HOST_FOUND) { h->status = hstatus_unusable; @@ -2981,6 +3023,9 @@ DEBUG(D_host_lookup) } } +out: + +dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */ return yield; } @@ -3002,6 +3047,8 @@ int whichrrs = HOST_FIND_BY_MX | HOST_FIND_BY_A; BOOL byname = FALSE; BOOL qualify_single = TRUE; BOOL search_parents = FALSE; +BOOL request_dnssec = FALSE; +BOOL require_dnssec = FALSE; uschar **argv = USS cargv; uschar buffer[256]; @@ -3021,7 +3068,7 @@ if (argc > 1) primary_hostname = argv[1]; /* So that debug level changes can be done first */ -dns_init(qualify_single, search_parents); +dns_init(qualify_single, search_parents, FALSE); printf("Testing host lookup\n"); printf("> "); @@ -3047,10 +3094,14 @@ while (Ufgets(buffer, 256, stdin) != NULL) whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX; else if (Ustrcmp(buffer, "srv+mx+a") == 0) whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX | HOST_FIND_BY_A; - else if (Ustrcmp(buffer, "qualify_single") == 0) qualify_single = TRUE; + else if (Ustrcmp(buffer, "qualify_single") == 0) qualify_single = TRUE; else if (Ustrcmp(buffer, "no_qualify_single") == 0) qualify_single = FALSE; - else if (Ustrcmp(buffer, "search_parents") == 0) search_parents = TRUE; + else if (Ustrcmp(buffer, "search_parents") == 0) search_parents = TRUE; else if (Ustrcmp(buffer, "no_search_parents") == 0) search_parents = FALSE; + else if (Ustrcmp(buffer, "request_dnssec") == 0) request_dnssec = TRUE; + else if (Ustrcmp(buffer, "no_request_dnssec") == 0) request_dnssec = FALSE; + else if (Ustrcmp(buffer, "require_dnssec") == 0) require_dnssec = TRUE; + else if (Ustrcmp(buffer, "no_reqiret_dnssec") == 0) require_dnssec = FALSE; else if (Ustrcmp(buffer, "test_harness") == 0) running_in_test_harness = !running_in_test_harness; else if (Ustrcmp(buffer, "ipv6") == 0) disable_ipv6 = !disable_ipv6; @@ -3083,11 +3134,12 @@ while (Ufgets(buffer, 256, stdin) != NULL) if (qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE; if (search_parents) flags |= HOST_FIND_SEARCH_PARENTS; - rc = byname? - host_find_byname(&h, NULL, flags, &fully_qualified_name, TRUE) - : - host_find_bydns(&h, NULL, flags, US"smtp", NULL, NULL, - &fully_qualified_name, NULL); + rc = byname + ? host_find_byname(&h, NULL, flags, &fully_qualified_name, TRUE) + : host_find_bydns(&h, NULL, flags, US"smtp", NULL, NULL, + request_dnssec ? &h.name : NULL, + require_dnssec ? &h.name : NULL, + &fully_qualified_name, NULL); if (rc == HOST_FIND_FAILED) printf("Failed\n"); else if (rc == HOST_FIND_AGAIN) printf("Again\n"); @@ -3146,4 +3198,6 @@ return 0; } #endif /* STAND_ALONE */ +/* vi: aw ai sw=2 +*/ /* End of host.c */ diff --git a/src/src/lookups/dnsdb.c b/src/src/lookups/dnsdb.c index e2e0f7f0d..a1eb2b658 100644 --- a/src/src/lookups/dnsdb.c +++ b/src/src/lookups/dnsdb.c @@ -241,7 +241,7 @@ if ((equals = Ustrchr(keystring, '=')) != NULL) /* Initialize the resolver in case this is the first time it has been used. */ -dns_init(FALSE, FALSE); +dns_init(FALSE, FALSE, FALSE); /*XXX dnssec? */ /* The remainder of the string must be a list of domains. As long as the lookup for at least one of them succeeds, we return success. Failure means that none diff --git a/src/src/match.c b/src/src/match.c index 66ae3dddb..97a098205 100644 --- a/src/src/match.c +++ b/src/src/match.c @@ -221,6 +221,8 @@ if (cb->at_is_special && pattern[0] == '@') NULL, /* service name not relevant */ NULL, /* srv_fail_domains not relevant */ NULL, /* mx_fail_domains not relevant */ + NULL, /* no dnssec request XXX ? */ + NULL, /* no dnssec require XXX ? */ NULL, /* no feedback FQDN */ &removed); /* feedback if local removed */ diff --git a/src/src/routers/dnslookup.c b/src/src/routers/dnslookup.c index 057a2a15d..c8fd3f991 100644 --- a/src/src/routers/dnslookup.c +++ b/src/src/routers/dnslookup.c @@ -18,6 +18,10 @@ optionlist dnslookup_router_options[] = { (void *)(offsetof(dnslookup_router_options_block, check_secondary_mx)) }, { "check_srv", opt_stringptr, (void *)(offsetof(dnslookup_router_options_block, check_srv)) }, + { "dnssec_request_domains", opt_stringptr, + (void *)(offsetof(dnslookup_router_options_block, dnssec_request_domains)) }, + { "dnssec_require_domains", opt_stringptr, + (void *)(offsetof(dnslookup_router_options_block, dnssec_require_domains)) }, { "mx_domains", opt_stringptr, (void *)(offsetof(dnslookup_router_options_block, mx_domains)) }, { "mx_fail_domains", opt_stringptr, @@ -53,7 +57,9 @@ dnslookup_router_options_block dnslookup_router_option_defaults = { NULL, /* mx_domains */ NULL, /* mx_fail_domains */ NULL, /* srv_fail_domains */ - NULL /* check_srv */ + NULL, /* check_srv */ + NULL, /* dnssec_request_domains */ + NULL /* dnssec_require_domains */ }; @@ -261,7 +267,9 @@ for (;;) } rc = host_find_bydns(&h, rblock->ignore_target_hosts, flags, srv_service, - ob->srv_fail_domains, ob->mx_fail_domains, &fully_qualified_name, &removed); + ob->srv_fail_domains, ob->mx_fail_domains, + ob->dnssec_request_domains, ob->dnssec_require_domains, + &fully_qualified_name, &removed); if (removed) setflag(addr, af_local_host_removed); /* If host found with only address records, test for the domain's being in diff --git a/src/src/routers/dnslookup.h b/src/src/routers/dnslookup.h index b0c384367..518b7f478 100644 --- a/src/src/routers/dnslookup.h +++ b/src/src/routers/dnslookup.h @@ -17,6 +17,8 @@ typedef struct { uschar *mx_fail_domains; uschar *srv_fail_domains; uschar *check_srv; + uschar *dnssec_request_domains; + uschar *dnssec_require_domains; } dnslookup_router_options_block; /* Data for reading the private options. */ diff --git a/src/src/routers/rf_lookup_hostlist.c b/src/src/routers/rf_lookup_hostlist.c index eadcd5df7..0eae31e61 100644 --- a/src/src/routers/rf_lookup_hostlist.c +++ b/src/src/routers/rf_lookup_hostlist.c @@ -94,6 +94,8 @@ for (h = addr->host_list; h != NULL; h = next_h) NULL, /* SRV service not relevant */ NULL, /* failing srv domains not relevant */ NULL, /* no special mx failing domains */ + NULL, /* no dnssec request XXX ? */ + NULL, /* no dnssec require XXX ? */ NULL, /* fully_qualified_name */ NULL); /* indicate local host removed */ } @@ -117,7 +119,9 @@ for (h = addr->host_list; h != NULL; h = next_h) BOOL removed; DEBUG(D_route|D_host_lookup) debug_printf("doing DNS lookup\n"); rc = host_find_bydns(h, ignore_target_hosts, HOST_FIND_BY_A, NULL, NULL, - NULL, &canonical_name, &removed); + NULL, + NULL, NULL, /*XXX dnssec? */ + &canonical_name, &removed); if (rc == HOST_FOUND) { if (removed) setflag(addr, af_local_host_removed); diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 