dnslists: make valid lookup result addresses configurable. Bug 2631

This allows the Spamhaus error addresses to be considered an error, e.g.:
  dnslist_valid_addresses = ${if match{$dnslist_domain}{\N.spamhaus.org$\N}{!127.255.255.0/24 : }}127.0.0.0/8

Author: nomis

doc/doc-docbook/spec.xfpt

@@ -15814,6 +15814,20 @@ means that DNSSEC will not work with Exim on that platform either, unless Exim
 is linked against an alternative DNS client library.
 
 
+.new
+.option dnslist_valid_addresses main "host list&!!" &`127.0.0.0/8`&
+.cindex "dnslists ACL condition" "valid addresses"
+This option specifies IP addresses that are acceptable in dnslist responses.
+
+Responses containing address records that do not match this list will be logged
+as an error and ignored. This helps identify list domains that have been taken
+over by a domain-parking registrar.
+
+The variable &$dnslist_domain$& contains the name of the overall domain that
+matched (for example, &`spamhaus.example`&).
+.wen
+
+
 .option drop_cr main boolean false
 This is an obsolete option that is now a no-op. It used to affect the way Exim
 handled CR and LF characters in incoming messages. What happens now is
@@ -32368,6 +32382,12 @@ connection (assuming long-enough TTL).
 Exim does not share information between multiple incoming
 connections (but your local name server cache should be active).
 
+.new
+DNS list responses are filtered using the &%dnslist_valid_addresses%& host list
+before use to protect against list domains that have been taken over by a
+domain-parking registrar and no longer return values in the 127.0.0.0/8 range.
+.wen
+
 There are a number of DNS lists to choose from, some commercial, some free,
 or free for small deployments.  An overview can be found at
 &url(https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists).

src/src/dnsbl.c

@@ -239,6 +239,10 @@ if (cb->rc == DNS_SUCCEED)
         {
         int address[4];
         int mask = 0;
+        uschar *orig_dnslist_domain = dnslist_domain;
+
+        /* Make dnslist_domain available to dnslist_valid_addresses expansion. */
+        dnslist_domain = domain_txt;
 
         /* At present, all known DNS blocking lists use A records, with
         IPv4 addresses on the RHS encoding the information they return. I
@@ -248,14 +252,21 @@ if (cb->rc == DNS_SUCCEED)
         We change this only for IPv4 addresses in the list. */
 
         if (host_aton(da->address, address) == 1)
-	  if ((address[0] & 0xff000000) != 0x7f000000)    /* 127.0.0.0/8 */
-	    log_write(0, LOG_MAIN,
-	      "DNS list lookup for %s at %s returned %s;"
-	      " not in 127.0/8 and discarded",
-	      keydomain, domain, da->address);
+          {
+          if (verify_check_this_host(&dnslist_valid_addresses, NULL, US"", da->address, NULL) == OK)
+            {
+            mask = address[0];
+            }
+          else
+            {
+            log_write(0, LOG_MAIN,
+              "DNS list lookup for %s at %s returned %s;"
+              " invalid address discarded",
+              keydomain, domain, da->address);
+            }
+          }
 
-	  else
-	    mask = address[0];
+        dnslist_domain = orig_dnslist_domain;
 
         /* Scan the returned addresses, skipping any that are IPv6 */
 
@@ -315,20 +326,33 @@ if (cb->rc == DNS_SUCCEED)
   else
     {
     BOOL ok = FALSE;
+    uschar *orig_dnslist_domain = dnslist_domain;
+
+    /* Make dnslist_domain available to dnslist_valid_addresses expansion. */
+    dnslist_domain = domain_txt;
+
     for (da = cb->rhs; da; da = da->next)
       {
       int address[4];
 
-      if (  host_aton(da->address, address) == 1		/* ipv4 */
-	 && (address[0] & 0xff000000) == 0x7f000000	/* 127.0.0.0/8 */
-	 )
-	ok = TRUE;
-      else
-	log_write(0, LOG_MAIN,
-	    "DNS list lookup for %s at %s returned %s;"
-	    " not in 127.0/8 and discarded",
-	    keydomain, domain, da->address);
+      if (host_aton(da->address, address) == 1)
+        {
+        if (verify_check_this_host(&dnslist_valid_addresses, NULL, US"", da->address, NULL) == OK)
+          {
+          ok = TRUE;
+          }
+        else
+          {
+          log_write(0, LOG_MAIN,
+            "DNS list lookup for %s at %s returned %s;"
+            " invalid address discarded",
+            keydomain, domain, da->address);
+          }
+        }
       }
+
+    dnslist_domain = orig_dnslist_domain;
+
     if (!ok) return FAIL;
     }
 