0aa95a448..57b66b881 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -2816,6 +2816,7 @@ for (cutoff_retry = 0; expired && rc = host_find_byname(host, NULL, flags, &canonical_name, TRUE); else rc = host_find_bydns(host, NULL, flags, NULL, NULL, NULL, + NULL, NULL, /*XXX todo: smtp tpt hosts_require_dnssec */ &canonical_name, NULL); /* Update the host (and any additional blocks, resulting from diff --git a/src/src/verify.c b/src/src/verify.c index 690bb8f01..f799ff1de 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -1750,6 +1750,7 @@ while (addr_new != NULL) (void)host_find_byname(host, NULL, flags, &canonical_name, TRUE); else (void)host_find_bydns(host, NULL, flags, NULL, NULL, NULL, + NULL, NULL, /*XXX todo: dnssec */ &canonical_name, NULL); } } @@ -3546,7 +3547,7 @@ revadd[0] = 0; /* In case this is the first time the DNS resolver is being used. */ -dns_init(FALSE, FALSE); +dns_init(FALSE, FALSE, FALSE); /*XXX dnssec? */ /* Loop through all the domains supplied, until something matches */ -- cgit v1.2.3 From 93d4b03a2d9da8858f33c445b57128ef890f77fe Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Mon, 21 Apr 2014 13:07:17 +0100 Subject: Fix DISABLE_DNSSEC build Bad syntax possibly only affected some compilers. --- src/Makefile | 3 ++- src/src/dns.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/Makefile b/src/Makefile index 31c459a05..b913aec8a 100644 --- a/src/Makefile +++ b/src/Makefile @@ -90,7 +90,8 @@ distclean:; $(RM_COMMAND) -rf build-* cscope* cscope.files: FRC echo "-q" > $@ echo "-p3" >> $@ - find src Local -name "*.[cshyl]" -print \ + find src Local OS -name "*.[cshyl]" -print \ + -o -name "os.h*" -print \ -o -name "*akefile*" -print \ -o -name EDITME -print >> $@ diff --git a/src/src/dns.c b/src/src/dns.c index a15eb033a..6efb88d58 100644 --- a/src/src/dns.c +++ b/src/src/dns.c @@ -233,7 +233,7 @@ if (dns_dnssec_ok >= 0) dns_dnssec_ok ? "" : "un"); if (use_dnssec) DEBUG(D_resolver) - debug_printf("Unable to set DNSSEC without resolver support.\n") + debug_printf("Unable to set DNSSEC without resolver support.\n"); # endif #endif /* DISABLE_DNSSEC */ -- cgit v1.2.3 From 0a92f87f7d62bb4f83fef5b8b10513cdd923fc2e Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Mon, 21 Apr 2014 16:34:01 +0100 Subject: Fix testcase "server missing/empty certificate file" GnuTLS early versions (pre 3.0.0 ?) fail to send a reasonable client-cert request when tls_verify_certificates is an empty file. Since the test is for missing *server* certs (tls_certificate) avoid this by pointing to a real (if non-verifying) cert in tls_verify_certificates. --- src/src/tls-gnu.c | 14 ++++++-------- test/confs/2024 | 3 ++- test/log/2024 | 2 +- test/stdout/2024 | 2 +- 4 files changed, 10 insertions(+), 11 deletions(-) (limited to 'src') diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 7c3625216..cbd44d6f2 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -1228,25 +1228,23 @@ unsigned int verify; *error = NULL; -rc = peer_status(state); -if (rc != OK) +if ((rc = peer_status(state)) != OK) { verify = GNUTLS_CERT_INVALID; - *error = "not supplied"; + *error = "certificate not supplied"; } else - { rc = gnutls_certificate_verify_peers2(state->session, &verify); - } /* Handle the result of verification. INVALID seems to be set as well as REVOKED, but leave the test for both. */ -if ((rc < 0) || (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0) +if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) { state->peer_cert_verified = FALSE; - if (*error == NULL) - *error = ((verify & GNUTLS_CERT_REVOKED) != 0) ? "revoked" : "invalid"; + if (!*error) + *error = verify & GNUTLS_CERT_REVOKED + ? "certificate revoked" : "certificate invalid"; DEBUG(D_tls) debug_printf("TLS certificate verification failed (%s): peerdn=%s\n", diff --git a/test/confs/2024 b/test/confs/2024 index a677c4c86..c59e975de 100644 --- a/test/confs/2024 +++ b/test/confs/2024 @@ -24,6 +24,7 @@ tls_certificate = CERT tls_privatekey = CERT tls_verify_hosts = HOSTIPV4 -tls_verify_certificates = TVC +#tls_verify_certificates = TVC +tls_verify_certificates = CERT # End diff --git a/test/log/2024 b/test/log/2024 index c45da6e89..117382b5a 100644 --- a/test/log/2024 +++ b/test/log/2024 @@ -1,4 +1,4 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate. +1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (cert/key setup: cert=/non/exist key=/non/exist): Error while reading file. diff --git a/test/stdout/2024 b/test/stdout/2024 index 2e30f7dd6..ecedd4193 100644 --- a/test/stdout/2024 +++ b/test/stdout/2024 @@ -20,7 +20,7 @@ Key file = aux-fixed/cert2 ??? 220 <<< 220 TLS go ahead Attempting to start TLS -Failed to start TLS +Succeeded in starting TLS End of script Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected Certificate file = aux-fixed/cert2 -- cgit v1.2.3 From 209e806ce1bf13554bf7a5cfe161b83f0fbbab3a Mon Sep 17 00:00:00 2001 From: mg Date: Tue, 22 Apr 2014 00:41:34 +0200 Subject: exiqgrep: add -a to use all recipients (including delivered) --- doc/doc-docbook/spec.xfpt | 13 ++++++++++--- src/src/exiqgrep.src | 4 +++- 2 files changed, 13 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 68ebf8ad6..3542557c4 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -34656,9 +34656,13 @@ This utility is a Perl script contributed by Matt Hubbard. It runs .code exim -bpu .endd -to obtain a queue listing with undelivered recipients only, and then greps the -output to select messages that match given criteria. The following selection -options are available: +or (in case &*-a*& switch is specified) +.code +exim -bp +.endd + +to obtain a queue listing, and then greps the output to select messages +that match given criteria. The following selection options are available: .vlist .vitem &*-f*&&~<&'regex'&> @@ -34705,6 +34709,9 @@ Brief format &-- one line per message. .vitem &*-R*& Display messages in reverse order. + +.vitem &*-a*& +Include delivered recipients in queue listing. .endlist There is one more option, &%-h%&, which outputs a list of options. diff --git a/src/src/exiqgrep.src b/src/src/exiqgrep.src index e05589073..05c1b9ed0 100644 --- a/src/src/exiqgrep.src +++ b/src/src/exiqgrep.src @@ -43,8 +43,9 @@ if ($^O eq 'darwin') { # aka MacOS X $base = 62; }; -getopts('hf:r:y:o:s:zxlibRc',\%opt); +getopts('hf:r:y:o:s:zxlibRca',\%opt); if ($opt{h}) { &help; exit;} +if ($opt{a}) { $eargs = '-bp'; } # Read message queue output into hash &collect(); @@ -78,6 +79,7 @@ Display options: -i Message IDs only -b Brief Format -R Reverse order + -a All recipients (including delivered) EOF } -- cgit v1.2.3