src/src/globals.c

@@ -886,6 +886,7 @@ int     dns_use_edns0          = -1; /* <0 = not coerced */
 uschar *dnslist_domain         = NULL;
 uschar *dnslist_matched        = NULL;
 uschar *dnslist_text           = NULL;
+const uschar *dnslist_valid_addresses = US"127.0.0.0/8";
 uschar *dnslist_value          = NULL;
 tree_node *domainlist_anchor   = NULL;
 int     domainlist_count       = 0;

src/src/globals.h

@@ -554,6 +554,7 @@ extern int     dns_use_edns0;          /* Coerce EDNS0 support on/off in resolve
 extern uschar *dnslist_domain;         /* DNS (black) list domain */
 extern uschar *dnslist_matched;        /* DNS (black) list matched key */
 extern uschar *dnslist_text;           /* DNS (black) list text message */
+extern const uschar *dnslist_valid_addresses; /* DNS list IP addresses that are considered valid (127.0.0.0/8) */
 extern uschar *dnslist_value;          /* DNS (black) list IP address */
 extern tree_node *domainlist_anchor;   /* Tree of defined domain lists */
 extern int     domainlist_count;       /* Number defined */

src/src/readconf.c

@@ -140,6 +140,7 @@ static optionlist optionlist_config[] = {
   { "dns_retry",                opt_int,         {&dns_retry} },
   { "dns_trust_aa",             opt_stringptr,   {&dns_trust_aa} },
   { "dns_use_edns0",            opt_int,         {&dns_use_edns0} },
+  { "dnslist_valid_addresses",  opt_stringptr,   {&dnslist_valid_addresses} },
  /* This option is now a no-op, retained for compatibility */
   { "drop_cr",                  opt_bool,        {&drop_cr} },
 /*********************************************************/

test/confs/0139

@@ -8,6 +8,16 @@
 domainlist local_domains = exim.test.ex
 trusted_users = CALLER
 
+.ifdef DNSBL_127_255
+# Split into two /9s so that it's visible in the debug output
+dnslist_valid_addresses = ${if eq{$dnslist_domain}{rbl.test.ex}{!127.255.255.0/24 : 127.0.0.0/9 : 127.128.0.0/9}{127.0.0.0/8}}
+.endif
+
+.ifdef DNSBL_FAIL
+# Expansion failure
+dnslist_valid_addresses = ${if eq{intentional_expansion_failure
+.endif
+
 acl_smtp_helo = check_helo
 acl_smtp_rcpt = check_recipient
 acl_smtp_mail = check_mail

test/dnszones-src/db.test.ex

@@ -212,6 +212,10 @@ TTL=2 14.12.11.V4NET.rbl A 127.0.0.2
 105.13.13.V4NET.rbl    A   255.255.255.255
                        A   255.255.255.254
 
+; Configuration to consider 127.255.255.0/24 as invalid
+
+106.13.13.V4NET.rbl    A   127.255.255.255
+
 ; -------- Testing MX records --------
 
 mxcased      MX  5  ten-99.TEST.EX.

test/log/0509

@@ -1,4 +1,4 @@
 1999-03-02 09:44:33 rbl.test.ex/<;1.2.3.4;V4NET.11.12.13
-1999-03-02 09:44:33 DNS list lookup for ten-1 at test.ex returned V4NET.0.0.1; not in 127.0/8 and discarded
+1999-03-02 09:44:33 DNS list lookup for ten-1 at test.ex returned V4NET.0.0.1; invalid address discarded
 1999-03-02 09:44:33 test.ex/a.b.c.d::ten-1::localhost
 1999-03-02 09:44:33 U=CALLER rejected connection in "connect" ACL

test/scripts/0000-Basic/0139

@@ -65,4 +65,20 @@ exim -bh V4NET.13.13.105
 vrfy a@b
 quit
 ****
+exim -bh V4NET.13.13.106
+vrfy a@b
+quit
+****
+exim -DDNSBL_127_255 -bh V4NET.13.13.2
+vrfy a@b
+quit
+****
+exim -DDNSBL_127_255 -bh V4NET.13.13.106
+vrfy a@b
+quit
+****
+exim -DDNSBL_FAIL -bh V4NET.13.13.2
+vrfy a@b
+quit
+****
 no_msglog_check